MT#57371 support "none" as nft base chain

Change-Id: I8d2b43e3b4dd9c26b6b9b4cfa325a48a6c6f1c8a
2 years ago · 27a1d60405
--- a/daemon/nftables.c
+++ b/daemon/nftables.c
@ -492,7 +492,7 @@ static const char *nftables_shutdown_family(struct mnl_socket *nl, int family, u
 	if (err)
 		return err;

 	if (base_chain) {
 	if (base_chain && strcmp(base_chain, "none")) {
 		// clean up rules in other base chain chain if any
 		err = iterate_rules(nl, family, base_chain, seq,
 				(struct iterate_callbacks) {
@ -548,25 +548,27 @@ static const char *nftables_setup_family(struct mnl_socket *nl, int family, uint
 		return err;

 	if (base_chain) {
 		// make sure we have a local input base chain
 		err = add_chain(nl, family, base_chain, seq, local_input_chain);
 		if (err)
 			return err;

 		// add custom chain
 		err = add_chain(nl, family, chain, seq, NULL);
 		if (err)
 			return err;

 		// add jump rule from input base chain to custom chain
 		err = add_rule(nl, family, seq, (struct add_rule_callbacks) {
 				.callback = input_immediate,
 				.chain = chain,
 				.base_chain = base_chain,
 				.append = args->append,
 			});
 		if (err)
 			return err;
 		if (strcmp(base_chain, "none")) {
 			// make sure we have a local input base chain
 			err = add_chain(nl, family, base_chain, seq, local_input_chain);
 			if (err)
 				return err;

 			// add jump rule from input base chain to custom chain
 			err = add_rule(nl, family, seq, (struct add_rule_callbacks) {
 					.callback = input_immediate,
 					.chain = chain,
 					.base_chain = base_chain,
 					.append = args->append,
 				});
 			if (err)
 				return err;
 		}

 		// add rule for kernel forwarding
 		return add_rule(nl, family, seq, (struct add_rule_callbacks) {
--- a/docs/rtpengine.md
+++ b/docs/rtpengine.md
@ -111,6 +111,12 @@ at the command line. See the __\-\-config-file__ option below for details.
    will directly create the chain given by __nftables-chain__ as a base chain
    and skip creating the immediate-goto rule.

    If this option is set to the special string __none__, then __rtpengine__
    will create its custom chain and rule as it normally would, but will skip
    adding an immediate-goto rule to the custom chain. Doing so requires the
    operator to manually create this immediate-goto rule somewhere themselves.
    Otherwise in-kernel packet forwarding would be left inoperable.

 - __\-\-nftables-append__

    With this option set, the netfilter rule created in the base chain is