firewall: allow selecting firewall backend via env var
parent
f643dd1f24
commit
d54c747f7e
|
@ -573,3 +573,9 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
|
|||
|
||||
* `$SYSTEMD_REPART_OVERRIDE_FSTYPE` – if set the value will override the file
|
||||
system type specified in Format= lines in partition definition files.
|
||||
|
||||
`systemd-nspawn`, `systemd-networkd`:
|
||||
|
||||
* `$SYSTEMD_FIREWALL_BACKEND` – takes a string, either `iptables` or
|
||||
`nftables`. Selects the firewall backend to use. If not specified tries to
|
||||
use `nftables` and falls back to `iptables` if that's not available.
|
||||
|
|
|
@ -21,19 +21,38 @@ static const char * const firewall_backend_table[_FW_BACKEND_MAX] = {
|
|||
DEFINE_STRING_TABLE_LOOKUP_TO_STRING(firewall_backend, FirewallBackend);
|
||||
|
||||
static void firewall_backend_probe(FirewallContext *ctx, bool init_tables) {
|
||||
const char *e;
|
||||
|
||||
assert(ctx);
|
||||
|
||||
if (ctx->backend != _FW_BACKEND_INVALID)
|
||||
return;
|
||||
|
||||
if (fw_nftables_init_full(ctx, init_tables) >= 0)
|
||||
ctx->backend = FW_BACKEND_NFTABLES;
|
||||
else
|
||||
e = secure_getenv("SYSTEMD_FIREWALL_BACKEND");
|
||||
if (e) {
|
||||
if (streq(e, "nftables"))
|
||||
ctx->backend = FW_BACKEND_NFTABLES;
|
||||
else if (streq(e, "iptables"))
|
||||
#if HAVE_LIBIPTC
|
||||
ctx->backend = FW_BACKEND_IPTABLES;
|
||||
ctx->backend = FW_BACKEND_IPTABLES;
|
||||
#else
|
||||
ctx->backend = FW_BACKEND_NONE;
|
||||
log_debug("Unsupported firewall backend requested, ignoring: %s", e);
|
||||
#endif
|
||||
else
|
||||
log_debug("Unrecognized $SYSTEMD_FIREWALL_BACKEND value, ignoring: %s", e);
|
||||
}
|
||||
|
||||
if (ctx->backend == _FW_BACKEND_INVALID) {
|
||||
|
||||
if (fw_nftables_init_full(ctx, init_tables) >= 0)
|
||||
ctx->backend = FW_BACKEND_NFTABLES;
|
||||
else
|
||||
#if HAVE_LIBIPTC
|
||||
ctx->backend = FW_BACKEND_IPTABLES;
|
||||
#else
|
||||
ctx->backend = FW_BACKEND_NONE;
|
||||
#endif
|
||||
}
|
||||
|
||||
if (ctx->backend != FW_BACKEND_NONE)
|
||||
log_debug("Using %s as firewall backend.", firewall_backend_to_string(ctx->backend));
|
||||
|
|
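Review bot: Selecting `nftables` through the environment variable at `if (streq(e, "nftables"))` assigns `ctx->backend = FW_BACKEND_NFTABLES` without calling `fw_nftables_init_full()`, which in this hunk runs only inside the `if (ctx->backend == _FW_BACKEND_INVALID)` block; unless the caller initializes the nftables state somewhere this hunk does not show, an explicitly requested nftables backend is then used with a context that was never set up. The auto-probe path treats an init failure as the signal to fall back, so the explicit path should attempt the same initialization and report when it fails instead of trusting the request. I would move the init call into the `nftables` branch as below, leaving the backend unset on failure so the existing probe block still runs. The function's closing brace lies outside the hunk.
```c
                if (streq(e, "nftables")) {
                        /* Honour the request only if the nftables backend actually comes up;
                         * otherwise fall through to the regular probing below. */
                        if (fw_nftables_init_full(ctx, init_tables) >= 0)
                                ctx->backend = FW_BACKEND_NFTABLES;
                        else
                                log_debug("Requested nftables firewall backend could not be initialized, falling back to auto-detection.");
                } else if (streq(e, "iptables"))
                /* … unchanged: iptables branch, fallback probe, final log_debug … */
```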