-rw-r--r-- README.dbk  | 55
-rw-r--r-- README.html | 39
-rw-r--r-- README.txt  | 49
3 files changed, 86 insertions, 57 deletions
@@ -19,7 +19,7 @@ </affiliation> </author> - <pubdate>13-OCT-2010</pubdate> + <pubdate>16-OCT-2010</pubdate> </articleinfo> <para>These files implement a Linux netfilter target that changes the IPv6 @@ -36,9 +36,9 @@ url="http://tools.ietf.org/html/draft-mrw-behave-nat66-02">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</ulink></para> <warning> - <para>Using MAP66 rules together with connection tracking rules sich as + <para>Using MAP66 rules together with connection tracking rules such as <userinput>--ctstate</userinput> is currently untested and may not work or - may cause oopses.</para> + may cause dysfunctions.</para> </warning> <section id="install"> @@ -242,8 +242,8 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- rules is compiled in. For this reason, you may want to change the precedence rules within <filename>/etc/gai.conf</filename> (see <xref endterm="precedence-gai-title" linkend="precedence-gai" />) or use another - prefix (see <xref endterm="precedence-6to4-title" - linkend="precedence-6to4" />).</para> + prefix (see <xref endterm="precedence-addrs-title" + linkend="precedence-addrs" />).</para> <section id="precedence-gai"> <title id="precedence-gai-title">Change gai.conf</title> 
@@ -291,25 +291,38 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- else is unchanged.</para> </section> - <section id="precedence-6to4"> - <title id="precedence-6to4-title">Use 6to4 Internal Address</title> + <section id="precedence-addrs"> + <title id="precedence-addrs-title">Use Changed Internal Address</title> - <para>As an alternative solution, you may use 6to4 addresses in your - LAN. While the well known IPv4 adresses 10.0.0.0/8, 172.16.0.0/12, and - 192.168.0.0/16 still exist, it is unlikely that their 6to4 counterparts - 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will be routed on the - Internet. Because 6to4 adresses are part of the official 2002::/3 - address prefix for the Internet, no difference between these addresses - and other Internet addresses are made by getaddrinfo().</para> + <para>As an alternative solution, you may use an arbitrary address + prefix in your LAN that is not mentioned in the + <filename>gai.conf</filename> file nor compiled in. This will work but + introduces a double mapping: one map (Inet-ULA) on the Internet gateway + router and a second map (ULA-Intern) on the internal router. </para> - <para>If you already deployed ULA adresses in your network, you may be - interested in a solution that runs on my Freifunk router. The router - uses the IPv4 192.168.65.65/26 on it's LAN interface. WIthin the - OLSR-based mesh network, any interface uses an fdca:ffee:babe::/64 - prefix. The following internal mapping is configured for this: </para> + <note> + <para>While the well known IPv4 addresses 10.0.0.0/8, 172.16.0.0/12, + and 192.168.0.0/16 still exist, it is unlikely that their 6to4 + counterparts 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will + be routed on the Internet. 
Sadly, the (EKU)buntu defaults penalize + 6to4 addresses also.</para> + </note> - <programlisting>ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum -ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 --csum</programlisting> + <para>If you already deployed ULA addresses in your network, you may be + interested in a solution that runs on my Freifunk router. The router + uses the IPv6 prefix that is reserved for documentation purposes on it's + LAN interface. WIthin the OLSR-based mesh network, any interface uses an + fdca:ffee:babe::/64 prefix. The following internal mapping is configured + for this:</para> + + <programlisting>ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum +ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum</programlisting> + + <para>To prevent the mapped packets to vanish via the default route and + to overcome mac address lookups during the routing process, I also added + these prefixes to the router's <filename>/etc/radvd.conf</filename> as + well as (host) routes pointing to the <quote>br0</quote> interface for + both prefixes.</para> </section> </section> diff --git a/README.html b/README.html index 337f6ca..ebdef69 100644 --- a/README.html +++ b/README.html 
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2964483"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">13-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt><dt><span class="section"><a href="#config-detailed">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt><dt><span class="section"><a href="#precedence-6to4">Use 6to4 Internal Address</a></span></dt></dl></dd><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6 +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta 
name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2593518"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">16-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt><dt><span class="section"><a href="#config-detailed">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt><dt><span class="section"><a href="#precedence-addrs">Use Changed Internal Address</a></span></dt></dl></dd><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6 address of packets. The address change is done checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address 
@@ -8,9 +8,9 @@ to a second, externally used IPv6 address range. IPv6 address mapping is not very similar to IPv4 network address translation, but one can describe it as some sort of stateless NAT. The implementation is based on the expired IETF - discussion paper published here:</p><p><a class="ulink" href="http://tools.ietf.org/html/draft-mrw-behave-nat66-02" target="_top">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</a></p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Using MAP66 rules together with connection tracking rules sich as + discussion paper published here:</p><p><a class="ulink" href="http://tools.ietf.org/html/draft-mrw-behave-nat66-02" target="_top">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</a></p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Using MAP66 rules together with connection tracking rules such as <strong class="userinput"><code>--ctstate</code></strong> is currently untested and may not work or - may cause oopses.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="install"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that + may cause dysfunctions.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="install"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that extends the ip6tables command and a Linux kernel module. The shared library file adds the '-j MAP66' target to the ip6tables command. To build and install, you need ip6tables installed as well as the necessary 
@@ -128,32 +128,39 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- protocol for a new Internet connection if this add on to the RFC 3484 rules is compiled in. For this reason, you may want to change the precedence rules within <code class="filename">/etc/gai.conf</code> (see <a class="xref" href="#precedence-gai" title="Change gai.conf">Change gai.conf</a>) or use another - prefix (see <a class="xref" href="#precedence-6to4" title="Use 6to4 Internal Address">Use 6to4 Internal Address</a>).</p><div class="section" title="Change gai.conf"><div class="titlepage"><div><div><h3 class="title"><a id="precedence-gai"></a>Change gai.conf</h3></div></div></div><p>The getaddrinfo() library function manages lists of label, + prefix (see <a class="xref" href="#precedence-addrs" title="Use Changed Internal Address">Use Changed Internal Address</a>).</p><div class="section" title="Change gai.conf"><div class="titlepage"><div><div><h3 class="title"><a id="precedence-gai"></a>Change gai.conf</h3></div></div></div><p>The getaddrinfo() library function manages lists of label, precedence, and scope4 type entries. If the <code class="filename">/etc/gai.conf</code> file does not provide a single entry for a particular type, the compiled-in list is used. For this reason, you cannot uncomment a single entry to overwrite the default. You need to uncomment all entries of a particular type for this. The <span class="quote">“<span class="quote">label</span>”</span> lines compare source addresses, the - <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id3013740"></a><p class="title"><b>Procedure 1. 
Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user, + <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id2624529"></a><p class="title"><b>Procedure 1. Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user, e.g. by executing <strong class="userinput"><code>sudo nano /etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting with <span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label fc00::/7 6</span>”</span>.</p></li><li class="step" title="Step 4"><p>Save the file.</p></li><li class="step" title="Step 5"><p>Restart your browser and re-try to browse to a multi-homed web site.</p></li></ol></div><p>The above procedure removes the difference between standard IPv6 source addresses and ULA type private IPv6 source addresses. Anything - else is unchanged.</p></div><div class="section" title="Use 6to4 Internal Address"><div class="titlepage"><div><div><h3 class="title"><a id="precedence-6to4"></a>Use 6to4 Internal Address</h3></div></div></div><p>As an alternative solution, you may use 6to4 addresses in your - LAN. While the well known IPv4 adresses 10.0.0.0/8, 172.16.0.0/12, and - 192.168.0.0/16 still exist, it is unlikely that their 6to4 counterparts - 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will be routed on the - Internet. 
Because 6to4 adresses are part of the official 2002::/3 - address prefix for the Internet, no difference between these addresses - and other Internet addresses are made by getaddrinfo().</p><p>If you already deployed ULA adresses in your network, you may be + else is unchanged.</p></div><div class="section" title="Use Changed Internal Address"><div class="titlepage"><div><div><h3 class="title"><a id="precedence-addrs"></a>Use Changed Internal Address</h3></div></div></div><p>As an alternative solution, you may use an arbitrary address + prefix in your LAN that is not mentioned in the + <code class="filename">gai.conf</code> file nor compiled in. This will work but + introduces a double mapping: one map (Inet-ULA) on the Internet gateway + router and a second map (ULA-Intern) on the internal router. </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>While the well known IPv4 addresses 10.0.0.0/8, 172.16.0.0/12, + and 192.168.0.0/16 still exist, it is unlikely that their 6to4 + counterparts 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will + be routed on the Internet. Sadly, the (EKU)buntu defaults penalize + 6to4 addresses also.</p></div><p>If you already deployed ULA addresses in your network, you may be interested in a solution that runs on my Freifunk router. The router - uses the IPv4 192.168.65.65/26 on it's LAN interface. WIthin the - OLSR-based mesh network, any interface uses an fdca:ffee:babe::/64 - prefix. 
The following internal mapping is configured for this: </p><pre class="programlisting">ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum -ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 --csum</pre></div></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh + uses the IPv6 prefix that is reserved for documentation purposes on it's + LAN interface. WIthin the OLSR-based mesh network, any interface uses an + fdca:ffee:babe::/64 prefix. The following internal mapping is configured + for this:</p><pre class="programlisting">ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum +ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum</pre><p>To prevent the mapped packets to vanish via the default route and + to overcome mac address lookups during the routing process, I also added + these prefixes to the router's <code class="filename">/etc/radvd.conf</code> as + well as (host) routes pointing to the <span class="quote">“<span class="quote">br0</span>”</span> interface for + both prefixes.</p></div></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh network not owned by me. The mesh is operated with small embedded devices (nodes aka. WLAN routers) that are interconnected via radio links (WLAN IBSS / AdHoc). Routing is done with a specialized protocol such as Batman 
@@ -4,7 +4,7 @@ Sven-Ola Tuecke Freifunk -13-OCT-2010 +16-OCT-2010 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ @@ -20,7 +20,7 @@ Configuration IPv6/IPv4 Precedence Change gai.conf - Use 6to4 Internal Address + Use Changed Internal Address Motivation @@ -38,8 +38,8 @@ http://tools.ietf.org/html/draft-mrw-behave-nat66-02 Warning -Using MAP66 rules together with connection tracking rules sich as --ctstate is -currently untested and may not work or may cause oopses. +Using MAP66 rules together with connection tracking rules such as --ctstate is +currently untested and may not work or may cause dysfunctions. Installation @@ -207,7 +207,7 @@ In short: the getaddrinfo() library function rates a private IPv4 address higher than the ULA IPv6 address when choosing the transport protocol for a new Internet connection if this add on to the RFC 3484 rules is compiled in. For this reason, you may want to change the precedence rules within /etc/gai.conf -(see Change gai.conf) or use another prefix (see Use 6to4 Internal Address). +(see Change gai.conf) or use another prefix (see Use Changed Internal Address). Change gai.conf 
@@ -235,24 +235,33 @@ The above procedure removes the difference between standard IPv6 source addresses and ULA type private IPv6 source addresses. Anything else is unchanged. -Use 6to4 Internal Address +Use Changed Internal Address -As an alternative solution, you may use 6to4 addresses in your LAN. While the -well known IPv4 adresses 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 still -exist, it is unlikely that their 6to4 counterparts 2002:0a00::/24, 2002:ac10::/ -28, and 2002:c0a8::/32 will be routed on the Internet. Because 6to4 adresses -are part of the official 2002::/3 address prefix for the Internet, no -difference between these addresses and other Internet addresses are made by -getaddrinfo(). +As an alternative solution, you may use an arbitrary address prefix in your LAN +that is not mentioned in the gai.conf file nor compiled in. This will work but +introduces a double mapping: one map (Inet-ULA) on the Internet gateway router +and a second map (ULA-Intern) on the internal router. -If you already deployed ULA adresses in your network, you may be interested in -a solution that runs on my Freifunk router. The router uses the IPv4 -192.168.65.65/26 on it's LAN interface. WIthin the OLSR-based mesh network, any -interface uses an fdca:ffee:babe::/64 prefix. The following internal mapping is -configured for this: +Note + +While the well known IPv4 addresses 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/ +16 still exist, it is unlikely that their 6to4 counterparts 2002:0a00::/24, +2002:ac10::/28, and 2002:c0a8::/32 will be routed on the Internet. Sadly, the +(EKU)buntu defaults penalize 6to4 addresses also. + +If you already deployed ULA addresses in your network, you may be interested in +a solution that runs on my Freifunk router. The router uses the IPv6 prefix +that is reserved for documentation purposes on it's LAN interface. WIthin the +OLSR-based mesh network, any interface uses an fdca:ffee:babe::/64 prefix. 
The +following internal mapping is configured for this: + +ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum +ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum -ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum -ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 --csum +To prevent the mapped packets to vanish via the default route and to overcome +mac address lookups during the routing process, I also added these prefixes to +the router's /etc/radvd.conf as well as (host) routes pointing to the “br0” +interface for both prefixes. Motivation |
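Review bot: the warning hunk in README.dbk (@@ -36,9 +36,9 @@), mirrored in README.html (@@ -8,9) and README.txt (@@ -38,8), trades a precise failure mode for a vague one: "may cause oopses" told the reader that combining MAP66 with `--ctstate` can crash the kernel, while "may cause dysfunctions" covers anything from dropped packets to a panic. Suggest keeping the kernel term and glossing it for readers who do not know it, e.g. `is currently untested and may not work or may cause kernel oopses (crashes)`.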
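Review bot: the rewritten section in README.dbk (@@ -291,25 +291,38 @@, rendered identically in README.html @@ -128,32 and README.txt @@ -235,24) describes configuration the reader cannot reproduce from the text: the closing paragraph says the mapped packets would otherwise "vanish via the default route" and that the prefixes were added to `/etc/radvd.conf` plus host routes pointing to `br0`, yet neither the radvd stanza nor the route commands appear next to the programlisting; add them, since by the paragraph's own account the two ip6tables rules alone are not sufficient. The prose also refers only to "the IPv6 prefix that is reserved for documentation purposes" while the rules use 2001:0DB8::/64; name the prefix in the text and cite the reservation (2001:db8::/32, RFC 3849) so it is clear why it is neither in gai.conf nor routable, write it in the canonical lowercase form of RFC 5952 (`2001:db8::/64`), and state that the example shows only the second (ULA-Intern) half of the "double mapping" introduced at the start of the section. Smaller points in the same hunk: the + lines re-add "it's LAN interface" and "WIthin" from the removed text (should be "its" and "Within"), "To prevent the mapped packets to vanish" should read "from vanishing", "mac address" should be "MAC address", "(EKU)buntu defaults penalize 6to4 addresses" should name the gai.conf or compiled-in entry responsible, and the new title "Use Changed Internal Address" would be clearer as "Use a Different Internal Prefix", matching the section's first sentence. Fix these in the DocBook source and regenerate rather than editing the three files separately.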
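Review bot: README.html @@ -1,6 +1,6 @@ and @@ -128,32 carry changes that are nothing but DocBook XSL anchor churn (id2964483 to id2593518, id3013740 to id2624529) mixed in with the real edits; since README.html and README.txt are rendered from README.dbk by the stylesheets named in the generator meta tag, every regeneration will reshuffle these ids and roughly triple each documentation diff (86 insertions here for a few sentences of change). Consider producing the HTML and text output at build time, or regenerating them in a separate commit so the content change stays reviewable.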