firewall: add "topic" enum to NMFirewallConfig

We will use firewall config for different purposes. Currently we have the "topic" to configure IPv4 sharing (NAT).
2025-12-20 23:20:06 +01:00 · 2022-05-03 08:04:03 +02:00 · 2022-05-03 08:04:03 +02:00 · c9326fbb92
commit c9326fbb92
parent 14ad50f710
3 changed files with 59 additions and 22 deletions
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@ -12141,7 +12141,7 @@ _dev_ipshared4_start(NMDevice *self)
        goto out_fail;

    priv->ipshared_data_4.v4.firewall_config =
-        nm_firewall_config_new(ip_iface, ip4_addr.address, ip4_addr.plen);
+        nm_firewall_config_new_ip4_shared(ip_iface, ip4_addr.address, ip4_addr.plen);
    nm_firewall_config_apply(priv->ipshared_data_4.v4.firewall_config, TRUE);

    priv->ipshared_data_4.v4.l3cd = nm_l3_config_data_ref(l3cd);
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@ -15,6 +15,10 @@
 #include "nm-config.h"
 #include "NetworkManagerUtils.h"

+typedef enum _nm_packed {
+    FIREWALL_TOPIC_IP4_SHARED,
+} FirewallTopic;
+
 /*****************************************************************************/

 static const struct {
@ -599,7 +603,7 @@ _fw_nft_call_sync(GBytes *stdin_buf, GError **error)
 /*****************************************************************************/

 static void
-_fw_nft_set(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
+_fw_nft_set_ip4_shared(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
 {
    nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
    gs_unref_bytes GBytes   *stdin_buf  = NULL;
@ -686,13 +690,18 @@ _fw_nft_set(gboolean up, const char *ip_iface, in_addr_t addr, guint8 plen)
 /*****************************************************************************/

 struct _NMFirewallConfig {
+    FirewallTopic topic;
    char         *ip_iface;
+    union {
+        struct {
            in_addr_t addr;
            guint8    plen;
+        } ip4_shared;
+    };
 };

 NMFirewallConfig *
-nm_firewall_config_new(const char *ip_iface, in_addr_t addr, guint8 plen)
+nm_firewall_config_new_ip4_shared(const char *ip_iface, in_addr_t addr, guint8 plen)
 {
    NMFirewallConfig *self;

@ -702,9 +711,13 @@ nm_firewall_config_new(const char *ip_iface, in_addr_t addr, guint8 plen)

    self  = g_slice_new(NMFirewallConfig);
    *self = (NMFirewallConfig){
+        .topic    = FIREWALL_TOPIC_IP4_SHARED,
        .ip_iface = g_strdup(ip_iface),
+        .ip4_shared =
+            {
                .addr = addr,
                .plen = plen,
+            },
    };
    return self;
 }
@ -715,6 +728,13 @@ nm_firewall_config_free(NMFirewallConfig *self)
    if (!self)
        return;

+    switch (self->topic) {
+    case FIREWALL_TOPIC_IP4_SHARED:
+        goto out;
+    }
+    nm_assert_not_reached();
+
+out:
    g_free(self->ip_iface);
    nm_g_slice_free(self);
 }
@ -722,20 +742,36 @@ nm_firewall_config_free(NMFirewallConfig *self)
 void
 nm_firewall_config_apply(NMFirewallConfig *self, gboolean up)
 {
+    nm_assert(self);
+
+    switch (self->topic) {
+    case FIREWALL_TOPIC_IP4_SHARED:
        switch (nm_firewall_utils_get_backend()) {
        case NM_FIREWALL_BACKEND_IPTABLES:
-        _share_iptables_set_masquerade(up, self->ip_iface, self->addr, self->plen);
-        _share_iptables_set_shared(up, self->ip_iface, self->addr, self->plen);
-        break;
+            _share_iptables_set_masquerade(up,
+                                           self->ip_iface,
+                                           self->ip4_shared.addr,
+                                           self->ip4_shared.plen);
+            _share_iptables_set_shared(up,
+                                       self->ip_iface,
+                                       self->ip4_shared.addr,
+                                       self->ip4_shared.plen);
+            return;
        case NM_FIREWALL_BACKEND_NFTABLES:
-        _fw_nft_set(up, self->ip_iface, self->addr, self->plen);
-        break;
+            _fw_nft_set_ip4_shared(up,
+                                   self->ip_iface,
+                                   self->ip4_shared.addr,
+                                   self->ip4_shared.plen);
+            return;
        case NM_FIREWALL_BACKEND_NONE:
-        break;
-    default:
-        nm_assert_not_reached();
-        break;
+            return;
+        case NM_FIREWALL_BACKEND_UNKNOWN:
+            goto out_bug;
        }
+        goto out_bug;
+    }
+out_bug:
+    nm_assert_not_reached();
 }

 /*****************************************************************************/
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@ -20,7 +20,8 @@ NMFirewallBackend nm_firewall_utils_get_backend(void);

 typedef struct _NMFirewallConfig NMFirewallConfig;

-NMFirewallConfig *nm_firewall_config_new(const char *ip_iface, in_addr_t addr, guint8 plen);
+NMFirewallConfig *
+nm_firewall_config_new_ip4_shared(const char *ip_iface, in_addr_t addr, guint8 plen);

 void nm_firewall_config_free(NMFirewallConfig *self);