[Bug 1771] New: Stateless NAT ICMP Payload Mismatch
bugzilla-daemon at netfilter.org
Wed Aug 28 21:28:33 CEST 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1771
Bug ID: 1771
Summary: Stateless NAT ICMP Payload Mismatch
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: echo at lethedata.com
When using the following ruleset for stateless NAT, ICMP payloads are not
mangled. This leads to a mismatch between the packet's IPv4 header and the
IPv4 header carried in the ICMP payload of destination-unreachable (type 3)
packets, causing the receiving host to drop the packets.
Internal to external:
IPv4 Header - Src: 192.0.2.2, Dst: 100.64.1.105
ICMP Type 3 Payload - Src: 203.0.113.100, Dst: 192.0.2.2
External to internal:
IPv4 Header - Src: 203.0.113.100, Dst: 203.0.113.200
ICMP Type 3 Payload - Src: 203.0.113.200, Dst: 100.64.1.105
table ip NAT {
        chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif "eth0" ip daddr 203.0.113.100 ip daddr set 100.64.1.105 notrack return
        }

        chain postrouting {
                type filter hook postrouting priority raw; policy accept;
                oif "eth0" ip saddr 100.64.1.105 ip saddr set 203.0.113.100 notrack return
        }
}
OS: Void Linux
version: nftables v1.1.0 (Commodore Bullmoose)
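The mismatch described in the report, reconstructed in Python as an added example (this is not code from the report, from nftables or from the kernel). It builds the packets by hand with struct: the internal host 100.64.1.105 sends a UDP datagram, the postrouting rule rewrites its source to 203.0.113.100, the remote host 192.0.2.2 answers with an ICMP destination-unreachable that quotes the translated datagram, and the prerouting rule rewrites only the outer destination. dnat_outer_only() mimics that ruleset; dnat_with_icmp_error() is the behaviour a NAT needs for ICMP errors, translating the embedded IPv4 header too and recomputing the inner IP and ICMP checksums (the quoted transport checksum is left untouched here, a simplification of what a full NAT does). icmp_error_consistent() is the check a receiving host applies: the quoted datagram's source must be the address the error was delivered to. The addresses are the report's; the UDP ports and TTL are constructed sample values.

```python
import socket
import struct

PUBLIC, INTERNAL = "203.0.113.100", "100.64.1.105"  # mapping from the report's ruleset
ICMP_ERROR_TYPES = (3, 4, 5, 11, 12)  # ICMP types whose payload quotes an IPv4 header + 8 bytes
IP_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return ipv4_header(src, dst, proto, len(payload)) + payload


def rewrite_ip_addrs(hdr: bytes, src: str = None, dst: str = None) -> bytes:
    """Return a 20-byte IPv4 header with addresses replaced and the header checksum recomputed."""
    fields = list(struct.unpack(IP_FMT, hdr[:20]))
    if src:
        fields[8] = socket.inet_aton(src)
    if dst:
        fields[9] = socket.inet_aton(dst)
    fields[7] = 0
    raw = struct.pack(IP_FMT, *fields)
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]


def icmp_unreachable(original: bytes, code: int = 3) -> bytes:
    """RFC 792 destination unreachable: type 3, code, checksum, unused word, IP header + 8 bytes."""
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + original[:28]
    return icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]


def dnat_outer_only(pkt: bytes) -> bytes:
    """What the report's prerouting rule does: rewrite only the outer destination."""
    return rewrite_ip_addrs(pkt[:20], dst=INTERNAL) + pkt[20:]


def dnat_with_icmp_error(pkt: bytes) -> bytes:
    """Outer DNAT plus translation of the IPv4 header embedded in an ICMP error."""
    outer = rewrite_ip_addrs(pkt[:20], dst=INTERNAL)
    payload = pkt[20:]
    if pkt[9] == 1 and payload[0] in ICMP_ERROR_TYPES:
        # The quoted datagram left the internal host with PUBLIC as its (SNATed) source,
        # so undo that translation on the embedded header and refresh the ICMP checksum.
        inner = rewrite_ip_addrs(payload[8:28], src=INTERNAL)
        icmp = payload[:2] + b"\x00\x00" + payload[4:8] + inner + payload[28:]
        payload = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return outer + payload


def icmp_error_consistent(pkt: bytes) -> bool:
    """Receiver's check: the embedded datagram's source must be the address this error was sent to."""
    outer_dst = socket.inet_ntoa(pkt[16:20])
    inner_src = socket.inet_ntoa(pkt[40:44])  # 20 (outer IP) + 8 (ICMP) + 12 (inner src offset)
    return outer_dst == inner_src


def verify_checksums(pkt: bytes) -> tuple:
    """(outer IP header checksum valid, ICMP checksum valid)."""
    return checksum(pkt[:20]) == 0, checksum(pkt[20:]) == 0


def scenario() -> tuple:
    """Returns (packet after the report's ruleset, packet after a NAT that mangles ICMP payloads)."""
    # 1. Internal host sends UDP to 192.0.2.2 (constructed ports: 40000 -> 53, length 8, checksum 0).
    orig = build_packet(INTERNAL, "192.0.2.2", 17, struct.pack("!HHHH", 40000, 53, 8, 0))
    # 2. The postrouting rule rewrites the outer source on the way out.
    on_wire = rewrite_ip_addrs(orig[:20], src=PUBLIC) + orig[20:]
    # 3. 192.0.2.2 replies with port unreachable, quoting the packet exactly as it saw it.
    err = build_packet("192.0.2.2", PUBLIC, 1, icmp_unreachable(on_wire))
    # 4. The error enters on eth0 and hits the prerouting rule.
    return dnat_outer_only(err), dnat_with_icmp_error(err)


if __name__ == "__main__":
    broken, fixed = scenario()
    for label, pkt in (("outer only", broken), ("outer + ICMP payload", fixed)):
        print(label, "outer dst", socket.inet_ntoa(pkt[16:20]),
              "inner src", socket.inet_ntoa(pkt[40:44]),
              "consistent", icmp_error_consistent(pkt), "checksums", verify_checksums(pkt))
```

Both outputs carry valid checksums, so nothing on the path flags the outer-only packet as corrupt; the receiving host simply cannot match the quoted datagram to any socket it owns and discards the error, which is the dropped-packet symptom in the report.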