Feature #7741

warn me when shooting myself in the foot with NPt

Added by Adam Thompson over 3 years ago. Updated 25 days ago.

Status: Resolved
Priority: Low
Category: Rules / NAT
Target version:
Start date: 07/31/2017
Due date:
% Done: 100%
Estimated time:

Description

When one configures IPv6 NPt (network prefix translation) to use a public prefix that does overlap with the interface's own address/prefix, IPv6 suddenly stops working in surprisingly mysterious and hard-to-troubleshoot ways.
While this misconfiguration is clearly user error, it would have saved me about 6-7hrs of troubleshooting if this were either disallowed or a warning of some sort were emitted. I very much doubt I'm the only person who will ever make this mistake.

(FYI: it's hard to troubleshoot because no packets get blocked, no [visible] rule counters get incremented, the packets show up in tcpdump, and yet everything fails because NDP adjacency now fails! So there are no hints to the poor sap troubleshooting this until they finally try "pfctl -d" in desperation. I'm not sure how the average user without deep IPv6 knowledge would ever find this.)
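
The check requested above can be sketched as follows. This is an added example, not the code from the merged revision or from pfSense itself; the config field names and the sample prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample config (documentation and ULA prefixes); the field names
# are assumptions for this example, not pfSense's config schema.
INTERFACES = {
    "wan": ["198.51.100.2/24", "2001:db8:0:1::2/64"],
    "wan2": ["2001:db8:100::1/48"],
}
NPT_RULES = [
    {"descr": "lan-ok", "interface": "wan",
     "internal": "fd00:1::/64", "external": "2001:db8:0:2::/64"},
    {"descr": "lan-bad", "interface": "wan",
     "internal": "fd00:2::/64", "external": "2001:db8:0:1::/64"},
    {"descr": "dmz-bad", "interface": "wan2",
     "internal": "fd00:3::/64", "external": "2001:db8:100:5::/64"},
]


def npt_overlap_findings(rules, interfaces):
    """Return (rule, interface address, kind) for each NPt external prefix
    that overlaps an IPv6 address/prefix on the rule's own interface."""
    findings = []
    for rule in rules:
        ext = ipaddress.ip_network(rule["external"], strict=True)
        for cidr in interfaces.get(rule["interface"], []):
            own = ipaddress.ip_interface(cidr)
            if own.version != ext.version:
                continue  # IPv4 addresses cannot overlap an IPv6 prefix
            if own.ip in ext:
                # The interface's own address falls inside the NPt prefix
                kind = "address-inside-prefix"
            elif ext.overlaps(own.network):
                # Address is outside, but the on-link prefix still overlaps
                kind = "prefix-overlap"
            else:
                continue
            findings.append((rule["descr"], cidr, kind))
    return findings


if __name__ == "__main__":
    for descr, cidr, kind in npt_overlap_findings(NPT_RULES, INTERFACES):
        print(f"WARNING: NPt rule {descr!r} overlaps {cidr} ({kind})")
```

Running the check when the rule is saved, rather than at packet time, gives the operator a visible hint where the firewall itself would otherwise give none.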

Associated revisions

Revision 0dc5aeaa (diff)
Added by Viktor Gurov about 1 month ago

NPT prefix overlap validation. Issue #7741

History

#1 Updated by Jim Pingle about 1 year ago

  • Category set to Rules / NAT

#3 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

#4 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#5 Updated by Steve Beaver 25 days ago

  • Status changed from Feedback to Resolved
