Question about the new IPv6 Nat mode

[poqdavid]

Hi,

I just noticed the new mode that allows the use of IPv6 and I was wondering a few things

1. What does it mean when it says its not full packet NAT and it doesn't forward arbitrary IPv6 next-header?
2. Does the new mode leak anyting?
3. Now that this i added is it possible to have a more complete IPv6 NAT support if its enabled in the Kernel?

In regard the third question my device has all IPv6 NAT enabled in the kernel and I could test it

[Mygod]

Hi,

That warning is about scope. The new IPv6 NAT mode is userspace NAT66/proxying, not full kernel packet NAT. It assigns clients an app-owned ULA /64, then proxies supported IPv6 traffic through the root daemon: TCP, UDP, DNS through those paths, and best-effort ICMPv6 echo/error handling. It does not translate every possible IPv6 packet or arbitrary IPv6 Next Header protocol, so things like ESP/AH/SCTP/GRE/custom raw IPv6 are not forwarded.

For leaks: NAT mode is intended to fail closed for downstream IPv6. Unsupported IPv6 traffic should be blocked/dropped instead of bypassing through normal platform IPv6 forwarding. This is different from System mode, where Android’s own IPv6 routing can still expose a leak if the VPN does not carry IPv6.

I assume “IPv5” means IPv6 NAT. A more complete kernel NAT66 backend may be possible on devices that have the right ip6tables/nftables NAT support, but it would be a separate implementation, not just enabling a flag in the current mode. I am guessing that you are running a custom-built kernel, which is outside the scope of support for this app for now.

[poqdavid]

Oh yes the IPv5 was a typos I didn't noticed

and this is my kernel https://github.com/poqdavid/android_kernel_samsung_sma155f/tree/kernelsunext
which its the GKI kernel source from Samsung wtih some modifications

And I enable these falgs IP6_NF_TARGET_HL, IP6_NF_MATCH_HL, IP6_NF_NAT, IP6_NF_TARGET_MASQUERADE, NF_NAT_IPV6