author | Lennart Poettering <lennart@poettering.net> | 2021-06-08 15:25:28 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-06-08 21:54:49 +0200 |
commit | 0fd9c28cc9487fadcddc5ea5bd0c7ca2ad525534 (patch) | |
tree | c749f7130097df33a0e2505991d079d2648f8e0d /src/core/bpf-firewall.c | |
parent | 7ff9d99e9e8b75930aa05b45eb21889eac8af014 (diff) | |
download | systemd-0fd9c28cc9487fadcddc5ea5bd0c7ca2ad525534.tar.gz |
bpf-firewall: move destruction of IP firewall objects to bpf-firewall.c
These are so many runtime objects, let's add a bpf_firewall_close()
helper that destroys them all, and call that from unit_free(), simply as
an exercise of encapsulating more BPF code in bpf-firewall.c.
This also brings the destruction order and variable declaration order in
struct Unit into the same systematic order.
No change in behaviour just some minor refactoring.
Diffstat (limited to 'src/core/bpf-firewall.c')
-rw-r--r-- | src/core/bpf-firewall.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c index 2a41bffee6..eda4d3bbdf 100644 --- a/src/core/bpf-firewall.c +++ b/src/core/bpf-firewall.c @@ -661,6 +661,7 @@ static int attach_custom_bpf_progs(Unit *u, const char *path, int attach_type, S r = set_ensure_put(set_installed, &filter_prog_hash_ops, prog); if (r < 0) return log_unit_error_errno(u, r, "Can't add program to BPF program set: %m"); + bpf_program_ref(prog); } @@ -902,3 +903,25 @@ void emit_bpf_firewall_warning(Unit *u) { warned = true; } } + +void bpf_firewall_close(Unit *u) { + assert(u); + + u->ip_accounting_ingress_map_fd = safe_close(u->ip_accounting_ingress_map_fd); + u->ip_accounting_egress_map_fd = safe_close(u->ip_accounting_egress_map_fd); + + u->ipv4_allow_map_fd = safe_close(u->ipv4_allow_map_fd); + u->ipv6_allow_map_fd = safe_close(u->ipv6_allow_map_fd); + u->ipv4_deny_map_fd = safe_close(u->ipv4_deny_map_fd); + u->ipv6_deny_map_fd = safe_close(u->ipv6_deny_map_fd); + + u->ip_bpf_ingress = bpf_program_unref(u->ip_bpf_ingress); + u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed); + u->ip_bpf_egress = bpf_program_unref(u->ip_bpf_egress); + u->ip_bpf_egress_installed = bpf_program_unref(u->ip_bpf_egress_installed); + + u->ip_bpf_custom_ingress = set_free(u->ip_bpf_custom_ingress); + u->ip_bpf_custom_egress = set_free(u->ip_bpf_custom_egress); + u->ip_bpf_custom_ingress_installed = set_free(u->ip_bpf_custom_ingress_installed); + u->ip_bpf_custom_egress_installed = set_free(u->ip_bpf_custom_egress_installed); +} |
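Review bot: bpf_firewall_close() in the second hunk is a new non-static entry point with no comment stating its contract, and that contract matters for the unit's IP filtering. Besides closing the six map fds, it drops the references on `ip_bpf_ingress_installed` and `ip_bpf_egress_installed` and frees the two `*_installed` sets. That is presumably what takes the filters off the cgroup, although bpf_program_unref() is not shown on this page. I would add above the function `/* Releases all IP accounting/firewall maps and BPF programs of the unit, including the installed ones. Call only when the unit's filtering is meant to go away, e.g. from unit_free(). */`. If a second call is meant to be safe, the comment should say so only after confirming that safe_close(), bpf_program_unref() and set_free() return the cleared value, which the assignments suggest but the hunk does not establish.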