
#1 2021-04-24 17:12:11

t_wrex
Member
Registered: 2020-03-27
Posts: 30

nftables doing strange things to IPv6 traffic

I have a dual-stack Arch router with 2 network interfaces, and I am trying to migrate my iptables setup (which worked beautifully) to nftables (which kind of sucks IMO).

I have the following /etc/nftables.conf:

table inet nat {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "wan" masquerade
        }
}
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ip protocol icmp icmp type echo-request limit rate 2/second accept
                ip protocol icmp icmp type echo-request drop
                ct state established,related accept
                iifname "lan" accept
                iifname "lo" accept
                udp dport dhcpv6-client accept
                ip6 nexthdr ipv6-icmp accept
                ip protocol icmp accept
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept
                iifname "lan" accept
        }
}

The router appears to be doing a masquerade on IPv6 traffic, which of course it shouldn't be doing since IPv6 doesn't have NAT. This makes no sense?

Here is a tcpdump from a host behind the LAN sending IPv6 pings:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp8s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:10:04.789185 IP6 2601:483:4c00:1e:e6b1:ed6e:ac46:9549 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 18, seq 1, length 64
12:10:04.817708 IP6 2607:f8b0:4004:837::2005 > 2601:483:4c00:1e:e6b1:ed6e:ac46:9549: ICMP6, echo reply, id 18, seq 1, length 64
12:10:05.790602 IP6 2601:483:4c00:1e:e6b1:ed6e:ac46:9549 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 18, seq 2, length 64
12:10:05.818669 IP6 2607:f8b0:4004:837::2005 > 2601:483:4c00:1e:e6b1:ed6e:ac46:9549: ICMP6, echo reply, id 18, seq 2, length 64
12:10:06.792388 IP6 2601:483:4c00:1e:e6b1:ed6e:ac46:9549 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 18, seq 3, length 64
12:10:06.820492 IP6 2607:f8b0:4004:837::2005 > 2601:483:4c00:1e:e6b1:ed6e:ac46:9549: ICMP6, echo reply, id 18, seq 3, length 64

Here is a tcpdump on the WAN interface of the router during the same ping:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:08:23.300393 IP6 2001:558:6016:3a:64a1:fcc0:bdc1:202 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 17, seq 1, length 64
12:08:23.328539 IP6 2607:f8b0:4004:837::2005 > 2001:558:6016:3a:64a1:fcc0:bdc1:202: ICMP6, echo reply, id 17, seq 1, length 64
12:08:24.302117 IP6 2001:558:6016:3a:64a1:fcc0:bdc1:202 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 17, seq 2, length 64
12:08:24.316746 IP6 fe80::201:5cff:fea1:8646 > ff02::1: ICMP6, router advertisement, length 144
12:08:24.330384 IP6 2607:f8b0:4004:837::2005 > 2001:558:6016:3a:64a1:fcc0:bdc1:202: ICMP6, echo reply, id 17, seq 2, length 64
12:08:25.303373 IP6 2001:558:6016:3a:64a1:fcc0:bdc1:202 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 17, seq 3, length 64
12:08:25.331129 IP6 2607:f8b0:4004:837::2005 > 2001:558:6016:3a:64a1:fcc0:bdc1:202: ICMP6, echo reply, id 17, seq 3, length 64

As you can see, the router is changing the source address of the IPv6 packet to 2001:558:6016:3a:64a1:fcc0:bdc1:202 (which is the IPv6 address of the WAN interface of the router).

It should not be doing this. How do I make it stop doing this?


#2 2021-04-25 11:58:13

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: nftables doing strange things to IPv6 traffic

t_wrex wrote:

IPv6 doesn't have NAT

Incorrect, just search for ipv6 nat [1]. Also OpenWrt documents how to set it up in [2].


It looks like https://wiki.archlinux.org/index.php/Nf … squerading is relevant, especially the last paragraph.


[1] https://duckduckgo.com/?q=ipv6+nat&t=lm … =-1&ia=web (requires JS)
[2] https://openwrt.org/docs/guide-user/net … /ipv6.nat6

Last edited by Lone_Wolf (2021-04-25 11:58:52)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#3 2021-04-25 12:24:11

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,932

Re: nftables doing strange things to IPv6 traffic

t_wrex wrote:

[...]I am trying to migrate my iptables setup (which worked beautifully) to nftables (which kind of sucks IMO).

Why are you doing it then? Iptables is alive and well.
I might disagree with your assessment that nftables sucks, since I personally find it a huge improvement over iptables, but there is absolutely no reason to migrate from iptables to nftables, especially if you do not like the latter.


#4 2021-04-25 15:12:09

respiranto
Member
Registered: 2015-05-15
Posts: 479

Re: nftables doing strange things to IPv6 traffic

Irrelevant to your question, note that the "prerouting" chain is not necessary.

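An added example, not taken from any post in this thread or from the Arch wiki page Lone_Wolf links, showing why the original nat table rewrites IPv6 and how to confine it to IPv4; it also reflects respiranto's remark about the prerouting chain. It reuses only the interface name "wan" and the chain layout from t_wrex's config; nothing else about the network is assumed. In nftables the inet family is a combined IPv4+IPv6 table. Expressions that begin with `ip` or `ip6` (such as the `ip protocol icmp` lines in the filter table) implicitly match only that family, but `oifname`, `ct state`, `udp dport` and the `masquerade` statement carry no address family at all, so `oifname "wan" masquerade` in an inet table SNATs both families. That is exactly what the WAN tcpdump shows. Either qualify the rule with `meta nfproto ipv4` or put it in an `ip` family table, which only ever sees IPv4.

```nftables
# Added example (not from the thread): original problem and two fixes.
# Interface name "wan" comes from the original post; everything else is assumed.

# --- Original (problem) ---
# "inet" sees IPv4 and IPv6, and "masquerade" has no family qualifier,
# so every packet leaving "wan" in either family gets SNATed to the
# interface address (that is what the WAN-side tcpdump showed).
#
# table inet nat {
#         chain postrouting {
#                 type nat hook postrouting priority srcnat; policy accept;
#                 oifname "wan" masquerade
#         }
# }

# --- Fix 1: keep the inet family, restrict the rule to IPv4 ---
table inet nat {
        # Empty placeholder for future dnat/redirect rules; with none,
        # this chain can be omitted, as respiranto says above.
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                # Only IPv4 is masqueraded; IPv6 is routed with its source untouched.
                meta nfproto ipv4 oifname "wan" masquerade
        }
}

# --- Fix 2 (alternative to Fix 1, do not load both) ---
# An "ip" family table only ever sees IPv4, so the rule needs no qualifier.
#
# table ip nat {
#         chain postrouting {
#                 type nat hook postrouting priority srcnat; policy accept;
#                 oifname "wan" masquerade
#         }
# }
```

Choose one of the two fixes. Check the file with `nft -c -f /etc/nftables.conf`, then load it after a `flush ruleset` (or put `flush ruleset` at the top of the file): `nft -f` merges into a table that already exists, so without the flush the old unqualified masquerade rule would survive beside the new one. Afterwards `nft list table inet nat` should show the `meta nfproto ipv4` qualifier, and a tcpdump on wan during an IPv6 ping from the LAN should show the LAN host's own 2601:... source address rather than the router's 2001:558:... address. The same family scoping works in the other direction in the filter table: `ip protocol icmp icmp type echo-request limit rate 2/second` rate-limits only IPv4 echo requests, while `ip6 nexthdr ipv6-icmp accept` lets all ICMPv6, echo requests included, through without any limit.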
