author | Julia Kartseva <hex@fb.com> | 2022-01-22 03:50:26 +0100 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-01-22 08:48:42 +0100 |
commit | 8fe9dbb9266988235a0590f76a4e77428540f900 (patch) | |
tree | f276616e4d75f7144ba78f4c0a55ecebc4026ba1 /src/core/bpf-firewall.c | |
parent | Fix journald audit logging with fields > N_IOVEC_AUDIT_FIELDS. (diff) | |
bpf: name unnamed bpf programs
bpf-firewall and bpf-devices do not have names. This complicates
debugging with bpftool(8).
Assign names starting with 'sd_' prefix:
* firewall program names are 'sd_fw_ingress' for ingress attach
point and 'sd_fw_egress' for egress.
* 'sd_devices' for devices prog
'sd_' prefix is already used in source-compiled programs, e.g.
sd_restrictif_i, sd_restrictif_e, sd_bind6.
The name must not be longer than 15 characters or BPF_OBJ_NAME_LEN - 1.
Assign names only to programs loaded to kernel by systemd since
programs pinned to bpffs are already loaded.
Diffstat (limited to 'src/core/bpf-firewall.c')
-rw-r--r-- | src/core/bpf-firewall.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 3c1c02e444..8158fafc8e 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -193,6 +193,7 @@ static int bpf_firewall_compile_bpf(
 };
 _cleanup_(bpf_program_freep) BPFProgram *p = NULL;
+ const char *prog_name = is_ingress ? "sd_fw_ingress" : "sd_fw_egress";
 int accounting_map_fd, r;
 bool access_enabled;
@@ -216,7 +217,7 @@ static int bpf_firewall_compile_bpf(
 return 0;
 }
- r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &p);
+ r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, prog_name, &p);
 if (r < 0) return r;
@@ -604,7 +605,7 @@ static int load_bpf_progs_from_fs_to_set(Unit *u, char **filter_paths, Set **set
 _cleanup_(bpf_program_freep) BPFProgram *prog = NULL;
 int r;
- r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &prog);
+ r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &prog);
 if (r < 0) return log_unit_error_errno(u, r, "Can't allocate CGROUP SKB BPF program: %m");
@@ -825,7 +826,7 @@ int bpf_firewall_supported(void) {
 return supported = BPF_FIREWALL_UNSUPPORTED;
 }
- r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, &program);
+ r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &program);
 if (r < 0) {
 bpf_firewall_unsupported_reason = log_debug_errno(r, "Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m"); |
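Review bot: The 15-character limit on program names is stated only in the commit message; at the `prog_name` declaration in bpf_firewall_compile_bpf nothing in the code ties the two literals to it. Both "sd_fw_ingress" (13 characters) and "sd_fw_egress" (12) fit today, but a later rename could exceed the limit unnoticed unless bpf_program_new validates the length, which is not visible in this file's diff. I would add a comment above the declaration such as `/* names must fit in BPF_OBJ_NAME_LEN - 1 bytes */`, or a compile-time check like `assert_cc(sizeof("sd_fw_ingress") <= BPF_OBJ_NAME_LEN);`. The function body starts and ends outside the hunk, and the name is consumed in the following hunk.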
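Review bot: The probe in bpf_firewall_supported() passes `NULL`, so the support check never exercises loading a named program, while the real firewall program built in bpf_firewall_compile_bpf is now always named. If a kernel accepts CGROUP_SKB programs but rejects the name field, and the loader has no unnamed fallback (not visible in this diff), the probe would report support and the real filter would then fail to load. It is worth confirming that this path cannot leave a unit running without its IP filter. A comment on the call such as `/* probe program only, left unnamed on purpose */` would also record that NULL is intended here. The function continues outside the hunk.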