author: Matthias Schiffer <mschiffer@universe-factory.net>, 2011-11-12 12:17:23 +0100
committer: Matthias Schiffer <mschiffer@universe-factory.net>, 2011-11-12 12:17:23 +0100
commit: 9f0da7662e647962f8ec3e1553cfdbae2d77af5b
tree: 9782e671dd7deb299f198e88988ad8a342f87787
parent: 0344f2ec310d317dc5f31e5c066a7a141d504333
Allow using [SD]NPTV6 rules in INPUT/OUTPUT chains
-rw-r--r-- README.dbk 14
-rw-r--r-- README.html 14
-rw-r--r-- README.txt 17
-rw-r--r-- ip6t_DNPTV6.c 2
-rw-r--r-- ip6t_SNPTV6.c 2
5 files changed, 32 insertions, 17 deletions
diff --git a/README.dbk b/README.dbk
index 37cd8d4..c34822d 100644
--- a/README.dbk
+++ b/README.dbk
@@ -139,19 +139,25 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to
ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</programlisting>
+
+ <para>If the router running NPTv6 is offering services itself, additional
+ rules are necessary for the services to be reachable by the external address:</para>
+
+ <programlisting>ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
+ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A INPUT -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</programlisting>
</section>
</section>
<section id="precedence">
<title id="precedence-title">IPv6/IPv4 Precedence</title>
- <para>With (EKU)buntu and eventually with RedHat, you will notice that
+ <para>With most Linux distributions you will notice that
your browser does not show the IPv6 version of a web site that is
multi-homed when using ULA addresses for your IPv6 Internet connection.
The reason for this is an add on to the RFC 3484 rules that is compiled
- into the (EKU)buntu libc. The pre-installed
- <filename>/etc/gai.conf</filename> file will give you a hint on
- this.</para>
+ into the libc. The pre-installed <filename>/etc/gai.conf</filename> file
+ will give you a hint on this.</para>
<para>In short: the getaddrinfo() library function rates a private IPv4
address higher than the ULA IPv6 address when choosing the transport
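Review bot: the new paragraph ahead of the OUTPUT/INPUT listing says the services become "reachable by the external address" but never says for which traffic. All three added rules sit in the OUTPUT and INPUT chains, which only see packets generated on or delivered to the router itself, so the text should name that case explicitly. It would also help to note that mark 42 is the same value the PREROUTING/POSTROUTING example above uses, and that `-j MARK --set-mark 42` replaces whatever mark the packet already carries.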
diff --git a/README.html b/README.html
index 7a0674c..159f51c 100644
--- a/README.html
+++ b/README.html
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id463568"></a>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Matthias</span> <span class="surname">Schiffer</span></h3><div class="affiliation"><span class="orgname">Freifunk Lübeck<br /></span></div></div></div><div><p class="pubdate">10-NOV-2011</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt><dt><span class="section"><a href="#config-nat-behaviour">NAT Behavioral Requirements</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt></dl></dd></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id306179"></a>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Matthias</span> <span class="surname">Schiffer</span></h3><div class="affiliation"><span class="orgname">Freifunk Lübeck<br /></span></div></div></div><div><p class="pubdate">10-NOV-2011</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt><dt><span class="section"><a href="#config-nat-behaviour">NAT Behavioral Requirements</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt></dl></dd></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
address of packets. The address change is done checksum neutral, thus no
checksum re-calculation for the packet is necessary. You can change the IPv6
source address of outgoing packets as well as the IPv6 destination address
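Review bot: the only difference in this hunk is the generated title anchor changing from `id463568` to `id306179` inside one very long line, which is churn from regenerating the file with the DocBook XSL stylesheets and not a content change. Consider giving the title an explicit id in README.dbk, or not tracking the generated README.html, so that documentation changes can be reviewed in the DocBook source alone.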
@@ -53,13 +53,15 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to
will enable this:</p><pre class="programlisting">ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
-ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</pre></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="precedence"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
+ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</pre><p>If the router running NPTv6 is offering services itself, additional
+ rules are necessary for the services to be reachable by the external address:</p><pre class="programlisting">ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
+ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A INPUT -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</pre></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="precedence"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With most Linux distributions you will notice that
your browser does not show the IPv6 version of a web site that is
multi-homed when using ULA addresses for your IPv6 Internet connection.
The reason for this is an add on to the RFC 3484 rules that is compiled
- into the (EKU)buntu libc. The pre-installed
- <code class="filename">/etc/gai.conf</code> file will give you a hint on
- this.</p><p>In short: the getaddrinfo() library function rates a private IPv4
+ into the libc. The pre-installed <code class="filename">/etc/gai.conf</code> file
+ will give you a hint on this.</p><p>In short: the getaddrinfo() library function rates a private IPv4
address higher than the ULA IPv6 address when choosing the transport
protocol for a new Internet connection if this add on to the RFC 3484
rules is compiled in. For this reason, you may want to change the
@@ -70,7 +72,7 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to
you cannot uncomment a single entry to overwrite the default. You need
to uncomment all entries of a particular type for this. The
<span class="quote">“<span class="quote">label</span>”</span> lines compare source addresses, the
- <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id499064"></a><p class="title"><strong>Procedure 1. Change IPv6 Precedence</strong></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
+ <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id341688"></a><p class="title"><strong>Procedure 1. Change IPv6 Precedence</strong></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
e.g. by executing <strong class="userinput"><code>sudo nano
/etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting
with <span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label
diff --git a/README.txt b/README.txt
index 39e43e7..3b9cd9c 100644
--- a/README.txt
+++ b/README.txt
@@ -118,13 +118,20 @@ ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destinat
ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
+If the router running NPTv6 is offering services itself, additional rules are
+necessary for the services to be reachable by the external address:
+
+ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
+ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A INPUT -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
+
IPv6/IPv4 Precedence
-With (EKU)buntu and eventually with RedHat, you will notice that your browser
-does not show the IPv6 version of a web site that is multi-homed when using ULA
-addresses for your IPv6 Internet connection. The reason for this is an add on
-to the RFC 3484 rules that is compiled into the (EKU)buntu libc. The
-pre-installed /etc/gai.conf file will give you a hint on this.
+With most Linux distributions you will notice that your browser does not show
+the IPv6 version of a web site that is multi-homed when using ULA addresses for
+your IPv6 Internet connection. The reason for this is an add on to the RFC 3484
+rules that is compiled into the libc. The pre-installed /etc/gai.conf file will
+give you a hint on this.
In short: the getaddrinfo() library function rates a private IPv4 address
higher than the ULA IPv6 address when choosing the transport protocol for a new
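Review bot: the rewording of the "IPv6/IPv4 Precedence" paragraph, which replaces "(EKU)buntu and eventually with RedHat" with "most Linux distributions", is unrelated to the INPUT/OUTPUT change named in the subject line and broadens a factual claim about what is compiled into the libc. Suggest moving it to its own commit whose message says on what basis the statement was generalised.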
diff --git a/ip6t_DNPTV6.c b/ip6t_DNPTV6.c
index 506d0a5..36752e4 100644
--- a/ip6t_DNPTV6.c
+++ b/ip6t_DNPTV6.c
@@ -67,7 +67,7 @@ static struct xt_target dnptv6_tg6_reg __read_mostly = {
.checkentry = dnptv6_tg6_check,
.targetsize = sizeof(struct ip6t_nptv6_info),
.table = "mangle",
- .hooks = (1 << NF_INET_PRE_ROUTING),
+ .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT),
.me = THIS_MODULE,
};
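Review bot: the widened `.hooks` mask admits NF_INET_LOCAL_OUT, where packets have no input device, yet only the mask changes in this hunk. Please confirm that dnptv6_tg6_check and the target function do not depend on an input interface being present, and add a short comment above `.hooks` saying why LOCAL_OUT is needed (locally generated traffic addressed to the external prefix, per the README change).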
diff --git a/ip6t_SNPTV6.c b/ip6t_SNPTV6.c
index 79747ae..666ae43 100644
--- a/ip6t_SNPTV6.c
+++ b/ip6t_SNPTV6.c
@@ -67,7 +67,7 @@ static struct xt_target snptv6_tg6_reg __read_mostly = {
.checkentry = snptv6_tg6_check,
.targetsize = sizeof(struct ip6t_nptv6_info),
.table = "mangle",
- .hooks = (1 << NF_INET_POST_ROUTING),
+ .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN),
.me = THIS_MODULE,
};
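Review bot: with NF_INET_LOCAL_IN added to `.hooks`, SNPTV6 can rewrite the source address in mangle INPUT, which runs before filter INPUT, so filter rules on the router will see the translated source instead of the original one. That ordering is worth stating in the README next to the new INPUT rule, so that existing filter INPUT rules matching on the internal prefix get reviewed when the rule is deployed. As with the DNPTV6 change, please also confirm the target function does not assume an output device, since none exists at LOCAL_IN.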