authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:49:52 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:49:52 +0000
commit55944e5e40b1be2afc4855d8d2baf4b73d1876b5 (patch)
tree33f869f55a1b149e9b7c2b7e201867ca5dd52992 /src/shared/firewall-util.h
parentInitial commit. (diff)
downloadsystemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.tar.xz
systemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.zip
Adding upstream version 255.4.upstream/255.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/shared/firewall-util.h')
-rw-r--r--src/shared/firewall-util.h104
1 files changed, 104 insertions, 0 deletions
diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h
new file mode 100644
index 0000000..14e35be
--- /dev/null
+++ b/src/shared/firewall-util.h
@@ -0,0 +1,104 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <stdbool.h>
+#include <stdint.h>
+
+#include "conf-parser.h"
+#include "in-addr-util.h"
+
+typedef struct FirewallContext FirewallContext;
+
+int fw_ctx_new(FirewallContext **ret);
+int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
+FirewallContext *fw_ctx_free(FirewallContext *ctx);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
+
+size_t fw_ctx_get_reply_callback_count(FirewallContext *ctx);
+
+int fw_add_masquerade(
+ FirewallContext **ctx,
+ bool add,
+ int af,
+ const union in_addr_union *source,
+ unsigned source_prefixlen);
+
+int fw_add_local_dnat(
+ FirewallContext **ctx,
+ bool add,
+ int af,
+ int protocol,
+ uint16_t local_port,
+ const union in_addr_union *remote,
+ uint16_t remote_port,
+ const union in_addr_union *previous_remote);
+
+typedef enum NFTSetSource {
+ NFT_SET_SOURCE_ADDRESS,
+ NFT_SET_SOURCE_PREFIX,
+ NFT_SET_SOURCE_IFINDEX,
+ NFT_SET_SOURCE_CGROUP,
+ NFT_SET_SOURCE_USER,
+ NFT_SET_SOURCE_GROUP,
+ _NFT_SET_SOURCE_MAX,
+ _NFT_SET_SOURCE_INVALID = -EINVAL,
+} NFTSetSource;
+
+typedef struct NFTSet {
+ NFTSetSource source;
+ int nfproto;
+ char *table;
+ char *set;
+} NFTSet;
+
+typedef struct NFTSetContext {
+ NFTSet *sets;
+ size_t n_sets;
+} NFTSetContext;
+
+void nft_set_context_clear(NFTSetContext *s);
+int nft_set_context_dup(const NFTSetContext *src, NFTSetContext *dst);
+
+const char *nfproto_to_string(int i) _const_;
+int nfproto_from_string(const char *s) _pure_;
+
+const char *nft_set_source_to_string(int i) _const_;
+int nft_set_source_from_string(const char *s) _pure_;
+
+int nft_set_element_modify_iprange(
+ FirewallContext *ctx,
+ bool add,
+ int nfproto,
+ int af,
+ const char *table,
+ const char *set,
+ const union in_addr_union *source,
+ unsigned int source_prefixlen);
+
+int nft_set_element_modify_ip(
+ FirewallContext *ctx,
+ bool add,
+ int nfproto,
+ int af,
+ const char *table,
+ const char *set,
+ const union in_addr_union *source);
+
+int nft_set_element_modify_any(
+ FirewallContext *ctx,
+ bool add,
+ int nfproto,
+ const char *table,
+ const char *set,
+ const void *element,
+ size_t element_size);
+
+int nft_set_add(NFTSetContext *s, NFTSetSource source, int nfproto, const char *table, const char *set);
+
+typedef enum NFTSetParseFlags {
+ NFT_SET_PARSE_NETWORK,
+ NFT_SET_PARSE_CGROUP,
+} NFTSetParseFlags;
+
+CONFIG_PARSER_PROTOTYPE(config_parse_nft_set);
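Review bot: None of the public declarations in this header document their ownership or sizing contracts, and two of them are easy for a caller to get wrong: `nft_set_element_modify_any` takes an untyped `const void *element` plus `element_size`, and `nft_set_add` takes borrowed `const char *` table/set names while `NFTSet` stores them as owned `char *` (the presence of `nft_set_context_clear` suggests they are duplicated, but the header does not say so). I would add a comment on `nft_set_element_modify_any` along the lines of `/* element must point to exactly element_size bytes in the key encoding of the target set; the callee does not validate the size against the set's key type */` (confirm the second half against the implementation), and one on `nft_set_add` stating whether table and set are copied. The asymmetry between `fw_add_masquerade`/`fw_add_local_dnat` taking `FirewallContext **ctx` and the `nft_set_element_modify_*` family taking `FirewallContext *ctx` is presumably lazy allocation of the context on the first call; a one-line comment on the `**ctx` variants would spare readers that guess. Separately, the header uses `EINVAL`, `size_t`, `DEFINE_TRIVIAL_CLEANUP_FUNC` and `_const_`/`_pure_` without including `<errno.h>`, `<stddef.h>` or the macro header that defines them, so it is only self-contained via whatever `conf-parser.h` pulls in transitively.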