firewall: Add nftables build infrastructure

Introduce --with-firewall configuration flag which is on default
iptables. You can enable nftables by providing --with-firewall=nftables.

Makefile.am

@@ -142,6 +142,11 @@ src_connmand_SOURCES += src/iptables.c src/firewall-iptables.c
 src_connmand_LDADD += @XTABLES_LIBS@
 endif
 
+if NFTABLES
+src_connmand_SOURCES += src/firewall-nftables.c
+src_connmand_LDADD +=  @NFTABLES_LIBS@
+endif
+
 if VPN
 vpn_plugin_LTLIBRARIES =
 
@@ -262,6 +267,11 @@ AM_CFLAGS += @XTABLES_CFLAGS@
 src_connmand_CFLAGS += @XTABLES_CFLAGS@
 endif
 
+if NFTABLES
+AM_CFLAGS += @NFTABLES_CFLAGS@
+src_connmand_CFLAGS += @NFTABLES_CFLAGS@
+endif
+
 EXTRA_DIST += vpn/vpn-dbus.conf vpn/vpn-polkit.conf
 
 script_DATA =

configure.ac

@@ -265,11 +265,33 @@ if (test -n "${path_tmpfiles}"); then
 	AC_SUBST(SYSTEMD_TMPFILESDIR)
 fi
 
-PKG_CHECK_MODULES(XTABLES, xtables >= 1.4.11, dummy=yes,
-				AC_MSG_ERROR(Xtables library is required))
-AC_SUBST(XTABLES_CFLAGS)
-AC_SUBST(XTABLES_LIBS)
-AM_CONDITIONAL(XTABLES, test "${XTABLES}" != "no")
+AC_ARG_WITH(firewall, AC_HELP_STRING([--with-firewall=TYPE],
+			[specify which firewall type is used iptables or nftables [default=iptables]]),
+		[firewall_type=${withval}],
+		[firewall_type="iptables"])
+
+if (test "${firewall_type}" != "iptables" -a \
+		"${firewall_type}" != "nftables"); then
+	AC_MSG_ERROR(neither nftables nor iptables support enabled)
+fi
+
+found_iptables="no"
+if (test "${firewall_type}" = "iptables"); then
+	PKG_CHECK_MODULES(XTABLES, xtables >= 1.4.11, [found_iptables="yes"],
+			AC_MSG_ERROR(Xtables library is required))
+	AC_SUBST(XTABLES_CFLAGS)
+	AC_SUBST(XTABLES_LIBS)
+fi
+AM_CONDITIONAL(XTABLES, test "${found_iptables}" != "no")
+
+found_nftables="no"
+if (test "${firewall_type}" = "nftables"); then
+	PKG_CHECK_MODULES(NFTABLES, [libnftnl >= 1.0.4 libmnl >= 1.0.0], [found_nftables="yes"],
+		AC_MSG_ERROR([libnftnl >= 1.0.4 or libmnl >= 1.0.0 not found]))
+	AC_SUBST(NFTABLES_CFLAGS)
+	AC_SUBST(NFTABLES_LIBS)
+fi
+AM_CONDITIONAL(NFTABLES, test "${found_nftables}" != "no")
 
 AC_ARG_ENABLE(test, AC_HELP_STRING([--enable-test],
 		[enable test/example scripts]), [enable_test=${enableval}])

src/firewall-nftables.c

@@ -0,0 +1,81 @@
+/*
+ *
+ *  Connection Manager
+ *
+ *  Copyright (C) 2016  BMW Car IT GmbH.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <errno.h>
+
+#include "connman.h"
+
+struct firewall_context *__connman_firewall_create(void)
+{
+	return NULL;
+}
+
+void __connman_firewall_destroy(struct firewall_context *ctx)
+{
+}
+
+int __connman_firewall_enable_nat(struct firewall_context *ctx,
+					char *address, unsigned char prefixlen,
+					char *interface)
+{
+	return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_disable_nat(struct firewall_context *ctx)
+{
+	return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_enable_snat(struct firewall_context *ctx,
+				int index, const char *ifname, const char *addr)
+{
+	return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_disable_snat(struct firewall_context *ctx)
+{
+	return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_enable_marking(struct firewall_context *ctx,
+					enum connman_session_id_type id_type,
+					char *id, uint32_t mark)
+{
+	return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_disable_marking(struct firewall_context *ctx)
+{
+	return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_init(void)
+{
+	return 0;
+}
+
+void __connman_firewall_cleanup(void)
+{
+}