-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | README | 12 | ||||
-rw-r--r-- | ip6t_MAP66.c | 17 | ||||
-rw-r--r-- | ip6t_MAP66.h | 2 | ||||
-rw-r--r-- | libip6t_MAP66.c | 14 |
5 files changed, 32 insertions, 18 deletions
@@ -3,9 +3,12 @@ KVERSION := $(shell uname -r) KPATH := /lib/modules/$(KVERSION)/build IPTABLES_VERSION := $(shell ip6tables --version|sed 's/^.*\([[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\).*/\1/') IPTABLES_VERSION_CODE := $(shell echo $$(( $$(echo $(IPTABLES_VERSION)|sed 's/^.*\([[:digit:]]\+\)\.\([[:digit:]]\+\)\.\([[:digit:]]\+\).*/\1 * 65536 + \2 * 256 + \3/') ))) +ifeq ($(DEBUG),1) +EXTRA_CFLAGS := -DMAP66_DEBUG +endif all: libip6t_MAP66.so - $(MAKE) -C $(KPATH) M=$(PWD) modules + $(MAKE) -C $(KPATH) V=1 M=$(PWD) modules libip6t_MAP66.so: libip6t_MAP66.o gcc -shared -o $@ $< @@ -1,3 +1,15 @@ You need "iptables-dev", "dkms" and "linux-headers". For a DKMS template, see https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging +Note: svn propedit svn:ignore . + +Note: on ubuntu, you need to enable prefer-family in /etc/wgetrc. +after this e.g. "wget -O /dev/null http://ftp.se.debian.org" should +connect to the IPv6 addrs of that server. + +/etc/gai.conf + +for wget --prefer-family=IPv6 -O - http://6to4.nro.net/ +ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + +Mention --nocheck for speedup (if you do not expect the outer iface in the mapping range) diff --git a/ip6t_MAP66.c b/ip6t_MAP66.c index fb0a243..6cae5af 100644 --- a/ip6t_MAP66.c +++ b/ip6t_MAP66.c @@ -15,7 +15,6 @@ MODULE_AUTHOR("Sven-Ola <sven-ola()gmx.de>"); MODULE_DESCRIPTION("Xtables: MAP66 - IPv6 to IPv6 SNAT"); MODULE_LICENSE("GPL"); -#undef MAP66_DEBUG #ifdef MAP66_DEBUG /* Use lock to serialize, so printks don't overlap */ static DEFINE_SPINLOCK(MAP66_lock); 
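Review bot: In the Makefile hunk, `EXTRA_CFLAGS := -DMAP66_DEBUG` overwrites any flags the caller already passed in; `EXTRA_CFLAGS += -DMAP66_DEBUG` would keep them. `V=1` is added to the kbuild call unconditionally and looks like it belongs under the same `ifeq ($(DEBUG),1)` condition. Because the `#undef MAP66_DEBUG` guard in ip6t_MAP66.c is removed in this commit, DEBUG=1 is now the only switch for the per-packet printk path. A comment above the `ifeq`, such as `# DEBUG=1 logs every packet handled by the target and serializes on a spinlock; not for production builds`, would make that plain.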
@@ -126,12 +125,12 @@ static unsigned int MAP66_tg6( #ifdef MAP66_DEBUG spin_lock_bh(&MAP66_lock); #if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,28) - printk("MAP66i: in=%s, out=%s, saddr=" NIP6_FMT ", daddr=" NIP6_FMT "\n", + printk("MAP66: enter in=%s, out=%s, saddr=" NIP6_FMT ", daddr=" NIP6_FMT "\n", NULL != par->in ? par->in->name : "", NULL != par->out ? par->out->name : "", NIP6(hdr->saddr), NIP6(hdr->daddr)); #else - printk("MAP66i: in=%s, out=%s, saddr=%pI6, daddr=%pI6\n", + printk("MAP66: enter in=%s, out=%s, saddr=%pI6, daddr=%pI6\n", NULL != par->in ? par->in->name : "", NULL != par->out ? par->out->name : "", &hdr->saddr, &hdr->daddr); @@ -141,9 +140,9 @@ static unsigned int MAP66_tg6( switch(par->hooknum) { case NF_INET_PRE_ROUTING: #ifdef MAP66_DEBUG - printk("MAP66 PRE, spoof=%d\n", 0 != (IP6T_MAP66_OPT_NOSPOOF & info->mapflags)); + printk("MAP66 PRE, check=%d\n", 0 != (IP6T_MAP66_OPT_NOCHECK & info->mapflags)); #endif - if (0 != (IP6T_MAP66_OPT_NOSPOOF & info->mapflags) || + if (0 != (IP6T_MAP66_OPT_NOCHECK & info->mapflags) || !is_my_ipv6_addr(par->in, &hdr->daddr)) { map16(&hdr->daddr, info->prefixlength, &info->prefix, info->prefixcsum); @@ -151,10 +150,10 @@ static unsigned int MAP66_tg6( break; case NF_INET_POST_ROUTING: #ifdef MAP66_DEBUG - printk("MAP66 POST, spoof=%d\n", 0 != (IP6T_MAP66_OPT_NOSPOOF & info->mapflags)); + printk("MAP66 POST, check=%d\n", 0 != (IP6T_MAP66_OPT_NOCHECK & info->mapflags)); #endif map16(&hdr->saddr, info->prefixlength, &info->prefix, info->prefixcsum); - if (0 == (IP6T_MAP66_OPT_NOSPOOF & info->mapflags) && + if (0 == (IP6T_MAP66_OPT_NOCHECK & info->mapflags) && is_my_ipv6_addr(par->out, &hdr->saddr)) { #ifdef MAP66_DEBUG 
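Review bot: The reworded `printk("MAP66: enter in=%s, ...` calls in the @@ -126 hunk of ip6t_MAP66.c still carry no log level, so a MAP66_DEBUG build writes the source and destination address of each packet at the kernel's default level. Prefixing the format with a level, e.g. `printk(KERN_DEBUG "MAP66: enter in=%s, out=%s, saddr=%pI6, daddr=%pI6\n",`, keeps this output off the console and lets it be filtered. The same applies to the `MAP66: exit` calls in the @@ -172 hunk and to the `MAP66 PRE` and `MAP66 POST` lines. MAP66_tg6 begins and ends outside these hunks.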
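Review bot: In the @@ -141 hunk, `printk("MAP66 PRE, check=%d\n", 0 != (IP6T_MAP66_OPT_NOCHECK & info->mapflags));` prints check=1 exactly when the check is switched off, so the debug output reads the wrong way round after the rename. Either label the value `nocheck=%d` or invert the test: `printk("MAP66 PRE, check=%d\n", 0 == (IP6T_MAP66_OPT_NOCHECK & info->mapflags));`. The `MAP66 POST` printk in the @@ -151 hunk has the same problem. A misleading flag value in the trace makes it harder to confirm whether the `is_my_ipv6_addr()` guard was active for a given packet.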
@@ -172,12 +171,12 @@ static unsigned int MAP66_tg6( #ifdef MAP66_DEBUG #if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,28) - printk("MAP66i: in=%s, out=%s, saddr=" NIP6_FMT ", daddr=" NIP6_FMT "\n", + printk("MAP66: exit in=%s, out=%s, saddr=" NIP6_FMT ", daddr=" NIP6_FMT "\n", NULL != par->in ? par->in->name : "", NULL != par->out ? par->out->name : "", NIP6(hdr->saddr), NIP6(hdr->daddr)); #else - printk("MAP66i: in=%s, out=%s, saddr=%pI6, daddr=%pI6\n", + printk("MAP66: exit in=%s, out=%s, saddr=%pI6, daddr=%pI6\n", NULL != par->in ? par->in->name : "", NULL != par->out ? par->out->name : "", &hdr->saddr, &hdr->daddr); diff --git a/ip6t_MAP66.h b/ip6t_MAP66.h index 652c1c2..21cb833 100644 --- a/ip6t_MAP66.h +++ b/ip6t_MAP66.h @@ -8,7 +8,7 @@ #define _IP6T_MAP66_H #define IP6T_MAP66_OPT_TO 0x01 -#define IP6T_MAP66_OPT_NOSPOOF 0x02 +#define IP6T_MAP66_OPT_NOCHECK 0x02 struct ip6t_MAP66_info { struct in6_addr prefix; /* The prefix to map to */ diff --git a/libip6t_MAP66.c b/libip6t_MAP66.c index a8a0f72..1d56d7f 100644 --- a/libip6t_MAP66.c +++ b/libip6t_MAP66.c @@ -60,7 +60,7 @@ static void MAP66_help(void) printf( "MAP66 target options\n" " --to ipv6addr/prefixlength (External IPv6 address)\n" -" --nospoof (Disables spoof check)\n" +" --nocheck (Disables check check)\n" "\n" "Note: you need two ip6tables rules to map an internal network\n" "using ULAs to an external network with official IPv6 address.\n" @@ -115,11 +115,11 @@ static int MAP66_parse( return 1; break; case '2': - if (0 != (IP6T_MAP66_OPT_NOSPOOF & *flags)) { - xtables_error(PARAMETER_PROBLEM, "Multiple --nospoof not supported"); + if (0 != (IP6T_MAP66_OPT_NOCHECK & *flags)) { + xtables_error(PARAMETER_PROBLEM, "Multiple --nocheck not supported"); } - info->mapflags |= IP6T_MAP66_OPT_NOSPOOF; - *flags |= IP6T_MAP66_OPT_NOSPOOF; + info->mapflags |= IP6T_MAP66_OPT_NOCHECK; + *flags |= IP6T_MAP66_OPT_NOCHECK; return 1; break; } 
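Review bot: The help line in the @@ -60 hunk of libip6t_MAP66.c now reads `(Disables check check)`, which looks like a leftover of the search-and-replace and no longer tells the user what is being skipped. Going by the kernel side, the flag bypasses the `is_my_ipv6_addr()` test before the address is mapped, so something like `" --nocheck (Skip the check for the router's own addresses)\n"` would be clearer. The body of is_my_ipv6_addr is not visible here, so the exact wording should be confirmed against it.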
@@ -140,12 +140,12 @@ static void MAP66_save( char s[50+1]; const struct ip6t_MAP66_info* info = (struct ip6t_MAP66_info*)target->data; printf("--to %s/%d ", inet_ntop(AF_INET6, &info->prefix, s, sizeof(s)), 16 * info->prefixlength); - if (0 != (IP6T_MAP66_OPT_NOSPOOF & info->mapflags)) printf("--nospoof "); + if (0 != (IP6T_MAP66_OPT_NOCHECK & info->mapflags)) printf("--nocheck "); } static struct option MAP66_opts[] = { { .name = "to", .has_arg = 1, .flag = NULL, .val = '1' }, - { .name = "nospoof", .has_arg = 0, .flag = NULL, .val = '2' }, + { .name = "nocheck", .has_arg = 0, .flag = NULL, .val = '2' }, { .name = NULL } }; |
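Review bot: Renaming the entry in `MAP66_opts` drops `--nospoof` without a fallback. MAP66_save used to print `--nospoof`, so a ruleset saved before this commit will presumably be rejected on restore. A failed restore can leave a host without the rules it is expected to have. Keeping the old spelling as an alias with the same `.val` avoids that: `{ .name = "nospoof", .has_arg = 0, .flag = NULL, .val = '2' },`. MAP66_save can go on emitting only `--nocheck`.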