bpf: beef up bpf detection, check if BPF_F_ALLOW_MULTI is supported

This improves the BPF/cgroup detection logic, and looks whether BPF_ALLOW_MULTI is supported. This flag allows execution of multiple BPF filters in a recursive fashion for a whole cgroup tree. It enables us to properly report IP accounting for slice units, as well as delegation of BPF support to units without breaking our own IP accounting.
author: Lennart Poettering <lennart@poettering.net> 2018-02-16 11:55:33 +0100
committer: Lennart Poettering <lennart@poettering.net> 2018-02-21 16:43:36 +0100
commit: 2ae7ee58fa03340f767821298475d8845bda0b2c (patch)
tree: 20ffe6635615b6e2ee6c339cf85bfd3b0ef1f2c6 /src/core/bpf-firewall.h
parent: bpf: add new bpf.h header copy from 4.15 kernel (diff)
download: systemd-2ae7ee58fa03340f767821298475d8845bda0b2c.tar.xz
systemd-2ae7ee58fa03340f767821298475d8845bda0b2c.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/bpf-firewall.h b/src/core/bpf-firewall.h
index 37a1f2e003..a0658e3b86 100644
--- a/src/core/bpf-firewall.h
+++ b/src/core/bpf-firewall.h
@@ -24,6 +24,12 @@
 
 #include "unit.h"
 
+enum {
+        BPF_FIREWALL_UNSUPPORTED          = 0,
+        BPF_FIREWALL_SUPPORTED            = 1,
+        BPF_FIREWALL_SUPPORTED_WITH_MULTI = 2,
+};
+
 int bpf_firewall_supported(void);
 
 int bpf_firewall_compile(Unit *u);
author	Lennart Poettering <lennart@poettering.net>	2018-02-16 11:55:33 +0100
committer	Lennart Poettering <lennart@poettering.net>	2018-02-21 16:43:36 +0100
commit	2ae7ee58fa03340f767821298475d8845bda0b2c (patch)
tree	20ffe6635615b6e2ee6c339cf85bfd3b0ef1f2c6 /src/core/bpf-firewall.h
parent	bpf: add new bpf.h header copy from 4.15 kernel (diff)
download	systemd-2ae7ee58fa03340f767821298475d8845bda0b2c.tar.xz systemd-2ae7ee58fa03340f767821298475d8845bda0b2c.zip