Suppose I have this configuration on IPv4 right now:
My router (a Linux box) is connected to the Internet on eth0 and my LAN on eth1. I want to forward port 80 to 10.1.2.3. Here's how I'd currently do that:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to 10.1.2.3
iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
Now I want to do the equivalent on IPv6. Suppose I have the same configuration as before, with these changes:
My ISP gives my router the range 2001:db8:aaaa::/64 via prefix delegation. My router takes 2001:db8:aaaa::1 for itself on eth1 and gives 2001:db8:aaaa::123 to the host that I want port 80 open on.
NAT is no longer necessary in the IPv6 case, so all I need is a firewall rule to allow the traffic. Here's the rule I can think of to do that:
ip6tables -A FORWARD -i eth0 -d 2001:db8:aaaa::123 -p tcp -m tcp --dport 80 -j ACCEPT
The problem I have with this is that I had to hardcode 2001:db8:aaaa::123 into my firewall rule, and the 2001:db8:aaaa:: prefix is subject to change at my ISP's whim. In the IPv4 world, the only IP that I had to hardcode was an internal one, so I knew it would never get changed out from under me. Is there any way I can allow traffic like this without having to modify a rule every time my ISP changes my delegated prefix? (If pf can do what I want but ip6tables can't, I'd be willing to switch to BSD for it.)