Linux - filtering IPv6 Traffic

Posted in How To's by Shafkat Shahzad, M.Sc on March 7th, 2010

Welcome to the tutorial guide. The guide will provide a user with guidance and instructions on filtering IPv6 traffic.

A user should know that the Routing Policy Database (RPDB) replaced the IPv4 routing and addressing structure within the Linux Kernel. The IPv6 structure within Linux was implemented outside of this core structure. Although they do share some facilities, the essential RPDB structure does not participate in or with the IPv6 addressing and routing structures.

Marking IPv6 packets using ip6tables

ip6tables is able to mark a packet and assign a number to it:
# ip6tables -A PREROUTING -i eth0 -t mangle -p tcp -j MARK --set-mark 1
Please note that this will not help, as the packet will not pass through the RPDB structure.

Using the u32 selector to match IPv6 packets

IPv6 is normally encapsulated in a SIT tunnel and transported over IPv4 networks.
The following filter matches all IPv6 encapsulated in IPv4 packets:
# tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \
    match ip protocol 41 0xff flowid 42:42
Assume that the IPv6 packets are sent out over IPv4 and that the IPv4 headers have no options set. The following filter then matches ICMPv6 in IPv6 in IPv4 with no options. 0x3a (58) is the Next-Header type for ICMPv6.
# tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \
    match ip protocol 41 0xff \
    match u8 0x05 0x0f at 0 \
    match u8 0x3a 0xff at 26 \
    flowid 42:42
Matching the destination IPv6 address is a bit more work. The following filter matches on the destination address 3ffe:202c:ffff:32:230:4fff:fe08:358d:
# tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \
    match ip protocol 41 0xff \
    match u8 0x05 0x0f at 0 \
    match u8 0x3f 0xff at 44 \
    match u8 0xfe 0xff at 45 \
    match u8 0x20 0xff at 46 \
    match u8 0x2c 0xff at 47 \
    match u8 0xff 0xff at 48 \
    match u8 0xff 0xff at 49 \
    match u8 0x00 0xff at 50 \
    match u8 0x32 0xff at 51 \
    match u8 0x02 0xff at 52 \
    match u8 0x30 0xff at 53 \
    match u8 0x4f 0xff at 54 \
    match u8 0xff 0xff at 55 \
    match u8 0xfe 0xff at 56 \
    match u8 0x08 0xff at 57 \
    match u8 0x35 0xff at 58 \
    match u8 0x8d 0xff at 59 \
    flowid 10:13
The same technique can be used to match subnets, for example 2001:: :
# tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \
    match ip protocol 41 0xff \
    match u8 0x05 0x0f at 0 \
    match u8 0x20 0xff at 28 \
    match u8 0x01 0xff at 29 \
    flowid 10:13
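
Writing sixteen byte matches by hand is error-prone, so here is a small generator for the filters above, added as an example and not part of the original guide. It assumes the same option-free 20-byte IPv4 header, puts the IPv6 source address at offset 28 and the destination at offset 44, and goes beyond the guide by also handling prefix lengths that do not end on a byte boundary; the function names are hypothetical.

```python
import ipaddress

IPV4_HDR_LEN = 20  # IHL 5: IPv4 header without options, as the guide assumes
# Offsets of the address fields inside the IPv6 header (RFC 8200 layout)
FIELD_OFFSET = {"src": IPV4_HDR_LEN + 8, "dst": IPV4_HDR_LEN + 24}


def u32_matches(prefix, field="dst"):
    """Return the 'match u8 VALUE MASK at OFFSET' clauses for an IPv6 prefix."""
    if field not in FIELD_OFFSET:
        raise ValueError("field must be 'src' or 'dst'")
    # strict=True rejects prefixes with host bits set (e.g. 2001:db8::1/64),
    # which is usually a mistyped prefix rather than an intended match.
    net = ipaddress.IPv6Network(prefix, strict=True)
    base = FIELD_OFFSET[field]
    clauses = []
    for i, (value, mask) in enumerate(zip(net.network_address.packed,
                                          net.netmask.packed)):
        if mask == 0:
            break  # bytes beyond the prefix length are not compared
        clauses.append(f"match u8 0x{value:02x} 0x{mask:02x} at {base + i}")
    return clauses


def tc_filter(prefix, flowid, field="dst", dev="$DEV", parent="10:0", prio=10):
    """Build the complete tc command for IPv6-in-IPv4 (protocol 41) traffic."""
    parts = [
        f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32",
        "match ip protocol 41 0xff",   # outer IPv4 packet carries IPv6
        "match u8 0x05 0x0f at 0",     # IHL == 5, so the offsets below hold
    ]
    parts += u32_matches(prefix, field)
    parts.append(f"flowid {flowid}")
    return " \\\n    ".join(parts)


if __name__ == "__main__":
    # The guide's destination-address example, then its 2001:: subnet example
    print(tc_filter("3ffe:202c:ffff:32:230:4fff:fe08:358d", "10:13"))
    print(tc_filter("2001::/16", "10:13", field="src"))
```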

If you followed this advice and guidance, then you will have learnt about filtering IPv6 traffic.
