Jool can not working with netfilter(iptables/nftables) NAT which using conntrack #397
Labels
Discussion
Not a bug (for now)
Milestone
Comments
|
Oh sorry, I thought this was closed because of the duplicate #398, and because you did reach the correct conclusion. Yes, Jool'd packets do skip conntrack. But if you run Jool and conntrack in separate namespaces, they chain fine and don't interfere with each other. This is a result of Jool's somewhat awkward architecture, and can't be fixed without a large overhaul, which is #273. Do you want to discuss something else? |
|
I'm sorry for any inconvenience caused. No, my issue has already been resolved. I don't recall creating a duplicate issue, perhaps it was caused by network jitter. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Internet <--- ipv6 ---> (2001:db8::1) WAN LAN(192.168.1.1) <--- ipv4 ---> IoT device(192.168.1.2)
I want to remote access my home IoT device over an ipv6-only wan, but a simple ipv6 port forwarding like below won't work……
jool instance add --pool6 64:ff9b::/96 nft 'add rule inet fw4 dstnat_wan meta nfproto ipv6 tcp dport 10022 dnat ip6 to [64:ff9b::c0a8:102]:22'#372#issuecomment-1021322964
jool uses it's own bib table instead of conntrack to manage nat mappings, this causes iptables/nftables NAT(SNAT/DNAT/MASQUERADE) can not work together with jool as the connection is NEVER actually established, jool just drops ipv6 packets from one side and recreates ipv4 packets from the other side.
A workaround is to create a pair of veth then use the network namespace, this wiil let the packet "really" be sent to the interface and conntrack will be work fine
https://www.jool.mx/en/node-based-translation.html
The text was updated successfully, but these errors were encountered: