ip6tables - create a set of IPv6 address to block

Question

I'm using ipset for containing and matching a sets of IPv4 and it works great! I tried to do the same with IPv6 addresses and ran with errors.

I have a IPv6.cidr file that contains IPv6 addresses and a subnet mask:

2A03:C2C0::/32
2A03:C6C0::/32
...

I want to block any IPv6 that matches this list.

When I run this script:

sudo ipset -N v6 hash:ip family inet6 -exist
sudo ipset -F v6
for net in `cat IPv6.cidr`
do
    sudo ipset -A v6 $net
done

ipset returns an error:

ipset v7.5: Syntax error: plain IP address must be supplied: 2A03:C2C0::/32

It appears that ipset doesn't work for IPv6 subnet masks.

Is there any other set module that support IPv6?

score 2 · Accepted Answer · answered Dec 14 '21 at 21:39

You’re using the wrong set type. hash:ip is for “IP host addresses” (or networks, but only of fixed prefix length). You don’t have host addresses, you have networks, possibly of varying prefix length. As such, you want to use hash:net:

$ ipset create foo hash:net family inet6
$ ipset add foo 2A03:C2C0::/32
$ ipset test foo 2A03:C2C0::123
2a03:c2c0::123 is in set foo.

ip6tables - create a set of IPv6 address to block

1 Answers1