From adb5c71c3b3cfd01c0e27225cf9c58b90fbd3e3a Mon Sep 17 00:00:00 2001 From: sven-ola Date: Thu, 7 Oct 2010 07:07:36 +0000 Subject: warning about conntrack git-svn-id: https://map66.svn.sourceforge.net/svnroot/map66@13 3484d885-4da6-438d-b19d-107d078dd756 --- README.dbk | 14 ++++++++++---- README.html | 20 +++++++++++--------- README.txt | 13 +++++++++---- TODO | 3 +++ 4 files changed, 33 insertions(+), 17 deletions(-) diff --git a/README.dbk b/README.dbk index 153d50a..c52ef16 100644 --- a/README.dbk +++ b/README.dbk @@ -15,7 +15,7 @@ - 06-OCT-2010 + 07-OCT-2010 These files implement a Linux netfilter target that changes the IPv6 @@ -31,6 +31,12 @@ http://tools.ietf.org/html/draft-mrw-behave-nat66-02 + + Using MAP66 rules together with connection tracking rules sich as + --ctstate is currently untested and may not work or + may cause oopses. + +
Installation @@ -76,9 +82,9 @@ below /usr/src/. To register the MAP66 source to DKMS and compile/install, issue these commands: - sudo dkms add -m ip6t_MAP66 -v 0.3 -sudo dkms build -m ip6t_MAP66 -v 0.3 -sudo dkms install -m ip6t_MAP66 -v 0.3 + sudo dkms add -m ip6t_MAP66 -v 0.4 +sudo dkms build -m ip6t_MAP66 -v 0.4 +sudo dkms install -m ip6t_MAP66 -v 0.4 Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging diff --git a/README.html b/README.html index d46221a..fafd4a6 100644 --- a/README.html +++ b/README.html @@ -1,6 +1,6 @@ -MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

Sven-Ola Tuecke

Freifunk

06-OCT-2010


These files implement a Linux netfilter target that changes the IPv6 +MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

Sven-Ola Tuecke

Freifunk

07-OCT-2010


These files implement a Linux netfilter target that changes the IPv6 address of packets. The address change is done checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address @@ -8,7 +8,9 @@ to a second, externally used IPv6 address range. IPv6 address mapping is not very similar to IPv4 network address translation, but one can describe it as some sort of stateless NAT. The implementation is based on the expired IETF - discussion paper published here:

http://tools.ietf.org/html/draft-mrw-behave-nat66-02

Installation

MAP66 implements two pieces of software: a shared library that + discussion paper published here:

http://tools.ietf.org/html/draft-mrw-behave-nat66-02

Warning

Using MAP66 rules together with connection tracking rules sich as + --ctstate is currently untested and may not work or + may cause oopses.

Installation

MAP66 implements two pieces of software: a shared library that extends the ip6tables command and a Linux kernel module. The shared library file adds the '-j MAP66' target to the ip6tables command. To build and install, you need ip6tables installed as well as the necessary @@ -21,16 +23,16 @@ Linux-2.6 or ip6t_MAP66.o for Linux-2.4) is not automatically installed nor loaded into the kernel. You can copy the kernel module file manually, e.g. with sudo cp ip6t_MAP66.ko - /lib/modules/$(uname -r)/.

DKMS Integration

If the next system update needs to install a new kernel version, you + /lib/modules/$(uname -r)/.

DKMS Integration

If the next system update needs to install a new kernel version, you also need to re-compile/re-install the MAP66 kernel module. With Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module Support Framework (DKMS). For this, the dkms.conf file is included with the MAP66 source file package. Install DKMS with the following command:

sudo apt-get install dkms

If not already in place, move/unpack the MAP66 source file archive below /usr/src/. To register the MAP66 source to DKMS - and compile/install, issue these commands:

sudo dkms add -m ip6t_MAP66 -v 0.3
-sudo dkms build -m ip6t_MAP66 -v 0.3
-sudo dkms install -m ip6t_MAP66 -v 0.3

Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging

Configuration

Brief Version

You always need to add two ip6tables-rules to your netfilter + and compile/install, issue these commands:

sudo dkms add -m ip6t_MAP66 -v 0.4
+sudo dkms build -m ip6t_MAP66 -v 0.4
+sudo dkms install -m ip6t_MAP66 -v 0.4

Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging

Configuration

Brief Version

You always need to add two ip6tables-rules to your netfilter configuration. One rule matches outgoing packets and changes their IPv6 source address. The second rule matches incoming packets and reverts the address change by altering their IPv6 destination address. To following @@ -49,7 +51,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --to the mapping rule defines a mapping prefix that cannot result in the interface address) you can switch off the comparison. Add the --nocheck parameter to the ip6tables command for - this.

Detailed Version

The following explanation details a living example from the + this.

Detailed Version

The following explanation details a living example from the wireless mesh network that is mentioned under Motivation (see below). Throughout the mesh network, a private IP address range is used. The ULA prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6 @@ -115,7 +117,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- has a 6-to-4 address, you will get the answer packet back via the 6-to-4 interface. If the above address mapping is configured, you ping one IPv6 address and get the answer from another IPv6 - address...

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that + address...

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that your browser does not show the IPv6 version of a web site that is multi-homed when using ULA addresses for your IPv6 Internet connection. The reason for this is an add on to the RFC 3484 rules that is compiled @@ -132,7 +134,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- you cannot uncomment a single entry to overwrite the default. You need to uncomment all entries of a particular type for this. The label lines compare source addresses, the - precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, + precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, e.g. by executing sudo nano /etc/gai.conf.

  2. Remove the leading hash character from the 8 lines starting with #label.

  3. Re-add the hash character to the line stating #label diff --git a/README.txt b/README.txt index 4e53698..816dfc0 100644 --- a/README.txt +++ b/README.txt @@ -4,7 +4,7 @@ Sven-Ola Tuecke Freifunk -06-OCT-2010 +07-OCT-2010 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ @@ -32,6 +32,11 @@ published here: http://tools.ietf.org/html/draft-mrw-behave-nat66-02 +Warning + +Using MAP66 rules together with connection tracking rules sich as --ctstate is +currently untested and may not work or may cause oopses. + Installation MAP66 implements two pieces of software: a shared library that extends the @@ -70,9 +75,9 @@ If not already in place, move/unpack the MAP66 source file archive below /usr/ src/. To register the MAP66 source to DKMS and compile/install, issue these commands: -sudo dkms add -m ip6t_MAP66 -v 0.3 -sudo dkms build -m ip6t_MAP66 -v 0.3 -sudo dkms install -m ip6t_MAP66 -v 0.3 +sudo dkms add -m ip6t_MAP66 -v 0.4 +sudo dkms build -m ip6t_MAP66 -v 0.4 +sudo dkms install -m ip6t_MAP66 -v 0.4 Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging diff --git a/TODO b/TODO index c8438e3..8e108cb 100644 --- a/TODO +++ b/TODO @@ -2,3 +2,6 @@ Idea to think about: --salt 3b5b91c5a2 XOR client addresses for some more privac the salt can be added e.g. when restarting router/iptables or may be generated for a particular host once. Purpose: hide MAC addresses behind the address mapping gateway + +Another idea: change to a single rule either in POSTROUTING or in PREROUTING to +make MAP66 compatible with conntrack/stateful FW -- cgit v1.2.3
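Review bot: the new Warning paragraph in README.dbk, README.html and README.txt has a typo ("sich as" should be "such as") and is too soft for what it describes: a kernel oops triggered in the packet path by a forwarded packet is a denial of service that any remote sender can cause, so the text should say plainly not to combine MAP66 with stateful rules (`-m conntrack --ctstate` / `-m state`) rather than calling it "untested". It would also help to state the reason the same commit records in TODO, namely that the documented setup needs two mangle rules (one in PREROUTING rewriting the destination, one in POSTROUTING rewriting the source), which is what the single-rule idea in TODO is meant to fix, so readers know the limitation is by design and not a local configuration error.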
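Review bot: the DKMS instructions in README.dbk, README.html and README.txt are bumped from `-v 0.3` to `-v 0.4`, but the commit touches only documentation (README.dbk, README.html, README.txt, TODO), so there is nothing here showing that dkms.conf's PACKAGE_VERSION or the /usr/src/ip6t_MAP66-0.4 source directory name were updated to match; `sudo dkms add -m ip6t_MAP66 -v 0.4` fails if the source tree under /usr/src/ is still named for 0.3, so either include that change in this commit or confirm it already landed.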
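Review bot: the new TODO entry ("single rule either in POSTROUTING or in PREROUTING to make MAP66 compatible with conntrack/stateful FW") should note that the README's Brief Version, which requires exactly two rules, and the conntrack Warning added in this same commit both have to be rewritten when it lands, otherwise the docs and TODO drift apart. On the unchanged `--salt ... XOR client addresses` idea in the context lines above it: a constant XOR mask is not a privacy mechanism, because an observer who knows one client's real address XORs it with the mapped address, recovers the salt, and unmasks every other client; and any XOR applied to the host part must be made checksum neutral the same way the prefix mapping is, or the README's "no checksum re-calculation" property no longer holds.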