I have a dual stack Arch router with 2 network interfaces that I am trying to migrate my iptables setup (which worked beautifully) to nftables (which kind of sucks IMO).
I have the following /etc/nftables.conf
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ip protocol icmp icmp type echo-request limit rate 2/second accept
        ip protocol icmp icmp type echo-request drop
        ct state established,related accept
        iifname "lan" accept
        iifname "lo" accept
        udp dport dhcpv6-client accept
        ip6 nexthdr ipv6-icmp accept
        ip protocol icmp accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "lan" accept
    }
}
The router appears to be doing a masquerade on IPv6 traffic, which of course it shouldn't be doing since IPv6 doesn't have NAT..... this makes no sense??
Here is a tcpdump from a host behind the LAN sending IPv6 pings:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp8s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:10:04.789185 IP6 2601:483:4c00:1e:e6b1:ed6e:ac46:9549 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 18, seq 1, length 64
12:10:04.817708 IP6 2607:f8b0:4004:837::2005 > 2601:483:4c00:1e:e6b1:ed6e:ac46:9549: ICMP6, echo reply, id 18, seq 1, length 64
12:10:05.790602 IP6 2601:483:4c00:1e:e6b1:ed6e:ac46:9549 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 18, seq 2, length 64
12:10:05.818669 IP6 2607:f8b0:4004:837::2005 > 2601:483:4c00:1e:e6b1:ed6e:ac46:9549: ICMP6, echo reply, id 18, seq 2, length 64
12:10:06.792388 IP6 2601:483:4c00:1e:e6b1:ed6e:ac46:9549 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 18, seq 3, length 64
12:10:06.820492 IP6 2607:f8b0:4004:837::2005 > 2601:483:4c00:1e:e6b1:ed6e:ac46:9549: ICMP6, echo reply, id 18, seq 3, length 64
Here is a tcpdump on the WAN interface of the router during the same ping:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:08:23.300393 IP6 2001:558:6016:3a:64a1:fcc0:bdc1:202 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 17, seq 1, length 64
12:08:23.328539 IP6 2607:f8b0:4004:837::2005 > 2001:558:6016:3a:64a1:fcc0:bdc1:202: ICMP6, echo reply, id 17, seq 1, length 64
12:08:24.302117 IP6 2001:558:6016:3a:64a1:fcc0:bdc1:202 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 17, seq 2, length 64
12:08:24.316746 IP6 fe80::201:5cff:fea1:8646 > ff02::1: ICMP6, router advertisement, length 144
12:08:24.330384 IP6 2607:f8b0:4004:837::2005 > 2001:558:6016:3a:64a1:fcc0:bdc1:202: ICMP6, echo reply, id 17, seq 2, length 64
12:08:25.303373 IP6 2001:558:6016:3a:64a1:fcc0:bdc1:202 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 17, seq 3, length 64
12:08:25.331129 IP6 2607:f8b0:4004:837::2005 > 2001:558:6016:3a:64a1:fcc0:bdc1:202: ICMP6, echo reply, id 17, seq 3, length 64
As you can see, the router is changing the source address of the IPv6 packet to 2001:558:6016:3a:64a1:fcc0:bdc1:202 (which is the IPv6 address of the WAN interface of the router).
It should not be doing this. How do I make it stop doing this?
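The config in the post uses the `inet` family, which matches IPv4 and IPv6 alike, so `oifname "wan" masquerade` rewrites IPv6 source addresses as well; prefixing the rule with `meta nfproto ipv4` (or putting the nat table in the `ip` family) keeps the NAT on IPv4 only. The following is an added Python example, not code from the thread, that scans a ruleset text for NAT rules in an `inet` table that lack such a restriction; the sample ruleset is the nat table copied from the post and the fixed variant is constructed.

```python
"""Flag NAT rules in an nftables `inet` table that also rewrite IPv6: the
inet family matches both IPv4 and IPv6, so a bare masquerade/snat rule
there does NAT66 as well unless it is limited with `meta nfproto ipv4`."""
import re

# Constructed sample: the nat table from the post, as written.
RULESET_ORIGINAL = """
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}
"""
# Constructed sample: the same table with the masquerade limited to IPv4.
RULESET_FIXED = RULESET_ORIGINAL.replace(
    'oifname "wan" masquerade', 'meta nfproto ipv4 oifname "wan" masquerade')

TABLE_RE = re.compile(r'^table\s+(\w+)\s+(\S+)\s*\{')
CHAIN_RE = re.compile(r'^chain\s+(\S+)\s*\{')
NAT_ACTION_RE = re.compile(r'\b(masquerade|snat|dnat)\b')
# Selectors that confine a rule to IPv4: nfproto, or any IPv4-header match.
V4_ONLY_RE = re.compile(r'\b(nfproto\s+ipv4|ip\s+(saddr|daddr|protocol))\b')


def audit_dual_stack_nat(ruleset: str) -> list:
    """Return (table, chain, rule) for every NAT rule in an inet-family
    table that is not restricted to IPv4 and therefore applies to IPv6."""
    findings = []
    family = table = chain = None
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:
            family, table = m.group(1), m.group(2)
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if (family == "inet" and NAT_ACTION_RE.search(line)
                and not V4_ONLY_RE.search(line)):
            findings.append((table, chain, line))
    return findings


def restrict_to_ipv4(rule: str) -> str:
    """Prefix a rule with the match that keeps it to IPv4 packets."""
    return rule if V4_ONLY_RE.search(rule) else "meta nfproto ipv4 " + rule
```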
IPv6 doesn't have NAT
Incorrect, just search for ipv6 nat [1]. Also openwrt documents how to set it up in [2].
It looks like https://wiki.archlinux.org/index.php/Nf … squerading is relevant, especially the last paragraph.
[1] https://duckduckgo.com/?q=ipv6+nat&t=lm … =-1&ia=web (requires JS)
[2] https://openwrt.org/docs/guide-user/net … /ipv6.nat6
Last edited by Lone_Wolf (2021-04-25 11:58:52)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
[...] I am trying to migrate my iptables setup (which worked beautifully) to nftables (which kind of sucks IMO).
Why are you doing it then? Iptables is alive and well.
I might disagree with your assessment that nftables sucks, since I personally find it a huge improvement to iptables, but there is absolutely no reason to migrate from iptables to nftables, especially if you do not like the latter.
macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }
Irrelevant to your question, note that the `prerouting' chain is not necessary.