Diffstat (limited to 'src/core/unit.c')
-rw-r--r--src/core/unit.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/core/unit.c b/src/core/unit.c
index 4d777b447d..463db73ff1 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -12,6 +12,7 @@
#include "all-units.h"
#include "alloc-util.h"
+#include "bpf-firewall.h"
#include "bus-common-errors.h"
#include "bus-util.h"
#include "cgroup-util.h"
@@ -682,6 +683,11 @@ void unit_free(Unit *u) {
bpf_program_unref(u->ip_bpf_egress);
bpf_program_unref(u->ip_bpf_egress_installed);
+ set_free(u->ip_bpf_custom_ingress);
+ set_free(u->ip_bpf_custom_egress);
+ set_free(u->ip_bpf_custom_ingress_installed);
+ set_free(u->ip_bpf_custom_egress_installed);
+
bpf_program_unref(u->bpf_device_control_installed);
condition_free_list(u->conditions);
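Review bot: The four `set_free()` calls added to unit_free release the set containers, but nothing in this hunk shows what releases the BPF programs stored inside them, while the neighbouring single-program fields are dropped with `bpf_program_unref()`. If these sets are not allocated with hash ops that carry a destructor for their entries, each program reference (and presumably its file descriptor) would outlive the unit. A one-line comment above the calls would settle it for the next reader, e.g. `/* entries are unref'ed by the destructor in the sets' hash_ops */`, provided the allocation site does work that way. unit_free's body starts and ends outside the hunk.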
@@ -5500,6 +5506,12 @@ int unit_prepare_exec(Unit *u) {
assert(u);
+ /* Load any custom firewall BPF programs here once to test if they are existing and actually loadable.
+ * Fail here early since later errors in the call chain unit_realize_cgroup to cgroup_context_apply are ignored. */
+ r = bpf_firewall_load_custom(u);
+ if (r < 0)
+ return r;
+
/* Prepares everything so that we can fork of a process for this unit */
(void) unit_realize_cgroup(u);
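Review bot: The early `bpf_firewall_load_custom(u)` check in unit_prepare_exec only proves that the custom programs can be loaded; the result of `(void) unit_realize_cgroup(u);` just below is still discarded. A failure while attaching the programs to the cgroup would therefore presumably still let the unit start without its custom filter, which is the fail-open case the new comment sets out to close. The comment should state that limit, e.g. `/* Note: this only verifies loadability; attach errors in unit_realize_cgroup() are still ignored. */`. The hunk also does not show whether the programs loaded here are the ones installed later or whether they are loaded again from their paths; if they are reloaded, the object could change between the check and the install. The declaration of `r` and the rest of the function are outside the hunk.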