mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-14 05:56:56 +07:00
d5608a0578
Detect and rewrite a prefix embedded in an ICMPv6 original packet that was rewritten by a corresponding DNPT/SNPT rule so it will be recognised by the host that sent the original packet. Example Rules in effect on the 1:2:3:4::/64 + 5:6:7:8::/64 side router: * SNPT src-pfx 1:2:3:4::/64 dst-pfx 5:6:7:8::/64 * DNPT src-pfx 5:6:7:8::/64 dst-pfx 1:2:3:4::/64 No rules on the 9🅰️b:c::/64 side. 1. 1:2:3:4::1 sends UDP packet to 9🅰️b:c::1 2. Router applies SNPT changing src to 5:6:7:8::ffef::1 3. 9🅰️b:c::1 receives packet with (src 5:6:7:8::ffef::1 dst 9🅰️b:c::1) and replies with ICMPv6 port unreachable to 5:6:7:8::ffef::1, including original packet (src 5:6:7:8::ffef::1 dst 9🅰️b:c::1) 4. Router forwards ICMPv6 packet with (src 9🅰️b:c::1 dst 5:6:7:8::ffef::1) including original packet (src 5:6:7:8::ffef::1 dst 9🅰️b:c::1) and applies DNPT changing dst to 1:2:3:4::1 5. 1:2:3:4::1 receives ICMPv6 packet with (src 9🅰️b:c::1 dst 1:2:3:4::1) including original packet (src 5:6:7:8::ffef::1 dst 9🅰️b:c::1). It doesn't recognise the original packet as the src doesn't match anything it originally sent With this change, at step 4, DNPT will also rewrite the original packet src to 1:2:3:4::1, so at step 5, 1:2:3:4::1 will recognise the ICMPv6 error and provide feedback to the application properly. Conversely, SNPT will help when ICMPv6 errors are sent from the translated network. 1. 9🅰️b:c::1 sends UDP packet to 5:6:7:8::ffef::1 2. Router applies DNPT changing dst to 1:2:3:4::1 3. 1:2:3:4::1 receives packet with (src 9🅰️b:c::1 dst 1:2:3:4::1) and replies with ICMPv6 port unreachable to 9🅰️b:c::1 including original packet (src 9🅰️b:c::1 dst 1:2:3:4::1) 4. Router forwards ICMPv6 packet with (src 1:2:3:4::1 dst 9🅰️b:c::1) including original packet (src 9🅰️b:c::1 dst 1:2:3:4::1) and applies SNPT changing src to 5:6:7:8::ffef::1 5. 9🅰️b:c::1 receives ICMPv6 packet with (src 5:6:7:8::ffef::1 dst 9🅰️b:c::1) including original packet (src 9🅰️b:c::1 dst 1:2:3:4::1). It doesn't recognise the original packet as the dst doesn't match anything it already sent The change to SNPT means the ICMPv6 original packet dst will be rewritten to 5:6:7:8::ffef::1 in step 4, allowing the error to be properly recognised in step 5. Signed-off-by: Michael Zhou <mzhou@cse.unsw.edu.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
---|---|---|
.. | ||
6lowpan | ||
9p | ||
802 | ||
8021q | ||
appletalk | ||
atm | ||
ax25 | ||
batman-adv | ||
bluetooth | ||
bpf | ||
bpfilter | ||
bridge | ||
caif | ||
can | ||
ceph | ||
core | ||
dcb | ||
dccp | ||
decnet | ||
dns_resolver | ||
dsa | ||
ethernet | ||
ethtool | ||
hsr | ||
ieee802154 | ||
ife | ||
ipv4 | ||
ipv6 | ||
iucv | ||
kcm | ||
key | ||
l2tp | ||
l3mdev | ||
lapb | ||
llc | ||
mac80211 | ||
mac802154 | ||
mpls | ||
mptcp | ||
ncsi | ||
netfilter | ||
netlabel | ||
netlink | ||
netrom | ||
nfc | ||
nsh | ||
openvswitch | ||
packet | ||
phonet | ||
psample | ||
qrtr | ||
rds | ||
rfkill | ||
rose | ||
rxrpc | ||
sched | ||
sctp | ||
smc | ||
strparser | ||
sunrpc | ||
switchdev | ||
tipc | ||
tls | ||
unix | ||
vmw_vsock | ||
wimax | ||
wireless | ||
x25 | ||
xdp | ||
xfrm | ||
compat.c | ||
devres.c | ||
Kconfig | ||
Makefile | ||
socket.c | ||
sysctl_net.c |