shared/firewall-util: parametrize table and set names

Parametrize table and set names for fw_nftables_add_masquerade_internal, rename to nft_set_element_op_iprange to reflect more general usage. Export and use nfproto_is_valid(). Remove also unused and obsolete NFPROTO_DECNET.
2025-01-25 10:04:04 +03:00 · 2022-09-03 12:14:24 +03:00 · 2022-09-03 12:14:24 +03:00 · 940965803e
commit 940965803e
parent 804c6397bc
4 changed files with 42 additions and 10 deletions
--- a/src/libsystemd/sd-netlink/netlink-internal.h
+++ b/src/libsystemd/sd-netlink/netlink-internal.h
@ -170,6 +170,8 @@ int netlink_add_match_internal(
 #define NETLINK_DONT_DESTROY(nl) \
        _cleanup_(sd_netlink_unrefp) _unused_ sd_netlink *_dont_destroy_##nl = sd_netlink_ref(nl)

+bool nfproto_is_valid(int nfproto);
+
 /* nfnl */
 /* TODO: to be exported later */
 int sd_nfnl_socket_open(sd_netlink **ret);
--- a/src/libsystemd/sd-netlink/netlink-message-nfnl.c
+++ b/src/libsystemd/sd-netlink/netlink-message-nfnl.c
@ -12,7 +12,7 @@
 #include "netlink-types.h"
 #include "netlink-util.h"

-static bool nfproto_is_valid(int nfproto) {
+bool nfproto_is_valid(int nfproto) {
        return IN_SET(nfproto,
                      NFPROTO_UNSPEC,
                      NFPROTO_INET,
@ -20,8 +20,7 @@ static bool nfproto_is_valid(int nfproto) {
                      NFPROTO_ARP,
                      NFPROTO_NETDEV,
                      NFPROTO_BRIDGE,
-                      NFPROTO_IPV6,
-                      NFPROTO_DECNET);
+                      NFPROTO_IPV6);
 }

 int sd_nfnl_message_new(sd_netlink *nfnl, sd_netlink_message **ret, int nfproto, uint16_t subsys, uint16_t msg_type, uint16_t flags) {
--- a/src/shared/firewall-util-nft.c
+++ b/src/shared/firewall-util-nft.c
@ -891,18 +891,24 @@ static int nft_message_append_setelem_ip6range(
        return sd_netlink_message_close_container(m); /* NFTA_SET_ELEM_LIST_ELEMENTS */
 }

-static int fw_nftables_add_masquerade_internal(
-                sd_netlink *nfnl,
+int nft_set_element_modify_iprange(
+                FirewallContext *ctx,
                bool add,
+                int nfproto,
                int af,
+                const char *table,
+                const char *set,
                const union in_addr_union *source,
                unsigned int source_prefixlen) {

        _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
        int r;

-        assert(nfnl);
+        assert(ctx->nfnl);
        assert(IN_SET(af, AF_INET, AF_INET6));
+        assert(nfproto_is_valid(nfproto));
+        assert(table);
+        assert(set);

        if (!source || source_prefixlen == 0)
                return -EINVAL;
@ -910,7 +916,7 @@ static int fw_nftables_add_masquerade_internal(
        if (af == AF_INET6 && source_prefixlen < 8)
                return -EINVAL;

-        r = sd_nfnl_nft_message_new_setelems(nfnl, &m, add, af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME);
+        r = sd_nfnl_nft_message_new_setelems(ctx->nfnl, &m, add, nfproto, table, set);
        if (r < 0)
                return r;

@ -921,7 +927,20 @@ static int fw_nftables_add_masquerade_internal(
        if (r < 0)
                return r;

-        return sd_nfnl_call_batch(nfnl, &m, 1, NFNL_DEFAULT_TIMEOUT_USECS, NULL);
+        return sd_nfnl_call_batch(ctx->nfnl, &m, 1, NFNL_DEFAULT_TIMEOUT_USECS, NULL);
+}
+
+static int af_to_nfproto(int af) {
+        assert(IN_SET(af, AF_INET, AF_INET6));
+
+        switch (af) {
+        case AF_INET:
+                return NFPROTO_IPV4;
+        case AF_INET6:
+                return NFPROTO_IPV6;
+        default:
+                assert_not_reached();
+        }
 }

 int fw_nftables_add_masquerade(
@ -940,7 +959,8 @@ int fw_nftables_add_masquerade(
        if (!socket_ipv6_is_supported() && af == AF_INET6)
                return -EOPNOTSUPP;

-        r = fw_nftables_add_masquerade_internal(ctx->nfnl, add, af, source, source_prefixlen);
+        r = nft_set_element_modify_iprange(ctx, add, af_to_nfproto(af), af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME,
+                                           source, source_prefixlen);
        if (r != -ENOENT)
                return r;

@ -965,7 +985,8 @@ int fw_nftables_add_masquerade(
        if (r < 0)
                return r;

-        return fw_nftables_add_masquerade_internal(ctx->nfnl, add, af, source, source_prefixlen);
+        return nft_set_element_modify_iprange(ctx, add, af_to_nfproto(af), af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME,
+                                              source, source_prefixlen);
 }

 static int fw_nftables_add_local_dnat_internal(
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
@ -29,3 +29,13 @@ int fw_add_local_dnat(
                const union in_addr_union *remote,
                uint16_t remote_port,
                const union in_addr_union *previous_remote);
+
+int nft_set_element_modify_iprange(
+                FirewallContext *ctx,
+                bool add,
+                int nfproto,
+                int af,
+                const char *table,
+                const char *set,
+                const union in_addr_union *source,
+                unsigned int source_prefixlen);