[Bug 839] SNAT66 does not work for bidirectional UDP

bugzilla-daemon at netfilter.org
Thu Aug 8 16:24:47 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=839

--- Comment #2 from Sebastian <saltyacid at gmail.com> 2013-08-08 16:24:46 CEST ---
Thank you for your time and for the quick reply! I have done further research
as you suggested, and came to the conclusion that you are right. For the
record, and if someone experiences the same problems, here are possible
reasons:

1) I used an application which calculated UDP checksums incorrectly when the
payload length was over 255 bytes. I think this is the reason for netfilter
throwing my reply packet away (the first packet had a correct checksum since it
was small, the answer did not). However, I noticed that setting the UDP
checksum to zero is allowed and this works fine with NAT. According to RFC2460
the value is not allowed to be zero. Although it is up to the receiver to check
it, it seems inconsistent if netfilter cares about incorrect values but not
invalid values. Correct me if I'm wrong about this. 

2) Using Nmap's ncat and watching the IPv6 UDP packets with tcpdump 4.3.0 also
yields a "bad udp cksum" (default payload length for ncat is apparently 8200 so
the packets require fragmentation which probably affects the way tcpdump looks
at the packets).

3) Also tested with Iperf version 2.0.5 (8 July 2010, exactly 3 years ago)
single threaded instance. This did not work, apparently because a single
threaded instance of Iperf does not allow the option -d (bidirectional), but
fails rather silently. 

4) I was reading http://atoomnet.net/howto-ipv6-nat-in-centos-6/ where the
author reported the same issue with UDP while TCP/ICMP worked fine.
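
The checksum points in items 1 and 2 above can be checked offline. The following is an added example, not part of the original comment and not netfilter code: it computes the UDP checksum over the IPv6 pseudo-header (RFC 2460, section 8.1) and classifies a datagram as correct, incorrect, or carrying the zero value that RFC 2460 forbids. The addresses (documentation prefix 2001:db8::/32), ports and 300-byte payload are constructed sample values.

```python
import ipaddress
import struct

UDP_PROTO = 17  # IPv6 Next Header value for UDP
# Constructed sample addresses (documentation prefix), not taken from the bug report.
SRC, DST, NAT_SRC = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:2::1"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input for summing only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv6 pseudo-header: both addresses, 32-bit length, 3 zero bytes, next header."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", udp_len, UDP_PROTO))


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Return a UDP datagram (header + payload) with a correct checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ~ones_complement_sum(pseudo_header(src, dst, length) + header + payload) & 0xFFFF
    csum = csum or 0xFFFF  # a computed 0 is transmitted as 0xFFFF over IPv6
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def classify(src: str, dst: str, datagram: bytes) -> str:
    """Return 'ok', 'bad', or 'zero' (checksum field 0, not allowed over IPv6)."""
    if struct.unpack("!H", datagram[6:8])[0] == 0:
        return "zero"
    total = ones_complement_sum(pseudo_header(src, dst, len(datagram)) + datagram)
    return "ok" if total == 0xFFFF else "bad"


if __name__ == "__main__":
    dgram = build_udp(SRC, DST, 40000, 5001, b"A" * 300)  # payload > 255 bytes
    print("as sent:            ", classify(SRC, DST, dgram))
    print("payload altered:    ", classify(SRC, DST, dgram[:-1] + b"B"))
    print("checksum zeroed:    ", classify(SRC, DST, dgram[:6] + b"\x00\x00" + dgram[8:]))
    # The source address is part of the pseudo-header, so rewriting it
    # without updating the checksum invalidates the datagram.
    print("src rewritten only: ", classify(NAT_SRC, DST, dgram))
```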
