shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-02-28 05:57:33 +03:00
Code

firewall-util: gracefully handle -EOVERFLOW returned from older kernel

Browse Source
This commit is contained in:
Yu Watanabe 2021-03-23 01:57:51 +09:00
parent 5ee7c719e1
commit 175bc86315
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/shared/firewall-util-nft.c
View File

@ -943,12 +943,16 @@ static int fw_nftables_add_local_dnat_internal(
const union in_addr_union *previous_remote) {
sd_netlink_message *transaction[NFT_DNAT_MSGS] = {};
static bool ipv6_supported = true;
uint32_t data[5], key[2], dlen;
size_t tsize;
int r;
assert(add || !previous_remote);
if (!ipv6_supported && af == AF_INET6)
return -EOPNOTSUPP;
if (!IN_SET(protocol, IPPROTO_TCP, IPPROTO_UDP))
return -EPROTONOSUPPORT;
@ -1014,7 +1018,16 @@ static int fw_nftables_add_local_dnat_internal(
tsize++;
assert(tsize <= NFT_DNAT_MSGS);
r = nfnl_netlink_sendv(ctx->nfnl, transaction, tsize);
if (r == -EOVERFLOW && af == AF_INET6) {
/* The current implementation of DNAT in systemd requires kernel's
* fdb9c405e35bdc6e305b9b4e20ebc141ed14fc81 (v5.8), and the older kernel returns
* -EOVERFLOW. Let's treat the error as -EOPNOTSUPP. */
log_debug_errno(r, "The current implementation of IPv6 DNAT in systemd requires kernel 5.8 or newer, ignoring: %m");
ipv6_supported = false;
r = -EOPNOTSUPP;
}
out_unref:
while (tsize > 0)