Skip to content

Instantly share code, notes, and snippets.

@oskar456

oskar456/README.md

Last active April 30, 2026 17:56
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save oskar456/d898bf2e11b642757800a5ccdc2415aa to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save oskar456/d898bf2e11b642757800a5ccdc2415aa to your computer and use it in GitHub Desktop.
Download ZIP
CLAT for Linux using Jool and ipvlan PoC
Raw
README.md

CLAT for Linux using ipvlan

This proof of concept uses ipvlan feature of Linux to split up main network interface into two in order to use one in a separate namespace with jool-siit performing CLAT translation.

This way, enabling CLAT is least intrusive to the default network namespace - no need to enable forwarding or touch firewall rules.

UPDATE 2024-02-01: Rewritten to use L2 ipvlan. This allows multicast and therefore NDP to work in the ipvlan interface so the setup is even simpler and there is no need to enable proxy NDP in the main namespace. Also the IPv4 PtP link is set up more efficiently using /32 addresses and explicit peer definition.

This gist is inspired by a similar gist by Thomas Schäfer.

Raw
clat_using_ipvlan_jool.sh
#!/bin/bash
IFACE="$1"
[[ "$#" -ne 1 ]] && {
echo "Usage: $0 <IFACE>"
exit -1
}
NATPREFIX="64:ff9b::/96"
NS="clat-$IFACE"
JOOL_SIIT="$(which jool_siit)"
ip netns add $NS
# PtP link for IPv4 traffic from main NS to CLAT NS
ip link add name ${IFACE}-v4 type veth peer ${IFACE}-clat-v4
ip link set dev ${IFACE}-clat-v4 netns $NS
ip link set up dev ${IFACE}-v4
# ipvlan link using secondary address on host interface
ip link add name ${IFACE}-clat-v6 link ${IFACE} type ipvlan mode l2
ip link set dev ${IFACE}-clat-v6 netns $NS
# Set up IPv4 PtP link
ip -4 address add 192.0.0.1 peer 192.0.0.0/32 dev ${IFACE}-v4
ip -4 route add default via 192.0.0.0 dev ${IFACE}-v4
# The rest of the magic happens inside the network namespace
ip netns exec $NS sh <<EOF
ip link set up dev ${IFACE}-clat-v4
ip link set up dev ${IFACE}-clat-v6
ip -4 address add 192.0.0.0 peer 192.0.0.1/32 dev ${IFACE}-clat-v4
sleep 2 # Make sure ipvlan interface is up and SLAAC has succeeded
CLATADDR=\$(ip -c=never -6 addr show dev ${IFACE}-clat-v6 | sed -rn 's_^.*inet6 *(2[0-9a-f:]*)/.*\$_\\1_p' | head -n 1)
echo CLAT is using IPv6 address \$CLATADDR
$JOOL_SIIT instance add --netfilter --pool6 $NATPREFIX
$JOOL_SIIT eamt add \$CLATADDR 192.0.0.1
EOF
echo "All set. To stop the clat, run: ip netns del $NS"
Raw
clat_using_ipvlan_jool_unnumbered_v4.sh
#!/bin/bash
IFACE="$1"
[[ "$#" -ne 1 ]] && {
echo "Usage: $0 <IFACE>"
exit -1
}
NATPREFIX="64:ff9b::/96"
V4ADDR="192.0.0.4"
NS="clat-$IFACE"
JOOL_SIIT="$(which jool_siit)"
ip netns add $NS
# PtP link for IPv4 traffic from main NS to CLAT NS
ip link add name ${IFACE}-v4 type veth peer ${IFACE}-clat-v4
ip link set dev ${IFACE}-clat-v4 netns $NS
ip link set up dev ${IFACE}-v4
# ipvlan link using secondary address on host interface
ip link add name ${IFACE}-clat-v6 link ${IFACE} type ipvlan mode l2
ip link set dev ${IFACE}-clat-v6 netns $NS
# Set up IPv4 PtP link
ip -4 address add ${V4ADDR}/32 dev ${IFACE}-v4
ip -4 route add default dev ${IFACE}-v4
# The rest of the magic happens inside the network namespace
ip netns exec $NS sh <<EOF
ip link set up dev ${IFACE}-clat-v4
ip link set up dev ${IFACE}-clat-v6
ip link set up dev lo
ip -4 route add ${V4ADDR} dev ${IFACE}-clat-v4
ip -4 route add default dev lo
sysctl -q net.ipv4.conf.${IFACE}-clat-v4.proxy_arp=1
sysctl -q net.ipv4.conf.${IFACE}-clat-v4.forwarding=1
sleep 2 # Make sure ipvlan interface is up and SLAAC has succeeded
CLATADDR=\$(ip -c=never -6 addr show dev ${IFACE}-clat-v6 | sed -rn 's_^.*inet6 *(2[0-9a-f:]*)/.*\$_\\1_p' | head -n 1)
echo CLAT is using IPv6 address \$CLATADDR
$JOOL_SIIT instance add --netfilter --pool6 $NATPREFIX
$JOOL_SIIT eamt add \$CLATADDR ${V4ADDR}
EOF
echo "All set. To stop the clat, run: ip netns del $NS"
@iguanajuice
Copy link
Copy Markdown

iguanajuice commented Apr 27, 2026

First off, thanks for the script! Very useful to get high-bandwidth CLAT working easily.

I have fixed a few issues in my fork:

  • The script will clean up and exit if errors are had
  • Will load jool_siit kernel module on script activation
  • Some interface names can be quite long, take care not to exceed the 15-character limit
  • Abort script if an IPv4 default route exists; no need for CLAT if we already have IPv4
  • Do v4-ifname instead of ifname-v4 since networkd configs could have a Name=en* rule that will match the interface
  • Include systemd service file for easy CLAT activation via: sudo systemctl enable --now jool_clat@enp1s0

@oskar456
Copy link
Copy Markdown
Author

oskar456 commented Apr 30, 2026

Awesome, I am glad it works for you. However, I think it is better to focus on CLAT support in NetworkManager, which is supposed to appear in version 1.58. It uses an eBPF program, so it should work with any Linux kernel without compiling external modules.

@iguanajuice
Copy link
Copy Markdown

iguanajuice commented Apr 30, 2026

However, I think it is better to focus on CLAT support in NetworkManager,

I've heard about that, but I use systemd-networkd, so that isn't much use to me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment