/usr/share/doc/iptables-dev/html/netfilter-extensions-HOWTO-6.html is in iptables-dev 1.4.12-1ubuntu4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.66">
<TITLE>Netfilter Extensions HOWTO: New IPv6 netfilter matches</TITLE>
<LINK HREF="netfilter-extensions-HOWTO-7.html" REL=next>
<LINK HREF="netfilter-extensions-HOWTO-5.html" REL=previous>
<LINK HREF="netfilter-extensions-HOWTO.html#toc6" REL=contents>
</HEAD>
<BODY>
<A HREF="netfilter-extensions-HOWTO-7.html">Next</A>
<A HREF="netfilter-extensions-HOWTO-5.html">Previous</A>
<A HREF="netfilter-extensions-HOWTO.html#toc6">Contents</A>
<HR>
<H2><A NAME="s6">6.</A> <A HREF="netfilter-extensions-HOWTO.html#toc6">New IPv6 netfilter matches</A></H2>
<P>In this section, we will attempt to explain the usage of new netfilter matches.
The patches will appear in alphabetical order. Additionally, we will not explain
patches that break other patches. But this might come later.</P>
<P>Generally speaking, for matches, you can get the help hints from a particular
module by typing :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -m the_match_you_want --help
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>This would display the normal ip6tables help message, plus the specific
``the_match_you_want'' match help message at the end.</P>
<H2><A NAME="ss6.1">6.1</A> <A HREF="netfilter-extensions-HOWTO.html#toc6.1">agr patch</A>
</H2>
<P>This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds 1 new match :</P>
<P>
<UL>
<LI>``eui64'' : lets you match the IPv6 packet based on it's addressing parameters.</LI>
</UL>
</P>
<P>This patch can be quite useful for people using EUI-64 IPv6 addressing scheme
who are willing to check the packets based on the delivered address on a LAN.</P>
<P>For example, we will redirect the packets that have a correct EUI-64 address:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -N ipv6ok
# ip6tables -A INPUT -m eui64 -j ipv6ok
# ip6tables -A INPUT -s ! 3FFE:2F00:A0::/64 -j ipv6ok
# ip6tables -A INPUT -j LOG
# ip6tables -A ipv6ok -j ACCEPT
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ipv6ok all anywhere anywhere eui64
ipv6ok all !3ffe:2f00:a0::/64 anywhere
LOG all anywhere anywhere LOG level warning
Chain ipv6ok (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>This match hasn't got any option.</P>
<H2><A NAME="ss6.2">6.2</A> <A HREF="netfilter-extensions-HOWTO.html#toc6.2">ahesp6 patch</A>
</H2>
<P>This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds a new match
that allows you to match a packet based on its ah and esp headers' content.
The name of the matches:
<UL>
<LI>``ah'' : lets you match the IPv6 packet based on its ah header.</LI>
<LI>``esp'' : lets you match the IPv6 packet based on its esp header.</LI>
</UL>
</P>
<P>For example, we will drop all the AH packets that have a SPI equal to
500, and check the contents of the restricted area in the header :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -A INPUT -m ah --ahspi 500 --ahres -j DROP
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ah spi:500 reserved
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the ah match are :</P>
<P>
<DL>
<DT><B>--ahspi [!] spi[:spi]</B><DD>
<P>-> match spi (range)</P>
<DT><B>--ahlen [!] length</B><DD>
<P>-> length ot this header</P>
<DT><B>--ahres </B><DD>
<P>-> checks the contents of the reserved field</P>
</DL>
</P>
<P>The esp match works exactly the same as in IPv4 :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -A INPUT -m esp --espspi 500 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere esp spi:500
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the esp match are :</P>
<P>
<DL>
<DT><B>--espspi [!] spi[:spi]</B><DD>
<P>-> match spi (range)</P>
</DL>
</P>
<P>In IPv6 these matches can be concatenated:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -A INPUT -m ah --ahspi 500 --ahres --ahlen ! 40 -m esp --espspi 500 -j DROP
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ah spi:500 length:!40 reserved esp spi:500
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H2><A NAME="ss6.3">6.3</A> <A HREF="netfilter-extensions-HOWTO.html#toc6.3">frag6 patch</A>
</H2>
<P>This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds a new match
that allows you to match a packet based on the content of its fragmentation
header.
The name of the match:
<UL>
<LI>``frag'' : lets you match the IPv6 packet based on its fragmentation
header.</LI>
</UL>
</P>
<P>For example, we will drop all the packets that have an ID between 100 and 200,
and the packet is the first fragment :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -A INPUT -m frag --fragid 100:200 --fragfirst -j DROP
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere frag ids:100:200 first
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the frag match are :</P>
<P>
<DL>
<DT><B>--fragid [!] id[:id]</B><DD>
<P>-> match the id (range) of the fragmenation</P>
<DT><B>--fraglen [!] length</B><DD>
<P>-> match total length of this header</P>
<DT><B>--fragres</B><DD>
<P>-> checks the contents of the reserved field</P>
<DT><B>--fragfirst</B><DD>
<P>-> matches on the first fragment</P>
<DT><B>--fragmore</B><DD>
<P>-> there are more fragments</P>
<DT><B>--fraglast</B><DD>
<P>-> this is the last fragment</P>
</DL>
</P>
<H2><A NAME="ss6.4">6.4</A> <A HREF="netfilter-extensions-HOWTO.html#toc6.4">ipv6header patch</A>
</H2>
<P>This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds a new match
that allows you to match a packet based on its extension headers.
The name of the match:
<UL>
<LI>``ipv6header'' : lets you match the IPv6 packet based on its headers.</LI>
</UL>
</P>
<P>For example, let's drop the packets which have got hop-by-hop, ipv6-route
headers and a protocol payload:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -A INPUT -m ipv6header --header hop-by-hop,ipv6-route,protocol -j DROP
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ipv6header flags:hop-by-hop,ipv6-route,protocol
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>And now, let's drop the packets which have got an ipv6-route extension header:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -A INPUT -m ipv6header --header ipv6-route --soft -j DROP
# ip6ptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ipv6header flags:ipv6-route soft
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the ipv6header match are :
<DL>
<DT><B>[!] --header headers</B><DD>
<P>-> You can specify the interested
headers with this option. Accepted formats:
<UL>
<LI>hop,dst,route,frag,auth,esp,none,proto</LI>
<LI>hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol</LI>
<LI>0,60,43,44,51,50,59</LI>
</UL>
</P>
<DT><B>--soft</B><DD>
<P>-> You can specify the soft mode: in this mode
the match checks the existance of the header, not the full match!</P>
</DL>
</P>
<H2><A NAME="ss6.5">6.5</A> <A HREF="netfilter-extensions-HOWTO.html#toc6.5">ipv6-ports patch</A>
</H2>
<P>This patch by Jan Rekorajski <baggins@pld.org.pl> adds 4 new matches :</P>
<P>
<UL>
<LI>``limit'' : lets you to restrict the number of parallel TCP connections from a particular host or network.</LI>
<LI>``mac'' : lets you match a packet based on its MAC address.</LI>
<LI>``multiport'' : lets you to specify ports with a mix of port-ranges and single ports for UDP and TCP protocols.</LI>
<LI>``owner'' : lets you match a packet based on its originator process' owner id.</LI>
</UL>
</P>
<P>These matches are the ports of the IPv4 versions. See the main documentation for the details!</P>
<H2><A NAME="ss6.6">6.6</A> <A HREF="netfilter-extensions-HOWTO.html#toc6.6">length patch</A>
</H2>
<P>This patch by Imran Patel <ipatel@crosswinds.net> adds a new match
that allows you to match a packet based on its length. (This patch is shameless adaption from the
IPv4 match written by James Morris <jmorris@intercode.com.au>)</P>
<P>For example, let's drop all the pings with a packet size greater than
85 bytes :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m length --length 85:0xffff -j DROP
# ip6ptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP ipv6-icmp -- anywhere anywhere ipv6-icmp echo-request length 85:65535
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the length match are :</P>
<P>
<DL>
<DT><B>[!] --length length[:length]</B><DD>
<P>-> Match packet length
against value or range of values (inclusive)</P>
</DL>
</P>
<P>Values of the range not present will be implied. The implied value for minimum
is 0, and for maximum is 65535.</P>
<H2><A NAME="ss6.7">6.7</A> <A HREF="netfilter-extensions-HOWTO.html#toc6.7">route6 patch</A>
</H2>
<P>This patch by Andras Kis-Szabo <kisza@sch.bme.hu> adds a new match
that allows you to match a packet based on the content of its routing
header.
The name of the match:
<UL>
<LI>``rt'' : lets you match the IPv6 packet based on its routing
header.</LI>
</UL>
</P>
<P>For example, we will drop all the packets that have 0 routing type, the packet
is near the last hop (max 2 hops far), the routing path contains ::1 and ::2
(but not exactly):</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# ip6tables -A INPUT -m rt --rt-type 0 --rt-segsleft :2 --rt-0-addrs ::1,::2 --rt-0-not-strict -j DROP
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0 segslefts:0:2 0-addrs ::1,::2 0-not-strict
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Supported options for the rt match are :</P>
<P>
<DL>
<DT><B>--rt-type [!] type</B><DD>
<P>-> matches the type</P>
<DT><B>--rt-segsleft [!] num[:num]</B><DD>
<P>-> matches the Segments Left field (range)</P>
<DT><B>--rt-len [!] length</B><DD>
<P>-> total length of this header</P>
<DT><B>--rt-0-res</B><DD>
<P>-> checks the contents of the reserved field</P>
<DT><B>--rt-0-addrs ADDR[,ADDR...]</B><DD>
<P>-> Type=0 addresses (list, max: 16)</P>
<DT><B>--rt-0-not-strict</B><DD>
<P>-> List of Type=0 addresses not a strict list</P>
</DL>
</P>
<HR>
<A HREF="netfilter-extensions-HOWTO-7.html">Next</A>
<A HREF="netfilter-extensions-HOWTO-5.html">Previous</A>
<A HREF="netfilter-extensions-HOWTO.html#toc6">Contents</A>
</BODY>
</HTML>
|