Page MenuHomeFreeBSD
Differential D49143

pf: fix ICMP source address translation for nat64
ClosedPublic
Actions

Authored by kp on Feb 26 2025, 10:42 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Apr 11, 2:37 AM
Unknown Object (File)
Sun, Apr 6, 1:11 AM
Unknown Object (File)
Mar 22 2025, 5:33 AM
Unknown Object (File)
Mar 21 2025, 7:39 AM
Unknown Object (File)
Mar 20 2025, 10:52 AM
Unknown Object (File)
Mar 19 2025, 1:09 AM
Unknown Object (File)
Mar 18 2025, 5:58 AM
Unknown Object (File)
Mar 17 2025, 6:38 AM
View All 23 Files
Subscribers
farrokhi
glebius
imp
ivy
melifaro
vegeta_tuxpowered.net

Details

Reviewers
None
Group Reviewers
pfsense
network
Commits
rGe9a490b10d6c: pf: fix ICMP source address translation for nat64
Summary

While handling an ICMP error related to another state (e.g. TTL expired, port
closed, fragmentation needed, ...) we can't just use the state's source address
as the ICMP source address. We have to translate the IPv4 address back to an
IPv6 nat64 address.

Failing to do so breaks things like traceroute, where the intermediate router
generates an ICMP error message, and the traceroute tool uses the source address
to build the path.

PR: 284944
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Feb 26 2025, 10:42 PM
Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptFeb 26 2025, 10:42 PM
kp requested review of this revision.Feb 26 2025, 10:42 PM
Harbormaster completed remote builds in B62643: Diff 151537.Feb 26 2025, 10:42 PM
kp added a child revision: D49144: pf tests: test ICMP error translation with nat64.Feb 26 2025, 10:42 PM
kp updated this revision to Diff 151666.Feb 28 2025, 11:00 AM

Use the approach from OpenBSD's proposed patch.
That's a bit simpler and still works.

Harbormaster completed remote builds in B62670: Diff 151666.Feb 28 2025, 11:00 AM
ivy added a subscriber: ivy.Feb 28 2025, 11:12 AM
kp updated this revision to Diff 151864.Mar 4 2025, 5:38 PM

Update to the committed OpenBSD version of this fix.

Harbormaster completed remote builds in B62752: Diff 151864.Mar 4 2025, 5:38 PM
This revision was not accepted when it landed; it landed in state Needs Review.Mar 5 2025, 9:38 AM
Closed by commit rGe9a490b10d6c: pf: fix ICMP source address translation for nat64 (authored by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.
kp added a commit: rGe9a490b10d6c: pf: fix ICMP source address translation for nat64.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
72 lines

Diff 151901

View Options

sys/netpfil/pf/pf.c

Loading...