authorThomas Haller <thaller@redhat.com>2021-05-12 12:02:33 +0200
committerThomas Haller <thaller@redhat.com>2021-05-14 11:41:33 +0200
commita79d5e2218d4adc40cb8794b56845b06cb5a2478 (patch)
treea732ee942ab87cebf9ae3ad2dd8c5b174e2231a1
parent9ebdb967ded7cdf53e5193129e24556447b8a1e0 (diff)
downloadNetworkManager-a79d5e2218d4adc40cb8794b56845b06cb5a2478.tar.gz
firewall: add special firewall-backend "none"
-rw-r--r--man/NetworkManager.conf.xml11
-rw-r--r--src/core/nm-firewall-utils.c24
-rw-r--r--src/core/nm-firewall-utils.h1
3 files changed, 30 insertions, 6 deletions
diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index f88688e94b..d8fce34d6e 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -479,8 +479,15 @@ no-auto-default=*
<term><varname>firewall-backend</varname></term>
<listitem>
<para>
- The firewall backend for configuring masquerading.
- Set to either <literal>iptables</literal> or <literal>nftables</literal>.
+ The firewall backend for configuring masquerading
+ with shared mode.
+ Set to either <literal>iptables</literal>, <literal>nftables</literal>
+ or <literal>none</literal>.
+ <literal>iptables</literal> and <literal>nftables</literal>
+ require <literal>iptables</literal> and <literal>nft</literal>
+ application, respectively.
+ <literal>none</literal> means to skip firewall configuration if
+ the users wish to manage firewall themselves.
If unspecified, it will be auto detected.
</para>
</listitem>
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 22d52031a0..cc342b3f22 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -21,6 +21,10 @@ static const struct {
const char *name;
const char *path;
} FirewallBackends[] = {
+ [NM_FIREWALL_BACKEND_NONE - 1] =
+ {
+ .name = "none",
+ },
[NM_FIREWALL_BACKEND_NFTABLES - 1] =
{
.name = "nftables",
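Review bot: The new entry at `[NM_FIREWALL_BACKEND_NONE - 1]` sets only `.name`, so `FirewallBackends[b - 1].path` is NULL for the "none" backend; the commit adapts the debug log for that, but any other reader of `.path` — presumably `_firewall_backend_detect()` or whatever execs the backend binary — must also tolerate a NULL path, and none of that is visible in this diff. A comment on the entry would make the contract explicit for the next reader: `/* no binary: "none" skips firewall configuration entirely, .path stays NULL */`. The FirewallBackends initializer continues past the end of the hunk.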
@@ -721,6 +725,8 @@ nm_firewall_config_apply(NMFirewallConfig *self, gboolean shared)
case NM_FIREWALL_BACKEND_NFTABLES:
_fw_nft_set(shared, self->ip_iface, self->addr, self->plen);
break;
+ case NM_FIREWALL_BACKEND_NONE:
+ break;
default:
nm_assert_not_reached();
break;
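Review bot: The new `case NM_FIREWALL_BACKEND_NONE: break;` is a silent no-op, which is correct for the feature but reads like an accidental omission next to the iptables/nftables arms; a one-line comment would prevent it being "fixed" later, e.g. `/* "none": the user manages the firewall themselves, nothing to apply */`. The enclosing switch in nm_firewall_config_apply starts before the hunk.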
@@ -772,15 +778,22 @@ again:
if (detect)
b = _firewall_backend_detect();
- nm_assert(NM_IN_SET(b, NM_FIREWALL_BACKEND_IPTABLES, NM_FIREWALL_BACKEND_NFTABLES));
+ nm_assert(NM_IN_SET(b,
+ NM_FIREWALL_BACKEND_NONE,
+ NM_FIREWALL_BACKEND_IPTABLES,
+ NM_FIREWALL_BACKEND_NFTABLES));
if (!g_atomic_int_compare_and_exchange(&backend, NM_FIREWALL_BACKEND_UNKNOWN, b))
goto again;
nm_log_dbg(LOGD_SHARING,
- "firewall: use %s backend (%s)%s%s%s%s",
+ "firewall: use %s backend%s%s%s%s%s%s%s",
FirewallBackends[b - 1].name,
- FirewallBackends[b - 1].path,
+ NM_PRINT_FMT_QUOTED(FirewallBackends[b - 1].path,
+ " (",
+ FirewallBackends[b - 1].path,
+ ")",
+ ""),
detect ? " (detected)" : "",
NM_PRINT_FMT_QUOTED(detect && conf_value,
" (invalid setting \"",
@@ -789,6 +802,9 @@ again:
""));
}
- nm_assert(NM_IN_SET(b, NM_FIREWALL_BACKEND_IPTABLES, NM_FIREWALL_BACKEND_NFTABLES));
+ nm_assert(NM_IN_SET(b,
+ NM_FIREWALL_BACKEND_NONE,
+ NM_FIREWALL_BACKEND_IPTABLES,
+ NM_FIREWALL_BACKEND_NFTABLES));
return b;
}
diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h
index f261aef384..3d6c8a6962 100644
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@@ -9,6 +9,7 @@
typedef enum {
NM_FIREWALL_BACKEND_UNKNOWN,
+ NM_FIREWALL_BACKEND_NONE,
NM_FIREWALL_BACKEND_IPTABLES,
NM_FIREWALL_BACKEND_NFTABLES,
} NMFirewallBackend;
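Review bot: Inserting `NM_FIREWALL_BACKEND_NONE` between `UNKNOWN` and `IPTABLES` renumbers the two existing enumerators; that is harmless if the values are only used in-process (the `FirewallBackends[b - 1]` table is designated-initialized, so it follows the change), but it would matter if the numeric value is ever persisted or exposed, which this diff cannot show. The new enumerator also carries no comment while its meaning is documented only in the man page; `NM_FIREWALL_BACKEND_NONE, /* skip firewall/masquerading setup; the user manages the firewall */` would keep the header self-describing.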