author | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-11-18 10:33:33 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-11-18 10:33:33 +0100 |
commit | 6d8903cbf33ac10e8e03f884a58e374adc366887 (patch) | |
tree | 23c0ae1222a109b6d91da3377f6e7a91e81a4ce0 /src/netlink.c | |
parent | d6f1b4be37e97dabb5de2d9ae664ef8afeec37ae (diff) | |
filter: choose the filtering method via configuration file
This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: If kernel is >= 2.6.26
we use BSF-based filtering from kernel-space, otherwise, default to
userspace.
However, this filtering method still lacks IPv6 support, and
it requires a patch that went into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r-- | src/netlink.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 89a4ebc..b8a2a02 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -80,7 +80,7 @@ static int event_handler(enum nf_conntrack_msg_type type,
 void *data)
 {
 /* skip user-space filtering if already do it in the kernel */
- if (ignore_conntrack(ct, !CONFIG(kernel_support_netlink_bsf)))
+ if (ignore_conntrack(ct, !CONFIG(filter_from_kernelspace)))
 return NFCT_CB_STOP;
 
 switch(type) {
@@ -113,14 +113,16 @@ int nl_init_event_handler(void)
 return -1;
 
 if (STATE(filter)) {
- if (CONFIG(kernel_support_netlink_bsf)) {
+ if (CONFIG(filter_from_kernelspace)) {
 if (nfct_filter_attach(nfct_fd(STATE(event)),
 STATE(filter)) == -1) {
 dlog(LOG_ERR, "cannot set event filtering: %s",
 strerror(errno));
 }
 dlog(LOG_NOTICE, "using kernel-space event filtering");
- }
+ } else
+ dlog(LOG_NOTICE, "using user-space event filtering");
+
 nfct_filter_destroy(STATE(filter));
 }
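Review bot: In the second hunk a failing `nfct_filter_attach()` is only logged at LOG_ERR and then falls through to the "using kernel-space event filtering" notice, and because `CONFIG(filter_from_kernelspace)` stays set, the first hunk's `ignore_conntrack(ct, !CONFIG(filter_from_kernelspace))` keeps skipping user-space filtering as well — so when the kernel rejects the BSF filter the daemon runs with no event filtering at all, which is the unsafe way to fail. Either refuse to start by adding `return -1;` directly after the `dlog(LOG_ERR, ...)` call, or fall back to user-space filtering at that point (presumably by clearing the configuration flag, if CONFIG() yields an lvalue here) and log that fallback instead of the kernel-space notice. As a minor style point, the new `} else` branch is unbraced while the `if` branch is braced; bracing both sides is the usual convention and avoids a silent mistake when a second statement is added later. The body of nl_init_event_handler begins and ends outside this hunk.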