author: sven-ola <sven-ola@3484d885-4da6-438d-b19d-107d078dd756> 2010-10-07 09:07:36 +0200
committer: sven-ola <sven-ola@3484d885-4da6-438d-b19d-107d078dd756> 2010-10-07 09:07:36 +0200
commit: adb5c71c3b3cfd01c0e27225cf9c58b90fbd3e3a (patch)
tree: b8e169bfbbd5f850b70c4484a3749851ef68ad27
parent: adbd402d7074652fe5b041d77b4ddef1f8c3ab3a (diff)
download: NPTv6-adb5c71c3b3cfd01c0e27225cf9c58b90fbd3e3a.tar
NPTv6-adb5c71c3b3cfd01c0e27225cf9c58b90fbd3e3a.zip
warning about conntrack
git-svn-id: https://map66.svn.sourceforge.net/svnroot/map66@13 3484d885-4da6-438d-b19d-107d078dd756
-rw-r--r-- README.dbk 14
-rw-r--r-- README.html 20
-rw-r--r-- README.txt 13
-rw-r--r-- TODO 3
4 files changed, 33 insertions, 17 deletions
diff --git a/README.dbk b/README.dbk
index 153d50a..c52ef16 100644
--- a/README.dbk
+++ b/README.dbk
@@ -15,7 +15,7 @@
</affiliation>
</author>
- <pubdate>06-OCT-2010</pubdate>
+ <pubdate>07-OCT-2010</pubdate>
</articleinfo>
<para>These files implement a Linux netfilter target that changes the IPv6
@@ -31,6 +31,12 @@
<para><ulink
url="http://tools.ietf.org/html/draft-mrw-behave-nat66-02">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</ulink></para>
+ <warning>
+ <para>Using MAP66 rules together with connection tracking rules sich as
+ <userinput>--ctstate</userinput> is currently untested and may not work or
+ may cause oopses.</para>
+ </warning>
+
<section>
<title>Installation</title>
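Review bot: typo in the new warning text, "sich" should be "such", and since `--ctstate` is an option of the conntrack match rather than a rule of its own, "connection tracking matches such as --ctstate" reads more accurately. Fix it here in README.dbk and regenerate: README.html and README.txt in this same commit carry the identical typo, which shows they are produced from this DocBook source (the HTML header names DocBook XSL as generator), so editing them by hand would be undone by the next build.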
@@ -76,9 +82,9 @@
below <filename>/usr/src/</filename>. To register the MAP66 source to DKMS
and compile/install, issue these commands:</para>
- <programlisting>sudo dkms add -m ip6t_MAP66 -v 0.3
-sudo dkms build -m ip6t_MAP66 -v 0.3
-sudo dkms install -m ip6t_MAP66 -v 0.3</programlisting>
+ <programlisting>sudo dkms add -m ip6t_MAP66 -v 0.4
+sudo dkms build -m ip6t_MAP66 -v 0.4
+sudo dkms install -m ip6t_MAP66 -v 0.4</programlisting>
<para>Read DKMS details here: <ulink
url="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</ulink></para>
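Review bot: the version bump to 0.4 in the three dkms commands is only half of the change; `dkms add/build/install -m ip6t_MAP66 -v 0.4` will fail unless the package version recorded in dkms.conf (mentioned earlier in this README) and the directory name below /usr/src/ agree with it, and neither is touched in this commit. Please confirm those are updated in the source package, or note the required directory name next to the commands.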
diff --git a/README.html b/README.html
index d46221a..fafd4a6 100644
--- a/README.html
+++ b/README.html
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2928121"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">06-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2961474">Installation</a></span></dt><dt><span class="section"><a href="#id2953819">DKMS Integration</a></span></dt><dt><span class="section"><a href="#id2974647">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#id2959435">Brief Version</a></span></dt><dt><span class="section"><a href="#id2955411">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#id2949227">IPv6/IPv4 Precedence</a></span></dt><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2934947"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">07-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2932794">Installation</a></span></dt><dt><span class="section"><a href="#id2959102">DKMS Integration</a></span></dt><dt><span class="section"><a href="#id2954287">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#id2950621">Brief Version</a></span></dt><dt><span class="section"><a href="#id2951135">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#id2950210">IPv6/IPv4 Precedence</a></span></dt><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
address of packets. The address change is done checksum neutral, thus no
checksum re-calculation for the packet is necessary. You can change the IPv6
source address of outgoing packets as well as the IPv6 destination address
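Review bot: most of the README.html diff is churn in auto-generated anchors (id2928121 becomes id2934947, and every table-of-contents entry changes with it), which hides the two real changes, the pubdate and the new warning block. The "motivation" section already has a stable explicit id and did not change; giving the other sections explicit ids in README.dbk the same way would keep regenerated HTML diffs down to the content that actually changed.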
@@ -8,7 +8,9 @@
to a second, externally used IPv6 address range. IPv6 address mapping is not
very similar to IPv4 network address translation, but one can describe it as
some sort of stateless NAT. The implementation is based on the expired IETF
- discussion paper published here:</p><p><a class="ulink" href="http://tools.ietf.org/html/draft-mrw-behave-nat66-02" target="_top">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</a></p><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2961474"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that
+ discussion paper published here:</p><p><a class="ulink" href="http://tools.ietf.org/html/draft-mrw-behave-nat66-02" target="_top">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</a></p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Using MAP66 rules together with connection tracking rules sich as
+ <strong class="userinput"><code>--ctstate</code></strong> is currently untested and may not work or
+ may cause oopses.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2932794"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that
extends the ip6tables command and a Linux kernel module. The shared
library file adds the '-j MAP66' target to the ip6tables command. To build
and install, you need ip6tables installed as well as the necessary
@@ -21,16 +23,16 @@
Linux-2.6 or <code class="filename">ip6t_MAP66.o</code> for Linux-2.4) is not
automatically installed nor loaded into the kernel. You can copy the
kernel module file manually, e.g. with <strong class="userinput"><code>sudo cp ip6t_MAP66.ko
- /lib/modules/$(uname -r)/</code></strong>.</p></div></div><div class="section" title="DKMS Integration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2953819"></a>DKMS Integration</h2></div></div></div><p>If the next system update needs to install a new kernel version, you
+ /lib/modules/$(uname -r)/</code></strong>.</p></div></div><div class="section" title="DKMS Integration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2959102"></a>DKMS Integration</h2></div></div></div><p>If the next system update needs to install a new kernel version, you
also need to re-compile/re-install the MAP66 kernel module. With
Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module
Support Framework (DKMS). For this, the <code class="filename">dkms.conf</code>
file is included with the MAP66 source file package. Install DKMS with the
following command:</p><pre class="programlisting">sudo apt-get install dkms</pre><p>If not already in place, move/unpack the MAP66 source file archive
below <code class="filename">/usr/src/</code>. To register the MAP66 source to DKMS
- and compile/install, issue these commands:</p><pre class="programlisting">sudo dkms add -m ip6t_MAP66 -v 0.3
-sudo dkms build -m ip6t_MAP66 -v 0.3
-sudo dkms install -m ip6t_MAP66 -v 0.3</pre><p>Read DKMS details here: <a class="ulink" href="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging" target="_top">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</a></p></div><div class="section" title="Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2974647"></a>Configuration</h2></div></div></div><div class="section" title="Brief Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2959435"></a>Brief Version</h3></div></div></div><p>You always need to add two ip6tables-rules to your netfilter
+ and compile/install, issue these commands:</p><pre class="programlisting">sudo dkms add -m ip6t_MAP66 -v 0.4
+sudo dkms build -m ip6t_MAP66 -v 0.4
+sudo dkms install -m ip6t_MAP66 -v 0.4</pre><p>Read DKMS details here: <a class="ulink" href="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging" target="_top">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</a></p></div><div class="section" title="Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2954287"></a>Configuration</h2></div></div></div><div class="section" title="Brief Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2950621"></a>Brief Version</h3></div></div></div><p>You always need to add two ip6tables-rules to your netfilter
configuration. One rule matches outgoing packets and changes their IPv6
source address. The second rule matches incoming packets and reverts the
address change by altering their IPv6 destination address. To following
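Review bot: the unchanged context at the end of this hunk shows a broken link in the generated page: `href="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging"` has the sentence text inside the href attribute, so the browser treats it as a relative URL instead of the wiki address. The same string sits in the `url=` attribute of the `<ulink>` in README.dbk (visible as context in that file's DKMS hunk); correcting the attribute there to just the URL fixes this output on the next regeneration.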
@@ -49,7 +51,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --to
the mapping rule defines a mapping prefix that cannot result in the
interface address) you can switch off the comparison. Add the
<strong class="userinput"><code>--nocheck</code></strong> parameter to the ip6tables command for
- this.</p></div><div class="section" title="Detailed Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2955411"></a>Detailed Version</h3></div></div></div><p>The following explanation details a living example from the
+ this.</p></div><div class="section" title="Detailed Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2951135"></a>Detailed Version</h3></div></div></div><p>The following explanation details a living example from the
wireless mesh network that is mentioned under <a class="xref" href="#motivation" title="Motivation">Motivation</a> (see below).
Throughout the mesh network, a private IP address range is used. The ULA
prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6
@@ -115,7 +117,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
has a 6-to-4 address, you will get the answer packet back via the
6-to-4 interface. If the above address mapping is configured, you ping
one IPv6 address and get the answer from another IPv6
- address...</p></div></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2949227"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
+ address...</p></div></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2950210"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
your browser does not show the IPv6 version of a web site that is
multi-homed when using ULA addresses for your IPv6 Internet connection.
The reason for this is an add on to the RFC 3484 rules that is compiled
@@ -132,7 +134,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
you cannot uncomment a single entry to overwrite the default. You need
to uncomment all entries of a particular type for this. The
<span class="quote">“<span class="quote">label</span>”</span> lines compare source addresses, the
- <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p></div><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id2955439"></a><p class="title"><b>Procedure 1. Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
+ <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p></div><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id2960948"></a><p class="title"><b>Procedure 1. Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
e.g. by executing <strong class="userinput"><code>sudo nano
/etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting with
<span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label
diff --git a/README.txt b/README.txt
index 4e53698..816dfc0 100644
--- a/README.txt
+++ b/README.txt
@@ -4,7 +4,7 @@ Sven-Ola Tuecke
Freifunk
-06-OCT-2010
+07-OCT-2010
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@@ -32,6 +32,11 @@ published here:
http://tools.ietf.org/html/draft-mrw-behave-nat66-02
+Warning
+
+Using MAP66 rules together with connection tracking rules sich as --ctstate is
+currently untested and may not work or may cause oopses.
+
Installation
MAP66 implements two pieces of software: a shared library that extends the
@@ -70,9 +75,9 @@ If not already in place, move/unpack the MAP66 source file archive below /usr/
src/. To register the MAP66 source to DKMS and compile/install, issue these
commands:
-sudo dkms add -m ip6t_MAP66 -v 0.3
-sudo dkms build -m ip6t_MAP66 -v 0.3
-sudo dkms install -m ip6t_MAP66 -v 0.3
+sudo dkms add -m ip6t_MAP66 -v 0.4
+sudo dkms build -m ip6t_MAP66 -v 0.4
+sudo dkms install -m ip6t_MAP66 -v 0.4
Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging
diff --git a/TODO b/TODO
index c8438e3..8e108cb 100644
--- a/TODO
+++ b/TODO
@@ -2,3 +2,6 @@ Idea to think about: --salt 3b5b91c5a2 XOR client addresses for some more privac
the salt can be added e.g. when restarting router/iptables or may be generated for
a particular host once. Purpose: hide MAC addresses behind the address mapping
gateway
+
+Another idea: change to a single rule either in POSTROUTING or in PREROUTING to
+make MAP66 compatible with conntrack/stateful FW
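Review bot: the new TODO entry states the goal but not the constraint behind it; please record which hook the conntrack lookup runs in relative to the mangle-table MAP66 rules (the README's two-rule setup performs the reverse mapping in mangle PREROUTING, as the `ip6tables -t mangle -I PREROUTING ... -j MAP66` hunk header in README.html shows), because that ordering decides whether a reply packet is matched against its existing conntrack entry before or after its destination address is restored. A one-line cross-reference from the README warning to this TODO item would also tell users that the conntrack limitation is known and has a planned fix rather than being an unexplained "may cause oopses".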