Diffstat (limited to 'src/core/unit.c')
-rw-r--r-- | src/core/unit.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/core/unit.c b/src/core/unit.c index 4d777b447d..463db73ff1 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -12,6 +12,7 @@ #include "all-units.h" #include "alloc-util.h" +#include "bpf-firewall.h" #include "bus-common-errors.h" #include "bus-util.h" #include "cgroup-util.h" @@ -682,6 +683,11 @@ void unit_free(Unit *u) { bpf_program_unref(u->ip_bpf_egress); bpf_program_unref(u->ip_bpf_egress_installed); + set_free(u->ip_bpf_custom_ingress); + set_free(u->ip_bpf_custom_egress); + set_free(u->ip_bpf_custom_ingress_installed); + set_free(u->ip_bpf_custom_egress_installed); + bpf_program_unref(u->bpf_device_control_installed); condition_free_list(u->conditions); @@ -5500,6 +5506,12 @@ int unit_prepare_exec(Unit *u) { assert(u); + /* Load any custom firewall BPF programs here once to test if they are existing and actually loadable. + * Fail here early since later errors in the call chain unit_realize_cgroup to cgroup_context_apply are ignored. */ + r = bpf_firewall_load_custom(u); + if (r < 0) + return r; + /* Prepares everything so that we can fork of a process for this unit */ (void) unit_realize_cgroup(u); |
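Review bot: The four `set_free()` calls added to unit_free() release the set containers, but nothing visible in this hunk drops the references on the BPF programs stored in them, unlike the neighbouring `bpf_program_unref()` lines. This is fine if the sets are allocated with hash ops that carry an element destructor, but that allocation is not part of this file's diff, so it should be confirmed and stated in a comment such as `/* The sets own their programs; elements are unreffed by the sets' hash ops destructor. */`. If there is no such destructor, each freed unit would presumably leak its loaded custom programs. unit_free() begins and ends outside the hunk.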
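Review bot: The new check in unit_prepare_exec() only proves that the custom programs load; attaching them still happens under `(void) unit_realize_cgroup(u);`, whose result is discarded, so by the new comment's own account an attach failure would let the unit start without its filters. If that fail-open case is intended, the comment should say so, e.g. `* Note: this verifies loadability only; attach errors during cgroup realization are still ignored.`; otherwise the attach result needs to be surfaced as well. The early `return r;` also emits no log line at this site, so unless bpf_firewall_load_custom() logs on its own (not visible here) an operator sees a failed start with no hint of which filter path was rejected. The function's opening lines, including the declaration of `r`, are outside the hunk.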