Packetfilter: add support for IPV6
iptables is used for IPv4 and ip6tables is used for IPv6.
Both iptables and ip6tables have similar syntax, but some options are
specific to either IPv4 or IPv6 while nftables provides a
unified API for both IPv4/IPv6.

This PR updates packetfilter to also provide an IPv6 driver.

Signed-off-by: Yossi Boaron <[email protected]>
yboaron committed Jan 5, 2025
1 parent 3a034c7 commit c5af399
Showing 3 changed files with 36 additions and 4 deletions.
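--- a/pkg/packetfilter/iptables/iptables.go
+++ b/pkg/packetfilter/iptables/iptables.go
@@ -80,6 +80,19 @@ func New() (packetfilter.Driver, error) {
 return nil, errors.Wrap(err, "error creating IP tables")
 }
 
+return newiptables(ipt)
+}
+
+func NewV6() (packetfilter.Driver, error) {
+ipt, err := iptables.New(iptables.IPFamily(iptables.ProtocolIPv6), iptables.Timeout(5))
+if err != nil {
+return nil, errors.Wrap(err, "error creating IP tables")
+}
+
+return newiptables(ipt)
+}
+
+func newiptables(ipt *iptables.IPTables) (packetfilter.Driver, error) {
 ipSetIface := ipset.New()
 
 return &packetFilter{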
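Review bot: `NewV6` wraps a failure with the same text as `New`, "error creating IP tables", so a log line does not say whether the IPv4 or the IPv6 filter driver failed to come up; on a dual-stack node that decides which family is left without rules. Suggest `return nil, errors.Wrap(err, "error creating IPv6 tables")` in `NewV6`. The same applies to `newImpl` in pkg/packetfilter/packetfilter.go, where "no driver registered" is returned for both families. `NewV6` is exported and should also carry a doc comment, e.g. `// NewV6 returns a packetfilter.Driver backed by ip6tables.`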
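--- a/pkg/packetfilter/iptables/namedset.go
+++ b/pkg/packetfilter/iptables/namedset.go
@@ -31,6 +31,9 @@ type namedSet struct {
 
 func (p *packetFilter) NewNamedSet(set *packetfilter.SetInfo) packetfilter.NamedSet {
 hashFamily := ipset.ProtocolFamilyIPV4
+if set.Family == packetfilter.SetFamilyV6 {
+hashFamily = ipset.ProtocolFamilyIPV6
+}
 
 return &namedSet{
 ipSetIface: p.ipSetIface,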
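Review bot: The IPv4 default in `NewNamedSet` now covers every `set.Family` value other than `SetFamilyV6`, including the zero value of a `SetInfo` whose `Family` was never set, and nothing visible here checks the set's family against the family of the driver that `p` wraps. A caller that obtains the driver through `NewV6` but leaves `Family` unset would, as far as the hunk shows, get an IPv4 hash set, and rules meant to match IPv6 traffic against that set would not do what the caller intended. Since the method returns no error, the minimum is a comment above the assignment: `// Any Family other than SetFamilyV6 is treated as IPv4; callers must set Family to match the driver's IP family.` The function body continues outside the hunk.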
24 changes: 20 additions & 4 deletions pkg/packetfilter/packetfilter.go
@@ -253,8 +253,9 @@ type ChainIPHook struct {
type SetFamily uint32

const (
// curently only IPV4 sets are supported.
// IPV4 and IPV6 sets are supported.
SetFamilyV4 SetFamily = iota
SetFamilyV6
)

// named set.
@@ -307,22 +308,37 @@ type Interface interface {
UpdateChainRules(table TableType, chain string, rules []*Rule) error
}

var newDriverFn func() (Driver, error)
var (
newDriverFn func() (Driver, error)
newDriverFnV6 func() (Driver, error)
)

func SetNewDriverFn(f func() (Driver, error)) {
newDriverFn = f
}

func SetNewDriverFnV6(f func() (Driver, error)) {
newDriverFnV6 = f
}

type Adapter struct {
Driver
}

func New() (Interface, error) {
if newDriverFn == nil {
return newImpl(newDriverFn)
}

func NewV6() (Interface, error) {
return newImpl(newDriverFnV6)
}

func newImpl(f func() (Driver, error)) (Interface, error) {
if f == nil {
return nil, errors.New("no driver registered")
}

driver, err := newDriverFn()
driver, err := f()
if err != nil {
return nil, errors.Wrap(err, "error creating packet filter Driver")
}
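Review bot: `SetNewDriverFnV6` and `NewV6` are exported without doc comments, and the registration contract they introduce is not written down: `NewV6` returns "no driver registered" unless `SetNewDriverFnV6` was called, independently of `SetNewDriverFn`. A program that registers only the IPv4 driver therefore has no IPv6 packet filter, and whether that error is treated as fatal is left to each caller. Suggest `// NewV6 returns an Interface backed by the driver registered with SetNewDriverFnV6, or an error if none was registered.` above `NewV6`, and a matching comment on the setter. Both function variables are also written without synchronization, which is safe only if registration happens before any call to `New` or `NewV6`; that belongs in the same comment. `newImpl` continues outside the hunk.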
