assert(p);
- struct bpf_insn insn[] = {
+ const struct bpf_insn insn[] = {
BPF_ALU32_IMM(BPF_OR, BPF_REG_8, verdict),
};
bool ip_allow_any,
bool ip_deny_any) {
- struct bpf_insn pre_insn[] = {
+ const struct bpf_insn pre_insn[] = {
/*
* When the eBPF program is entered, R1 contains the address of the skb.
* However, R1-R5 are scratch registers that are not preserved when calling
* This means that if both ACCESS_DENIED and ACCESS_ALLOWED are set, the packet
* is allowed to pass.
*/
- struct bpf_insn post_insn[] = {
+ const struct bpf_insn post_insn[] = {
BPF_MOV64_IMM(BPF_REG_0, 1),
BPF_JMP_IMM(BPF_JNE, BPF_REG_8, ACCESS_DENIED, 1),
BPF_MOV64_IMM(BPF_REG_0, 0),
* Exit from the eBPF program, R0 contains the verdict.
* 0 means the packet is denied, 1 means the packet may pass.
*/
- struct bpf_insn insn[] = {
+ const struct bpf_insn insn[] = {
BPF_EXIT_INSN()
};
"BPF_F_ALLOW_MULTI is not supported on this manager, not doing BPF firewall on slice units.");
/* Note that when we compile a new firewall we first flush out the access maps and the BPF programs themselves,
- * but we reuse the the accounting maps. That way the firewall in effect always maps to the actual
+ * but we reuse the accounting maps. That way the firewall in effect always maps to the actual
* configuration, but we don't flush out the accounting unnecessarily */
u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress);
set_clear(*set);
STRV_FOREACH(bpf_fs_path, filter_paths) {
- _cleanup_free_ BPFProgram *prog = NULL;
+ _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL;
int r;
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &prog);
if (r < 0)
return log_unit_error_errno(u, r, "Loading of ingress BPF program %s failed: %m", *bpf_fs_path);
- r = set_ensure_allocated(set, &filter_prog_hash_ops);
- if (r < 0)
- return log_unit_error_errno(u, r, "Can't allocate BPF program set: %m");
-
- r = set_put(*set, prog);
+ r = set_ensure_consume(set, &filter_prog_hash_ops, TAKE_PTR(prog));
if (r < 0)
return log_unit_error_errno(u, r, "Can't add program to BPF program set: %m");
- TAKE_PTR(prog);
}
return 0;
static int attach_custom_bpf_progs(Unit *u, const char *path, int attach_type, Set **set, Set **set_installed) {
BPFProgram *prog;
- Iterator i;
int r;
assert(u);
set_clear(*set_installed);
- SET_FOREACH(prog, *set, i) {
+ SET_FOREACH(prog, *set) {
r = bpf_program_cgroup_attach(prog, attach_type, path, BPF_F_ALLOW_MULTI);
if (r < 0)
return log_unit_error_errno(u, r, "Attaching custom egress BPF program to cgroup %s failed: %m", path);
- /* Remember that these BPF programs are installed now. */
- r = set_ensure_allocated(set_installed, &filter_prog_hash_ops);
- if (r < 0)
- return log_unit_error_errno(u, r, "Can't allocate BPF program set: %m");
- r = set_put(*set_installed, prog);
+ /* Remember that these BPF programs are installed now. */
+ r = set_ensure_put(set_installed, &filter_prog_hash_ops, prog);
if (r < 0)
return log_unit_error_errno(u, r, "Can't add program to BPF program set: %m");
bpf_program_ref(prog);
static int bpf_firewall_unsupported_reason = 0;
int bpf_firewall_supported(void) {
- struct bpf_insn trivial[] = {
+ const struct bpf_insn trivial[] = {
BPF_MOV64_IMM(BPF_REG_0, 1),
BPF_EXIT_INSN()
};
if (!warned) {
bool quiet = bpf_firewall_unsupported_reason == -EPERM && detect_container();
- log_unit_full(u, quiet ? LOG_DEBUG : LOG_WARNING, bpf_firewall_unsupported_reason,
- "unit configures an IP firewall, but %s.\n"
- "(This warning is only shown for the first unit using IP firewalling.)",
- getuid() != 0 ? "not running as root" :
- "the local system does not support BPF/cgroup firewalling");
+ log_unit_full_errno(u, quiet ? LOG_DEBUG : LOG_WARNING, bpf_firewall_unsupported_reason,
+ "unit configures an IP firewall, but %s.\n"
+ "(This warning is only shown for the first unit using IP firewalling.)",
+ getuid() != 0 ? "not running as root" :
+ "the local system does not support BPF/cgroup firewalling");
warned = true;
}
}
projects / thirdparty / systemd.git / blobdiff