feat: Add IPv6 support for ingress and egress firewall rules

This commit implements dual-stack IPv6/IPv4 support with separate BPF
maps for each IP version, allowing both IPv4 and IPv6 rules to coexist
and be processed efficiently.

Userspace changes:
- models/rule.rs: Add IpAddr enum (V4/V6) support to PolicyRule
- bpf_user/maps.rs: Implement dual-stack BPF map management
  * Add RuleEntryV6 and RuleMetadataV6 structs (matching C layout)
  * Create separate IPv6 maps (rules_v6, metadata_v6, rule_stats_v6)
  * Update list_all_metadata() to query both IPv4 and IPv6 maps
  * Update get_rule_metadata() to search both maps, return PolicyRule
  * Update delete_rule_metadata() to handle both IP versions
  * Fix struct sizes: RuleEntryV6=28 bytes, RuleMetadataV6=216 bytes
- policy/parser.rs: Add IPv6 CIDR parsing and validation
- state.rs: Update for dual-stack PolicyRule handling
- tests: Add 5 new IPv6-specific test cases (111 total tests passing)
- example-ipv6-policy.yaml: Add example policy with 10 IPv6 rules

Kernel-side (BPF) changes:
- bpf/firebee_common.h: Define IPv6 structures and maps
  * Add rule_entry_v6, rule_metadata_v6, rule_stats_v6 structs
  * Create rules_v6_map, metadata_v6_map, rule_stats_v6_map
  * Add MAX_ACTIVE_RULES=128 (separate from MAX_RULES=1024 storage)
    to avoid BPF verifier 1M instruction limit
- bpf/firebee_helpers.h: Implement ipv6_matches() function
  * Use explicit array indexing (no loops) to avoid variable-offset
    stack reads that trigger BPF verifier errors
  * Support IPv6 CIDR prefix matching with /0 to /128 ranges
- bpf/firebee.bpf.c: Add XDP ingress IPv6 packet processing
  * Parse IPv6 headers and extract src/dst addresses
  * Check both IPv4 and IPv6 rule sets
  * Support ICMPv6 (protocol 58) in addition to TCP/UDP/ICMP
- bpf/firebee_egress.bpf.c: Add TC egress IPv6 packet processing
  * Mirror ingress implementation for egress direction
  * Track statistics in rule_stats_v6_map

Signed-off-by: saiaunghlyanhtet <saiaunghlyanhtet2003@gmail.com>

Author: saiaunghlyanhtet

src/bpf/firebee.bpf.c

@@ -8,6 +8,7 @@
 #include <linux/bpf.h>
 #include <linux/if_ether.h>
 #include <linux/ip.h>
+#include <linux/ipv6.h>
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <bpf/bpf_helpers.h>
@@ -17,6 +18,7 @@
 #include "firebee_helpers.h"
 
 #define ETH_P_IP 0x0800
+#define ETH_P_IPV6 0x86DD
 
 /* Maps are now defined in firebee_common.h and shared with TC program */
 
@@ -57,6 +59,39 @@ static __always_inline void extract_ports(
 	}
 }
 
+/*
+ * Extract transport layer ports from IPv6 packet
+ * Only applies to TCP and UDP protocols
+ */
+static __always_inline void extract_ports_v6(
+	struct ipv6hdr *ip6h,
+	void *data_end,
+	__u8 protocol,
+	__u16 *src_port,
+	__u16 *dst_port
+) {
+	*src_port = 0;
+	*dst_port = 0;
+
+	void *l4_hdr = (void *)(ip6h + 1);
+
+	if (protocol == IPPROTO_TCP) {
+		struct tcphdr *tcph = l4_hdr;
+		if ((void *)(tcph + 1) > data_end) {
+			return;
+		}
+		*src_port = bpf_ntohs(tcph->source);
+		*dst_port = bpf_ntohs(tcph->dest);
+	} else if (protocol == IPPROTO_UDP) {
+		struct udphdr *udph = l4_hdr;
+		if ((void *)(udph + 1) > data_end) {
+			return;
+		}
+		*src_port = bpf_ntohs(udph->source);
+		*dst_port = bpf_ntohs(udph->dest);
+	}
+}
+
 /*
  * Log packet event to ring buffer for userspace
  */
@@ -134,9 +169,9 @@ static __always_inline __u8 find_matching_rule(
 	__u32 i;
 	*rule_index = (__u32)-1; /* No match initially */
 
-	/* Bounded loop for BPF verifier compliance */
+	/* Bounded loop for BPF verifier compliance - only check first MAX_ACTIVE_RULES */
 	#pragma unroll
-	for (i = 0; i < MAX_RULES; i++) {
+	for (i = 0; i < MAX_ACTIVE_RULES; i++) {
 		__u32 key = i;
 		struct rule_entry *rule = bpf_map_lookup_elem(&rules_map, &key);
 
@@ -154,6 +189,83 @@ static __always_inline __u8 find_matching_rule(
 	return action;
 }
 
+/*
+ * Check if IPv6 packet matches a specific rule
+ * Returns 1 if all conditions match, 0 otherwise
+ */
+static __always_inline int rule_matches_v6(
+	struct rule_entry_v6 *rule,
+	__u32 packet_ip[4],
+	__u8 protocol,
+	__u16 src_port,
+	__u16 dst_port,
+	__u8 packet_direction
+) {
+	/* Check direction - DIRECTION_BOTH matches all traffic */
+	if (rule->direction != DIRECTION_BOTH && rule->direction != packet_direction) {
+		return 0;
+	}
+
+	/* Check IPv6 address with prefix length */
+	if (!ipv6_matches(packet_ip, rule->src_ip, rule->prefix_len)) {
+		return 0;
+	}
+
+	/* Check protocol */
+	if (!protocol_matches(protocol, rule->protocol)) {
+		return 0;
+	}
+
+	/* Check ports (only for TCP/UDP) */
+	if (protocol == IPPROTO_TCP || protocol == IPPROTO_UDP) {
+		if (!port_matches(src_port, rule->src_port)) {
+			return 0;
+		}
+		if (!port_matches(dst_port, rule->dst_port)) {
+			return 0;
+		}
+	}
+
+	return 1;
+}
+
+/*
+ * Find matching IPv6 rule for packet and update statistics
+ * Returns action (ACTION_ALLOW or ACTION_DROP)
+ * First matching rule wins
+ */
+static __always_inline __u8 find_matching_rule_v6(
+	__u32 packet_ip[4],
+	__u8 protocol,
+	__u16 src_port,
+	__u16 dst_port,
+	__u8 packet_direction,
+	__u32 *rule_index
+) {
+	__u8 action = ACTION_ALLOW; /* Default: allow */
+	__u32 i;
+	*rule_index = (__u32)-1; /* No match initially */
+
+	/* Bounded loop for BPF verifier compliance - only check first MAX_ACTIVE_RULES */
+	#pragma unroll
+	for (i = 0; i < MAX_ACTIVE_RULES; i++) {
+		__u32 key = i;
+		struct rule_entry_v6 *rule = bpf_map_lookup_elem(&rules_v6_map, &key);
+		
+		if (!rule || !rule->valid) {
+			continue;
+		}
+
+		if (rule_matches_v6(rule, packet_ip, protocol, src_port, dst_port, packet_direction)) {
+			action = rule->action;
+			*rule_index = i;
+			break; /* First match wins */
+		}
+	}
+
+	return action;
+}
+
 /* ========================================================================
  * XDP Main Program
  * ======================================================================== */
@@ -169,45 +281,89 @@ int xdp_firewall(struct xdp_md *ctx) {
 		return XDP_PASS;
 	}
 
-	/* Only process IPv4 packets */
-	if (eth->h_proto != bpf_htons(ETH_P_IP)) {
-		return XDP_PASS;
-	}
-	
-	/* Parse IP header */
-	struct iphdr *iph = (void *)(eth + 1);
-	if ((void *)(iph + 1) > data_end) {
-		return XDP_PASS;
-	}
+	__u16 eth_proto = bpf_ntohs(eth->h_proto);
 
-	/* Extract packet information */
-	__u32 packet_ip = bpf_ntohl(iph->saddr);
-	__u8 protocol = iph->protocol;
-	__u16 src_port, dst_port;
-	__u32 matched_rule_idx;
-	__u8 packet_direction = DIRECTION_INGRESS; /* XDP only sees ingress traffic */
-	
-	extract_ports(iph, data_end, protocol, &src_port, &dst_port);
+	/* Handle IPv4 packets */
+	if (eth_proto == ETH_P_IP) {
+		/* Parse IP header */
+		struct iphdr *iph = (void *)(eth + 1);
+		if ((void *)(iph + 1) > data_end) {
+			return XDP_PASS;
+		}
+
+		/* Extract packet information */
+		__u32 packet_ip = bpf_ntohl(iph->saddr);
+		__u8 protocol = iph->protocol;
+		__u16 src_port, dst_port;
+		__u32 matched_rule_idx;
+		__u8 packet_direction = DIRECTION_INGRESS;
+		
+		extract_ports(iph, data_end, protocol, &src_port, &dst_port);
 
-	/* Find matching firewall rule */
-	__u8 action = find_matching_rule(packet_ip, protocol, src_port, dst_port, packet_direction, &matched_rule_idx);
+		/* Find matching firewall rule */
+		__u8 action = find_matching_rule(packet_ip, protocol, src_port, dst_port, packet_direction, &matched_rule_idx);
 
-	/* Update statistics if a rule matched */
-	if (matched_rule_idx != (__u32)-1) {
-		struct rule_stats *stats = bpf_map_lookup_elem(&rule_stats_map, &matched_rule_idx);
-		if (stats) {
-			/* Calculate packet size */
-			__u64 packet_size = (__u64)(data_end - data);
-			__sync_fetch_and_add(&stats->packets, 1);
-			__sync_fetch_and_add(&stats->bytes, packet_size);
+		/* Update statistics if a rule matched */
+		if (matched_rule_idx != (__u32)-1) {
+			struct rule_stats *stats = bpf_map_lookup_elem(&rule_stats_map, &matched_rule_idx);
+			if (stats) {
+				__u64 packet_size = (__u64)(data_end - data);
+				__sync_fetch_and_add(&stats->packets, 1);
+				__sync_fetch_and_add(&stats->bytes, packet_size);
+			}
 		}
+
+		/* Log the event */
+		log_packet(packet_ip, action);
+
+		/* Apply action */
+		return (action == ACTION_DROP) ? XDP_DROP : XDP_PASS;
 	}
+	/* Handle IPv6 packets */
+	else if (eth_proto == ETH_P_IPV6) {
+		/* Parse IPv6 header */
+		struct ipv6hdr *ip6h = (void *)(eth + 1);
+		if ((void *)(ip6h + 1) > data_end) {
+			return XDP_PASS;
+		}
+
+		/* Extract IPv6 source address (already in network byte order) */
+		__u32 packet_ip[4];
+		packet_ip[0] = ip6h->saddr.in6_u.u6_addr32[0];
+		packet_ip[1] = ip6h->saddr.in6_u.u6_addr32[1];
+		packet_ip[2] = ip6h->saddr.in6_u.u6_addr32[2];
+		packet_ip[3] = ip6h->saddr.in6_u.u6_addr32[3];
 
-	/* Log the event */
-	log_packet(packet_ip, action);
+		/* Extract protocol from next header */
+		__u8 protocol = ip6h->nexthdr;
+		__u16 src_port, dst_port;
+		__u32 matched_rule_idx;
+		__u8 packet_direction = DIRECTION_INGRESS;
+		
+		extract_ports_v6(ip6h, data_end, protocol, &src_port, &dst_port);
+
+		/* Find matching IPv6 firewall rule */
+		__u8 action = find_matching_rule_v6(packet_ip, protocol, src_port, dst_port, packet_direction, &matched_rule_idx);
+
+		/* Update IPv6 statistics if a rule matched */
+		if (matched_rule_idx != (__u32)-1) {
+			struct rule_stats *stats = bpf_map_lookup_elem(&rule_stats_v6_map, &matched_rule_idx);
+			if (stats) {
+				__u64 packet_size = (__u64)(data_end - data);
+				__sync_fetch_and_add(&stats->packets, 1);
+				__sync_fetch_and_add(&stats->bytes, packet_size);
+			}
+		}
+
+		/* Log the event (using first 32-bit word for compatibility) */
+		log_packet(bpf_ntohl(packet_ip[0]), action);
+
+		/* Apply action */
+		return (action == ACTION_DROP) ? XDP_DROP : XDP_PASS;
+	}
 
-	/* Apply action */
-	return (action == ACTION_DROP) ? XDP_DROP : XDP_PASS;
+	/* Pass all other protocols */
+	return XDP_PASS;
 }
 
 char _license[] SEC("license") = "GPL";

src/bpf/firebee_common.h

@@ -7,6 +7,7 @@
 #define IPPROTO_TCP 6
 #define IPPROTO_UDP 17
 #define IPPROTO_ICMP 1
+#define IPPROTO_ICMPV6 58
 #define IPPROTO_ANY 255
 
 /* Port wildcard */
@@ -84,13 +85,56 @@ struct rule_stats {
     __u64 bytes;     /* Total bytes matched */
 };
 
+/* ========================================================================
+ * IPv6 Support Structures
+ * ======================================================================== */
+
+/* 
+ * IPv6 Rule entry structure for the BPF array map
+ * Similar to rule_entry but with IPv6 addresses (128-bit)
+ */
+struct rule_entry_v6 {
+    __u32 src_ip[4];      /* Source IPv6 address (network byte order, 128-bit) */
+    __u8 prefix_len;      /* Prefix length for CIDR matching (0-128) */
+    __u8 protocol;        /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMPV6, or IPPROTO_ANY */
+    __u8 action;          /* ACTION_ALLOW or ACTION_DROP */
+    __u8 direction;       /* DIRECTION_INGRESS, DIRECTION_EGRESS, or DIRECTION_BOTH */
+    __u8 valid;           /* 1 = entry is valid, 0 = empty slot */
+    __u8 _padding[3];     /* Padding for alignment */
+    __u16 src_port;       /* Source port (PORT_ANY for wildcard) */
+    __u16 dst_port;       /* Destination port (PORT_ANY for wildcard) */
+};
+
+/* 
+ * IPv6 Rule metadata structure
+ * Stores human-readable information about IPv6 rules
+ */
+struct rule_metadata_v6 {
+    __u32 ip[4];
+    __u8 prefix_len;
+    __u8 action;
+    __u8 protocol;
+    __u8 direction;
+    __u16 src_port;
+    __u16 dst_port;
+    char name[64];
+    char description[128];
+};
+
 /* ========================================================================
  * Shared BPF Maps - Defined once and pinned for use across programs
  * These maps are shared between XDP and TC-BPF programs via pinning
  * ======================================================================== */
 
+/* Maximum number of firewall rules (map storage capacity) */
 #define MAX_RULES 1024
 
+/* Maximum number of active rules to check per packet (loop bound for BPF verifier)
+ * This must be small enough to keep the BPF program under 1M instruction limit.
+ * The BPF verifier unrolls loops, so 128 rules × ~99 instructions ≈ 12.6K instructions
+ * per loop, which leaves plenty of headroom under the 1M limit. */
+#define MAX_ACTIVE_RULES 128
+
 /*
  * Primary rules storage - Array map for efficient iteration
  * Shared between XDP (ingress) and TC (egress) programs
@@ -150,4 +194,44 @@ struct {
 	__uint(pinning, LIBBPF_PIN_BY_NAME);
 } rules_index SEC(".maps");
 
+/* ========================================================================
+ * IPv6 BPF Maps - Shared between XDP and TC programs
+ * ======================================================================== */
+
+/*
+ * Primary IPv6 rules storage - Array map for efficient iteration
+ * Shared between XDP (ingress) and TC (egress) programs
+ */
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__type(key, __u32);
+	__type(value, struct rule_entry_v6);
+	__uint(max_entries, MAX_RULES);
+	__uint(pinning, LIBBPF_PIN_BY_NAME);
+} rules_v6_map SEC(".maps");
+
+/*
+ * IPv6 Rule metadata - Hash map indexed by rule name
+ * Stores human-readable information (name, description)
+ */
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__type(key, char[64]);
+	__type(value, struct rule_metadata_v6);
+	__uint(max_entries, MAX_RULES);
+	__uint(pinning, LIBBPF_PIN_BY_NAME);
+} rule_metadata_v6_map SEC(".maps");
+
+/*
+ * IPv6 Rule statistics - Array map for per-rule packet/byte counters
+ * Indexed by rule array index, parallel to rules_v6_map
+ */
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__type(key, __u32);
+	__type(value, struct rule_stats);
+	__uint(max_entries, MAX_RULES);
+	__uint(pinning, LIBBPF_PIN_BY_NAME);
+} rule_stats_v6_map SEC(".maps");
+
 #endif /* __FIREBEE_COMMON_H__ */