Page MenuHomeFreeBSD
Differential D49143

pf: fix ICMP source address translation for nat64
ClosedPublic
Actions

Authored by kp on Wed, Feb 26, 10:42 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Mar 19, 1:09 AM
Unknown Object (File)
Tue, Mar 18, 5:58 AM
Unknown Object (File)
Mon, Mar 17, 6:38 AM
Unknown Object (File)
Sun, Mar 16, 2:15 PM
Unknown Object (File)
Fri, Mar 14, 2:01 AM
Unknown Object (File)
Tue, Mar 11, 10:17 AM
Unknown Object (File)
Mon, Mar 10, 11:58 AM
Unknown Object (File)
Mon, Mar 10, 11:50 AM
View All 18 Files
Subscribers
farrokhi
glebius
imp
lexi_le-fay.org
melifaro
vegeta_tuxpowered.net

Details

Reviewers
None
Group Reviewers
pfsense
network
Commits
rGe9a490b10d6c: pf: fix ICMP source address translation for nat64
Summary

While handling an ICMP error related to another state (e.g. TTL expired, port
closed, fragmentation needed, ...) we can't just use the state's source address
as the ICMP source address. We have to translate the IPv4 address back to an
IPv6 nat64 address.

Failing to do so breaks things like traceroute, where the intermediate router
generates an ICMP error message, and the traceroute tool uses the source address
to build the path.

PR: 284944
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Wed, Feb 26, 10:42 PM
Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptWed, Feb 26, 10:42 PM
kp requested review of this revision.Wed, Feb 26, 10:42 PM
Harbormaster completed remote builds in B62643: Diff 151537.Wed, Feb 26, 10:42 PM
kp added a child revision: D49144: pf tests: test ICMP error translation with nat64.Wed, Feb 26, 10:42 PM
kp updated this revision to Diff 151666.Fri, Feb 28, 11:00 AM

Use the approach from OpenBSD's proposed patch.
That's a bit simpler and still works.

Harbormaster completed remote builds in B62670: Diff 151666.Fri, Feb 28, 11:00 AM
lexi_le-fay.org added a subscriber: lexi_le-fay.org.Fri, Feb 28, 11:12 AM
kp updated this revision to Diff 151864.Tue, Mar 4, 5:38 PM

Update to the committed OpenBSD version of this fix.

Harbormaster completed remote builds in B62752: Diff 151864.Tue, Mar 4, 5:38 PM
This revision was not accepted when it landed; it landed in state Needs Review.Wed, Mar 5, 9:38 AM
Closed by commit rGe9a490b10d6c: pf: fix ICMP source address translation for nat64 (authored by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.
kp added a commit: rGe9a490b10d6c: pf: fix ICMP source address translation for nat64.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
72 lines

Diff 151901

View Options

sys/netpfil/pf/pf.c

Loading...