Page MenuHomeFreeBSD
Differential D54166

pf: handle TTL expired during nat64
ClosedPublic
Actions

Authored by kp on Dec 10 2025, 8:04 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, May 22, 1:46 AM
Unknown Object (File)
Wed, May 20, 2:26 AM
Unknown Object (File)
Tue, Apr 28, 1:15 PM
Unknown Object (File)
Tue, Apr 28, 7:23 AM
Unknown Object (File)
Mon, Apr 27, 11:31 PM
Unknown Object (File)
Apr 10 2026, 2:56 AM
Unknown Object (File)
Apr 7 2026, 4:28 AM
Unknown Object (File)
Apr 3 2026, 7:19 PM
View All 46 Files
Subscribers
ae
farrokhi
glebius
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
None
Group Reviewers
network
pfsense
Commits
rG261642478c8e: pf: handle TTL expired during nat64
rGac4fb06d096d: pf: handle TTL expired during nat64
Summary

If the TTL (or hop limit) expires during nat64 translation we may
need to send the error message in the original address family (i.e.
pre-translation).
We'd usually handle this in pf_route()/pf_route6(), but at that point we
have already translated the packet, making it difficult to include it in
the generated ICMP message.

Check for this case in pf_translate_af() and send icmp errors directly
from it.

PR: 291527
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
sys/
net/
1 line
netpfil/
pf/
25 lines
tests/
sys/
netpfil/
pf/
36 lines

Diff 167860

View Options

sys/net/pfvar.h

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...
View Options

tests/sys/netpfil/pf/nat64.py

Loading...