Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
Need to enable firewall-like features on the NAT64 #41
Jool intercepts and steals packets before iptables filters, so there's no way to firewall translating traffic unless it is done by a separate, adjacent machine.
This is necessary so NAT64 happens after iptables does filtering. It's also needed so Jool catches local traffic, which is needed by local CLATs. As an added bonus, it invalidates issue #90. Woot! Progress so far, summary: - Issue #33: Done. - Issue #41: Done. - Issue #107: Done. - Issue #111: dhfelix is done, but haven't even started to review. - Issue #116: EAM done, moved from prerouting done, dummy interface done. Missing (off the top of my head): - Adapting the global packet processing pipeline for stateless mode. - Configuration options. - Review RFC 6145 and updaters. - Issue #120: Done. - Issue #121: Not done. Everything needs testing. There are known bugs with fragmentation.
As I've mentioned before in e-mail, this isn't actually the case. Jool does steal the packet so that it doesn't traverse IPTables'
So you can do stuff like this:
Another thing worth pointing out is that any marks set on the packet in the
If you don't want to use IPTables, there's also an alternate way you can block traffic using
Note that filtering using
In summary I think this is more of a documentation issue, not a missing feature. At least I don't see any point in duplicating functionality provided by other parts of the kernel in Jool itself.
OK, here's the status:
As I said in this comment, I do not see any problems with filtering in mangle, but some iptables documentation does (apparently). I do not know the reasoning, so I will neither discourage nor encourage it.
On the other hand, now that Jool can be enclosed in a namespace, filtering can be done in the forwarding chains. This might not look as clean as it could be, but is no different than if Jool were a device driver.
So either way, it looks like this is no longer an issue.