shared/firewall-util: parametrize table and set names

Parametrize table and set names for fw_nftables_add_masquerade_internal, rename
to nft_set_element_op_iprange to reflect more general usage. Export and use
nfproto_is_valid().

Remove also unused and obsolete NFPROTO_DECNET.

diff --git a/src/libsystemd/sd-netlink/netlink-internal.h b/src/libsystemd/sd-netlink/netlink-internal.h
index bca13bce57527801e10b90c11fd5163b054fce7a..891d3e841345f0ba1cb3ba2f7709ff30d56c377f 100644 (file)
--- a/src/libsystemd/sd-netlink/netlink-internal.h
+++ b/src/libsystemd/sd-netlink/netlink-internal.h
@@ -170,6 +170,8 @@ int netlink_add_match_internal(
 #define NETLINK_DONT_DESTROY(nl) \
         _cleanup_(sd_netlink_unrefp) _unused_ sd_netlink *_dont_destroy_##nl = sd_netlink_ref(nl)
 
+bool nfproto_is_valid(int nfproto);
+
 /* nfnl */
 /* TODO: to be exported later */
 int sd_nfnl_socket_open(sd_netlink **ret);

diff --git a/src/libsystemd/sd-netlink/netlink-message-nfnl.c b/src/libsystemd/sd-netlink/netlink-message-nfnl.c
index a8cec2bd8bdf512782638718d268c19ce656b5f9..edde5d2a88f8fb69d23b78b0f559e2ce5d94d047 100644 (file)
--- a/src/libsystemd/sd-netlink/netlink-message-nfnl.c
+++ b/src/libsystemd/sd-netlink/netlink-message-nfnl.c
@@ -12,7 +12,7 @@
 #include "netlink-types.h"
 #include "netlink-util.h"
 
-static bool nfproto_is_valid(int nfproto) {
+bool nfproto_is_valid(int nfproto) {
         return IN_SET(nfproto,
                       NFPROTO_UNSPEC,
                       NFPROTO_INET,
@@ -20,8 +20,7 @@ static bool nfproto_is_valid(int nfproto) {
                       NFPROTO_ARP,
                       NFPROTO_NETDEV,
                       NFPROTO_BRIDGE,
-                      NFPROTO_IPV6,
-                      NFPROTO_DECNET);
+                      NFPROTO_IPV6);
 }
 
 int sd_nfnl_message_new(sd_netlink *nfnl, sd_netlink_message **ret, int nfproto, uint16_t subsys, uint16_t msg_type, uint16_t flags) {

diff --git a/src/shared/firewall-util-nft.c b/src/shared/firewall-util-nft.c
index b5f0d1bab75afe184d873436878efe1a6d9187a5..b36872cb90d98197e2959cc3a9147438315e7eea 100644 (file)
--- a/src/shared/firewall-util-nft.c
+++ b/src/shared/firewall-util-nft.c
@@ -891,18 +891,24 @@ static int nft_message_append_setelem_ip6range(
         return sd_netlink_message_close_container(m); /* NFTA_SET_ELEM_LIST_ELEMENTS */
 }
 
-static int fw_nftables_add_masquerade_internal(
-                sd_netlink *nfnl,
+int nft_set_element_modify_iprange(
+                FirewallContext *ctx,
                 bool add,
+                int nfproto,
                 int af,
+                const char *table,
+                const char *set,
                 const union in_addr_union *source,
                 unsigned int source_prefixlen) {
 
         _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
         int r;
 
-        assert(nfnl);
+        assert(ctx->nfnl);
         assert(IN_SET(af, AF_INET, AF_INET6));
+        assert(nfproto_is_valid(nfproto));
+        assert(table);
+        assert(set);
 
         if (!source || source_prefixlen == 0)
                 return -EINVAL;
@@ -910,7 +916,7 @@ static int fw_nftables_add_masquerade_internal(
         if (af == AF_INET6 && source_prefixlen < 8)
                 return -EINVAL;
 
-        r = sd_nfnl_nft_message_new_setelems(nfnl, &m, add, af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME);
+        r = sd_nfnl_nft_message_new_setelems(ctx->nfnl, &m, add, nfproto, table, set);
         if (r < 0)
                 return r;
 
@@ -921,7 +927,20 @@ static int fw_nftables_add_masquerade_internal(
         if (r < 0)
                 return r;
 
-        return sd_nfnl_call_batch(nfnl, &m, 1, NFNL_DEFAULT_TIMEOUT_USECS, NULL);
+        return sd_nfnl_call_batch(ctx->nfnl, &m, 1, NFNL_DEFAULT_TIMEOUT_USECS, NULL);
+}
+
+static int af_to_nfproto(int af) {
+        assert(IN_SET(af, AF_INET, AF_INET6));
+
+        switch (af) {
+        case AF_INET:
+                return NFPROTO_IPV4;
+        case AF_INET6:
+                return NFPROTO_IPV6;
+        default:
+                assert_not_reached();
+        }
 }
 
 int fw_nftables_add_masquerade(
@@ -940,7 +959,8 @@ int fw_nftables_add_masquerade(
         if (!socket_ipv6_is_supported() && af == AF_INET6)
                 return -EOPNOTSUPP;
 
-        r = fw_nftables_add_masquerade_internal(ctx->nfnl, add, af, source, source_prefixlen);
+        r = nft_set_element_modify_iprange(ctx, add, af_to_nfproto(af), af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME,
+                                           source, source_prefixlen);
         if (r != -ENOENT)
                 return r;
 
@@ -965,7 +985,8 @@ int fw_nftables_add_masquerade(
         if (r < 0)
                 return r;
 
-        return fw_nftables_add_masquerade_internal(ctx->nfnl, add, af, source, source_prefixlen);
+        return nft_set_element_modify_iprange(ctx, add, af_to_nfproto(af), af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME,
+                                              source, source_prefixlen);
 }
 
 static int fw_nftables_add_local_dnat_internal(

diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h
index 7725a5e58dfd31a20ae5de8dc7fee653ab969be3..d0e78beba83a7cd6ce77ae3553896b5db236f477 100644 (file)
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
@@ -29,3 +29,13 @@ int fw_add_local_dnat(
                 const union in_addr_union *remote,
                 uint16_t remote_port,
                 const union in_addr_union *previous_remote);
+
+int nft_set_element_modify_iprange(
+                FirewallContext *ctx,
+                bool add,
+                int nfproto,
+                int af,
+                const char *table,
+                const char *set,
+                const union in_addr_union *source,
+                unsigned int source_prefixlen);