Fast & reliable user space NAT64

Overview

protomask

A user space NAT64 implementation.

Protomask started as a challenge to create a NAT64 implementation in a weekend. The goal of protomask is to keep things simple.

There aren't many knobs to tweak, so stateful NAT or source address filtering will require protomask to be paired with a utility like iptables.

How it works

Protomask operates by listening on an IPv6 /96 prefix for incoming traffic.

When a new IPv6 host sends traffic through protomask, it is dynamically assigned an IPv4 address from a pool of addresses on a first-come-first-serve basis.

From then on, all subsequent packets coming from that same IPv6 host will be NATed through the assigned IPv4 address until the reservation period expires. Likewise, a similar process occurs for return traffic.

For hosts that need a consistent IPv4 address, a static mapping can be set in the configuration file. This ensures that the host always communicates using the same IPv4 address, no matter how long it has been offline. This is useful for single-stack hosts that need IPv4 DNS entries.

Configuration

Protomask uses a TOML configuration file. Here is a functional example:

# The NAT64 prefix to route to protomask
Nat64Prefix = "64:ff9b::/96"
# Setting this will enable prometheus metrics
Prometheus = "[::1]:8080" # Optional, defaults to disabled

[Pool]
# All prefixes in the pool
Prefixes = ["192.0.2.0/24"]
# The maximum duration an ipv4 address from the pool will be reserved for after becoming idle
MaxIdleDuration = 7200 # Optional, seconds. Defaults to 7200 (2 hours)
# Permanent address mappings
Static = [{ v4 = "192.0.2.2", v6 = "2001:db8:1::2" }]
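
The behaviour described under "How it works", modelled with the values from the configuration above. This is an added example, not protomask's own code: the `Pool` type, its methods, the caller-supplied clock in seconds, lazy reclaiming of idle reservations and the exclusion of static IPv4 addresses from the dynamic pool are all assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::net::{Ipv4Addr, Ipv6Addr};

// /96 layout: the IPv4 address is carried in the low 32 bits of the NAT64 address.
fn embed(prefix: Ipv6Addr, v4: Ipv4Addr) -> Ipv6Addr {
    Ipv6Addr::from((u128::from(prefix) & !0xffff_ffff_u128) | u128::from(u32::from(v4)))
}
fn extract(v6: Ipv6Addr) -> Ipv4Addr { Ipv4Addr::from(u128::from(v6) as u32) }

// Hypothetical pool model (an assumption, not protomask's data structure).
struct Pool {
    free: Vec<Ipv4Addr>,                        // unassigned addresses, lowest popped first
    leases: HashMap<Ipv6Addr, (Ipv4Addr, u64)>, // IPv6 host -> (IPv4, last-seen seconds)
    statics: HashMap<Ipv6Addr, Ipv4Addr>,       // permanent mappings, never expire
    max_idle: u64,                              // MaxIdleDuration, seconds
}

impl Pool {
    fn new(net: Ipv4Addr, hosts: u32, statics: &[(Ipv4Addr, Ipv6Addr)], max_idle: u64) -> Pool {
        let free = (1..=hosts).rev().map(|i| Ipv4Addr::from(u32::from(net) + i))
            .filter(|a| statics.iter().all(|s| s.0 != *a)).collect(); // statics stay out
        let statics = statics.iter().map(|s| (s.1, s.0)).collect();
        Pool { free, leases: HashMap::new(), statics, max_idle }
    }
    // IPv4 source address for a packet from `host` seen at `now`; None if the pool is empty.
    fn source_for(&mut self, host: Ipv6Addr, now: u64) -> Option<Ipv4Addr> {
        if let Some(v4) = self.statics.get(&host) { return Some(*v4); }
        let (free, max_idle) = (&mut self.free, self.max_idle);
        self.leases.retain(|_, lease| {
            let keep = now.saturating_sub(lease.1) <= max_idle;
            if !keep { free.push(lease.0); } // idle too long: back to the pool
            keep
        });
        if let Some(lease) = self.leases.get_mut(&host) {
            lease.1 = now; // traffic refreshes the reservation
            return Some(lease.0);
        }
        let v4 = self.free.pop()?; // first come, first served
        self.leases.insert(host, (v4, now));
        Some(v4)
    }
}

fn main() {
    let fixed = [(Ipv4Addr::new(192, 0, 2, 2), "2001:db8:1::2".parse::<Ipv6Addr>().unwrap())];
    let mut pool = Pool::new(Ipv4Addr::new(192, 0, 2, 0), 254, &fixed, 7200);
    let dst = embed("64:ff9b::".parse().unwrap(), Ipv4Addr::new(198, 51, 100, 7));
    println!("{:?} -> {} ({})", pool.source_for(fixed[0].1, 0), dst, extract(dst));
}
```

In this model `source_for` returns `None` once every pool address is reserved, so the pool size and `MaxIdleDuration` bound how many distinct IPv6 sources can be served at once.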

Installation

Protomask can be installed using various methods:

Debian

Head over to the releases page and download the latest release for your architecture.

Then, install with:

apt install /path/to/protomask_<version>_<arch>.deb

# You can also edit the config file in /etc/protomask.toml
# And once ready, start protomask with
systemctl start protomask

Using Cargo

cargo install protomask

Usage

Usage: protomask [OPTIONS] <CONFIG_FILE>

Arguments:
  <CONFIG_FILE>  Path to the config file

Options:
  -v, --verbose  Enable verbose logging
  -h, --help     Print help
  -V, --version  Print version
Comments
  • Vulnerability in `tokio 0.1.22` from `tun-tap`

    tun-tap depends on tokio 0.1.22 which is vulnerable to RUSTSEC-2021-0124.

    Crate:     tokio
    Version:   0.1.22
    Title:     Data race when sending and receiving after closing a `oneshot` channel
    Date:      2021-11-16
    ID:        RUSTSEC-2021-0124
    URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
    Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
    

    Dependency tree:

    tokio 0.1.22
    └── tokio-core 0.1.18
        └── tun-tap 0.1.3
            ├── protomask-tun 0.1.0
            │   └── protomask 0.2.0
            └── protomask 0.2.0
    

    More info: https://github.com/ewpratten/protomask/runs/15207757196

    opened by ewpratten 2
  • Audit job failing due to bad permissions

    The audit job fails with message Error: Resource not accessible by integration

    > Run actions-rs/audit-check@v1
    /home/runner/.cargo/bin/cargo generate-lockfile
        Updating crates.io index
    > Calling cargo-audit (JSON output)
    Warning: 1 vulnerabilities found!
    Warning: 5 warnings found!
    Found 1 advisory(ies), 1 unmaintained, 4 other
    Error: Resource not accessible by integration
    

    This can likely be fixed with the permissions outlined in https://github.com/actions-rs/audit-check/issues/220

    meta 
    opened by ewpratten 1
  • Update pnet_packet requirement from 0.33.0 to 0.34.0

    Updates the requirements on pnet_packet to permit the latest version.

    Release notes

    Sourced from pnet_packet's releases.

    v0.34.0

    Full Changelog: https://github.com/libpnet/libpnet/compare/v0.33.0...v0.34.0

    Commits
    • 9bd20d8 Release v0.34.0
    • b8bd8e0 Merge pull request #630 from mrmonday/fix-build-warnings
    • 47ae47d Assorted cleanup
    • c32d9db Merge pull request #625 from rikonaka/master
    • 391b133 Merge pull request #619 from reticulis/sll2
    • 12636de Merge pull request #621 from vvv/spell-check
    • d29848e Merge pull request #627 from james-jra/syn-2
    • 08622c5 Fix compile test stderr for correct rustc version
    • 431ced2 add more compilation error tests for #[construct_with]
    • b46f7f3 Update compile fail test error messages
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • Cache Actions CI data across workflow runs

    Since all the CI workflows rebuild the same binary over and over again, the time of execution can probably be cut down a lot by using actions/cache@v3 (docs)

    meta 
    opened by ewpratten 0
  • RUSTSEC-2020-0016: `net2` crate has been deprecated; use `socket2` instead

    opened by github-actions[bot] 1
Releases(v0.2.0)
Owner
Evan Pratten