From 922a4577b10b489782917bc743c9c721dce92181 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Thu, 10 Nov 2011 23:57:01 +0100
Subject: Update documentation

---
 README.dbk  | 38 ++++++++++++++++++++------------------
 README.html | 32 ++++++++++++++++----------------
 2 files changed, 36 insertions(+), 34 deletions(-)

diff --git a/README.dbk b/README.dbk
index a96bb0d..dadf179 100644
--- a/README.dbk
+++ b/README.dbk
@@ -114,13 +114,31 @@ sudo dkms install -m ip6t_NPTV6 -v &VERSION;</programlisting>
       commands correspond to the <quote>Address Mapping Example</quote> given
       in the IETF discussion paper:</para>
 
-      <programlisting>ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
-ip6tables -t mangle -I PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48</programlisting>
+      <programlisting>ip6tables -t mangle -A PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</programlisting>
 
       <para>This example is also printed to the screen if you issue
       <userinput>ip6tables -j SNPTV6 --help</userinput>. By design, you cannot
       use prefix lengths longer than 64.</para>
     </section>
+
+    <section id="config-nat-behaviour">
+      <title id="config-nat-behaviour-title">NAT Behavioral Requirements</title>
+
+      <para>RFC 6296 states that NPTv6 translators must support hairpinning behaviour.
+      This means that when an NPTv6 Translator receives a datagram on the
+      internal interface that has a destination address that matches the
+      site's external prefix, it will translate the datagram and forward it
+      internally. While it is possible that the translator works correctly
+      without this depending on the network configuration, it is desiarable
+      to have hairpinning behaviour. The following iptables rules will enable
+      this:</para>
+
+      <programlisting>ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
+ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
+ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</programlisting>
+    </section>
   </section>
 
   <section id="precedence">
@@ -205,22 +223,6 @@ ip6tables -t mangle -I PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to
         be routed on the Internet. Sadly, the (EKU)buntu defaults penalize
         6to4 addresses also.</para>
       </note>
-
-      <para>If you already deployed ULA addresses in your network, you may be
-      interested in a solution that runs on my Freifunk router. The router
-      uses the IPv6 prefix that is reserved for documentation purposes on it's
-      LAN interface. Within the OLSR-based mesh network, any interface uses an
-      fdca:ffee:babe::/64 prefix. The following internal mapping is configured
-      for this:</para>
-
-      <programlisting>ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum
-ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum</programlisting>
-
-      <para>To prevent the mapped packets to vanish via the default route and
-      to overcome mac address lookups during the routing process, I also added
-      these prefixes to the router's <filename>/etc/radvd.conf</filename> as
-      well as (host) routes pointing to the <quote>br0</quote> interface for
-      both prefixes.</para>
     </section>
   </section>
 
diff --git a/README.html b/README.html
index 2d2e8a2..a46d22f 100644
--- a/README.html
+++ b/README.html
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id315566"></a>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Matthias</span> <span class="surname">Schiffer</span></h3><div class="affiliation"><span class="orgname">Freifunk Lübeck<br /></span></div></div></div><div><p class="pubdate">10-NOV-2011</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt><dt><span class="section"><a href="#precedence-addrs">Use Changed Internal Address</a></span></dt></dl></dd><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id363330"></a>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Matthias</span> <span class="surname">Schiffer</span></h3><div class="affiliation"><span class="orgname">Freifunk Lübeck<br /></span></div></div></div><div><p class="pubdate">10-NOV-2011</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt><dt><span class="section"><a href="#config-nat-behaviour">NAT Behavioral Requirements</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt><dt><span class="section"><a href="#precedence-addrs">Use Changed Internal Address</a></span></dt></dl></dd><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
   address of packets. The address change is done checksum neutral, thus no
   checksum re-calculation for the packet is necessary. You can change the IPv6
   source address of outgoing packets as well as the IPv6 destination address
@@ -39,10 +39,20 @@ sudo dkms install -m ip6t_NPTV6 -v 0.6</pre><p>Read DKMS details here: <a class=
       source address. The second rule matches incoming packets and reverts the
       address change by altering their IPv6 destination address. To following
       commands correspond to the <span class="quote">“<span class="quote">Address Mapping Example</span>”</span> given
-      in the IETF discussion paper:</p><pre class="programlisting">ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
-ip6tables -t mangle -I PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48</pre><p>This example is also printed to the screen if you issue
+      in the IETF discussion paper:</p><pre class="programlisting">ip6tables -t mangle -A PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</pre><p>This example is also printed to the screen if you issue
       <strong class="userinput"><code>ip6tables -j SNPTV6 --help</code></strong>. By design, you cannot
-      use prefix lengths longer than 64.</p></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="precedence"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
+      use prefix lengths longer than 64.</p></div><div class="section" title="NAT Behavioral Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="config-nat-behaviour"></a>NAT Behavioral Requirements</h3></div></div></div><p>RFC 6296 states that NPTv6 translators must support hairpinning behaviour.
+      This means that when an NPTv6 Translator receives a datagram on the
+      internal interface that has a destination address that matches the
+      site's external prefix, it will translate the datagram and forward it
+      internally. While it is possible that the translator works correctly
+      without this depending on the network configuration, it is desiarable
+      to have hairpinning behaviour. The following iptables rules will enable
+      this:</p><pre class="programlisting">ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
+ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
+ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</pre></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="precedence"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
     your browser does not show the IPv6 version of a web site that is
     multi-homed when using ULA addresses for your IPv6 Internet connection.
     The reason for this is an add on to the RFC 3484 rules that is compiled
@@ -60,7 +70,7 @@ ip6tables -t mangle -I PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to
       you cannot uncomment a single entry to overwrite the default. You need
       to uncomment all entries of a particular type for this. The
       <span class="quote">“<span class="quote">label</span>”</span> lines compare source addresses, the
-      <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id314638"></a><p class="title"><strong>Procedure 1. Change IPv6 Precedence</strong></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
+      <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id398835"></a><p class="title"><strong>Procedure 1. Change IPv6 Precedence</strong></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
           e.g. by executing <strong class="userinput"><code>sudo nano
           /etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting
           with <span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label
@@ -75,17 +85,7 @@ ip6tables -t mangle -I PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to
         and 192.168.0.0/16 still exist, it is unlikely that their 6to4
         counterparts 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will
         be routed on the Internet. Sadly, the (EKU)buntu defaults penalize
-        6to4 addresses also.</p></div><p>If you already deployed ULA addresses in your network, you may be
-      interested in a solution that runs on my Freifunk router. The router
-      uses the IPv6 prefix that is reserved for documentation purposes on it's
-      LAN interface. Within the OLSR-based mesh network, any interface uses an
-      fdca:ffee:babe::/64 prefix. The following internal mapping is configured
-      for this:</p><pre class="programlisting">ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum
-ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum</pre><p>To prevent the mapped packets to vanish via the default route and
-      to overcome mac address lookups during the routing process, I also added
-      these prefixes to the router's <code class="filename">/etc/radvd.conf</code> as
-      well as (host) routes pointing to the <span class="quote">“<span class="quote">br0</span>”</span> interface for
-      both prefixes.</p></div></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh
+        6to4 addresses also.</p></div></div></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh
     network not owned by me. The mesh is operated with small embedded devices
     (nodes aka. WLAN routers) that are interconnected via radio links (WLAN
     IBSS / AdHoc). Routing is done with a specialized protocol such as Batman
-- 
cgit v1.2.3