Hi,
I'd like the option to simply provide the subnet and the 64-bit host portion when setting entries in the IPv6 firewall. At router boot time the assigned IPv6 prefix could be concatenated with the subnet and 64-bit host portion and the resulting rules entered into ip6tables. To me this makes more sense than hard coding a network prefix that can change. In general, when stateless autoconfiguration is used, the 64-bit right-hand side of a host's IPv6 address is automatically generated from the interface's Ethernet address in a deterministic fashion, i.e. it does not change. Thus, combined with the prefix and possible subnet, it becomes the permanent IPv6 address of the host for long-lived servers etc.
For example suppose my ISP assigns a /64 IPv6 network prefix of:
2601:646:c100:3d9e
I provide an entry in the IPv6 firewall table of my /64 host address
5d68:596:ec63:51a7 together with port number 2107 specifying the TCP protocol (subnet is length 0)
I'd like a rule to be generated at router bootup time to add the following entry to ip6tables Chain FORWARD:
ACCEPT tcp anywhere 2601:646:c100:3d9e:5d68:596:ec63:51a7/128 state NEW tcp dpt:2107
There would need to be some logic to handle the case where bitssizeof(network) + bitssizeof(subnet) + bitssizeof(host) != 128. Certainly the subnet could be padded with zeros if the resulting bit string was too small.
Overall this accomplishes the same thing for IPv6 as port forwarding accomplishes for IPv4 with the same degree of permanence.
I guess as a workaround it is possible to create a script that does the same thing and store it in jffs, but I have not figured out how to do this yet. The other alternative is to use stateful DHCPv6 address assignment, but one presumably still runs into the prefix change issue.
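The prefix + subnet + host concatenation described in the post, with the != 128 padding case handled, as an added example (not code from the post or from the router firmware). It assumes the subnet id is placed in the bits directly above the 64-bit interface identifier and zero-padded above that; the generated argument list is the ip6tables command whose listing matches the FORWARD entry quoted above.

```python
import ipaddress

HOST_BITS = 64  # a SLAAC interface identifier is always 64 bits


def compose_address(prefix: str, prefix_len: int, subnet: int, subnet_bits: int,
                    host: str) -> ipaddress.IPv6Address:
    """Concatenate <delegated prefix> | <subnet id> | <64-bit host portion> into a /128.

    prefix is given as its leading groups (e.g. '2601:646:c100:3d9e'), host as its
    trailing groups (e.g. '5d68:596:ec63:51a7'), mirroring the post's notation.
    """
    if prefix_len + subnet_bits + HOST_BITS > 128:
        raise ValueError("prefix + subnet + host exceed 128 bits")
    if subnet >> subnet_bits:
        raise ValueError("subnet id does not fit in subnet_bits")
    prefix_int = int(ipaddress.IPv6Address(prefix if "::" in prefix else prefix + "::"))
    # Drop any bits beyond the delegated prefix length the ISP actually assigned.
    prefix_int &= ((1 << prefix_len) - 1) << (128 - prefix_len)
    host_int = int(ipaddress.IPv6Address("::" + host))
    if host_int >> HOST_BITS:
        raise ValueError("host portion is longer than 64 bits")
    # The gap between prefix and host is filled with zeros; the subnet id occupies
    # its low bits (assumption), so a too-short subnet is implicitly zero-padded.
    return ipaddress.IPv6Address(prefix_int | (subnet << HOST_BITS) | host_int)


def forward_rule(addr: ipaddress.IPv6Address, proto: str, port: int) -> list[str]:
    """Build the ip6tables command for one inbound allow on the FORWARD chain."""
    return ["ip6tables", "-A", "FORWARD", "-p", proto, "-d", f"{addr}/128",
            "--dport", str(port), "-m", "state", "--state", "NEW", "-j", "ACCEPT"]


if __name__ == "__main__":
    # Values from the post: /64 prefix, subnet length 0, TCP port 2107.
    target = compose_address("2601:646:c100:3d9e", 64, 0, 0, "5d68:596:ec63:51a7")
    print(" ".join(forward_rule(target, "tcp", 2107)))
```

On a prefix change only the first argument changes, so a boot-time script can rebuild every rule from the stored subnet and host portions alone.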