From 27a1d60405e6a6f7478c5001e871411101ba44ff Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Thu, 19 Oct 2023 09:14:58 -0400
Subject: [PATCH] MT#57371 support "none" as nft base chain

Change-Id: I8d2b43e3b4dd9c26b6b9b4cfa325a48a6c6f1c8a
---
 daemon/nftables.c | 32 +++++++++++++++++---------------
 docs/rtpengine.md |  6 ++++++
 2 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/daemon/nftables.c b/daemon/nftables.c
index e444e9d55..ad153b06c 100644
--- a/daemon/nftables.c
+++ b/daemon/nftables.c
@@ -492,7 +492,7 @@ static const char *nftables_shutdown_family(struct mnl_socket *nl, int family, u
 		if (err)
 			return err;
 
-		if (base_chain) {
+		if (base_chain && strcmp(base_chain, "none")) {
 			// clean up rules in other base chain chain if any
 			err = iterate_rules(nl, family, base_chain, seq,
 					(struct iterate_callbacks) {
@@ -548,25 +548,27 @@ static const char *nftables_setup_family(struct mnl_socket *nl, int family, uint
 		return err;
 
 	if (base_chain) {
-		// make sure we have a local input base chain
-		err = add_chain(nl, family, base_chain, seq, local_input_chain);
-		if (err)
-			return err;
-
 		// add custom chain
 		err = add_chain(nl, family, chain, seq, NULL);
 		if (err)
 			return err;
 
-		// add jump rule from input base chain to custom chain
-		err = add_rule(nl, family, seq, (struct add_rule_callbacks) {
-			.callback = input_immediate,
-			.chain = chain,
-			.base_chain = base_chain,
-			.append = args->append,
-		});
-		if (err)
-			return err;
+		if (strcmp(base_chain, "none")) {
+			// make sure we have a local input base chain
+			err = add_chain(nl, family, base_chain, seq, local_input_chain);
+			if (err)
+				return err;
+
+			// add jump rule from input base chain to custom chain
+			err = add_rule(nl, family, seq, (struct add_rule_callbacks) {
+				.callback = input_immediate,
+				.chain = chain,
+				.base_chain = base_chain,
+				.append = args->append,
+			});
+			if (err)
+				return err;
+		}
 
 		// add rule for kernel forwarding
 		return add_rule(nl, family, seq, (struct add_rule_callbacks) {
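Review bot: The new condition `if (base_chain && strcmp(base_chain, "none"))` correctly skips the base-chain cleanup when rtpengine never installed a jump rule there, but the operator-installed jump rule that "none" mode relies on still references the custom chain, and nftables refuses to delete a chain that is the target of a jump/goto; if the remainder of nftables_shutdown_family (which starts and ends outside this hunk) goes on to delete the custom chain, shutdown in "none" mode will presumably fail or leave the chain behind. Either the deletion should tolerate that error in "none" mode or the documentation should tell operators that their jump rule must be removed before rtpengine is stopped. The intent of the skip is also not self-evident from the code; a one-line comment would help: `// "none": the operator owns the jump rule, so there is nothing of ours to remove from a base chain`.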
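Review bot: The "none" sentinel is now tested with a bare, case-sensitive `strcmp(base_chain, "none")` in two separate functions, and a near-miss such as `None` or `NONE` falls through to the normal path and silently creates a hooked input base chain literally named "None" — the opposite of what an operator who meant to opt out intended. A single helper, `static bool base_chain_is_none(const char *bc) { return bc && strcmp(bc, "none") == 0; }`, used by both nftables_setup_family and nftables_shutdown_family, would keep the two checks from drifting and make the intent explicit; the `== 0` form also reads as an equality test rather than a truthy strcmp result. Note too that `.append = args->append` only applies to the jump rule that this branch now skips, so `--nftables-append` has no effect in "none" mode and the option documentation should say so. nftables_setup_family begins and ends outside this hunk.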
diff --git a/docs/rtpengine.md b/docs/rtpengine.md
index 70db27433..6684b26e2 100644
--- a/docs/rtpengine.md
+++ b/docs/rtpengine.md
@@ -111,6 +111,12 @@ at the command line. See the __\-\-config-file__ option below for details.
 	will directly create the chain given by __nftables-chain__ as a base chain
 	and skip creating the immediate-goto rule.
 
+	If this option is set to the special string __none__, then __rtpengine__
+	will create its custom chain and rule as it normally would, but will skip
+	adding an immediate-goto rule to the custom chain. Doing so requires the
+	operator to manually create this immediate-goto rule somewhere themselves.
+	Otherwise in-kernel packet forwarding would be left inoperable.
+
 - __\-\-nftables-append__
 
 	With this option set, the netfilter rule created in the base chain is