From: Yu Watanabe
Date: Mon, 22 Mar 2021 13:33:23 +0000 (+0900)
Subject: firewall-util: logs which backend will be used
X-Git-Tag: v248-2~23^2~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=da00b84087dd5f5dc3d0588fdef93bb71789bfb1;p=thirdparty%2Fsystemd.git

firewall-util: logs which backend will be used

This also modernizes code a bit.
---

diff --git a/src/shared/firewall-util-private.h b/src/shared/firewall-util-private.h
index 59e1e502fda..07e2d0bbd3d 100644
--- a/src/shared/firewall-util-private.h
+++ b/src/shared/firewall-util-private.h
@@ -4,22 +4,27 @@
 #include
 #include
-#include "in-addr-util.h"
 #include "sd-netlink.h"
-enum FirewallBackend {
+#include "in-addr-util.h"
+
+typedef enum FirewallBackend {
 FW_BACKEND_NONE,
 #if HAVE_LIBIPTC
 FW_BACKEND_IPTABLES,
 #endif
 FW_BACKEND_NFTABLES,
-};
+ _FW_BACKEND_MAX,
+ _FW_BACKEND_INVALID = -EINVAL,
+} FirewallBackend;
 struct FirewallContext {
- enum FirewallBackend firewall_backend;
+ FirewallBackend backend;
 sd_netlink *nfnl;
 };
+const char *firewall_backend_to_string(FirewallBackend b) _const_;
+
 int fw_nftables_init(FirewallContext *ctx);
 void fw_nftables_exit(FirewallContext *ctx);
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index 3bed941127f..65a2250ed31 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
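Review bot: The new `_FW_BACKEND_INVALID` sentinel carries a meaning the header never states: `fw_ctx_new()` stores it and `firewall_backend_probe()` returns early on anything else, so it is the "not probed yet" state, while `_FW_BACKEND_MAX` sizes `firewall_backend_table` in firewall-util.c. A comment on the typedef would save the next reader that trip, e.g. `/* _FW_BACKEND_INVALID: backend not probed yet; resolved lazily by firewall_backend_probe() on the first fw_add_*() call */`. Separately, `-EINVAL` now requires `<errno.h>` in this header; the two system `#include` lines lost their targets in this rendering, so I cannot confirm it is included directly rather than only transitively via sd-netlink.h — worth checking.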
@@ -7,21 +7,44 @@
 #include "alloc-util.h"
 #include "firewall-util.h"
 #include "firewall-util-private.h"
+#include "log.h"
+#include "string-table.h"
-static enum FirewallBackend firewall_backend_probe(FirewallContext *ctx) {
- if (fw_nftables_init(ctx) == 0)
- return FW_BACKEND_NFTABLES;
+static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
+ [FW_BACKEND_NONE] = "none",
 #if HAVE_LIBIPTC
- return FW_BACKEND_IPTABLES;
+ [FW_BACKEND_IPTABLES] = "iptables",
+#endif
+ [FW_BACKEND_NFTABLES] = "nftables",
+};
+
+DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
+
+static void firewall_backend_probe(FirewallContext *ctx) {
+ assert(ctx);
+
+ if (ctx->backend != _FW_BACKEND_INVALID)
+ return;
+
+ if (fw_nftables_init(ctx) >= 0)
+ ctx->backend = FW_BACKEND_NFTABLES;
+ else
+#if HAVE_LIBIPTC
+ ctx->backend = FW_BACKEND_IPTABLES;
 #else
- return FW_BACKEND_NONE;
+ ctx->backend = FW_BACKEND_NONE;
 #endif
+
+ if (ctx->backend != FW_BACKEND_NONE)
+ log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
+ else
+ log_debug("No firewall backend found.");
 }
 int fw_ctx_new(FirewallContext **ret) {
 _cleanup_free_ FirewallContext *ctx = NULL;
- ctx = new0(FirewallContext, 1);
+ ctx = new(FirewallContext, 1);
 if (!ctx)
 return -ENOMEM;
@@ -32,6 +55,11 @@ int fw_ctx_new(FirewallContext **ret) {
 * fw_ctx_new when nspawn/networkd know they will call
 * fw_add_masquerade/local_dnat later anyway. */
+
+ *ctx = (FirewallContext) {
+ .backend = _FW_BACKEND_INVALID,
+ };
+
 *ret = TAKE_PTR(ctx);
 return 0;
 }
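Review bot: In `firewall_backend_probe()` the reason `fw_nftables_init()` failed is thrown away, so when the fallback to iptables (or to no backend at all) is taken the new debug line says which backend won but not why nftables lost — which is the question an operator debugging a failed masquerade or DNAT rule will actually ask. Keep the return value and log it before falling back, e.g. with `log_debug_errno()`, assuming log.h provides that variant as it does elsewhere in the tree. Note also that the result is now cached per context, `FW_BACKEND_NONE` included: in a build without libiptc a ctx that probed while the nftables socket was unavailable never retries, whereas the old code re-probed on every call while the backend was NONE, so if any caller relied on that it is a behaviour change worth a line in the commit message.
```c
static void firewall_backend_probe(FirewallContext *ctx) {
        int r;

        assert(ctx);

        if (ctx->backend != _FW_BACKEND_INVALID)
                return;

        r = fw_nftables_init(ctx);
        if (r >= 0)
                ctx->backend = FW_BACKEND_NFTABLES;
        else {
                log_debug_errno(r, "Failed to initialize nftables backend, falling back: %m");
#if HAVE_LIBIPTC
                ctx->backend = FW_BACKEND_IPTABLES;
#else
                ctx->backend = FW_BACKEND_NONE;
#endif
        }

        /* … unchanged: "Using %s as firewall backend." / "No firewall backend found." logging … */
}
```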
@@ -40,47 +68,44 @@ FirewallContext *fw_ctx_free(FirewallContext *ctx) {
 if (!ctx)
 return NULL;
- if (ctx->firewall_backend == FW_BACKEND_NFTABLES)
- fw_nftables_exit(ctx);
+ fw_nftables_exit(ctx);
 return mfree(ctx);
 }
 int fw_add_masquerade(
- FirewallContext **fw_ctx,
+ FirewallContext **ctx,
 bool add,
 int af,
 const union in_addr_union *source,
 unsigned source_prefixlen) {
- FirewallContext *ctx;
+
 int r;
- if (!*fw_ctx) {
- r = fw_ctx_new(fw_ctx);
+ assert(ctx);
+
+ if (!*ctx) {
+ r = fw_ctx_new(ctx);
 if (r < 0)
 return r;
 }
- ctx = *fw_ctx;
- if (ctx->firewall_backend == FW_BACKEND_NONE)
- ctx->firewall_backend = firewall_backend_probe(ctx);
+ firewall_backend_probe(*ctx);
- switch (ctx->firewall_backend) {
- case FW_BACKEND_NONE:
- return -EOPNOTSUPP;
+ switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
 case FW_BACKEND_IPTABLES:
 return fw_iptables_add_masquerade(add, af, source, source_prefixlen);
 #endif
 case FW_BACKEND_NFTABLES:
- return fw_nftables_add_masquerade(ctx, add, af, source, source_prefixlen);
+ return fw_nftables_add_masquerade(*ctx, add, af, source, source_prefixlen);
+ default:
+ return -EOPNOTSUPP;
 }
-
- return -EOPNOTSUPP;
 }
 int fw_add_local_dnat(
- FirewallContext **fw_ctx,
+ FirewallContext **ctx,
 bool add,
 int af,
 int protocol,
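Review bot: `fw_ctx_free()` now calls `fw_nftables_exit()` unconditionally, including for contexts whose backend resolved to iptables or none and for contexts that were never probed at all (`fw_ctx_new()` leaves `backend` at `_FW_BACKEND_INVALID` with `nfnl` zeroed by the compound literal). That is only safe if `fw_nftables_exit()` tolerates `nfnl == NULL` and a failed or skipped `fw_nftables_init()`; its body is not in this diff, so I cannot confirm it — worth a glance, and a comment at the call site would record the contract: `/* Safe even if the nftables backend was never initialized: fw_nftables_exit() must tolerate nfnl == NULL. */`. The signature of `fw_ctx_free()` and the parameter list of `fw_add_local_dnat()` lie outside this hunk.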
@@ -88,28 +113,27 @@ int fw_add_local_dnat(
 const union in_addr_union *remote,
 uint16_t remote_port,
 const union in_addr_union *previous_remote) {
- FirewallContext *ctx;
- if (!*fw_ctx) {
- int ret = fw_ctx_new(fw_ctx);
- if (ret < 0)
- return ret;
+ int r;
+
+ assert(ctx);
+
+ if (!*ctx) {
+ r = fw_ctx_new(ctx);
+ if (r < 0)
+ return r;
 }
- ctx = *fw_ctx;
- if (ctx->firewall_backend == FW_BACKEND_NONE)
- ctx->firewall_backend = firewall_backend_probe(ctx);
+ firewall_backend_probe(*ctx);
- switch (ctx->firewall_backend) {
- case FW_BACKEND_NONE:
- return -EOPNOTSUPP;
- case FW_BACKEND_NFTABLES:
- return fw_nftables_add_local_dnat(ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
+ switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
 case FW_BACKEND_IPTABLES:
 return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote);
 #endif
+ case FW_BACKEND_NFTABLES:
+ return fw_nftables_add_local_dnat(*ctx, add, af, protocol, local_port, remote, remote_port, previous_remote);
+ default:
+ return -EOPNOTSUPP;
 }
-
- return -EOPNOTSUPP;
 }
diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h
index 5180b429d3d..7725a5e58df 100644
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
@@ -9,19 +9,19 @@ typedef struct FirewallContext FirewallContext;
 int fw_ctx_new(FirewallContext **ret);
-FirewallContext *fw_ctx_free(FirewallContext *fw_ctx);
+FirewallContext *fw_ctx_free(FirewallContext *ctx);
 DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
 int fw_add_masquerade(
- FirewallContext **fw_ctx,
+ FirewallContext **ctx,
 bool add,
 int af,
 const union in_addr_union *source,
 unsigned source_prefixlen);
 int fw_add_local_dnat(
- FirewallContext **fw_ctx,
+ FirewallContext **ctx,
 bool add,
 int af,
 int protocol,
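Review bot: The prologue of `fw_add_local_dnat()` — allocate `*ctx` on demand, then `firewall_backend_probe(*ctx)` — is now a verbatim copy of the one in `fw_add_masquerade()`, and both switch statements end in the same `default: return -EOPNOTSUPP;`, so a small static helper would keep the two entry points from drifting the next time the probing rules change. The `default:` label also absorbs `FW_BACKEND_NONE`, which after probing is the only value that legitimately reaches it; naming that case explicitly would make the intent readable without opening the probe function. The parameter list of `fw_add_local_dnat()` begins in the previous hunk.
```c
/* Allocates *ctx on first use and resolves its backend; returns 0 or a negative errno. */
static int fw_ctx_prepare(FirewallContext **ctx) {
        int r;

        assert(ctx);

        if (!*ctx) {
                r = fw_ctx_new(ctx);
                if (r < 0)
                        return r;
        }

        firewall_backend_probe(*ctx);
        return 0;
}

/* … in fw_add_local_dnat(), replacing the on-demand allocation and probe … */
        r = fw_ctx_prepare(ctx);
        if (r < 0)
                return r;

        switch ((*ctx)->backend) {
        case FW_BACKEND_NONE:
                return -EOPNOTSUPP;
        /* … unchanged: iptables and nftables cases, default … */
```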