
Merge pull request #19567 from poettering/ipv4-ipv6-lowercase

various follow-ups to socket-bind logic
Zbigniew Jędrzejewski-Szmek 2021-05-12 12:21:58 +02:00 committed by GitHub
commit c799d93cfa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 51 additions and 38 deletions


@ -775,7 +775,7 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook
<para><replaceable>bind-rule</replaceable> := [<replaceable>address-family</replaceable><constant>:</constant>]<replaceable>ip-ports</replaceable></para>
<para><replaceable>address-family</replaceable> := { <constant>IPv4</constant> | <constant>IPv6</constant> }</para>
<para><replaceable>address-family</replaceable> := { <constant>ipv4</constant> | <constant>ipv6</constant> }</para>
<para><replaceable>ip-ports</replaceable> := { <replaceable>ip-port</replaceable> | <replaceable>ip-port-range</replaceable> |
<constant>any</constant> }</para>
@ -812,7 +812,7 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook
<para>Examples:<programlisting>
# Allow binding IPv6 socket addresses with a port greater than or equal to 10000.
[Service]
SocketBindAllow=IPv6:10000-65535
SocketBindAllow=ipv6:10000-65535
SocketBindDeny=any
# Allow binding IPv4 and IPv6 socket addresses with 1234 and 4321 ports.
@ -823,7 +823,7 @@ SocketBindDeny=any
# Deny binding IPv6 socket addresses.
[Service]
SocketBindDeny=IPv6:any
SocketBindDeny=ipv6:any
# Deny binding IPv4 and IPv6 socket addresses.
[Service]


@ -38,3 +38,15 @@ int af_from_name(const char *name) {
int af_max(void) {
return ELEMENTSOF(af_names);
}
const char *af_to_ipv4_ipv6(int id) {
/* Pretty often we want to map the address family to the typically used protocol name for IPv4 +
* IPv6. Let's add special helpers for that. */
return id == AF_INET ? "ipv4" :
id == AF_INET6 ? "ipv6" : NULL;
}
int af_from_ipv4_ipv6(const char *af) {
return streq_ptr(af, "ipv4") ? AF_INET :
streq_ptr(af, "ipv6") ? AF_INET6 : AF_UNSPEC;
}
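Review bot: af_from_ipv4_ipv6() on the last four lines of the hunk folds two distinct situations into AF_UNSPEC — a NULL `af` (streq_ptr() simply returns false) and an unrecognised string — so a caller passing an optional family cannot distinguish "not given" from "invalid"; every caller in this commit guards the call with a non-NULL check first, so nothing breaks today, but the contract is unstated. The match is also exact-case, which means the `IPv4`/`IPv6` spelling the man page documented until this commit is rejected wherever this helper is now used. A one-line comment on the function would pin both points for the next caller, e.g. `/* Exact-case match; NULL or any other string maps to AF_UNSPEC. */`.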


@ -22,4 +22,7 @@ static inline const char* af_to_name_short(int id) {
return f + 3;
}
const char* af_to_ipv4_ipv6(int id);
int af_from_ipv4_ipv6(const char *af);
int af_max(void);


@ -4,6 +4,7 @@
#include "sd-messages.h"
#include "af-list.h"
#include "alloc-util.h"
#include "blockdev-util.h"
#include "bpf-devices.h"
@ -202,12 +203,10 @@ void cgroup_context_remove_bpf_foreign_program(CGroupContext *c, CGroupBPFForeig
}
void cgroup_context_remove_socket_bind(CGroupSocketBindItem **head) {
CGroupSocketBindItem *h;
assert(head);
while (*head) {
h = *head;
CGroupSocketBindItem *h = *head;
LIST_REMOVE(socket_bind_items, *head, h);
free(h);
}
@ -594,16 +593,18 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) {
}
void cgroup_context_dump_socket_bind_item(const CGroupSocketBindItem *item, FILE *f) {
const char *family = item->address_family == AF_INET ? "IPv4:" :
item->address_family == AF_INET6 ? "IPv6:" : "";
const char *family, *colon;
family = strempty(af_to_ipv4_ipv6(item->address_family));
colon = isempty(family) ? "" : ":";
if (item->nr_ports == 0)
fprintf(f, " %sany", family);
fprintf(f, " %s%sany", family, colon);
else if (item->nr_ports == 1)
fprintf(f, " %s%" PRIu16, family, item->port_min);
fprintf(f, " %s%s%" PRIu16, family, colon, item->port_min);
else {
uint16_t port_max = item->port_min + item->nr_ports - 1;
fprintf(f, " %s%" PRIu16 "-%" PRIu16, family, item->port_min, port_max);
fprintf(f, " %s%s%" PRIu16 "-%" PRIu16, family, colon, item->port_min, port_max);
}
}
@ -1580,7 +1581,7 @@ static bool unit_get_needs_socket_bind(Unit *u) {
if (!c)
return false;
return c->socket_bind_allow != NULL || c->socket_bind_deny != NULL;
return c->socket_bind_allow || c->socket_bind_deny;
}
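Review bot: The three-line family/colon computation in cgroup_context_dump_socket_bind_item() (`family = strempty(af_to_ipv4_ipv6(...)); colon = isempty(family) ? "" : ":";`) is repeated verbatim in the systemctl-show.c print_property() hunk later in this commit, and both then thread `family, colon` through every format call. Since the only thing the two sites differ in is the output function, a small shared helper next to af_to_ipv4_ipv6() that returns the `"ipv4:"`/`"ipv6:"`/`""` prefix in one go would let both call sites go back to a single `%s` and keep the two outputs from drifting apart. The remaining hunks in this file (the loop-local `h` and the boolean simplification in unit_get_needs_socket_bind()) are fine as written.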
static CGroupMask unit_get_cgroup_mask(Unit *u) {


@ -5653,13 +5653,10 @@ int config_parse_cgroup_socket_bind(
}
if (rvalue) {
if (streq(word, "IPv4"))
af = AF_INET;
else if (streq(word, "IPv6"))
af = AF_INET6;
else {
af = af_from_ipv4_ipv6(word);
if (af == AF_UNSPEC) {
log_syntax(unit, LOG_WARNING, filename, line, 0,
"Only IPv4 and IPv6 protocols are supported, ignoring.");
"Only \"ipv4\" and \"ipv6\" protocols are supported, ignoring.");
return 0;
}
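Review bot: When af_from_ipv4_ipv6() yields AF_UNSPEC the parser only logs at LOG_WARNING and returns 0, which appears to drop the whole `SocketBindAllow=`/`SocketBindDeny=` assignment; a unit still written with the `IPv4:`/`IPv6:` spelling that the man page documented until this commit therefore loses its rule, and for a Deny rule that leaves the service less restricted than its author intended, with nothing but a warning in the journal to show for it. If the old spelling is not meant to keep working, the message should say that the match is case-sensitive, e.g. `"Only \"ipv4\" and \"ipv6\" protocols are supported (case-sensitive), ignoring."`; if it is meant to keep working, lower-case `word` (or compare case-insensitively) before calling af_from_ipv4_ipv6(). config_parse_cgroup_socket_bind() starts before the hunk, so I cannot see whether the caller treats the ignored assignment any differently.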


@ -8,6 +8,7 @@
#include "sd-daemon.h"
#include "af-list.h"
#include "alloc-util.h"
#include "def.h"
#include "errno-util.h"
@ -498,7 +499,7 @@ static int accept_connection(
log_debug("Accepted %s %s connection from %s",
type,
socket_address_family(addr) == AF_INET ? "IP" : "IPv6",
af_to_ipv4_ipv6(socket_address_family(addr)),
a);
*hostname = b;
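Review bot: af_to_ipv4_ipv6() returns NULL for any family other than AF_INET/AF_INET6, and the new argument line in accept_connection() passes that straight to a `%s` in log_debug(); the expression it replaces always produced a string. Whether a non-IP family can reach this point I cannot tell from the hunk (the `type` argument on the line above hints that more than one socket kind is handled, and the function starts outside the hunk), but passing NULL to `%s` is undefined behaviour rather than a cosmetic "(null)", so it is cheaper to guard than to reason about: `strna(af_to_ipv4_ipv6(socket_address_family(addr))),`.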


@ -12,6 +12,7 @@
#include "sd-bus.h"
#include "af-list.h"
#include "alloc-util.h"
#include "bus-container.h"
#include "bus-control.h"
@ -821,11 +822,8 @@ static int parse_tcp_address(sd_bus *b, const char **p, char **guid) {
return -EINVAL;
if (family) {
if (streq(family, "ipv4"))
hints.ai_family = AF_INET;
else if (streq(family, "ipv6"))
hints.ai_family = AF_INET6;
else
hints.ai_family = af_from_ipv4_ipv6(family);
if (hints.ai_family == AF_UNSPEC)
return -EINVAL;
}


@ -1,5 +1,6 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "af-list.h"
#include "alloc-util.h"
#include "bus-error.h"
#include "bus-unit-util.h"
@ -879,14 +880,10 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
address_family = eq ? word : NULL;
if (address_family) {
if (!STR_IN_SET(address_family, "IPv4", "IPv6"))
family = af_from_ipv4_ipv6(address_family);
if (family == AF_UNSPEC)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Only IPv4 and IPv6 protocols are supported");
if (streq(address_family, "IPv4"))
family = AF_INET;
else
family = AF_INET6;
"Only \"ipv4\" and \"ipv6\" protocols are supported");
}
user_port = eq ? eq : word;


@ -2,6 +2,7 @@
#include <sys/mount.h>
#include "af-list.h"
#include "bus-error.h"
#include "bus-locator.h"
#include "bus-map-properties.h"
@ -1710,22 +1711,25 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m
return 1;
} else if (STR_IN_SET(name, "SocketBindAllow", "SocketBindDeny")) {
uint16_t nr_ports, port_min;
const char *family;
int af;
r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "(iqq)");
if (r < 0)
return bus_log_parse_error(r);
while ((r = sd_bus_message_read(m, "(iqq)", &af, &nr_ports, &port_min)) > 0) {
family = af == AF_INET ? "IPv4:" : af == AF_INET6 ? "IPv6:" : "";
const char *family, *colon;
family = strempty(af_to_ipv4_ipv6(af));
colon = isempty(family) ? "" : ":";
if (nr_ports == 0)
bus_print_property_valuef(name, expected_value, flags, "%sany", family);
bus_print_property_valuef(name, expected_value, flags, "%s%sany", family, colon);
else if (nr_ports == 1)
bus_print_property_valuef(
name, expected_value, flags, "%s%hu", family, port_min);
name, expected_value, flags, "%s%s%hu", family, colon, port_min);
else
bus_print_property_valuef(
name, expected_value, flags, "%s%hu-%hu", family, port_min,
name, expected_value, flags, "%s%s%hu-%hu", family, colon, port_min,
(uint16_t) (port_min + nr_ports - 1));
}
if (r < 0)


@ -141,8 +141,8 @@ int main(int argc, char *argv[]) {
assert_se(manager_startup(m, NULL, NULL) >= 0);
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "2000", STRV_MAKE("2000"), STRV_MAKE("any")) >= 0);
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "2000", STRV_MAKE("IPv6:2001-2002"), STRV_MAKE("any")) >= 0);
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "6666", STRV_MAKE("IPv4:6666", "6667"), STRV_MAKE("any")) >= 0);
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "2000", STRV_MAKE("ipv6:2001-2002"), STRV_MAKE("any")) >= 0);
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "6666", STRV_MAKE("ipv4:6666", "6667"), STRV_MAKE("any")) >= 0);
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "6666", STRV_MAKE("6667", "6668", ""), STRV_MAKE("any")) >= 0);
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "7777", STRV_MAKE_EMPTY, STRV_MAKE_EMPTY) >= 0);
assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "8888", STRV_MAKE("any"), STRV_MAKE("any")) >= 0);