
MT#55283 create and delete native nftables rule

Adds a `--xtables` option to fall back to the legacy `xt_RTPENGINE` target instead of the native nftables `rtpengine` expression.

Change-Id: Ieda628313d42159df9a6e6281a50d4b289ab8a0c
pull/2035/head
Richard Fuchs 2 weeks ago
parent
commit
b324647699
5 changed files with 46 additions and 2 deletions
  1. +3
    -0
      daemon/main.c
  2. +34
    -1
      daemon/nftables.c
  3. +6
    -0
      docs/rtpengine.md
  4. +1
    -0
      include/main.h
  5. +2
    -1
      include/nftables.h

+ 3
- 0
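--- a/daemon/main.c
+++ b/daemon/main.c
@@ -699,6 +699,7 @@ static void options(int *argc, char ***argv, charp_ht templates) {
 { "nftables-base-chain",0,0, G_OPTION_ARG_STRING,&rtpe_config.nftables_base_chain,"Name of nftables base chain to use", "STR" },
 { "nftables-append",0,0, G_OPTION_ARG_NONE, &rtpe_config.nftables_append, "Append instead of prepend created rules", NULL },
 { "nftables-family",0,0, G_OPTION_ARG_STRING, &nftables_family, "Address family/ies to manage via nftables", "ip|ip6|ip,ip6" },
+{ "xtables", 0,0, G_OPTION_ARG_NONE, &rtpe_config.xtables, "Use legacy xtables interface instead of nftables", NULL },
 { "nftables-start",0,0, G_OPTION_ARG_NONE, &nftables_start, "Just add nftables rules and exit", NULL },
 { "nftables-stop",0, 0, G_OPTION_ARG_NONE, &nftables_stop, "Just remove nftables rules and exit", NULL },
 { "nftables-status",0, 0, G_OPTION_ARG_NONE, &nftables_status, "Check nftables rules, print result and exit", NULL },
@@ -997,6 +998,7 @@ static void options(int *argc, char ***argv, charp_ht templates) {
 .table = rtpe_config.kernel_table,
 .append = rtpe_config.nftables_append,
 .family = rtpe_config.nftables_family,
+.xtables = rtpe_config.xtables,
 });
 else // nftables_stop
 err = nftables_shutdown(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain,
@@ -1583,6 +1585,7 @@ static void kernel_setup(void) {
 const char *err = nftables_setup(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain,
 (nftables_args) {.table = rtpe_config.kernel_table,
 .append = rtpe_config.nftables_append,
+.xtables = rtpe_config.xtables,
 .family = rtpe_config.nftables_family});
 if (err) {
 if (rtpe_config.no_fallback)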
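Review bot: The help string of the new `--xtables` entry in the first hunk says the legacy xtables interface is used "instead of nftables", but the flag is only passed into `nftables_setup()` in the two later hunks, so the rule is still installed through the nftables netlink path and only the rule's target changes, which is also how the docs/rtpengine.md text in this commit describes it. An operator reading `--help` would reasonably expect ip_tables to be driven and nftables to be left untouched, which matters when they are auditing which firewall backend a host is using. Suggest `"Use legacy xt_RTPENGINE target instead of the nftables rtpengine expression"` as the help text. Both `options()` and `kernel_setup()` start and end outside these hunks.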


+ 34
- 1
daemon/nftables.c

@ -60,6 +60,7 @@ struct add_rule_callbacks {
const char *base_chain; const char *base_chain;
int table; int table;
bool append; bool append;
bool xtables;
}; };
@ -87,6 +88,9 @@ static const char *match_rtpe(const char *name, const int8_t *data, size_t len,
if (n && !strcmp(n, "RTPENGINE") && info_len >= sizeof(info) && info.id == callbacks->table) if (n && !strcmp(n, "RTPENGINE") && info_len >= sizeof(info) && info.id == callbacks->table)
callbacks->rule_scratch.rtpengine_matched = true; callbacks->rule_scratch.rtpengine_matched = true;
} }
else if (!strcmp(name, "rtpengine"))
callbacks->rule_scratch.rtpengine_matched = true;
return NULL; return NULL;
} }
@ -445,7 +449,26 @@ static const char *input_immediate(nfapi_buf *b, int family, struct add_rule_cal
} }
static const char *rtpe_target_base(nfapi_buf *b, struct add_rule_callbacks *callbacks) {
static const char *target_base_nft_expr(nfapi_buf *b, struct add_rule_callbacks *callbacks) {
// buffer is in the nested expressions
nfapi_nested_begin(b, NFTA_LIST_ELEM);
nfapi_add_str_attr(b, NFTA_EXPR_NAME, "rtpengine");
nfapi_nested_begin(b, NFTA_EXPR_DATA);
nfapi_add_u32_attr(b, RTPEA_RTPENGINE_TABLE, callbacks->table);
nfapi_nested_end(b);
nfapi_nested_end(b);
return NULL;
}
static const char *target_base_xt(nfapi_buf *b, struct add_rule_callbacks *callbacks) {
// buffer is in the nested expressions // buffer is in the nested expressions
struct xt_rtpengine_info info = { .id = callbacks->table }; struct xt_rtpengine_info info = { .id = callbacks->table };
@ -502,6 +525,14 @@ static const char *comment(nfapi_buf *b, int family, struct add_rule_callbacks *
} }
static const char *rtpe_target_base(nfapi_buf *b, struct add_rule_callbacks *callbacks) {
if (callbacks->xtables)
return target_base_xt(b, callbacks);
else
return target_base_nft_expr(b, callbacks);
}
static const char *rtpe_target(nfapi_buf *b, int family, struct add_rule_callbacks *callbacks) { static const char *rtpe_target(nfapi_buf *b, int family, struct add_rule_callbacks *callbacks) {
nfapi_add_str_attr(b, NFTA_RULE_CHAIN, callbacks->chain); nfapi_add_str_attr(b, NFTA_RULE_CHAIN, callbacks->chain);
@ -685,6 +716,7 @@ static const char *nftables_setup_family(nfapi_socket *nl, int family,
.chain = chain, .chain = chain,
.table = args->table, .table = args->table,
.append = args->append, .append = args->append,
.xtables = args->xtables,
}); });
if (err) if (err)
return err; return err;
@ -709,6 +741,7 @@ static const char *nftables_setup_family(nfapi_socket *nl, int family,
.chain = chain, .chain = chain,
.table = args->table, .table = args->table,
.append = args->append, .append = args->append,
.xtables = args->xtables,
}); });
if (err) if (err)
return err; return err;
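Review bot: The new `else if (!strcmp(name, "rtpengine"))` branch in `match_rtpe()` sets `rtpengine_matched` on the expression name alone, whereas the existing xt branch just above it only matches when `info.id == callbacks->table`; the table id the add path writes as `RTPEA_RTPENGINE_TABLE` in `target_base_nft_expr()` is never compared on the lookup side. If two rtpengine instances with different `--table` values manage rules in the same chain, the status check and the removal/cleanup logic that rely on this match would presumably treat the other instance's native rule as their own, which the xt path deliberately avoids. The `data`/`len` parameters are available here as in the xt branch, so the expression data should be decoded and the table attribute checked against `callbacks->table` before setting the flag, e.g. `else if (!strcmp(name, "rtpengine") && nft_expr_table_id(data, len) == callbacks->table)` with whatever nested-attribute parser this file already uses. `match_rtpe()` starts outside the hunk, so the surrounding `if` and how `name` is guaranteed non-NULL are not visible here.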


+ 6
- 0
docs/rtpengine.md

@ -128,6 +128,12 @@ at the command line. See the __\-\-config-file__ option below for details.
Configure for which netfilter address family to manage tables, chains, and Configure for which netfilter address family to manage tables, chains, and
rules. The default is to manage both IPv4 and IPv6 address families. rules. The default is to manage both IPv4 and IPv6 address families.
- __\-\-xtables__
Manage a netfilter rule pointing to the legacy x-tables target
(`xt_RTPENGINE`) instead of the more modern nftables `rtpengine`
expression.
- __\-\-nftables-start__ - __\-\-nftables-start__
- __\-\-nftables-stop__ - __\-\-nftables-stop__


+ 1
- 0
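--- a/include/main.h
+++ b/include/main.h
@@ -122,6 +122,7 @@ enum endpoint_learning {
 X(no_redis_required) \
 X(active_switchover) \
 X(rec_egress) \
+X(xtables) \
 X(nftables_append) \
 X(log_keys) \
 X(dtmf_via_ng) \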


+ 2
- 1
include/nftables.h

@ -5,8 +5,9 @@
typedef struct { typedef struct {
int table; int table;
bool append;
int family; int family;
bool append;
bool xtables;
} nftables_args; } nftables_args;
const char *nftables_setup(const char *chain, const char *base_chain, nftables_args); const char *nftables_setup(const char *chain, const char *base_chain, nftables_args);

