summaryrefslogtreecommitdiffstats
path: root/README.html
diff options
context:
space:
mode:
Diffstat (limited to 'README.html')
-rw-r--r--README.html30
1 files changed, 15 insertions, 15 deletions
diff --git a/README.html b/README.html
index fafd4a6..cd87ef5 100644
--- a/README.html
+++ b/README.html
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2934947"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">07-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2932794">Installation</a></span></dt><dt><span class="section"><a href="#id2959102">DKMS Integration</a></span></dt><dt><span class="section"><a href="#id2954287">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#id2950621">Brief Version</a></span></dt><dt><span class="section"><a href="#id2951135">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#id2950210">IPv6/IPv4 Precedence</a></span></dt><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2670864"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">13-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2721433">Installation</a></span></dt><dt><span class="section"><a href="#id2694012">DKMS Integration</a></span></dt><dt><span class="section"><a href="#id2726093">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#id2726270">Brief Version</a></span></dt><dt><span class="section"><a href="#id2720683">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#id2705734">IPv6/IPv4 Precedence</a></span></dt><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
address of packets. The address change is done checksum neutral, thus no
checksum re-calculation for the packet is necessary. You can change the IPv6
source address of outgoing packets as well as the IPv6 destination address
@@ -10,7 +10,7 @@
some sort of stateless NAT. The implementation is based on the expired IETF
discussion paper published here:</p><p><a class="ulink" href="http://tools.ietf.org/html/draft-mrw-behave-nat66-02" target="_top">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</a></p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Using MAP66 rules together with connection tracking rules sich as
<strong class="userinput"><code>--ctstate</code></strong> is currently untested and may not work or
- may cause oopses.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2932794"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that
+ may cause oopses.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2721433"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that
extends the ip6tables command and a Linux kernel module. The shared
library file adds the '-j MAP66' target to the ip6tables command. To build
and install, you need ip6tables installed as well as the necessary
@@ -23,22 +23,22 @@
Linux-2.6 or <code class="filename">ip6t_MAP66.o</code> for Linux-2.4) is not
automatically installed nor loaded into the kernel. You can copy the
kernel module file manually, e.g. with <strong class="userinput"><code>sudo cp ip6t_MAP66.ko
- /lib/modules/$(uname -r)/</code></strong>.</p></div></div><div class="section" title="DKMS Integration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2959102"></a>DKMS Integration</h2></div></div></div><p>If the next system update needs to install a new kernel version, you
+ /lib/modules/$(uname -r)/</code></strong>.</p></div></div><div class="section" title="DKMS Integration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2694012"></a>DKMS Integration</h2></div></div></div><p>If the next system update needs to install a new kernel version, you
also need to re-compile/re-install the MAP66 kernel module. With
Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module
Support Framework (DKMS). For this, the <code class="filename">dkms.conf</code>
file is included with the MAP66 source file package. Install DKMS with the
following command:</p><pre class="programlisting">sudo apt-get install dkms</pre><p>If not already in place, move/unpack the MAP66 source file archive
below <code class="filename">/usr/src/</code>. To register the MAP66 source to DKMS
- and compile/install, issue these commands:</p><pre class="programlisting">sudo dkms add -m ip6t_MAP66 -v 0.4
-sudo dkms build -m ip6t_MAP66 -v 0.4
-sudo dkms install -m ip6t_MAP66 -v 0.4</pre><p>Read DKMS details here: <a class="ulink" href="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging" target="_top">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</a></p></div><div class="section" title="Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2954287"></a>Configuration</h2></div></div></div><div class="section" title="Brief Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2950621"></a>Brief Version</h3></div></div></div><p>You always need to add two ip6tables-rules to your netfilter
+ and compile/install, issue these commands:</p><pre class="programlisting">sudo dkms add -m ip6t_MAP66 -v 0.5
+sudo dkms build -m ip6t_MAP66 -v 0.5
+sudo dkms install -m ip6t_MAP66 -v 0.5</pre><p>Read DKMS details here: <a class="ulink" href="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging" target="_top">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</a></p></div><div class="section" title="Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2726093"></a>Configuration</h2></div></div></div><div class="section" title="Brief Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2726270"></a>Brief Version</h3></div></div></div><p>You always need to add two ip6tables-rules to your netfilter
configuration. One rule matches outgoing packets and changes their IPv6
source address. The second rule matches incoming packets and reverts the
address change by altering their IPv6 destination address. To following
commands correspond to the <span class="quote">“<span class="quote">Address Mapping Example</span>”</span> given
- in the IETF discussion paper:</p><pre class="programlisting">ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j MAP66 --to 2001:0DB8:0001::/48
-ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --to FD01:0203:0405::/48</pre><p>This example is also printed to the screen if you issue
+ in the IETF discussion paper:</p><pre class="programlisting">ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j MAP66 --src-to 2001:0DB8:0001::/48
+ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --dst-to FD01:0203:0405::/48</pre><p>This example is also printed to the screen if you issue
<strong class="userinput"><code>ip6tables -j MAP66 --help</code></strong>. By design, you cannot
use an arbitrary prefix length. Only /112, /96 .. /16 are
supported.</p><p>For each packet, the Linux kernel module also compares the
@@ -51,7 +51,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --to
the mapping rule defines a mapping prefix that cannot result in the
interface address) you can switch off the comparison. Add the
<strong class="userinput"><code>--nocheck</code></strong> parameter to the ip6tables command for
- this.</p></div><div class="section" title="Detailed Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2951135"></a>Detailed Version</h3></div></div></div><p>The following explanation details a living example from the
+ this.</p></div><div class="section" title="Detailed Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2720683"></a>Detailed Version</h3></div></div></div><p>The following explanation details a living example from the
wireless mesh network that is mentioned under <a class="xref" href="#motivation" title="Motivation">Motivation</a> (see below).
Throughout the mesh network, a private IP address range is used. The ULA
prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6
@@ -94,10 +94,10 @@ ip6tables -t mangle -F FORWARD
grep -q ^ip6t_MAP66 /proc/modules &amp;&amp; rmmod ip6t_MAP66
insmod /usr/src/map66/ip6t_MAP66.ko
-ip6tables -t mangle -A POSTROUTING -o sixxs -s fdca:ffee:babe::/64 -j MAP66 --to 2001:4dd0:fe77:1::/64 --nocheck
-ip6tables -t mangle -A PREROUTING -i sixxs -d 2001:4dd0:fe77:1::/64 -j MAP66 --to fdca:ffee:babe::/64 --nocheck
-ip6tables -t mangle -A POSTROUTING -o tun6to4 -s fdca:ffee:babe::/64 -j MAP66 --to 2002:4d57:3007:1::/64 --nocheck
-ip6tables -t mangle -A PREROUTING -i tun6to4 -d 2002:4d57:3007:1::/64 -j MAP66 --to fdca:ffee:babe::/64 --nocheck
+ip6tables -t mangle -A POSTROUTING -o sixxs -s fdca:ffee:babe::/64 -j MAP66 --src-to 2001:4dd0:fe77:1::/64 --nocheck
+ip6tables -t mangle -A PREROUTING -i sixxs -d 2001:4dd0:fe77:1::/64 -j MAP66 --dst-to fdca:ffee:babe::/64 --nocheck
+ip6tables -t mangle -A POSTROUTING -o tun6to4 -s fdca:ffee:babe::/64 -j MAP66 --src-to 2002:4d57:3007:1::/64 --nocheck
+ip6tables -t mangle -A PREROUTING -i tun6to4 -d 2002:4d57:3007:1::/64 -j MAP66 --dst-to fdca:ffee:babe::/64 --nocheck
ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</pre><p>Because for both IPv6 networks the external prefix length is
smaller than the internal prefix length, we can make sure that the
mapped addresses cannot match the interface addresses. For example:
@@ -117,7 +117,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
has a 6-to-4 address, you will get the answer packet back via the
6-to-4 interface. If the above address mapping is configured, you ping
one IPv6 address and get the answer from another IPv6
- address...</p></div></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2950210"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
+ address...</p></div></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2705734"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
your browser does not show the IPv6 version of a web site that is
multi-homed when using ULA addresses for your IPv6 Internet connection.
The reason for this is an add on to the RFC 3484 rules that is compiled
@@ -134,7 +134,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
you cannot uncomment a single entry to overwrite the default. You need
to uncomment all entries of a particular type for this. The
<span class="quote">“<span class="quote">label</span>”</span> lines compare source addresses, the
- <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p></div><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id2960948"></a><p class="title"><b>Procedure 1. Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
+ <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p></div><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id2714638"></a><p class="title"><b>Procedure 1. Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
e.g. by executing <strong class="userinput"><code>sudo nano
/etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting with
<span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label