* `$SYSTEMD_REPART_OVERRIDE_FSTYPE` – if set the value will override the file
system type specified in Format= lines in partition definition files.
+
+`systemd-nspawn`, `systemd-networkd`:
+
+* `$SYSTEMD_FIREWALL_BACKEND` – takes a string, either `iptables` or
+ `nftables`. Selects the firewall backend to use. If not specified tries to
+ use `nftables` and falls back to `iptables` if that's not available.
DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
static void firewall_backend_probe(FirewallContext *ctx, bool init_tables) {
+ const char *e;
+
assert(ctx);
if (ctx->backend != _FW_BACKEND_INVALID)
return;
- if (fw_nftables_init_full(ctx, init_tables) >= 0)
- ctx->backend = FW_BACKEND_NFTABLES;
- else
+ e = secure_getenv("SYSTEMD_FIREWALL_BACKEND");
+ if (e) {
+ if (streq(e, "nftables"))
+ ctx->backend = FW_BACKEND_NFTABLES;
+ else if (streq(e, "iptables"))
#if HAVE_LIBIPTC
- ctx->backend = FW_BACKEND_IPTABLES;
+ ctx->backend = FW_BACKEND_IPTABLES;
#else
- ctx->backend = FW_BACKEND_NONE;
+ log_debug("Unsupported firewall backend requested, ignoring: %s", e);
#endif
+ else
+ log_debug("Unrecognized $SYSTEMD_FIREWALL_BACKEND value, ignoring: %s", e);
+ }
+
+ if (ctx->backend == _FW_BACKEND_INVALID) {
+
+ if (fw_nftables_init_full(ctx, init_tables) >= 0)
+ ctx->backend = FW_BACKEND_NFTABLES;
+ else
+#if HAVE_LIBIPTC
+ ctx->backend = FW_BACKEND_IPTABLES;
+#else
+ ctx->backend = FW_BACKEND_NONE;
+#endif
+ }
if (ctx->backend != FW_BACKEND_NONE)
log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
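Review bot: When `$SYSTEMD_FIREWALL_BACKEND` is `nftables`, the override branch assigns `ctx->backend = FW_BACKEND_NFTABLES` without ever calling `fw_nftables_init_full(ctx, init_tables)`, whereas the removed code and the autodetect branch below pick nftables only after that call succeeds. If that call is what prepares the nftables state held in `ctx` (its body is not visible here), a forced backend would be used uninitialized and later rule installation could fail, leaving the container or link without the expected NAT/firewall rules. I would gate the assignment on the probe, e.g. `if (fw_nftables_init_full(ctx, init_tables) >= 0) ctx->backend = FW_BACKEND_NFTABLES;` inside the `streq(e, "nftables")` arm, and log when it fails. Separately, both "ignoring" messages are emitted with `log_debug`, so an operator who explicitly requested a backend silently gets autodetection; `log_warning` would make the mismatch visible. The function body continues past the end of this hunk.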