Date:      Wed, 26 Jun 2019 13:23:58 +0200
From:      "Patrick M. Hausen" <hausen@punkt.de>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, mops@punkt.de
Subject:   Re: IPFW NAT64 changed 11.2 --> 11.3?
Message-ID:  <C8B5D541-C064-49FC-9E3E-27993721D1D3@punkt.de>
In-Reply-To: <A15270D2-08F6-49F9-8201-E2935381F122@punkt.de>
References:  <950200A8-6D36-46FE-B0DD-BA6EA860FEB7@punkt.de> <71dacccb-2500-6d7e-c890-2733d15fbbe5@yandex.ru> <F475ACC5-71CD-4C62-9E63-3F206A305F34@punkt.de> <76d0fb6a-28cb-4411-acb0-12f9ebe9b1f0@yandex.ru> <A15270D2-08F6-49F9-8201-E2935381F122@punkt.de>

Hi all,

> On 26.06.2019 at 12:28, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
>
> On 26.06.2019 13:10, Patrick M. Hausen wrote:
>> tcpdump will take some more time, currently we do not have /dev/bpf in these jails.
>
> So, nat64_direct_output didn't help?
> Does `ipfw nat64lsn NAT64 list states` show correct addresses?

No, it didn’t. Yes, the IPv4 addresses shown are the external addresses
of these „gate64“ jails.

See:

13:06:28.205602 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2a00:b580:8000:12:40f9:d4:cd11:d68c > 64:ff9b::9765:7085: [icmp6 sum ok] ICMP6, echo request, seq 0
13:06:28.205611 IP (tos 0x0, ttl 63, id 25804, offset 0, flags [DF], proto ICMP (1), length 36)
    217.29.40.145 > 151.101.112.133: ICMP echo request, id 1024, seq 0, length 16
13:06:28.207853 IP (tos 0x0, ttl 58, id 53557, offset 0, flags [none], proto ICMP (1), length 36)
    151.101.112.133 > 217.29.40.145: ICMP echo reply, id 1024, seq 0, length 16
13:06:28.207861 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) d91d:2891::9765:7085 > 2a00:b580:8000:12:40f9:d4:cd11:d68c: [icmp6 sum ok] ICMP6, echo reply, seq 0
13:06:29.268095 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2a00:b580:8000:12:40f9:d4:cd11:d68c > 64:ff9b::9765:7085: [icmp6 sum ok] ICMP6, echo request, seq 1
13:06:29.268106 IP (tos 0x0, ttl 63, id 18866, offset 0, flags [DF], proto ICMP (1), length 36)
    217.29.40.145 > 151.101.112.133: ICMP echo request, id 1024, seq 1, length 16
13:06:29.270335 IP (tos 0x0, ttl 58, id 53653, offset 0, flags [none], proto ICMP (1), length 36)
    151.101.112.133 > 217.29.40.145: ICMP echo reply, id 1024, seq 1, length 16
13:06:29.270340 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) d91d:2891::9765:7085 > 2a00:b580:8000:12:40f9:d4:cd11:d68c: [icmp6 sum ok] ICMP6, echo reply, seq 1

So the IPv4 echo and reply exchange looks good. Then the packet is
forwarded to IPv6 with an entirely bogus (AFAIK) IPv6 source address.

Interestingly the host portion of the address that should be nat64 is identical,
but the prefix - where does it get that idea?

Now for TCP things look like this:

13:13:28.285846 IP6 (flowlabel 0x03c68, hlim 64, next-header TCP (6) payload length: 40) 2a00:b580:8000:12:40f9:d4:cd11:d68c.36162 > 64:ff9b::9765:7085.80: Flags [S], cksum 0xf517 (correct), seq 1579275858, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2313075246 ecr 0], length 0
13:13:28.285855 IP (tos 0x0, ttl 63, id 62854, offset 0, flags [DF], proto TCP (6), length 60)
    217.29.40.145.1025 > 151.101.112.133.80: Flags [S], cksum 0xc1a9 (correct), seq 1579275858, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2313075246 ecr 0], length 0
13:13:28.288071 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    151.101.112.133.80 > 217.29.40.145.1025: Flags [S.], cksum 0xd68d (correct), seq 4085564593, ack 1579275859, win 28960, options [mss 1460,sackOK,TS val 12042469 ecr 2313075246,nop,wscale 9], length 0
13:13:28.288078 IP6 (hlim 57, next-header TCP (6) payload length: 40) ::200:0:50:e689:9765:7085.80 > 2a00:b580:8000:12:40f9:d4:cd11:d68c.36162: Flags [S.], cksum 0x2122 (correct), seq 4085564593, ack 1579275859, win 28960, options [mss 1460,sackOK,TS val 12042469 ecr 2313075246,nop,wscale 9], length 0
13:13:29.291084 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    151.101.112.133.80 > 217.29.40.145.1025: Flags [S.], cksum 0xd592 (correct), seq 4085564593, ack 1579275859, win 28960, options [mss 1460,sackOK,TS val 12042720 ecr 2313075246,nop,wscale 9], length 0
13:13:29.291093 IP6 (hlim 57, next-header TCP (6) payload length: 40) ::151.101.112.133.80 > 2a00:b580:8000:12:40f9:d4:cd11:d68c.36162: Flags [S.], cksum 0x0901 (correct), seq 4085564593, ack 1579275859, win 28960, options [mss 1460,sackOK,TS val 12042720 ecr 2313075246,nop,wscale 9], length 0
13:13:31.311090 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    151.101.112.133.80 > 217.29.40.145.1025: Flags [S.], cksum 0xd399 (correct), seq 4085564593, ack 1579275859, win 28960, options [mss 1460,sackOK,TS val 12043225 ecr 2313075246,nop,wscale 9], length 0
13:13:31.311099 IP6 (hlim 57, next-header TCP (6) payload length: 40) ::151.101.112.133.80 > 2a00:b580:8000:12:40f9:d4:cd11:d68c.36162: Flags [S.], cksum 0x0708 (correct), seq 4085564593, ack 1579275859, win 28960, options [mss 1460,sackOK,TS val 12043225 ecr 2313075246,nop,wscale 9], length 0

So (3rd line) the SYN/ACK arrives with correct IPv4 addresses then gets
forwarded with a source address of

	:200:0:50:e689:9765:7085 instead of 64:ff9b::9765:7085

Then we have another SYN/ACK (retransmit, identical sequence number and ACK)
forwarded with yet another source address:

	::151.101.112.133


BTW, config of the physical interface is:

ifconfig_bnxt0="-rxcsum -rxcsum6 -txcsum -txcsum6 -vlanhwtag -vlanhwtso up"
cloned_interfaces="bridge0 bridge1"
ifconfig_bridge0_name="inet0"
ifconfig_inet0="addm bnxt0 up"
ifconfig_inet0_ipv6="inet6 2a00:b580:8000:12:40f9:00d4:cd11:d68c/64 auto_linklocal"


Thanks,
Patrick
-- 
punkt.de GmbH			Internet - Dienstleistungen - Beratung
Kaiserallee 13a			Tel.: 0721 9109-0 Fax: -100
76133 Karlsruhe			info@punkt.de	http://punkt.de
AG Mannheim 108285		Gf: Juergen Egeling
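
Added example, not part of the original message or of the ipfw code: a Python check that compares the IPv6 source addresses of the translated replies in the capture above with the RFC 6052 address for the 64:ff9b::/96 prefix, and reports where the known IPv4 addresses sit inside each observed address. The function names are hypothetical; the addresses are copied from the capture.

```python
import ipaddress

# NAT64 prefix and IPv4 addresses as they appear in the capture in this message.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
KNOWN_V4 = {"nat external": "217.29.40.145", "remote host": "151.101.112.133"}

def embed(v4, prefix=NAT64_PREFIX):
    """RFC 6052 embedding for a /96 prefix: IPv4 address in the low 32 bits."""
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def find_v4(v6, known=KNOWN_V4):
    """Return {bit_offset: label} for known IPv4 addresses found in v6,
    scanning every 16-bit-aligned 32-bit window."""
    value = int(ipaddress.IPv6Address(v6))
    by_int = {int(ipaddress.IPv4Address(a)): label for label, a in known.items()}
    hits = {}
    for offset in range(0, 97, 16):
        window = (value >> (96 - offset)) & 0xFFFFFFFF
        if window in by_int:
            hits[offset] = by_int[window]
    return hits

def check_reply_source(observed, remote_v4, prefix=NAT64_PREFIX):
    """Compare the IPv6 source of a translated reply with the RFC 6052 address."""
    obs = ipaddress.IPv6Address(observed)
    expected = embed(remote_v4, prefix)
    return {
        "observed": str(obs),
        "expected": str(expected),
        "ok": obs == expected,
        "in_prefix": obs in prefix,
        "embedded_v4": find_v4(observed),
    }

if __name__ == "__main__":
    # IPv6 source addresses of the translated replies, copied from the capture.
    for src in ("d91d:2891::9765:7085",
                "::200:0:50:e689:9765:7085",
                "::151.101.112.133"):
        print(check_reply_source(src, "151.101.112.133"))
```

For the ICMP reply the first 32 bits of the observed source decode to 217.29.40.145, the external IPv4 address of the NAT64 jail, while the low 32 bits hold the remote host as expected.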


