Juan Carlos Lazcano <juan@xxxxxxxxxxxxxxxxxx> wrote:
> My echo/reply base icmp functionality for v4 is working at least at a cursory glance,
> without further testing I'm not sure what other parts of icmp are not working with this approach.

Internal addresses leak via icmp dst unreach, redirects etc. which contain copies of the (rewritten or original) addresses.

That in turn breaks path mtu discovery for instance: Server may see internal address reflected in embedded header. Client can receive error for source address it doesn't have.

NAT engine also rewrites embedded headers, see e.g. nf_nat_ipv4_fn() in net/netfilter/nf_nat_proto.c and nf_nat_icmp_reply_translation() to avoid this.
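The embedded-header rewrite the reply points to, as an added illustration rather than the kernel's own code: a constructed ICMP "fragmentation needed" error crosses a simplified one-to-one NAT, and the copied inner header is translated in the opposite direction from the outer header before all three checksums are recomputed, so the client sees an error for a source address it actually owns and no private address is reflected outward. The addresses, the 56-byte packet layout and the helper names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define INTERNAL_CLIENT 0x0a000005u /* 10.0.0.5, host behind the NAT (constructed) */
#define NAT_PUBLIC      0xc0000201u /* 192.0.2.1, the NAT's external address (constructed) */

uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v; }

/* RFC 1071 Internet checksum; yields 0 over data whose checksum field is already correct. */
uint16_t csum(const uint8_t *p, size_t len) {
    uint32_t s = 0;
    for (; len > 1; len -= 2, p += 2) s += (uint32_t)p[0] << 8 | p[1];
    if (len) s += (uint32_t)p[0] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

static void build_ip(uint8_t *h, uint16_t tot_len, uint8_t proto, uint32_t src, uint32_t dst) {
    memset(h, 0, 20); h[0] = 0x45; put16(h + 2, tot_len); h[8] = 64; h[9] = proto;
    put32(h + 12, src); put32(h + 16, dst); put16(h + 10, csum(h, 20));
}

/* Outer IPv4 + ICMP type 3 code 4 (frag needed) + copy of the offending datagram's IP header + 8 bytes. */
size_t build_icmp_error(uint8_t *pkt, uint32_t osrc, uint32_t odst, uint32_t isrc, uint32_t idst) {
    memset(pkt, 0, 56);
    build_ip(pkt, 56, 1, osrc, odst);                /* proto 1 = ICMP */
    pkt[20] = 3; pkt[21] = 4; put16(pkt + 26, 1400); /* type, code, next-hop MTU */
    build_ip(pkt + 28, 1500, 17, isrc, idst);        /* embedded header of a 1500-byte UDP datagram */
    put16(pkt + 48, 40000); put16(pkt + 50, 53);     /* first 8 bytes of its payload: UDP ports */
    put16(pkt + 22, csum(pkt + 20, 36));             /* ICMP checksum covers header + payload */
    return 56;
}

/* Translate an ICMP error (dst unreach, redirect, time exceeded) crossing the NAT. The embedded header is a
 * copy of the packet as seen on the far side, so it is translated in the opposite direction from the outer one. */
void nat_icmp_error(uint8_t *pkt, size_t len, uint32_t internal, uint32_t external, int inbound) {
    uint8_t *outer = pkt, *icmp = pkt + 20, *inner = pkt + 28;
    if (len < 48 || outer[9] != 1 || (icmp[0] != 3 && icmp[0] != 5 && icmp[0] != 11)) return;
    if (inbound) { /* from the Internet: outer dst and embedded src carry the public address */
        if (get32(outer + 16) == external) put32(outer + 16, internal);
        if (get32(inner + 12) == external) put32(inner + 12, internal);
    } else {       /* from the internal host: outer src and embedded dst carry the private address */
        if (get32(outer + 12) == internal) put32(outer + 12, external);
        if (get32(inner + 16) == internal) put32(inner + 16, external);
    }
    put16(inner + 10, 0); put16(inner + 10, csum(inner, 20));      /* inner IP checksum */
    put16(icmp + 2, 0);   put16(icmp + 2, csum(icmp, len - 20));   /* ICMP checksum, covers inner copy */
    put16(outer + 10, 0); put16(outer + 10, csum(outer, 20));      /* outer IP checksum */
}
```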