From c5af399ef87bf1a3d93265ae724ec586905e89e5 Mon Sep 17 00:00:00 2001 From: Yossi Boaron Date: Thu, 2 Jan 2025 16:12:54 +0200 Subject: [PATCH] Packetfilter: add support for IPV6 iptables is used for IPv4 and ip6tables is used for IPv6. Both iptables and ip6tables have similar syntax, but some options are specific to either IPv4 or IPv6 while nftables provides a unified API for both IPv4/IPv6. This PR updates packetfilter to provide also IPV6 driver. Signed-off-by: Yossi Boaron --- pkg/packetfilter/iptables/iptables.go | 13 +++++++++++++ pkg/packetfilter/iptables/namedset.go | 3 +++ pkg/packetfilter/packetfilter.go | 24 ++++++++++++++++++++---- 3 files changed, 36 insertions(+), 4 deletions(-) diff --git a/pkg/packetfilter/iptables/iptables.go b/pkg/packetfilter/iptables/iptables.go index 0a862872f..a9b842169 100644 --- a/pkg/packetfilter/iptables/iptables.go +++ b/pkg/packetfilter/iptables/iptables.go @@ -80,6 +80,19 @@ func New() (packetfilter.Driver, error) { return nil, errors.Wrap(err, "error creating IP tables") } + return newiptables(ipt) +} + +func NewV6() (packetfilter.Driver, error) { + ipt, err := iptables.New(iptables.IPFamily(iptables.ProtocolIPv6), iptables.Timeout(5)) + if err != nil { + return nil, errors.Wrap(err, "error creating IP tables") + } + + return newiptables(ipt) +} + +func newiptables(ipt *iptables.IPTables) (packetfilter.Driver, error) { ipSetIface := ipset.New() return &packetFilter{ diff --git a/pkg/packetfilter/iptables/namedset.go b/pkg/packetfilter/iptables/namedset.go index 4f07f22ed..73919e6a6 100644 --- a/pkg/packetfilter/iptables/namedset.go +++ b/pkg/packetfilter/iptables/namedset.go @@ -31,6 +31,9 @@ type namedSet struct { func (p *packetFilter) NewNamedSet(set *packetfilter.SetInfo) packetfilter.NamedSet { hashFamily := ipset.ProtocolFamilyIPV4 + if set.Family == packetfilter.SetFamilyV6 { + hashFamily = ipset.ProtocolFamilyIPV6 + } return &namedSet{ ipSetIface: p.ipSetIface, 
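Review bot: NewV6 wraps its failure with the same text as the IPv4 constructor, `"error creating IP tables"`, so a host where ip6tables is unavailable or the IPv6 backend otherwise fails to initialise is indistinguishable in logs from an IPv4 failure, which matters because a failed NewV6 presumably means IPv6 traffic is left unfiltered by this driver; use `return nil, errors.Wrap(err, "error creating IPv6 tables")` in NewV6. NewV6 is exported without a doc comment; add `// NewV6 creates an iptables-backed Driver for the IPv6 (ip6tables) family.` above it. The shared helper would follow Go initialism style as `newIPTables` rather than `newiptables`; its body, including the packetFilter literal it returns, runs past the end of the hunk.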
diff --git a/pkg/packetfilter/packetfilter.go b/pkg/packetfilter/packetfilter.go index bfb2029a5..a4e22e79a 100644 --- a/pkg/packetfilter/packetfilter.go +++ b/pkg/packetfilter/packetfilter.go @@ -253,8 +253,9 @@ type ChainIPHook struct { type SetFamily uint32 const ( - // curently only IPV4 sets are supported. + // IPV4 and IPV6 sets are supported. SetFamilyV4 SetFamily = iota + SetFamilyV6 ) // named set. @@ -307,22 +308,37 @@ type Interface interface { UpdateChainRules(table TableType, chain string, rules []*Rule) error } -var newDriverFn func() (Driver, error) +var ( + newDriverFn func() (Driver, error) + newDriverFnV6 func() (Driver, error) +) func SetNewDriverFn(f func() (Driver, error)) { newDriverFn = f } +func SetNewDriverFnV6(f func() (Driver, error)) { + newDriverFnV6 = f +} + type Adapter struct { Driver } func New() (Interface, error) { - if newDriverFn == nil { + return newImpl(newDriverFn) +} + +func NewV6() (Interface, error) { + return newImpl(newDriverFnV6) +} + +func newImpl(f func() (Driver, error)) (Interface, error) { + if f == nil { return nil, errors.New("no driver registered") } - driver, err := newDriverFn() + driver, err := f() if err != nil { return nil, errors.Wrap(err, "error creating packet filter Driver") }
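Review bot: newImpl returns the same `"no driver registered"` error for both families, so a deployment that registers only the IPv4 driver gets an error from NewV6 that reads as if no driver exists at all, and the wrapped construction error is equally anonymous. Since a NewV6 failure presumably leaves IPv6 traffic unfiltered, callers need to tell the two cases apart; pass a family label into newImpl and include it in both messages (`errors` here appears to be pkg/errors, given `errors.Wrap`, so `Errorf`/`Wrapf` are available). The new exported functions also lack doc comments; add `// SetNewDriverFnV6 registers the constructor used by NewV6.` and `// NewV6 creates an Interface backed by the registered IPv6 driver.`. Note that newDriverFnV6 is a package-level variable written by SetNewDriverFnV6 with no synchronisation, the same pattern as the existing newDriverFn, so it should only be set during initialisation before any NewV6 call.
```go
func New() (Interface, error) {
	return newImpl("IPv4", newDriverFn)
}

func NewV6() (Interface, error) {
	return newImpl("IPv6", newDriverFnV6)
}

// newImpl builds an Interface from the registered constructor for family.
func newImpl(family string, f func() (Driver, error)) (Interface, error) {
	if f == nil {
		return nil, errors.Errorf("no %s driver registered", family)
	}

	driver, err := f()
	if err != nil {
		return nil, errors.Wrapf(err, "error creating %s packet filter Driver", family)
	}
	// … unchanged: Adapter construction and return …
```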