Date: Sat, 14 May 2022 15:38:17 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 263974] ipfw_nat64lsn reply destination mac address error
Message-ID: <bug-263974-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263974

            Bug ID: 263974
           Summary: ipfw_nat64lsn reply destination mac address error
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: jpb@jimby.name

Created attachment 233913
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=233913&action=edit
nat64lsn and dns64 test bed - 4 VMs on FreeBSD host

See the attached figure (nat64_issue.png) for address layout.

The FreeBSD host (my laptop), v6only VM, firewall VM, and the DNShost VM are
all 13.0-RELEASE-p11. The external1 host (IPv4 only host) is 13.0-RELEASE-p8.

This nat64lsn (stateful NAT64) example follows the BSD Router Project address
layout and ruleset. However, these are stock FreeBSD 13.0 VMs
(qemu-system-x86_64 version 6.2.0), not BSDRP images.

TCP session request from IPv6 only host to IPv4 only host *almost* works. The
initial SYN packet is NAT64ed correctly and reaches the destination IPv4 host,
which sends a SYN/ACK back. The ipfw instance on the router moves the SYN/ACK
packet back through the ruleset and writes it out the proper interface (em1).
But the packet sent back to the IPv6 host on that interface has a malformed
destination MAC address. ipfw_nat64 duplicated the em1 interface MAC address
(the source) in the destination field.

Wireshark trace shows the SYN/ACK reply packet has duplicated source and
destination MAC addresses:

Ethernet II, Src: 02:49:50:46:57:42 (02:49:50:46:57:42), Dst: 02:49:50:46:57:42 (02:49:50:46:57:42)
    Destination: 02:49:50:46:57:42 (02:49:50:46:57:42)
        Address: 02:49:50:46:57:42 (02:49:50:46:57:42)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 02:49:50:46:57:42 (02:49:50:46:57:42)
        Address: 02:49:50:46:57:42 (02:49:50:46:57:42)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)

IPv6 host config:

root@v6only:~ # ifconfig em0
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
        ether 02:49:de:ad:be:ef
        inet6 2001:db8:12::1 prefixlen 64
        inet6 fe80::49:deff:fead:beef%em0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

ipfw router config:

root@firewall:~ # ifconfig -a
em0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
        ether 02:49:50:46:57:41
        inet 2.2.2.2 netmask 0xffffff00 broadcast 2.2.2.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
        ether 02:49:50:46:57:42
        inet6 2001:db8:12::2 prefixlen 64
        inet6 fe80::49:50ff:fe46:5742%em1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
root@firewall:~ #
root@firewall:~ # ndp -a
Neighbor                        Linklayer Address  Netif Expire    S Flags
v6only.example.com              02:49:de:ad:be:ef    em1 23h8m28s  S
2001:db8:12::2                  02:49:50:46:57:42    em1 permanent R
fe80::49:50ff:fe46:5742%em1     02:49:50:46:57:42    em1 permanent R
dnshost.example.com             02:49:53:53:54:54    em1 22h49m2s  S
root@firewall:~ #

ipfw setup:

root@firewall:~ # ipfw nat64lsn NAT64 show config
nat64lsn NAT64 prefix4 2.2.1.0/24 prefix6 64:ff9b::/96 log
root@firewall:~ #
root@firewall:~ # ipfw show
00100   12    816 allow log ipv6-icmp from any to any icmp6types 135,136
00200    7    512 nat64lsn NAT64 log ip from 2001:db8:12::/64 to 64:ff9b::/96 in
00300   16    912 nat64lsn NAT64 log ip from any to 2.2.1.0/24 in
00400   58   5920 allow log ip from any to any
00500    0      0 allow log ip6 from any to any
65535    0      0 deny ip from any to any

startup script:

root@firewall:~ # cat bsdrp.sh
#!/bin/sh
set -x
kldunload ipfw_nat64
kldunload ipfw
sleep 1
kldload ipfw
kldload ipfw_nat64
# Logging: 0 interfaces, 1 syslog
sysctl net.inet.ip.fw.verbose=1
# Debug nat64
sysctl net.inet.ip.fw.nat64_debug=1
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} nat64lsn NAT64 create log prefix4 2.2.1.0/24
${fwcmd} add allow log icmp6 from any to any icmp6types 135,136
${fwcmd} add nat64lsn NAT64 log ip from 2001:db8:12::/64 to 64:ff9b::/96 in
${fwcmd} add nat64lsn NAT64 log ip from any to 2.2.1.0/24 in
${fwcmd} add allow log ip from any to any
${fwcmd} add allow log ip6 from any to any
# Direct output: 1 enable, 0 disable (packet goes back into ruleset)
sysctl net.inet.ip.fw.nat64_direct_output=1

Note that I've been running two dozen or more different ipfw tests using this
same testbed and I have not encountered a similar issue with MAC addresses.

I will double check all this when 13.1 lands.

-- 
You are receiving this mail because:
You are the assignee for the bug.
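The reporter's Wireshark reading can be automated for a whole capture. The following script is an added example, not part of the bug report and not FreeBSD or ipfw code: it decodes the Ethernet II header of each frame, flags a destination MAC that equals the source MAC or the egress interface's own address, and compares the destination MAC with the router's `ndp -a` entry for the packet's IPv6 destination, which is the check that catches this class of bug regardless of which address got duplicated. The two frames are constructed from the addresses quoted in the report; the external1 host's IPv4 address is not given in the text, so 203.0.113.10 is assumed, and its IPv6 form is derived with the RFC 6052 mapping into 64:ff9b::/96 that nat64lsn uses.

```python
"""Check Ethernet frames for a NAT64 reply whose destination MAC is wrong.

Added example, not from the bug report or from FreeBSD.  All frames here are
constructed in-line from the addresses in the report; nothing is captured.
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_from_str(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))


def nat64_map(prefix96: str, v4: str) -> str:
    """RFC 6052 mapping of an IPv4 address into a /96 NAT64 prefix (e.g. 64:ff9b::)."""
    base = int(ipaddress.IPv6Address(prefix96))
    return str(ipaddress.IPv6Address(base + int(ipaddress.IPv4Address(v4))))


def parse_frame(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet II header and, for IPv6, the src/dst addresses."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dst_mac": mac_to_str(dst),
        "src_mac": mac_to_str(src),
        "ethertype": ethertype,
        # First octet of the destination: bit 1 = locally administered (the LG bit
        # Wireshark shows), bit 0 = group/multicast (the IG bit).
        "dst_locally_administered": bool(dst[0] & 0x02),
        "dst_multicast": bool(dst[0] & 0x01),
    }
    if ethertype == ETHERTYPE_IPV6 and len(frame) >= 14 + 40:
        ip6 = frame[14:54]                      # fixed 40-byte IPv6 header
        info["ip6_src"] = str(ipaddress.IPv6Address(ip6[8:24]))
        info["ip6_dst"] = str(ipaddress.IPv6Address(ip6[24:40]))
    return info


def check_frame(frame: bytes, neighbors: dict, own_mac: str) -> list:
    """Return a list of problems; an empty list means the L2 header looks sane."""
    info = parse_frame(frame)
    problems = []
    if info["dst_mac"] == info["src_mac"]:
        problems.append("destination MAC equals source MAC")
    if info["dst_mac"] == own_mac and not info["dst_multicast"]:
        problems.append("destination MAC is the egress interface's own address")
    expected = neighbors.get(info.get("ip6_dst"))
    if expected is not None and expected != info["dst_mac"]:
        problems.append(
            f"destination MAC {info['dst_mac']} != neighbor cache entry "
            f"{expected} for {info['ip6_dst']}")
    return problems


def build_ipv6_frame(dst_mac: str, src_mac: str, ip6_src: str, ip6_dst: str,
                     payload: bytes = b"") -> bytes:
    """Constructed frame: Ethernet II header plus a minimal IPv6 header (next header 6 = TCP)."""
    eth = struct.pack("!6s6sH", mac_from_str(dst_mac), mac_from_str(src_mac), ETHERTYPE_IPV6)
    ip6 = struct.pack("!IHBB16s16s",
                      0x60000000,              # version 6, traffic class 0, flow label 0
                      len(payload), 6, 64,     # payload length, next header, hop limit
                      ipaddress.IPv6Address(ip6_src).packed,
                      ipaddress.IPv6Address(ip6_dst).packed)
    return eth + ip6 + payload


# Neighbor cache as shown by `ndp -a` on the router (v6only.example.com is
# 2001:db8:12::1 per the host's ifconfig output in the report).
NDP_TABLE = {
    "2001:db8:12::1": "02:49:de:ad:be:ef",
    "2001:db8:12::2": "02:49:50:46:57:42",
}
EM1_MAC = "02:49:50:46:57:42"
V6ONLY_MAC = "02:49:de:ad:be:ef"

# Assumption: the external1 host's IPv4 address is not in the report text,
# so an RFC 5737 documentation address stands in for it here.
EXTERNAL1_V6 = nat64_map("64:ff9b::", "203.0.113.10")

# Constructed SYN/ACK replies as they would leave em1: one with the duplicated
# MAC the report describes, one with the correct neighbor MAC.
BAD_FRAME = build_ipv6_frame(EM1_MAC, EM1_MAC, EXTERNAL1_V6, "2001:db8:12::1")
GOOD_FRAME = build_ipv6_frame(V6ONLY_MAC, EM1_MAC, EXTERNAL1_V6, "2001:db8:12::1")

if __name__ == "__main__":
    for name, frame in (("bad", BAD_FRAME), ("good", GOOD_FRAME)):
        print(name, parse_frame(frame)["dst_mac"], check_frame(frame, NDP_TABLE, EM1_MAC))
```

To run this against a real testbed, capture on the router with `tcpdump -i em1 -w reply.pcap ip6` and pass each frame's raw bytes (for example from a pcap reader) to `check_frame`, using the live `ndp -a` table; a single offending frame is enough to confirm the symptom without reading Wireshark by hand.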