Date: Fri, 7 Aug 2015 15:00:38 +0200
From: Gerhard Wiesinger <lists@...singer.com>
To: linux-kernel@...r.kernel.org
Subject: Re: IPv6 and private net with masquerading not working correctly

On 06.08.2015 20:43, Gerhard Wiesinger wrote:
> Hello,
>
> I'm having the following problem with IPv6 and a private internal LAN
> which will be masqueraded to the public internet (I don't want to have
> public IPs in the LAN because of some static IPs and tracking). Rules
> are generated by shorewall.
>
> Problem is that ICMP6 packets source address is not translated by the
> kernel on the reply when MTU has to be discovered because of too big
> packets and limited MTU capabilities on the path (happens also on tcp6
> which works therefore not correctly).
>
> # From an internal host on net fd00:1234:5678::/64
> ping6 -s 2000 2a02:1234:5678:7::2
>
> /etc/shorewall6/masq
> EXT_IF fc00::/7
>
> ip6tables rule:
> MASQUERADE all * * fc00::/7 ::/0
>
> # Internal interface
> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo
> request, seq 1, length 1432
> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576)
> IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too
> big, mtu 1440, length 1240
>
> # External interface
> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6,
> echo request, seq 1, length 1432
> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576)
> IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet
> too big, mtu 1440, length 1240
>
> Looks to me like a major kernel bug.
> Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22
>
> Any ideas?
>

Any comments?

Ciao,
Gerhard

--
http://www.wiesinger.com/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/