ydahhrk
commented
1 year ago Oh sorry, I thought this was closed because of the duplicate #398, and because you did reach the correct conclusion.
Yes, Jool'd packets do skip conntrack. But if you run Jool and conntrack in separate namespaces, they chain fine and don't interfere with each other. This is a result of Jool's somewhat awkward architecture, and can't be fixed without a large overhaul, which is #273.
Do you want to discuss something else?
douniwan5788
Internet <--- ipv6 ---> (2001:db8::1) WAN LAN(192.168.1.1) <--- ipv4 ---> IoT device(192.168.1.2)
I want to remote access my home IoT device over an ipv6-only wan, but a simple ipv6 port forwarding like below won't work……
#372#issuecomment-1021322964
jool uses it's own bib table instead of conntrack to manage nat mappings, this causes iptables/nftables NAT(SNAT/DNAT/MASQUERADE) can not work together with jool as the connection is NEVER actually established, jool just drops ipv6 packets from one side and recreates ipv4 packets from the other side.
A workaround is to create a pair of veth then use the network namespace, this wiil let the packet "really" be sent to the interface and conntrack will be work fine https://www.jool.mx/en/node-based-translation.html