[Bug 263974] ipfw_nat64lsn reply destination mac address error
Date: Tue, 17 May 2022 03:19:06 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263974
Jim B. <jpb@jimby.name> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|New                         |Closed

--- Comment #6 from Jim B. <jpb@jimby.name> ---
Ok, as promised in Comment #5, I spun up a new VM with 13.1-RELEASE and
retested this issue.
I now report that nat64lsn (stateful NAT64) *does work* under the following
conditions:
* The addressing scheme described in the attachment "nat64lsn on my
addressing scheme not working" now *does work*.
* The ipfw rules to implement are:

    ipfw nat64lsn foo create prefix4 203.0.112.0/24 allow_private
    ipfw add allow log ipv6-icmp from any to any icmp6types 135,136
    ipfw add nat64lsn foo log ip from 2001:db8:12::/64 to 64:ff9b::/96 in
    ipfw add nat64lsn foo log ip from any to 203.0.112.0/24 in
    ipfw add allow log ip from any to any

* The direct_output sysctl had to be set to 1 (not zero):

    sysctl net.inet.ip.fw.nat64_direct_output=1

* I also set the nat64_debug sysctl and the firewall verbose sysctl:

    sysctl net.inet.ip.fw.nat64_debug=1
    sysctl net.inet.ip.fw.verbose=1

See /var/log/security for output.
-----
With these conditions the following tests were successful:
[root@v6only ~]# ping6 -c 3 64:ff9b::203.0.113.10
PING6(56=40+8+8 bytes) 2001:db8:12::30 --> 64:ff9b::cb00:710a
16 bytes from 64:ff9b::cb00:710a, icmp_seq=0 hlim=63 time=8.401 ms
16 bytes from 64:ff9b::cb00:710a, icmp_seq=1 hlim=63 time=3.429 ms
16 bytes from 64:ff9b::cb00:710a, icmp_seq=2 hlim=63 time=3.398 ms
--- 64:ff9b::203.0.113.10 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.398/5.076/8.401/2.351 ms
And using lynx to grab the nginx home page was successful:
lynx external1.example.com
-------
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further
configuration is required.
This is Machine 1 - 203.0.113.10
For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.
Thank you for using nginx.
Are you sure you want to quit? (y)
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
-------
I am closing the ticket with the caveat that nat64lsn under 13.0 may still need
fixing (identical source and destination MAC addresses in the reply).
Closed : Works as Intended <--- but only in 13.1
Jim B.
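
An added example, not part of Jim B.'s comment and not FreeBSD code: the ping6 output above shows 64:ff9b::203.0.113.10 displayed as 64:ff9b::cb00:710a, which is the RFC 6052 /96 embedding of the IPv4 address. The Python sketch below reproduces that mapping and classifies an inbound packet against the two nat64lsn rules from the comment; the function names are this example's own, and the neighbor-discovery allow rule that precedes them is not modeled.

```python
import ipaddress

# Networks copied from the ipfw rules in the comment.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")     # destination of the IPv6-side rule
CLIENT_NET6 = ipaddress.ip_network("2001:db8:12::/64")  # source of the IPv6-side rule
POOL4 = ipaddress.ip_network("203.0.112.0/24")          # prefix4 pool, destination of the IPv4-side rule


def synthesize(ipv4):
    """Embed an IPv4 address in the low 32 bits of the /96 prefix (RFC 6052)."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))


def extract(ipv6):
    """Recover the embedded IPv4 address; reject addresses outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        raise ValueError(f"{v6} is not inside {NAT64_PREFIX}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def matching_rule(src, dst):
    """Say which nat64lsn rule from the comment an inbound packet would hit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 6 and d.version == 6 and s in CLIENT_NET6 and d in NAT64_PREFIX:
        return "6to4"  # from 2001:db8:12::/64 to 64:ff9b::/96 in
    if d.version == 4 and d in POOL4:
        return "4to6"  # from any to 203.0.112.0/24 in
    return "untranslated"  # falls through to the final allow rule


if __name__ == "__main__":
    # Addresses from the ping6 transcript; 203.0.112.5 is a constructed pool address.
    print(synthesize("203.0.113.10"))
    print(extract("64:ff9b::203.0.113.10"))
    print(matching_rule("2001:db8:12::30", "64:ff9b::cb00:710a"))
    print(matching_rule("203.0.113.10", "203.0.112.5"))
```

A packet classified as "untranslated" here is one that would bypass the NAT64 instance and be passed by the final allow rule, which is worth checking when the rules are adapted to a different addressing scheme.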