VirtualBox

Opened 10 years ago

Closed 9 years ago

#13475 closed defect (fixed)

UDP NAT bindings should not be closed on ICMP unreachable

Reported by: ocrete
Owned by:
Component: network/NAT
Version: VirtualBox 4.3.16
Keywords:
Cc:
Guest type: other
Host type: other

Description

Currently, when VirtualBox is in NAT mode and the guest sends a UDP packet, the NAT creates a mapping for this packet, so that any incoming packet back to this port will be forwarded back. This mapping is (correctly) only based on the source port. So it is possible to "discover" the mapping from the guest by using STUN. The problem is that if any target returns an ICMP Unreachable then it deletes the mapping... But this is incorrect as the same mapping could be used to send packets to multiple destinations. The correct solution is to only drop UDP mappings based on a timeout. The current behavior breaks RFC 5245, which is used by WebRTC.

Also, the current behavior is a "MUST NOT" in RFC 4787 section 9.
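A model of the behaviour described in the report, added here as an example and not VirtualBox's NAT code: a toy endpoint-independent UDP NAT table that expires mappings only on an idle timer, with a switch that reproduces the reported tear-down on ICMP unreachable. The guest/peer addresses, ports and the two-minute timer are constructed for the illustration.

```python
import time


class UdpNat:
    """Toy endpoint-independent UDP NAT: one external port per guest (ip, port),
    reused for every destination, removed only when the idle timer runs out."""

    def __init__(self, drop_on_icmp_unreachable, now=time.monotonic, idle_timeout=120.0):
        # drop_on_icmp_unreachable=True reproduces the reported 4.3.16 behaviour.
        self.drop_on_icmp_unreachable = drop_on_icmp_unreachable
        self.now = now
        self.idle_timeout = idle_timeout  # RFC 4787 REQ-5: UDP timer of at least two minutes
        self.mappings = {}  # (guest_ip, guest_port) -> [external_port, last_used]
        self.next_port = 40000  # constructed external port range

    def _expire(self):
        cutoff = self.now() - self.idle_timeout
        self.mappings = {k: v for k, v in self.mappings.items() if v[1] >= cutoff}

    def outbound(self, guest_ip, guest_port, dst_ip, dst_port):
        # Keyed on the guest source only: dst_ip/dst_port never influence the mapping,
        # so STUN and every ICE candidate observe the same external port.
        self._expire()
        key = (guest_ip, guest_port)
        if key not in self.mappings:
            self.mappings[key] = [self.next_port, 0.0]
            self.next_port += 1
        self.mappings[key][1] = self.now()
        return self.mappings[key][0]

    def icmp_unreachable(self, external_port, reporting_ip):
        # A remote host reports one destination as unreachable.
        # Buggy: tear down the whole mapping, cutting off every other peer.
        # Correct (RFC 4787 section 9): ignore it; lifetime is timer-based only.
        if self.drop_on_icmp_unreachable:
            self.mappings = {k: v for k, v in self.mappings.items() if v[0] != external_port}

    def inbound(self, external_port, src_ip, src_port):
        # Returns the guest (ip, port) a datagram is forwarded to, or None if dropped.
        self._expire()
        for key, (port, _) in self.mappings.items():
            if port == external_port:
                return key
        return None


def ice_scenario(drop_on_icmp_unreachable, seconds_idle_before_reply=0.0):
    """Guest learns its mapping via STUN, sends ICE checks to two candidates; the first
    answers with ICMP unreachable. Returns where the second candidate's reply lands."""
    clock = [1000.0]  # constructed clock so the idle timer is deterministic
    nat = UdpNat(drop_on_icmp_unreachable, now=lambda: clock[0])
    guest = ("10.0.2.15", 5000)
    ext = nat.outbound(*guest, "192.0.2.10", 3478)            # STUN binding request
    assert nat.outbound(*guest, "198.51.100.1", 6000) == ext  # candidate A
    assert nat.outbound(*guest, "203.0.113.7", 6001) == ext   # candidate B
    nat.icmp_unreachable(ext, "198.51.100.1")                 # A is not listening
    clock[0] += seconds_idle_before_reply
    return nat.inbound(ext, "203.0.113.7", 6001)              # B's reply
```

With the switch on, candidate B's reply is dropped although B never failed; with it off, only an idle period longer than the timer removes the mapping.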

Change History (4)

comment:1 by Valery Ushakov, 10 years ago

I can't seem to reproduce it. After sending an outgoing datagram that triggers an ICMP Unreachable the mapping is still around and forwards inbound datagrams just fine. Can you provide a packet trace perhaps?

comment:2 by Valery Ushakov, 9 years ago

Ok, I managed to reproduce this. The ICMP unreachable must be generated remotely - it's not enough to do that on the host (in that case a different path through the code is taken).

comment:3 by Jeff Mitchell, 9 years ago

Adding a link to #14055 (a probable duplicate) for future reference.

comment:4 by Frank Mehnert, 9 years ago

Resolution: fixed
Status: new → closed

Fix is part of VBox 4.3.28.
