lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 25 Oct 2015 08:52:47 +0100 From: Gerhard Wiesinger <lists@...singer.com> To: LKML <linux-kernel@...r.kernel.org>, Linux Kernel Network Developers <netdev@...r.kernel.org>, netfilter-devel@...r.kernel.org Cc: Cong Wang <xiyou.wangcong@...il.com> Subject: Re: IPv6 and private net with masquerading not working correctly Any update on this issue? Thank you. Ciao, Gerhard On 10.08.2015 19:39, Cong Wang wrote: > (Cc'ing netdev and netfilter-devel) > > On Fri, Aug 7, 2015 at 6:00 AM, Gerhard Wiesinger <lists@...singer.com> wrote: >> On 06.08.2015 20:43, Gerhard Wiesinger wrote: >>> Hello, >>> >>> I'm having the following problem with IPv6 and a private internal LAN >>> which will be masqueraded to the public internet (I don't want to have >>> public IPs in the LAN because of some static IPs and tracking) . Rules are >>> generated by shorewall. >>> >>> Problem is that ICMP6 packets source address is not translated by the >>> kernel on the reply when MTU has to be discovered because of too big packets >>> and limited MTU capabilities on the path (happens also on tcp6 which works >>> thereofore not correctly). >>> >>> # From an internal host on net fd00:1234:5678::/64 >>> ping6 -s 2000 2a02:1234:5678:7::2 >>> >>> /etc/shorewall6/masq >>> EXT_IF fc00::/7 >>> >>> ip6tables rule: >>> MASQUERADE all * * fc00::/7 ::/0 >>> >>> # Internal interface >>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo >>> request, seq 1, length 1432 >>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576) >>> IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too big, >>> mtu 1440, length 1240 >>> >>> # External interface >>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, >>> echo request, seq 1, length 1432 >>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576) >>> IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet too >>> big, mtu 1440, length 1240 >>> >>> Looks to me like a a major kernel bug. >>> Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22 >>> >>> Any ideas? >>> >> Any comments? >> >> Ciao, >> Gerhard >> >> -- >> http://www.wiesinger.com/ >> >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in >> the body of a message to majordomo@...r.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html >> Please read the FAQ at http://www.tux.org/lkml/ > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists