authorPablo Neira Ayuso <pablo@netfilter.org>2009-07-21 16:57:54 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2009-07-21 16:57:54 +0200
commite55321739fa5e04920feeb2a25b02073d8eb9e10 (patch)
tree1e11aed31eb140fee5ccd9355fc5f914c31c69ca
parent0521db731c0daa417a3dfb67fba7c6f80596e553 (diff)
conntrackd: add support for IPv6 kernel-space filtering via BSF
This patch adds the missing support to filter IPv6 from kernel-space by means of the BSF API that libnetfilter_conntrack provides. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/stats/conntrackd.conf1
-rw-r--r--doc/sync/alarm/conntrackd.conf3
-rw-r--r--doc/sync/ftfw/conntrackd.conf3
-rw-r--r--doc/sync/notrack/conntrackd.conf3
-rw-r--r--include/cidr.h1
-rw-r--r--src/cidr.c11
-rw-r--r--src/read_config_yy.y17
7 files changed, 38 insertions, 1 deletions
diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf
index ef6a698..0941f64 100644
--- a/doc/stats/conntrackd.conf
+++ b/doc/stats/conntrackd.conf
@@ -88,6 +88,7 @@ General {
#
Address Ignore {
IPv4_address 127.0.0.1 # loopback
+ # IPv6_address ::1
}
#
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 805a531..800012f 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -351,6 +351,9 @@ General {
#
# You can also specify networks in format IP/cidr.
# IPv4_address 192.168.0.0/24
+ #
+ # You can also specify an IPv6 address
+ # IPv6_address ::1
}
#
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index ceca224..602c3d1 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -361,6 +361,9 @@ General {
#
# You can also specify networks in format IP/cidr.
# IPv4_address 192.168.0.0/24
+ #
+ # You can also specify an IPv6 address
+ # IPv6_address ::1
}
#
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 1efeb81..6968025 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -341,6 +341,9 @@ General {
#
# You can also specify networks in format IP/cidr.
# IPv4_address 192.168.0.0/24
+ #
+ # You can also specify an IPv6 address
+ # IPv6_address ::1
}
#
diff --git a/include/cidr.h b/include/cidr.h
index f8a4e2a..413c321 100644
--- a/include/cidr.h
+++ b/include/cidr.h
@@ -4,5 +4,6 @@ uint32_t ipv4_cidr2mask_host(uint8_t cidr);
uint32_t ipv4_cidr2mask_net(uint8_t cidr);
void ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res);
void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res);
+void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res);
#endif
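Review bot: The new prototype takes its input through a non-const `uint32_t *addr` although the function only reads from it (see the src/cidr.c hunk of this commit), so a caller holding a const address would need a cast; `void ipv6_addr2addr_host(const uint32_t *addr, uint32_t *res);` states the contract directly. The header also says nothing about the expected byte order or element count; a one-line comment such as `/* convert the 4 network-order words of an IPv6 address into host byte order in res */` would document what the name only hints at. The same const qualifier then belongs on the definition in src/cidr.c.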
diff --git a/src/cidr.c b/src/cidr.c
index d43dabc..91025b6 100644
--- a/src/cidr.c
+++ b/src/cidr.c
@@ -57,3 +57,14 @@ void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res)
res[i] = htonl(res[i]);
}
+/* I need this function because I initially defined an IPv6 address as
+ * uint32 u[4]. Using char u[16] instead would allow to remove this. */
+void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res)
+{
+ int i;
+
+ memset(res, 0, sizeof(uint32_t)*4);
+ for (i = 0; i < 4; i++) {
+ res[i] = ntohl(addr[i]);
+ }
+}
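Review bot: The `memset(res, 0, sizeof(uint32_t)*4)` is redundant: the loop that follows assigns every one of the four words of `res` unconditionally, so the zeroing is dead work and can be dropped. Since `addr` is only read, `void ipv6_addr2addr_host(const uint32_t *addr, uint32_t *res)` (with the matching prototype in include/cidr.h) would make that explicit. The comment explains why the helper exists but not what it assumes of its arguments; `/* addr: 4 network-order words; res: the same words passed through ntohl() */` would save the next reader a trip to the call site.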
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 87f99b6..f3f4730 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1053,6 +1053,12 @@ filter_item : T_ADDRESS T_IGNORE '{' filter_address_list '}'
nfct_filter_set_logic(STATE(filter),
NFCT_FILTER_DST_IPV4,
NFCT_FILTER_LOGIC_NEGATIVE);
+ nfct_filter_set_logic(STATE(filter),
+ NFCT_FILTER_SRC_IPV6,
+ NFCT_FILTER_LOGIC_NEGATIVE);
+ nfct_filter_set_logic(STATE(filter),
+ NFCT_FILTER_DST_IPV6,
+ NFCT_FILTER_LOGIC_NEGATIVE);
};
filter_address_list :
@@ -1121,7 +1127,8 @@ filter_address_item : T_IPV6_ADDR T_IP
{
union inet_address ip;
char *slash;
- int cidr;
+ int cidr = 128;
+ struct nfct_filter_ipv6 filter_ipv6;
memset(&ip, 0, sizeof(union inet_address));
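Review bot: `int cidr = 128;` is a magic number whose meaning (no `/prefix` suffix given, so the entry matches exactly one host) is only recoverable from knowing the IPv6 address width; a short comment, `int cidr = 128; /* no "/prefix" suffix: match the single host address */`, would carry that for the reader. The T_IPV6_ADDR action opened at the top of this hunk continues past its end, so whether `cidr` is overwritten and range-checked on the slash path is not visible here.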
@@ -1166,6 +1173,14 @@ filter_address_item : T_IPV6_ADDR T_IP
"ignore pool!");
}
}
+ __kernel_filter_start();
+
+ /* host byte order */
+ ipv6_addr2addr_host(ip.ipv6, filter_ipv6.addr);
+ ipv6_cidr2mask_host(cidr, filter_ipv6.mask);
+
+ nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV6, &filter_ipv6);
+ nfct_filter_add_attr(STATE(filter), NFCT_FILTER_DST_IPV6, &filter_ipv6);
};
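Review bot: `ipv6_cidr2mask_host` takes a `uint8_t` prefix length while `cidr` is an `int` that, on the `/cidr` path of this action, comes from the configuration file; unless the slash parsing (which lies outside this hunk) rejects values outside 0..128, the implicit narrowing at `ipv6_cidr2mask_host(cidr, filter_ipv6.mask);` hands the mask helper an out-of-range prefix and the kernel filter silently gets a wrong mask. A guard such as `if (cidr < 0 || cidr > 128)` that reports the error the same way as the `ignore pool!` message above would close that before `__kernel_filter_start()`. Also worth checking: the two `nfct_filter_add_attr` calls run unconditionally after the branch that prints that error, so if the user-space ignore-pool insert fails the BSF filter and the user-space pool can disagree about which addresses are ignored; whether that branch aborts the action is not visible here. The action starts before this hunk.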
filter_item : T_STATE T_ACCEPT '{' filter_state_list '}'