It's probably doable, but it would probably require about 64 whitelist rules to block a certain address.
So before you go there, I would ask myself if there is a better way to do it, for example, implement this filtering somewhere else along the way: if you have control over a proxy along the way or the service itself, add some specific logic to the service.
Assuming you have to, I would start by saying that you are probably safe by blocking the entire /64 subnet to which the blocked IP belongs, so if your blocked IPv6 address is 2001:4860:4860::8888 you can be safe with blocking 2001:4860:4860:0000/64 (normally written as 2001:4860:4860::/64).
The reason is that /64 subnets are normally the smallest subnet that is used to represent a physical site (NAT is not needed for IPv6), so anything else within this site is safe to block.
You can also reduce your problem to allowing only 2000::/3 (everything that starts with hex digit 2 or 3), because these are all the Global Unicast addresses (read here about GUA addresses).
So basically you want to allow everything in 2000::/3 apart from 2001:4860:4860::/64
The remaining problem is not related to IPv6; it's more about binary arithmetic.
You need to do something like this:
For simplicity, let's say we have an 8-bit address that is 0x34 which we want to block while allowing the remaining address space; 0x34 is binary 0011:0100b.
So here is a procedure to do that:
Let's mark the whole 8-bit space as xxxx:xxxx; we split it in two:
- 0xxx:xxxx
- 1xxx:xxxx
0011:0100 belongs to (1), so we can allow the complete 1xxx:xxxx
Now we have a problem with 0xxx:xxxx, split that to get
- 00xx:xxxx << blocked number is here
- 01xx:xxxx
so we can also allow 01xx:xxxx
And again, the problem is now 00xx:xxxx, split that to get
- 000x:xxxx
- 001x:xxxx << blocked number is here
so we can allow 000x:xxxx
And so on until you are left with exactly the blocked address.
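The bit-splitting procedure above, written out as a small Python script (an added example, not code from the answer). It walks from the allowed prefix down to the blocked prefix, emitting the sibling half at each step as an allow rule, and cross-checks the result against the standard library's `address_exclude`. The 8-bit toy case is modelled as the last octet of an IPv4 /24, since `ipaddress` needs full-width addresses.

```python
import ipaddress


def exclude_prefix(allowed: str, blocked: str) -> list:
    """Return the list of CIDR prefixes that cover `allowed` minus `blocked`.

    At each level the current prefix is split into two halves; the half that
    does not contain `blocked` becomes an allow rule, and the other half is
    split again, until only the blocked prefix itself is left over.
    """
    allowed_net = ipaddress.ip_network(allowed, strict=False)
    blocked_net = ipaddress.ip_network(blocked, strict=False)
    if not blocked_net.subnet_of(allowed_net):
        raise ValueError("blocked prefix must lie inside the allowed prefix")

    rules = []
    current = allowed_net
    while current != blocked_net:
        low_half, high_half = current.subnets(prefixlen_diff=1)
        if blocked_net.subnet_of(low_half):
            rules.append(high_half)   # blocked address is in the low half
            current = low_half
        else:
            rules.append(low_half)    # blocked address is in the high half
            current = high_half
    return rules


def is_allowed(rules: list, address: str) -> bool:
    """True if `address` falls inside any of the generated allow rules."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in rules)


def matches_stdlib(allowed: str, blocked: str) -> bool:
    """Sanity check: the rule set equals what address_exclude() produces."""
    allowed_net = ipaddress.ip_network(allowed, strict=False)
    blocked_net = ipaddress.ip_network(blocked, strict=False)
    return set(exclude_prefix(allowed, blocked)) == set(
        allowed_net.address_exclude(blocked_net)
    )


if __name__ == "__main__":
    # The case from the answer: allow all GUA space except one /64.
    for net in exclude_prefix("2000::/3", "2001:4860:4860::/64"):
        print("allow", net)
```

For the /3-minus-/64 case this yields 61 rules (64 - 3 levels of splitting), which is the "about 64" figure in the answer.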