]> git.ipfire.org Git - thirdparty/systemd.git/blobdiff - src/core/ip-address-access.c
tree-wide: drop license boilerplate
index 18d28708bed07fe91f53a408c16b8fc613a9d287..d74d9e68ba28bbcc22ee86d279d5bb720d039040 100644 (file)
@@ -1,26 +1,15 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
 /***
   This file is part of systemd.
 
   Copyright 2016 Daniel Mack
-
-  systemd is free software; you can redistribute it and/or modify it
-  under the terms of the GNU Lesser General Public License as published by
-  the Free Software Foundation; either version 2.1 of the License, or
-  (at your option) any later version.
-
-  systemd is distributed in the hope that it will be useful, but
-  WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-  Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public License
-  along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
 #include <stdio.h>
 #include <stdlib.h>
 
 #include "alloc-util.h"
+#include "bpf-firewall.h"
 #include "extract-word.h"
 #include "hostname-util.h"
 #include "ip-address-access.h"
@@ -113,7 +102,7 @@ int config_parse_ip_address_access(
 
                         a->family = AF_INET6;
                         a->address.in6 = (struct in6_addr) {
-                                .__in6_u.__u6_addr32[0] = htobe32(0xfe800000)
+                                .s6_addr32[0] = htobe32(0xfe800000)
                         };
                         a->prefixlen = 64;
 
@@ -132,7 +121,7 @@ int config_parse_ip_address_access(
 
                         a->family = AF_INET6;
                         a->address.in6 = (struct in6_addr) {
-                                .__in6_u.__u6_addr32[0] = htobe32(0xff000000)
+                                .s6_addr32[0] = htobe32(0xff000000)
                         };
                         a->prefixlen = 8;
 
@@ -150,6 +139,21 @@ int config_parse_ip_address_access(
 
         *list = ip_address_access_reduce(*list);
 
+        if (*list) {
+                r = bpf_firewall_supported();
+                if (r < 0)
+                        return r;
+                if (r == BPF_FIREWALL_UNSUPPORTED) {
+                        static bool warned = false;
+
+                        log_full(warned ? LOG_DEBUG : LOG_WARNING,
+                                 "File %s:%u configures an IP firewall (%s=%s), but the local system does not support BPF/cgroup based firewalling.\n"
+                                 "Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)", filename, line, lvalue, rvalue);
+
+                        warned = true;
+                }
+        }
+
         return 0;
 }
 
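Review bot: The new `BPF_FIREWALL_UNSUPPORTED` branch fails open and then hides that for every unit after the first, because the function-static `warned` flag drops the message to `LOG_DEBUG`. On a host without BPF/cgroup firewalling, only one unit's `filename`/`line` is therefore logged above debug level, while every other unit with a non-empty `*list` also proceeds unfiltered. Keeping later occurrences visible, e.g. `log_full(warned ? LOG_INFO : LOG_WARNING, ...)`, would let an operator enumerate the affected units; at minimum, add a comment above `static bool warned` saying the flag is process-wide and that loading deliberately continues without filtering. The `if (r < 0) return r;` path also needs a one-line comment on whether a failed support probe is meant to fail parsing of this setting, since `*list` has already been updated by the `ip_address_access_reduce()` call just above. The body of config_parse_ip_address_access() starts outside this hunk.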
@@ -193,13 +197,12 @@ IPAddressAccessItem* ip_address_access_reduce(IPAddressAccessItem *first) {
                                                   &b->address,
                                                   b->prefixlen,
                                                   &a->address);
-                        if (r <= 0)
-                                continue;
-
-                        /* b covers a fully, then let's drop a */
-
-                        LIST_REMOVE(items, first, a);
-                        free(a);
+                        if (r > 0) {
+                                /* b covers a fully, then let's drop a */
+                                LIST_REMOVE(items, first, a);
+                                free(a);
+                                break;
+                        }
                 }
         }