Jool is a powerful kernel-space, namespace-aware Stateful NAT64 and SIIT implementation. This repo contains a simple docker-wrapped configurator for the tool. Although Jool supports both iptables and netfilter backends, this image uses iptables only.
- set up Jool 4.x in Stateful NAT64 mode in the current network namespace:
  - host network
  - docker network
  - kubernetes pod
Before you can run the image, the host machine must have Jool installed and loaded as a kernel module. Follow the Jool docs for installation instructions.
Example for Ubuntu 18.04:
```shell
apt-get update
wget https://github.com/NICMx/Jool/releases/download/v4.1.11/jool-dkms_4.1.11-1_all.deb -O /tmp/jool-dkms_4.1.11-1_all.deb
apt install -y /tmp/jool-dkms_4.1.11-1_all.deb
modprobe jool
modprobe ip6table_mangle
```
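Added example, not part of the original README: a pre-flight check that the two modules loaded above are live before the container is started. The function names and the sample `/proc/modules` lines are constructed for illustration, and the check assumes both are loadable modules that appear in `/proc/modules` once loaded.

```shell
#!/bin/sh
# Added example (not from the wandera/jool repository).
# Pre-flight check for the two kernel modules the install steps load with
# modprobe. Assumption: both are loadable modules, so they are listed in
# /proc/modules once loaded.

REQUIRED_MODULES="jool ip6table_mangle"

# missing_modules [FILE]: print the required modules that are not in state
# "Live" in a /proc/modules-formatted FILE ("-" reads stdin).
# Columns: name size refcount users state address.
missing_modules() {
    awk -v req="$REQUIRED_MODULES" '
        $5 == "Live" { live[$1] = 1 }
        END {
            n = split(req, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in live))
                    out = out (out == "" ? "" : " ") want[i]
            print out
        }' "${1:-/proc/modules}"
}

# preflight [FILE]: return 0 only when every required module is live.
preflight() {
    missing=$(missing_modules "${1:-/proc/modules}")
    if [ -n "$missing" ]; then
        echo "not loaded: $missing (run modprobe on the host first)" >&2
        return 1
    fi
    echo "all required modules are loaded: $REQUIRED_MODULES"
}

# Constructed sample in /proc/modules format; ip6table_mangle is absent.
sample_modules() {
    cat <<'EOF'
jool 262144 0 - Live 0x0000000000000000 (OE)
nf_defrag_ipv6 24576 1 jool, Live 0x0000000000000000
EOF
}

# Demo on the constructed sample; on a real host call `preflight` with no
# argument.
sample_modules | preflight - || echo "sample host is not ready"
```

On a real host, `preflight && docker run --cap-add=NET_ADMIN --network host ghcr.io/wandera/jool` starts the configurator only when both modules are live.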
The container has to run with extended network capabilities (`NET_ADMIN` in the commands below).
To set up Jool on the local network with the default well-known prefix `64:ff9b::/96`:

```shell
docker run --cap-add=NET_ADMIN --network host ghcr.io/wandera/jool
```

To set up Jool on the docker network `test` with the custom prefix `2001:db8:1234::/96`:

```shell
docker run --cap-add=NET_ADMIN --network test ghcr.io/wandera/jool --pool6=2001:db8:1234::/96
```

To set up Jool on the docker network `test` with the custom IPv6 MTU `1420`:

```shell
docker run --cap-add=NET_ADMIN --network test ghcr.io/wandera/jool --lowest-ipv6-mtu=1420
```
If you ran Jool on top of your host network, you may need to clean up:

```shell
docker run --cap-add=NET_ADMIN --network host --entrypoint /cleanup.sh ghcr.io/wandera/jool
```

Otherwise, all Jool instances are cleaned up when the network namespace is destroyed (usually when the container, docker network, or kubernetes pod is destroyed).
Jool can be used to set up NAT64 within a kubernetes pod. It still requires the jool kernel module on the host machine.

```yaml
apiVersion: v1  # Pod belongs to the core API group (v1), not apps/v1
kind: Pod
metadata:
  name: jool-example
spec:
  initContainers:
    - name: jool
      image: ghcr.io/wandera/jool:latest
      args:
        - "--pool6=2001:db8:1234::/96"  # use custom prefix
        - "--lowest-ipv6-mtu=1420"      # use custom IPv6 MTU
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]
  # ...
```
The tool is released as a docker image; check the repository.