Subject: Re: stf(4) and NAT protocol forwarding
To: Jonathan A. Kollasch <jakllsch@kollasch.net>
From: Jonathan A. Kollasch <jakllsch@kollasch.net>
List: tech-net
Date: 01/10/2006 10:54:41

On Sat, Jan 07, 2006 at 10:57:17PM -0600, Jonathan A. Kollasch wrote:
> Hi,
> 	Because my ADSL gateway (running OpenWrt Busybox/Linux 2.4)
> isn't providing me with stable 6to4 connectivity (long story, not
> on topic here) I've decided to switch my 6to4 router back to NetBSD.
>
> I've got full control over iptables on the ADSL gateway, thus I
> can do protocol forwarding.  However, I can't get stf(4) to accept
> packets directed at its private IPv4 address.  I'm using the binat
> rule as suggested the last time this subject came up, it seems to
> let the packets get out.  I've tried using the link2 bit on stf0
> and it doesn't seem to make a bit of difference.  I can see the
> encapsulated packets arrive at the 6to4 router, directed at its
> local private address.  lo0 holds a copy of my public IP.  This
> is on 3.0/macppc if that makes any difference.  Is there a way to
> get stf(4) to decapsulate *all* protocol 41 packets, and base
> everything on the internal destination address?

Well, it looks like link2 does do that.  I put printf(3)s in the
areas of code where ingress filtering is performed, the interface
is functioning as documented, and the binat rule eliminates the
need for the link2 bit in this case.  Somehow this all just
started working, esp. after I made the protocol 41 forwarding
the first thing on the gateway's iptables setup.  Still, it seems
that the gateway sometimes forgets to forward packets, so I
sometimes get lag on IRC (this was _much_ worse using Linux).
Also my local LAN performs better, because when my boxes make
the mistake of sending LAN traffic at the default route, an ICMPv6
redirect is sent back, rather than the packet getting forwarded.

== ifconfig -au ==
ex0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        capabilities=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
        enabled=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
        address: 00:50:da:79:XX:XX
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.27.72.250 netmask 0xffffff00 broadcast 172.27.72.255
        inet6 fe80::250:daff:fe79:XXXX%ex0 prefixlen 64 scopeid 0x1
        inet6 2002:a867:36dd:1::1 prefixlen 64
        inet6 fd40:b302:7d80:7001::1 prefixlen 64
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33192
        inet 127.0.0.1 netmask 0xff000000
        inet alias 168.103.54.221 netmask 0xffffffff
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
stf0: flags=1<UP> mtu 1472
        inet6 2002:a867:36dd::1 prefixlen 16

== /etc/ipnat.conf ==
bimap ex0 168.103.54.221/32 -> 172.27.72.250/32 ipv6

	Jonathan Kollasch
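As an added example (not part of the post or of NetBSD), a small Python check of the 6to4 addressing relationship the configuration above depends on: the 2002::/48 prefix is derived from the IPv4 address the protocol 41 packets are addressed to, so with the bimap rule that is the public 168.103.54.221, and the stf0 and LAN prefixes must be derived from it rather than from the private 172.27.72.250. Function names are my own; the addresses are the ones shown in the ifconfig and ipnat output.

```python
import ipaddress
from typing import List, Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Derive the 6to4 /48 (RFC 3056) that belongs to an IPv4 address:
    2002:VVVV:WWWW::/48, where VVVV:WWWW is the address written in hex."""
    packed = ipaddress.IPv4Address(ipv4).packed
    return ipaddress.IPv6Network("2002:%02x%02x:%02x%02x::/48" % tuple(packed))


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried in bits 16..47 of a 6to4 address,
    or None if the address is not inside 2002::/16."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(addr.packed[2:6])


def check_6to4_config(outer_v4: str, stf_addr: str, lan_addrs: List[str]) -> List[str]:
    """Report every configured 6to4 address whose embedded IPv4 address does not
    match outer_v4, the IPv4 address the encapsulated packets are sent to.
    Behind a 1:1 NAT (the ipnat bimap in the post) that is the public address;
    derived from the private address, nothing matches."""
    expected = six_to_four_prefix(outer_v4)
    problems = []
    for name, a in [("stf0", stf_addr)] + [("lan", a) for a in lan_addrs]:
        if ipaddress.IPv6Address(a) not in expected:
            problems.append(f"{name} {a} is not inside {expected}")
    return problems


if __name__ == "__main__":
    # Values taken from the ifconfig / ipnat.conf output in the post.
    public_v4, private_v4 = "168.103.54.221", "172.27.72.250"
    stf0 = "2002:a867:36dd::1"
    lan = ["2002:a867:36dd:1::1"]
    print(six_to_four_prefix(public_v4))             # 2002:a867:36dd::/48
    print(check_6to4_config(public_v4, stf0, lan))   # [] -> consistent with the bimap
    print(check_6to4_config(private_v4, stf0, lan))  # two mismatches against 2002:ac1b:48fa::/48
```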
