[Bug 284944] pf: incorrect ICMP error translation in af-to inet
Date: Fri, 21 Feb 2025 09:48:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284944
Bug ID: 284944
Summary: pf: incorrect ICMP error translation in af-to inet
Product: Base System
Version: 15.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: lexi@hemlock.eden.le-fay.org
it's possible i'm doing something wrong here since i thought this problem
should be fixed by 25dbba4fc6e152a05e091180b2e031ab495ba337, but i'm using
f5aff1871d3273b3cd3621ea5d3e37cdd807e66f (with a couple of local patches,
including the fix for bug 284866) and i'm still seeing the issue.
the problem is that traceroute over af-to NAT64 returns garbage once it hits
pf:
# traceroute6 64:ff9b::1.1.1.1
traceroute6 to 64:ff9b::1.1.1.1 (64:ff9b::101:101) from 2a00:1098:6b:200::1, 64 hops max, 28 byte packets
1 uk-myb-1.le-fay.org (2a00:1098:6b:100::1) 0.544 ms 0.411 ms 0.305 ms
2 uk-aai-1.le-fay.org (2001:8b0:aab5:100::1) 6.738 ms 7.558 ms 7.520 ms
3 64:ff9b::101:101 (64:ff9b::101:101) 12.666 ms 12.443 ms 11.981 ms
4 64:ff9b::101:101 (64:ff9b::101:101) 12.904 ms 11.460 ms 13.006 ms
5 64:ff9b::101:101 (64:ff9b::101:101) 14.095 ms 13.377 ms 13.012 ms
6 64:ff9b::101:101 (64:ff9b::101:101) 12.984 ms 13.523 ms 14.175 ms
7 64:ff9b::101:101 (64:ff9b::101:101) 13.939 ms 13.436 ms 13.025 ms
on the router's external interface, i see the correct outgoing and incoming
traffic:
09:42:39.937871 IP (tos 0x0, ttl 1, id 4079, offset 0, flags [none], proto UDP (17), length 40)
    81.187.47.193.25587 > 1.1.1.1.33441: UDP, length 12
09:42:39.942958 IP (tos 0x0, ttl 64, id 13105, offset 0, flags [none], proto ICMP (1), length 56)
    90.155.53.128 > 81.187.47.193: ICMP time exceeded in-transit, length 36
        IP (tos 0x0, id 4079, offset 0, flags [none], proto UDP (17), length 40)
            81.187.47.193.25587 > 1.1.1.1.33441: UDP, length 12
but the translated outgoing error on the internal interface is wrong:
09:42:39.937819 IP6 (hlim 1, next-header UDP (17) payload length: 20)
    2a00:1098:6b:200::1.25587 > 64:ff9b::101:101.33441: [udp sum ok] UDP, length 12
09:42:39.942997 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56)
    64:ff9b::101:101 > 2a00:1098:6b:200::1: [icmp6 sum ok] ICMP6, time exceeded in-transit for 64:ff9b::101:101
specifically the source address is 64:ff9b::101:101, when it should be
64:ff9b::5a9b:3580 (64:ff9b::90.155.53.128).
the af-to rule is fairly straightforward:
anchor on ep.uk-aai-1 {
pass from fe80::/10 to any
pass in from <lf> to any
pass in inet6 proto ipv6-icmp from <dn42> to any icmp6-type echoreq
pass in proto tcp from <dn42> to <dn42-fuchsia> port { smtp, domain, http, https }
pass in proto udp from <dn42> to <dn42-fuchsia> port domain
pass in from any to 64:ff9b::/96 af-to inet from 81.187.47.193/32
}
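A model of the translation the report expects, added here as an example and not pf's own code: the outer IPv6 source of the translated ICMP error is the NAT64-prefix embedding of the router that emitted it (90.155.53.128), while the quoted probe is reverse-translated through the af-to state. The state table content is assumed from the tcpdump output above.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix, as used by the af-to rule in the report.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed pf state for the outgoing probe: af-to rewrote the inet6 source
# 2a00:1098:6b:200::1 to 81.187.47.193 (assumed state table content).
STATE = {"81.187.47.193": ipaddress.IPv6Address("2a00:1098:6b:200::1")}


def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> ipaddress.IPv6Address:
    """RFC 6052 mapping for a /96 prefix: the IPv4 address fills the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are modelled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def translate_icmp_error(outer_v4_src, inner_v4_src, inner_v4_dst, state):
    """Expected inet -> inet6 translation of an ICMP error that quotes a probe.

    The outer IPv6 source is the prefix-embedded form of the router that sent the
    error (outer_v4_src); the quoted inner packet is reverse-translated through the
    state so the client recognises its own probe.
    """
    original_src = state[inner_v4_src]
    return {
        "outer_src": embed_ipv4(NAT64_PREFIX, outer_v4_src),
        "outer_dst": original_src,
        "inner_src": original_src,
        "inner_dst": embed_ipv4(NAT64_PREFIX, inner_v4_dst),
    }


def observed_translation(outer_v4_src, inner_v4_src, inner_v4_dst, state):
    """What the report's tcpdump shows: outer source taken from the inner destination."""
    t = translate_icmp_error(outer_v4_src, inner_v4_src, inner_v4_dst, state)
    t["outer_src"] = t["inner_dst"]
    return t


if __name__ == "__main__":
    args = ("90.155.53.128", "81.187.47.193", "1.1.1.1", STATE)
    for name, fn in (("expected", translate_icmp_error), ("observed", observed_translation)):
        t = fn(*args)
        print(f"{name}: {t['outer_src']} > {t['outer_dst']} "
              f"quoting {t['inner_src']} > {t['inner_dst']}")
```

Every hop's time-exceeded carries the same quoted probe, so taking the outer source from the inner destination collapses all intermediate hops to 64:ff9b::101:101, which is exactly the traceroute6 output in the report.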