networkd: add minimal IP forwarding and masquerading support to .network files

This adds two new settings to networkd's .network files: IPForwarding=yes and IPMasquerade=yes. The former controls the "forwarding" sysctl setting of the interface, thus controlling whether IP forwarding shall be enabled on the specific interface. The latter controls whether a firewall rule shall be installed that exposes traffic coming from the interface as coming from the local host to all other interfaces. This also enables both options by default for container network interfaces, thus making "systemd-nspawn --network-veth" have network connectivity out of the box.
author: Lennart Poettering <lennart@poettering.net> 2015-01-13 13:47:08 +0100
committer: Lennart Poettering <lennart@poettering.net> 2015-01-13 13:55:15 +0100
commit: 5a8bcb674f71a20e95df55319b34c556638378ce (patch)
tree: db1de9b03cb9bf4c017a0f620cf9d310c9de6098 /src/shared
parent: 76917807eb50ccde58901e8bec7ed3d408d1cc22 (diff)
2 files changed, 39 insertions, 0 deletions
diff --git a/src/shared/in-addr-util.c b/src/shared/in-addr-util.c
index b02e7516ca..d88864b598 100644
--- a/src/shared/in-addr-util.c
+++ b/src/shared/in-addr-util.c
@@ -300,3 +300,39 @@ int in_addr_default_subnet_mask(const struct in_addr *addr, struct in_addr *mask
         in_addr_prefixlen_to_netmask(mask, prefixlen);
         return 0;
 }
+
+int in_addr_mask(int family, union in_addr_union *addr, unsigned char prefixlen) {
+        assert(addr);
+
+        if (family == AF_INET) {
+                struct in_addr mask;
+
+                if (!in_addr_prefixlen_to_netmask(&mask, prefixlen))
+                        return -EINVAL;
+
+                addr->in.s_addr &= mask.s_addr;
+                return 0;
+        }
+
+        if (family == AF_INET6) {
+                unsigned i;
+
+                for (i = 0; i < 16; i++) {
+                        uint8_t mask;
+
+                        if (prefixlen >= 8) {
+                                mask = 0xFF;
+                                prefixlen -= 8;
+                        } else {
+                                mask = 0xFF << (8 - prefixlen);
+                                prefixlen = 0;
+                        }
+
+                        addr->in6.s6_addr[i] &= mask;
+                }
+
+                return 0;
+        }
+
+        return -EAFNOSUPPORT;
+}
diff --git a/src/shared/in-addr-util.h b/src/shared/in-addr-util.h
index 4cf4418b4b..51af08868c 100644
--- a/src/shared/in-addr-util.h
+++ b/src/shared/in-addr-util.h
@@ -43,8 +43,11 @@ unsigned char in_addr_netmask_to_prefixlen(const struct in_addr *addr);
 struct in_addr* in_addr_prefixlen_to_netmask(struct in_addr *addr, unsigned char prefixlen);
 int in_addr_default_prefixlen(const struct in_addr *addr, unsigned char *prefixlen);
 int in_addr_default_subnet_mask(const struct in_addr *addr, struct in_addr *mask);
+int in_addr_mask(int family, union in_addr_union *addr, unsigned char prefixlen);
 
 static inline size_t FAMILY_ADDRESS_SIZE(int family) {
         assert(family == AF_INET || family == AF_INET6);
         return family == AF_INET6 ? 16 : 4;
 }
+
+#define IN_ADDR_NULL ((union in_addr_union) {})
author	Lennart Poettering <lennart@poettering.net>	2015-01-13 13:47:08 +0100
committer	Lennart Poettering <lennart@poettering.net>	2015-01-13 13:55:15 +0100
commit	5a8bcb674f71a20e95df55319b34c556638378ce (patch)
tree	db1de9b03cb9bf4c017a0f620cf9d310c9de6098 /src/shared
parent	76917807eb50ccde58901e8bec7ed3d408d1cc22 (diff)