feature req: ipv6 nat support

Open nergdron opened this issue 4 years ago • 2 comments

This module is incredibly handy, and I'm using the nat table management features. However, it seems like it only sets up a table for ip(v4), and nothing for v6. I know nat generally isn't super useful on ipv6, but I believe I still need it for using keepalived/ipvsadm on my firewalls connected to backend hosts, so I'd really love to have optional support for it in this module.

nergdron Apr 29 '21 16:04

@nergdron The upcoming release will allow managing the nat tables as well, and in the case of nftables I don't think there's any separate flow to manage NAT for IPv4 and IPv6 - you need prerouting (DNAT) or postrouting (SNAT) chains in the nat table, and then just add rules using the ip or ip6 keywords:

nft add rule inet nat prerouting dnat ip6 to feed::c0fe

kravietz Aug 09 '21 13:08

@kravietz the nat table is currently being created as an ip (ipv4-only) table.

It should be created as an inet table (for both ipv4 and ipv6).

See:

$ cat templates/etc/nftables.conf.j2 | grep "table "
table inet filter {
table ip nat {

rmsc Feb 07 '22 17:02
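The difference discussed in the two comments above, as an added illustration (not the role's `templates/etc/nftables.conf.j2` and not the change merged for this issue). The interface name, ports and addresses are constructed, and it assumes a kernel and nftables version with inet-family NAT support.

```nftables
#!/usr/sbin/nft -f
# Added illustration; interface name and addresses are constructed
# (documentation ranges 192.0.2.0/24 and 2001:db8::/32).

# Before: an ip-family table only ever sees IPv4 packets, so a rule
# that rewrites to an IPv6 address cannot live in it.
#
# table ip nat {
#     chain prerouting {
#         type nat hook prerouting priority dstnat; policy accept;
#     }
# }

# After: one inet-family table whose chains see both IPv4 and IPv6.
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # In the inet family the ip / ip6 keyword after dnat selects
        # which address family the rule rewrites.
        iifname "eth0" tcp dport 80 dnat ip to 192.0.2.10
        iifname "eth0" tcp dport 80 dnat ip6 to 2001:db8::10
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # masquerade takes no family keyword; it applies to both.
        oifname "eth0" masquerade
    }
}
```

A file like this can be syntax-checked without loading it using `nft -c -f <file>`.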

Fixed in https://github.com/ipr-cnrs/nftables/pull/58

kravietz Mar 05 '23 10:03