lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 10 Aug 2015 10:39:34 -0700
From:	Cong Wang <xiyou.wangcong@...il.com>
To:	Gerhard Wiesinger <lists@...singer.com>
Cc:	LKML <linux-kernel@...r.kernel.org>,
	Linux Kernel Network Developers <netdev@...r.kernel.org>,
	netfilter-devel@...r.kernel.org
Subject: Re: IPv6 and private net with masquerading not working correctly

(Cc'ing netdev and netfilter-devel)

On Fri, Aug 7, 2015 at 6:00 AM, Gerhard Wiesinger <lists@...singer.com> wrote:
> On 06.08.2015 20:43, Gerhard Wiesinger wrote:
>>
>> Hello,
>>
>> I'm having the following problem with IPv6 and a private internal LAN
>> which will be masqueraded to the public internet (I don't want to have
>> public IPs in the LAN because of some static IPs and tracking) . Rules are
>> generated by shorewall.
>>
>> Problem is that ICMP6 packets source address is not translated by the
>> kernel on the reply when MTU has to be discovered because of too big packets
>> and limited MTU capabilities on the path (happens also on tcp6 which works
>> thereofore not correctly).
>>
>> # From an internal host on net fd00:1234:5678::/64
>> ping6 -s 2000 2a02:1234:5678:7::2
>>
>> /etc/shorewall6/masq
>> EXT_IF                   fc00::/7
>>
>> ip6tables rule:
>> MASQUERADE  all      *      *       fc00::/7             ::/0
>>
>> # Internal interface
>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo
>> request, seq 1, length 1432
>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576)
>> IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too big,
>> mtu 1440, length 1240
>>
>> # External interface
>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6,
>> echo request, seq 1, length 1432
>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576)
>> IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet too
>> big, mtu 1440, length 1240
>>
>> Looks to me like a a major kernel bug.
>> Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22
>>
>> Any ideas?
>>
>
> Any comments?
>
> Ciao,
> Gerhard
>
> --
> http://www.wiesinger.com/
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists