* Unable to get NPTv6 to work with kernel 3.8.2
From: Matthias Schiffer @ 2013-03-11 14:03 UTC
To: Netfilter Developer Mailing List
Hi,
we are currently trying to switch from an own NPTv6 implementation [1]
to the new in-tree one.
The rules we've been trying out are:
ip6tables -t mangle -A PREROUTING -d fd00:0:0:3::/64 -j MARK --set-xmark 0x2a/0xffffffff
ip6tables -t mangle -A OUTPUT -d fd00:0:0:3::/64 -j MARK --set-xmark 0x2a/0xffffffff
ip6tables -t nat -A OUTPUT -d fd00:0:0:3::/64 -j DNPT --src-pfx fd00:0:0:3::/64 --dst-pfx fd00:0:0:1::/64
ip6tables -t nat -A PREROUTING -d fd00:0:0:3::/64 -j DNPT --src-pfx fd00:0:0:3::/64 --dst-pfx fd00:0:0:1::/64
ip6tables -t nat -A INPUT -s fd00:0:0:1::/64 -m mark --mark 0x2a -j SNPT --src-pfx fd00:0:0:1::/64 --dst-pfx fd00:0:0:3::/64
ip6tables -t nat -A POSTROUTING -s fd00:0:0:1::/64 -m mark --mark 0x2a -j SNPT --src-pfx fd00:0:0:1::/64 --dst-pfx fd00:0:0:3::/64
ip6tables -t nat -A POSTROUTING -s fd00:0:0:1::/64 -o test0 -j SNPT --src-pfx fd00:0:0:1::/64 --dst-pfx fd00:0:0:3::/64
(With our old module, which worked completely in the mangle table, we
needed these complex rules to achieve the hairpinning behaviour
required by RFC6296; are such rules still necessary with the in-tree
implementation?)
We are seeing the strange behaviour that the first packet of a new flow
is translated correctly (tested with ICMP echo packets), regardless of
the direction of the first packet, but the reply and all subsequent
packets don't get translated at all.
This is the output of conntrack after starting a ping in both
directions, showing the untranslated addresses in both cases:
# conntrack -f ipv6 -L
icmpv6 58 10 src=fd00:0:0:2::2 dst=fd00::3:fffd:0:0:2 type=128 code=0 id=811 [UNREPLIED] src=fd00::3:fffd:0:0:2 dst=fd00:0:0:2::2 type=129 code=0 id=811 mark=0 use=1
icmpv6 58 28 src=fd00:0:0:1::2 dst=fd00:0:0:2::2 type=128 code=0 id=1131 [UNREPLIED] src=fd00:0:0:2::2 dst=fd00:0:0:1::2 type=129 code=0 id=1131 mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 2 flow entries have been shown.
Is there anything wrong with the rules? What can I do to debug the
problem? Please let me know if there is any more information I can
provide you to help you understand the issue.
Thanks in advance,
Matthias Schiffer
[1] http://git.universe-factory.net/NPTv6/
* Re: Unable to get NPTv6 to work with kernel 3.8.2
From: Florian Westphal @ 2013-03-12 6:11 UTC
To: Matthias Schiffer; +Cc: Netfilter Developer Mailing List
Matthias Schiffer <mschiffer@universe-factory.net> wrote:
> ip6tables -t nat -A OUTPUT -d fd00:0:0:3::/64 -j DNPT --src-pfx
> fd00:0:0:3::/64 --dst-pfx fd00:0:0:1::/64
[..]
This won't work, DNPT is stateless, the nat table is only consulted
for the first packet of a connection.
Use mangle instead, this should also take care of possible new
route due to changed dst address.
Any objections wrt. restricting NPT to mangle?
From: Florian Westphal <fw@strlen.de>
Subject: [PATCH] netfilter: ip6t_NPT: restrict to mangle table
As the translation is stateless, using it in nat table
doesn't work (only initial packet is translated).
filter table OUTPUT works but won't re-route the packet after translation.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
not even compile tested.
diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c
index 83acc14..33608c6 100644
--- a/net/ipv6/netfilter/ip6t_NPT.c
+++ b/net/ipv6/netfilter/ip6t_NPT.c
@@ -114,6 +114,7 @@ ip6t_dnpt_tg(struct sk_buff *skb, const struct xt_action_param *par)
static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
{
.name = "SNPT",
+ .table = "mangle",
.target = ip6t_snpt_tg,
.targetsize = sizeof(struct ip6t_npt_tginfo),
.checkentry = ip6t_npt_checkentry,
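Review bot: Adding `.table = "mangle"` to the SNPT registration turns rulesets like the nat-table ones quoted in the original report from a silent runtime no-op (only the first packet translated) into a rule-load failure, which is the right outcome, but the commit message should state that this is an intentional user-visible change and that existing SNPT rules in nat or filter must be moved to mangle; the ip6tables SNPT/DNPT extension documentation should be updated at the same time so users see why the target is refused outside mangle.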
@@ -124,6 +125,7 @@ static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
},
{
.name = "DNPT",
+ .table = "mangle",
.target = ip6t_dnpt_tg,
.targetsize = sizeof(struct ip6t_npt_tginfo),
.checkentry = ip6t_npt_checkentry,
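Review bot: The DNPT entry gets the same `.table = "mangle"` restriction, and the cover note says "not even compile tested"; before this is applied please build it and confirm that `ip6tables -t nat -A PREROUTING ... -j DNPT` is now rejected at rule-insertion time while the equivalent `-t mangle` rule still loads and re-routes on the translated destination, since that is the behaviour the commit message promises.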
--
1.7.12.4
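A small check for the misconfiguration Florian describes: because SNPT and DNPT are stateless, any rule placing them in the nat table (consulted only for a flow's first packet) or filter (no re-routing after translation) is a bug, and the patch above makes the kernel refuse such rules. The script below, added here as an example rather than code from the thread or the kernel tree, lints an ip6tables-save style dump and reports every NPT rule outside mangle; the embedded dump is constructed from the ruleset in the original report.

```shell
#!/bin/sh
# Lint an ip6tables-save dump: SNPT/DNPT are stateless, so they belong in
# the mangle table only. Any -j SNPT / -j DNPT rule under *nat or *filter
# is reported with the table it was found in.

# Constructed ip6tables-save style dump mirroring the ruleset from the report
# (the two nat rules and a filter OUTPUT rule are the misplaced ones).
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d fd00:0:0:3::/64 -j MARK --set-xmark 0x2a/0xffffffff
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d fd00:0:0:3::/64 -j DNPT --src-pfx fd00:0:0:3::/64 --dst-pfx fd00:0:0:1::/64
-A POSTROUTING -s fd00:0:0:1::/64 -m mark --mark 0x2a -j SNPT --src-pfx fd00:0:0:1::/64 --dst-pfx fd00:0:0:3::/64
COMMIT
*filter
-A OUTPUT -d fd00:0:0:3::/64 -j DNPT --src-pfx fd00:0:0:3::/64 --dst-pfx fd00:0:0:1::/64
COMMIT'

# Read a dump on stdin; print "<table> <rule>" for each misplaced NPT rule.
npt_misplaced() {
    awk '
        /^\*/     { table = substr($0, 2); next }   # "*nat" -> current table
        /^COMMIT/ { table = ""; next }
        /^-A / {
            for (i = 1; i <= NF; i++)
                if ($i == "-j" && ($(i+1) == "SNPT" || $(i+1) == "DNPT") && table != "mangle")
                    print table, $0
        }'
}

# Number of misplaced NPT rules in the constructed dump.
npt_misplaced_count() {
    printf "%s\n" "$SAMPLE_DUMP" | npt_misplaced | wc -l | tr -d " "
}

# Distinct tables holding misplaced NPT rules, space-separated.
npt_misplaced_tables() {
    printf "%s\n" "$SAMPLE_DUMP" | npt_misplaced | awk '{ print $1 }' | sort -u | xargs
}
```

On a live box the same check runs against the real ruleset with `ip6tables-save | npt_misplaced`, and a non-empty result means rules that the patched kernel will refuse and an unpatched kernel will only half-apply.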
* Re: Unable to get NPTv6 to work with kernel 3.8.2
From: Matthias Schiffer @ 2013-03-12 8:34 UTC
To: Florian Westphal; +Cc: Netfilter Developer Mailing List
On 03/12/2013 07:11 AM, Florian Westphal wrote:
> Matthias Schiffer <mschiffer@universe-factory.net> wrote:
>> ip6tables -t nat -A OUTPUT -d fd00:0:0:3::/64 -j DNPT --src-pfx
>> fd00:0:0:3::/64 --dst-pfx fd00:0:0:1::/64
> [..]
>
> This won't work, DNPT is stateless, the nat table is only consulted
> for the first packet of a connection.
>
> Use mangle instead, this should also take care of possible new
> route due to changed dst address.
>
Ah, thanks for your pointer. Everything seems to work correctly now :)
Best regards,
Matthias Schiffer
* Re: Unable to get NPTv6 to work with kernel 3.8.2
From: Pablo Neira Ayuso @ 2013-03-15 12:02 UTC
To: Florian Westphal; +Cc: Matthias Schiffer, Netfilter Developer Mailing List
On Tue, Mar 12, 2013 at 07:11:01AM +0100, Florian Westphal wrote:
> Matthias Schiffer <mschiffer@universe-factory.net> wrote:
> > ip6tables -t nat -A OUTPUT -d fd00:0:0:3::/64 -j DNPT --src-pfx
> > fd00:0:0:3::/64 --dst-pfx fd00:0:0:1::/64
> [..]
>
> This won't work, DNPT is stateless, the nat table is only consulted
> for the first packet of a connection.
>
> Use mangle instead, this should also take care of possible new
> route due to changed dst address.
>
> Any objections wrt. restricting NPT to mangle?
No. People are getting confused with this, so let's get this into the
nf tree to hit mainstream as soon as possible.
Applied, thanks Florian.