authorFlorian Westphal <fw@strlen.de>2020-06-25 15:00:54 +0200
committerFlorian Westphal <fw@strlen.de>2020-12-16 00:35:56 +0100
commit3122097217a6ea44709c6ec053e57097df921331 (patch)
tree233a20154f0217406d2769dda35335cdc07b0196 /src/shared/firewall-util.h
parent47ed20e1e08d800e722b05a3fb33ba6be4b48afc (diff)
firewall-util: prepare for alternative to iptables backend
In a nutshell: 1. git mv firewall-util.c firewall-util-iptables.c 2. existing external functions gain _iptables_ in their names 3. firewall-util.c provides the old function names 4. the build system always compiles firewall-util.c; firewall-util-iptables.c is conditional instead (libiptc). 5. The first call to any of the 'old' API functions performs a probe that should return the preferred backend. In a future step, one can add firewall-util-FOOTYPE.c, add its probe function to firewall-util.c and then have calls to fw_add_masq/local_dnat handed to the detected backend. For now, only the iptables backend exists, and no special probing takes place for it, i.e. when systemd was built with iptables, that will be used. If not, requests to add masquerade/dnat will fail with the same error (-EOPNOTSUPP) as before this change. For reference, the rules added by the libiptc/iptables backend look like this: for service export (via systemd-nspawn): [0:0] -A PREROUTING -p tcp -m tcp --dport $exportedport -m addrtype --dst-type LOCAL -j DNAT --to-destination $containerip:$port [0:0] -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport $exportedport -m addrtype --dst-type LOCAL -j DNAT --to-destination $containerip:$port for ip masquerade: [0:0] -A POSTROUTING -s network/prefix -j MASQUERADE
Diffstat (limited to 'src/shared/firewall-util.h')
-rw-r--r--src/shared/firewall-util.h25
1 files changed, 0 insertions, 25 deletions
diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h
index f7191ba006..bb6dc5a0f0 100644
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
@@ -6,8 +6,6 @@
#include "in-addr-util.h"
-#if HAVE_LIBIPTC
-
int fw_add_masquerade(
bool add,
int af,
@@ -22,26 +20,3 @@ int fw_add_local_dnat(
const union in_addr_union *remote,
uint16_t remote_port,
const union in_addr_union *previous_remote);
-
-#else
-
-static inline int fw_add_masquerade(
- bool add,
- int af,
- const union in_addr_union *source,
- unsigned source_prefixlen) {
- return -EOPNOTSUPP;
-}
-
-static inline int fw_add_local_dnat(
- bool add,
- int af,
- int protocol,
- uint16_t local_port,
- const union in_addr_union *remote,
- uint16_t remote_port,
- const union in_addr_union *previous_remote) {
- return -EOPNOTSUPP;
-}
-
-#endif