authorYu Watanabe <watanabe.yu+github@gmail.com>2021-03-22 22:33:23 +0900
committerYu Watanabe <watanabe.yu+github@gmail.com>2021-03-23 14:40:50 +0900
commitda00b84087dd5f5dc3d0588fdef93bb71789bfb1 (patch)
tree4670aaf349b2f10b9df9dd603580a6f7bbd99ed2 /src/shared/firewall-util.c
parente6fda8f67587ee58afc2ae9391db4388ed60f24d (diff)
firewall-util: logs which backend will be used
This also modernizes the code a bit.
Diffstat (limited to 'src/shared/firewall-util.c')
-rw-r--r--src/shared/firewall-util.c98
1 files changed, 61 insertions, 37 deletions
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index 3bed941127..65a2250ed3 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -7,21 +7,44 @@
#include "alloc-util.h"
#include "firewall-util.h"
#include "firewall-util-private.h"
+#include "log.h"
+#include "string-table.h"
-static enum FirewallBackend firewall_backend_probe(FirewallContext *ctx) {
- if (fw_nftables_init(ctx) == 0)
- return FW_BACKEND_NFTABLES;
+static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
+ [FW_BACKEND_NONE] = "none",
#if HAVE_LIBIPTC
- return FW_BACKEND_IPTABLES;
+ [FW_BACKEND_IPTABLES] = "iptables",
+#endif
+ [FW_BACKEND_NFTABLES] = "nftables",
+};
+
+DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
+
+static void firewall_backend_probe(FirewallContext *ctx) {
+ assert(ctx);
+
+ if (ctx->backend != _FW_BACKEND_INVALID)
+ return;
+
+ if (fw_nftables_init(ctx) >= 0)
+ ctx->backend = FW_BACKEND_NFTABLES;
+ else
+#if HAVE_LIBIPTC
+ ctx->backend = FW_BACKEND_IPTABLES;
#else
- return FW_BACKEND_NONE;
+ ctx->backend = FW_BACKEND_NONE;
#endif
+
+ if (ctx->backend != FW_BACKEND_NONE)
+ log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
+ else
+ log_debug("No firewall backend found.");
}
int fw_ctx_new(FirewallContext **ret) {
_cleanup_free_ FirewallContext *ctx = NULL;
- ctx = new0(FirewallContext, 1);
+ ctx = new(FirewallContext, 1);
if (!ctx)
return -ENOMEM;
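Review bot: The return value of `fw_nftables_init()` is discarded at the `if (fw_nftables_init(ctx) >= 0)` line, so when the probe falls back to iptables or to no backend at all, the new debug log cannot say why nftables was rejected, which is exactly what an operator chasing a missing masquerade or DNAT rule needs to know. Keep the error and log it on the fallback path as sketched below. Note also that the early `if (ctx->backend != _FW_BACKEND_INVALID) return;` makes the probe result sticky for the lifetime of the context, whereas the removed code re-probed every call while the backend was `FW_BACKEND_NONE`; if `fw_nftables_init()` can fail transiently, one failure now permanently pins the context to the fallback, which may be intended but deserves a comment such as `/* Probe once; a failed nftables init is not retried for this context. */`. As before, the iptables fallback is selected without checking that iptables is actually usable.
```c
static void firewall_backend_probe(FirewallContext *ctx) {
        int r;

        assert(ctx);

        if (ctx->backend != _FW_BACKEND_INVALID)
                return;

        r = fw_nftables_init(ctx);
        if (r >= 0)
                ctx->backend = FW_BACKEND_NFTABLES;
        else {
                log_debug_errno(r, "Failed to initialize nftables backend, falling back: %m");
#if HAVE_LIBIPTC
                ctx->backend = FW_BACKEND_IPTABLES;
#else
                ctx->backend = FW_BACKEND_NONE;
#endif
        }

        /* … unchanged: "Using %s as firewall backend." / "No firewall backend found." log … */
}
```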
@@ -32,6 +55,11 @@ int fw_ctx_new(FirewallContext **ret) {
* fw_ctx_new when nspawn/networkd know they will call
* fw_add_masquerade/local_dnat later anyway.
*/
+
+ *ctx = (FirewallContext) {
+ .backend = _FW_BACKEND_INVALID,
+ };
+
*ret = TAKE_PTR(ctx);
return 0;
}
@@ -40,47 +68,44 @@ FirewallContext *fw_ctx_free(FirewallContext *ctx) {
if (!ctx)
return NULL;
- if (ctx->firewall_backend == FW_BACKEND_NFTABLES)
- fw_nftables_exit(ctx);
+ fw_nftables_exit(ctx);
return mfree(ctx);
}
int fw_add_masquerade(
- FirewallContext **fw_ctx,
+ FirewallContext **ctx,
bool add,
int af,
const union in_addr_union *source,
unsigned source_prefixlen) {
- FirewallContext *ctx;
+
int r;
- if (!*fw_ctx) {
- r = fw_ctx_new(fw_ctx);
+ assert(ctx);
+
+ if (!*ctx) {
+ r = fw_ctx_new(ctx);
if (r < 0)
return r;
}
- ctx = *fw_ctx;
- if (ctx->firewall_backend == FW_BACKEND_NONE)
- ctx->firewall_backend = firewall_backend_probe(ctx);
+ firewall_backend_probe(*ctx);
- switch (ctx->firewall_backend) {
- case FW_BACKEND_NONE:
- return -EOPNOTSUPP;
+ switch ((*ctx)->backend) {
#if HAVE_LIBIPTC
case FW_BACKEND_IPTABLES:
return fw_iptables_add_masquerade(add, af, source, source_prefixlen);
#endif
case FW_BACKEND_NFTABLES:
- return fw_nftables_add_masquerade(ctx, add, af, source, source_prefixlen);
+ return fw_nftables_add_masquerade(*ctx, add, af, source, source_prefixlen);
+ default:
+ return -EOPNOTSUPP;
}
-
- return -EOPNOTSUPP;
}
int fw_add_local_dnat(
- FirewallContext **fw_ctx,
+ FirewallContext **ctx,
bool add,
int af,
int protocol,
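Review bot: `fw_ctx_free()` now calls `fw_nftables_exit(ctx)` unconditionally, including for contexts whose backend is still `_FW_BACKEND_INVALID` (never probed), `FW_BACKEND_NONE` or `FW_BACKEND_IPTABLES`, so it relies on `fw_nftables_exit()` tolerating a context on which `fw_nftables_init()` was never called or failed part-way; that contract is not visible in this file and should be stated at the call site, e.g. `/* Must be safe on a context whose nftables init was never attempted or failed. */`. If `fw_nftables_init()` can leave partially set-up state behind on failure, the exit path has to release it, otherwise a probe that fell back to iptables leaks those resources for the life of the context. The rewritten switch in `fw_add_masquerade()` is sound: after `firewall_backend_probe()` the backend is never `_FW_BACKEND_INVALID`, so `default` only covers `FW_BACKEND_NONE`, and the same shape is used in `fw_add_local_dnat()` in the following hunk. This hunk begins inside `fw_ctx_free()`, whose opening lines are outside it, and ends inside the `fw_add_local_dnat()` parameter list.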
@@ -88,28 +113,27 @@ int fw_add_local_dnat(
const union in_addr_union *remote,
uint16_t remote_port,
const union in_addr_union *previous_remote) {
- FirewallContext *ctx;
- if (!*fw_ctx) {
- int ret = fw_ctx_new(fw_ctx);
- if (ret < 0)
- return ret;
+ int r;
+
+ assert(ctx);
+
+ if (!*ctx) {
+ r = fw_ctx_new(ctx);
+ if (r < 0)
+ return r;
}
- ctx = *fw_ctx;
- if (ctx->firewall_backend == FW_BACKEND_NONE)
- ctx->firewall_backend = firewall_backend_probe(ctx);
+ firewall_backend_probe(*ctx);
- switch (ctx->firewall_backend) {
- case FW_BACKEND_NONE:
- return -EOPNOTSUPP;
- case FW_BACKEND_NFTABLES:
- return fw_nftables_add_local_dnat(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
+ switch ((*ctx)->backend) {
#if HAVE_LIBIPTC
case FW_BACKEND_IPTABLES:
return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote);
#endif
+ case FW_BACKEND_NFTABLES:
+ return fw_nftables_add_local_dnat(*ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
+ default:
+ return -EOPNOTSUPP;
}
-
- return -EOPNOTSUPP;
}