Using NPTv6 with stateful firewall

Like many people I'm struggling to figure out how to best manage an IPv6 network with multiple WAN connections. I discovered the NPTv6 concept and read up on the implementation in ip6tables. According to the documentation (I haven't tried it yet) I must disable connection tracking if I use the DNPT and SNPT targets in ip6tables [1]. This seems to be a fairly serious limitation, because in my case the router and the firewall are the same machine, and the whole point of a stateful firewall is to track connections and only allow incoming packets related to existing connections. Those who dislike NAT like to remind us that the security an IPv4 NAT router gives us comes from the stateful firewalling, not from the NAT feature, so it seems strange to implement an address translation scheme that prevents connection tracking.

I'm wondering if I'm missing something in the docs and if there actually is a way to do both IPv6 prefix translation and connection tracking at the same time, or if it's the case that what I want simply isn't implemented yet (or maybe never will be, perhaps with a good reason?). I also noted that NPT doesn't modify the payload like normal NAT [2], which seems like another serious limitation, making me think that perhaps the feature in netfilter is still experimental and not fully implemented.

I'm still hopeful that NPTv6 could be a good solution for multi-WAN with IPv6, at least until other solutions materialize, such as the work of the IETF homenet working group [3]. In the meantime it's a very big hassle to manage multiple prefixes on my network which periodically change at the whim of my ISPs, and I have absolutely no solution to help hosts choose the "better" prefix by default without manually configuring each host.

-Ben Swartzlander

[1] http://ipset.netfilter.org/iptables-extensions.man.html#lbCW
[2] http://www.spinics.net/lists/netfilter/msg53833.html
[3] https://tools.ietf.org/wg/homenet/
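The checksum-neutral mapping that lets NPTv6 work without per-flow state or payload rewriting, as an added illustration that is not part of the original post or of netfilter's SNPT/DNPT code: it assumes /48 prefixes (the RFC 6296 case that adjusts the subnet word, bits 48-63) and the constructed prefixes fd00:1:2::/48 and 2001:db8:1::/48, with class and function names chosen here.

```python
import ipaddress

def ones_sum(words):
    """Folded 16-bit one's complement sum (RFC 1071 arithmetic)."""
    s = 0
    for w in words:
        s += w
        s = (s & 0xFFFF) + (s >> 16)
    return s

def words(addr):
    """The eight 16-bit words of an IPv6 address."""
    p = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(p[i:i + 2], "big") for i in range(0, 16, 2)]

class NPTv6:
    """Stateless /48 <-> /48 mapping (RFC 6296 style, assumed names): rewrite the
    prefix, then adjust the subnet word (bits 48-63) so the one's complement sum
    of the address, and hence every transport checksum over it, is unchanged."""
    def __init__(self, internal, external):
        self.inside = ipaddress.IPv6Network(internal)
        self.outside = ipaddress.IPv6Network(external)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this illustration handles /48 prefixes only")
        # adjustment = internal - external (one's complement); fixed per config
        inside = ones_sum(words(self.inside.network_address)[:3])
        outside = ones_sum(words(self.outside.network_address)[:3])
        self.adjust = ones_sum([inside, ~outside & 0xFFFF])

    def _translate(self, addr, src_net, dst_net, adjust):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src_net:
            return addr  # not in the translated prefix: forwarded untouched
        w = words(addr)
        if w[3] == 0xFFFF:  # same one's complement value as 0x0000: ambiguous
            raise ValueError("subnet 0xFFFF cannot be translated unambiguously")
        w[:3] = words(dst_net.network_address)[:3]
        w[3] = ones_sum([w[3], adjust])
        if w[3] == 0xFFFF:
            w[3] = 0x0000  # write one's complement zero as 0x0000
        return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

    def outbound(self, src):  # SNPT direction: internal -> external source
        return self._translate(src, self.inside, self.outside, self.adjust)
    def inbound(self, dst):  # DNPT direction: external -> internal destination
        return self._translate(dst, self.outside, self.inside, ~self.adjust & 0xFFFF)

def checksum_neutral(a, b):
    """True if both addresses contribute the same value to a pseudo-header sum."""
    return ones_sum(words(a)) % 0xFFFF == ones_sum(words(b)) % 0xFFFF
```

Because the same arithmetic maps every address in both directions without remembering anything about the flow, the translator itself needs no conntrack entries; the filtering that actually protects the hosts still has to come from a separate stateful rule set.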