Thanks for the link! In this I'm a newbie, though. I have a network at home behind a DSL router, and want to jump to LocalIN with any packet that comes from my home network. I know the first line does that with IPv4 packets, but I want to do it with IPv6 packets too. I realized my problem with your answer was my not understanding the terms ' Unique-Local' and ' Link-Local Unicast'. With the help of https://en.wikipedia.org/wiki/Unique_local_address I now understand that I should use fc00::/7 instead of fe::/10 (what faulty for fe00::/10), and similarly re the Link-Local Unicast. I have now ip saddr 192.168.178.0/24 jump LocalIN ip6 saddr { fc00::/7, fe80::/10} jump LocalIN And trust that this set of rules does the trick. Thanks, Florian and Bernd! Regards, Paul -----Original Message----- From: Bernd Naumann <bena@xxxxxxxxxxxxxxx> Sent: Friday, October 9, 2020 3:17 PM To: netfilter@xxxxxxxxxxxxxxx Subject: Re: Newbie: IPv6 equivalent of 192.168.178.0/24 On 09.10.20 14:49, paul.guijt@xxxxxxxxx wrote: > I had > add rule inet filter input ip saddr 192.168.178.0/24 jump LocalIN > add rule inet filter input ip6 saddr fe::/10 jump LocalIN > to divert all packets coming from my private network to rules in the LocalIN chain. > > Nftables converts the second line into “ip6 saddr c0::/10 jump LocalIN”. FE into C0. > Will that do what I intended? If not, what rule do you prefer? > > Regards, > Paul Guijt > > Hi Paul, From https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml > fc00::/7 Unique-Local > fe80::/10 Link-Local Unicast I assume you want both in your case. ULA (unique local addr) and link-local. Or, if you do not want to allow the whole ULA space, maybe just i.e. a `/48`, like i.e. openwrt generates for you automatically. A use case to not accept the whole fc00::/10 would be if you are connected to i.e. dn42, or another community VPNs, which makes use of ULA. Best, Bernd
