On 12/26/2016 01:12 PM, Simon Hobson wrote:
> Tuomo Soini <t...@foobar.fi> wrote:
>
>> What do you mean with NPTv6 ?
>
> I assume he wants to use NPT (Network Prefix Translation) to avoid
> the complications of multihoming systems with multiple IPv6
> providers.
>

Bit of dyslexia on my part then.

My personal approach to multiple IPv6 providers is to assign my local
networks prefixes delegated from one of my providers' routers and simply
use SNAT when sending traffic out of the other provider. That is
stateful and supports problem protocols like FTP.

In Netfilter, NPT is stateless, so it is a pain to use. There is
therefore no formal support for NPT in Shorewall6 (the
shorewall6-netmap(5) file is no longer usable since the Netfilter
rawpost table has been removed).

It is possible to configure NPT in shorewall-mangle(5) (assuming that
your kernel and ip6tables support the SNPT and DNPT targets) but there
is currently no documentation for how to do that. A brief outline of
what is required:

Add SNPT and DNPT as builtin actions in /etc/shorewall6/actions:

	SNPT	builtin,mangle,terminating
	DNPT	builtin,mangle,terminating

To configure DNPT in the shorewall6/mangle file:

	IP6TABLES(DNPT --src-pfx <prefix/length> --dst-pfx <prefix/length> ):P ...

and to configure SNPT:

	IP6TABLES(SNPT --src-pfx <prefix/length> --dst-pfx <prefix/length> ):T ...

See iptables-extensions(8) for additional information on SNPT and DNPT.
In particular, you must disable connection tracking for the translated
flows in shorewall-conntrack(5).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
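
The message above describes Netfilter NPT as stateless: the new address depends only on the packet's address and the two prefixes given to --src-pfx and --dst-pfx. The following is an added example, not part of the original message and not Shorewall or kernel code; it models the RFC 6296 checksum-neutral mapping that iptables-extensions(8) cites for SNPT/DNPT. It assumes equal-length prefixes of /48 or shorter; the function names and sample prefixes are constructed for illustration.

```python
import ipaddress

def _fold(x):
    # 16-bit one's-complement addition: fold carries back in (end-around carry).
    while x > 0xFFFF:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def words(addr):
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def csum16(addr):
    # One's-complement sum of the eight address words; this is the address's
    # contribution to the TCP/UDP pseudo-header checksum.
    return _fold(sum(words(addr)))

def npt_translate(addr, src_pfx, dst_pfx):
    """Map addr from src_pfx into dst_pfx without changing csum16(addr)."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_pfx)
    dst = ipaddress.IPv6Network(dst_pfx)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("example handles equal-length prefixes of /48 or shorter")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    # 1. Swap the prefix bits, keep the host bits.
    swapped = int(dst.network_address) | (int(addr) & int(src.hostmask))
    w = words(swapped)
    # 2. adjustment = sum(src prefix) - sum(dst prefix), in one's complement.
    adj = _fold(csum16(src.network_address) + (~csum16(dst.network_address) & 0xFFFF))
    # 3. Apply it to the 16-bit word after the /48 boundary (bits 48..63).
    w[3] = _fold(w[3] + adj)
    if w[3] == 0xFFFF:          # RFC 6296: 0xFFFF is written as 0x0000
        w[3] = 0
    return ipaddress.IPv6Address(sum(x << (112 - 16 * i) for i, x in enumerate(w)))

def demo():
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"   # constructed prefixes
    out = npt_translate("fd01:203:405:1::1234", inside, outside)   # SNPT direction
    back = npt_translate(out, outside, inside)                     # DNPT direction
    return out, back

if __name__ == "__main__":
    out, back = demo()
    print(out, back, hex(csum16(out)), hex(csum16(back)))
```

Because the reverse mapping is computed from the same two prefixes, no per-flow entry is created in either direction, which is also why this approach gives no help to protocols that embed addresses in their payload, such as FTP.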