[Bug 255928] ipfw: nat64 not working on 13.0-RELEASE

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 16 May 2021 16:58:42 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255928

            Bug ID: 255928
           Summary: ipfw: nat64 not working on 13.0-RELEASE
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs_at_FreeBSD.org
          Reporter: paul.chakravarti_at_gmail.com

Hi,

I have been testing my ipfw/nat64 configuration on 13.0-RELEASE; however, it no
longer works there (the configuration is identical to the working configuration
on 12.2-RELEASE).

I have included the configuration details below - essentially the intent is to
run a bunch of IPv6 only VNET jails with NAT64 on the host (this works fine on
12.2-RELEASE).

The tcpdump output below shows that when I send an ICMPv6 ping to a NAT64
address (64:ff9b::1.1.1.1) I can see the outbound NAT64 translation and the IPv4
ICMP echo reply coming back. However, on 13.0-RELEASE I also see a strange ICMP
redirect that does not appear on 12.2-RELEASE, the reply is never translated
back to IPv6 (the instance stats show 0 packets translated from IPv4 to IPv6),
and it looks like the packets are rejected by the nat64lsn instance as
'discarded due to unsupported protocol'

>> 16:34:03.718757 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44

Any ideas?

Regards, Paul

======== ifconfig -a ========

vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
        ether 58:9c:fc:08:4f:d0
        inet 192.168.1.55 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::5a9c:fcff:fe08:4fd0%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2001:470:1d41:1::55 prefixlen 64
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:ff:96
        inet6 fe80::5a9c:fcff:fe10:ff96%bridge0 prefixlen 64 scopeid 0x3
        inet6 2001:470:1d41:55::1 prefixlen 64
        inet6 fe80::1%bridge0 prefixlen 64 scopeid 0x3
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        groups: bridge
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
        groups: ipfw

======== /etc/ipfw.rules ========

# ipfw(8) ruleset for a host running IPv6-only VNET jails that reach the IPv4
# Internet through an in-kernel stateful NAT64 (nat64lsn) instance.
# Intended to be run as the firewall_script by /bin/sh, so it stays POSIX.
#
# Addresses used throughout. IPV4_LOCAL is both the host's own address and the
# NAT64 pool (prefix4 below), so translated flows share it with the host's own
# IPv4 traffic.
IPV4_LOCAL="192.168.1.55/32"
IPV6_LOCAL="2001:470:1d41:1::55/128"
# IPv6 prefix of the jails (bridge0) that are allowed to use the translator.
NAT64_NETWORK="2001:470:1d41:55::/64"

# LOG is inherited from the environment; set LOG=log to add the "log" keyword
# to every rule below (the "ipfw show" output in this report was produced that
# way). It is expanded unquoted on purpose so an empty value disappears.
: ${LOG:=}

# Flush
# Rules are flushed before the instance so nothing still references NAT64 when
# it is destroyed. -q also hides the error when the instance does not exist yet
# (first boot), so a genuine failure here is silent as well.
ipfw -q flush
ipfw -q nat64lsn NAT64 destroy

# Create nat64 instance
# 64:ff9b::/96 is the Well-Known Prefix (RFC 6052): the IPv4 address lives in
# the low 32 bits, so 64:ff9b::1.1.1.1 == 64:ff9b::101:101. "log" here enables
# the instance's own logging, independent of ${LOG} on the rules.
ipfw nat64lsn NAT64 create log prefix4 ${IPV4_LOCAL} prefix6 64:ff9b::/96

# Allow established connections
# Dynamic rules created by the keep-state rules below are matched first, so
# replies for stateful flows never reach the nat64lsn rules.
ipfw add check-state

# Allow ICMPv6 neighbour solicitation/advertisement (types 135/136) so NDP on
# vtnet0/bridge0 keeps working regardless of what follows.
ipfw add allow ${LOG} icmp6 from any to any icmp6types 135,136

# Allow incoming icmp echo-requests (need keep-state to allow icmp from nat64)
# Only echo-request (type 8) is accepted statefully; other inbound IPv4 ICMP to
# the host falls through to the ip4 nat64lsn rule below.
ipfw add allow ${LOG} icmp from any to ${IPV4_LOCAL} icmptypes 8 keep-state

# Allow incoming SSH/DNS (IPv4)
# Protocol is ip4, not tcp/udp, so the port match is not restricted to one
# transport; tighten to tcp/udp if that matters. No keep-state here, so the
# replies are handled by the host-originated IPv4 rule below.
ipfw add allow ${LOG} ip4 from any to ${IPV4_LOCAL} 22
ipfw add allow ${LOG} ip4 from any to ${IPV4_LOCAL} 53

# Enable NAT64
# IPv6 -> IPv4: only these three sources may use the translator. 64:ff9b::/96
# is routed to fe80::1%lo0 (see below), so locally generated packets presumably
# re-enter via lo0, which is why the host's own addresses are matched with "in".
ipfw add nat64lsn NAT64 ${LOG} ip6 from ::1 to 64:ff9b::/96 in
ipfw add nat64lsn NAT64 ${LOG} ip6 from ${IPV6_LOCAL} to 64:ff9b::/96 in
ipfw add nat64lsn NAT64 ${LOG} ip6 from ${NAT64_NETWORK} to 64:ff9b::/96 in
# IPv4 -> IPv6: every inbound IPv4 packet to the host not already accepted
# above (dynamic state, echo-request, port 22/53) is handed to the translator,
# which is expected to pass only packets that match a state it created.
ipfw add nat64lsn NAT64 ${LOG} ip4 from any to ${IPV4_LOCAL} in

# Allow outgoing IPv4 (keep-state to skip nat64)
# The dynamic rule makes the replies match check-state at the top instead of
# the ip4 nat64lsn rule, which would otherwise send them into the translator.
ipfw add allow ${LOG} ip4 from ${IPV4_LOCAL} to any keep-state

# Allow all
# Default-permit for everything else, in both address families. Acceptable for
# reproducing the bug; for production replace with explicit rules and a deny.
ipfw add allow ${LOG} all from any to any

# Set NAT64 route
# Not idempotent: on a re-run the add fails because the route already exists
# (harmless, the route is still in place).
route -6 add 64:ff9b::/96 fe80::1%lo0 

# Enable direct output
# Per ipfw(8), 1 sends translated packets straight to the outgoing interface
# instead of passing them back through the ruleset.
sysctl net.inet.ip.fw.nat64_direct_output=1


======== ipfw show ========

# ipfw show
00100     0        0 check-state :default
00200    82     5576 allow log ipv6-icmp from any to any icmp6types 135,136
00300     0        0 allow log icmp from any to 192.168.1.55 icmptypes 8
keep-state :default
00400     0        0 allow log ip4 from any to 192.168.1.55 22
00500     0        0 allow log ip4 from any to 192.168.1.55 53
00600     0        0 nat64lsn NAT64 log ip6 from ::1 to 64:ff9b::/96 in
00700     2      112 nat64lsn NAT64 log ip6 from 2001:470:1d41:1::55 to
64:ff9b::/96 in
00800     0        0 nat64lsn NAT64 log ip6 from 2001:470:1d41:55::/64 to
64:ff9b::/96 in
00900     2      128 nat64lsn NAT64 log ip4 from any to 192.168.1.55 in
01000     6      216 allow log ip4 from 192.168.1.55 to any keep-state :default
01100   939   127470 allow log ip from any to any


======== ping6 -c 1 64:ff9b::1.1.1.1 ========

# ping6 -c 1 64:ff9b::1.1.1.1
PING6(56=40+8+8 bytes) 2001:470:1d41:1::55 --> 64:ff9b::101:101

--- 64:ff9b::1.1.1.1 ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss


======== tcpdump -nqi ipfw0 icmp or icmp6 ========

# tcpdump -nqi ipfw0 icmp or icmp6
16:34:03.718627 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo
request, seq 0, length 16
16:34:03.718654 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo
request, seq 0, length 16
16:34:03.718681 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0,
length 16
16:34:03.718684 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0,
length 16
16:34:03.718757 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host
0.0.0.0, length 44
16:34:03.718762 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host
0.0.0.0, length 44
16:34:03.738308 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1024, seq 0,
length 16


======== ipfw nat64lsn NAT64 stats ========

# ipfw nat64lsn NAT64 stats
nat64lsn NAT64
        2 packets translated from IPv6 to IPv4
        0 packets translated from IPv4 to IPv6
        0 IPv6 fragments created
        0 IPv4 fragments received
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no IPv4 route
        0 output packets discarded due to no IPv6 route
        2 packets discarded due to unsupported protocol
        0 packets discarded due to memory allocation problems
        0 packets discarded due to some errors
        0 packets not matched with IPv4 prefix
        1 mbufs queued for post processing
        1 times the job queue was processed
        1 job requests queued
        0 job requests queue limit reached
        0 job requests failed due to memory allocation problems
        1 hosts allocated
        1 hosts requested
        0 host requests failed
        0 portgroups requested
        1 portgroups allocated
        0 portgroups deleted
        0 portgroup requests failed
        0 portgroups allocated for TCP
        0 portgroups allocated for UDP
        1 portgroups allocated for ICMP
        2 states created
        2 states deleted
