FS#3225 - ipv6 npt does not work #8093

openwrt-bot opened this issue Jul 11, 2020 · 1 comment

Supply the following if possible:

  • Device problem occurs on
  • Software versions of OpenWrt/LEDE release, packages, etc.
  • Steps to reproduce

I hope to use IPv6 NPT (RFC 6296 stateless NPT) and have kmod-ipt-nat6 installed.
I am sure that "ip6t_NPT" is about RFC 6296;
in the source code:
MODULE_DESCRIPTION("IPv6-to-IPv6 Network Prefix Translation (RFC 6296)");

root@OpenWrt:~# ip6tables -t mangle -I POSTROUTING -s 2001:470:4999:100::/64 -o br-lan -j SNPT --src-pfx 2001:470:4999:100::/64 --dst-pfx 240e:82:901:9400::/64
ip6tables v1.8.3 (legacy): unknown option "--src-pfx"
Try `ip6tables -h' or 'ip6tables --help' for more information.

I have kmod-ipt-nat6 installed, which contains the NPT extension.

x_tables 12656 37 ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_ecn,xt_dscp,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_HL,xt_FLOWOFFLOAD,xt_DSCP,xt_CT,xt_CLASSIFY,iptable_mangle,iptable_filter,ipt_ECN,ip_tables,xt_set,ip6t_NPT,ip6t_MASQUERADE,ip6table_mangle,ip6table_filter,ip6_tables,ip6t_REJECT

DNPT (IPv6-specific)
Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as described by RFC 6296).

   You have to use this target in the mangle table, not in the nat table. It takes the following options:

   --src-pfx [prefix/length]
          Set source prefix that you want to translate and length

   --dst-pfx [prefix/length]
          Set destination prefix that you want to use in the translation and length

   You have to use the SNPT target to undo the translation. Example:

          ip6tables -t mangle -I POSTROUTING -s fd00::/64  -o vboxnet0 -j SNPT --src-pfx fd00::/64 --dst-pfx 2001:e20:2000:40f::/64

          ip6tables -t mangle -I PREROUTING -i wlan0 -d 2001:e20:2000:40f::/64 -j DNPT --src-pfx 2001:e20:2000:40f::/64 --dst-pfx fd00::/64

   You may need to enable IPv6 neighbor proxy:

          sysctl -w net.ipv6.conf.all.proxy_ndp=1

   You also have to use the NOTRACK target to disable connection tracking for translated flows.

Does anyone have ideas?

NPT is mostly useless for OpenWrt as it breaks conntrack. The result is that you'll have a stateless firewall. It would only be useful if you have a firewall before or after the router with NPT.

The reason for that is that when you use conntrack, you could simply use NETMAP, as most of its costs are already paid.

I suggest you use NETMAP instead of MASQUERADE.

@aparcar aparcar added the kernel pull request/issue with Linux kernel related changes label Feb 22, 2022
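
The stateless mapping that the SNPT/DNPT targets discussed in this thread are built on, as an added example (not code from the issue or from the kernel's ip6t_NPT module): RFC 6296 rewrites the prefix and adjusts one 16-bit word so the one's-complement checksum is unchanged, which is why no connection tracking is involved. `npt_translate` and its helpers are hypothetical names, the host address `::1` is constructed, and prefixes longer than /64 are rejected as a simplification.

```python
import ipaddress


def _words(value):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def _oc_add(a, b):
    """16-bit one's-complement addition (the carry wraps around)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _oc_sum(words):
    total = 0
    for w in words:
        total = _oc_add(total, w)
    return total


def npt_translate(address, from_pfx, to_pfx):
    """Statelessly map address from from_pfx into to_pfx, checksum-neutrally."""
    src = ipaddress.IPv6Network(from_pfx)
    dst = ipaddress.IPv6Network(to_pfx)
    addr = ipaddress.IPv6Address(address)
    plen = src.prefixlen
    if plen != dst.prefixlen or plen > 64 or addr not in src:
        raise ValueError("prefix lengths must match (<= /64) and contain the address")
    host = int(addr) & ((1 << (128 - plen)) - 1)
    out = _words(int(dst.network_address) | host)
    # Adjustment = sum(old prefix) - sum(new prefix), in one's complement.
    adj = _oc_add(_oc_sum(_words(int(src.network_address))),
                  ~_oc_sum(_words(int(dst.network_address))) & 0xFFFF)
    if plen <= 48:
        idx = 3  # the 16-bit subnet word absorbs the adjustment
    else:
        # Longer prefixes: first interface-ID word that is not 0xFFFF.
        idx = next((i for i in range(4, 8) if out[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("interface ID is all ones; not translatable")
    out[idx] = _oc_add(out[idx], adj)
    if out[idx] == 0xFFFF:  # 0xFFFF and 0x0000 both mean zero; emit 0x0000
        out[idx] = 0
    return str(ipaddress.IPv6Address(sum(w << (112 - 16 * i) for i, w in enumerate(out))))


if __name__ == "__main__":
    inside, outside = "2001:470:4999:100::/64", "240e:82:901:9400::/64"  # from the issue
    mapped = npt_translate("2001:470:4999:100::1", inside, outside)  # constructed host
    print(mapped, "->", npt_translate(mapped, outside, inside))
```

With /64 prefixes the adjustment lands in the interface ID, so the translated host part differs from the original one; the reverse call restores it without any per-flow state.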