-rw-r--r-- README.dbk   |  4
-rw-r--r-- README.html  | 42
-rw-r--r-- README.txt   | 28
-rw-r--r-- ip6t_MAP66.c |  6
4 files changed, 59 insertions, 21 deletions
diff --git a/README.dbk b/README.dbk
index 2437a31..eb58b8d 100644
--- a/README.dbk
+++ b/README.dbk
@@ -308,8 +308,8 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
OLSR-based mesh network, any interface uses an fdca:ffee:babe::/64
prefix. The following internal mapping is configured for this: </para>
- <programlisting>ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --newcsum
-ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 -newcsum</programlisting>
+ <programlisting>ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --unbalanced
+ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 --unbalanced</programlisting>
</section>
</section>
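Review bot: the example's option changes from `--newcsum` to `--unbalanced` (the single-dash `-newcsum` typo in the second rule disappears along with it), but nothing in the documentation touched by this commit says what `--unbalanced` does or why the 6to4-to-ULA mapping needs it; add a sentence describing the option before the first example that uses it, at least to the extent the kernel check in this commit implies, namely that a /128 target prefix is only accepted with `--unbalanced`.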
diff --git a/README.html b/README.html
index cd87ef5..75d1e91 100644
--- a/README.html
+++ b/README.html
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2670864"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">13-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2721433">Installation</a></span></dt><dt><span class="section"><a href="#id2694012">DKMS Integration</a></span></dt><dt><span class="section"><a href="#id2726093">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#id2726270">Brief Version</a></span></dt><dt><span class="section"><a href="#id2720683">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#id2705734">IPv6/IPv4 Precedence</a></span></dt><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2830125"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">13-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt><dt><span class="section"><a href="#config-detailed">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt><dt><span class="section"><a href="#precedence-6to4">Use 6to4 Internal Address</a></span></dt></dl></dd><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
address of packets. The address change is done checksum neutral, thus no
checksum re-calculation for the packet is necessary. You can change the IPv6
source address of outgoing packets as well as the IPv6 destination address
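Review bot: the section anchors become stable names (`#install`, `#dkms`, `#config`, ...), which keeps deep links from breaking on every regeneration, but the article title anchor is still a generator id (`id2670864` becomes `id2830125` here), as is the procedure anchor later in this diff; give those fixed ids in README.dbk as well, otherwise every rebuild keeps producing churn in the committed HTML.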
@@ -10,7 +10,7 @@
some sort of stateless NAT. The implementation is based on the expired IETF
discussion paper published here:</p><p><a class="ulink" href="http://tools.ietf.org/html/draft-mrw-behave-nat66-02" target="_top">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</a></p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Using MAP66 rules together with connection tracking rules sich as
<strong class="userinput"><code>--ctstate</code></strong> is currently untested and may not work or
- may cause oopses.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2721433"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that
+ may cause oopses.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="install"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that
extends the ip6tables command and a Linux kernel module. The shared
library file adds the '-j MAP66' target to the ip6tables command. To build
and install, you need ip6tables installed as well as the necessary
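Review bot: the unchanged context line just above the changed anchor still reads "connection tracking rules sich as"; since README.dbk is being edited in this commit anyway, fix the typo ("such as") in the DocBook source so the regenerated HTML and TXT both pick it up.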
@@ -23,7 +23,7 @@
Linux-2.6 or <code class="filename">ip6t_MAP66.o</code> for Linux-2.4) is not
automatically installed nor loaded into the kernel. You can copy the
kernel module file manually, e.g. with <strong class="userinput"><code>sudo cp ip6t_MAP66.ko
- /lib/modules/$(uname -r)/</code></strong>.</p></div></div><div class="section" title="DKMS Integration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2694012"></a>DKMS Integration</h2></div></div></div><p>If the next system update needs to install a new kernel version, you
+ /lib/modules/$(uname -r)/</code></strong>.</p></div></div><div class="section" title="DKMS Integration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="dkms"></a>DKMS Integration</h2></div></div></div><p>If the next system update needs to install a new kernel version, you
also need to re-compile/re-install the MAP66 kernel module. With
Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module
Support Framework (DKMS). For this, the <code class="filename">dkms.conf</code>
@@ -32,7 +32,7 @@
below <code class="filename">/usr/src/</code>. To register the MAP66 source to DKMS
and compile/install, issue these commands:</p><pre class="programlisting">sudo dkms add -m ip6t_MAP66 -v 0.5
sudo dkms build -m ip6t_MAP66 -v 0.5
-sudo dkms install -m ip6t_MAP66 -v 0.5</pre><p>Read DKMS details here: <a class="ulink" href="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging" target="_top">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</a></p></div><div class="section" title="Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2726093"></a>Configuration</h2></div></div></div><div class="section" title="Brief Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2726270"></a>Brief Version</h3></div></div></div><p>You always need to add two ip6tables-rules to your netfilter
+sudo dkms install -m ip6t_MAP66 -v 0.5</pre><p>Read DKMS details here: <a class="ulink" href="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging" target="_top">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</a></p></div><div class="section" title="Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="config"></a>Configuration</h2></div></div></div><div class="section" title="Brief Version"><div class="titlepage"><div><div><h3 class="title"><a id="config-brief"></a>Brief Version</h3></div></div></div><p>You always need to add two ip6tables-rules to your netfilter
configuration. One rule matches outgoing packets and changes their IPv6
source address. The second rule matches incoming packets and reverts the
address change by altering their IPv6 destination address. To following
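Review bot: the DKMS link is broken in both the old and the new line: the `href` attribute is `"Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging"`, so the visible text is the URL while the actual target is the whole sentence; the `<ulink>` in README.dbk evidently has the sentence pasted into its url attribute and should carry only the URL. Two context lines below, "To following" should read "The following".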
@@ -51,7 +51,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --dst
the mapping rule defines a mapping prefix that cannot result in the
interface address) you can switch off the comparison. Add the
<strong class="userinput"><code>--nocheck</code></strong> parameter to the ip6tables command for
- this.</p></div><div class="section" title="Detailed Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2720683"></a>Detailed Version</h3></div></div></div><p>The following explanation details a living example from the
+ this.</p></div><div class="section" title="Detailed Version"><div class="titlepage"><div><div><h3 class="title"><a id="config-detailed"></a>Detailed Version</h3></div></div></div><p>The following explanation details a living example from the
wireless mesh network that is mentioned under <a class="xref" href="#motivation" title="Motivation">Motivation</a> (see below).
Throughout the mesh network, a private IP address range is used. The ULA
prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6
@@ -117,7 +117,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
has a 6-to-4 address, you will get the answer packet back via the
6-to-4 interface. If the above address mapping is configured, you ping
one IPv6 address and get the answer from another IPv6
- address...</p></div></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2705734"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
+ address...</p></div></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="precedence"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
your browser does not show the IPv6 version of a web site that is
multi-homed when using ULA addresses for your IPv6 Internet connection.
The reason for this is an add on to the RFC 3484 rules that is compiled
@@ -127,21 +127,33 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
address higher than the ULA IPv6 address when choosing the transport
protocol for a new Internet connection if this add on to the RFC 3484
rules is compiled in. For this reason, you may want to change the
- precedence rules within <code class="filename">/etc/gai.conf</code>.</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The getaddrinfo() library function manages lists of label,
+ precedence rules within <code class="filename">/etc/gai.conf</code> (see <a class="xref" href="#precedence-gai" title="Change gai.conf">Change gai.conf</a>) or use another
+ prefix (see <a class="xref" href="#precedence-6to4" title="Use 6to4 Internal Address">Use 6to4 Internal Address</a>).</p><div class="section" title="Change gai.conf"><div class="titlepage"><div><div><h3 class="title"><a id="precedence-gai"></a>Change gai.conf</h3></div></div></div><p>The getaddrinfo() library function manages lists of label,
precedence, and scope4 type entries. If the
<code class="filename">/etc/gai.conf</code> file does not provide a single entry
for a particular type, the compiled-in list is used. For this reason,
you cannot uncomment a single entry to overwrite the default. You need
to uncomment all entries of a particular type for this. The
<span class="quote">“<span class="quote">label</span>”</span> lines compare source addresses, the
- <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p></div><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id2714638"></a><p class="title"><b>Procedure 1. Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
- e.g. by executing <strong class="userinput"><code>sudo nano
- /etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting with
- <span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label
- fc00::/7 6</span>”</span>.</p></li><li class="step" title="Step 4"><p>Save the file.</p></li><li class="step" title="Step 5"><p>Restart your browser and re-try to browse to a multi-homed web
- site.</p></li></ol></div><p>The above procedure removes the difference between standard IPv6
- source addresses and ULA type private IPv6 source addresses. Anything else
- is unchanged.</p></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh
+ <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id2877432"></a><p class="title"><b>Procedure 1. Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
+ e.g. by executing <strong class="userinput"><code>sudo nano
+ /etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting
+ with <span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label
+ fc00::/7 6</span>”</span>.</p></li><li class="step" title="Step 4"><p>Save the file.</p></li><li class="step" title="Step 5"><p>Restart your browser and re-try to browse to a multi-homed web
+ site.</p></li></ol></div><p>The above procedure removes the difference between standard IPv6
+ source addresses and ULA type private IPv6 source addresses. Anything
+ else is unchanged.</p></div><div class="section" title="Use 6to4 Internal Address"><div class="titlepage"><div><div><h3 class="title"><a id="precedence-6to4"></a>Use 6to4 Internal Address</h3></div></div></div><p>As an alternative solution, you may use 6to4 addresses in your
+ LAN. While the well known IPv4 adresses 10.0.0.0/8, 172.16.0.0/12, and
+ 192.168.0.0/16 still exist, it is unlikely that their 6to4 counterparts
+ 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will be routed on the
+ Internet. Because 6to4 adresses are part of the official 2002::/3
+ address prefix for the Internet, no difference between these addresses
+ and other Internet addresses are made by getaddrinfo().</p><p>If you already deployed ULA adresses in your network, you may be
+ interested in a solution that runs on my Freifunk router. The router
+ uses the IPv4 192.168.65.65/26 on it's LAN interface. WIthin the
+ OLSR-based mesh network, any interface uses an fdca:ffee:babe::/64
+ prefix. The following internal mapping is configured for this: </p><pre class="programlisting">ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --unbalanced
+ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 --unbalanced</pre></div></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh
network not owned by me. The mesh is operated with small embedded devices
(nodes aka. WLAN routers) that are interconnected via radio links (WLAN
IBSS / AdHoc). Routing is done with a specialized protocol such as Batman
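Review bot: the new "Use 6to4 Internal Address" section says 6to4 addresses are "part of the official 2002::/3 address prefix"; 6to4 is 2002::/16 (the /3 is 2000::/3, the global unicast range in which 2002::/16 lies), so correct the prefix, since readers are likely to copy it into address filters. The same two paragraphs have "adresses" three times, "it's LAN interface" (should be "its"), "WIthin", and "no difference ... are made" (should be "is made"); README.txt below repeats them verbatim, so fix them once in README.dbk.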
diff --git a/README.txt b/README.txt
index 9ea1734..399a38a 100644
--- a/README.txt
+++ b/README.txt
@@ -18,6 +18,10 @@ Configuration
Detailed Version
IPv6/IPv4 Precedence
+
+ Change gai.conf
+ Use 6to4 Internal Address
+
Motivation
These files implement a Linux netfilter target that changes the IPv6 address of
@@ -202,9 +206,10 @@ pre-installed /etc/gai.conf file will give you a hint on this.
In short: the getaddrinfo() library function rates a private IPv4 address
higher than the ULA IPv6 address when choosing the transport protocol for a new
Internet connection if this add on to the RFC 3484 rules is compiled in. For
-this reason, you may want to change the precedence rules within /etc/gai.conf.
+this reason, you may want to change the precedence rules within /etc/gai.conf
+(see Change gai.conf) or use another prefix (see Use 6to4 Internal Address).
-Note
+Change gai.conf
The getaddrinfo() library function manages lists of label, precedence, and
scope4 type entries. If the /etc/gai.conf file does not provide a single entry
@@ -230,6 +235,25 @@ The above procedure removes the difference between standard IPv6 source
addresses and ULA type private IPv6 source addresses. Anything else is
unchanged.
+Use 6to4 Internal Address
+
+As an alternative solution, you may use 6to4 addresses in your LAN. While the
+well known IPv4 adresses 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 still
+exist, it is unlikely that their 6to4 counterparts 2002:0a00::/24, 2002:ac10::/
+28, and 2002:c0a8::/32 will be routed on the Internet. Because 6to4 adresses
+are part of the official 2002::/3 address prefix for the Internet, no
+difference between these addresses and other Internet addresses are made by
+getaddrinfo().
+
+If you already deployed ULA adresses in your network, you may be interested in
+a solution that runs on my Freifunk router. The router uses the IPv4
+192.168.65.65/26 on it's LAN interface. WIthin the OLSR-based mesh network, any
+interface uses an fdca:ffee:babe::/64 prefix. The following internal mapping is
+configured for this:
+
+ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --unbalanced
+ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 --unbalanced
+
Motivation
My Internet access at home is realized by a wireless community mesh network not
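Review bot: the line wrap splits the prefix `2002:ac10::/28` across two lines (`2002:ac10::/` at the end of one line, `28` at the start of the next), which is easy to misread or mis-copy from a plain-text README; rewrap that sentence so each prefix stays on a single line. The text also carries the "2002::/3" error and the "adresses"/"it's"/"WIthin" typos from README.html, which need fixing in the DocBook source rather than in this generated file.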
diff --git a/ip6t_MAP66.c b/ip6t_MAP66.c
index b00c818..afcc57c 100644
--- a/ip6t_MAP66.c
+++ b/ip6t_MAP66.c
@@ -126,6 +126,7 @@ static unsigned int MAP66_tg6(
&hdr->saddr, &hdr->daddr);
#endif
+#if 0
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,5,0)
if (skb_cloned(skb) && !skb->sk) {
struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
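Review bot: wrapping the `skb_cloned(skb) && !skb->sk` handling in `#if 0` means a cloned skb now has its IPv6 header rewritten in place, and a clone shares its header data with every other holder of that skb (a packet socket tap or another hook that cloned it, for instance), so the address change becomes visible to them too; if dropping the private copy is intentional, for example because the packet is already unshared before this target runs, say so in a comment, and if the block is really dead, delete it instead of leaving `#if 0` around version-conditional code.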
@@ -143,6 +144,7 @@ static unsigned int MAP66_tg6(
}
#endif
hdr = ipv6_hdr(skb);
+#endif
if (0 != (IP6T_MAP66_OPT_DST_TO & info->mapflags)) {
pr_devel("MAP66 DST, nocheck=%d, ip_summed=%d\n", 0 != (IP6T_MAP66_OPT_NOCHECK & info->mapflags), skb->ip_summed);
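Review bot: placing the `#endif` after `hdr = ipv6_hdr(skb);` disables the re-fetch of `hdr` together with the copy path, which is consistent (no new skb is created, so the pointer taken earlier stays valid), but the `#if 0` / `#endif` pair now spans two nested `#if LINUX_VERSION_CODE` blocks and a hunk boundary, which makes the preprocessor structure hard to follow; a single removal with the reason stated in the commit message would be clearer than dead code.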
@@ -199,7 +201,7 @@ static bool MAP66_tg6_check(
}
if (0 != (IP6T_MAP66_OPT_DST_TO & info->mapflags) && (0 >= info->pfix_dst_len ||
- 0 != (IP6T_MAP66_OPT_UNBALANCED & info->mapflags) ? 8 : 7 < info->pfix_dst_len))
+ (0 != (IP6T_MAP66_OPT_UNBALANCED & info->mapflags) ? 8 : 7) < info->pfix_dst_len))
{
if (8 == info->pfix_dst_len) {
printk("MAP66: --" IP6T_MAP66_DST_TO " prefix length /%d only possible with --unbalanced\n", 16 * info->pfix_dst_len);
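Review bot: the added parentheses fix a real precedence bug: `<` binds tighter than `?:`, so the old expression parsed as `(flag set) ? 8 : (7 < info->pfix_dst_len)`, which is always true when `--unbalanced` is given and therefore rejected every `--dst-to` rule that used the option. The corrected form is right but still hard to read; consider `int max_len = (info->mapflags & IP6T_MAP66_OPT_UNBALANCED) ? 8 : 7;` with a comment that prefix lengths are counted in 16-bit words (the message multiplies by 16), so 7 means /112 and 8 means /128.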
@@ -211,7 +213,7 @@ static bool MAP66_tg6_check(
}
if (0 != (IP6T_MAP66_OPT_SRC_TO & info->mapflags) && (0 >= info->pfix_src_len ||
- 0 != (IP6T_MAP66_OPT_UNBALANCED & info->mapflags) ? 8 : 7 < info->pfix_src_len))
+ (0 != (IP6T_MAP66_OPT_UNBALANCED & info->mapflags) ? 8 : 7) < info->pfix_src_len))
{
if (8 == info->pfix_src_len) {
printk("MAP66: --" IP6T_MAP66_SRC_TO " prefix length /%d only possible with --unbalanced\n", 16 * info->pfix_src_len);
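Review bot: this is the same precedence fix as for `--dst-to` with `pfix_src_len` substituted, and the check together with its two error messages is duplicated verbatim between the two branches; a small helper taking the length, the flags and the option name would keep the two limits from drifting apart again.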