From 078ba556da253e994724aa5565d570b5d22e0c17 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 6 Sep 2017 17:56:15 +0200
Subject: [PATCH] core: warn loudly if IP firewalling is configured but not in effect

---
 src/core/dbus-cgroup.c | 10 ++++++++++
 src/core/ip-address-access.c | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index 42381ec..f61ca08 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -21,6 +21,7 @@
 
 #include "af-list.h"
 #include "alloc-util.h"
+#include "bpf-firewall.h"
 #include "bus-util.h"
 #include "cgroup-util.h"
 #include "cgroup.h"
@@ -1321,6 +1322,15 @@ int bus_cgroup_set_property(
 if (r < 0)
 return r;
 unit_write_drop_in_private(u, mode, name, buf);
+
+ if (*list) {
+ r = bpf_firewall_supported();
+ if (r < 0)
+ return r;
+ if (r == 0)
+ log_warning("Transient unit %s configures an IP firewall, but the local system does not support BPF/cgroup firewalling.\n"
+ "Proceeding WITHOUT firewalling in effect!", u->id);
+ }
 }
 
 return 1;
diff --git a/src/core/ip-address-access.c b/src/core/ip-address-access.c
index 18d2870..cfb7d51 100644
--- a/src/core/ip-address-access.c
+++ b/src/core/ip-address-access.c
@@ -21,6 +21,7 @@
 #include
 
 #include "alloc-util.h"
+#include "bpf-firewall.h"
 #include "extract-word.h"
 #include "hostname-util.h"
 #include "ip-address-access.h"
@@ -150,6 +151,15 @@ int config_parse_ip_address_access(
 
 *list = ip_address_access_reduce(*list);
 
+ if (*list) {
+ r = bpf_firewall_supported();
+ if (r < 0)
+ return r;
+ if (r == 0)
+ log_warning("File %s:%u configures an IP firewall (%s=%s), but the local system does not support BPF/cgroup based firewalling.\n"
+ "Proceeding WITHOUT firewalling in effect!", filename, line, lvalue, rvalue);
+ }
+
 return 0;
 }
 
-- 
2.7.4
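Review bot: The new `if (r < 0) return r;` after `bpf_firewall_supported()` fails the D-Bus property set only after the access list has been stored and `unit_write_drop_in_private()` has already written the drop-in (both visible just above it in the hunk), so a failed probe hands the caller an error for a change that has in fact taken effect. Either run the probe before the property is applied, or treat a probe failure like the unsupported case and only log it: `if (r < 0) log_warning_errno(r, "Failed to determine BPF firewall support for transient unit %s, proceeding without firewalling: %m", u->id);` instead of returning. Separately, the warning reaches only the journal: the D-Bus client that asked for IPAddressAllow=/IPAddressDeny= gets a success reply with no indication that the filter is inert, which an operator relying on that reply has no way to detect — if an `sd_bus_error` is available in this function, as its siblings presumably have, it would be worth surfacing there, or at least documenting that IP firewalling is best-effort on kernels without cgroup BPF. bus_cgroup_set_property starts and ends outside this hunk.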
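Review bot: Returning `r` from `config_parse_ip_address_access()` when `bpf_firewall_supported()` fails turns a mere probe error into a load failure for every unit carrying an IPAddressAllow=/IPAddressDeny= line, which is harsher than the unsupported case two lines below, where the directive is accepted and only a warning is logged; a transient probe failure should be reported the same way rather than make the unit unloadable. I would replace the two lines with `if (r < 0) log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to determine whether BPF firewalling is supported, proceeding without firewalling: %m");` and let the function fall through to `return 0` as it does for the unsupported case — assuming `unit` is in scope as it conventionally is for config_parse_ functions (the signature lies outside this hunk). Also note this runs once per directive line, so a unit with both Allow= and Deny= lines emits the warning twice per (re)load, and if `bpf_firewall_supported()` does not cache its result the kernel probe is repeated as well. config_parse_ip_address_access starts outside this hunk.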