From b161e75810947b06cf4c495ee07bf15c1cd43f86 Mon Sep 17 00:00:00 2001
From: Matt Heon
Date: Mon, 13 May 2024 10:31:35 -0400
Subject: [PATCH] Add conditional compilation of default firewall driver

The NETAVARK_DEFAULT_FW environment variable controls the default firewall driver that will be used by the compiled Netavark. Currently supported values are "iptables" (the default, if the environment variable is unset), "nftables", and "none" (we'll add "firewalld" as a supported value once that driver is done). Unsupported values result in a panic/failure to build.

Signed-off-by: Matt Heon
---
 build.rs | 14 ++++++++++++++
 src/commands/version.rs | 2 ++
 src/firewall/mod.rs | 19 ++++++++++++++++---
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/build.rs b/build.rs
index e8091f296..4dd01e5c1 100644
--- a/build.rs
+++ b/build.rs
@@ -63,4 +63,18 @@ fn main() {
 Err(_) => "".to_string(),
 };
 println!("cargo:rustc-env=GIT_COMMIT={commit}");
+
+ // Handle default firewall driver.
+ // Allowed values "nftables" and "iptables".
+ let fwdriver = match env::var("NETAVARK_DEFAULT_FW")
+ .unwrap_or("iptables".to_string())
+ .as_str()
+ {
+ "nftables" => "nftables",
+ "iptables" => "iptables",
+ "none" => "none",
+ inv => panic!("Invalid default firewall driver {}", inv),
+ };
+ println!("cargo:rustc-cfg=default_fw=\"{}\"", fwdriver);
+ println!("cargo:rustc-env=DEFAULT_FW={fwdriver}");
 }
diff --git a/src/commands/version.rs b/src/commands/version.rs
index 5d0735782..5a8eab1a3 100644
--- a/src/commands/version.rs
+++ b/src/commands/version.rs
@@ -11,6 +11,7 @@ struct Info {
 commit: &'static str,
 build_time: &'static str,
 target: &'static str,
+ default_fw_driver: &'static str,
 }

 impl Version {
@@ -20,6 +21,7 @@ impl Version {
 commit: env!("GIT_COMMIT"),
 build_time: env!("BUILD_TIMESTAMP"),
 target: env!("BUILD_TARGET"),
+ default_fw_driver: env!("DEFAULT_FW"),
 };

 let out = serde_json::to_string_pretty(&info)?;
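Review bot: In build.rs, the new block reads NETAVARK_DEFAULT_FW but no `cargo:rerun-if-env-changed` directive is visible for it, so Cargo may reuse an earlier build-script result when only the variable changes and produce a binary whose default firewall driver is not the one the packager asked for. Unless the part of `main` above this hunk already emits it, add `println!("cargo:rerun-if-env-changed=NETAVARK_DEFAULT_FW");` next to the other directives. `unwrap_or` also maps a non-Unicode value to the iptables default instead of failing the build the way other invalid values do; matching on the `Err` variants would keep that failure behaviour consistent. The comment is stale as well, since it lists two allowed values while the match accepts three; `// Allowed values: "iptables" (default), "nftables", "none".` would be accurate.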
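Review bot: In src/commands/version.rs, the new `default_fw_driver` field reports the value baked in at build time, which is not necessarily the driver a running instance uses when one is named explicitly (`get_firewall_impl` takes a `driver_name` argument in this same commit). A field comment such as `/// Compile-time default from NETAVARK_DEFAULT_FW; the active driver may differ.` would keep operators from reading the version output as proof of which backend is enforcing rules. The `Info` struct and the `Version` impl both start outside these hunks.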
diff --git a/src/firewall/mod.rs b/src/firewall/mod.rs index c2eda43ac..9260b2086 100644 --- a/src/firewall/mod.rs +++ b/src/firewall/mod.rs @@ -71,9 +71,7 @@ fn get_firewall_impl(driver_name: Option) -> NetavarkResult) -> NetavarkResult NetavarkResult { + Ok(FirewallImpl::Nftables) +} + +#[cfg(default_fw = "iptables")] +fn get_default_fw_impl() -> NetavarkResult { + Ok(FirewallImpl::Iptables) +} + +#[cfg(default_fw = "none")] +fn get_default_fw_impl() -> NetavarkResult { + Ok(FirewallImpl::Fwnone) +} + /// Get the preferred firewall implementation for the current system /// configuration. pub fn get_supported_firewall_driver(
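Review bot: The three `#[cfg(default_fw = "...")]` variants of `get_default_fw_impl` have no fallback, so a build in which the cfg is not set (for instance one that does not run build.rs) fails with an unresolved-name error rather than a clear message; `#[cfg(not(any(default_fw = "nftables", default_fw = "iptables", default_fw = "none")))] compile_error!("default_fw must be set by build.rs");` would make the requirement explicit. The functions also lack doc comments, and the `none` variant in particular deserves one stating that it returns `FirewallImpl::Fwnone` whenever no driver is named, which presumably means such a build manages no firewall rules by default. The changes to `get_firewall_impl` earlier in this section are not fully legible here, so this note covers only the added functions.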