shared/firewall-util: make NFT table init optional

author Topi Miettinen <toiwoton@gmail.com>

Sat, 10 Sep 2022 12:38:43 +0000 (15:38 +0300)

committer Topi Miettinen <toiwoton@gmail.com>

Wed, 23 Aug 2023 16:54:08 +0000 (19:54 +0300)
author Topi Miettinen <toiwoton@gmail.com>
Sat, 10 Sep 2022 12:38:43 +0000 (15:38 +0300)
committer Topi Miettinen <toiwoton@gmail.com>
Wed, 23 Aug 2023 16:54:08 +0000 (19:54 +0300)
diff --git a/src/shared/firewall-util-nft.c b/src/shared/firewall-util-nft.c

index 450e02fbcff8763c7dadc7d1833eba7536b52942..cc35b1c2de3f2922ba95c6cda585abdefa078455 100644 (file)
--- a/src/shared/firewall-util-nft.c
+++ b/src/shared/firewall-util-nft.c
@@ -796,7 +796,7 @@ static int fw_nftables_init_family(sd_netlink *nfnl, int family) {
          return 0;
  }
  
-int fw_nftables_init(FirewallContext *ctx) {
+int fw_nftables_init_full(FirewallContext *ctx, bool init_tables) {
          _cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
          int r;
  
@@ -807,20 +807,26 @@ int fw_nftables_init(FirewallContext *ctx) {
          if (r < 0)
                  return r;
  
-        r = fw_nftables_init_family(nfnl, AF_INET);
-        if (r < 0)
-                return r;
-
-        if (socket_ipv6_is_supported()) {
-                r = fw_nftables_init_family(nfnl, AF_INET6);
+        if (init_tables) {
+                r = fw_nftables_init_family(nfnl, AF_INET);
                  if (r < 0)
-                        log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+                        return r;
+
+                if (socket_ipv6_is_supported()) {
+                        r = fw_nftables_init_family(nfnl, AF_INET6);
+                        if (r < 0)
+                                log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+                }
          }
  
          ctx->nfnl = TAKE_PTR(nfnl);
          return 0;
  }
  
+int fw_nftables_init(FirewallContext *ctx) {
+        return fw_nftables_init_full(ctx, /* init_tables= */ true);
+}
+
  void fw_nftables_exit(FirewallContext *ctx) {
          assert(ctx);
  
diff --git a/src/shared/firewall-util-private.h b/src/shared/firewall-util-private.h

index 14f5a35a878efe89a3c2e395299015be452cec7c..97f8fe124ef7ef6500e36e78abce9b1e6e44585b 100644 (file)
--- a/src/shared/firewall-util-private.h
+++ b/src/shared/firewall-util-private.h
@@ -26,6 +26,7 @@ struct FirewallContext {
  const char *firewall_backend_to_string(FirewallBackend b) _const_;
  
  int fw_nftables_init(FirewallContext *ctx);
+int fw_nftables_init_full(FirewallContext *ctx, bool init_tables);
  void fw_nftables_exit(FirewallContext *ctx);
  
  int fw_nftables_add_masquerade(
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c

index afa3e02b45463dfac980975f2642c10fab06d5be..ba3e9cbc5e073127eac653e39573ca2a9d801864 100644 (file)
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -20,13 +20,13 @@ static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
  
  DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
  
-static void firewall_backend_probe(FirewallContext *ctx) {
+static void firewall_backend_probe(FirewallContext *ctx, bool init_tables) {
          assert(ctx);
  
          if (ctx->backend != _FW_BACKEND_INVALID)
                  return;
  
-        if (fw_nftables_init(ctx) >= 0)
+        if (fw_nftables_init_full(ctx, init_tables) >= 0)
                  ctx->backend = FW_BACKEND_NFTABLES;
          else
  #if HAVE_LIBIPTC
@@ -41,7 +41,7 @@ static void firewall_backend_probe(FirewallContext *ctx) {
                  log_debug("No firewall backend found.");
  }
  
-int fw_ctx_new(FirewallContext **ret) {
+int fw_ctx_new_full(FirewallContext **ret, bool init_tables) {
          _cleanup_free_ FirewallContext *ctx = NULL;
  
          ctx = new(FirewallContext, 1);
@@ -52,12 +52,16 @@ int fw_ctx_new(FirewallContext **ret) {
                  .backend = _FW_BACKEND_INVALID,
          };
  
-        firewall_backend_probe(ctx);
+        firewall_backend_probe(ctx, init_tables);
  
          *ret = TAKE_PTR(ctx);
          return 0;
  }
  
+int fw_ctx_new(FirewallContext **ret) {
+        return fw_ctx_new_full(ret, /* init_tables= */ true);
+}
+
  FirewallContext *fw_ctx_free(FirewallContext *ctx) {
          if (!ctx)
                  return NULL;
diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h

index d0e78beba83a7cd6ce77ae3553896b5db236f477..4f3cd61bf44a2fe175f3803b8d55884e8abca9b2 100644 (file)
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
@@ -9,6 +9,7 @@
  typedef struct FirewallContext FirewallContext;
  
  int fw_ctx_new(FirewallContext **ret);
+int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
  FirewallContext *fw_ctx_free(FirewallContext *ctx);
  
  DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
author	Topi Miettinen <toiwoton@gmail.com>
	Sat, 10 Sep 2022 12:38:43 +0000 (15:38 +0300)
committer	Topi Miettinen <toiwoton@gmail.com>
	Wed, 23 Aug 2023 16:54:08 +0000 (19:54 +0300)
src/shared/firewall-util-nft.c		patch \| blob \| blame \| history
src/shared/firewall-util-private.h		patch \| blob \| blame \| history
src/shared/firewall-util.c		patch \| blob \| blame \| history
src/shared/firewall-util.h		patch \| blob \| blame \| history