Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Locally originating packages #393

Open
agowa opened this issue Nov 27, 2022 · 2 comments
Open

Locally originating packages #393

agowa opened this issue Nov 27, 2022 · 2 comments

Comments

@agowa
Copy link

agowa commented Nov 27, 2022
edited
Loading

Hi, because jool hooks into the PREROUTING table it doesn't handle locally originating packages.
Just adding a rule to the OUTPUT table doesn't make it work either.
Would it be possible to get this feature? I don't think it's fair to say that "464XLAT" is fully supported without honoring local traffic.

The issue behind this request is:

  • Setting up network namespaces dynamically (if the upstream prefix changes) is complicated and not something I'd like to recommend to anyone.
  • Setting up jool in a separate namespace requires NAT44 and NAT66 which further complicates the setup.
  • When the jool box itself gets it's DNS from the DNS64 other applications will try to connect to the NAT64-Prefix first and hang until they ran into a timeout. Some apps then don't try other IPs at all.
  • Putting jool into a network namespace doesn't work if the upstream network changes (like when jool is the router of a testlab on a notebook), when the upstream does not have prefix delegation or only assigns a single IPv6 via DHCPv6.
  • It makes debugging more complicated and unintuitive. Many may incorrectly assume jool is malfunctioning when a ping 64:ff9b::1.1.1.1 from the jool router fails.

Also related to:
@ydahhrk
Copy link
Member

ydahhrk commented Nov 30, 2022

Sorry for the silence.

Yes, a lot of people has complained about this. AFAIK, the problem is not trivial to fix and it's consequence of Jool's awkward hookup to the kernel.

I'm currently writing a message to the nftables people so we can discuss this. Please be patient. Because I have to do this on my free time, I'm forced to research at a slow pace.

@ydahhrk
Copy link
Member

ydahhrk commented Nov 30, 2022
edited
Loading

Yes, a lot of people has complained about this. AFAIK, the problem is not trivial to fix and it's consequence of Jool's awkward hookup to the kernel.

IIRC, the problem is that Jool switches the packet's pipeline (from the IPv4 stack to the IPv6 stack or vice versa) by routing and then calling dst_output(), which sends the packet to the proper L3 layer's POSTROUTING code.

When I coded this, I was unable to find a public kernel function that would allow me to do the same for LOCAL_IN. This is the reason why I can't get any packet to the current namespace.

I'm not sure if LOCAL_OUT had a similar problem. It's been ~10 years.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ydahhrk @agowa