cgroup: add fields to accommodate eBPF related details
author Daniel Mack <daniel@zonque.org>
Fri, 11 Nov 2016 18:59:19 +0000 (19:59 +0100)
committer Lennart Poettering <lennart@poettering.net>
Fri, 22 Sep 2017 13:24:54 +0000 (15:24 +0200)
Add pointers for compiled eBPF programs as well as list heads for allowed
and denied hosts for both directions.

src/core/cgroup.c
src/core/cgroup.h
src/core/manager.h
src/core/system.conf
src/core/unit.c
src/core/unit.h

index ffb0f49cd6ba477db20b2cdf0163c1a32477ba6e..62cbe08f13fdb50e3ee000ab556180bee790b07f 100644 (file)
@@ -141,6 +141,9 @@ void cgroup_context_done(CGroupContext *c) {
 
         while (c->device_allow)
                 cgroup_context_free_device_allow(c, c->device_allow);
+
+        c->ip_address_allow = ip_address_access_free_all(c->ip_address_allow);
+        c->ip_address_deny = ip_address_access_free_all(c->ip_address_deny);
 }
 
 void cgroup_context_dump(CGroupContext *c, FILE* f, const char *prefix) {
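Review bot: cgroup_context_dump(), whose opening line closes this hunk, is not updated anywhere in this commit to print the new ip_accounting flag or the ip_address_allow/ip_address_deny lists, so a dump of a unit's cgroup context would omit its IP filter configuration. Because those lists decide which peers a unit may talk to, having them in the dump is what lets an operator audit the effective policy of a unit. Assuming ip_address_access_free_all() returns NULL after freeing (not visible here), the two assignments added to cgroup_context_done() are correct; a comment such as `/* free the IP filter lists; the helper returns NULL so the list heads are reset */` would make that contract explicit. The body of cgroup_context_dump() lies outside the hunk.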
index 4cd168f63e5274c4d0f58c9333813922a03a0322..2baf4d20e99ca59be6a393cce03633798dfac0d6 100644 (file)
 
 #include <stdbool.h>
 
+#include "cgroup-util.h"
+#include "ip-address-access.h"
 #include "list.h"
 #include "time-util.h"
-#include "cgroup-util.h"
 
 typedef struct CGroupContext CGroupContext;
 typedef struct CGroupDeviceAllow CGroupDeviceAllow;
@@ -87,6 +88,7 @@ struct CGroupContext {
         bool blockio_accounting;
         bool memory_accounting;
         bool tasks_accounting;
+        bool ip_accounting;
 
         /* For unified hierarchy */
         uint64_t cpu_weight;
@@ -103,6 +105,9 @@ struct CGroupContext {
         uint64_t memory_max;
         uint64_t memory_swap_max;
 
+        LIST_HEAD(IPAddressAccessItem, ip_address_allow);
+        LIST_HEAD(IPAddressAccessItem, ip_address_deny);
+
         /* For legacy hierarchies */
         uint64_t cpu_shares;
         uint64_t startup_cpu_shares;
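Review bot: The two new LIST_HEAD fields ip_address_allow and ip_address_deny in struct CGroupContext carry no comment on how they combine, and the precedence between a deny entry and an allow entry that both cover the same address is the property a reader of this header most needs. Suggest a comment above them along the lines of `/* IP address filter lists; document which list wins when an address matches both. */`, filled in with the actual rule once the filtering code lands. The new `bool ip_accounting` sits with the other *_accounting flags, which is consistent, and unit.c in this commit seeds it from the manager default. struct CGroupContext continues outside the hunk.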
index 713d2db70cd71ed8eda64ab11ea7ab451a423b35..8880b3aab53abe001e3543996499e96a0c3089f5 100644 (file)
@@ -29,6 +29,7 @@
 #include "cgroup-util.h"
 #include "fdset.h"
 #include "hashmap.h"
+#include "ip-address-access.h"
 #include "list.h"
 #include "ratelimit.h"
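Review bot: This hunk only adds the ip-address-access.h include, yet unit_init() in src/core/unit.c of the same commit reads `u->manager->default_ip_accounting`; unless that member was added to struct Manager by an earlier commit, the tree does not build at this point in the series, and nothing visible in manager.h uses the new include. Adding `bool default_ip_accounting;` next to the existing default_blockio_accounting/default_memory_accounting/default_tasks_accounting members (which unit_init() reads on the adjacent lines) would close the gap. Relatedly, src/core/system.conf gains commented `#IPAddressAllow=` and `#IPAddressDeny=` entries but no `#DefaultIPAccounting=`, so the documented manager options and the manager field consumed by unit.c do not line up; whether a parser for any of these settings exists is not visible in this diff. struct Manager itself is outside the hunk.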
 
index 746572b7ff25db7c0c54028a3a2b49ce9a152777..88f646e2fe131f154d853d24af712377d2952266 100644 (file)
@@ -60,3 +60,5 @@
 #DefaultLimitNICE=
 #DefaultLimitRTPRIO=
 #DefaultLimitRTTIME=
+#IPAddressAllow=
+#IPAddressDeny=
index df89f3d01f1fc96281029e1975a9cf77985d8676..6451b755607737561bae0b1c182d422cb3b3e922 100644 (file)
@@ -35,6 +35,7 @@
 #include "dropin.h"
 #include "escape.h"
 #include "execute.h"
+#include "fd-util.h"
 #include "fileio-label.h"
 #include "format-util.h"
 #include "id128-util.h"
@@ -103,6 +104,13 @@ Unit *unit_new(Manager *m, size_t size) {
         u->ref_gid = GID_INVALID;
         u->cpu_usage_last = NSEC_INFINITY;
 
+        u->ip_accounting_ingress_map_fd = -1;
+        u->ip_accounting_egress_map_fd = -1;
+        u->ipv4_allow_map_fd = -1;
+        u->ipv6_allow_map_fd = -1;
+        u->ipv4_deny_map_fd = -1;
+        u->ipv6_deny_map_fd = -1;
+
         RATELIMIT_INIT(u->start_limit, m->default_start_limit_interval, m->default_start_limit_burst);
         RATELIMIT_INIT(u->auto_stop_ratelimit, 10 * USEC_PER_SEC, 16);
 
@@ -156,6 +164,7 @@ static void unit_init(Unit *u) {
                 cc->blockio_accounting = u->manager->default_blockio_accounting;
                 cc->memory_accounting = u->manager->default_memory_accounting;
                 cc->tasks_accounting = u->manager->default_tasks_accounting;
+                cc->ip_accounting = u->manager->default_ip_accounting;
 
                 if (u->type != UNIT_SLICE)
                         cc->tasks_max = u->manager->default_tasks_max;
@@ -610,6 +619,17 @@ void unit_free(Unit *u) {
         while (u->refs)
                 unit_ref_unset(u->refs);
 
+        safe_close(u->ip_accounting_ingress_map_fd);
+        safe_close(u->ip_accounting_egress_map_fd);
+
+        safe_close(u->ipv4_allow_map_fd);
+        safe_close(u->ipv6_allow_map_fd);
+        safe_close(u->ipv4_deny_map_fd);
+        safe_close(u->ipv6_deny_map_fd);
+
+        bpf_program_unref(u->ip_bpf_ingress);
+        bpf_program_unref(u->ip_bpf_egress);
+
         free(u);
 }
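Review bot: unit_free() now calls bpf_program_unref() on u->ip_bpf_ingress and u->ip_bpf_egress, but the unit_new() hunk above only initialises the six map fds to -1 and never assigns the two program pointers, so this is safe only if the Unit allocation in unit_new() zeroes the object (not visible in the hunk) and bpf_program_unref() tolerates NULL. If either assumption fails, every unit without a firewall would unref an indeterminate pointer on teardown. Adding `u->ip_bpf_ingress = NULL;` and `u->ip_bpf_egress = NULL;` beside the fd initialisation in unit_new() makes the invariant explicit regardless of the allocator. The safe_close() calls are correctly placed, since u is freed immediately afterwards and the fds cannot be reached again. Both unit_new() and unit_free() extend beyond their hunks.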
 
index 4d9751a4069c738cb87b5ffe0070e3c65a98aa97..95c41fcceae7a05ad0c80334743715c0713c396e 100644 (file)
@@ -28,6 +28,7 @@ typedef struct UnitVTable UnitVTable;
 typedef struct UnitRef UnitRef;
 typedef struct UnitStatusMessageFormats UnitStatusMessageFormats;
 
+#include "bpf-program.h"
 #include "condition.h"
 #include "emergency-action.h"
 #include "install.h"
@@ -205,6 +206,18 @@ struct Unit {
         CGroupMask cgroup_members_mask;
         int cgroup_inotify_wd;
 
+        /* IP BPF Firewalling/accounting */
+        int ip_accounting_ingress_map_fd;
+        int ip_accounting_egress_map_fd;
+
+        int ipv4_allow_map_fd;
+        int ipv6_allow_map_fd;
+        int ipv4_deny_map_fd;
+        int ipv6_deny_map_fd;
+
+        BPFProgram *ip_bpf_ingress;
+        BPFProgram *ip_bpf_egress;
+
         /* How to start OnFailure units */
         JobMode on_failure_job_mode;
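Review bot: The new `/* IP BPF Firewalling/accounting */` comment names the fields but not their lifecycle, which the rest of the commit does pin down: the six map fds are set to -1 in unit_new() and closed with safe_close() in unit_free(), and the two BPFProgram pointers are released there with bpf_program_unref(). Suggest expanding it to `/* IP BPF firewalling/accounting: map fds are -1 until a map is created and are closed in unit_free(); the program refs are dropped there too */`. The fd names make the accounting-versus-filter split clear, but which program pointer is attached to which cgroup hook is only implied by "ingress"/"egress"; a word on that would help once the attach code lands. struct Unit continues outside the hunk.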