ICMPERR_HOP_LIMIT errors are generated for blacklisted packets #167
When a Jool node in stateless mode receives an IPv4 packet that is in its blacklist with TTL=1, it will steal the packet from its intended recipient and return an ICMPv4 error:
Whether the destination address is in the implicit blacklist (due to being assigned to a local interface) or explicitly added with
The easiest way to reproduce this is to run
For me, this is a blocker stopping me from putting Jool in production, because I need the Jool node to speak OSPF with its upstream router to dynamically advertise the various pools to the network. The upstream router sends OSPF hellos to the OSPF multicast address 184.108.40.206 with TTL=1, but since I cannot figure out how to prevent Jool from stealing these packets from the BIRD routing daemon, the OSPF adjacency cannot form, and the required routes cannot be advertised to the network.
Here's a full list of everything I see that might go wrong, which should cause SIIT Jool to drop packets before realizing they weren't meant to be translated:
The most reliable and natural way to solve this is by switching frameworks. This issue is another argument in favor of #140.
Alternatively, I can move the address translation to somewhere earlier. I think the best tradeoff between fixing the problem and not changing the code too aggressively is to move it to the beginning of the translate submodule. This will only solve bullets 4 and 5.
Bullet 5 is the only one I really care about here due to the OSPF issue (RFC 2328 requires TTL=1, and I have found no way to override that in JUNOS). So if it's not too much trouble to make a quick hack that solves bullet 5, that would be much appreciated.