tfw_ipv6_hash(struct in6_addr *addr) { return ((unsigned long)addr->s6_addr32[0] << 32) ^ ((unsigned long)addr->s6_addr32[1] << 24) ^ ((unsigned long)addr->s6_addr32[2] << 8) ^ addr->s6_addr32[3]; } void tfw_filter_block_ip(struct in6_addr *addr) { TfwFRule rule = { .addr = *addr, .action = TFW_F_DROP, }; unsigned long key = tfw_ipv6_hash(addr); size_t len = sizeof(rule); /* TODO create records on all NUMA nodes. */ if (!tdb_entry_create(ip_filter_db, key, &rule, &len)) { TFW_WARN_ADDR6("cannot create blocking rule", addr); } else { TFW_DBG_ADDR6("block client", addr); } } EXPORT_SYMBOL(tfw_filter_block_ip); /** * Drop early IP layer filtering. * The check is run agains each ingress packet - if application layer filter * blocks a client, then the client is totaly blocked and can't send us any
tfw_ipv6_hash(const struct in6_addr *addr) { return ((unsigned long)addr->s6_addr32[0] << 32) ^ ((unsigned long)addr->s6_addr32[1] << 24) ^ ((unsigned long)addr->s6_addr32[2] << 8) ^ addr->s6_addr32[3]; } void tfw_filter_block_ip(const TfwAddr *addr) { TfwFRule rule = { .addr = addr->sin6_addr, .action = TFW_F_DROP, }; unsigned long key = tfw_ipv6_hash(&addr->sin6_addr); size_t len = sizeof(rule); TFW_DBG_ADDR("filter: block", addr, TFW_NO_PORT); /* TODO create records on all NUMA nodes. */ if (!tdb_entry_create(ip_filter_db, key, &rule, &len)) { TFW_WARN_ADDR("cannot create blocking rule", addr, TFW_NO_PORT); } else { TFW_DBG_ADDR("block client", addr, TFW_NO_PORT); } } EXPORT_SYMBOL(tfw_filter_block_ip); /** * Drop early IP layer filtering.