From 53c6274071f4adab870dfc4173d1815287d65464 Mon Sep 17 00:00:00 2001 From: sven-ola Date: Wed, 13 Oct 2010 18:20:19 +0000 Subject: git-svn-id: https://map66.svn.sourceforge.net/svnroot/map66@26 3484d885-4da6-438d-b19d-107d078dd756 --- README.html | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) (limited to 'README.html') diff --git a/README.html b/README.html index cd87ef5..75d1e91 100644 --- a/README.html +++ b/README.html @@ -1,6 +1,6 @@ -MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

Sven-Ola Tuecke

Freifunk

13-OCT-2010


These files implement a Linux netfilter target that changes the IPv6 +MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

Sven-Ola Tuecke

Freifunk

13-OCT-2010


These files implement a Linux netfilter target that changes the IPv6 address of packets. The address change is done checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address @@ -10,7 +10,7 @@ some sort of stateless NAT. The implementation is based on the expired IETF discussion paper published here:

http://tools.ietf.org/html/draft-mrw-behave-nat66-02

Warning

Using MAP66 rules together with connection tracking rules sich as --ctstate is currently untested and may not work or - may cause oopses.

Installation

MAP66 implements two pieces of software: a shared library that + may cause oopses.

Installation

MAP66 implements two pieces of software: a shared library that extends the ip6tables command and a Linux kernel module. The shared library file adds the '-j MAP66' target to the ip6tables command. To build and install, you need ip6tables installed as well as the necessary @@ -23,7 +23,7 @@ Linux-2.6 or ip6t_MAP66.o for Linux-2.4) is not automatically installed nor loaded into the kernel. You can copy the kernel module file manually, e.g. with sudo cp ip6t_MAP66.ko - /lib/modules/$(uname -r)/.

DKMS Integration

If the next system update needs to install a new kernel version, you + /lib/modules/$(uname -r)/.

DKMS Integration

If the next system update needs to install a new kernel version, you also need to re-compile/re-install the MAP66 kernel module. With Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module Support Framework (DKMS). For this, the dkms.conf @@ -32,7 +32,7 @@ below /usr/src/. To register the MAP66 source to DKMS and compile/install, issue these commands:

sudo dkms add -m ip6t_MAP66 -v 0.5
 sudo dkms build -m ip6t_MAP66 -v 0.5
-sudo dkms install -m ip6t_MAP66 -v 0.5

Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging

Configuration

Brief Version

You always need to add two ip6tables-rules to your netfilter +sudo dkms install -m ip6t_MAP66 -v 0.5

Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging

Configuration

Brief Version

You always need to add two ip6tables-rules to your netfilter configuration. One rule matches outgoing packets and changes their IPv6 source address. The second rule matches incoming packets and reverts the address change by altering their IPv6 destination address. To following @@ -51,7 +51,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --dst the mapping rule defines a mapping prefix that cannot result in the interface address) you can switch off the comparison. Add the --nocheck parameter to the ip6tables command for - this.

Detailed Version

The following explanation details a living example from the + this.

Detailed Version

The following explanation details a living example from the wireless mesh network that is mentioned under Motivation (see below). Throughout the mesh network, a private IP address range is used. The ULA prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6 @@ -117,7 +117,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- has a 6-to-4 address, you will get the answer packet back via the 6-to-4 interface. If the above address mapping is configured, you ping one IPv6 address and get the answer from another IPv6 - address...

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that + address...

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that your browser does not show the IPv6 version of a web site that is multi-homed when using ULA addresses for your IPv6 Internet connection. The reason for this is an add on to the RFC 3484 rules that is compiled @@ -127,21 +127,33 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- address higher than the ULA IPv6 address when choosing the transport protocol for a new Internet connection if this add on to the RFC 3484 rules is compiled in. For this reason, you may want to change the - precedence rules within /etc/gai.conf.

Note

The getaddrinfo() library function manages lists of label, + precedence rules within /etc/gai.conf (see Change gai.conf) or use another + prefix (see Use 6to4 Internal Address).

Change gai.conf

The getaddrinfo() library function manages lists of label, precedence, and scope4 type entries. If the /etc/gai.conf file does not provide a single entry for a particular type, the compiled-in list is used. For this reason, you cannot uncomment a single entry to overwrite the default. You need to uncomment all entries of a particular type for this. The label lines compare source addresses, the - precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, - e.g. by executing sudo nano - /etc/gai.conf.

  2. Remove the leading hash character from the 8 lines starting with - #label.

  3. Re-add the hash character to the line stating #label - fc00::/7 6.

  4. Save the file.

  5. Restart your browser and re-try to browse to a multi-homed web - site.

The above procedure removes the difference between standard IPv6 - source addresses and ULA type private IPv6 source addresses. Anything else - is unchanged.

Motivation

My Internet access at home is realized by a wireless community mesh + precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, + e.g. by executing sudo nano + /etc/gai.conf.

  2. Remove the leading hash character from the 8 lines starting + with #label.

  3. Re-add the hash character to the line stating #label + fc00::/7 6.

  4. Save the file.

  5. Restart your browser and re-try to browse to a multi-homed web + site.

The above procedure removes the difference between standard IPv6 + source addresses and ULA type private IPv6 source addresses. Anything + else is unchanged.

Use 6to4 Internal Address

As an alternative solution, you may use 6to4 addresses in your + LAN. While the well known IPv4 adresses 10.0.0.0/8, 172.16.0.0/12, and + 192.168.0.0/16 still exist, it is unlikely that their 6to4 counterparts + 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will be routed on the + Internet. Because 6to4 adresses are part of the official 2002::/3 + address prefix for the Internet, no difference between these addresses + and other Internet addresses are made by getaddrinfo().

If you already deployed ULA adresses in your network, you may be + interested in a solution that runs on my Freifunk router. The router + uses the IPv4 192.168.65.65/26 on it's LAN interface. WIthin the + OLSR-based mesh network, any interface uses an fdca:ffee:babe::/64 + prefix. The following internal mapping is configured for this:

ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --unbalanced
+ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 --unbalanced

Motivation

My Internet access at home is realized by a wireless community mesh network not owned by me. The mesh is operated with small embedded devices (nodes aka. WLAN routers) that are interconnected via radio links (WLAN IBSS / AdHoc). Routing is done with a specialized protocol such as Batman -- cgit v1.2.3
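Review bot: in the hunk at @@ -1,6 +1,6 @@ the removed and added text are identical (`-MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux` / `+MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux`), so this hunk is a whitespace or markup re-wrap with no content change; the same holds for the hunks at -10,7, -23,7, -32,7, -51,7 and -117,7, whose `-`/`+` pairs also carry the same words. Suggest committing the re-wrap separately from the content change in the final hunk so the substantive edit can be reviewed on its own, and giving the commit a subject line beyond the git-svn-id trailer.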
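Review bot: the new "Use 6to4 Internal Address" text in the hunk at @@ -127,21 +127,33 @@ says 6to4 addresses are "part of the official 2002::/3 address prefix"; the 6to4 prefix defined by RFC 3056 is 2002::/16, and the range getaddrinfo() treats as ordinary global unicast is 2000::/3, so suggest "part of the 2002::/16 6to4 prefix, which lies inside the 2000::/3 global unicast range". The two added ip6tables rules use `--unbalanced`, which is not explained anywhere in the README; add a sentence stating what that option does before it appears in an example. Spelling in the added paragraphs: "adresses" (three occurrences) should be "addresses", "it's LAN interface" should be "its", "WIthin" should be "Within", and "no difference ... are made" should be "is made".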