Bug 291527 - pf: NAT64 af-to generates garbage ICMP error packet when TTL exceeded
Summary: pf: NAT64 af-to generates garbage ICMP error packet when TTL exceeded
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 16.0-CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Kristof Provost
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-12-09 19:47 UTC by Lexi Winter
Modified: 2025-12-29 10:14 UTC (History)
See Also:


Description Lexi Winter freebsd_committer freebsd_triage 2025-12-09 19:47:11 UTC
tested on main from today (701e4b36b4510c8cf26155ec3ab5aca9b7ba9406), amd64, in a jail.

when using "af-to inet" (NAT64) in pf, and the router originates a TTL exceeded error (e.g., in the first hop of traceroute that reaches the NAT64 router), the generated packet is garbage.

the traceroute packet which causes the error to be originated:

19:44:11.315080 IP6 (hlim 1, next-header ICMPv6 (58) payload length: 20) fd00:0:0:1::c > 64:ff9b::101:101: [icmp6 sum ok] ICMP6, echo request, id 6279, seq 1

the packet generated by the router:

19:44:11.315144 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 48) fe80::2 > 101:0:a00:1:101:101:800:df77: [icmp6 sum ok] ICMP6, unknown icmp6 type (11), length 48
        0x0000:  0b00 5509 0000 0000 4500 0028 5a61 0000
        0x0010:  0101 0000 0a00 0001 0101 0101 0800 df77
        0x0020:  1887 0001 0000 0000 0000 0000 0000 0000

pf.conf:

----o<----
pass in
pass out

pass in on nat64b inet6 from any to 64:ff9b::/96 af-to inet from 10.0.0.1/32
----o<----


rc.conf:

----o<----
ifconfig_nat64b="inet 10.0.0.1/32"
ifconfig_nat64b_ipv6="inet6 fe80::2/64"
ipv6_defaultrouter="fe80::1%nat64b"
defaultrouter="-inet6 $ipv6_defaultrouter"

pf_enable=YES
----o<----
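As an added illustration (not part of the bug report or of the pf fix), the following Python decodes the ICMPv6 payload from the hex dump above: the type 11 (time exceeded) error carries the already-translated IPv4 packet (10.0.0.1 > 1.1.1.1, echo id 6279) where RFC 4443 requires the original IPv6 packet, and the embedded IPv4 destination is mapped back through the 64:ff9b::/96 prefix from pf.conf to the 64:ff9b::101:101 the probe was sent to. The function names are mine; the byte string is constructed from the dump.

```python
import ipaddress

# Constructed from the three hex-dump lines of the garbage packet in the report:
# the ICMPv6 payload (8-byte error header + embedded packet); outer IPv6 header omitted.
GARBAGE_ICMP6_PAYLOAD = bytes.fromhex(
    "0b00 5509 0000 0000 4500 0028 5a61 0000"
    "0101 0000 0a00 0001 0101 0101 0800 df77"
    "1887 0001 0000 0000 0000 0000 0000 0000"
)
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # the af-to prefix from pf.conf


def nat64_to_ipv4(addr6):
    """Recover the IPv4 address embedded in a 64:ff9b::/96 address (RFC 6052 /96 form)."""
    a = ipaddress.IPv6Address(addr6)
    if a not in NAT64_PREFIX:
        raise ValueError(f"{addr6} is not inside {NAT64_PREFIX}")
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


def ipv4_to_nat64(addr4):
    """Embed an IPv4 address in the NAT64 prefix (the reverse of nat64_to_ipv4)."""
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(ipaddress.IPv4Address(addr4)))


def check_icmp6_error(payload):
    """Decode an ICMPv6 error and report whether the invoking packet it embeds is IPv6."""
    if len(payload) < 8 + 20:
        raise ValueError("payload too short for an ICMPv6 error with an embedded header")
    inner = payload[8:]                  # bytes after the 8-byte ICMPv6 error header
    version = inner[0] >> 4              # RFC 4443: must be 6; this bug copies in the IPv4 packet
    f = {"type": payload[0], "code": payload[1], "inner_version": version, "ok": version == 6}
    if version == 4:
        ihl = (inner[0] & 0x0F) * 4
        f["inner_ttl"], f["inner_proto"] = inner[8], inner[9]
        f["inner_src"] = str(ipaddress.IPv4Address(inner[12:16]))
        f["inner_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
        # what the error should have referenced: the pre-translation IPv6 destination
        f["original_dst6"] = str(ipv4_to_nat64(f["inner_dst"]))
        if f["inner_proto"] == 1 and len(inner) >= ihl + 8:   # translated ICMP echo inside
            f["inner_icmp_type"] = inner[ihl]
            f["inner_icmp_id"] = int.from_bytes(inner[ihl + 4:ihl + 6], "big")
            f["inner_icmp_seq"] = int.from_bytes(inner[ihl + 6:ihl + 8], "big")
    return f


if __name__ == "__main__":
    for k, v in check_icmp6_error(GARBAGE_ICMP6_PAYLOAD).items():
        print(f"{k}: {v}")
```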
Comment 1 Lexi Winter freebsd_committer freebsd_triage 2025-12-11 06:08:29 UTC
can confirm that the patch from D54166 fixes the problem on both main and 15.0:

# traceroute6 64:ff9b::185.73.44.14
traceroute6 to 64:ff9b::185.73.44.14 (64:ff9b::b949:2c0e) from fd00:0:0:1::e, 64 hops max, 28 byte packets
 1  amaranth.le-fay.org (2001:ba8:4015:100::2)  0.038 ms  0.025 ms  0.024 ms
 2  primrose.le-fay.org (fd00:0:0:1::f)  0.078 ms  0.039 ms  0.063 ms
 3  amaranth.ipv4.le-fay.org (64:ff9b::b949:2c4a)  0.073 ms  0.049 ms  0.035 ms
 4  x12a.jump.net.uk (64:ff9b::b949:2c34)  0.079 ms  0.075 ms  0.065 ms
 5  e4b.jump.net.uk (64:ff9b::c299:a914)  0.217 ms
    e4a.jump.net.uk (64:ff9b::c299:a90b)  0.239 ms
    e4b.jump.net.uk (64:ff9b::c299:a914)  0.161 ms
 6  x13a.jump.net.uk (64:ff9b::b949:2c1e)  0.175 ms  0.145 ms  0.109 ms
 7  www.jump.net.uk (64:ff9b::b949:2c0e)  0.333 ms  0.216 ms  0.164 ms
Comment 2 commit-hook freebsd_committer freebsd_triage 2025-12-11 10:36:50 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ac4fb06d096d6308b9522f454b68fbfc45bb8531

commit ac4fb06d096d6308b9522f454b68fbfc45bb8531
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-12-10 16:27:51 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-12-11 09:25:33 +0000

    pf: handle TTL expired during nat64

    If the TTL (or hop limit) expires during nat64 translation we may
    need to send the error message in the original address family (i.e.
    pre-translation).
    We'd usually handle this in pf_route()/pf_route6(), but at that point we
    have already translated the packet, making it difficult to include it in
    the generated ICMP message.

    Check for this case in pf_translate_af() and send icmp errors directly
    from it.

    PR:             291527
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D54166

 sys/net/pfvar.h               |  1 -
 sys/netpfil/pf/pf.c           | 25 ++++++++++++++++++++-----
 tests/sys/netpfil/pf/nat64.py | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 6 deletions(-)
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2025-12-12 17:41:02 UTC
^Triage: committed via D54166.
Comment 4 commit-hook freebsd_committer freebsd_triage 2025-12-29 10:14:14 UTC
A commit in branch stable/15 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=261642478c8e796679103612c41064f0ac78d13d

commit 261642478c8e796679103612c41064f0ac78d13d
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-12-10 16:27:51 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-12-29 06:54:56 +0000

    pf: handle TTL expired during nat64

    If the TTL (or hop limit) expires during nat64 translation we may
    need to send the error message in the original address family (i.e.
    pre-translation).
    We'd usually handle this in pf_route()/pf_route6(), but at that point we
    have already translated the packet, making it difficult to include it in
    the generated ICMP message.

    Check for this case in pf_translate_af() and send icmp errors directly
    from it.

    PR:             291527
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D54166

    (cherry picked from commit ac4fb06d096d6308b9522f454b68fbfc45bb8531)

 sys/net/pfvar.h               |  1 -
 sys/netpfil/pf/pf.c           | 25 ++++++++++++++++++++-----
 tests/sys/netpfil/pf/nat64.py | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 6 deletions(-)