Whole document tree
6. New IPv6 netfilter matches
In this section, we will attempt to explain the usage of new netfilter matches. The patches will appear in alphabetical order. Additionally, we will not explain patches that break other patches. But this might come later.
Generally speaking, for matches, you can get the help hints from a particular module by typing :
# ip6tables -m the_match_you_want --help
This would display the normal ip6tables help message, plus the specific ``the_match_you_want'' match help message at the end.
6.1 agr patch
This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds 1 new match :
- ``agr'' : lets you match the IPv6 packet based on it's addressing parameters.
This patch can be quite useful for people using EUI-64 IPv6 addressing scheme who are willing to check the packets based on the delivered address on a LAN.
For example, we will redirect the packets that have a correct EUI-64 address:
# ip6tables -N ipv6ok
# ip6tables -A INPUT -m agr -j ipv6ok
# ip6tables -A INPUT -s ! 3FFE:2F00:A0::/64 -j ipv6ok
# ip6tables -A INPUT -j LOG
# ip6tables -A ipv6ok -j ACCEPT
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ipv6ok all anywhere anywhere AGR
ipv6ok all !3ffe:2f00:a0::/64 anywhere
LOG all anywhere anywhere LOG level warning
Chain ipv6ok (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
This match hasn't got any option.
6.2 ipv6header patch
This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds a new match that allows you to match a packet based on its extension headers.
For example, let's drop the packets which have got hop-by-hop, ipv6-route headers and a protocol payload:
# ip6tables -A INPUT -m ipv6header --header hop-by-hop,ipv6-route,protocol -j DROP
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ipv6header flags:hop-by-hop,ipv6-route,protocol
And now, let's drop the packets which have got an ipv6-route extension header:
# ip6tables -A INPUT -m ipv6header --header ipv6-route --soft -j DROP
# ip6ptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ipv6header flags:ipv6-route soft
Supported options for the ipv6header match are :
- [!] --header headers
-> You can specify the interested headers with this option. Accepted formats:
- hop,dst,route,frag,auth,esp,none,proto
- hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
- 0,60,43,44,51,50,59
- --soft
-> You can specify the soft mode: in this mode the match checks the existance of the header, not the full match!
6.3 ipv6-ports patch
This patch by Jan Rekorajski <baggins@pld.org.pl> adds 4 new matches :
- ``limit'' : lets you to restrict the number of parallel TCP connections from a particular host or network.
- ``mac'' : lets you match a packet based on its MAC address.
- ``multiport'' : lets you to specify ports with a mix of port-ranges and single ports for UDP and TCP protocols.
- ``owner'' : lets you match a packet based on its originator process' owner id.
These matches are the ports of the IPv4 versions. See the main documentation for the details!
6.4 length patch
This patch by Imran Patel <ipatel@crosswinds.net> adds a new match that allows you to match a packet based on its length. (This patch is shameless adaption from the IPv4 match written by James Morris <jmorris@intercode.com.au>)
For example, let's drop all the pings with a packet size greater than 85 bytes :
# ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m length --length 85:0xffff -j DROP
# ip6ptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP ipv6-icmp -- anywhere anywhere ipv6-icmp echo-request length 85:65535
Supported options for the length match are :
- [!] --length length[:length]
-> Match packet length against value or range of values (inclusive)
Values of the range not present will be implied. The implied value for minimum is 0, and for maximum is 65535.
Next Previous Contents