netfilter.vger.kernel.org archive mirror
From: Rob Ert <ertr3960@gmail.com>
To: netfilter@vger.kernel.org
Subject: Netfilter, IPVLAN, L3S and NAT64
Date: Thu, 21 Dec 2023 12:38:02 -0600
Message-ID: <CANn7yVZ_uPzyp=yMm3zN+LsAQu6exn=H=a-ND3XV=tXx+ciL9Q@mail.gmail.com>

Hello all,

I need IPv4 connectivity for my particular ipvlan server setup and was
hoping someone might be able to help.  My grasp of the subject matter
is too limited, but more knowledgeable people are telling me that
NAT64 will be difficult if not impossible to get working with ipvlan:

https://mail-lists.nic.mx/pipermail/jool-list/2023-December/000498.html

I am a little reluctant to do away with my ipvlan setup (described in
the link above), as it works very well, albeit minus IPv4 connectivity
:-).

Since “Tundra-NAT64” is designed as a translator for one host, I was
thinking, maybe NAT64 could be realized with Tundra-NAT64 running
inside the individual systemd-nspawn containers as an alternative to
setting up full dual-stack IPv6 and IPv4-rfc1918 with masquerading for
the individual containers? I can install Tundra-NAT64 in a
systemd-nspawn container with the following systemd.nspawn overrides:

[Exec]
PrivateUsers=off
Timezone=off
Capability=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_CHOWN CAP_IPC_LOCK

[Network]
IPVLAN=enp1s0

I would rather not keep these overrides in production, but I assume if
it works with the overrides, it can be set up beforehand with
systemd-networkd without overrides.

According to the documentation, ipvlan in L3S mode provides netfilter hooks:

“In L3S mode, virtual devices process the same way as in L3 mode,
except that both egress and ingress traffics of a relevant container
are landed on netfilter chain in the default namespace. L3S mode
behaves in a similar way to L3 mode but provides greater control of
the network.”

I was hoping someone might be able to give me some pointers as to how
to get something like this to work, or tell me definitively that it is
not practically possible; but then, I really don’t understand what L3S
mode is good for.

I am also open to using “Jool” or “Tayga” for NAT64.

Many thanks,
all the best and
Happy Holidays,

Rob
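The message above assumes the ipvlan device ends up in L3S mode, but the systemd-nspawn `IPVLAN=` setting does not expose the ipvlan mode at all. The following is an added configuration example, not code from the thread or from any of the projects it names, showing how the mode can be fixed on the host with systemd-networkd and the finished device handed to the container with `Interface=` instead of `IPVLAN=`. The device name `ipvl0`, the parent `enp1s0` and the container name `CONTAINER` are assumptions; whether NAT64 then works through Tundra-NAT64, Jool or Tayga is not established by this page.

```ini
# /etc/systemd/network/10-ipvl0.netdev   (host)
# Create the ipvlan device with an explicit L3S mode so that both directions
# of the container's traffic traverse the netfilter hooks of the host
# (default) namespace. "ipvl0" is an assumed name.
[NetDev]
Name=ipvl0
Kind=ipvlan

[IPVLAN]
Mode=L3S

# /etc/systemd/network/20-enp1s0.network   (host)
# Attach ipvl0 to the physical parent. Merge this [Network] key into the
# existing .network file for enp1s0 rather than duplicating the [Match].
[Match]
Name=enp1s0

[Network]
IPVLAN=ipvl0

# /etc/systemd/nspawn/CONTAINER.nspawn   (host)
# Move the pre-created device into the container. Because the mode was set
# by networkd on the host, no [Exec] Capability= overrides are needed merely
# to obtain the L3S device; whatever the NAT64 daemon itself needs inside the
# container is a separate question.
[Network]
Interface=ipvl0
```

After `networkctl reload` (or a reboot) and starting the container, `ip -d link show ipvl0` on the host before the container takes the device, or inside the container afterwards, prints the mode in its detailed output (`ipvlan mode l3s`), which is the check that the netfilter-hook behaviour quoted from the kernel documentation actually applies to this device.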

Thread overview: 5+ messages
2023-12-21 18:38 Rob Ert [this message]
2023-12-21 18:42 ` Netfilter, IPVLAN, L3S and NAT64 Joshua Moore
     [not found]   ` <CANn7yVZkCm5KbRxDhJ78TCvBwj7P2adEuqWE+0EQxHAen_YFbA@mail.gmail.com>
2023-12-21 19:12     ` Fwd: " Rob Ert
2023-12-21 19:31       ` Joshua Moore
2023-12-21 19:48         ` Rob Ert
