firewall: allow selecting firewall backend via env var

2024-07-21 10:17:21 +00:00 · 2023-11-02 15:58:50 +01:00 · 2023-11-02 15:58:50 +01:00 · d54c747f7e
parent f643dd1f24
commit d54c747f7e
2 changed files with 30 additions and 5 deletions
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@ -573,3 +573,9 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \

 * `$SYSTEMD_REPART_OVERRIDE_FSTYPE` – if set the value will override the file
  system type specified in Format= lines in partition definition files.
+
+`systemd-nspawn`, `systemd-networkd`:
+
+* `$SYSTEMD_FIREWALL_BACKEND` – takes a string, either `iptables` or
+  `nftables`. Selects the firewall backend to use. If not specified tries to
+  use `nftables` and falls back to `iptables` if that's not available.
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@ -21,19 +21,38 @@ static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
 DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);

 static void firewall_backend_probe(FirewallContext *ctx, bool init_tables) {
+        const char *e;
+
        assert(ctx);

        if (ctx->backend != _FW_BACKEND_INVALID)
                return;

-        if (fw_nftables_init_full(ctx, init_tables) >= 0)
-                ctx->backend = FW_BACKEND_NFTABLES;
-        else
+        e = secure_getenv("SYSTEMD_FIREWALL_BACKEND");
+        if (e) {
+                if (streq(e, "nftables"))
+                        ctx->backend = FW_BACKEND_NFTABLES;
+                else if (streq(e, "iptables"))
 #if HAVE_LIBIPTC
-                ctx->backend = FW_BACKEND_IPTABLES;
+                        ctx->backend = FW_BACKEND_IPTABLES;
 #else
-                ctx->backend = FW_BACKEND_NONE;
+                        log_debug("Unsupported firewall backend requested, ignoring: %s", e);
 #endif
+                else
+                        log_debug("Unrecognized $SYSTEMD_FIREWALL_BACKEND value, ignoring: %s", e);
+        }
+
+        if (ctx->backend == _FW_BACKEND_INVALID) {
+
+                if (fw_nftables_init_full(ctx, init_tables) >= 0)
+                        ctx->backend = FW_BACKEND_NFTABLES;
+                else
+#if HAVE_LIBIPTC
+                        ctx->backend = FW_BACKEND_IPTABLES;
+#else
+                        ctx->backend = FW_BACKEND_NONE;
+#endif
+        }

        if (ctx->backend != FW_BACKEND_NONE)
                log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));