diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index ffb0f49cd6b..62cbe08f13f 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -141,6 +141,9 @@ void cgroup_context_done(CGroupContext *c) {
 while (c->device_allow)
 cgroup_context_free_device_allow(c, c->device_allow);
+
+ c->ip_address_allow = ip_address_access_free_all(c->ip_address_allow);
+ c->ip_address_deny = ip_address_access_free_all(c->ip_address_deny);
 }
 void cgroup_context_dump(CGroupContext *c, FILE* f, const char *prefix) {
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
index 4cd168f63e5..2baf4d20e99 100644
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
@@ -21,9 +21,10 @@
 #include
+#include "cgroup-util.h"
+#include "ip-address-access.h"
 #include "list.h"
 #include "time-util.h"
-#include "cgroup-util.h"
 typedef struct CGroupContext CGroupContext;
 typedef struct CGroupDeviceAllow CGroupDeviceAllow;
@@ -87,6 +88,7 @@ struct CGroupContext {
 bool blockio_accounting;
 bool memory_accounting;
 bool tasks_accounting;
+ bool ip_accounting;
 /* For unified hierarchy */
 uint64_t cpu_weight;
@@ -103,6 +105,9 @@ struct CGroupContext {
 uint64_t memory_max;
 uint64_t memory_swap_max;
+ LIST_HEAD(IPAddressAccessItem, ip_address_allow);
+ LIST_HEAD(IPAddressAccessItem, ip_address_deny);
+
 /* For legacy hierarchies */
 uint64_t cpu_shares;
 uint64_t startup_cpu_shares;
diff --git a/src/core/manager.h b/src/core/manager.h
index 713d2db70cd..8880b3aab53 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -29,6 +29,7 @@
 #include "cgroup-util.h"
 #include "fdset.h"
 #include "hashmap.h"
+#include "ip-address-access.h"
 #include "list.h"
 #include "ratelimit.h"
diff --git a/src/core/system.conf b/src/core/system.conf
index 746572b7ff2..88f646e2fe1 100644
--- a/src/core/system.conf
+++ b/src/core/system.conf
@@ -60,3 +60,5 @@
 #DefaultLimitNICE=
 #DefaultLimitRTPRIO=
 #DefaultLimitRTTIME=
+#IPAddressAllow=
+#IPAddressDeny=
diff --git a/src/core/unit.c b/src/core/unit.c
index df89f3d01f1..6451b755607 100644
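Review bot: The two `LIST_HEAD` members added to `struct CGroupContext` carry no comment saying what happens when an address matches both the allow and the deny list, which is the one property a reader of a firewall configuration struct needs first. The struct begins and ends outside the hunk and the precedence is presumably decided by whatever consumes the lists (not visible here), so the comment should state it rather than leave it implicit; I'd put above the two lines `/* IPAddressAllow=/IPAddressDeny= entries in unit-file order; precedence between the two lists is defined by the consumer of the lists, not by their position here */`. It would also help to record that the context owns both lists and releases them in cgroup_context_done(), which the cgroup.c hunk of this same commit does.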
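Review bot: The two new `#IPAddressAllow=` / `#IPAddressDeny=` lines in system.conf break the `Default*` naming of every neighbouring entry, and nothing else in this commit adds a [Manager]-level parser or default for them, while unit_init() reads `u->manager->default_ip_accounting`, which suggests the template should instead (or additionally) carry `#DefaultIPAccounting=`. I cannot see the [Manager] config table from here, but if it does not parse IPAddressAllow=/IPAddressDeny= these lines advertise an option that is silently ignored, which for a firewall knob is the worst failure mode: an administrator believes a deny list is in force when it is not. Please check the config table and either rename the two lines to keys that are actually parsed or drop them.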
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -35,6 +35,7 @@
 #include "dropin.h"
 #include "escape.h"
 #include "execute.h"
+#include "fd-util.h"
 #include "fileio-label.h"
 #include "format-util.h"
 #include "id128-util.h"
@@ -103,6 +104,13 @@ Unit *unit_new(Manager *m, size_t size) {
 u->ref_gid = GID_INVALID;
 u->cpu_usage_last = NSEC_INFINITY;
+ u->ip_accounting_ingress_map_fd = -1;
+ u->ip_accounting_egress_map_fd = -1;
+ u->ipv4_allow_map_fd = -1;
+ u->ipv6_allow_map_fd = -1;
+ u->ipv4_deny_map_fd = -1;
+ u->ipv6_deny_map_fd = -1;
+
 RATELIMIT_INIT(u->start_limit, m->default_start_limit_interval, m->default_start_limit_burst);
 RATELIMIT_INIT(u->auto_stop_ratelimit, 10 * USEC_PER_SEC, 16);
@@ -156,6 +164,7 @@ static void unit_init(Unit *u) {
 cc->blockio_accounting = u->manager->default_blockio_accounting;
 cc->memory_accounting = u->manager->default_memory_accounting;
 cc->tasks_accounting = u->manager->default_tasks_accounting;
+ cc->ip_accounting = u->manager->default_ip_accounting;
 if (u->type != UNIT_SLICE)
 cc->tasks_max = u->manager->default_tasks_max;
@@ -610,6 +619,17 @@ void unit_free(Unit *u) {
 while (u->refs)
 unit_ref_unset(u->refs);
+ safe_close(u->ip_accounting_ingress_map_fd);
+ safe_close(u->ip_accounting_egress_map_fd);
+
+ safe_close(u->ipv4_allow_map_fd);
+ safe_close(u->ipv6_allow_map_fd);
+ safe_close(u->ipv4_deny_map_fd);
+ safe_close(u->ipv6_deny_map_fd);
+
+ bpf_program_unref(u->ip_bpf_ingress);
+ bpf_program_unref(u->ip_bpf_egress);
+
 free(u);
 }
diff --git a/src/core/unit.h b/src/core/unit.h
index 4d9751a4069..95c41fcceae 100644
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -28,6 +28,7 @@ typedef struct UnitVTable UnitVTable;
 typedef struct UnitRef UnitRef;
 typedef struct UnitStatusMessageFormats UnitStatusMessageFormats;
+#include "bpf-program.h"
 #include "condition.h"
 #include "emergency-action.h"
 #include "install.h"
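Review bot: The six map fds are set to -1 in unit_new() without recording why, and the two `BPFProgram *` members that unit_free() later unrefs are not initialised in the same place; whether that is safe depends on the allocation earlier in unit_new() being zeroed, which is outside the hunk (the function begins and ends outside it). A one-line comment above the block would make the invariant explicit: `/* BPF map fds: -1 means "not set up"; 0 is a valid descriptor, so a zeroed struct is not enough */`. If the allocation is not a zeroing one, add `u->ip_bpf_ingress = u->ip_bpf_egress = NULL;` alongside so the unref calls in unit_free() never see garbage.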
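Review bot: The unit_free() hunk closes the map fds and drops the unit's references on the two BPF programs, but nothing in it detaches the programs from the unit's cgroup first; if bpf_program_unref() only releases the userspace reference (its definition is not visible here), a program still attached in the kernel outlives the Unit and keeps filtering whatever later lands in that cgroup, which will confuse anyone debugging connectivity after a daemon reload. If detachment is guaranteed by the cgroup teardown that runs earlier in unit_free() (the function starts outside the hunk), say so where the unrefs are, e.g. `/* programs were detached when the cgroup was pruned above; this only drops our references */`. Otherwise the detach belongs before the two bpf_program_unref() calls.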
@@ -205,6 +206,18 @@ struct Unit {
 CGroupMask cgroup_members_mask;
 int cgroup_inotify_wd;
+ /* IP BPF Firewalling/accounting */
+ int ip_accounting_ingress_map_fd;
+ int ip_accounting_egress_map_fd;
+
+ int ipv4_allow_map_fd;
+ int ipv6_allow_map_fd;
+ int ipv4_deny_map_fd;
+ int ipv6_deny_map_fd;
+
+ BPFProgram *ip_bpf_ingress;
+ BPFProgram *ip_bpf_egress;
+
 /* How to start OnFailure units */
 JobMode on_failure_job_mode;
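Review bot: The new block in `struct Unit` (the struct begins and ends outside the hunk) names the fields but not the ownership contract the rest of this commit relies on: the fds are owned by the unit, are -1 until set up and are closed in unit_free(), and the two BPFProgram pointers are reference-counted and unref'd there as well. I'd extend the existing one-line comment to `/* IP BPF firewalling/accounting. Map fds are owned by this unit (-1 = not set up; closed in unit_free()); the programs are refcounted and unref'd in unit_free(). Which of allow/deny wins on overlap is not determined by these fields. */`. The last sentence should be replaced by the actual rule once it is pinned down, since that precedence is the security-relevant property of these fields.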