authorLennart Poettering <lennart@poettering.net>2018-02-21 15:22:31 +0100
committerLennart Poettering <lennart@poettering.net>2018-02-21 16:43:36 +0100
commit5128346127a5e8c228ac5b3e201f869715a1929f (patch)
tree22152f46578874375f50a3a12eb32d7492e365f5 /src/core/bpf-firewall.c
parentaa2b6f1d2b019de044f88851499acfef49350090 (diff)
downloadsystemd-5128346127a5e8c228ac5b3e201f869715a1929f.tar.gz
bpf: reset "extra" IP accounting counters when turning off IP accounting for a unit
We maintain an "extra" set of IP accounting counters that are used when systemd is reloaded, to carry over the counters from the previous run. Let's reset these to zero whenever IP accounting is turned off. If we don't do this, then turning off IP accounting and turning it back on later wouldn't reset the counters, which is quite surprising and different from how our CPU time counting works.
Diffstat (limited to 'src/core/bpf-firewall.c')
-rw-r--r--src/core/bpf-firewall.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 67cbbca734..48666f64a2 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -453,9 +453,10 @@ static int bpf_firewall_prepare_access_maps(
return 0;
}
-static int bpf_firewall_prepare_accounting_maps(bool enabled, int *fd_ingress, int *fd_egress) {
+static int bpf_firewall_prepare_accounting_maps(Unit *u, bool enabled, int *fd_ingress, int *fd_egress) {
int r;
+ assert(u);
assert(fd_ingress);
assert(fd_egress);
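Review bot: With `u` now a parameter, `fd_ingress` and `fd_egress` are redundant in the new signature: the only call site shown (last hunk) passes `&u->ip_accounting_ingress_map_fd` and `&u->ip_accounting_egress_map_fd`, so the function is handed the same object three ways. Reducing it to `static int bpf_firewall_prepare_accounting_maps(Unit *u, bool enabled)` and reading the fds from `u` inside would also rule out a caller passing fds that belong to a different unit than the one whose counters get zeroed. The function body continues outside this hunk, so any other use of the two pointers is not visible here.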
@@ -476,9 +477,12 @@ static int bpf_firewall_prepare_accounting_maps(bool enabled, int *fd_ingress, i
*fd_egress = r;
}
+
} else {
*fd_ingress = safe_close(*fd_ingress);
*fd_egress = safe_close(*fd_egress);
+
+ zero(u->ip_accounting_extra);
}
return 0;
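Review bot: The added `zero(u->ip_accounting_extra);` in the disabled branch carries no comment, so the reason for it lives only in the commit message. Something like `/* IP accounting is off: forget the counters carried over from before the last reload, so that turning it back on starts from zero */` above that line would keep the intent next to the code. Because the carried-over totals are discarded without any trace, a debug-level log line here may also be worth considering for anyone who reads these counters as traffic-monitoring data. The blank line added before `} else {` looks unintentional. The function starts outside this hunk.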
@@ -490,6 +494,10 @@ int bpf_firewall_compile(Unit *u) {
assert(u);
+ cc = unit_get_cgroup_context(u);
+ if (!cc)
+ return -EINVAL;
+
supported = bpf_firewall_supported();
if (supported < 0)
return supported;
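Review bot: Placing the `cc` lookup ahead of `bpf_firewall_supported()` changes which error wins: a unit without a cgroup context now gets `-EINVAL` before the supported check has run, and the commit message does not mention this. Callers that special-case the result of the supported check (not visible here) would then see a different code for such units. Also, `cc` was already used on the old side of the call in the last hunk, and the diffstat's two deletions are the old signature and the old call, so the previous assignment of `cc` is presumably still further down in the function and is now redundant; it should be removed in the same change. The body of `bpf_firewall_compile` continues outside this hunk.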
@@ -536,7 +544,7 @@ int bpf_firewall_compile(Unit *u) {
return log_error_errno(r, "Preparation of eBPF deny maps failed: %m");
}
- r = bpf_firewall_prepare_accounting_maps(cc->ip_accounting, &u->ip_accounting_ingress_map_fd, &u->ip_accounting_egress_map_fd);
+ r = bpf_firewall_prepare_accounting_maps(u, cc->ip_accounting, &u->ip_accounting_ingress_map_fd, &u->ip_accounting_egress_map_fd);
if (r < 0)
return log_error_errno(r, "Preparation of eBPF accounting maps failed: %m");