From 794f1c6aa886ecc8814765a2dda4a677b7f4376a Mon Sep 17 00:00:00 2001 From: sven-ola Date: Wed, 13 Oct 2010 11:54:32 +0000 Subject: doc git-svn-id: https://map66.svn.sourceforge.net/svnroot/map66@19 3484d885-4da6-438d-b19d-107d078dd756 --- README.html | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'README.html') diff --git a/README.html b/README.html index fafd4a6..cd87ef5 100644 --- a/README.html +++ b/README.html @@ -1,6 +1,6 @@ -MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

Sven-Ola Tuecke

Freifunk

07-OCT-2010


These files implement a Linux netfilter target that changes the IPv6 +MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

Sven-Ola Tuecke

Freifunk

13-OCT-2010


These files implement a Linux netfilter target that changes the IPv6 address of packets. The address change is done checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address @@ -10,7 +10,7 @@ some sort of stateless NAT. The implementation is based on the expired IETF discussion paper published here:

http://tools.ietf.org/html/draft-mrw-behave-nat66-02

Warning

Using MAP66 rules together with connection tracking rules sich as --ctstate is currently untested and may not work or - may cause oopses.

Installation

MAP66 implements two pieces of software: a shared library that + may cause oopses.

Installation

MAP66 implements two pieces of software: a shared library that extends the ip6tables command and a Linux kernel module. The shared library file adds the '-j MAP66' target to the ip6tables command. To build and install, you need ip6tables installed as well as the necessary @@ -23,22 +23,22 @@ Linux-2.6 or ip6t_MAP66.o for Linux-2.4) is not automatically installed nor loaded into the kernel. You can copy the kernel module file manually, e.g. with sudo cp ip6t_MAP66.ko - /lib/modules/$(uname -r)/.

DKMS Integration

If the next system update needs to install a new kernel version, you + /lib/modules/$(uname -r)/.

DKMS Integration

If the next system update needs to install a new kernel version, you also need to re-compile/re-install the MAP66 kernel module. With Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module Support Framework (DKMS). For this, the dkms.conf file is included with the MAP66 source file package. Install DKMS with the following command:

sudo apt-get install dkms

If not already in place, move/unpack the MAP66 source file archive below /usr/src/. To register the MAP66 source to DKMS - and compile/install, issue these commands:

sudo dkms add -m ip6t_MAP66 -v 0.4
-sudo dkms build -m ip6t_MAP66 -v 0.4
-sudo dkms install -m ip6t_MAP66 -v 0.4

Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging

Configuration

Brief Version

You always need to add two ip6tables-rules to your netfilter + and compile/install, issue these commands:

sudo dkms add -m ip6t_MAP66 -v 0.5
+sudo dkms build -m ip6t_MAP66 -v 0.5
+sudo dkms install -m ip6t_MAP66 -v 0.5

Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging

Configuration

Brief Version

You always need to add two ip6tables-rules to your netfilter configuration. One rule matches outgoing packets and changes their IPv6 source address. The second rule matches incoming packets and reverts the address change by altering their IPv6 destination address. To following commands correspond to the Address Mapping Example given - in the IETF discussion paper:

ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j MAP66 --to 2001:0DB8:0001::/48
-ip6tables -t mangle -I PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --to FD01:0203:0405::/48

This example is also printed to the screen if you issue + in the IETF discussion paper:

ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j MAP66 --src-to 2001:0DB8:0001::/48
+ip6tables -t mangle -I PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --dst-to FD01:0203:0405::/48

This example is also printed to the screen if you issue ip6tables -j MAP66 --help. By design, you cannot use an arbitrary prefix length. Only /112, /96 .. /16 are supported.

For each packet, the Linux kernel module also compares the @@ -51,7 +51,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --to the mapping rule defines a mapping prefix that cannot result in the interface address) you can switch off the comparison. Add the --nocheck parameter to the ip6tables command for - this.

Detailed Version

The following explanation details a living example from the + this.

Detailed Version

The following explanation details a living example from the wireless mesh network that is mentioned under Motivation (see below). Throughout the mesh network, a private IP address range is used. The ULA prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6 @@ -94,10 +94,10 @@ ip6tables -t mangle -F FORWARD grep -q ^ip6t_MAP66 /proc/modules && rmmod ip6t_MAP66 insmod /usr/src/map66/ip6t_MAP66.ko -ip6tables -t mangle -A POSTROUTING -o sixxs -s fdca:ffee:babe::/64 -j MAP66 --to 2001:4dd0:fe77:1::/64 --nocheck -ip6tables -t mangle -A PREROUTING -i sixxs -d 2001:4dd0:fe77:1::/64 -j MAP66 --to fdca:ffee:babe::/64 --nocheck -ip6tables -t mangle -A POSTROUTING -o tun6to4 -s fdca:ffee:babe::/64 -j MAP66 --to 2002:4d57:3007:1::/64 --nocheck -ip6tables -t mangle -A PREROUTING -i tun6to4 -d 2002:4d57:3007:1::/64 -j MAP66 --to fdca:ffee:babe::/64 --nocheck +ip6tables -t mangle -A POSTROUTING -o sixxs -s fdca:ffee:babe::/64 -j MAP66 --src-to 2001:4dd0:fe77:1::/64 --nocheck +ip6tables -t mangle -A PREROUTING -i sixxs -d 2001:4dd0:fe77:1::/64 -j MAP66 --dst-to fdca:ffee:babe::/64 --nocheck +ip6tables -t mangle -A POSTROUTING -o tun6to4 -s fdca:ffee:babe::/64 -j MAP66 --src-to 2002:4d57:3007:1::/64 --nocheck +ip6tables -t mangle -A PREROUTING -i tun6to4 -d 2002:4d57:3007:1::/64 -j MAP66 --dst-to fdca:ffee:babe::/64 --nocheck ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Because for both IPv6 networks the external prefix length is smaller than the internal prefix length, we can make sure that the mapped addresses cannot match the interface addresses. For example: @@ -117,7 +117,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- has a 6-to-4 address, you will get the answer packet back via the 6-to-4 interface. If the above address mapping is configured, you ping one IPv6 address and get the answer from another IPv6 - address...

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that + address...

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that your browser does not show the IPv6 version of a web site that is multi-homed when using ULA addresses for your IPv6 Internet connection. The reason for this is an add on to the RFC 3484 rules that is compiled @@ -134,7 +134,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- you cannot uncomment a single entry to overwrite the default. You need to uncomment all entries of a particular type for this. The label lines compare source addresses, the - precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, + precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, e.g. by executing sudo nano /etc/gai.conf.

  2. Remove the leading hash character from the 8 lines starting with #label.

  3. Re-add the hash character to the line stating #label -- cgit v1.2.3