]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
7a8f6325 LP |
2 | |
3 | #include "sd-netlink.h" | |
4 | ||
deff68e7 | 5 | #include "af-list.h" |
b5efdb8a | 6 | #include "alloc-util.h" |
3ffd4af2 | 7 | #include "fd-util.h" |
7a8f6325 | 8 | #include "firewall-util.h" |
07630cea | 9 | #include "in-addr-util.h" |
7a8f6325 LP |
10 | #include "local-addresses.h" |
11 | #include "netlink-util.h" | |
3ffd4af2 | 12 | #include "nspawn-expose-ports.h" |
6bedfcbb | 13 | #include "parse-util.h" |
2583fbea | 14 | #include "socket-util.h" |
07630cea | 15 | #include "string-util.h" |
7a8f6325 LP |
16 | |
17 | int expose_port_parse(ExposePort **l, const char *s) { | |
7a8f6325 LP |
18 | const char *split, *e; |
19 | uint16_t container_port, host_port; | |
03677889 | 20 | ExposePort *port; |
7a8f6325 | 21 | int protocol; |
7a8f6325 LP |
22 | int r; |
23 | ||
24 | assert(l); | |
25 | assert(s); | |
26 | ||
27 | if ((e = startswith(s, "tcp:"))) | |
28 | protocol = IPPROTO_TCP; | |
29 | else if ((e = startswith(s, "udp:"))) | |
30 | protocol = IPPROTO_UDP; | |
31 | else { | |
32 | e = s; | |
33 | protocol = IPPROTO_TCP; | |
34 | } | |
35 | ||
36 | split = strchr(e, ':'); | |
37 | if (split) { | |
38 | char v[split - e + 1]; | |
39 | ||
40 | memcpy(v, e, split - e); | |
41 | v[split - e] = 0; | |
42 | ||
10452f7c SS |
43 | r = parse_ip_port(v, &host_port); |
44 | if (r < 0) | |
7a8f6325 LP |
45 | return -EINVAL; |
46 | ||
10452f7c | 47 | r = parse_ip_port(split + 1, &container_port); |
7a8f6325 | 48 | } else { |
10452f7c | 49 | r = parse_ip_port(e, &container_port); |
7a8f6325 LP |
50 | host_port = container_port; |
51 | } | |
52 | ||
10452f7c | 53 | if (r < 0) |
81d2fe53 | 54 | return r; |
7a8f6325 LP |
55 | |
56 | LIST_FOREACH(ports, p, *l) | |
57 | if (p->protocol == protocol && p->host_port == host_port) | |
58 | return -EEXIST; | |
59 | ||
03677889 YW |
60 | port = new(ExposePort, 1); |
61 | if (!port) | |
7a8f6325 LP |
62 | return -ENOMEM; |
63 | ||
03677889 | 64 | *port = (ExposePort) { |
81d2fe53 LP |
65 | .protocol = protocol, |
66 | .host_port = host_port, | |
67 | .container_port = container_port, | |
68 | }; | |
7a8f6325 | 69 | |
03677889 | 70 | LIST_PREPEND(ports, *l, port); |
7a8f6325 LP |
71 | |
72 | return 0; | |
73 | } | |
74 | ||
75 | void expose_port_free_all(ExposePort *p) { | |
76 | ||
77 | while (p) { | |
78 | ExposePort *q = p; | |
79 | LIST_REMOVE(ports, p, q); | |
80 | free(q); | |
81 | } | |
82 | } | |
83 | ||
deff68e7 | 84 | int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed) { |
deff68e7 | 85 | int r; |
7a8f6325 LP |
86 | |
87 | assert(exposed); | |
88 | ||
89 | if (!l) | |
90 | return 0; | |
91 | ||
94876904 | 92 | if (!in_addr_is_set(af, exposed)) |
7a8f6325 LP |
93 | return 0; |
94 | ||
95 | log_debug("Lost IP address."); | |
96 | ||
97 | LIST_FOREACH(ports, p, l) { | |
761cf19d FW |
98 | r = fw_add_local_dnat(fw_ctx, |
99 | false, | |
7a8f6325 LP |
100 | af, |
101 | p->protocol, | |
7a8f6325 LP |
102 | p->host_port, |
103 | exposed, | |
104 | p->container_port, | |
105 | NULL); | |
106 | if (r < 0) | |
deff68e7 | 107 | log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af)); |
7a8f6325 LP |
108 | } |
109 | ||
110 | *exposed = IN_ADDR_NULL; | |
111 | return 0; | |
112 | } | |
113 | ||
deff68e7 | 114 | int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed) { |
7a8f6325 | 115 | _cleanup_free_ struct local_address *addresses = NULL; |
7a8f6325 | 116 | union in_addr_union new_exposed; |
7a8f6325 | 117 | bool add; |
deff68e7 | 118 | int r; |
7a8f6325 LP |
119 | |
120 | assert(exposed); | |
121 | ||
122 | /* Invoked each time an address is added or removed inside the | |
123 | * container */ | |
124 | ||
125 | if (!l) | |
126 | return 0; | |
127 | ||
128 | r = local_addresses(rtnl, 0, af, &addresses); | |
129 | if (r < 0) | |
130 | return log_error_errno(r, "Failed to enumerate local addresses: %m"); | |
131 | ||
132 | add = r > 0 && | |
133 | addresses[0].family == af && | |
134 | addresses[0].scope < RT_SCOPE_LINK; | |
135 | ||
136 | if (!add) | |
deff68e7 | 137 | return expose_port_flush(fw_ctx, l, af, exposed); |
7a8f6325 LP |
138 | |
139 | new_exposed = addresses[0].address; | |
140 | if (in_addr_equal(af, exposed, &new_exposed)) | |
141 | return 0; | |
142 | ||
84dbb3fd | 143 | log_debug("New container IP is %s.", IN_ADDR_TO_STRING(af, &new_exposed)); |
7a8f6325 LP |
144 | |
145 | LIST_FOREACH(ports, p, l) { | |
761cf19d FW |
146 | r = fw_add_local_dnat(fw_ctx, |
147 | true, | |
7a8f6325 LP |
148 | af, |
149 | p->protocol, | |
7a8f6325 LP |
150 | p->host_port, |
151 | &new_exposed, | |
152 | p->container_port, | |
94876904 | 153 | in_addr_is_set(af, exposed) ? exposed : NULL); |
7a8f6325 | 154 | if (r < 0) |
deff68e7 | 155 | log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af)); |
7a8f6325 LP |
156 | } |
157 | ||
158 | *exposed = new_exposed; | |
159 | return 0; | |
160 | } | |
161 | ||
162 | int expose_port_send_rtnl(int send_fd) { | |
254d1313 | 163 | _cleanup_close_ int fd = -EBADF; |
d9603714 | 164 | int r; |
7a8f6325 LP |
165 | |
166 | assert(send_fd >= 0); | |
167 | ||
0522729e | 168 | fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE); |
7a8f6325 LP |
169 | if (fd < 0) |
170 | return log_error_errno(errno, "Failed to allocate container netlink: %m"); | |
171 | ||
7a8f6325 LP |
172 | /* Store away the fd in the socket, so that it stays open as |
173 | * long as we run the child */ | |
3ee897d6 | 174 | r = send_one_fd(send_fd, fd, 0); |
d9603714 DH |
175 | if (r < 0) |
176 | return log_error_errno(r, "Failed to send netlink fd: %m"); | |
7a8f6325 LP |
177 | |
178 | return 0; | |
179 | } | |
180 | ||
181 | int expose_port_watch_rtnl( | |
182 | sd_event *event, | |
183 | int recv_fd, | |
184 | sd_netlink_message_handler_t handler, | |
f51343d0 | 185 | void *userdata, |
7a8f6325 | 186 | sd_netlink **ret) { |
4afd3348 | 187 | _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL; |
7a8f6325 | 188 | int fd, r; |
7a8f6325 LP |
189 | |
190 | assert(event); | |
191 | assert(recv_fd >= 0); | |
192 | assert(ret); | |
193 | ||
3ee897d6 | 194 | fd = receive_one_fd(recv_fd, 0); |
d9603714 DH |
195 | if (fd < 0) |
196 | return log_error_errno(fd, "Failed to recv netlink fd: %m"); | |
7a8f6325 LP |
197 | |
198 | r = sd_netlink_open_fd(&rtnl, fd); | |
199 | if (r < 0) { | |
200 | safe_close(fd); | |
201 | return log_error_errno(r, "Failed to create rtnl object: %m"); | |
202 | } | |
203 | ||
f51343d0 | 204 | r = sd_netlink_add_match(rtnl, NULL, RTM_NEWADDR, handler, NULL, userdata, "nspawn-NEWADDR"); |
7a8f6325 LP |
205 | if (r < 0) |
206 | return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m"); | |
207 | ||
f51343d0 | 208 | r = sd_netlink_add_match(rtnl, NULL, RTM_DELADDR, handler, NULL, userdata, "nspawn-DELADDR"); |
7a8f6325 LP |
209 | if (r < 0) |
210 | return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m"); | |
211 | ||
212 | r = sd_netlink_attach_event(rtnl, event, 0); | |
213 | if (r < 0) | |
8f8dfb95 | 214 | return log_error_errno(r, "Failed to add to event loop: %m"); |
7a8f6325 | 215 | |
1cc6c93a | 216 | *ret = TAKE_PTR(rtnl); |
7a8f6325 LP |
217 | |
218 | return 0; | |
219 | } |