definitely, that's the ultimate goal. But it still needs to be figured out what is going to do the actual packet translation.
During the hackathon, I also received a tip on how to make the clat least intrusive to the host OS - that means no forwarding enabled and no fiddling with firewall.

I have made a PoC and it seems to work quite well:
gist.github.com/oskar456/d898b…

I would like to try to write a daemon to automate such a setup and eventually integrate to NM and similar.

CLAT for Linux using Jool and ipvlan PoC

CLAT for Linux using Jool and ipvlan PoC. GitHub Gist: instantly share code, notes, and snippets.

^Gist

Very nice! I've done something similar for a #k8s cluster that needed #NAT64 translation for its containers. One thing I did have to add was filtering within the namespace, since Jool was unexpectedly translating RFC1918 addresses when using the well-known prefix.

It was unclear to me why Jool was doing that, but all was easily fixed with some reject rules for each of the rfc1918 address subnets.

@tschaefer What I had in mind was the restriction from RFC6053 section 3.1, where the well known prefix is supposed to reject non-global legacy IP addresses.

I suppose it's not a big issue if Android's CLAT tries to initiate traffic with such a destination, but the #NAT64 gateway is supposed to decline to translate that destination within the well known prefix, if I understand the RFC correctly.

@litchralee_v6 @tschaefer I think the reason for that restriction is mostly the idea of the uniqueness of IPv6 addresses - the same reason why site-local addresses were deprecated. Basically it is considered beneficial that there is no case where one IPv6 address represents more than one node.

On the other hand, we have cases like NAT64 tethering on macOS which uses the same ULA prefix on every single host.