
MT#55283 support nftables INET family

closes #1732

Change-Id: I04c94aa4f35c55a8035eb0edadd9280c380590a3
pull/2035/head
Richard Fuchs 1 week ago
parent
commit
c5458cb933
3 changed files with 39 additions and 16 deletions
  1. +6
    -1
      daemon/main.c
  2. +32
    -14
      daemon/nftables.c
  3. +1
    -1
      docs/rtpengine.md

+ 6
- 1
daemon/main.c View File

@ -698,7 +698,7 @@ static void options(int *argc, char ***argv, charp_ht templates) {
{ "nftables-chain",0,0, G_OPTION_ARG_STRING, &rtpe_config.nftables_chain, "Name of nftables chain to manage", "STR" },
{ "nftables-base-chain",0,0, G_OPTION_ARG_STRING,&rtpe_config.nftables_base_chain,"Name of nftables base chain to use", "STR" },
{ "nftables-append",0,0, G_OPTION_ARG_NONE, &rtpe_config.nftables_append, "Append instead of prepend created rules", NULL },
{ "nftables-family",0,0, G_OPTION_ARG_STRING, &nftables_family, "Address family/ies to manage via nftables", "ip|ip6|ip,ip6" },
{ "nftables-family",0,0, G_OPTION_ARG_STRING, &nftables_family, "Address family/ies to manage via nftables", "ip|ip6|ip,ip6|inet" },
{ "xtables", 0,0, G_OPTION_ARG_NONE, &rtpe_config.xtables, "Use legacy xtables interface instead of nftables", NULL },
{ "nftables-start",0,0, G_OPTION_ARG_NONE, &nftables_start, "Just add nftables rules and exit", NULL },
{ "nftables-stop",0, 0, G_OPTION_ARG_NONE, &nftables_stop, "Just remove nftables rules and exit", NULL },
@ -965,6 +965,11 @@ static void options(int *argc, char ***argv, charp_ht templates) {
rtpe_config.nftables_family = NFPROTO_IPV4;
else if (!strcmp(nftables_family, "ip6"))
rtpe_config.nftables_family = NFPROTO_IPV6;
else if (!strcmp(nftables_family, "inet")) {
if (rtpe_config.xtables)
die("'inet' nftables address family not valid with legacy xtables");
rtpe_config.nftables_family = NFPROTO_INET;
}
else
die("Invalid value for 'nftables-family' ('%s')", nftables_family);
#endif
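Review bot: The new `inet` arm in the second hunk rejects the combination with `--xtables` but gives no hint why, and the reason is not obvious from the surrounding option handling; a one-line comment would help: `/* 'inet' is a single nftables table covering IPv4 and IPv6; it has no xtables equivalent */`. The check relies on `rtpe_config.xtables` already having been set by option parsing at this point, which looks right for a post-parse validation block, but the parsing itself is outside the hunk and cannot be confirmed here. A value that mixes `inet` with another family (e.g. `ip,inet`) falls through to the generic "Invalid value" `die`, which is presumably intended; the mixed-family branch is also outside the hunk. `options()` starts and ends outside the hunk.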


+ 32
- 14
daemon/nftables.c View File

@ -364,25 +364,38 @@ static const char *udp_filter(nfapi_buf *b, int family) {
nfapi_nested_begin(b, NFTA_LIST_ELEM);
nfapi_add_str_attr(b, NFTA_EXPR_NAME, "payload");
if (family == NFPROTO_INET) {
nfapi_nested_begin(b, NFTA_EXPR_DATA);
nfapi_add_str_attr(b, NFTA_EXPR_NAME, "meta");
nfapi_nested_begin(b, NFTA_EXPR_DATA);
nfapi_add_u32_attr(b, NFTA_META_KEY, htonl(NFT_META_L4PROTO));
nfapi_add_u32_attr(b, NFTA_META_DREG, htonl(NFT_REG_1));
nfapi_add_u32_attr(b, NFTA_PAYLOAD_DREG, htonl(NFT_REG_1));
nfapi_add_u32_attr(b, NFTA_PAYLOAD_BASE, htonl(NFT_PAYLOAD_NETWORK_HEADER));
nfapi_nested_end(b);
}
else {
nfapi_add_str_attr(b, NFTA_EXPR_NAME, "payload");
if (family == NFPROTO_IPV4)
nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
htonl(offsetof(struct iphdr, protocol)));
else if (family == NFPROTO_IPV6)
nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
htonl(offsetof(struct ip6_hdr, ip6_nxt)));
else
return "unsupported address family for UDP filter";
nfapi_nested_begin(b, NFTA_EXPR_DATA);
nfapi_add_u32_attr(b, NFTA_PAYLOAD_LEN, htonl(sizeof(proto)));
nfapi_add_u32_attr(b, NFTA_PAYLOAD_DREG, htonl(NFT_REG_1));
nfapi_add_u32_attr(b, NFTA_PAYLOAD_BASE, htonl(NFT_PAYLOAD_NETWORK_HEADER));
nfapi_nested_end(b);
if (family == NFPROTO_IPV4)
nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
htonl(offsetof(struct iphdr, protocol)));
else if (family == NFPROTO_IPV6)
nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
htonl(offsetof(struct ip6_hdr, ip6_nxt)));
else
return "unsupported address family for UDP filter";
nfapi_add_u32_attr(b, NFTA_PAYLOAD_LEN, htonl(sizeof(proto)));
nfapi_nested_end(b);
}
nfapi_nested_end(b);
@ -783,6 +796,11 @@ static const char *nftables_do(const char *chain, const char *base_chain,
if (err)
return err;
if (args->family == NFPROTO_INET)
err = do_func(nl, NFPROTO_INET, chain, base_chain, args);
if (err)
return err;
return NULL;
}
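Review bot: In the first hunk the `return "unsupported address family for UDP filter";` in the `else` branch now runs after both `nfapi_nested_begin(b, NFTA_LIST_ELEM)` and `nfapi_nested_begin(b, NFTA_EXPR_DATA)` have been opened, whereas before the change it ran before the `NFTA_EXPR_DATA` nesting began, so the error path now leaves two nested attributes unterminated in `b`. With `main.c` restricting the family to ip/ip6/inet this branch looks unreachable, and it is harmless if callers discard the buffer on a non-NULL return (not visible here), but moving the family check ahead of the `nfapi_nested_begin(b, NFTA_EXPR_DATA)` call would keep the buffer balanced on every path. The `inet` branch also deserves a why-comment, since the switch from a payload load to a meta expression is the substance of the change: `/* inet tables see both IPv4 and IPv6 packets, so the next-header byte has no fixed offset; read meta l4proto instead of a payload load */`. `udp_filter` starts and ends outside the hunk.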


+ 1
- 1
docs/rtpengine.md View File

@ -123,7 +123,7 @@ at the command line. See the __\-\-config-file__ option below for details.
appended to the list of existing rules. The default is to prepend it
(insert it at the beginning).
- __\-\-nftables-family=ip__|__ip6__|__ip,ip6__
- __\-\-nftables-family=ip__|__ip6__|__ip,ip6__|__inet__
Configure for which netfilter address family to manage tables, chains, and
rules. The default is to manage both IPv4 and IPv6 address families.

