[Bug 255928] ipfw: nat64 not working on 13.0-RELEASE

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 18 May 2021 22:10:02 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255928

--- Comment #3 from Andrey V. Elsukov <ae_at_FreeBSD.org> ---
(In reply to PaulC from comment #0)

According your dump I think what was happened are:

> 16:34:03.718627 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
This entry generated by rule 1100 for outbound ICMPv6 echo request.

> 16:34:03.718654 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
Then packet was routed to lo0 due to static route, and this entry was generated
by rule 700 as inbound packet.
It was translated by NAT64 and directly put to outbound interface.

> 16:34:03.718681 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
I'm not sure how this entry was created. Probably you have some strange IPv4
routing and somehow you have extra firewall check,
and this was created by rule 1000 as inbound packet. Thus dynamic state was
created. This also means that the packet was handled by ip_input and then
passed to ip_tryforward. And this is "inbound" pass from ip_tryforward. 

> 16:34:03.718684 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1024, seq 0, length 16
This entry was created by the "outbound" firewall pass from ip_tryforward. And
translated packet finally gone to the destination.

> 16:34:03.718757 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
Since net.inet.ip.redirect is enabled by default, and mbuf's rcvif matches
interfice given by route, you have ICMP redirect. And this entry was created by
rule 1100 by firewall pass from icmp_error->ip_output.

> 16:34:03.718762 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
This entry probably was created by rule 900 and since ICMP redirect was not
translated, it counted as unsupported protocol in NAT64.

> 16:34:03.738308 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1024, seq 0, length 16
This entry was created by rule 100 as reverse match from the dynamic state
created before, so it did not hit NAT64 to be translated back into IPv6.

If you are 100% sure that exactly this configuration worked before 13.0, I add
melifaro_at_ to CC list, he did major routing rewriting in 13.0.
Also, please provide what you have in `netstat -rn`. Also show `sysctl
net.inet.ip | egrep "forward|redir"`.

Also, you can create ipfwlog0 interface and see what will report NAT64
instance.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Received on Tue May 18 2021 - 22:10:02 UTC

Original text of this message