From: <paul.guijt@gmail.com>
To: netfilter@vger.kernel.org
Subject: RE: Newbie: IPv6 equivalent of 192.168.178.0/24
Date: Sat, 10 Oct 2020 14:52:33 +0200	[thread overview]
Message-ID: <03fa01d69f04$390c20b0$ab246210$@gmail.com> (raw)
In-Reply-To: <3febcbd8-5a08-5b1d-724b-30f995d6eeca@spreadshirt.net>

Thanks for the link! 

In this I'm a newbie, though. 

I have a network at home behind a DSL router, and want to jump to LocalIN with any packet that comes from my home network. I know the first line does that with IPv4 packets, but I want to do it with IPv6 packets too. 

I realized my problem with your answer was my not understanding the terms 'Unique-Local' and 'Link-Local Unicast'. With the help of https://en.wikipedia.org/wiki/Unique_local_address I now understand that I should use fc00::/7 instead of fe::/10 (which was a mistake for fe00::/10), and similarly for the Link-Local Unicast. 

I have now 

                ip saddr 192.168.178.0/24 jump LocalIN
                ip6 saddr { fc00::/7, fe80::/10 } jump LocalIN

And trust that this set of rules does the trick. Thanks, Florian and Bernd!

Regards,
Paul 

-----Original Message-----
From: Bernd Naumann <bena@spreadshirt.net> 
Sent: Friday, October 9, 2020 3:17 PM
To: netfilter@vger.kernel.org
Subject: Re: Newbie: IPv6 equivalent of 192.168.178.0/24

On 09.10.20 14:49, paul.guijt@gmail.com wrote:
> I had
> 	add rule  inet filter input ip   saddr 192.168.178.0/24         jump LocalIN
> 	add rule  inet filter input ip6 saddr fe::/10                             jump LocalIN
> to divert all packets coming from my private network to rules in the LocalIN chain.
> 
> Nftables converts the second line into “ip6 saddr c0::/10 jump LocalIN”. FE into C0.
> Will that do what I intended? If not, what rule do you prefer?
> 
> Regards,
> Paul Guijt
> 
> 

Hi Paul,

From
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

> fc00::/7 	Unique-Local
> fe80::/10 	Link-Local Unicast

I assume you want both in your case. ULA (unique local addr) and link-local.
Or, if you do not want to allow the whole ULA space, maybe just i.e. a `/48`, like i.e. openwrt generates for you automatically.
A use case to not accept the whole fc00::/10 would be if you are connected to i.e. dn42, or other community VPNs, which make use of ULA.

Best,
Bernd
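
The prefix normalisation and the matching behaviour discussed in this thread, as an added example that is not part of the original mails (it uses Python's standard ipaddress module; the sample addresses are constructed):

```python
import ipaddress

# Prefixes from the IANA IPv6 special-purpose registry quoted above:
# Unique-Local (ULA) and Link-Local Unicast.
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
LOCAL_PREFIXES = (UNIQUE_LOCAL, LINK_LOCAL)


def normalize_prefix(text):
    """Return a prefix the way nftables stores it: host bits cleared.

    'fe::/10' is the address 00fe::; a /10 mask keeps only the top ten
    bits of 0x00fe (0000 0000 11), giving 0x00c0, hence 'c0::/10'.
    That is why nft rewrote the original rule, and why the rule never
    matched ULA or link-local sources.
    """
    return str(ipaddress.IPv6Network(text, strict=False))


def would_match(prefix_text, addr):
    """True if a source address matches 'ip6 saddr <prefix>' after
    nftables has normalised the prefix."""
    net = ipaddress.IPv6Network(prefix_text, strict=False)
    return ipaddress.IPv6Address(addr) in net


def is_local_source(addr):
    """True if addr is diverted by
    'ip6 saddr { fc00::/7, fe80::/10 } jump LocalIN'."""
    ip = ipaddress.IPv6Address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)


if __name__ == "__main__":
    # Constructed sample sources: a ULA host, a link-local host, a global one.
    for sample in ("fd12:3456:789a::1", "fe80::1", "2001:db8::1"):
        print(sample, "old fe::/10 rule:", would_match("fe::/10", sample),
              "new set:", is_local_source(sample))
```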

