authorPablo Neira Ayuso <pablo@netfilter.org>2009-07-14 16:43:55 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2009-07-14 16:43:55 +0200
commitdd73e5708cc2cd127ba03fd5a82fb96b3928e7fb (patch)
tree51c6fcb589cdb399bda4f5b134dedf2d1ca5b328 /src/conntrack/filter.c
parent1c450e1595afdc8d1bfabb4f640c9251808426eb (diff)
bsf: add support for IPv6 address filtering
This patch adds support to auto-generate BSF code for IPv6. It requires a Linux kernel >= 2.6.29. The maximum number of addresses is limited to 20 (12 BSF lines per IPv6 address comparison). I am not sure that removing this limit would be useful, given that oprofile does not show very good numbers for very large (in terms of lines) filters. This completes one feature that is available in IPv4 but that was missing in IPv6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/conntrack/filter.c')
-rw-r--r--src/conntrack/filter.c30
1 files changed, 30 insertions, 0 deletions
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 7cee673..bf29f96 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -49,9 +49,39 @@ static void filter_attr_dst_ipv4(struct nfct_filter *filter, const void *value)
filter->l3proto_elems[1]++;
}
+static void filter_attr_src_ipv6(struct nfct_filter *filter, const void *value)
+{
+ const struct nfct_filter_ipv6 *this = value;
+
+ if (filter->l3proto_elems_ipv6[0] >= __FILTER_IPV6_MAX)
+ return;
+
+ memcpy(filter->l3proto_ipv6[0][filter->l3proto_elems_ipv6[0]].addr,
+ this->addr, sizeof(u_int32_t)*4);
+ memcpy(filter->l3proto_ipv6[0][filter->l3proto_elems_ipv6[0]].mask,
+ this->mask, sizeof(u_int32_t)*4);
+ filter->l3proto_elems_ipv6[0]++;
+}
+
+static void filter_attr_dst_ipv6(struct nfct_filter *filter, const void *value)
+{
+ const struct nfct_filter_ipv6 *this = value;
+
+ if (filter->l3proto_elems_ipv6[1] >= __FILTER_IPV6_MAX)
+ return;
+
+ memcpy(filter->l3proto_ipv6[1][filter->l3proto_elems_ipv6[1]].addr,
+ this->addr, sizeof(u_int32_t)*4);
+ memcpy(filter->l3proto_ipv6[1][filter->l3proto_elems_ipv6[1]].mask,
+ this->mask, sizeof(u_int32_t)*4);
+ filter->l3proto_elems_ipv6[1]++;
+}
+
filter_attr filter_attr_array[NFCT_FILTER_MAX] = {
[NFCT_FILTER_L4PROTO] = filter_attr_l4proto,
[NFCT_FILTER_L4PROTO_STATE] = filter_attr_l4proto_state,
[NFCT_FILTER_SRC_IPV4] = filter_attr_src_ipv4,
[NFCT_FILTER_DST_IPV4] = filter_attr_dst_ipv4,
+ [NFCT_FILTER_SRC_IPV6] = filter_attr_src_ipv6,
+ [NFCT_FILTER_DST_IPV6] = filter_attr_dst_ipv6,
};
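Review bot: Both `filter_attr_src_ipv6` and `filter_attr_dst_ipv6` return without any signal once `l3proto_elems_ipv6[n]` reaches `__FILTER_IPV6_MAX`, so a caller that adds one address too many ends up with a filter that covers fewer addresses than it asked for and cannot tell. The handlers return void, so the limit check presumably has to live in the public entry point that dispatches through `filter_attr_array`, which is outside this hunk. At minimum, put a comment above each check such as `/* entries beyond __FILTER_IPV6_MAX are dropped silently; the caller is not notified */`. The two functions also differ only in the index 0/1 and could share one static helper that takes the direction. The copy length `sizeof(u_int32_t)*4` would be safer as `sizeof(this->addr)`, assuming `addr` and `mask` are declared as arrays in `struct nfct_filter_ipv6`, which is not visible here.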