When faithd receives TCPv6 traffic, faithd will relay the TCPv6 traffic to TCPv4. The destination for the relayed TCPv4 connection will be determined by the last 4 octets of the original IPv6 destination.
For example, if 3ffe:0501:4819:ffff:: is reserved for , and the TCPv6 destination address is 3ffe:0501:4819:ffff::0a01:0101, the traffic will be relayed to IPv4 destination 10.1.1.1.
To use the faithd translation service, an IPv6 address prefix must be reserved for mapping IPv4 addresses into. The kernel must be properly configured to route all TCP connections toward the reserved IPv6 address prefix into the faith(4) pseudo interface, by using the route(8) command. Also, sysctl(8) should be used to configure net.inet6.ip6.keepfaith to 1.
The router must be configured to capture all the TCP traffic toward the reserved IPv6 address prefix, by using the route(8) and sysctl(8) commands.
faithd needs a special name-to-address translation logic, so that hostnames get resolved into the special IPv6 address prefix. For a small-scale installation, use hosts(5). For a large-scale installation, it is useful to have a DNS server with special address translation support. An implementation called totd is available at http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html. Make sure you do not propagate translated DNS records to the normal DNS cloud; it is highly harmful.
Since faithd listens to TCP port service, it is not possible to run local TCP daemons for port service on the router using inetd(8) or other standard mechanisms. By specifying serverpath to , you can run local daemons on the router. faithd will invoke the local daemon at serverpath if the destination address is a local interface address, and will perform translation to IPv4 TCP in other cases. You can also specify serverargs for the arguments to the local daemon.
The following options are available:
faithd will relay both normal and out-of-band TCP data. It is capable of emulating TCP half close as well. faithd includes special support for protocols used by ftp(1). When translating the FTP protocol, faithd translates network level addresses in PORT/LPRT/EPRT and PASV/LPSV/EPSV commands.
Inactive sessions will be disconnected in 30 minutes, to avoid stale sessions from chewing up resources. This may be inappropriate for some of the services (should this be configurable?).
faithd determines its operation mode by the local TCP port number, and enables special protocol handling whenever necessary/possible. For example, if faithd is invoked via inetd(8) on the FTP port, it will operate as an FTP relay.
With /etc/faithd.conf (or the configfile specified by -f), faithd will avoid relaying unwanted traffic. The faithd.conf contains directives with the following format:

src/slen deny dst/dlen
    If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, deny the connection.

src/slen permit dst/dlen
    If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, permit the connection.

The directives are evaluated in sequence, and the first matching entry will be effective. If there is no match (if we reach the end of the ruleset), the traffic will be denied.
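The following is an added example, not faithd's own code, that models the two decisions described above: the last-4-octet destination mapping within the reserved prefix (outside it, faithd would run the local daemon) and first-match, default-deny evaluation of faithd.conf directives. The reserved /96 prefix and the ruleset are constructed from the man page's own example values.

```python
import ipaddress

# Constructed: the /96 prefix reserved for the translator in the man page's example.
FAITH_PREFIX = ipaddress.IPv6Network("3ffe:501:4819:ffff::/96")

def map_destination(dst6, prefix=FAITH_PREFIX):
    """IPv4 address carried in the last 4 octets of dst6, or None if dst6 is
    outside the reserved prefix (faithd then runs the local daemon instead)."""
    dst6 = ipaddress.IPv6Address(dst6)
    if dst6 not in prefix:
        return None
    return ipaddress.IPv4Address(dst6.packed[12:])

def parse_rules(text):
    """Parse 'src/slen permit|deny dst/dlen' directives; '#' starts a comment."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed directive {line!r}")
        rules.append((ipaddress.IPv6Network(fields[0], strict=False),
                      fields[1],
                      ipaddress.IPv4Network(fields[2], strict=False)))
    return rules

def check(rules, src6, dst4):
    """First matching directive wins; reaching the end of the ruleset denies."""
    src6, dst4 = ipaddress.IPv6Address(src6), ipaddress.IPv4Address(dst4)
    for src, action, dst in rules:
        if src6 in src and dst4 in dst:
            return action == "permit"
    return False

# Constructed copy of the man page's sample ruleset.
SAMPLE_CONF = """\
3ffe:501:ffff::/48 deny 10.0.0.0/8
3ffe:501:ffff::/48 deny 127.0.0.0/8
3ffe:501:ffff::/48 permit 0.0.0.0/0
"""

def decide(conf_text, src6, dst6):
    """'local' if dst6 is outside the prefix, else 'relay' or 'deny' per the ruleset."""
    dst4 = map_destination(dst6)
    if dst4 is None:
        return "local"
    return "relay" if check(parse_rules(conf_text), src6, dst4) else "deny"
```

Running decide() over the sample ruleset shows that a source outside 3ffe:501:ffff::/48 is denied even for a permitted IPv4 destination, which is the default-deny behaviour the text describes.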
With inetd mode, traffic may be filtered by using access control functionality in inetd(8).
EXIT_SUCCESS (0) on success, and EXIT_FAILURE (1) on error.
# sysctl -w net.inet6.ip6.accept_rtadv=0
# sysctl -w net.inet6.ip6.forwarding=1
# sysctl -w net.inet6.ip6.keepfaith=1
# ifconfig faith0 create up
# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
# route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0
telnet service, and provide no local telnet service, invoke faithd as follows:
# faithd telnet
If you would like to provide local telnet service via telnetd(8) on /usr/libexec/telnetd, use the following command line:
# faithd telnet /usr/libexec/telnetd telnetd
If you would like to pass extra arguments to the local daemon:
# faithd ftp /usr/libexec/ftpd ftpd -l
Here are some other examples. You may need -p if the service checks the source port range.
# faithd ssh
# faithd telnet /usr/libexec/telnetd telnetd
telnet stream faith/tcp6 nowait root faithd telnetd
ftp stream faith/tcp6 nowait root faithd ftpd -l
ssh stream faith/tcp6 nowait root faithd /usr/sbin/sshd -i
inetd(8) will open listening sockets with kernel TCP relay support enabled. Whenever a connection comes in, faithd will be invoked by inetd(8). If the connection endpoint is in the reserved IPv6 address prefix, faithd will relay the connection. Otherwise, faithd will invoke the service-specific daemon, such as telnetd(8).
faithd.conf setting.
# permit anyone from 3ffe:501:ffff::/48 to use the translator,
# to connect to the following IPv4 destinations:
# - any location except 10.0.0.0/8 and 127.0.0.0/8.
# Permit no other connections.
#
3ffe:501:ffff::/48 deny 10.0.0.0/8
3ffe:501:ffff::/48 deny 127.0.0.0/8
3ffe:501:ffff::/48 permit 0.0.0.0/0
Administrators are advised to limit access to faithd using faithd.conf, or by using IPv6 packet filters. This protects the faithd service from malicious parties and avoids theft of service/bandwidth. The IPv6 destination address can be limited by carefully configuring routing entries that point to faith(4), using route(8). The IPv6 source address needs to be filtered by using packet filters. Documents listed in SEE ALSO have more discussion on this topic.