From c048bd591a7e5374622cc7e026834be00d6d2344 Mon Sep 17 00:00:00 2001
From: Richard Fuchs <rfuchs@sipwise.com>
Date: Tue, 17 Oct 2023 12:41:10 -0400
Subject: [PATCH] MT#57371 adapt base chain rule

If we're not using a separate base chain, create the target rule with
the UDP filter in place, same as the "immediate" rule in the case with a
base chain.

Reported in #1732

Change-Id: I0e67a88f5f51e21ba9537c87e2955f910dd6ec2c
---
 daemon/nftables.c | 39 +++++++++++++++++++++++++++++++--------
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/daemon/nftables.c b/daemon/nftables.c
index fe5eec085..988f2d85a 100644
--- a/daemon/nftables.c
+++ b/daemon/nftables.c
@@ -436,6 +436,21 @@ static const char *rtpe_target(struct nftnl_rule *r, int family, struct add_rule
 }
 
 
+static const char *rtpe_target_filter(struct nftnl_rule *r, int family, struct add_rule_callbacks *callbacks) {
+	nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, callbacks->chain);
+
+	const char *err = rtpe_target_base(r, callbacks);
+	if (err)
+		return err;
+
+	err = udp_filter(r, family);
+	if (err)
+		return err;
+
+	return NULL;
+}
+
+
 static const char *delete_chain(struct mnl_socket *nl, int family, uint32_t *seq, const char *chain) {
 	AUTO_CLEANUP(struct nftnl_chain *c, chain_free) = nftnl_chain_alloc();
 	if (!c)
@@ -530,6 +545,8 @@ static const char *nftables_setup_family(struct mnl_socket *nl, int family, uint
 	if (err)
 		return err;
 
+	int *table = data;
+
 	if (base_chain) {
 		// make sure we have a local input base chain
 		err = add_chain(nl, family, base_chain, seq, local_input_chain);
@@ -549,21 +566,27 @@ static const char *nftables_setup_family(struct mnl_socket *nl, int family, uint
 			});
 		if (err)
 			return err;
+
+		// add rule for kernel forwarding
+		return add_rule(nl, family, seq, (struct add_rule_callbacks) {
+				.callback = rtpe_target,
+				.chain = chain,
+				.table = *table,
+			});
 	}
 	else {
 		// create custom base chain
 		err = add_chain(nl, family, chain, seq, local_input_chain);
 		if (err)
 			return err;
-	}
 
-	// add rule for kernel forwarding
-	int *table = data;
-	return add_rule(nl, family, seq, (struct add_rule_callbacks) {
-			.callback = rtpe_target,
-			.chain = chain,
-			.table = *table,
-		});
+		// add rule for kernel forwarding
+		return add_rule(nl, family, seq, (struct add_rule_callbacks) {
+				.callback = rtpe_target_filter,
+				.chain = chain,
+				.table = *table,
+			});
+	}
 }