NetBSD Problem Report #50508

From www@NetBSD.org  Wed Dec  9 17:01:13 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id D97E9A664E
	for <gnats-bugs@gnats.NetBSD.org>; Wed,  9 Dec 2015 17:01:12 +0000 (UTC)
Message-Id: <20151209170036.B15F7A6656@mollari.NetBSD.org>
Date: Wed,  9 Dec 2015 17:00:36 +0000 (UTC)
From: scole_mail@gmx.com
Reply-To: scole_mail@gmx.com
To: gnats-bugs@NetBSD.org
Subject: ipnat doesn't work without INET6 kernel option
X-Send-Pr-Version: www-1.0

>Number:         50508
>Category:       kern
>Synopsis:       ipnat doesn't work without INET6 kernel option
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 09 17:05:00 +0000 2015
>Closed-Date:    Thu Nov 29 20:25:07 +0000 2018
>Last-Modified:  Mon Dec 03 05:30:00 +0000 2018
>Originator:     scole_mail
>Release:        NetBSD 7.0 GENERIC
>Organization:
>Environment:
NetBSD dstar 7.0.0_PATCH NetBSD 7.0.0_PATCH (GENERIC) #0: Wed Dec  9 10:55:42 EST 2015  scole@dstar:/usr/src/sys/arch/i386/compile/GENERIC i386

>Description:
ipnat doesn't work without INET6 kernel option:

# /etc/rc.d/ipnat restart
70:ioctl(SIOCGNATS) object size mismatch for copying out ipfobj

FreeBSD used to have a similar bug:
 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190964

It'd be nice to have ipnat without necessarily requiring ipv6 in the kernel.

>How-To-Repeat:
Build GENERIC kernel without INET6, run ipnat.
>Fix:

>Release-Note:

>Audit-Trail:
From: scole_mail@gmx.com
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/50508 ipnat doesn't work without INET6 kernel option
Date: Tue, 24 May 2016 13:44:02 -0400

 It looks like this flag
   #ifdef USE_INET6
 might have to be unset somehow everywhere in
   /src/sys/external/bsd/ipf/netinet/

 To get the same effect without having to recompile a kernel sans
 INET6, I tried to block ipv6 packets in /etc/ipf.conf:

  ########################
  #
  # n.b., last matching rule wins unless line has "quick" keyword
  #

  # block all ipv6
  block in  quick on athn0 family inet6 all
  block out quick on athn0 family inet6 all
  # allow
  pass in from any to any
  pass out from any to any
  #######################

  dstar# ipfstat -io -h -n -6
  19 @1 block out quick on athn0 inet6 all
  16 @2 pass out from any to any
  97 @1 block in quick on athn0 inet6 all
  20 @2 pass in from any to any
  dstar# ipfstat -io -h -n 
  18 @1 pass out from any to any
  24 @1 pass in from any to any

 But that seems to block everything.  My athn0 interface is a dhcp wifi
 ipv4 that works fine until those block lines are added.  Once added, I
 can't reach any external ip upstream on that interface.  I can still
 reach other hosts on my local network through a different re0 interface
 though.

 So it seems like the "family inet6" or "on athn0" flag is not working,
 that packets are still going through ipv6 routing somehow, or I am missing
 something.

 Thanks
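
Added illustration, not part of the report and not ipfilter source: the kind of kernel-side size check that produces an "object size mismatch" error when a tool and a kernel are built with different conditional struct layouts, which is the situation the USE_INET6 remark above points at. All struct and function names are hypothetical, and that this is the cause of the reported failure is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified layouts; these are not the ipfilter structures. */
struct side_stats { uint64_t mapped, failed; };

/* Statistics block as compiled WITH the IPv6 option. */
struct stats_v6 { struct side_stats v4[2]; struct side_stats v6[2]; };
/* The same block as compiled WITHOUT it. */
struct stats_nov6 { struct side_stats v4[2]; };

/* Header the tool hands to the ioctl: destination buffer and the size
 * the tool believes the object has. */
struct obj_hdr { size_t size; void *ptr; };

/* Kernel side: copy out only if the caller's size equals the kernel's own
 * sizeof. Rejecting here is what prevents a short or oversized copy. */
static int copy_out_obj(const struct obj_hdr *hdr, const void *kobj, size_t ksize)
{
    if (hdr->ptr == NULL || hdr->size != ksize)
        return EINVAL;               /* "object size mismatch" */
    memcpy(hdr->ptr, kobj, ksize);
    return 0;
}

/* Simulate a tool that passes user_size to a kernel built without the option. */
static int query_nov6_kernel(size_t user_size)
{
    static const struct stats_nov6 kstats = { { {7, 0}, {3, 1} } }; /* constructed */
    unsigned char buf[sizeof(struct stats_v6)] = {0};
    struct obj_hdr hdr = { user_size, buf };
    return copy_out_obj(&hdr, &kstats, sizeof kstats);
}

int main(void)
{
    printf("tool built with option:    %d\n",
           query_nov6_kernel(sizeof(struct stats_v6)));
    printf("tool built without option: %d\n",
           query_nov6_kernel(sizeof(struct stats_nov6)));
    return 0;
}
```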

From: scole_mail@gmx.com
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/50508 ipnat doesn't work without INET6 kernel option
Date: Fri, 17 Jun 2016 11:02:58 -0400

 I just saw USE_INET6 and MKINET6 flags in "man mk.conf", so I guess the
 whole system and kernel could be rebuilt to skirt this issue.  It would
 be nice if there was a sysctl or some way to disable ipv6 without
 recompiling everything.

 I still think there is an issue with trying to block ipv6 packets
 unintentionally also blocking ipv4 packets.

 Thanks

State-Changed-From-To: open->closed
State-Changed-By: scole@NetBSD.org
State-Changed-When: Thu, 29 Nov 2018 12:25:07 -0800
State-Changed-Why:
closed due to staleness.  networking code has changed a lot so it would be best to open a new PR if this is still an issue


From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, netbsd-bugs@netbsd.org,
    gnats-admin@netbsd.org, scole@NetBSD.org, scole_mail@gmx.com
Subject: re: kern/50508 (ipnat doesn't work without INET6 kernel option)
Date: Mon, 03 Dec 2018 16:28:35 +1100

 scole@NetBSD.org writes:
 > Synopsis: ipnat doesn't work without INET6 kernel option
 >
 > State-Changed-From-To: open->closed
 > State-Changed-By: scole@NetBSD.org
 > State-Changed-When: Thu, 29 Nov 2018 12:25:07 -0800
 > State-Changed-Why:
 > closed due to staleness.  networking code has changed a lot so it would be best to open a new PR if this is still an issue

 i can confirm that INET6-less and ipnat works in -7 and -8.

 ie, this can and should remain closed now.  thanks!


 .mrg.

>Unformatted:
