Need to enable firewall-like features on the NAT64 #41
Jool intercepts and steals packets before iptables filters, so there's no way to firewall translating traffic unless it is done by a separate, adjacent machine.
As I've mentioned before in e-mail, this isn't actually the case. Jool does steal the packet so that it doesn't traverse IPTables'
So you can do stuff like this:
Another thing worth pointing out is that any marks set on the packet in the
If you don't want to use IPTables, there's also an alternate way you can block traffic using
Note that filtering using
In summary I think this is more of a documentation issue, not a missing feature. At least I don't see any point in duplicating functionality provided by other parts of the kernel in Jool itself.
OK, here's the status:
As I said in this comment, I do not see any problems with filtering in mangle, but some iptables documentation does (apparently). I do not know the reasoning, so I will neither discourage nor encourage it.
On the other hand, now that Jool can be enclosed in a namespace, filtering can be done in the forwarding chains. This might not look as clean as it could be, but is no different than if Jool were a device driver.
So either way, it looks like this is no longer an issue.
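The two approaches discussed in the thread (filtering in the mangle table before Jool takes the packet, or filtering in the host's FORWARD chain once Jool runs inside a network namespace), as an added example that is not part of the issue or of the Jool project's own code. It assumes a NAT64 prefix of 64:ff9b::/96, an allowed IPv6 client range of 2001:db8::/32, and a host-side veth named jool0 leading into the Jool namespace; all three are hypothetical.

```shell
#!/bin/sh
# Added example: two ways to firewall traffic that Jool will translate.
# Set DRY_RUN=1 to print the iptables commands instead of applying them
# (applying them needs root and the netfilter modules).
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Option 1 (comment above): Jool steals packets before the filter table
# sees them, but the mangle table runs earlier in PREROUTING, so rules
# placed there are still evaluated. Assumed prefix and client range.
mangle_rules() {
    nat64_prefix="${1:-64:ff9b::/96}"
    allowed_v6="${2:-2001:db8::/32}"
    # Only the allowed IPv6 clients may reach the NAT64 prefix; everything
    # else is dropped before Jool ever handles it.
    run ip6tables -t mangle -A PREROUTING -d "$nat64_prefix" ! -s "$allowed_v6" -j DROP
}

# Option 2 (comment above): with Jool inside its own network namespace,
# every packet to or from it crosses the host's FORWARD chain, so the
# ordinary filter table applies. jool0 is the assumed host-side veth.
forward_rules() {
    jool_if="${1:-jool0}"
    # IPv6 side: block SSH through the translator, allow the rest in.
    run ip6tables -A FORWARD -o "$jool_if" -p tcp --dport 22 -j DROP
    run ip6tables -A FORWARD -o "$jool_if" -j ACCEPT
    # IPv4 side: only replies to IPv6-initiated sessions may return to Jool.
    run iptables -A FORWARD -o "$jool_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -o "$jool_if" -j DROP
}
```

Run with `DRY_RUN=1 sh script.sh` after appending calls to `mangle_rules` or `forward_rules` to review the rules before applying them.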