I have a dual stack Arch router with 2 network interfaces that I am trying to migrate my iptables setup (which worked beautifully) to nftables (which kind of sucks IMO).
I have the following /etc/nftables.conf:

# NAT table. The inet family covers both IPv4 and IPv6 traffic.
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # rewrite the source address of everything leaving via wan
        oifname "wan" masquerade
    }
}

# Filter table, also inet family (IPv4 and IPv6).
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        # rate-limit IPv4 pings, drop the excess
        ip protocol icmp icmp type echo-request limit rate 2/second accept
        ip protocol icmp icmp type echo-request drop
        ct state established,related accept
        iifname "lan" accept
        iifname "lo" accept
        udp dport dhcpv6-client accept
        ip6 nexthdr ipv6-icmp accept
        ip protocol icmp accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "lan" accept
    }
}
The router appears to be doing a masquerade on IPv6 traffic, which of course it shouldn't be doing since IPv6 doesn't have NAT... This makes no sense?
Here is a tcpdump from a host behind the LAN sending IPv6 pings:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp8s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:10:04.789185 IP6 2601:483:4c00:1e:e6b1:ed6e:ac46:9549 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 18, seq 1, length 64
12:10:04.817708 IP6 2607:f8b0:4004:837::2005 > 2601:483:4c00:1e:e6b1:ed6e:ac46:9549: ICMP6, echo reply, id 18, seq 1, length 64
12:10:05.790602 IP6 2601:483:4c00:1e:e6b1:ed6e:ac46:9549 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 18, seq 2, length 64
12:10:05.818669 IP6 2607:f8b0:4004:837::2005 > 2601:483:4c00:1e:e6b1:ed6e:ac46:9549: ICMP6, echo reply, id 18, seq 2, length 64
12:10:06.792388 IP6 2601:483:4c00:1e:e6b1:ed6e:ac46:9549 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 18, seq 3, length 64
12:10:06.820492 IP6 2607:f8b0:4004:837::2005 > 2601:483:4c00:1e:e6b1:ed6e:ac46:9549: ICMP6, echo reply, id 18, seq 3, length 64
Here is a tcpdump on the WAN interface of the router during the same ping:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:08:23.300393 IP6 2001:558:6016:3a:64a1:fcc0:bdc1:202 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 17, seq 1, length 64
12:08:23.328539 IP6 2607:f8b0:4004:837::2005 > 2001:558:6016:3a:64a1:fcc0:bdc1:202: ICMP6, echo reply, id 17, seq 1, length 64
12:08:24.302117 IP6 2001:558:6016:3a:64a1:fcc0:bdc1:202 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 17, seq 2, length 64
12:08:24.316746 IP6 fe80::201:5cff:fea1:8646 > ff02::1: ICMP6, router advertisement, length 144
12:08:24.330384 IP6 2607:f8b0:4004:837::2005 > 2001:558:6016:3a:64a1:fcc0:bdc1:202: ICMP6, echo reply, id 17, seq 2, length 64
12:08:25.303373 IP6 2001:558:6016:3a:64a1:fcc0:bdc1:202 > 2607:f8b0:4004:837::2005: ICMP6, echo request, id 17, seq 3, length 64
12:08:25.331129 IP6 2607:f8b0:4004:837::2005 > 2001:558:6016:3a:64a1:fcc0:bdc1:202: ICMP6, echo reply, id 17, seq 3, length 64
As you can see, the router is changing the source address of the IPv6 packet to 2001:558:6016:3a:64a1:fcc0:bdc1:202 (which is the IPv6 address of the WAN interface of the router).
It should not be doing this. How do I make it stop doing this?
IPv6 doesn't have NAT
Incorrect, just search for ipv6 nat [1]. Also OpenWrt documents how to set it up in [2].
It looks like https://wiki.archlinux.org/index.php/Nf … squerading is relevant, especially the last paragraph.
[1] https://duckduckgo.com/?q=ipv6+nat&t=lm … =-1&ia=web (requires JS)
[2] https://openwrt.org/docs/guide-user/net … /ipv6.nat6
Last edited by Lone_Wolf (2021-04-25 11:58:52)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
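The behaviour in the first post follows directly from the table family: an `inet` table hooks both IPv4 and IPv6, so a bare `oifname "wan" masquerade` in `table inet nat` rewrites IPv6 source addresses too, which is exactly what the WAN capture shows. The following is an added example, not a configuration posted in this thread, showing the same NAT table restricted to IPv4 in two equivalent ways. The interface name "wan" is taken from the original post; everything else in the file is unchanged and omitted here.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Replace the "table inet nat" block in
# /etc/nftables.conf with ONE of the two variants below; the inet filter table
# from the original post can stay as it is.

# Option A: put the NAT chain in an "ip" family table. IPv6 packets never
# traverse an ip-family table, so they cannot be masqueraded by it.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}

# Option B: keep a single inet table but match the protocol family explicitly,
# so only IPv4 packets leaving via wan are masqueraded.
# table inet nat {
#     chain postrouting {
#         type nat hook postrouting priority srcnat; policy accept;
#         meta nfproto ipv4 oifname "wan" masquerade
#     }
# }
```

After reloading the ruleset (the usual way is a `flush ruleset` at the top of /etc/nftables.conf followed by `nft -f /etc/nftables.conf`), check with `nft list ruleset` that the only `masquerade` rule sits either in `table ip nat` or behind a `meta nfproto ipv4` match, then repeat the tcpdump on the WAN interface: the IPv6 echo requests should now carry the LAN host's own global address as source.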
[...] I am trying to migrate my iptables setup (which worked beautifully) to nftables (which kind of sucks IMO).
Why are you doing it then? Iptables is alive and well.
I might disagree with your assessment that nftables sucks, since I personally find it a huge improvement over iptables, but there is absolutely no reason to migrate from iptables to nftables, especially if you do not like the latter.
Unofficial first vice president of the Rust Evangelism Strike Force
Irrelevant to your question, note that the "prerouting" chain is not necessary.