[thirdparty/systemd.git] / src / nspawn / nspawn-expose-ports.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include "sd-netlink.h"

#include "firewall-util.h"
#include "in-addr-util.h"
#include "local-addresses.h"
#include "netlink-util.h"
#include "string-util.h"
#include "util.h"
#include "nspawn-expose-ports.h"

int expose_port_parse(ExposePort **l, const char *s) {

        const char *split, *e;
        uint16_t container_port, host_port;
        int protocol;
        ExposePort *p;
        int r;

        assert(l);
        assert(s);

        if ((e = startswith(s, "tcp:")))
                protocol = IPPROTO_TCP;
        else if ((e = startswith(s, "udp:")))
                protocol = IPPROTO_UDP;
        else {
                e = s;
                protocol = IPPROTO_TCP;
        }

        split = strchr(e, ':');
        if (split) {
                char v[split - e + 1];

                memcpy(v, e, split - e);
                v[split - e] = 0;

                r = safe_atou16(v, &host_port);
                if (r < 0 || host_port <= 0)
                        return -EINVAL;

                r = safe_atou16(split + 1, &container_port);
        } else {
                r = safe_atou16(e, &container_port);
                host_port = container_port;
        }

        if (r < 0 || container_port <= 0)
                return -EINVAL;

        LIST_FOREACH(ports, p, *l)
                if (p->protocol == protocol && p->host_port == host_port)
                        return -EEXIST;

        p = new(ExposePort, 1);
        if (!p)
                return -ENOMEM;

        p->protocol = protocol;
        p->host_port = host_port;
        p->container_port = container_port;

        LIST_PREPEND(ports, *l, p);

        return 0;
}

void expose_port_free_all(ExposePort *p) {

        while (p) {
                ExposePort *q = p;
                LIST_REMOVE(ports, p, q);
                free(q);
        }
}

int expose_port_flush(ExposePort* l, union in_addr_union *exposed) {
        ExposePort *p;
        int r, af = AF_INET;

        assert(exposed);

        if (!l)
                return 0;

        if (in_addr_is_null(af, exposed))
                return 0;

        log_debug("Lost IP address.");

        LIST_FOREACH(ports, p, l) {
                r = fw_add_local_dnat(false,
                                      af,
                                      p->protocol,
                                      NULL,
                                      NULL, 0,
                                      NULL, 0,
                                      p->host_port,
                                      exposed,
                                      p->container_port,
                                      NULL);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify firewall: %m");
        }

        *exposed = IN_ADDR_NULL;
        return 0;
}

int expose_port_execute(sd_netlink *rtnl, ExposePort *l, union in_addr_union *exposed) {
        _cleanup_free_ struct local_address *addresses = NULL;
        _cleanup_free_ char *pretty = NULL;
        union in_addr_union new_exposed;
        ExposePort *p;
        bool add;
        int af = AF_INET, r;

        assert(exposed);

        /* Invoked each time an address is added or removed inside the
         * container */

        if (!l)
                return 0;

        r = local_addresses(rtnl, 0, af, &addresses);
        if (r < 0)
                return log_error_errno(r, "Failed to enumerate local addresses: %m");

        add = r > 0 &&
                addresses[0].family == af &&
                addresses[0].scope < RT_SCOPE_LINK;

        if (!add)
                return expose_port_flush(l, exposed);

        new_exposed = addresses[0].address;
        if (in_addr_equal(af, exposed, &new_exposed))
                return 0;

        in_addr_to_string(af, &new_exposed, &pretty);
        log_debug("New container IP is %s.", strna(pretty));

        LIST_FOREACH(ports, p, l) {

                r = fw_add_local_dnat(true,
                                      af,
                                      p->protocol,
                                      NULL,
                                      NULL, 0,
                                      NULL, 0,
                                      p->host_port,
                                      &new_exposed,
                                      p->container_port,
                                      in_addr_is_null(af, exposed) ? NULL : exposed);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify firewall: %m");
        }

        *exposed = new_exposed;
        return 0;
}

int expose_port_send_rtnl(int send_fd) {
        _cleanup_close_ int fd = -1;
        int r;

        assert(send_fd >= 0);

        fd = socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE);
        if (fd < 0)
                return log_error_errno(errno, "Failed to allocate container netlink: %m");

        /* Store away the fd in the socket, so that it stays open as
         * long as we run the child */
        r = send_one_fd(send_fd, fd, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to send netlink fd: %m");

        return 0;
}

int expose_port_watch_rtnl(
                sd_event *event,
                int recv_fd,
                sd_netlink_message_handler_t handler,
                union in_addr_union *exposed,
                sd_netlink **ret) {
        _cleanup_netlink_unref_ sd_netlink *rtnl = NULL;
        int fd, r;

        assert(event);
        assert(recv_fd >= 0);
        assert(ret);

        fd = receive_one_fd(recv_fd, 0);
        if (fd < 0)
                return log_error_errno(fd, "Failed to recv netlink fd: %m");

        r = sd_netlink_open_fd(&rtnl, fd);
        if (r < 0) {
                safe_close(fd);
                return log_error_errno(r, "Failed to create rtnl object: %m");
        }

        r = sd_netlink_add_match(rtnl, RTM_NEWADDR, handler, exposed);
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");

        r = sd_netlink_add_match(rtnl, RTM_DELADDR, handler, exposed);
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");

        r = sd_netlink_attach_event(rtnl, event, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to add to even loop: %m");

        *ret = rtnl;
        rtnl = NULL;

        return 0;
}
Commit	Line	Data
7a8f6325 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2015 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include "sd-netlink.h"
	23
7a8f6325	24	#include "firewall-util.h"
07630cea	25	#include "in-addr-util.h"
7a8f6325 LP	26	#include "local-addresses.h"
7a8f6325 LP	27	#include "netlink-util.h"
07630cea LP	28	#include "string-util.h"
07630cea LP	29	#include "util.h"
7a8f6325 LP	30	#include "nspawn-expose-ports.h"
	31
	32	int expose_port_parse(ExposePort *l, const char s) {
	33
	34	const char split, e;
	35	uint16_t container_port, host_port;
	36	int protocol;
	37	ExposePort *p;
	38	int r;
	39
	40	assert(l);
	41	assert(s);
	42
	43	if ((e = startswith(s, "tcp:")))
	44	protocol = IPPROTO_TCP;
	45	else if ((e = startswith(s, "udp:")))
	46	protocol = IPPROTO_UDP;
	47	else {
	48	e = s;
	49	protocol = IPPROTO_TCP;
	50	}
	51
	52	split = strchr(e, ':');
	53	if (split) {
	54	char v[split - e + 1];
	55
	56	memcpy(v, e, split - e);
	57	v[split - e] = 0;
	58
	59	r = safe_atou16(v, &host_port);
	60	if (r < 0 \|\| host_port <= 0)
	61	return -EINVAL;
	62
	63	r = safe_atou16(split + 1, &container_port);
	64	} else {
	65	r = safe_atou16(e, &container_port);
	66	host_port = container_port;
	67	}
	68
	69	if (r < 0 \|\| container_port <= 0)
	70	return -EINVAL;
	71
	72	LIST_FOREACH(ports, p, *l)
	73	if (p->protocol == protocol && p->host_port == host_port)
	74	return -EEXIST;
	75
	76	p = new(ExposePort, 1);
	77	if (!p)
	78	return -ENOMEM;
	79
	80	p->protocol = protocol;
	81	p->host_port = host_port;
	82	p->container_port = container_port;
	83
	84	LIST_PREPEND(ports, *l, p);
	85
	86	return 0;
	87	}
	88
	89	void expose_port_free_all(ExposePort *p) {
	90
	91	while (p) {
	92	ExposePort *q = p;
	93	LIST_REMOVE(ports, p, q);
94	free(q);
95	}
96	}
97
98	int expose_port_flush(ExposePort* l, union in_addr_union *exposed) {
99	ExposePort *p;
100	int r, af = AF_INET;
101
102	assert(exposed);
103
104	if (!l)
105	return 0;
106
107	if (in_addr_is_null(af, exposed))
108	return 0;
109
110	log_debug("Lost IP address.");
111
112	LIST_FOREACH(ports, p, l) {
113	r = fw_add_local_dnat(false,
114	af,
115	p->protocol,
116	NULL,
117	NULL, 0,
118	NULL, 0,
119	p->host_port,
120	exposed,
121	p->container_port,
122	NULL);
123	if (r < 0)
124	log_warning_errno(r, "Failed to modify firewall: %m");
125	}
126
127	*exposed = IN_ADDR_NULL;
128	return 0;
129	}
130
131	int expose_port_execute(sd_netlink rtnl, ExposePort l, union in_addr_union *exposed) {
132	_cleanup_free_ struct local_address *addresses = NULL;
133	_cleanup_free_ char *pretty = NULL;
134	union in_addr_union new_exposed;
135	ExposePort *p;
136	bool add;
137	int af = AF_INET, r;
138
139	assert(exposed);
140
141	/* Invoked each time an address is added or removed inside the
142	* container */
143
144	if (!l)
145	return 0;
146
147	r = local_addresses(rtnl, 0, af, &addresses);
148	if (r < 0)
149	return log_error_errno(r, "Failed to enumerate local addresses: %m");
150
151	add = r > 0 &&
152	addresses[0].family == af &&
153	addresses[0].scope < RT_SCOPE_LINK;
154
155	if (!add)
156	return expose_port_flush(l, exposed);
157
158	new_exposed = addresses[0].address;
159	if (in_addr_equal(af, exposed, &new_exposed))
160	return 0;
161
162	in_addr_to_string(af, &new_exposed, &pretty);
163	log_debug("New container IP is %s.", strna(pretty));
164
165	LIST_FOREACH(ports, p, l) {
166
167	r = fw_add_local_dnat(true,
168	af,
169	p->protocol,
170	NULL,
171	NULL, 0,
172	NULL, 0,
173	p->host_port,
174	&new_exposed,
175	p->container_port,
176	in_addr_is_null(af, exposed) ? NULL : exposed);
177	if (r < 0)
178	log_warning_errno(r, "Failed to modify firewall: %m");
179	}
180
181	*exposed = new_exposed;
182	return 0;
183	}
184
185	int expose_port_send_rtnl(int send_fd) {
7a8f6325	186	_cleanup_close_ int fd = -1;
d9603714	187	int r;
7a8f6325 LP	188
	189	assert(send_fd >= 0);
	190
	191	fd = socket(PF_NETLINK, SOCK_RAW\|SOCK_CLOEXEC\|SOCK_NONBLOCK, NETLINK_ROUTE);
	192	if (fd < 0)
	193	return log_error_errno(errno, "Failed to allocate container netlink: %m");
	194
7a8f6325 LP	195	/* Store away the fd in the socket, so that it stays open as
7a8f6325 LP	196	* long as we run the child */
3ee897d6	197	r = send_one_fd(send_fd, fd, 0);
d9603714 DH	198	if (r < 0)
d9603714 DH	199	return log_error_errno(r, "Failed to send netlink fd: %m");
7a8f6325 LP	200
	201	return 0;
	202	}
	203
	204	int expose_port_watch_rtnl(
	205	sd_event *event,
	206	int recv_fd,
	207	sd_netlink_message_handler_t handler,
	208	union in_addr_union *exposed,
	209	sd_netlink **ret) {
7a8f6325 LP	210	_cleanup_netlink_unref_ sd_netlink *rtnl = NULL;
7a8f6325 LP	211	int fd, r;
7a8f6325 LP	212
	213	assert(event);
	214	assert(recv_fd >= 0);
	215	assert(ret);
	216
3ee897d6	217	fd = receive_one_fd(recv_fd, 0);
d9603714 DH	218	if (fd < 0)
d9603714 DH	219	return log_error_errno(fd, "Failed to recv netlink fd: %m");
7a8f6325 LP	220
	221	r = sd_netlink_open_fd(&rtnl, fd);
	222	if (r < 0) {
	223	safe_close(fd);
	224	return log_error_errno(r, "Failed to create rtnl object: %m");
	225	}
	226
	227	r = sd_netlink_add_match(rtnl, RTM_NEWADDR, handler, exposed);
	228	if (r < 0)
	229	return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");
	230
	231	r = sd_netlink_add_match(rtnl, RTM_DELADDR, handler, exposed);
	232	if (r < 0)
	233	return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");
	234
	235	r = sd_netlink_attach_event(rtnl, event, 0);
	236	if (r < 0)
	237	return log_error_errno(r, "Failed to add to even loop: %m");
	238
	239	*ret = rtnl;
	240	rtnl = NULL;
	241
	242	return 0;
	243	}