Package: src:linux
Version: 4.14.13-1~bpo9+1
Severity: normal
Dear Maintainer,
I use Docker for application segregation on a remote server. The host has a
single v4 and a single v6 IP address allocated. On the host system, I have
NAT66 (SNAT, masquerading) setup with the following rules in order to provide
segregated IPv6 connectivity to Docker containers:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all any any anywhere anywhere
ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all any any anywhere anywhere
ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all any docker0 anywhere anywhere
ADDRTYPE match src-type LOCAL
0 0 MASQUERADE all any !docker0 fd00:bee:cafe::/64 anywhere
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
On the standard stretch 4.9.x kernel, NAT66 works just fine as witnessed by
this tcpdump of a ping (note that the 2001:: address is that of the AAAA record
for debian.org):
% sudo tcpdump -i ens3 -n 'not tcp and not udp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:56:24.980979 IP6 2a03:my:machines:v6:addr > 2001:41c8:1000:21::21:4:
ICMP6, echo request, seq 0, length 64
19:56:24.988597 IP6 2001:41c8:1000:21::21:4 > 2a03:my:machines:v6:addr:
ICMP6, echo reply, seq 0, length 64
19:56:25.981716 IP6 2a03:my:machines:v6:addr > 2001:41c8:1000:21::21:4:
ICMP6, echo request, seq 1, length 64
19:56:25.989010 IP6 2001:41c8:1000:21::21:4 > 2a03:my:machines:v6:addr:
ICMP6, echo reply, seq 1, length 64
19:56:26.982894 IP6 2a03:my:machines:v6:addr > 2001:41c8:1000:21::21:4:
ICMP6, echo request, seq 2, length 64
1 9:56:26.990022 IP6 2001:41c8:1000:21::21:4 > 2a03:my:machines:v6:addr:
ICMP6, echo reply, seq 2, length 64
Whilst on the backports kernel 4.14.x, NAT66 fails to rewrite the source
address, and all IPv6 traffic (not just ICMP) fails as a result:
% sudo tcpdump -i ens3 -n 'not tcp and not udp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
20:00:39.711554 IP6 fd00:bee:cafe::242:ac11:2 > 2001:41c8:1000:21::21:4:
ICMP6, echo request, seq 0,length 64
20:00:40.712591 IP6 fd00:bee:cafe::242:ac11:2 > 2001:41c8:1000:21::21:4:
ICMP6, echo request, seq 1,length 64
20:00:41.713768 IP6 fd00:bee:cafe::242:ac11:2 > 2001:41c8:1000:21::21:4:
ICMP6, echo request, seq 2,length 64
20:00:42.714934 IP6 fd00:bee:cafe::242:ac11:2 > 2001:41c8:1000:21::21:4:
ICMP6, echo request, seq 3,length 64
20:00:43.716088 IP6 fd00:bee:cafe::242:ac11:2 > 2001:41c8:1000:21::21:4:
ICMP6, echo request, seq 4,length 64
20:00:44.717264 IP6 fd00:bee:cafe::242:ac11:2 > 2001:41c8:1000:21::21:4:
ICMP6, echo request, seq 5,length 64
The expected behaviour is what is witnessed with kernel 4.9.x - the source
address is rewritten with the outgoing interface address.
Ignoring the Docker aspect of this, the witnessed behaviour can be reproduced
without having to use a container: use 'ping6 -I <my-ula-address> debian.org'.
You'll need to setup some NAT66 rules and create a virtual interface with a ULA
address to simulate the behaviour - this stanza in an interfaces file will
suffice (make sure you have bridge-utils installed):
iface br-nat-virt inet6 static
bridge_ports none
address fd00:bee:f00d:cafe::1/64
And the following NAT66 rule:
ip6tables -A POSTROUTING -s fd00:bee:f00d:cafe::/64 ! -o br-nat-virt -j
MASQUERADE
Then reproduce the behaviour using 'ping6 -I fd00:bee:f00d:cafe::1 debian.org'.
I hope this makes sense. It's not a major biggy, I'm just falling back to using
the non-backports kernel in stretch in the meantime.
Kind regards,
rob.
-- Package-specific info:
** Version:
Linux version 4.14.0-0.bpo.3-amd64 (debian-ker...@lists.debian.org) (gcc
version 6.3.0 20170516 (Debian 6.3.0-18)) #1 SMP Debian 4.14.13-1~bpo9+1
(2018-01-14)
** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.14.0-0.bpo.3-amd64
root=UUID=be3dc831-e7fa-449f-94e9-d302faa31fdb ro rootflags=subvol=ROOT/default
** Not tainted
** Kernel log:
Unable to read kernel log; any relevant messages should be attached
** Model information
sys_vendor: DigitalOcean
product_name: Droplet
product_version: 20171212
chassis_vendor: Bochs
chassis_version:
bios_vendor: DigitalOcean
bios_version: 20171212
** Loaded modules:
xt_nat
xt_tcpudp
veth
ipt_MASQUERADE
nf_nat_masquerade_ipv4
nf_conntrack_netlink
nfnetlink
xfrm_user
xfrm_algo
iptable_nat
nf_conntrack_ipv4
nf_defrag_ipv4
nf_nat_ipv4
iptable_filter
xt_conntrack
br_netfilter
bridge
stp
llc
ip6t_MASQUERADE
nf_nat_masquerade_ipv6
xt_addrtype
ip6table_nat
nf_conntrack_ipv6
nf_defrag_ipv6
nf_nat_ipv6
nf_nat
nf_conntrack
libcrc32c
ip6table_filter
ip6_tables
sb_edac
kvm_intel
kvm
irqbypass
crct10dif_pclmul
crc32_pclmul
qxl
ghash_clmulni_intel
ppdev
ttm
joydev
evdev
button
drm_kms_helper
serio_raw
pcspkr
drm
virtio_balloon
parport_pc
pvpanic
parport
ip_tables
x_tables
autofs4
btrfs
crc32c_generic
xor
zstd_decompress
zstd_compress
xxhash
raid6_pq
ata_generic
crc32c_intel
virtio_blk
virtio_scsi
virtio_net
aesni_intel
aes_x86_64
crypto_simd
cryptd
glue_helper
psmouse
floppy
ata_piix
virtio_pci
virtio_ring
virtio
uhci_hcd
ehci_hcd
i2c_piix4
usbcore
usb_common
libata
scsi_mod
** PCI devices:
not available
** USB devices:
not available
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.14.0-0.bpo.3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages linux-image-4.14.0-0.bpo.3-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.130
ii kmod 23-2
ii linux-base 4.5
Versions of packages linux-image-4.14.0-0.bpo.3-amd64 recommends:
pn apparmor <none>
pn firmware-linux-free <none>
pn irqbalance <none>
Versions of packages linux-image-4.14.0-0.bpo.3-amd64 suggests:
pn debian-kernel-handbook <none>
ii grub-pc 2.02~beta3-5
pn linux-doc-4.14 <none>
Versions of packages linux-image-4.14.0-0.bpo.3-amd64 is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
pn firmware-iwlwifi <none>
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
