xt_FULLCONENAT -- Implementing RFC 3489 full cone SNAT in OpenWrt

TL;DR: https://github.com/Chion82/netfilter-full-cone-nat
Implementation of Full cone NAT in Linux (in Chinese)

So far the implementation of RFC 3489 full cone NAT has never been finished. One can find some discussions about this feature on the netfilter mailing list:

Configure to Full Cone:
How can I configure IPtables to be Full Cone?
You cannot. iptable_nat only implements the most sophisticated version
of NAT: fully symmetric.

IPTables and different types of NAT:
“Full cone NAT” can be implemented with 1-to-1 bidirectional NAT using
SNAT+DNAT or NETMAP.

Yes, we can partially implement full cone NAT with 1-to-1 NAT or UPnP, but 1-to-1 NAT only works for ONE host and UPnP cannot traverse multiple NATs. So here comes the kernel module: xt_FULLCONENAT.

Update: I have written a Makefile for the module; no need for a kernel patch.

Somehow I managed to integrate it into OpenWrt by patching the kernel and iptables directly. After installing the firmware, I disabled the default MASQUERADE SNAT rule and added the following rules to /etc/firewall.user:

iptables -t nat -A zone_wan_prerouting -j FULLCONENAT
iptables -t nat -A zone_wan_postrouting -j FULLCONENAT

And it worked; here's the NAT Type tester's result:
Test result (IP address masked)

It would be better if someone wrote makefiles for it instead of patching directly, but I have little experience writing iptables-mod- or kmod- makefiles. Already done.
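Before swapping MASQUERADE for FULLCONENAT it helps to see what changes for inbound traffic. The following toy model is an added example (constructed here, not code from the thread or from xt_FULLCONENAT): a symmetric NAT like MASQUERADE keys its mapping on the full 4-tuple and only lets the original peer answer, while an RFC 3489 full cone NAT keys it on the internal endpoint and lets any external host reach the mapped port. The addresses, ports and the Nat/compare names are made up for illustration.

```python
# Toy model of the two NAT behaviours compared in the thread (constructed
# example, not code from xt_FULLCONENAT or netfilter). A symmetric NAT such
# as iptables MASQUERADE keys its mapping on the full 4-tuple and only lets
# the original peer reply; an RFC 3489 full cone NAT keys it on the internal
# endpoint alone and lets any external host reach the mapped port.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"  # RFC 5737 documentation address, constructed


@dataclass
class Nat:
    full_cone: bool
    next_port: int = 40000
    # mapping key -> public port (key shape depends on the NAT type)
    mappings: dict = field(default_factory=dict)
    # public port -> (int_ip, int_port, first_dst_ip, first_dst_port)
    reverse: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet; allocate a mapping if needed."""
        if self.full_cone:
            key = (src_ip, src_port)                    # endpoint-independent
        else:
            key = (src_ip, src_port, dst_ip, dst_port)  # one mapping per peer
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.reverse[self.next_port] = (src_ip, src_port, dst_ip, dst_port)
            self.next_port += 1
        return PUBLIC_IP, self.mappings[key]

    def inbound(self, ext_ip, ext_port, pub_port):
        """Return the internal endpoint a packet is forwarded to, or None if dropped."""
        entry = self.reverse.get(pub_port)
        if entry is None:
            return None  # no mapping for this public port: dropped
        int_ip, int_port, peer_ip, peer_port = entry
        if not self.full_cone and (ext_ip, ext_port) != (peer_ip, peer_port):
            return None  # symmetric: only the original peer may send back
        return int_ip, int_port  # full cone: any external host gets through


def compare(host=("192.168.1.10", 5000), stun=("198.51.100.5", 3478),
            stranger=("198.51.100.9", 1234)):
    """Run one outbound flow on both NAT types; report whether an unrelated
    external host can then reach the internal host via the mapped port."""
    result = {}
    for name, nat in (("symmetric", Nat(False)), ("full_cone", Nat(True))):
        _, pub_port = nat.outbound(*host, *stun)
        result[name] = nat.inbound(*stranger, pub_port) is not None
    return result
```

The practical consequence for a router running the FULLCONENAT rules: any UDP port a LAN host has used outbound stays reachable from the whole Internet for the lifetime of the conntrack entry, so per-host firewall rules on the LAN side matter more than they do behind MASQUERADE.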

Since it looks like this is an "in-tree" build from the repo you posted, one possibility would be to use the patches/ directory and facility, such as, for one example, package/kernel/mac80211/patches/.

That's what I did: I put the patches into package/network/utils/iptables/patches/ and target/linux/generic/hack-<kernelver> respectively, then used make kernel_menuconfig to include the module.

For those who want to give it a try, here are the patches:
Put 651-netfilter-add-xt_FULLCONENAT-target.patch and 800-fullconenat-target.patch into target/linux/generic/hack-<kernel-ver> and package/network/utils/iptables/patches respectively.
Run make kernel_menuconfig and select IP_NF_TARGET_FULLCONENAT and NETFILTER_XT_TARGET_FULLCONENAT.



Can we add this package to the official OpenWrt package feeds?

Have you tried submitting the patch? https://openwrt.org/submitting-patches

I had added a new task before I saw this thread.

https://bugs.openwrt.org/index.php?do=details&task_id=1738