On Sun, Oct 10, 2021 at 12:06:25PM +0100, Tim Woodall wrote:
When I try to add the following rule:
# ip6tables -t nat -A POSTROUTING -s 2001::/64 -d ! 2001:1::/64 -j ACCEPT
Bad argument `2001:1::/64'
Try `ip6tables -h' or 'ip6tables --help' for more information.
It is rejected.
As it should. This is the correct one:
ip6tables -t nat -A POSTROUTING -s 2001::/64 ! -d 2001:1::/64 -j ACCEPT
It's a known quirk of iptables - you apply inversion *before* the test,
not *inside* of it.
And there is no problem
The manpage suggests that it should work:
-d, --destination [!] address[/mask]
My instance of the same manpage states differently:
[!] -d, --destination address[/mask][,...]
But I'm using current stable, I'm unsure how this quirk was documented
before, but it behaved this way for two major Debian releases, maybe
more.
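
The following is an added example, not part of the original message: a small filter for rule scripts written in the old style, moving a trailing "!" in front of the option as in the corrected rule above. The function name fix_inversion and the list of options it handles are assumptions chosen for this example.

```sh
#!/bin/sh
# fix_inversion (hypothetical helper): read iptables/ip6tables rule lines on
# stdin and rewrite the legacy "OPTION ! VALUE" form to "! OPTION VALUE".
# Lines that already use the accepted form pass through unchanged; runs of
# whitespace are collapsed to single spaces.
fix_inversion() {
    awk '
    BEGIN {
        # Options handled here (scope chosen for this example).
        n = split("-s --source -d --destination -i --in-interface " \
                  "-o --out-interface -p --protocol", o, " ")
        for (k = 1; k <= n; k++) inv[o[k]] = 1
    }
    {
        out = ""
        for (i = 1; i <= NF; i++) {
            sep = (out == "" ? "" : " ")
            if (i + 2 <= NF && ($i in inv) && $(i + 1) == "!") {
                # Legacy placement: put the "!" before the option.
                out = out sep "! " $i " " $(i + 2)
                i += 2
            } else {
                out = out sep $i
            }
        }
        print out
    }'
}

# Sample input: the rejected rule and the accepted rule from the thread.
fix_inversion <<'EOF'
ip6tables -t nat -A POSTROUTING -s 2001::/64 -d ! 2001:1::/64 -j ACCEPT
ip6tables -t nat -A POSTROUTING -s 2001::/64 ! -d 2001:1::/64 -j ACCEPT
EOF
```

Review the rewritten lines before loading them, since moving the "!" changes nothing about which traffic the rule matches but a typo elsewhere in an old script will still be rejected.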