From c5458cb933af5382a54ebfb43af0d596c085ec79 Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Mon, 1 Dec 2025 12:49:03 -0400
Subject: [PATCH] MT#55283 support nftables INET family

closes #1732

Change-Id: I04c94aa4f35c55a8035eb0edadd9280c380590a3
---
 daemon/main.c | 7 ++++++-
 daemon/nftables.c | 46 ++++++++++++++++++++++++++++++++--------------
 docs/rtpengine.md | 2 +-
 3 files changed, 39 insertions(+), 16 deletions(-)

diff --git a/daemon/main.c b/daemon/main.c
index 22c36364d..f703dc58f 100644
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -698,7 +698,7 @@ static void options(int *argc, char ***argv, charp_ht templates) {
 { "nftables-chain",0,0, G_OPTION_ARG_STRING, &rtpe_config.nftables_chain, "Name of nftables chain to manage", "STR" },
 { "nftables-base-chain",0,0, G_OPTION_ARG_STRING,&rtpe_config.nftables_base_chain,"Name of nftables base chain to use", "STR" },
 { "nftables-append",0,0, G_OPTION_ARG_NONE, &rtpe_config.nftables_append, "Append instead of prepend created rules", NULL },
- { "nftables-family",0,0, G_OPTION_ARG_STRING, &nftables_family, "Address family/ies to manage via nftables", "ip|ip6|ip,ip6" },
+ { "nftables-family",0,0, G_OPTION_ARG_STRING, &nftables_family, "Address family/ies to manage via nftables", "ip|ip6|ip,ip6|inet" },
 { "xtables", 0,0, G_OPTION_ARG_NONE, &rtpe_config.xtables, "Use legacy xtables interface instead of nftables", NULL },
 { "nftables-start",0,0, G_OPTION_ARG_NONE, &nftables_start, "Just add nftables rules and exit", NULL },
 { "nftables-stop",0, 0, G_OPTION_ARG_NONE, &nftables_stop, "Just remove nftables rules and exit", NULL },
@@ -965,6 +965,11 @@ static void options(int *argc, char ***argv, charp_ht templates) {
 rtpe_config.nftables_family = NFPROTO_IPV4;
 else if (!strcmp(nftables_family, "ip6"))
 rtpe_config.nftables_family = NFPROTO_IPV6;
+ else if (!strcmp(nftables_family, "inet")) {
+ if (rtpe_config.xtables)
+ die("'inet' nftables address family not valid with legacy xtables");
+ rtpe_config.nftables_family = NFPROTO_INET;
+ }
 else
 die("Invalid value for 'nftables-family' ('%s')", nftables_family);
 #endif
diff --git a/daemon/nftables.c b/daemon/nftables.c
index 4536a2d43..23c6c6af4 100644
--- a/daemon/nftables.c
+++ b/daemon/nftables.c
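Review bot: The restriction that `inet` cannot be combined with `--xtables` is enforced only by the `die()` in the new `else if` branch; neither the option's help string in the @@ -698 hunk nor the docs/rtpengine.md hunk mention it, so a user only discovers it at startup. I would state it where the values are listed, e.g. the help text `"Address family/ies to manage via nftables ('inet' requires nftables, not --xtables)"`, and a matching sentence in the manual. The check also relies on `rtpe_config.xtables` having been populated before this post-parse block runs; that ordering is outside the hunk, so worth confirming. The enclosing `options()` function starts and ends outside the hunk.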
@@ -364,25 +364,38 @@ static const char *udp_filter(nfapi_buf *b, int family) {
 nfapi_nested_begin(b, NFTA_LIST_ELEM);
- nfapi_add_str_attr(b, NFTA_EXPR_NAME, "payload");
+ if (family == NFPROTO_INET) {
- nfapi_nested_begin(b, NFTA_EXPR_DATA);
+ nfapi_add_str_attr(b, NFTA_EXPR_NAME, "meta");
+
+ nfapi_nested_begin(b, NFTA_EXPR_DATA);
+
+ nfapi_add_u32_attr(b, NFTA_META_KEY, htonl(NFT_META_L4PROTO));
+ nfapi_add_u32_attr(b, NFTA_META_DREG, htonl(NFT_REG_1));
- nfapi_add_u32_attr(b, NFTA_PAYLOAD_DREG, htonl(NFT_REG_1));
- nfapi_add_u32_attr(b, NFTA_PAYLOAD_BASE, htonl(NFT_PAYLOAD_NETWORK_HEADER));
+ nfapi_nested_end(b);
+ }
+ else {
+ nfapi_add_str_attr(b, NFTA_EXPR_NAME, "payload");
- if (family == NFPROTO_IPV4)
- nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
- htonl(offsetof(struct iphdr, protocol)));
- else if (family == NFPROTO_IPV6)
- nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
- htonl(offsetof(struct ip6_hdr, ip6_nxt)));
- else
- return "unsupported address family for UDP filter";
+ nfapi_nested_begin(b, NFTA_EXPR_DATA);
- nfapi_add_u32_attr(b, NFTA_PAYLOAD_LEN, htonl(sizeof(proto)));
+ nfapi_add_u32_attr(b, NFTA_PAYLOAD_DREG, htonl(NFT_REG_1));
+ nfapi_add_u32_attr(b, NFTA_PAYLOAD_BASE, htonl(NFT_PAYLOAD_NETWORK_HEADER));
- nfapi_nested_end(b);
+ if (family == NFPROTO_IPV4)
+ nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
+ htonl(offsetof(struct iphdr, protocol)));
+ else if (family == NFPROTO_IPV6)
+ nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
+ htonl(offsetof(struct ip6_hdr, ip6_nxt)));
+ else
+ return "unsupported address family for UDP filter";
+
+ nfapi_add_u32_attr(b, NFTA_PAYLOAD_LEN, htonl(sizeof(proto)));
+
+ nfapi_nested_end(b);
+ }
 nfapi_nested_end(b);
@@ -783,6 +796,11 @@ static const char *nftables_do(const char *chain, const char *base_chain,
 if (err)
 return err;
+ if (args->family == NFPROTO_INET)
+ err = do_func(nl, NFPROTO_INET, chain, base_chain, args);
+ if (err)
+ return err;
+
 return NULL;
 }
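Review bot: The new `if (family == NFPROTO_INET)` branch in udp_filter() switches from a payload read at a family-specific network-header offset to a `meta l4proto` load without saying why, and the reason is not obvious from the constants alone; a short comment at the top of the branch would help, e.g. `/* inet rules match both IPv4 and IPv6 packets, so the L4 protocol has no fixed network-header offset; ask the kernel via meta l4proto instead */`. The comparison that consumes NFT_REG_1 and the declaration of `proto` lie outside the hunk; the `meta` load yields a one-byte protocol value while the `payload` branch reads `sizeof(proto)` bytes, so if `proto` is wider than one byte the two branches leave different register contents — worth confirming against the code that follows. udp_filter() continues past the end of the hunk.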
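Review bot: In the nftables_do() hunk the added `if (err) return err;` sits directly after an identical check, so one of the two is now dead: the first fires before the inet call, and the second can only observe an error set by `do_func()` inside the new branch. Scoping the check to the branch reads more clearly: `if (args->family == NFPROTO_INET) { err = do_func(nl, NFPROTO_INET, chain, base_chain, args); if (err) return err; }`. The preceding per-family `do_func()` calls are outside the hunk; if they dispatch on `args->family` with equality tests as this one does, the inet path runs only here, but that ordering is not visible in the diff. nftables_do() starts outside the hunk.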
diff --git a/docs/rtpengine.md b/docs/rtpengine.md
index 8b5933d3c..9ba6a6d41 100644
--- a/docs/rtpengine.md
+++ b/docs/rtpengine.md
@@ -123,7 +123,7 @@ at the command line. See the __\-\-config-file__ option below for details.
 appended to the list of existing rules. The default is to prepend it (insert it at the beginning).
-- __\-\-nftables-family=ip__|__ip6__|__ip,ip6__
+- __\-\-nftables-family=ip__|__ip6__|__ip,ip6__|__inet__
 Configure for which netfilter address family to manage tables, chains, and rules. The default is to manage both IPv4 and IPv6 address families.