Date: Mon, 10 Aug 2015 10:39:34 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Gerhard Wiesinger <lists@...singer.com>
Cc: LKML <linux-kernel@...r.kernel.org>, Linux Kernel Network Developers <netdev@...r.kernel.org>, netfilter-devel@...r.kernel.org
Subject: Re: IPv6 and private net with masquerading not working correctly

(Cc'ing netdev and netfilter-devel)

On Fri, Aug 7, 2015 at 6:00 AM, Gerhard Wiesinger <lists@...singer.com> wrote:
> On 06.08.2015 20:43, Gerhard Wiesinger wrote:
>>
>> Hello,
>>
>> I'm having the following problem with IPv6 and a private internal LAN
>> which will be masqueraded to the public internet (I don't want to have
>> public IPs in the LAN because of some static IPs and tracking). Rules are
>> generated by shorewall.
>>
>> Problem is that ICMP6 packets source address is not translated by the
>> kernel on the reply when MTU has to be discovered because of too big packets
>> and limited MTU capabilities on the path (happens also on tcp6 which works
>> therefore not correctly).
>>
>> # From an internal host on net fd00:1234:5678::/64
>> ping6 -s 2000 2a02:1234:5678:7::2
>>
>> /etc/shorewall6/masq
>> EXT_IF fc00::/7
>>
>> ip6tables rule:
>> MASQUERADE all * * fc00::/7 ::/0
>>
>> # Internal interface
>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo
>> request, seq 1, length 1432
>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576)
>> IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too big,
>> mtu 1440, length 1240
>>
>> # External interface
>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6,
>> echo request, seq 1, length 1432
>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576)
>> IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet too
>> big, mtu 1440, length 1240
>>
>> Looks to me like a major kernel bug.
>> Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22
>>
>> Any ideas?
>>
>
> Any comments?
>
> Ciao,
> Gerhard
>
> --
> http://www.wiesinger.com/