diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c index 87bc3f76fed..93bdd8c7f12 100644 --- a/src/shared/firewall-util.c +++ b/src/shared/firewall-util.c @@ -90,6 +90,7 @@ int fw_add_masquerade( const union in_addr_union *destination, unsigned destination_prefixlen) { + static const xt_chainlabel chain = "POSTROUTING"; _cleanup_(iptc_freep) struct xtc_handle *h = NULL; struct ipt_entry *entry, *mask; struct ipt_entry_target *t; @@ -133,15 +134,15 @@ int fw_add_masquerade( memset(mask, 0xFF, sz); if (add) { - if (iptc_check_entry("POSTROUTING", entry, (unsigned char*) mask, h)) + if (iptc_check_entry(chain, entry, (unsigned char*) mask, h)) return 0; if (errno != ENOENT) /* if other error than not existing yet, fail */ return -errno; - if (!iptc_insert_entry("POSTROUTING", entry, 0, h)) + if (!iptc_insert_entry(chain, entry, 0, h)) return -errno; } else { - if (!iptc_delete_entry("POSTROUTING", entry, (unsigned char*) mask, h)) { + if (!iptc_delete_entry(chain, entry, (unsigned char*) mask, h)) { if (errno == ENOENT) /* if it's already gone, all is good! */ return 0; @@ -169,6 +170,7 @@ int fw_add_local_dnat( uint16_t remote_port, const union in_addr_union *previous_remote) { + static const xt_chainlabel chain_pre = "PREROUTING", chain_output = "OUTPUT"; _cleanup_(iptc_freep) struct xtc_handle *h = NULL; struct ipt_entry *entry, *mask; struct ipt_entry_target *t; @@ -275,11 +277,11 @@ int fw_add_local_dnat( if (add) { /* Add the PREROUTING rule, if it is missing so far */ - if (!iptc_check_entry("PREROUTING", entry, (unsigned char*) mask, h)) { + if (!iptc_check_entry(chain_pre, entry, (unsigned char*) mask, h)) { if (errno != ENOENT) return -EINVAL; - if (!iptc_insert_entry("PREROUTING", entry, 0, h)) + if (!iptc_insert_entry(chain_pre, entry, 0, h)) return -errno; } @@ -287,7 +289,7 @@ int fw_add_local_dnat( if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) { mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr; - if (!iptc_delete_entry("PREROUTING", entry, (unsigned char*) mask, h)) { + if (!iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) { if (errno != ENOENT) return -errno; } @@ -305,11 +307,11 @@ int fw_add_local_dnat( entry->ip.invflags = IPT_INV_DSTIP; } - if (!iptc_check_entry("OUTPUT", entry, (unsigned char*) mask, h)) { + if (!iptc_check_entry(chain_output, entry, (unsigned char*) mask, h)) { if (errno != ENOENT) return -errno; - if (!iptc_insert_entry("OUTPUT", entry, 0, h)) + if (!iptc_insert_entry(chain_output, entry, 0, h)) return -errno; } @@ -317,14 +319,14 @@ int fw_add_local_dnat( if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) { mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr; - if (!iptc_delete_entry("OUTPUT", entry, (unsigned char*) mask, h)) { + if (!iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) { if (errno != ENOENT) return -errno; } } } } else { - if (!iptc_delete_entry("PREROUTING", entry, (unsigned char*) mask, h)) { + if (!iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) { if (errno != ENOENT) return -errno; } @@ -336,7 +338,7 @@ int fw_add_local_dnat( entry->ip.invflags = IPT_INV_DSTIP; } - if (!iptc_delete_entry("OUTPUT", entry, (unsigned char*) mask, h)) { + if (!iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) { if (errno != ENOENT) return -errno; }