
Re: ip6tables rule being rejected.



	Hi.

On Sun, Oct 10, 2021 at 12:06:25PM +0100, Tim Woodall wrote:
> When I try to add the following rule:
> 
> # ip6tables -t nat -A POSTROUTING -s 2001::/64 -d ! 2001:1::/64 -j ACCEPT
> Bad argument `2001:1::/64'
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> 
> It is rejected.

As it should. This is the correct one:

ip6tables -t nat -A POSTROUTING -s 2001::/64 ! -d 2001:1::/64 -j ACCEPT

It's a known quirk of iptables - you apply inversion *before* the test,
not *inside* of it.

> And there is no problem
> 
> The manpage suggests that it should work:
> d, --destination [!] address[/mask]

My instance of the same manpage states differently:

[!] -d, --destination address[/mask][,...]

But I'm using current stable, I'm unsure how this quirk was documented
before, but it behaved this way for two major Debian releases, maybe
more.

Reco
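
The following is an added example, not part of the original message: a small shell helper for migrating old firewall scripts from the legacy `OPTION ! VALUE` form to the `! OPTION VALUE` form described above. The function name `fix_inversion` is hypothetical, it only handles the source, destination, protocol and interface options, and it assumes rule lines made of plain whitespace-separated tokens with no shell quoting.

```shell
#!/bin/sh
# Added example: rewrite legacy "OPTION ! VALUE" into "! OPTION VALUE"
# for the address/protocol/interface options of iptables and ip6tables.
# Lines that already use the accepted form pass through unchanged.
fix_inversion() {
    # $1: one rule command line (simple whitespace-separated tokens)
    out=""
    set -f              # disable globbing while the rule is word-split
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|--source|-d|--destination|-p|--protocol|-i|--in-interface|-o|--out-interface)
                # Legacy placement: the "!" sits between option and value.
                if [ "${2-}" = "!" ] && [ $# -ge 3 ]; then
                    out="$out ! $1 $3"
                    shift 3
                    continue
                fi
                ;;
        esac
        out="$out $1"
        shift
    done
    printf '%s\n' "${out# }"
}

# The rejected rule from the thread, rewritten to the accepted form.
fix_inversion 'ip6tables -t nat -A POSTROUTING -s 2001::/64 -d ! 2001:1::/64 -j ACCEPT'
```

The helper only prints the rewritten line; review the output before loading it into a live rule set.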

