Iptables-extention #3512

Dakuon · 2023-10-09T11:47:02Z

Dakuon
Oct 9, 2023

Hi,

My team is running rtpengine, which relies on both a kernel-module and an iptables-extention.
Getting the kernel module installed is fine, but I have been unable to find any way to add iptables-extention.

I'm wondering if there is any option for adding iptables-extentions through bootstrap-containers, so we can avoid building custom ami?

https://github.com/sipwise/rtpengine/tree/master/iptables-extension

Thanks

Answered by stmcginnis

Oct 9, 2023

Hi @Dakuon, thanks for asking. This does look a little tricky, but it depends on how iptables is used. I'm not familiar with rtpengine, but hopefully some of this makes sense and you can tell if any of it will work or not.

You can use a custom directory that contains iptables extensions by setting the XTABLES_LIBDIR environment variable. The trick here is that environment variable - and the directory it points to - needs to be present any time iptables is invoked. So if you need to do a one time policy setup or something like that, it could be possible to do this in a bootstrap container to set up the environment. Then whatever runs later already has the policies it needs.

If this is some…

View full answer

stmcginnis · 2023-10-09T14:02:54Z

stmcginnis
Oct 9, 2023

Hi @Dakuon, thanks for asking. This does look a little tricky, but it depends on how iptables is used. I'm not familiar with rtpengine, but hopefully some of this makes sense and you can tell if any of it will work or not.

You can use a custom directory that contains iptables extensions by setting the XTABLES_LIBDIR environment variable. The trick here is that environment variable - and the directory it points to - needs to be present any time iptables is invoked. So if you need to do a one time policy setup or something like that, it could be possible to do this in a bootstrap container to set up the environment. Then whatever runs later already has the policies it needs.

If this is something that needs to run based on other activity, you could maybe have this environment variable set with in the container that runs rtpengine. I'm not entirely sure if that would be passed through correctly so that whatever iptables changes are driven by rptengine activity would pick that up and work right, but it could be something to experiment with before deciding to go the full custom build route.

If that doesn't work, then you are probably right that it could require building a custom ami.

2 replies

Dakuon Oct 11, 2023
Author

Hi @stmcginnis,
Thanks for the tip. This XTABLES_LIBDIR solution was absolutely the right track.
Done quite a bit of testing and are indeed able to run the required iptables commands from a pod now.
Mounting iptables-extention to /opt/xtables/libxt_RTPENGINE.so and setting XTABLES_LIBDIR to the pod path.

+ iptables -N rtpengine
+ iptables -D INPUT -j rtpengine
+ iptables -I INPUT -j rtpengine
+ iptables -D rtpengine -p udp -j RTPENGINE --id 0
+ iptables -I rtpengine -p udp -j RTPENGINE --id 0

Now I need to spend some time to confirm that traffic works as intended.

So thanks again.

stmcginnis Oct 11, 2023

Excellent! 🎉

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Iptables-extention #3512

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Iptables-extention #3512

Dakuon Oct 9, 2023

Replies: 1 comment · 2 replies

stmcginnis Oct 9, 2023

Dakuon Oct 11, 2023 Author

stmcginnis Oct 11, 2023

Dakuon
Oct 9, 2023

Replies: 1 comment 2 replies

stmcginnis
Oct 9, 2023

Dakuon Oct 11, 2023
Author