Date:   Fri, 5 Aug 2022 03:09:29 +0500
From:   Roman Mamedov <rm@...anrm.net>
To:     netdev@...r.kernel.org
Subject: [iproute2] Rightmost part IPv6 address masking?

Hello,

ip6tables supports the little-known format to mask the rightmost part of an
IPv6 address:

# ip6tables -A FORWARD -d ::a:b:c:d/::ffff:ffff:ffff:ffff -j ACCEPT

would match any IP which ends with the specified sequence, i.e.:
*:*:*:*:a:b:c:d. This is really useful in cases where the ISP provides a
dynamic IPv6 prefix, or there are prefixes from multiple ISPs in a LAN.

However in iproute2 there is no such support for "ip rule": 

# ip -6 rule add from ::a:b:c:d/::ffff:ffff:ffff:ffff lookup main
Error: inet6 prefix is expected rather than "::a:b:c:d/::ffff:ffff:ffff:ffff".

I suppose the iproute2 developers might be reading this, so could you please
consider adding support for masks like these? Aside from that, would you
reckon there's a limitation which would prevent this kind of mask from
working on the kernel side?

Or maybe anyone can suggest the proper way to specify this for "ip rule" which
is supported currently?

Thanks

-- 
With respect,
Roman
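
The suffix match described in the message above, as an added example that is not part of the original post: it evaluates an `addr/mask` specification in the same textual form as the ip6tables rule and checks whether a mask can be written as a prefix length at all. The function names and the sample addresses (documentation and ULA prefixes) are constructed for illustration.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1

def parse_match(spec):
    """Parse 'addr', 'addr/plen' or 'addr/mask' into (masked_addr, mask) integers."""
    addr_s, _, mask_s = spec.partition("/")
    addr = int(ipaddress.IPv6Address(addr_s))
    if not mask_s:
        mask = ALL_ONES                      # bare address: exact match
    elif mask_s.isdigit():
        plen = int(mask_s)
        if plen > 128:
            raise ValueError("prefix length out of range")
        mask = (ALL_ONES << (128 - plen)) & ALL_ONES
    else:
        mask = int(ipaddress.IPv6Address(mask_s))   # full mask, any bit pattern
    return addr & mask, mask

def matches(spec, candidate):
    """True if candidate equals the rule address on every bit set in the mask."""
    addr, mask = parse_match(spec)
    return (int(ipaddress.IPv6Address(candidate)) & mask) == addr

def prefix_length(mask):
    """Prefix length if the mask is contiguous leading ones, otherwise None."""
    inverted = mask ^ ALL_ONES
    if inverted & (inverted + 1):            # host part must look like 2**k - 1
        return None
    return 128 - inverted.bit_length()

if __name__ == "__main__":
    rule = "::a:b:c:d/::ffff:ffff:ffff:ffff"
    # Constructed sample addresses: same interface ID under two different prefixes.
    for cand in ("2001:db8:1:2:a:b:c:d", "fd00:1234:5678:9:a:b:c:d",
                 "2001:db8:1:2:a:b:c:e"):
        print(cand, matches(rule, cand))
    print("as prefix length:", prefix_length(parse_match(rule)[1]))
```

The last line prints `None` for the suffix mask: it has no prefix-length equivalent, so a rule written this way cannot be reduced to a single `addr/len` match.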
