bpf: reset "extra" IP accounting counters when turning off IP accounting for a unit 8205/head
authorLennart Poettering <lennart@poettering.net>
Wed, 21 Feb 2018 14:22:31 +0000 (15:22 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 21 Feb 2018 15:43:36 +0000 (16:43 +0100)
We maintain an "extra" set of IP accounting counters that are used when
systemd is reloaded to carry over the counters from the previous run.
Let's reset these to zero whenever IP accounting is turned off. If we
don't do this then turning off IP accounting and back on later wouldn't
reset the counters, which is quite surprising and different from how our
CPU time counting works.

src/core/bpf-firewall.c

index 67cbbca734a91cfa964a8a197bb6223f0e15a924..48666f64a282de4d416a6b5ddfb165837c5dad80 100644 (file)
@@ -453,9 +453,10 @@ static int bpf_firewall_prepare_access_maps(
         return 0;
 }
 
-static int bpf_firewall_prepare_accounting_maps(bool enabled, int *fd_ingress, int *fd_egress) {
+static int bpf_firewall_prepare_accounting_maps(Unit *u, bool enabled, int *fd_ingress, int *fd_egress) {
         int r;
 
+        assert(u);
         assert(fd_ingress);
         assert(fd_egress);
 
@@ -476,9 +477,12 @@ static int bpf_firewall_prepare_accounting_maps(bool enabled, int *fd_ingress, i
 
                         *fd_egress = r;
                 }
+
         } else {
                 *fd_ingress = safe_close(*fd_ingress);
                 *fd_egress = safe_close(*fd_egress);
+
+                zero(u->ip_accounting_extra);
         }
 
         return 0;
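Review bot: The `zero(u->ip_accounting_extra)` added in the `else` branch runs on every call with accounting disabled, not only on an on-to-off transition, and nothing in the name `bpf_firewall_prepare_accounting_maps` hints that it now touches the unit's counters. A comment at the call would make that intent explicit, e.g. `/* Accounting is off: also forget the counters carried over across reloads, so that re-enabling starts from zero */`. `zero()` presumably clears `sizeof` of its argument, so this is only correct while `ip_accounting_extra` is an array or struct member rather than a pointer; its declaration is outside the hunk and worth confirming. The blank line added before `} else {` looks stray, and the function begins outside this hunk.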
@@ -490,6 +494,10 @@ int bpf_firewall_compile(Unit *u) {
 
         assert(u);
 
+        cc = unit_get_cgroup_context(u);
+        if (!cc)
+                return -EINVAL;
+
         supported = bpf_firewall_supported();
         if (supported < 0)
                 return supported;
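Review bot: The early `cc = unit_get_cgroup_context(u)` lookup added at the top of `bpf_firewall_compile` is not explained by the commit message and may duplicate an existing one. The call in the last hunk already read `cc->ip_accounting` before this commit, so `cc` must already be assigned somewhere in the part of the function outside these hunks. If that later assignment is still present, one of the two should go. If the aim is to fail before any unit state is modified, a comment would say so, e.g. `/* Resolve the cgroup context first, so that we fail before changing anything on the unit */`.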
@@ -536,7 +544,7 @@ int bpf_firewall_compile(Unit *u) {
                         return log_error_errno(r, "Preparation of eBPF deny maps failed: %m");
         }
 
-        r = bpf_firewall_prepare_accounting_maps(cc->ip_accounting, &u->ip_accounting_ingress_map_fd, &u->ip_accounting_egress_map_fd);
+        r = bpf_firewall_prepare_accounting_maps(u, cc->ip_accounting, &u->ip_accounting_ingress_map_fd, &u->ip_accounting_egress_map_fd);
         if (r < 0)
                 return log_error_errno(r, "Preparation of eBPF accounting maps failed: %m");