
MT#55283 support nftables INET family

closes #1732

Change-Id: I04c94aa4f35c55a8035eb0edadd9280c380590a3
pull/2035/head
Richard Fuchs 2 weeks ago
parent
commit
c5458cb933
3 changed files with 39 additions and 16 deletions
  1. +6
    -1
      daemon/main.c
  2. +32
    -14
      daemon/nftables.c
  3. +1
    -1
      docs/rtpengine.md

+ 6
- 1
daemon/main.c View File

@ -698,7 +698,7 @@ static void options(int *argc, char ***argv, charp_ht templates) {
{ "nftables-chain",0,0, G_OPTION_ARG_STRING, &rtpe_config.nftables_chain, "Name of nftables chain to manage", "STR" }, { "nftables-chain",0,0, G_OPTION_ARG_STRING, &rtpe_config.nftables_chain, "Name of nftables chain to manage", "STR" },
{ "nftables-base-chain",0,0, G_OPTION_ARG_STRING,&rtpe_config.nftables_base_chain,"Name of nftables base chain to use", "STR" }, { "nftables-base-chain",0,0, G_OPTION_ARG_STRING,&rtpe_config.nftables_base_chain,"Name of nftables base chain to use", "STR" },
{ "nftables-append",0,0, G_OPTION_ARG_NONE, &rtpe_config.nftables_append, "Append instead of prepend created rules", NULL }, { "nftables-append",0,0, G_OPTION_ARG_NONE, &rtpe_config.nftables_append, "Append instead of prepend created rules", NULL },
{ "nftables-family",0,0, G_OPTION_ARG_STRING, &nftables_family, "Address family/ies to manage via nftables", "ip|ip6|ip,ip6" },
{ "nftables-family",0,0, G_OPTION_ARG_STRING, &nftables_family, "Address family/ies to manage via nftables", "ip|ip6|ip,ip6|inet" },
{ "xtables", 0,0, G_OPTION_ARG_NONE, &rtpe_config.xtables, "Use legacy xtables interface instead of nftables", NULL }, { "xtables", 0,0, G_OPTION_ARG_NONE, &rtpe_config.xtables, "Use legacy xtables interface instead of nftables", NULL },
{ "nftables-start",0,0, G_OPTION_ARG_NONE, &nftables_start, "Just add nftables rules and exit", NULL }, { "nftables-start",0,0, G_OPTION_ARG_NONE, &nftables_start, "Just add nftables rules and exit", NULL },
{ "nftables-stop",0, 0, G_OPTION_ARG_NONE, &nftables_stop, "Just remove nftables rules and exit", NULL }, { "nftables-stop",0, 0, G_OPTION_ARG_NONE, &nftables_stop, "Just remove nftables rules and exit", NULL },
@ -965,6 +965,11 @@ static void options(int *argc, char ***argv, charp_ht templates) {
rtpe_config.nftables_family = NFPROTO_IPV4; rtpe_config.nftables_family = NFPROTO_IPV4;
else if (!strcmp(nftables_family, "ip6")) else if (!strcmp(nftables_family, "ip6"))
rtpe_config.nftables_family = NFPROTO_IPV6; rtpe_config.nftables_family = NFPROTO_IPV6;
else if (!strcmp(nftables_family, "inet")) {
if (rtpe_config.xtables)
die("'inet' nftables address family not valid with legacy xtables");
rtpe_config.nftables_family = NFPROTO_INET;
}
else else
die("Invalid value for 'nftables-family' ('%s')", nftables_family); die("Invalid value for 'nftables-family' ('%s')", nftables_family);
#endif #endif
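Review bot: The new `else if (!strcmp(nftables_family, "inet"))` branch rejects the family under `--xtables`, but nothing tells the user that up front: the help string updated in the first hunk lists `ip|ip6|ip,ip6|inet` without qualification, and the die() text only says the combination is invalid once startup has already failed. Consider making the restriction discoverable from `--help`, e.g. `"ip|ip6|ip,ip6|inet (inet: nftables only)"`, or a short comment above the branch such as `/* inet is an nftables-only pseudo-family; legacy xtables has no equivalent */` so the next reader does not wonder whether the check is a leftover. The enclosing options() function starts and ends outside both hunks, so whether `ip,ip6` gets a comparable xtables check is not visible here.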


+ 32
- 14
daemon/nftables.c View File

@ -364,25 +364,38 @@ static const char *udp_filter(nfapi_buf *b, int family) {
nfapi_nested_begin(b, NFTA_LIST_ELEM); nfapi_nested_begin(b, NFTA_LIST_ELEM);
nfapi_add_str_attr(b, NFTA_EXPR_NAME, "payload");
if (family == NFPROTO_INET) {
nfapi_nested_begin(b, NFTA_EXPR_DATA);
nfapi_add_str_attr(b, NFTA_EXPR_NAME, "meta");
nfapi_nested_begin(b, NFTA_EXPR_DATA);
nfapi_add_u32_attr(b, NFTA_META_KEY, htonl(NFT_META_L4PROTO));
nfapi_add_u32_attr(b, NFTA_META_DREG, htonl(NFT_REG_1));
nfapi_add_u32_attr(b, NFTA_PAYLOAD_DREG, htonl(NFT_REG_1));
nfapi_add_u32_attr(b, NFTA_PAYLOAD_BASE, htonl(NFT_PAYLOAD_NETWORK_HEADER));
nfapi_nested_end(b);
}
else {
nfapi_add_str_attr(b, NFTA_EXPR_NAME, "payload");
if (family == NFPROTO_IPV4)
nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
htonl(offsetof(struct iphdr, protocol)));
else if (family == NFPROTO_IPV6)
nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
htonl(offsetof(struct ip6_hdr, ip6_nxt)));
else
return "unsupported address family for UDP filter";
nfapi_nested_begin(b, NFTA_EXPR_DATA);
nfapi_add_u32_attr(b, NFTA_PAYLOAD_LEN, htonl(sizeof(proto)));
nfapi_add_u32_attr(b, NFTA_PAYLOAD_DREG, htonl(NFT_REG_1));
nfapi_add_u32_attr(b, NFTA_PAYLOAD_BASE, htonl(NFT_PAYLOAD_NETWORK_HEADER));
nfapi_nested_end(b);
if (family == NFPROTO_IPV4)
nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
htonl(offsetof(struct iphdr, protocol)));
else if (family == NFPROTO_IPV6)
nfapi_add_u32_attr(b, NFTA_PAYLOAD_OFFSET,
htonl(offsetof(struct ip6_hdr, ip6_nxt)));
else
return "unsupported address family for UDP filter";
nfapi_add_u32_attr(b, NFTA_PAYLOAD_LEN, htonl(sizeof(proto)));
nfapi_nested_end(b);
}
nfapi_nested_end(b); nfapi_nested_end(b);
@ -783,6 +796,11 @@ static const char *nftables_do(const char *chain, const char *base_chain,
if (err) if (err)
return err; return err;
if (args->family == NFPROTO_INET)
err = do_func(nl, NFPROTO_INET, chain, base_chain, args);
if (err)
return err;
return NULL; return NULL;
} }
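Review bot: In udp_filter, the INET branch switches from a payload read to a `meta` expression keyed on NFT_META_L4PROTO without a comment, and the difference deserves one: the ip6 path in the else branch reads `offsetof(struct ip6_hdr, ip6_nxt)`, the fixed header's next-header field, which names an extension header rather than the transport protocol whenever extension headers are present, whereas `meta l4proto` yields the transport protocol the kernel resolved. A comment above `if (family == NFPROTO_INET) {` such as `/* inet has no single network header to read the protocol byte from; meta l4proto gives the resolved L4 protocol for both v4 and v6 */` would record why the two branches differ. Both branches load into NFT_REG_1, so the comparison that presumably follows outside the hunk stays shared. udp_filter begins and ends outside the hunk.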


+ 1
- 1
docs/rtpengine.md View File

@ -123,7 +123,7 @@ at the command line. See the __\-\-config-file__ option below for details.
appended to the list of existing rules. The default is to prepend it appended to the list of existing rules. The default is to prepend it
(insert it at the beginning). (insert it at the beginning).
- __\-\-nftables-family=ip__|__ip6__|__ip,ip6__
- __\-\-nftables-family=ip__|__ip6__|__ip,ip6__|__inet__
Configure for which netfilter address family to manage tables, chains, and Configure for which netfilter address family to manage tables, chains, and
rules. The default is to manage both IPv4 and IPv6 address families. rules. The default is to manage both IPv4 and IPv6 address families.

