Re: IPv6 and private net with masquerading not working correctly

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Any update on this issue?

Thank you.

Ciao,
Gerhard

On 10.08.2015 19:39, Cong Wang wrote:
(Cc'ing netdev and netfilter-devel)

On Fri, Aug 7, 2015 at 6:00 AM, Gerhard Wiesinger <lists@xxxxxxxxxxxxx> wrote:
On 06.08.2015 20:43, Gerhard Wiesinger wrote:
Hello,

I'm having the following problem with IPv6 and a private internal LAN
which will be masqueraded to the public internet (I don't want to have
public IPs in the LAN because of some static IPs and tracking) . Rules are
generated by shorewall.

Problem is that ICMP6 packets source address is not translated by the
kernel on the reply when MTU has to be discovered because of too big packets
and limited MTU capabilities on the path (happens also on tcp6 which works
thereofore not correctly).

# From an internal host on net fd00:1234:5678::/64
ping6 -s 2000 2a02:1234:5678:7::2

/etc/shorewall6/masq
EXT_IF                   fc00::/7

ip6tables rule:
MASQUERADE  all      *      *       fc00::/7             ::/0

# Internal interface
IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo
request, seq 1, length 1432
IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576)
IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too big,
mtu 1440, length 1240

# External interface
IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6,
echo request, seq 1, length 1432
IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576)
IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet too
big, mtu 1440, length 1240

Looks to me like a a major kernel bug.
Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22

Any ideas?

Any comments?

Ciao,
Gerhard

--
http://www.wiesinger.com/


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux