Skip to content

Introduce and use IcmpErrorPacket view#1591

Open
qmonnet wants to merge 4 commits into
pr/qmonnet/icmp-checksumsfrom
pr/qmonnet/icmp-error-packet
Open

Introduce and use IcmpErrorPacket view#1591
qmonnet wants to merge 4 commits into
pr/qmonnet/icmp-checksumsfrom
pr/qmonnet/icmp-error-packet

Conversation

@qmonnet

@qmonnet qmonnet commented Jun 12, 2026

Copy link
Copy Markdown
Member

Introduce a new “validated” type to represent an ICMP Error packet with embedded IP and transport headers, and use it to simplify the checksum validation code and flow key extraction code in the ICMP Error handler.

Please refer to individual commit descriptions for details.

On top of #1587.

@qmonnet qmonnet self-assigned this Jun 12, 2026
@qmonnet qmonnet added the area/nat Related to Network Address Translation (NAT) label Jun 12, 2026
@qmonnet qmonnet requested a review from a team as a code owner June 12, 2026 11:56
@coderabbitai

coderabbitai Bot commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 75161c3c-0889-4ae3-8ae5-125abe84aa50

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed Jun 12, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a new IcmpErrorPacket “view” type in net to represent ICMP error packets that contain embedded (inner) IP + transport headers, and updates NAT ICMP-error handling and flow-key extraction to use it for simpler, more centralized parsing/checksum validation.

Changes:

  • Add net::packet::icmp_err::IcmpErrorPacket with checksum validation and accessors for inner headers.
  • Refactor flow-key extraction for embedded packets into an IcmpErrorPacket::embedded_flowkey() helper.
  • Update NAT ICMP error handler and related tests/bolero checks to use IcmpErrorPacket instead of duplicated checksum/parse logic.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
net/src/udp/truncated.rs Add From<Udp> / From<TruncatedUdpHeader> conversions into TruncatedUdp.
net/src/tcp/truncated.rs Add From<Tcp> / From<TruncatedTcpHeader> conversions into TruncatedTcp.
net/src/icmp4/truncated.rs Add From<Icmp4> / From<TruncatedIcmp4Header> conversions into TruncatedIcmp4.
net/src/icmp6/truncated.rs Add From<Icmp6> / From<TruncatedIcmp6Header> conversions into TruncatedIcmp6.
net/src/headers/embedded.rs Add (test-only) From<…> conversions into EmbeddedTransport variants.
net/src/packet/mod.rs Export the new icmp_err packet view module.
net/src/packet/icmp_err.rs Implement IcmpErrorPacket view + checksum validation and unit tests.
net/src/flows/flow_key.rs Add IcmpErrorPacket::embedded_flowkey() to build flow keys from embedded headers.
nat/src/icmp_handler/nf.rs Use IcmpErrorPacket for parsing, checksum validation, and inner flow-key extraction.
nat/src/icmp_handler/icmp_error_msg.rs Remove legacy checksum-validation helper and update bolero tests to use IcmpErrorPacket.

Comment thread net/src/packet/icmp_err.rs
Comment thread net/src/packet/icmp_err.rs Outdated
@qmonnet qmonnet force-pushed the pr/qmonnet/icmp-error-packet branch from 02a3d14 to b613305 Compare June 12, 2026 12:04
@qmonnet qmonnet force-pushed the pr/qmonnet/icmp-checksums branch from 5ca15fa to 054a648 Compare June 17, 2026 10:14
qmonnet added 4 commits June 17, 2026 11:14
@qmonnet
chore(net): Implement From<...> for EmbeddedTransport
3df1443 
Implement trait From for EmbeddedTransport, and for its variants, so
that we can turn directly a Tcp object directly into EmbeddedTransport,
for example. Some of the implementations are only available (and used)
for the test target.

More specifically, we implement:

- For<Tcp> for TruncatedTcp
- For<Tcp> for EmbeddedTransport
- For<TruncatedTcpHeader> for TruncatedTcp
- For<TruncatedTcpHeader> for EmbeddedTransport
- For<Udp> for TruncatedUdp
- For<Udp> for EmbeddedTransport
- For<TruncatedUdpHeader> for TruncatedUdp
- For<TruncatedUdpHeader> for EmbeddedTransport
- For<Icmp4> for TruncatedIcmp4
- For<Icmp4> for EmbeddedTransport
- For<TruncatedIcmp4Header> for TruncatedIcmp4
- For<TruncatedIcmp4Header> for EmbeddedTransport
- For<Icmp6> for TruncatedIcmp6
- For<Icmp6> for EmbeddedTransport
- For<TruncatedIcmp6Header> for TruncatedIcmp6
- For<TruncatedIcmp6Header> for EmbeddedTransport

Signed-off-by: Quentin Monnet <qmo@qmon.net>
@qmonnet
feat(net): Add IcmpErrorPacket view of a Packet
901be99 
Add an IcmpErrorPacket view of a Packet. This is in fact not a complete
view, but a holder for references to its outer IP header, (outer) ICMP
header, ICMP payload, inner IP header, and inner transport header. The
view is read-only, and is only created if all of these headers
(including the inner transport header) are present for the packet.

This view will help process ICMP Error messages in a future commit.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
@qmonnet
refactor(nat,net): Use IcmpErrorPacket view
22cdf98 
Rather than re-validating that the packet has an outer IP, ICMP, inner
IP and inner transport layers, use the IcmpErrorPacket view to validate
just once at the beginning of the ICMP Error messages handler, and use
the view when we need read-only checks or flowkey extraction from the
packet.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
@qmonnet
chore(nat,net): Clean up legacy ICMP Error checksum code
f3cb653 
Now that we've moved to the IcmpErrorPacket view in the ICMP Error
handler code, we can remove function validate_checksums_icmp() which is
no longer used outside of tests. Tests can be adjusted to use the
IcmpErrorPacket view as well, and its method validate_checksums().

Move unit tests related to checksum validation to
net/src/packet/icmp_err.rs, where they now belong. Most of these tests
now validate whether we manage to form a valid IcmpErrorPacket view from
a packet, rather than the result from the checksum validation: they were
adjusted and renamed accordingly. Add a test to check that the view
fails when we have an ICMP Error message with embedded packet fragment,
but without an embedded transport layer.

The bolero tests, which check the full translation in addition to the
checksum update, remain at the same location. One adjustment is that we
now only check the checksums when we are supposed to be able to form a
valid IcmpErrorPacket, in other words, when the generated packet
contains an inner transport layer.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
@qmonnet qmonnet force-pushed the pr/qmonnet/icmp-error-packet branch from b613305 to f3cb653 Compare June 17, 2026 10:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@daniel-noland daniel-noland Awaiting requested review from daniel-noland

@mvachhar mvachhar Awaiting requested review from mvachhar

@Fredi-raspall Fredi-raspall Awaiting requested review from Fredi-raspall

Assignees

@qmonnet qmonnet

Labels

area/nat Related to Network Address Translation (NAT)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@qmonnet