[thirdparty/systemd.git] / src / nspawn / nspawn-expose-ports.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include "sd-netlink.h"

#include "fd-util.h"
#include "firewall-util.h"
#include "in-addr-util.h"
#include "local-addresses.h"
#include "netlink-util.h"
#include "nspawn-expose-ports.h"
#include "string-util.h"
#include "util.h"

int expose_port_parse(ExposePort **l, const char *s) {

        const char *split, *e;
        uint16_t container_port, host_port;
        int protocol;
        ExposePort *p;
        int r;

        assert(l);
        assert(s);

        if ((e = startswith(s, "tcp:")))
                protocol = IPPROTO_TCP;
        else if ((e = startswith(s, "udp:")))
                protocol = IPPROTO_UDP;
        else {
                e = s;
                protocol = IPPROTO_TCP;
        }

        split = strchr(e, ':');
        if (split) {
                char v[split - e + 1];

                memcpy(v, e, split - e);
                v[split - e] = 0;

                r = safe_atou16(v, &host_port);
                if (r < 0 || host_port <= 0)
                        return -EINVAL;

                r = safe_atou16(split + 1, &container_port);
        } else {
                r = safe_atou16(e, &container_port);
                host_port = container_port;
        }

        if (r < 0 || container_port <= 0)
                return -EINVAL;

        LIST_FOREACH(ports, p, *l)
                if (p->protocol == protocol && p->host_port == host_port)
                        return -EEXIST;

        p = new(ExposePort, 1);
        if (!p)
                return -ENOMEM;

        p->protocol = protocol;
        p->host_port = host_port;
        p->container_port = container_port;

        LIST_PREPEND(ports, *l, p);

        return 0;
}

void expose_port_free_all(ExposePort *p) {

        while (p) {
                ExposePort *q = p;
                LIST_REMOVE(ports, p, q);
                free(q);
        }
}

int expose_port_flush(ExposePort* l, union in_addr_union *exposed) {
        ExposePort *p;
        int r, af = AF_INET;

        assert(exposed);

        if (!l)
                return 0;

        if (in_addr_is_null(af, exposed))
                return 0;

        log_debug("Lost IP address.");

        LIST_FOREACH(ports, p, l) {
                r = fw_add_local_dnat(false,
                                      af,
                                      p->protocol,
                                      NULL,
                                      NULL, 0,
                                      NULL, 0,
                                      p->host_port,
                                      exposed,
                                      p->container_port,
                                      NULL);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify firewall: %m");
        }

        *exposed = IN_ADDR_NULL;
        return 0;
}

int expose_port_execute(sd_netlink *rtnl, ExposePort *l, union in_addr_union *exposed) {
        _cleanup_free_ struct local_address *addresses = NULL;
        _cleanup_free_ char *pretty = NULL;
        union in_addr_union new_exposed;
        ExposePort *p;
        bool add;
        int af = AF_INET, r;

        assert(exposed);

        /* Invoked each time an address is added or removed inside the
         * container */

        if (!l)
                return 0;

        r = local_addresses(rtnl, 0, af, &addresses);
        if (r < 0)
                return log_error_errno(r, "Failed to enumerate local addresses: %m");

        add = r > 0 &&
                addresses[0].family == af &&
                addresses[0].scope < RT_SCOPE_LINK;

        if (!add)
                return expose_port_flush(l, exposed);

        new_exposed = addresses[0].address;
        if (in_addr_equal(af, exposed, &new_exposed))
                return 0;

        in_addr_to_string(af, &new_exposed, &pretty);
        log_debug("New container IP is %s.", strna(pretty));

        LIST_FOREACH(ports, p, l) {

                r = fw_add_local_dnat(true,
                                      af,
                                      p->protocol,
                                      NULL,
                                      NULL, 0,
                                      NULL, 0,
                                      p->host_port,
                                      &new_exposed,
                                      p->container_port,
                                      in_addr_is_null(af, exposed) ? NULL : exposed);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify firewall: %m");
        }

        *exposed = new_exposed;
        return 0;
}

int expose_port_send_rtnl(int send_fd) {
        _cleanup_close_ int fd = -1;
        int r;

        assert(send_fd >= 0);

        fd = socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE);
        if (fd < 0)
                return log_error_errno(errno, "Failed to allocate container netlink: %m");

        /* Store away the fd in the socket, so that it stays open as
         * long as we run the child */
        r = send_one_fd(send_fd, fd, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to send netlink fd: %m");

        return 0;
}

int expose_port_watch_rtnl(
                sd_event *event,
                int recv_fd,
                sd_netlink_message_handler_t handler,
                union in_addr_union *exposed,
                sd_netlink **ret) {
        _cleanup_netlink_unref_ sd_netlink *rtnl = NULL;
        int fd, r;

        assert(event);
        assert(recv_fd >= 0);
        assert(ret);

        fd = receive_one_fd(recv_fd, 0);
        if (fd < 0)
                return log_error_errno(fd, "Failed to recv netlink fd: %m");

        r = sd_netlink_open_fd(&rtnl, fd);
        if (r < 0) {
                safe_close(fd);
                return log_error_errno(r, "Failed to create rtnl object: %m");
        }

        r = sd_netlink_add_match(rtnl, RTM_NEWADDR, handler, exposed);
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");

        r = sd_netlink_add_match(rtnl, RTM_DELADDR, handler, exposed);
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");

        r = sd_netlink_attach_event(rtnl, event, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to add to even loop: %m");

        *ret = rtnl;
        rtnl = NULL;

        return 0;
}
Commit	Line	Data
7a8f6325 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2015 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include "sd-netlink.h"
	23
3ffd4af2	24	#include "fd-util.h"
7a8f6325	25	#include "firewall-util.h"
07630cea	26	#include "in-addr-util.h"
7a8f6325 LP	27	#include "local-addresses.h"
7a8f6325 LP	28	#include "netlink-util.h"
3ffd4af2	29	#include "nspawn-expose-ports.h"
07630cea LP	30	#include "string-util.h"
07630cea LP	31	#include "util.h"
7a8f6325 LP	32
	33	int expose_port_parse(ExposePort *l, const char s) {
	34
	35	const char split, e;
	36	uint16_t container_port, host_port;
	37	int protocol;
	38	ExposePort *p;
	39	int r;
	40
	41	assert(l);
	42	assert(s);
	43
	44	if ((e = startswith(s, "tcp:")))
	45	protocol = IPPROTO_TCP;
	46	else if ((e = startswith(s, "udp:")))
	47	protocol = IPPROTO_UDP;
	48	else {
	49	e = s;
	50	protocol = IPPROTO_TCP;
	51	}
	52
	53	split = strchr(e, ':');
	54	if (split) {
	55	char v[split - e + 1];
	56
	57	memcpy(v, e, split - e);
	58	v[split - e] = 0;
	59
	60	r = safe_atou16(v, &host_port);
	61	if (r < 0 \|\| host_port <= 0)
	62	return -EINVAL;
	63
	64	r = safe_atou16(split + 1, &container_port);
	65	} else {
	66	r = safe_atou16(e, &container_port);
	67	host_port = container_port;
	68	}
	69
	70	if (r < 0 \|\| container_port <= 0)
	71	return -EINVAL;
	72
	73	LIST_FOREACH(ports, p, *l)
	74	if (p->protocol == protocol && p->host_port == host_port)
	75	return -EEXIST;
	76
	77	p = new(ExposePort, 1);
	78	if (!p)
	79	return -ENOMEM;
	80
	81	p->protocol = protocol;
	82	p->host_port = host_port;
	83	p->container_port = container_port;
	84
	85	LIST_PREPEND(ports, *l, p);
	86
	87	return 0;
	88	}
	89
	90	void expose_port_free_all(ExposePort *p) {
	91
	92	while (p) {
	93	ExposePort *q = p;
	94	LIST_REMOVE(ports, p, q);
	95	free(q);
96	}
97	}
98
99	int expose_port_flush(ExposePort* l, union in_addr_union *exposed) {
100	ExposePort *p;
101	int r, af = AF_INET;
102
103	assert(exposed);
104
105	if (!l)
106	return 0;
107
108	if (in_addr_is_null(af, exposed))
109	return 0;
110
111	log_debug("Lost IP address.");
112
113	LIST_FOREACH(ports, p, l) {
114	r = fw_add_local_dnat(false,
115	af,
116	p->protocol,
117	NULL,
118	NULL, 0,
119	NULL, 0,
120	p->host_port,
121	exposed,
122	p->container_port,
123	NULL);
124	if (r < 0)
125	log_warning_errno(r, "Failed to modify firewall: %m");
126	}
127
128	*exposed = IN_ADDR_NULL;
129	return 0;
130	}
131
132	int expose_port_execute(sd_netlink rtnl, ExposePort l, union in_addr_union *exposed) {
133	_cleanup_free_ struct local_address *addresses = NULL;
134	_cleanup_free_ char *pretty = NULL;
135	union in_addr_union new_exposed;
136	ExposePort *p;
137	bool add;
138	int af = AF_INET, r;
139
140	assert(exposed);
141
142	/* Invoked each time an address is added or removed inside the
143	* container */
144
145	if (!l)
146	return 0;
147
148	r = local_addresses(rtnl, 0, af, &addresses);
149	if (r < 0)
150	return log_error_errno(r, "Failed to enumerate local addresses: %m");
151
152	add = r > 0 &&
153	addresses[0].family == af &&
154	addresses[0].scope < RT_SCOPE_LINK;
155
156	if (!add)
157	return expose_port_flush(l, exposed);
158
159	new_exposed = addresses[0].address;
160	if (in_addr_equal(af, exposed, &new_exposed))
161	return 0;
162
163	in_addr_to_string(af, &new_exposed, &pretty);
164	log_debug("New container IP is %s.", strna(pretty));
165
166	LIST_FOREACH(ports, p, l) {
167
168	r = fw_add_local_dnat(true,
169	af,
170	p->protocol,
171	NULL,
172	NULL, 0,
173	NULL, 0,
174	p->host_port,
175	&new_exposed,
176	p->container_port,
177	in_addr_is_null(af, exposed) ? NULL : exposed);
178	if (r < 0)
179	log_warning_errno(r, "Failed to modify firewall: %m");
180	}
181
182	*exposed = new_exposed;
183	return 0;
184	}
185
186	int expose_port_send_rtnl(int send_fd) {
7a8f6325	187	_cleanup_close_ int fd = -1;
d9603714	188	int r;
7a8f6325 LP	189
	190	assert(send_fd >= 0);
	191
	192	fd = socket(PF_NETLINK, SOCK_RAW\|SOCK_CLOEXEC\|SOCK_NONBLOCK, NETLINK_ROUTE);
	193	if (fd < 0)
	194	return log_error_errno(errno, "Failed to allocate container netlink: %m");
	195
7a8f6325 LP	196	/* Store away the fd in the socket, so that it stays open as
7a8f6325 LP	197	* long as we run the child */
3ee897d6	198	r = send_one_fd(send_fd, fd, 0);
d9603714 DH	199	if (r < 0)
d9603714 DH	200	return log_error_errno(r, "Failed to send netlink fd: %m");
7a8f6325 LP	201
	202	return 0;
	203	}
	204
	205	int expose_port_watch_rtnl(
	206	sd_event *event,
	207	int recv_fd,
	208	sd_netlink_message_handler_t handler,
	209	union in_addr_union *exposed,
	210	sd_netlink **ret) {
7a8f6325 LP	211	_cleanup_netlink_unref_ sd_netlink *rtnl = NULL;
7a8f6325 LP	212	int fd, r;
7a8f6325 LP	213
	214	assert(event);
	215	assert(recv_fd >= 0);
	216	assert(ret);
	217
3ee897d6	218	fd = receive_one_fd(recv_fd, 0);
d9603714 DH	219	if (fd < 0)
d9603714 DH	220	return log_error_errno(fd, "Failed to recv netlink fd: %m");
7a8f6325 LP	221
	222	r = sd_netlink_open_fd(&rtnl, fd);
	223	if (r < 0) {
	224	safe_close(fd);
	225	return log_error_errno(r, "Failed to create rtnl object: %m");
	226	}
	227
	228	r = sd_netlink_add_match(rtnl, RTM_NEWADDR, handler, exposed);
	229	if (r < 0)
	230	return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");
	231
	232	r = sd_netlink_add_match(rtnl, RTM_DELADDR, handler, exposed);
	233	if (r < 0)
	234	return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");
	235
	236	r = sd_netlink_attach_event(rtnl, event, 0);
	237	if (r < 0)
	238	return log_error_errno(r, "Failed to add to even loop: %m");
	239
	240	*ret = rtnl;
	241	rtnl = NULL;
	242
	243	return 0;
	244	}