Description
I just stumbled across dynamic IPv6 prefixes:
Is your feature request related to a problem? Please describe.
Unfortunately many ISPs only hand out dynamic IPv6 prefixes. IPv6-enabled hosts/servers behind the firewall might have a static IPv6 interface address with a dynamic prefix part (e.g. assigned through ip tokens in Linux). Right now it is impossible to add IPv6 firewall rules for individual hosts with dynamic prefixes.
Describe the solution you'd like
A trivial approach would be to match only the last 64 bits of an IPv6 address, thus ignoring the entire prefix. In Linux (with ip6tables) you can invert the network mask, so you ignore the prefix and only match the host part. This can be done like this:
```
ip6tables [...] -d ::192:168:20:1/0000:0000:0000:0000:ffff:ffff:ffff:ffff -o eth2 [...]
# or even shorter
ip6tables [...] -d ::192:168:20:1/!64 -o eth2 [...]
```

I think this is a very convenient approach which resolves most issues with changing prefixes in IPv6 firewall rules.
So do I, and I think it should "just work" by specifying such an address in an address object. When I try that, this happens:
```
# microfw apply
ipset v7.10: Syntax error: '!64' is invalid as number
```
Let's see how we can make this work.
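As an added illustration (not microfw's code and not from the issue text), the host-part match that the inverted mask expresses, in Python: it parses both rule forms quoted above, rewrites the `/!64` shorthand into the explicit-mask form for tools that reject `!N`, and checks a destination address against the rule whatever prefix is currently delegated. The 64-bit host part and the sample addresses are assumptions.

```python
import ipaddress


def parse_host_match(spec: str) -> tuple[int, int]:
    """Parse an ip6tables-style host match into (value, mask) as 128-bit ints.

    Accepts both forms from the issue:
      '::192:168:20:1/!64'                                   (inverted prefix length)
      '::192:168:20:1/0000:0000:0000:0000:ffff:ffff:ffff:ffff' (explicit mask)
    """
    addr_str, mask_str = spec.split("/", 1)
    addr = int(ipaddress.IPv6Address(addr_str))
    if mask_str.startswith("!"):
        prefix_len = int(mask_str[1:])
        if not 0 <= prefix_len <= 128:
            raise ValueError(f"bad inverted prefix length: {mask_str}")
        mask = (1 << (128 - prefix_len)) - 1  # keep only the host bits
    else:
        mask = int(ipaddress.IPv6Address(mask_str))
    # Address bits outside the mask can never influence a match; drop them so
    # '2001:db8::1/!64' and '::1/!64' denote the same rule.
    return addr & mask, mask


def to_explicit_mask(spec: str) -> str:
    """Rewrite the '/!N' shorthand as 'addr/mask' (ipaddress compresses both)."""
    value, mask = parse_host_match(spec)
    return f"{ipaddress.IPv6Address(value)}/{ipaddress.IPv6Address(mask)}"


def host_matches(packet_dst: str, spec: str) -> bool:
    """True if the host part of packet_dst equals the host part in spec,
    regardless of the (dynamic) prefix in front of it."""
    value, mask = parse_host_match(spec)
    return int(ipaddress.IPv6Address(packet_dst)) & mask == value


if __name__ == "__main__":
    rule = "::192:168:20:1/!64"
    print(to_explicit_mask(rule))
    # Constructed sample destinations: the same host under two different
    # delegated prefixes, then a different host under the first prefix.
    for dst in ("2001:db8:1:2:192:168:20:1",
                "2001:db8:ffff:5:192:168:20:1",
                "2001:db8:1:2:192:168:20:2"):
        print(dst, host_matches(dst, rule))
```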