3rd April 2011
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Work being done to add NAT64 to OpenBSD pf

NAT64 is one of the transition mechanisms from IPv4 to IPv6.

From http://en.wikipedia.org/wiki/NAT64#NAT64

Quote:
NAT64 is a mechanism to allow IPv6 hosts to communicate with IPv4 servers. The NAT64 server is the endpoint for at least one IPv4 address and an IPv6 network segment of 32-bits (64:FF9B::/96). The IPv6 client embeds the IPv4 address it wishes to communicate with using these bits, and sends its packets to the resulting address. The NAT64 server then creates a NAT-mapping between the IPv6 and the IPv4 address, allowing them to communicate.
According to http://marc.info/?l=openbsd-tech&m=130168007430450&w=2 NAT64 is being worked on in OpenBSD's pf packet filter.

Quote:
The pfctl(8) grammar we conceived is based on the style of nat-to, so
if vr0 is your incoming interface then the ipv4-to-ipv6 translation
rule looks like:

pass in on vr0 inet af-to inet6 (2001::1 2001::/96)

and in a short form, considering a 1:1 mapping of the ipv4 address
inside the last 32 octets of an ipv6 address (allowed by the /96
prefix):

pass in on vr0 inet af-to inet6 2001::1

where 2001::1 is a *source* address of the target ipv6 capable interface.
It can also be specified in a (int0) notation. Source and destination
addresses don't need to be on the same subnet. 1:1 (or "af-to binat")
configurations are supported too.

The same applies to the ipv6-to-ipv4 translation. Unfortunately man page
bits for pfctl are still in development
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
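The 1:1 mapping both quotes rely on, with the IPv4 address carried in the low 32 bits of a /96 IPv6 prefix, as an added example that is not part of the original post or of the OpenBSD work. The function names and the sample addresses are assumptions made for illustration; the decoder is the piece a defender needs to recover the real IPv4 peer from a NAT64 address seen in logs.

```python
import ipaddress

def _check_prefix(prefix: str) -> ipaddress.IPv6Network:
    """Parse the translation prefix; only the /96 form from the post is handled."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 prefixes leave exactly 32 bits for IPv4")
    return net

def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Place the IPv4 address in the low 32 bits of the /96 prefix."""
    net = _check_prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))

def extract_ipv4(prefix: str, ipv6: str):
    """Return the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    net = _check_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None  # ordinary IPv6 traffic, nothing embedded
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def decode_destinations(prefix: str, dests):
    """Map each logged IPv6 destination to its IPv4 peer (None if not translated)."""
    return {d: extract_ipv4(prefix, d) for d in dests}

# Constructed sample destinations, as they might appear in a flow log.
SAMPLE_DESTS = ["64:ff9b::c000:221", "2001:db8::5", "64:ff9b::c633:6407"]

if __name__ == "__main__":
    print(embed_ipv4("64:ff9b::/96", "192.0.2.33"))
    print(embed_ipv4("2001::/96", "10.0.0.1"))
    for dest, peer in decode_destinations("64:ff9b::/96", SAMPLE_DESTS).items():
        print(dest, "->", peer)
```

Decoding the embedded address before matching lets IPv4-based allow and block lists still apply to traffic that crosses the translator.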