From: Topi Miettinen
Date: Sat, 10 Sep 2022 12:38:43 +0000 (+0300)
Subject: shared/firewall-util: make NFT table init optional
X-Git-Tag: v255-rc1~612^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=274ffe1abbdeb4647ee98448b4ec88069ab3f4aa;p=thirdparty%2Fsystemd.git
shared/firewall-util: make NFT table init optional
---
diff --git a/src/shared/firewall-util-nft.c b/src/shared/firewall-util-nft.c
index 450e02fbcff..cc35b1c2de3 100644
--- a/src/shared/firewall-util-nft.c
+++ b/src/shared/firewall-util-nft.c
@@ -796,7 +796,7 @@ static int fw_nftables_init_family(sd_netlink *nfnl, int family) {
         return 0;
 }
 
-int fw_nftables_init(FirewallContext *ctx) {
+int fw_nftables_init_full(FirewallContext *ctx, bool init_tables) {
         _cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
         int r;
 
@@ -807,20 +807,26 @@ int fw_nftables_init(FirewallContext *ctx) {
         if (r < 0)
                 return r;
 
-        r = fw_nftables_init_family(nfnl, AF_INET);
-        if (r < 0)
-                return r;
-
-        if (socket_ipv6_is_supported()) {
-                r = fw_nftables_init_family(nfnl, AF_INET6);
+        if (init_tables) {
+                r = fw_nftables_init_family(nfnl, AF_INET);
                 if (r < 0)
-                        log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+                        return r;
+
+                if (socket_ipv6_is_supported()) {
+                        r = fw_nftables_init_family(nfnl, AF_INET6);
+                        if (r < 0)
+                                log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+                }
         }
 
         ctx->nfnl = TAKE_PTR(nfnl);
         return 0;
 }
 
+int fw_nftables_init(FirewallContext *ctx) {
+        return fw_nftables_init_full(ctx, /* init_tables= */ true);
+}
+
 void fw_nftables_exit(FirewallContext *ctx) {
         assert(ctx);
 
diff --git a/src/shared/firewall-util-private.h b/src/shared/firewall-util-private.h
index 14f5a35a878..97f8fe124ef 100644
--- a/src/shared/firewall-util-private.h
+++ b/src/shared/firewall-util-private.h
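Review bot: `fw_nftables_init_full` gains a behavioural switch with no comment saying what a false `init_tables` leaves undone: the new `if (init_tables)` block is the only place `fw_nftables_init_family()` is called, so with false the context ends up with a usable `ctx->nfnl` but no table setup for either family. A caller passing false cannot tell from the code whether the add/remove helpers that use `ctx->nfnl` still work in that mode; please state it above the definition, e.g. `/* With init_tables == false only the nfnl socket is opened; the NAT table and chains are not created, so the caller must ensure they exist before using them. */`. The asymmetry inside the block — AF_INET failure returns, AF_INET6 failure is only logged — is pre-existing, but now that it sits behind a flag a one-line why-comment on the best-effort IPv6 path would help. The signature of fw_nftables_init_full is in the preceding hunk; the body between the two hunks is not shown here.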
@@ -26,6 +26,7 @@ struct FirewallContext {
 const char *firewall_backend_to_string(FirewallBackend b) _const_;
 int fw_nftables_init(FirewallContext *ctx);
+int fw_nftables_init_full(FirewallContext *ctx, bool init_tables);
 void fw_nftables_exit(FirewallContext *ctx);
 int fw_nftables_add_masquerade(
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index afa3e02b454..ba3e9cbc5e0 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -20,13 +20,13 @@ static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
 
 DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
 
-static void firewall_backend_probe(FirewallContext *ctx) {
+static void firewall_backend_probe(FirewallContext *ctx, bool init_tables) {
         assert(ctx);
 
         if (ctx->backend != _FW_BACKEND_INVALID)
                 return;
 
-        if (fw_nftables_init(ctx) >= 0)
+        if (fw_nftables_init_full(ctx, init_tables) >= 0)
                 ctx->backend = FW_BACKEND_NFTABLES;
         else
 #if HAVE_LIBIPTC
@@ -41,7 +41,7 @@ static void firewall_backend_probe(FirewallContext *ctx) {
                 log_debug("No firewall backend found.");
 }
 
-int fw_ctx_new(FirewallContext **ret) {
+int fw_ctx_new_full(FirewallContext **ret, bool init_tables) {
         _cleanup_free_ FirewallContext *ctx = NULL;
 
         ctx = new(FirewallContext, 1);
@@ -52,12 +52,16 @@ int fw_ctx_new(FirewallContext **ret) {
                 .backend = _FW_BACKEND_INVALID,
         };
 
-        firewall_backend_probe(ctx);
+        firewall_backend_probe(ctx, init_tables);
 
         *ret = TAKE_PTR(ctx);
         return 0;
 }
 
+int fw_ctx_new(FirewallContext **ret) {
+        return fw_ctx_new_full(ret, /* init_tables= */ true);
+}
+
 FirewallContext *fw_ctx_free(FirewallContext *ctx) {
         if (!ctx)
                 return NULL;
diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h
index d0e78beba83..4f3cd61bf44 100644
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
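Review bot: `firewall_backend_probe()` now selects FW_BACKEND_NFTABLES whenever `fw_nftables_init_full(ctx, init_tables) >= 0`, and with `init_tables == false` that call appears to succeed as soon as the nfnl socket opens, without having shown that a table or chain can actually be created. That weakens the probe for callers that skip table init: a host where nftables is reachable but rule installation fails would no longer fall through to the `#if HAVE_LIBIPTC` alternative, and the error would surface only at the first add/remove call. If that trade-off is intended, record it on `fw_ctx_new_full` in the later hunk, e.g. `/* init_tables == false: only open the backend; the nftables probe then does not verify that tables can be created, so failures surface on first use. */`. The probe's `#if HAVE_LIBIPTC` branch continues past the end of this hunk.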
@@ -9,6 +9,7 @@ typedef struct FirewallContext FirewallContext;
 int fw_ctx_new(FirewallContext **ret);
+int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
 FirewallContext *fw_ctx_free(FirewallContext *ctx);
 DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
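Review bot: The new public declaration `int fw_ctx_new_full(FirewallContext **ret, bool init_tables);` carries no documentation of what `init_tables` controls, and `fw_ctx_new()` beside it is now just the `true` case. A short comment in this header would save callers a trip into firewall-util-nft.c, e.g. `/* Like fw_ctx_new(), but when init_tables is false the nftables table and chains are not created during backend probing; the caller must not depend on them existing. */`.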