bugzilla-daemon at netfilter.org
2019-Jun-19 00:31 UTC
[Bug 1343] New: With iPv6 masquerade, ICMPv6 time-exceeded pkts are forwarded with bad checksum
https://bugzilla.netfilter.org/show_bug.cgi?id=1343
Bug ID: 1343
Summary: With iPv6 masquerade, ICMPv6 time-exceeded pkts are
forwarded with bad checksum
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: NAT
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: doron.shikmoni+netfilterorg at gmail.com
I have a system that does IPv6 MASQUERADE, a POSTROUTING rule in the NAT table.
For the most part it works fine; however, ICMPv6 type 3 (TIME-EXCEED) packets seem to
have their ICMPv6 checksum botched, and hence are dropped at the next hop.
I see the packets entering via the upstream interface just fine with good
cksum, but then on the forwarded-to interface (i.e. after translation) I get
bad checksum. The next hop does not see the packet at all.
I looked at nf_nat_proto_icmpv6.c for a bit but so far haven't found much.
Kernel 4.9.168.
e.g. on ingress:

IP6 (hlim 61, next-header ICMPv6 (58) payload length: 80) 2a01:4f9:0:c001::a015 > 2a01:???:????:????::1: [icmp6 sum ok] ICMP6, time exceeded in-transit for fra16s12-in-x04.1e100.net

on egress:

IP6 (hlim 60, next-header ICMPv6 (58) payload length: 80) 2a01:4f9:0:c001::a015 > fd01:???:????:????::2:1: [bad icmp6 cksum 0x735b -> 0x705b!] ICMP6, time exceeded in-transit for fra16s12-in-x04.1e100.net
--
You are receiving this mail because:
You are watching all bug changes.
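The failure mode reported above, reproduced in miniature as an added example (not code from the bug report or from the kernel): the ICMPv6 checksum covers an IPv6 pseudo-header, so rewriting the destination address without adjusting the checksum makes verification fail at the receiver. All addresses and message bytes are constructed, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Add n bytes to a one's-complement accumulator as big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t s) {
    for (; n > 1; p += 2, n -= 2) s += ((uint32_t)p[0] << 8) | p[1];
    return n ? s + ((uint32_t)p[0] << 8) : s;
}
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
/* RFC 4443 sec. 2.3: checksum over pseudo-header (src, dst, length, next
 * header 58) plus the ICMPv6 message. Returns 0 if msg already carries a
 * checksum that is valid for these addresses. */
uint16_t icmp6_cksum(const uint8_t *src, const uint8_t *dst,
                     const uint8_t *msg, size_t len) {
    uint32_t s = sum16(dst, 16, sum16(src, 16, 0));
    s += (uint32_t)len + 58;
    return (uint16_t)~fold(sum16(msg, len, s));
}
/* RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), for every rewritten 16-bit word. */
uint16_t cksum_fixup(uint16_t hc, const uint8_t *old, const uint8_t *cur, size_t n) {
    uint32_t s = (uint16_t)~hc;
    for (size_t i = 0; i + 1 < n; i += 2) {
        s += (uint16_t)~((old[i] << 8) | old[i + 1]);
        s += ((uint32_t)cur[i] << 8) | cur[i + 1];
    }
    return (uint16_t)~fold(s);
}
/* Constructed sample addresses (documentation / ULA prefixes). */
static const uint8_t SRC[16]  = {0x20, 0x01, 0x0d, 0xb8, [15] = 0x15};    /* 2001:db8::15 */
static const uint8_t PUB[16]  = {0x20, 0x01, 0x0d, 0xb8, 0, 1, [15] = 1}; /* 2001:db8:1::1 */
static const uint8_t PRIV[16] = {0xfd, 0x01, [13] = 2, [15] = 1};         /* fd01::2:1 */
/* Rewrite dst PUB -> PRIV on a constructed time-exceeded message (type 3)
 * and return the receiver's verification result: 0 means checksum ok. */
uint16_t after_nat(int fix) {
    uint8_t msg[16] = {3, 0, 0, 0, 0, 0, 0, 0, 0x60, 0, 0, 0, 0, 0x20, 0x3a, 1};
    uint16_t hc = icmp6_cksum(SRC, PUB, msg, sizeof msg);
    if (fix) hc = cksum_fixup(hc, PUB, PRIV, 16);
    msg[2] = hc >> 8; msg[3] = hc & 0xff;
    return icmp6_cksum(SRC, PRIV, msg, sizeof msg);
}
int main(void) {
    printf("no fixup: residue 0x%04x, with fixup: residue 0x%04x\n",
           after_nat(0), after_nat(1));
    return 0;
}
```

NAT of an ICMPv6 error also rewrites the addresses of the packet embedded in the payload; those bytes are covered by the same checksum and need the same adjustment.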
bugzilla-daemon at netfilter.org
2019-Jun-19 00:37 UTC
[Bug 1343] With iPv6 masquerade, ICMPv6 time-exceeded pkts are forwarded with bad checksum
https://bugzilla.netfilter.org/show_bug.cgi?id=1343
doron.shikmoni+netfilterorg at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |doron.shikmoni+netfilterorg@gmail.com
bugzilla-daemon at netfilter.org
2019-Aug-19 21:48 UTC
[Bug 1343] With iPv6 masquerade, ICMPv6 time-exceeded pkts are forwarded with bad checksum
https://bugzilla.netfilter.org/show_bug.cgi?id=1343
doron.shikmoni+netfilterorg at gmail.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |FIXED
Status     |NEW     |RESOLVED
--- Comment #1 from doron.shikmoni+netfilterorg at gmail.com ---
This seems to have already been addressed, see here:
https://www.mail-archive.com/netdev@vger.kernel.org/msg166895.html . Tried
patching the kernel module and indeed the problem resolves.
It appears the patch was introduced in kernel 4.12, hence my
experiencing it in 4.9.x.
Closing.