author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-07-21 16:57:54 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-07-21 16:57:54 +0200 |
commit | e55321739fa5e04920feeb2a25b02073d8eb9e10 (patch) | |
tree | 1e11aed31eb140fee5ccd9355fc5f914c31c69ca /src | |
parent | 0521db731c0daa417a3dfb67fba7c6f80596e553 (diff) | |
conntrackd: add support for IPv6 kernel-space filtering via BSF
This patch adds the missing support to filter IPv6 from kernel-space
by means of the BSF API that libnetfilter_conntrack provides.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/cidr.c | 11 | ||||
-rw-r--r-- | src/read_config_yy.y | 17 |
2 files changed, 27 insertions, 1 deletions
@@ -57,3 +57,14 @@ void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res)
 res[i] = htonl(res[i]);
 }
+/* I need this function because I initially defined an IPv6 address as
+ * uint32 u[4]. Using char u[16] instead would allow to remove this. */
+void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res)
+{
+ int i;
+
+ memset(res, 0, sizeof(uint32_t)*4);
+ for (i = 0; i < 4; i++) {
+ res[i] = ntohl(addr[i]);
+ }
+}
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 87f99b6..f3f4730 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1053,6 +1053,12 @@ filter_item : T_ADDRESS T_IGNORE '{' filter_address_list '}'
 nfct_filter_set_logic(STATE(filter),
 NFCT_FILTER_DST_IPV4,
 NFCT_FILTER_LOGIC_NEGATIVE);
+ nfct_filter_set_logic(STATE(filter),
+ NFCT_FILTER_SRC_IPV6,
+ NFCT_FILTER_LOGIC_NEGATIVE);
+ nfct_filter_set_logic(STATE(filter),
+ NFCT_FILTER_DST_IPV6,
+ NFCT_FILTER_LOGIC_NEGATIVE);
 };
 filter_address_list :
@@ -1121,7 +1127,8 @@ filter_address_item : T_IPV6_ADDR T_IP
 {
 union inet_address ip;
 char *slash;
- int cidr;
+ int cidr = 128;
+ struct nfct_filter_ipv6 filter_ipv6;
 memset(&ip, 0, sizeof(union inet_address));
@@ -1166,6 +1173,14 @@ filter_address_item : T_IPV6_ADDR T_IP
 "ignore pool!");
 }
 }
+ __kernel_filter_start();
+
+ /* host byte order */
+ ipv6_addr2addr_host(ip.ipv6, filter_ipv6.addr);
+ ipv6_cidr2mask_host(cidr, filter_ipv6.mask);
+
+ nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV6, &filter_ipv6);
+ nfct_filter_add_attr(STATE(filter), NFCT_FILTER_DST_IPV6, &filter_ipv6);
 };
 filter_item : T_STATE T_ACCEPT '{' filter_state_list '}' |
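Review bot: In the new `ipv6_addr2addr_host` in src/cidr.c, the `memset(res, 0, sizeof(uint32_t)*4);` before the loop is redundant, because the loop writes all four words, and it is a trap for in-place use: if a caller passes the same buffer as `addr` and `res`, the input is zeroed before it is read and the result is the all-zero address. Dropping the memset makes the conversion safe for aliased buffers, and the input can be declared `const uint32_t *addr` since it is only read. The one call visible in this commit passes distinct buffers (`ip.ipv6` and `filter_ipv6.addr`), so this is hardening, not a live bug.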
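Review bot: The kernel-filter block added at the end of the `T_IPV6_ADDR` action has no guard visible in the hunk: it follows the closing braces of the `"ignore pool!"` error branch directly, and `cidr` is handed to `ipv6_cidr2mask_host` as a plain `int`, whereas the sibling `ipv6_cidr2mask_net` in src/cidr.c takes a `uint8_t`. The action starts and ends outside this hunk, so the prefix length may already be validated above. If it is not, a negative or greater-than-128 value from the config file would produce a wrong mask, and under the negative logic set in the `T_ADDRESS T_IGNORE` hunk the kernel would silently drop events for IPv6 flows the operator never listed. It is worth confirming that a failed address parse or failed pool insertion leaves the action before `__kernel_filter_start();`, and, once confirmed, recording it with a comment there such as `/* ip and cidr (0..128) validated above */`.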