From: Kristof Provost
To: Alexey Pereklad
Cc: freebsd-net@freebsd.org
Date: Mon, 13 Jul 2015 11:15:51 +0200
Subject: Re: FreeBSD 9.3: Looks like a bug in pf NAT while translating ICMP packets of type 3

Thanks. I’ve added it to my todo list. (No promises about when I’ll have time though.)

Regards,
Kristof

> On 13 Jul 2015, at 11:11, Alexey Pereklad wrote:
>
> Hi.
>
> I checked if I can reproduce this issue with -CURRENT. Well, -CURRENT has the same problem.
> Here is my test lab:
>
> # uname -a
> FreeBSD test-BSD-01.hyperv.local 11.0-CURRENT FreeBSD 11.0-CURRENT #1 r285351: Fri Jul 10 14:49:08 MSK 2015 root@test-BSD-01.hyperv.local:/usr/obj/usr/src/sys/GENERIC amd64
>
> Here is the dump on the LAN interface:
>
> # tcpdump -npi hn1 host 172.16.129.18
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on hn1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 11:43:25.506775 IP 172.16.129.18.29490 > 208.67.220.220.53: 9125+ A? freebsd.org. (29)
> 11:43:25.570851 IP 208.67.220.220.53 > 172.16.129.18.29490: 9125 1/0/0 A 8.8.178.110 (45)
> 11:43:25.571635 IP 172.16.129.18 > 208.67.220.220: ICMP 172.16.129.18 udp port 29490 unreachable, length 36
>
> Dump on the external WAN interface at the same moment:
>
> # tcpdump -npi hn0 \(udp and port 53\) or icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on hn0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 11:43:25.741672 IP 213.208.xx.yy.55677 > 208.67.220.220.53: 1319+ A? ya.ru. (23)
> 11:43:25.795961 IP 208.67.220.220.53 > 213.208.xx.yy.55677: 1319 3/0/0 A 93.158.134.3, A 213.180.193.3, A 213.180.204.3 (71)
> 11:43:25.796700 IP 172.16.129.18 > 208.67.220.220: ICMP 213.208.xx.yy udp port 55677 unreachable, length 36
>
> So I've created a bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519
>
> 07.07.2015 15:33, Kristof Provost wrote:
>> On 2015-07-07 15:04:31 (+0300), technical account wrote:
>>> I have an issue with pf in FreeBSD 9.3. Looks like there is something wrong
>>> with pf's NAT while processing ICMP packets of type 3 (destination
>>> unreachable).
>>>
>> Can you check if this also happens on CURRENT?
>>
>> If so, please create a bug on bugs.freebsd.org/bugzilla and cc me
>> (kp@FreeBSD.org).
>> You've already gathered the information required for a good bug report.
>>
>> I'll try to take a look at it when I find some time.
>>
>
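
A check for the symptom visible in the WAN capture quoted above, as an added example that is not part of the original thread or of pf: it scans `tcpdump -n` text taken on the external interface for ICMP port-unreachable packets whose outer source is still an RFC 1918 address. The function names, the sample lines and the address 203.0.113.7 (standing in for the masked 213.208.xx.yy) are assumptions made for the example.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which the sample data uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump -n ICMP error line:
#   <ts> IP <src> > <dst>: ICMP <embedded addr> udp port <n> unreachable, ...
ICMP_UNREACH = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP (?P<inner>\d+(?:\.\d+){3}) (?:udp|tcp) port (?P<port>\d+) unreachable")


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def find_untranslated_icmp(wan_lines):
    """Flag ICMP port-unreachable packets captured on the WAN side whose
    outer source address is still a private (RFC 1918) address."""
    findings = []
    for line in wan_lines:
        m = ICMP_UNREACH.match(line.strip())
        if not m:
            continue  # DNS traffic and anything else is ignored
        src = ipaddress.ip_address(m["src"])
        inner = ipaddress.ip_address(m["inner"])
        if is_rfc1918(src):
            findings.append({
                "ts": m["ts"],
                "outer_src": str(src),
                "embedded": str(inner),
                "port": int(m["port"]),
                # True: embedded header was rewritten, outer header was not
                "embedded_translated": inner != src,
            })
    return findings


# Constructed sample modelled on the WAN capture in the mail; 203.0.113.7
# is a placeholder for the masked external address.
SAMPLE_WAN = [
    "11:43:25.741672 IP 203.0.113.7.55677 > 208.67.220.220.53: 1319+ A? ya.ru. (23)",
    "11:43:25.795961 IP 208.67.220.220.53 > 203.0.113.7.55677: 1319 3/0/0 A 93.158.134.3 (39)",
    "11:43:25.796700 IP 172.16.129.18 > 208.67.220.220: ICMP 203.0.113.7 udp port 55677 unreachable, length 36",
    "11:43:26.100000 IP 203.0.113.7 > 208.67.220.220: ICMP 203.0.113.7 udp port 55678 unreachable, length 36",
]

if __name__ == "__main__":
    for finding in find_untranslated_icmp(SAMPLE_WAN):
        print(finding)
```

A finding with `embedded_translated` set to true matches the pattern in the report: the address inside the ICMP payload was rewritten to the external one while the outer source was left as the internal host.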