From: Lennart Poettering Date: Thu, 2 Nov 2023 14:58:50 +0000 (+0100) Subject: firewall: allow selecting firewall backend via env var X-Git-Tag: v255-rc1~34^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d54c747f7ecff80874f75c27056c879034bb38bc;p=thirdparty%2Fsystemd.git firewall: allow selecting firewall backend via env var --- diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md index 3a42774212e..a884ed86ac1 100644 --- a/docs/ENVIRONMENT.md +++ b/docs/ENVIRONMENT.md @@ -573,3 +573,9 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \ * `$SYSTEMD_REPART_OVERRIDE_FSTYPE` – if set the value will override the file system type specified in Format= lines in partition definition files. + +`systemd-nspawn`, `systemd-networkd`: + +* `$SYSTEMD_FIREWALL_BACKEND` – takes a string, either `iptables` or + `nftables`. Selects the firewall backend to use. If not specified tries to + use `nftables` and falls back to `iptables` if that's not available. diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c index ba3e9cbc5e0..764ef5a0189 100644 --- a/src/shared/firewall-util.c +++ b/src/shared/firewall-util.c 
@@ -21,19 +21,38 @@ static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
 DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
 
 static void firewall_backend_probe(FirewallContext *ctx, bool init_tables) {
+ const char *e;
+
 assert(ctx);
 
 if (ctx->backend != _FW_BACKEND_INVALID)
 return;
 
- if (fw_nftables_init_full(ctx, init_tables) >= 0)
- ctx->backend = FW_BACKEND_NFTABLES;
- else
+ e = secure_getenv("SYSTEMD_FIREWALL_BACKEND");
+ if (e) {
+ if (streq(e, "nftables"))
+ ctx->backend = FW_BACKEND_NFTABLES;
+ else if (streq(e, "iptables"))
 #if HAVE_LIBIPTC
- ctx->backend = FW_BACKEND_IPTABLES;
+ ctx->backend = FW_BACKEND_IPTABLES;
 #else
- ctx->backend = FW_BACKEND_NONE;
+ log_debug("Unsupported firewall backend requested, ignoring: %s", e);
 #endif
+ else
+ log_debug("Unrecognized $SYSTEMD_FIREWALL_BACKEND value, ignoring: %s", e);
+ }
+
+ if (ctx->backend == _FW_BACKEND_INVALID) {
+
+ if (fw_nftables_init_full(ctx, init_tables) >= 0)
+ ctx->backend = FW_BACKEND_NFTABLES;
+ else
+#if HAVE_LIBIPTC
+ ctx->backend = FW_BACKEND_IPTABLES;
+#else
+ ctx->backend = FW_BACKEND_NONE;
+#endif
+ }
 
 if (ctx->backend != FW_BACKEND_NONE)
 log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
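Review bot: When `SYSTEMD_FIREWALL_BACKEND=nftables` is set, the new branch assigns `ctx->backend = FW_BACKEND_NFTABLES` directly and the following `if (ctx->backend == _FW_BACKEND_INVALID)` block is skipped, so `fw_nftables_init_full(ctx, init_tables)` is never called on that path, whereas the probe path only selects nftables after that call succeeds. If callers rely on the state that init establishes (presumably the netlink context and, with `init_tables`, the tables themselves), a forced nftables selection leaves it uninitialized and the failure mode moves from a logged fallback to whatever the first rule operation does — worth confirming against the nft helpers before merging. Running the init inside the forced branch and only selecting nftables when it succeeds keeps the environment override while preserving that invariant; a rewrite is sketched below. Using `secure_getenv()` rather than `getenv()` is the right call here, since the variable is then ignored for AT_SECURE (setuid / capability-bearing) processes. The function's closing brace lies outside the hunk.
```c
        if (streq(e, "nftables")) {
                /* Honour the request, but keep the invariant that nftables is
                 * only selected once its initialization actually succeeded. */
                if (fw_nftables_init_full(ctx, init_tables) >= 0)
                        ctx->backend = FW_BACKEND_NFTABLES;
                else
                        log_debug("nftables backend requested via $SYSTEMD_FIREWALL_BACKEND, but initialization failed, ignoring.");
        } else if (streq(e, "iptables"))
        /* … unchanged: HAVE_LIBIPTC-guarded iptables selection and the unrecognized-value log … */
```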