bugzilla-daemon at netfilter.org
2019-Jun-08 17:57 UTC
[Bug 1342] New: IPv6 NAT translates to addresses outside of specified range
https://bugzilla.netfilter.org/show_bug.cgi?id=1342

            Bug ID: 1342
           Summary: IPv6 NAT translates to addresses outside of specified range
           Product: netfilter/iptables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: NAT
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: zrm at trustiosity.com

Take a rule like this:

ip6tables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1000::1:ffff:ffff-1000::2:0:0

The kernel was then observed choosing the address 1000::2:ffff:ffff as the translation, which is outside the specified range.

This is the code in find_best_ips_proto() in nf_nat_core.c. It assumes that in each u32 of the IPv6 address, the minimum value is not larger than the maximum, even though that is only required for the most significant u32 of the address. It also assumes the minimum will be zero (full_range) whenever the previously chosen u32 was not the maximum, which may not be true when the previously chosen u32 was the minimum.

It might not be that unreasonable to just refuse IPv6 NAT ranges that split like this, but in that case it should be documented and there should be an error when you try to insert the rule.

--
You are receiving this mail because:
You are watching all bug changes.
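The two assumptions named in the report can be reproduced with a small user-space model. This is an added example, not the kernel's source and not code from the reporter: `addr6`, `scale`, `pick_per_word`, `in_range` and the constructed hash words `H_UPPER` and `H_LOWER` are hypothetical names, and the per-word hash is supplied by the caller instead of being computed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 address as four host-order u32 words, most significant first. */
typedef struct { uint32_t w[4]; } addr6;

/* Range from the rule in the report: 1000::1:ffff:ffff-1000::2:0:0 */
static const addr6 RULE_MIN = {{0x10000000u, 0, 1, 0xffffffffu}};
static const addr6 RULE_MAX = {{0x10000000u, 0, 2, 0}};
/* Constructed per-word hash inputs (assumption, not real hash output). */
static const uint32_t H_UPPER[4] = {0, 0, 0x80000000u, 0};
static const uint32_t H_LOWER[4] = {0, 0, 0, 0x10};

/* Map a 32-bit hash onto [0, dist) by multiply-and-shift. */
static uint32_t scale(uint32_t h, uint32_t dist) {
    return (uint32_t)(((uint64_t)h * dist) >> 32);
}

/* Per-word selection as the report describes it (hypothetical model). */
static addr6 pick_per_word(addr6 min, addr6 max, const uint32_t h[4]) {
    addr6 out;
    bool full_range = false;
    for (int i = 0; i < 4; i++) {
        /* Assumes min.w[i] <= max.w[i]; otherwise dist wraps around. */
        uint32_t lo = full_range ? 0 : min.w[i];
        uint32_t dist = full_range ? ~0u : max.w[i] - min.w[i] + 1;
        out.w[i] = lo + scale(h[i], dist);
        /* Assumes that below the maximum any lower word is acceptable. */
        full_range = full_range || out.w[i] != max.w[i];
    }
    return out;
}

/* Reference check: compare the address as one 128-bit value. */
static int cmp128(addr6 a, addr6 b) {
    for (int i = 0; i < 4; i++)
        if (a.w[i] != b.w[i])
            return a.w[i] < b.w[i] ? -1 : 1;
    return 0;
}
static bool in_range(addr6 a, addr6 min, addr6 max) {
    return cmp128(min, a) <= 0 && cmp128(a, max) <= 0;
}

int main(void) {
    addr6 a = pick_per_word(RULE_MIN, RULE_MAX, H_UPPER);
    printf("%x:%x:%x:%x in_range=%d\n", a.w[0], a.w[1], a.w[2], a.w[3], in_range(a, RULE_MIN, RULE_MAX));
    return 0;
}
```

With `H_UPPER` the model lands on the address the report observed, above the range; with `H_LOWER` it lands below the range minimum, which is the second assumption failing.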
bugzilla-daemon at netfilter.org
2019-Jun-08 17:59 UTC
[Bug 1342] IPv6 NAT translates to addresses outside of specified range
https://bugzilla.netfilter.org/show_bug.cgi?id=1342

zrm at trustiosity.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zrm at trustiosity.com
bugzilla-daemon at netfilter.org
2019-Jun-20 06:04 UTC
[Bug 1342] IPv6 NAT translates to addresses outside of specified range
https://bugzilla.netfilter.org/show_bug.cgi?id=1342

Castrob <castro8583bennett at gmx.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |castro8583bennett at gmx.com

--- Comment #1 from Castrob <castro8583bennett at gmx.com> ---
May I know the solution? I also have the same problem.

Castro B, https://rechargevodafone.co.uk/