761cf19d7b
for planned nft backend we have three choices: - open/close a new nfnetlink socket for every operation - keep a nfnetlink socket open internally - expose an opaque fw_ctx and stash all internal data there. Originally I opted for the 2nd option, but during review it was suggested to avoid static storage duration because of perceived problems with threaded applications. This adds fw_ctx and new/free functions, then converts the existing API and nspawn and networkd to use it.
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
|
#pragma once
|
|
|
|
#include <stdbool.h>
|
|
#include <stdint.h>
|
|
|
|
#include "in-addr-util.h"
|
|
|
|
typedef struct FirewallContext FirewallContext;
|
|
|
|
int fw_ctx_new(FirewallContext **ret);
|
|
FirewallContext *fw_ctx_free(FirewallContext *fw_ctx);
|
|
|
|
DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
|
|
|
|
int fw_add_masquerade(
|
|
FirewallContext **fw_ctx,
|
|
bool add,
|
|
int af,
|
|
const union in_addr_union *source,
|
|
unsigned source_prefixlen);
|
|
|
|
int fw_add_local_dnat(
|
|
FirewallContext **fw_ctx,
|
|
bool add,
|
|
int af,
|
|
int protocol,
|
|
uint16_t local_port,
|
|
const union in_addr_union *remote,
|
|
uint16_t remote_port,
|
|
const union in_addr_union *previous_remote);
|
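Review bot: The `FirewallContext **fw_ctx` out-parameters on fw_add_masquerade and fw_add_local_dnat are undocumented in this header, and since the commit message says the context replaces static storage because of threading concerns, a reader cannot tell whether a NULL `*fw_ctx` is allocated on first use, whether the caller keeps ownership, or whether one context may be shared between threads. I would add above fw_add_masquerade: `/* *fw_ctx may be NULL, in which case a context is allocated and returned through it; the caller owns it and releases it with fw_ctx_free(). A FirewallContext is not meant to be used from several threads concurrently. */` — the lazy-allocation behaviour is inferred from the double pointer and should be confirmed against the .c file. Separately, `DEFINE_TRIVIAL_CLEANUP_FUNC` on line 43 is not provided by the three includes listed here; if it only arrives transitively through in-addr-util.h, the header stops being self-contained, so consider including the header that defines that macro directly.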