author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-03-22 22:33:23 +0900 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-03-23 14:40:50 +0900 |
commit | da00b84087dd5f5dc3d0588fdef93bb71789bfb1 (patch) | |
tree | 4670aaf349b2f10b9df9dd603580a6f7bbd99ed2 /src/shared/firewall-util.c | |
parent | e6fda8f67587ee58afc2ae9391db4388ed60f24d (diff) | |
firewall-util: logs which backend will be used
This also modernizes the code a bit.
Diffstat (limited to 'src/shared/firewall-util.c')
-rw-r--r-- | src/shared/firewall-util.c | 98 |
1 files changed, 61 insertions, 37 deletions
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index 3bed941127..65a2250ed3 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -7,21 +7,44 @@
 #include "alloc-util.h"
 #include "firewall-util.h"
 #include "firewall-util-private.h"
+#include "log.h"
+#include "string-table.h"
 
-static enum FirewallBackend firewall_backend_probe(FirewallContext *ctx) {
-        if (fw_nftables_init(ctx) == 0)
-                return FW_BACKEND_NFTABLES;
+static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
+        [FW_BACKEND_NONE] = "none",
 #if HAVE_LIBIPTC
-        return FW_BACKEND_IPTABLES;
+        [FW_BACKEND_IPTABLES] = "iptables",
+#endif
+        [FW_BACKEND_NFTABLES] = "nftables",
+};
+
+DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
+
+static void firewall_backend_probe(FirewallContext *ctx) {
+        assert(ctx);
+
+        if (ctx->backend != _FW_BACKEND_INVALID)
+                return;
+
+        if (fw_nftables_init(ctx) >= 0)
+                ctx->backend = FW_BACKEND_NFTABLES;
+        else
+#if HAVE_LIBIPTC
+                ctx->backend = FW_BACKEND_IPTABLES;
 #else
-        return FW_BACKEND_NONE;
+                ctx->backend = FW_BACKEND_NONE;
 #endif
+
+        if (ctx->backend != FW_BACKEND_NONE)
+                log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
+        else
+                log_debug("No firewall backend found.");
 }
 
 int fw_ctx_new(FirewallContext **ret) {
         _cleanup_free_ FirewallContext *ctx = NULL;
 
-        ctx = new0(FirewallContext, 1);
+        ctx = new(FirewallContext, 1);
         if (!ctx)
                 return -ENOMEM;
 
@@ -32,6 +55,11 @@ int fw_ctx_new(FirewallContext **ret) {
          * fw_ctx_new when nspawn/networkd know they will call
          * fw_add_masquerade/local_dnat later anyway. */
 
+
+        *ctx = (FirewallContext) {
+                .backend = _FW_BACKEND_INVALID,
+        };
+
         *ret = TAKE_PTR(ctx);
         return 0;
 }
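Review bot: In firewall_backend_probe the return value of fw_nftables_init() is discarded, so when nftables is unusable the new debug message only reports that iptables (or no backend) is in use, without saying why nftables was rejected. Because this choice decides where masquerade and DNAT rules are installed, logging the failure would make a permission or kernel-support problem diagnosable from the journal: `r = fw_nftables_init(ctx); if (r < 0) log_debug_errno(r, "Failed to initialize nftables backend, falling back: %m");` with `int r;` declared alongside the assert. The early return on _FW_BACKEND_INVALID also makes the choice sticky for the lifetime of the context, so a transient failure at first use pins the backend; a comment above it such as `/* The backend is probed once per context and never re-probed. */` would make that contract explicit.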
@@ -40,47 +68,44 @@ FirewallContext *fw_ctx_free(FirewallContext *ctx) {
         if (!ctx)
                 return NULL;
 
-        if (ctx->firewall_backend == FW_BACKEND_NFTABLES)
-                fw_nftables_exit(ctx);
+        fw_nftables_exit(ctx);
 
         return mfree(ctx);
 }
 
 int fw_add_masquerade(
-                FirewallContext **fw_ctx,
+                FirewallContext **ctx,
                 bool add,
                 int af,
                 const union in_addr_union *source,
                 unsigned source_prefixlen) {
-        FirewallContext *ctx;
+
         int r;
 
-        if (!*fw_ctx) {
-                r = fw_ctx_new(fw_ctx);
+        assert(ctx);
+
+        if (!*ctx) {
+                r = fw_ctx_new(ctx);
                 if (r < 0)
                         return r;
         }
 
-        ctx = *fw_ctx;
-        if (ctx->firewall_backend == FW_BACKEND_NONE)
-                ctx->firewall_backend = firewall_backend_probe(ctx);
+        firewall_backend_probe(*ctx);
 
-        switch (ctx->firewall_backend) {
-        case FW_BACKEND_NONE:
-                return -EOPNOTSUPP;
+        switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
         case FW_BACKEND_IPTABLES:
                 return fw_iptables_add_masquerade(add, af, source, source_prefixlen);
 #endif
         case FW_BACKEND_NFTABLES:
-                return fw_nftables_add_masquerade(ctx, add, af, source, source_prefixlen);
+                return fw_nftables_add_masquerade(*ctx, add, af, source, source_prefixlen);
+        default:
+                return -EOPNOTSUPP;
         }
-
-        return -EOPNOTSUPP;
 }
 
 int fw_add_local_dnat(
-                FirewallContext **fw_ctx,
+                FirewallContext **ctx,
                 bool add,
                 int af,
                 int protocol,
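Review bot: fw_ctx_free() now calls fw_nftables_exit(ctx) for every context, including one that was never probed (backend still _FW_BACKEND_INVALID) or that fell back to iptables, so the change is only safe if fw_nftables_exit tolerates a context whose nftables state was never initialized; that function is outside this diff, so it is worth confirming, or guarding the call with `if (ctx->backend == FW_BACKEND_NFTABLES)` as before. In fw_add_masquerade the new default branch returns -EOPNOTSUPP but keeps the freshly allocated context in *ctx, so every later call on that context returns -EOPNOTSUPP without re-probing; the same applies to fw_add_local_dnat in the next hunk. A one-line comment on the default label, `/* FW_BACKEND_NONE: no usable backend was found at first use. */`, would document that. The fw_add_local_dnat signature at the end of this hunk continues past it.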
@@ -88,28 +113,27 @@ int fw_add_local_dnat(
                 const union in_addr_union *remote,
                 uint16_t remote_port,
                 const union in_addr_union *previous_remote) {
-        FirewallContext *ctx;
 
-        if (!*fw_ctx) {
-                int ret = fw_ctx_new(fw_ctx);
-                if (ret < 0)
-                        return ret;
+        int r;
+
+        assert(ctx);
+
+        if (!*ctx) {
+                r = fw_ctx_new(ctx);
+                if (r < 0)
+                        return r;
         }
 
-        ctx = *fw_ctx;
-        if (ctx->firewall_backend == FW_BACKEND_NONE)
-                ctx->firewall_backend = firewall_backend_probe(ctx);
+        firewall_backend_probe(*ctx);
 
-        switch (ctx->firewall_backend) {
-        case FW_BACKEND_NONE:
-                return -EOPNOTSUPP;
-        case FW_BACKEND_NFTABLES:
-                return fw_nftables_add_local_dnat(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
+        switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
         case FW_BACKEND_IPTABLES:
                 return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote);
 #endif
+        case FW_BACKEND_NFTABLES:
+                return fw_nftables_add_local_dnat(*ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
+        default:
+                return -EOPNOTSUPP;
         }
-
-        return -EOPNOTSUPP;
 }
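Review bot: The lazy-init preamble (assert on ctx, fw_ctx_new when *ctx is NULL, then firewall_backend_probe) is now repeated verbatim in fw_add_local_dnat and in fw_add_masquerade in the previous hunk, which is the kind of duplication that drifts the next time one of them gains a check. A small static helper placed next to firewall_backend_probe would keep both entry points in sync and give the "allocate on first use, probe once" contract a single documented home. The parameter list of fw_add_local_dnat begins before this hunk; only the body lines below change.
```c
/* Allocates *ctx on first use and selects a backend for it; returns 0 or a negative errno. */
static int fw_ctx_ensure(FirewallContext **ctx) {
        int r;

        assert(ctx);

        if (!*ctx) {
                r = fw_ctx_new(ctx);
                if (r < 0)
                        return r;
        }

        firewall_backend_probe(*ctx);
        return 0;
}

/* … unchanged: fw_add_local_dnat parameter list … */
        int r;

        r = fw_ctx_ensure(ctx);
        if (r < 0)
                return r;

        /* … unchanged: switch on (*ctx)->backend … */
```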