On 2018-11-27, Arnaud BRAND <arnaud.brand--o...@tib.cc> wrote:
> Good evening everyone,
>
> I am stuck with an IPv6 traceroute problem in an OSPFv3 environment.
>
> Long story short:
> - IPv6 routes are propagated using OSPFv3
> - so they are installed with link-local gateways in the fib
> - ICMPv6 "time exceeded" packets are generated with link-local source
>   address
> - these packets are not to be routed so they do not get past the next
>   hop
> - the endpoint never receives the "time exceeded packets"
>
> This of course is only true if the router generating the icmp packet is
> not the endpoint, but only a hop in the path.
>
> I checked the code (or at least tried to).
> It seems like it's in function icmp6_reflect in file icmp6.c at lines
> 1144/1147.
>
> This code (if I understood it correctly):
> - fetches the route to the destination
> - gets the interface source address for this route
> - uses it as the source for the generated IP packet
>
> As my routes are installed with link-local addresses by OSPFv3, I get a
> generated packet with a link-local source address.
> The problem is when the destination is not on the local subnet: the
> generated packet is unroutable and never makes it to its destination.
>
> Would it be better to try to find another address on the interface that
> is not link-local if the destination address isn't on the interface
> subnets?
> Sadly, I can't provide a patch, sorry, I'm not that skilled in OpenBSD.
>
> I thought of a pf trickery like:
>   pass out quick inet6 proto icmp6 from fe80::/10 to any icmp6-type timex nat-to lo1
> but that won't work because the generated packet itself will be matching
> a state and this rule won't even be evaluated.
>
> Does anyone have an idea how I could get these icmp6 packets to reach
> their destination?
>
> Thanks for your help!
> Arnaud
>

Known problem, no known workaround. I tried hard to find a way to do this with PF but I don't think there is one. bluhm@ pointed out "pf with IPv6 link-local addresses does not work properly. I think it cannot parse the %if suffixes. The KAME hack scope id is not handled" in my previous thread on this (https://marc.info/?t=153875386500001&r=1&w=2).
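
The source selection discussed in this thread, modelled in Python as an added example: it is not OpenBSD's icmp6_reflect code and does not come from either participant. The function names and the 2001:db8:: addresses are constructed for illustration; the first function follows the original poster's reading of the current behaviour, the second the alternative he asks about.

```python
import ipaddress


def source_as_described(gateway, iface_addrs):
    """Poster's reading of the current behaviour: the source is the
    interface address that shares a prefix with the route's gateway."""
    gw = ipaddress.IPv6Address(gateway)
    for a in iface_addrs:
        iface = ipaddress.IPv6Interface(a)
        if gw in iface.network:
            return str(iface.ip)
    return None


def source_as_proposed(dst, iface_addrs):
    """Poster's proposal: avoid a link-local source when the destination
    is not on one of the interface's subnets."""
    dst = ipaddress.IPv6Address(dst)
    ifaces = [ipaddress.IPv6Interface(a) for a in iface_addrs]
    link_local = [i for i in ifaces if i.ip.is_link_local]
    routable = [i for i in ifaces if not i.ip.is_link_local]

    # A link-local destination is on-link by definition, so a
    # link-local source is the right answer.
    if dst.is_link_local:
        return str(link_local[0].ip) if link_local else None
    # Destination inside a connected prefix: use the address in that prefix.
    for i in routable:
        if dst in i.network:
            return str(i.ip)
    # Off-link destination: a link-local source will not be forwarded
    # past the next hop, so prefer any routable address on the interface.
    if routable:
        return str(routable[0].ip)
    # Nothing better is configured; fall back to link-local.
    return str(link_local[0].ip) if link_local else None


if __name__ == "__main__":
    addrs = ["fe80::1/64", "2001:db8:1::1/64"]   # constructed sample interface
    # OSPFv3 installs the route with a link-local gateway (fe80::2 here).
    print("described:", source_as_described("fe80::2", addrs))
    print("proposed: ", source_as_proposed("2001:db8:ffff::10", addrs))
```
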