1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-21 13:34:21 +03:00
This commit is contained in:
Yu Watanabe 2024-12-20 23:53:07 +01:00 committed by GitHub
commit 7c586e6ce1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 39 additions and 17 deletions

View File

@ -34,7 +34,26 @@
#define UDP_DPORT_OFFSET 2 #define UDP_DPORT_OFFSET 2
static sd_netlink_message **netlink_message_unref_many(sd_netlink_message **m) { /* for testing */
static const char* nft_table_name(void) {
static const char *cached;
if (!cached)
cached = getenv("TEST_FIREWALL_UTIL_NFT_TABLE_NAME") ?: NFT_SYSTEMD_TABLE_NAME;
return cached;
}
static const char* dnat_map_name(void) {
static const char *cached;
if (!cached)
cached = getenv("TEST_FIREWALL_UTIL_DNAT_MAP_NAME") ?: NFT_SYSTEMD_DNAT_MAP_NAME;
return cached;
}
static sd_netlink_message** netlink_message_unref_many(sd_netlink_message **m) {
if (!m) if (!m)
return NULL; return NULL;
@ -327,7 +346,7 @@ static int sd_nfnl_message_new_masq_rule(
assert(IN_SET(family, AF_INET, AF_INET6)); assert(IN_SET(family, AF_INET, AF_INET6));
assert(chain); assert(chain);
r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, chain); r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, nft_table_name(), chain);
if (r < 0) if (r < 0)
return r; return r;
@ -382,7 +401,7 @@ static int sd_nfnl_message_new_dnat_rule_pre(
assert(IN_SET(family, AF_INET, AF_INET6)); assert(IN_SET(family, AF_INET, AF_INET6));
assert(chain); assert(chain);
r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, chain); r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, nft_table_name(), chain);
if (r < 0) if (r < 0)
return r; return r;
@ -412,7 +431,7 @@ static int sd_nfnl_message_new_dnat_rule_pre(
/* 3rd statement: lookup 'l4proto . dport', e.g. 'tcp . 22' as key and /* 3rd statement: lookup 'l4proto . dport', e.g. 'tcp . 22' as key and
* store address and port for the dnat mapping in REG1/REG2. */ * store address and port for the dnat mapping in REG1/REG2. */
r = nfnl_add_expr_lookup(m, NFT_SYSTEMD_DNAT_MAP_NAME, NFT_REG32_01, NFT_REG32_01); r = nfnl_add_expr_lookup(m, dnat_map_name(), NFT_REG32_01, NFT_REG32_01);
if (r < 0) if (r < 0)
return r; return r;
@ -445,7 +464,7 @@ static int sd_nfnl_message_new_dnat_rule_out(
assert(IN_SET(family, AF_INET, AF_INET6)); assert(IN_SET(family, AF_INET, AF_INET6));
assert(chain); assert(chain);
r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, chain); r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, nft_table_name(), chain);
if (r < 0) if (r < 0)
return r; return r;
@ -507,7 +526,7 @@ static int sd_nfnl_message_new_dnat_rule_out(
* *
* reg1 and reg2 are clobbered and will then contain the new * reg1 and reg2 are clobbered and will then contain the new
* address/port number. */ * address/port number. */
r = nfnl_add_expr_lookup(m, NFT_SYSTEMD_DNAT_MAP_NAME, NFT_REG32_01, NFT_REG32_01); r = nfnl_add_expr_lookup(m, dnat_map_name(), NFT_REG32_01, NFT_REG32_01);
if (r < 0) if (r < 0)
return r; return r;
@ -544,7 +563,7 @@ static int nft_new_set(
assert(IN_SET(family, AF_INET, AF_INET6)); assert(IN_SET(family, AF_INET, AF_INET6));
assert(set_name); assert(set_name);
r = sd_nfnl_nft_message_new_set(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, set_name, set_id, klen); r = sd_nfnl_nft_message_new_set(nfnl, &m, family, nft_table_name(), set_name, set_id, klen);
if (r < 0) if (r < 0)
return r; return r;
@ -730,23 +749,23 @@ static int fw_nftables_init_family(sd_netlink *nfnl, int family) {
assert(IN_SET(family, AF_INET, AF_INET6)); assert(IN_SET(family, AF_INET, AF_INET6));
/* Set F_EXCL so table add fails if the table already exists. */ /* Set F_EXCL so table add fails if the table already exists. */
r = sd_nfnl_nft_message_new_table(nfnl, &messages[msgcnt++], family, NFT_SYSTEMD_TABLE_NAME); r = sd_nfnl_nft_message_new_table(nfnl, &messages[msgcnt++], family, nft_table_name());
if (r < 0) if (r < 0)
return r; return r;
r = sd_nfnl_nft_message_new_basechain(nfnl, &messages[msgcnt++], family, NFT_SYSTEMD_TABLE_NAME, r = sd_nfnl_nft_message_new_basechain(nfnl, &messages[msgcnt++], family, nft_table_name(),
"prerouting", "nat", "prerouting", "nat",
NF_INET_PRE_ROUTING, NF_IP_PRI_NAT_DST + 1); NF_INET_PRE_ROUTING, NF_IP_PRI_NAT_DST + 1);
if (r < 0) if (r < 0)
return r; return r;
r = sd_nfnl_nft_message_new_basechain(nfnl, &messages[msgcnt++], family, NFT_SYSTEMD_TABLE_NAME, r = sd_nfnl_nft_message_new_basechain(nfnl, &messages[msgcnt++], family, nft_table_name(),
"output", "nat", "output", "nat",
NF_INET_LOCAL_OUT, NF_IP_PRI_NAT_DST + 1); NF_INET_LOCAL_OUT, NF_IP_PRI_NAT_DST + 1);
if (r < 0) if (r < 0)
return r; return r;
r = sd_nfnl_nft_message_new_basechain(nfnl, &messages[msgcnt++], family, NFT_SYSTEMD_TABLE_NAME, r = sd_nfnl_nft_message_new_basechain(nfnl, &messages[msgcnt++], family, nft_table_name(),
"postrouting", "nat", "postrouting", "nat",
NF_INET_POST_ROUTING, NF_IP_PRI_NAT_SRC + 1); NF_INET_POST_ROUTING, NF_IP_PRI_NAT_SRC + 1);
if (r < 0) if (r < 0)
@ -772,7 +791,7 @@ static int fw_nftables_init_family(sd_netlink *nfnl, int family) {
* Example: ip protocol . tcp daddr is sizeof(uint32_t) + sizeof(uint32_t), not * Example: ip protocol . tcp daddr is sizeof(uint32_t) + sizeof(uint32_t), not
* sizeof(uint8_t) + sizeof(uint16_t). * sizeof(uint8_t) + sizeof(uint16_t).
*/ */
r = nft_new_map(nfnl, &messages[msgcnt++], family, NFT_SYSTEMD_DNAT_MAP_NAME, ++set_id, 0, r = nft_new_map(nfnl, &messages[msgcnt++], family, dnat_map_name(), ++set_id, 0,
concat_types2(TYPE_INET_PROTOCOL, TYPE_INET_SERVICE), sizeof(uint32_t) * 2, concat_types2(TYPE_INET_PROTOCOL, TYPE_INET_SERVICE), sizeof(uint32_t) * 2,
concat_types2(ip_type, TYPE_INET_SERVICE), ip_type_size + sizeof(uint32_t)); concat_types2(ip_type, TYPE_INET_SERVICE), ip_type_size + sizeof(uint32_t));
if (r < 0) if (r < 0)
@ -1033,7 +1052,7 @@ int fw_nftables_add_masquerade(
if (!socket_ipv6_is_supported() && af == AF_INET6) if (!socket_ipv6_is_supported() && af == AF_INET6)
return -EOPNOTSUPP; return -EOPNOTSUPP;
r = nft_set_element_modify_iprange(ctx, add, af_to_nfproto(af), af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME, r = nft_set_element_modify_iprange(ctx, add, af_to_nfproto(af), af, nft_table_name(), NFT_SYSTEMD_MASQ_SET_NAME,
source, source_prefixlen); source, source_prefixlen);
if (r != -ENOENT) if (r != -ENOENT)
return r; return r;
@ -1059,7 +1078,7 @@ int fw_nftables_add_masquerade(
if (r < 0) if (r < 0)
return r; return r;
return nft_set_element_modify_iprange(ctx, add, af_to_nfproto(af), af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME, return nft_set_element_modify_iprange(ctx, add, af_to_nfproto(af), af, nft_table_name(), NFT_SYSTEMD_MASQ_SET_NAME,
source, source_prefixlen); source, source_prefixlen);
} }
@ -1118,7 +1137,7 @@ static int fw_nftables_add_local_dnat_internal(
else else
memcpy(data, &previous_remote->in6, sizeof(previous_remote->in6)); memcpy(data, &previous_remote->in6, sizeof(previous_remote->in6));
r = nft_del_element(nfnl, &messages[msgcnt++], af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_DNAT_MAP_NAME, r = nft_del_element(nfnl, &messages[msgcnt++], af, nft_table_name(), dnat_map_name(),
key, sizeof(key), data, dlen); key, sizeof(key), data, dlen);
if (r < 0) if (r < 0)
return r; return r;
@ -1130,10 +1149,10 @@ static int fw_nftables_add_local_dnat_internal(
memcpy(data, &remote->in6, sizeof(remote->in6)); memcpy(data, &remote->in6, sizeof(remote->in6));
if (add) if (add)
r = nft_add_element(nfnl, &messages[msgcnt++], af_to_nfproto(af), NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_DNAT_MAP_NAME, r = nft_add_element(nfnl, &messages[msgcnt++], af_to_nfproto(af), nft_table_name(), dnat_map_name(),
key, sizeof(key), data, dlen); key, sizeof(key), data, dlen);
else else
r = nft_del_element(nfnl, &messages[msgcnt++], af_to_nfproto(af), NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_DNAT_MAP_NAME, r = nft_del_element(nfnl, &messages[msgcnt++], af_to_nfproto(af), nft_table_name(), dnat_map_name(),
key, sizeof(key), data, dlen); key, sizeof(key), data, dlen);
if (r < 0) if (r < 0)
return r; return r;

View File

@ -103,6 +103,9 @@ int main(int argc, char *argv[]) {
if (getuid() != 0) if (getuid() != 0)
return log_tests_skipped("not root"); return log_tests_skipped("not root");
ASSERT_OK_ERRNO(setenv("TEST_FIREWALL_UTIL_NFT_TABLE_NAME", "io.systemd-test.nat", /* overwrite = */ true));
ASSERT_OK_ERRNO(setenv("TEST_FIREWALL_UTIL_DNAT_MAP_NAME", "test_map_port_ipport", /* overwrite = */ true));
ASSERT_OK(fw_ctx_new(&ctx)); ASSERT_OK(fw_ctx_new(&ctx));
ASSERT_NOT_NULL(ctx); ASSERT_NOT_NULL(ctx);