From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 255928] ipfw: nat64 not working on 13.0-RELEASE
Date: Sun, 16 May 2021 16:58:42 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255928

            Bug ID: 255928
           Summary: ipfw: nat64 not working on 13.0-RELEASE
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: paul.chakravarti@gmail.com

Hi,

I have been testing my ipfw/nat64 configuration on 13.0-RELEASE; however, this no longer works (the configuration is identical to the working configuration on 12.2-RELEASE).

I have included the configuration details below. Essentially the intent is to run a bunch of IPv6-only VNET jails with NAT64 on the host (this works fine on 12.2-RELEASE).

The tcpdump output below shows that when I try an ICMPv6 ping to a NAT64 address (64:ff9b::1.1.1.1), I can see the outbound NAT64 conversion and the IPv4 ICMP response. However, on 13.0-RELEASE I see a strange ICMP redirect which doesn't happen with 12.2-RELEASE, and it looks like the packets are rejected by the nat64lsn instance as 'discarded due to unsupported protocol':

>> 16:34:03.718757 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44

Any ideas?
Regards,

Paul

======== ifconfig -a ========

vtnet0: flags=8863 metric 0 mtu 1500
        options=80028
        ether 58:9c:fc:08:4f:d0
        inet 192.168.1.55 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::5a9c:fcff:fe08:4fd0%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2001:470:1d41:1::55 prefixlen 64
        media: Ethernet autoselect (10Gbase-T )
        status: active
        nd6 options=21
lo0: flags=8049 metric 0 mtu 16384
        options=680003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21
bridge0: flags=8843 metric 0 mtu 1500
        ether 58:9c:fc:10:ff:96
        inet6 fe80::5a9c:fcff:fe10:ff96%bridge0 prefixlen 64 scopeid 0x3
        inet6 2001:470:1d41:55::1 prefixlen 64
        inet6 fe80::1%bridge0 prefixlen 64 scopeid 0x3
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        groups: bridge
        nd6 options=21
ipfw0: flags=8801 metric 0 mtu 65536
        groups: ipfw

======== /etc/ipfw.rules ========

IPV4_LOCAL="192.168.1.55/32"
IPV6_LOCAL="2001:470:1d41:1::55/128"
NAT64_NETWORK="2001:470:1d41:55::/64"

: ${LOG:=}

# Flush
ipfw -q flush
ipfw -q nat64lsn NAT64 destroy

# Create nat64 instance
ipfw nat64lsn NAT64 create log prefix4 ${IPV4_LOCAL} prefix6 64:ff9b::/96

# Allow established connections
ipfw add check-state

# Allow icmp6 neighbour advertisement
ipfw add allow ${LOG} icmp6 from any to any icmp6types 135,136

# Allow incoming icmp echo-requests (need keep-state to allow icmp from nat64)
ipfw add allow ${LOG} icmp from any to ${IPV4_LOCAL} icmptypes 8 keep-state

# Allow incoming SSH/DNS (IPv4)
ipfw add allow ${LOG} ip4 from any to ${IPV4_LOCAL} 22
ipfw add allow ${LOG} ip4 from any to ${IPV4_LOCAL} 53

# Enable NAT64
ipfw add nat64lsn NAT64 ${LOG} ip6 from ::1 to 64:ff9b::/96 in
ipfw add nat64lsn NAT64 ${LOG} ip6 from ${IPV6_LOCAL} to 64:ff9b::/96 in
ipfw add nat64lsn NAT64 ${LOG} ip6 from ${NAT64_NETWORK} to 64:ff9b::/96 in
ipfw add nat64lsn NAT64 ${LOG} ip4 from any to ${IPV4_LOCAL} in

# Allow outgoing IPv4 (keep-state to skip nat64)
ipfw add allow ${LOG} ip4 from ${IPV4_LOCAL} to any keep-state

# Allow all
ipfw add allow ${LOG} all from any to any

# Set NAT64 route
route -6 add 64:ff9b::/96 fe80::1%lo0

# Enable direct output
sysctl net.inet.ip.fw.nat64_direct_output=1

======== ipfw show ========

# ipfw show
00100      0      0 check-state :default
00200     82   5576 allow log ipv6-icmp from any to any icmp6types 135,136
00300      0      0 allow log icmp from any to 192.168.1.55 icmptypes 8 keep-state :default
00400      0      0 allow log ip4 from any to 192.168.1.55 22
00500      0      0 allow log ip4 from any to 192.168.1.55 53
00600      0      0 nat64lsn NAT64 log ip6 from ::1 to 64:ff9b::/96 in
00700      2    112 nat64lsn NAT64 log ip6 from 2001:470:1d41:1::55 to 64:ff9b::/96 in
00800      0      0 nat64lsn NAT64 log ip6 from 2001:470:1d41:55::/64 to 64:ff9b::/96 in
00900      2    128 nat64lsn NAT64 log ip4 from any to 192.168.1.55 in
01000      6    216 allow log ip4 from 192.168.1.55 to any keep-state :default
01100    939 127470 allow log ip from any to any

======== ping6 -c 1 64:ff9b::1.1.1.1 ========

# ping6 -c 1 64:ff9b::1.1.1.1
PING6(56=40+8+8 bytes) 2001:470:1d41:1::55 --> 64:ff9b::101:101

--- 64:ff9b::1.1.1.1 ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

======== tcpdump -nqi ipfw0 icmp or icmp6 ========

# tcpdump -nqi ipfw0 icmp or icmp6
16:34:03.718627 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:34:03.718654 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:34:03.718681 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:34:03.718684 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:34:03.718757 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:34:03.718762 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:34:03.738308 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1024, seq 0, length 16

======== ipfw nat64lsn NAT64 stats ========

# ipfw nat64lsn NAT64 stats
nat64lsn NAT64
        2 packets translated from IPv6 to IPv4
        0 packets translated from IPv4 to IPv6
        0 IPv6 fragments created
        0 IPv4 fragments received
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no IPv4 route
        0 output packets discarded due to no IPv6 route
        2 packets discarded due to unsupported protocol
        0 packets discarded due to memory allocation problems
        0 packets discarded due to some errors
        0 packets not matched with IPv4 prefix
        1 mbufs queued for post processing
        1 times the job queue was processed
        1 job requests queued
        0 job requests queue limit reached
        0 job requests failed due to memory allocation problems
        1 hosts allocated
        1 hosts requested
        0 host requests failed
        0 portgroups requested
        1 portgroups allocated
        0 portgroups deleted
        0 portgroup requests failed
        0 portgroups allocated for TCP
        0 portgroups allocated for UDP
        1 portgroups allocated for ICMP
        2 states created
        2 states deleted
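The asymmetry in the capture above (the IPv6 echo request is translated to IPv4 and answered by 1.1.1.1, but no IPv6 echo reply ever reaches the sender) can be checked mechanically rather than by eye. The following Python is an added example written for this page, not code from the bug report or from FreeBSD. It applies the RFC 6052 /96 address embedding that maps 1.1.1.1 to 64:ff9b::101:101 under the 64:ff9b::/96 prefix used here, and walks `tcpdump -nq` output captured with the same `icmp or icmp6` filter, counting each leg of the translated ping. It assumes that lines differing only in timestamp are the same packet logged by two `log` rules (the capture above shows every packet twice); the embedded sample capture is the one quoted in the report.

```python
"""Check a NAT64 ping round trip in a tcpdump capture of ipfw0.

Added example for this page (not from the bug report or FreeBSD). Assumes
tcpdump was run with -nq and an 'icmp or icmp6' filter, so every line is
"<ts> IP6|IP <src> > <dst>: ICMP... <description>".
"""
import ipaddress
import re

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

LINE_RE = re.compile(r"^(\S+)\s+(IP6|IP)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")

# Constructed sample: the tcpdump lines quoted in the bug report above.
SAMPLE_CAPTURE = """\
16:34:03.718627 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:34:03.718654 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
16:34:03.718681 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:34:03.718684 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
16:34:03.718757 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:34:03.718762 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
16:34:03.738308 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1024, seq 0, length 16
"""


def embed_ipv4(v4, prefix=NAT64_PREFIX):
    """RFC 6052 /96 embedding: the IPv4 address fills the low 32 bits."""
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(v6, prefix=NAT64_PREFIX):
    """Inverse of embed_ipv4; None if the address is outside the NAT64 prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def parse_capture(text):
    """Yield (family, src, dst, description) once per distinct ICMP packet.

    Assumption: identical lines with different timestamps are one packet
    logged by more than one ipfw 'log' rule, so they are collapsed.
    """
    seen = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, family, src, dst, desc = m.groups()
        if not desc.startswith("ICMP"):
            continue
        key = (family, src, dst, desc)
        if key in seen:
            continue
        seen.add(key)
        yield key


def check_nat64_roundtrip(text, prefix=NAT64_PREFIX):
    """Count each leg of a translated ping and name the first leg that is absent."""
    result = {
        "v6_echo_requests": 0,   # IPv6 echo request into the NAT64 prefix
        "v4_echo_requests": 0,   # its IPv4 translation leaving the host
        "v4_echo_replies": 0,    # IPv4 echo reply coming back
        "v6_echo_replies": 0,    # IPv6 echo reply handed to the sender
        "icmp_redirects": 0,     # IPv4 redirects, as seen in the report
        "missing_leg": None,
    }
    targets = set()              # IPv4 hosts we expect replies from
    for family, src, dst, desc in parse_capture(text):
        if family == "IP6":
            if "echo request" in desc:
                v4 = extract_ipv4(dst, prefix)
                if v4 is not None:
                    result["v6_echo_requests"] += 1
                    targets.add(v4)
            elif "echo reply" in desc and extract_ipv4(src, prefix) in targets:
                result["v6_echo_replies"] += 1
        else:
            if "redirect" in desc:
                result["icmp_redirects"] += 1
            elif "echo request" in desc and ipaddress.IPv4Address(dst) in targets:
                result["v4_echo_requests"] += 1
            elif "echo reply" in desc and ipaddress.IPv4Address(src) in targets:
                result["v4_echo_replies"] += 1
    if result["v6_echo_requests"] and not result["v4_echo_requests"]:
        result["missing_leg"] = "ipv6_to_ipv4"
    elif result["v4_echo_requests"] and not result["v4_echo_replies"]:
        result["missing_leg"] = "ipv4_reply"
    elif result["v4_echo_replies"] and not result["v6_echo_replies"]:
        result["missing_leg"] = "ipv4_to_ipv6"
    return result


if __name__ == "__main__":
    for key, value in check_nat64_roundtrip(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Run against the quoted capture it reports one packet on each of the first three legs, zero IPv6 echo replies, one redirect, and `missing_leg: ipv4_to_ipv6`, which is consistent with the stats block's "0 packets translated from IPv4 to IPv6". The same script can be pointed at a capture from a 12.2-RELEASE host for comparison; there `missing_leg` should stay `None`.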