ydahhrk
commented
3 years ago Isn't it already implemented by stock nftables? https://gist.github.com/inntran/4816f33d9230b0a31bea062fc21fcbd9
Closed cvmiller closed 3 years ago
ydahhrk
commented
3 years ago Isn't it already implemented by stock nftables? https://gist.github.com/inntran/4816f33d9230b0a31bea062fc21fcbd9
cvmiller
commented
3 years ago Yes, but not in this way. The DNPT option only supports IPv4 (at least on my ip6tables v1.83 implementation).
There is another nftables method using NETMAP which does in fact do Prefix Translation for IPv6, however it is failing because the upstream router can't resolve the MAC address of the downstream host (which is on a different segment, and has a ULA). I think some kind of NDP proxy is needed. https://gist.github.com/MisakaMikoto-35c5/93d7a32860bbb31b47a05a8c8a0152b8
ydahhrk
commented
3 years ago Ok, but to be perfectly honest, I do think NPTv6 is very much not in the scope of the Jool project.
Even if I add this feature, I think it would be short lived, because I'm aiming to merge Jool with nftables in a not too distant future, and this would probably be considered duplicated functionality and rejected.
I haven't read the RFC beyond the introduction, but if this NPTv6 thing is just a means to swap IPv6 addresses, can't you just chain two SIIT Jools?
Eg. Say you want to change 2001:db8::1111 into 2001:db8::AAAA:
[ 2001:db8::1111, 192.0.2.1 ] in namespace 1[ 192.0.2.1, 2001:db8::AAAA ] in namespace 22001:db8::1111 becomes 192.0.2.1192.0.2.1 becomes 2001:db8::AAAAIt might not be a perfect standard NPTv6, but maybe it's good enough?
cvmiller
commented
3 years ago NPTv6 doesn't quite work as you have specified, but you aren't far from the mark. It is just swapping the first 48-64 bits of a ULA prefix for a global one.
I did get this working using ip6tables (I believe nftables is under ip6tables) using NETMAP. However it doesn't work the way I want. I was hoping to use NPTv6 to "extend" a GUA /64 into a home network, for example. Unfortunately, it doesn't work that way, in that the upstream router is busy doing NDP Mac resolution for the host with the GUA prefix, but that host doesn't actually exist, it is on the ULA side. Since NETMAP doesn't forward multicast solicited node address, the connection doesn't work. What is needed is a NDP proxy. So it is more complicated that just swapping the prefixes.
Let's close this issue for now.
Jool is a fantastic translation tool, thank you for creating it.
There are use cases such as ISPs that change IPv6 prefixes delegated on a daily basis or even more often, where it would be nice to have stability in one's network, but translate to the new prefix (from the ISP) going to the internet. NPTv6 seems perfect for this use case.
The translated prefix, as per the RFC, should be user configurable between a /48 and /64.
Please consider supporting NPTv6 in a future release of Jool. TIA