author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-05-12 12:21:58 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-12 12:21:58 +0200 |
commit | c799d93cfa8d8202a05b28dc8836d5a29fa0487e (patch) | |
tree | 9e29b852048e6a5d287a540801e6e6a167a1c6d0 | |
parent | aa2b370dddc7e37df33769a488d6c3dce89b4e17 (diff) | |
parent | 11ab01e439e53d791c01fe980516e161ea382a32 (diff) | |
download | systemd-c799d93cfa8d8202a05b28dc8836d5a29fa0487e.tar.gz |
Merge pull request #19567 from poettering/ipv4-ipv6-lowercase
various follow-ups to socket-bind logic
-rw-r--r-- | man/systemd.resource-control.xml | 6 | ||||
-rw-r--r-- | src/basic/af-list.c | 12 | ||||
-rw-r--r-- | src/basic/af-list.h | 3 | ||||
-rw-r--r-- | src/core/cgroup.c | 19 | ||||
-rw-r--r-- | src/core/load-fragment.c | 9 | ||||
-rw-r--r-- | src/journal-remote/journal-remote.c | 3 | ||||
-rw-r--r-- | src/libsystemd/sd-bus/sd-bus.c | 8 | ||||
-rw-r--r-- | src/shared/bus-unit-util.c | 11 | ||||
-rw-r--r-- | src/systemctl/systemctl-show.c | 14 | ||||
-rw-r--r-- | src/test/test-socket-bind.c | 4 |
10 files changed, 51 insertions, 38 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index d9b570e232..827f343a50 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -775,7 +775,7 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook <para><replaceable>bind-rule</replaceable> := [<replaceable>address-family</replaceable><constant>:</constant>]<replaceable>ip-ports</replaceable></para> - <para><replaceable>address-family</replaceable> := { <constant>IPv4</constant> | <constant>IPv6</constant> }</para> + <para><replaceable>address-family</replaceable> := { <constant>ipv4</constant> | <constant>ipv6</constant> }</para> <para><replaceable>ip-ports</replaceable> := { <replaceable>ip-port</replaceable> | <replaceable>ip-port-range</replaceable> | <constant>any</constant> }</para> @@ -812,7 +812,7 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook <para>Examples:<programlisting>… # Allow binding IPv6 socket addresses with a port greater than or equal to 10000. [Service] -SocketBindAllow=IPv6:10000-65535 +SocketBindAllow=ipv6:10000-65535 SocketBindDeny=any … # Allow binding IPv4 and IPv6 socket addresses with 1234 and 4321 ports. @@ -823,7 +823,7 @@ SocketBindDeny=any … # Deny binding IPv6 socket addresses. [Service] -SocketBindDeny=IPv6:any +SocketBindDeny=ipv6:any … # Deny binding IPv4 and IPv6 socket addresses. [Service] diff --git a/src/basic/af-list.c b/src/basic/af-list.c index 7e819d6d11..a9ab891e20 100644 --- a/src/basic/af-list.c +++ b/src/basic/af-list.c 
@@ -38,3 +38,15 @@ int af_from_name(const char *name) { int af_max(void) { return ELEMENTSOF(af_names); } + +const char *af_to_ipv4_ipv6(int id) { + /* Pretty often we want to map the address family to the typically used protocol name for IPv4 + + * IPv6. Let's add special helpers for that. */ + return id == AF_INET ? "ipv4" : + id == AF_INET6 ? "ipv6" : NULL; +} + +int af_from_ipv4_ipv6(const char *af) { + return streq_ptr(af, "ipv4") ? AF_INET : + streq_ptr(af, "ipv6") ? AF_INET6 : AF_UNSPEC; +} diff --git a/src/basic/af-list.h b/src/basic/af-list.h index 688ac63df7..9592b9ed3c 100644 --- a/src/basic/af-list.h +++ b/src/basic/af-list.h @@ -22,4 +22,7 @@ static inline const char* af_to_name_short(int id) { return f + 3; } +const char* af_to_ipv4_ipv6(int id); +int af_from_ipv4_ipv6(const char *af); + int af_max(void); diff --git a/src/core/cgroup.c b/src/core/cgroup.c index a44cf9368c..5453b5ae96 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -4,6 +4,7 @@ #include "sd-messages.h" +#include "af-list.h" #include "alloc-util.h" #include "blockdev-util.h" #include "bpf-devices.h" @@ -202,12 +203,10 @@ void cgroup_context_remove_bpf_foreign_program(CGroupContext *c, CGroupBPFForeig } void cgroup_context_remove_socket_bind(CGroupSocketBindItem **head) { - CGroupSocketBindItem *h; - assert(head); while (*head) { - h = *head; + CGroupSocketBindItem *h = *head; LIST_REMOVE(socket_bind_items, *head, h); free(h); } 
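Review bot: Neither new helper in src/basic/af-list.c documents its failure value, and the two conventions differ. `af_to_ipv4_ipv6()` returns NULL for any family other than AF_INET and AF_INET6, while `af_from_ipv4_ipv6()` returns AF_UNSPEC for NULL or any unrecognised string and compares case-sensitively. The existing comment only explains why the helpers exist. I would add `/* Returns NULL for any other family, so check the result before handing it to a %s format. */` to the first and `/* Case-sensitive; returns AF_UNSPEC for NULL or unknown names. */` to the second, since callers elsewhere in this commit depend on both behaviours.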
@@ -594,16 +593,18 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { } void cgroup_context_dump_socket_bind_item(const CGroupSocketBindItem *item, FILE *f) { - const char *family = item->address_family == AF_INET ? "IPv4:" : - item->address_family == AF_INET6 ? "IPv6:" : ""; + const char *family, *colon; + + family = strempty(af_to_ipv4_ipv6(item->address_family)); + colon = isempty(family) ? "" : ":"; if (item->nr_ports == 0) - fprintf(f, " %sany", family); + fprintf(f, " %s%sany", family, colon); else if (item->nr_ports == 1) - fprintf(f, " %s%" PRIu16, family, item->port_min); + fprintf(f, " %s%s%" PRIu16, family, colon, item->port_min); else { uint16_t port_max = item->port_min + item->nr_ports - 1; - fprintf(f, " %s%" PRIu16 "-%" PRIu16, family, item->port_min, port_max); + fprintf(f, " %s%s%" PRIu16 "-%" PRIu16, family, colon, item->port_min, port_max); } } @@ -1580,7 +1581,7 @@ static bool unit_get_needs_socket_bind(Unit *u) { if (!c) return false; - return c->socket_bind_allow != NULL || c->socket_bind_deny != NULL; + return c->socket_bind_allow || c->socket_bind_deny; } static CGroupMask unit_get_cgroup_mask(Unit *u) { diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index 4eba2d1c02..3dd1e869eb 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -5653,13 +5653,10 @@ int config_parse_cgroup_socket_bind( } if (rvalue) { - if (streq(word, "IPv4")) - af = AF_INET; - else if (streq(word, "IPv6")) - af = AF_INET6; - else { + af = af_from_ipv4_ipv6(word); + if (af == AF_UNSPEC) { log_syntax(unit, LOG_WARNING, filename, line, 0, - "Only IPv4 and IPv6 protocols are supported, ignoring."); + "Only \"ipv4\" and \"ipv6\" protocols are supported, ignoring."); return 0; } diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c index 9600e5f732..13461dbe41 100644 --- a/src/journal-remote/journal-remote.c +++ b/src/journal-remote/journal-remote.c 
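Review bot: In config_parse_cgroup_socket_bind (src/core/load-fragment.c) the capitalised `IPv4`/`IPv6` spelling that the removed lines accepted now lands in the `af == AF_UNSPEC` branch, which logs a warning and returns 0, so the whole rule is dropped. For a `SocketBindDeny=IPv6:any` line written against the old syntax this means the unit starts without the restriction, i.e. the setting fails open. If the capitalised form was ever in a released version (not visible from this page), I would keep accepting it by matching case-insensitively in `af_from_ipv4_ipv6()`. Failing that, the warning should say that the entire bind rule is ignored, not just the address-family prefix. The same spelling change in bus_append_cgroup_property (src/shared/bus-unit-util.c) returns EINVAL and so fails closed; only compatibility is affected there. The function body continues outside the hunk.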
@@ -8,6 +8,7 @@ #include "sd-daemon.h" +#include "af-list.h" #include "alloc-util.h" #include "def.h" #include "errno-util.h" @@ -498,7 +499,7 @@ static int accept_connection( log_debug("Accepted %s %s connection from %s", type, - socket_address_family(addr) == AF_INET ? "IP" : "IPv6", + af_to_ipv4_ipv6(socket_address_family(addr)), a); *hostname = b; diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c index 8bcf4f6c50..31f527c571 100644 --- a/src/libsystemd/sd-bus/sd-bus.c +++ b/src/libsystemd/sd-bus/sd-bus.c @@ -12,6 +12,7 @@ #include "sd-bus.h" +#include "af-list.h" #include "alloc-util.h" #include "bus-container.h" #include "bus-control.h" @@ -821,11 +822,8 @@ static int parse_tcp_address(sd_bus *b, const char **p, char **guid) { return -EINVAL; if (family) { - if (streq(family, "ipv4")) - hints.ai_family = AF_INET; - else if (streq(family, "ipv6")) - hints.ai_family = AF_INET6; - else + hints.ai_family = af_from_ipv4_ipv6(family); + if (hints.ai_family == AF_UNSPEC) return -EINVAL; } diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c index 20d368efca..54d04aae50 100644 --- a/src/shared/bus-unit-util.c +++ b/src/shared/bus-unit-util.c @@ -1,5 +1,6 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ +#include "af-list.h" #include "alloc-util.h" #include "bus-error.h" #include "bus-unit-util.h" @@ -879,14 +880,10 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons address_family = eq ? word : NULL; if (address_family) { - if (!STR_IN_SET(address_family, "IPv4", "IPv6")) + family = af_from_ipv4_ipv6(address_family); + if (family == AF_UNSPEC) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Only IPv4 and IPv6 protocols are supported"); - - if (streq(address_family, "IPv4")) - family = AF_INET; - else - family = AF_INET6; + "Only \"ipv4\" and \"ipv6\" protocols are supported"); } user_port = eq ? eq : word; 
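Review bot: The log_debug() call in accept_connection (src/journal-remote/journal-remote.c) now passes the result of `af_to_ipv4_ipv6()` straight to a `%s` conversion, and that helper returns NULL for every family other than AF_INET and AF_INET6. The expression it replaces always produced a string. Whether a non-IP socket can reach this path is not visible from the hunk, but passing NULL to `%s` is undefined behaviour and the guard costs nothing: `strna(af_to_ipv4_ipv6(socket_address_family(addr))),`. The rest of accept_connection lies outside the hunk.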
diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c index 2df05464c6..4d68e08c80 100644 --- a/src/systemctl/systemctl-show.c +++ b/src/systemctl/systemctl-show.c @@ -2,6 +2,7 @@ #include <sys/mount.h> +#include "af-list.h" #include "bus-error.h" #include "bus-locator.h" #include "bus-map-properties.h" @@ -1710,22 +1711,25 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m return 1; } else if (STR_IN_SET(name, "SocketBindAllow", "SocketBindDeny")) { uint16_t nr_ports, port_min; - const char *family; int af; r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "(iqq)"); if (r < 0) return bus_log_parse_error(r); while ((r = sd_bus_message_read(m, "(iqq)", &af, &nr_ports, &port_min)) > 0) { - family = af == AF_INET ? "IPv4:" : af == AF_INET6 ? "IPv6:" : ""; + const char *family, *colon; + + family = strempty(af_to_ipv4_ipv6(af)); + colon = isempty(family) ? "" : ":"; + if (nr_ports == 0) - bus_print_property_valuef(name, expected_value, flags, "%sany", family); + bus_print_property_valuef(name, expected_value, flags, "%s%sany", family, colon); else if (nr_ports == 1) bus_print_property_valuef( - name, expected_value, flags, "%s%hu", family, port_min); + name, expected_value, flags, "%s%s%hu", family, colon, port_min); else bus_print_property_valuef( - name, expected_value, flags, "%s%hu-%hu", family, port_min, + name, expected_value, flags, "%s%s%hu-%hu", family, colon, port_min, (uint16_t) (port_min + nr_ports - 1)); } if (r < 0) diff --git a/src/test/test-socket-bind.c b/src/test/test-socket-bind.c index bfe5072bc3..16cfea7779 100644 --- a/src/test/test-socket-bind.c +++ b/src/test/test-socket-bind.c 
@@ -141,8 +141,8 @@ int main(int argc, char *argv[]) { assert_se(manager_startup(m, NULL, NULL) >= 0); assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "2000", STRV_MAKE("2000"), STRV_MAKE("any")) >= 0); - assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "2000", STRV_MAKE("IPv6:2001-2002"), STRV_MAKE("any")) >= 0); - assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "6666", STRV_MAKE("IPv4:6666", "6667"), STRV_MAKE("any")) >= 0); + assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "2000", STRV_MAKE("ipv6:2001-2002"), STRV_MAKE("any")) >= 0); + assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "6666", STRV_MAKE("ipv4:6666", "6667"), STRV_MAKE("any")) >= 0); assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "6666", STRV_MAKE("6667", "6668", ""), STRV_MAKE("any")) >= 0); assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "7777", STRV_MAKE_EMPTY, STRV_MAKE_EMPTY) >= 0); assert_se(test_socket_bind(m, "socket_bind_test.service", netcat_path, "8888", STRV_MAKE("any"), STRV_MAKE("any")) >= 0); |