Support Host-Based Edge Translation #177
I just tested this by setting up local CLAT termination to trex.fi's public NAT64 instance. It works!

### 1: Create private Jool namespace and veth pair connecting it to global netns

```
$ ip netns add jool
$ ip link add name to_jool type veth peer name to_world
$ ip link set up dev to_jool
$ ip link set dev to_world netns jool
$ ip netns exec jool ip link set up dev to_world
```
### 2: Determine link-local addresses of veth pair (used as nexthops later)

```
$ ip -6 address show scope link dev to_jool
4: to_jool: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::2ca5:c7ff:feb5:4f07/64 scope link
       valid_lft forever preferred_lft forever
$ ip netns exec jool ip -6 address show scope link dev to_world
3: to_world: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::e8d1:81ff:fee5:2406/64 scope link
       valid_lft forever preferred_lft forever
```
### 3: Set up IP addressing and routing inside Jool namespace

```
$ ip netns exec jool ip -6 route add default via fe80::2ca5:c7ff:feb5:4f07 dev to_world
$ ip netns exec jool ip -4 address add 192.0.0.2/29 dev to_world
```
### 4: Set up IP addressing and routing in global namespace

```
# The IPv6 CLAT address is stolen from the /64 on eth0, so we'll need proxy-nd
$ echo 1 > /proc/sys/net/ipv6/conf/eth0/proxy_ndp
$ ip -6 neigh add proxy 2a02:c0:400:104::4646 dev eth0
$ ip -6 route add 2a02:c0:400:104::4646 via fe80::e8d1:81ff:fee5:2406 dev to_jool
$ ip -4 address add 192.0.0.1/29 dev to_jool
$ ip -4 route add default via 192.0.0.2 dev to_jool
$ echo 1 | tee /proc/sys/net/ipv6/conf/*/forwarding
```
### 5: Fire up Jool inside network namespace

```
$ ip netns exec jool modprobe jool_siit
$ ip netns exec jool jool_siit --pool6 --add 2001:67c:2b0:db32:0:1::/96
$ ip netns exec jool jool_siit --eamt --add 192.0.0.1 2a02:c0:400:104::4646
```
### 6: Confirm that it works:

```
$ ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=47 time=26.5 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 26.520/26.520/26.520/0.000 ms
```

```
$ mtr -r -c 10 8.8.8.8
Start: Thu Oct 1 09:50:23 2015
HOST: kvmtest.i.bitbit.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.0.2                  0.0%    10    0.1   0.2   0.1   0.4   0.0
  2.|-- 192.0.0.2                  0.0%    10    0.2   0.3   0.2   0.3   0.0
  3.|-- 192.0.0.2                  0.0%    10    0.7   0.6   0.5   1.0   0.0
  4.|-- 192.0.0.2                  0.0%    10    1.6   1.6   1.4   1.8   0.0
  5.|-- 192.0.0.2                  0.0%    10    0.8   0.7   0.6   1.0   0.0
  6.|-- 192.0.0.2                  0.0%    10    0.8   0.8   0.7   1.1   0.0
  7.|-- 192.0.0.2                  0.0%    10    7.6   7.7   7.5   7.9   0.0
  8.|-- 192.0.0.2                  0.0%    10   13.4  13.6  13.4  13.9   0.0
  9.|-- 192.0.0.2                  0.0%    10   16.9  17.0  16.8  17.7   0.0
 10.|-- 192.0.0.2                  0.0%    10   16.7  16.9  16.6  17.4   0.0
 11.|-- 192.0.0.2                  0.0%    10   16.9  16.9  16.9  17.1   0.0
 12.|-- 192.0.0.2                  0.0%    10   16.8  17.0  16.8  17.5   0.0
 13.|-- hanna.bb.trex.fi           0.0%    10   17.5  17.5  17.4  18.0   0.0
 14.|-- eunetip1.unicast.trex.fi   0.0%    10   20.6  20.6  20.4  20.9   0.0
 15.|-- 213.192.184.74             0.0%    10   26.2  26.7  26.2  27.8   0.0
 16.|-- 74.125.50.145              0.0%    10   33.2  27.3  26.0  33.2   2.2
 17.|-- 216.239.54.181             0.0%    10   26.6  26.9  26.6  27.7   0.0
 18.|-- 209.85.251.227             0.0%    10   26.6  26.6  26.4  26.9   0.0
 19.|-- google-public-dns-a.googl  0.0%    10   26.2  26.4  26.2  26.8   0.0
```
This functionality can also be used to make the same node run both SIIT Jool and NAT64 Jool (in their own namespaces). However, one thing that's missing is multiple instances of the same Jool flavour, for example:

```
$ ip netns add jool1
$ ip netns exec jool1 insmod /lib/modules/3.13.0-63-generic/updates/dkms/jool.ko
$ ip netns add jool2
$ ip netns exec jool2 insmod /lib/modules/3.13.0-63-generic/updates/dkms/jool.ko
insmod: ERROR: could not insert module /lib/modules/3.13.0-63-generic/updates/dkms/jool.ko: File exists
$ ip netns exec jool2 jool
Could not send the request to Jool (is it really up?).
Netlink error message: Unspecific failure (Code -1)
```

Being able to do this would have been truly wonderful - and perfect for integration of SIIT-DC into OpenStack Neutron. If in addition it would be possible to run NAT64 and SIIT Jool simultaneously, inside the same network namespace, then you have achieved perfection. :-)
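The six steps of the comment above, gathered into one parameterised POSIX sh script as an added example. This is neither Jool's code nor the script a later commenter mentions. It assumes the same topology and values as the comment (uplink eth0, the borrowed address 2a02:c0:400:104::4646, trex.fi's NAT64 prefix, the 192.0.0.0/29 link); the CLAT_* environment variables, the DRY_RUN switch and the function names are choices made here. `lladdr_from_ip_output` replaces the manual reading of the veth link-local addresses in step 2, and the forwarding/proxy-ND sysctls are written with `sysctl -w` instead of the /proc echoes; the constructed `ip` output sample at the bottom exercises that parser offline. A real run needs root and the jool_siit module; with DRY_RUN=1 the script only prints the commands it would issue.

```shell
#!/bin/sh
# Added example (not Jool's code, not the commenter's script): the six manual steps
# from the comment above as one parameterised script.
# Assumptions (constructed defaults, override through the environment):
#   - the uplink is eth0 and the CLAT IPv6 address is borrowed from its on-link /64
#   - the NAT64 prefix is the trex.fi one used in the comment
#   - Jool SIIT is installed and ip, sysctl and modprobe are available; run as root
# DRY_RUN=1 prints the commands instead of executing them.

NS="${CLAT_NS:-jool}"
WAN_IF="${CLAT_WAN_IF:-eth0}"
VETH_HOST="${CLAT_VETH_HOST:-to_jool}"
VETH_NS="${CLAT_VETH_NS:-to_world}"
CLAT_V6="${CLAT_V6:-2a02:c0:400:104::4646}"
NAT64_PREFIX="${CLAT_NAT64_PREFIX:-2001:67c:2b0:db32:0:1::/96}"
V4_HOST="${CLAT_V4_HOST:-192.0.0.1}"   # host side of the /29, also the EAMT IPv4 address
V4_JOOL="${CLAT_V4_JOOL:-192.0.0.2}"   # Jool side of the /29, IPv4 default gateway of the host
V4_PLEN=29

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pure text function: first fe80:: address in `ip -6 address show` output, empty if none.
lladdr_from_ip_output() {
    printf '%s\n' "$1" |
        sed -n 's#^[[:space:]]*inet6[[:space:]]\{1,\}\(fe80:[^/[:space:]]*\)/.*#\1#p' |
        head -n 1
}

# Link-local address of interface $1, optionally inside namespace $2
# (an obviously fake placeholder when DRY_RUN is set, since no interface exists then).
lladdr_of() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'fe80::<%s>\n' "$1"
    elif [ -n "${2:-}" ]; then
        lladdr_from_ip_output "$(ip netns exec "$2" ip -6 address show scope link dev "$1")"
    else
        lladdr_from_ip_output "$(ip -6 address show scope link dev "$1")"
    fi
}

clat_setup() {
    # 1: private namespace and the veth pair that joins it to the global netns
    run ip netns add "$NS"
    run ip link add name "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set up dev "$VETH_HOST"
    run ip link set dev "$VETH_NS" netns "$NS"
    run ip netns exec "$NS" ip link set up dev "$VETH_NS"
    # 2: link-local addresses, read by hand in the comment, derived here
    ll_host=$(lladdr_of "$VETH_HOST")
    ll_ns=$(lladdr_of "$VETH_NS" "$NS")
    [ -n "$ll_host" ] && [ -n "$ll_ns" ] || { echo "veth link-local addresses not found" >&2; return 1; }
    # 3: addressing and routing inside the Jool namespace
    run ip netns exec "$NS" ip -6 route add default via "$ll_host" dev "$VETH_NS"
    run ip netns exec "$NS" ip -4 address add "$V4_JOOL/$V4_PLEN" dev "$VETH_NS"
    # 4: global namespace: proxy-ND for the borrowed address, route it into the
    #    namespace, send IPv4 to Jool, enable IPv6 forwarding
    run sysctl -q -w "net.ipv6.conf.$WAN_IF.proxy_ndp=1"
    run ip -6 neigh add proxy "$CLAT_V6" dev "$WAN_IF"
    run ip -6 route add "$CLAT_V6" via "$ll_ns" dev "$VETH_HOST"
    run ip -4 address add "$V4_HOST/$V4_PLEN" dev "$VETH_HOST"
    run ip -4 route add default via "$V4_JOOL" dev "$VETH_HOST"
    run sysctl -q -w net.ipv6.conf.all.forwarding=1
    # 5: Jool SIIT inside the namespace: NAT64 prefix plus the EAMT entry for this host
    run ip netns exec "$NS" modprobe jool_siit
    run ip netns exec "$NS" jool_siit --pool6 --add "$NAT64_PREFIX"
    run ip netns exec "$NS" jool_siit --eamt --add "$V4_HOST" "$CLAT_V6"
}

# 6: confirm that IPv4 traffic leaves through the CLAT
clat_check() {
    ping -c 1 -W 3 "${1:-8.8.8.8}"
}

# Constructed sample of `ip -6 address show scope link dev to_jool` output, shaped
# like the one in the comment, so the parser can be exercised without root.
SAMPLE_IP_OUTPUT='4: to_jool: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::2ca5:c7ff:feb5:4f07/64 scope link
       valid_lft forever preferred_lft forever'

case "${1:-}" in
    apply) clat_setup ;;
    check) clat_check ;;
esac
```

Invoke it as `sh clat.sh apply` followed by `sh clat.sh check`, both as root. The link-local addresses are still tentative while duplicate address detection runs right after the veth comes up; the parser accepts them in that state, so if the very first ping fails, repeat the check a second later before suspecting the translation.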
W00t!

OK, Node-Based Translation is possible now. I'm going to branch the multiple Jools problem into a new issue, so I pruned a bunch of text off my previous comment.

I created a little CLAT script from your snippets:
Branched off #140.
"Host-Based Edge Translation" is when a machine translates its own IP traffic.
This is due in 3.4.0 because network namespace support was already achieved (14a233d), and therefore there's now a theoretical (I haven't tested it) way to achieve HBET even though we haven't migrated frameworks.
(This can be proven false by the testing, of course.)