supported = bpf_firewall_supported();
if (supported < 0)
return supported;
- if (supported == BPF_FIREWALL_UNSUPPORTED) {
- log_unit_debug(u, "BPF firewalling not supported on this manager, proceeding without.");
- return -EOPNOTSUPP;
- }
- if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI && u->type == UNIT_SLICE) {
+ if (supported == BPF_FIREWALL_UNSUPPORTED)
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "BPF firewalling not supported on this manager, proceeding without.");
+ if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI && u->type == UNIT_SLICE)
/* If BPF_F_ALLOW_MULTI is not supported we don't support any BPF magic on inner nodes (i.e. on slice
* units), since that would mean leaf nodes couldn't do any BPF anymore at all. Under the assumption
* that BPF is more interesting on leaf nodes we hence avoid it on inner nodes in that case. This is
* consistent with old systemd behaviour from before v238, where BPF wasn't supported in inner nodes at
* all, either. */
- log_unit_debug(u, "BPF_F_ALLOW_MULTI is not supported on this manager, not doing BPF firewall on slice units.");
- return -EOPNOTSUPP;
- }
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "BPF_F_ALLOW_MULTI is not supported on this manager, not doing BPF firewall on slice units.");
/* Note that when we compile a new firewall we first flush out the access maps and the BPF programs themselves,
* but we reuse the the accounting maps. That way the firewall in effect always maps to the actual
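Review bot: The unbraced `if` at L12 is now separated from its `return` body at L21 by a five-line block comment, which is easy to misread as the comment ending the statement and invites a future edit inserting code between condition and body. Hoisting the comment above the condition keeps the guard in the same shape as the one at L9-11: place the `/* If BPF_F_ALLOW_MULTI is not supported ... */` comment before `if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI && u->type == UNIT_SLICE)` and leave the `return log_unit_debug_errno(...)` directly beneath it. The enclosing function starts before the hunk and its trailing comment at L23-24 continues past it.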
return supported = BPF_FIREWALL_UNSUPPORTED;
}
}
+
+void emit_bpf_firewall_warning(Unit *u) {
+ static bool warned = false;
+
+ if (!warned) {
+ log_unit_warning(u, "unit configures an IP firewall, but %s.\n"
+ "(This warning is only shown for the first unit using IP firewalling.)",
+ getuid() != 0 ? "not running as root" :
+ "the local system does not support BPF/cgroup firewalling");
+ warned = true;
+ }
+}
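Review bot: The consolidated message at L33-36 drops the consequence that both texts it replaces stated explicitly ("Proceeding WITHOUT firewalling in effect!", L60 and L77), so an operator now only learns that BPF is unsupported, not that the unit still starts with no IP filtering applied. Because IPAddressAllow=/IPAddressDeny= is a security control, the failure mode should remain in the warning: `"unit configures an IP firewall, but %s.\n"` followed by `"Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first unit using IP firewalling.)"`. The reason string is picked from `getuid() != 0` alone rather than from why bpf_firewall_supported() reported unsupported, so an unprivileged manager on a kernel without BPF support will presumably always blame the uid; a one-line comment noting that the root check is a heuristic would help the next reader.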
* hierarchy that shall be enabled for it. */
mask = unit_get_own_mask(u) | unit_get_members_mask(u) | unit_get_siblings_mask(u);
+
+ if (mask & CGROUP_MASK_BPF_FIREWALL & ~u->manager->cgroup_supported)
+ emit_bpf_firewall_warning(u);
+
mask &= u->manager->cgroup_supported;
mask &= ~unit_get_ancestor_disable_mask(u);
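Review bot: The check at L43 tests the combined mask built at L41, which folds in unit_get_members_mask() and unit_get_siblings_mask(), so the warning can be emitted for a slice or sibling that never configured an IP firewall itself while the text says "unit configures an IP firewall". Testing the unit's own mask keeps the attribution accurate: `if (unit_get_own_mask(u) & CGROUP_MASK_BPF_FIREWALL & ~u->manager->cgroup_supported)`. Since the once-only flag in emit_bpf_firewall_warning() is consumed by whichever caller hits it first, a misattributed first hit also silences the warning for the unit that actually carries the setting. unit_get_target_mask() begins outside the hunk.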
return r;
unit_write_setting(u, flags, name, buf);
-
- if (*list) {
- r = bpf_firewall_supported();
- if (r < 0)
- return r;
- if (r == BPF_FIREWALL_UNSUPPORTED) {
- static bool warned = false;
-
- log_full(warned ? LOG_DEBUG : LOG_WARNING,
- "Transient unit %s configures an IP firewall, but the local system does not support BPF/cgroup firewalling.\n"
- "Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first started transient unit using IP firewalling.)", u->id);
-
- warned = true;
- }
- }
}
return 1;
*list = ip_address_access_reduce(*list);
- if (*list) {
- r = bpf_firewall_supported();
- if (r < 0)
- return r;
- if (r == BPF_FIREWALL_UNSUPPORTED) {
- static bool warned = false;
-
- log_full(warned ? LOG_DEBUG : LOG_WARNING,
- "File %s:%u configures an IP firewall (%s=%s), but the local system does not support BPF/cgroup based firewalling.\n"
- "Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)", filename, line, lvalue, rvalue);
-
- warned = true;
- }
- }
-
return 0;
}