firewall-util: logs which backend will be used
This also modernizes code a bit.
parent
e6fda8f675
commit
da00b84087
@ -4,22 +4,27 @@
|
|||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
||||||
#include "in-addr-util.h"
|
|
||||||
#include "sd-netlink.h"
|
#include "sd-netlink.h"
|
||||||
|
|
||||||
enum FirewallBackend {
|
#include "in-addr-util.h"
|
||||||
|
|
||||||
|
typedef enum FirewallBackend {
|
||||||
FW_BACKEND_NONE,
|
FW_BACKEND_NONE,
|
||||||
#if HAVE_LIBIPTC
|
#if HAVE_LIBIPTC
|
||||||
FW_BACKEND_IPTABLES,
|
FW_BACKEND_IPTABLES,
|
||||||
#endif
|
#endif
|
||||||
FW_BACKEND_NFTABLES,
|
FW_BACKEND_NFTABLES,
|
||||||
};
|
_FW_BACKEND_MAX,
|
||||||
|
_FW_BACKEND_INVALID = -EINVAL,
|
||||||
|
} FirewallBackend;
|
||||||
|
|
||||||
struct FirewallContext {
|
struct FirewallContext {
|
||||||
enum FirewallBackend firewall_backend;
|
FirewallBackend backend;
|
||||||
sd_netlink *nfnl;
|
sd_netlink *nfnl;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
const char *firewall_backend_to_string(FirewallBackend b) _const_;
|
||||||
|
|
||||||
int fw_nftables_init(FirewallContext *ctx);
|
int fw_nftables_init(FirewallContext *ctx);
|
||||||
void fw_nftables_exit(FirewallContext *ctx);
|
void fw_nftables_exit(FirewallContext *ctx);
|
||||||
|
|
||||||
|
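Review bot: The new `backend` member of `struct FirewallContext` has a three-state lifecycle (`_FW_BACKEND_INVALID` from fw_ctx_new() until a fw_add_* call runs the probe, then one of the real values) that the header leaves undocumented; a field comment such as `FirewallBackend backend; /* _FW_BACKEND_INVALID until the first fw_add_* call probes the available backends */` would make the sentinel's role visible where the struct is defined. `_FW_BACKEND_INVALID = -EINVAL` also makes this header depend on `<errno.h>`, and nothing in the hunk includes it directly — presumably it arrives via "sd-netlink.h" or "in-addr-util.h", but an explicit `#include <errno.h>` would keep the header self-contained as the surrounding `<stdbool.h>`/`<stdint.h>` lines already do. Since the enumerator list is shaped by HAVE_LIBIPTC, the numeric value of FW_BACKEND_NFTABLES differs between builds; that is fine for a private header, but worth a short comment so the values are never serialized or compared across builds.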
@ -7,21 +7,44 @@
|
|||||||
#include "alloc-util.h"
|
#include "alloc-util.h"
|
||||||
#include "firewall-util.h"
|
#include "firewall-util.h"
|
||||||
#include "firewall-util-private.h"
|
#include "firewall-util-private.h"
|
||||||
|
#include "log.h"
|
||||||
|
#include "string-table.h"
|
||||||
|
|
||||||
static enum FirewallBackend firewall_backend_probe(FirewallContext *ctx) {
|
static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
|
||||||
if (fw_nftables_init(ctx) == 0)
|
[FW_BACKEND_NONE] = "none",
|
||||||
return FW_BACKEND_NFTABLES;
|
|
||||||
#if HAVE_LIBIPTC
|
#if HAVE_LIBIPTC
|
||||||
return FW_BACKEND_IPTABLES;
|
[FW_BACKEND_IPTABLES] = "iptables",
|
||||||
#else
|
|
||||||
return FW_BACKEND_NONE;
|
|
||||||
#endif
|
#endif
|
||||||
|
[FW_BACKEND_NFTABLES] = "nftables",
|
||||||
|
};
|
||||||
|
|
||||||
|
DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
|
||||||
|
|
||||||
|
static void firewall_backend_probe(FirewallContext *ctx) {
|
||||||
|
assert(ctx);
|
||||||
|
|
||||||
|
if (ctx->backend != _FW_BACKEND_INVALID)
|
||||||
|
return;
|
||||||
|
|
||||||
|
if (fw_nftables_init(ctx) >= 0)
|
||||||
|
ctx->backend = FW_BACKEND_NFTABLES;
|
||||||
|
else
|
||||||
|
#if HAVE_LIBIPTC
|
||||||
|
ctx->backend = FW_BACKEND_IPTABLES;
|
||||||
|
#else
|
||||||
|
ctx->backend = FW_BACKEND_NONE;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if (ctx->backend != FW_BACKEND_NONE)
|
||||||
|
log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
|
||||||
|
else
|
||||||
|
log_debug("No firewall backend found.");
|
||||||
}
|
}
|
||||||
|
|
||||||
int fw_ctx_new(FirewallContext **ret) {
|
int fw_ctx_new(FirewallContext **ret) {
|
||||||
_cleanup_free_ FirewallContext *ctx = NULL;
|
_cleanup_free_ FirewallContext *ctx = NULL;
|
||||||
|
|
||||||
ctx = new0(FirewallContext, 1);
|
ctx = new(FirewallContext, 1);
|
||||||
if (!ctx)
|
if (!ctx)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
@ -32,6 +55,11 @@ int fw_ctx_new(FirewallContext **ret) {
|
|||||||
* fw_ctx_new when nspawn/networkd know they will call
|
* fw_ctx_new when nspawn/networkd know they will call
|
||||||
* fw_add_masquerade/local_dnat later anyway.
|
* fw_add_masquerade/local_dnat later anyway.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
*ctx = (FirewallContext) {
|
||||||
|
.backend = _FW_BACKEND_INVALID,
|
||||||
|
};
|
||||||
|
|
||||||
*ret = TAKE_PTR(ctx);
|
*ret = TAKE_PTR(ctx);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -40,47 +68,44 @@ FirewallContext *fw_ctx_free(FirewallContext *ctx) {
|
|||||||
if (!ctx)
|
if (!ctx)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
if (ctx->firewall_backend == FW_BACKEND_NFTABLES)
|
fw_nftables_exit(ctx);
|
||||||
fw_nftables_exit(ctx);
|
|
||||||
|
|
||||||
return mfree(ctx);
|
return mfree(ctx);
|
||||||
}
|
}
|
||||||
|
|
||||||
int fw_add_masquerade(
|
int fw_add_masquerade(
|
||||||
FirewallContext **fw_ctx,
|
FirewallContext **ctx,
|
||||||
bool add,
|
bool add,
|
||||||
int af,
|
int af,
|
||||||
const union in_addr_union *source,
|
const union in_addr_union *source,
|
||||||
unsigned source_prefixlen) {
|
unsigned source_prefixlen) {
|
||||||
FirewallContext *ctx;
|
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
if (!*fw_ctx) {
|
assert(ctx);
|
||||||
r = fw_ctx_new(fw_ctx);
|
|
||||||
|
if (!*ctx) {
|
||||||
|
r = fw_ctx_new(ctx);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx = *fw_ctx;
|
firewall_backend_probe(*ctx);
|
||||||
if (ctx->firewall_backend == FW_BACKEND_NONE)
|
|
||||||
ctx->firewall_backend = firewall_backend_probe(ctx);
|
|
||||||
|
|
||||||
switch (ctx->firewall_backend) {
|
switch ((*ctx)->backend) {
|
||||||
case FW_BACKEND_NONE:
|
|
||||||
return -EOPNOTSUPP;
|
|
||||||
#if HAVE_LIBIPTC
|
#if HAVE_LIBIPTC
|
||||||
case FW_BACKEND_IPTABLES:
|
case FW_BACKEND_IPTABLES:
|
||||||
return fw_iptables_add_masquerade(add, af, source, source_prefixlen);
|
return fw_iptables_add_masquerade(add, af, source, source_prefixlen);
|
||||||
#endif
|
#endif
|
||||||
case FW_BACKEND_NFTABLES:
|
case FW_BACKEND_NFTABLES:
|
||||||
return fw_nftables_add_masquerade(ctx, add, af, source, source_prefixlen);
|
return fw_nftables_add_masquerade(*ctx, add, af, source, source_prefixlen);
|
||||||
|
default:
|
||||||
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
|
||||||
return -EOPNOTSUPP;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int fw_add_local_dnat(
|
int fw_add_local_dnat(
|
||||||
FirewallContext **fw_ctx,
|
FirewallContext **ctx,
|
||||||
bool add,
|
bool add,
|
||||||
int af,
|
int af,
|
||||||
int protocol,
|
int protocol,
|
||||||
@ -88,28 +113,27 @@ int fw_add_local_dnat(
|
|||||||
const union in_addr_union *remote,
|
const union in_addr_union *remote,
|
||||||
uint16_t remote_port,
|
uint16_t remote_port,
|
||||||
const union in_addr_union *previous_remote) {
|
const union in_addr_union *previous_remote) {
|
||||||
FirewallContext *ctx;
|
|
||||||
|
|
||||||
if (!*fw_ctx) {
|
int r;
|
||||||
int ret = fw_ctx_new(fw_ctx);
|
|
||||||
if (ret < 0)
|
assert(ctx);
|
||||||
return ret;
|
|
||||||
|
if (!*ctx) {
|
||||||
|
r = fw_ctx_new(ctx);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx = *fw_ctx;
|
firewall_backend_probe(*ctx);
|
||||||
if (ctx->firewall_backend == FW_BACKEND_NONE)
|
|
||||||
ctx->firewall_backend = firewall_backend_probe(ctx);
|
|
||||||
|
|
||||||
switch (ctx->firewall_backend) {
|
switch ((*ctx)->backend) {
|
||||||
case FW_BACKEND_NONE:
|
|
||||||
return -EOPNOTSUPP;
|
|
||||||
case FW_BACKEND_NFTABLES:
|
|
||||||
return fw_nftables_add_local_dnat(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
|
|
||||||
#if HAVE_LIBIPTC
|
#if HAVE_LIBIPTC
|
||||||
case FW_BACKEND_IPTABLES:
|
case FW_BACKEND_IPTABLES:
|
||||||
return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote);
|
return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote);
|
||||||
#endif
|
#endif
|
||||||
|
case FW_BACKEND_NFTABLES:
|
||||||
|
return fw_nftables_add_local_dnat(*ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
|
||||||
|
default:
|
||||||
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
|
||||||
return -EOPNOTSUPP;
|
|
||||||
}
|
}
|
||||||
|
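Review bot: In the new firewall_backend_probe() (hunk `@ -7,21 +7,44 @@`) the return value of fw_nftables_init() is discarded, so when nftables is unavailable the code silently falls through to iptables or to "No firewall backend found." with no record of why nftables was rejected — exactly the information an operator needs when the wrong backend is chosen, and the log.h include this hunk adds already provides log_debug_errno() for it. Capturing the error and logging it on the fallback path costs one local and one line. Because the probe now returns early for any value other than `_FW_BACKEND_INVALID`, a context that once lands on FW_BACKEND_NONE is never re-probed, whereas the removed `if (ctx->firewall_backend == FW_BACKEND_NONE)` retried on every call; if that is intended, a one-line comment above the early return, e.g. `/* Probe once per context; the result is sticky even when no backend is usable. */`, would save the next reader from wondering. In fw_ctx_free() the nftables-only guard around fw_nftables_exit() was dropped, which is only safe if fw_nftables_exit() tolerates a context whose nfnl was never opened — that function is outside this diff, so please confirm.
```c
static void firewall_backend_probe(FirewallContext *ctx) {
        int r;

        // … unchanged: assert(ctx) and the _FW_BACKEND_INVALID early return …

        r = fw_nftables_init(ctx);
        if (r >= 0)
                ctx->backend = FW_BACKEND_NFTABLES;
        else {
                log_debug_errno(r, "Failed to initialize nftables backend, falling back: %m");
#if HAVE_LIBIPTC
                ctx->backend = FW_BACKEND_IPTABLES;
#else
                ctx->backend = FW_BACKEND_NONE;
#endif
        }

        // … unchanged: log_debug of the selected backend …
```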
@ -9,19 +9,19 @@
|
|||||||
typedef struct FirewallContext FirewallContext;
|
typedef struct FirewallContext FirewallContext;
|
||||||
|
|
||||||
int fw_ctx_new(FirewallContext **ret);
|
int fw_ctx_new(FirewallContext **ret);
|
||||||
FirewallContext *fw_ctx_free(FirewallContext *fw_ctx);
|
FirewallContext *fw_ctx_free(FirewallContext *ctx);
|
||||||
|
|
||||||
DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
|
DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
|
||||||
|
|
||||||
int fw_add_masquerade(
|
int fw_add_masquerade(
|
||||||
FirewallContext **fw_ctx,
|
FirewallContext **ctx,
|
||||||
bool add,
|
bool add,
|
||||||
int af,
|
int af,
|
||||||
const union in_addr_union *source,
|
const union in_addr_union *source,
|
||||||
unsigned source_prefixlen);
|
unsigned source_prefixlen);
|
||||||
|
|
||||||
int fw_add_local_dnat(
|
int fw_add_local_dnat(
|
||||||
FirewallContext **fw_ctx,
|
FirewallContext **ctx,
|
||||||
bool add,
|
bool add,
|
||||||
int af,
|
int af,
|
||||||
int protocol,
|
int protocol,
|
||||||
|