From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 21 Feb 2018 14:22:31 +0000 (+0100)
Subject: bpf: reset "extra" IP accounting counters when turning off IP accounting for a unit
X-Git-Tag: v238~68^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5128346127a5e8c228ac5b3e201f869715a1929f;p=thirdparty%2Fsystemd.git

bpf: reset "extra" IP accounting counters when turning off IP accounting for a unit

We maintain an "extra" set of IP accounting counters that are used when
we systemd is reloaded to carry over the counters from the previous run.
Let's reset these to zero whenever IP accounting is turned off. If we
don't do this then turning off IP accounting and back on later wouldn't
reset the counters, which is quite surprising and different from how our
CPU time counting works.
---

diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 67cbbca734a..48666f64a28 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -453,9 +453,10 @@ static int bpf_firewall_prepare_access_maps(
         return 0;
 }
 
-static int bpf_firewall_prepare_accounting_maps(bool enabled, int *fd_ingress, int *fd_egress) {
+static int bpf_firewall_prepare_accounting_maps(Unit *u, bool enabled, int *fd_ingress, int *fd_egress) {
         int r;
 
+        assert(u);
         assert(fd_ingress);
         assert(fd_egress);
 
@@ -476,9 +477,12 @@ static int bpf_firewall_prepare_accounting_maps(bool enabled, int *fd_ingress, i
 
                         *fd_egress = r;
                 }
+
         } else {
                 *fd_ingress = safe_close(*fd_ingress);
                 *fd_egress = safe_close(*fd_egress);
+
+                zero(u->ip_accounting_extra);
         }
 
         return 0;
@@ -490,6 +494,10 @@ int bpf_firewall_compile(Unit *u) {
 
         assert(u);
 
+        cc = unit_get_cgroup_context(u);
+        if (!cc)
+                return -EINVAL;
+
         supported = bpf_firewall_supported();
         if (supported < 0)
                 return supported;
@@ -536,7 +544,7 @@ int bpf_firewall_compile(Unit *u) {
                         return log_error_errno(r, "Preparation of eBPF deny maps failed: %m");
         }
 
-        r = bpf_firewall_prepare_accounting_maps(cc->ip_accounting, &u->ip_accounting_ingress_map_fd, &u->ip_accounting_egress_map_fd);
+        r = bpf_firewall_prepare_accounting_maps(u, cc->ip_accounting, &u->ip_accounting_ingress_map_fd, &u->ip_accounting_egress_map_fd);
         if (r < 0)
                 return log_error_errno(r, "Preparation of eBPF accounting maps failed: %m");