
MT#55283 only remove rules with matching table

Change-Id: I19fba3b41634e3d7bd6fd66b9c64430d7976f723
pull/2035/head
Richard Fuchs 2 weeks ago
parent
commit
cc5c0f07cb
3 changed files with 27 additions and 10 deletions
  1. +13
    -5
      daemon/main.c
  2. +13
    -5
      daemon/nftables.c
  3. +1
    -0
      lib/netfilter_api.c

+ 13
- 5
daemon/main.c View File

@ -985,17 +985,25 @@ static void options(int *argc, char ***argv, charp_ht templates) {
const char *err; const char *err;
if (nftables_status) { if (nftables_status) {
int xv = nftables_check(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain, int xv = nftables_check(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain,
(nftables_args){.family = rtpe_config.nftables_family});
(nftables_args) {
.table = rtpe_config.kernel_table,
.family = rtpe_config.nftables_family,
});
exit(xv); exit(xv);
} }
if (nftables_start) if (nftables_start)
err = nftables_setup(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain, err = nftables_setup(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain,
(nftables_args) {.table = rtpe_config.kernel_table,
.append = rtpe_config.nftables_append,
.family = rtpe_config.nftables_family});
(nftables_args) {
.table = rtpe_config.kernel_table,
.append = rtpe_config.nftables_append,
.family = rtpe_config.nftables_family,
});
else // nftables_stop else // nftables_stop
err = nftables_shutdown(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain, err = nftables_shutdown(rtpe_config.nftables_chain, rtpe_config.nftables_base_chain,
(nftables_args){.family = rtpe_config.nftables_family});
(nftables_args) {
.table = rtpe_config.kernel_table,
.family = rtpe_config.nftables_family,
});
if (err) if (err)
die("Failed to perform nftables action: %s (%s)", err, strerror(errno)); die("Failed to perform nftables action: %s (%s)", err, strerror(errno));
printf("Success\n"); printf("Success\n");
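Review bot: The nftables_check and nftables_shutdown calls are now scoped to `rtpe_config.kernel_table`, so running the status or stop action without the table option (its default is not visible in this hunk) matches nothing — stop then removes no rules but still falls through to `printf("Success\n")`. If the unset value is a sentinel such as -1, reject it before dispatching, e.g. `if (rtpe_config.kernel_table < 0) die("nftables actions require a kernel table");`, so an operator is not told the rules were cleaned up when they were not. At minimum document the coupling above the nftables_status branch: `// all nftables actions act only on rules tagged with this process's kernel table`. options() starts and ends outside the hunk.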


+ 13
- 5
daemon/nftables.c View File

@ -33,6 +33,7 @@ struct iterate_callbacks {
// common arguments // common arguments
const char *chain; const char *chain;
const char *base_chain; const char *base_chain;
int table;
// scratch area for rule callbacks, set to zero for every rule // scratch area for rule callbacks, set to zero for every rule
struct { struct {
@ -75,8 +76,10 @@ static const char *match_rtpe(const char *name, const int8_t *data, size_t len,
// match top-level targets // match top-level targets
if (!strcmp(name, "target")) { if (!strcmp(name, "target")) {
const char *n = nfapi_get_target(data, len, NULL, NULL);
if (n && !strcmp(n, "RTPENGINE"))
struct xt_rtpengine_info info;
size_t info_len = sizeof(info);
const char *n = nfapi_get_target(data, len, &info, &info_len);
if (n && !strcmp(n, "RTPENGINE") && info_len >= sizeof(info) && info.id == callbacks->table)
callbacks->rule_scratch.rule_matched = true; callbacks->rule_scratch.rule_matched = true;
} }
return NULL; return NULL;
@ -501,7 +504,7 @@ static const char *delete_chain(nfapi_socket *nl, int family, const char *chain)
static const char *nftables_shutdown_family(nfapi_socket *nl, int family, static const char *nftables_shutdown_family(nfapi_socket *nl, int family,
const char *chain, const char *base_chain, nftables_args *dummy)
const char *chain, const char *base_chain, nftables_args *args)
{ {
const char *err; const char *err;
@ -513,6 +516,7 @@ static const char *nftables_shutdown_family(nfapi_socket *nl, int family,
.chain = chain, .chain = chain,
.rule_final = check_matched_queue, .rule_final = check_matched_queue,
.iterate_final = iterate_delete_rules, .iterate_final = iterate_delete_rules,
.table = args->table,
}); });
if (err) if (err)
return err; return err;
@ -524,6 +528,7 @@ static const char *nftables_shutdown_family(nfapi_socket *nl, int family,
.chain = chain, .chain = chain,
.rule_final = check_matched_queue, .rule_final = check_matched_queue,
.iterate_final = iterate_delete_rules, .iterate_final = iterate_delete_rules,
.table = args->table,
}); });
if (err) if (err)
return err; return err;
@ -537,6 +542,7 @@ static const char *nftables_shutdown_family(nfapi_socket *nl, int family,
.chain = chain, .chain = chain,
.rule_final = check_matched_queue, .rule_final = check_matched_queue,
.iterate_final = iterate_delete_rules, .iterate_final = iterate_delete_rules,
.table = args->table,
}); });
if (err) if (err)
return err; return err;
@ -583,7 +589,7 @@ static const char *add_table(nfapi_socket *nl, int family) {
static const char *nftables_setup_family(nfapi_socket *nl, int family, static const char *nftables_setup_family(nfapi_socket *nl, int family,
const char *chain, const char *base_chain, nftables_args *args) const char *chain, const char *base_chain, nftables_args *args)
{ {
const char *err = nftables_shutdown_family(nl, family, chain, base_chain, NULL);
const char *err = nftables_shutdown_family(nl, family, chain, base_chain, args);
if (err) if (err)
return err; return err;
@ -669,13 +675,14 @@ static const char *nftables_do(const char *chain, const char *base_chain,
static const char *nftables_check_family(nfapi_socket *nl, int family, static const char *nftables_check_family(nfapi_socket *nl, int family,
const char *chain, const char *base_chain, nftables_args *dummy)
const char *chain, const char *base_chain, nftables_args *args)
{ {
// look for our custom module rule in the specified chain // look for our custom module rule in the specified chain
struct iterate_callbacks callbacks = { struct iterate_callbacks callbacks = {
.parse_expr = match_rtpe, .parse_expr = match_rtpe,
.rule_final = check_matched_flag, .rule_final = check_matched_flag,
.table = args->table,
}; };
iterate_rules(nl, family, chain, &callbacks); iterate_rules(nl, family, chain, &callbacks);
@ -689,6 +696,7 @@ static const char *nftables_check_family(nfapi_socket *nl, int family,
.parse_expr = match_immediate, .parse_expr = match_immediate,
.chain = chain, .chain = chain,
.rule_final = check_matched_flag, .rule_final = check_matched_flag,
.table = args->table,
}; };
iterate_rules(nl, family, "INPUT", &callbacks); iterate_rules(nl, family, "INPUT", &callbacks);
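Review bot: In match_rtpe the new `info.id` read is guarded only by `info_len >= sizeof(info)`, but info_len starts at sizeof(info) and nfapi_get_target overwrites it only on its memcpy path (the one line added in lib/netfilter_api.c); if it returns a target name without reaching that path, the guard passes and an uninitialized `info.id` is compared. Zero-initialise the local as a backstop, `struct xt_rtpengine_info info = {0};`, and have nfapi_get_target reset `*info_len` on entry so the length check really means "a full struct was copied". A comment on the guard would make the contract explicit: `// info is only valid when nfapi_get_target copied a full xt_rtpengine_info into it`. The comparison also assumes `int table` and `info.id` have compatible signedness, which this hunk does not show; match_rtpe's definition begins before the hunk.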


+ 1
- 0
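--- a/lib/netfilter_api.c
+++ b/lib/netfilter_api.c
@@ -431,6 +431,7 @@ const char *nfapi_get_target(const int8_t *buf, size_t l, void *info, size_t *in
 break;
 buf_len = MIN(buf_len, data_len);
 memcpy(info, data, buf_len);
+*info_len = buf_len;
 break;
 }
 }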
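Review bot: The added `*info_len = buf_len;` is unguarded, yet callers have passed a NULL info_len (the pre-change match_rtpe called `nfapi_get_target(data, len, NULL, NULL)`); unless the `break` above — whose condition is outside the hunk — already rejects a NULL info_len, this dereferences NULL for such callers. Guard it, `if (info_len) *info_len = buf_len;`, and reset `*info_len = 0` near the function entry, because today the value is assigned only on this one path and a caller cannot distinguish "nothing copied" from "capacity unchanged". nfapi_get_target begins before the hunk.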

