On Sun, Feb 09, 2020 at 01:44:19AM +0100, Haochen Tong wrote:
> Hi,
>
> While trying to implement IPv6 NPT with nftables I did not find any
> useful documentation. The wiki says "consider native interface", however
> I cannot find any reference to this "native interface".
>
> Is this unsupported for now? Are there any workarounds?

I have hacked up something with nft, by applying bitwise arithmetic on IP
addresses and manually calculating the RFC6296 checksum for a single /80
subnet (not necessarily correct in the following example because IP
addresses are mangled for privacy reasons, but seems to work):

table ip6 npt {
	chain prerouting-dnpt {
		type filter hook prerouting priority mangle; policy accept;
		iif ens3 ip6 daddr 2001:da8:1400:57:a6fb::/80 ip6 daddr set ip6 daddr and ::ffff:ffff:ffff or 2001:da8:1234:5678:90ab:: notrack
	}

	chain postrouting-snpt {
		type filter hook postrouting priority mangle; policy accept;
		oif ens3 ip6 saddr 2001:da8:1234:5678:90ab::/80 ip6 daddr != 2001:da8:1234::/48 ip6 saddr set ip6 saddr and ::ffff:ffff:ffff or 2001:da8:1400:57:a6fb:: notrack
	}
}

However, the {S,D}NPT targets in iptables are able to calculate the
checksum automatically, for all subnets in a /64. So, again, what is the
preferred way to do NPT in nftables with "native interfaces"? Is a new
kernel module needed?

Thanks,
Haochen Tong
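Added worked example, not part of the thread: the checksum-neutral /80 calculation the post does by hand, using the RFC 6296 one's complement arithmetic (internal word 4 plus the difference of the two /64 prefix sums), and the same two nft rules generated from the result. The prefixes are constructed values from the 2001:db8::/32 documentation range, not the poster's addresses.

```python
import ipaddress

def words(addr):
    """Eight 16-bit words of an IPv6 address, most significant first."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def ones_add(a, b):
    """16-bit one's complement addition with end-around carry (RFC 6296)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def ones_sum(ws):
    total = 0
    for w in ws:
        total = ones_add(total, w)
    return 0 if total == 0xFFFF else total  # 0xFFFF and 0 are both zero

def external_prefix80(internal64, external64, internal_word4):
    """Return the external /80 whose word 4 (bits 64..79) makes the
    internal/80 -> external/80 rewrite checksum neutral: the one's complement
    sum of words 0..4 is equal on both sides, and the low 48 bits are copied
    through unchanged, so TCP/UDP/ICMPv6 checksums stay valid."""
    si = ones_sum(words(internal64)[:4])
    se = ones_sum(words(external64)[:4])
    adjustment = ones_add(si, (~se) & 0xFFFF)  # si - se in one's complement
    w = ones_add(internal_word4, adjustment)
    w = 0 if w == 0xFFFF else w                 # same value; kernel NPT uses 0 too
    ws = words(external64)[:4] + [w, 0, 0, 0]
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in ws)))

def is_checksum_neutral(internal_addr, external_addr):
    """True when both full addresses have the same one's complement sum."""
    return ones_sum(words(internal_addr)) == ones_sum(words(external_addr))

def nft_npt_rules(internal80, external80, ext_if="ens3"):
    """The two nft rules from the post, parameterised (the post's extra
    'ip6 daddr != <site /48>' exclusion on the SNPT rule is left out)."""
    keep = "::ffff:ffff:ffff"  # host part: the low 48 bits survive the rewrite
    dnpt = (f"iif {ext_if} ip6 daddr {external80}/80 ip6 daddr set "
            f"ip6 daddr and {keep} or {internal80} notrack")
    snpt = (f"oif {ext_if} ip6 saddr {internal80}/80 ip6 saddr set "
            f"ip6 saddr and {keep} or {external80} notrack")
    return dnpt, snpt

if __name__ == "__main__":
    # Constructed prefixes from the 2001:db8::/32 documentation range.
    ext80 = external_prefix80("2001:db8:1234:5678::", "2001:db8:1400:57::", 0x90ab)
    print(ext80, is_checksum_neutral("2001:db8:1234:5678:90ab::1", ext80 + "1"))
    print(*nft_npt_rules("2001:db8:1234:5678:90ab::", ext80), sep="\n")
```

As with the post's ruleset, this only covers one /80 at a time; the iptables NPT targets compute the same adjustment per packet for every subnet word under the /64.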