From: Lennart Poettering
Date: Mon, 26 Jun 2023 11:16:11 +0000 (+0200)
Subject: man: rework BPFForeign= documentation a bit
X-Git-Tag: v254-rc1~113^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a27e6fb71bf70f27347b0e1167b2de32c4dc6637;p=thirdparty%2Fsystemd.git

man: rework BPFForeign= documentation a bit

Various assorted changes, among them make clear that a missing BPF program is not a reason to abort unit activation.
---
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 1cd0beea046..57ebb8e1ea1 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -1003,24 +1003,22 @@ RestrictNetworkInterfaces=~eth1 - BPFProgram=type:program-path + BPFProgram=type:program-path - Add a custom cgroup BPF program. - - BPFProgram= allows attaching BPF hooks to the cgroup of a systemd unit. - (This generalizes the functionality exposed via IPEgressFilterPath= for egress and - IPIngressFilterPath= for ingress.) - Cgroup-bpf hooks in the form of BPF programs loaded to the BPF filesystem are attached with cgroup-bpf attach - flags determined by the unit. For details about attachment types and flags see . - For general BPF documentation please refer to . - - The specification of BPF program consists of a type followed by a - program-path with : as the separator: - type:program-path. - - type is the string name of BPF attach type also used in - bpftool. type can be one of egress, + BPFProgram= allows attaching custom BPF programs to the cgroup of a + unit. (This generalizes the functionality exposed via IPEgressFilterPath= and + and IPIngressFilterPath= for other hooks.) Cgroup-bpf hooks in the form of BPF + programs loaded to the BPF filesystem are attached with cgroup-bpf attach flags determined by the + unit. For details about attachment types and flags see bpf.h. Also + refer to the general BPF documentation. + + The specification of BPF program consists of a pair of BPF program type and program path in + the file system, with : as the separator: + type:program-path. + + The BPF program type is equivalent to the BPF attach type used in + bpftool. It may be one of egress, ingress, sock_create, sock_ops, device, bind4, bind6, connect4, connect6, post_bind4, 
@@ -1028,21 +1026,28 @@ RestrictNetworkInterfaces=~eth1 sysctl, recvmsg4, recvmsg6, getsockopt, setsockopt. - Setting BPFProgram= to an empty value makes previous assignments ineffective. - Multiple assignments of the same type:program-path - value have the same effect as a single assignment: the program with the path program-path - will be attached to cgroup hook type just once. + The specified program path must be an absolute path referencing a BPF program inode in the + bpffs file system (which generally means it must begin with /sys/fs/bpf/). If + a specified program does not exist (i.e. has not been uploaded to the BPF subsystem of the kernel + yet), it will not be installed but unit activation will continue (a warning will be printed to the + logs). + + Setting BPFProgram= to an empty value makes previous assignments + ineffective. + + Multiple assignments of the same program type/path pair have the same effect as a single + assignment: the program will be attached just once. + If BPF egress pinned to program-path path is already being handled by IPEgressFilterPath=, BPFProgram= assignment will be considered valid and BPFProgram= will be attached to a cgroup. Similarly for ingress hook and IPIngressFilterPath= assignment. - BPF programs passed with BPFProgram= are attached to the cgroup of a unit with BPF - attach flag multi, that allows further attachments of the same + BPF programs passed with BPFProgram= are attached to the cgroup of a unit + with BPF attach flag multi, that allows further attachments of the same type within cgroup hierarchy topped by the unit cgroup. - Examples: -BPFProgram=egress:/sys/fs/bpf/egress-hook + Examples:BPFProgram=egress:/sys/fs/bpf/egress-hook BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook
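Review bot: the rewritten opening paragraph of the first hunk (@@ -1003) contains a duplicated word: one added line ends with "exposed via IPEgressFilterPath= and" and the next begins "and IPIngressFilterPath= for other hooks", so the rendered text reads "and and"; drop one of them. The sentence "The specification of BPF program consists of a pair of BPF program type and program path" still lacks an article ("of a BPF program"), which this rewrite is a good place to fix. Separately, the subject line says BPFForeign= while the option documented throughout the hunk is BPFProgram=; the commit subject should name the option the text actually covers.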
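Review bot: the new paragraph in the second hunk (@@ -1028) describes fail-open behaviour without saying so from the reader's side: "it will not be installed but unit activation will continue (a warning will be printed to the logs)" means a unit that relies on BPFProgram= as a restriction starts without that filter whenever the pinned object is absent from bpffs, for instance because whatever pins it has not run yet. Suggest adding a sentence recommending that such units be ordered after the unit that pins the program, and that the warning be watched for in the journal. The added sentence "Multiple assignments of the same program type/path pair have the same effect" also changes terminology relative to the unchanged sentence that follows ("If BPF egress pinned to program-path path is already being handled by IPEgressFilterPath="), which still speaks of program-path; aligning that sentence keeps the paragraph consistent. Finally, the joined line "Examples:BPFProgram=egress:/sys/fs/bpf/egress-hook" drops the line break that separated the label from the first example in the old text; check that the rendered man page still separates them.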