Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
> My plan to migrate from iptables to nftables seems to have hit a major
> snag. nftables seems to lack the ability to use prefix-independent
> masks when matching IPv6 addresses.
>
> For example, my ISP delegates a /56 prefix, which I can divide into as
> many as 256 separate /64 subnets. So a routable IPv6 address in my
> network can be broken down like this.
>
> pppp:pppp:pppp:ppNN:hhhh:hhhh:hhhh:hhhh
>
> Where the p's represent the delegated prefix, the N's represent an
> internal "network ID", and the h's represent the host address. The
> prefix is relatively stable, but it can change occasionally, so
> hard-coding it into firewall rules is not really an option.
>
> Assume that I want to match a particular host (pppp:pppp:pppp:ppc8::1)
> in a rule. With ip6tables, I can match this address with this
> expression:
>
> 0:0:0:c8::1/::ff:ffff:ffff:ffff:ffff

ip6tables-translate suggests:

nft add rule ip6 filter INPUT 'ip6 saddr & ::ff:ffff:ffff:ffff:ffff == ::c8:0:0:0:1'
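The following script is an added example and not part of the thread or of the nftables project. It models what the suggested `ip6 saddr & mask == value` expression evaluates to, so that a rule can be checked against candidate addresses before it is loaded: it converts an ip6tables-style `addr/mask` specification into the `(mask, value)` pair the nft form needs, builds the same `nft add rule` command that ip6tables-translate printed above, and evaluates the match against a few constructed source addresses (different delegated prefixes, a different network ID, a different host). The sample addresses and the helper names are assumptions for the example; the arithmetic is the plain bitwise AND that the nft expression performs.

```python
import ipaddress

# Constructed sample source addresses (not taken from the thread).
# Two different delegated /56 prefixes carry the same host ::1 in network c8;
# the other two differ in network ID or in host part and must not match.
SAMPLE_SOURCES = [
    "2001:db8:1234:56c8::1",  # prefix A, network ID c8, host ::1  -> matches
    "2001:db8:abcd:efc8::1",  # prefix B (renumbered), same host   -> matches
    "2001:db8:1234:5601::1",  # network ID 01                       -> no match
    "2001:db8:1234:56c8::2",  # host ::2                            -> no match
]

# The ip6tables expression quoted in the thread.
IP6TABLES_SPEC = "0:0:0:c8::1/::ff:ffff:ffff:ffff:ffff"


def ip6_matches(saddr, mask, value):
    """Evaluate `ip6 saddr & mask == value` for a single source address."""
    a = int(ipaddress.IPv6Address(saddr))
    m = int(ipaddress.IPv6Address(mask))
    v = int(ipaddress.IPv6Address(value))
    return (a & m) == v


def translate_addr_mask(spec):
    """Turn an ip6tables 'addr/mask' pair into the (mask, value) strings nft needs.

    The comparison value is masked first: a value with bits set outside the
    mask can never compare equal after the AND, so the rule would silently
    never match. ip6tables-translate does the same when it emits the rule.
    """
    addr, mask = spec.split("/", 1)
    a = int(ipaddress.IPv6Address(addr))
    m = int(ipaddress.IPv6Address(mask))
    # str() of IPv6Address yields the compressed form, e.g. ::c8:0:0:0:1
    return str(ipaddress.IPv6Address(m)), str(ipaddress.IPv6Address(a & m))


def nft_rule(spec, table="filter", chain="INPUT"):
    """Build the nft command equivalent to an ip6tables 'addr/mask' source match."""
    mask, value = translate_addr_mask(spec)
    return f"nft add rule ip6 {table} {chain} 'ip6 saddr & {mask} == {value}'"


def matching_sources(spec, sources):
    """Return the subset of `sources` the translated rule would match."""
    mask, value = translate_addr_mask(spec)
    return [s for s in sources if ip6_matches(s, mask, value)]


if __name__ == "__main__":
    print(nft_rule(IP6TABLES_SPEC))
    for src in SAMPLE_SOURCES:
        mask, value = translate_addr_mask(IP6TABLES_SPEC)
        print(f"{src:28} -> {'match' if ip6_matches(src, mask, value) else 'no match'}")
```

Because the mask zeroes the upper 56 bits before the comparison, the rule keeps matching the host after the ISP renumbers the delegated prefix, which is the property the original question was after; the two addresses that differ only in the unmasked bits fall through as expected.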