Diffstat (limited to 'include')
-rw-r--r-- | include/internal/object.h | 13 | ||||
-rw-r--r-- | include/libnetfilter_conntrack/libnetfilter_conntrack.h | 6 |
2 files changed, 19 insertions, 0 deletions
diff --git a/include/internal/object.h b/include/internal/object.h
index ef49590..df002fd 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -222,6 +222,19 @@ struct nfct_filter {
 u_int32_t mask;
 } l3proto[2][__FILTER_ADDR_MAX];

+ /*
+ * FIXME: For IPv6 filtering, up to 20 IPs/masks (12 BSF lines
+ * per comparison). I think that it is not worthy to try to support
+ * more than that for performance reasons. It seems that oprofile
+ * shows bad numbers for very large BSF code.
+ */
+ u_int32_t l3proto_elems_ipv6[2];
+ struct {
+#define __FILTER_IPV6_MAX 20
+ u_int32_t addr[4];
+ u_int32_t mask[4];
+ } l3proto_ipv6[2][__FILTER_IPV6_MAX];
+
 u_int32_t set[1];
 };

diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index f77d273..766fb47 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -416,12 +416,18 @@ struct nfct_filter_ipv4 {
 u_int32_t addr;
 u_int32_t mask;
 };
+struct nfct_filter_ipv6 {
+ u_int32_t addr[4];
+ u_int32_t mask[4];
+};

 enum nfct_filter_attr {
 NFCT_FILTER_L4PROTO = 0, /* u_int32_t */
 NFCT_FILTER_L4PROTO_STATE, /* struct nfct_filter_proto */
 NFCT_FILTER_SRC_IPV4, /* struct nfct_filter_ipv4 */
 NFCT_FILTER_DST_IPV4, /* struct nfct_filter_ipv4 */
+ NFCT_FILTER_SRC_IPV6, /* struct nfct_filter_ipv6 */
+ NFCT_FILTER_DST_IPV6, /* struct nfct_filter_ipv6 */
 NFCT_FILTER_MAX
 };

|
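Review bot: Nothing in this header ties `l3proto_elems_ipv6[dir]` to the capacity of `l3proto_ipv6[dir][]`, and the table is followed in the struct by `set[]`, so a setter that appends without checking the counter would write past the 20th entry into the attribute bitmask. The setter is not part of this include-only diff; it should refuse the add once the counter reaches `__FILTER_IPV6_MAX` and report that to the caller rather than dropping or overwriting an entry silently. I would also turn the FIXME into a plain statement of the contract, for example `/* entries used in l3proto_ipv6[dir]; never exceeds __FILTER_IPV6_MAX */` above the counter. struct nfct_filter begins above this hunk.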
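Review bot: `struct nfct_filter_ipv6` is public API, but the header states neither the byte order of the four `addr`/`mask` words nor the per-direction entry limit, which exists only in the internal header as `__FILTER_IPV6_MAX`. A caller that fills the words in the wrong order gets a filter that silently matches the wrong flows, which matters when the filter decides which conntrack events a monitoring process ever receives. I would add a comment on the struct stating the expected byte and word order (to be confirmed against the BSF generator, which is outside this diff) and that at most 20 addresses per direction are accepted. The two new enumerators move `NFCT_FILTER_MAX` from 4 to 6, which still fits if `set[1]` is a single 32-bit bitmask as it appears to be.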