FS#3225 - ipv6 npt does not work #8093

Open
openwrt-bot opened this issue Jul 11, 2020 · 1 comment
Labels
flyspray kernel pull request/issue with Linux kernel related changes

Comments


youxiaojie:

Supply the following if possible:

  • Device problem occurs on
  • Software versions of OpenWrt/LEDE release, packages, etc.
  • Steps to reproduce

I hope to use IPv6 NPT (RFC 6296 stateless NPT); I have kmod-ipt-nat6 installed.
I am sure "ip6t_NPT" is about RFC 6296; in the source code:
MODULE_DESCRIPTION("IPv6-to-IPv6 Network Prefix Translation (RFC 6296)");

root@OpenWrt:~# ip6tables -t mangle -I POSTROUTING -s 2001:470:4999:100::/64 -o br-lan -j SNPT --src-pfx 2001:470:4999:100::/64 --dst-pfx 240e:82:901:9400::/64
ip6tables v1.8.3 (legacy): unknown option "--src-pfx"
Try `ip6tables -h' or 'ip6tables --help' for more information.

I have kmod-ipt-nat6 installed, which contains the NPT extension.

lsmod
x_tables 12656 37 ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_ecn,xt_dscp,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_HL,xt_FLOWOFFLOAD,xt_DSCP,xt_CT,xt_CLASSIFY,iptable_mangle,iptable_filter,ipt_ECN,ip_tables,xt_set,ip6t_NPT,ip6t_MASQUERADE,ip6table_mangle,ip6table_filter,ip6_tables,ip6t_REJECT

DNPT (IPv6-specific)
Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296).

   You have to use this target in the mangle table, not in the nat table. It takes the following options:

   --src-pfx [prefix/length]
          Set source prefix that you want to translate and length

   --dst-pfx [prefix/length]
          Set destination prefix that you want to use in the translation and length

   You have to use the SNPT target to undo the translation. Example:

      ip6tables -t mangle -I POSTROUTING -s fd00::/64  -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64

      ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64

   You may need to enable IPv6 neighbor proxy:

          sysctl -w net.ipv6.conf.all.proxy_ndp=1

   You also have to use the NOTRACK target to disable connection tracking for translated flows.

Does anyone have ideas?


luizluca:

NPT is mostly useless for OpenWrt as it breaks conntrack. The result is that you'll have a stateless firewall. It would only be useful if you have a firewall before or after the router with NPT.

The reason for that is when you use conntrack, you could simply use NETMAP as most of its costs are already paid (https://unix.stackexchange.com/questions/331224/is-there-a-way-to-have-nptv6-with-connection-tracking-on-linux).

I do suggest you use NETMAP instead of MASQUERADE.

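The property both comments turn on is that RFC 6296 NPT is stateless: the prefix rewrite is made checksum-neutral by adjusting one 16-bit word of the host part, so no conntrack entry is needed to fix up TCP/UDP checksums. The following is an added Python example (not code from the issue, from OpenWrt or from the kernel) that works this mapping through with the two prefixes from the report; it mirrors the word-selection rules of the kernel's ip6t_NPT target for equal-length prefixes, and the sample host address is constructed.

```python
import ipaddress
from functools import reduce

def ones_complement_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def ones_complement_sum(words):
    return reduce(ones_complement_add, words, 0)

def address_words(addr):
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]

def nptv6_adjustment(src_pfx, dst_pfx):
    """RFC 6296 adjustment: one's complement sum of src_pfx minus that of dst_pfx (zero-extended to 128 bits)."""
    src_sum = ones_complement_sum(address_words(src_pfx.network_address))
    dst_sum = ones_complement_sum(address_words(dst_pfx.network_address))
    return ones_complement_add(src_sum, ~dst_sum & 0xFFFF)

def nptv6_translate(addr, src_pfx, dst_pfx):
    """Rewrite addr's src_pfx bits to dst_pfx while keeping the pseudo-header checksum unchanged.
    Returns None where RFC 6296 drops the packet (every candidate IID word is 0xFFFF)."""
    if addr not in src_pfx or src_pfx.prefixlen != dst_pfx.prefixlen:
        raise ValueError("addr must lie in src_pfx and both prefix lengths must match")
    words, new_pfx, plen = address_words(addr), address_words(dst_pfx.network_address), src_pfx.prefixlen
    for i in range(8):                                  # step 1: overwrite the prefix bits
        bits = min(16, max(0, plen - 16 * i))
        if bits == 0:
            break
        mask = (0xFFFF << (16 - bits)) & 0xFFFF
        words[i] = (words[i] & ~mask & 0xFFFF) | (new_pfx[i] & mask)
    if plen <= 48:                                      # step 2: choose the word that absorbs the change
        idx = 3                                         # subnet-ID word, bits 48..63
    else:
        free = [i for i in range(4, 8) if words[i] != 0xFFFF]
        if not free:
            return None
        idx = free[0]                                   # first IID word that is not 0xFFFF
    adjusted = ones_complement_add(words[idx], nptv6_adjustment(src_pfx, dst_pfx))
    words[idx] = 0 if adjusted == 0xFFFF else adjusted  # 0xFFFF is "negative zero" in one's complement
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))

def checksum_neutral(a, b):                             # 0 and 0xFFFF count as equal
    return ones_complement_sum(address_words(a)) % 0xFFFF == ones_complement_sum(address_words(b)) % 0xFFFF

# Constructed sample using the two prefixes from the report: SNPT maps the host out, DNPT maps it back
INSIDE, OUTSIDE = ipaddress.IPv6Network("2001:470:4999:100::/64"), ipaddress.IPv6Network("240e:82:901:9400::/64")
OUTBOUND = nptv6_translate(ipaddress.IPv6Address("2001:470:4999:100::1"), INSIDE, OUTSIDE)
INBOUND = nptv6_translate(OUTBOUND, OUTSIDE, INSIDE)
```

Because the adjustment keeps the layer-4 checksum valid, SNPT/DNPT can sit in the mangle table with NOTRACK and no connection state; that is also why a translated flow carries no conntrack entry for the firewall to match on.
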
@aparcar aparcar added the kernel pull request/issue with Linux kernel related changes label Feb 22, 2022