
firewall-util: logs which backend will be used

This also modernizes the code a bit.
Yu Watanabe 2021-03-22 22:33:23 +09:00
parent e6fda8f675
commit da00b84087
3 changed files with 74 additions and 45 deletions


@ -4,22 +4,27 @@
#include <stdbool.h> #include <stdbool.h>
#include <stdint.h> #include <stdint.h>
#include "in-addr-util.h"
#include "sd-netlink.h" #include "sd-netlink.h"
enum FirewallBackend { #include "in-addr-util.h"
typedef enum FirewallBackend {
FW_BACKEND_NONE, FW_BACKEND_NONE,
#if HAVE_LIBIPTC #if HAVE_LIBIPTC
FW_BACKEND_IPTABLES, FW_BACKEND_IPTABLES,
#endif #endif
FW_BACKEND_NFTABLES, FW_BACKEND_NFTABLES,
}; _FW_BACKEND_MAX,
_FW_BACKEND_INVALID = -EINVAL,
} FirewallBackend;
struct FirewallContext { struct FirewallContext {
enum FirewallBackend firewall_backend; FirewallBackend backend;
sd_netlink *nfnl; sd_netlink *nfnl;
}; };
const char *firewall_backend_to_string(FirewallBackend b) _const_;
int fw_nftables_init(FirewallContext *ctx); int fw_nftables_init(FirewallContext *ctx);
void fw_nftables_exit(FirewallContext *ctx); void fw_nftables_exit(FirewallContext *ctx);
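Review bot: The new enumerator `_FW_BACKEND_INVALID = -EINVAL` makes this header depend on `<errno.h>`, and none of the includes visible in the hunk (`<stdbool.h>`, `<stdint.h>`, `sd-netlink.h`, `in-addr-util.h`) is that header; the hunk starts at line 4, so an include above it is possible but not shown. If `EINVAL` only arrives transitively, the header stops being self-contained and a later include cleanup in `sd-netlink.h` or `in-addr-util.h` would break it. Adding `#include <errno.h>` alongside the other system includes, or documenting which header is relied on, would pin this down.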


@ -7,21 +7,44 @@
#include "alloc-util.h" #include "alloc-util.h"
#include "firewall-util.h" #include "firewall-util.h"
#include "firewall-util-private.h" #include "firewall-util-private.h"
#include "log.h"
#include "string-table.h"
static enum FirewallBackend firewall_backend_probe(FirewallContext *ctx) { static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
if (fw_nftables_init(ctx) == 0) [FW_BACKEND_NONE] = "none",
return FW_BACKEND_NFTABLES;
#if HAVE_LIBIPTC #if HAVE_LIBIPTC
return FW_BACKEND_IPTABLES; [FW_BACKEND_IPTABLES] = "iptables",
#else
return FW_BACKEND_NONE;
#endif #endif
[FW_BACKEND_NFTABLES] = "nftables",
};
DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
static void firewall_backend_probe(FirewallContext *ctx) {
assert(ctx);
if (ctx->backend != _FW_BACKEND_INVALID)
return;
if (fw_nftables_init(ctx) >= 0)
ctx->backend = FW_BACKEND_NFTABLES;
else
#if HAVE_LIBIPTC
ctx->backend = FW_BACKEND_IPTABLES;
#else
ctx->backend = FW_BACKEND_NONE;
#endif
if (ctx->backend != FW_BACKEND_NONE)
log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
else
log_debug("No firewall backend found.");
} }
int fw_ctx_new(FirewallContext **ret) { int fw_ctx_new(FirewallContext **ret) {
_cleanup_free_ FirewallContext *ctx = NULL; _cleanup_free_ FirewallContext *ctx = NULL;
ctx = new0(FirewallContext, 1); ctx = new(FirewallContext, 1);
if (!ctx) if (!ctx)
return -ENOMEM; return -ENOMEM;
@ -32,6 +55,11 @@ int fw_ctx_new(FirewallContext **ret) {
* fw_ctx_new when nspawn/networkd know they will call * fw_ctx_new when nspawn/networkd know they will call
* fw_add_masquerade/local_dnat later anyway. * fw_add_masquerade/local_dnat later anyway.
*/ */
*ctx = (FirewallContext) {
.backend = _FW_BACKEND_INVALID,
};
*ret = TAKE_PTR(ctx); *ret = TAKE_PTR(ctx);
return 0; return 0;
} }
@ -40,47 +68,44 @@ FirewallContext *fw_ctx_free(FirewallContext *ctx) {
if (!ctx) if (!ctx)
return NULL; return NULL;
if (ctx->firewall_backend == FW_BACKEND_NFTABLES) fw_nftables_exit(ctx);
fw_nftables_exit(ctx);
return mfree(ctx); return mfree(ctx);
} }
int fw_add_masquerade( int fw_add_masquerade(
FirewallContext **fw_ctx, FirewallContext **ctx,
bool add, bool add,
int af, int af,
const union in_addr_union *source, const union in_addr_union *source,
unsigned source_prefixlen) { unsigned source_prefixlen) {
FirewallContext *ctx;
int r; int r;
if (!*fw_ctx) { assert(ctx);
r = fw_ctx_new(fw_ctx);
if (!*ctx) {
r = fw_ctx_new(ctx);
if (r < 0) if (r < 0)
return r; return r;
} }
ctx = *fw_ctx; firewall_backend_probe(*ctx);
if (ctx->firewall_backend == FW_BACKEND_NONE)
ctx->firewall_backend = firewall_backend_probe(ctx);
switch (ctx->firewall_backend) { switch ((*ctx)->backend) {
case FW_BACKEND_NONE:
return -EOPNOTSUPP;
#if HAVE_LIBIPTC #if HAVE_LIBIPTC
case FW_BACKEND_IPTABLES: case FW_BACKEND_IPTABLES:
return fw_iptables_add_masquerade(add, af, source, source_prefixlen); return fw_iptables_add_masquerade(add, af, source, source_prefixlen);
#endif #endif
case FW_BACKEND_NFTABLES: case FW_BACKEND_NFTABLES:
return fw_nftables_add_masquerade(ctx, add, af, source, source_prefixlen); return fw_nftables_add_masquerade(*ctx, add, af, source, source_prefixlen);
default:
return -EOPNOTSUPP;
} }
return -EOPNOTSUPP;
} }
int fw_add_local_dnat( int fw_add_local_dnat(
FirewallContext **fw_ctx, FirewallContext **ctx,
bool add, bool add,
int af, int af,
int protocol, int protocol,
@ -88,28 +113,27 @@ int fw_add_local_dnat(
const union in_addr_union *remote, const union in_addr_union *remote,
uint16_t remote_port, uint16_t remote_port,
const union in_addr_union *previous_remote) { const union in_addr_union *previous_remote) {
FirewallContext *ctx;
if (!*fw_ctx) { int r;
int ret = fw_ctx_new(fw_ctx);
if (ret < 0) assert(ctx);
return ret;
if (!*ctx) {
r = fw_ctx_new(ctx);
if (r < 0)
return r;
} }
ctx = *fw_ctx; firewall_backend_probe(*ctx);
if (ctx->firewall_backend == FW_BACKEND_NONE)
ctx->firewall_backend = firewall_backend_probe(ctx);
switch (ctx->firewall_backend) { switch ((*ctx)->backend) {
case FW_BACKEND_NONE:
return -EOPNOTSUPP;
case FW_BACKEND_NFTABLES:
return fw_nftables_add_local_dnat(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
#if HAVE_LIBIPTC #if HAVE_LIBIPTC
case FW_BACKEND_IPTABLES: case FW_BACKEND_IPTABLES:
return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote); return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote);
#endif #endif
case FW_BACKEND_NFTABLES:
return fw_nftables_add_local_dnat(*ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
default:
return -EOPNOTSUPP;
} }
return -EOPNOTSUPP;
} }
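Review bot: In firewall_backend_probe (first hunk, at `if (fw_nftables_init(ctx) >= 0)`) the error code from the nftables initialization is discarded and the context silently falls back to iptables, or to no backend at all, so the only trace of an unavailable or misconfigured nftables setup is the later "Using iptables as firewall backend." line, which is what the commit set out to make observable. Keeping the return value and emitting it with `log_debug_errno()` before falling back makes the backend choice auditable without changing which backend is selected; bracing the `else` branch at the same time stops the `#if HAVE_LIBIPTC` block from hanging off an unbraced `else`. fw_ctx_free now calls `fw_nftables_exit()` unconditionally (third hunk), which presumably tolerates a context whose `nfnl` was never set up; that is outside the hunk and worth confirming.
```c
static void firewall_backend_probe(FirewallContext *ctx) {
        int r;

        /* … unchanged: assert(ctx) and the _FW_BACKEND_INVALID early return … */

        r = fw_nftables_init(ctx);
        if (r >= 0)
                ctx->backend = FW_BACKEND_NFTABLES;
        else {
                log_debug_errno(r, "Failed to initialize nftables backend, falling back: %m");
#if HAVE_LIBIPTC
                ctx->backend = FW_BACKEND_IPTABLES;
#else
                ctx->backend = FW_BACKEND_NONE;
#endif
        }

        /* … unchanged: "Using %s as firewall backend." / "No firewall backend found." log_debug calls … */
}
```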


@ -9,19 +9,19 @@
typedef struct FirewallContext FirewallContext; typedef struct FirewallContext FirewallContext;
int fw_ctx_new(FirewallContext **ret); int fw_ctx_new(FirewallContext **ret);
FirewallContext *fw_ctx_free(FirewallContext *fw_ctx); FirewallContext *fw_ctx_free(FirewallContext *ctx);
DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free); DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
int fw_add_masquerade( int fw_add_masquerade(
FirewallContext **fw_ctx, FirewallContext **ctx,
bool add, bool add,
int af, int af,
const union in_addr_union *source, const union in_addr_union *source,
unsigned source_prefixlen); unsigned source_prefixlen);
int fw_add_local_dnat( int fw_add_local_dnat(
FirewallContext **fw_ctx, FirewallContext **ctx,
bool add, bool add,
int af, int af,
int protocol, int protocol,