bugzilla-daemon at netfilter.org
2013-Sep-11 18:52 UTC
[Bug 851] New: IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851

           Summary: IPv6 SNAT target with --random doesn't work
           Product: netfilter/iptables
           Version: unspecified
          Platform: x86_64
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: NAT
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: netfilter at null.bumpern.de
   Estimated Hours: 0.0


Hi,

I would like to use the IPv6 SNAT target with --random, and that does not seem to work (on an experimental network I'm preparing, not in the open Internet). The situation is as follows:

+----------------+                       +------------------+
|                |                       |     monitor      |
|                |                       |                  |
|   gw       eth2|<---------------------+|eth0              |
|                |                       |                  |
|   eth1         |                       |                  |
+----------------+                       +------------------+
    +                                    fd73:d95d:a475:1001:255:64ff:fe9c:6eef
    |
    |
    v   fd73:d95d:a475:1000::1
+-----------------+
|eth0             |
|                 |
|                 |
|                 |
|      other      |
+-----------------+

I have a gateway and two other clients called "monitor" and "other". When "monitor" communicates with "other", the source IP address should be translated to an IP address between fd73:d95d:a475:ffff::1 and fd73:d95d:a475:ffff::a. When a SNAT rule is inserted on the gateway, this works.

On gw:

This basically works, as the following tcpdump (on gw) output shows:

# ip6tables -t nat -A POSTROUTING -o eth1 -s fd73:d95d:a475:1001::/64 -j SNAT --to-source fd73:d95d:a475:ffff::1-fd73:d95d:a475:ffff::a
# tcpdump -n -i eth1 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:42:23.210428 IP6 fd73:d95d:a475:ffff::a > fd73:d95d:a475:1000::1: ICMP6, echo request, seq 1, length 64
20:42:23.210704 IP6 fd73:d95d:a475:1000::1 > fd73:d95d:a475:ffff::a: ICMP6, echo reply, seq 1, length 64
20:42:24.209394 IP6 fd73:d95d:a475:ffff::a > fd73:d95d:a475:1000::1: ICMP6, echo request, seq 2, length 64
20:42:24.209669 IP6 fd73:d95d:a475:1000::1 > fd73:d95d:a475:ffff::a: ICMP6, echo reply, seq 2, length 64
^C
4 packets captured
4 packets received by filter

When the option --random is used, it does not work any more (again, on gw):

# ip6tables -t nat -D POSTROUTING -o eth1 -s fd73:d95d:a475:1001::/64 -j SNAT --to-source fd73:d95d:a475:ffff::1-fd73:d95d:a475:ffff::a
# ip6tables -t nat -A POSTROUTING -o eth1 -s fd73:d95d:a475:1001::/64 -j SNAT --to-source fd73:d95d:a475:ffff::1-fd73:d95d:a475:ffff::a --random
# tcpdump -n -i eth1 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:50:31.523526 IP6 fd73:d95d:a475:ffff::a > fd73:d95d:a475:1000::1: ICMP6, echo request, seq 1, length 64
20:50:31.523786 IP6 fd73:d95d:a475:1000::1 > fd73:d95d:a475:ffff::a: ICMP6, echo reply, seq 1, length 64
20:50:31.523830 IP6 fe80::21b:21ff:fe69:5fdd > fd73:d95d:a475:1000::1: ICMP6, destination unreachable, unreachable route fd73:d95d:a475:ffff::a, length 112
20:50:32.530121 IP6 fd73:d95d:a475:ffff::a > fd73:d95d:a475:1000::1: ICMP6, echo request, seq 2, length 64
20:50:32.530368 IP6 fd73:d95d:a475:1000::1 > fd73:d95d:a475:ffff::a: ICMP6, echo reply, seq 2, length 64
20:50:32.530405 IP6 fe80::21b:21ff:fe69:5fdd > fd73:d95d:a475:1000::1: ICMP6, destination unreachable, unreachable route fd73:d95d:a475:ffff::a, length 112
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

Although a connection tracking entry is created, which looks valid (at least for me), on gw:

# conntrack -n -L -f ipv6
icmpv6   58 23 src=fd73:d95d:a475:1001:225:64ff:fe9c:6eef dst=fd73:d95d:a475:1000::1 type=128 code=0 id=24124 [UNREPLIED] src=fd73:d95d:a475:1000::1 dst=fd73:d95d:a475:ffff::a type=129 code=0 id=1 mark=0 use=1
conntrack v1.2.1 (conntrack-tools): 1 flow entries have been shown.

I have no idea on how to debug this further. This was tested on a Ubuntu 13.04 system with the default kernel (3.8) and 3.11.0:

# uname -a
Linux gw 3.11.0-7-generic #13-Ubuntu SMP Tue Sep 10 20:55:38 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

I also had a look at the recent commits to the kernel-code git-repository, but found no patches which touch this functionality.

Did I do something wrong? Is this a bug? I'm happy to help debugging this...

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
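An added check, not part of the bug report: it scans tcpdump lines like the ones quoted above for ICMPv6 "unreachable route" reports that name an address from the SNAT pool (the symptom of reply packets not being reverse-translated) and validates that a conntrack entry's reply-direction destination lies inside the configured --to-source range. The sample lines are copied from the report; the port randomisation itself is not modelled.

```python
import ipaddress
import re

# Constructed sample input: the --random tcpdump lines and the conntrack entry
# quoted in the bug report above (only the first round trip is kept).
SAMPLE_TCPDUMP = """\
20:50:31.523526 IP6 fd73:d95d:a475:ffff::a > fd73:d95d:a475:1000::1: ICMP6, echo request, seq 1, length 64
20:50:31.523786 IP6 fd73:d95d:a475:1000::1 > fd73:d95d:a475:ffff::a: ICMP6, echo reply, seq 1, length 64
20:50:31.523830 IP6 fe80::21b:21ff:fe69:5fdd > fd73:d95d:a475:1000::1: ICMP6, destination unreachable, unreachable route fd73:d95d:a475:ffff::a, length 112
"""
SAMPLE_CONNTRACK = (
    "icmpv6 58 23 src=fd73:d95d:a475:1001:225:64ff:fe9c:6eef dst=fd73:d95d:a475:1000::1 "
    "type=128 code=0 id=24124 [UNREPLIED] src=fd73:d95d:a475:1000::1 "
    "dst=fd73:d95d:a475:ffff::a type=129 code=0 id=1 mark=0 use=1"
)

UNREACH_RE = re.compile(r"destination unreachable, unreachable route ([0-9a-fA-F:]+),")
TUPLE_RE = re.compile(r"src=([0-9a-fA-F:]+) dst=([0-9a-fA-F:]+)")


def parse_snat_range(spec):
    """Parse an ip6tables --to-source value ('a' or 'a-b') into (first, last)."""
    lo, _, hi = spec.partition("-")
    first = ipaddress.IPv6Address(lo)
    return first, (ipaddress.IPv6Address(hi) if hi else first)


def in_pool(addr, pool):
    return pool[0] <= ipaddress.IPv6Address(addr) <= pool[1]


def find_untranslated_replies(tcpdump_text, pool):
    """Return (timestamp, address) for each 'unreachable route' report naming a
    pool address: replies to the pool must be un-NATed by conntrack, not routed."""
    hits = []
    for line in tcpdump_text.splitlines():
        m = UNREACH_RE.search(line)
        if m and in_pool(m.group(1), pool):
            hits.append((line.split()[0], m.group(1)))
    return hits


def conntrack_snat_ok(entry, client_net, pool):
    """Check one `conntrack -L` line: the original-direction src must be a client
    and the reply-direction dst (the translated address) must lie in the pool."""
    tuples = TUPLE_RE.findall(entry)
    if len(tuples) != 2:
        return False
    (orig_src, _), (_, reply_dst) = tuples
    return (ipaddress.IPv6Address(orig_src) in ipaddress.IPv6Network(client_net)
            and in_pool(reply_dst, pool))
```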
bugzilla-daemon at netfilter.org
2013-Sep-12 17:34 UTC
[Bug 851] IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851

--- Comment #1 from Alexander Neumann <netfilter at null.bumpern.de> 2013-09-12 19:34:22 CEST ---
Hi again,

in order to clear things up, let me summarise this bug from my point of view:

 * IPv6 SNAT for a range of IP addresses works
 * IPv6 SNAT does not work for a range of IP addresses with --random, answer packets are not translated back to the original source IP

Desired behavior: Answer packets to packets which did undergo SNAT should be translated back to the original source IP even when --random is used.

Observed behaviour: Answer packets to packets which did undergo SNAT are not translated back, instead an ICMP packet is sent that the translated IP address is unreachable.

Maybe this summary clears things up. I'm really interested in solving this bug, so please contact me when you have an idea on how to debug it...

Best regards,
Alex
bugzilla-daemon at netfilter.org
2013-Sep-12 22:15 UTC
[Bug 851] IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #2 from Phil Oester <netfilter at linuxace.com> 2013-09-13 00:15:47 CEST ---
I confirm that for ICMPv6 packets, the --random option is currently broken. That will be investigated. However, I will note that for TCP and UDP packets it is currently working properly.

Also, just to confirm you understand that the --random option randomizes _ports_ not IP addresses:

    If option --random is used then *port* mapping will be randomized

Your intentions with using that option are unclear, given you only illustrate ICMP traffic in your example.
bugzilla-daemon at netfilter.org
2013-Sep-13 00:38 UTC
[Bug 851] IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851

--- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-09-13 02:38:19 CEST ---
Created attachment 412
  --> https://bugzilla.netfilter.org/attachment.cgi?id=412
icmpv6_manip_pkt patch

Please test the attached patch, and confirm this fixes your issue.
bugzilla-daemon at netfilter.org
2013-Sep-13 08:22 UTC
[Bug 851] IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851

--- Comment #4 from Alexander Neumann <netfilter at null.bumpern.de> 2013-09-13 10:22:22 CEST ---
Hi Phil,

thanks a lot for looking into this. I confirm I understood that --random only randomises ports, not IP addresses. In my use-case I want to hide a lot of clients behind a few IP addresses (disclaimer: network not connected to the Internet, just for a capture-the-flag game) and the receiver should not be able to easily distinguish the clients from one another. So I thought randomising the source ports is a nice idea. Is there a way to randomise this further, even the IP addresses?

I confirm that IPv6 SNAT works for UDP and TCP packets and I will test the patch this evening.

Thanks again,
Alex
bugzilla-daemon at netfilter.org
2013-Sep-13 09:11 UTC
[Bug 851] IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851

--- Comment #5 from Alexander Neumann <netfilter at null.bumpern.de> 2013-09-13 11:11:55 CEST ---
Hi,

the patch fixes the issue, ICMPv6 through SNAT with --random flag works.

Best regards,
- Alex
bugzilla-daemon at netfilter.org
2013-Sep-14 17:32 UTC
[Bug 851] IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851

--- Comment #6 from Alexander Neumann <netfilter at null.bumpern.de> 2013-09-14 19:32:54 CEST ---
Hi,

am I supposed to close this bug?

Best regards,
Alex
bugzilla-daemon at netfilter.org
2013-Sep-14 20:10 UTC
[Bug 851] IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851

--- Comment #7 from Phil Oester <netfilter at linuxace.com> 2013-09-14 22:10:37 CEST ---
I will close when the patch is accepted upstream.
bugzilla-daemon at netfilter.org
2013-Sep-15 15:29 UTC
[Bug 851] IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #8 from Phil Oester <netfilter at linuxace.com> 2013-09-15 17:29:16 CEST ---
Patch accepted as commit d830f0fa (netfilter: nf_nat_proto_icmpv6: fix wrong comparison in icmpv6_manip_pkt). Closing.