Support none parameter on NETAVARK_FW
Passing the environment variable NETAVARK_FW=none disables all firewall/portmapper related features, leaving configuration of the firewall to the user.

Signed-off-by: Oskari Rauta <[email protected]>
oskarirauta committed Mar 1, 2023
1 parent 70eee07 commit c505c58
Showing 3 changed files with 53 additions and 1 deletion.
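--- a/src/firewall/fwnone.rs
+++ b/src/firewall/fwnone.rs
@@ -0,0 +1,32 @@
+use crate::firewall;
+use crate::firewall::NetavarkResult;
+use crate::network::internal_types::{
+PortForwardConfig, SetupNetwork, TearDownNetwork, TeardownPortForward,
+};
+
+// Iptables driver - uses direct iptables commands via the iptables crate.
+pub struct Fwnone {}
+
+pub fn new() -> NetavarkResult<Box<dyn firewall::FirewallDriver>> {
+Ok(Box::new(Fwnone {}))
+}
+
+impl firewall::FirewallDriver for Fwnone {
+fn setup_network(&self, _network_setup: SetupNetwork) -> NetavarkResult<()> {
+Ok(())
+}
+
+// teardown_network should only be called in the case of
+// a complete teardown.
+fn teardown_network(&self, _tear: TearDownNetwork) -> NetavarkResult<()> {
+Ok(())
+}
+
+fn setup_port_forward(&self, _setup_portfw: PortForwardConfig) -> NetavarkResult<()> {
+Ok(())
+}
+
+fn teardown_port_forward(&self, _tear: TeardownPortForward) -> NetavarkResult<()> {
+Ok(())
+}
+}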
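Review bot: The header comment above `pub struct Fwnone {}` reads `// Iptables driver - uses direct iptables commands via the iptables crate.`, which describes a different backend and appears to be carried over from the iptables driver; in a file whose whole purpose is to do nothing it actively misleads. Replace it with something like `// No-op driver selected by NETAVARK_FW=none: every FirewallDriver method returns Ok(()) without touching the host firewall, so NAT, port forwarding and network isolation are left entirely to the operator.` Each of the four empty `Ok(())` bodies would also read better with a one-line `// intentional no-op, see NETAVARK_FW=none` so a later reader does not mistake them for stubs, and the `// teardown_network should only be called in the case of a complete teardown.` comment likewise looks inherited from iptables rather than written for this driver.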
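--- a/src/firewall/mod.rs
+++ b/src/firewall/mod.rs
@@ -7,6 +7,7 @@ use std::env;
 use zbus::blocking::Connection;
 
 pub mod firewalld;
+pub mod fwnone;
 pub mod iptables;
 mod varktables;
 
@@ -29,12 +30,13 @@ enum FirewallImpl {
 Iptables,
 Firewalld(Connection),
 Nftables,
+Fwnone,
 }
 
 /// What firewall implementations does this system support?
 fn get_firewall_impl() -> NetavarkResult<FirewallImpl> {
 // First, check the NETAVARK_FW env var.
-// It respects "firewalld", "iptables", "nftables".
+// It respects "firewalld", "iptables", "nftables", "none".
 if let Ok(var) = env::var("NETAVARK_FW") {
 debug!("Forcibly using firewall driver {}", var);
 match var.to_lowercase().as_str() {
@@ -52,6 +54,7 @@ fn get_firewall_impl() -> NetavarkResult<FirewallImpl> {
 }
 "iptables" => return Ok(FirewallImpl::Iptables),
 "nftables" => return Ok(FirewallImpl::Nftables),
+"none" => return Ok(FirewallImpl::Fwnone),
 any => {
 return Err(NetavarkError::Message(format!(
 "Must provide a valid firewall backend, got {}",
@@ -101,6 +104,10 @@ pub fn get_supported_firewall_driver() -> NetavarkResult<Box<dyn FirewallDriver>
 "nftables support presently not available",
 ))
 }
+FirewallImpl::Fwnone => {
+info!("Not using firewall");
+fwnone::new()
+}
 },
 Err(e) => Err(e),
 }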
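Review bot: The `info!("Not using firewall");` in the new `FirewallImpl::Fwnone` arm of get_supported_firewall_driver is the only operator-visible signal that NAT, port-forwarding and isolation rules are being skipped, and it does not say so. A message such as `info!("NETAVARK_FW=none: not configuring firewall, NAT or port forwarding rules");` makes the consequence explicit; test/500-bridge-fwnone.bats in this commit asserts the exact current string, so it would need the same change. In the `any =>` arm of get_firewall_impl the error text, as far as the hunk shows, reports only the rejected value; listing the accepted names including `none` there would keep it in step with the updated comment above the match. Both get_firewall_impl and get_supported_firewall_driver start and end outside the hunks shown.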
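--- a/test/500-bridge-fwnone.bats
+++ b/test/500-bridge-fwnone.bats
@@ -0,0 +1,13 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# bridge driver tests with none firewall driver
+#
+
+load helpers
+
+fw_driver=none
+
+@test "check none firewall driver is in use" {
+RUST_LOG=netavark=info NETAVARK_FW="none" run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
+assert "${lines[0]}" "==" "[INFO netavark::firewall] Not using firewall" "none firewall driver is in use"
+}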
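Review bot: The test exercises only the setup path, so the none driver's teardown_network and teardown_port_forward implementations added in this commit are never run. Following the assertion with `RUST_LOG=netavark=info NETAVARK_FW="none" run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json teardown $(get_container_netns_path)` would cover them with the same fixture. `fw_driver=none` at the top and the inline `NETAVARK_FW="none"` appear to express the same choice twice; whether the helpers file reads `fw_driver` is not visible here, so one of the two may be redundant.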
