3122097217
In a nutshell: 1. git mv firewall-util.c firewall-util-iptables.c 2. existing external functions gain _iptables_ in their names 3. firewall-util.c provides old function names 4. build system always compiles firewall-util.c, firewall-util-iptables.c is conditional instead (libiptc). 5. On first call to any of the 'old' API functions performs a probe that should return the preferred backend. In a future step, can add firewall-util-FOOTYPE.c, add its probe function to firewall-util.c and then have calls to fw_add_masq/local_dnat handed to the detected backend. For now, only iptables backend exists, and no special probing takes place for it, i.e. when systemd was built with iptables, that will be used. If not, requets to add masquerade/dnat will fail with same error (-EOPNOTSUPP) as before this change. For reference, the rules added by the libiptc/iptables backend look like this: for service export (via systemd-nspawn): [0:0] -A PREROUTING -p tcp -m tcp --dport $exportedport -m addrtype --dst-type LOCAL -j DNAT --to-destination $containerip:$port [0:0] -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport $exportedport -m addrtype --dst-type LOCAL -j DNAT --to-destination $containerip:$port for ip masquerade: [0:0] -A POSTROUTING -s network/prefix -j MASQUERADE
72 lines
1.8 KiB
C
72 lines
1.8 KiB
C
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
|
|
|
#include <errno.h>
|
|
#include <stddef.h>
|
|
#include <string.h>
|
|
|
|
#include "alloc-util.h"
|
|
#include "firewall-util.h"
|
|
#include "firewall-util-private.h"
|
|
|
|
enum FirewallBackend {
|
|
FW_BACKEND_NONE,
|
|
#if HAVE_LIBIPTC
|
|
FW_BACKEND_IPTABLES,
|
|
#endif
|
|
};
|
|
|
|
static enum FirewallBackend FirewallBackend;
|
|
|
|
static enum FirewallBackend firewall_backend_probe(void) {
|
|
#if HAVE_LIBIPTC
|
|
return FW_BACKEND_IPTABLES;
|
|
#else
|
|
return FW_BACKEND_NONE;
|
|
#endif
|
|
}
|
|
|
|
int fw_add_masquerade(
|
|
bool add,
|
|
int af,
|
|
const union in_addr_union *source,
|
|
unsigned source_prefixlen) {
|
|
|
|
if (FirewallBackend == FW_BACKEND_NONE)
|
|
FirewallBackend = firewall_backend_probe();
|
|
|
|
switch (FirewallBackend) {
|
|
case FW_BACKEND_NONE:
|
|
return -EOPNOTSUPP;
|
|
#if HAVE_LIBIPTC
|
|
case FW_BACKEND_IPTABLES:
|
|
return fw_iptables_add_masquerade(add, af, source, source_prefixlen);
|
|
#endif
|
|
}
|
|
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
int fw_add_local_dnat(
|
|
bool add,
|
|
int af,
|
|
int protocol,
|
|
uint16_t local_port,
|
|
const union in_addr_union *remote,
|
|
uint16_t remote_port,
|
|
const union in_addr_union *previous_remote) {
|
|
|
|
if (FirewallBackend == FW_BACKEND_NONE)
|
|
FirewallBackend = firewall_backend_probe();
|
|
|
|
switch (FirewallBackend) {
|
|
case FW_BACKEND_NONE:
|
|
return -EOPNOTSUPP;
|
|
#if HAVE_LIBIPTC
|
|
case FW_BACKEND_IPTABLES:
|
|
return fw_iptables_add_local_dnat(add, af, protocol, local_port, remote, remote_port, previous_remote);
|
|
#endif
|
|
}
|
|
|
|
return -EOPNOTSUPP;
|
|
}
|