protomask

A user space NAT64 implementation.

Protomask started as a challenge to create a NAT64 implementation in a weekend. The goal of this implementation is to keep things simple. There aren't many knobs to tweak, so if you want to do stateful NAT or source address filtering, put something like iptables in front of it.

How it works

Protomask listens on an IPv6 /96 prefix for incoming traffic.

When traffic destined for an embedded IPv4 address is received, the source IPv6 address is assigned a real IPv4 address from a pool of addresses on a first-come-first-serve basis.

All further packet from that source IPv6 address will be NAT-ed through its assigned IPv4 address until the reservation expires. The reverse process happens for return traffic too.

Configuration

Protomask uses a TOML configuration file. Here is a functional example:

[Interface]
# The IPv6 prefix to listen for V6 traffic on
Prefix = "64:ff9b::/96"
# A list of IPv4 prefixes to map V6 traffic to
Pool = ["192.0.2.0/24"]

[Rules]
# A static mapping of IPv4 and IPv6 addresses
# These addresses will not used in the dynamic pool
MapStatic = [{ v4 = "192.0.2.2", v6 = "2001:db8:1::2" }]
# How many seconds to keep a dynamic mapping alive for
ReservationDuration = 7200 # Optional