Next Previous Contents

6. New IPv6 netfilter matches

In this section, we will attempt to explain the usage of new netfilter matches. The patches will appear in alphabetical order. Additionally, we will not explain patches that break other patches. But this might come later.

Generally speaking, for matches, you can get the help hints from a particular module by typing :

# ip6tables -m the_match_you_want --help

This would display the normal ip6tables help message, plus the specific ``the_match_you_want'' match help message at the end.

6.1 agr patch

This patch by Andras Kis-Szabo <[email protected]> adds 1 new match :

This patch can be quite useful for people using EUI-64 IPv6 addressing scheme who are willing to check the packets based on the delivered address on a LAN.

For example, we will redirect the packets that have a correct EUI-64 address:

# ip6tables -N ipv6ok
# ip6tables -A INPUT -m eui64 -j ipv6ok
# ip6tables -A INPUT -s ! 3FFE:2F00:A0::/64 -j ipv6ok
# ip6tables -A INPUT -j LOG
# ip6tables -A ipv6ok -j ACCEPT

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ipv6ok     all      anywhere             anywhere           eui64 
ipv6ok     all     !3ffe:2f00:a0::/64    anywhere           
LOG        all      anywhere             anywhere           LOG level warning 

Chain ipv6ok (2 references)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere           

This match hasn't got any option.

6.2 ahesp6 patch

This patch by Andras Kis-Szabo <[email protected]> adds a new match that allows you to match a packet based on its ah and esp headers' content. The name of the matches:

For example, we will drop all the AH packets that have a SPI equal to 500, and check the contents of the restricted area in the header :

# ip6tables -A INPUT -m ah --ahspi 500 --ahres -j DROP

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           ah spi:500 reserved

Supported options for the ah match are :

--ahspi [!] spi[:spi]

-> match spi (range)

--ahlen [!] length

-> length ot this header

--ahres

-> checks the contents of the reserved field

The esp match works exactly the same as in IPv4 :

# ip6tables -A INPUT -m esp --espspi 500 -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           esp spi:500 

Supported options for the esp match are :

--espspi [!] spi[:spi]

-> match spi (range)

In IPv6 these matches can be concatenated:

# ip6tables -A INPUT -m ah --ahspi 500 --ahres --ahlen ! 40 -m esp --espspi 500 -j DROP

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           ah spi:500 length:!40 reserved esp spi:500

6.3 frag6 patch

This patch by Andras Kis-Szabo <[email protected]> adds a new match that allows you to match a packet based on the content of its fragmentation header. The name of the match:

For example, we will drop all the packets that have an ID between 100 and 200, and the packet is the first fragment :

# ip6tables -A INPUT -m frag --fragid 100:200 --fragfirst -j DROP

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           frag ids:100:200 first

Supported options for the frag match are :

--fragid [!] id[:id]

-> match the id (range) of the fragmenation

--fraglen [!] length

-> match total length of this header

--fragres

-> checks the contents of the reserved field

--fragfirst

-> matches on the first fragment

--fragmore

-> there are more fragments

--fraglast

-> this is the last fragment

6.4 ipv6header patch

This patch by Andras Kis-Szabo <[email protected]> adds a new match that allows you to match a packet based on its extension headers. The name of the match:

For example, let's drop the packets which have got hop-by-hop, ipv6-route headers and a protocol payload:

# ip6tables -A INPUT -m ipv6header --header hop-by-hop,ipv6-route,protocol -j DROP

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           ipv6header flags:hop-by-hop,ipv6-route,protocol

And now, let's drop the packets which have got an ipv6-route extension header:

# ip6tables -A INPUT -m ipv6header --header ipv6-route --soft -j DROP

# ip6ptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           ipv6header flags:ipv6-route soft

Supported options for the ipv6header match are :

[!] --header headers

-> You can specify the interested headers with this option. Accepted formats:

--soft

-> You can specify the soft mode: in this mode the match checks the existence of the header, not the full match!

6.5 ipv6-ports patch

This patch by Jan Rekorajski <[email protected]> adds 4 new matches :

These matches are the ports of the IPv4 versions. See the main documentation for the details!

6.6 length patch

This patch by Imran Patel <[email protected]> adds a new match that allows you to match a packet based on its length. (This patch is shameless adaption from the IPv4 match written by James Morris <[email protected]>)

For example, let's drop all the pings with a packet size greater than 85 bytes :

# ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m length --length 85:0xffff -j DROP

# ip6ptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       ipv6-icmp --  anywhere             anywhere           ipv6-icmp echo-request length 85:65535

Supported options for the length match are :

[!] --length length[:length]

-> Match packet length against value or range of values (inclusive)

Values of the range not present will be implied. The implied value for minimum is 0, and for maximum is 65535.

6.7 route6 patch

This patch by Andras Kis-Szabo <[email protected]> adds a new match that allows you to match a packet based on the content of its routing header. The name of the match:

For example, we will drop all the packets that have 0 routing type, the packet is near the last hop (max 2 hops far), the routing path contains ::1 and ::2 (but not exactly):

# ip6tables -A INPUT -m rt --rt-type 0 --rt-segsleft :2 --rt-0-addrs ::1,::2 --rt-0-not-strict -j DROP

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           rt type:0 segslefts:0:2 0-addrs ::1,::2 0-not-strict

Supported options for the rt match are :

--rt-type [!] type

-> matches the type

--rt-segsleft [!] num[:num]

-> matches the Segments Left field (range)

--rt-len [!] length

-> total length of this header

--rt-0-res

-> checks the contents of the reserved field

--rt-0-addrs ADDR[,ADDR...]

-> Type=0 addresses (list, max: 16)

--rt-0-not-strict

-> List of Type=0 addresses not a strict list


Next Previous Contents