From: Lennart Poettering
Date: Wed, 6 Sep 2017 15:56:15 +0000 (+0200)
Subject: core: warn loudly if IP firewalling is configured but not in effect
X-Git-Tag: v235~60^2~20
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=078ba556da253e994724aa5565d570b5d22e0c17;p=thirdparty%2Fsystemd.git
core: warn loudly if IP firewalling is configured but not in effect
---
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index 42381eca364..f61ca08fcba 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -21,6 +21,7 @@
 #include "af-list.h"
 #include "alloc-util.h"
+#include "bpf-firewall.h"
 #include "bus-util.h"
 #include "cgroup-util.h"
 #include "cgroup.h"
@@ -1321,6 +1322,15 @@ int bus_cgroup_set_property(
 if (r < 0)
 return r;
 unit_write_drop_in_private(u, mode, name, buf);
+
+ if (*list) {
+ r = bpf_firewall_supported();
+ if (r < 0)
+ return r;
+ if (r == 0)
+ log_warning("Transient unit %s configures an IP firewall, but the local system does not support BPF/cgroup firewalling.\n"
+ "Proceeding WITHOUT firewalling in effect!", u->id);
+ }
 }
 return 1;
diff --git a/src/core/ip-address-access.c b/src/core/ip-address-access.c
index 18d28708bed..cfb7d51c4f6 100644
--- a/src/core/ip-address-access.c
+++ b/src/core/ip-address-access.c
@@ -21,6 +21,7 @@
 #include
 #include "alloc-util.h"
+#include "bpf-firewall.h"
 #include "extract-word.h"
 #include "hostname-util.h"
 #include "ip-address-access.h"
@@ -150,6 +151,15 @@ int config_parse_ip_address_access(
 *list = ip_address_access_reduce(*list);
+ if (*list) {
+ r = bpf_firewall_supported();
+ if (r < 0)
+ return r;
+ if (r == 0)
+ log_warning("File %s:%u configures an IP firewall (%s=%s), but the local system does not support BPF/cgroup based firewalling.\n"
+ "Proceeding WITHOUT firewalling in effect!", filename, line, lvalue, rvalue);
+ }
+
 return 0;
 }
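Review bot: In bus_cgroup_set_property() the new `if (r < 0) return r;` after `bpf_firewall_supported()` runs after `unit_write_drop_in_private()` has already written the setting, so a failed capability probe reports an error to the caller for a change that has in fact been applied. Since the intent is only to warn, I would log the probe failure and carry on, e.g. `if (r < 0) log_warning_errno(r, "Failed to determine whether BPF firewalling is supported, ignoring: %m");`, or run the probe before the write. The same early return appears in config_parse_ip_address_access(), where it presumably turns a probe error into a failure to parse the file. The `r == 0` path still returns success, so the client that requested the filter sees no difference while the unit runs unfiltered; a short comment stating that this fail-open behaviour is deliberate would help the next reader. The enclosing block begins outside the hunk.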
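Review bot: The warning in config_parse_ip_address_access() is emitted once per parsed assignment, and because `*list` accumulates it fires again for every later line that touches the same list, and presumably on every reload. On hosts without BPF support that repetition is likely to bury the "WITHOUT firewalling" message. A `static bool warned` guard, or a single warning at the point where the filter would be attached to the unit, would keep it loud without the noise. The message also uses plain `log_warning()` with a hand-built `File %s:%u` prefix and an embedded `\n`; if the parser's unit argument is in scope here, `log_syntax(unit, LOG_WARNING, filename, line, 0, ...)` would record the unit and location as structured fields instead. The start of the function is outside the hunk.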