From 274ffe1abbdeb4647ee98448b4ec88069ab3f4aa Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sat, 10 Sep 2022 15:38:43 +0300
Subject: [PATCH] shared/firewall-util: make NFT table init optional

---
 src/shared/firewall-util-nft.c     | 22 ++++++++++++++--------
 src/shared/firewall-util-private.h |  1 +
 src/shared/firewall-util.c         | 12 ++++++++----
 src/shared/firewall-util.h         |  1 +
 4 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/src/shared/firewall-util-nft.c b/src/shared/firewall-util-nft.c
index 450e02fbcf..cc35b1c2de 100644
--- a/src/shared/firewall-util-nft.c
+++ b/src/shared/firewall-util-nft.c
@@ -796,7 +796,7 @@ static int fw_nftables_init_family(sd_netlink *nfnl, int family) {
         return 0;
 }
 
-int fw_nftables_init(FirewallContext *ctx) {
+int fw_nftables_init_full(FirewallContext *ctx, bool init_tables) {
         _cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
         int r;
 
@@ -807,20 +807,26 @@ int fw_nftables_init(FirewallContext *ctx) {
         if (r < 0)
                 return r;
 
-        r = fw_nftables_init_family(nfnl, AF_INET);
-        if (r < 0)
-                return r;
-
-        if (socket_ipv6_is_supported()) {
-                r = fw_nftables_init_family(nfnl, AF_INET6);
+        if (init_tables) {
+                r = fw_nftables_init_family(nfnl, AF_INET);
                 if (r < 0)
-                        log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+                        return r;
+
+                if (socket_ipv6_is_supported()) {
+                        r = fw_nftables_init_family(nfnl, AF_INET6);
+                        if (r < 0)
+                                log_debug_errno(r, "Failed to init ipv6 NAT: %m");
+                }
         }
 
         ctx->nfnl = TAKE_PTR(nfnl);
         return 0;
 }
 
+int fw_nftables_init(FirewallContext *ctx) {
+        return fw_nftables_init_full(ctx, /* init_tables= */ true);
+}
+
 void fw_nftables_exit(FirewallContext *ctx) {
         assert(ctx);
 
diff --git a/src/shared/firewall-util-private.h b/src/shared/firewall-util-private.h
index 14f5a35a87..97f8fe124e 100644
--- a/src/shared/firewall-util-private.h
+++ b/src/shared/firewall-util-private.h
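Review bot: `fw_nftables_init_full` is a new entry point with no comment stating what a context built with `init_tables == false` is good for: `ctx->nfnl` is still set from the opened socket, but the per-family setup done by `fw_nftables_init_family` is skipped, so rule operations issued on such a context presumably fail until the table exists by other means. I would add above the definition: `/* With init_tables=false only the nfnetlink socket is opened; the NAT table and chains are not created, so callers must not rely on them existing for this context. */`. The call that produces the `r` checked at the top of the second hunk lies outside the hunk, so I cannot tell whether any other validation remains on that path once table init is skipped.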
@@ -26,6 +26,7 @@ struct FirewallContext {
 const char *firewall_backend_to_string(FirewallBackend b) _const_;
 
 int fw_nftables_init(FirewallContext *ctx);
+int fw_nftables_init_full(FirewallContext *ctx, bool init_tables);
 void fw_nftables_exit(FirewallContext *ctx);
 
 int fw_nftables_add_masquerade(
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index afa3e02b45..ba3e9cbc5e 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -20,13 +20,13 @@ static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
 
 DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
 
-static void firewall_backend_probe(FirewallContext *ctx) {
+static void firewall_backend_probe(FirewallContext *ctx, bool init_tables) {
         assert(ctx);
 
         if (ctx->backend != _FW_BACKEND_INVALID)
                 return;
 
-        if (fw_nftables_init(ctx) >= 0)
+        if (fw_nftables_init_full(ctx, init_tables) >= 0)
                 ctx->backend = FW_BACKEND_NFTABLES;
         else
 #if HAVE_LIBIPTC
@@ -41,7 +41,7 @@ static void firewall_backend_probe(FirewallContext *ctx) {
         log_debug("No firewall backend found.");
 }
 
-int fw_ctx_new(FirewallContext **ret) {
+int fw_ctx_new_full(FirewallContext **ret, bool init_tables) {
         _cleanup_free_ FirewallContext *ctx = NULL;
 
         ctx = new(FirewallContext, 1);
@@ -52,12 +52,16 @@ int fw_ctx_new(FirewallContext **ret) {
                 .backend = _FW_BACKEND_INVALID,
         };
 
-        firewall_backend_probe(ctx);
+        firewall_backend_probe(ctx, init_tables);
 
         *ret = TAKE_PTR(ctx);
         return 0;
 }
 
+int fw_ctx_new(FirewallContext **ret) {
+        return fw_ctx_new_full(ret, /* init_tables= */ true);
+}
+
 FirewallContext *fw_ctx_free(FirewallContext *ctx) {
         if (!ctx)
                 return NULL;
diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h
index d0e78beba8..4f3cd61bf4 100644
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
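Review bot: With `init_tables == false`, `firewall_backend_probe` records `FW_BACKEND_NFTABLES` as soon as `fw_nftables_init_full` returns non-negative, and in that mode the nft side performs no table operation, so the probe degrades from "nftables is usable" to "the nfnetlink socket could be opened", and the `#if HAVE_LIBIPTC` fallback is never reached for such contexts. That is plausibly the intent for a context that must not touch the tables, but it deserves a comment at the `if (fw_nftables_init_full(ctx, init_tables) >= 0)` line, e.g. `/* With init_tables=false this only verifies nfnetlink is reachable; table creation is skipped, so a later table-creating caller may still fail. */`. `fw_ctx_new_full` in the following hunk forwards the flag without documenting it either; a one-line comment on that definition pointing at the same caveat would help. The probe's iptables branch continues outside the first hunk.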
@@ -9,6 +9,7 @@
 typedef struct FirewallContext FirewallContext;
 
 int fw_ctx_new(FirewallContext **ret);
+int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
 FirewallContext *fw_ctx_free(FirewallContext *ctx);
 
 DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
-- 
2.25.1
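Review bot: The public declaration `int fw_ctx_new_full(FirewallContext **ret, bool init_tables);` is the API most callers will see, and the header carries no comment on what `init_tables` controls or how a context created with `false` differs from one from `fw_ctx_new`. I would add above it: `/* Like fw_ctx_new(), but with init_tables=false the nftables NAT table and chains are not created during backend probing; such a context only has a backend connection, not the table. */`. The "not created" part follows from the firewall-util-nft.c change in this patch; whether later rule operations still succeed on such a context I cannot tell from here.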