CustomMount *m = &arg_custom_mounts[i];
if (path_equal(m->destination, "/") && arg_userns_mode != USER_NAMESPACE_NO) {
-
- if (arg_userns_chown) {
- log_error("--private-users-chown may not be combined with custom root mounts.");
- return -EINVAL;
- } else if (arg_uid_shift == UID_INVALID) {
- log_error("--private-users with automatic UID shift may not be combined with custom root mounts.");
- return -EINVAL;
- }
+ if (arg_userns_chown)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--private-users-chown may not be combined with custom root mounts.");
+ else if (arg_uid_shift == UID_INVALID)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--private-users with automatic UID shift may not be combined with custom root mounts.");
}
}
case ARG_NETWORK_BRIDGE:
- if (!ifname_valid(optarg)) {
- log_error("Bridge interface name not valid: %s", optarg);
- return -EINVAL;
- }
+ if (!ifname_valid(optarg))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Bridge interface name not valid: %s", optarg);
r = free_and_strdup(&arg_network_bridge, optarg);
if (r < 0)
break;
case ARG_NETWORK_INTERFACE:
- if (!ifname_valid(optarg)) {
- log_error("Network interface name not valid: %s", optarg);
- return -EINVAL;
- }
+ if (!ifname_valid(optarg))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Network interface name not valid: %s", optarg);
if (strv_extend(&arg_network_interfaces, optarg) < 0)
return log_oom();
case ARG_NETWORK_MACVLAN:
- if (!ifname_valid(optarg)) {
- log_error("MACVLAN network interface name not valid: %s", optarg);
- return -EINVAL;
- }
+ if (!ifname_valid(optarg))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "MACVLAN network interface name not valid: %s", optarg);
if (strv_extend(&arg_network_macvlan, optarg) < 0)
return log_oom();
case ARG_NETWORK_IPVLAN:
- if (!ifname_valid(optarg)) {
- log_error("IPVLAN network interface name not valid: %s", optarg);
- return -EINVAL;
- }
+ if (!ifname_valid(optarg))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "IPVLAN network interface name not valid: %s", optarg);
if (strv_extend(&arg_network_ipvlan, optarg) < 0)
return log_oom();
break;
case 'b':
- if (arg_start_mode == START_PID2) {
- log_error("--boot and --as-pid2 may not be combined.");
- return -EINVAL;
- }
+ if (arg_start_mode == START_PID2)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--boot and --as-pid2 may not be combined.");
arg_start_mode = START_BOOT;
arg_settings_mask |= SETTING_START_MODE;
break;
case 'a':
- if (arg_start_mode == START_BOOT) {
- log_error("--boot and --as-pid2 may not be combined.");
- return -EINVAL;
- }
+ if (arg_start_mode == START_BOOT)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--boot and --as-pid2 may not be combined.");
arg_start_mode = START_PID2;
arg_settings_mask |= SETTING_START_MODE;
if (r < 0)
return log_error_errno(r, "Invalid UUID: %s", optarg);
- if (sd_id128_is_null(arg_uuid)) {
- log_error("Machine UUID may not be all zeroes.");
- return -EINVAL;
- }
+ if (sd_id128_is_null(arg_uuid))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Machine UUID may not be all zeroes.");
arg_settings_mask |= SETTING_MACHINE_ID;
break;
if (isempty(optarg))
arg_machine = mfree(arg_machine);
else {
- if (!machine_name_is_valid(optarg)) {
- log_error("Invalid machine name: %s", optarg);
- return -EINVAL;
- }
+ if (!machine_name_is_valid(optarg))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Invalid machine name: %s", optarg);
r = free_and_strdup(&arg_machine, optarg);
if (r < 0)
if (isempty(optarg))
arg_hostname = mfree(arg_hostname);
else {
- if (!hostname_is_valid(optarg, false)) {
- log_error("Invalid hostname: %s", optarg);
- return -EINVAL;
- }
+ if (!hostname_is_valid(optarg, false))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Invalid hostname: %s", optarg);
r = free_and_strdup(&arg_hostname, optarg);
if (r < 0)
int cap;
cap = capability_from_name(t);
- if (cap < 0) {
- log_error("Failed to parse capability %s.", t);
- return -EINVAL;
- }
+ if (cap < 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Failed to parse capability %s.", t);
if (c == ARG_CAPABILITY)
plus |= 1ULL << (uint64_t) cap;
case 'E': {
char **n;
- if (!env_assignment_is_valid(optarg)) {
- log_error("Environment variable assignment '%s' is not valid.", optarg);
- return -EINVAL;
- }
+ if (!env_assignment_is_valid(optarg))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Environment variable assignment '%s' is not valid.", optarg);
n = strv_env_set(arg_setenv, optarg);
if (!n)
case ARG_PERSONALITY:
arg_personality = personality_from_string(optarg);
- if (arg_personality == PERSONALITY_INVALID) {
- log_error("Unknown or unsupported personality '%s'.", optarg);
- return -EINVAL;
- }
+ if (arg_personality == PERSONALITY_INVALID)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Unknown or unsupported personality '%s'.", optarg);
arg_settings_mask |= SETTING_PERSONALITY;
break;
VolatileMode m;
m = volatile_mode_from_string(optarg);
- if (m < 0) {
- log_error("Failed to parse --volatile= argument: %s", optarg);
- return -EINVAL;
- } else
+ if (m < 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Failed to parse --volatile= argument: %s", optarg);
+ else
arg_volatile_mode = m;
}
arg_userns_mode = USER_NAMESPACE_FIXED;
}
- if (arg_uid_range <= 0) {
- log_error("UID range cannot be 0.");
- return -EINVAL;
- }
+ if (arg_uid_range <= 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "UID range cannot be 0.");
arg_settings_mask |= SETTING_USERNS;
break;
}
arg_kill_signal = signal_from_string(optarg);
- if (arg_kill_signal < 0) {
- log_error("Cannot parse signal: %s", optarg);
- return -EINVAL;
- }
+ if (arg_kill_signal < 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Cannot parse signal: %s", optarg);
arg_settings_mask |= SETTING_KILL_SIGNAL;
break;
break;
case ARG_CHDIR:
- if (!path_is_absolute(optarg)) {
- log_error("Working directory %s is not an absolute path.", optarg);
- return -EINVAL;
- }
+ if (!path_is_absolute(optarg))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Working directory %s is not an absolute path.", optarg);
r = free_and_strdup(&arg_chdir, optarg);
if (r < 0)
case ARG_NOTIFY_READY:
r = parse_boolean(optarg);
- if (r < 0) {
- log_error("%s is not a valid notify mode. Valid modes are: yes, no, and ready.", optarg);
- return -EINVAL;
- }
+ if (r < 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "%s is not a valid notify mode. Valid modes are: yes, no, and ready.", optarg);
arg_notify_ready = r;
arg_settings_mask |= SETTING_NOTIFY_READY;
break;
}
eq = strchr(optarg, '=');
- if (!eq) {
- log_error("--rlimit= expects an '=' assignment.");
- return -EINVAL;
- }
+ if (!eq)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--rlimit= expects an '=' assignment.");
name = strndup(optarg, eq - optarg);
if (!name)
return log_oom();
rl = rlimit_from_string_harder(name);
- if (rl < 0) {
- log_error("Unknown resource limit: %s", name);
- return -EINVAL;
- }
+ if (rl < 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Unknown resource limit: %s", name);
if (!arg_rlimit[rl]) {
arg_rlimit[rl] = new0(struct rlimit, 1);
}
arg_resolv_conf = resolv_conf_mode_from_string(optarg);
- if (arg_resolv_conf < 0) {
- log_error("Failed to parse /etc/resolv.conf mode: %s", optarg);
- return -EINVAL;
- }
+ if (arg_resolv_conf < 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Failed to parse /etc/resolv.conf mode: %s", optarg);
arg_settings_mask |= SETTING_RESOLV_CONF;
break;
}
arg_timezone = timezone_mode_from_string(optarg);
- if (arg_timezone < 0) {
- log_error("Failed to parse /etc/localtime mode: %s", optarg);
- return -EINVAL;
- }
+ if (arg_timezone < 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Failed to parse /etc/localtime mode: %s", optarg);
arg_settings_mask |= SETTING_TIMEZONE;
break;
(arg_network_interfaces || arg_network_macvlan ||
arg_network_ipvlan || arg_network_veth_extra ||
arg_network_bridge || arg_network_zone ||
- arg_network_veth || arg_private_network)) {
- log_error("--network-namespace-path cannot be combined with other network options.");
- return -EINVAL;
- }
+ arg_network_veth || arg_private_network))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--network-namespace-path cannot be combined with other network options.");
parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_IPC", CLONE_NEWIPC);
parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_PID", CLONE_NEWPID);
if (!(arg_clone_ns_flags & CLONE_NEWPID) ||
!(arg_clone_ns_flags & CLONE_NEWUTS)) {
arg_register = false;
- if (arg_start_mode != START_PID1) {
- log_error("--boot cannot be used without namespacing.");
- return -EINVAL;
- }
+ if (arg_start_mode != START_PID1)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--boot cannot be used without namespacing.");
}
if (arg_userns_mode == USER_NAMESPACE_PICK)
arg_userns_chown = true;
- if (arg_keep_unit && arg_register && cg_pid_get_owner_uid(0, NULL) >= 0) {
+ if (arg_keep_unit && arg_register && cg_pid_get_owner_uid(0, NULL) >= 0)
/* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
* The latter is not technically a user session, but we don't need to labour the point. */
- log_error("--keep-unit --register=yes may not be used when invoked from a user session.");
- return -EINVAL;
- }
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--keep-unit --register=yes may not be used when invoked from a user session.");
- if (arg_directory && arg_image) {
- log_error("--directory= and --image= may not be combined.");
- return -EINVAL;
- }
+ if (arg_directory && arg_image)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--directory= and --image= may not be combined.");
- if (arg_template && arg_image) {
- log_error("--template= and --image= may not be combined.");
- return -EINVAL;
- }
+ if (arg_template && arg_image)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--template= and --image= may not be combined.");
if (arg_ephemeral && arg_template && !arg_directory) {
/* User asked for ephemeral execution but specified --template= instead of --directory=. Semantically
arg_directory = TAKE_PTR(arg_template);
}
- if (arg_template && !(arg_directory || arg_machine)) {
- log_error("--template= needs --directory= or --machine=.");
- return -EINVAL;
- }
+ if (arg_template && !(arg_directory || arg_machine))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--template= needs --directory= or --machine=.");
- if (arg_ephemeral && arg_template) {
- log_error("--ephemeral and --template= may not be combined.");
- return -EINVAL;
- }
+ if (arg_ephemeral && arg_template)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--ephemeral and --template= may not be combined.");
- if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO)) {
- log_error("--ephemeral and --link-journal= may not be combined.");
- return -EINVAL;
- }
+ if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--ephemeral and --link-journal= may not be combined.");
- if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported()) {
- log_error("--private-users= is not supported, kernel compiled without user namespace support.");
- return -EOPNOTSUPP;
- }
+ if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported())
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "--private-users= is not supported, kernel compiled without user namespace support.");
- if (arg_userns_chown && arg_read_only) {
- log_error("--read-only and --private-users-chown may not be combined.");
- return -EINVAL;
- }
+ if (arg_userns_chown && arg_read_only)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--read-only and --private-users-chown may not be combined.");
- if (arg_network_bridge && arg_network_zone) {
- log_error("--network-bridge= and --network-zone= may not be combined.");
- return -EINVAL;
- }
+ if (arg_network_bridge && arg_network_zone)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "--network-bridge= and --network-zone= may not be combined.");
if (argc > optind) {
arg_parameters = strv_copy(argv + optind);
}
static int verify_arguments(void) {
- if (arg_userns_mode != USER_NAMESPACE_NO && (arg_mount_settings & MOUNT_APPLY_APIVFS_NETNS) && !arg_private_network) {
- log_error("Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network.");
- return -EINVAL;
- }
+ if (arg_userns_mode != USER_NAMESPACE_NO && (arg_mount_settings & MOUNT_APPLY_APIVFS_NETNS) && !arg_private_network)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network.");
- if (arg_userns_mode != USER_NAMESPACE_NO && !(arg_mount_settings & MOUNT_APPLY_APIVFS_RO)) {
- log_error("Cannot combine --private-users with read-write mounts.");
- return -EINVAL;
- }
+ if (arg_userns_mode != USER_NAMESPACE_NO && !(arg_mount_settings & MOUNT_APPLY_APIVFS_RO))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Cannot combine --private-users with read-write mounts.");
- if (arg_volatile_mode != VOLATILE_NO && arg_read_only) {
- log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
- return -EINVAL;
- }
+ if (arg_volatile_mode != VOLATILE_NO && arg_read_only)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
- if (arg_expose_ports && !arg_private_network) {
- log_error("Cannot use --port= without private networking.");
- return -EINVAL;
- }
+ if (arg_expose_ports && !arg_private_network)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Cannot use --port= without private networking.");
#if ! HAVE_LIBIPTC
- if (arg_expose_ports) {
- log_error("--port= is not supported, compiled without libiptc support.");
- return -EOPNOTSUPP;
- }
+ if (arg_expose_ports)
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "--port= is not supported, compiled without libiptc support.");
#endif
if (arg_start_mode == START_BOOT && arg_kill_signal <= 0)
if (errno != ENOENT)
return log_error_errno(errno, "Failed to stat %s: %m", from);
- } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
-
- log_error("%s is not a char or block device, cannot copy.", from);
- return -EIO;
-
- } else {
+ } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode))
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "%s is not a char or block device, cannot copy.", from);
+ else {
_cleanup_free_ char *sl = NULL, *prefixed = NULL, *dn = NULL, *t = NULL;
if (mknod(to, st.st_mode, st.st_rdev) < 0) {
if (try)
return 0;
- log_error("%s: already a mount point, refusing to use for journal", p);
- return -EEXIST;
+ return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
+ "%s: already a mount point, refusing to use for journal", p);
}
if (path_is_mount_point(q, NULL, 0) > 0) {
if (try)
return 0;
- log_error("%s: already a mount point, refusing to use for journal", q);
- return -EEXIST;
+ return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
+ "%s: already a mount point, refusing to use for journal", q);
}
r = readlink_and_make_absolute(p, &d);
return log_error_errno(r, "Failed to acquire randomized machine UUID: %m");
}
} else {
- if (sd_id128_is_null(id)) {
- log_error("Machine ID in container image is zero, refusing.");
- return -EINVAL;
- }
+ if (sd_id128_is_null(id))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Machine ID in container image is zero, refusing.");
arg_uuid = id;
}
_fallthrough_;
case CLD_DUMPED:
- log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
- return -EIO;
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
default:
- log_error("Container %s failed due to unknown reason.", arg_machine);
- return -EIO;
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Container %s failed due to unknown reason.", arg_machine);
}
}
arg_uid_shift = st.st_uid & UINT32_C(0xffff0000);
- if (arg_uid_shift != (st.st_gid & UINT32_C(0xffff0000))) {
- log_error("UID and GID base of %s don't match.", directory);
- return -EINVAL;
- }
+ if (arg_uid_shift != (st.st_gid & UINT32_C(0xffff0000)))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "UID and GID base of %s don't match.", directory);
arg_uid_range = UINT32_C(0x10000);
}
- if (arg_uid_shift > (uid_t) -1 - arg_uid_range) {
- log_error("UID base too high for UID range.");
- return -EINVAL;
- }
+ if (arg_uid_shift > (uid_t) -1 - arg_uid_range)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "UID base too high for UID range.");
return 0;
}
(void) barrier_place(barrier); /* #1 */
/* Wait until the parent wrote the UID map */
- if (!barrier_place_and_sync(barrier)) { /* #2 */
- log_error("Parent died too early");
- return -ESRCH;
- }
+ if (!barrier_place_and_sync(barrier)) /* #2 */
+ return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
+ "Parent died too early");
}
r = reset_uid_gid();
/* Wait until we are cgroup-ified, so that we
* can mount the right cgroup path writable */
- if (!barrier_place_and_sync(barrier)) { /* #4 */
- log_error("Parent died too early");
- return -ESRCH;
- }
+ if (!barrier_place_and_sync(barrier)) /* #4 */
+ return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
+ "Parent died too early");
if (arg_use_cgns && cg_ns_supported()) {
r = unshare(CLONE_NEWCGROUP);
/* Let the parent know that we are ready and
* wait until the parent is ready with the
* setup, too... */
- if (!barrier_place_and_sync(barrier)) { /* #5 */
- log_error("Parent died too early");
- return -ESRCH;
- }
+ if (!barrier_place_and_sync(barrier)) /* #5 */
+ return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
+ "Parent died too early");
if (arg_chdir)
if (chdir(arg_chdir) < 0)
l = send(uid_shift_socket, &arg_uid_shift, sizeof(arg_uid_shift), MSG_NOSIGNAL);
if (l < 0)
return log_error_errno(errno, "Failed to send UID shift: %m");
- if (l != sizeof(arg_uid_shift)) {
- log_error("Short write while sending UID shift.");
- return -EIO;
- }
+ if (l != sizeof(arg_uid_shift))
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Short write while sending UID shift.");
if (arg_userns_mode == USER_NAMESPACE_PICK) {
/* When we are supposed to pick the UID shift, the parent will check now whether the UID shift
l = recv(uid_shift_socket, &arg_uid_shift, sizeof(arg_uid_shift), 0);
if (l < 0)
return log_error_errno(errno, "Failed to recv UID shift: %m");
- if (l != sizeof(arg_uid_shift)) {
- log_error("Short read while receiving UID shift.");
- return -EIO;
- }
+ if (l != sizeof(arg_uid_shift))
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Short read while receiving UID shift.");
}
log_full(arg_quiet ? LOG_DEBUG : LOG_INFO,
l = send(unified_cgroup_hierarchy_socket, &arg_unified_cgroup_hierarchy, sizeof(arg_unified_cgroup_hierarchy), MSG_NOSIGNAL);
if (l < 0)
return log_error_errno(errno, "Failed to send cgroup mode: %m");
- if (l != sizeof(arg_unified_cgroup_hierarchy)) {
- log_error("Short write while sending cgroup mode.");
- return -EIO;
- }
+ if (l != sizeof(arg_unified_cgroup_hierarchy))
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Short write while sending cgroup mode.");
unified_cgroup_hierarchy_socket = safe_close(unified_cgroup_hierarchy_socket);
}
l = send(pid_socket, &pid, sizeof(pid), MSG_NOSIGNAL);
if (l < 0)
return log_error_errno(errno, "Failed to send PID: %m");
- if (l != sizeof(pid)) {
- log_error("Short write while sending PID.");
- return -EIO;
- }
+ if (l != sizeof(pid))
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Short write while sending PID.");
l = send(uuid_socket, &arg_uuid, sizeof(arg_uuid), MSG_NOSIGNAL);
if (l < 0)
return log_error_errno(errno, "Failed to send machine ID: %m");
- if (l != sizeof(arg_uuid)) {
- log_error("Short write while sending machine ID.");
- return -EIO;
- }
+ if (l != sizeof(arg_uuid))
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Short write while sending machine ID.");
l = send_one_fd(notify_socket, fd, 0);
if (l < 0)
projects / thirdparty / systemd.git / blobdiff