MT#55283 support nftables INET family

closes #1732 Change-Id: I04c94aa4f35c55a8035eb0edadd9280c380590a3
1 month ago · c5458cb933
parent b324647699
commit c5458cb933
3 changed files with 39 additions and 16 deletions
--- a/daemon/main.c
+++ b/daemon/main.c
@ -698,7 +698,7 @@ static void options(int *argc, char ***argv, charp_ht templates) {
 		{ "nftables-chain",0,0, G_OPTION_ARG_STRING,	&rtpe_config.nftables_chain,	"Name of nftables chain to manage", "STR" },
 		{ "nftables-base-chain",0,0, G_OPTION_ARG_STRING,&rtpe_config.nftables_base_chain,"Name of nftables base chain to use", "STR" },
 		{ "nftables-append",0,0, G_OPTION_ARG_NONE,	&rtpe_config.nftables_append,	"Append instead of prepend created rules", NULL },
-		{ "nftables-family",0,0, G_OPTION_ARG_STRING,	&nftables_family,		"Address family/ies to manage via nftables", "ip|ip6|ip,ip6" },
+		{ "nftables-family",0,0, G_OPTION_ARG_STRING,	&nftables_family,		"Address family/ies to manage via nftables", "ip|ip6|ip,ip6|inet" },
 		{ "xtables",	0,0, G_OPTION_ARG_NONE,		&rtpe_config.xtables,		"Use legacy xtables interface instead of nftables", NULL },
 		{ "nftables-start",0,0, G_OPTION_ARG_NONE,	&nftables_start,		"Just add nftables rules and exit", NULL },
 		{ "nftables-stop",0, 0, G_OPTION_ARG_NONE,	&nftables_stop,			"Just remove nftables rules and exit", NULL },
@ -965,6 +965,11 @@ static void options(int *argc, char ***argv, charp_ht templates) {
 		rtpe_config.nftables_family = NFPROTO_IPV4;
 	else if (!strcmp(nftables_family, "ip6"))
 		rtpe_config.nftables_family = NFPROTO_IPV6;
+	else if (!strcmp(nftables_family, "inet")) {
+		if (rtpe_config.xtables)
+			die("'inet' nftables address family not valid with legacy xtables");
+		rtpe_config.nftables_family = NFPROTO_INET;
+	}
 	else
 		die("Invalid value for 'nftables-family' ('%s')", nftables_family);
 #endif
--- a/daemon/nftables.c
+++ b/daemon/nftables.c
@ -364,6 +364,18 @@ static const char *udp_filter(nfapi_buf *b, int family) {

 	nfapi_nested_begin(b, NFTA_LIST_ELEM);

+		if (family == NFPROTO_INET) {
+
+			nfapi_add_str_attr(b, NFTA_EXPR_NAME, "meta");
+
+			nfapi_nested_begin(b, NFTA_EXPR_DATA);
+
+				nfapi_add_u32_attr(b, NFTA_META_KEY, htonl(NFT_META_L4PROTO));
+				nfapi_add_u32_attr(b, NFTA_META_DREG, htonl(NFT_REG_1));
+
+			nfapi_nested_end(b);
+		}
+		else {
 			nfapi_add_str_attr(b, NFTA_EXPR_NAME, "payload");

 			nfapi_nested_begin(b, NFTA_EXPR_DATA);
@ -383,6 +395,7 @@ static const char *udp_filter(nfapi_buf *b, int family) {
 				nfapi_add_u32_attr(b, NFTA_PAYLOAD_LEN, htonl(sizeof(proto)));

 			nfapi_nested_end(b);
+		}

 	nfapi_nested_end(b);

@ -783,6 +796,11 @@ static const char *nftables_do(const char *chain, const char *base_chain,
 	if (err)
 		return err;

+	if (args->family == NFPROTO_INET)
+		err = do_func(nl, NFPROTO_INET, chain, base_chain, args);
+	if (err)
+		return err;
+
 	return NULL;
 }

--- a/docs/rtpengine.md
+++ b/docs/rtpengine.md
@ -123,7 +123,7 @@ at the command line. See the __\-\-config-file__ option below for details.
    appended to the list of existing rules. The default is to prepend it
    (insert it at the beginning).

- __\-\-nftables-family=ip__|__ip6__|__ip,ip6__
+- __\-\-nftables-family=ip__|__ip6__|__ip,ip6__|__inet__

    Configure for which netfilter address family to manage tables, chains, and
    rules. The default is to manage both IPv4 and IPv6 address families.