diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 4b9ddd176cf..1aab238866c 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1195,6 +1195,34 @@ static void cgroup_context_apply(
 cgroup_apply_firewall(u);
 }
+static bool unit_get_needs_bpf_firewall(Unit *u) {
+ CGroupContext *c;
+ Unit *p;
+ assert(u);
+
+ c = unit_get_cgroup_context(u);
+ if (!c)
+ return false;
+
+ if (c->ip_accounting ||
+ c->ip_address_allow ||
+ c->ip_address_deny)
+ return true;
+
+ /* If any parent slice has an IP access list defined, it applies too */
+ for (p = UNIT_DEREF(u->slice); p; p = UNIT_DEREF(p->slice)) {
+ c = unit_get_cgroup_context(p);
+ if (!c)
+ return false;
+
+ if (c->ip_address_allow ||
+ c->ip_address_deny)
+ return true;
+ }
+
+ return false;
+}
+
 static CGroupMask cgroup_context_get_mask(CGroupContext *c) {
 CGroupMask mask = 0;
@@ -1356,34 +1384,6 @@ CGroupMask unit_get_enable_mask(Unit *u) {
 return mask;
 }
-bool unit_get_needs_bpf_firewall(Unit *u) {
- CGroupContext *c;
- Unit *p;
- assert(u);
-
- c = unit_get_cgroup_context(u);
- if (!c)
- return false;
-
- if (c->ip_accounting ||
- c->ip_address_allow ||
- c->ip_address_deny)
- return true;
-
- /* If any parent slice has an IP access list defined, it applies too */
- for (p = UNIT_DEREF(u->slice); p; p = UNIT_DEREF(p->slice)) {
- c = unit_get_cgroup_context(p);
- if (!c)
- return false;
-
- if (c->ip_address_allow ||
- c->ip_address_deny)
- return true;
- }
-
- return false;
-}
-
 /* Recurse from a unit up through its containing slices, propagating
 * mask bits upward. A unit is also member of itself. */
 void unit_update_cgroup_members_masks(Unit *u) {
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
index 5068e6971f0..2c7287841a1 100644
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
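Review bot: In the parent-slice loop of `unit_get_needs_bpf_firewall()` (first hunk of src/core/cgroup.c), `if (!c) return false;` ends the whole ancestor walk as soon as one slice has no cgroup context, so an `ip_address_allow`/`ip_address_deny` list on a slice further up would be skipped and the function would report that no BPF firewall is needed. For a predicate that decides whether IP access lists get enforced, that is the fail-open direction. If slices are guaranteed to carry a cgroup context (plausible, but not visible in this diff), state that in a comment next to the check; otherwise skip the ancestor instead of stopping, `if (!c) continue;`. The same logic is in the non-static copy removed by the second hunk, so the behaviour predates this move.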
@@ -155,8 +155,6 @@ CGroupMask unit_get_subtree_mask(Unit *u);
 CGroupMask unit_get_target_mask(Unit *u);
 CGroupMask unit_get_enable_mask(Unit *u);
-bool unit_get_needs_bpf_firewall(Unit *u);
-
 void unit_update_cgroup_members_masks(Unit *u);
 const char *unit_get_realized_cgroup_path(Unit *u, CGroupMask mask);