filter: choose the filtering method via configuration file

This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: If kernel is >= 2.6.26
we use BSF-based filtering from kernel-space, otherwise, default to
userspace.

However, this filtering method still lacks of IPv6 support and
it requires a patch that got into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 15 insertions, 1 deletions

diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 0f6ffdc..06ada52 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -58,6 +58,7 @@ static void __kernel_filter_add_state(int value);
 %token T_SYSLOG T_WRITE_THROUGH T_STAT_BUFFER_SIZE T_DESTROY_TIMEOUT
 %token T_MCAST_RCVBUFF T_MCAST_SNDBUFF T_NOTRACK
 %token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE
+%token T_FROM T_USERSPACE T_KERNELSPACE
 
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -686,7 +687,20 @@ family : T_FAMILY T_STRING
 		conf.family = AF_INET;
 };
 
-filter : T_FILTER '{' filter_list '}';
+filter : T_FILTER '{' filter_list '}'
+{
+	CONFIG(filter_from_kernelspace) = 0;
+};
+
+filter : T_FILTER T_FROM T_USERSPACE '{' filter_list '}'
+{
+	CONFIG(filter_from_kernelspace) = 0;
+};
+
+filter : T_FILTER T_FROM T_KERNELSPACE '{' filter_list '}'
+{
+	CONFIG(filter_from_kernelspace) = 1;
+};
 
 filter_list : 
 	    | filter_list filter_item;