[thirdparty/systemd.git] / src / nspawn / nspawn-expose-ports.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include "sd-netlink.h"

#include "alloc-util.h"
#include "fd-util.h"
#include "firewall-util.h"
#include "in-addr-util.h"
#include "local-addresses.h"
#include "netlink-util.h"
#include "nspawn-expose-ports.h"
#include "parse-util.h"
#include "socket-util.h"
#include "string-util.h"
#include "util.h"

int expose_port_parse(ExposePort **l, const char *s) {

        const char *split, *e;
        uint16_t container_port, host_port;
        int protocol;
        ExposePort *p;
        int r;

        assert(l);
        assert(s);

        if ((e = startswith(s, "tcp:")))
                protocol = IPPROTO_TCP;
        else if ((e = startswith(s, "udp:")))
                protocol = IPPROTO_UDP;
        else {
                e = s;
                protocol = IPPROTO_TCP;
        }

        split = strchr(e, ':');
        if (split) {
                char v[split - e + 1];

                memcpy(v, e, split - e);
                v[split - e] = 0;

                r = parse_ip_port(v, &host_port);
                if (r < 0)
                        return -EINVAL;

                r = parse_ip_port(split + 1, &container_port);
        } else {
                r = parse_ip_port(e, &container_port);
                host_port = container_port;
        }

        if (r < 0)
                return -EINVAL;

        LIST_FOREACH(ports, p, *l)
                if (p->protocol == protocol && p->host_port == host_port)
                        return -EEXIST;

        p = new(ExposePort, 1);
        if (!p)
                return -ENOMEM;

        p->protocol = protocol;
        p->host_port = host_port;
        p->container_port = container_port;

        LIST_PREPEND(ports, *l, p);

        return 0;
}

void expose_port_free_all(ExposePort *p) {

        while (p) {
                ExposePort *q = p;
                LIST_REMOVE(ports, p, q);
                free(q);
        }
}

int expose_port_flush(ExposePort* l, union in_addr_union *exposed) {
        ExposePort *p;
        int r, af = AF_INET;

        assert(exposed);

        if (!l)
                return 0;

        if (in_addr_is_null(af, exposed))
                return 0;

        log_debug("Lost IP address.");

        LIST_FOREACH(ports, p, l) {
                r = fw_add_local_dnat(false,
                                      af,
                                      p->protocol,
                                      NULL,
                                      NULL, 0,
                                      NULL, 0,
                                      p->host_port,
                                      exposed,
                                      p->container_port,
                                      NULL);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify firewall: %m");
        }

        *exposed = IN_ADDR_NULL;
        return 0;
}

int expose_port_execute(sd_netlink *rtnl, ExposePort *l, union in_addr_union *exposed) {
        _cleanup_free_ struct local_address *addresses = NULL;
        _cleanup_free_ char *pretty = NULL;
        union in_addr_union new_exposed;
        ExposePort *p;
        bool add;
        int af = AF_INET, r;

        assert(exposed);

        /* Invoked each time an address is added or removed inside the
         * container */

        if (!l)
                return 0;

        r = local_addresses(rtnl, 0, af, &addresses);
        if (r < 0)
                return log_error_errno(r, "Failed to enumerate local addresses: %m");

        add = r > 0 &&
                addresses[0].family == af &&
                addresses[0].scope < RT_SCOPE_LINK;

        if (!add)
                return expose_port_flush(l, exposed);

        new_exposed = addresses[0].address;
        if (in_addr_equal(af, exposed, &new_exposed))
                return 0;

        in_addr_to_string(af, &new_exposed, &pretty);
        log_debug("New container IP is %s.", strna(pretty));

        LIST_FOREACH(ports, p, l) {

                r = fw_add_local_dnat(true,
                                      af,
                                      p->protocol,
                                      NULL,
                                      NULL, 0,
                                      NULL, 0,
                                      p->host_port,
                                      &new_exposed,
                                      p->container_port,
                                      in_addr_is_null(af, exposed) ? NULL : exposed);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify firewall: %m");
        }

        *exposed = new_exposed;
        return 0;
}

int expose_port_send_rtnl(int send_fd) {
        _cleanup_close_ int fd = -1;
        int r;

        assert(send_fd >= 0);

        fd = socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE);
        if (fd < 0)
                return log_error_errno(errno, "Failed to allocate container netlink: %m");

        /* Store away the fd in the socket, so that it stays open as
         * long as we run the child */
        r = send_one_fd(send_fd, fd, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to send netlink fd: %m");

        return 0;
}

int expose_port_watch_rtnl(
                sd_event *event,
                int recv_fd,
                sd_netlink_message_handler_t handler,
                union in_addr_union *exposed,
                sd_netlink **ret) {
        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        int fd, r;

        assert(event);
        assert(recv_fd >= 0);
        assert(ret);

        fd = receive_one_fd(recv_fd, 0);
        if (fd < 0)
                return log_error_errno(fd, "Failed to recv netlink fd: %m");

        r = sd_netlink_open_fd(&rtnl, fd);
        if (r < 0) {
                safe_close(fd);
                return log_error_errno(r, "Failed to create rtnl object: %m");
        }

        r = sd_netlink_add_match(rtnl, RTM_NEWADDR, handler, exposed);
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");

        r = sd_netlink_add_match(rtnl, RTM_DELADDR, handler, exposed);
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");

        r = sd_netlink_attach_event(rtnl, event, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to add to even loop: %m");

        *ret = rtnl;
        rtnl = NULL;

        return 0;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
7a8f6325 LP	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2015 Lennart Poettering
	6
	7	systemd is free software; you can redistribute it and/or modify it
	8	under the terms of the GNU Lesser General Public License as published by
	9	the Free Software Foundation; either version 2.1 of the License, or
	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	Lesser General Public License for more details.
	16
	17	You should have received a copy of the GNU Lesser General Public License
	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
	21	#include "sd-netlink.h"
	22
b5efdb8a	23	#include "alloc-util.h"
3ffd4af2	24	#include "fd-util.h"
7a8f6325	25	#include "firewall-util.h"
07630cea	26	#include "in-addr-util.h"
7a8f6325 LP	27	#include "local-addresses.h"
7a8f6325 LP	28	#include "netlink-util.h"
3ffd4af2	29	#include "nspawn-expose-ports.h"
6bedfcbb	30	#include "parse-util.h"
2583fbea	31	#include "socket-util.h"
07630cea LP	32	#include "string-util.h"
07630cea LP	33	#include "util.h"
7a8f6325 LP	34
	35	int expose_port_parse(ExposePort *l, const char s) {
	36
	37	const char split, e;
	38	uint16_t container_port, host_port;
	39	int protocol;
	40	ExposePort *p;
	41	int r;
	42
	43	assert(l);
	44	assert(s);
	45
	46	if ((e = startswith(s, "tcp:")))
	47	protocol = IPPROTO_TCP;
	48	else if ((e = startswith(s, "udp:")))
	49	protocol = IPPROTO_UDP;
	50	else {
	51	e = s;
	52	protocol = IPPROTO_TCP;
	53	}
	54
	55	split = strchr(e, ':');
	56	if (split) {
	57	char v[split - e + 1];
	58
	59	memcpy(v, e, split - e);
	60	v[split - e] = 0;
	61
10452f7c SS	62	r = parse_ip_port(v, &host_port);
10452f7c SS	63	if (r < 0)
7a8f6325 LP	64	return -EINVAL;
7a8f6325 LP	65
10452f7c	66	r = parse_ip_port(split + 1, &container_port);
7a8f6325	67	} else {
10452f7c	68	r = parse_ip_port(e, &container_port);
7a8f6325 LP	69	host_port = container_port;
	70	}
	71
10452f7c	72	if (r < 0)
7a8f6325 LP	73	return -EINVAL;
	74
	75	LIST_FOREACH(ports, p, *l)
	76	if (p->protocol == protocol && p->host_port == host_port)
	77	return -EEXIST;
	78
	79	p = new(ExposePort, 1);
	80	if (!p)
	81	return -ENOMEM;
	82
	83	p->protocol = protocol;
	84	p->host_port = host_port;
	85	p->container_port = container_port;
	86
	87	LIST_PREPEND(ports, *l, p);
	88
	89	return 0;
	90	}
	91
	92	void expose_port_free_all(ExposePort *p) {
	93
	94	while (p) {
	95	ExposePort *q = p;
	96	LIST_REMOVE(ports, p, q);
	97	free(q);
	98	}
	99	}
	100
	101	int expose_port_flush(ExposePort* l, union in_addr_union *exposed) {
	102	ExposePort *p;
	103	int r, af = AF_INET;
	104
	105	assert(exposed);
	106
	107	if (!l)
	108	return 0;
	109
	110	if (in_addr_is_null(af, exposed))
	111	return 0;
	112
	113	log_debug("Lost IP address.");
	114
	115	LIST_FOREACH(ports, p, l) {
	116	r = fw_add_local_dnat(false,
	117	af,
	118	p->protocol,
	119	NULL,
	120	NULL, 0,
	121	NULL, 0,
	122	p->host_port,
	123	exposed,
	124	p->container_port,
	125	NULL);
	126	if (r < 0)
	127	log_warning_errno(r, "Failed to modify firewall: %m");
	128	}
	129
	130	*exposed = IN_ADDR_NULL;
	131	return 0;
	132	}
	133
	134	int expose_port_execute(sd_netlink rtnl, ExposePort l, union in_addr_union *exposed) {
	135	_cleanup_free_ struct local_address *addresses = NULL;
	136	_cleanup_free_ char *pretty = NULL;
137	union in_addr_union new_exposed;
138	ExposePort *p;
139	bool add;
140	int af = AF_INET, r;
141
142	assert(exposed);
143
144	/* Invoked each time an address is added or removed inside the
145	* container */
146
147	if (!l)
148	return 0;
149
150	r = local_addresses(rtnl, 0, af, &addresses);
151	if (r < 0)
152	return log_error_errno(r, "Failed to enumerate local addresses: %m");
153
154	add = r > 0 &&
155	addresses[0].family == af &&
156	addresses[0].scope < RT_SCOPE_LINK;
157
158	if (!add)
159	return expose_port_flush(l, exposed);
160
161	new_exposed = addresses[0].address;
162	if (in_addr_equal(af, exposed, &new_exposed))
163	return 0;
164
165	in_addr_to_string(af, &new_exposed, &pretty);
166	log_debug("New container IP is %s.", strna(pretty));
167
168	LIST_FOREACH(ports, p, l) {
169
170	r = fw_add_local_dnat(true,
171	af,
172	p->protocol,
173	NULL,
174	NULL, 0,
175	NULL, 0,
176	p->host_port,
177	&new_exposed,
178	p->container_port,
179	in_addr_is_null(af, exposed) ? NULL : exposed);
180	if (r < 0)
181	log_warning_errno(r, "Failed to modify firewall: %m");
182	}
183
184	*exposed = new_exposed;
185	return 0;
186	}
187
188	int expose_port_send_rtnl(int send_fd) {
7a8f6325	189	_cleanup_close_ int fd = -1;
d9603714	190	int r;
7a8f6325 LP	191
	192	assert(send_fd >= 0);
	193
	194	fd = socket(PF_NETLINK, SOCK_RAW\|SOCK_CLOEXEC\|SOCK_NONBLOCK, NETLINK_ROUTE);
	195	if (fd < 0)
	196	return log_error_errno(errno, "Failed to allocate container netlink: %m");
	197
7a8f6325 LP	198	/* Store away the fd in the socket, so that it stays open as
7a8f6325 LP	199	* long as we run the child */
3ee897d6	200	r = send_one_fd(send_fd, fd, 0);
d9603714 DH	201	if (r < 0)
d9603714 DH	202	return log_error_errno(r, "Failed to send netlink fd: %m");
7a8f6325 LP	203
	204	return 0;
	205	}
	206
	207	int expose_port_watch_rtnl(
	208	sd_event *event,
	209	int recv_fd,
	210	sd_netlink_message_handler_t handler,
	211	union in_addr_union *exposed,
	212	sd_netlink **ret) {
4afd3348	213	_cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
7a8f6325	214	int fd, r;
7a8f6325 LP	215
	216	assert(event);
	217	assert(recv_fd >= 0);
	218	assert(ret);
	219
3ee897d6	220	fd = receive_one_fd(recv_fd, 0);
d9603714 DH	221	if (fd < 0)
d9603714 DH	222	return log_error_errno(fd, "Failed to recv netlink fd: %m");
7a8f6325 LP	223
	224	r = sd_netlink_open_fd(&rtnl, fd);
	225	if (r < 0) {
	226	safe_close(fd);
	227	return log_error_errno(r, "Failed to create rtnl object: %m");
	228	}
	229
	230	r = sd_netlink_add_match(rtnl, RTM_NEWADDR, handler, exposed);
	231	if (r < 0)
	232	return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");
	233
	234	r = sd_netlink_add_match(rtnl, RTM_DELADDR, handler, exposed);
	235	if (r < 0)
	236	return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");
	237
	238	r = sd_netlink_attach_event(rtnl, event, 0);
	239	if (r < 0)
	240	return log_error_errno(r, "Failed to add to even loop: %m");
	241
	242	*ret = rtnl;
	243	rtnl = NULL;
	244
	245	return 0;
	246	}