From fca6f60a44a75f76d2c1183f06466228b01b9686 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sat, 12 Nov 2011 12:17:23 +0100 Subject: Allow using [SD]NPTV6 rules in INPUT/OUTOUT chains --- README.dbk | 14 ++++++++++---- README.html | 14 ++++++++------ README.txt | 17 ++++++++++++----- ip6t_DNPTV6.c | 2 +- ip6t_SNPTV6.c | 2 +- 5 files changed, 32 insertions(+), 17 deletions(-) diff --git a/README.dbk b/README.dbk index 37cd8d4..c34822d 100644 --- a/README.dbk +++ b/README.dbk @@ -139,19 +139,25 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 + + If the router running NPTv6 is offering services itself, additional + rules are necessary for the services to be reachable by the external address: + + ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j MARK --set-mark 42 +ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 +ip6tables -t mangle -A INPUT -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
IPv6/IPv4 Precedence - With (EKU)buntu and eventually with RedHat, you will notice that + With most Linux distributions you will notice that your browser does not show the IPv6 version of a web site that is multi-homed when using ULA addresses for your IPv6 Internet connection. The reason for this is an add on to the RFC 3484 rules that is compiled - into the (EKU)buntu libc. The pre-installed - /etc/gai.conf file will give you a hint on - this. + into the libc. The pre-installed /etc/gai.conf file + will give you a hint on this. In short: the getaddrinfo() library function rates a private IPv4 address higher than the ULA IPv6 address when choosing the transport diff --git a/README.html b/README.html index 7a0674c..159f51c 100644 --- a/README.html +++ b/README.html @@ -1,6 +1,6 @@ -NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

Sven-Ola Tuecke

Freifunk

Matthias Schiffer

Freifunk Lübeck

10-NOV-2011


These files implement a Linux netfilter target that changes the IPv6 +NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

Sven-Ola Tuecke

Freifunk

Matthias Schiffer

Freifunk Lübeck

10-NOV-2011


These files implement a Linux netfilter target that changes the IPv6 address of packets. The address change is done checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address @@ -53,13 +53,15 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to will enable this:

ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
 ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
 ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
-ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that +ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48

If the router running NPTv6 is offering services itself, additional + rules are necessary for the services to be reachable by the external address:

ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
+ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A INPUT -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48

IPv6/IPv4 Precedence

With most Linux distributions you will notice that your browser does not show the IPv6 version of a web site that is multi-homed when using ULA addresses for your IPv6 Internet connection. The reason for this is an add on to the RFC 3484 rules that is compiled - into the (EKU)buntu libc. The pre-installed - /etc/gai.conf file will give you a hint on - this.

In short: the getaddrinfo() library function rates a private IPv4 + into the libc. The pre-installed /etc/gai.conf file + will give you a hint on this.

In short: the getaddrinfo() library function rates a private IPv4 address higher than the ULA IPv6 address when choosing the transport protocol for a new Internet connection if this add on to the RFC 3484 rules is compiled in. For this reason, you may want to change the @@ -70,7 +72,7 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to you cannot uncomment a single entry to overwrite the default. You need to uncomment all entries of a particular type for this. The label lines compare source addresses, the - precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, + precedence lines compare destination addresses.

    Procedure 1. Change IPv6 Precedence

    1. Open the /etc/gai.conf file as root user, e.g. by executing sudo nano /etc/gai.conf.

    2. Remove the leading hash character from the 8 lines starting with #label.

    3. Re-add the hash character to the line stating #label diff --git a/README.txt b/README.txt index 39e43e7..3b9cd9c 100644 --- a/README.txt +++ b/README.txt @@ -118,13 +118,20 @@ ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destinat ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 +If the router running NPTv6 is offering services itself, additional rules are +necessary for the services to be reachable by the external address: + +ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j MARK --set-mark 42 +ip6tables -t mangle -A OUTPUT -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 +ip6tables -t mangle -A INPUT -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 + IPv6/IPv4 Precedence -With (EKU)buntu and eventually with RedHat, you will notice that your browser -does not show the IPv6 version of a web site that is multi-homed when using ULA -addresses for your IPv6 Internet connection. The reason for this is an add on -to the RFC 3484 rules that is compiled into the (EKU)buntu libc. The -pre-installed /etc/gai.conf file will give you a hint on this. +With most Linux distributions you will notice that your browser does not show +the IPv6 version of a web site that is multi-homed when using ULA addresses for +your IPv6 Internet connection. The reason for this is an add on to the RFC 3484 +rules that is compiled into the libc. The pre-installed /etc/gai.conf file will +give you a hint on this. In short: the getaddrinfo() library function rates a private IPv4 address higher than the ULA IPv6 address when choosing the transport protocol for a new diff --git a/ip6t_DNPTV6.c b/ip6t_DNPTV6.c index ea09835..e83697d 100644 --- a/ip6t_DNPTV6.c +++ b/ip6t_DNPTV6.c 
@@ -67,7 +67,7 @@ static struct xt_target dnptv6_tg6_reg __read_mostly = {
 .checkentry = dnptv6_tg6_check,
 .targetsize = sizeof(struct ip6t_nptv6_info),
 .table = "mangle",
- .hooks = (1 << NF_INET_PRE_ROUTING),
+ .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT),
 .me = THIS_MODULE,
 };
diff --git a/ip6t_SNPTV6.c b/ip6t_SNPTV6.c
index 97f8e04..378ad8a 100644
--- a/ip6t_SNPTV6.c
+++ b/ip6t_SNPTV6.c
@@ -67,7 +67,7 @@ static struct xt_target snptv6_tg6_reg __read_mostly = {
 .checkentry = snptv6_tg6_check,
 .targetsize = sizeof(struct ip6t_nptv6_info),
 .table = "mangle",
- .hooks = (1 << NF_INET_POST_ROUTING),
+ .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN),
 .me = THIS_MODULE,
 };
-- cgit v1.2.3
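Review bot: The widened `.hooks` masks in ip6t_DNPTV6.c and ip6t_SNPTV6.c carry no comment explaining why NF_INET_LOCAL_OUT and NF_INET_LOCAL_IN are now accepted, and `.hooks` is only the mask the xt core validates at rule insertion — if `dnptv6_tg6_check`/`snptv6_tg6_check` (referenced on the `.checkentry` lines but not in the hunk) also test `par->hook_mask`, they need the same widening or OUTPUT/INPUT rules will still be refused. A one-line comment beside each mask would make the intent checkable, e.g. `/* LOCAL_OUT too: lets the host reach its own services via the external prefix, see README */` for DNPTV6 and `/* LOCAL_IN too: translates the source of the matching reply leg, see README */` for SNPTV6. Rewriting the destination in OUTPUT presumably relies on the mangle table's output hook re-routing a packet whose address changed; stating that dependency next to the mask would help the next maintainer, since the target itself does no re-routing visible here. The `xt_target` definitions begin outside the hunk (only their opening line appears in the `@@` context).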