bugzilla-daemon at netfilter.org
2019-Jun-19 00:31 UTC
[Bug 1343] New: With iPv6 masquerade, ICMPv6 time-exceeded pkts are forwarded with bad checksum
bugzilla.netfilter.org/show_bug.cgi?id=1343

            Bug ID: 1343
           Summary: With iPv6 masquerade, ICMPv6 time-exceeded pkts are
                    forwarded with bad checksum
           Product: netfilter/iptables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: NAT
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: doron.shikmoni+netfilterorg at gmail.com

I have a system that does IPv6 MASQUERADE, a POSTROUTING rule in the NAT table. For the most part it works fine, however ICMPv6 type 3 (TIME-EXCEED) packets seem to have their ICMPv6 checksum botched, and hence are dropped at the next hop.

I see the packets entering via the upstream interface just fine with good cksum, but then on the forwarded-to interface (i.e. after translation) I get bad checksum. The next hop does not see the packet at all.

I looked at nf_nat_proto_icmpv6.c for a bit but so far haven't found much.

Kernel 4.9.168.

e.g. on ingress:

    IP6 (hlim 61, next-header ICMPv6 (58) payload length: 80) 2a01:4f9:0:c001::a015 > 2a01:???:????:????::1: [icmp6 sum ok] ICMP6, time exceeded in-transit for fra16s12-in-x04.1e100.net

on egress:

    IP6 (hlim 60, next-header ICMPv6 (58) payload length: 80) 2a01:4f9:0:c001::a015 > fd01:???:????:????::2:1: [bad icmp6 cksum 0x735b -> 0x705b!] ICMP6, time exceeded in-transit for fra16s12-in-x04.1e100.net

-- 
You are receiving this mail because:
You are watching all bug changes.

bugzilla-daemon at netfilter.org
2019-Jun-19 00:37 UTC
[Bug 1343] With iPv6 masquerade, ICMPv6 time-exceeded pkts are forwarded with bad checksum
bugzilla.netfilter.org/show_bug.cgi?id=1343

doron.shikmoni+netfilterorg at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |doron.shikmoni+netfilterorg
                   |                            |@gmail.com

bugzilla-daemon at netfilter.org
2019-Aug-19 21:48 UTC
[Bug 1343] With iPv6 masquerade, ICMPv6 time-exceeded pkts are forwarded with bad checksum
bugzilla.netfilter.org/show_bug.cgi?id=1343

doron.shikmoni+netfilterorg at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from doron.shikmoni+netfilterorg at gmail.com ---
This seems to have already been addressed, see here: mail-archive.com/netdev at vger.kernel.org/msg166895.html. Tried patching the kernel module and indeed the problem resolves. Appears like the patch has been introduced in kernel 4.12. Hence my experiencing it in 4.9.x.

Closing.
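
The symptom reported in this thread (a valid ICMPv6 checksum on ingress, an invalid one after address translation) can be reproduced offline. The following is an added example, not part of the thread and not the kernel patch it links to: it builds an ICMPv6 time-exceeded message, applies a reverse-NAT rewrite to the outer destination and to the source address inside the quoted packet without touching the checksum, then repairs the checksum with the RFC 1624 incremental update. All function names and addresses are constructed for illustration.

```python
import ipaddress
import struct

def addr(a: str) -> bytes:
    return ipaddress.IPv6Address(a).packed

def csum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded, not inverted."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo(src: str, dst: str, length: int) -> bytes:
    """IPv6 pseudo-header: addresses, upper-layer length, next header 58."""
    return addr(src) + addr(dst) + struct.pack("!I3xB", length, 58)

def icmp6_checksum(src: str, dst: str, msg: bytes) -> int:
    """Full recomputation with the checksum field (bytes 2-3) zeroed."""
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return ~csum16(pseudo(src, dst, len(msg)) + zeroed) & 0xFFFF

def checksum_ok(src: str, dst: str, msg: bytes) -> bool:
    """Receiver-side check: the sum over everything must be 0xFFFF."""
    return csum16(pseudo(src, dst, len(msg)) + msg) == 0xFFFF

def adjust(csum: int, old: bytes, new: bytes) -> int:
    """RFC 1624 eqn 3, HC' = ~(~HC + ~m + m'), for 16-bit-aligned bytes."""
    inv_old = bytes(b ^ 0xFF for b in old)
    return ~csum16(struct.pack("!H", ~csum & 0xFFFF) + inv_old + new) & 0xFFFF

# Constructed sample addresses (not the ones from the report).
HOP, TARGET = "2001:db8:ffff::a015", "2001:db8:aaaa::4"
PUBLIC, INTERNAL = "2001:db8:1::1", "fd00:db8:2::2:1"

def demo():
    # Time exceeded (type 3) quoting the masqueraded packet PUBLIC -> TARGET.
    inner = struct.pack("!IHBB", 6 << 28, 8, 17, 1) + addr(PUBLIC) + addr(TARGET) + bytes(8)
    msg = bytes([3, 0, 0, 0]) + bytes(4) + inner
    good = icmp6_checksum(HOP, PUBLIC, msg)
    msg = msg[:2] + struct.pack("!H", good) + msg[4:]
    # Reverse NAT rewrites the outer destination and the quoted source.
    stale = msg[:16] + addr(INTERNAL) + msg[32:]
    fixed_csum = adjust(adjust(good, addr(PUBLIC), addr(INTERNAL)), addr(PUBLIC), addr(INTERNAL))
    fixed = stale[:2] + struct.pack("!H", fixed_csum) + stale[4:]
    return (checksum_ok(HOP, PUBLIC, msg), checksum_ok(HOP, INTERNAL, stale),
            checksum_ok(HOP, INTERNAL, fixed), fixed_csum == icmp6_checksum(HOP, INTERNAL, stale))

if __name__ == "__main__": print(demo())
```

The second element of the result is the failing case: the translated message still carries the checksum computed for the pre-translation addresses, which is what a receiver or tcpdump flags as a bad icmp6 cksum.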