Hello misc@,
I currently have a VM running as a NAT64 gateway.
It is running OpenBSD 5.3 with the vio stability patch.
I have the following pf.conf:
pass in inet6 proto { tcp, udp, icmp6 } from <network> to <pref64> \
    af-to inet from $ipv4_addr
While this works fine in one environment, the same VM
moved to a different host doesn't work properly.
Specifically, packets are matched by the rule, I can see them
leave the interface with tcpdump, but I never receive a response
from the remote host.
While investigating the issue, I noticed that when sending a ping
from a host behind the NAT64 gateway, the IPv4 packet sent contains
the DF (don't fragment) flag.
I am suspecting the host might be blackholing all packets having the
DF flag set,
which is why the translation won't work there.
I have the two questions below:
- Is this behavior expected? It affects all IPv4 packets created.
- Is there a way to clear the DF flag on the packet created by the af-to rule?
I have tried adding the following rule after the pass:
match out scrub (no-df)
But to no success. I added the 'log' keyword but it seems the match
rule is never matched.
Thanks,
Marios
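As an added illustration (this is editor-supplied example code, not something from the mail above or from OpenBSD's pf), the Python below models the IPv6-to-IPv4 header translation that RFC 6145 section 5.1 specifies, which is the scheme af-to style NAT64 follows: an IPv6 packet with no Fragment Header becomes an IPv4 packet with DF set and identification 0, while a packet carrying a Fragment Header becomes an IPv4 packet with DF clear. It also shows what clearing DF on an already-built IPv4 header involves (the flag bit plus a checksum recompute), which is the effect a scrub (no-df) would have if it were applied. The prefix 64:ff9b::/96 and the address 192.0.2.1 are stand-ins for <pref64> and $ipv4_addr; the packets are constructed inline, not captured.

```python
import struct
import ipaddress

# Stand-ins for the macros in the pf.conf above (assumed values for the example).
PREF64 = ipaddress.IPv6Network("64:ff9b::/96")
IPV4_SRC = "192.0.2.1"

IPV4_DF = 0x4000  # Don't Fragment bit in the IPv4 flags/offset field
IPV4_MF = 0x2000  # More Fragments bit
IPV6_NH_FRAGMENT = 44
IPPROTO_ICMPV6 = 58
IPPROTO_ICMP = 1


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, next_header: int, hop_limit: int,
               payload: bytes, fragment_header: bool = False) -> bytes:
    """Constructed IPv6 packet; optionally prepends an atomic Fragment Header."""
    if fragment_header:
        # Fragment Header: next header, reserved, offset/M flag (0), identification
        payload = struct.pack("!BBHI", next_header, 0, 0, 0x12345678) + payload
        next_header = IPV6_NH_FRAGMENT
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields of an IPv4 header that matter here (as one would read off tcpdump -x)."""
    _, tos, total_len, ident, frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "df": bool(frag & IPV4_DF), "mf": bool(frag & IPV4_MF), "offset": frag & 0x1FFF,
        "ident": ident, "ttl": ttl, "proto": proto, "checksum_ok": ipv4_checksum(pkt[:20]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }


def translate_6to4(pkt6: bytes, ipv4_src: str = IPV4_SRC) -> bytes:
    """IPv6 -> IPv4 header translation per RFC 6145 section 5.1 (ICMP body rewriting omitted)."""
    ver_tc_fl, _, nh, hlim, _, dst = struct.unpack("!IHBB16s16s", pkt6[:40])
    payload = pkt6[40:]
    if nh == IPV6_NH_FRAGMENT:
        # Fragment Header present: DF is cleared, MF/offset and low 16 bits of ID are carried over.
        proto, _, off_flags, ident6 = struct.unpack("!BBHI", payload[:8])
        payload = payload[8:]
        flags = (IPV4_MF if off_flags & 1 else 0) | (off_flags >> 3)
        ident4 = ident6 & 0xFFFF
    else:
        # No Fragment Header: RFC 6145 says set DF=1 and identification 0. This is the case
        # the mail above observes for every translated packet.
        proto, flags, ident4 = nh, IPV4_DF, 0
    if proto == IPPROTO_ICMPV6:
        proto = IPPROTO_ICMP
    dst6 = ipaddress.IPv6Address(dst)
    if dst6 not in PREF64:
        raise ValueError("destination not inside the NAT64 prefix")
    dst4 = ipaddress.IPv4Address(dst6.packed[-4:])  # embedded IPv4 address (/96 prefix)
    tos = (ver_tc_fl >> 20) & 0xFF                  # IPv6 traffic class -> IPv4 TOS
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident4, flags, hlim,
                      proto, 0, ipaddress.IPv4Address(ipv4_src).packed, dst4.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def clear_df(pkt4: bytes) -> bytes:
    """Clear DF on an IPv4 packet and fix the header checksum (the effect of scrub (no-df))."""
    ihl = (pkt4[0] & 0x0F) * 4
    hdr = bytearray(pkt4[:ihl])
    frag = struct.unpack("!H", hdr[6:8])[0] & ~IPV4_DF & 0xFFFF
    hdr[6:8] = struct.pack("!H", frag)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt4[ihl:]


if __name__ == "__main__":
    echo = b"\x80\x00\x00\x00\x00\x01\x00\x01" + b"A" * 16  # constructed ICMPv6 echo request body
    pkt6 = build_ipv6("2001:db8::10", "64:ff9b::c633:6401", IPPROTO_ICMPV6, 64, echo)
    pkt4 = translate_6to4(pkt6)
    print("translated:", parse_ipv4(pkt4))
    print("after clear_df:", parse_ipv4(clear_df(pkt4)))
```

Run it and the first line shows df=True for the plain IPv6 packet, exactly what tcpdump reports on the outbound IPv4 side in the mail; only an IPv6 packet that carried a Fragment Header translates with DF clear.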