| -rw-r--r-- | doc/stats/conntrackd.conf | 1 | ||||
| -rw-r--r-- | doc/sync/alarm/conntrackd.conf | 3 | ||||
| -rw-r--r-- | doc/sync/ftfw/conntrackd.conf | 3 | ||||
| -rw-r--r-- | doc/sync/notrack/conntrackd.conf | 3 | ||||
| -rw-r--r-- | include/cidr.h | 1 | ||||
| -rw-r--r-- | src/cidr.c | 11 | ||||
| -rw-r--r-- | src/read_config_yy.y | 17 | 
7 files changed, 38 insertions, 1 deletions
|
diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf
index ef6a698..0941f64 100644
--- a/doc/stats/conntrackd.conf
+++ b/doc/stats/conntrackd.conf
@@ -88,6 +88,7 @@ General {
 		#
 		Address Ignore {
 			IPv4_address 127.0.0.1 # loopback
+			# IPv6_address ::1
 		}
 		#
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 805a531..800012f 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -351,6 +351,9 @@ General {
 			#
 			# You can also specify networks in format IP/cidr.
 			# IPv4_address 192.168.0.0/24
+			#
+			# You can also specify an IPv6 address
+			# IPv6_address ::1
 		}
 		#
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index ceca224..602c3d1 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -361,6 +361,9 @@ General {
 			#
 			# You can also specify networks in format IP/cidr.
 			# IPv4_address 192.168.0.0/24
+			#
+			# You can also specify an IPv6 address
+			# IPv6_address ::1
 		}
 		#
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 1efeb81..6968025 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -341,6 +341,9 @@ General {
 			#
 			# You can also specify networks in format IP/cidr.
 			# IPv4_address 192.168.0.0/24
+			#
+			# You can also specify an IPv6 address
+			# IPv6_address ::1
 		}
 		#
diff --git a/include/cidr.h b/include/cidr.h
index f8a4e2a..413c321 100644
--- a/include/cidr.h
+++ b/include/cidr.h
@@ -4,5 +4,6 @@ uint32_t ipv4_cidr2mask_host(uint8_t cidr);
 uint32_t ipv4_cidr2mask_net(uint8_t cidr);
 void ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res);
 void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res);
+void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res);
 #endif
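Review bot: The new prototype in include/cidr.h takes its input as a non-const pointer, although the definition added in src/cidr.c only reads from `addr`. Declaring it as `void ipv6_addr2addr_host(const uint32_t *addr, uint32_t *res);` in both places documents which argument is written. Neither pointer carries a length, so a short comment stating that both must point to four 32-bit words would make the caller's obligation explicit.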
@@ -57,3 +57,14 @@ void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res)
 		res[i] = htonl(res[i]);
 }
+/* I need this function because I initially defined an IPv6 address as
+ * uint32 u[4]. Using char u[16] instead would allow to remove this. */
+void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res)
+{
+	int i;
+
+	memset(res, 0, sizeof(uint32_t)*4);
+	for (i = 0;  i < 4; i++) {
+		res[i] = ntohl(addr[i]);
+	}
+}
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 87f99b6..f3f4730 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1053,6 +1053,12 @@ filter_item : T_ADDRESS T_IGNORE '{' filter_address_list '}'
 	nfct_filter_set_logic(STATE(filter),
 			      NFCT_FILTER_DST_IPV4,
 			      NFCT_FILTER_LOGIC_NEGATIVE);
+	nfct_filter_set_logic(STATE(filter),
+			      NFCT_FILTER_SRC_IPV6,
+			      NFCT_FILTER_LOGIC_NEGATIVE);
+	nfct_filter_set_logic(STATE(filter),
+			      NFCT_FILTER_DST_IPV6,
+			      NFCT_FILTER_LOGIC_NEGATIVE);
 };
 filter_address_list :
@@ -1121,7 +1127,8 @@ filter_address_item : T_IPV6_ADDR T_IP
 {
 	union inet_address ip;
 	char *slash;
-	int cidr;
+	int cidr = 128;
+	struct nfct_filter_ipv6 filter_ipv6;
 	memset(&ip, 0, sizeof(union inet_address));
@@ -1166,6 +1173,14 @@ filter_address_item : T_IPV6_ADDR T_IP
 							"ignore pool!");
 		}
 	}
+	__kernel_filter_start();
+
+	/* host byte order */
+	ipv6_addr2addr_host(ip.ipv6, filter_ipv6.addr);
+	ipv6_cidr2mask_host(cidr, filter_ipv6.mask);
+
+	nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV6, &filter_ipv6);
+	nfct_filter_add_attr(STATE(filter), NFCT_FILTER_DST_IPV6, &filter_ipv6);
 };
 filter_item : T_STATE T_ACCEPT '{' filter_state_list '}'
|
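Review bot: In ipv6_addr2addr_host (src/cidr.c hunk) the `memset(res, 0, sizeof(uint32_t)*4);` is a dead store, because the loop directly below assigns all four elements of `res`; it can be dropped. The literal 4 appears in both the memset size and the loop bound, so if the memset stays, one named constant should drive both. The comment above the function explains why it exists but not its contract; a line such as `/* addr: network byte order, res: host byte order, both 4 x uint32_t */` would state what the `ntohl` loop implies.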
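Review bot: In the last read_config_yy.y hunk the kernel filter is built unconditionally after the closing braces of the ignore-pool branch, so an entry whose userspace insertion only printed the "ignore pool!" error still appears to reach `__kernel_filter_start()` and both `nfct_filter_add_attr` calls. Whether an earlier error path leaves the action first is outside the hunk and should be confirmed, since a mismatch would leave the kernel-space and userspace ignore lists disagreeing. `cidr` is an `int`, while `ipv6_cidr2mask_host()` takes a `uint8_t` per include/cidr.h, so the call narrows silently; the range check on the parsed prefix is not visible here. A comment next to the call, e.g. `/* cidr validated to 0..128 above */`, or an explicit bounds check before it would make that dependency visible.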
