author | Thomas Haller <thaller@redhat.com> | 2021-05-12 12:02:33 +0200 |
committer | Thomas Haller <thaller@redhat.com> | 2021-05-14 11:41:33 +0200 |
commit | a79d5e2218d4adc40cb8794b56845b06cb5a2478 (patch) | |
tree | a732ee942ab87cebf9ae3ad2dd8c5b174e2231a1 | |
parent | 9ebdb967ded7cdf53e5193129e24556447b8a1e0 (diff) | |
download | NetworkManager-a79d5e2218d4adc40cb8794b56845b06cb5a2478.tar.gz |
firewall: add special firewall-backend "none"
-rw-r--r-- | man/NetworkManager.conf.xml | 11 | ||||
-rw-r--r-- | src/core/nm-firewall-utils.c | 24 | ||||
-rw-r--r-- | src/core/nm-firewall-utils.h | 1 |
3 files changed, 30 insertions, 6 deletions
diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index f88688e94b..d8fce34d6e 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -479,8 +479,15 @@ no-auto-default=*
         <term><varname>firewall-backend</varname></term>
         <listitem>
           <para>
-            The firewall backend for configuring masquerading.
-            Set to either <literal>iptables</literal> or <literal>nftables</literal>.
+            The firewall backend for configuring masquerading
+            with shared mode.
+            Set to either <literal>iptables</literal>, <literal>nftables</literal>
+            or <literal>none</literal>.
+            <literal>iptables</literal> and <literal>nftables</literal>
+            require <literal>iptables</literal> and <literal>nft</literal>
+            application, respectively.
+            <literal>none</literal> means to skip firewall configuration if
+            the users wish to manage firewall themselves.
             If unspecified, it will be auto detected.
           </para>
         </listitem>
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 22d52031a0..cc342b3f22 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -21,6 +21,10 @@ static const struct {
     const char *name;
     const char *path;
 } FirewallBackends[] = {
+    [NM_FIREWALL_BACKEND_NONE - 1] =
+        {
+            .name = "none",
+        },
     [NM_FIREWALL_BACKEND_NFTABLES - 1] =
         {
             .name = "nftables",
@@ -721,6 +725,8 @@ nm_firewall_config_apply(NMFirewallConfig *self, gboolean shared)
     case NM_FIREWALL_BACKEND_NFTABLES:
         _fw_nft_set(shared, self->ip_iface, self->addr, self->plen);
         break;
+    case NM_FIREWALL_BACKEND_NONE:
+        break;
     default:
         nm_assert_not_reached();
         break;
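Review bot: The new `[NM_FIREWALL_BACKEND_NONE - 1]` entry is the first row of `FirewallBackends[]` whose `.path` stays NULL; the `@@ -772` hunk accounts for that in the log line, but any other code that walks the table and probes `.path` (the auto-detection in `_firewall_backend_detect()`, which is outside this view, is the obvious candidate) would need a NULL guard. I would state the intent at the entry so the next reader does not treat the missing path as an omission: `/* no helper binary: firewall configuration is skipped, .path stays NULL */`. The `FirewallBackends[]` initializer continues outside the hunk.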
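Review bot: The new `case NM_FIREWALL_BACKEND_NONE:` in `nm_firewall_config_apply()` returns silently, so a shared connection brought up with backend "none" gets no masquerading rules and leaves no trace in the log apart from the debug line emitted once at backend selection. Since the absence of NAT rules is exactly what an operator will later be debugging, a comment plus a per-interface debug line would help: `case NM_FIREWALL_BACKEND_NONE: /* "none": the administrator manages masquerading for shared mode */ nm_log_dbg(LOGD_SHARING, "firewall: backend \"none\", not configuring masquerading for %s", self->ip_iface); break;`. The enclosing switch and the function body start outside the hunk, so I cannot tell whether a caller already logs this.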
@@ -772,15 +778,22 @@ again:
     if (detect)
         b = _firewall_backend_detect();
 
-    nm_assert(NM_IN_SET(b, NM_FIREWALL_BACKEND_IPTABLES, NM_FIREWALL_BACKEND_NFTABLES));
+    nm_assert(NM_IN_SET(b,
+                        NM_FIREWALL_BACKEND_NONE,
+                        NM_FIREWALL_BACKEND_IPTABLES,
+                        NM_FIREWALL_BACKEND_NFTABLES));
 
     if (!g_atomic_int_compare_and_exchange(&backend, NM_FIREWALL_BACKEND_UNKNOWN, b))
         goto again;
 
     nm_log_dbg(LOGD_SHARING,
-               "firewall: use %s backend (%s)%s%s%s%s",
+               "firewall: use %s backend%s%s%s%s%s%s%s",
                FirewallBackends[b - 1].name,
-               FirewallBackends[b - 1].path,
+               NM_PRINT_FMT_QUOTED(FirewallBackends[b - 1].path,
+                                   " (",
+                                   FirewallBackends[b - 1].path,
+                                   ")",
+                                   ""),
                detect ? " (detected)" : "",
                NM_PRINT_FMT_QUOTED(detect && conf_value,
                                    " (invalid setting \"",
@@ -789,6 +802,9 @@ again:
                                    ""));
     }
 
-    nm_assert(NM_IN_SET(b, NM_FIREWALL_BACKEND_IPTABLES, NM_FIREWALL_BACKEND_NFTABLES));
+    nm_assert(NM_IN_SET(b,
+                        NM_FIREWALL_BACKEND_NONE,
+                        NM_FIREWALL_BACKEND_IPTABLES,
+                        NM_FIREWALL_BACKEND_NFTABLES));
     return b;
 }
diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h
index f261aef384..3d6c8a6962 100644
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@@ -9,6 +9,7 @@
 typedef enum {
     NM_FIREWALL_BACKEND_UNKNOWN,
+    NM_FIREWALL_BACKEND_NONE,
     NM_FIREWALL_BACKEND_IPTABLES,
     NM_FIREWALL_BACKEND_NFTABLES,
 } NMFirewallBackend;
 
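Review bot: `NM_FIREWALL_BACKEND_NONE` is inserted in the middle of `NMFirewallBackend`, which shifts the values of `NM_FIREWALL_BACKEND_IPTABLES` and `NM_FIREWALL_BACKEND_NFTABLES`; that is safe here only because `nm-firewall-utils.c` indexes `FirewallBackends[b - 1]` through designated initializers, a coupling the header does not mention. A short comment on the enum would keep the next insertion from breaking it: `/* Values (minus 1) index FirewallBackends[] in nm-firewall-utils.c; add new backends there too. */`. If the numeric values were ever persisted or exposed outside the process the renumbering would also matter, but nothing in this commit suggests they are.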