cgroup: add fields to accommodate eBPF related details

Add pointers for compiled eBPF programs as well as list heads for allowed
and denied hosts for both directions.
Daniel Mack 2016-11-11 19:59:19 +01:00 committed by Lennart Poettering
parent b36672e072
commit 6a48d82f02
6 changed files with 45 additions and 1 deletions


@ -141,6 +141,9 @@ void cgroup_context_done(CGroupContext *c) {
while (c->device_allow)
cgroup_context_free_device_allow(c, c->device_allow);
c->ip_address_allow = ip_address_access_free_all(c->ip_address_allow);
c->ip_address_deny = ip_address_access_free_all(c->ip_address_deny);
}
void cgroup_context_dump(CGroupContext *c, FILE* f, const char *prefix) {
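Review bot: cgroup_context_done now releases the two address lists, but the trailing context shows cgroup_context_dump unchanged, so the configured IPAddressAllow=/IPAddressDeny= entries would not show up in the context dump; if no other hunk of this commit extends the dump, add the two lists there so the effective firewall policy stays inspectable. The assignment form `c->ip_address_allow = ip_address_access_free_all(c->ip_address_allow);` presumably relies on the helper returning NULL — worth confirming, since a non-NULL return would leave a dangling pointer in the context. Both cgroup_context_done and cgroup_context_dump start or end outside the hunk.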


@ -21,9 +21,10 @@
#include <stdbool.h>
#include "cgroup-util.h"
#include "ip-address-access.h"
#include "list.h"
#include "time-util.h"
#include "cgroup-util.h"
typedef struct CGroupContext CGroupContext;
typedef struct CGroupDeviceAllow CGroupDeviceAllow;
@ -87,6 +88,7 @@ struct CGroupContext {
bool blockio_accounting;
bool memory_accounting;
bool tasks_accounting;
bool ip_accounting;
/* For unified hierarchy */
uint64_t cpu_weight;
@ -103,6 +105,9 @@ struct CGroupContext {
uint64_t memory_max;
uint64_t memory_swap_max;
LIST_HEAD(IPAddressAccessItem, ip_address_allow);
LIST_HEAD(IPAddressAccessItem, ip_address_deny);
/* For legacy hierarchies */
uint64_t cpu_shares;
uint64_t startup_cpu_shares;
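Review bot: The new `ip_address_allow`/`ip_address_deny` list heads carry no comment about ownership, while the matching release lives in cgroup_context_done in another file; add `/* IPAddressAllow=/IPAddressDeny= lists; owned by the context, released in cgroup_context_done() */` above the two LIST_HEAD lines. Separately, `#include "cgroup-util.h"` appears twice in the first hunk (once before `ip-address-access.h`, once after `time-util.h`); if both survive on the new side, drop the second — harmless under include guards, but it reads as a leftover. The struct CGroupContext definition starts and ends outside the hunks.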


@ -29,6 +29,7 @@
#include "cgroup-util.h"
#include "fdset.h"
#include "hashmap.h"
#include "ip-address-access.h"
#include "list.h"
#include "ratelimit.h"


@ -60,3 +60,5 @@
#DefaultLimitNICE=
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
#IPAddressAllow=
#IPAddressDeny=


@ -35,6 +35,7 @@
#include "dropin.h"
#include "escape.h"
#include "execute.h"
#include "fd-util.h"
#include "fileio-label.h"
#include "format-util.h"
#include "id128-util.h"
@ -103,6 +104,13 @@ Unit *unit_new(Manager *m, size_t size) {
u->ref_gid = GID_INVALID;
u->cpu_usage_last = NSEC_INFINITY;
u->ip_accounting_ingress_map_fd = -1;
u->ip_accounting_egress_map_fd = -1;
u->ipv4_allow_map_fd = -1;
u->ipv6_allow_map_fd = -1;
u->ipv4_deny_map_fd = -1;
u->ipv6_deny_map_fd = -1;
RATELIMIT_INIT(u->start_limit, m->default_start_limit_interval, m->default_start_limit_burst);
RATELIMIT_INIT(u->auto_stop_ratelimit, 10 * USEC_PER_SEC, 16);
@ -156,6 +164,7 @@ static void unit_init(Unit *u) {
cc->blockio_accounting = u->manager->default_blockio_accounting;
cc->memory_accounting = u->manager->default_memory_accounting;
cc->tasks_accounting = u->manager->default_tasks_accounting;
cc->ip_accounting = u->manager->default_ip_accounting;
if (u->type != UNIT_SLICE)
cc->tasks_max = u->manager->default_tasks_max;
@ -610,6 +619,17 @@ void unit_free(Unit *u) {
while (u->refs)
unit_ref_unset(u->refs);
safe_close(u->ip_accounting_ingress_map_fd);
safe_close(u->ip_accounting_egress_map_fd);
safe_close(u->ipv4_allow_map_fd);
safe_close(u->ipv6_allow_map_fd);
safe_close(u->ipv4_deny_map_fd);
safe_close(u->ipv6_deny_map_fd);
bpf_program_unref(u->ip_bpf_ingress);
bpf_program_unref(u->ip_bpf_egress);
free(u);
}
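Review bot: unit_free unrefs `u->ip_bpf_ingress` and `u->ip_bpf_egress` unconditionally, but unit_new only initializes the six map fds to -1 and never touches the two program pointers; that is only safe if the allocation in unit_new (outside the hunk) zero-fills the struct and bpf_program_unref tolerates NULL — both worth confirming, or make it explicit with `u->ip_bpf_ingress = u->ip_bpf_egress = NULL;` next to the fd initializers. The six safe_close calls and two unrefs sit directly before free(u), so no reset of the fields is needed there. unit_new, unit_init and unit_free all start outside their hunks.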


@ -28,6 +28,7 @@ typedef struct UnitVTable UnitVTable;
typedef struct UnitRef UnitRef;
typedef struct UnitStatusMessageFormats UnitStatusMessageFormats;
#include "bpf-program.h"
#include "condition.h"
#include "emergency-action.h"
#include "install.h"
@ -205,6 +206,18 @@ struct Unit {
CGroupMask cgroup_members_mask;
int cgroup_inotify_wd;
/* IP BPF Firewalling/accounting */
int ip_accounting_ingress_map_fd;
int ip_accounting_egress_map_fd;
int ipv4_allow_map_fd;
int ipv6_allow_map_fd;
int ipv4_deny_map_fd;
int ipv6_deny_map_fd;
BPFProgram *ip_bpf_ingress;
BPFProgram *ip_bpf_egress;
/* How to start OnFailure units */
JobMode on_failure_job_mode;
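Review bot: The `/* IP BPF Firewalling/accounting */` header says nothing about the lifecycle of the eight new fields, which is exactly what a reader of unit_new/unit_free needs: that the map fds are -1 until set up and are closed in unit_free, that the ipv4/ipv6 allow/deny maps back IPAddressAllow=/IPAddressDeny=, and that the two BPFProgram pointers hold references released with bpf_program_unref. A per-field comment would do as well, e.g. `int ipv4_allow_map_fd; /* BPF map of allowed IPv4 prefixes, -1 if unset */`. struct Unit starts and ends outside the hunk.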