firewall: add special firewall-backend "none"

2026-05-05 16:58:02 +02:00 · 2021-05-12 12:02:33 +02:00 · 2021-05-12 12:02:33 +02:00 · a79d5e2218
commit a79d5e2218
parent 9ebdb967de
3 changed files with 30 additions and 6 deletions
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -479,8 +479,15 @@ no-auto-default=*
        <term><varname>firewall-backend</varname></term>
        <listitem>
          <para>
-            The firewall backend for configuring masquerading.
-            Set to either <literal>iptables</literal> or <literal>nftables</literal>.
+            The firewall backend for configuring masquerading
+            with shared mode.
+            Set to either <literal>iptables</literal>, <literal>nftables</literal>
+            or <literal>none</literal>.
+            <literal>iptables</literal> and <literal>nftables</literal>
+            require <literal>iptables</literal> and <literal>nft</literal>
+            application, respectively.
+            <literal>none</literal> means to skip firewall configuration if
+            the users wish to manage firewall themselves.
            If unspecified, it will be auto detected.
          </para>
        </listitem>
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@ -21,6 +21,10 @@ static const struct {
    const char *name;
    const char *path;
 } FirewallBackends[] = {
+    [NM_FIREWALL_BACKEND_NONE - 1] =
+        {
+            .name = "none",
+        },
    [NM_FIREWALL_BACKEND_NFTABLES - 1] =
        {
            .name = "nftables",
@ -721,6 +725,8 @@ nm_firewall_config_apply(NMFirewallConfig *self, gboolean shared)
    case NM_FIREWALL_BACKEND_NFTABLES:
        _fw_nft_set(shared, self->ip_iface, self->addr, self->plen);
        break;
+    case NM_FIREWALL_BACKEND_NONE:
+        break;
    default:
        nm_assert_not_reached();
        break;
@ -772,15 +778,22 @@ again:
        if (detect)
            b = _firewall_backend_detect();

-        nm_assert(NM_IN_SET(b, NM_FIREWALL_BACKEND_IPTABLES, NM_FIREWALL_BACKEND_NFTABLES));
+        nm_assert(NM_IN_SET(b,
+                            NM_FIREWALL_BACKEND_NONE,
+                            NM_FIREWALL_BACKEND_IPTABLES,
+                            NM_FIREWALL_BACKEND_NFTABLES));

        if (!g_atomic_int_compare_and_exchange(&backend, NM_FIREWALL_BACKEND_UNKNOWN, b))
            goto again;

        nm_log_dbg(LOGD_SHARING,
-                   "firewall: use %s backend (%s)%s%s%s%s",
+                   "firewall: use %s backend%s%s%s%s%s%s%s",
                   FirewallBackends[b - 1].name,
-                   FirewallBackends[b - 1].path,
+                   NM_PRINT_FMT_QUOTED(FirewallBackends[b - 1].path,
+                                       " (",
+                                       FirewallBackends[b - 1].path,
+                                       ")",
+                                       ""),
                   detect ? " (detected)" : "",
                   NM_PRINT_FMT_QUOTED(detect && conf_value,
                                       " (invalid setting \"",
@ -789,6 +802,9 @@ again:
                                       ""));
    }

-    nm_assert(NM_IN_SET(b, NM_FIREWALL_BACKEND_IPTABLES, NM_FIREWALL_BACKEND_NFTABLES));
+    nm_assert(NM_IN_SET(b,
+                        NM_FIREWALL_BACKEND_NONE,
+                        NM_FIREWALL_BACKEND_IPTABLES,
+                        NM_FIREWALL_BACKEND_NFTABLES));
    return b;
 }
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@ -9,6 +9,7 @@

 typedef enum {
    NM_FIREWALL_BACKEND_UNKNOWN,
+    NM_FIREWALL_BACKEND_NONE,
    NM_FIREWALL_BACKEND_IPTABLES,
    NM_FIREWALL_BACKEND_NFTABLES,
 } NMFirewallBackend;