+/* SPDX-License-Identifier: LGPL-2.1+ */
/***
This file is part of systemd.
Copyright 2016 Daniel Mack
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <stdio.h>
#include <stdlib.h>
#include "alloc-util.h"
+#include "bpf-firewall.h"
#include "extract-word.h"
#include "hostname-util.h"
#include "ip-address-access.h"
a->family = AF_INET6;
a->address.in6 = (struct in6_addr) {
- .__in6_u.__u6_addr32[0] = htobe32(0xfe800000)
+ .s6_addr32[0] = htobe32(0xfe800000)
};
a->prefixlen = 64;
a->family = AF_INET6;
a->address.in6 = (struct in6_addr) {
- .__in6_u.__u6_addr32[0] = htobe32(0xff000000)
+ .s6_addr32[0] = htobe32(0xff000000)
};
a->prefixlen = 8;
*list = ip_address_access_reduce(*list);
+ if (*list) {
+ r = bpf_firewall_supported();
+ if (r < 0)
+ return r;
+ if (r == BPF_FIREWALL_UNSUPPORTED) {
+ static bool warned = false;
+
+ log_full(warned ? LOG_DEBUG : LOG_WARNING,
+ "File %s:%u configures an IP firewall (%s=%s), but the local system does not support BPF/cgroup based firewalling.\n"
+ "Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)", filename, line, lvalue, rvalue);
+
+ warned = true;
+ }
+ }
+
return 0;
}
&b->address,
b->prefixlen,
&a->address);
- if (r <= 0)
- continue;
-
- /* b covers a fully, then let's drop a */
-
- LIST_REMOVE(items, first, a);
- free(a);
+ if (r > 0) {
+ /* b covers a fully, then let's drop a */
+ LIST_REMOVE(items, first, a);
+ free(a);
+ break;
+ }
}
}