From: Lennart Poettering
Date: Tue, 8 Jun 2021 13:25:28 +0000 (+0200)
Subject: bpf-firewall: move destruction of IP firewall objects to bpf-firewall.c
X-Git-Tag: v249-rc1~57^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fd9c28cc9487fadcddc5ea5bd0c7ca2ad525534;p=thirdparty%2Fsystemd.git

bpf-firewall: move destruction of IP firewall objects to bpf-firewall.c

These are so many runtime objects, let's add a bpf_firewall_close() helper that destroys them all, and call that from unit_free(), simply as an excercise of encapsulating more BPF code in bpf-firewall.c.

This also brings the destruction order and variable declaration order in struct Unit into the same systematic order.

No change in behaviour just some minor refactoring.
---
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 2a41bffee6b..eda4d3bbdf4 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -661,6 +661,7 @@ static int attach_custom_bpf_progs(Unit *u, const char *path, int attach_type, S
 r = set_ensure_put(set_installed, &filter_prog_hash_ops, prog);
 if (r < 0)
 return log_unit_error_errno(u, r, "Can't add program to BPF program set: %m");
+ bpf_program_ref(prog);
 }
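Review bot: The added `bpf_program_ref(prog);` is taken unconditionally, while the line above treats only `r < 0` as failure; if set_ensure_put() follows the usual systemd convention of returning 0 when the key is already present, a prog that was already in set_installed gains a reference that no later set_free() drops, leaking the program (and the kernel object behind it) for the lifetime of the process. I cannot tell from the hunk whether set_installed is emptied before this loop, so if the already-present case is reachable the ref should be tied to actual insertion: `if (r > 0) bpf_program_ref(prog);`. This line also contradicts the description's "No change in behaviour": it changes how many references the installed set holds, and the message should state why the extra reference is required (presumably because filter_prog_hash_ops unrefs entries on removal, which is outside the hunk). attach_custom_bpf_progs() starts and ends outside the hunk.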
@@ -902,3 +903,25 @@ void emit_bpf_firewall_warning(Unit *u) {
 warned = true;
 }
 }
+
+void bpf_firewall_close(Unit *u) {
+ assert(u);
+
+ u->ip_accounting_ingress_map_fd = safe_close(u->ip_accounting_ingress_map_fd);
+ u->ip_accounting_egress_map_fd = safe_close(u->ip_accounting_egress_map_fd);
+
+ u->ipv4_allow_map_fd = safe_close(u->ipv4_allow_map_fd);
+ u->ipv6_allow_map_fd = safe_close(u->ipv6_allow_map_fd);
+ u->ipv4_deny_map_fd = safe_close(u->ipv4_deny_map_fd);
+ u->ipv6_deny_map_fd = safe_close(u->ipv6_deny_map_fd);
+
+ u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress);
+ u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
+ u->ip_bpf_egress = bpf_program_unref(u->ip_bpf_egress);
+ u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed);
+
+ u->ip_bpf_custom_ingress = set_free(u->ip_bpf_custom_ingress);
+ u->ip_bpf_custom_egress = set_free(u->ip_bpf_custom_egress);
+ u->ip_bpf_custom_ingress_installed = set_free(u->ip_bpf_custom_ingress_installed);
+ u->ip_bpf_custom_egress_installed = set_free(u->ip_bpf_custom_egress_installed);
+}
diff --git a/src/core/bpf-firewall.h b/src/core/bpf-firewall.h
index 08d77421939..58b401f834b 100644
--- a/src/core/bpf-firewall.h
+++ b/src/core/bpf-firewall.h
@@ -21,3 +21,5 @@ int bpf_firewall_read_accounting(int map_fd, uint64_t *ret_bytes, uint64_t *ret_
 int bpf_firewall_reset_accounting(int map_fd);
 void emit_bpf_firewall_warning(Unit *u);
+
+void bpf_firewall_close(Unit *u);
diff --git a/src/core/unit.c b/src/core/unit.c
index c6b17afa518..9609c87f851 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -114,6 +114,9 @@ Unit* unit_new(Manager *m, size_t size) {
 u->ip_accounting_ingress_map_fd = -1;
 u->ip_accounting_egress_map_fd = -1;
+ for (CGroupIOAccountingMetric i = 0; i < _CGROUP_IO_ACCOUNTING_METRIC_MAX; i++)
+ u->io_accounting_last[i] = UINT64_MAX;
+
 u->ipv4_allow_map_fd = -1;
 u->ipv6_allow_map_fd = -1;
 u->ipv4_deny_map_fd = -1;
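Review bot: bpf_firewall_close() and its new declaration in bpf-firewall.h carry no comment stating the contract, although a helper with this name invites reuse as a "reset" from places other than unit_free(). The body closes the six map fds, drops the four program references and frees the four custom-program sets, writing each result back so the fields end up -1/NULL (assuming safe_close() returns -1 and the unref/free helpers return NULL, which the assign-back idiom implies), so a second call is harmless; whether dropping the last reference also detaches a still-installed program from the cgroup is decided by bpf_program_unref(), outside the hunk, and the comment should say which it is. It also leaves `ip_accounting_extra` alone, the field the unit.h hunk moves into this same section, so accumulated counters survive a call. I would put above the declaration in the header, and repeat above the definition here: `/* Closes all map fds and drops all program references and custom-program sets the IP firewall holds on u, resetting the fields to -1/NULL. Idempotent. Does not touch ip_accounting_extra. */`.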
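Review bot: The relocated `io_accounting_last` initialization loop in unit_new() now sits in the middle of the IP firewall fd initialization, between the two `ip_accounting_*_map_fd = -1` lines and the `ipv4_allow_map_fd = -1` group, although the description's stated aim is to follow the declaration order of struct Unit. `io_accounting_last` is cgroup IO accounting state rather than an IP firewall object; its declaration is not part of this diff, so I cannot confirm where it sits, but unless it is declared between those two fd groups the loop reads better placed before or after the whole IP block rather than splitting it. Style only, no functional effect. unit_new() continues outside the hunk.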
@@ -124,9 +127,6 @@ Unit* unit_new(Manager *m, size_t size) {
 u->start_ratelimit = (RateLimit) { m->default_start_limit_interval, m->default_start_limit_burst };
 u->auto_start_stop_ratelimit = (RateLimit) { 10 * USEC_PER_SEC, 16 };
- for (CGroupIOAccountingMetric i = 0; i < _CGROUP_IO_ACCOUNTING_METRIC_MAX; i++)
- u->io_accounting_last[i] = UINT64_MAX;
-
 return u;
 }
@@ -757,23 +757,7 @@ Unit* unit_free(Unit *u) {
 if (u->in_stop_when_bound_queue)
 LIST_REMOVE(stop_when_bound_queue, u->manager->stop_when_bound_queue, u);
- safe_close(u->ip_accounting_ingress_map_fd);
- safe_close(u->ip_accounting_egress_map_fd);
-
- safe_close(u->ipv4_allow_map_fd);
- safe_close(u->ipv6_allow_map_fd);
- safe_close(u->ipv4_deny_map_fd);
- safe_close(u->ipv6_deny_map_fd);
-
- bpf_program_unref(u->ip_bpf_ingress);
- bpf_program_unref(u->ip_bpf_ingress_installed);
- bpf_program_unref(u->ip_bpf_egress);
- bpf_program_unref(u->ip_bpf_egress_installed);
-
- set_free(u->ip_bpf_custom_ingress);
- set_free(u->ip_bpf_custom_egress);
- set_free(u->ip_bpf_custom_ingress_installed);
- set_free(u->ip_bpf_custom_egress_installed);
+ bpf_firewall_close(u);
 hashmap_free(u->bpf_foreign_by_key);
diff --git a/src/core/unit.h b/src/core/unit.h
index 8818392731a..52feb3693b0 100644
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -308,14 +308,15 @@ typedef struct Unit {
 /* IP BPF Firewalling/accounting */
 int ip_accounting_ingress_map_fd;
 int ip_accounting_egress_map_fd;
+ uint64_t ip_accounting_extra[_CGROUP_IP_ACCOUNTING_METRIC_MAX];
 int ipv4_allow_map_fd;
 int ipv6_allow_map_fd;
 int ipv4_deny_map_fd;
 int ipv6_deny_map_fd;
-
 BPFProgram *ip_bpf_ingress, *ip_bpf_ingress_installed;
 BPFProgram *ip_bpf_egress, *ip_bpf_egress_installed;
+
 Set *ip_bpf_custom_ingress;
 Set *ip_bpf_custom_ingress_installed;
 Set *ip_bpf_custom_egress;
@@ -334,8 +335,6 @@ typedef struct Unit {
 struct bpf_link *ipv6_socket_bind_link;
 #endif
- uint64_t ip_accounting_extra[_CGROUP_IP_ACCOUNTING_METRIC_MAX];
-
 /* Low-priority event source which is used to remove watched PIDs that have gone away, and subscribe to any new
 * ones which might have appeared. */
 sd_event_source *rewatch_pids_event_source;