Background
In nat/src/stateless/nf.rs, source_nat() guards ICMP-error inner-packet rewrites with validate_checksums_icmp() before calling translate_icmp_inner_packet_dst_if_any(). However, destination_nat() currently skips that validation step when calling translate_icmp_inner_packet_src_if_any().
The validation cannot simply be added inside destination_nat() because destination_nat() may run after source_nat() has already rewritten the packet, which would invalidate the checksum and cause the validation to fail spuriously.
Proposed fix
Move the validate_checksums_icmp() call into the parent translate() function, before either NAT direction runs. That way the checksum is validated once against the original packet, and both source_nat() and destination_nat() can safely perform their respective ICMP inner-packet translations.
References
Raised by @qmonnet.
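Added example (not code from the project): a simplified Rust model of the three possible placements of the checksum validation described in this issue. The IcmpError struct, the Check enum, the two-byte inner addresses and the assumption that rewrites leave the stored checksum stale until the end of translate() are all hypothetical; only the ordering problem is taken from the issue text.

```rust
// Simplified model (assumption, not the project's types): an ICMP error is a
// stored checksum plus embedded inner-packet bytes (inner[0]=src, inner[1]=dst).
struct IcmpError { checksum: u16, inner: Vec<u8> }

#[derive(PartialEq)]
enum Check { SourceNatOnly, PerDirection, OnceInParent }

// RFC 1071 Internet checksum over the inner bytes.
fn internet_checksum(data: &[u8]) -> u16 {
    let mut sum: u32 = 0;
    for pair in data.chunks(2) {
        sum += ((pair[0] as u32) << 8) | pair.get(1).copied().unwrap_or(0) as u32;
    }
    while sum >> 16 != 0 { sum = (sum & 0xffff) + (sum >> 16); }
    !(sum as u16)
}

fn checksum_ok(p: &IcmpError) -> bool { internet_checksum(&p.inner) == p.checksum }

// Assumption: rewrites leave the stored checksum stale until the end of translate().
fn translate(p: &mut IcmpError, snat: bool, dnat: bool, check: Check) -> Result<(), &'static str> {
    if check == Check::OnceInParent && !checksum_ok(p) { return Err("bad checksum"); }
    if snat {
        if check != Check::OnceInParent && !checksum_ok(p) { return Err("bad checksum"); }
        p.inner[1] = 0xAA; // source NAT rewrites the inner destination
    }
    if dnat {
        if check == Check::PerDirection && !checksum_ok(p) { return Err("bad checksum"); }
        p.inner[0] = 0xBB; // destination NAT rewrites the inner source
    }
    p.checksum = internet_checksum(&p.inner);
    Ok(())
}

// Constructed sample packet; `valid = false` flips one checksum bit.
fn sample(valid: bool) -> IcmpError {
    let inner = vec![0x0a, 0x14, 0x00, 0x01];
    let sum = internet_checksum(&inner);
    IcmpError { checksum: if valid { sum } else { sum ^ 1 }, inner }
}

fn main() {
    println!("{:?}", translate(&mut sample(false), false, true, Check::SourceNatOnly));
    println!("{:?}", translate(&mut sample(true), true, true, Check::PerDirection));
    println!("{:?}", translate(&mut sample(true), true, true, Check::OnceInParent));
    println!("{:?}", translate(&mut sample(false), false, true, Check::OnceInParent));
}
```

In this model, SourceNatOnly lets a corrupted packet through when only destination NAT applies, PerDirection rejects a valid packet once source NAT has run first, and OnceInParent handles both cases correctly.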