OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
  • Task Type Bug Report
  • Category Kernel
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by 尤晓杰 - 11.07.2020

FS#3225 - ipv6 npt does not work

Supply the following if possible:
- Device problem occurs on
- Software versions of OpenWrt/LEDE release, packages, etc.
- Steps to reproduce


I hope to use IPv6 NPT (RFC 6296 stateless NPT) and have kmod-ipt-nat6 installed.
I am sure that “ip6t_NPT” is about RFC 6296.

In the source code:
MODULE_DESCRIPTION("IPv6-to-IPv6 Network Prefix Translation (RFC 6296)");
root@OpenWrt:~# ip6tables -t mangle -I POSTROUTING -s 2001:470:4999:100::/64  -o br-lan -j SNPT --src-pfx 2001:470:4999:100::/64 --dst-pfx 240e:82:901:9400::/64
ip6tables v1.8.3 (legacy): unknown option "--src-pfx"
Try `ip6tables -h' or 'ip6tables --help' for more information.

I have kmod-ipt-nat6 installed, which contains the NPT extension.

x_tables               12656 37 ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_ecn,xt_dscp,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_HL,xt_FLOWOFFLOAD,xt_DSCP,xt_CT,xt_CLASSIFY,iptable_mangle,iptable_filter,ipt_ECN,ip_tables,xt_set,ip6t_NPT,ip6t_MASQUERADE,ip6table_mangle,ip6table_filter,ip6_tables,ip6t_REJECT

DNPT (IPv6-specific)

     Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296).
     You have to use this target in the mangle table, not in the nat table. It takes the following options:

     --src-pfx [prefix/length]
          Set source prefix that you want to translate and length

     --dst-pfx [prefix/length]
          Set destination prefix that you want to use in the translation and length

     You have to use the SNPT target to undo the translation. Example:

          ip6tables -t mangle -I POSTROUTING -s fd00::/64 -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64
          ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64

     You may need to enable IPv6 neighbor proxy:

          sysctl -w net.ipv6.conf.all.proxy_ndp=1

     You also have to use the NOTRACK target to disable connection tracking for translated flows.

Does anyone have ideas?
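The mapping the report is trying to configure, worked through in Python as an added example (not code from the page, from OpenWrt or from the kernel): RFC 6296 prefix translation with the checksum-neutral word adjustment that ip6t_NPT applies, using the two prefixes from the report. The "unknown option" error above is a separate matter: that option is parsed by the userspace ip6tables SNPT/DNPT extension library, which is installed independently of the kmod-ipt-nat6 kernel module, so loading the module alone does not make ip6tables accept it.

```python
import ipaddress

def _fold(x):
    """End-around-carry fold to 16 bits (one's complement addition)."""
    while x > 0xFFFF:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def _words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]

def address_checksum(addr):
    """Address share of the TCP/UDP/ICMPv6 pseudo-header checksum, which NPT must preserve."""
    return _fold(sum(_words(ipaddress.IPv6Address(addr))))

def npt_adjustment(from_pfx, to_pfx):
    """RFC 6296 section 3.3: sum(from prefix) - sum(to prefix) in one's complement."""
    a = address_checksum(ipaddress.IPv6Network(from_pfx).network_address)
    b = address_checksum(ipaddress.IPv6Network(to_pfx).network_address)
    return _fold(a + (~b & 0xFFFF))

def npt_translate(addr, from_pfx, to_pfx):
    """Move addr from from_pfx to to_pfx (equal lengths, at most /64) without changing
    address_checksum(); this is what the SNPT/DNPT targets do inside the kernel."""
    addr = ipaddress.IPv6Address(addr)
    from_pfx, to_pfx = ipaddress.IPv6Network(from_pfx), ipaddress.IPv6Network(to_pfx)
    plen = from_pfx.prefixlen
    if plen != to_pfx.prefixlen or plen > 64:
        raise ValueError("NPT needs equal prefix lengths of at most /64")
    if addr not in from_pfx:
        raise ValueError(f"{addr} is not inside {from_pfx}")
    host_mask = (1 << (128 - plen)) - 1          # swap the prefix bits, keep the rest
    new = (int(to_pfx.network_address) & ~host_mask) | (int(addr) & host_mask)
    words = _words(ipaddress.IPv6Address(new))
    # /48 or shorter: the subnet word (index 3) absorbs the adjustment. Longer: the
    # first interface-identifier word that is not 0xFFFF (0xFFFF cannot be reversed).
    usable = [3] if plen <= 48 else [i for i in range(4, 8) if words[i] != 0xFFFF]
    if not usable:
        raise ValueError("untranslatable: every interface-identifier word is 0xFFFF")
    w = _fold(words[usable[0]] + npt_adjustment(from_pfx, to_pfx))
    words[usable[0]] = 0 if w == 0xFFFF else w   # two one's complement zeros; use 0x0000
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in words))

# Constructed sample: the two prefixes from the report above.
INTERNAL, EXTERNAL = "2001:470:4999:100::/64", "240e:82:901:9400::/64"
if __name__ == "__main__":
    out = npt_translate("2001:470:4999:100::1", INTERNAL, EXTERNAL)
    back = npt_translate(out, EXTERNAL, INTERNAL)
    print(out, back, address_checksum("2001:470:4999:100::1") == address_checksum(out))
```

Running it shows that the inside address 2001:470:4999:100::1 leaves as 240e:82:901:9400:ad78::1, comes back unchanged, and both addresses sum to the same pseudo-header value, which is why the kernel can rewrite the prefix without touching the transport checksum.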

Luiz Angelo Daros de Luca commented on 30.10.2020 04:55

NPT is mostly useless for OpenWrt as it breaks conntrack. The result is that you'll have a stateless firewall. It would only be useful if you have a firewall before or after the router with NPT.

The reason for that is that when you use conntrack, you could simply use NETMAP, as most of its costs are already paid.

I do suggest you use NETMAP instead of MASQUERADE.
