Reputation: 49
I have some home servers in my LAN, connecting to the internet by ADSL. My router is a Linux-based x86 server, and I wrote a script on it. I updated the script to nftables some months ago...
It worked all right in IPv4....
One day, I found my ISP provides IPv6 by DHCP-PD. As the IPv6 address may change, it will be hard to set static global IPv6 addresses on servers. Then I'm considering using unique local addresses. I'll need something like:
    ip6tables -t nat -A POSTROUTING -o eth0 -s fc00::/64 -j NETMAP --to 2006::/64
to NAT the addresses to global addresses (and with proper DNAT rules). But I can not find anything like that in nftables...
I've checked the official wiki: nft_nat
But I can not understand how to use nft_nat.
If it's a /24 block in IPv4, it is even possible to enumerate all addresses into a map. But it is really impossible to enumerate a /64 block in IPv6...
So is there any way to do netmap by nftables? Or I have to revert to ip(6)tables? Or any other suggestion?
Thank you.
Upvotes: 0
Views: 3439
Reputation: 171
For those like me looking for an up-to-date answer, the stateful network prefix translation, aka NPT/NPTv6/NAT66, can be done with nftables. There is a regular use case for this – RFC 7157, IPv6 Multihoming without Network Address Translation.
Just place the following ip6 snat rule in the nat postrouting hook (use your prefix size), like in the following example:
    table inet mytable {
        chain srcnat {
            type nat hook postrouting priority srcnat; policy accept;
            ip6 saddr <local-prefix>::/64 snat ip6 prefix to <public-prefix>::/64
        }
    }
You can match only packets going out from a particular interface by specifying:
    oifname "<outgoing-interface>" ip6 saddr <local-prefix>::/64 snat ip6 prefix to <public-prefix>::/64
Upvotes: 1
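The prefix rewrite performed by the rule above, as an added example that is not part of the answer or of the nftables project: a Python helper that computes what `snat ip6 prefix to` does to a given address (prefix bits replaced, interface identifier kept, so no per-address map is needed for a /64), the reverse direction for inbound traffic, and the matching nftables rules. The prefixes, the table name and the `dnat ip6 prefix to` form used for the inbound chain are assumptions, not taken from the page.

```python
import ipaddress

# Constructed example prefixes (not from a real deployment): the ULA
# prefix used on the LAN and the delegated global prefix.
LOCAL_PREFIX = ipaddress.IPv6Network("fd12:3456:789a::/64")
PUBLIC_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")


def netmap(addr, src_prefix, dst_prefix):
    """Rewrite the prefix bits of addr from src_prefix to dst_prefix.

    The host bits (interface identifier) are copied unchanged, which is
    the 1:1 mapping the `... prefix to` nat statement performs.
    """
    if src_prefix.prefixlen != dst_prefix.prefixlen:
        raise ValueError("prefix lengths must match for a 1:1 mapping")
    addr = ipaddress.IPv6Address(addr)
    if addr not in src_prefix:
        raise ValueError(f"{addr} is not inside {src_prefix}")
    host_bits = int(addr) & int(src_prefix.hostmask)
    return ipaddress.IPv6Address(int(dst_prefix.network_address) | host_bits)


def snat(addr):
    """Outbound direction: LAN source rewritten to the global prefix."""
    return netmap(addr, LOCAL_PREFIX, PUBLIC_PREFIX)


def dnat(addr):
    """Inbound direction: global destination rewritten back to the ULA."""
    return netmap(addr, PUBLIC_PREFIX, LOCAL_PREFIX)


def ruleset(oif):
    """Render nftables rules for both directions (table name assumed)."""
    return f"""table inet nptv6 {{
    chain srcnat {{
        type nat hook postrouting priority srcnat; policy accept;
        oifname "{oif}" ip6 saddr {LOCAL_PREFIX} snat ip6 prefix to {PUBLIC_PREFIX}
    }}
    chain dstnat {{
        type nat hook prerouting priority dstnat; policy accept;
        iifname "{oif}" ip6 daddr {PUBLIC_PREFIX} dnat ip6 prefix to {LOCAL_PREFIX}
    }}
}}"""


if __name__ == "__main__":
    print(snat("fd12:3456:789a::1"), dnat("2001:db8:1::1"))
    print(ruleset("eth0"))
```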