Hello Alberto, thanks for your answers so far.

I've looked into the sockmark approach and that does not work, because what I need is an approach that works based on the IPv4 destination address, not the IPv6 source address. The netns approach looks a bit more involved, I still have to look into that.

Best regards,
Martin

On 05/22/2018 02:29 AM, Alberto Leiva wrote:
> Still haven't found the problem. It does seem to be the case that Jool
> packets traverse through the postrouting mangle table, but not the nat
> one. It's pretty odd.
>
> In any case, trying to replicate your problem I noticed that one of
> Jool's features could simplify the solution, without using special
> namespaces.
>
> Basically, you can tell Jool "mask these packets with these addresses,
> mask these other packets with these other addresses." The masking
> decision is based on the packet mark, which you can customize using
> standard iptables rules:
>
> # During IPv6 prerouting, set mark 1 for packets that should be masked
> # with the public address.
> # (In this example, packets from the 2001:db8:1::/64 network should be
> # masked with the public address, but you can use other ip6tables
> # matches.)
> ip6tables -t mangle -A PREROUTING --source 2001:db8:1::/64 -j MARK --set-mark 1
>
> # During IPv6 prerouting, set mark 2 for packets that should be masked
> # with the private address.
> ip6tables -t mangle -A PREROUTING --source 2001:db8:2::/64 -j MARK --set-mark 2
>
> # Tell Jool that packets marked 1 should be masked with your public
> # address.
> jool --pool4 --add 1.2.3.4 --mark 1
>
> # Tell Jool that packets marked 2 should be masked with your private
> # address.
> jool --pool4 --add 192.168.0.1 --mark 2
>
> See the pool4 documentation for more: https://jool.mx/en/pool4.html
>
> On Mon, May 21, 2018 at 11:31 AM, Alberto Leiva <[email protected]> wrote:
>> Oh, I forgot: Here's how to enclose Jool in a network namespace:
>>
>> https://jool.mx/en/usr-flags-instance.html
>> https://jool.mx/en/node-based-translation.html
>>
>> Both documentation pieces intend to do something slightly different
>> from what you're doing, but should be easy to adapt.
>>
>> On Mon, May 21, 2018 at 11:29 AM, Alberto Leiva <[email protected]> wrote:
>>>> IPv4 packets created by Jool do not seem to pass the
>>>> nat postrouting chain in netfilter
>>>
>>> Hmm? This is odd. The kernel code says otherwise. Might be a bug; I'll
>>> test it now.
>>>
>>> Anyway, this is how it's supposed to work:
>>> https://jool.mx/en/intro-jool.html#design
>>>
>>> Check both diagrams. Assuming that Jool packets are really skipping
>>> the postrouting chain, you could enclose it in a network namespace
>>> (the red box) so you can use the outer namespace's (not red box)
>>> postrouting chain. There is no way that one will be skipped if you do
>>> that.
>>>
>>> On Sun, May 20, 2018 at 9:48 AM, Martin Weinelt
>>> <[email protected]> wrote:
>>>> Hi everyone,
>>>>
>>>> I'm currently building my first NAT64 setup and have stumbled upon a
>>>> problem.
>>>>
>>>> When I use our public IPv4 address as pool4 I can access the internet
>>>> just fine, except that I additionally need to be able to reach some
>>>> private IPv4 addresses over site-to-site tunnels as well, where that
>>>> source address doesn't work.
>>>>
>>>> This is why I thought of using a bunch of private IPv4 addresses to map
>>>> the NAT64 against, so they'll work for the s2s tunnel and where I can
>>>> additionally make use of NAT44 towards the internet.
>>>>
>>>> The issue is that IPv4 packets created by Jool do not seem to pass the
>>>> nat postrouting chain in netfilter, where masquerading would happen.
>>>> Instead I now have private IPv4 addresses being used as saddr towards the
>>>> internet, which cannot work either.
>>>>
>>>> I'd appreciate some help!
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Martin
>>>> _______________________________________________
>>>> Jool-list mailing list
>>>> [email protected]
>>>> https://mail-lists.nic.mx/listas/listinfo/jool-list
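Martin's requirement (pick the pool4 address by IPv4 destination, not IPv6 source) can still use Alberto's mark-based approach, because with a /96 pool6 prefix the IPv4 destination is embedded in the low 32 bits of the IPv6 destination that ip6tables sees during PREROUTING, before Jool translates the packet. The script below is an added example, not code from the thread or from the Jool project; it assumes the well-known 64:ff9b::/96 prefix and a constructed 10.0.0.0/8 tunnel destination, and reuses the thread's 1.2.3.4 and 192.168.0.1 pool4 addresses.

```python
"""Generate ip6tables MARK rules plus Jool pool4 entries that choose the
IPv4 source address by IPv4 *destination*.
Assumption: pool6 is a /96 prefix, so (RFC 6052) the IPv4 destination sits
in the last 32 bits of the IPv6 destination address."""
import ipaddress


def embed_ipv4_net(pool6, ipv4_net):
    """Return the IPv6 network NAT64 maps ipv4_net onto under pool6 (/96 only)."""
    p6 = ipaddress.IPv6Network(pool6)
    n4 = ipaddress.IPv4Network(ipv4_net)
    if p6.prefixlen != 96:
        raise ValueError("only /96 pool6 prefixes are handled here")
    embedded = ipaddress.IPv6Address(int(p6.network_address) | int(n4.network_address))
    # An IPv4 /N becomes an IPv6 /(96+N) inside the pool6 prefix.
    return ipaddress.IPv6Network((embedded, 96 + n4.prefixlen))


def build_rules(pool6, default_pool4, default_mark, specials):
    """specials: list of (ipv4_dest_net, mark, pool4_addr).

    MARK is a non-terminating target, so the catch-all rule is emitted first
    and the more specific rules after it: the last matching rule's mark wins.
    """
    rules = [
        f"ip6tables -t mangle -A PREROUTING -d {pool6} -j MARK --set-mark {default_mark}",
        f"jool --pool4 --add {default_pool4} --mark {default_mark}",
    ]
    for ipv4_net, mark, pool4 in specials:
        v6 = embed_ipv4_net(pool6, ipv4_net)
        rules.append(f"ip6tables -t mangle -A PREROUTING -d {v6} -j MARK --set-mark {mark}")
        rules.append(f"jool --pool4 --add {pool4} --mark {mark}")
    return rules


if __name__ == "__main__":
    # Constructed scenario: everything via the public address (mark 1),
    # except the 10.0.0.0/8 tunnel network, which gets the private address (mark 2).
    for line in build_rules("64:ff9b::/96", "1.2.3.4", 1,
                            [("10.0.0.0/8", 2, "192.168.0.1")]):
        print(line)
```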
