authorYu Watanabe <watanabe.yu+github@gmail.com>2022-06-14 15:06:27 +0900
committerYu Watanabe <watanabe.yu+github@gmail.com>2022-06-22 22:23:58 +0900
commitb48ed70c79c6482e1f39b77d16e62043ff5042a5 (patch)
tree58245c4075beb60a8558020b647dc67134beb68e /src/core/cgroup.c
parent127b26f3d8b589907ed75a34d34ab330995778f9 (diff)
downloadsystemd-b48ed70c79c6482e1f39b77d16e62043ff5042a5.tar.gz
Revert NFTSet feature
This reverts PR #22587 and its follow-up commit. More specifically, 2299b1cae32c1fb8911da0ce26efced68032f4f8 (partially), e176f855278d5098d3fecc5aa24ba702147d42e0, ceb46a31a01b3d3d1d6095d857e29ea214a2776b, and 51bb9076ab8c050bebb64db5035852385accda35. The PR was merged without final approval, and has several issues: - OSS fuzz reported issues in the conf parser, - It makes a synchronous netlink call, which it should not, especially in PID1, - The importance of NFTSet for CGroup and DynamicUser may be questionable; at least, there was no justification that PID1 should support it. - For networkd, it should be implemented with a Request object, - There is no test for the feature. Fixes #23711. Fixes #23717. Fixes #23719. Fixes #23720. Fixes #23721. Fixes #23759.
Diffstat (limited to 'src/core/cgroup.c')
-rw-r--r--src/core/cgroup.c52
1 files changed, 0 insertions, 52 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index a3fb44fcb8..25707fce64 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -19,7 +19,6 @@
#include "devnum-util.h"
#include "fd-util.h"
#include "fileio.h"
-#include "firewall-util.h"
#include "in-addr-prefix-util.h"
#include "inotify-util.h"
#include "io-util.h"
@@ -280,8 +279,6 @@ void cgroup_context_done(CGroupContext *c) {
cpu_set_reset(&c->startup_cpuset_cpus);
cpu_set_reset(&c->cpuset_mems);
cpu_set_reset(&c->startup_cpuset_mems);
-
- c->nft_set_context = nft_set_context_free_many(c->nft_set_context, &c->n_nft_set_contexts);
}
static int unit_get_kernel_memory_limit(Unit *u, const char *file, uint64_t *ret) {
@@ -612,11 +609,6 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) {
SET_FOREACH(iface, c->restrict_network_interfaces)
fprintf(f, "%sRestrictNetworkInterfaces: %s\n", prefix, iface);
}
-
- for (size_t i = 0; i < c->n_nft_set_contexts; i++)
- fprintf(f, "%sControlGroupNFTSet: %s:%s:%s\n", prefix,
- nfproto_to_string(c->nft_set_context[i].nfproto),
- c->nft_set_context[i].table, c->nft_set_context[i].set);
}
void cgroup_context_dump_socket_bind_item(const CGroupSocketBindItem *item, FILE *f) {
@@ -1226,46 +1218,6 @@ static void cgroup_apply_firewall(Unit *u) {
(void) bpf_firewall_install(u);
}
-static void cgroup_apply_nft_set(Unit *u) {
- int r;
- CGroupContext *c;
-
- assert(u);
-
- assert_se(c = unit_get_cgroup_context(u));
-
- for (size_t i = 0; i < c->n_nft_set_contexts; i++) {
- NFTSetContext *s = &c->nft_set_context[i];
- r = nft_set_element_add_uint64(s, u->cgroup_id);
- if (r < 0)
- log_warning_errno(r, "Adding NFT family %s table %s set %s cgroup %" PRIu64 " failed, ignoring: %m",
- nfproto_to_string(s->nfproto),
- s->table,
- s->set,
- u->cgroup_id);
- }
-}
-
-static void cgroup_delete_nft_set(Unit *u) {
- int r;
- CGroupContext *c;
-
- assert(u);
-
- assert_se(c = unit_get_cgroup_context(u));
-
- for (size_t i = 0; i < c->n_nft_set_contexts; i++) {
- NFTSetContext *s = &c->nft_set_context[i];
- r = nft_set_element_del_uint64(s, u->cgroup_id);
- if (r < 0)
- log_warning_errno(r, "Deleting NFT family %s table %s set %s cgroup %" PRIu64 " failed, ignoring: %m",
- nfproto_to_string(s->nfproto),
- s->table,
- s->set,
- u->cgroup_id);
- }
-}
-
static void cgroup_apply_socket_bind(Unit *u) {
assert(u);
@@ -1698,8 +1650,6 @@ static void cgroup_context_apply(
if (apply_mask & CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES)
cgroup_apply_restrict_network_interfaces(u);
-
- cgroup_apply_nft_set(u);
}
static bool unit_get_needs_bpf_firewall(Unit *u) {
@@ -2849,8 +2799,6 @@ void unit_prune_cgroup(Unit *u) {
(void) lsm_bpf_cleanup(u); /* Remove cgroup from the global LSM BPF map */
#endif
- cgroup_delete_nft_set(u);
-
is_root_slice = unit_has_name(u, SPECIAL_ROOT_SLICE);
r = cg_trim_everywhere(u->manager->cgroup_supported, u->cgroup_path, !is_root_slice);