From: Ben Swartzlander <ben@swartzlander.org>
To: netfilter@vger.kernel.org
Subject: Using NPTv6 with stateful firewall
Date: Wed, 14 Oct 2015 22:40:15 -0400
Message-ID: <561F120F.4070601@swartzlander.org>
Like many people I'm struggling to figure out how to best manage an IPv6
network with multiple WAN connections. I discovered the NPTv6 concept
and read up on the implementation in ip6tables. According to the
documentation (I haven't tried it yet) I must disable connection
tracking if I use the DNPT and SNPT targets in ip6tables [1]. This
seems to be a fairly serious limitation, because in my case the router
and the firewall are the same machine, and the whole point of a stateful
firewall is to track connections and only allow incoming packets related
to existing connections. Those who dislike NAT like to remind us that
the security an IPv4 NAT router gives us comes from the stateful
firewalling, not from the NAT feature, so it seems strange to implement
an address translation scheme that prevents connection tracking.

I'm wondering if I'm missing something in the docs and if there actually
is a way to do both IPv6 prefix translation and connection tracking at
the same time, or if it's the case that what I want simply isn't
implemented yet (or maybe never will be, perhaps with a good reason?). I
also noted that NPT doesn't modify the payload like normal NAT [2], which
seems like another serious limitation, making me think that perhaps the
feature in netfilter is still experimental and not fully implemented.

I'm still hopeful that NPTv6 could be a good solution for multi-WAN with
IPv6, at least until other solutions materialize, such as the work of
the IETF homenet working group [3]. In the meantime it's a very big
hassle to manage multiple prefixes on my network which periodically
change at the whim of my ISPs, and I have absolutely no solution to help
hosts choose the "better" prefix by default without manually configuring
each host.

-Ben Swartzlander
[1] http://ipset.netfilter.org/iptables-extensions.man.html#lbCW
[2] http://www.spinics.net/lists/netfilter/msg53833.html
[3] https://tools.ietf.org/wg/homenet/
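Added illustration, not part of Ben's mail and not netfilter's own code: the RFC 6296 prefix mapping that the SNPT/DNPT targets perform, written out in Python so the checksum-neutral adjustment (the reason NPTv6 never has to touch the payload or transport checksum) can be checked directly. The prefixes and addresses are constructed documentation-range examples, and `npt_map` / `checksum_contribution` are names chosen here.

```python
import ipaddress
from typing import Optional

IPv6 = ipaddress.IPv6Address


def _fold(total: int) -> int:
    """Reduce an integer to a 16-bit one's complement sum (end-around carry)."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(addr: IPv6) -> list[int]:
    """The eight 16-bit words of an address, most significant first."""
    return [(int(addr) >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def checksum_contribution(addr: IPv6) -> int:
    """What addr adds to a TCP/UDP/ICMPv6 pseudo-header checksum
    (0x0000 and 0xFFFF are the same value in one's complement)."""
    return _fold(sum(_words(addr))) % 0xFFFF


def npt_map(addr: IPv6, src_pfx: str, dst_pfx: str) -> Optional[IPv6]:
    """Translate addr from src_pfx to dst_pfx per RFC 6296 section 3.
    Returns None when every IID word is 0xFFFF: such an address has no
    checksum-neutral mapping and the translator has to drop the packet."""
    src, dst = ipaddress.ip_network(src_pfx), ipaddress.ip_network(dst_pfx)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("NPTv6 needs equal-length prefixes of /64 or shorter")
    if addr not in src:
        return addr  # not in the translated prefix: leave it alone
    # adjustment = sum(src prefix words) - sum(dst prefix words), one's complement
    src_sum = _fold(sum(_words(src.network_address)))
    dst_sum = _fold(sum(_words(dst.network_address)))
    adj = _fold(src_sum + (~dst_sum & 0xFFFF))
    # Swap the prefix bits, keep the host bits unchanged for now.
    w = _words(IPv6(int(dst.network_address) | (int(addr) & int(src.hostmask))))
    # The word that absorbs the adjustment: the subnet word (index 3) for
    # /48 and shorter, otherwise the first IID word that is not 0xFFFF.
    if src.prefixlen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if w[i] != 0xFFFF), None)
        if idx is None:
            return None
    w[idx] = _fold(w[idx] + adj)
    if w[idx] == 0xFFFF:  # use the canonical zero, so DNPT maps back exactly
        w[idx] = 0
    return IPv6(sum(x << (16 * (7 - i)) for i, x in enumerate(w)))
```

Mapping an address out with one prefix pair and back with the pair reversed returns the original, which is what makes the stateless SNPT/DNPT pair work without a per-flow table.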