Project

General

Profile

Actions

Bug #6991

closed

IPv6 traffic hitting a rule with policy routing and NPt fails/disappears

Added by Jim Pingle almost 8 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
12/06/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4
Affected Architecture:
All

Description

IPv6 NPt on its own works, and IPv6 policy routing on its own works, but if traffic hits a rule that sets it on a path that would do both, the traffic never exits the firewall.

Example (made up addresses -- real ones available upon request):
NPt on WAN for internal xxxx:yyyy:2::0/64 to external wwww:zzzz:2::0/64
WAN_GW6 is wwww:zzzz:1::1

Example Rule on LAN:

WAN_GW6 = " route-to ( gif0 wwww:zzzz:1::1 ) " 
pass  in  quick  on $LAN $WAN_GW6 inet6 from any to any keep state

With the gateway on the rule, traffic enters and a state is present on the LAN interface only

igb0_vlan40 ipv6-icmp 2001:470:1f11:ssss:ssss:ssss:ssss:ssss[61473] <- xxxx:yyyy:2::7[61473]       NO_TRAFFIC:NO_TRAFFIC
   age 00:00:06, expires in 00:00:10, 7:0 pkts, 392:0 bytes, rule 290
   id: 0100000058471e69 creatorid: 285c14c6

Without the gateway on the rule, traffic enters and exits and NPt is shown on the exiting state

igb0_vlan40 ipv6-icmp 2001:470:1f11:ssss:ssss:ssss:ssss:ssss[19877] <- xxxx:yyyy:2::7[19877]       NO_TRAFFIC:NO_TRAFFIC
   age 00:00:04, expires in 00:00:07, 2:2 pkts, 112:112 bytes, rule 290
   id: 0100000058471da9 creatorid: d4262046
gif0 ipv6-icmp wwww:zzzz:2::7[19877] (xxxx:yyyy:2::7[19877]) -> 2001:470:1f11:ssss:ssss:ssss:ssss:ssss[19877]       NO_TRAFFIC:NO_TRAFFIC
   age 00:00:04, expires in 00:00:07, 2:2 pkts, 112:112 bytes, rule 117
   id: 0100000058471daa creatorid: d4262046

The combination worked without issue on 2.3.x and earlier versions.

Actions #1

Updated by Luiz Souza almost 8 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle almost 8 years ago

  • Status changed from Feedback to Resolved

Seems to work fine. Rules that resulted in no traffic passing before now pass traffic as expected.

Actions #3

Updated by Luiz Souza over 7 years ago

  • Status changed from Resolved to Feedback
  • Assignee changed from Luiz Souza to Jim Pingle

Our initial fix was reverted in favour of the upstream fix. This need to be tested again.

Actions #4

Updated by Jim Pingle over 7 years ago

  • Status changed from Feedback to Resolved

Looks OK. Traffic hitting rules that failed before the first fix works OK still.

Actions

Also available in: Atom PDF