In iptables, you can specify IPv6 address with a mask to ignore some bits of the address when matching. eg, ::dead:beef/::ffff:ffff will match any address that ends with dead:beef.
This is useful in an environment (eg, home) where the DHCPv6 PD prefix is not static. If you need to create an IPv6 firewall rule against a host with a predicable IPv6 address (eg, EUI-64) and dynamic prefixes. Currently the only way is to give the host a ULA and use NAT66/NPTv6.