core: implement RestrictNetworkInterfaces=

This commit introduces all the logic to load and attach the BPF programs to restrict network interfaces when a unit specifying it is loaded. Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
author: Mauricio Vásquez <mauricio@kinvolk.io> 2021-01-21 17:08:19 +0100
committer: Mauricio Vásquez <mauricio@kinvolk.io> 2021-08-18 22:55:53 +0200
commit: 6f50d4f7d6406648232c8cc121ec3f9ea969de1c (patch)
tree: 442ec2af63ca882a8dcdf40d8bb968bc25c62ed0 /src/core/unit.h
parent: core: add RestrictNetworkInterfaces= BPF program source code (diff)
download: systemd-6f50d4f7d6406648232c8cc121ec3f9ea969de1c.tar.xz
systemd-6f50d4f7d6406648232c8cc121ec3f9ea969de1c.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/unit.h b/src/core/unit.h
index 48074d8ca5..b3e9c2106f 100644
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -335,6 +335,12 @@ typedef struct Unit {
         struct bpf_link *ipv6_socket_bind_link;
 #endif
 
+        FDSet *initial_restric_ifaces_link_fds;
+#if BPF_FRAMEWORK
+        struct bpf_link *restrict_ifaces_ingress_bpf_link;
+        struct bpf_link *restrict_ifaces_egress_bpf_link;
+#endif
+
         /* Low-priority event source which is used to remove watched PIDs that have gone away, and subscribe to any new
          * ones which might have appeared. */
         sd_event_source *rewatch_pids_event_source;
author	Mauricio Vásquez <mauricio@kinvolk.io>	2021-01-21 17:08:19 +0100
committer	Mauricio Vásquez <mauricio@kinvolk.io>	2021-08-18 22:55:53 +0200
commit	6f50d4f7d6406648232c8cc121ec3f9ea969de1c (patch)
tree	442ec2af63ca882a8dcdf40d8bb968bc25c62ed0 /src/core/unit.h
parent	core: add RestrictNetworkInterfaces= BPF program source code (diff)
download	systemd-6f50d4f7d6406648232c8cc121ec3f9ea969de1c.tar.xz systemd-6f50d4f7d6406648232c8cc121ec3f9ea969de1c.zip