Diffstat (limited to 'src/conf_mode/nat64.py')
-rwxr-xr-xsrc/conf_mode/nat64.py28
1 files changed, 19 insertions, 9 deletions
diff --git a/src/conf_mode/nat64.py b/src/conf_mode/nat64.py
index c1e7ebf85..df501ce7f 100755
--- a/src/conf_mode/nat64.py
+++ b/src/conf_mode/nat64.py
@@ -20,7 +20,7 @@ import csv
import os
import re
-from ipaddress import IPv6Network
+from ipaddress import IPv6Network, IPv6Address
from json import dumps as json_write
from vyos import ConfigError
@@ -46,7 +46,12 @@ def get_config(config: Config | None = None) -> None:
base = ["nat64"]
nat64 = config.get_config_dict(base, key_mangling=("-", "_"), get_first_key=True)
- base_src = base + ["source", "rule"]
+ return nat64
+
+
+def verify(nat64) -> None:
+ check_kmod(["jool"])
+ base_src = ["nat64", "source", "rule"]
# Load in existing instances so we can destroy any unknown
lines = cmd("jool instance display --csv").splitlines()
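Review bot: verify() now calls `check_kmod(["jool"])` and shells out to `jool instance display --csv` before the `if not nat64` guard that the next hunk leaves further down, so validating a commit that removes NAT64 still loads the kernel module only for apply() to unload it again. The block moved in from get_config also sets `rules[num]["recreate"] = True`, which appears to write into the dict verify() was handed, so the function is no longer a read-only check and nothing in the hunk says so. I would add a docstring such as `"""Load jool, flag rules whose running instance differs for re-creation, then validate the CLI config."""`, and consider moving the empty-config return above the module load if the instance scan is not needed in that case. The body of verify() continues outside this hunk, and get_config is still annotated `-> None` in the hunk header although it returns `nat64`.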
@@ -76,12 +81,8 @@ def get_config(config: Config | None = None) -> None:
):
rules[num]["recreate"] = True
- return nat64
-
-
-def verify(nat64) -> None:
if not nat64:
- # no need to verify the CLI as nat64 is going to be deactivated
+ # nothing left to do
return
if dict_search("source.rule", nat64):
@@ -103,8 +104,14 @@ def verify(nat64) -> None:
# Verify that source.prefix is set and is a /96
if not dict_search("source.prefix", instance):
raise ConfigError(f"Source NAT64 rule {rule} missing source prefix")
- if IPv6Network(instance["source"]["prefix"]).prefixlen != 96:
+ src_prefix = IPv6Network(instance["source"]["prefix"])
+ if src_prefix.prefixlen != 96:
raise ConfigError(f"Source NAT64 rule {rule} source prefix must be /96")
+ if (int(src_prefix[0]) & int(IPv6Address('0:0:0:0:ff00::'))) != 0:
+ raise ConfigError(
+ f'Source NAT64 rule {rule} source prefix is not RFC6052-compliant: '
+ 'bits 64 to 71 (9th octet) must be zeroed'
+ )
pools = dict_search("translation.pool", instance)
if pools:
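Review bot: `IPv6Network(instance["source"]["prefix"])` raises ValueError for malformed text or a prefix with host bits set, and nothing visible in this hunk converts that into a ConfigError, so unless the CLI validator already guarantees a clean network the user gets a traceback instead of the rule-specific message the neighbouring checks produce. Wrapping the constructor in `try:` / `except ValueError as e:` and re-raising as `ConfigError(f"Source NAT64 rule {rule} source prefix is invalid: {e}") from e` keeps the error reporting consistent. The RFC 6052 mask is also rebuilt from a string literal for every rule; a module-level `RFC6052_U_OCTET_MASK = 0xFF << 56  # bits 64-71 of the address` would name the constant and make the test read `int(src_prefix.network_address) & RFC6052_U_OCTET_MASK`. The new lines use single quotes while the rest of the function uses double quotes. verify() starts and ends outside this hunk.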
@@ -122,6 +129,9 @@ def verify(nat64) -> None:
def generate(nat64) -> None:
+ if not nat64:
+ return
+
os.makedirs(JOOL_CONFIG_DIR, exist_ok=True)
if dict_search("source.rule", nat64):
@@ -178,6 +188,7 @@ def generate(nat64) -> None:
def apply(nat64) -> None:
if not nat64:
+ unload_kmod(['jool'])
return
if dict_search("source.rule", nat64):
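Review bot: `unload_kmod(['jool'])` is introduced here, but the only import hunk on this page adds `IPv6Address`, so it is worth confirming that `unload_kmod` is already imported next to `check_kmod`; otherwise the NAT64-removal path fails with a NameError at apply time. The call also runs before any visible teardown of running Jool instances, so if the helper raises when the module cannot be removed, deleting the configuration would abort the commit — presumably acceptable, but it deserves a comment such as `# no NAT64 config left: drop the jool module so unused kernel code is not kept loaded`. apply() continues outside this hunk.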
@@ -205,7 +216,6 @@ def apply(nat64) -> None:
if __name__ == "__main__":
try:
- check_kmod(["jool"])
c = get_config()
verify(c)
generate(c)