Ticket #13475 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

UDP NAT bindings should not be closed on ICMP unreachable

Reported by: ocrete
Owned by:
Priority: major
Component: network/NAT
Version: VirtualBox 4.3.16
Keywords:
Cc:
Guest type: other
Host type: other


Currently, when VirtualBox is in NAT mode and the guest sends a UDP packet, the NAT creates a mapping for this packet, so that any incoming packet back to this port will be forwarded back. This mapping is (correctly) only based on the source port. So it is possible to "discover" the mapping from the guest by using STUN. The problem is that if any target returns an ICMP Unreachable then it deletes the mapping... But this is incorrect as the same mapping could be used to send packets to multiple destinations. The correct solution is to only drop UDP mappings based on a timeout. The current behavior breaks RFC 5245, which is used by WebRTC.

Also, the current behavior is a "MUST NOT" in RFC 4787 section 9.
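As an added illustration (not VirtualBox code and not the reporter's), here is a toy model of a NAT's UDP binding table showing the behaviour the description reports next to the RFC 4787 behaviour it asks for; the guest socket, peer names and the 120-second idle timeout are constructed values:

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 120.0  # seconds; RFC 4787 REQ-5: a UDP mapping timer must not expire sooner


@dataclass
class Binding:
    external_port: int  # port the NAT uses on the outside, what STUN reports back
    last_used: float    # time of the last datagram in either direction


class UdpNat:
    def __init__(self, drop_on_icmp):
        # Toy endpoint-independent NAT: the mapping key is the guest (ip, port) only.
        self.drop_on_icmp = drop_on_icmp  # True models the behaviour reported above
        self.bindings = {}                # (guest_ip, guest_port) -> Binding
        self.next_port = 40000

    def outbound(self, src, dst, now):
        """Guest sends to dst; every destination reuses the binding keyed on src."""
        b = self.bindings.get(src)
        if b is None:
            b = self.bindings[src] = Binding(self.next_port, now)
            self.next_port += 1
        b.last_used = now
        return b.external_port

    def icmp_unreachable(self, src):
        """ICMP Unreachable arrives quoting a datagram sent from src's binding."""
        if self.drop_on_icmp:
            self.bindings.pop(src, None)  # bug: one dead peer kills the binding for all
        # RFC 4787 section 9: ICMP must not terminate the mapping, so otherwise do nothing

    def inbound(self, external_port, now):
        """Guest endpoint an inbound datagram is forwarded to, or None if dropped."""
        for src, b in list(self.bindings.items()):
            if now - b.last_used > IDLE_TIMEOUT:
                del self.bindings[src]  # timeout is the only legitimate way to expire
            elif b.external_port == external_port:
                b.last_used = now
                return src
        return None


def ice_scenario(drop_on_icmp, inbound_at=2.0):
    """STUN discovery, then connectivity checks to two peers; one peer is unreachable."""
    nat = UdpNat(drop_on_icmp)
    guest = ("10.0.2.15", 5000)                                  # constructed guest socket
    port = nat.outbound(guest, ("stun.example.net", 3478), 0.0)  # STUN learns this port
    nat.outbound(guest, ("peer-a.example.net", 6000), 1.0)       # reachable candidate
    nat.outbound(guest, ("peer-b.example.net", 6001), 1.5)       # dead candidate
    nat.icmp_unreachable(guest)                                  # a router answers for peer-b
    return nat.inbound(port, inbound_at) == guest                # does peer-a's reply arrive?
```

With `drop_on_icmp=True` the reply from the reachable peer is dropped because the unreachable one tore down the shared binding; with `False` it is delivered until the idle timeout expires the binding.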

Change History

comment:1 Changed 3 years ago by vushakov

I can't seem to reproduce it. After sending an outgoing datagram that triggers an ICMP Unreachable the mapping is still around and forwards inbound datagrams just fine. Can you provide a packet trace perhaps?

comment:2 Changed 3 years ago by vushakov

Ok, I managed to reproduce this. The ICMP unreachable must be generated remotely - it's not enough to do that on the host (in that case a different path through the code is taken).

comment:3 Changed 3 years ago by Jeff M

Adding a link to #14055 (a probable duplicate) for future reference.

comment:4 Changed 3 years ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

Fix is part of VBox 4.3.28.
