Crash when using v4 SNAT/Masquerade in a SOHO routing scenario

[fuero]

Sorry if I missed something in the docs. Nonetheless, if this is something I skipped over or missed, it's still a bug IMO that the kernel just crashes.

On to the details:

I'm trying to use Jool on my router (CentOS Linux release 7.6.1810 (Core), Jool 4.0.4)

It has a WAN interface with v4 connectivity and a 6in4 tunnel, with a /48 prefix delegated. On the LAN interface, theres the v4 192.168.1.0/24 segment. The router is set up to do SNAT/Masquerading for the IPv4 hosts behind it (using nftables).

I've set up jool with:

modprobe jool
jool instance add --netfilter --pool6 <48-prefix>:2::/96

From outside my home network, I ping one of my boxes with:

ping <48-prefix>:2::192.168.1.7

This crashes the kernel immediately. Doesn't matter if I use iptables or netfilter.

I've investigated the issue, once I remove the IPv4 masquerading config it no longer dies but doesn't do anything.

Here's one of the crash dmesg outputs (the one where I used iptables in tandem with nftables):

[ 7376.696832] NAT64 Jool: NAT64 Jool v4.0.4.0 module inserted.
[ 7413.949717] NAT64 Jool: Created instance 'default'.
[ 7460.229073] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 7585.183165] BUG: unable to handle kernel NULL pointer dereference at 00000000000001d0
[ 7585.183189] IP: [<ffffffffc0b86ad2>] get_unique_tuple+0x82/0x670 [nf_nat]
[ 7585.183211] PGD 0 
[ 7585.183217] Oops: 0000 [#1] SMP 
[ 7585.183226] Modules linked in: iptable_mangle ip6table_mangle ip6_tables jool(OE) iptable_filter sit tunnel4 ip_tunnel vxlan 8021q garp mrp stp llc ip_vs nft_nat nft_masq_ipv4 nf_nat_masquerade_ipv4 nft_masq nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_meta nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 nf_defrag_ipv4 nft_ct nf_conntrack libcrc32c nft_hash nft_rbtree nf_tables_inet nf_tables_ipv6 nf_tables_ipv4 nf_tables(T) nfnetlink intel_powerclamp vfat coretemp intel_rapl fat kvm_intel kvm irqbypass crc32_pclmul snd_hda_codec_hdmi snd_soc_skl snd_soc_skl_ipc snd_hda_ext_core snd_hda_codec_realtek snd_soc_sst_dsp snd_soc_sst_ipc snd_soc_acpi snd_hda_codec_generic ghash_clmulni_intel snd_soc_core snd_compress snd_hda_intel snd_hda_codec snd_hda_core
[ 7585.183349]  snd_hwdep snd_seq snd_seq_device aesni_intel lrw gf128mul glue_helper ablk_helper cryptd snd_pcm wdat_wdt pcspkr i2c_i801 snd_timer i2c_designware_platform idma64 i2c_designware_core snd virt_dma soundcore pinctrl_geminilake pinctrl_intel ip_tables ext4 mbcache jbd2 i915 i2c_algo_bit iosf_mbi drm_kms_helper ahci sdhci_pci crct10dif_pclmul syscopyarea crct10dif_common libahci sysfillrect crc32c_intel sysimgblt cqhci fb_sys_fops sdhci serio_raw mmc_core drm libata r8169 nvme mii nvme_core drm_panel_orientation_quirks video dm_mirror dm_region_hash dm_log dm_mod wireguard(OE) ip6_udp_tunnel udp_tunnel
[ 7585.183487] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G           OE  ------------ T 3.10.0-957.27.2.el7.x86_64 #1
[ 7585.183519] Hardware name: HARDKERNEL ODROID-H2/ODROID-H2, BIOS 5.13 05/10/2019
[ 7585.183547] task: ffffa0907a356180 ti: ffffa0907a378000 task.ti: ffffa0907a378000
[ 7585.183575] RIP: 0010:[<ffffffffc0b86ad2>]  [<ffffffffc0b86ad2>] get_unique_tuple+0x82/0x670 [nf_nat]
[ 7585.183611] RSP: 0018:ffffa0937fd83530  EFLAGS: 00010246
[ 7585.183628] RAX: 00000000000001d0 RBX: ffffa0937fd835f0 RCX: ffffa0929ebb9680
[ 7585.183645] RDX: 000000000000003a RSI: ffffa0937fd835c8 RDI: 0000000000000000
[ 7585.183662] RBP: ffffa0937fd835b8 R08: ffffa09361e9d568 R09: ffffa0937fd835c8
[ 7585.183679] R10: ffffffff993119c0 R11: ffffa09237980000 R12: ffffa0937fd83678
[ 7585.183695] R13: 0000000000000000 R14: ffffffff993119c0 R15: ffffa0929ebb9680
[ 7585.183714] FS:  0000000000000000(0000) GS:ffffa0937fd80000(0000) knlGS:0000000000000000
[ 7585.183742] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7585.183758] CR2: 00000000000001d0 CR3: 0000000338610000 CR4: 0000000000340fe0
[ 7585.183776] Call Trace:
[ 7585.183793]  <IRQ> 
[ 7585.183808]  [<ffffffff9881bd89>] ? ___slab_alloc+0x209/0x4f0
[ 7585.183853]  [<ffffffffc0b21737>] ? nf_ct_invert_tuple+0x77/0x90 [nf_conntrack]
[ 7585.183888]  [<ffffffffc0b8714c>] nf_nat_setup_info+0x8c/0x320 [nf_nat]
[ 7585.183924]  [<ffffffffc0c224f4>] ? find_bib_session6+0x284/0x7e0 [jool]
[ 7585.183948]  [<ffffffffc0b87437>] __nf_nat_alloc_null_binding+0x57/0x80 [nf_nat]
[ 7585.183982]  [<ffffffffc0b87481>] nf_nat_alloc_null_binding+0x21/0x30 [nf_nat]
[ 7585.184015]  [<ffffffffc0b9378e>] nf_nat_ipv4_fn+0x1be/0x230 [nf_nat_ipv4]
[ 7585.184037]  [<ffffffffc0b8e020>] ? nft_nat_ipv4_out+0x20/0x20 [nft_chain_nat_ipv4]
[ 7585.184070]  [<ffffffffc0b938d8>] nf_nat_ipv4_out+0x48/0xf0 [nf_nat_ipv4]
[ 7585.184092]  [<ffffffffc0b8e018>] nft_nat_ipv4_out+0x18/0x20 [nft_chain_nat_ipv4]
[ 7585.184126]  [<ffffffff98c7a528>] nf_iterate+0x98/0xe0
[ 7585.184146]  [<ffffffff98c7a618>] nf_hook_slow+0xa8/0x110
[ 7585.184166]  [<ffffffff98c8ad6e>] ip_output+0xce/0xe0
[ 7585.184186]  [<ffffffff98c8a260>] ? __ip_append_data.isra.51+0xa50/0xa50
[ 7585.184221]  [<ffffffffc0c2e667>] sendpkt_send+0x187/0x290 [jool]
[ 7585.184254]  [<ffffffffc0c2e8a4>] core_common+0x74/0xe0 [jool]
[ 7585.184285]  [<ffffffffc0c2eb4a>] core_6to4+0x10a/0x160 [jool]
[ 7585.184322]  [<ffffffffc0c29d1b>] target_ipv6+0x4b/0x90 [jool]
[ 7585.184344]  [<ffffffffc0c57af3>] ip6t_do_table+0x2d3/0x6d0 [ip6_tables]
[ 7585.184365]  [<ffffffff987550b0>] ? kfree_call_rcu+0x20/0x30
[ 7585.184402]  [<ffffffffc0b2b87d>] ? __nf_ct_ext_add_length+0x10d/0x1a0 [nf_conntrack]
[ 7585.184434]  [<ffffffff986a15d7>] ? local_bh_enable+0x17/0x20
[ 7585.184467]  [<ffffffffc0b23f56>] ? init_conntrack+0x326/0x590 [nf_conntrack]
[ 7585.184489]  [<ffffffffc0c4b057>] ip6table_mangle_hook+0x57/0x190 [ip6table_mangle]
[ 7585.184521]  [<ffffffff98c7a528>] nf_iterate+0x98/0xe0
[ 7585.184540]  [<ffffffff98c7a618>] nf_hook_slow+0xa8/0x110
[ 7585.184560]  [<ffffffff98d0137a>] ipv6_rcv+0x43a/0x540
[ 7585.184578]  [<ffffffff98d00990>] ? ip6_make_skb+0x1e0/0x1e0
[ 7585.184600]  [<ffffffff98c3b579>] __netif_receive_skb_core+0x729/0xa10
[ 7585.184620]  [<ffffffff98c3c588>] ? napi_gro_receive+0xd8/0x100
[ 7585.184639]  [<ffffffff98c3b878>] __netif_receive_skb+0x18/0x60
[ 7585.184658]  [<ffffffff98c3c83e>] process_backlog+0xae/0x180
[ 7585.184678]  [<ffffffff98c3bf1f>] net_rx_action+0x26f/0x390
[ 7585.184698]  [<ffffffff986a2155>] __do_softirq+0xf5/0x280
[ 7585.184719]  [<ffffffff98d7a32c>] call_softirq+0x1c/0x30
[ 7585.184739]  [<ffffffff9862e675>] do_softirq+0x65/0xa0
[ 7585.184758]  [<ffffffff986a24d5>] irq_exit+0x105/0x110
[ 7585.184777]  [<ffffffff98d7b606>] do_IRQ+0x56/0xf0
[ 7585.184798]  [<ffffffff98d6d362>] common_interrupt+0x162/0x162
[ 7585.184814]  <EOI> 
[ 7585.184825]  [<ffffffff98bb06c7>] ? cpuidle_enter_state+0x57/0xd0
[ 7585.184856]  [<ffffffff98bb081e>] cpuidle_idle_call+0xde/0x230
[ 7585.184876]  [<ffffffff986366de>] arch_cpu_idle+0xe/0xc0
[ 7585.184896]  [<ffffffff986fd7ba>] cpu_startup_entry+0x14a/0x1e0
[ 7585.184918]  [<ffffffff986580d7>] start_secondary+0x1f7/0x270
[ 7585.184938]  [<ffffffff986000d5>] start_cpu+0x5/0x14
[ 7585.184954] Code: 85 fc 01 00 00 41 0f b6 41 12 41 0f b6 51 26 45 85 ed 48 8b 3c c5 c0 a1 b8 c0 48 8b 04 c5 40 a1 b8 c0 48 8d 04 d0 48 89 7c 24 28 <4c> 8b 30 0f 85 be 05 00 00 41 f6 04 24 14 0f 84 0a 02 00 00 49 
[ 7585.185079] RIP  [<ffffffffc0b86ad2>] get_unique_tuple+0x82/0x670 [nf_nat]
[ 7585.185102]  RSP <ffffa0937fd83530>
[ 7585.185117] CR2: 00000000000001d0

Here's one with just netfilter involved:

[ 5150.957276] NAT64 Jool: NAT64 Jool v4.0.4.0 module inserted.
[ 5151.752298] NAT64 Jool: Created instance 'default'.
[ 5160.147288] BUG: unable to handle kernel NULL pointer dereference at 00000000000001d0
[ 5160.147312] IP: [<ffffffffc0949ad2>] get_unique_tuple+0x82/0x670 [nf_nat]
[ 5160.147333] PGD 0 
[ 5160.147339] Oops: 0000 [#1] SMP 
[ 5160.147348] Modules linked in: jool(OE) sit tunnel4 ip_tunnel nft_nat nft_masq_ipv4 nf_nat_masquerade_ipv4 nft_masq nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_meta nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 nf_defrag_ipv4 nft_ct nft_hash nft_rbtree nf_tables_inet nf_tables_ipv6 nf_tables_ipv4 vxlan nf_tables(T) nfnetlink 8021q garp mrp stp llc ip_vs nf_conntrack libcrc32c intel_powerclamp coretemp intel_rapl kvm_intel kvm irqbypass crc32_pclmul snd_hda_codec_hdmi vfat ghash_clmulni_intel fat snd_hda_codec_realtek snd_soc_skl snd_hda_codec_generic snd_soc_skl_ipc snd_hda_ext_core snd_soc_sst_dsp snd_soc_sst_ipc snd_soc_acpi snd_soc_core snd_compress snd_hda_intel snd_hda_codec aesni_intel lrw gf128mul glue_helper ablk_helper cryptd snd_hda_core
[ 5160.147504]  snd_hwdep snd_seq snd_seq_device wdat_wdt idma64 virt_dma pcspkr i2c_designware_platform i2c_i801 i2c_designware_core snd_pcm snd_timer snd soundcore pinctrl_geminilake pinctrl_intel ip_tables ext4 mbcache jbd2 i915 i2c_algo_bit iosf_mbi drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops sdhci_pci crct10dif_pclmul crct10dif_common cqhci sdhci ahci drm crc32c_intel mmc_core serio_raw libahci libata r8169 nvme mii nvme_core drm_panel_orientation_quirks video dm_mirror dm_region_hash dm_log dm_mod wireguard(OE) ip6_udp_tunnel udp_tunnel [last unloaded: jool]
[ 5160.147686] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G           OE  ------------ T 3.10.0-957.27.2.el7.x86_64 #1
[ 5160.147717] Hardware name: HARDKERNEL ODROID-H2/ODROID-H2, BIOS 5.13 05/10/2019
[ 5160.147746] task: ffff9068fa356180 ti: ffff9068fa378000 task.ti: ffff9068fa378000
[ 5160.147774] RIP: 0010:[<ffffffffc0949ad2>]  [<ffffffffc0949ad2>] get_unique_tuple+0x82/0x670 [nf_nat]
[ 5160.147809] RSP: 0018:ffff906bffd836e8  EFLAGS: 00010246
[ 5160.147826] RAX: 00000000000001d0 RBX: ffff906bffd837a8 RCX: ffff906bb5fd97c0
[ 5160.147843] RDX: 000000000000003a RSI: ffff906bffd83780 RDI: 0000000000000000
[ 5160.147860] RBP: ffff906bffd83770 R08: ffff906bea8663e8 R09: ffff906bffd83780
[ 5160.147877] R10: ffffffffaf7119c0 R11: 0000000000000000 R12: ffff906bffd83830
[ 5160.147894] R13: 0000000000000000 R14: ffffffffaf7119c0 R15: ffff906bb5fd97c0
[ 5160.147912] FS:  0000000000000000(0000) GS:ffff906bffd80000(0000) knlGS:0000000000000000
[ 5160.147940] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5160.147957] CR2: 00000000000001d0 CR3: 0000000283e10000 CR4: 0000000000340fe0
[ 5160.147974] Call Trace:
[ 5160.147991]  <IRQ> 
[ 5160.148008]  [<ffffffffc08e85af>] ? nft_do_chain+0x4ef/0x530 [nf_tables]
[ 5160.148054]  [<ffffffffc071a737>] ? nf_ct_invert_tuple+0x77/0x90 [nf_conntrack]
[ 5160.148088]  [<ffffffffc094a14c>] nf_nat_setup_info+0x8c/0x320 [nf_nat]
[ 5160.148125]  [<ffffffffc09f24f4>] ? find_bib_session6+0x284/0x7e0 [jool]
[ 5160.148148]  [<ffffffffc094a437>] __nf_nat_alloc_null_binding+0x57/0x80 [nf_nat]
[ 5160.148180]  [<ffffffffc094a481>] nf_nat_alloc_null_binding+0x21/0x30 [nf_nat]
[ 5160.148213]  [<ffffffffc095678e>] nf_nat_ipv4_fn+0x1be/0x230 [nf_nat_ipv4]
[ 5160.148234]  [<ffffffffc0951020>] ? nft_nat_ipv4_out+0x20/0x20 [nft_chain_nat_ipv4]
[ 5160.148265]  [<ffffffffc09568d8>] nf_nat_ipv4_out+0x48/0xf0 [nf_nat_ipv4]
[ 5160.148286]  [<ffffffffc0951018>] nft_nat_ipv4_out+0x18/0x20 [nft_chain_nat_ipv4]
[ 5160.148321]  [<ffffffffaf07a528>] nf_iterate+0x98/0xe0
[ 5160.148341]  [<ffffffffaf07a618>] nf_hook_slow+0xa8/0x110
[ 5160.148362]  [<ffffffffaf08ad6e>] ip_output+0xce/0xe0
[ 5160.148382]  [<ffffffffaf08a260>] ? __ip_append_data.isra.51+0xa50/0xa50
[ 5160.148417]  [<ffffffffc09fe667>] sendpkt_send+0x187/0x290 [jool]
[ 5160.148449]  [<ffffffffc09fe8a4>] core_common+0x74/0xe0 [jool]
[ 5160.148480]  [<ffffffffc09feb4a>] core_6to4+0x10a/0x160 [jool]
[ 5160.148505]  [<ffffffffaec20000>] ? kmem_cache_close+0x30/0x300
[ 5160.148540]  [<ffffffffc09f99fd>] hook_ipv6+0x3d/0x80 [jool]
[ 5160.148560]  [<ffffffffaf07a528>] nf_iterate+0x98/0xe0
[ 5160.148580]  [<ffffffffaf07a618>] nf_hook_slow+0xa8/0x110
[ 5160.148600]  [<ffffffffaf10137a>] ipv6_rcv+0x43a/0x540
[ 5160.148618]  [<ffffffffaf100990>] ? ip6_make_skb+0x1e0/0x1e0
[ 5160.148640]  [<ffffffffaf03b579>] __netif_receive_skb_core+0x729/0xa10
[ 5160.148660]  [<ffffffffaf03c588>] ? napi_gro_receive+0xd8/0x100
[ 5160.148680]  [<ffffffffaf03b878>] __netif_receive_skb+0x18/0x60
[ 5160.148699]  [<ffffffffaf03c83e>] process_backlog+0xae/0x180
[ 5160.148719]  [<ffffffffaf03bf1f>] net_rx_action+0x26f/0x390
[ 5160.148740]  [<ffffffffaeaa2155>] __do_softirq+0xf5/0x280
[ 5160.148762]  [<ffffffffaf17a32c>] call_softirq+0x1c/0x30
[ 5160.148782]  [<ffffffffaea2e675>] do_softirq+0x65/0xa0
[ 5160.148801]  [<ffffffffaeaa24d5>] irq_exit+0x105/0x110
[ 5160.148820]  [<ffffffffaf17b606>] do_IRQ+0x56/0xf0
[ 5160.148841]  [<ffffffffaf16d362>] common_interrupt+0x162/0x162
[ 5160.148857]  <EOI> 
[ 5160.148869]  [<ffffffffaefb06c7>] ? cpuidle_enter_state+0x57/0xd0
[ 5160.148899]  [<ffffffffaefb081e>] cpuidle_idle_call+0xde/0x230
[ 5160.148919]  [<ffffffffaea366de>] arch_cpu_idle+0xe/0xc0
[ 5160.148939]  [<ffffffffaeafd7ba>] cpu_startup_entry+0x14a/0x1e0
[ 5160.148961]  [<ffffffffaea580d7>] start_secondary+0x1f7/0x270
[ 5160.148981]  [<ffffffffaea000d5>] start_cpu+0x5/0x14
[ 5160.148997] Code: 85 fc 01 00 00 41 0f b6 41 12 41 0f b6 51 26 45 85 ed 48 8b 3c c5 c0 d1 94 c0 48 8b 04 c5 40 d1 94 c0 48 8d 04 d0 48 89 7c 24 28 <4c> 8b 30 0f 85 be 05 00 00 41 f6 04 24 14 0f 84 0a 02 00 00 49 
[ 5160.149122] RIP  [<ffffffffc0949ad2>] get_unique_tuple+0x82/0x670 [nf_nat]
[ 5160.149144]  RSP <ffff906bffd836e8>
[ 5160.149159] CR2: 00000000000001d0

[ydahhrk]

Thanks.

Any chance you could provide the nftables configuration? Sorry; can't say I've needed to interface with the nftables client before.

Even if it has placeholder IP addresses or whatever. My email is in my profile, if you want to keep it private.

[ydahhrk]

BTW: Judging by the first stack trace, this might be the same bug as #279. There's apparently some workaround for it.

(But I'd still like to patch it properly.)

[fuero]

It's pretty straight-forward if only nat is relevant:

table ip nat {
    chain prerouting {
        type nat hook prerouting priority filter; policy accept;
        tcp dport xxxx iifname "<wan-iface>" dnat to 192.168.0.4
    }

    chain postrouting {
        type nat hook postrouting priority filter; policy accept;
        oifname "<wan-iface>" masquerade
    }
}

[ydahhrk]

It's pretty straight-forward if only nat is relevant:

I'm just hoping.

Ok, working...

[ydahhrk]

Can't reproduce yet. It really baffles me because, given that you don't have any nftables rules matching ICMP, I'd expect the ping to be completely untouched by the masquerading. Unless nftables performs some sort of evil ICMP magic behind the scenes.

There are a few things I haven't tried, but I do have a few questions:

• If your private network is 192.168.1, then why are you DNATting to 192.168.0?
• Any special reasons why you're using priority filter? (Which I think is the same as priority 0) I think SNAT is normally 100, and DNAT is -100. (But this is probably irrelevant.)

once I remove the IPv4 masquerading config it no longer dies but doesn't do anything.

• What does "doesn't do anything" mean? All pings fail, even if they are not NATted? Why would a normal NAT64'd ping to an internal box fail?
• What's the intended packet flow? This is how I'm imagining it:
  1. Random IPv6 node writes packet 2001:db8::4 -> <48-prefix>:2::192.168.1.7. (This packet gets tunneled, but I'm not caring about this for now.)
  2. Packet arrives to router. Jool translates packet into 192.168.1.1 -> 192.168.1.7 (Assuming 192.168.1.1 is the router's address.)
  3. nftables translates that into 192.168.1.1 -> 192.168.0?.4 during postrouting.
  4. Packet arrives to internal node. Internal node answers 192.168.0?.4 -> 192.168.1.1
  5. Presumably, masquerading kicks in before Jool (I need to confirm if this is actually the case, though, because both of them happen during prerouting), so nftables changes that into 192.168.1.7 -> 192.168.1.1
  6. Jool translates that back into <48-prefix>:2::192.168.1.7 -> 2001:db8::4

Are we on the same page?

[fuero]

Sorry for the confusion, I messed up replacing the IP address in my nftables listing - it's supposed to be 192.168.1.7 of course. I've sent a copy of my firewall and network config to you via email.

I'll try to recreate this in a VM-Lab setting.

[ydahhrk]

Hypothesis

This crash is being caused by IPv6 connection tracking data reaching the IPv4 NAT code. (Most likely, they are inherently incompatible with each other.)

Rationale

(Note: I can't find an HTTP-available copy of CentOS's kernel source, so I'm linking kernel code to Linux 4.10 on LXR. I found it to be close enough to the version of the CentOS code I'm reading.)

To create the IPv4 version of an IPv6 packet, Jool 4 uses pskb_copy.

pskb_copy -> __pskb_copy -> __pskb_copy_fclone -> copy_skb_header -> __copy_skb_header -> __nf_copy

__nf_copy copies the nfct ("Netfilter Connection") information from the source (IPv6) packet to the "destination" (resulting, IPv4) packet.

Later on, Linux's NAT code infers a nf_conn object from nfct.

nf_nat_ipv4_fn -> nf_nat_alloc_null_binding -> __nf_nat_alloc_null_binding -> nf_nat_setup_info

nf_nat_setup_info infers a "tuple" object (curr_tuple) from the connection object...

nf_nat_setup_info -> get_unique_tuple -> __nf_nat_l4proto_find

...whose layer-3 protocol number is later used to dereference ~a layer-3 protocol NAT object~ an array of layer-4 protocol NAT objects. nf_nat_l4protos[family] is probably the NULL pointer that's causing the crash; there's no such thing as an IPv6 NAT implementation.

Thoughts

This has a pretty good chance of being the bug. It matches the stack trace and explains why I've had so much trouble reproducing it: My setup is completely clean of IPv6 connection tracking noise, and some level of it is required to non-zeroize nfct.

And even if it's not the cause of the bug, I do think that Jool should clear nfct instead of copying it. Whatever iptables/nftables does to the packet before reaching Jool is protocol-specific, so it should probably not survive the translation.

The downside is that zeroizing nfct will probably prevent you from chaining NAT and NAT64 the way you want. A cleared nfct means that the NAT code will short-circuit out early.

Chaining NAT and NAT64 would probably be possible if you enclose them in different network namespaces, though. I don't know how much of a pain it would be to configure.

Roadmap

I'll try ~clearing~ setting nfct manually. If it crashes, I will upload a commit that will zeroize nfct after pskb_copy (along with a bunch of reference counting stuff that I can already tell needs to be done). If this prevents the crash, I think we're done.

[ydahhrk]

ALL RIGHT. Finally managed to reproduce it. Wasn't so hard; I was just being a freaking idiot. All it takes is modprobing nf_conntrack_ipv6 and chaining an SNAT to Jool.

My hypothesis was correct, though the solution was not. I fixed it in the last commit, and it's already collapsed into master. Will probably release Jool 4.0.5 in a few days.

I'm still not sure if chaining Jool to an SNAT in the same namespace will yield the behavior you want, but at least it shouldn't crash anymore.

To recapitulate:

Jool is clearing the conntrack information now, which is needed by NAT. It does this because the conntrack information is Layer 3 protocol dependent. Althogh I'm not sure if this completely nullifies Jool's compatibility with NAT, because NAT appears to initialize lazily, so it's not exactly doing nothing. But I couldn't manage to actually change the source address via SNAT. But this could just be my own incompetence. (ie. Lack of familiarity with nftables.)

[ydahhrk]

<comment deleted because I can't reproduce the claim anymore>