
Merge pull request #23774 from yuwata/netlabel-nftset-follow-ups

network, core: revert NFTSet and NetLabel features
Yu Watanabe 2022-06-23 01:33:19 +09:00 committed by GitHub
commit 46355675f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
42 changed files with 14 additions and 1837 deletions


@ -2599,8 +2599,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) ControlGroupNFTSet = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@ -2785,8 +2783,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) DynamicUserNFTSet = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@ -3174,8 +3170,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property RestrictNetworkInterfaces is not documented!-->
<!--property ControlGroupNFTSet is not documented!-->
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@ -3334,8 +3328,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property DynamicUser is not documented!-->
<!--property DynamicUserNFTSet is not documented!-->
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@ -3758,8 +3750,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
<variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@ -3944,8 +3934,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@ -4499,8 +4487,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) ControlGroupNFTSet = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@ -4685,8 +4671,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) DynamicUserNFTSet = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@ -5098,8 +5082,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property RestrictNetworkInterfaces is not documented!-->
<!--property ControlGroupNFTSet is not documented!-->
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@ -5258,8 +5240,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property DynamicUser is not documented!-->
<!--property DynamicUserNFTSet is not documented!-->
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@ -5676,8 +5656,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
<variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@ -5862,8 +5840,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@ -6306,8 +6282,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) ControlGroupNFTSet = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@ -6492,8 +6466,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) DynamicUserNFTSet = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@ -6833,8 +6805,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property RestrictNetworkInterfaces is not documented!-->
<!--property ControlGroupNFTSet is not documented!-->
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@ -6993,8 +6963,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property DynamicUser is not documented!-->
<!--property DynamicUserNFTSet is not documented!-->
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@ -7329,8 +7297,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
<variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@ -7515,8 +7481,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@ -8086,8 +8050,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) ControlGroupNFTSet = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@ -8272,8 +8234,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) DynamicUserNFTSet = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@ -8599,8 +8559,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property RestrictNetworkInterfaces is not documented!-->
<!--property ControlGroupNFTSet is not documented!-->
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@ -8759,8 +8717,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property DynamicUser is not documented!-->
<!--property DynamicUserNFTSet is not documented!-->
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@ -9081,8 +9037,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
<variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@ -9267,8 +9221,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@ -9696,8 +9648,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
readonly a(iiqq) SocketBindDeny = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) ControlGroupNFTSet = [...];
};
interface org.freedesktop.DBus.Peer { ... };
interface org.freedesktop.DBus.Introspectable { ... };
@ -9850,8 +9800,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<!--property RestrictNetworkInterfaces is not documented!-->
<!--property ControlGroupNFTSet is not documented!-->
<!--Autogenerated cross-references for systemd.directives, do not edit-->
<variablelist class="dbus-interface" generated="True" extra-ref="org.freedesktop.systemd1.Unit"/>
@ -10010,8 +9958,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
<variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
<!--End of Autogenerated section-->
<refsect2>
@ -10192,8 +10138,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(iss) ControlGroupNFTSet = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KillMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly i KillSignal = ...;
@ -10363,8 +10307,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<!--property RestrictNetworkInterfaces is not documented!-->
<!--property ControlGroupNFTSet is not documented!-->
<!--property KillMode is not documented!-->
<!--property KillSignal is not documented!-->
@ -10551,8 +10493,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
<variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
<variablelist class="dbus-property" generated="True" extra-ref="KillMode"/>
<variablelist class="dbus-property" generated="True" extra-ref="KillSignal"/>


@ -3163,40 +3163,6 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
</variablelist>
</refsect1>
<refsect1>
<title>Firewall Integration</title>
<variablelist class='unit-directives'>
<varlistentry>
<term><varname>DynamicUserNFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
<listitem><para>This setting provides a method for integrating <varname>DynamicUser=</varname>
configuration into firewall rules with NFT sets. This option expects a whitespace separated list of
NFT set definitions. Each definition consists of a colon-separated tuple of NFT address family (one
of <literal>arp</literal>, <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>,
<literal>ip6</literal>, or <literal>netdev</literal>), table name and set name. The names of tables
and sets must conform to lexical restrictions of NFT table names. When the unit starts, the user ID
will be appended to the NFT sets and it will be removed when the unit is stopped. Failures to manage
the sets will be ignored.</para>
<para>Example:
<programlisting>[Service]
DynamicUserNFTSet=inet:filter:u</programlisting>
Corresponding NFT rules:
<programlisting>table inet filter {
set u {
typeof meta skuid
}
chain service_output {
meta skuid != @u drop
accept
}
}</programlisting>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>System V Compatibility</title>
<variablelist class='unit-directives'>


@ -1109,71 +1109,6 @@ Table=1234</programlisting></para>
Defaults to <literal>no</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>NetLabel=</varname><replaceable>label</replaceable></term>
<listitem>
<para>This setting provides a method for integrating dynamic network configuration into Linux
NetLabel subsystem rules, used by Linux security modules (LSMs) for network access control. The
option expects a whitespace separated list of NetLabel labels. The labels must conform to lexical
restrictions of LSM labels. When an interface is configured with IP addresses, the addresses and
subnetwork masks will be appended to the NetLabel Fallback Peer Labeling rules. They will be
removed when the interface is deconfigured. Failures to manage the labels will be ignored.</para>
<para>Warning: Once labeling is enabled for network traffic, a lot of LSM access control points in
Linux networking stack go from dormant to active. It is easy for someone not familiar with the LSM
per-packet access controls to get into a situation where for example remote connectivity is
broken. Also note that additional configuration with <citerefentry
project='man-pages'><refentrytitle>netlabelctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
is needed.</para>
<para>Example:
<programlisting>[Address]
NetLabel=system_u:object_r:localnet_peer_t:s0</programlisting>
With the example rules applying for interface <literal>eth0</literal>, when the interface is
configured with an IPv4 address of 10.0.0.0/8, <command>systemd-networkd</command> performs the
equivalent of <command>netlabelctl</command> operation
<programlisting>netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0</programlisting>
and the reverse operation when the IPv4 address is deconfigured.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>IPv4NFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
<term><varname>IPv6NFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
<listitem>
<para>These settings provide a method for integrating dynamic network configuration into firewall
rules with NFT sets. These options expect a whitespace separated list of NFT set definitions. Each
definition consists of a colon-separated tuple of NFT address family (one of
<literal>arp</literal>, <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>,
<literal>ip6</literal>, or <literal>netdev</literal>), table name and set name. The names of tables
and sets must conform to lexical restrictions of NFT table names. When an interface is configured
with IP addresses, the addresses and subnetwork masks will be appended to the NFT sets. They will
be removed when the interface is deconfigured. Failures to manage the sets will be ignored.</para>
<para>Example:
<programlisting>[Address]
IPv4NFTSet=netdev:filter:eth_ipv4_address
IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
Corresponding NFT rules:
<programlisting>table netdev filter {
set eth_ipv4_address {
type ipv4_addr
flags interval
}
chain eth_ingress {
type filter hook ingress device "eth0" priority filter; policy drop;
ip daddr != @eth_ipv4_address drop
accept
}
}</programlisting>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
@ -2115,21 +2050,6 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
<ulink url="https://tools.ietf.org/html/rfc5227">RFC 5227</ulink>. Defaults to false.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>NetLabel=</varname></term>
<listitem>
<para>As in [Address] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>NFTSet=</varname></term>
<listitem>
<para>As in [Address] section. The type in NFT set definition must be
<literal>ipv4_addr</literal>.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
@ -2243,20 +2163,11 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
<term><varname>UseNTP=</varname></term>
<term><varname>UseHostname=</varname></term>
<term><varname>UseDomains=</varname></term>
<term><varname>NetLabel=</varname></term>
<listitem>
<para>As in the [DHCPv4] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>NFTSet=</varname></term>
<listitem>
<para>As in [DHCPv4] section. The type in NFT set definition must be
<literal>ipv6_addr</literal>.</para>
</listitem>
</varlistentry>
<!-- How to communicate with the server -->
<varlistentry>
@ -2353,21 +2264,6 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>NetLabel=</varname></term>
<listitem>
<para>As in [Address] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>NFTSet=</varname></term>
<listitem>
<para>As in [DHCPv6] section. The type in NFT set definition must be
<literal>ipv6_addr</literal>.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
@ -2625,20 +2521,6 @@ Token=prefixstable:2002:da8:1::</programlisting></para>
specified. Defaults to true.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>NetLabel=</varname></term>
<listitem>
<para>As in [Address] section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>NFTSet=</varname></term>
<listitem>
<para>As in [DHCPv6] section. The type in NFT set definition must be
<literal>ipv6_addr</literal>.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -1173,35 +1173,6 @@ DeviceAllow=/dev/loop-control
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>ControlGroupNFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
<listitem>
<para>This setting provides a method for integrating dynamic cgroup IDs into firewall rules with
NFT sets. This option expects a whitespace separated list of NFT set definitions. Each definition
consists of a colon-separated tuple of NFT address family (one of <literal>arp</literal>,
<literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>, <literal>ip6</literal>,
or <literal>netdev</literal>), table name and set name. The names of tables and sets must conform
to lexical restrictions of NFT table names. When a control group for a unit is realized, the cgroup
ID will be appended to the NFT sets and it will be be removed when the control group is
removed. Failures to manage the sets will be ignored.</para>
<para>Example:
<programlisting>[Unit]
ControlGroupNFTSet=inet:filter:my_service
</programlisting>
Corresponding NFT rules:
<programlisting>table inet filter {
set my_service {
type cgroupsv2
}
chain x {
socket cgroupv2 level 2 @my_service accept
drop
}
}</programlisting>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -585,45 +585,6 @@ struct in_addr* in4_addr_prefixlen_to_netmask(struct in_addr *addr, unsigned cha
return addr;
}
struct in6_addr* in6_addr_prefixlen_to_netmask(struct in6_addr *addr, unsigned char prefixlen) {
assert(addr);
assert(prefixlen <= 128);
for (unsigned int i = 0; i < 16; i++) {
uint8_t mask;
if (prefixlen >= 8) {
mask = 0xFF;
prefixlen -= 8;
} else if (prefixlen > 0) {
mask = 0xFF << (8 - prefixlen);
prefixlen = 0;
} else {
assert(prefixlen == 0);
mask = 0;
}
addr->s6_addr[i] = mask;
}
return addr;
}
int in_addr_prefixlen_to_netmask(int family, union in_addr_union *addr, unsigned char prefixlen) {
assert(addr);
switch (family) {
case AF_INET:
in4_addr_prefixlen_to_netmask(&addr->in, prefixlen);
return 0;
case AF_INET6:
in6_addr_prefixlen_to_netmask(&addr->in6, prefixlen);
return 0;
default:
return -EAFNOSUPPORT;
}
}
int in4_addr_default_prefixlen(const struct in_addr *addr, unsigned char *prefixlen) {
uint8_t msb_octet = *(uint8_t*) addr;


@ -137,8 +137,6 @@ int in_addr_from_string_auto(const char *s, int *ret_family, union in_addr_union
unsigned char in4_addr_netmask_to_prefixlen(const struct in_addr *addr);
struct in_addr* in4_addr_prefixlen_to_netmask(struct in_addr *addr, unsigned char prefixlen);
struct in6_addr* in6_addr_prefixlen_to_netmask(struct in6_addr *addr, unsigned char prefixlen);
int in_addr_prefixlen_to_netmask(int family, union in_addr_union *addr, unsigned char prefixlen);
int in4_addr_default_prefixlen(const struct in_addr *addr, unsigned char *prefixlen);
int in4_addr_default_subnet_mask(const struct in_addr *addr, struct in_addr *mask);
int in4_addr_mask(struct in_addr *addr, unsigned char prefixlen);


@ -49,35 +49,3 @@
#ifndef IEEE80211_MAX_SSID_LEN
#define IEEE80211_MAX_SSID_LEN 32
#endif
/* Not exposed but defined in include/net/netlabel.h */
#ifndef NETLBL_NLTYPE_UNLABELED_NAME
#define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL"
#endif
/* Not exposed but defined in net/netlabel/netlabel_unlabeled.h */
enum {
NLBL_UNLABEL_C_UNSPEC,
NLBL_UNLABEL_C_ACCEPT,
NLBL_UNLABEL_C_LIST,
NLBL_UNLABEL_C_STATICADD,
NLBL_UNLABEL_C_STATICREMOVE,
NLBL_UNLABEL_C_STATICLIST,
NLBL_UNLABEL_C_STATICADDDEF,
NLBL_UNLABEL_C_STATICREMOVEDEF,
NLBL_UNLABEL_C_STATICLISTDEF,
__NLBL_UNLABEL_C_MAX,
};
/* Not exposed but defined in net/netlabel/netlabel_unlabeled.h */
enum {
NLBL_UNLABEL_A_UNSPEC,
NLBL_UNLABEL_A_ACPTFLG,
NLBL_UNLABEL_A_IPV6ADDR,
NLBL_UNLABEL_A_IPV6MASK,
NLBL_UNLABEL_A_IPV4ADDR,
NLBL_UNLABEL_A_IPV4MASK,
NLBL_UNLABEL_A_IFACE,
NLBL_UNLABEL_A_SECCTX,
__NLBL_UNLABEL_A_MAX,
};


@ -750,38 +750,3 @@ int parse_loadavg_fixed_point(const char *s, loadavg_t *ret) {
return store_loadavg_fixed_point(i, f, ret);
}
static bool nft_first_char_bad(const char c) {
if ((c >= 'a' && c <= 'z') ||
(c >= 'A' && c <= 'Z'))
return false;
return true;
}
static bool nft_next_char_bad(const char c) {
if ((c >= 'a' && c <= 'z') ||
(c >= 'A' && c <= 'Z') ||
(c >= '0' && c <= '9') ||
c == '/' || c == '\\' || c == '_' || c == '.')
return false;
return true;
}
/* Limitations are described in https://www.netfilter.org/projects/nftables/manpage.html and
* https://bugzilla.netfilter.org/show_bug.cgi?id=1175 */
bool nft_identifier_bad(const char *id) {
assert(id);
size_t len;
len = strlen(id);
if (len == 0 || len > 31)
return true;
if (nft_first_char_bad(id[0]))
return true;
for (size_t i = 1; i < len; i++)
if (nft_next_char_bad(id[i]))
return true;
return false;
}


@ -146,5 +146,3 @@ int parse_oom_score_adjust(const char *s, int *ret);
* to a loadavg_t. */
int store_loadavg_fixed_point(unsigned long i, unsigned long f, loadavg_t *ret);
int parse_loadavg_fixed_point(const char *s, loadavg_t *ret);
bool nft_identifier_bad(const char *id);


@ -19,7 +19,6 @@
#include "devnum-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "firewall-util.h"
#include "in-addr-prefix-util.h"
#include "inotify-util.h"
#include "io-util.h"
@ -280,8 +279,6 @@ void cgroup_context_done(CGroupContext *c) {
cpu_set_reset(&c->startup_cpuset_cpus);
cpu_set_reset(&c->cpuset_mems);
cpu_set_reset(&c->startup_cpuset_mems);
c->nft_set_context = nft_set_context_free_many(c->nft_set_context, &c->n_nft_set_contexts);
}
static int unit_get_kernel_memory_limit(Unit *u, const char *file, uint64_t *ret) {
@ -612,11 +609,6 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) {
SET_FOREACH(iface, c->restrict_network_interfaces)
fprintf(f, "%sRestrictNetworkInterfaces: %s\n", prefix, iface);
}
for (size_t i = 0; i < c->n_nft_set_contexts; i++)
fprintf(f, "%sControlGroupNFTSet: %s:%s:%s\n", prefix,
nfproto_to_string(c->nft_set_context[i].nfproto),
c->nft_set_context[i].table, c->nft_set_context[i].set);
}
void cgroup_context_dump_socket_bind_item(const CGroupSocketBindItem *item, FILE *f) {
@ -1226,46 +1218,6 @@ static void cgroup_apply_firewall(Unit *u) {
(void) bpf_firewall_install(u);
}
static void cgroup_apply_nft_set(Unit *u) {
int r;
CGroupContext *c;
assert(u);
assert_se(c = unit_get_cgroup_context(u));
for (size_t i = 0; i < c->n_nft_set_contexts; i++) {
NFTSetContext *s = &c->nft_set_context[i];
r = nft_set_element_add_uint64(s, u->cgroup_id);
if (r < 0)
log_warning_errno(r, "Adding NFT family %s table %s set %s cgroup %" PRIu64 " failed, ignoring: %m",
nfproto_to_string(s->nfproto),
s->table,
s->set,
u->cgroup_id);
}
}
static void cgroup_delete_nft_set(Unit *u) {
int r;
CGroupContext *c;
assert(u);
assert_se(c = unit_get_cgroup_context(u));
for (size_t i = 0; i < c->n_nft_set_contexts; i++) {
NFTSetContext *s = &c->nft_set_context[i];
r = nft_set_element_del_uint64(s, u->cgroup_id);
if (r < 0)
log_warning_errno(r, "Deleting NFT family %s table %s set %s cgroup %" PRIu64 " failed, ignoring: %m",
nfproto_to_string(s->nfproto),
s->table,
s->set,
u->cgroup_id);
}
}
static void cgroup_apply_socket_bind(Unit *u) {
assert(u);
@ -1698,8 +1650,6 @@ static void cgroup_context_apply(
if (apply_mask & CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES)
cgroup_apply_restrict_network_interfaces(u);
cgroup_apply_nft_set(u);
}
static bool unit_get_needs_bpf_firewall(Unit *u) {
@ -2849,8 +2799,6 @@ void unit_prune_cgroup(Unit *u) {
(void) lsm_bpf_cleanup(u); /* Remove cgroup from the global LSM BPF map */
#endif
cgroup_delete_nft_set(u);
is_root_slice = unit_has_name(u, SPECIAL_ROOT_SLICE);
r = cg_trim_everywhere(u->manager->cgroup_supported, u->cgroup_path, !is_root_slice);


@ -6,7 +6,6 @@
#include "bpf-lsm.h"
#include "cgroup-util.h"
#include "cpu-set-util.h"
#include "firewall-util.h"
#include "list.h"
#include "time-util.h"
@ -195,9 +194,6 @@ struct CGroupContext {
ManagedOOMMode moom_mem_pressure;
uint32_t moom_mem_pressure_limit; /* Normalized to 2^32-1 == 100% */
ManagedOOMPreference moom_preference;
NFTSetContext *nft_set_context;
size_t n_nft_set_contexts;
};
/* Used when querying IP accounting data */


@ -15,7 +15,6 @@
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "firewall-util.h"
#include "in-addr-prefix-util.h"
#include "ip-protocol-list.h"
#include "limits-util.h"
@ -444,36 +443,6 @@ static int property_get_restrict_network_interfaces(
return sd_bus_message_close_container(reply);
}
static int property_get_cgroup_nft_set(
sd_bus *bus,
const char *path,
const char *interface,
const char *property,
sd_bus_message *reply,
void *userdata,
sd_bus_error *error) {
int r;
CGroupContext *c = userdata;
assert(bus);
assert(reply);
assert(c);
r = sd_bus_message_open_container(reply, 'a', "(iss)");
if (r < 0)
return r;
for (size_t i = 0; i < c->n_nft_set_contexts; i++) {
NFTSetContext *s = &c->nft_set_context[i];
r = sd_bus_message_append(reply, "(iss)", s->nfproto, s->table, s->set);
if (r < 0)
return r;
}
return sd_bus_message_close_container(reply);
}
const sd_bus_vtable bus_cgroup_vtable[] = {
SD_BUS_VTABLE_START(0),
SD_BUS_PROPERTY("Delegate", "b", bus_property_get_bool, offsetof(CGroupContext, delegate), 0),
@ -531,7 +500,6 @@ const sd_bus_vtable bus_cgroup_vtable[] = {
SD_BUS_PROPERTY("SocketBindAllow", "a(iiqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_allow), 0),
SD_BUS_PROPERTY("SocketBindDeny", "a(iiqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_deny), 0),
SD_BUS_PROPERTY("RestrictNetworkInterfaces", "(bas)", property_get_restrict_network_interfaces, 0, 0),
SD_BUS_PROPERTY("ControlGroupNFTSet", "a(iss)", property_get_cgroup_nft_set, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_VTABLE_END
};
@ -2085,58 +2053,5 @@ int bus_cgroup_set_property(
if (streq(name, "DisableControllers") || (u->transient && u->load_state == UNIT_STUB))
return bus_cgroup_set_transient_property(u, c, name, message, flags, error);
if (streq(name, "ControlGroupNFTSet")) {
int nfproto;
const char *table, *set;
bool empty = true;
r = sd_bus_message_enter_container(message, 'a', "(iss)");
if (r < 0)
return r;
while ((r = sd_bus_message_read(message, "(iss)", &nfproto, &table, &set)) > 0) {
const char *nfproto_name;
nfproto_name = nfproto_to_string(nfproto);
if (!nfproto_name)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid protocol %d.", nfproto);
if (nft_identifier_bad(table))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT table name %s.", table);
if (nft_identifier_bad(set))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT set name %s.", set);
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
r = nft_set_context_add(&c->nft_set_context, &c->n_nft_set_contexts, nfproto, table, set);
if (r < 0)
return r;
unit_write_settingf(
u, flags|UNIT_ESCAPE_SPECIFIERS, name,
"%s=%s:%s:%s",
name,
nfproto_name,
table,
set);
}
empty = false;
}
if (r < 0)
return r;
r = sd_bus_message_exit_container(message);
if (r < 0)
return r;
if (empty) {
c->nft_set_context = nft_set_context_free_many(c->nft_set_context, &c->n_nft_set_contexts);
unit_write_settingf(u, flags, name, "%s=", name);
}
return 1;
}
return 0;
}


@ -22,7 +22,6 @@
#include "execute.h"
#include "fd-util.h"
#include "fileio.h"
#include "firewall-util.h"
#include "hexdecoct.h"
#include "io-util.h"
#include "ioprio-util.h"
@ -1143,37 +1142,6 @@ static int bus_property_get_exec_dir_symlink(
return sd_bus_message_close_container(reply);
}
static int property_get_dynamic_user_nft_set(
sd_bus *bus,
const char *path,
const char *interface,
const char *property,
sd_bus_message *reply,
void *userdata,
sd_bus_error *error) {
ExecContext *c = userdata;
int r;
assert(bus);
assert(reply);
assert(c);
r = sd_bus_message_open_container(reply, 'a', "(iss)");
if (r < 0)
return r;
for (size_t i = 0; i < c->n_dynamic_user_nft_set_contexts; i++) {
NFTSetContext *s = &c->dynamic_user_nft_set_context[i];
r = sd_bus_message_append(reply, "(iss)", s->nfproto, s->table, s->set);
if (r < 0)
return r;
}
return sd_bus_message_close_container(reply);
}
const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_VTABLE_START(0),
SD_BUS_PROPERTY("Environment", "as", NULL, offsetof(ExecContext, environment), SD_BUS_VTABLE_PROPERTY_CONST),
@ -1268,7 +1236,6 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("DynamicUser", "b", bus_property_get_bool, offsetof(ExecContext, dynamic_user), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("DynamicUserNFTSet", "a(iss)", property_get_dynamic_user_nft_set, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("RemoveIPC", "b", bus_property_get_bool, offsetof(ExecContext, remove_ipc), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SetCredential", "a(say)", property_get_set_credential, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SetCredentialEncrypted", "a(say)", property_get_set_credential, 0, SD_BUS_VTABLE_PROPERTY_CONST),
@ -3540,58 +3507,6 @@ int bus_exec_context_set_transient_property(
return 1;
} else if (streq(name, "DynamicUserNFTSet")) {
int nfproto;
const char *table, *set;
bool empty = true;
r = sd_bus_message_enter_container(message, 'a', "(iss)");
if (r < 0)
return r;
while ((r = sd_bus_message_read(message, "(iss)", &nfproto, &table, &set)) > 0) {
const char *nfproto_name;
nfproto_name = nfproto_to_string(nfproto);
if (!nfproto_name)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid protocol %d.", nfproto);
if (nft_identifier_bad(table))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT table name %s.", table);
if (nft_identifier_bad(set))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT set name %s.", set);
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
r = nft_set_context_add(&c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts, nfproto, table, set);
if (r < 0)
return r;
unit_write_settingf(
u, flags|UNIT_ESCAPE_SPECIFIERS, name,
"%s=%s:%s:%s",
name,
nfproto_name,
table,
set);
}
empty = false;
}
if (r < 0)
return r;
r = sd_bus_message_exit_container(message);
if (r < 0)
return r;
if (empty) {
c->dynamic_user_nft_set_context = nft_set_context_free_many(c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts);
unit_write_settingf(u, flags, name, "%s=", name);
}
return 1;
} else if ((suffix = startswith(name, "Limit"))) {
const char *soft = NULL;
int ri;


@ -4083,43 +4083,6 @@ static int add_shifted_fd(int *fds, size_t fds_size, size_t *n_fds, int fd, int
return 1;
}
static void exec_op_dynamic_user_nft_set(bool add, const ExecContext *c, uid_t uid) {
int r;
assert(c);
for (size_t i = 0; i < c->n_dynamic_user_nft_set_contexts; i++) {
NFTSetContext *s = &c->dynamic_user_nft_set_context[i];
if (add)
r = nft_set_element_add_uint32(s, uid);
else
r = nft_set_element_del_uint32(s, uid);
if (r < 0)
log_warning_errno(r, "%s NFT family %s table %s set %s UID " UID_FMT " failed, ignoring: %m",
add? "Adding" : "Deleting", nfproto_to_string(s->nfproto), s->table, s->set, uid);
}
}
static void exec_add_dynamic_user_nft_set(const ExecContext *c, uid_t uid) {
exec_op_dynamic_user_nft_set(true, c, uid);
}
void exec_delete_dynamic_user_nft_set(const ExecContext *c, DynamicUser *d) {
int r;
uid_t uid;
if (!d)
return;
r = dynamic_user_current(d, &uid);
if (r < 0) {
log_warning_errno(r, "Can't get current dynamic user, ignoring: %m");
return;
}
exec_op_dynamic_user_nft_set(false, c, uid);
}
static int exec_child(
Unit *unit,
const ExecCommand *command,
@ -4321,8 +4284,6 @@ static int exec_child(
if (dcreds->user)
username = dcreds->user->name;
exec_add_dynamic_user_nft_set(context, uid);
} else {
r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
if (r < 0) {
@ -5385,8 +5346,6 @@ void exec_context_done(ExecContext *c) {
c->user = mfree(c->user);
c->group = mfree(c->group);
c->dynamic_user_nft_set_context = nft_set_context_free_many(c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts);
c->supplementary_groups = strv_free(c->supplementary_groups);
c->pam_name = mfree(c->pam_name);
@ -6061,11 +6020,6 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
fprintf(f, "%sGroup: %s\n", prefix, c->group);
fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
for (size_t i = 0; i < c->n_dynamic_user_nft_set_contexts; i++)
fprintf(f, "%sDynamicUserNFTSet: %s:%s:%s\n", prefix,
nfproto_to_string(c->dynamic_user_nft_set_context[i].nfproto),
c->dynamic_user_nft_set_context[i].table,
c->dynamic_user_nft_set_context[i].set);
strv_dump(f, prefix, "SupplementaryGroups", c->supplementary_groups);


@ -18,7 +18,6 @@ typedef struct Manager Manager;
#include "cpu-set-util.h"
#include "exec-util.h"
#include "fdset.h"
#include "firewall-util.h"
#include "list.h"
#include "missing_resource.h"
#include "namespace.h"
@ -314,9 +313,6 @@ struct ExecContext {
bool mount_apivfs;
bool dynamic_user;
size_t n_dynamic_user_nft_set_contexts;
NFTSetContext *dynamic_user_nft_set_context;
bool remove_ipc;
bool memory_deny_write_execute;
@ -526,5 +522,3 @@ const char* exec_resource_type_to_string(ExecDirectoryType i) _const_;
ExecDirectoryType exec_resource_type_from_string(const char *s) _pure_;
bool exec_needs_mount_namespace(const ExecContext *context, const ExecParameters *params, const ExecRuntime *runtime);
void exec_delete_dynamic_user_nft_set(const ExecContext *c, DynamicUser *d);


@ -32,7 +32,6 @@
{{type}}.PassEnvironment, config_parse_pass_environ, 0, offsetof({{type}}, exec_context.pass_environment)
{{type}}.UnsetEnvironment, config_parse_unset_environ, 0, offsetof({{type}}, exec_context.unset_environment)
{{type}}.DynamicUser, config_parse_bool, true, offsetof({{type}}, exec_context.dynamic_user)
{{type}}.DynamicUserNFTSet, config_parse_dynamic_user_nft_set, 0, offsetof({{type}}, exec_context)
{{type}}.RemoveIPC, config_parse_bool, 0, offsetof({{type}}, exec_context.remove_ipc)
{{type}}.StandardInput, config_parse_exec_input, 0, offsetof({{type}}, exec_context)
{{type}}.StandardOutput, config_parse_exec_output, 0, offsetof({{type}}, exec_context)
@ -242,7 +241,6 @@
{{type}}.SocketBindAllow, config_parse_cgroup_socket_bind, 0, offsetof({{type}}, cgroup_context.socket_bind_allow)
{{type}}.SocketBindDeny, config_parse_cgroup_socket_bind, 0, offsetof({{type}}, cgroup_context.socket_bind_deny)
{{type}}.RestrictNetworkInterfaces, config_parse_restrict_network_interfaces, 0, offsetof({{type}}, cgroup_context)
{{type}}.ControlGroupNFTSet, config_parse_cgroup_nft_set, 0, offsetof({{type}}, cgroup_context)
{%- endmacro -%}
%{


@ -35,10 +35,8 @@
#include "env-util.h"
#include "errno-list.h"
#include "escape.h"
#include "execute.h"
#include "fd-util.h"
#include "fileio.h"
#include "firewall-util.h"
#include "fs-util.h"
#include "hexdecoct.h"
#include "io-util.h"
@ -6522,105 +6520,3 @@ int config_parse_tty_size(
return config_parse_unsigned(unit, filename, line, section, section_line, lvalue, ltype, rvalue, data, userdata);
}
static int config_parse_nft_set(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
NFTSetContext **c,
size_t *n,
Unit *u) {
_cleanup_free_ char *family_str = NULL, *table = NULL, *set = NULL, *table_resolved = NULL, *set_resolved = NULL;
int nfproto, r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(u);
if (isempty(rvalue)) {
/* Empty assignment resets the list */
*c = nft_set_context_free_many(*c, n);
return 0;
}
for (const char *p = rvalue;;) {
r = extract_many_words(&p, ":", EXTRACT_CUNESCAPE, &family_str, &table, &set, NULL);
if (r == -ENOMEM)
return log_oom();
if (r == 0)
break;
if (r != 3) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse NFT set, ignoring: %s", p);
return 0;
}
nfproto = nfproto_from_string(family_str);
if (nfproto < 0) {
log_syntax(unit, LOG_WARNING, filename, line, 0, "Unknown NFT protocol family, ignoring: %s", family_str);
return 0;
}
r = unit_path_printf(u, table, &table_resolved);
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in '%s', ignoring: %m", table);
return 0;
}
if (nft_identifier_bad(table_resolved))
return log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid table name %s, ignoring", table);
r = unit_path_printf(u, set, &set_resolved);
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in '%s', ignoring: %m", set);
return 0;
}
if (nft_identifier_bad(set_resolved))
return log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid set name %s, ignoring", set);
r = nft_set_context_add(c, n, nfproto, table_resolved, set_resolved);
if (r < 0)
return log_oom();
}
return 0;
}
int config_parse_cgroup_nft_set(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
CGroupContext *c = data;
Unit *u = userdata;
return config_parse_nft_set(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &c->nft_set_context, &c->n_nft_set_contexts, u);
}
int config_parse_dynamic_user_nft_set(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
Unit *u = userdata;
return config_parse_nft_set(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts, u);
}


@ -150,8 +150,6 @@ CONFIG_PARSER_PROTOTYPE(config_parse_cgroup_socket_bind);
CONFIG_PARSER_PROTOTYPE(config_parse_restrict_network_interfaces);
CONFIG_PARSER_PROTOTYPE(config_parse_watchdog_sec);
CONFIG_PARSER_PROTOTYPE(config_parse_tty_size);
CONFIG_PARSER_PROTOTYPE(config_parse_cgroup_nft_set);
CONFIG_PARSER_PROTOTYPE(config_parse_dynamic_user_nft_set);
/* gperf prototypes */
const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, GPERF_LEN_TYPE length);


@ -1877,9 +1877,6 @@ static void service_enter_dead(Service *s, ServiceResult f, bool allow_restart)
/* Get rid of the IPC bits of the user */
unit_unref_uid_gid(UNIT(s), true);
/* Delete DynamicUserNFTSet= */
exec_delete_dynamic_user_nft_set(&s->exec_context, s->dynamic_creds.user);
/* Release the user, and destroy it if we are the only remaining owner */
dynamic_creds_destroy(&s->dynamic_creds);


@ -221,26 +221,15 @@ static const NLType genl_wireguard_types[] = {
[WGDEVICE_A_PEERS] = { .type = NETLINK_TYPE_NESTED, .type_system = &genl_wireguard_peer_type_system },
};
/***************** genl NetLabel type systems *****************/
static const NLType genl_netlabel_types[] = {
[NLBL_UNLABEL_A_IPV4ADDR] = { .type = NETLINK_TYPE_IN_ADDR, .size = sizeof(struct in_addr) },
[NLBL_UNLABEL_A_IPV4MASK] = { .type = NETLINK_TYPE_IN_ADDR, .size = sizeof(struct in_addr) },
[NLBL_UNLABEL_A_IPV6ADDR] = { .type = NETLINK_TYPE_IN_ADDR, .size = sizeof(struct in6_addr) },
[NLBL_UNLABEL_A_IPV6MASK] = { .type = NETLINK_TYPE_IN_ADDR, .size = sizeof(struct in6_addr) },
[NLBL_UNLABEL_A_IFACE] = { .type = NETLINK_TYPE_STRING, .size = IFNAMSIZ-1 },
[NLBL_UNLABEL_A_SECCTX] = { .type = NETLINK_TYPE_STRING },
};
/***************** genl families *****************/
static const NLTypeSystemUnionElement genl_type_systems[] = {
{ .name = CTRL_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_ctrl), },
{ .name = BATADV_NL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_batadv), },
{ .name = FOU_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_fou), },
{ .name = L2TP_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_l2tp), },
{ .name = MACSEC_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_macsec), },
{ .name = NL80211_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_nl80211), },
{ .name = WG_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_wireguard), },
{ .name = NETLBL_NLTYPE_UNLABELED_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_netlabel), },
{ .name = CTRL_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_ctrl), },
{ .name = BATADV_NL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_batadv), },
{ .name = FOU_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_fou), },
{ .name = L2TP_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_l2tp), },
{ .name = MACSEC_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_macsec), },
{ .name = NL80211_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_nl80211), },
{ .name = WG_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_wireguard), },
};
/* This is the root type system union, so match_attribute is not necessary. */


@ -657,8 +657,6 @@ static void test_genl(void) {
(void) sd_genl_message_new(genl, MACSEC_GENL_NAME, 0, &m);
m = sd_netlink_message_unref(m);
(void) sd_genl_message_new(genl, NL80211_GENL_NAME, 0, &m);
m = sd_netlink_message_unref(m);
(void) sd_genl_message_new(genl, NETLBL_NLTYPE_UNLABELED_NAME, 0, &m);
for (;;) {
r = sd_event_run(event, 500 * USEC_PER_MSEC);


@ -115,8 +115,6 @@ sources = files(
'networkd-ndisc.h',
'networkd-neighbor.c',
'networkd-neighbor.h',
'networkd-netlabel.c',
'networkd-netlabel.h',
'networkd-network-bus.c',
'networkd-network-bus.h',
'networkd-network.c',


@ -12,7 +12,6 @@
#include "networkd-dhcp-server.h"
#include "networkd-ipv4acd.h"
#include "networkd-manager.h"
#include "networkd-netlabel.h"
#include "networkd-network.h"
#include "networkd-queue.h"
#include "networkd-route-util.h"
@ -138,9 +137,6 @@ Address *address_free(Address *address) {
config_section_free(address->section);
free(address->label);
set_free(address->netlabels);
nft_set_context_free_many(address->ipv4_nft_set_context, &address->n_ipv4_nft_set_contexts);
nft_set_context_free_many(address->ipv6_nft_set_context, &address->n_ipv6_nft_set_contexts);
return mfree(address);
}
@ -452,91 +448,6 @@ static int address_set_masquerade(Address *address, bool add) {
return 0;
}
static void address_add_nft_set_context(const Address *address, const NFTSetContext *nft_set_context, size_t n_nft_set_contexts) {
int r;
assert(address);
for (size_t i = 0; i < n_nft_set_contexts; i++) {
r = nft_set_element_add_in_addr(&nft_set_context[i], address->family,
&address->in_addr, address->prefixlen);
if (r < 0)
log_warning_errno(r, "Adding NFT family %s table %s set %s for IP address %s failed, ignoring",
nfproto_to_string(nft_set_context[i].nfproto),
nft_set_context[i].table,
nft_set_context[i].set,
IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
}
}
static void address_del_nft_set_context(const Address *address, const NFTSetContext *nft_set_context, size_t n_nft_set_contexts) {
int r;
assert(address);
for (size_t i = 0; i < n_nft_set_contexts; i++) {
r = nft_set_element_del_in_addr(&nft_set_context[i], address->family,
&address->in_addr, address->prefixlen);
if (r < 0)
log_warning_errno(r, "Deleting NFT family %s table %s set %s for IP address %s failed, ignoring",
nfproto_to_string(nft_set_context[i].nfproto),
nft_set_context[i].table,
nft_set_context[i].set,
IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen)); }
}
static void address_add_nft_set(const Address *address) {
assert(address);
assert(address->link);
if (!address->link->network || !IN_SET(address->family, AF_INET, AF_INET6))
return;
switch (address->source) {
case NETWORK_CONFIG_SOURCE_DHCP4:
return address_add_nft_set_context(address, address->link->network->dhcp_nft_set_context, address->link->network->n_dhcp_nft_set_contexts);
case NETWORK_CONFIG_SOURCE_DHCP6:
return address_add_nft_set_context(address, address->link->network->dhcp6_nft_set_context, address->link->network->n_dhcp6_nft_set_contexts);
case NETWORK_CONFIG_SOURCE_DHCP_PD:
return address_add_nft_set_context(address, address->link->network->dhcp_pd_nft_set_context, address->link->network->n_dhcp_pd_nft_set_contexts);
case NETWORK_CONFIG_SOURCE_NDISC:
return address_add_nft_set_context(address, address->link->network->ndisc_nft_set_context, address->link->network->n_ndisc_nft_set_contexts);
case NETWORK_CONFIG_SOURCE_STATIC:
if (address->family == AF_INET)
return address_add_nft_set_context(address, address->ipv4_nft_set_context, address->n_ipv4_nft_set_contexts);
else
return address_add_nft_set_context(address, address->ipv6_nft_set_context, address->n_ipv6_nft_set_contexts);
default:
return;
}
}
static void address_del_nft_set(const Address *address) {
assert(address);
assert(address->link);
if (!address->link->network || !IN_SET(address->family, AF_INET, AF_INET6))
return;
switch (address->source) {
case NETWORK_CONFIG_SOURCE_DHCP4:
return address_del_nft_set_context(address, address->link->network->dhcp_nft_set_context, address->link->network->n_dhcp_nft_set_contexts);
case NETWORK_CONFIG_SOURCE_DHCP6:
return address_del_nft_set_context(address, address->link->network->dhcp6_nft_set_context, address->link->network->n_dhcp6_nft_set_contexts);
case NETWORK_CONFIG_SOURCE_DHCP_PD:
return address_del_nft_set_context(address, address->link->network->dhcp_pd_nft_set_context, address->link->network->n_dhcp_pd_nft_set_contexts);
case NETWORK_CONFIG_SOURCE_NDISC:
return address_del_nft_set_context(address, address->link->network->ndisc_nft_set_context, address->link->network->n_ndisc_nft_set_contexts);
case NETWORK_CONFIG_SOURCE_STATIC:
if (address->family == AF_INET)
return address_del_nft_set_context(address, address->ipv4_nft_set_context, address->n_ipv4_nft_set_contexts);
else
return address_del_nft_set_context(address, address->ipv6_nft_set_context, address->n_ipv6_nft_set_contexts);
default:
return;
}
}
static int address_add(Link *link, Address *address) {
int r;
@ -581,10 +492,6 @@ static int address_update(Address *address) {
if (r < 0)
return log_link_warning_errno(link, r, "Could not enable IP masquerading: %m");
address_add_netlabel(address);
address_add_nft_set(address);
if (address_is_ready(address) && address->callback) {
r = address->callback(address);
if (r < 0)
@ -611,10 +518,6 @@ static int address_drop(Address *address) {
if (r < 0)
log_link_warning_errno(link, r, "Failed to disable IP masquerading, ignoring: %m");
address_del_nft_set(address);
address_del_netlabel(address);
if (address->state == 0)
address_free(address);
@ -2034,41 +1937,6 @@ int config_parse_duplicate_address_detection(
return 0;
}
int config_parse_address_netlabel(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Network *network = userdata;
_cleanup_(address_free_or_set_invalidp) Address *n = NULL;
int r;
assert(filename);
assert(section);
assert(lvalue);
assert(rvalue);
assert(data);
assert(network);
r = address_new_static(network, filename, section_line, &n);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Failed to allocate new address, ignoring assignment: %m");
return 0;
}
return config_parse_netlabel(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &n->netlabels, network);
}
static int address_section_verify(Address *address) {
if (section_is_invalid(address->section))
return -EINVAL;
@ -2172,71 +2040,3 @@ int network_drop_invalid_addresses(Network *network) {
return 0;
}
int config_parse_address_ipv4_nft_set_context(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Network *network = userdata;
_cleanup_(address_free_or_set_invalidp) Address *n = NULL;
int r;
assert(filename);
assert(section);
assert(lvalue);
assert(rvalue);
assert(data);
assert(network);
r = address_new_static(network, filename, section_line, &n);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Failed to allocate new address, ignoring assignment: %m");
return 0;
}
return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &n->ipv4_nft_set_context, &n->n_ipv4_nft_set_contexts);
}
int config_parse_address_ipv6_nft_set_context(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Network *network = userdata;
_cleanup_(address_free_or_set_invalidp) Address *n = NULL;
int r;
assert(filename);
assert(section);
assert(lvalue);
assert(rvalue);
assert(data);
assert(network);
r = address_new_static(network, filename, section_line, &n);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Failed to allocate new address, ignoring assignment: %m");
return 0;
}
return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &n->ipv6_nft_set_context, &n->n_ipv6_nft_set_contexts);
}


@ -8,7 +8,6 @@
#include "sd-ipv4acd.h"
#include "conf-parser.h"
#include "firewall-util.h"
#include "in-addr-util.h"
#include "networkd-link.h"
#include "networkd-util.h"
@ -62,12 +61,6 @@ struct Address {
/* Called when address become ready */
address_ready_callback_t callback;
/* NetLabel */
Set *netlabels;
NFTSetContext *ipv4_nft_set_context, *ipv6_nft_set_context;
size_t n_ipv4_nft_set_contexts, n_ipv6_nft_set_contexts;
};
const char* format_lifetime(char *buf, size_t l, usec_t lifetime_usec) _warn_unused_result_;
@ -142,6 +135,3 @@ CONFIG_PARSER_PROTOTYPE(config_parse_address_flags);
CONFIG_PARSER_PROTOTYPE(config_parse_address_scope);
CONFIG_PARSER_PROTOTYPE(config_parse_address_route_metric);
CONFIG_PARSER_PROTOTYPE(config_parse_duplicate_address_detection);
CONFIG_PARSER_PROTOTYPE(config_parse_address_netlabel);
CONFIG_PARSER_PROTOTYPE(config_parse_address_ipv4_nft_set_context);
CONFIG_PARSER_PROTOTYPE(config_parse_address_ipv6_nft_set_context);


@ -1,191 +0,0 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "netlink-util.h"
#include "networkd-address.h"
#include "networkd-link.h"
#include "networkd-manager.h"
#include "networkd-netlabel.h"
#include "networkd-network.h"
static int netlabel_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
int r;
assert_se(rtnl);
assert_se(m);
assert_se(link);
r = sd_netlink_message_get_errno(m);
if (r < 0) {
log_link_message_warning_errno(link, m, r, "NetLabel operation failed, ignoring");
return 1;
}
log_link_debug(link, "NetLabel operation successful");
return 1;
}
static int netlabel_command(uint16_t command, const char *label, const Address *address) {
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
assert(address);
assert(address->link);
assert(address->link->manager);
assert(address->link->manager->genl);
assert(address->link->network);
assert(IN_SET(address->family, AF_INET, AF_INET6));
r = sd_genl_message_new(address->link->manager->genl, NETLBL_NLTYPE_UNLABELED_NAME, command, &m);
if (r < 0)
return r;
r = sd_netlink_message_append_string(m, NLBL_UNLABEL_A_IFACE, address->link->ifname);
if (r < 0)
return r;
if (command == NLBL_UNLABEL_C_STATICADD) {
assert(label);
r = sd_netlink_message_append_string(m, NLBL_UNLABEL_A_SECCTX, label);
if (r < 0)
return r;
}
union in_addr_union netmask;
r = in_addr_prefixlen_to_netmask(address->family, &netmask, address->prefixlen);
if (r < 0)
return r;
if (address->family == AF_INET) {
r = sd_netlink_message_append_in_addr(m, NLBL_UNLABEL_A_IPV4ADDR, &address->in_addr.in);
if (r < 0)
return r;
r = sd_netlink_message_append_in_addr(m, NLBL_UNLABEL_A_IPV4MASK, &netmask.in);
} else if (address->family == AF_INET6) {
r = sd_netlink_message_append_in6_addr(m, NLBL_UNLABEL_A_IPV6ADDR, &address->in_addr.in6);
if (r < 0)
return r;
r = sd_netlink_message_append_in6_addr(m, NLBL_UNLABEL_A_IPV6MASK, &netmask.in6);
}
if (r < 0)
return r;
r = netlink_call_async(address->link->manager->genl, NULL, m, netlabel_handler, link_netlink_destroy_callback,
address->link);
if (r < 0)
return r;
link_ref(address->link);
return 0;
}
static void address_add_netlabel_set(const Address *address, Set *labels) {
const char *label;
int r;
SET_FOREACH(label, labels) {
r = netlabel_command(NLBL_UNLABEL_C_STATICADD, label, address);
if (r < 0)
log_link_warning_errno(address->link, r, "Adding NetLabel %s for IP address %s failed, ignoring",
label,
IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
else
log_link_debug(address->link, "Adding NetLabel %s for IP address %s", label,
IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
}
}
void address_add_netlabel(const Address *address) {
assert(address);
assert(address->link);
if (!address->link->network || !IN_SET(address->family, AF_INET, AF_INET6))
return;
switch (address->source) {
case NETWORK_CONFIG_SOURCE_DHCP4:
return address_add_netlabel_set(address, address->link->network->dhcp_netlabels);
case NETWORK_CONFIG_SOURCE_DHCP6:
return address_add_netlabel_set(address, address->link->network->dhcp6_netlabels);
case NETWORK_CONFIG_SOURCE_DHCP_PD:
return address_add_netlabel_set(address, address->link->network->dhcp_pd_netlabels);
case NETWORK_CONFIG_SOURCE_NDISC:
return address_add_netlabel_set(address, address->link->network->ndisc_netlabels);
case NETWORK_CONFIG_SOURCE_STATIC:
return address_add_netlabel_set(address, address->netlabels);
default:
return;
}
}
void address_del_netlabel(const Address *address) {
int r;
assert(address);
assert(address->link);
if (!address->link->network || !IN_SET(address->family, AF_INET, AF_INET6))
return;
r = netlabel_command(NLBL_UNLABEL_C_STATICREMOVE, NULL, address);
if (r < 0)
log_link_warning_errno(address->link, r, "Deleting NetLabels for IP address %s failed, ignoring",
IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
else
log_link_debug(address->link, "Deleting NetLabels for IP address %s",
IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
}
int config_parse_netlabel(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
int r;
Set **set = data;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(set);
if (isempty(rvalue)) {
*set = set_free(*set);
return 0;
}
for (const char *p = rvalue;;) {
_cleanup_free_ char *w = NULL;
r = extract_first_word(&p, &w, NULL, 0);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Failed to extract NetLabel label, ignoring: %s", rvalue);
return 0;
}
if (r == 0)
return 0;
/* Label semantics depend on LSM but let's do basic checks */
if (!string_is_safe(w)) {
log_syntax(unit, LOG_WARNING, filename, line, 0,
"Bad NetLabel label, ignoring: %s", w);
continue;
}
r = set_ensure_consume(set, &string_hash_ops_free, TAKE_PTR(w));
if (r < 0)
return log_oom();
}
}


@ -1,7 +0,0 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
void address_add_netlabel(const Address *address);
void address_del_netlabel(const Address *address);
CONFIG_PARSER_PROTOTYPE(config_parse_netlabel);


@ -25,7 +25,6 @@ _Pragma("GCC diagnostic ignored \"-Wimplicit-fallthrough\"")
#include "networkd-ipv6ll.h"
#include "networkd-lldp-tx.h"
#include "networkd-ndisc.h"
#include "networkd-netlabel.h"
#include "networkd-network.h"
#include "networkd-neighbor.h"
#include "networkd-nexthop.h"
@ -157,9 +156,6 @@ Address.AutoJoin, config_parse_address_flags,
Address.DuplicateAddressDetection, config_parse_duplicate_address_detection, 0, 0
Address.Scope, config_parse_address_scope, 0, 0
Address.RouteMetric, config_parse_address_route_metric, 0, 0
Address.NetLabel, config_parse_address_netlabel, 0, 0
Address.IPv4NFTSet, config_parse_address_ipv4_nft_set_context, 0, 0
Address.IPv6NFTSet, config_parse_address_ipv6_nft_set_context, 0, 0
IPv6AddressLabel.Prefix, config_parse_address_label_prefix, 0, 0
IPv6AddressLabel.Label, config_parse_address_label, 0, 0
Neighbor.Address, config_parse_neighbor_address, 0, 0
@ -247,8 +243,6 @@ DHCPv4.SendVendorOption, config_parse_dhcp_send_option,
DHCPv4.RouteMTUBytes, config_parse_mtu, AF_INET, offsetof(Network, dhcp_route_mtu)
DHCPv4.FallbackLeaseLifetimeSec, config_parse_dhcp_fallback_lease_lifetime, 0, 0
DHCPv4.Use6RD, config_parse_bool, 0, offsetof(Network, dhcp_use_6rd)
DHCPv4.NetLabel, config_parse_netlabel, 0, offsetof(Network, dhcp_netlabels)
DHCPv4.NFTSet, config_parse_dhcp_nft_set_context, 0, 0
DHCPv6.UseAddress, config_parse_bool, 0, offsetof(Network, dhcp6_use_address)
DHCPv6.UseDelegatedPrefix, config_parse_bool, 0, offsetof(Network, dhcp6_use_pd_prefix)
DHCPv6.UseDNS, config_parse_dhcp_use_dns, AF_INET6, 0
@ -266,8 +260,6 @@ DHCPv6.SendOption, config_parse_dhcp_send_option,
DHCPv6.IAID, config_parse_iaid, AF_INET6, 0
DHCPv6.DUIDType, config_parse_duid_type, 0, offsetof(Network, dhcp6_duid)
DHCPv6.DUIDRawData, config_parse_duid_rawdata, 0, offsetof(Network, dhcp6_duid)
DHCPv6.NetLabel, config_parse_netlabel, 0, offsetof(Network, dhcp6_netlabels)
DHCPv6.NFTSet, config_parse_dhcp6_nft_set_context, 0, 0
IPv6AcceptRA.UseGateway, config_parse_bool, 0, offsetof(Network, ipv6_accept_ra_use_gateway)
IPv6AcceptRA.UseRoutePrefix, config_parse_bool, 0, offsetof(Network, ipv6_accept_ra_use_route_prefix)
IPv6AcceptRA.UseAutonomousPrefix, config_parse_bool, 0, offsetof(Network, ipv6_accept_ra_use_autonomous_prefix)
@ -285,8 +277,6 @@ IPv6AcceptRA.PrefixDenyList, config_parse_in_addr_prefixes,
IPv6AcceptRA.RouteAllowList, config_parse_in_addr_prefixes, AF_INET6, offsetof(Network, ndisc_allow_listed_route_prefix)
IPv6AcceptRA.RouteDenyList, config_parse_in_addr_prefixes, AF_INET6, offsetof(Network, ndisc_deny_listed_route_prefix)
IPv6AcceptRA.Token, config_parse_address_generation_type, 0, offsetof(Network, ndisc_tokens)
IPv6AcceptRA.NetLabel, config_parse_netlabel, 0, offsetof(Network, ndisc_netlabels)
IPv6AcceptRA.NFTSet, config_parse_ndisc_nft_set_context, 0, 0
DHCPServer.ServerAddress, config_parse_dhcp_server_address, 0, 0
DHCPServer.UplinkInterface, config_parse_uplink, 0, 0
DHCPServer.RelayTarget, config_parse_in_addr_non_null, AF_INET, offsetof(Network, dhcp_server_relay_target)
@ -353,8 +343,6 @@ DHCPPrefixDelegation.Assign, config_parse_bool,
DHCPPrefixDelegation.ManageTemporaryAddress, config_parse_bool, 0, offsetof(Network, dhcp_pd_manage_temporary_address)
DHCPPrefixDelegation.Token, config_parse_address_generation_type, 0, offsetof(Network, dhcp_pd_tokens)
DHCPPrefixDelegation.RouteMetric, config_parse_uint32, 0, offsetof(Network, dhcp_pd_route_metric)
DHCPPrefixDelegation.NetLabel, config_parse_netlabel, 0, offsetof(Network, dhcp_pd_netlabels)
DHCPPrefixDelegation.NFTSet, config_parse_dhcp_pd_nft_set_context, 0, 0
IPv6SendRA.RouterLifetimeSec, config_parse_router_lifetime, 0, offsetof(Network, router_lifetime_usec)
IPv6SendRA.Managed, config_parse_bool, 0, offsetof(Network, router_managed)
IPv6SendRA.OtherInformation, config_parse_bool, 0, offsetof(Network, router_other_information)


@ -688,10 +688,6 @@ static Network *network_free(Network *network) {
free(network->dhcp6_mudurl);
strv_free(network->dhcp6_user_class);
strv_free(network->dhcp6_vendor_class);
set_free(network->dhcp_netlabels);
set_free(network->dhcp6_netlabels);
nft_set_context_free_many(network->dhcp_nft_set_context, &network->n_dhcp_nft_set_contexts);
nft_set_context_free_many(network->dhcp6_nft_set_context, &network->n_dhcp6_nft_set_contexts);
strv_free(network->ntp);
for (unsigned i = 0; i < network->n_dns; i++)
@ -758,10 +754,6 @@ static Network *network_free(Network *network) {
ordered_hashmap_free(network->dhcp6_client_send_vendor_options);
set_free(network->dhcp_pd_tokens);
set_free(network->ndisc_tokens);
set_free(network->dhcp_pd_netlabels);
set_free(network->ndisc_netlabels);
nft_set_context_free_many(network->dhcp_pd_nft_set_context, &network->n_dhcp_pd_nft_set_contexts);
nft_set_context_free_many(network->ndisc_nft_set_context, &network->n_ndisc_nft_set_contexts);
return mfree(network);
}
@ -1306,90 +1298,6 @@ int config_parse_ignore_carrier_loss(
return 0;
}
int config_parse_dhcp_nft_set_context(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Network *network = userdata;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(network);
return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &network->dhcp_nft_set_context, &network->n_dhcp_nft_set_contexts);
}
int config_parse_dhcp6_nft_set_context(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Network *network = userdata;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(network);
return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &network->dhcp6_nft_set_context, &network->n_dhcp6_nft_set_contexts);
}
int config_parse_dhcp_pd_nft_set_context(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Network *network = userdata;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(network);
return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &network->dhcp_pd_nft_set_context, &network->n_dhcp_pd_nft_set_contexts);
}
int config_parse_ndisc_nft_set_context(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Network *network = userdata;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(network);
return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &network->ndisc_nft_set_context, &network->n_ndisc_nft_set_contexts);
}
DEFINE_CONFIG_PARSE_ENUM(config_parse_required_family_for_online, link_required_address_family, AddressFamily,
"Failed to parse RequiredFamilyForOnline= setting");


@ -10,7 +10,6 @@
#include "bridge.h"
#include "condition.h"
#include "conf-parser.h"
#include "firewall-util.h"
#include "hashmap.h"
#include "ipoib.h"
#include "net-condition.h"
@ -156,9 +155,6 @@ struct Network {
Set *dhcp_request_options;
OrderedHashmap *dhcp_client_send_options;
OrderedHashmap *dhcp_client_send_vendor_options;
Set *dhcp_netlabels;
NFTSetContext *dhcp_nft_set_context;
size_t n_dhcp_nft_set_contexts;
/* DHCPv6 Client support */
bool dhcp6_use_address;
@ -183,9 +179,6 @@ struct Network {
OrderedHashmap *dhcp6_client_send_options;
OrderedHashmap *dhcp6_client_send_vendor_options;
Set *dhcp6_request_options;
Set *dhcp6_netlabels;
NFTSetContext *dhcp6_nft_set_context;
size_t n_dhcp6_nft_set_contexts;
/* DHCP Server Support */
bool dhcp_server;
@ -242,9 +235,6 @@ struct Network {
Set *dhcp_pd_tokens;
int dhcp_pd_uplink_index;
char *dhcp_pd_uplink_name;
Set *dhcp_pd_netlabels;
NFTSetContext *dhcp_pd_nft_set_context;
size_t n_dhcp_pd_nft_set_contexts;
/* Bridge Support */
int use_bpdu;
@ -329,9 +319,6 @@ struct Network {
Set *ndisc_deny_listed_route_prefix;
Set *ndisc_allow_listed_route_prefix;
Set *ndisc_tokens;
Set *ndisc_netlabels;
NFTSetContext *ndisc_nft_set_context;
size_t n_ndisc_nft_set_contexts;
/* LLDP support */
LLDPMode lldp_mode; /* LLDP reception */
@ -397,10 +384,6 @@ CONFIG_PARSER_PROTOTYPE(config_parse_keep_configuration);
CONFIG_PARSER_PROTOTYPE(config_parse_activation_policy);
CONFIG_PARSER_PROTOTYPE(config_parse_link_group);
CONFIG_PARSER_PROTOTYPE(config_parse_ignore_carrier_loss);
CONFIG_PARSER_PROTOTYPE(config_parse_dhcp_nft_set_context);
CONFIG_PARSER_PROTOTYPE(config_parse_dhcp6_nft_set_context);
CONFIG_PARSER_PROTOTYPE(config_parse_dhcp_pd_nft_set_context);
CONFIG_PARSER_PROTOTYPE(config_parse_ndisc_nft_set_context);
const struct ConfigPerfItem* network_network_gperf_lookup(const char *key, GPERF_LEN_TYPE length);


@ -16,7 +16,6 @@
#include "exec-util.h"
#include "exit-status.h"
#include "fileio.h"
#include "firewall-util.h"
#include "hexdecoct.h"
#include "hostname-util.h"
#include "in-addr-util.h"
@ -435,91 +434,6 @@ static int bus_append_ip_address_access(sd_bus_message *m, int family, const uni
return sd_bus_message_close_container(m);
}
static int bus_append_nft_set(sd_bus_message *m, const char *field, const char *eq) {
int r;
assert(m);
if (isempty(eq)) {
r = sd_bus_message_append(m, "(sv)", field, "a(iss)", 0);
if (r < 0)
return bus_log_create_error(r);
return 1;
}
r = sd_bus_message_open_container(m, SD_BUS_TYPE_STRUCT, "sv");
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_append_basic(m, SD_BUS_TYPE_STRING, field);
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_open_container(m, 'v', "a(iss)");
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_open_container(m, 'a', "(iss)");
if (r < 0)
return bus_log_create_error(r);
for (;;) {
_cleanup_free_ char *word = NULL;
int family;
r = extract_first_word(&eq, &word, ":", 0);
if (r == -ENOMEM)
return log_oom();
if (r < 0)
return log_error_errno(r, "Failed to parse %s: %m", field);
if (isempty(word)) {
log_error("Failed to parse %s", field);
return 0;
}
family = nfproto_from_string(word);
if (family < 0)
return log_error_errno(family, "Failed to parse %s: %m", field);
r = extract_first_word(&eq, &word, ":", EXTRACT_CUNESCAPE|EXTRACT_UNESCAPE_SEPARATORS);
if (r == -ENOMEM)
return log_oom();
if (r < 0)
return log_error_errno(r, "Failed to parse %s: %m", field);
if (isempty(word) || isempty(eq)) {
log_error("Failed to parse %s", field);
return 0;
}
_cleanup_free_ char *unescaped = NULL;
ssize_t l;
l = cunescape(eq, 0, &unescaped);
if (l < 0)
return log_error_errno(l, "Failed to unescape %s= value: %s", field, eq);
r = sd_bus_message_append(m, "(iss)", family, word, eq);
r = sd_bus_message_close_container(m);
if (r < 0)
return bus_log_create_error(r);
}
r = sd_bus_message_close_container(m);
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_close_container(m);
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_close_container(m);
if (r < 0)
return bus_log_create_error(r);
return 1;
}
static int bus_append_cgroup_property(sd_bus_message *m, const char *field, const char *eq) {
int r;
@ -977,9 +891,6 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
return 1;
}
if (streq(field, "ControlGroupNFTSet"))
return bus_append_nft_set(m, field, eq);
return 0;
}
@ -2137,9 +2048,6 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
return 1;
}
if (STR_IN_SET(field, "DynamicUserNFTSet"))
return bus_append_nft_set(m, field, eq);
return 0;
}


@ -14,13 +14,11 @@
#include "sd-netlink.h"
#include "alloc-util.h"
#include "extract-word.h"
#include "firewall-util.h"
#include "firewall-util-private.h"
#include "in-addr-util.h"
#include "macro.h"
#include "socket-util.h"
#include "string-table.h"
#include "time-util.h"
#define NFT_SYSTEMD_DNAT_MAP_NAME "map_port_ipport"
@ -850,12 +848,9 @@ static int nft_message_add_setelem_ip6range(
#define NFT_MASQ_MSGS 3
static int nft_set_element_op_in_addr(
sd_netlink *nfnl,
const char *table,
const char *set,
static int fw_nftables_add_masquerade_internal(
FirewallContext *ctx,
bool add,
int nfproto,
int af,
const union in_addr_union *source,
unsigned int source_prefixlen) {
@ -870,14 +865,14 @@ static int nft_set_element_op_in_addr(
if (af == AF_INET6 && source_prefixlen < 8)
return -EINVAL;
r = sd_nfnl_message_batch_begin(nfnl, &transaction[0]);
r = sd_nfnl_message_batch_begin(ctx->nfnl, &transaction[0]);
if (r < 0)
return r;
tsize = 1;
if (add)
r = sd_nfnl_nft_message_new_setelems_begin(nfnl, &transaction[tsize], nfproto, table, set);
r = sd_nfnl_nft_message_new_setelems_begin(ctx->nfnl, &transaction[tsize], af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME);
else
r = sd_nfnl_nft_message_del_setelems_begin(nfnl, &transaction[tsize], nfproto, table, set);
r = sd_nfnl_nft_message_del_setelems_begin(ctx->nfnl, &transaction[tsize], af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME);
if (r < 0)
goto out_unref;
@ -890,12 +885,12 @@ static int nft_set_element_op_in_addr(
++tsize;
assert(tsize < NFT_MASQ_MSGS);
r = sd_nfnl_message_batch_end(nfnl, &transaction[tsize]);
r = sd_nfnl_message_batch_end(ctx->nfnl, &transaction[tsize]);
if (r < 0)
return r;
++tsize;
r = nfnl_netlink_sendv(nfnl, transaction, tsize);
r = nfnl_netlink_sendv(ctx->nfnl, transaction, tsize);
out_unref:
while (tsize > 0)
@ -903,65 +898,6 @@ out_unref:
return r < 0 ? r : 0;
}
static int nft_set_element_op_in_addr_open(
bool add,
const NFTSetContext *nft_set_context,
int af,
const union in_addr_union *address,
unsigned int prefixlen) {
_cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
const char *table, *set;
int r, nfproto;
assert(nft_set_context);
nfproto = nft_set_context->nfproto;
table = nft_set_context->table;
assert(table);
set = nft_set_context->set;
assert(set);
r = sd_nfnl_socket_open(&nfnl);
if (r < 0)
return r;
r = nft_set_element_op_in_addr(nfnl, table, set,
add, nfproto, af, address, prefixlen);
log_debug("%s NFT family %s table %s set %s IP address %s",
add ? "Added" : "Deleted",
nfproto_to_string(nfproto), table, set,
IN_ADDR_PREFIX_TO_STRING(af, address, prefixlen));
return r;
}
int nft_set_element_add_in_addr(
const NFTSetContext *nft_set_context,
int af,
const union in_addr_union *address,
unsigned int prefixlen) {
return nft_set_element_op_in_addr_open(true, nft_set_context, af, address, prefixlen);
}
int nft_set_element_del_in_addr(
const NFTSetContext *nft_set_context,
int af,
const union in_addr_union *address,
unsigned int prefixlen) {
return nft_set_element_op_in_addr_open(false, nft_set_context, af, address, prefixlen);
}
static int fw_nftables_add_masquerade_internal(
FirewallContext *ctx,
bool add,
int af,
const union in_addr_union *source,
unsigned int source_prefixlen) {
return nft_set_element_op_in_addr(ctx->nfnl, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME,
add, af, af, source, source_prefixlen);
}
int fw_nftables_add_masquerade(
FirewallContext *ctx,
bool add,
@ -1135,222 +1071,3 @@ int fw_nftables_add_local_dnat(
/* table created anew; previous address already gone */
return fw_nftables_add_local_dnat_internal(ctx, add, af, protocol, local_port, remote, remote_port, NULL);
}
static const char *const nfproto_table[] = {
[NFPROTO_ARP] = "arp",
[NFPROTO_BRIDGE] = "bridge",
[NFPROTO_INET] = "inet",
[NFPROTO_IPV4] = "ip",
[NFPROTO_IPV6] = "ip6",
[NFPROTO_NETDEV] = "netdev",
};
DEFINE_STRING_TABLE_LOOKUP(nfproto, int);
#define NFT_SET_MSGS 3
static int nft_set_element_op(bool add, const NFTSetContext *nft_set_context, void *element, size_t element_size) {
_cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
sd_netlink_message *transaction[NFT_SET_MSGS] = {};
_cleanup_free_ uint32_t *serial = NULL;
size_t tsize;
int r, nfproto;
const char *table, *set;
assert(nft_set_context);
nfproto = nft_set_context->nfproto;
table = nft_set_context->table;
assert(table);
set = nft_set_context->set;
assert(set);
assert(element);
r = sd_nfnl_socket_open(&nfnl);
if (r < 0)
return r;
r = sd_nfnl_message_batch_begin(nfnl, &transaction[0]);
if (r < 0)
return r;
tsize = 1;
if (add)
r = sd_nfnl_nft_message_new_setelems_begin(nfnl, &transaction[tsize], nfproto, table, set);
else
r = sd_nfnl_nft_message_del_setelems_begin(nfnl, &transaction[tsize], nfproto, table, set);
if (r < 0)
goto out_unref;
r = sd_nfnl_nft_message_add_setelem(transaction[tsize], 0, element, element_size, NULL, 0);
if (r < 0)
return r;
r = sd_nfnl_nft_message_add_setelem_end(transaction[tsize]);
if (r < 0)
return r;
++tsize;
assert(tsize < ELEMENTSOF(transaction));
r = sd_nfnl_message_batch_end(nfnl, &transaction[tsize]);
if (r < 0)
return r;
++tsize;
r = sd_netlink_sendv(nfnl, transaction, tsize, &serial);
out_unref:
while (tsize > 0)
sd_netlink_message_unref(transaction[--tsize]);
return r < 0 ? r : 0;
}
int nft_set_element_add_uint32(const NFTSetContext *nft_set_context, uint32_t element) {
int r;
assert(nft_set_context);
r = nft_set_element_op(true, nft_set_context, &element, sizeof(element));
if (r == 0)
log_debug("Added NFT family %s table %s set %s element %d",
nfproto_to_string(nft_set_context->nfproto), nft_set_context->table, nft_set_context->set, element);
return r;
}
int nft_set_element_del_uint32(const NFTSetContext *nft_set_context, uint32_t element) {
int r;
assert(nft_set_context);
r = nft_set_element_op(false, nft_set_context, &element, sizeof(element));
if (r == 0)
log_debug("Deleted NFT family %s table %s set %s element %d",
nfproto_to_string(nft_set_context->nfproto), nft_set_context->table, nft_set_context->set, element);
return r;
}
int nft_set_element_add_uint64(const NFTSetContext *nft_set_context, uint64_t element) {
int r;
assert(nft_set_context);
r = nft_set_element_op(true, nft_set_context, &element, sizeof(element));
if (r == 0)
log_debug("Added NFT family %s table %s set %s element %"PRIu64,
nfproto_to_string(nft_set_context->nfproto), nft_set_context->table, nft_set_context->set, element);
return r;
}
int nft_set_element_del_uint64(const NFTSetContext *nft_set_context, uint64_t element) {
int r;
assert(nft_set_context);
r = nft_set_element_op(false, nft_set_context, &element, sizeof(element));
if (r == 0)
log_debug("Deleted NFT family %s table %s set %s element %"PRIu64,
nfproto_to_string(nft_set_context->nfproto), nft_set_context->table, nft_set_context->set, element);
return r;
}
NFTSetContext* nft_set_context_free_many(NFTSetContext *s, size_t *n) {
assert(n);
assert(s || *n == 0);
for (size_t i = 0; i < *n; i++) {
free(s[i].table);
free(s[i].set);
}
free(s);
*n = 0;
return NULL;
}
int nft_set_context_add(NFTSetContext **s, size_t *n, int nfproto, const char *table, const char *set) {
_cleanup_free_ char *table_dup = NULL, *set_dup = NULL;
assert(s);
assert(n);
table_dup = strdup(table);
if (!table_dup)
return -ENOMEM;
set_dup = strdup(set);
if (!set_dup)
return -ENOMEM;
NFTSetContext *c;
c = reallocarray(*s, *n + 1, sizeof(NFTSetContext));
if (!c)
return -ENOMEM;
*s = c;
c[(*n) ++] = (NFTSetContext) {
.nfproto = nfproto,
.table = TAKE_PTR(table_dup),
.set = TAKE_PTR(set_dup),
};
return 0;
}
int config_parse_nft_set_context(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
NFTSetContext **nft_set_context,
size_t *n) {
_cleanup_free_ char *family_str = NULL, *table = NULL, *set = NULL;
int nfproto, r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(nft_set_context);
if (isempty(rvalue)) {
nft_set_context_free_many(*nft_set_context, n);
return 0;
}
for (const char *p = rvalue;;) {
r = extract_many_words(&p, ":" WHITESPACE, EXTRACT_CUNESCAPE, &family_str, &table, &set, NULL);
if (r == -ENOMEM)
return log_oom();
if (r == 0)
return 0;
if (r != 3) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse IPvxNFT set, ignoring: %s", rvalue);
return 0;
}
nfproto = nfproto_from_string(family_str);
if (nfproto < 0) {
log_syntax(unit, LOG_WARNING, filename, line, 0, "Unknown NFT protocol family, ignoring: %s", family_str);
return 0;
}
if (nft_identifier_bad(table))
return log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid table name %s, ignoring", table);
if (nft_identifier_bad(set))
return log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid set name %s, ignoring", set);
NFTSetContext *c;
c = reallocarray(*nft_set_context, *n + 1, sizeof(NFTSetContext));
if (!c)
return -ENOMEM;
*nft_set_context = c;
c[(*n) ++] = (NFTSetContext) {
.nfproto = nfproto,
.table = TAKE_PTR(table),
.set = TAKE_PTR(set),
};
}
return 0;
}
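Review bot: In the restored fw_nftables_add_masquerade_internal, the socket address family `af` is passed straight into the nfproto argument of sd_nfnl_nft_message_new_setelems_begin() and sd_nfnl_nft_message_del_setelems_begin(), which is only correct because NFPROTO_IPV4 and NFPROTO_IPV6 share the numeric values of AF_INET and AF_INET6; the removed nft_set_element_op_in_addr wrapper made that mapping visible by passing `af` as the separate nfproto parameter. A one-line comment above those two calls would keep the reasoning in the code, e.g. `/* af doubles as the nftables family here: NFPROTO_IPV4 == AF_INET and NFPROTO_IPV6 == AF_INET6 */`. The function's signature sits in the `@ -850` hunk and its body continues across the two following hunks, so the comment would land in the `@ -870` hunk.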


@ -29,43 +29,3 @@ int fw_add_local_dnat(
const union in_addr_union *remote,
uint16_t remote_port,
const union in_addr_union *previous_remote);
struct NFTSetContext {
int nfproto;
char *table;
char *set;
};
typedef struct NFTSetContext NFTSetContext;
int nft_set_context_add(NFTSetContext **s, size_t *n, int nfproto, const char *table, const char *set);
NFTSetContext* nft_set_context_free_many(NFTSetContext *s, size_t *n);
int config_parse_nft_set_context(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
NFTSetContext **nft_set_context,
size_t *n);
const char *nfproto_to_string(int i) _const_;
int nfproto_from_string(const char *s) _pure_;
int nft_set_element_add_in_addr(
const NFTSetContext *nft_set_context,
int af,
const union in_addr_union *address,
unsigned int prefixlen);
int nft_set_element_del_in_addr(
const NFTSetContext *nft_set_context,
int af,
const union in_addr_union *address,
unsigned int prefixlen);
int nft_set_element_add_uint32(const NFTSetContext *nft_set_context, uint32_t element);
int nft_set_element_del_uint32(const NFTSetContext *nft_set_context, uint32_t element);
int nft_set_element_add_uint64(const NFTSetContext *nft_set_context, uint64_t element);
int nft_set_element_del_uint64(const NFTSetContext *nft_set_context, uint64_t element);


@ -672,9 +672,6 @@ tests += [
[files('test-hmac.c')],
[files('test-sha256.c')],
[files('test-nft-set.c'),
[], [], [], '', 'manual'],
]
############################################################


@ -364,35 +364,4 @@ TEST(in_addr_to_string) {
test_in_addr_to_string_one(AF_INET6, "fe80::");
}
TEST(in_addr_prefixlen_to_netmask) {
union in_addr_union addr;
static const char *const ipv4_netmasks[] = {
"0.0.0.0", "128.0.0.0", "192.0.0.0", "224.0.0.0", "240.0.0.0",
"248.0.0.0", "252.0.0.0", "254.0.0.0", "255.0.0.0",
"255.128.0.0", "255.192.0.0", "255.224.0.0", "255.240.0.0",
"255.248.0.0", "255.252.0.0", "255.254.0.0", "255.255.0.0",
"255.255.128.0", "255.255.192.0", "255.255.224.0", "255.255.240.0",
"255.255.248.0", "255.255.252.0", "255.255.254.0", "255.255.255.0",
"255.255.255.128", "255.255.255.192", "255.255.255.224", "255.255.255.240",
"255.255.255.248", "255.255.255.252", "255.255.255.254", "255.255.255.255",
};
for (unsigned char prefixlen = 0; prefixlen <= 32; prefixlen++) {
_cleanup_free_ char *r = NULL;
assert_se(in_addr_prefixlen_to_netmask(AF_INET, &addr, prefixlen) >= 0);
assert_se(in_addr_to_string(AF_INET, &addr, &r) >= 0);
printf("test_in_addr_prefixlen_to_netmask: %s == %s\n", ipv4_netmasks[prefixlen], r);
assert_se(streq(ipv4_netmasks[prefixlen], r));
}
for (unsigned char prefixlen = 0; prefixlen <= 128; prefixlen++) {
_cleanup_free_ char *r = NULL;
assert_se(in_addr_prefixlen_to_netmask(AF_INET6, &addr, prefixlen) >= 0);
assert_se(in_addr_to_string(AF_INET6, &addr, &r) >= 0);
printf("test_in_addr_prefixlen_to_netmask: %s\n", r);
}
}
DEFINE_TEST_MAIN(LOG_DEBUG);


@ -1,69 +0,0 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <assert.h>
#include <unistd.h>
#include "firewall-util.h"
#include "in-addr-util.h"
#include "log.h"
#include "parse-util.h"
#include "string-util.h"
#include "tests.h"
int main(int argc, char **argv) {
int r;
assert_se(argc == 7);
test_setup_logging(LOG_DEBUG);
if (getuid() != 0)
return log_tests_skipped("not root");
int nfproto;
nfproto = nfproto_from_string(argv[2]);
assert_se(nfproto > 0);
const NFTSetContext nft_set_context = {
.nfproto = nfproto,
.table = argv[3],
.set = argv[4],
};
if (streq(argv[5], "uint32")) {
uint32_t element;
r = safe_atou32(argv[6], &element);
assert_se(r == 0);
if (streq(argv[1], "add"))
r = nft_set_element_add_uint32(&nft_set_context, element);
else
r = nft_set_element_del_uint32(&nft_set_context, element);
assert_se(r == 0);
} else if (streq(argv[5], "uint64")) {
uint64_t element;
r = safe_atou64(argv[6], &element);
assert_se(r == 0);
if (streq(argv[1], "add"))
r = nft_set_element_add_uint64(&nft_set_context, element);
else
r = nft_set_element_del_uint64(&nft_set_context, element);
assert_se(r == 0);
} else {
union in_addr_union addr;
int af;
unsigned char prefixlen;
r = in_addr_prefix_from_string_auto(argv[6], &af, &addr, &prefixlen);
assert_se(r == 0);
if (streq(argv[1], "add"))
r = nft_set_element_add_in_addr(&nft_set_context, af, &addr, prefixlen);
else
r = nft_set_element_del_in_addr(&nft_set_context, af, &addr, prefixlen);
assert_se(r == 0);
}
return 0;
}


@ -131,8 +131,6 @@ MUDURL=
RouteMTUBytes=
FallbackLeaseLifetimeSec=
Use6RD=
NetLabel=
NFTSet=
[DHCPv6]
UseAddress=
UseDelegatedPrefix=
@ -154,8 +152,6 @@ RouteMetric=
IAID=
DUIDType=
DUIDRawData=
NetLabel=
NFTSet=
[DHCPv6PrefixDelegation]
SubnetId=
Announce=
@ -163,7 +159,6 @@ Assign=
ManageTemporaryAddress=
Token=
RouteMetric=
NetLabel=
[DHCPPrefixDelegation]
UplinkInterface=
SubnetId=
@ -172,8 +167,6 @@ Assign=
ManageTemporaryAddress=
Token=
RouteMetric=
NetLabel=
NFTSet=
[Route]
Destination=
Protocol=
@ -260,8 +253,6 @@ DHCPv6PrefixDelegation=
DHCPPrefixDelegation=
BatmanAdvanced=
IPoIB=
IPv4NFTSet=
IPv6NFTSet=
[IPv6Prefix]
Prefix=
OnLink=
@ -352,8 +343,6 @@ EmitDomains=
Managed=
OtherInformation=
UplinkInterface=
NetLabel=
NFTSet=
[IPv6PrefixDelegation]
RouterPreference=
DNSLifetimeSec=


@ -28,7 +28,6 @@ Capabilities=
CapabilityBoundingSet=
ConfigurationDirectory=
ConfigurationDirectoryMode=
ControlGroupNFTSet=
CoredumpFilter=
DefaultMemoryLow=
DefaultMemoryMin=
@ -38,7 +37,6 @@ DevicePolicy=
DirectoryMode=
DisableControllers=
DynamicUser=
DynamicUserNFTSet=
Environment=
EnvironmentFile=
ExecPaths=


@ -8,7 +8,6 @@ BlockIODeviceWeight=
BlockIOReadBandwidth=
BlockIOWeight=
BlockIOWriteBandwidth=
ControlGroupNFTSet=
CPUAccounting=
CPUQuota=
CPUQuotaPeriodSec=


@ -72,7 +72,6 @@ ConditionSecurity=
ConditionUser=
ConditionVirtualization=
Conflicts=
ControlGroupNFTSet=
DefaultDependencies=
Description=
Documentation=
@ -160,7 +159,6 @@ DeviceAllow=
DevicePolicy=
DisableControllers=
DynamicUser=
DynamicUserNFTSet=
Environment=
EnvironmentFile=
ExecCondition=


@ -8,7 +8,6 @@ BlockIODeviceWeight=
BlockIOReadBandwidth=
BlockIOWeight=
BlockIOWriteBandwidth=
ControlGroupNFTSet=
CPUAccounting=
CPUQuota=
CPUQuotaPeriodSec=


@ -33,7 +33,6 @@ Capabilities=
CapabilityBoundingSet=
ConfigurationDirectory=
ConfigurationDirectoryMode=
ControlGroupNFTSet=
CoredumpFilter=
DefaultMemoryLow=
DefaultMemoryMin=
@ -44,7 +43,6 @@ DevicePolicy=
DirectoryMode=
DisableControllers=
DynamicUser=
DynamicUserNFTSet=
Environment=
EnvironmentFile=
ExecPaths=


@ -28,7 +28,6 @@ Capabilities=
CapabilityBoundingSet=
ConfigurationDirectory=
ConfigurationDirectoryMode=
ControlGroupNFTSet=
CoredumpFilter=
DefaultMemoryLow=
DefaultMemoryMin=
@ -37,7 +36,6 @@ DeviceAllow=
DevicePolicy=
DisableControllers=
DynamicUser=
DynamicUserNFTSet=
Environment=
EnvironmentFile=
ExecPaths=