From owner-freebsd-ipfw@freebsd.org Sun Oct 20 21:00:52 2019
From: bugzilla-noreply@FreeBSD.org
To: ipfw@FreeBSD.org
Subject: Problem reports for ipfw@FreeBSD.org that need special attention
Date: Sun, 20 Oct 2019 21:00:51 +0000
Message-Id: <201910202100.x9KL0pL6018644@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
New         |    215875 | [ipfw] ipfw lookup tables do not support mbuf_tag
New         |    232764 | [ipfw] share/examples/ipfw/change_rules.sh: Suppo

2 problems total for which you should take action.

From owner-freebsd-ipfw@freebsd.org Fri Oct 25 14:57:27 2019
From: Marco van Tol <marco@tols.org>
To: freebsd-ipfw@freebsd.org
Subject: nat64lsn first hop in traceroute has a source ip of the final host
Date: Fri, 25 Oct 2019 16:57:15 +0200
Message-Id: <898BCDF8-EA5C-49C1-B159-7FCEEBD47B4F@tols.org>

Hi there,

I set up a NAT64 gateway on a FreeBSD 11.3-RELEASE-p3 host using the
following config:

-----
#!/bin/sh

fwcmd="/sbin/ipfw"
# IPv4 pool the nat64lsn instance translates into; the IPv6 side uses the
# RFC 6052 well-known prefix.
nat64_v4="193.0.31.240/28"
nat64_pfx_v6="64:ff9b::/96"
# ICMPv6 neighbor solicitation / advertisement, which must not be translated.
icmp6ns=135
icmp6na=136

# Load the NAT64 module if it is not already present.
kldstat -q -m ipfw_nat64 || kldload ipfw_nat64

${fwcmd} -f flush
${fwcmd} nat64lsn NAT64 create prefix4 $nat64_v4
${fwcmd} add allow icmp6 from any to any icmp6types $icmp6ns,$icmp6na
# v6 -> v4: traffic for the synthesized prefix; v4 -> v6: return traffic to the pool.
${fwcmd} add nat64lsn NAT64 ip from any to $nat64_pfx_v6 in
${fwcmd} add nat64lsn NAT64 ip from any to $nat64_v4 in
${fwcmd} add allow ip from any to any
-----

This all works great in that the guests have no IPv4 any more, and from
their point of view the entire world has migrated to IPv6-only.

There is only one quirk, and that is that the first hop in a traceroute
towards a synthesized address reports as being sent from the destination,
like this:

-----
[me@mylaptop ~]traceroute6 -w1 -n 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  64:ff9b::808:808  1.732 ms  2.166 ms  2.198 ms
 2  64:ff9b::c100:605  2.131 ms  2.308 ms  3.216 ms
 3  64:ff9b::50f9:d0f7  3.115 ms  4.114 ms  3.657 ms
 4  64:ff9b::6caa:f1c1  3.892 ms
    64:ff9b::6caa:f1a1  4.034 ms  5.465 ms
 5  64:ff9b::6caa:ec87  5.895 ms
    64:ff9b::480e:eef5  4.412 ms
    64:ff9b::d8ef:310d  4.358 ms
 6  64:ff9b::808:808  4.418 ms  3.498 ms  3.247 ms
-----

As you can see the first hop already claims to be from 64:ff9b::808:808
(or 64:ff9b::8.8.8.8).

When I do a traceroute6 to a normal destination, the first hop reports
correctly, like this:

-----
[me@mylaptop ~]traceroute6 -w1 -n dns.google
traceroute6 to dns.google (2001:4860:4860::8844) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  2001:67c:64:49::1:2  2.627 ms  2.053 ms  2.576 ms
 2  2001:67c:2e8:26::5  1.905 ms  3.936 ms  3.472 ms
 3  2001:7f8:1::a501:5169:1  5.384 ms  8.982 ms  3.920 ms
 4  2001:4860:0:f8b::1  11.778 ms
    2001:4860:0:f8c::1  3.224 ms  5.524 ms
 5  2001:4860:0:1::1485  4.232 ms
    2001:4860:0:1::1c7d  21.334 ms  4.589 ms
 6  2001:4860:4860::8844  2.762 ms  2.173 ms  3.222 ms
-----

This does not break traceroute6, but it does break things like mtr.

Is there a way to change this behaviour so that traceroutes to
synthesized addresses also report to be coming from the router IP on the
first hop?

Thank you very much in advance!

-- 
Marco van Tol
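The traceroute output above can be checked mechanically. What follows is an added example, not code from Marco's post or from the ipfw project: it parses `traceroute6 -n` output, maps every 64:ff9b::/96 responder back to the IPv4 router it was synthesized from (RFC 6052, /96 prefix: the IPv4 address is the low 32 bits), and flags any hop that already answers with the destination address before the final hop, which is exactly the symptom that confuses a tool that treats "the destination answered" as "path complete". The sample input is the first traceroute from the post; the function names are this example's own.

```python
import ipaddress
import re

# RFC 6052 well-known prefix, the same prefix the nat64lsn instance in the post uses.
WKP = ipaddress.IPv6Network("64:ff9b::/96")

# Copied from the traceroute6 run in the post above (the command line is included
# deliberately so the parser has to find the header itself).
SAMPLE = """[me@mylaptop ~]traceroute6 -w1 -n 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  64:ff9b::808:808  1.732 ms  2.166 ms  2.198 ms
 2  64:ff9b::c100:605  2.131 ms  2.308 ms  3.216 ms
 3  64:ff9b::50f9:d0f7  3.115 ms  4.114 ms  3.657 ms
 4  64:ff9b::6caa:f1c1  3.892 ms  64:ff9b::6caa:f1a1  4.034 ms  5.465 ms
 5  64:ff9b::6caa:ec87  5.895 ms  64:ff9b::480e:eef5  4.412 ms  64:ff9b::d8ef:310d  4.358 ms
 6  64:ff9b::808:808  4.418 ms  3.498 ms  3.247 ms
"""

HEADER_RE = re.compile(r"^traceroute6? to \S+ \(([0-9a-fA-F:.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def embedded_ipv4(addr):
    """IPv4 address embedded in a 64:ff9b::/96 NAT64 address, or None if not synthesized."""
    a = addr if isinstance(addr, ipaddress.IPv6Address) else ipaddress.IPv6Address(addr)
    if a not in WKP:
        return None
    # With a /96 prefix the embedded IPv4 address is simply the low 32 bits.
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


def parse_traceroute6(text):
    """Parse `traceroute6 -n` output into (destination, [(hop, [responder addrs])])."""
    dest = None
    hops = []
    for line in text.splitlines():
        if dest is None:
            m = HEADER_RE.match(line)
            if m:
                dest = ipaddress.IPv6Address(m.group(1))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        addrs = []
        for tok in m.group(2).split():
            # Only tokens that parse as IPv6 addresses are responders;
            # RTT values, "ms" and "*" all fail to parse and are skipped.
            try:
                a = ipaddress.IPv6Address(tok)
            except ValueError:
                continue
            if a not in addrs:
                addrs.append(a)
        hops.append((int(m.group(1)), addrs))
    if dest is None:
        raise ValueError("no traceroute6 header line found")
    return dest, hops


def premature_destination_hops(dest, hops):
    """Hop numbers, other than the last, whose responder is the destination itself.

    In the post hop 1 answers as 64:ff9b::808:808 although the probe never reached
    8.8.8.8: the gateway's own ICMPv6 time-exceeded is carrying the target's address.
    """
    last = hops[-1][0]
    return [h for h, addrs in hops if h != last and dest in addrs]


def ipv4_path(hops):
    """Map each hop's responders back to the IPv4 routers they were synthesized from."""
    out = []
    for h, addrs in hops:
        names = []
        for a in addrs:
            v4 = embedded_ipv4(a)
            names.append(str(v4) if v4 is not None else str(a))
        out.append((h, names))
    return out


if __name__ == "__main__":
    dest, hops = parse_traceroute6(SAMPLE)
    for h, names in ipv4_path(hops):
        print(h, " ".join(names))
    print("hops answering as the destination before the end:",
          premature_destination_hops(dest, hops))
```

Run against the post's output this prints the IPv4 path behind the synthesized addresses (193.0.6.5, 80.249.208.247, 108.170.241.193 ... 8.8.8.8) and reports hop 1 as answering with the destination address; against the dns.google traceroute it reports nothing, since no hop there is inside 64:ff9b::/96 and only the last hop carries the destination.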