Consider adding support for choosing which nftables table(s) to insert rules into

[gedia]

Hello,

I'm glad to see nft support was recently added to rtpengine. This is a minor feature request to add configuration which allows choosing which tables the rules will be injected into. nft is a bit non-intuitive when multiple tables of type filter are using the same hook, and explicitly setting this could simplify things and prevent unintended behaviours.

Currently rtpe would create rules similar to the following:

table ip filter {
        chain rtpengine {
                meta l4proto udp counter packets 0 bytes 0 # RTPENGINE id:0
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                meta l4proto udp counter packets 0 bytes 0 jump rtpengine
        }
}
table ip6 filter {
        chain rtpengine {
                meta l4proto udp counter packets 0 bytes 0
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                meta l4proto udp counter packets 0 bytes 0 jump rtpengine
        }
}

It would be great if this behaviour depended on a configuration setting such as:

--nftables-tables=ip,ip6

So that if one chose to use --nftables-tables=inet, the following configuration would be created instead:

table inet filter {

        chain rtpengine {
                meta l4proto udp counter packets 0 bytes 0
        }

        chain input {
                type filter hook input priority filter; policy accept;
                meta l4proto udp counter packets 0 bytes 0 jump rtpengine
        }
}

Note that these nft snippets are used for demonstration purposes and are not actually produced by the rtpengine process. Thanks!

[amessina]

Similarly, it would be helpful to have proto UDP and the port range be configurable. In the case where no base chain is set, it seems everything will need to touch xt_RTPENGINE before popping back to the remainder of the chains and rules.

nftables-chain = rtpengine
nftables-base-chain =

XT target RTPENGINE not found
table ip filter {
        chain rtpengine {
                type filter hook input priority filter; policy accept;
                # RTPENGINE id:0 counter packets 150400 bytes 33882564
        }
}
table ip6 filter {
        chain rtpengine {
                type filter hook input priority filter; policy accept;
                counter packets 5996916 bytes 9456735819
        }
}
table inet firewalld {
...
...

This nft list ruleset 2>&1 | less output is what's currently on my system.

[rfuchs]

I'm glad to see nft support was recently added to rtpengine. This is a minor feature request to add configuration which allows choosing which tables the rules will be injected into. nft is a bit non-intuitive when multiple tables of type filter are using the same hook, and explicitly setting this could simplify things and prevent unintended behaviours.

That will probably have to wait until the kernel module itself is migrated to nftables as I don't think it's possible to link xtables modules into the inet table