Page MenuHomeVyOS Platform
Create Task
Maniphest T6403

nat64 input validation required
Closed, ResolvedPublicBUG
Actions

Description

Jool has a _feature_ relating to an underlying RFC6052, that required that buts 64-71 be zero. (ref: https://github.com/NICMx/Jool/issues/174)

If you supply a source prefix that has these lower bits set, then jool will fail to accept the config, but vyos only reports an error.

e.g.

#  compare
+ nat64 {
+     source {
+         rule 10 {
+             source {
+                 prefix "64:2001:db8:101:101::/96"
+             }
+             translation {
+                 pool 10 {
+                     address "192.0.2.1"
+                     port "1-65535"
+                 }
+             }
+         }
+     }
+ }

when you commit, you get an error like this:

# commit comment lol

Failed to set jool instance instance-10

[[nat64]] failed
Commit failed
[edit]

and if you drop to a shell and try to run this yourself, it explains why:

# jool -i instance-10 file handle /run/jool/instance-10.json 
Error: The kernel module returned error 22: The u-bit is nonzero; see https://github.com/NICMx/Jool/issues/174.
Will cancel the operation. Use --force to override this.

could we do some input validation t oreject the commit if the 64-71 bits are non zero?

Details

Version
1.5-rolling-202405240020
Is it a breaking change?
Config syntax change (migratable)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

fatred created this task.May 26 2024, 8:48 PM
dmbaturin triaged this task as High priority.May 27 2024, 7:47 AM
pasik subscribed.May 27 2024, 2:28 PM
talmakion subscribed.Jun 1 2024, 10:56 AM

I've created a quick PR to give sane feedback from the validator: https://github.com/vyos/vyos-1x/pull/3572

Viacheslav changed the task status from Open to In progress.Jun 1 2024, 11:15 AM
Viacheslav assigned this task to talmakion.
Restricted Repository Identity mentioned this in rVYOSONEXe74970c8b1a5: Merge pull request #3572 from talmakion/bugfix/T6403.Jun 3 2024, 1:12 PM
Restricted Repository Identity mentioned this in rVYOSONEX3ad333fc6280: nat64: T6403: validate source prefix for RFC compliance.Jun 3 2024, 1:12 PM
Vijayakumar mentioned this in T6443: fix pr title regex check issue.Jun 3 2024, 7:34 PM
talmakion added a comment.Jun 6 2024, 11:29 PM

@fatred fix should be in the latest rolling, if you'd like to give it a go?

fatred added a comment.Jun 7 2024, 1:47 PM

Will pull that on Sunday and give it a try, thanks!

fatred added a comment.Jun 12 2024, 7:46 PM

confirmed working

# compare
[nat64 source rule]
+ 11 {
+     source {
+         prefix "64:2001:db8:101:101::/96"
+     }
+     translation {
+         pool 11 {
+             address "192.0.2.1"
+             port "1-65535"
+         }
+     }
+ }

[edit]
# commit comment lol

Source NAT64 rule 11 source prefix is not RFC6052-compliant: bits 64 to
71 (9th octet) must be zeroed

[[nat64]] failed
Commit failed
[edit]
fatred closed this task as Resolved.Jun 12 2024, 7:46 PM
fatred awarded a token.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus board.Jun 13 2024, 6:57 AM