Unable to get NPTv6 to work with kernel 3.8.2

Hi,
we are currently trying to switch from our own NPTv6 implementation [1]
to the new in-tree one.

The rules we've been trying out are:

ip6tables -t mangle -A PREROUTING -d fd00:0:0:3::/64 \
    -j MARK --set-xmark 0x2a/0xffffffff
ip6tables -t mangle -A OUTPUT -d fd00:0:0:3::/64 \
    -j MARK --set-xmark 0x2a/0xffffffff

ip6tables -t nat -A OUTPUT -d fd00:0:0:3::/64 \
    -j DNPT --src-pfx fd00:0:0:3::/64 --dst-pfx fd00:0:0:1::/64
ip6tables -t nat -A PREROUTING -d fd00:0:0:3::/64 \
    -j DNPT --src-pfx fd00:0:0:3::/64 --dst-pfx fd00:0:0:1::/64

ip6tables -t nat -A INPUT -s fd00:0:0:1::/64 -m mark --mark 0x2a \
    -j SNPT --src-pfx fd00:0:0:1::/64 --dst-pfx fd00:0:0:3::/64
ip6tables -t nat -A POSTROUTING -s fd00:0:0:1::/64 -m mark --mark 0x2a \
    -j SNPT --src-pfx fd00:0:0:1::/64 --dst-pfx fd00:0:0:3::/64
ip6tables -t nat -A POSTROUTING -s fd00:0:0:1::/64 -o test0 \
    -j SNPT --src-pfx fd00:0:0:1::/64 --dst-pfx fd00:0:0:3::/64

(With our old module, which worked completely in the mangle table, we
needed these complex rules to achieve the hairpinning behaviour
required by RFC 6296. Are such rules still necessary with the in-tree
implementation?)

We are seeing the strange behaviour that the first packet of a new flow
is translated correctly (tested with ICMP echo packets), regardless of
the direction of the first packet, but the reply and all subsequent
packets don't get translated at all.

This is the output of conntrack after starting a ping in both
directions, showing the untranslated addresses in both cases:

# conntrack -f ipv6 -L
icmpv6   58 10 src=fd00:0:0:2::2 dst=fd00::3:fffd:0:0:2 type=128 code=0
id=811 [UNREPLIED] src=fd00::3:fffd:0:0:2 dst=fd00:0:0:2::2 type=129
code=0 id=811 mark=0 use=1
icmpv6   58 28 src=fd00:0:0:1::2 dst=fd00:0:0:2::2 type=128 code=0
id=1131 [UNREPLIED] src=fd00:0:0:2::2 dst=fd00:0:0:1::2 type=129 code=0
id=1131 mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 2 flow entries have been shown.

Is there anything wrong with the rules? What can I do to debug the
problem? Please let me know if there is any more information I can
provide you to help you understand the issue.

Thanks in advance,
Matthias Schiffer


[1] http://git.universe-factory.net/NPTv6/
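An added example, not part of Matthias's post or of the netfilter tree: a Python re-implementation of the RFC 6296 checksum-neutral prefix mapping that SNPT and DNPT apply to an address, run with the two /64 prefixes from the rules above. It shows why the internal host fd00:0:0:1::2 appears on the external side as fd00::3:fffd:0:0:2 (the destination visible in the first conntrack entry): the prefix sums differ by 2, so word 4 of the address absorbs 0xfffd to keep the transport checksums valid, and the reverse mapping adds 2 back, which yields 0xffff and is stored as 0. The code is my own; the choice of the word that takes the adjustment (word 3 for prefixes up to /48, otherwise the first interface-identifier word that is not 0xffff) and the folding of a 0xffff result to 0 follow my reading of RFC 6296 and the in-tree xt_NPT module and should be checked against the kernel source.

```python
import ipaddress
import struct

# Added example (not from the original post): RFC 6296 checksum-neutral
# prefix translation, i.e. what ip6tables -j SNPT / -j DNPT do to one address.


def oc_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(words) -> int:
    """One's complement sum of a sequence of 16-bit words."""
    total = 0
    for w in words:
        total = oc_add(total, w)
    return total


def oc_neg(x: int) -> int:
    """One's complement negation is bitwise NOT within 16 bits."""
    return (~x) & 0xFFFF


def words_of(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of an IPv6 address in network order."""
    return list(struct.unpack("!8H", addr.packed))


def npt_map(addr: str, src_pfx: str, dst_pfx: str) -> str:
    """Translate addr from src_pfx to dst_pfx while keeping the one's
    complement sum of the address unchanged, so TCP/UDP/ICMPv6 checksums
    computed over the original address remain valid after translation."""
    a = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_pfx)
    dst = ipaddress.IPv6Network(dst_pfx)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("--src-pfx and --dst-pfx must have the same length")
    if a not in src:
        raise ValueError(f"{a} is not covered by {src}")

    # adjustment = sum(src prefix) - sum(dst prefix), in one's complement.
    # The host part of a network address is zero, so all eight words are summed.
    adj = oc_add(oc_sum(words_of(src.network_address)),
                 oc_neg(oc_sum(words_of(dst.network_address))))

    # Swap the prefix bits and keep every other bit as it was.
    host_bits = int(a) & ~int(src.netmask)
    w = words_of(ipaddress.IPv6Address(int(dst.network_address) | host_bits))

    # Word that absorbs the adjustment: the subnet word for /48 and shorter,
    # otherwise the first IID word that is not 0xffff. Assumption: this is
    # what RFC 6296 and the in-tree xt_NPT module do; verify against the source.
    if src.prefixlen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if w[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError(f"{a}: no IID word can absorb the adjustment")

    new_word = oc_add(w[idx], adj)
    if new_word == 0xFFFF:  # 0xffff and 0x0000 are both zero in one's complement
        new_word = 0
    w[idx] = new_word
    return str(ipaddress.IPv6Address(struct.pack("!8H", *w)))


def same_address(a: str, b: str) -> bool:
    """Compare two textual IPv6 addresses regardless of zero compression."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def checksum_neutral(a: str, b: str) -> bool:
    """True if both addresses have the same one's complement sum (0 == 0xffff)."""
    def norm(x):
        return 0 if x == 0xFFFF else x
    return norm(oc_sum(words_of(ipaddress.IPv6Address(a)))) == \
        norm(oc_sum(words_of(ipaddress.IPv6Address(b))))


if __name__ == "__main__":
    internal, external = "fd00:0:0:1::/64", "fd00:0:0:3::/64"  # prefixes from the rules
    ext = npt_map("fd00:0:0:1::2", internal, external)   # SNPT direction
    back = npt_map(ext, external, internal)              # DNPT direction
    print(ext, back, checksum_neutral("fd00:0:0:1::2", ext))
```

Running the script prints the external form, the address recovered by the reverse mapping and a neutrality check; the external form is exactly the dst address that conntrack shows in the first entry above, which confirms that the ping in that direction was aimed at the translated address of fd00:0:0:1::2.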
