On Sun, Aug 26, 2007 at 12:48:06PM +0200, alwin wrote:
> I have a webserver and I'm using IPv6 and IPv4 addresses. The Apache
> server in OpenBSD does not support IPv6, so I thought I would use pf to NAT
> the IPv6 address to the IPv4 address for port 80. But pf for some reason
> does not support this.
> 
> I added the following rule to /etc/pf.conf:
> 
> nat pass on vr0 from any to 2000:888:10:bbb::2 port http ->
> 213.84.168.252 port http
> 
> and got the following error message:
> 
> /etc/pf.conf:40: no translation address with matching address family
> found.
> 
> Using rdr instead of nat gives the same problem. If I read this correctly,
> pf does not support NATting between different address families (e.g. IPv6
> and IPv4). Why is this?

Remember that IPv4 datagrams and IPv6 datagrams are different, and have
different structures. This should be obvious from the fact that IPv6
addresses are bigger than IPv4 addresses.

Now, consider what the output packet would look like, post-NAT, in the
scenario you describe. Would it be an IPv4 packet containing an IPv6 source
address? It couldn't be - it wouldn't fit. (However I like the idea of using
IPv5 for this purpose :-) Or would it be an IPv6 packet containing an IPv4
destination address? Well it could, as there's a standard way of mapping
IPv4 addresses into IPv6 format, but your application won't receive IPv6
packets so that doesn't help.

NAT just changes addresses within a packet. What you want to do is to
replace a TCP-over-IPv6 stream with a TCP-over-IPv4 stream (and of course,
in the latter case, both source and destination addresses would have to be
IPv4).

If you really want to do this, you could set up a TCP (layer 4) proxy which
accepts incoming IPv6 connections and makes outgoing IPv4 connections. But
that wouldn't be very good, because Apache would see incoming sessions all
arriving from the proxy's IP address, which means you lose the real source
IP addresses in logs and access control.

An HTTP (layer 7) proxy would be better, in that it could add an
X-Forwarded-For: header which contained the original source IPv6 address.

However, I think you'd find life far, far easier just by recompiling Apache
to work with IPv6 natively.

Regards,

Brian.
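The layer 7 proxy described in the reply above, as an added example that is not code from the original thread or from OpenBSD: a small HTTP reverse proxy in Python that accepts IPv6 connections, forwards each request to an IPv4-only backend, and appends the real client address to X-Forwarded-For. It also shows the check the backend side needs, since a client can send its own X-Forwarded-For: only entries added by a trusted proxy may be believed. The listen address, backend address and trusted-proxy list are hypothetical placeholders.

```python
"""HTTP (layer 7) reverse proxy: IPv6 in, IPv4 out, with X-Forwarded-For.

Added example; the addresses below are placeholders, not from the thread.
"""
import ipaddress
import socket
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

LISTEN_V6 = ("::", 8080)          # hypothetical: proxy accepts IPv6 here
BACKEND_V4 = ("127.0.0.1", 8081)  # hypothetical: IPv4-only Apache
# Hypothetical: the only addresses allowed to vouch for a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

# Hop-by-hop headers must not be forwarded (RFC 7230 section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailers",
              "transfer-encoding", "upgrade"}


def forwarded_headers(headers, client_ip):
    """Return the (name, value) list to send to the backend.

    Drops hop-by-hop headers and appends client_ip (the real TCP peer,
    typically an IPv6 address) to the X-Forwarded-For chain. A client may
    already have sent an X-Forwarded-For of its own; it stays in the chain
    to the left, so the backend must only trust the rightmost entries that
    were added by known proxies (see real_client_ip).
    """
    out, chain = [], []
    for name, value in headers:
        lname = name.lower()
        if lname in HOP_BY_HOP:
            continue
        if lname == "x-forwarded-for":
            chain.extend(v.strip() for v in value.split(",") if v.strip())
            continue
        out.append((name, value))
    chain.append(client_ip)
    out.append(("X-Forwarded-For", ", ".join(chain)))
    out.append(("Connection", "close"))
    return out


def real_client_ip(xff_value, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Backend-side check: recover the client address safely.

    If the TCP peer is not a trusted proxy, the header could be forged, so
    the peer itself is the client. Otherwise walk the chain from the right,
    skipping trusted proxies; the first untrusted hop is the client.
    """
    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in trusted_proxies)
        except ValueError:
            return False

    if not trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in (xff_value or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    return peer_ip


class ProxyHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _proxy(self):
        client_ip = self.client_address[0]
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        hdrs = forwarded_headers(self.headers.items(), client_ip)
        conn = http.client.HTTPConnection(*BACKEND_V4, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=dict(hdrs))
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status, resp.reason)
            for name, value in resp.getheaders():
                if name.lower() not in HOP_BY_HOP | {"content-length"}:
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        except OSError as exc:
            self.send_error(502, "backend unreachable: %s" % exc)
        finally:
            conn.close()

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _proxy


class V6Server(ThreadingHTTPServer):
    # Listen on IPv6; whether v4-mapped clients are also accepted depends on
    # the OS's IPV6_V6ONLY default (always on under OpenBSD).
    address_family = socket.AF_INET6


if __name__ == "__main__":
    V6Server(LISTEN_V6, ProxyHandler).serve_forever()
```

The backend should log and apply access control using real_client_ip rather than the raw header, and it must refuse to honour X-Forwarded-For from any peer other than the proxy; otherwise the header is an easy spoofing vector. This is still a poorer substitute for native IPv6 in Apache: the proxy terminates the TCP session, so anything the server derives from the socket itself (peer address, TCP options) refers to the proxy.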
