Support translating ICMP errors.android-4.3_r2android-4.3_r0.9.1android-4.3_r0.9

When receiving ICMPv6 messages from IPv6-only nodes, use
255.0.0.<ttl> as a fake IPv4 source address. It's better than
nothing.

Bug: 8276725
Change-Id: Iae93f75764cb9cd875af9bb5f1862a0dce2c2fa7

7 files changed, 331 insertions, 46 deletions

diff --git a/Android.mk b/Android.mk
index 2d1b3a6..42cc168 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,7 +1,7 @@
 LOCAL_PATH:= $(call my-dir)
 include $(CLEAR_VARS)
 
-LOCAL_SRC_FILES:=clatd.c dump.c checksum.c translate.c ipv4.c ipv6.c config.c dns64.c logging.c getaddr.c getroute.c netlink_callbacks.c netlink_msg.c setif.c setroute.c mtu.c
+LOCAL_SRC_FILES:=clatd.c dump.c checksum.c translate.c icmp.c ipv4.c ipv6.c config.c dns64.c logging.c getaddr.c getroute.c netlink_callbacks.c netlink_msg.c setif.c setroute.c mtu.c
 
 LOCAL_C_INCLUDES := external/libnl-headers
 LOCAL_STATIC_LIBRARIES := libnl_2
diff --git a/clatd.c b/clatd.c
index a914f02..063026d 100644
--- a/clatd.c
+++ b/clatd.c
@@ -317,12 +317,16 @@ void packet_handler(const struct tun_data *tunnel, struct tun_pi *tun_header, co
   struct tun_pi tun_targ;
   char iphdr[sizeof(struct ip6_hdr)];
   char transporthdr[MAX_TCP_HDR];
+  char icmp_iphdr[sizeof(struct ip6_hdr)];
+  char icmp_transporthdr[MAX_TCP_HDR];
 
   // iovec of the packets we'll send. This gets passed down to the translation functions.
   clat_packet out = {
     { &tun_targ, sizeof(tun_targ) },  // Tunnel header.
     { iphdr, 0 },                     // IP header.
     { transporthdr, 0 },              // Transport layer header.
+    { icmp_iphdr, 0 },                // ICMP error inner IP header.
+    { icmp_transporthdr, 0 },         // ICMP error transport layer header.
     { NULL, 0 },                      // Payload. No buffer, it's a pointer to the original payload.
   };
 
diff --git a/icmp.c b/icmp.c
new file mode 100644
index 0000000..af96b83
--- /dev/null
+++ b/icmp.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 2013 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * icmp.c - convenience functions for translating ICMP and ICMPv6 packets.
+ */
+
+#include <netinet/in.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/icmp6.h>
+#include <linux/icmp.h>
+
+#include "logging.h"
+#include "icmp.h"
+
+/* function: icmp_guess_ttl
+ * Guesses the number of hops a received packet has traversed based on its TTL.
+ * ttl - the ttl of the received packet.
+ */
+uint8_t icmp_guess_ttl(uint8_t ttl) {
+  if (ttl > 128) {
+    return 255 - ttl;
+  } else if (ttl > 64) {
+    return 128 - ttl;
+  } else if (ttl > 32) {
+    return 64 - ttl;
+  } else {
+    return 32 - ttl;
+  }
+}
+
+/* function: is_icmp_error
+ * Determines whether an ICMP type is an error message.
+ * type: the ICMP type
+ */
+int is_icmp_error(uint8_t type) {
+  return type == 3 || type == 11 || type == 12;
+}
+
+/* function: is_icmp6_error
+ * Determines whether an ICMPv6 type is an error message.
+ * type: the ICMPv6 type
+ */
+int is_icmp6_error(uint8_t type) {
+  return type < 128;
+}
+
+/* function: icmp_to_icmp6_type
+ * Maps ICMP types to ICMPv6 types. Partial implementation of RFC 6145, section 4.2.
+ * type - the ICMPv6 type
+ */
+uint8_t icmp_to_icmp6_type(uint8_t type, uint8_t code) {
+  switch (type) {
+    case ICMP_ECHO:
+      return ICMP6_ECHO_REQUEST;
+
+    case ICMP_ECHOREPLY:
+      return ICMP6_ECHO_REPLY;
+
+    case ICMP_TIME_EXCEEDED:
+      return ICMP6_TIME_EXCEEDED;
+
+    case ICMP_DEST_UNREACH:
+      // These two types need special translation which we don't support yet.
+      if (code != ICMP_UNREACH_PROTOCOL && code != ICMP_UNREACH_NEEDFRAG) {
+        return ICMP6_DST_UNREACH;
+      }
+  }
+
+  // We don't understand this ICMP type. Return parameter problem so the caller will bail out.
+  logmsg_dbg(ANDROID_LOG_DEBUG, "icmp_to_icmp6_type: unhandled ICMP type %d", type);
+  return ICMP6_PARAM_PROB;
+}
+
+/* function: icmp_to_icmp6_code
+ * Maps ICMP codes to ICMPv6 codes. Partial implementation of RFC 6145, section 4.2.
+ * type - the ICMP type
+ * code - the ICMP code
+ */
+uint8_t icmp_to_icmp6_code(uint8_t type, uint8_t code) {
+  switch (type) {
+    case ICMP_ECHO:
+    case ICMP_ECHOREPLY:
+      return 0;
+
+    case ICMP_TIME_EXCEEDED:
+      return code;
+
+    case ICMP_DEST_UNREACH:
+      switch (code) {
+        case ICMP_UNREACH_NET:
+        case ICMP_UNREACH_HOST:
+          return ICMP6_DST_UNREACH_NOROUTE;
+
+        case ICMP_UNREACH_PORT:
+          return ICMP6_DST_UNREACH_NOPORT;
+
+        case ICMP_UNREACH_NET_PROHIB:
+        case ICMP_UNREACH_HOST_PROHIB:
+        case ICMP_UNREACH_FILTER_PROHIB:
+        case ICMP_UNREACH_PRECEDENCE_CUTOFF:
+          return ICMP6_DST_UNREACH_ADMIN;
+
+        // Otherwise, we don't understand this ICMP type/code combination. Fall through.
+      }
+  }
+  logmsg_dbg(ANDROID_LOG_DEBUG, "icmp_to_icmp6_code: unhandled ICMP type/code %d/%d", type, code);
+  return 0;
+}
+
+/* function: icmp6_to_icmp_type
+ * Maps ICMPv6 types to ICMP types. Partial implementation of RFC 6145, section 5.2.
+ * type - the ICMP type
+ */
+uint8_t icmp6_to_icmp_type(uint8_t type, uint8_t code) {
+  switch (type) {
+    case ICMP6_ECHO_REQUEST:
+      return ICMP_ECHO;
+
+    case ICMP6_ECHO_REPLY:
+      return ICMP_ECHOREPLY;
+
+    case ICMP6_DST_UNREACH:
+      return ICMP_DEST_UNREACH;
+
+    case ICMP6_TIME_EXCEEDED:
+      return ICMP_TIME_EXCEEDED;
+  }
+
+  // We don't understand this ICMP type. Return parameter problem so the caller will bail out.
+  logmsg_dbg(ANDROID_LOG_DEBUG, "icmp6_to_icmp_type: unhandled ICMP type %d", type);
+  return ICMP_PARAMETERPROB;
+}
+
+/* function: icmp6_to_icmp_code
+ * Maps ICMPv6 codes to ICMP codes. Partial implementation of RFC 6145, section 5.2.
+ * type - the ICMPv6 type
+ * code - the ICMPv6 code
+ */
+uint8_t icmp6_to_icmp_code(uint8_t type, uint8_t code) {
+  switch (type) {
+    case ICMP6_ECHO_REQUEST:
+    case ICMP6_ECHO_REPLY:
+    case ICMP6_TIME_EXCEEDED:
+      return code;
+
+    case ICMP6_DST_UNREACH:
+      switch (code) {
+        case ICMP6_DST_UNREACH_NOROUTE:
+          return ICMP_UNREACH_HOST;
+
+        case ICMP6_DST_UNREACH_ADMIN:
+          return ICMP_UNREACH_HOST_PROHIB;
+
+        case ICMP6_DST_UNREACH_BEYONDSCOPE:
+          return ICMP_UNREACH_HOST;
+
+        case ICMP6_DST_UNREACH_ADDR:
+          return ICMP_HOST_UNREACH;
+
+        case ICMP6_DST_UNREACH_NOPORT:
+          return ICMP_UNREACH_PORT;
+
+        // Otherwise, we don't understand this ICMPv6 type/code combination. Fall through.
+      }
+  }
+
+  logmsg_dbg(ANDROID_LOG_DEBUG, "icmp6_to_icmp_code: unhandled ICMP type/code %d/%d", type, code);
+  return 0;
+}
diff --git a/icmp.h b/icmp.h
new file mode 100644
index 0000000..632e92d
--- /dev/null
+++ b/icmp.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2013 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * icmp.c - convenience functions for translating ICMP and ICMPv6 packets.
+ */
+
+#ifndef __ICMP_H__
+#define __ICMP_H__
+
+#include <stdint.h>
+
+// Guesses the number of hops a received packet has traversed based on its TTL.
+uint8_t icmp_guess_ttl(uint8_t ttl);
+
+// Determines whether an ICMP type is an error message.
+int is_icmp_error(uint8_t type);
+
+// Determines whether an ICMPv6 type is an error message.
+int is_icmp6_error(uint8_t type);
+
+// Maps ICMP types to ICMPv6 types. Partial implementation of RFC 6145, section 4.2.
+uint8_t icmp_to_icmp6_type(uint8_t type, uint8_t code);
+
+// Maps ICMP codes to ICMPv6 codes. Partial implementation of RFC 6145, section 4.2.
+uint8_t icmp_to_icmp6_code(uint8_t type, uint8_t code);
+
+// Maps ICMPv6 types to ICMP types. Partial implementation of RFC 6145, section 5.2.
+uint8_t icmp6_to_icmp_type(uint8_t type, uint8_t code);
+
+// Maps ICMPv6 codes to ICMP codes. Partial implementation of RFC 6145, section 5.2.
+uint8_t icmp6_to_icmp_code(uint8_t type, uint8_t code);
+
+#endif /* __ICMP_H__ */
diff --git a/ipv6.c b/ipv6.c
index bb1dc24..ef1e62f 100644
--- a/ipv6.c
+++ b/ipv6.c
@@ -64,12 +64,14 @@ int icmp6_packet(clat_packet out, int pos, const struct icmp6_hdr *icmp6, uint32
  * fmt     - printf-style format, use %s to place the address
  * badaddr - the bad address in question
  */
-void log_bad_address(const char *fmt, const struct in6_addr *badaddr) {
+void log_bad_address(const char *fmt, const struct in6_addr *src, const struct in6_addr *dst) {
 #if CLAT_DEBUG
-  char badaddr_str[INET6_ADDRSTRLEN];
+  char srcstr[INET6_ADDRSTRLEN];
+  char dststr[INET6_ADDRSTRLEN];
 
-  inet_ntop(AF_INET6, badaddr, badaddr_str, sizeof(badaddr_str));
-  logmsg_dbg(ANDROID_LOG_ERROR,fmt,badaddr_str);
+  inet_ntop(AF_INET6, src, srcstr, sizeof(srcstr));
+  inet_ntop(AF_INET6, dst, dststr, sizeof(dststr));
+  logmsg_dbg(ANDROID_LOG_ERROR, fmt, srcstr, dststr);
 #endif
 }
 
@@ -91,22 +93,27 @@ int ipv6_packet(clat_packet out, int pos, const char *packet, size_t len) {
   int i;
 
   if(len < sizeof(struct ip6_hdr)) {
-    logmsg_dbg(ANDROID_LOG_ERROR, "ipv6_packet/too short for an ip6 header");
+    logmsg_dbg(ANDROID_LOG_ERROR, "ipv6_packet/too short for an ip6 header: %d", len);
     return 0;
   }
 
   if(IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
-    log_bad_address("ipv6_packet/multicast %s", &ip6->ip6_dst);
+    log_bad_address("ipv6_packet/multicast %s->%s", &ip6->ip6_src, &ip6->ip6_dst);
     return 0; // silently ignore
   }
 
-  if (!is_in_plat_subnet(&ip6->ip6_src) && ip6->ip6_nxt) {
-    log_bad_address("ipv6_packet/wrong source address: %s", &ip6->ip6_src);
-    return 0;
-  }
-
-  if(!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &Global_Clatd_Config.ipv6_local_subnet)) {
-    log_bad_address("ipv6_packet/wrong destination address: %s", &ip6->ip6_dst);
+  // If the packet is not from the plat subnet to the local subnet, or vice versa, drop it, unless
+  // it's an ICMP packet (which can come from anywhere). We do not send IPv6 packets from the plat
+  // subnet to the local subnet, but these can appear as inner packets in ICMP errors, so we need
+  // to translate them. We accept third-party ICMPv6 errors, even though their source addresses
+  // cannot be translated, so that things like unreachables and traceroute will work. fill_ip_header
+  // takes care of faking a source address for them.
+  if (!(is_in_plat_subnet(&ip6->ip6_src) &&
+        IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &Global_Clatd_Config.ipv6_local_subnet)) &&
+      !(is_in_plat_subnet(&ip6->ip6_dst) &&
+        IN6_ARE_ADDR_EQUAL(&ip6->ip6_src, &Global_Clatd_Config.ipv6_local_subnet)) &&
+      ip6->ip6_nxt != IPPROTO_ICMPV6) {
+    log_bad_address("ipv6_packet/wrong source address: %s->%s", &ip6->ip6_src, &ip6->ip6_dst);
     return 0;
   }
 
@@ -141,7 +148,7 @@ int ipv6_packet(clat_packet out, int pos, const char *packet, size_t len) {
                          len_left);
   } else {
 #if CLAT_DEBUG
-    logmsg(ANDROID_LOG_ERROR, "ipv6_packet/unknown next header type: %x",ip6->ip6_nxt);
+    logmsg(ANDROID_LOG_ERROR, "ipv6_packet/unknown next header type: %x", ip6->ip6_nxt);
     logcat_hexdump("ipv6/nxthdr", packet, len);
 #endif
     return 0;
diff --git a/translate.c b/translate.c
index 4092bcc..fc70f3d 100644
--- a/translate.c
+++ b/translate.c
@@ -26,6 +26,7 @@
 #include <netinet/icmp6.h>
 #include <linux/icmp.h>
 
+#include "icmp.h"
 #include "translate.h"
 #include "checksum.h"
 #include "clatd.h"
@@ -53,7 +54,7 @@ uint16_t packet_checksum(uint32_t checksum, clat_packet packet, int pos) {
 /* function: packet_length
  * returns the total length of all the packet components after pos
  * packet - packet to calculate the length of
- * pos    - position to start counting from
+ * pos    - position to start counting after
  * returns: the total length of the packet components after pos
  */
 uint16_t packet_length(clat_packet packet, int pos) {
@@ -80,13 +81,15 @@ int is_in_plat_subnet(const struct in6_addr *addr6) {
  * returns: the IPv4 address
  */
 uint32_t ipv6_addr_to_ipv4_addr(const struct in6_addr *addr6) {
-
   if (is_in_plat_subnet(addr6)) {
     // Assumes a /96 plat subnet.
     return addr6->s6_addr32[3];
-  } else {
-    // Currently this can only be our own address; other packets are dropped by ipv6_packet.
+  } else if (IN6_ARE_ADDR_EQUAL(addr6, &Global_Clatd_Config.ipv6_local_subnet)) {
+    // Special-case our own address.
     return Global_Clatd_Config.ipv4_local_subnet.s_addr;
+  } else {
+    // Third party packet. Let the caller deal with it.
+    return INADDR_NONE;
   }
 }
 
@@ -127,6 +130,7 @@ void fill_tun_header(struct tun_pi *tun_header, uint16_t proto) {
  */
 void fill_ip_header(struct iphdr *ip, uint16_t payload_len, uint8_t protocol,
                     const struct ip6_hdr *old_header) {
+  int ttl_guess;
   memset(ip, 0, sizeof(struct iphdr));
 
   ip->ihl = 5;
@@ -141,6 +145,14 @@ void fill_ip_header(struct iphdr *ip, uint16_t payload_len, uint8_t protocol,
 
   ip->saddr = ipv6_addr_to_ipv4_addr(&old_header->ip6_src);
   ip->daddr = ipv6_addr_to_ipv4_addr(&old_header->ip6_dst);
+
+  // Third-party ICMPv6 message. This may have been originated by an native IPv6 address.
+  // In that case, the source IPv6 address can't be translated and we need to make up an IPv4
+  // source address. For now, use 255.0.0.<ttl>, which at least looks useful in traceroute.
+  if (ip->saddr == (uint32_t) INADDR_NONE) {
+    ttl_guess = icmp_guess_ttl(old_header->ip6_hlim);
+    ip->saddr = htonl((0xff << 24) + ttl_guess);
+  }
 }
 
 /* function: fill_ip6_header
@@ -164,7 +176,7 @@ void fill_ip6_header(struct ip6_hdr *ip6, uint16_t payload_len, uint8_t protocol
 }
 
 /* function: icmp_to_icmp6
- * translate ipv4 icmp to ipv6 icmp (only currently supports echo/echo reply)
+ * translate ipv4 icmp to ipv6 icmp
  * out          - output packet
  * icmp         - source packet icmp header
  * checksum     - pseudo-header checksum
@@ -175,31 +187,53 @@ void fill_ip6_header(struct ip6_hdr *ip6, uint16_t payload_len, uint8_t protocol
 int icmp_to_icmp6(clat_packet out, int pos, const struct icmphdr *icmp, uint32_t checksum,
                   const char *payload, size_t payload_size) {
   struct icmp6_hdr *icmp6_targ = out[pos].iov_base;
-  uint32_t checksum_temp;
-
-  if((icmp->type != ICMP_ECHO) && (icmp->type != ICMP_ECHOREPLY)) {
-    logmsg_dbg(ANDROID_LOG_WARN,"icmp_to_icmp6/unhandled icmp type: 0x%x", icmp->type);
-    return 0;
-  }
+  uint8_t icmp6_type;
+  int clat_packet_len;
 
   memset(icmp6_targ, 0, sizeof(struct icmp6_hdr));
-  icmp6_targ->icmp6_type = (icmp->type == ICMP_ECHO) ? ICMP6_ECHO_REQUEST : ICMP6_ECHO_REPLY;
-  icmp6_targ->icmp6_code = 0;
-  icmp6_targ->icmp6_id = icmp->un.echo.id;
-  icmp6_targ->icmp6_seq = icmp->un.echo.sequence;
+
+  icmp6_type = icmp_to_icmp6_type(icmp->type, icmp->code);
+  icmp6_targ->icmp6_type = icmp6_type;
+  icmp6_targ->icmp6_code = icmp_to_icmp6_code(icmp->type, icmp->code);
 
   out[pos].iov_len = sizeof(struct icmp6_hdr);
-  out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
-  out[CLAT_POS_PAYLOAD].iov_len = payload_size;
+
+  if (pos == CLAT_POS_TRANSPORTHDR &&
+      is_icmp_error(icmp->type) &&
+      icmp6_type != ICMP6_PARAM_PROB) {
+    // An ICMP error we understand, one level deep.
+    // Translate the nested packet (the one that caused the error).
+    clat_packet_len = ipv4_packet(out, pos + 1, payload, payload_size);
+
+    // The pseudo-header checksum was calculated on the transport length of the original IPv4
+    // packet that we were asked to translate. This transport length is 20 bytes smaller than it
+    // needs to be, because the ICMP error contains an IPv4 header, which we will be translating to
+    // an IPv6 header, which is 20 bytes longer. Fix it up here. This is simpler than the
+    // alternative, which is to always update the pseudo-header checksum in all UDP/TCP/ICMP
+    // translation functions (rather than pre-calculating it when translating the IPv4 header).
+    // We only need to do this for ICMP->ICMPv6, not ICMPv6->ICMP, because ICMP does not use the
+    // pseudo-header when calculating its checksum (as the IPv4 header has its own checksum).
+    checksum = htonl(ntohl(checksum) + 20);
+  } else if (icmp6_type == ICMP6_ECHO_REQUEST || icmp6_type == ICMP6_ECHO_REPLY) {
+    // Ping packet.
+    icmp6_targ->icmp6_id = icmp->un.echo.id;
+    icmp6_targ->icmp6_seq = icmp->un.echo.sequence;
+    out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
+    out[CLAT_POS_PAYLOAD].iov_len = payload_size;
+    clat_packet_len = CLAT_POS_PAYLOAD + 1;
+  } else {
+    // Unknown type/code. The type/code conversion functions have already logged an error.
+    return 0;
+  }
 
   icmp6_targ->icmp6_cksum = 0;  // Checksum field must be 0 when calculating checksum.
   icmp6_targ->icmp6_cksum = packet_checksum(checksum, out, pos);
 
-  return CLAT_POS_PAYLOAD + 1;
+  return clat_packet_len;
 }
 
 /* function: icmp6_to_icmp
- * translate ipv6 icmp to ipv4 icmp (only currently supports echo/echo reply)
+ * translate ipv6 icmp to ipv4 icmp
  * out          - output packet
  * icmp6        - source packet icmp6 header
  * checksum     - pseudo-header checksum (unused)
@@ -210,27 +244,40 @@ int icmp_to_icmp6(clat_packet out, int pos, const struct icmphdr *icmp, uint32_t
 int icmp6_to_icmp(clat_packet out, int pos, const struct icmp6_hdr *icmp6, uint32_t checksum,
                   const char *payload, size_t payload_size) {
   struct icmphdr *icmp_targ = out[pos].iov_base;
-
-  if((icmp6->icmp6_type != ICMP6_ECHO_REQUEST) && (icmp6->icmp6_type != ICMP6_ECHO_REPLY)) {
-    logmsg_dbg(ANDROID_LOG_WARN,"icmp6_to_icmp/unhandled icmp6 type: 0x%x",icmp6->icmp6_type);
-    return 0;
-  }
+  uint8_t icmp_type;
+  int ttl;
+  int clat_packet_len;
 
   memset(icmp_targ, 0, sizeof(struct icmphdr));
 
-  icmp_targ->type = (icmp6->icmp6_type == ICMP6_ECHO_REQUEST) ? ICMP_ECHO : ICMP_ECHOREPLY;
-  icmp_targ->code = 0x0;
-  icmp_targ->un.echo.id = icmp6->icmp6_id;
-  icmp_targ->un.echo.sequence = icmp6->icmp6_seq;
+  icmp_type = icmp6_to_icmp_type(icmp6->icmp6_type, icmp6->icmp6_code);
+  icmp_targ->type = icmp_type;
+  icmp_targ->code = icmp6_to_icmp_code(icmp6->icmp6_type, icmp6->icmp6_code);
 
   out[pos].iov_len = sizeof(struct icmphdr);
-  out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
-  out[CLAT_POS_PAYLOAD].iov_len = payload_size;
+
+  if (pos == CLAT_POS_TRANSPORTHDR &&
+      is_icmp6_error(icmp6->icmp6_type) &&
+      icmp_type != ICMP_PARAMETERPROB) {
+    // An ICMPv6 error we understand, one level deep.
+    // Translate the nested packet (the one that caused the error).
+    clat_packet_len = ipv6_packet(out, pos + 1, payload, payload_size);
+  } else if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ECHOREPLY) {
+    // Ping packet.
+    icmp_targ->un.echo.id = icmp6->icmp6_id;
+    icmp_targ->un.echo.sequence = icmp6->icmp6_seq;
+    out[CLAT_POS_PAYLOAD].iov_base = (char *) payload;
+    out[CLAT_POS_PAYLOAD].iov_len = payload_size;
+    clat_packet_len = CLAT_POS_PAYLOAD + 1;
+  } else {
+      // Unknown type/code. The type/code conversion functions have already logged an error.
+    return 0;
+  }
 
   icmp_targ->checksum = 0;  // Checksum field must be 0 when calculating checksum.
   icmp_targ->checksum = packet_checksum(0, out, pos);
 
-  return CLAT_POS_PAYLOAD + 1;
+  return clat_packet_len;
 }
 
 /* function: udp_packet
diff --git a/translate.h b/translate.h
index 120fecf..fded251 100644
--- a/translate.h
+++ b/translate.h
@@ -27,6 +27,7 @@
 // specific parts of the packet. The packet_* functions operate on all the packet segments past a
 // given position.
 enum clat_packet_index { CLAT_POS_TUNHDR, CLAT_POS_IPHDR, CLAT_POS_TRANSPORTHDR,
+                         CLAT_POS_ICMPERR_IPHDR, CLAT_POS_ICMPERR_TRANSPORTHDR,
                          CLAT_POS_PAYLOAD, CLAT_POS_MAX };
 typedef struct iovec clat_packet[CLAT_POS_MAX];