#include "alloc-util.h"
#include "firewall-util.h"
#include "firewall-util-private.h"
+#include "log.h"
+#include "string-table.h"
-static enum FirewallBackend firewall_backend_probe(FirewallContext *ctx) {
- if (fw_nftables_init(ctx) == 0)
- return FW_BACKEND_NFTABLES;
+static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
+ [FW_BACKEND_NONE] = "none",
#if HAVE_LIBIPTC
- return FW_BACKEND_IPTABLES;
+ [FW_BACKEND_IPTABLES] = "iptables",
+#endif
+ [FW_BACKEND_NFTABLES] = "nftables",
+};
+
+DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
+
+static void firewall_backend_probe(FirewallContext *ctx) {
+ assert(ctx);
+
+ if (ctx->backend != _FW_BACKEND_INVALID)
+ return;
+
+ if (fw_nftables_init(ctx) >= 0)
+ ctx->backend = FW_BACKEND_NFTABLES;
+ else
+#if HAVE_LIBIPTC
+ ctx->backend = FW_BACKEND_IPTABLES;
#else
- return FW_BACKEND_NONE;
+ ctx->backend = FW_BACKEND_NONE;
#endif
+
+ if (ctx->backend != FW_BACKEND_NONE)
+ log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
+ else
+ log_debug("No firewall backend found.");
}
int fw_ctx_new(FirewallContext **ret) {
_cleanup_free_ FirewallContext *ctx = NULL;
- ctx = new0(FirewallContext, 1);
+ ctx = new(FirewallContext, 1);
if (!ctx)
return -ENOMEM;
* fw_ctx_new when nspawn/networkd know they will call
* fw_add_masquerade/local_dnat later anyway.
*/
+
+ *ctx = (FirewallContext) {
+ .backend = _FW_BACKEND_INVALID,
+ };
+
*ret = TAKE_PTR(ctx);
return 0;
}
if (!ctx)
return NULL;
- if (ctx->firewall_backend == FW_BACKEND_NFTABLES)
- fw_nftables_exit(ctx);
+ fw_nftables_exit(ctx);
return mfree(ctx);
}
int fw_add_masquerade(
- FirewallContext **fw_ctx,
+ FirewallContext **ctx,
bool add,
int af,
const union in_addr_union *source,
unsigned source_prefixlen) {
- FirewallContext *ctx;
+
int r;
- if (!*fw_ctx) {
- r = fw_ctx_new(fw_ctx);
+ assert(ctx);
+
+ if (!*ctx) {
+ r = fw_ctx_new(ctx);
if (r < 0)
return r;
}
- ctx = *fw_ctx;
- if (ctx->firewall_backend == FW_BACKEND_NONE)
- ctx->firewall_backend = firewall_backend_probe(ctx);
+ firewall_backend_probe(*ctx);
- switch (ctx->firewall_backend) {
- case FW_BACKEND_NONE:
- return -EOPNOTSUPP;
+ switch ((*ctx)->backend) {
#if HAVE_LIBIPTC
case FW_BACKEND_IPTABLES:
return fw_iptables_add_masquerade(add, af, source, source_prefixlen);
#endif
case FW_BACKEND_NFTABLES:
- return fw_nftables_add_masquerade(ctx, add, af, source, source_prefixlen);
+ return fw_nftables_add_masquerade(*ctx, add, af, source, source_prefixlen);
+ default:
+ return -EOPNOTSUPP;
}
-
- return -EOPNOTSUPP;
}
int fw_add_local_dnat(
- FirewallContext **fw_ctx,
+ FirewallContext **ctx,
bool add,
int af,
int protocol,
const union in_addr_union *remote,
uint16_t remote_port,
const union in_addr_union *previous_remote) {
- FirewallContext *ctx;
- if (!*fw_ctx) {
- int ret = fw_ctx_new(fw_ctx);
- if (ret < 0)
- return ret;
+ int r;
+
+ assert(ctx);
+
+ if (!*ctx) {
+ r = fw_ctx_new(ctx);
+ if (r < 0)
+ return r;
}
- ctx = *fw_ctx;
- if (ctx->firewall_backend == FW_BACKEND_NONE)
- ctx->firewall_backend = firewall_backend_probe(ctx);
+ firewall_backend_probe(*ctx);
- switch (ctx->firewall_backend) {
- case FW_BACKEND_NONE:
- return -EOPNOTSUPP;
- case FW_BACKEND_NFTABLES:
- return fw_nftables_add_local_dnat(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
+ switch ((*ctx)->backend) {
#if HAVE_LIBIPTC
case FW_BACKEND_IPTABLES:
return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote);
#endif
+ case FW_BACKEND_NFTABLES:
+ return fw_nftables_add_local_dnat(*ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
+ default:
+ return -EOPNOTSUPP;
}
-
- return -EOPNOTSUPP;
}
projects / thirdparty / systemd.git / commitdiff
