From c505c5824004368177b11e1bea6aa708e7d2f86b Mon Sep 17 00:00:00 2001
From: Oskari Rauta
Date: Wed, 1 Mar 2023 07:25:30 +0000
Subject: [PATCH] Support none parameter on NETAVARK_FW

Passing environment valuepair NETAVARK_FW=none disables all firewall/portmapper related features leaving configuration of firewall to user.

Signed-off-by: Oskari Rauta
---
 src/firewall/fwnone.rs | 32 ++++++++++++++++++++++++++++++++
 src/firewall/mod.rs | 9 ++++++++-
 test/500-bridge-fwnone.bats | 13 +++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 src/firewall/fwnone.rs
 create mode 100644 test/500-bridge-fwnone.bats

diff --git a/src/firewall/fwnone.rs b/src/firewall/fwnone.rs
new file mode 100644
index 000000000..5b6f1aa66
--- /dev/null
+++ b/src/firewall/fwnone.rs
@@ -0,0 +1,32 @@
+use crate::firewall;
+use crate::firewall::NetavarkResult;
+use crate::network::internal_types::{
+ PortForwardConfig, SetupNetwork, TearDownNetwork, TeardownPortForward,
+};
+
+// Iptables driver - uses direct iptables commands via the iptables crate.
+pub struct Fwnone {}
+
+pub fn new() -> NetavarkResult> {
+ Ok(Box::new(Fwnone {}))
+}
+
+impl firewall::FirewallDriver for Fwnone {
+ fn setup_network(&self, _network_setup: SetupNetwork) -> NetavarkResult<()> {
+ Ok(())
+ }
+
+ // teardown_network should only be called in the case of
+ // a complete teardown.
+ fn teardown_network(&self, _tear: TearDownNetwork) -> NetavarkResult<()> {
+ Ok(())
+ }
+
+ fn setup_port_forward(&self, _setup_portfw: PortForwardConfig) -> NetavarkResult<()> {
+ Ok(())
+ }
+
+ fn teardown_port_forward(&self, _tear: TeardownPortForward) -> NetavarkResult<()> {
+ Ok(())
+ }
+}
diff --git a/src/firewall/mod.rs b/src/firewall/mod.rs
index 2a28150ec..3f2fed379 100644
--- a/src/firewall/mod.rs
+++ b/src/firewall/mod.rs
@@ -7,6 +7,7 @@ use std::env;
 use zbus::blocking::Connection;
 
 pub mod firewalld;
+pub mod fwnone;
 pub mod iptables;
 mod varktables;
 
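Review bot: The header comment above `pub struct Fwnone {}` is copied from the iptables driver — `// Iptables driver - uses direct iptables commands via the iptables crate.` — and describes the wrong backend; it should read something like `// No-op firewall driver (NETAVARK_FW=none): creates no NAT, port-forwarding or isolation rules; all firewall configuration is left to the user.` More importantly for operators, `setup_port_forward` returns `Ok(())` without recording anything, so a container started with published ports under this driver reports success while nothing forwards traffic; a `debug!`/`warn!` line in `setup_port_forward` noting that the requested mappings were not applied would make that visible in logs (the fields of `PortForwardConfig` are not visible here, so the exact condition to log on needs checking). The rendered signature `pub fn new() -> NetavarkResult> {` appears to have lost its generic argument in extraction rather than in the commit.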
@@ -29,12 +30,13 @@ enum FirewallImpl {
 Iptables,
 Firewalld(Connection),
 Nftables,
+ Fwnone,
 }
 
 /// What firewall implementations does this system support?
 fn get_firewall_impl() -> NetavarkResult {
 // First, check the NETAVARK_FW env var.
- // It respects "firewalld", "iptables", "nftables".
+ // It respects "firewalld", "iptables", "nftables", "none".
 if let Ok(var) = env::var("NETAVARK_FW") {
 debug!("Forcibly using firewall driver {}", var);
 match var.to_lowercase().as_str() {
@@ -52,6 +54,7 @@ fn get_firewall_impl() -> NetavarkResult {
 }
 "iptables" => return Ok(FirewallImpl::Iptables),
 "nftables" => return Ok(FirewallImpl::Nftables),
+ "none" => return Ok(FirewallImpl::Fwnone),
 any => {
 return Err(NetavarkError::Message(format!(
 "Must provide a valid firewall backend, got {}",
@@ -101,6 +104,10 @@ pub fn get_supported_firewall_driver() -> NetavarkResult
 "nftables support presently not available",
 ))
 }
+ FirewallImpl::Fwnone => {
+ info!("Not using firewall");
+ fwnone::new()
+ }
 },
 Err(e) => Err(e),
 }
diff --git a/test/500-bridge-fwnone.bats b/test/500-bridge-fwnone.bats
new file mode 100644
index 000000000..3bb0a2e9d
--- /dev/null
+++ b/test/500-bridge-fwnone.bats
@@ -0,0 +1,13 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# bridge driver tests with none firewall driver
+#
+
+load helpers
+
+fw_driver=none
+
+@test "check none firewall driver is in use" {
+ RUST_LOG=netavark=info NETAVARK_FW="none" run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
+ assert "${lines[0]}" "==" "[INFO netavark::firewall] Not using firewall" "none firewall driver is in use"
+}
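Review bot: `Fwnone` is added to `FirewallImpl` without a doc comment, and neither the enum nor the updated comment `// It respects "firewalld", "iptables", "nftables", "none".` says what selecting it gives up; a one-line `/// Explicitly disable firewall management: no NAT, port publishing or isolation rules are created.` on the variant would tell a reader that `none` is a deliberate opt-out rather than an autodetect fallback. Since the match runs on `var.to_lowercase()`, the comment could also state that the value is case-insensitive. `get_firewall_impl` continues outside the hunk.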
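Review bot: `info!("Not using firewall");` in the new `FirewallImpl::Fwnone` arm is the only runtime signal that NAT, port publishing and inter-network isolation are all disabled, and the accompanying bats test has to set `RUST_LOG=netavark=info` to see it, which suggests it is filtered out at the default log level. An operator who sets `NETAVARK_FW=none` by mistake, or inherits it from the environment, then loses all isolation with no visible indication, so this deserves `warn!` and a message that states what is missing, e.g. `warn!("NETAVARK_FW=none: firewall driver disabled; no NAT, port forwarding or isolation rules will be created");`. The exact-string assertion in `test/500-bridge-fwnone.bats` would need to change to match. `get_supported_firewall_driver` starts outside the hunk.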
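Review bot: The test asserts only that `"[INFO netavark::firewall] Not using firewall"` is `${lines[0]}`, which proves the driver was selected but not the property that matters — that `setup` created no firewall rules — and pinning `lines[0]` breaks as soon as any other info-level line is logged before driver selection. A stronger check after `run_netavark ... setup` would list the host's iptables/nftables state and assert that no netavark chains or NAT rules for the bridge subnet exist, followed by a `teardown` call to confirm that path is also a no-op. `fw_driver=none` is assigned but nothing visible in this file reads it — presumably a hook consumed by `helpers`, worth confirming.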