Date: Sun, 16 May 2021 16:58:42 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 255928] ipfw: nat64 not working on 13.0-RELEASE
Message-ID: <bug-255928-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255928

            Bug ID: 255928
           Summary: ipfw: nat64 not working on 13.0-RELEASE
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: paul.chakravarti@gmail.com

Hi,

I have been testing my ipfw/nat64 configuration on 13.0-RELEASE; however, this does not now work (the configuration is identical to the working configuration on 12.2-RELEASE).

I have included the configuration details below - essentially the intent is to run a bunch of IPv6-only VNET jails with NAT64 on the host (this works fine on 12.2-RELEASE).

The tcpdump output below shows that when I try an ICMPv6 ping to a NAT64 address (64:ff9b::1.1.1.1) I can see the outbound NAT64 conversion and the IPv4 ICMP response; however, on 13.0-RELEASE I see a strange ICMP redirect which doesn't happen with 12.2-RELEASE, and it looks like the packets are rejected by the nat64lsn instance as 'discarded due to unsupported protocol':

>> 16:34:03.718757 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44

Any ideas?

Regards,

Paul

======== ifconfig -a ========

vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
	ether 58:9c:fc:08:4f:d0
	inet 192.168.1.55 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::5a9c:fcff:fe08:4fd0%vtnet0 prefixlen 64 scopeid 0x1
	inet6 2001:470:1d41:1::55 prefixlen 64
	media: Ethernet autoselect (10Gbase-T <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 58:9c:fc:10:ff:96
	inet6 fe80::5a9c:fcff:fe10:ff96%bridge0 prefixlen 64 scopeid 0x3
	inet6 2001:470:1d41:55::1 prefixlen 64
	inet6 fe80::1%bridge0 prefixlen 64 scopeid 0x3
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	groups: bridge
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
	groups: ipfw

======== /etc/ipfw.rules ========

IPV4_LOCAL="192.168.1.55/32"
IPV6_LOCAL="2001:470:1d41:1::55/128"
NAT64_NETWORK="2001:470:1d41:55::/64"

: ${LOG:=}

# Flush
ipfw -q flush
ipfw -q nat64lsn NAT64 destroy

# Create nat64 instance
ipfw nat64lsn NAT64 create log prefix4 ${IPV4_LOCAL} prefix6 64:ff9b::/96

# Allow established connections
ipfw add check-state

# Allow icmp6 neighbour advertisement
ipfw add allow ${LOG} icmp6 from any to any icmp6types 135,136

# Allow incoming icmp echo-requests (need keep-state to allow icmp from nat64)
ipfw add allow ${LOG} icmp from any to ${IPV4_LOCAL} icmptypes 8 keep-state

# Allow incoming SSH/DNS (IPv4)
ipfw add allow ${LOG} ip4 from any to ${IPV4_LOCAL} 22
ipfw add allow ${LOG} ip4 from any to ${IPV4_LOCAL} 53

# Enable NAT64
ipfw add nat64lsn NAT64 ${LOG} ip6 from ::1 to 64:ff9b::/96 in
ipfw add nat64lsn NAT64 ${LOG} ip6 from ${IPV6_LOCAL} to 64:ff9b::/96 in
ipfw add nat64lsn NAT64 ${LOG} ip6 from ${NAT64_NETWORK} to 64:ff9b::/96 in
ipfw add nat64lsn NAT64 ${LOG} ip4 from any to ${IPV4_LOCAL} in

# Allow outgoing IPv4 (keep-state to skip nat64)
ipfw add allow ${LOG} ip4 from ${IPV4_LOCAL} to any keep-state

# Allow all
ipfw add allow ${LOG} all from any to any

# Set NAT64 route
route -6 add 64:ff9b::/96 fe80::1%lo0

# Enable direct output
sysctl net.inet.ip.fw.nat64_direct_output=1

======== ipfw show ========

# ipfw show
00100     0      0 check-state :default
00200    82   5576 allow log ipv6-icmp from any to any icmp6types 135,136
00300     0      0 allow log icmp from any to 192.168.1.55 icmptypes 8 keep-state :default
00400     0      0 allow log ip4 from any to 192.168.1.55 22
00500     0      0 allow log ip4 from any to 192.168.1.55 53
00600     0      0 nat64lsn NAT64 log ip6 from ::1 to 64:ff9b::/96 in
00700     2    112 nat64lsn NAT64 log ip6 from 2001:470:1d41:1::55 to 64:ff9b::/96 in
00800     0      0 nat64lsn NAT64 log ip6 from 2001:470:1d41:55::/64 to 64:ff9b::/96 in
00900     2    128 nat64lsn NAT64 log ip4 from any to 192.168.1.55 in
01000     6    216 allow log ip4 from 192.168.1.55 to any keep-state :default
01100   939 127470 allow log ip from any to any

======== ping6 -c 1 64:ff9b::1.1.1.1 ========

# ping6 -c 1 64:ff9b::1.1.1.1
PING6(56=40+8+8 bytes) 2001:470:1d41:1::55 --> 64:ff9b::101:101

--- 64:ff9b::1.1.1.1 ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

======== tcpdump -nqi ipfw0 icmp or icmp6 ========

# tcpdump -nqi ipfw0 icmp or icmp6
16:34:03.718627 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:34:03.718654 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:34:03.718681 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:34:03.718684 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:34:03.718757 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:34:03.718762 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:34:03.738308 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1024, seq 0, length 16

======== ipfw nat64lsn NAT64 stats ========

# ipfw nat64lsn NAT64 stats
nat64lsn NAT64
	2 packets translated from IPv6 to IPv4
	0 packets translated from IPv4 to IPv6
	0 IPv6 fragments created
	0 IPv4 fragments received
	0 output packets dropped due to no bufs, etc.
	0 output packets discarded due to no IPv4 route
	0 output packets discarded due to no IPv6 route
	2 packets discarded due to unsupported protocol
	0 packets discarded due to memory allocation problems
	0 packets discarded due to some errors
	0 packets not matched with IPv4 prefix
	1 mbufs queued for post processing
	1 times the job queue was processed
	1 job requests queued
	0 job requests queue limit reached
	0 job requests failed due to memory allocation problems
	1 hosts allocated
	1 hosts requested
	0 host requests failed
	0 portgroups requested
	1 portgroups allocated
	0 portgroups deleted
	0 portgroup requests failed
	0 portgroups allocated for TCP
	0 portgroups allocated for UDP
	1 portgroups allocated for ICMP
	2 states created
	2 states deleted

-- 
You are receiving this mail because:
You are the assignee for the bug.
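The report above identifies the problem by reading the drop counters in the `ipfw nat64lsn NAT64 stats` output by hand. The following script is an added example, not part of the bug report or of FreeBSD: it parses that text output (the counter wording is the one shown in the report; the two sample stats blocks are constructed) and reports every drop, discard or failure counter that is non-zero, so a NAT64 host can be checked the same way from a cron job or a monitoring agent.

```shell
#!/bin/sh
# Added example (not from the bug report): parse the text output of
# "ipfw nat64lsn <name> stats" and flag counters that indicate dropped or
# discarded traffic. The counter wording matches the stats block in the
# report; the sample inputs below are constructed for the example.

# Read stats output on stdin; print "count<TAB>description" for every
# non-zero counter whose description indicates dropped/discarded/failed work.
nat64_drops() {
    awk '
        /discarded|dropped|failed|limit reached|not matched/ {
            # first field is the numeric count, rest of the line the description
            if ($1 ~ /^[0-9]+$/ && $1 + 0 > 0) {
                desc = $0
                sub(/^[ \t]*[0-9]+[ \t]+/, "", desc)
                printf "%s\t%s\n", $1, desc
            }
        }'
}

# Exit 0 when no drop counter is non-zero, 1 otherwise; stats on stdin.
nat64_healthy() {
    [ -z "$(nat64_drops)" ]
}

# Constructed sample reproducing the counters from the report above.
BROKEN_STATS='nat64lsn NAT64
	2 packets translated from IPv6 to IPv4
	0 packets translated from IPv4 to IPv6
	0 output packets discarded due to no IPv4 route
	0 output packets discarded due to no IPv6 route
	2 packets discarded due to unsupported protocol
	0 packets not matched with IPv4 prefix
	0 host requests failed
	2 states created'

# Constructed sample of a healthy instance (same layout, all drop counters zero).
HEALTHY_STATS='nat64lsn NAT64
	4 packets translated from IPv6 to IPv4
	4 packets translated from IPv4 to IPv6
	0 packets discarded due to unsupported protocol
	0 packets not matched with IPv4 prefix'

# On a real host replace the sample with: ipfw nat64lsn NAT64 stats | nat64_drops
if printf '%s\n' "$BROKEN_STATS" | nat64_healthy; then
    echo "NAT64: ok"
else
    echo "NAT64: drops detected"
    printf '%s\n' "$BROKEN_STATS" | nat64_drops
fi
```

Run against the constructed sample it prints the single offending line, `2<TAB>packets discarded due to unsupported protocol`; piping the live `ipfw nat64lsn NAT64 stats` output into `nat64_healthy` gives a non-zero exit status that a monitoring check can act on.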