Merge pull request #840 from Luap99/firewalld-reload
Add firewalld reload service
Showing
24 changed files
with
740 additions
and
203 deletions.
@@ -70,3 +70,4 @@ tonic-build = "0.10" | |
[dev-dependencies] | ||
once_cell = "1.18.0" | ||
rand = "0.8.5" | ||
tempfile = "3.8.1" |
12 changes: 12 additions & 0 deletions
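--- /dev/null
+++ b/contrib/systemd/system/netavark-firewalld-reload.service.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=Listen for the firewalld reload event and reapply all netavark firewall rules.
+# This causes systemd to stop this unit when firewalld is stopped.
+PartOf=firewalld.service
+After=firewalld.service
+
+[Service]
+ExecStart=@@NETAVARK@@ firewalld-reload
+
+[Install]
+# If the unit is enabled add a wants to firewalld so it is only started when firewalld is started.
+WantedBy=firewalld.service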
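Review bot: The [Service] section sets no `Restart=` directive, so once the listener process exits — and the Rust side in this same commit documents that it stops on any D-Bus error — the unit stays dead until firewalld itself is restarted, and every later firewalld reload flushes netavark's rules without them being reapplied. Adding `Restart=on-failure` and a short `RestartSec=` (value to be chosen by the maintainers) keeps the listener attached across transient D-Bus failures, which is the situation this unit exists to cover. The service also relies on the implicit `Type=simple`; stating it explicitly, e.g. `Type=simple`, documents that no readiness notification is expected from the binary.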
@@ -0,0 +1,66 @@ | ||
use zbus::{blocking::Connection, dbus_proxy, CacheProperties}; | ||
|
||
use crate::{ | ||
error::{ErrorWrap, NetavarkResult}, | ||
firewall::{get_supported_firewall_driver, state::read_fw_config}, | ||
network::constants, | ||
}; | ||
|
||
#[dbus_proxy( | ||
interface = "org.fedoraproject.FirewallD1", | ||
default_service = "org.fedoraproject.FirewallD1", | ||
default_path = "/org/fedoraproject/FirewallD1" | ||
)] | ||
trait FirewallDDbus {} | ||
|
||
const SIGNAL_NAME: &str = "Reloaded"; | ||
|
||
pub fn listen(config_dir: Option<String>) -> NetavarkResult<()> { | ||
let config_dir = config_dir | ||
.as_deref() | ||
.unwrap_or(constants::DEFAULT_CONFIG_DIR); | ||
log::debug!("looking for firewall configs in {}", config_dir); | ||
|
||
let conn = Connection::system()?; | ||
let proxy = FirewallDDbusProxyBlocking::builder(&conn) | ||
.cache_properties(CacheProperties::No) | ||
.build()?; | ||
|
||
// Setup fw rules on start because we are started after firewalld | ||
// this means at the time firewalld stated the fw rules were flushed | ||
// and we need to add them back. | ||
// It is important to keep things like "systemctl restart firewalld" working. | ||
reload_rules(config_dir); | ||
|
||
// This loops forever until the process is killed or there is some dbus error. | ||
for _ in proxy.receive_signal(SIGNAL_NAME)? { | ||
log::debug!("got firewalld {} signal", SIGNAL_NAME); | ||
reload_rules(config_dir); | ||
} | ||
|
||
Ok(()) | ||
} | ||
|
||
fn reload_rules(config_dir: &str) { | ||
if let Err(e) = reload_rules_inner(config_dir) { | ||
log::error!("failed to reload firewall rules: {e}"); | ||
} | ||
} | ||
|
||
fn reload_rules_inner(config_dir: &str) -> NetavarkResult<()> { | ||
let conf = read_fw_config(config_dir).wrap("read firewall config")?; | ||
// If we got no conf there are no containers so nothing to do. | ||
if let Some(conf) = conf { | ||
let fw_driver = get_supported_firewall_driver(Some(conf.driver))?; | ||
|
||
for net in conf.net_confs { | ||
fw_driver.setup_network(net)?; | ||
} | ||
for port in &conf.port_confs { | ||
fw_driver.setup_port_forward(port.into())?; | ||
} | ||
log::info!("Successfully reloaded firewall rules"); | ||
} | ||
|
||
Ok(()) | ||
} |
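Review bot: In reload_rules_inner the `?` on `fw_driver.setup_network(net)?` and on `fw_driver.setup_port_forward(port.into())?` aborts the whole reload at the first failing entry, so every network later in `conf.net_confs` and all port forwards are left without rules after a firewalld reload; because this is a best-effort recovery path whose errors are already only logged by reload_rules, logging the per-entry failure and continuing would confine the damage to the one bad config. Separately, listen returns `Ok(())` when the signal stream ends even though the comment says it loops forever until killed or a D-Bus error; returning an error there instead (NetavarkError::msg is available in crate::error, as the sibling commands module shows) would surface the exit to systemd as a failure rather than a clean stop. listen is pub but undocumented; suggest `/// Reapply all stored firewall rules now and again on every firewalld `Reloaded` signal; blocks until the D-Bus signal stream ends.`
```rust
fn reload_rules_inner(config_dir: &str) -> NetavarkResult<()> {
    // … unchanged: read_fw_config and get_supported_firewall_driver …
        for net in conf.net_confs {
            // Keep going so one broken network config does not leave the others without rules.
            if let Err(e) = fw_driver.setup_network(net) {
                log::error!("failed to reapply network firewall rules: {e}");
            }
        }
        for port in &conf.port_confs {
            if let Err(e) = fw_driver.setup_port_forward(port.into()) {
                log::error!("failed to reapply port forward rules: {e}");
            }
        }
    // … unchanged: success log and Ok(()) …
```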
@@ -1,5 +1,17 @@ | ||
use crate::error::{NetavarkError, NetavarkResult}; | ||
|
||
pub mod dhcp_proxy; | ||
pub mod firewalld_reload; | ||
pub mod setup; | ||
pub mod teardown; | ||
pub mod update; | ||
pub mod version; | ||
|
||
fn get_config_dir(dir: Option<String>, cmd: &str) -> NetavarkResult<String> { | ||
dir.ok_or_else(|| { | ||
NetavarkError::msg(format!( | ||
"--config not specified but required for netavark {}", | ||
cmd | ||
)) | ||
}) | ||
} |