authorPablo Neira Ayuso <pablo@netfilter.org>2009-07-21 16:57:54 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2009-07-21 16:57:54 +0200
commite55321739fa5e04920feeb2a25b02073d8eb9e10 (patch)
tree1e11aed31eb140fee5ccd9355fc5f914c31c69ca /src
parent0521db731c0daa417a3dfb67fba7c6f80596e553 (diff)
conntrackd: add support for IPv6 kernel-space filtering via BSF
This patch adds the missing support to filter IPv6 from kernel-space by means of the BSF API that libnetfilter_conntrack provides. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/cidr.c11
-rw-r--r--src/read_config_yy.y17
2 files changed, 27 insertions, 1 deletions
diff --git a/src/cidr.c b/src/cidr.c
index d43dabc..91025b6 100644
--- a/src/cidr.c
+++ b/src/cidr.c
@@ -57,3 +57,14 @@ void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res)
res[i] = htonl(res[i]);
}
+/* I need this function because I initially defined an IPv6 address as
+ * uint32 u[4]. Using char u[16] instead would allow to remove this. */
+void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res)
+{
+ int i;
+
+ memset(res, 0, sizeof(uint32_t)*4);
+ for (i = 0; i < 4; i++) {
+ res[i] = ntohl(addr[i]);
+ }
+}
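Review bot: `addr` is only read in ipv6_addr2addr_host, so the parameter should be `const uint32_t *addr`, and the `memset` is redundant because the loop assigns all four words of `res`. The header comment explains why the helper exists but not its contract; I would add `/* addr: 4 words, network byte order; res: 4 words, host byte order; neither may be NULL */`. The function has external linkage and the diffstat is limited to 'src', so it is worth confirming that a prototype was added to the matching header; otherwise the call in read_config_yy.y relies on an implicit declaration.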
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 87f99b6..f3f4730 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1053,6 +1053,12 @@ filter_item : T_ADDRESS T_IGNORE '{' filter_address_list '}'
nfct_filter_set_logic(STATE(filter),
NFCT_FILTER_DST_IPV4,
NFCT_FILTER_LOGIC_NEGATIVE);
+ nfct_filter_set_logic(STATE(filter),
+ NFCT_FILTER_SRC_IPV6,
+ NFCT_FILTER_LOGIC_NEGATIVE);
+ nfct_filter_set_logic(STATE(filter),
+ NFCT_FILTER_DST_IPV6,
+ NFCT_FILTER_LOGIC_NEGATIVE);
};
filter_address_list :
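Review bot: The two new `nfct_filter_set_logic()` calls discard their result, as the IPv4 calls above them already do. As far as I know the function returns an int and can fail, and a failure here would go unnoticed, so the kernel-side filter and the userspace filter could disagree about which IPv6 flows are ignored. I would check the result and report it through the configuration warning path, e.g. `if (nfct_filter_set_logic(STATE(filter), NFCT_FILTER_SRC_IPV6, NFCT_FILTER_LOGIC_NEGATIVE) < 0) { /* warn */ }`. The start of this grammar action is outside the hunk.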
@@ -1121,7 +1127,8 @@ filter_address_item : T_IPV6_ADDR T_IP
{
union inet_address ip;
char *slash;
- int cidr;
+ int cidr = 128;
+ struct nfct_filter_ipv6 filter_ipv6;
memset(&ip, 0, sizeof(union inet_address));
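Review bot: `filter_ipv6` is declared without an initialiser, while `ip` right below it is cleared with `memset`. A later hunk fills `addr` and `mask` and passes the struct to `nfct_filter_add_attr()`. If `struct nfct_filter_ipv6` has, or later gains, any other member that the library reads, that member would carry stack garbage into the kernel filter. I would clear it the same way, `memset(&filter_ipv6, 0, sizeof(filter_ipv6));`. The action body begins and ends outside this hunk.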
@@ -1166,6 +1173,14 @@ filter_address_item : T_IPV6_ADDR T_IP
"ignore pool!");
}
}
+ __kernel_filter_start();
+
+ /* host byte order */
+ ipv6_addr2addr_host(ip.ipv6, filter_ipv6.addr);
+ ipv6_cidr2mask_host(cidr, filter_ipv6.mask);
+
+ nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV6, &filter_ipv6);
+ nfct_filter_add_attr(STATE(filter), NFCT_FILTER_DST_IPV6, &filter_ipv6);
};
filter_item : T_STATE T_ACCEPT '{' filter_state_list '}'
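Review bot: `cidr` is an `int` here, while the sibling helper visible in the cidr.c hunk header, `ipv6_cidr2mask_net(uint8_t cidr, ...)`, takes a `uint8_t`. If `ipv6_cidr2mask_host` has the same signature, any value outside 0..128 that reaches this block is narrowed silently and produces a mask that does not match what the administrator wrote. The address parsing and prefix range checks sit outside this hunk, so please confirm that every rejected address or prefix leaves the action before `__kernel_filter_start()`; otherwise a zeroed `ip` could be installed as a kernel-side ignore entry. The `/* host byte order */` comment would say more as `/* kernel filter takes addr and mask in host byte order; ip.ipv6 is in network order */`, assuming that is the contract the conversion implies.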