Hi.

On Sun, Oct 10, 2021 at 12:06:25PM +0100, Tim Woodall wrote:
> When I try to add the following rule:
>
> # ip6tables -t nat -A POSTROUTING -s 2001::/64 -d ! 2001:1::/64 -j ACCEPT
> Bad argument `2001:1::/64'
> Try `ip6tables -h' or 'ip6tables --help' for more information.
>
> It is rejected.

As it should. This is the correct one:

ip6tables -t nat -A POSTROUTING -s 2001::/64 ! -d 2001:1::/64 -j ACCEPT

It's a known quirk of iptables - you apply inversion *before* the test,
not *inside* of it.

> And there is no problem
>
> The manpage suggests that it should work:
> d, --destination [!] address[/mask]

My instance of the same manpage states differently:

[!] -d, --destination address[/mask][,...]

But I'm using current stable, I'm unsure how this quirk was documented
before, but it behaved this way for two major Debian releases, maybe
more.

Reco
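
An added example, not part of the message above and not code from the iptables project: a POSIX shell filter that audits a firewall script for the rejected `OPTION ! VALUE` inversion and rewrites it to the `! OPTION VALUE` form shown in the reply. The function names, the `LEGACY_RE` pattern and the set of options it covers are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Options covered: -s/-d/-i/-o/-p and their long forms (an assumption;
# extend LEGACY_RE for other options that accept "!").

LEGACY_RE='(^|[[:space:]])(-[sdiop]|--(source|src|destination|dst|in-interface|out-interface|protocol))[[:space:]]+![[:space:]]+'

# has_legacy_inversion: succeeds if stdin contains the rejected
# "OPTION ! VALUE" form, printing the offending lines with line numbers.
has_legacy_inversion() {
    grep -nE -- "$LEGACY_RE"
}

# fix_inversion: rewrite "OPTION ! VALUE" to "! OPTION VALUE" on each line,
# leaving lines that already use the accepted form untouched.
fix_inversion() {
    sed -E "s/$LEGACY_RE/\\1! \\2 /g"
}

# Constructed sample rules file: line 1 is the rule quoted in the thread,
# line 2 already uses the accepted form.
SAMPLE_RULES='ip6tables -t nat -A POSTROUTING -s 2001::/64 -d ! 2001:1::/64 -j ACCEPT
ip6tables -t nat -A POSTROUTING -s 2001::/64 ! -d 2001:1::/64 -j ACCEPT'
```

Running the audit before loading a ruleset catches the rejected form up front, instead of leaving a firewall script that aborts partway with only some of its rules applied.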