SIIT translation in a L2 network

[PouuleT]

Hello,

I'm using jool in SIIT mode with a special use case. I want my IPv6 service to be reachable using an IPv4 in a L2 network. This way the client does not have to update its network configuration to reach the service.

IPv4 Client (C) -- L2 -- SIIT Service gateway (GW) -- L3 -- IPv6 Service (S)

Example: the client wants to reach the service using an IPv4

• C does a ARP request for this IP, GW responds with its mac address
• C sends the packets to the mac of GW
• GW translates the packet to IPv6 and routes it to S
• S responds to GW ( routed IPv6 )
• GW responds to C ( IPv4 )

Using jool version v4.0.9, I can put an IPv4 in the client subnet (/32) on GW's loopback, the kernel handles the ARP requests and jool handles the traffic translation without any issue.

Since the version v4.1.1, jool refuses to translate the traffic due to the IP on the loopback. It seems to be related to the latest changes on the implicit blacklist algorithm:
#223 (comment)

Reading the code, a workaround could be to flag this IP as secondary. Unfortunately the iproute2 documentation is sparse and it is not easy to setup ( as far as I can tell, two IPs in the same subnet are needed in order for the second one to be flagged as secondary, thus using one additional useless IP in the L2 network )

Is there another way to achieve this use case? Am I doing anything wrong or missing something? How would you do it?

P.S.: Thanks for your awesome work on this project ;)

[ydahhrk]

I removed the /32 check because I had no memory of why I chose it back then. According to the #223 thread, what we originally wanted was to check for the secondary bit, not check /32 necessarily.

But now you've given a valid reason to check for /32. I don't think it breaks anything.

Ok, let me see if I got this straight:

If address is broadcast:
	deny address translation

else if (address belongs to interface and (is secondary or its prefix length is 32)):
	translate address

else if address belongs to interface:
	deny address translation

else:
	translate address

(Where "broadcast" implies prefix length < 31.)

Do you anticipate that this implementation of the generic denylist will solve your problem?

[ydahhrk]

Also:

Do you believe checking for /32 is the most elegant possible way to solve your problem?

[ydahhrk]

I just uploaded the code proposed above. I'd be grateful if you would test it.

(See the issue342 branch.)

[PouuleT]

Thanks for your fast answer and branch!
I tested it, and I can confirm that it fixes our issue!
As to whether it is the most elegant possible way to solve this problem, I don't know =)

I suppose that if nobody ever complained about their /32 being translated, this fix should not be too intrusive.

Another possible way would be to have an "allowlist" that overrides any "denylist" entry ( implicit or explicit ), but it adds complexity ( in the code and for the user), I don't know if it's a good idea

You're the one with the most experience dealing with Jool's users / usecases / codebase =)

[ydahhrk]

I suppose that if nobody ever complained about their /32 being translated, this fix should not be too intrusive.

True.

I've scheduled a release for this in the beginning of next month.