From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 263974] ipfw_nat64lsn reply destination mac address error
Date: Tue, 17 May 2022 03:19:06 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: jpb@jimby.name
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Changed-Fields: resolution bug_status
List-Id: IPFW Technical Discussions
List-Archive: https://lists.freebsd.org/archives/freebsd-ipfw

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263974

Jim B. changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|New                         |Closed

--- Comment #6 from Jim B. ---
Ok, as promised in Comment #5, I spun up a new VM with 13.1-RELEASE and
retested this issue.

I now report that nat64lsn (stateful NAT64) *does work* under the following
conditions:

* The addressing scheme as described in the attachment "nat64lsn on my
  addressing scheme not working" now *does work*.

* The ipfw rules to implement are:

    ipfw nat64lsn foo create prefix4 203.0.112.0/24 allow_private
    ipfw add allow log ipv6-icmp from any to any icmp6types 135,136
    ipfw add nat64lsn foo log ip from 2001:db8:12::/64 to 64:ff9b::/96 in
    ipfw add nat64lsn foo log ip from any to 203.0.112.0/24 in
    ipfw add allow log ip from any to any

* The direct_output sysctl had to be set to 1 (not zero):

    sysctl net.inet.ip.fw.nat64_direct_output=1

* I also set the nat64_debug sysctl and the firewall verbose sysctl:

    sysctl net.inet.ip.fw.nat64_debug=1
    sysctl net.inet.ip.fw.verbose=1

  See /var/log/security for output.

-----

With these conditions the following tests were successful:

    [root@v6only ~]# ping6 -c 3 64:ff9b::203.0.113.10
    PING6(56=40+8+8 bytes) 2001:db8:12::30 --> 64:ff9b::cb00:710a
    16 bytes from 64:ff9b::cb00:710a, icmp_seq=0 hlim=63 time=8.401 ms
    16 bytes from 64:ff9b::cb00:710a, icmp_seq=1 hlim=63 time=3.429 ms
    16 bytes from 64:ff9b::cb00:710a, icmp_seq=2 hlim=63 time=3.398 ms

    --- 64:ff9b::203.0.113.10 ping6 statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 3.398/5.076/8.401/2.351 ms

And using lynx to grab the nginx home page was successful:

    lynx external1.example.com

-------
                                                            Welcome to nginx!
Welcome to nginx!

If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

This is Machine 1 - 203.0.113.10

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

Are you sure you want to quit? (y)
  Arrow keys: Up and Down to move.  Right to follow a link; Left to go back.
-------

I am closing the ticket with the caveat that nat64lsn under 13.0 may still
need fixing (identical source and destination MAC addresses in the reply).

Closed : Works as Intended   <--- but only in 13.1

Jim B.
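
Added example (not part of the bug report and not FreeBSD code): the ping6 output above shows 64:ff9b::203.0.113.10 being displayed as 64:ff9b::cb00:710a, which is the RFC 6052 IPv4-embedded IPv6 form that NAT64 translates. The Python below generalizes that mapping to every prefix length RFC 6052 allows, so addresses seen in /var/log/security can be mapped back to their IPv4 destination; the function names embed and extract are assumptions made for this example.

```python
import ipaddress

# RFC 6052 section 2.2: the only prefix lengths a NAT64 prefix may have.
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)
U_OCTET = 8  # byte 8 (bits 64..71) is reserved and must be zero


def _v4_positions(prefix_len):
    """Byte offsets of the IPv6 address that carry the four IPv4 octets."""
    if prefix_len not in VALID_LENGTHS:
        raise ValueError(f"/{prefix_len} is not an RFC 6052 prefix length")
    start = prefix_len // 8
    # IPv4 octets follow the prefix and skip over the reserved u-octet.
    return [i for i in range(start, 16) if i != U_OCTET][:4]


def embed(prefix, v4):
    """Return the IPv6 address that represents `v4` under NAT64 `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)
    if out[U_OCTET] != 0:
        raise ValueError("prefix has a non-zero u-octet")
    octets = ipaddress.IPv4Address(v4).packed
    for pos, octet in zip(_v4_positions(net.prefixlen), octets):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, v6):
    """Return the IPv4 address embedded in `v6`, or None if outside `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        return None  # not a NAT64-mapped destination, e.g. the IPv6-only client
    raw = addr.packed
    if raw[U_OCTET] != 0:
        raise ValueError("u-octet (bits 64..71) is not zero")
    positions = _v4_positions(net.prefixlen)
    return ipaddress.IPv4Address(bytes(raw[p] for p in positions))


if __name__ == "__main__":
    # Values taken from the ping6 output in the comment above.
    print(embed("64:ff9b::/96", "203.0.113.10"))          # 64:ff9b::cb00:710a
    print(extract("64:ff9b::/96", "64:ff9b::cb00:710a"))  # 203.0.113.10
    print(extract("64:ff9b::/96", "2001:db8:12::30"))     # None
```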