Date: Wed, 19 May 2021 16:57:59 +0000 From: bugzilla-noreply@freebsd.org To: ipfw@FreeBSD.org Subject: [Bug 255928] ipfw: nat64 not working on 13.0-RELEASE Message-ID: <bug-255928-8303-dROEcxjMkP@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-255928-8303@https.bugs.freebsd.org/bugzilla/> References: <bug-255928-8303@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D255928 --- Comment #4 from PaulC <paul.chakravarti@gmail.com> --- Thanks for having a look at this. Additional information below. # sysctl net.inet.ip | egrep "forward|redir" net.inet.ip.forwarding: 1 net.inet.ip.redirect: 1 # netstat -rn Routing tables Internet: Destination Gateway Flags Netif Expire default 192.168.1.1 UGS vtnet0 127.0.0.1 link#2 UH lo0 192.168.1.0/24 link#1 U vtnet0 192.168.1.55 link#1 UHS lo0 Internet6: Destination Gateway Flags N= etif Expire ::/96 ::1 UGRS = lo0 default fe80::1%vtnet0 UGS vt= net0 ::1 link#2 UHS = lo0 ::ffff:0.0.0.0/96 ::1 UGRS = lo0 64:ff9b::/96 ::1 UGS = lo0 2001:470:1d41:1::/64 link#1 U vt= net0 2001:470:1d41:1::55 link#1 UHS = lo0 2001:470:1d41:55::/64 link#3 U bri= dge0 2001:470:1d41:55::1 link#3 UHS = lo0 fe80::/10 ::1 UGRS = lo0 fe80::%vtnet0/64 link#1 U vt= net0 fe80::5a9c:fcff:fe08:4fd0%vtnet0 link#1 UHS = lo0 fe80::%lo0/64 link#2 U = lo0 fe80::1%lo0 link#2 UHS = lo0 fe80::%bridge0/64 link#3 U bri= dge0 fe80::1%bridge0 link#3 UHS = lo0 fe80::5a9c:fcff:fe10:ff96%bridge0 link#3 UHS = lo0 ff02::/16 ::1 UGRS = lo0 # tcpdump -nqi ipfw0 icmp or 'icmp6[icmp6type]=3Dicmp6-echo' 16:39:35.351581 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16 16:39:35.351603 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16 16:39:35.351629 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq = 0, length 16 16:39:35.351632 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq = 0, length 16 16:39:35.351692 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44 16:39:35.351696 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44 16:39:35.369844 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1025, seq 0, length 16 # tcpdump -nqei ipfwlog0 16:39:35.351611 rule 3232235831..67174657/0(match) [uid 0]: nat in on NAT64= LSN: 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length = 16 16:39:35.351619 rule 3232235831..67174657/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length= 16 The same configuration definitely worked on 12.2-RELEASE (systems are configured from the same build script). The difference seems to be the way = the the translated ICMP request is handled. In 13.0 it seems to go back through= the ipfw rules (generating the ICMP redirect and the IPFW state that prevents t= he packet getting back to the NAT64 rule) whereas on 12.2 this doesn't seem to happen.=20 >From an equivalent a 12.2-RELEASE system: # uname -a FreeBSD v6jail.pchak.net 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC a= md64 # ping6 -c1 64:ff9b::1.1.1.1 PING6(56=3D40+8+8 bytes) 2001:470:1d41:1::50 --> 64:ff9b::101:101 16 bytes from 64:ff9b::101:101, icmp_seq=3D0 hlim=3D57 time=3D30.070 ms --- 64:ff9b::1.1.1.1 ping6 statistics --- 1 packets transmitted, 1 packets received, 0.0% packet loss round-trip min/avg/max/std-dev =3D 30.070/30.070/30.070/0.000 ms # tcpdump -nqi ipfw0 icmp or 'icmp6[icmp6type]=3Dicmp6-echo' 16:45:03.534468 IP6 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16 16:45:03.534483 IP6 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16 16:45:03.564421 IP 1.1.1.1 > 192.168.1.50: ICMP echo reply, id 1024, seq 0, length 16 # tcpdump -nqei ipfwlog0 16:45:03.537560 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64= LSN: 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length = 16 16:45:03.537563 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.50 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length= 16 16:45:03.564423 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64= LSN: 1.1.1.1 > 192.168.1.50: ICMP echo reply, id 1024, seq 0, length 16 16:45:03.564425 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 64:ff9b::101:101 > 2001:470:1d41:1::50: ICMP6, echo reply, seq 0, length 16 # ipfw show 00100 0 0 check-state :default 00200 0 0 allow log ipv6-icmp from any to any icmp6types 135,136 00300 0 0 allow log icmp from any to 192.168.1.50 icmptypes 8 keep-state :default 00400 0 0 allow log ip4 from any to 192.168.1.50 22 00500 0 0 allow log ip4 from any to 192.168.1.50 53 00600 0 0 nat64lsn NAT64 log ip6 from ::1 to 64:ff9b::/96 in 00700 0 0 nat64lsn NAT64 log ip6 from 2001:470:1d41:1::50 to 64:ff9b::/= 96 in 00800 0 0 nat64lsn NAT64 log ip6 from 2001:470:1d41:50::/64 to 64:ff9b:= :/96 in 00900 0 0 nat64lsn NAT64 log ip4 from any to 192.168.1.50 in 01000 0 0 allow log ip4 from 192.168.1.50 to any keep-state :default 01100 19 1936 allow log ip from any to any 65535 0 0 allow ip from any to any # ifconfig -a vtnet0: flags=3D8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric= 0 mtu 1500 options=3D80028<VLAN_MTU,JUMBO_MTU,LINKSTATE> ether 58:9c:fc:01:71:9d inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::5a9c:fcff:fe01:719d%vtnet0 prefixlen 64 scopeid 0x1 inet6 2001:470:1d41:1::50 prefixlen 64 media: Ethernet 10Gbase-T <full-duplex> status: active nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL> lo0: flags=3D8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=3D680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6> inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 inet 127.0.0.1 netmask 0xff000000 groups: lo nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL> bridge0: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu = 1500 ether 02:dd:a6:3d:7b:00 inet6 fe80::dd:a6ff:fe3d:7b00%bridge0 prefixlen 64 scopeid 0x3 inet6 2001:470:1d41:50::1 prefixlen 64 inet6 fe80::1%bridge0 prefixlen 64 scopeid 0x3 id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 groups: bridge nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL> ipfw0: flags=3D8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536 groups: ipfw ipfwlog0: flags=3D8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536 groups: ipfwlog # netstat -rn Routing tables Internet: Destination Gateway Flags Netif Expire default 192.168.1.1 UGS vtnet0 127.0.0.1 link#2 UH lo0 192.168.1.0/24 link#1 U vtnet0 192.168.1.50 link#1 UHS lo0 Internet6: Destination Gateway Flags N= etif Expire ::/96 ::1 UGRS = lo0 default fe80::1%vtnet0 UGS vt= net0 ::1 link#2 UH = lo0 ::ffff:0.0.0.0/96 ::1 UGRS = lo0 64:ff9b::/96 fe80::1%lo0 UGS = lo0 2001:470:1d41:1::/64 link#1 U vt= net0 2001:470:1d41:1::50 link#1 UHS = lo0 2001:470:1d41:50::/64 link#3 U bri= dge0 2001:470:1d41:50::1 link#3 UHS = lo0 fe80::/10 ::1 UGRS = lo0 fe80::%vtnet0/64 link#1 U vt= net0 fe80::5a9c:fcff:fe01:719d%vtnet0 link#1 UHS = lo0 fe80::%lo0/64 link#2 U = lo0 fe80::1%lo0 link#2 UHS = lo0 fe80::%bridge0/64 link#3 U bri= dge0 fe80::1%bridge0 link#3 UHS = lo0 fe80::dd:a6ff:fe3d:7b00%bridge0 link#3 UHS = lo0 ff02::/16 ::1 UGRS = lo0 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-255928-8303-dROEcxjMkP>