IPv6 and private net with masquerading not working correctly

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* IPv6 and private net with masquerading not working correctly
@ 2015-08-06 16:22 Gerhard Wiesinger
  0 siblings, 0 replies; 5+ messages in thread
From: Gerhard Wiesinger @ 2015-08-06 16:22 UTC (permalink / raw)
  To: shorewall users, linux-kernel

Hello,

I'm having the following problem with IPv6 and a private internal LAN 
which will be masqueraded to the public internet (I don't want to have 
public IPs in the LAN because of some static IPs and tracking) . Rules 
are generated by shorewall.

Problem is that ICMP6 packets source address is not translated by the 
kernel on the reply when MTU has to be discovered because of too big 
packets and limited MTU capabilities on the path (happens also on tcp6 
which works thereofore not correctly).

# From an internal host on net fd00:1234:5678::/64
ping6 -s 2000 2a02:1234:5678:7::2

/etc/shorewall6/masq
EXT_IF                   fc00::/7

ip6tables rule:
MASQUERADE  all      *      *       fc00::/7             ::/0

# Internal interface
IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo 
request, seq 1, length 1432
IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576)
IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too big, 
mtu 1440, length 1240

# External interface
IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, 
echo request, seq 1, length 1432
IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576)
IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet too 
big, mtu 1440, length 1240

Looks to me like a a major kernel bug.
Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22

Any ideas?

Thank you.

Ciao,
Gerhard

^ permalink raw reply	[flat|nested] 5+ messages in thread

* IPv6 and private net with masquerading not working correctly
@ 2015-08-06 18:43 Gerhard Wiesinger
  2015-08-07 13:00 ` Gerhard Wiesinger
  0 siblings, 1 reply; 5+ messages in thread
From: Gerhard Wiesinger @ 2015-08-06 18:43 UTC (permalink / raw)
  To: linux-kernel

Hello,

I'm having the following problem with IPv6 and a private internal LAN 
which will be masqueraded to the public internet (I don't want to have 
public IPs in the LAN because of some static IPs and tracking) . Rules 
are generated by shorewall.

Problem is that ICMP6 packets source address is not translated by the 
kernel on the reply when MTU has to be discovered because of too big 
packets and limited MTU capabilities on the path (happens also on tcp6 
which works thereofore not correctly).

# From an internal host on net fd00:1234:5678::/64
ping6 -s 2000 2a02:1234:5678:7::2

/etc/shorewall6/masq
EXT_IF                   fc00::/7

ip6tables rule:
MASQUERADE  all      *      *       fc00::/7             ::/0

# Internal interface
IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo 
request, seq 1, length 1432
IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576)
IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too big, 
mtu 1440, length 1240

# External interface
IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, 
echo request, seq 1, length 1432
IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576)
IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet too 
big, mtu 1440, length 1240

Looks to me like a a major kernel bug.
Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22

Any ideas?

Thank you.

Ciao,
Gerhard

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: IPv6 and private net with masquerading not working correctly
  2015-08-06 18:43 IPv6 and private net with masquerading not working correctly Gerhard Wiesinger
@ 2015-08-07 13:00 ` Gerhard Wiesinger
  2015-08-10 17:39   ` Cong Wang
  0 siblings, 1 reply; 5+ messages in thread
From: Gerhard Wiesinger @ 2015-08-07 13:00 UTC (permalink / raw)
  To: linux-kernel

On 06.08.2015 20:43, Gerhard Wiesinger wrote:
> Hello,
>
> I'm having the following problem with IPv6 and a private internal LAN 
> which will be masqueraded to the public internet (I don't want to have 
> public IPs in the LAN because of some static IPs and tracking) . Rules 
> are generated by shorewall.
>
> Problem is that ICMP6 packets source address is not translated by the 
> kernel on the reply when MTU has to be discovered because of too big 
> packets and limited MTU capabilities on the path (happens also on tcp6 
> which works thereofore not correctly).
>
> # From an internal host on net fd00:1234:5678::/64
> ping6 -s 2000 2a02:1234:5678:7::2
>
> /etc/shorewall6/masq
> EXT_IF                   fc00::/7
>
> ip6tables rule:
> MASQUERADE  all      *      *       fc00::/7             ::/0
>
> # Internal interface
> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo 
> request, seq 1, length 1432
> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576)
> IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too 
> big, mtu 1440, length 1240
>
> # External interface
> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, 
> echo request, seq 1, length 1432
> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576)
> IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet 
> too big, mtu 1440, length 1240
>
> Looks to me like a a major kernel bug.
> Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22
>
> Any ideas?
>

Any comments?

Ciao,
Gerhard

--
http://www.wiesinger.com/


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: IPv6 and private net with masquerading not working correctly
  2015-08-07 13:00 ` Gerhard Wiesinger
@ 2015-08-10 17:39   ` Cong Wang
  2015-10-25  7:52     ` Gerhard Wiesinger
  0 siblings, 1 reply; 5+ messages in thread
From: Cong Wang @ 2015-08-10 17:39 UTC (permalink / raw)
  To: Gerhard Wiesinger; +Cc: LKML, Linux Kernel Network Developers, netfilter-devel

(Cc'ing netdev and netfilter-devel)

On Fri, Aug 7, 2015 at 6:00 AM, Gerhard Wiesinger <lists@wiesinger.com> wrote:
> On 06.08.2015 20:43, Gerhard Wiesinger wrote:
>>
>> Hello,
>>
>> I'm having the following problem with IPv6 and a private internal LAN
>> which will be masqueraded to the public internet (I don't want to have
>> public IPs in the LAN because of some static IPs and tracking) . Rules are
>> generated by shorewall.
>>
>> Problem is that ICMP6 packets source address is not translated by the
>> kernel on the reply when MTU has to be discovered because of too big packets
>> and limited MTU capabilities on the path (happens also on tcp6 which works
>> thereofore not correctly).
>>
>> # From an internal host on net fd00:1234:5678::/64
>> ping6 -s 2000 2a02:1234:5678:7::2
>>
>> /etc/shorewall6/masq
>> EXT_IF                   fc00::/7
>>
>> ip6tables rule:
>> MASQUERADE  all      *      *       fc00::/7             ::/0
>>
>> # Internal interface
>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo
>> request, seq 1, length 1432
>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576)
>> IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too big,
>> mtu 1440, length 1240
>>
>> # External interface
>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6,
>> echo request, seq 1, length 1432
>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576)
>> IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet too
>> big, mtu 1440, length 1240
>>
>> Looks to me like a a major kernel bug.
>> Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22
>>
>> Any ideas?
>>
>
> Any comments?
>
> Ciao,
> Gerhard
>
> --
> http://www.wiesinger.com/
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: IPv6 and private net with masquerading not working correctly
  2015-08-10 17:39   ` Cong Wang
@ 2015-10-25  7:52     ` Gerhard Wiesinger
  0 siblings, 0 replies; 5+ messages in thread
From: Gerhard Wiesinger @ 2015-10-25  7:52 UTC (permalink / raw)
  To: LKML, Linux Kernel Network Developers, netfilter-devel; +Cc: Cong Wang

Any update on this issue?

Thank you.

Ciao,
Gerhard

On 10.08.2015 19:39, Cong Wang wrote:
> (Cc'ing netdev and netfilter-devel)
>
> On Fri, Aug 7, 2015 at 6:00 AM, Gerhard Wiesinger <lists@wiesinger.com> wrote:
>> On 06.08.2015 20:43, Gerhard Wiesinger wrote:
>>> Hello,
>>>
>>> I'm having the following problem with IPv6 and a private internal LAN
>>> which will be masqueraded to the public internet (I don't want to have
>>> public IPs in the LAN because of some static IPs and tracking) . Rules are
>>> generated by shorewall.
>>>
>>> Problem is that ICMP6 packets source address is not translated by the
>>> kernel on the reply when MTU has to be discovered because of too big packets
>>> and limited MTU capabilities on the path (happens also on tcp6 which works
>>> thereofore not correctly).
>>>
>>> # From an internal host on net fd00:1234:5678::/64
>>> ping6 -s 2000 2a02:1234:5678:7::2
>>>
>>> /etc/shorewall6/masq
>>> EXT_IF                   fc00::/7
>>>
>>> ip6tables rule:
>>> MASQUERADE  all      *      *       fc00::/7             ::/0
>>>
>>> # Internal interface
>>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6, echo
>>> request, seq 1, length 1432
>>> IP6 fd00:1234:5678::9 > 2a02:1234:5678:7::2: frag (1432|576)
>>> IP6 2a02:1234:5678:9abc::115 > fd00:1234:5678::9: ICMP6, packet too big,
>>> mtu 1440, length 1240
>>>
>>> # External interface
>>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (0|1432) ICMP6,
>>> echo request, seq 1, length 1432
>>> IP6 2001:1234:5678:9abc::1 > 2a02:1234:5678:7::2: frag (1432|576)
>>> IP6 2a02:1234:5678:9abc::115 > 2001:1234:5678:9abc::1: ICMP6, packet too
>>> big, mtu 1440, length 1240
>>>
>>> Looks to me like a a major kernel bug.
>>> Kernel version is: 4.1.3-201.fc22.x86_64 from Fedora 22
>>>
>>> Any ideas?
>>>
>> Any comments?
>>
>> Ciao,
>> Gerhard
>>
>> --
>> http://www.wiesinger.com/
>>
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at  http://www.tux.org/lkml/
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2015-10-25  7:52 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-08-06 18:43 IPv6 and private net with masquerading not working correctly Gerhard Wiesinger
2015-08-07 13:00 ` Gerhard Wiesinger
2015-08-10 17:39   ` Cong Wang
2015-10-25  7:52     ` Gerhard Wiesinger
  -- strict thread matches above, loose matches on Subject: below --
2015-08-06 16:22 Gerhard Wiesinger

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox