Skip to content

fix(connlib): don't fail NAT64 on invalid IPv4 DSCP value#7479

Merged
thomaseizinger merged 2 commits intomainfrom
fix/no-fail-ipv4-dscp
Dec 11, 2024
Merged

fix(connlib): don't fail NAT64 on invalid IPv4 DSCP value#7479
thomaseizinger merged 2 commits intomainfrom
fix/no-fail-ipv4-dscp

Conversation

@thomaseizinger
Copy link
Copy Markdown
Member

@thomaseizinger thomaseizinger commented Dec 11, 2024

As per the RFC, the IPv6 traffic class should be 1-to-1 translated to the IPv4 DSCP value. However, it appears that not all values here are valid. In particular, when attempting to reach GitHub over IPv6, we receive an IPv6 packet that has a traffic class value of 72 which is out-of-range for the IPv4 DSCP value, resulting in the following error on the Gateway:

Failed to translate packet: NAT64 failed: Error '72' is too big to be a 'IPv4 DSCP (Differentiated Services Code Point)' (maximum allowed value is '63')

The bigger scope of this issue is that this causes the ICMP packets returned to the client to be dropped which means that ssh spawned by git doesn't learn that the IPv6 address assigned by Firezone is not actually routable.

Related: #7476.

@vercel
Copy link
Copy Markdown

vercel Bot commented Dec 11, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
firezone ✅ Ready (Inspect) Visit Preview 💬 Add feedback Dec 11, 2024 6:52pm

@thomaseizinger
Copy link
Copy Markdown
Member Author

thomaseizinger commented Dec 11, 2024

Related: #7476.

I'll close it once it is deployed to main and verified that git clone now works through Firezone.

jamilbk
jamilbk approved these changes Dec 11, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@jamilbk jamilbk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, nice to see this working in action

@thomaseizinger thomaseizinger added this pull request to the merge queue Dec 11, 2024
Merged via the queue into main with commit a0efc4c Dec 11, 2024
@thomaseizinger thomaseizinger deleted the fix/no-fail-ipv4-dscp branch December 11, 2024 19:18
github-merge-queue Bot pushed a commit that referenced this pull request Dec 11, 2024
@thomaseizinger
docs(gateway): add changelog entry for #7479 (#7484)
e507197 
The issue is now fixed and `git pull` from `github.com` as a resource
now works as expected.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jamilbk jamilbk jamilbk approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thomaseizinger @jamilbk