From dd73e5708cc2cd127ba03fd5a82fb96b3928e7fb Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 14 Jul 2009 16:43:55 +0200
Subject: bsf: add support for IPv6 address filtering
This patch adds support to auto-generate BSF code for IPv6. It requires a Linux kernel >= 2.6.29. The maximum number of addresses is limited to 20 (12 BSF lines per IPv6 address comparison). I am not sure that to remove this limit is useful given that oprofile does not show very good numbers for very large (in terms of lines) filters. This completes one feature that is available in IPv4 but that was missing in IPv6.
Signed-off-by: Pablo Neira Ayuso
---
 include/internal/object.h | 13 +++++++++++++
 include/libnetfilter_conntrack/libnetfilter_conntrack.h | 6 ++++++
 2 files changed, 19 insertions(+)
(limited to 'include')
diff --git a/include/internal/object.h b/include/internal/object.h
index ef49590..df002fd 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -222,6 +222,19 @@ struct nfct_filter {
 u_int32_t mask;
 } l3proto[2][__FILTER_ADDR_MAX];
+ /*
+ * FIXME: For IPv6 filtering, up to 20 IPs/masks (12 BSF lines
+ * per comparison). I think that it is not worthy to try to support
+ * more than that for performance reasons. It seems that oprofile
+ * shows bad numbers for very large BSF code.
+ */
+ u_int32_t l3proto_elems_ipv6[2];
+ struct {
+#define __FILTER_IPV6_MAX 20
+ u_int32_t addr[4];
+ u_int32_t mask[4];
+ } l3proto_ipv6[2][__FILTER_IPV6_MAX];
+
 u_int32_t set[1];
 };
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index f77d273..766fb47 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
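Review bot: Nothing in this hunk ties the per-direction count `l3proto_elems_ipv6[2]` to the array bound `__FILTER_IPV6_MAX`, so the attribute setter that fills `l3proto_ipv6` (not part of this header-only patch) is the only thing standing between a 21st address and a write past the array into the neighbouring `set[1]`; the field deserves a comment stating that contract, e.g. `/* valid entries per direction; the setter must reject entries once this reaches __FILTER_IPV6_MAX */`. The `#define __FILTER_IPV6_MAX 20` sits inside the struct body, which the preprocessor does not scope and which mirrors `__FILTER_ADDR_MAX` just above, but a double-underscore name is reserved for the implementation, and hoisting the define above the struct would make the limit visible where the count field is declared. In the FIXME, `not worthy` should read `not worthwhile`, and the note would carry more weight if it recorded what was measured rather than "it seems that oprofile shows bad numbers". The enclosing `struct nfct_filter` begins before this hunk.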
@@ -416,12 +416,18 @@ struct nfct_filter_ipv4 {
 u_int32_t addr;
 u_int32_t mask;
 };
+struct nfct_filter_ipv6 {
+ u_int32_t addr[4];
+ u_int32_t mask[4];
+};
 enum nfct_filter_attr {
 NFCT_FILTER_L4PROTO = 0, /* u_int32_t */
 NFCT_FILTER_L4PROTO_STATE, /* struct nfct_filter_proto */
 NFCT_FILTER_SRC_IPV4, /* struct nfct_filter_ipv4 */
 NFCT_FILTER_DST_IPV4, /* struct nfct_filter_ipv4 */
+ NFCT_FILTER_SRC_IPV6, /* struct nfct_filter_ipv6 */
+ NFCT_FILTER_DST_IPV6, /* struct nfct_filter_ipv6 */
 NFCT_FILTER_MAX
 };
-- cgit v1.2.3
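Review bot: The public `struct nfct_filter_ipv6` gives callers no indication of how the 128-bit address is laid out in `addr[4]`/`mask[4]` or which byte order they must supply, and since these words are compared against packet bytes by the generated filter, a wrong order silently matches nothing or the wrong traffic; a header comment such as `/* 128-bit address and mask as four 32-bit words; supply them in the same byte order as the IPv4 filter fields (see the BSF generator) */` would close that gap, with the byte-order part confirmed against the generator rather than assumed. The internal cap of 20 addresses per direction set in include/internal/object.h is not visible from this header either, so the `NFCT_FILTER_SRC_IPV6`/`NFCT_FILTER_DST_IPV6` entries should state the limit and what the setter returns when it is exceeded. Appending the two new values ahead of `NFCT_FILTER_MAX` keeps the existing enum values stable, which is the right call for a public ABI.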