/* SPDX-License-Identifier: LGPL-2.1+ */

#include <linux/libbpf.h>
#include <net/ethernet.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>

#include "alloc-util.h"
#include "bpf-firewall.h"
#include "bpf-program.h"
#include "ip-address-access.h"
#include "missing_syscall.h"
/* Compile instructions for one list of addresses, one direction and one specific verdict on matches. */

static int add_lookup_instructions(
                BPFProgram *p,
                int map_fd,
                int protocol,
                bool is_ingress,
                int verdict) {

        int r, addr_offset, addr_size;
        switch (protocol) {

        case ETH_P_IP:
                addr_size = sizeof(uint32_t);
                addr_offset = is_ingress ?
                        offsetof(struct iphdr, saddr) :
                        offsetof(struct iphdr, daddr);
                break;

        case ETH_P_IPV6:
                addr_size = 4 * sizeof(uint32_t);
                addr_offset = is_ingress ?
                        offsetof(struct ip6_hdr, ip6_src.s6_addr) :
                        offsetof(struct ip6_hdr, ip6_dst.s6_addr);
                break;

        default:
                return -EAFNOSUPPORT;
        }
        /* Load the address and look it up in the LPM trie map; IPv4 uses one 32-bit word, IPv6 four. */
        struct bpf_insn insn[] = {
                /* If skb->protocol != ETH_P_IP, skip this whole block. The offset will be set later. */
                BPF_JMP_IMM(BPF_JNE, BPF_REG_7, htobe16(protocol), 0),

                /*
                 * Call into BPF_FUNC_skb_load_bytes to load the dst/src IP address
                 *
                 * R1: Pointer to the skb
                 * R2: Data offset
                 * R3: Destination buffer on the stack (r10 - addr_size)
                 * R4: Number of bytes to read (addr_size)
                 */

                BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
                BPF_MOV32_IMM(BPF_REG_2, addr_offset),

                BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
                BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -addr_size),

                BPF_MOV32_IMM(BPF_REG_4, addr_size),
                BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),

                /*
                 * Call into BPF_FUNC_map_lookup_elem to see if the address matches any entry in the
                 * LPM trie map. For this to work, the prefixlen field of 'struct bpf_lpm_trie_key'
                 * has to be set to the maximum possible value.
                 *
                 * On success, the looked up value is stored in R0. For this application, the actual
                 * value doesn't matter, however; we just OR the @verdict bit into R8 if we found any
                 * matching value.
                 */

                BPF_LD_MAP_FD(BPF_REG_1, map_fd),
                BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
                BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -addr_size - sizeof(uint32_t)),
                BPF_ST_MEM(BPF_W, BPF_REG_2, 0, addr_size * 8),

                BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
                BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
                BPF_ALU32_IMM(BPF_OR, BPF_REG_8, verdict),
        };

        /* Jump label fixup */
        insn[0].off = ELEMENTSOF(insn) - 1;

        r = bpf_program_add_instructions(p, insn, ELEMENTSOF(insn));
        if (r < 0)
                return r;

        return 0;
}
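/*
 * Illustrative note (added for clarity, not part of the original source): the
 * instruction sequence above hand-assembles a 'struct bpf_lpm_trie_key' on the BPF
 * stack. Assuming the usual kernel layout { __u32 prefixlen; __u8 data[]; }, the
 * frame looks roughly like this at the time of the map lookup:
 *
 *     fp - addr_size - 4:  prefixlen  (set to addr_size * 8, i.e. the maximum,
 *                                      so the trie walks down to the longest match)
 *     fp - addr_size:      data       (the address bytes written by skb_load_bytes)
 *
 * R2 is pointed at fp - addr_size - 4, hence the '-addr_size - sizeof(uint32_t)'
 * adjustment above.
 */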
static int bpf_firewall_compile_bpf(
                Unit *u,
                bool is_ingress,
                BPFProgram **ret) {

        struct bpf_insn pre_insn[] = {
                /*
                 * When the eBPF program is entered, R1 contains the address of the skb.
                 * However, R1-R5 are scratch registers that are not preserved when calling
                 * into kernel functions, so we need to save anything that's supposed to
                 * stay around to R6-R9. Save the skb to R6.
                 */
                BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),

                /*
                 * Although we cannot access the skb data directly from eBPF programs used in this
                 * scenario, the kernel has prepared some fields for us to access through struct __sk_buff.
                 * Load the protocol (IPv4, IPv6) used by the packet in flight once and cache it in R7
                 * for later use.
                 */
                BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, offsetof(struct __sk_buff, protocol)),

                /*
                 * R8 is used to keep track of whether any address check has explicitly allowed or denied the packet
                 * through ACCESS_DENIED or ACCESS_ALLOWED bits. Reset them both to 0 in the beginning.
                 */
                BPF_MOV32_IMM(BPF_REG_8, 0),
        };

        /*
         * The access checkers compiled for the configured allowance and denial lists
         * write to R8 at runtime. The following code prepares for an early exit that
         * skips the accounting if the packet is denied:
         *
         * R0 = 1
         * if (R8 == ACCESS_DENIED)
         *     R0 = 0
         *
         * This means that if both ACCESS_DENIED and ACCESS_ALLOWED are set, the packet
         * is allowed to pass.
         */
        struct bpf_insn post_insn[] = {
                BPF_MOV64_IMM(BPF_REG_0, 1),
                BPF_JMP_IMM(BPF_JNE, BPF_REG_8, ACCESS_DENIED, 1),
                BPF_MOV64_IMM(BPF_REG_0, 0),
        };
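        /*
         * Worked example (added for clarity, not part of the original source):
         * assuming ACCESS_ALLOWED and ACCESS_DENIED are distinct bit values, as the
         * BPF_OR accumulation in add_lookup_instructions() implies, a packet whose
         * address matches both a deny and an allow map ends up with
         * R8 == (ACCESS_DENIED | ACCESS_ALLOWED). That compound value compares
         * unequal to ACCESS_DENIED, so the BPF_JNE branch above is taken, R0 stays 1
         * and the packet passes: allow entries override deny entries.
         */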
        _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
        int accounting_map_fd, r;
        bool access_enabled;
        assert(u);
        assert(ret);

        accounting_map_fd = is_ingress ?
                u->ip_accounting_ingress_map_fd :
                u->ip_accounting_egress_map_fd;

        access_enabled =
                u->ipv4_allow_map_fd >= 0 ||
                u->ipv6_allow_map_fd >= 0 ||
                u->ipv4_deny_map_fd >= 0 ||
                u->ipv6_deny_map_fd >= 0;

        if (accounting_map_fd < 0 && !access_enabled) {
                *ret = NULL;
                return 0;
        }

        r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
        if (r < 0)
                return r;

        r = bpf_program_add_instructions(p, pre_insn, ELEMENTSOF(pre_insn));
        if (r < 0)
                return r;
        if (access_enabled) {
                /*
                 * The simple rule this function translates into eBPF instructions is:
                 *
                 * - Access will be granted when an address matches an entry in @list_allow
                 * - Otherwise, access will be denied when an address matches an entry in @list_deny
                 * - Otherwise, access will be granted
                 */

                if (u->ipv4_deny_map_fd >= 0) {
                        r = add_lookup_instructions(p, u->ipv4_deny_map_fd, ETH_P_IP, is_ingress, ACCESS_DENIED);
                        if (r < 0)
                                return r;
                }

                if (u->ipv6_deny_map_fd >= 0) {
                        r = add_lookup_instructions(p, u->ipv6_deny_map_fd, ETH_P_IPV6, is_ingress, ACCESS_DENIED);
                        if (r < 0)
                                return r;
                }

                if (u->ipv4_allow_map_fd >= 0) {
                        r = add_lookup_instructions(p, u->ipv4_allow_map_fd, ETH_P_IP, is_ingress, ACCESS_ALLOWED);
                        if (r < 0)
                                return r;
                }

                if (u->ipv6_allow_map_fd >= 0) {
                        r = add_lookup_instructions(p, u->ipv6_allow_map_fd, ETH_P_IPV6, is_ingress, ACCESS_ALLOWED);
                        if (r < 0)
                                return r;
                }
        }

        r = bpf_program_add_instructions(p, post_insn, ELEMENTSOF(post_insn));
        if (r < 0)
                return r;
        if (accounting_map_fd >= 0) {
                struct bpf_insn insn[] = {
                        /*
                         * If R0 == 0, the packet will be denied; skip the accounting instructions in this case.
                         * The jump label will be fixed up later.
                         */
                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 0),

                        /* Count packets */
                        BPF_MOV64_IMM(BPF_REG_0, MAP_KEY_PACKETS), /* r0 = 0 */
                        BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
                        BPF_LD_MAP_FD(BPF_REG_1, accounting_map_fd), /* load map fd to r1 */
                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
                        BPF_MOV64_IMM(BPF_REG_1, 1), /* r1 = 1 */
                        BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_0, BPF_REG_1, 0, 0), /* xadd r0 += r1 */

                        /* Count bytes */
                        BPF_MOV64_IMM(BPF_REG_0, MAP_KEY_BYTES), /* r0 = 1 */
                        BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), /* *(u32 *)(fp - 4) = r0 */
                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* r2 = fp - 4 */
                        BPF_LD_MAP_FD(BPF_REG_1, accounting_map_fd),
                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
                        BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6, offsetof(struct __sk_buff, len)), /* r1 = skb->len */
                        BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_0, BPF_REG_1, 0, 0), /* xadd r0 += r1 */

                        /* Allow the packet to pass */
                        BPF_MOV64_IMM(BPF_REG_0, 1),
                };

                /* Jump label fixup */
                insn[0].off = ELEMENTSOF(insn) - 1;

                r = bpf_program_add_instructions(p, insn, ELEMENTSOF(insn));
                if (r < 0)
                        return r;
        }
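        /*
         * Note added for clarity (not in the original): BPF_STX | BPF_XADD is an
         * atomic fetch-and-add on the map value, so concurrent packets processed on
         * different CPUs bumping the same counter do not lose updates. The counters
         * live in a plain BPF array map with two u64 slots, indexed by
         * MAP_KEY_PACKETS and MAP_KEY_BYTES.
         */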
        /*
         * Exit from the eBPF program, R0 contains the verdict.
         * 0 means the packet is denied, 1 means the packet may pass.
         */
        struct bpf_insn exit_insn[] = {
                BPF_EXIT_INSN()
        };

        r = bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn));
        if (r < 0)
                return r;

        *ret = p;
        p = NULL;

        return 0;
}
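/*
 * Overview added for clarity (not in the original source): the program is assembled
 * strictly in emission order, so a fully configured unit ends up with:
 *
 *     pre_insn        save skb to R6, cache skb->protocol in R7, zero R8
 *     lookup blocks   one per configured allow/deny map, OR-ing verdict bits into R8
 *     post_insn       R0 = (R8 == ACCESS_DENIED) ? 0 : 1
 *     accounting      if R0 != 0, bump the packet and byte counters
 *     exit            return R0 (0 = deny, 1 = pass)
 */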
static int bpf_firewall_count_access_items(IPAddressAccessItem *list, size_t *n_ipv4, size_t *n_ipv6) {
        IPAddressAccessItem *a;

        assert(n_ipv4);
        assert(n_ipv6);

        LIST_FOREACH(items, a, list) {
                switch (a->family) {

                case AF_INET:
                        (*n_ipv4)++;
                        break;

                case AF_INET6:
                        (*n_ipv6)++;
                        break;

                default:
                        return -EAFNOSUPPORT;
                }
        }

        return 0;
}
static int bpf_firewall_add_access_items(
                IPAddressAccessItem *list,
                int ipv4_map_fd,
                int ipv6_map_fd,
                int verdict) {

        struct bpf_lpm_trie_key *key_ipv4, *key_ipv6;
        uint64_t value = verdict;
        IPAddressAccessItem *a;
        int r;

        key_ipv4 = alloca0(offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t));
        key_ipv6 = alloca0(offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t) * 4);

        LIST_FOREACH(items, a, list) {
                switch (a->family) {

                case AF_INET:
                        key_ipv4->prefixlen = a->prefixlen;
                        memcpy(key_ipv4->data, &a->address, sizeof(uint32_t));

                        r = bpf_map_update_element(ipv4_map_fd, key_ipv4, &value);
                        if (r < 0)
                                return r;
                        break;

                case AF_INET6:
                        key_ipv6->prefixlen = a->prefixlen;
                        memcpy(key_ipv6->data, &a->address, 4 * sizeof(uint32_t));

                        r = bpf_map_update_element(ipv6_map_fd, key_ipv6, &value);
                        if (r < 0)
                                return r;
                        break;

                default:
                        return -EAFNOSUPPORT;
                }
        }

        return 0;
}
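/*
 * Concrete example (illustrative, not in the original source): an
 * IPAddressAccessItem for 10.0.0.0/8 in an allow list becomes the LPM trie entry
 *
 *     key   = { .prefixlen = 8, .data = { 0x0a, 0x00, 0x00, 0x00 } }
 *     value = ACCESS_ALLOWED
 *
 * assuming a->address holds the address in network byte order. At runtime the
 * generated lookup then matches any source/destination address within 10.0.0.0/8.
 */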
static int bpf_firewall_prepare_access_maps(
                Unit *u,
                int verdict,
                int *ret_ipv4_map_fd,
                int *ret_ipv6_map_fd) {

        _cleanup_close_ int ipv4_map_fd = -1, ipv6_map_fd = -1;
        size_t n_ipv4 = 0, n_ipv6 = 0;
        Unit *p;

        assert(ret_ipv4_map_fd);
        assert(ret_ipv6_map_fd);

        for (p = u; p; p = UNIT_DEREF(p->slice)) {
                CGroupContext *cc;

                cc = unit_get_cgroup_context(p);
                if (!cc)
                        continue;

                bpf_firewall_count_access_items(verdict == ACCESS_ALLOWED ? cc->ip_address_allow : cc->ip_address_deny, &n_ipv4, &n_ipv6);
        }

        if (n_ipv4 > 0) {
                ipv4_map_fd = bpf_map_new(
                                BPF_MAP_TYPE_LPM_TRIE,
                                offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t),
                                sizeof(uint64_t),
                                n_ipv4,
                                BPF_F_NO_PREALLOC);
                if (ipv4_map_fd < 0)
                        return ipv4_map_fd;
        }

        if (n_ipv6 > 0) {
                ipv6_map_fd = bpf_map_new(
                                BPF_MAP_TYPE_LPM_TRIE,
                                offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t)*4,
                                sizeof(uint64_t),
                                n_ipv6,
                                BPF_F_NO_PREALLOC);
                if (ipv6_map_fd < 0)
                        return ipv6_map_fd;
        }

        for (p = u; p; p = UNIT_DEREF(p->slice)) {
                CGroupContext *cc;
                int r;

                cc = unit_get_cgroup_context(p);
                if (!cc)
                        continue;

                r = bpf_firewall_add_access_items(verdict == ACCESS_ALLOWED ? cc->ip_address_allow : cc->ip_address_deny,
                                                  ipv4_map_fd, ipv6_map_fd, verdict);
                if (r < 0)
                        return r;
        }

        *ret_ipv4_map_fd = ipv4_map_fd;
        *ret_ipv6_map_fd = ipv6_map_fd;

        ipv4_map_fd = ipv6_map_fd = -1;
        return 0;
}
static int bpf_firewall_prepare_accounting_maps(Unit *u, bool enabled, int *fd_ingress, int *fd_egress) {
        int r;

        assert(u);
        assert(fd_ingress);
        assert(fd_egress);

        if (enabled) {
                if (*fd_ingress < 0) {
                        r = bpf_map_new(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(uint64_t), 2, 0);
                        if (r < 0)
                                return r;

                        *fd_ingress = r;
                }

                if (*fd_egress < 0) {
                        r = bpf_map_new(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(uint64_t), 2, 0);
                        if (r < 0)
                                return r;

                        *fd_egress = r;
                }
        } else {
                *fd_ingress = safe_close(*fd_ingress);
                *fd_egress = safe_close(*fd_egress);

                zero(u->ip_accounting_extra);
        }

        return 0;
}
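/*
 * Note added for clarity (not in the original): each accounting map is a
 * BPF_MAP_TYPE_ARRAY with exactly two uint64_t slots -- hence the max_entries
 * argument of 2 above -- one indexed by MAP_KEY_PACKETS and one by MAP_KEY_BYTES,
 * matching the counters the compiled program bumps via XADD.
 */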
int bpf_firewall_compile(Unit *u) {
        CGroupContext *cc;
        int r, supported;

        assert(u);

        cc = unit_get_cgroup_context(u);
        if (!cc)
                return -EINVAL;

        supported = bpf_firewall_supported();
        if (supported < 0)
                return supported;
        if (supported == BPF_FIREWALL_UNSUPPORTED) {
                log_unit_debug(u, "BPF firewalling not supported on this manager, proceeding without.");
                return -EOPNOTSUPP;
        }
        if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI && u->type == UNIT_SLICE) {
                /* If BPF_F_ALLOW_MULTI is not supported we don't support any BPF magic on inner nodes (i.e. on slice
                 * units), since that would mean leaf nodes couldn't do any BPF anymore at all. Under the assumption
                 * that BPF is more interesting on leaf nodes we hence avoid it on inner nodes in that case. This is
                 * consistent with old systemd behaviour from before v238, where BPF wasn't supported in inner nodes at
                 * all, either. */
                log_unit_debug(u, "BPF_F_ALLOW_MULTI is not supported on this manager, not doing BPF firewall on slice units.");
                return -EOPNOTSUPP;
        }

        /* Note that when we compile a new firewall we first flush out the access maps and the BPF programs themselves,
         * but we reuse the accounting maps. That way the firewall in effect always maps to the actual
         * configuration, but we don't flush out the accounting unnecessarily. */

        u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress);
        u->ip_bpf_egress = bpf_program_unref(u->ip_bpf_egress);

        u->ipv4_allow_map_fd = safe_close(u->ipv4_allow_map_fd);
        u->ipv4_deny_map_fd = safe_close(u->ipv4_deny_map_fd);
        u->ipv6_allow_map_fd = safe_close(u->ipv6_allow_map_fd);
        u->ipv6_deny_map_fd = safe_close(u->ipv6_deny_map_fd);

        if (u->type != UNIT_SLICE) {
                /* In inner nodes we only do accounting, we do not actually bother with access control. However, leaf
                 * nodes will incorporate all IP access rules set on all their parent nodes. This has the benefit that
                 * they can optionally cancel out system-wide rules. Since inner nodes can't contain processes this
                 * means that all configured IP access rules *will* take effect on processes, even though we never
                 * compile them for inner nodes. */

                r = bpf_firewall_prepare_access_maps(u, ACCESS_ALLOWED, &u->ipv4_allow_map_fd, &u->ipv6_allow_map_fd);
                if (r < 0)
                        return log_unit_error_errno(u, r, "Preparation of eBPF allow maps failed: %m");

                r = bpf_firewall_prepare_access_maps(u, ACCESS_DENIED, &u->ipv4_deny_map_fd, &u->ipv6_deny_map_fd);
                if (r < 0)
                        return log_unit_error_errno(u, r, "Preparation of eBPF deny maps failed: %m");
        }

        r = bpf_firewall_prepare_accounting_maps(u, cc->ip_accounting, &u->ip_accounting_ingress_map_fd, &u->ip_accounting_egress_map_fd);
        if (r < 0)
                return log_unit_error_errno(u, r, "Preparation of eBPF accounting maps failed: %m");

        r = bpf_firewall_compile_bpf(u, true, &u->ip_bpf_ingress);
        if (r < 0)
                return log_unit_error_errno(u, r, "Compilation for ingress BPF program failed: %m");

        r = bpf_firewall_compile_bpf(u, false, &u->ip_bpf_egress);
        if (r < 0)
                return log_unit_error_errno(u, r, "Compilation for egress BPF program failed: %m");

        return 0;
}
int bpf_firewall_install(Unit *u) {
        _cleanup_free_ char *path = NULL;
        CGroupContext *cc;
        int r, supported;
        uint32_t flags;

        assert(u);

        cc = unit_get_cgroup_context(u);
        if (!cc)
                return -EINVAL;
        if (!u->cgroup_realized)
                return -EINVAL;

        supported = bpf_firewall_supported();
        if (supported < 0)
                return supported;
        if (supported == BPF_FIREWALL_UNSUPPORTED) {
                log_unit_debug(u, "BPF firewalling not supported on this manager, proceeding without.");
                return -EOPNOTSUPP;
        }
        if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI && u->type == UNIT_SLICE) {
                log_unit_debug(u, "BPF_F_ALLOW_MULTI is not supported on this manager, not doing BPF firewall on slice units.");
                return -EOPNOTSUPP;
        }

        r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &path);
        if (r < 0)
                return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");

        flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI &&
                 (u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0;

        /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to
         * minimize the time window when we don't account for IP traffic. */
        u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed);
        u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);

        if (u->ip_bpf_egress) {
                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);
                if (r < 0)
                        return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);

                /* Remember that this BPF program is installed now. */
                u->ip_bpf_egress_installed = bpf_program_ref(u->ip_bpf_egress);
        }

        if (u->ip_bpf_ingress) {
                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);
                if (r < 0)
                        return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);

                u->ip_bpf_ingress_installed = bpf_program_ref(u->ip_bpf_ingress);
        }

        return 0;
}
int bpf_firewall_read_accounting(int map_fd, uint64_t *ret_bytes, uint64_t *ret_packets) {
        uint64_t key, packets;
        int r;

        if (map_fd < 0)
                return -EBADF;

        if (ret_packets) {
                key = MAP_KEY_PACKETS;
                r = bpf_map_lookup_element(map_fd, &key, &packets);
                if (r < 0)
                        return r;
        }

        if (ret_bytes) {
                key = MAP_KEY_BYTES;
                r = bpf_map_lookup_element(map_fd, &key, ret_bytes);
                if (r < 0)
                        return r;
        }

        /* Assign the packet count only after both lookups succeeded, so we don't clobber the output on failure. */
        if (ret_packets)
                *ret_packets = packets;

        return 0;
}
int bpf_firewall_reset_accounting(int map_fd) {
        uint64_t key, value = 0;
        int r;

        if (map_fd < 0)
                return -EBADF;

        key = MAP_KEY_PACKETS;
        r = bpf_map_update_element(map_fd, &key, &value);
        if (r < 0)
                return r;

        key = MAP_KEY_BYTES;
        return bpf_map_update_element(map_fd, &key, &value);
}
int bpf_firewall_supported(void) {
        struct bpf_insn trivial[] = {
                BPF_MOV64_IMM(BPF_REG_0, 1),
                BPF_EXIT_INSN()
        };

        _cleanup_(bpf_program_unrefp) BPFProgram *program = NULL;
        static int supported = -1;
        union bpf_attr attr;
        int fd, r;

        /* Checks whether BPF firewalling is supported. For this, we check five things:
         *
         * a) whether we are privileged
         * b) whether the unified hierarchy is being used
         * c) the BPF implementation in the kernel supports BPF LPM TRIE maps, which we require
         * d) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_SKB programs, which we require
         * e) the BPF implementation in the kernel supports the BPF_PROG_DETACH call, which we require
         */

        if (supported >= 0)
                return supported;

        if (geteuid() != 0) {
                log_debug("Not enough privileges, BPF firewalling is not supported.");
                return supported = BPF_FIREWALL_UNSUPPORTED;
        }

        r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
        if (r < 0)
                return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m");
        if (r == 0) {
                log_debug("Not running with unified cgroups, BPF firewalling is not supported.");
                return supported = BPF_FIREWALL_UNSUPPORTED;
        }

        fd = bpf_map_new(BPF_MAP_TYPE_LPM_TRIE,
                         offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint64_t),
                         sizeof(uint64_t),
                         1,
                         BPF_F_NO_PREALLOC);
        if (fd < 0) {
                log_debug_errno(fd, "Can't allocate BPF LPM TRIE map, BPF firewalling is not supported: %m");
                return supported = BPF_FIREWALL_UNSUPPORTED;
        }
        safe_close(fd);

        r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &program);
        if (r < 0) {
                log_debug_errno(r, "Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m");
                return supported = BPF_FIREWALL_UNSUPPORTED;
        }

        r = bpf_program_add_instructions(program, trivial, ELEMENTSOF(trivial));
        if (r < 0) {
                log_debug_errno(r, "Can't add trivial instructions to CGROUP SKB BPF program, BPF firewalling is not supported: %m");
                return supported = BPF_FIREWALL_UNSUPPORTED;
        }

        r = bpf_program_load_kernel(program, NULL, 0);
        if (r < 0) {
                log_debug_errno(r, "Can't load kernel CGROUP SKB BPF program, BPF firewalling is not supported: %m");
                return supported = BPF_FIREWALL_UNSUPPORTED;
        }

        /* Unfortunately the kernel allows us to create BPF_PROG_TYPE_CGROUP_SKB programs even when CONFIG_CGROUP_BPF
         * is turned off at kernel compilation time. This sucks of course: why does it allow us to create a cgroup BPF
         * program if we can't do a thing with it later?
         *
         * We detect this case by issuing the BPF_PROG_DETACH bpf() call with invalid file descriptors: if
         * CONFIG_CGROUP_BPF is turned off, then the call will fail early with EINVAL. If it is turned on the
         * parameters are validated however, and that'll fail with EBADF then. */

        attr = (union bpf_attr) {
                .attach_type = BPF_CGROUP_INET_EGRESS,
                .target_fd = -1,
                .attach_bpf_fd = -1,
        };

        if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) {
                if (errno != EBADF) {
                        log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m");
                        return supported = BPF_FIREWALL_UNSUPPORTED;
                }

                /* EBADF is the expected outcome: the parameters were validated, hence CONFIG_CGROUP_BPF is on. */
        } else {
                log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH call? Something is weird, assuming BPF firewalling is broken and hence not supported.");
                return supported = BPF_FIREWALL_UNSUPPORTED;
        }

        /* So now we know that the BPF program is generally available, let's see if BPF_F_ALLOW_MULTI is also supported
         * (which was added in kernel 4.15). We use a similar logic as before, but this time we use the BPF_PROG_ATTACH
         * bpf() call and the BPF_F_ALLOW_MULTI flags value. Since the flags are checked early in the system call we'll
         * get EINVAL if it's not supported, and EBADF as before if it is available. */

        attr = (union bpf_attr) {
                .attach_type = BPF_CGROUP_INET_EGRESS,
                .target_fd = -1,
                .attach_bpf_fd = -1,
                .attach_flags = BPF_F_ALLOW_MULTI,
        };

        if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) {
                if (errno == EBADF) {
                        log_debug_errno(errno, "Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!");
                        return supported = BPF_FIREWALL_SUPPORTED_WITH_MULTI;
                }

                if (errno == EINVAL)
                        log_debug_errno(errno, "Got EINVAL error when using BPF_F_ALLOW_MULTI, which indicates it's not supported.");
                else
                        log_debug_errno(errno, "Got unexpected error when using BPF_F_ALLOW_MULTI, assuming it's not supported: %m");

                return supported = BPF_FIREWALL_SUPPORTED;
        } else {
                log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? Something is weird, assuming BPF firewalling is broken and hence not supported.");
                return supported = BPF_FIREWALL_UNSUPPORTED;
        }
}