[thirdparty/systemd.git] / src / nspawn / nspawn-expose-ports.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "sd-netlink.h"

#include "af-list.h"
#include "alloc-util.h"
#include "fd-util.h"
#include "firewall-util.h"
#include "in-addr-util.h"
#include "local-addresses.h"
#include "netlink-util.h"
#include "nspawn-expose-ports.h"
#include "parse-util.h"
#include "socket-util.h"
#include "string-util.h"

int expose_port_parse(ExposePort **l, const char *s) {
        const char *split, *e;
        uint16_t container_port, host_port;
        ExposePort *port;
        int protocol;
        int r;

        assert(l);
        assert(s);

        if ((e = startswith(s, "tcp:")))
                protocol = IPPROTO_TCP;
        else if ((e = startswith(s, "udp:")))
                protocol = IPPROTO_UDP;
        else {
                e = s;
                protocol = IPPROTO_TCP;
        }

        split = strchr(e, ':');
        if (split) {
                char v[split - e + 1];

                memcpy(v, e, split - e);
                v[split - e] = 0;

                r = parse_ip_port(v, &host_port);
                if (r < 0)
                        return -EINVAL;

                r = parse_ip_port(split + 1, &container_port);
        } else {
                r = parse_ip_port(e, &container_port);
                host_port = container_port;
        }

        if (r < 0)
                return r;

        LIST_FOREACH(ports, p, *l)
                if (p->protocol == protocol && p->host_port == host_port)
                        return -EEXIST;

        port = new(ExposePort, 1);
        if (!port)
                return -ENOMEM;

        *port = (ExposePort) {
                .protocol = protocol,
                .host_port = host_port,
                .container_port = container_port,
        };

        LIST_PREPEND(ports, *l, port);

        return 0;
}

void expose_port_free_all(ExposePort *p) {

        while (p) {
                ExposePort *q = p;
                LIST_REMOVE(ports, p, q);
                free(q);
        }
}

int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed) {
        int r;

        assert(exposed);

        if (!l)
                return 0;

        if (!in_addr_is_set(af, exposed))
                return 0;

        log_debug("Lost IP address.");

        LIST_FOREACH(ports, p, l) {
                r = fw_add_local_dnat(fw_ctx,
                                      false,
                                      af,
                                      p->protocol,
                                      p->host_port,
                                      exposed,
                                      p->container_port,
                                      NULL);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
        }

        *exposed = IN_ADDR_NULL;
        return 0;
}

int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed) {
        _cleanup_free_ struct local_address *addresses = NULL;
        union in_addr_union new_exposed;
        bool add;
        int r;

        assert(exposed);

        /* Invoked each time an address is added or removed inside the
         * container */

        if (!l)
                return 0;

        r = local_addresses(rtnl, 0, af, &addresses);
        if (r < 0)
                return log_error_errno(r, "Failed to enumerate local addresses: %m");

        add = r > 0 &&
                addresses[0].family == af &&
                addresses[0].scope < RT_SCOPE_LINK;

        if (!add)
                return expose_port_flush(fw_ctx, l, af, exposed);

        new_exposed = addresses[0].address;
        if (in_addr_equal(af, exposed, &new_exposed))
                return 0;

        log_debug("New container IP is %s.", IN_ADDR_TO_STRING(af, &new_exposed));

        LIST_FOREACH(ports, p, l) {
                r = fw_add_local_dnat(fw_ctx,
                                      true,
                                      af,
                                      p->protocol,
                                      p->host_port,
                                      &new_exposed,
                                      p->container_port,
                                      in_addr_is_set(af, exposed) ? exposed : NULL);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
        }

        *exposed = new_exposed;
        return 0;
}

int expose_port_send_rtnl(int send_fd) {
        _cleanup_close_ int fd = -EBADF;
        int r;

        assert(send_fd >= 0);

        fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE);
        if (fd < 0)
                return log_error_errno(errno, "Failed to allocate container netlink: %m");

        /* Store away the fd in the socket, so that it stays open as
         * long as we run the child */
        r = send_one_fd(send_fd, fd, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to send netlink fd: %m");

        return 0;
}

int expose_port_watch_rtnl(
                sd_event *event,
                int recv_fd,
                sd_netlink_message_handler_t handler,
                void *userdata,
                sd_netlink **ret) {
        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        int fd, r;

        assert(event);
        assert(recv_fd >= 0);
        assert(ret);

        fd = receive_one_fd(recv_fd, 0);
        if (fd < 0)
                return log_error_errno(fd, "Failed to recv netlink fd: %m");

        r = sd_netlink_open_fd(&rtnl, fd);
        if (r < 0) {
                safe_close(fd);
                return log_error_errno(r, "Failed to create rtnl object: %m");
        }

        r = sd_netlink_add_match(rtnl, NULL, RTM_NEWADDR, handler, NULL, userdata, "nspawn-NEWADDR");
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");

        r = sd_netlink_add_match(rtnl, NULL, RTM_DELADDR, handler, NULL, userdata, "nspawn-DELADDR");
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");

        r = sd_netlink_attach_event(rtnl, event, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to add to event loop: %m");

        *ret = TAKE_PTR(rtnl);

        return 0;
}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
7a8f6325 LP	2
	3	#include "sd-netlink.h"
	4
deff68e7	5	#include "af-list.h"
b5efdb8a	6	#include "alloc-util.h"
3ffd4af2	7	#include "fd-util.h"
7a8f6325	8	#include "firewall-util.h"
07630cea	9	#include "in-addr-util.h"
7a8f6325 LP	10	#include "local-addresses.h"
7a8f6325 LP	11	#include "netlink-util.h"
3ffd4af2	12	#include "nspawn-expose-ports.h"
6bedfcbb	13	#include "parse-util.h"
2583fbea	14	#include "socket-util.h"
07630cea	15	#include "string-util.h"
7a8f6325 LP	16
7a8f6325 LP	17	int expose_port_parse(ExposePort *l, const char s) {
7a8f6325 LP	18	const char split, e;
7a8f6325 LP	19	uint16_t container_port, host_port;
03677889	20	ExposePort *port;
7a8f6325	21	int protocol;
7a8f6325 LP	22	int r;
	23
	24	assert(l);
	25	assert(s);
	26
	27	if ((e = startswith(s, "tcp:")))
	28	protocol = IPPROTO_TCP;
	29	else if ((e = startswith(s, "udp:")))
	30	protocol = IPPROTO_UDP;
	31	else {
	32	e = s;
	33	protocol = IPPROTO_TCP;
	34	}
	35
	36	split = strchr(e, ':');
	37	if (split) {
	38	char v[split - e + 1];
	39
	40	memcpy(v, e, split - e);
	41	v[split - e] = 0;
	42
10452f7c SS	43	r = parse_ip_port(v, &host_port);
10452f7c SS	44	if (r < 0)
7a8f6325 LP	45	return -EINVAL;
7a8f6325 LP	46
10452f7c	47	r = parse_ip_port(split + 1, &container_port);
7a8f6325	48	} else {
10452f7c	49	r = parse_ip_port(e, &container_port);
7a8f6325 LP	50	host_port = container_port;
	51	}
	52
10452f7c	53	if (r < 0)
81d2fe53	54	return r;
7a8f6325 LP	55
	56	LIST_FOREACH(ports, p, *l)
	57	if (p->protocol == protocol && p->host_port == host_port)
	58	return -EEXIST;
	59
03677889 YW	60	port = new(ExposePort, 1);
03677889 YW	61	if (!port)
7a8f6325 LP	62	return -ENOMEM;
7a8f6325 LP	63
03677889	64	*port = (ExposePort) {
81d2fe53 LP	65	.protocol = protocol,
	66	.host_port = host_port,
	67	.container_port = container_port,
	68	};
7a8f6325	69
03677889	70	LIST_PREPEND(ports, *l, port);
7a8f6325 LP	71
	72	return 0;
	73	}
	74
	75	void expose_port_free_all(ExposePort *p) {
	76
	77	while (p) {
	78	ExposePort *q = p;
	79	LIST_REMOVE(ports, p, q);
	80	free(q);
	81	}
	82	}
	83
deff68e7	84	int expose_port_flush(FirewallContext *fw_ctx, ExposePort l, int af, union in_addr_union *exposed) {
deff68e7	85	int r;
7a8f6325 LP	86
	87	assert(exposed);
	88
	89	if (!l)
	90	return 0;
	91
94876904	92	if (!in_addr_is_set(af, exposed))
7a8f6325 LP	93	return 0;
	94
	95	log_debug("Lost IP address.");
	96
	97	LIST_FOREACH(ports, p, l) {
761cf19d FW	98	r = fw_add_local_dnat(fw_ctx,
761cf19d FW	99	false,
7a8f6325 LP	100	af,
7a8f6325 LP	101	p->protocol,
7a8f6325 LP	102	p->host_port,
	103	exposed,
	104	p->container_port,
	105	NULL);
	106	if (r < 0)
deff68e7	107	log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
7a8f6325 LP	108	}
	109
	110	*exposed = IN_ADDR_NULL;
	111	return 0;
	112	}
	113
deff68e7	114	int expose_port_execute(sd_netlink rtnl, FirewallContext fw_ctx, ExposePort l, int af, union in_addr_union *exposed) {
7a8f6325	115	_cleanup_free_ struct local_address *addresses = NULL;
7a8f6325	116	union in_addr_union new_exposed;
7a8f6325	117	bool add;
deff68e7	118	int r;
7a8f6325 LP	119
	120	assert(exposed);
	121
	122	/* Invoked each time an address is added or removed inside the
	123	* container */
	124
	125	if (!l)
	126	return 0;
	127
	128	r = local_addresses(rtnl, 0, af, &addresses);
	129	if (r < 0)
	130	return log_error_errno(r, "Failed to enumerate local addresses: %m");
	131
	132	add = r > 0 &&
	133	addresses[0].family == af &&
	134	addresses[0].scope < RT_SCOPE_LINK;
	135
	136	if (!add)
deff68e7	137	return expose_port_flush(fw_ctx, l, af, exposed);
7a8f6325 LP	138
	139	new_exposed = addresses[0].address;
	140	if (in_addr_equal(af, exposed, &new_exposed))
	141	return 0;
	142
84dbb3fd	143	log_debug("New container IP is %s.", IN_ADDR_TO_STRING(af, &new_exposed));
7a8f6325 LP	144
7a8f6325 LP	145	LIST_FOREACH(ports, p, l) {
761cf19d FW	146	r = fw_add_local_dnat(fw_ctx,
761cf19d FW	147	true,
7a8f6325 LP	148	af,
7a8f6325 LP	149	p->protocol,
7a8f6325 LP	150	p->host_port,
	151	&new_exposed,
	152	p->container_port,
94876904	153	in_addr_is_set(af, exposed) ? exposed : NULL);
7a8f6325	154	if (r < 0)
deff68e7	155	log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
7a8f6325 LP	156	}
	157
	158	*exposed = new_exposed;
	159	return 0;
	160	}
	161
	162	int expose_port_send_rtnl(int send_fd) {
254d1313	163	_cleanup_close_ int fd = -EBADF;
d9603714	164	int r;
7a8f6325 LP	165
	166	assert(send_fd >= 0);
	167
0522729e	168	fd = socket(AF_NETLINK, SOCK_RAW\|SOCK_CLOEXEC\|SOCK_NONBLOCK, NETLINK_ROUTE);
7a8f6325 LP	169	if (fd < 0)
	170	return log_error_errno(errno, "Failed to allocate container netlink: %m");
	171
7a8f6325 LP	172	/* Store away the fd in the socket, so that it stays open as
7a8f6325 LP	173	* long as we run the child */
3ee897d6	174	r = send_one_fd(send_fd, fd, 0);
d9603714 DH	175	if (r < 0)
d9603714 DH	176	return log_error_errno(r, "Failed to send netlink fd: %m");
7a8f6325 LP	177
	178	return 0;
	179	}
	180
	181	int expose_port_watch_rtnl(
	182	sd_event *event,
	183	int recv_fd,
	184	sd_netlink_message_handler_t handler,
f51343d0	185	void *userdata,
7a8f6325	186	sd_netlink **ret) {
4afd3348	187	_cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
7a8f6325	188	int fd, r;
7a8f6325 LP	189
	190	assert(event);
	191	assert(recv_fd >= 0);
	192	assert(ret);
	193
3ee897d6	194	fd = receive_one_fd(recv_fd, 0);
d9603714 DH	195	if (fd < 0)
d9603714 DH	196	return log_error_errno(fd, "Failed to recv netlink fd: %m");
7a8f6325 LP	197
	198	r = sd_netlink_open_fd(&rtnl, fd);
	199	if (r < 0) {
	200	safe_close(fd);
	201	return log_error_errno(r, "Failed to create rtnl object: %m");
	202	}
	203
f51343d0	204	r = sd_netlink_add_match(rtnl, NULL, RTM_NEWADDR, handler, NULL, userdata, "nspawn-NEWADDR");
7a8f6325 LP	205	if (r < 0)
	206	return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");
	207
f51343d0	208	r = sd_netlink_add_match(rtnl, NULL, RTM_DELADDR, handler, NULL, userdata, "nspawn-DELADDR");
7a8f6325 LP	209	if (r < 0)
	210	return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");
	211
	212	r = sd_netlink_attach_event(rtnl, event, 0);
	213	if (r < 0)
8f8dfb95	214	return log_error_errno(r, "Failed to add to event loop: %m");
7a8f6325	215
1cc6c93a	216	*ret = TAKE_PTR(rtnl);
7a8f6325 LP	217
	218	return 0;
	219	}