On 26.12.2016 at 22:44, Tom Eastep wrote:
>> I assume he wants to use NPT (Network Prefix Translation) to avoid
>> the complications of multihoming systems with multiple IPv6
>> providers.

This is correct. I wish to have a solution to use two providers with
different IPv6 prefixes, with the option to say: use provider A for
particular destinations and provider B for all other destinations. In
Shorewall (for IPv4) this works without problems with mangle.

> Bit of dyslexia on my part then.
>
> My personal approach to multiple IPv6 providers is to assign my local
> networks prefixes delegated from one of my provider's routers and
> simply use SNAT when sending traffic out of the other provider. That
> is stateful and supports problem protocols like FTP.

Can you give me a configuration example for this?

> In Netfilter, NPT is stateless, so it is a pain to use. There is
> therefore no formal support for NPT in Shorewall6 (the
> shorewall6-netmap(5) file is no longer usable since the Netfilter
> rawpost table has been removed). It is possible to configure NPT in
> shorewall-mangle(5) (assuming that your kernel and ip6tables support
> the SNPT and DNPT targets) but there is currently no documentation for
> how to do that.
>
> A brief outline of what is required:
>
> Add SNPT and DNPT as builtin actions in /etc/shorewall6/actions:
>
>     SNPT    builtin,mangle,terminating
>     DNPT    builtin,mangle,terminating
>
> To configure DNPT in the shorewall6/mangle file:
>
>     IP6TABLES(DNPT --src-pfx <prefix/length> --dst-pfx <prefix/length> ):P ...
>
> and to configure SNPT:
>
>     IP6TABLES(SNPT --src-pfx <prefix/length> --dst-pfx <prefix/length> ):T ...
>
> See iptables-extensions(8) for additional information on SNPT and
> DNPT. In particular, you must disable connection tracking for the
> translated flows in shorewall-conntrack(5).

It doesn't work.

/etc/shorewall6/mangle:

    MARK(768):P    eth0   -   tcp   22,47238,52486   # ssh traffic by dsl
    MARK(512):P    eth0   -   -     -                # other traffic by cbl
    IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx fdae:fa7:dead:beef::/64 ):P   eth0   -   -   -
    IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx 2001:XXXX:YYYY:100::/64 ):P   eth0   -   -   -

Result:

    Checking /etc/shorewall6/mangle...
       ERROR: Invalid ACTION (IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx fdae:fa7:dead:beef::/64 ):P) /etc/shorewall6/mangle (line 18)

fdae:fa7:dead:beef::/64 is the local network, 2001:XXXX:YYYY:100::/64 the
network of a provider.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
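As an added illustration (not code from the Shorewall project, from Netfilter, or from anyone in this thread), the following Python models the per-address rewrite that the ip6tables SNPT and DNPT targets perform, following RFC 6296: the prefix bits are swapped and one 16-bit word of the remaining address is adjusted so that the TCP/UDP/ICMPv6 pseudo-header checksum is unchanged. It makes concrete why Tom calls NPT stateless: the mapping is a fixed arithmetic function of the two prefixes, with no connection table, and the reverse rule undoes it exactly. The internal prefix fdae:fa7:dead:beef::/64 is taken from the message above; 2001:db8:1:100::/64 is a documentation prefix standing in for the masked provider prefix 2001:XXXX:YYYY:100::/64, and the host address ::10 is constructed.

```python
"""Stateless IPv6 Network Prefix Translation (NPT, RFC 6296) as a pure function.

Added illustration, not Shorewall or Netfilter code: it mirrors the mapping
that the ip6tables SNPT/DNPT targets apply to one address so that the
translation can be inspected without a kernel.  Constructed values: the
provider prefix 2001:db8:1:100::/64 stands in for the masked
2001:XXXX:YYYY:100::/64 of the thread; the host ::10 is invented.
"""
import ipaddress


def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry (IP checksum arithmetic)."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total & 0xFFFF


def addr_words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    packed = ipaddress.IPv6Address(addr).packed
    return [(packed[i] << 8) | packed[i + 1] for i in range(0, 16, 2)]


def address_checksum(addr):
    """What an address contributes to a TCP/UDP/ICMPv6 pseudo-header checksum."""
    return ones_complement_sum(addr_words(addr))


def npt_adjustment(src_pfx, dst_pfx):
    """sum(src prefix) - sum(dst prefix) in one's complement (subtracting x = adding ~x)."""
    src = ipaddress.IPv6Network(src_pfx, strict=False)
    dst = ipaddress.IPv6Network(dst_pfx, strict=False)
    s = ones_complement_sum(addr_words(src.network_address))
    d = ones_complement_sum(addr_words(dst.network_address))
    return ones_complement_sum([s, d ^ 0xFFFF])


def npt_translate(addr, src_pfx, dst_pfx):
    """Rewrite addr from src_pfx to dst_pfx the way SNPT/DNPT do.

    Returns the address unchanged when it is not inside src_pfx (the rule
    does not match).  Raises ValueError where the target would drop the packet.
    """
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_pfx, strict=False)
    dst = ipaddress.IPv6Network(dst_pfx, strict=False)
    pfx_len = max(src.prefixlen, dst.prefixlen)
    if pfx_len > 64:
        raise ValueError("NPT prefixes must be /64 or shorter")
    if addr not in src:
        return addr

    # Step 1: overwrite the prefix bits, keep the host bits.
    mask = ((1 << pfx_len) - 1) << (128 - pfx_len)
    rewritten = (int(addr) & ~mask) | (int(dst.network_address) & mask)
    words = addr_words(ipaddress.IPv6Address(rewritten))

    # Step 2: choose the word that absorbs the checksum delta: the subnet-ID
    # word (index 3) for prefixes up to /48, otherwise the first interface-ID
    # word that is not 0xFFFF (a word of all ones cannot take an adjustment).
    if src.prefixlen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("no word available for checksum adjustment; packet dropped")

    # Step 3: add the precomputed adjustment; 0xFFFF and 0x0000 are both zero
    # in one's complement, so an all-ones result is normalised to zero.
    adjusted = ones_complement_sum([words[idx], npt_adjustment(src, dst)])
    words[idx] = 0 if adjusted == 0xFFFF else adjusted
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


INTERNAL = "fdae:fa7:dead:beef::/64"   # local network from the thread
EXTERNAL = "2001:db8:1:100::/64"       # constructed stand-in for the provider prefix


if __name__ == "__main__":
    host = "fdae:fa7:dead:beef::10"                  # constructed host address
    out = npt_translate(host, INTERNAL, EXTERNAL)    # SNPT on the way out
    back = npt_translate(out, EXTERNAL, INTERNAL)    # DNPT on the way back in
    print(f"{host} -> {out} -> {back}")
    print(f"checksum before {address_checksum(host):#06x}, after {address_checksum(out):#06x}")
```

Because the translated address differs from the original only in the prefix and in one compensating word, the transport checksum computed by the host stays valid end to end, so no per-flow state is needed. The same property is also why, as Tom's outline says, connection tracking has to be switched off for the translated flows: conntrack sees the packet with one source address on the way out and the mapped address on replies, and with no NAT entry of its own it cannot match the two.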
