[FS#500] firewall3: missing targets with IPv6 NAT

LEDE Bugs lede-bugs at lists.infradead.org
Sat Aug 26 02:42:20 PDT 2017

The following task has a new comment added:

FS#500 - firewall3: missing targets with IPv6 NAT
User who did this - Nathaniel Wesley Filardo (nwf)

Several places in the firewall3 code for handling redirects explicitly reject IPv6, despite what's hinted in the documentation and the... shall we say somewhat aspirational inclusion of a 'family' parameter.

Looking at


the initial positions that stand out are lines 119, 243, 256-258, 275, 413, 630-631, and 650.  All of these would seemingly need IPv6 analogs in order for redirects to work properly.

I've taken the wimp's way out and just added what I need to /etc/firewall.user:

ip6tables -A forwarding_wan_rule -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -t nat -A PREROUTING -p tcp -m tcp --dport 25 -m set --match-set me6 dst -j DNAT --to-destination '[fdec:...]:25'

A userland script maintains the contents of the 'me6' ipset to the union of the addresses assigned to interfaces I want redirected; it's all a big mess, because this machine is both a router and an endpoint with services.  In any case, that script is:


(ip -o -6 a s dev usb0; ip -o -6 mon addr dev usb0) |
  awk 'function ssfx(ip) { return gensub(/^([^\/]*)\/.*$/, "\\1", 1, ip) } /^[[:digit:]]+:.*inet6/{ print "ipset -! add me6 " ssfx($4) } /^Deleted.*inet6/{ print "ipset -! del me6 " ssfx($5) }' |

The more usual way that this is done, with "iptables -t nat -A PREROUTING -i $IFACE ... -j DNAT ..." doesn't work if we expect to route across $IFACE to other machines and don't wish to intercept traffic: PREROUTING happens entirely before the local routing decision, so we're looking at packets both intended for us and intended to route across us, and have no easy way of distinguishing; thus, the ipset and script.  A similar stunt would, I think, be necessary with ipv4 in a similarly complex situation, but it just happens not to arise as often, AFAICT.

More information can be found at the following URL:

More information about the lede-bugs mailing list