[Bug 1343] New: With IPv6 masquerade, ICMPv6 time-exceeded pkts are forwarded with bad checksum

bugzilla-daemon at netfilter.org
Wed Jun 19 02:31:27 CEST 2019


https://bugzilla.netfilter.org/show_bug.cgi?id=1343

            Bug ID: 1343
           Summary: With IPv6 masquerade, ICMPv6 time-exceeded pkts are
                    forwarded with bad checksum
           Product: netfilter/iptables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: NAT
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: doron.shikmoni+netfilterorg at gmail.com

I have a system that does IPv6 MASQUERADE, a POSTROUTING rule in the NAT table.
For the most part it works fine, however ICMPv6 type 3 (TIME-EXCEED) packets seem to
have their ICMPv6 checksum botched, and hence are dropped at the next hop.
I see the packets entering via the upstream interface just fine with good
cksum, but then on the forwarded-to interface (i.e. after translation) I get
bad checksum. The next hop does not see the packet at all.

I looked at nf_nat_proto_icmpv6.c for a bit but so far haven't found much.

Kernel 4.9.168.

e.g. on ingress:
IP6 (hlim 61, next-header ICMPv6 (58) payload length: 80) 2a01:4f9:0:c001::a015
> 2a01:???:????:????::1: [icmp6 sum ok] ICMP6, time exceeded in-transit for
fra16s12-in-x04.1e100.net

on egress:
IP6 (hlim 60, next-header ICMPv6 (58) payload length: 80) 2a01:4f9:0:c001::a015
> fd01:???:????:????::2:1: [bad icmp6 cksum 0x735b -> 0x705b!] ICMP6, time
exceeded in-transit for fra16s12-in-x04.1e100.net

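The ICMPv6 checksum covers a pseudo-header containing the source and destination addresses (RFC 4443), so any address rewrite must be folded into it. The following is an added example, not part of the bug report or of the netfilter code: it builds a constructed 80-byte time-exceeded message, rewrites the outer destination and the embedded packet's source, shows that the stale checksum no longer verifies, and applies the RFC 1624 incremental update. The addresses, the function names and the assumption that only those two addresses change (the embedded payload is left as zeros) are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Add len bytes, as big-endian 16-bit words, to a one's-complement accumulator. */
static uint32_t csum_add(uint32_t acc, const uint8_t *p, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2) acc += (uint32_t)p[i] << 8 | p[i + 1];
    if (len & 1) acc += (uint32_t)p[len - 1] << 8;
    return acc;
}
static uint16_t csum_fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* ICMPv6 checksum: pseudo-header (src, dst, length, next header 58) plus the
 * message. Returns 0 when msg already carries a valid checksum. */
uint16_t icmp6_csum(const uint8_t *src, const uint8_t *dst, const uint8_t *msg, size_t len) {
    uint32_t acc = csum_add(csum_add(0, src, 16), dst, 16) + (uint32_t)len + 58;
    return (uint16_t)~csum_fold(csum_add(acc, msg, len));
}
/* RFC 1624 incremental update for one 16-byte address swap: HC' = ~(~HC + ~m + m'). */
uint16_t csum_swap_addr(uint16_t hc, const uint8_t *old, const uint8_t *new_) {
    uint32_t acc = csum_add((uint16_t)~hc, new_, 16);
    for (int i = 0; i < 16; i += 2) acc += (uint16_t)~(old[i] << 8 | old[i + 1]);
    return (uint16_t)~csum_fold(acc);
}
/* Constructed scenario. Returns 1 when the untranslated packet verifies, the stale
 * checksum fails after translation, and the incremental fix equals a full recompute. */
int demo(void) {
    uint8_t rtr[16], pub[16], in[16], msg[80] = {3, 0};  /* type 3, code 0 */
    inet_pton(AF_INET6, "2001:db8:a::15", rtr);      /* router sending the error */
    inet_pton(AF_INET6, "2001:db8:1::1", pub);       /* masquerade address */
    inet_pton(AF_INET6, "fd00::2:1", in);            /* inside host */
    msg[8] = 0x60; msg[13] = 32; msg[14] = 58; msg[15] = 1;  /* embedded IPv6 header */
    memcpy(msg + 16, pub, 16);                       /* embedded source */
    inet_pton(AF_INET6, "2001:db8:f::4", msg + 32);  /* embedded destination */
    uint16_t good = icmp6_csum(rtr, pub, msg, sizeof msg);
    msg[2] = good >> 8; msg[3] = good & 0xff;
    int ok_in = icmp6_csum(rtr, pub, msg, sizeof msg) == 0;
    /* Translation: outer destination and embedded source both become `in`. */
    memcpy(msg + 16, in, 16);
    int stale_bad = icmp6_csum(rtr, in, msg, sizeof msg) != 0;
    uint16_t fixed = csum_swap_addr(csum_swap_addr(good, pub, in), pub, in);
    msg[2] = msg[3] = 0;                             /* zero the field, recompute fully */
    int same = fixed == icmp6_csum(rtr, in, msg, sizeof msg);
    return ok_in && stale_bad && same;
}
int main(void) { printf("checksum demo: %s\n", demo() ? "ok" : "FAILED"); return 0; }
```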