bugzilla-daemon at netfilter.org
2024-Aug-28 19:28 UTC
[Bug 1771] New: Stateless NAT ICMP Payload Mismatch
https://bugzilla.netfilter.org/show_bug.cgi?id=1771

            Bug ID: 1771
           Summary: Stateless NAT ICMP Payload Mismatch
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: echo at lethedata.com

When using the following ruleset for stateless NAT, ICMP payloads are not
mangled. This leads to a mismatch between the packet's IPv4 header and the
IPv4 header quoted in the ICMP payload of destination-unreachable (type 3)
packets, causing the receiving host to drop them.

Internal to external:
  IPv4 Header        - Src: 192.0.2.2,     Dst: 100.64.1.105
  ICMP Type 3 Payload - Src: 203.0.113.100, Dst: 192.0.2.2

External to internal:
  IPv4 Header        - Src: 203.0.113.100, Dst: 203.0.113.200
  ICMP Type 3 Payload - Src: 203.0.113.200, Dst: 100.64.1.105

table ip NAT {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iif "eth0" ip daddr 203.0.113.100 ip daddr set 100.64.1.105 notrack return
    }

    chain postrouting {
        type filter hook postrouting priority raw; policy accept;
        oif "eth0" ip saddr 100.64.1.105 ip saddr set 203.0.113.100 notrack return
    }
}

OS: Void Linux
version: nftables v1.1.0 (Commodore Bullmoose)
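The mismatch the report describes is easiest to see on the wire: an ICMP error carries a copy of the offending packet's IPv4 header, and a stateless `ip daddr set` / `ip saddr set` rule rewrites only the outer header, so the quoted copy still names the other side of the mapping. The following Python is an added diagnostic, not part of the bug report or of nftables: it rebuilds the two type 3 packets from the report as constructed byte strings, reports which address field was left untranslated on each side, and shows what a complete translation of such a packet has to do (rewrite the quoted header and recompute the inner IP, ICMP and outer IP checksums). The 100.64.1.105 <-> 203.0.113.100 mapping, the interface sides and the quoted UDP header are taken or assumed from the report; the checksum-adjacent transport fix-up is noted in a comment rather than implemented.

```python
import struct
from ipaddress import ip_address

PRIVATE, PUBLIC = "100.64.1.105", "203.0.113.100"   # mapping from the reported ruleset


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a header that carries its own checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IHL 5, TTL 64) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_dest_unreach(outer_src, outer_dst, inner_src, inner_dst) -> bytes:
    """Constructed ICMP type 3 / code 3 quoting a 28-byte UDP datagram (checksum disabled)."""
    quoted = ipv4_header(inner_src, inner_dst, 17, 28) + struct.pack("!HHHH", 40000, 53, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(outer_src, outer_dst, 1, 20 + len(icmp)) + icmp


# The two packets as the report observed them after the stateless rules ran.
TO_INTERNAL = icmp_dest_unreach("192.0.2.2", PRIVATE, PUBLIC, "192.0.2.2")       # outer dst rewritten only
TO_EXTERNAL = icmp_dest_unreach(PUBLIC, "203.0.113.200", "203.0.113.200", PRIVATE)  # outer src rewritten only


def addresses(pkt: bytes) -> dict:
    """Outer and quoted-inner addresses of an ICMP error packet (outer IHL honoured)."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if pkt[9] != 1 or icmp[0] not in (3, 4, 5, 11, 12):
        raise ValueError("not an ICMP error packet")
    inner = icmp[8:]
    return {
        "outer_src": str(ip_address(pkt[12:16])),
        "outer_dst": str(ip_address(pkt[16:20])),
        "inner_src": str(ip_address(inner[12:16])),
        "inner_dst": str(ip_address(inner[16:20])),
    }


def untranslated_fields(pkt: bytes, private: str, public: str, side: str) -> list:
    """Fields still carrying the address that must never appear on `side`:
    the internal segment must not see the public address, the external one not the private."""
    forbidden = public if side == "internal" else private
    return [name for name, addr in addresses(pkt).items() if addr == forbidden]


def translate_icmp_error(pkt: bytes, private: str, public: str, direction: str) -> bytes:
    """Complete translation of an ICMP error: rewrite the mapped address in the outer
    header AND in the quoted inner header, then recompute inner IP, ICMP and outer IP checksums.
    A quoted TCP/UDP checksum (if present and non-zero) would need the same fix-up; the
    constructed sample carries a zero UDP checksum, so it is left alone here."""
    old, new = (public, private) if direction == "inbound" else (private, public)
    old_b, new_b = ip_address(old).packed, ip_address(new).packed
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    inner = bytearray(icmp[8:])
    for buf in (outer, inner):
        for off in (12, 16):
            if buf[off:off + 4] == old_b:
                buf[off:off + 4] = new_b
    inner_ihl = (inner[0] & 0x0F) * 4
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", inet_checksum(bytes(inner[:inner_ihl])))
    icmp = icmp[:8] + inner
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", inet_checksum(bytes(icmp)))
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", inet_checksum(bytes(outer)))
    return bytes(outer + icmp)


def checksums_valid(pkt: bytes) -> bool:
    """True when outer IP, ICMP and quoted inner IP checksums all verify."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return (inet_checksum(pkt[:ihl]) == 0 and inet_checksum(icmp) == 0
            and inet_checksum(inner[:inner_ihl]) == 0)


if __name__ == "__main__":
    for name, pkt, side, direction in (("to internal", TO_INTERNAL, "internal", "inbound"),
                                       ("to external", TO_EXTERNAL, "external", "outbound")):
        print(name, "untranslated:", untranslated_fields(pkt, PRIVATE, PUBLIC, side))
        fixed = translate_icmp_error(pkt, PRIVATE, PUBLIC, direction)
        print(name, "after full translation:", untranslated_fields(fixed, PRIVATE, PUBLIC, side))
```

Running it flags `inner_src` on the packet delivered to the internal host and `inner_dst` on the packet leaving towards 203.0.113.200, which is exactly the pair of mismatches the report lists; after the quoted header is rewritten too, neither side sees the other side's address and all three checksums still verify. The check is a useful capture-side test when debugging any NAT setup that bypasses conntrack with `notrack`.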