Discussion:
Match EUI64 in IPv6 Address
Jean-Louis Dupond
2014-08-07 20:51:01 UTC
Hi,

I'm in the following situation.
My ISP gives me native IPv6 connectivity, a /56 range.

The only thing is, the prefix is dynamic; it changes every 96 hours.

Now my router announces this range to my clients, and everything works fine.
But then comes the issue.

I firewall my LAN on my router, so there is no need for a firewall on all
the clients.
But as the prefix is dynamic, I can't just fix this in a clean way.

Every time the prefix changes, I need to adjust my ip6tables rules.

So my question: Is there a way to make an ip6tables rule that only
matches the last 64 bits (the EUI64)?
This would solve the issue that I've got.

Thanks
Jean-Louis
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Jeff Haran
2014-08-07 21:14:15 UTC
-----Original Message-----
Sent: Thursday, August 07, 2014 1:51 PM
Subject: Match EUI64 in IPv6 Address
Hi,
I'm in the following situation.
My ISP gives me native IPv6 connectivity, a /56 range.
The only thing is, the prefix is dynamic; it changes every 96 hours.
Now my router announces this range to my clients, and everything works fine.
But then comes the issue.
I firewall my LAN on my router, so there is no need for a firewall on all
the clients.
But as the prefix is dynamic, I can't just fix this in a clean way.
Every time the prefix changes, I need to adjust my ip6tables rules.
So my question: Is there a way to make an ip6tables rule that only
matches the last 64 bits (the EUI64)?
This would solve the issue that I've got.
Thanks
Jean-Louis
The ip6tables man page states that one can follow the IPv6 address in a -s or -d match with a mask.

So presumably something like this should work:

ip6tables ... -s ::<EUI64>/::ffff:ffff:ffff:ffff ...

Though I admit, I've never tried this myself.

Jeff Haran
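
The suffix-only match suggested above, as an added example that is not part of the original thread: it derives the modified EUI-64 interface identifier from a MAC address and prints a rule using the `::ffff:ffff:ffff:ffff` mask. The function names, the sample MAC, the FORWARD chain and port 22 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; MAC address, chain and port are constructed sample values.

SUFFIX_MASK='::ffff:ffff:ffff:ffff'   # mask from the reply: compare low 64 bits only

# mac_to_iid MAC -> modified EUI-64 interface identifier (hypothetical helper).
# Inserts ff:fe between the two MAC halves and flips the universal/local
# bit (0x02) of the first octet, as SLAAC does for EUI-64 addresses.
mac_to_iid() {
    mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    h='[0-9a-f][0-9a-f]'
    case "$mac" in
        $h:$h:$h:$h:$h:$h) ;;          # exactly six two-digit hex octets
        *) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -- $mac                         # split octets into $1..$6
    IFS=$old_ifs
    first=$(( 0x$1 ^ 2 ))               # flip the U/L bit
    printf '%02x%s:%sff:fe%s:%s%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# suffix_rule MAC PORT -> prints (does not run) a prefix-independent rule
# that accepts TCP to PORT on the host whose address ends in that identifier.
suffix_rule() {
    iid=$(mac_to_iid "$1") || { echo "bad MAC: $1" >&2; return 1; }
    printf 'ip6tables -A FORWARD -d ::%s/%s -p tcp --dport %s -j ACCEPT\n' \
        "$iid" "$SUFFIX_MASK" "$2"
}

# Print the rule for the constructed sample host; review before applying.
suffix_rule 00:11:22:33:44:55 22
```

A rule like this only matches hosts whose address really ends in the EUI-64 identifier; hosts using temporary (privacy) addresses or other non-EUI-64 identifiers will not match it.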

Jean-Louis Dupond
2014-08-07 21:30:40 UTC
Post by Jeff Haran
-----Original Message-----
Sent: Thursday, August 07, 2014 1:51 PM
Subject: Match EUI64 in IPv6 Address
Hi,
I'm in the following situation.
My ISP gives me native IPv6 connectivity, a /56 range.
The only thing is, the prefix is dynamic; it changes every 96 hours.
Now my router announces this range to my clients, and everything works fine.
But then comes the issue.
I firewall my LAN on my router, so there is no need for a firewall on all
the clients.
But as the prefix is dynamic, I can't just fix this in a clean way.
Every time the prefix changes, I need to adjust my ip6tables rules.
So my question: Is there a way to make an ip6tables rule that only
matches the last 64 bits (the EUI64)?
This would solve the issue that I've got.
Thanks
Jean-Louis
The ip6tables man page states that one can follow the IPv6 address in a -s or -d match with a mask.
ip6tables ... -s ::<EUI64>/::ffff:ffff:ffff:ffff ...
Though I admit, I've never tried this myself.
Jeff Haran
Thanks a lot! This seems to work fine indeed.

Thx
Jean-Louis