MT#55283 create and delete native nftables rule

Adds option to fall back to legacy XT target.

Change-Id: Ieda628313d42159df9a6e6281a50d4b289ab8a0c

daemon/main.c

@@ -699,6 +699,7 @@ static void options(int *argc, char ***argv, charp_ht templates) {
 		{ "nftables-base-chain",0,0, G_OPTION_ARG_STRING,&rtpe_config.nftables_base_chain,"Name of nftables base chain to use", "STR" },
 		{ "nftables-append",0,0, G_OPTION_ARG_NONE,	&rtpe_config.nftables_append,	"Append instead of prepend created rules", NULL },
 		{ "nftables-family",0,0, G_OPTION_ARG_STRING,	&nftables_family,		"Address family/ies to manage via nftables", "ip|ip6|ip,ip6" },
+		{ "xtables",	0,0, G_OPTION_ARG_NONE,		&rtpe_config.xtables,		"Use legacy xtables interface instead of nftables", NULL },
 		{ "nftables-start",0,0, G_OPTION_ARG_NONE,	&nftables_start,		"Just add nftables rules and exit", NULL },
 		{ "nftables-stop",0, 0, G_OPTION_ARG_NONE,	&nftables_stop,			"Just remove nftables rules and exit", NULL },
 		{ "nftables-status",0, 0, G_OPTION_ARG_NONE,	&nftables_status,		"Check nftables rules, print result and exit", NULL },
@@ -997,6 +998,7 @@ static void options(int *argc, char ***argv, charp_ht templates) {
 						.table = rtpe_config.kernel_table,
 						.append = rtpe_config.nftables_append,
 						.family = rtpe_config.nftables_family,
+						.xtables = rtpe_config.xtables,
 					});
 		else // nftables_stop
 			err = nftables_shutdown(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain,
@@ -1583,6 +1585,7 @@ static void kernel_setup(void) {
 	const char *err = nftables_setup(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain,
 			(nftables_args) {.table = rtpe_config.kernel_table,
 			.append = rtpe_config.nftables_append,
+			.xtables = rtpe_config.xtables,
 			.family = rtpe_config.nftables_family});
 	if (err) {
 		if (rtpe_config.no_fallback)

daemon/nftables.c

@@ -60,6 +60,7 @@ struct add_rule_callbacks {
 	const char *base_chain;
 	int table;
 	bool append;
+	bool xtables;
 };
 
 
@@ -87,6 +88,9 @@ static const char *match_rtpe(const char *name, const int8_t *data, size_t len,
 		if (n && !strcmp(n, "RTPENGINE") && info_len >= sizeof(info) && info.id == callbacks->table)
 			callbacks->rule_scratch.rtpengine_matched = true;
 	}
+	else if (!strcmp(name, "rtpengine"))
+		callbacks->rule_scratch.rtpengine_matched = true;
+
 	return NULL;
 }
 
@@ -445,7 +449,26 @@ static const char *input_immediate(nfapi_buf *b, int family, struct add_rule_cal
 }
 
 
-static const char *rtpe_target_base(nfapi_buf *b, struct add_rule_callbacks *callbacks) {
+static const char *target_base_nft_expr(nfapi_buf *b, struct add_rule_callbacks *callbacks) {
+	// buffer is in the nested expressions
+
+	nfapi_nested_begin(b, NFTA_LIST_ELEM);
+
+		nfapi_add_str_attr(b, NFTA_EXPR_NAME, "rtpengine");
+
+		nfapi_nested_begin(b, NFTA_EXPR_DATA);
+
+			nfapi_add_u32_attr(b, RTPEA_RTPENGINE_TABLE, callbacks->table);
+
+		nfapi_nested_end(b);
+
+	nfapi_nested_end(b);
+
+	return NULL;
+}
+
+
+static const char *target_base_xt(nfapi_buf *b, struct add_rule_callbacks *callbacks) {
 	// buffer is in the nested expressions
 
 	struct xt_rtpengine_info info = { .id = callbacks->table };
@@ -502,6 +525,14 @@ static const char *comment(nfapi_buf *b, int family, struct add_rule_callbacks *
 }
 
 
+static const char *rtpe_target_base(nfapi_buf *b, struct add_rule_callbacks *callbacks) {
+	if (callbacks->xtables)
+		return target_base_xt(b, callbacks);
+	else
+		return target_base_nft_expr(b, callbacks);
+}
+
+
 static const char *rtpe_target(nfapi_buf *b, int family, struct add_rule_callbacks *callbacks) {
 	nfapi_add_str_attr(b, NFTA_RULE_CHAIN, callbacks->chain);
 
@@ -685,6 +716,7 @@ static const char *nftables_setup_family(nfapi_socket *nl, int family,
 				.chain = chain,
 				.table = args->table,
 				.append = args->append,
+				.xtables = args->xtables,
 			});
 		if (err)
 			return err;
@@ -709,6 +741,7 @@ static const char *nftables_setup_family(nfapi_socket *nl, int family,
 				.chain = chain,
 				.table = args->table,
 				.append = args->append,
+				.xtables = args->xtables,
 			});
 		if (err)
 			return err;

docs/rtpengine.md

@@ -128,6 +128,12 @@ at the command line. See the __\-\-config-file__ option below for details.
     Configure for which netfilter address family to manage tables, chains, and
     rules. The default is to manage both IPv4 and IPv6 address families.
 
+- __\-\-xtables__
+
+    Manage a netfilter rule pointing to the legacy x-tables target
+    (`xt_RTPENGINE`) instead of the more modern nftables `rtpengine`
+    expression.
+
 - __\-\-nftables-start__
 - __\-\-nftables-stop__
 

include/main.h

@@ -122,6 +122,7 @@ enum endpoint_learning {
 	X(no_redis_required) \
 	X(active_switchover) \
 	X(rec_egress) \
+	X(xtables) \
 	X(nftables_append) \
 	X(log_keys) \
 	X(dtmf_via_ng) \

include/nftables.h

@@ -5,8 +5,9 @@
 
 typedef struct {
 	int table;
-	bool append;
 	int family;
+	bool append;
+	bool xtables;
 } nftables_args;
 
 const char *nftables_setup(const char *chain, const char *base_chain, nftables_args);