[thirdparty/systemd.git] / src / nspawn / nspawn-expose-ports.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include "sd-netlink.h"

#include "alloc-util.h"
#include "fd-util.h"
#include "firewall-util.h"
#include "in-addr-util.h"
#include "local-addresses.h"
#include "netlink-util.h"
#include "nspawn-expose-ports.h"
#include "parse-util.h"
#include "socket-util.h"
#include "string-util.h"
#include "util.h"

int expose_port_parse(ExposePort **l, const char *s) {

        const char *split, *e;
        uint16_t container_port, host_port;
        int protocol;
        ExposePort *p;
        int r;

        assert(l);
        assert(s);

        if ((e = startswith(s, "tcp:")))
                protocol = IPPROTO_TCP;
        else if ((e = startswith(s, "udp:")))
                protocol = IPPROTO_UDP;
        else {
                e = s;
                protocol = IPPROTO_TCP;
        }

        split = strchr(e, ':');
        if (split) {
                char v[split - e + 1];

                memcpy(v, e, split - e);
                v[split - e] = 0;

                r = parse_ip_port(v, &host_port);
                if (r < 0)
                        return -EINVAL;

                r = parse_ip_port(split + 1, &container_port);
        } else {
                r = parse_ip_port(e, &container_port);
                host_port = container_port;
        }

        if (r < 0)
                return -EINVAL;

        LIST_FOREACH(ports, p, *l)
                if (p->protocol == protocol && p->host_port == host_port)
                        return -EEXIST;

        p = new(ExposePort, 1);
        if (!p)
                return -ENOMEM;

        p->protocol = protocol;
        p->host_port = host_port;
        p->container_port = container_port;

        LIST_PREPEND(ports, *l, p);

        return 0;
}

void expose_port_free_all(ExposePort *p) {

        while (p) {
                ExposePort *q = p;
                LIST_REMOVE(ports, p, q);
                free(q);
        }
}

int expose_port_flush(ExposePort* l, union in_addr_union *exposed) {
        ExposePort *p;
        int r, af = AF_INET;

        assert(exposed);

        if (!l)
                return 0;

        if (in_addr_is_null(af, exposed))
                return 0;

        log_debug("Lost IP address.");

        LIST_FOREACH(ports, p, l) {
                r = fw_add_local_dnat(false,
                                      af,
                                      p->protocol,
                                      NULL,
                                      NULL, 0,
                                      NULL, 0,
                                      p->host_port,
                                      exposed,
                                      p->container_port,
                                      NULL);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify firewall: %m");
        }

        *exposed = IN_ADDR_NULL;
        return 0;
}

int expose_port_execute(sd_netlink *rtnl, ExposePort *l, union in_addr_union *exposed) {
        _cleanup_free_ struct local_address *addresses = NULL;
        _cleanup_free_ char *pretty = NULL;
        union in_addr_union new_exposed;
        ExposePort *p;
        bool add;
        int af = AF_INET, r;

        assert(exposed);

        /* Invoked each time an address is added or removed inside the
         * container */

        if (!l)
                return 0;

        r = local_addresses(rtnl, 0, af, &addresses);
        if (r < 0)
                return log_error_errno(r, "Failed to enumerate local addresses: %m");

        add = r > 0 &&
                addresses[0].family == af &&
                addresses[0].scope < RT_SCOPE_LINK;

        if (!add)
                return expose_port_flush(l, exposed);

        new_exposed = addresses[0].address;
        if (in_addr_equal(af, exposed, &new_exposed))
                return 0;

        in_addr_to_string(af, &new_exposed, &pretty);
        log_debug("New container IP is %s.", strna(pretty));

        LIST_FOREACH(ports, p, l) {

                r = fw_add_local_dnat(true,
                                      af,
                                      p->protocol,
                                      NULL,
                                      NULL, 0,
                                      NULL, 0,
                                      p->host_port,
                                      &new_exposed,
                                      p->container_port,
                                      in_addr_is_null(af, exposed) ? NULL : exposed);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify firewall: %m");
        }

        *exposed = new_exposed;
        return 0;
}

int expose_port_send_rtnl(int send_fd) {
        _cleanup_close_ int fd = -1;
        int r;

        assert(send_fd >= 0);

        fd = socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE);
        if (fd < 0)
                return log_error_errno(errno, "Failed to allocate container netlink: %m");

        /* Store away the fd in the socket, so that it stays open as
         * long as we run the child */
        r = send_one_fd(send_fd, fd, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to send netlink fd: %m");

        return 0;
}

int expose_port_watch_rtnl(
                sd_event *event,
                int recv_fd,
                sd_netlink_message_handler_t handler,
                union in_addr_union *exposed,
                sd_netlink **ret) {
        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        int fd, r;

        assert(event);
        assert(recv_fd >= 0);
        assert(ret);

        fd = receive_one_fd(recv_fd, 0);
        if (fd < 0)
                return log_error_errno(fd, "Failed to recv netlink fd: %m");

        r = sd_netlink_open_fd(&rtnl, fd);
        if (r < 0) {
                safe_close(fd);
                return log_error_errno(r, "Failed to create rtnl object: %m");
        }

        r = sd_netlink_add_match(rtnl, NULL, RTM_NEWADDR, handler, NULL, exposed, "nspawn-NEWADDR");
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");

        r = sd_netlink_add_match(rtnl, NULL, RTM_DELADDR, handler, NULL, exposed, "nspawn-DELADDR");
        if (r < 0)
                return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");

        r = sd_netlink_attach_event(rtnl, event, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to add to event loop: %m");

        *ret = TAKE_PTR(rtnl);

        return 0;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
7a8f6325 LP	2
	3	#include "sd-netlink.h"
	4
b5efdb8a	5	#include "alloc-util.h"
3ffd4af2	6	#include "fd-util.h"
7a8f6325	7	#include "firewall-util.h"
07630cea	8	#include "in-addr-util.h"
7a8f6325 LP	9	#include "local-addresses.h"
7a8f6325 LP	10	#include "netlink-util.h"
3ffd4af2	11	#include "nspawn-expose-ports.h"
6bedfcbb	12	#include "parse-util.h"
2583fbea	13	#include "socket-util.h"
07630cea LP	14	#include "string-util.h"
07630cea LP	15	#include "util.h"
7a8f6325 LP	16
	17	int expose_port_parse(ExposePort *l, const char s) {
	18
	19	const char split, e;
	20	uint16_t container_port, host_port;
	21	int protocol;
	22	ExposePort *p;
	23	int r;
	24
	25	assert(l);
	26	assert(s);
	27
	28	if ((e = startswith(s, "tcp:")))
	29	protocol = IPPROTO_TCP;
	30	else if ((e = startswith(s, "udp:")))
	31	protocol = IPPROTO_UDP;
	32	else {
	33	e = s;
	34	protocol = IPPROTO_TCP;
	35	}
	36
	37	split = strchr(e, ':');
	38	if (split) {
	39	char v[split - e + 1];
	40
	41	memcpy(v, e, split - e);
	42	v[split - e] = 0;
	43
10452f7c SS	44	r = parse_ip_port(v, &host_port);
10452f7c SS	45	if (r < 0)
7a8f6325 LP	46	return -EINVAL;
7a8f6325 LP	47
10452f7c	48	r = parse_ip_port(split + 1, &container_port);
7a8f6325	49	} else {
10452f7c	50	r = parse_ip_port(e, &container_port);
7a8f6325 LP	51	host_port = container_port;
	52	}
	53
10452f7c	54	if (r < 0)
7a8f6325 LP	55	return -EINVAL;
	56
	57	LIST_FOREACH(ports, p, *l)
	58	if (p->protocol == protocol && p->host_port == host_port)
	59	return -EEXIST;
	60
	61	p = new(ExposePort, 1);
	62	if (!p)
	63	return -ENOMEM;
	64
	65	p->protocol = protocol;
	66	p->host_port = host_port;
	67	p->container_port = container_port;
	68
	69	LIST_PREPEND(ports, *l, p);
	70
	71	return 0;
	72	}
	73
	74	void expose_port_free_all(ExposePort *p) {
	75
	76	while (p) {
	77	ExposePort *q = p;
	78	LIST_REMOVE(ports, p, q);
	79	free(q);
	80	}
	81	}
	82
	83	int expose_port_flush(ExposePort* l, union in_addr_union *exposed) {
	84	ExposePort *p;
	85	int r, af = AF_INET;
	86
	87	assert(exposed);
	88
	89	if (!l)
	90	return 0;
	91
	92	if (in_addr_is_null(af, exposed))
	93	return 0;
	94
	95	log_debug("Lost IP address.");
	96
	97	LIST_FOREACH(ports, p, l) {
	98	r = fw_add_local_dnat(false,
	99	af,
	100	p->protocol,
	101	NULL,
	102	NULL, 0,
	103	NULL, 0,
	104	p->host_port,
	105	exposed,
	106	p->container_port,
	107	NULL);
	108	if (r < 0)
	109	log_warning_errno(r, "Failed to modify firewall: %m");
	110	}
	111
	112	*exposed = IN_ADDR_NULL;
	113	return 0;
	114	}
	115
	116	int expose_port_execute(sd_netlink rtnl, ExposePort l, union in_addr_union *exposed) {
	117	_cleanup_free_ struct local_address *addresses = NULL;
	118	_cleanup_free_ char *pretty = NULL;
119	union in_addr_union new_exposed;
120	ExposePort *p;
121	bool add;
122	int af = AF_INET, r;
123
124	assert(exposed);
125
126	/* Invoked each time an address is added or removed inside the
127	* container */
128
129	if (!l)
130	return 0;
131
132	r = local_addresses(rtnl, 0, af, &addresses);
133	if (r < 0)
134	return log_error_errno(r, "Failed to enumerate local addresses: %m");
135
136	add = r > 0 &&
137	addresses[0].family == af &&
138	addresses[0].scope < RT_SCOPE_LINK;
139
140	if (!add)
141	return expose_port_flush(l, exposed);
142
143	new_exposed = addresses[0].address;
144	if (in_addr_equal(af, exposed, &new_exposed))
145	return 0;
146
147	in_addr_to_string(af, &new_exposed, &pretty);
148	log_debug("New container IP is %s.", strna(pretty));
149
150	LIST_FOREACH(ports, p, l) {
151
152	r = fw_add_local_dnat(true,
153	af,
154	p->protocol,
155	NULL,
156	NULL, 0,
157	NULL, 0,
158	p->host_port,
159	&new_exposed,
160	p->container_port,
161	in_addr_is_null(af, exposed) ? NULL : exposed);
162	if (r < 0)
163	log_warning_errno(r, "Failed to modify firewall: %m");
164	}
165
166	*exposed = new_exposed;
167	return 0;
168	}
169
170	int expose_port_send_rtnl(int send_fd) {
7a8f6325	171	_cleanup_close_ int fd = -1;
d9603714	172	int r;
7a8f6325 LP	173
	174	assert(send_fd >= 0);
	175
	176	fd = socket(PF_NETLINK, SOCK_RAW\|SOCK_CLOEXEC\|SOCK_NONBLOCK, NETLINK_ROUTE);
	177	if (fd < 0)
	178	return log_error_errno(errno, "Failed to allocate container netlink: %m");
	179
7a8f6325 LP	180	/* Store away the fd in the socket, so that it stays open as
7a8f6325 LP	181	* long as we run the child */
3ee897d6	182	r = send_one_fd(send_fd, fd, 0);
d9603714 DH	183	if (r < 0)
d9603714 DH	184	return log_error_errno(r, "Failed to send netlink fd: %m");
7a8f6325 LP	185
	186	return 0;
	187	}
	188
	189	int expose_port_watch_rtnl(
	190	sd_event *event,
	191	int recv_fd,
	192	sd_netlink_message_handler_t handler,
	193	union in_addr_union *exposed,
	194	sd_netlink **ret) {
4afd3348	195	_cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
7a8f6325	196	int fd, r;
7a8f6325 LP	197
	198	assert(event);
	199	assert(recv_fd >= 0);
	200	assert(ret);
	201
3ee897d6	202	fd = receive_one_fd(recv_fd, 0);
d9603714 DH	203	if (fd < 0)
d9603714 DH	204	return log_error_errno(fd, "Failed to recv netlink fd: %m");
7a8f6325 LP	205
	206	r = sd_netlink_open_fd(&rtnl, fd);
	207	if (r < 0) {
	208	safe_close(fd);
	209	return log_error_errno(r, "Failed to create rtnl object: %m");
	210	}
	211
8190a388	212	r = sd_netlink_add_match(rtnl, NULL, RTM_NEWADDR, handler, NULL, exposed, "nspawn-NEWADDR");
7a8f6325 LP	213	if (r < 0)
	214	return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");
	215
8190a388	216	r = sd_netlink_add_match(rtnl, NULL, RTM_DELADDR, handler, NULL, exposed, "nspawn-DELADDR");
7a8f6325 LP	217	if (r < 0)
	218	return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");
	219
	220	r = sd_netlink_attach_event(rtnl, event, 0);
	221	if (r < 0)
8f8dfb95	222	return log_error_errno(r, "Failed to add to event loop: %m");
7a8f6325	223
1cc6c93a	224	*ret = TAKE_PTR(rtnl);
7a8f6325 LP	225
	226	return 0;
	227	}