author | Florian Westphal <fw@strlen.de> | 2020-06-25 15:00:54 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2020-12-16 00:35:56 +0100 |
commit | 3122097217a6ea44709c6ec053e57097df921331 (patch) | |
tree | 233a20154f0217406d2769dda35335cdc07b0196 /src/shared/firewall-util.h | |
parent | 47ed20e1e08d800e722b05a3fb33ba6be4b48afc (diff) | |
download | systemd-3122097217a6ea44709c6ec053e57097df921331.tar.gz |
firewall-util: prepare for alternative to iptables backend
In a nutshell:
1. git mv firewall-util.c firewall-util-iptables.c
2. existing external functions gain _iptables_ in their names
3. firewall-util.c provides old function names
4. build system always compiles firewall-util.c,
firewall-util-iptables.c is conditional instead (libiptc).
5. On first call to any of the 'old' API functions performs
a probe that should return the preferred backend.
In a future step, can add firewall-util-FOOTYPE.c, add its
probe function to firewall-util.c and then have calls to
fw_add_masq/local_dnat handed to the detected backend.
For now, only iptables backend exists, and no special probing
takes place for it, i.e. when systemd was built with iptables,
that will be used. If not, requests to add masquerade/dnat will
fail with the same error (-EOPNOTSUPP) as before this change.
For reference, the rules added by the libiptc/iptables backend look like this:
for service export (via systemd-nspawn):
[0:0] -A PREROUTING -p tcp -m tcp --dport $exportedport -m addrtype --dst-type LOCAL -j DNAT --to-destination $containerip:$port
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport $exportedport -m addrtype --dst-type LOCAL -j DNAT --to-destination $containerip:$port
for ip masquerade:
[0:0] -A POSTROUTING -s network/prefix -j MASQUERADE
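The dispatch shape the commit message sketches (old function names kept, a backend probed on first call, -EOPNOTSUPP when nothing is available) in working C. This is an added illustration, not systemd's code: the `FwBackendOps` table, the mock "iptables" backend that renders rule text instead of calling libiptc, the `fw_use_backend_table()` demo hook, the IPv4-only checks, the assumed meaning of `previous_remote` and the stand-in `in_addr_union` are all assumptions made for the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Stand-in for systemd's in_addr_union (assumption: only the members used here). */
union in_addr_union { struct in_addr in; struct in6_addr in6; };

/* One backend = a probe plus the two operations the old API exposes (assumed shape). */
typedef struct FwBackendOps {
        const char *name;
        bool (*probe)(void);
        int (*add_masquerade)(bool add, int af, const union in_addr_union *source, unsigned prefixlen);
        int (*add_local_dnat)(bool add, int af, int protocol, uint16_t local_port,
                              const union in_addr_union *remote, uint16_t remote_port);
} FwBackendOps;

/* Mock "iptables" backend: renders the rule text the commit message shows instead
 * of talking to libiptc, so the dispatch can be exercised offline (IPv4 only). */
static char last_rule[256];
static unsigned probe_calls;

static bool mock_iptables_probe(void) {
        probe_calls++;
        return true;            /* pretend libiptc is linked in */
}

static int mock_iptables_add_masquerade(bool add, int af, const union in_addr_union *source, unsigned prefixlen) {
        char a[INET_ADDRSTRLEN];
        if (af != AF_INET || !source || prefixlen > 32)
                return -EINVAL;
        if (!inet_ntop(AF_INET, &source->in, a, sizeof a))
                return -errno;
        snprintf(last_rule, sizeof last_rule, "%s POSTROUTING -s %s/%u -j MASQUERADE",
                 add ? "-A" : "-D", a, prefixlen);
        return 0;
}

static int mock_iptables_add_local_dnat(bool add, int af, int protocol, uint16_t local_port,
                                        const union in_addr_union *remote, uint16_t remote_port) {
        char a[INET_ADDRSTRLEN];
        const char *proto = protocol == IPPROTO_TCP ? "tcp" : protocol == IPPROTO_UDP ? "udp" : NULL;
        if (af != AF_INET || !proto || !remote || local_port == 0 || remote_port == 0)
                return -EINVAL;
        if (!inet_ntop(AF_INET, &remote->in, a, sizeof a))
                return -errno;
        /* Only the PREROUTING rule is rendered; the real backend adds the OUTPUT twin too. */
        snprintf(last_rule, sizeof last_rule,
                 "%s PREROUTING -p %s -m %s --dport %u -m addrtype --dst-type LOCAL -j DNAT --to-destination %s:%u",
                 add ? "-A" : "-D", proto, proto, local_port, a, remote_port);
        return 0;
}

static const FwBackendOps mock_iptables = {
        "iptables", mock_iptables_probe, mock_iptables_add_masquerade, mock_iptables_add_local_dnat,
};

/* NULL-terminated probe order; no_backends models a build without libiptc. */
static const FwBackendOps *const default_backends[] = { &mock_iptables, NULL };
static const FwBackendOps *const no_backends[] = { NULL };

static const FwBackendOps *const *backend_table = default_backends;
static const FwBackendOps *selected;
static bool probed;

/* Demo hook: point the dispatcher at another table and force a fresh probe. */
void fw_use_backend_table(const FwBackendOps *const *table) {
        backend_table = table;
        selected = NULL;
        probed = false;
}

/* Probe on first use only; a negative result is cached too, so retrying callers
 * do not re-probe on every request. */
static const FwBackendOps *fw_backend(void) {
        if (probed)
                return selected;
        for (const FwBackendOps *const *b = backend_table; *b && !selected; b++)
                if ((*b)->probe())
                        selected = *b;
        probed = true;
        return selected;
}

const char *fw_backend_name(void) { const FwBackendOps *b = fw_backend(); return b ? b->name : "none"; }
unsigned fw_probe_calls(void) { return probe_calls; }
const char *fw_last_rule(void) { return last_rule; }

/* The old API names: hand the request to the detected backend, or fail the way
 * the removed inline stubs did. */
int fw_add_masquerade(bool add, int af, const union in_addr_union *source, unsigned source_prefixlen) {
        const FwBackendOps *b = fw_backend();
        return b ? b->add_masquerade(add, af, source, source_prefixlen) : -EOPNOTSUPP;
}

int fw_add_local_dnat(bool add, int af, int protocol, uint16_t local_port,
                      const union in_addr_union *remote, uint16_t remote_port,
                      const union in_addr_union *previous_remote) {
        const FwBackendOps *b = fw_backend();
        if (!b)
                return -EOPNOTSUPP;
        /* Assumed semantics of previous_remote: remove the rule for the old target first. */
        if (add && previous_remote) {
                int r = b->add_local_dnat(false, af, protocol, local_port, previous_remote, remote_port);
                if (r < 0)
                        return r;
        }
        return b->add_local_dnat(add, af, protocol, local_port, remote, remote_port);
}
```

Switching the table to `no_backends` reproduces the libiptc-less build: the probe runs once, finds nothing, and every later `fw_add_*` call returns -EOPNOTSUPP without probing again.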
Diffstat (limited to 'src/shared/firewall-util.h')
-rw-r--r-- | src/shared/firewall-util.h | 25 |
1 files changed, 0 insertions, 25 deletions
diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h index f7191ba006..bb6dc5a0f0 100644 --- a/src/shared/firewall-util.h +++ b/src/shared/firewall-util.h @@ -6,8 +6,6 @@ #include "in-addr-util.h" -#if HAVE_LIBIPTC - int fw_add_masquerade( bool add, int af, @@ -22,26 +20,3 @@ int fw_add_local_dnat( const union in_addr_union *remote, uint16_t remote_port, const union in_addr_union *previous_remote); - -#else - -static inline int fw_add_masquerade( - bool add, - int af, - const union in_addr_union *source, - unsigned source_prefixlen) { - return -EOPNOTSUPP; -} - -static inline int fw_add_local_dnat( - bool add, - int af, - int protocol, - uint16_t local_port, - const union in_addr_union *remote, - uint16_t remote_port, - const union in_addr_union *previous_remote) { - return -EOPNOTSUPP; -} - -#endif |
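Review bot: in the first hunk (@@ -6,8 +6,6 @@), dropping `#if HAVE_LIBIPTC` leaves `fw_add_masquerade()` and `fw_add_local_dnat()` declared unconditionally with nothing in the header telling callers that -EOPNOTSUPP is the expected return when no backend is compiled in; a one-line comment above the declarations stating that contract (the commit message spells it out, the header no longer does) would keep nspawn/networkd callers from treating it as a hard failure.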
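Review bot: the second hunk (@@ -22,26 +20,3 @@) deletes the inline stubs that returned -EOPNOTSUPP, and the replacement in firewall-util.c is outside this diffstat (limited to src/shared/firewall-util.h), so the -EOPNOTSUPP promise in the commit message cannot be verified from this file alone; please confirm the new fallback returns exactly -EOPNOTSUPP (not -ENOSYS or -ENOTSUP on platforms where they differ) and that the first-call probe caches a negative result so repeated `fw_add_local_dnat()` calls do not re-probe. The `previous_remote` parameter also survives the move undocumented; since the stub that ignored it is gone, a short comment on its semantics (remove the rule for the old target before adding the new one) belongs next to the declaration.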