git.ipfire.org Git - thirdparty/systemd.git/commit - src/core/bpf-firewall.c
bpf-firewall: attach with BPF_F_ALLOW_MULTI if kernel supports
author Julia Kartseva <hex@fb.com>
Thu, 4 Feb 2021 06:15:27 +0000 (22:15 -0800)
committer Julia Kartseva <hex@fb.com>
Sat, 10 Apr 2021 03:28:47 +0000 (20:28 -0700)
commit a442ccb4ebdbc3a9ff9d4504eb9724092149fd42
tree 7e16686e823e3f548d7cb6790befe10c747419d6
parent e2e40e9a9e4074eaca7984b70a5d1cd7a7f0cbe0

Reduced version of [0].
Use BPF_F_ALLOW_MULTI attach flag for bpf-firewall if kernel supports
it.

Aside from addressing the security issue in [0], attaching with 'multi'
allows further attaching of cgroup egress and ingress hooks specified by
BPFProgram=.

[0] https://github.com/systemd/systemd/pull/17495/commits/4e42210d40f96e185a55d43041dd6b962ea830dd
src/core/bpf-firewall.c