]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-expose-ports.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tree-wide: use -EBADF for fd initialization
[thirdparty/systemd.git] / src / nspawn / nspawn-expose-ports.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "sd-netlink.h"
4
5 #include "af-list.h"
6 #include "alloc-util.h"
7 #include "fd-util.h"
8 #include "firewall-util.h"
9 #include "in-addr-util.h"
10 #include "local-addresses.h"
11 #include "netlink-util.h"
12 #include "nspawn-expose-ports.h"
13 #include "parse-util.h"
14 #include "socket-util.h"
15 #include "string-util.h"
16
17 int expose_port_parse(ExposePort **l, const char *s) {
18 const char *split, *e;
19 uint16_t container_port, host_port;
20 ExposePort *port;
21 int protocol;
22 int r;
23
24 assert(l);
25 assert(s);
26
27 if ((e = startswith(s, "tcp:")))
28 protocol = IPPROTO_TCP;
29 else if ((e = startswith(s, "udp:")))
30 protocol = IPPROTO_UDP;
31 else {
32 e = s;
33 protocol = IPPROTO_TCP;
34 }
35
36 split = strchr(e, ':');
37 if (split) {
38 char v[split - e + 1];
39
40 memcpy(v, e, split - e);
41 v[split - e] = 0;
42
43 r = parse_ip_port(v, &host_port);
44 if (r < 0)
45 return -EINVAL;
46
47 r = parse_ip_port(split + 1, &container_port);
48 } else {
49 r = parse_ip_port(e, &container_port);
50 host_port = container_port;
51 }
52
53 if (r < 0)
54 return r;
55
56 LIST_FOREACH(ports, p, *l)
57 if (p->protocol == protocol && p->host_port == host_port)
58 return -EEXIST;
59
60 port = new(ExposePort, 1);
61 if (!port)
62 return -ENOMEM;
63
64 *port = (ExposePort) {
65 .protocol = protocol,
66 .host_port = host_port,
67 .container_port = container_port,
68 };
69
70 LIST_PREPEND(ports, *l, port);
71
72 return 0;
73 }
74
75 void expose_port_free_all(ExposePort *p) {
76
77 while (p) {
78 ExposePort *q = p;
79 LIST_REMOVE(ports, p, q);
80 free(q);
81 }
82 }
83
84 int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed) {
85 int r;
86
87 assert(exposed);
88
89 if (!l)
90 return 0;
91
92 if (!in_addr_is_set(af, exposed))
93 return 0;
94
95 log_debug("Lost IP address.");
96
97 LIST_FOREACH(ports, p, l) {
98 r = fw_add_local_dnat(fw_ctx,
99 false,
100 af,
101 p->protocol,
102 p->host_port,
103 exposed,
104 p->container_port,
105 NULL);
106 if (r < 0)
107 log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
108 }
109
110 *exposed = IN_ADDR_NULL;
111 return 0;
112 }
113
114 int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed) {
115 _cleanup_free_ struct local_address *addresses = NULL;
116 union in_addr_union new_exposed;
117 bool add;
118 int r;
119
120 assert(exposed);
121
122 /* Invoked each time an address is added or removed inside the
123 * container */
124
125 if (!l)
126 return 0;
127
128 r = local_addresses(rtnl, 0, af, &addresses);
129 if (r < 0)
130 return log_error_errno(r, "Failed to enumerate local addresses: %m");
131
132 add = r > 0 &&
133 addresses[0].family == af &&
134 addresses[0].scope < RT_SCOPE_LINK;
135
136 if (!add)
137 return expose_port_flush(fw_ctx, l, af, exposed);
138
139 new_exposed = addresses[0].address;
140 if (in_addr_equal(af, exposed, &new_exposed))
141 return 0;
142
143 log_debug("New container IP is %s.", IN_ADDR_TO_STRING(af, &new_exposed));
144
145 LIST_FOREACH(ports, p, l) {
146 r = fw_add_local_dnat(fw_ctx,
147 true,
148 af,
149 p->protocol,
150 p->host_port,
151 &new_exposed,
152 p->container_port,
153 in_addr_is_set(af, exposed) ? exposed : NULL);
154 if (r < 0)
155 log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
156 }
157
158 *exposed = new_exposed;
159 return 0;
160 }
161
162 int expose_port_send_rtnl(int send_fd) {
163 _cleanup_close_ int fd = -EBADF;
164 int r;
165
166 assert(send_fd >= 0);
167
168 fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE);
169 if (fd < 0)
170 return log_error_errno(errno, "Failed to allocate container netlink: %m");
171
172 /* Store away the fd in the socket, so that it stays open as
173 * long as we run the child */
174 r = send_one_fd(send_fd, fd, 0);
175 if (r < 0)
176 return log_error_errno(r, "Failed to send netlink fd: %m");
177
178 return 0;
179 }
180
181 int expose_port_watch_rtnl(
182 sd_event *event,
183 int recv_fd,
184 sd_netlink_message_handler_t handler,
185 void *userdata,
186 sd_netlink **ret) {
187 _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
188 int fd, r;
189
190 assert(event);
191 assert(recv_fd >= 0);
192 assert(ret);
193
194 fd = receive_one_fd(recv_fd, 0);
195 if (fd < 0)
196 return log_error_errno(fd, "Failed to recv netlink fd: %m");
197
198 r = sd_netlink_open_fd(&rtnl, fd);
199 if (r < 0) {
200 safe_close(fd);
201 return log_error_errno(r, "Failed to create rtnl object: %m");
202 }
203
204 r = sd_netlink_add_match(rtnl, NULL, RTM_NEWADDR, handler, NULL, userdata, "nspawn-NEWADDR");
205 if (r < 0)
206 return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");
207
208 r = sd_netlink_add_match(rtnl, NULL, RTM_DELADDR, handler, NULL, userdata, "nspawn-DELADDR");
209 if (r < 0)
210 return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");
211
212 r = sd_netlink_attach_event(rtnl, event, 0);
213 if (r < 0)
214 return log_error_errno(r, "Failed to add to event loop: %m");
215
216 *ret = TAKE_PTR(rtnl);
217
218 return 0;
219 }
Unnamed repository; edit this file 'description' to name the repository.