Message-ID: <w7bwjqyae36c6pqhqjmvjcrwtpny6jxjyvxzb2qzt7atjncxd2@gi4xhlyrz27b>
Date: Sun, 8 Jun 2025 20:37:10 +0000
From: Klaus Frank <vger.kernel.org@...nk.fyi>
To: netfilter-devel@...r.kernel.org
Cc: Pablo Neira Ayuso <pablo@...filter.org>, 
	Florian Westphal <fw@...len.de>, Lukas Wunner <lukas@...ner.de>, netfilter@...r.kernel.org, 
	Maciej Żenczykowski <zenczykowski@...il.com>, netdev@...r.kernel.org
Subject: Status of native NAT64/NAT46 in Netfilter?

Hi,

I've been looking through the mailing list archives and couldn't find a clear answer.
So I wanted to ask here what the status of native NAT64/NAT46 support in netfilter is?

All I was able to find so far:
* scanner patches related to "IPv4-Mapped IPv6" and "IPv4-compat IPv6"
* multiple people asking about this without replies
* "this is useful with DNS64/NAT64 networks for example" from 2023 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7b308feb4fd2d1c06919445c65c8fbf8e9fd1781
* "in the future: in-kernel NAT64/NAT46 (Pablo)" from 2021 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42df6e1d221dddc0f2acf2be37e68d553ad65f96
* "This hook is also useful for NAT46/NAT64, tunneling and filtering of
locally generated af_packet traffic such as dhclient." from 2020 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8537f78647c072bdb1a5dbe32e1c7e5b13ff1258

It kinda looks like native NAT64/NAT46 was planned at some point in time but it just became quite silent afterwards.

Was there some technical limitation/blocker or some consensus to not move forward with it?

I'm kinda looking forward to such a feature and therefore would really like to know more about the current state of things.

Sincerely,
Klaus Frank

