mirror of
https://github.com/systemd/systemd.git
synced 2024-10-27 01:55:22 +03:00
firewall-util: logs which backend will be used
This also modernizes code a bit.
This commit is contained in:
parent
e6fda8f675
commit
da00b84087
@ -4,22 +4,27 @@
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
|
||||
#include "in-addr-util.h"
|
||||
#include "sd-netlink.h"
|
||||
|
||||
enum FirewallBackend {
|
||||
#include "in-addr-util.h"
|
||||
|
||||
typedef enum FirewallBackend {
|
||||
FW_BACKEND_NONE,
|
||||
#if HAVE_LIBIPTC
|
||||
FW_BACKEND_IPTABLES,
|
||||
#endif
|
||||
FW_BACKEND_NFTABLES,
|
||||
};
|
||||
_FW_BACKEND_MAX,
|
||||
_FW_BACKEND_INVALID = -EINVAL,
|
||||
} FirewallBackend;
|
||||
|
||||
struct FirewallContext {
|
||||
enum FirewallBackend firewall_backend;
|
||||
FirewallBackend backend;
|
||||
sd_netlink *nfnl;
|
||||
};
|
||||
|
||||
const char *firewall_backend_to_string(FirewallBackend b) _const_;
|
||||
|
||||
int fw_nftables_init(FirewallContext *ctx);
|
||||
void fw_nftables_exit(FirewallContext *ctx);
|
||||
|
||||
|
@ -7,21 +7,44 @@
|
||||
#include "alloc-util.h"
|
||||
#include "firewall-util.h"
|
||||
#include "firewall-util-private.h"
|
||||
#include "log.h"
|
||||
#include "string-table.h"
|
||||
|
||||
static enum FirewallBackend firewall_backend_probe(FirewallContext *ctx) {
|
||||
if (fw_nftables_init(ctx) == 0)
|
||||
return FW_BACKEND_NFTABLES;
|
||||
static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
|
||||
[FW_BACKEND_NONE] = "none",
|
||||
#if HAVE_LIBIPTC
|
||||
return FW_BACKEND_IPTABLES;
|
||||
#else
|
||||
return FW_BACKEND_NONE;
|
||||
[FW_BACKEND_IPTABLES] = "iptables",
|
||||
#endif
|
||||
[FW_BACKEND_NFTABLES] = "nftables",
|
||||
};
|
||||
|
||||
DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
|
||||
|
||||
static void firewall_backend_probe(FirewallContext *ctx) {
|
||||
assert(ctx);
|
||||
|
||||
if (ctx->backend != _FW_BACKEND_INVALID)
|
||||
return;
|
||||
|
||||
if (fw_nftables_init(ctx) >= 0)
|
||||
ctx->backend = FW_BACKEND_NFTABLES;
|
||||
else
|
||||
#if HAVE_LIBIPTC
|
||||
ctx->backend = FW_BACKEND_IPTABLES;
|
||||
#else
|
||||
ctx->backend = FW_BACKEND_NONE;
|
||||
#endif
|
||||
|
||||
if (ctx->backend != FW_BACKEND_NONE)
|
||||
log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
|
||||
else
|
||||
log_debug("No firewall backend found.");
|
||||
}
|
||||
|
||||
int fw_ctx_new(FirewallContext **ret) {
|
||||
_cleanup_free_ FirewallContext *ctx = NULL;
|
||||
|
||||
ctx = new0(FirewallContext, 1);
|
||||
ctx = new(FirewallContext, 1);
|
||||
if (!ctx)
|
||||
return -ENOMEM;
|
||||
|
||||
@ -32,6 +55,11 @@ int fw_ctx_new(FirewallContext **ret) {
|
||||
* fw_ctx_new when nspawn/networkd know they will call
|
||||
* fw_add_masquerade/local_dnat later anyway.
|
||||
*/
|
||||
|
||||
*ctx = (FirewallContext) {
|
||||
.backend = _FW_BACKEND_INVALID,
|
||||
};
|
||||
|
||||
*ret = TAKE_PTR(ctx);
|
||||
return 0;
|
||||
}
|
||||
@ -40,47 +68,44 @@ FirewallContext *fw_ctx_free(FirewallContext *ctx) {
|
||||
if (!ctx)
|
||||
return NULL;
|
||||
|
||||
if (ctx->firewall_backend == FW_BACKEND_NFTABLES)
|
||||
fw_nftables_exit(ctx);
|
||||
fw_nftables_exit(ctx);
|
||||
|
||||
return mfree(ctx);
|
||||
}
|
||||
|
||||
int fw_add_masquerade(
|
||||
FirewallContext **fw_ctx,
|
||||
FirewallContext **ctx,
|
||||
bool add,
|
||||
int af,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen) {
|
||||
FirewallContext *ctx;
|
||||
|
||||
int r;
|
||||
|
||||
if (!*fw_ctx) {
|
||||
r = fw_ctx_new(fw_ctx);
|
||||
assert(ctx);
|
||||
|
||||
if (!*ctx) {
|
||||
r = fw_ctx_new(ctx);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
ctx = *fw_ctx;
|
||||
if (ctx->firewall_backend == FW_BACKEND_NONE)
|
||||
ctx->firewall_backend = firewall_backend_probe(ctx);
|
||||
firewall_backend_probe(*ctx);
|
||||
|
||||
switch (ctx->firewall_backend) {
|
||||
case FW_BACKEND_NONE:
|
||||
return -EOPNOTSUPP;
|
||||
switch ((*ctx)->backend) {
|
||||
#if HAVE_LIBIPTC
|
||||
case FW_BACKEND_IPTABLES:
|
||||
return fw_iptables_add_masquerade(add, af, source, source_prefixlen);
|
||||
#endif
|
||||
case FW_BACKEND_NFTABLES:
|
||||
return fw_nftables_add_masquerade(ctx, add, af, source, source_prefixlen);
|
||||
return fw_nftables_add_masquerade(*ctx, add, af, source, source_prefixlen);
|
||||
default:
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
int fw_add_local_dnat(
|
||||
FirewallContext **fw_ctx,
|
||||
FirewallContext **ctx,
|
||||
bool add,
|
||||
int af,
|
||||
int protocol,
|
||||
@ -88,28 +113,27 @@ int fw_add_local_dnat(
|
||||
const union in_addr_union *remote,
|
||||
uint16_t remote_port,
|
||||
const union in_addr_union *previous_remote) {
|
||||
FirewallContext *ctx;
|
||||
|
||||
if (!*fw_ctx) {
|
||||
int ret = fw_ctx_new(fw_ctx);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
int r;
|
||||
|
||||
assert(ctx);
|
||||
|
||||
if (!*ctx) {
|
||||
r = fw_ctx_new(ctx);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
ctx = *fw_ctx;
|
||||
if (ctx->firewall_backend == FW_BACKEND_NONE)
|
||||
ctx->firewall_backend = firewall_backend_probe(ctx);
|
||||
firewall_backend_probe(*ctx);
|
||||
|
||||
switch (ctx->firewall_backend) {
|
||||
case FW_BACKEND_NONE:
|
||||
return -EOPNOTSUPP;
|
||||
case FW_BACKEND_NFTABLES:
|
||||
return fw_nftables_add_local_dnat(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
|
||||
switch ((*ctx)->backend) {
|
||||
#if HAVE_LIBIPTC
|
||||
case FW_BACKEND_IPTABLES:
|
||||
return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote);
|
||||
#endif
|
||||
case FW_BACKEND_NFTABLES:
|
||||
return fw_nftables_add_local_dnat(*ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
|
||||
default:
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
@ -9,19 +9,19 @@
|
||||
typedef struct FirewallContext FirewallContext;
|
||||
|
||||
int fw_ctx_new(FirewallContext **ret);
|
||||
FirewallContext *fw_ctx_free(FirewallContext *fw_ctx);
|
||||
FirewallContext *fw_ctx_free(FirewallContext *ctx);
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
|
||||
|
||||
int fw_add_masquerade(
|
||||
FirewallContext **fw_ctx,
|
||||
FirewallContext **ctx,
|
||||
bool add,
|
||||
int af,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen);
|
||||
|
||||
int fw_add_local_dnat(
|
||||
FirewallContext **fw_ctx,
|
||||
FirewallContext **ctx,
|
||||
bool add,
|
||||
int af,
|
||||
int protocol,
|
||||
|
Loading…
Reference in New Issue
Block a user