IPFW NAT64 changed 11.2 --> 11.3?

Andrey V. Elsukov bu7cher at yandex.ru
Wed Jun 26 11:40:27 UTC 2019 

On 26.06.2019 14:23, Patrick M. Hausen wrote:
> Hi all,
> 
>> Am 26.06.2019 um 12:28 schrieb Andrey V. Elsukov <bu7cher at yandex.ru>:
>>
>> On 26.06.2019 13:10, Patrick M. Hausen wrote:
>>> tcpdump will take some more time, currently we do not have /dev/bpf in these jails.
>>
>> So, nat64_direct_output didn't help?
>> Does `ipfw nat64lsn NAT64 list states` shows correct addresses?
> 
> No, it didn’t. Yes, the IPv4 addresses shown are the external addresses
> of these „gate64“ jails.
> 
> See:
> 
> 13:06:28.205602 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2a00:b580:8000:12:40f9:d4:cd11:d68c > 64:ff9b::9765:7085: [icmp6 sum ok] ICMP6, echo request, seq 0
> 13:06:28.205611 IP (tos 0x0, ttl 63, id 25804, offset 0, flags [DF], proto ICMP (1), length 36)
>     217.29.40.145 > 151.101.112.133: ICMP echo request, id 1024, seq 0, length 16
> 13:06:28.207853 IP (tos 0x0, ttl 58, id 53557, offset 0, flags [none], proto ICMP (1), length 36)
>     151.101.112.133 > 217.29.40.145: ICMP echo reply, id 1024, seq 0, length 16
> 13:06:28.207861 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) d91d:2891::9765:7085 > 2a00:b580:8000:12:40f9:d4:cd11:d68c: [icmp6 sum ok] ICMP6, echo reply, seq 0
> 13:06:29.268095 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2a00:b580:8000:12:40f9:d4:cd11:d68c > 64:ff9b::9765:7085: [icmp6 sum ok] ICMP6, echo request, seq 1
> 13:06:29.268106 IP (tos 0x0, ttl 63, id 18866, offset 0, flags [DF], proto ICMP (1), length 36)
>     217.29.40.145 > 151.101.112.133: ICMP echo request, id 1024, seq 1, length 16
> 13:06:29.270335 IP (tos 0x0, ttl 58, id 53653, offset 0, flags [none], proto ICMP (1), length 36)
>     151.101.112.133 > 217.29.40.145: ICMP echo reply, id 1024, seq 1, length 16
> 13:06:29.270340 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) d91d:2891::9765:7085 > 2a00:b580:8000:12:40f9:d4:cd11:d68c: [icmp6 sum ok] ICMP6, echo reply, seq 1
> 
> So the IPv4 echo and reply exchange looks good. Then the packet is
> forwarded to IPv6 with an entirely bogus (AFAIK) IPv6 source address.
> 
> Interestingly the host portion of the address that should be nat64 is identical,
> but the prefix - where does it get that idea?

Thanks, it is very useful. Due to the code difference between head/ and
stable/11 there were some partial MFCs, and r334836 seems has missing
part of code. Can you try this patch?

-- 
WBR, Andrey V. Elsukov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nat64.diff
Type: text/x-patch
Size: 505 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20190626/775216ba/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20190626/775216ba/attachment.sig>

More information about the freebsd-net mailing list