mirror of
https://github.com/systemd/systemd.git
synced 2024-12-25 01:34:28 +03:00
Merge pull request #19567 from poettering/ipv4-ipv6-lowercase
various follow-ups to socket-bind logic
commit
c799d93cfa
@ -775,7 +775,7 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook
|
||||
|
||||
<para><replaceable>bind-rule</replaceable> := [<replaceable>address-family</replaceable><constant>:</constant>]<replaceable>ip-ports</replaceable></para>
|
||||
|
||||
<para><replaceable>address-family</replaceable> := { <constant>IPv4</constant> | <constant>IPv6</constant> }</para>
|
||||
<para><replaceable>address-family</replaceable> := { <constant>ipv4</constant> | <constant>ipv6</constant> }</para>
|
||||
|
||||
<para><replaceable>ip-ports</replaceable> := { <replaceable>ip-port</replaceable> | <replaceable>ip-port-range</replaceable> |
|
||||
<constant>any</constant> }</para>
|
||||
@ -812,7 +812,7 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook
|
||||
<para>Examples:<programlisting>…
|
||||
# Allow binding IPv6 socket addresses with a port greater than or equal to 10000.
|
||||
[Service]
|
||||
SocketBindAllow=IPv6:10000-65535
|
||||
SocketBindAllow=ipv6:10000-65535
|
||||
SocketBindDeny=any
|
||||
…
|
||||
# Allow binding IPv4 and IPv6 socket addresses with 1234 and 4321 ports.
|
||||
@ -823,7 +823,7 @@ SocketBindDeny=any
|
||||
…
|
||||
# Deny binding IPv6 socket addresses.
|
||||
[Service]
|
||||
SocketBindDeny=IPv6:any
|
||||
SocketBindDeny=ipv6:any
|
||||
…
|
||||
# Deny binding IPv4 and IPv6 socket addresses.
|
||||
[Service]
|
||||
|
@ -38,3 +38,15 @@ int af_from_name(const char *name) {
|
||||
int af_max(void) {
|
||||
return ELEMENTSOF(af_names);
|
||||
}
|
||||
|
||||
const char *af_to_ipv4_ipv6(int id) {
|
||||
/* Pretty often we want to map the address family to the typically used protocol name for IPv4 +
|
||||
* IPv6. Let's add special helpers for that. */
|
||||
return id == AF_INET ? "ipv4" :
|
||||
id == AF_INET6 ? "ipv6" : NULL;
|
||||
}
|
||||
|
||||
int af_from_ipv4_ipv6(const char *af) {
|
||||
return streq_ptr(af, "ipv4") ? AF_INET :
|
||||
streq_ptr(af, "ipv6") ? AF_INET6 : AF_UNSPEC;
|
||||
}
|
||||
|
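Review bot: The comment on `af_to_ipv4_ipv6()` does not say that it returns NULL for every family other than AF_INET and AF_INET6, and `af_from_ipv4_ipv6()` has no comment at all, although this commit makes it the validation point for the address-family token in `config_parse_cgroup_socket_bind()`, `bus_append_cgroup_property()` and `parse_tcp_address()`. I would extend the first comment with `/* Returns NULL for any other family; wrap in strempty()/strna() before handing it to a format string. */`. Above the second I would add `/* Case-sensitive match; returns AF_UNSPEC for NULL or any other string, which callers must treat as a parse error. */`.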
@ -22,4 +22,7 @@ static inline const char* af_to_name_short(int id) {
|
||||
return f + 3;
|
||||
}
|
||||
|
||||
const char* af_to_ipv4_ipv6(int id);
|
||||
int af_from_ipv4_ipv6(const char *af);
|
||||
|
||||
int af_max(void);
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
#include "sd-messages.h"
|
||||
|
||||
#include "af-list.h"
|
||||
#include "alloc-util.h"
|
||||
#include "blockdev-util.h"
|
||||
#include "bpf-devices.h"
|
||||
@ -202,12 +203,10 @@ void cgroup_context_remove_bpf_foreign_program(CGroupContext *c, CGroupBPFForeig
|
||||
}
|
||||
|
||||
void cgroup_context_remove_socket_bind(CGroupSocketBindItem **head) {
|
||||
CGroupSocketBindItem *h;
|
||||
|
||||
assert(head);
|
||||
|
||||
while (*head) {
|
||||
h = *head;
|
||||
CGroupSocketBindItem *h = *head;
|
||||
LIST_REMOVE(socket_bind_items, *head, h);
|
||||
free(h);
|
||||
}
|
||||
@ -594,16 +593,18 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) {
|
||||
}
|
||||
|
||||
void cgroup_context_dump_socket_bind_item(const CGroupSocketBindItem *item, FILE *f) {
|
||||
const char *family = item->address_family == AF_INET ? "IPv4:" :
|
||||
item->address_family == AF_INET6 ? "IPv6:" : "";
|
||||
const char *family, *colon;
|
||||
|
||||
family = strempty(af_to_ipv4_ipv6(item->address_family));
|
||||
colon = isempty(family) ? "" : ":";
|
||||
|
||||
if (item->nr_ports == 0)
|
||||
fprintf(f, " %sany", family);
|
||||
fprintf(f, " %s%sany", family, colon);
|
||||
else if (item->nr_ports == 1)
|
||||
fprintf(f, " %s%" PRIu16, family, item->port_min);
|
||||
fprintf(f, " %s%s%" PRIu16, family, colon, item->port_min);
|
||||
else {
|
||||
uint16_t port_max = item->port_min + item->nr_ports - 1;
|
||||
fprintf(f, " %s%" PRIu16 "-%" PRIu16, family, item->port_min, port_max);
|
||||
fprintf(f, " %s%s%" PRIu16 "-%" PRIu16, family, colon, item->port_min, port_max);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1580,7 +1581,7 @@ static bool unit_get_needs_socket_bind(Unit *u) {
|
||||
if (!c)
|
||||
return false;
|
||||
|
||||
return c->socket_bind_allow != NULL || c->socket_bind_deny != NULL;
|
||||
return c->socket_bind_allow || c->socket_bind_deny;
|
||||
}
|
||||
|
||||
static CGroupMask unit_get_cgroup_mask(Unit *u) {
|
||||
|
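Review bot: In `cgroup_context_dump_socket_bind_item()` the new `strempty(af_to_ipv4_ipv6(...))` maps every family other than AF_INET/AF_INET6 to an empty prefix, so a rule carrying an unexpected family value is dumped exactly like an AF_UNSPEC rule that covers both families. The same pattern is in the `SocketBindAllow`/`SocketBindDeny` branch of `print_property()`, where `af` is read from a bus message rather than from parsed configuration. Someone auditing the effective bind policy from this output cannot tell the two cases apart. In the dump function `assert(IN_SET(item->address_family, AF_UNSPEC, AF_INET, AF_INET6));` would document the invariant, assuming the parser is the only producer; in `print_property()` printing the numeric family for unknown values would be safer than dropping it.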
@ -5653,13 +5653,10 @@ int config_parse_cgroup_socket_bind(
|
||||
}
|
||||
|
||||
if (rvalue) {
|
||||
if (streq(word, "IPv4"))
|
||||
af = AF_INET;
|
||||
else if (streq(word, "IPv6"))
|
||||
af = AF_INET6;
|
||||
else {
|
||||
af = af_from_ipv4_ipv6(word);
|
||||
if (af == AF_UNSPEC) {
|
||||
log_syntax(unit, LOG_WARNING, filename, line, 0,
|
||||
"Only IPv4 and IPv6 protocols are supported, ignoring.");
|
||||
"Only \"ipv4\" and \"ipv6\" protocols are supported, ignoring.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
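Review bot: The warning in the `af == AF_UNSPEC` branch does not name the rejected token, and the line is then dropped with `return 0`, so a `SocketBindDeny=` rule whose family fails to parse leaves the unit less restricted than its author intended, with only a generic log line as evidence. Since `af_from_ipv4_ipv6()` compares case-sensitively, the `IPv4`/`IPv6` spelling accepted before this change now takes that path; whether any deployed unit files use it cannot be seen from this hunk. I would at least log the value, `"Only \"ipv4\" and \"ipv6\" protocols are supported, ignoring: %s", word);`, and the matching `log_error_errno()` message in `bus_append_cgroup_property()` could include `address_family` the same way. The enclosing `config_parse_cgroup_socket_bind()` starts and ends outside the hunk.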
@ -8,6 +8,7 @@
|
||||
|
||||
#include "sd-daemon.h"
|
||||
|
||||
#include "af-list.h"
|
||||
#include "alloc-util.h"
|
||||
#include "def.h"
|
||||
#include "errno-util.h"
|
||||
@ -498,7 +499,7 @@ static int accept_connection(
|
||||
|
||||
log_debug("Accepted %s %s connection from %s",
|
||||
type,
|
||||
socket_address_family(addr) == AF_INET ? "IP" : "IPv6",
|
||||
af_to_ipv4_ipv6(socket_address_family(addr)),
|
||||
a);
|
||||
|
||||
*hostname = b;
|
||||
|
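Review bot: `af_to_ipv4_ipv6()` returns NULL for any family other than AF_INET/AF_INET6, and here its result goes straight into the `%s` of `log_debug()`, whereas the replaced ternary always produced a string. Passing NULL to `%s` is undefined behaviour, so unless the code before this hunk already restricts `addr` to those two families (not visible here), the argument should be `strna(af_to_ipv4_ipv6(socket_address_family(addr))),`. The other new callers in this commit guard the result with `strempty()`. `accept_connection()` starts and ends outside the hunk.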
@ -12,6 +12,7 @@
|
||||
|
||||
#include "sd-bus.h"
|
||||
|
||||
#include "af-list.h"
|
||||
#include "alloc-util.h"
|
||||
#include "bus-container.h"
|
||||
#include "bus-control.h"
|
||||
@ -821,11 +822,8 @@ static int parse_tcp_address(sd_bus *b, const char **p, char **guid) {
|
||||
return -EINVAL;
|
||||
|
||||
if (family) {
|
||||
if (streq(family, "ipv4"))
|
||||
hints.ai_family = AF_INET;
|
||||
else if (streq(family, "ipv6"))
|
||||
hints.ai_family = AF_INET6;
|
||||
else
|
||||
hints.ai_family = af_from_ipv4_ipv6(family);
|
||||
if (hints.ai_family == AF_UNSPEC)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,6 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "af-list.h"
|
||||
#include "alloc-util.h"
|
||||
#include "bus-error.h"
|
||||
#include "bus-unit-util.h"
|
||||
@ -879,14 +880,10 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
|
||||
|
||||
address_family = eq ? word : NULL;
|
||||
if (address_family) {
|
||||
if (!STR_IN_SET(address_family, "IPv4", "IPv6"))
|
||||
family = af_from_ipv4_ipv6(address_family);
|
||||
if (family == AF_UNSPEC)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Only IPv4 and IPv6 protocols are supported");
|
||||
|
||||
if (streq(address_family, "IPv4"))
|
||||
family = AF_INET;
|
||||
else
|
||||
family = AF_INET6;
|
||||
"Only \"ipv4\" and \"ipv6\" protocols are supported");
|
||||
}
|
||||
|
||||
user_port = eq ? eq : word;
|
||||
|
@ -2,6 +2,7 @@
|
||||
|
||||
#include <sys/mount.h>
|
||||
|
||||
#include "af-list.h"
|
||||
#include "bus-error.h"
|
||||
#include "bus-locator.h"
|
||||
#include "bus-map-properties.h"
|
||||
@ -1710,22 +1711,25 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m
|
||||
return 1;
|
||||
} else if (STR_IN_SET(name, "SocketBindAllow", "SocketBindDeny")) {
|
||||
uint16_t nr_ports, port_min;
|
||||
const char *family;
|
||||
int af;
|
||||
|
||||
r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "(iqq)");
|
||||
if (r < 0)
|
||||
return bus_log_parse_error(r);
|
||||
while ((r = sd_bus_message_read(m, "(iqq)", &af, &nr_ports, &port_min)) > 0) {
|
||||
family = af == AF_INET ? "IPv4:" : af == AF_INET6 ? "IPv6:" : "";
|
||||
const char *family, *colon;
|
||||
|
||||
family = strempty(af_to_ipv4_ipv6(af));
|
||||
colon = isempty(family) ? "" : ":";
|
||||
|
||||
if (nr_ports == 0)
|
||||
bus_print_property_valuef(name, expected_value, flags, "%sany", family);
|
||||
bus_print_property_valuef(name, expected_value, flags, "%s%sany", family, colon);
|
||||
else if (nr_ports == 1)
|
||||
bus_print_property_valuef(
|
||||
name, expected_value, flags, "%s%hu", family, port_min);
|
||||
name, expected_value, flags, "%s%s%hu", family, colon, port_min);
|
||||
else
|
||||
bus_print_property_valuef(
|
||||
name, expected_value, flags, "%s%hu-%hu", family, port_min,
|
||||
name, expected_value, flags, "%s%s%hu-%hu", family, colon, port_min,
|
||||
(uint16_t) (port_min + nr_ports - 1));
|
||||
}
|
||||
if (r < 0)
|
||||
|
@ -141,8 +141,8 @@ int main(int argc, char *argv[]) {
|
||||
assert_se(manager_startup(m, NULL, NULL) >= 0);
|
||||
|
||||
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "2000", STRV_MAKE("2000"), STRV_MAKE("any")) >= 0);
|
||||
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "2000", STRV_MAKE("IPv6:2001-2002"), STRV_MAKE("any")) >= 0);
|
||||
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "6666", STRV_MAKE("IPv4:6666", "6667"), STRV_MAKE("any")) >= 0);
|
||||
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "2000", STRV_MAKE("ipv6:2001-2002"), STRV_MAKE("any")) >= 0);
|
||||
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "6666", STRV_MAKE("ipv4:6666", "6667"), STRV_MAKE("any")) >= 0);
|
||||
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "6666", STRV_MAKE("6667", "6668", ""), STRV_MAKE("any")) >= 0);
|
||||
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "7777", STRV_MAKE_EMPTY, STRV_MAKE_EMPTY) >= 0);
|
||||
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "8888", STRV_MAKE("any"), STRV_MAKE("any")) >= 0);
|
||||
|
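Review bot: The updated cases only exercise the accepted lowercase spelling; nothing checks that a family token the parser should reject is actually rejected. A pair of direct checks on the new helper would pin that down: `assert_se(af_from_ipv4_ipv6("IPv4") == AF_UNSPEC);` and `assert_se(af_from_ipv4_ipv6(NULL) == AF_UNSPEC);`. `main()` starts and ends outside the hunk.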