Feature Optimization Request: Enhancement for Dynamic IPv6 Host Aliases in Firewall

Started by LHSFK, February 25, 2025, 10:21:59 AM

Request for Optimizing Dynamic IPv6 Host Alias Functionality in Firewall

Current Limitation:
The firewall's alias feature for dynamic IPv6 hosts automatically fills the first 64 bits of an IPv6 address from the interface's subnet prefix. This causes problems when a downstream router receives a delegated IPv6-PD prefix that does not lie within the LAN subnet: it becomes impossible to write precise firewall rules for hosts behind the downstream router.

Example Scenario:
WAN Prefix (Assigned): fc00:0000:0000:0080::/57
LAN Subnet: fc00:0000:0000:0080::/64
Delegated IPv6-PD to Downstream Router: fc00:0000:0000:00a0::/60
Host Address (Under Downstream Router): fc00:0000:0000:00a0::100/128
In this case, the firewall's alias rules (which are based on the LAN's /64 prefix) cannot target the host fc00:0000:0000:00a0::100 because it lies in a different subnet (the delegated /60 rather than the LAN /64).

Proposed Optimizations:
1. Dynamic Prefix Length Support
Allow aliases to auto-complete the prefix based on a user-specified length (not fixed to /64).

Example:

User Input: ::11:0000:0000:0000:1000
Interface Prefix: 2000:db9:1234:1234::/57
Auto-Completed Address: 2000:db9:1234:1211:0000:0000:0000:1000

2. Flexible Pattern Matching
Support wildcard-like matching for specific segments of the IPv6 address.

Example:

Pattern: 0000:0000:0000:1234:1234:1200:0000:0000
Matches: All IPv6 addresses where bits 49–88 (hex segments 4–5) are 1234:1234:12.

Technical Justification:
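To make both proposals concrete, the following is an added worked example in Python; it is not code from the firewall project or from the original post. It implements proposal 1 (merge the first N bits of an interface prefix with the remaining bits of a user-supplied host suffix, N being the prefix length rather than a fixed 64) and proposal 2 (match a bit range of an address against a pattern), and checks them against the numbers given above: the 2000:db9:1234:1234::/57 example, the fc00::/57 scenario from the "Example Scenario" section, and the bits 49–88 pattern. Function names, and the convention that bits are numbered 1–128 from the most significant bit, are this example's own assumptions.

```python
import ipaddress


def complete_address(host_suffix: str, interface_prefix: str) -> ipaddress.IPv6Address:
    """Proposal 1: fill the first prefix-length bits from the interface prefix and
    take the remaining (128 - prefix-length) bits from the host suffix.

    With a /64 interface this is what the alias feature does today; with another
    length (e.g. /57) the host suffix can also supply the subnet bits that a
    delegated prefix changes.  (Assumed helper, not the firewall's own code.)
    """
    net = ipaddress.IPv6Network(interface_prefix, strict=False)
    host_bits = 128 - net.prefixlen
    host_mask = (1 << host_bits) - 1            # ones in the host part only
    prefix_int = int(net.network_address)       # already masked to prefixlen
    suffix_int = int(ipaddress.IPv6Address(host_suffix)) & host_mask
    return ipaddress.IPv6Address(prefix_int | suffix_int)


def bit_range_mask(first_bit: int, last_bit: int) -> int:
    """128-bit mask with ones in positions first_bit..last_bit (inclusive),
    counted 1..128 from the most significant bit (assumed convention)."""
    if not 1 <= first_bit <= last_bit <= 128:
        raise ValueError("bit range must satisfy 1 <= first <= last <= 128")
    width = last_bit - first_bit + 1
    return ((1 << width) - 1) << (128 - last_bit)


def matches_bit_range(address: str, pattern: str, first_bit: int, last_bit: int) -> bool:
    """Proposal 2: True when the selected bits of `address` equal the same bits
    of `pattern`; all other bits are wildcards."""
    mask = bit_range_mask(first_bit, last_bit)
    addr_int = int(ipaddress.IPv6Address(address))
    pat_int = int(ipaddress.IPv6Address(pattern))
    return (addr_int & mask) == (pat_int & mask)


def demo() -> dict:
    """Run the page's own examples and return the results for inspection."""
    results = {}
    # Proposal 1, example from the post: /57 prefix, suffix supplies 71 bits.
    results["p1_post_example"] = str(
        complete_address("::11:0000:0000:0000:1000", "2000:db9:1234:1234::/57"))
    # Today's behaviour in the scenario: /64 fill lands on the LAN subnet,
    # not on the delegated /60 where the host actually lives.
    results["fixed_64"] = str(complete_address("::100", "fc00:0:0:80::/64"))
    # With the WAN /57 and a suffix carrying the subnet bits, the alias can
    # reach the host behind the downstream router.
    results["variable_57"] = str(complete_address("::20:0:0:0:100", "fc00:0:0:80::/57"))
    # Proposal 2: bits 49-88 of the pattern are 1234:1234:12.
    pattern = "0000:0000:0000:1234:1234:1200:0000:0000"
    results["p2_match"] = matches_bit_range("2001:db8:1:1234:1234:12ff:abcd:1", pattern, 49, 88)
    results["p2_no_match"] = matches_bit_range("2001:db8:1:1234:1234:1300::1", pattern, 49, 88)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the /57 merge from the post (2000:db9:1234:1211::1000), shows that a fixed /64 fill of ::100 on the fc00::80 LAN yields fc00:0:0:80::100 rather than the intended host under the delegated /60, and that a /57 merge with a suffix of ::20:0:0:0:100 yields fc00:0:0:a0::100. Note that bit ranges in the matcher may cross the /64 boundary and are not restricted to whole hex segments, which is exactly what the bits 49–88 example requires.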
Need for Granular Control: Firewall rules must adapt to variable subnet hierarchies in multi-router environments.