From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 255928] ipfw: nat64 not working on 13.0-RELEASE
Date: Wed, 19 May 2021 16:57:59 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Keywords: regression
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: ipfw@FreeBSD.org
List-Archive: https://lists.freebsd.org/archives/freebsd-ipfw

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255928

--- Comment #4 from PaulC ---

Thanks for having a look at this. Additional information below.

# sysctl net.inet.ip | egrep "forward|redir"
net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS      vtnet0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U        vtnet0
192.168.1.55       link#1             UHS         lo0

Internet6:
Destination                        Gateway                        Flags     Netif Expire
::/96                              ::1                            UGRS        lo0
default                            fe80::1%vtnet0                 UGS      vtnet0
::1                                link#2                         UHS         lo0
::ffff:0.0.0.0/96                  ::1                            UGRS        lo0
64:ff9b::/96                       ::1                            UGS         lo0
2001:470:1d41:1::/64               link#1                         U        vtnet0
2001:470:1d41:1::55                link#1                         UHS         lo0
2001:470:1d41:55::/64              link#3                         U       bridge0
2001:470:1d41:55::1                link#3                         UHS         lo0
fe80::/10                          ::1                            UGRS        lo0
fe80::%vtnet0/64                   link#1                         U        vtnet0
fe80::5a9c:fcff:fe08:4fd0%vtnet0   link#1                         UHS         lo0
fe80::%lo0/64                      link#2                         U           lo0
fe80::1%lo0                        link#2                         UHS         lo0
fe80::%bridge0/64                  link#3                         U       bridge0
fe80::1%bridge0                    link#3                         UHS         lo0
fe80::5a9c:fcff:fe10:ff96%bridge0  link#3                         UHS         lo0
ff02::/16                          ::1                            UGRS        lo0

# tcpdump -nqi ipfw0 icmp or 'icmp6[icmp6type]=icmp6-echo'
16:39:35.351581 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:39:35.351603 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:39:35.351629 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
16:39:35.351632 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
16:39:35.351692 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:39:35.351696 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:39:35.369844 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1025, seq 0, length 16

# tcpdump -nqei ipfwlog0
16:39:35.351611 rule 3232235831..67174657/0(match) [uid 0]: nat in on NAT64LSN: 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:39:35.351619 rule 3232235831..67174657/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16

The same configuration definitely worked on 12.2-RELEASE (systems are configured from the same build script). The difference seems to be the way the translated ICMP request is handled. In 13.0 it seems to go back through the ipfw rules (generating the ICMP redirect and the IPFW state that prevents the packet getting back to the NAT64 rule), whereas on 12.2 this doesn't seem to happen.

From an equivalent 12.2-RELEASE system:

# uname -a
FreeBSD v6jail.pchak.net 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC amd64

# ping6 -c1 64:ff9b::1.1.1.1
PING6(56=40+8+8 bytes) 2001:470:1d41:1::50 --> 64:ff9b::101:101
16 bytes from 64:ff9b::101:101, icmp_seq=0 hlim=57 time=30.070 ms

--- 64:ff9b::1.1.1.1 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 30.070/30.070/30.070/0.000 ms

# tcpdump -nqi ipfw0 icmp or 'icmp6[icmp6type]=icmp6-echo'
16:45:03.534468 IP6 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:45:03.534483 IP6 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:45:03.564421 IP 1.1.1.1 > 192.168.1.50: ICMP echo reply, id 1024, seq 0, length 16

# tcpdump -nqei ipfwlog0
16:45:03.537560 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64LSN: 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:45:03.537563 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.50 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:45:03.564423 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64LSN: 1.1.1.1 > 192.168.1.50: ICMP echo reply, id 1024, seq 0, length 16
16:45:03.564425 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 64:ff9b::101:101 > 2001:470:1d41:1::50: ICMP6, echo reply, seq 0, length 16

# ipfw show
00100   0    0 check-state :default
00200   0    0 allow log ipv6-icmp from any to any icmp6types 135,136
00300   0    0 allow log icmp from any to 192.168.1.50 icmptypes 8 keep-state :default
00400   0    0 allow log ip4 from any to 192.168.1.50 22
00500   0    0 allow log ip4 from any to 192.168.1.50 53
00600   0    0 nat64lsn NAT64 log ip6 from ::1 to 64:ff9b::/96 in
00700   0    0 nat64lsn NAT64 log ip6 from 2001:470:1d41:1::50 to 64:ff9b::/96 in
00800   0    0 nat64lsn NAT64 log ip6 from 2001:470:1d41:50::/64 to 64:ff9b::/96 in
00900   0    0 nat64lsn NAT64 log ip4 from any to 192.168.1.50 in
01000   0    0 allow log ip4 from 192.168.1.50 to any keep-state :default
01100  19 1936 allow log ip from any to any
65535   0    0 allow ip from any to any

# ifconfig -a
vtnet0: flags=8943 metric 0 mtu 1500
        options=80028
        ether 58:9c:fc:01:71:9d
        inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::5a9c:fcff:fe01:719d%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2001:470:1d41:1::50 prefixlen 64
        media: Ethernet 10Gbase-T
        status: active
        nd6 options=21
lo0: flags=8049 metric 0 mtu 16384
        options=680003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21
bridge0: flags=8843 metric 0 mtu 1500
        ether 02:dd:a6:3d:7b:00
        inet6 fe80::dd:a6ff:fe3d:7b00%bridge0 prefixlen 64 scopeid 0x3
        inet6 2001:470:1d41:50::1 prefixlen 64
        inet6 fe80::1%bridge0 prefixlen 64 scopeid 0x3
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        groups: bridge
        nd6 options=21
ipfw0: flags=8801 metric 0 mtu 65536
        groups: ipfw
ipfwlog0: flags=8801 metric 0 mtu 65536
        groups: ipfwlog

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS      vtnet0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U        vtnet0
192.168.1.50       link#1             UHS         lo0

Internet6:
Destination                        Gateway                        Flags     Netif Expire
::/96                              ::1                            UGRS        lo0
default                            fe80::1%vtnet0                 UGS      vtnet0
::1                                link#2                         UH          lo0
::ffff:0.0.0.0/96                  ::1                            UGRS        lo0
64:ff9b::/96                       fe80::1%lo0                    UGS         lo0
2001:470:1d41:1::/64               link#1                         U        vtnet0
2001:470:1d41:1::50                link#1                         UHS         lo0
2001:470:1d41:50::/64              link#3                         U       bridge0
2001:470:1d41:50::1                link#3                         UHS         lo0
fe80::/10                          ::1                            UGRS        lo0
fe80::%vtnet0/64                   link#1                         U        vtnet0
fe80::5a9c:fcff:fe01:719d%vtnet0   link#1                         UHS         lo0
fe80::%lo0/64                      link#2                         U           lo0
fe80::1%lo0                        link#2                         UHS         lo0
fe80::%bridge0/64                  link#3                         U       bridge0
fe80::1%bridge0                    link#3                         UHS         lo0
fe80::dd:a6ff:fe3d:7b00%bridge0    link#3                         UHS         lo0
ff02::/16                          ::1                            UGRS        lo0
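Added example, not part of the bug report or of FreeBSD's own code: a small Python parser for the ipfwlog0 lines quoted in the comment above. It groups the nat64lsn records per translated session and flags sessions where the IPv4 reply never came back through the translator, which is exactly the difference between the 13.0 and 12.2 captures (two legs versus four). The "rule" field is decoded as the IPv4 alias address, which the page's own numbers support (3232235831 is 192.168.1.55, 3232235826 is 192.168.1.50); the layout of the "subrule" field (high 16 bits = alias port / ICMP id, next byte = IP protocol) is an assumption that merely agrees with the id 1025 / id 1024 values in the tcpdump output and is not confirmed from kernel source. The sample lines are copied from the comment and embedded so the script runs offline.

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample input: the ipfwlog0 lines quoted in the comment above,
# two from the 13.0 host (alias 192.168.1.55) and four from the 12.2 host
# (alias 192.168.1.50).
SAMPLE_13_0 = """\
16:39:35.351611 rule 3232235831..67174657/0(match) [uid 0]: nat in on NAT64LSN: 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:39:35.351619 rule 3232235831..67174657/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
"""

SAMPLE_12_2 = """\
16:45:03.537560 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64LSN: 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:45:03.537563 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 192.168.1.50 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:45:03.564423 rule 3232235826..67109121/0(match) [uid 0]: nat in on NAT64LSN: 1.1.1.1 > 192.168.1.50: ICMP echo reply, id 1024, seq 0, length 16
16:45:03.564425 rule 3232235826..67109121/0(match) [uid 0]: nat out on NAT64LSN: 64:ff9b::101:101 > 2001:470:1d41:1::50: ICMP6, echo reply, seq 0, length 16
"""

# One "tcpdump -nqei ipfwlog0" record as printed for a nat64lsn instance.
# The destination is matched non-greedily up to the first ": " so that
# IPv6 addresses (which contain ':' but never ': ') are captured whole.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)\.\.(?P<sub>\d+)/\d+\((?P<act>\w+)\)"
    r" \[uid \d+\]: nat (?P<dir>in|out) on (?P<inst>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one nat64lsn log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rule = int(m["rule"])
    sub = int(m["sub"])
    return {
        "ts": m["ts"],
        "dir": m["dir"],
        "family": 6 if ":" in m["src"] else 4,
        "src": m["src"],
        "dst": m["dst"],
        "info": m["rest"],
        # The 'rule' number is the IPv4 alias address as a 32-bit integer:
        # 3232235831 -> 192.168.1.55 and 3232235826 -> 192.168.1.50, as on the page.
        "alias": socket.inet_ntoa(struct.pack("!I", rule)),
        # ASSUMED layout of 'subrule': high 16 bits = alias port / ICMP id,
        # next byte = IP protocol. 67174657 -> port 1025, proto 1 (ICMP), which
        # agrees with "id 1025" in the IPv4 tcpdump line. Low byte is ignored.
        "aport": sub >> 16,
        "proto": (sub >> 8) & 0xFF,
    }


def session_legs(text):
    """Group records by (alias, aport) and list the translation legs seen, in order.
    A complete ICMP echo through nat64lsn shows four legs:
    in/6 (request in), out/4 (translated out), in/4 (reply in), out/6 (reply out)."""
    legs = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            legs[(rec["alias"], rec["aport"])].append(f"{rec['dir']}/{rec['family']}")
    return dict(legs)


def incomplete_sessions(text):
    """Sessions whose reply never left the translator as IPv6 (no out/6 leg),
    which is what the 13.0 capture above shows."""
    return {k: v for k, v in session_legs(text).items() if "out/6" not in v}


if __name__ == "__main__":
    for name, text in (("13.0", SAMPLE_13_0), ("12.2", SAMPLE_12_2)):
        for (alias, port), legs in session_legs(text).items():
            status = "OK" if "out/6" in legs else "NO RETURN"
            print(f"{name}: alias {alias} port {port}: {' -> '.join(legs)}  [{status}]")
```

Feed it a real capture with `tcpdump -nqei ipfwlog0 | python3 this_script.py` after swapping the embedded samples for `sys.stdin.read()`; any session reported as NO RETURN is one whose translated reply was consumed elsewhere (here, by the stateful rule and the ICMP redirect on the 13.0 host) before it reached the nat64lsn rule again.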