Packetfilter: add support for IPV6

iptables is used for IPv4 and ip6tables is used for IPv6. Both iptables and ip6tables have similar syntax, but some options are specific to either IPv4 or IPv6 while nftables provides a unified API for both IPv4/IPv6. This PR updates packetfilter to provide also IPV6 driver. Signed-off-by: Yossi Boaron <[email protected]>
submariner-io · Jan 12, 2025 · e1c58ae · e1c58ae
1 parent 0dc3a34
commit e1c58ae
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 6 deletions.
diff --git a/pkg/packetfilter/iptables/iptables.go b/pkg/packetfilter/iptables/iptables.go
@@ -75,9 +75,17 @@ type packetFilter struct {
 }
 
 func New() (packetfilter.Driver, error) {
-	ipt, err := iptables.New(iptables.IPFamily(iptables.ProtocolIPv4), iptables.Timeout(5))
+	return newiptables(iptables.ProtocolIPv4)
+}
+
+func NewV6() (packetfilter.Driver, error) {
+	return newiptables(iptables.ProtocolIPv6)
+}
+
+func newiptables(proto iptables.Protocol) (packetfilter.Driver, error) {
+	ipt, err := iptables.New(iptables.IPFamily(proto), iptables.Timeout(5))
 	if err != nil {
-		return nil, errors.Wrap(err, "error creating IP tables")
+		return nil, errors.Wrapf(err, "error creating IP tables for protocol %d", proto)
 	}
 
 	ipSetIface := ipset.New()

diff --git a/pkg/packetfilter/iptables/namedset.go b/pkg/packetfilter/iptables/namedset.go
@@ -31,6 +31,9 @@ type namedSet struct {
 
 func (p *packetFilter) NewNamedSet(set *packetfilter.SetInfo) packetfilter.NamedSet {
 	hashFamily := ipset.ProtocolFamilyIPV4
+	if set.Family == packetfilter.SetFamilyV6 {
+		hashFamily = ipset.ProtocolFamilyIPV6
+	}
 
 	return &namedSet{
 		ipSetIface: p.ipSetIface,

diff --git a/pkg/packetfilter/packetfilter.go b/pkg/packetfilter/packetfilter.go
@@ -253,8 +253,9 @@ type ChainIPHook struct {
 type SetFamily uint32
 
 const (
-	// curently only IPV4 sets are supported.
+	// IPV4 and IPV6 sets are supported.
 	SetFamilyV4 SetFamily = iota
+	SetFamilyV6
 )
 
 // named set.
@@ -307,22 +308,37 @@ type Interface interface {
 	UpdateChainRules(table TableType, chain string, rules []*Rule) error
 }
 
-var newDriverFn func() (Driver, error)
+var (
+	newDriverFn   func() (Driver, error)
+	newDriverFnV6 func() (Driver, error)
+)
 
 func SetNewDriverFn(f func() (Driver, error)) {
 	newDriverFn = f
 }
 
+func SetNewDriverFnV6(f func() (Driver, error)) {
+	newDriverFnV6 = f
+}
+
 type Adapter struct {
 	Driver
 }
 
 func New() (Interface, error) {
-	if newDriverFn == nil {
+	return newImpl(newDriverFn)
+}
+
+func NewV6() (Interface, error) {
+	return newImpl(newDriverFnV6)
+}
+
+func newImpl(f func() (Driver, error)) (Interface, error) {
+	if f == nil {
 		return nil, errors.New("no driver registered")
 	}
 
-	driver, err := newDriverFn()
+	driver, err := f()
 	if err != nil {
 		return nil, errors.Wrap(err, "error creating packet filter Driver")
 	}