sipwise
/
rtpengine
mirror of https://github.com/sipwise/rtpengine.git
1
0
Fork 0
Code Issues Releases Wiki Activity

MT#57371 support "none" as nft base chain

Browse Source 
Change-Id: I8d2b43e3b4dd9c26b6b9b4cfa325a48a6c6f1c8a
pull/1747/head
Richard Fuchs 2 years ago
parent 18f0903f53
commit 27a1d60405
2 changed files with 23 additions and 15 deletions
Show Stats Download Patch File Download Diff File

32
daemon/nftables.c
Unescape View File

@ -492,7 +492,7 @@ static const char *nftables_shutdown_family(struct mnl_socket *nl, int family, u
if (err)
return err;
if (base_chain) {
if (base_chain && strcmp(base_chain, "none")) {
// clean up rules in other base chain chain if any
err = iterate_rules(nl, family, base_chain, seq,
(struct iterate_callbacks) {
@ -548,25 +548,27 @@ static const char *nftables_setup_family(struct mnl_socket *nl, int family, uint
return err;
if (base_chain) {
// make sure we have a local input base chain
err = add_chain(nl, family, base_chain, seq, local_input_chain);
if (err)
return err;
// add custom chain
err = add_chain(nl, family, chain, seq, NULL);
if (err)
return err;
// add jump rule from input base chain to custom chain
err = add_rule(nl, family, seq, (struct add_rule_callbacks) {
.callback = input_immediate,
.chain = chain,
.base_chain = base_chain,
.append = args->append,
});
if (err)
return err;
if (strcmp(base_chain, "none")) {
// make sure we have a local input base chain
err = add_chain(nl, family, base_chain, seq, local_input_chain);
if (err)
return err;
// add jump rule from input base chain to custom chain
err = add_rule(nl, family, seq, (struct add_rule_callbacks) {
.callback = input_immediate,
.chain = chain,
.base_chain = base_chain,
.append = args->append,
});
if (err)
return err;
}
// add rule for kernel forwarding
return add_rule(nl, family, seq, (struct add_rule_callbacks) {

6
docs/rtpengine.md
Unescape View File

@ -111,6 +111,12 @@ at the command line. See the __\-\-config-file__ option below for details.
will directly create the chain given by __nftables-chain__ as a base chain
and skip creating the immediate-goto rule.
If this option is set to the special string __none__, then __rtpengine__
will create its custom chain and rule as it normally would, but will skip
adding an immediate-goto rule to the custom chain. Doing so requires the
operator to manually create this immediate-goto rule somewhere themselves.
Otherwise in-kernel packet forwarding would be left inoperable.
- __\-\-nftables-append__
With this option set, the netfilter rule created in the base chain is

Write Preview
Loading…
Cancel
Save