firewall/utils: replace ipv4 iptables macro with ipxtables macro

This commit is contained in:
Jan Vaclav
2025-03-27 11:21:45 +01:00
parent 18d5b7d641
commit 2106251e46


@@ -213,9 +213,6 @@ _iptables_call_v(const char *const *argv)
return TRUE; return TRUE;
} }
#define _share_iptables_call(...) \
_iptables_call_v(NM_MAKE_STRV("" IPTABLES_PATH "", "--wait", "2", __VA_ARGS__))
#define _ipxtables_call(family, ...) \ #define _ipxtables_call(family, ...) \
_iptables_call_v( \ _iptables_call_v( \
NM_MAKE_STRV((family == AF_INET ? "" IPTABLES_PATH "" : "" IP6TABLES_PATH ""), \ NM_MAKE_STRV((family == AF_INET ? "" IPTABLES_PATH "" : "" IP6TABLES_PATH ""), \
@@ -226,7 +223,7 @@ _iptables_call_v(const char *const *argv)
static gboolean static gboolean
_share_iptables_chain_op(const char *table, const char *chain, const char *op) _share_iptables_chain_op(const char *table, const char *chain, const char *op)
{ {
return _share_iptables_call("--table", table, op, chain); return _ipxtables_call(AF_INET, "--table", table, op, chain);
} }
static gboolean static gboolean
@@ -255,21 +252,22 @@ _share_iptables_set_masquerade_sync(gboolean up, const char *ip_iface, in_addr_t
comment_name = _iptables_get_name(FALSE, "nm-shared", ip_iface); comment_name = _iptables_get_name(FALSE, "nm-shared", ip_iface);
_share_iptables_subnet_to_str(str_subnet, addr, plen); _share_iptables_subnet_to_str(str_subnet, addr, plen);
_share_iptables_call("--table", _ipxtables_call(AF_INET,
"nat", "--table",
up ? "--insert" : "--delete", "nat",
"POSTROUTING", up ? "--insert" : "--delete",
"--source", "POSTROUTING",
str_subnet, "--source",
"!", str_subnet,
"--destination", "!",
str_subnet, "--destination",
"--jump", str_subnet,
"MASQUERADE", "--jump",
"-m", "MASQUERADE",
"comment", "-m",
"--comment", "comment",
comment_name); "--comment",
comment_name);
} }
static void static void
@@ -305,70 +303,76 @@ _share_iptables_set_shared_chains_add(const char *chain_input,
_share_iptables_chain_add("filter", chain_input); _share_iptables_chain_add("filter", chain_input);
for (i = 0; i < (int) G_N_ELEMENTS(input_params); i++) { for (i = 0; i < (int) G_N_ELEMENTS(input_params); i++) {
_share_iptables_call("--table", _ipxtables_call(AF_INET,
"filter", "--table",
"--append", "filter",
chain_input, "--append",
"--protocol", chain_input,
input_params[i][0], "--protocol",
"--destination-port", input_params[i][0],
input_params[i][1], "--destination-port",
"--jump", input_params[i][1],
"ACCEPT"); "--jump",
"ACCEPT");
} }
_share_iptables_chain_add("filter", chain_forward); _share_iptables_chain_add("filter", chain_forward);
_share_iptables_call("--table", _ipxtables_call(AF_INET,
"filter", "--table",
"--append", "filter",
chain_forward, "--append",
"--destination", chain_forward,
str_subnet, "--destination",
"--out-interface", str_subnet,
ip_iface, "--out-interface",
"--match", ip_iface,
"state", "--match",
"--state", "state",
"ESTABLISHED,RELATED", "--state",
"--jump", "ESTABLISHED,RELATED",
"ACCEPT"); "--jump",
_share_iptables_call("--table", "ACCEPT");
"filter", _ipxtables_call(AF_INET,
"--append", "--table",
chain_forward, "filter",
"--source", "--append",
str_subnet, chain_forward,
"--in-interface", "--source",
ip_iface, str_subnet,
"--jump", "--in-interface",
"ACCEPT"); ip_iface,
_share_iptables_call("--table", "--jump",
"filter", "ACCEPT");
"--append", _ipxtables_call(AF_INET,
chain_forward, "--table",
"--in-interface", "filter",
ip_iface, "--append",
"--out-interface", chain_forward,
ip_iface, "--in-interface",
"--jump", ip_iface,
"ACCEPT"); "--out-interface",
_share_iptables_call("--table", ip_iface,
"filter", "--jump",
"--append", "ACCEPT");
chain_forward, _ipxtables_call(AF_INET,
"--out-interface", "--table",
ip_iface, "filter",
"--jump", "--append",
"REJECT"); chain_forward,
_share_iptables_call("--table", "--out-interface",
"filter", ip_iface,
"--append", "--jump",
chain_forward, "REJECT");
"--in-interface", _ipxtables_call(AF_INET,
ip_iface, "--table",
"--jump", "filter",
"REJECT"); "--append",
chain_forward,
"--in-interface",
ip_iface,
"--jump",
"REJECT");
} }
static void static void
@@ -392,29 +396,31 @@ _share_iptables_set_shared_sync(gboolean up, const char *ip_iface, in_addr_t add
if (up) if (up)
_share_iptables_set_shared_chains_add(chain_input, chain_forward, ip_iface, addr, plen); _share_iptables_set_shared_chains_add(chain_input, chain_forward, ip_iface, addr, plen);
_share_iptables_call("--table", _ipxtables_call(AF_INET,
"filter", "--table",
up ? "--insert" : "--delete", "filter",
"INPUT", up ? "--insert" : "--delete",
"--in-interface", "INPUT",
ip_iface, "--in-interface",
"--jump", ip_iface,
chain_input, "--jump",
"-m", chain_input,
"comment", "-m",
"--comment", "comment",
comment_name); "--comment",
comment_name);
_share_iptables_call("--table", _ipxtables_call(AF_INET,
"filter", "--table",
up ? "--insert" : "--delete", "filter",
"FORWARD", up ? "--insert" : "--delete",
"--jump", "FORWARD",
chain_forward, "--jump",
"-m", chain_forward,
"comment", "-m",
"--comment", "comment",
comment_name); "--comment",
comment_name);
if (!up) if (!up)
_share_iptables_set_shared_chains_delete(chain_input, chain_forward); _share_iptables_set_shared_chains_delete(chain_input, chain_forward);