Compare commits
No commits in common. "9f62de5762233cd058cbf200c9701c49ccbc1ad6" and "d7d1d18fd25e3d6c7f3d1841e0502fadb8cecbf9" have entirely different histories.
9f62de5762
...
d7d1d18fd2
@ -246,7 +246,7 @@
|
||||
|
||||
<programlisting>systemd-cryptenroll /dev/sda1 --wipe-slot=tpm2 --tpm2-device=auto</programlisting>
|
||||
|
||||
<para>The above command will enroll the TPM2 chip, and then wipe all previously created TPM2
|
||||
<para>The above command will enroll the TPM2 chip, and then wipe all previously crated TPM2
|
||||
enrollments on the LUKS2 volume, leaving only the newly created one. Combining wiping and enrollment
|
||||
may also be used to replace enrollments of different types, for example for changing from a PKCS#11
|
||||
enrollment to a FIDO2 one:</para>
|
||||
|
||||
@ -81,12 +81,10 @@
|
||||
units involved with early boot or late system shutdown should disable the
|
||||
<varname>DefaultDependencies=</varname> option.</para></listitem>
|
||||
|
||||
<listitem><para>Timer units with at least one <varname>OnCalendar=</varname> directive acquire a pair
|
||||
of additional <varname>After=</varname> dependencies on <filename>time-set.target</filename> and
|
||||
<filename>time-sync.target</filename>, in order to avoid being started before the system clock has
|
||||
been correctly set. See
|
||||
<citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||||
for details on these two targets.</para></listitem>
|
||||
<listitem><para>Timer units
|
||||
with at least one <varname>OnCalendar=</varname> directive will have an additional <varname>After=</varname>
|
||||
dependency on <filename>time-sync.target</filename> to avoid being started before the system clock has been
|
||||
correctly set.</para></listitem>
|
||||
</itemizedlist>
|
||||
</refsect2>
|
||||
</refsect1>
|
||||
|
||||
@ -10,31 +10,25 @@
|
||||
#include "fd-util.h"
|
||||
#include "macro.h"
|
||||
|
||||
int chattr_full(const char *path, int fd, unsigned value, unsigned mask, unsigned *ret_previous, unsigned *ret_final, bool fallback) {
|
||||
_cleanup_close_ int fd_will_close = -1;
|
||||
int chattr_fd(int fd, unsigned value, unsigned mask, unsigned *previous) {
|
||||
unsigned old_attr, new_attr;
|
||||
struct stat st;
|
||||
|
||||
assert(path || fd >= 0);
|
||||
|
||||
if (fd < 0) {
|
||||
fd = fd_will_close = open(path, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW);
|
||||
if (fd < 0)
|
||||
return -errno;
|
||||
}
|
||||
assert(fd >= 0);
|
||||
|
||||
if (fstat(fd, &st) < 0)
|
||||
return -errno;
|
||||
|
||||
/* Explicitly check whether this is a regular file or directory. If it is anything else (such
|
||||
* as a device node or fifo), then the ioctl will not hit the file systems but possibly
|
||||
* drivers, where the ioctl might have different effects. Notably, DRM is using the same
|
||||
* ioctl() number. */
|
||||
/* Explicitly check whether this is a regular file or
|
||||
* directory. If it is anything else (such as a device node or
|
||||
* fifo), then the ioctl will not hit the file systems but
|
||||
* possibly drivers, where the ioctl might have different
|
||||
* effects. Notably, DRM is using the same ioctl() number. */
|
||||
|
||||
if (!S_ISDIR(st.st_mode) && !S_ISREG(st.st_mode))
|
||||
return -ENOTTY;
|
||||
|
||||
if (mask == 0 && !ret_previous && !ret_final)
|
||||
if (mask == 0 && !previous)
|
||||
return 0;
|
||||
|
||||
if (ioctl(fd, FS_IOC_GETFLAGS, &old_attr) < 0)
|
||||
@ -42,55 +36,33 @@ int chattr_full(const char *path, int fd, unsigned value, unsigned mask, unsigne
|
||||
|
||||
new_attr = (old_attr & ~mask) | (value & mask);
|
||||
if (new_attr == old_attr) {
|
||||
if (ret_previous)
|
||||
*ret_previous = old_attr;
|
||||
if (ret_final)
|
||||
*ret_final = old_attr;
|
||||
if (previous)
|
||||
*previous = old_attr;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ioctl(fd, FS_IOC_SETFLAGS, &new_attr) >= 0) {
|
||||
if (ret_previous)
|
||||
*ret_previous = old_attr;
|
||||
if (ret_final)
|
||||
*ret_final = new_attr;
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (errno != EINVAL || !fallback)
|
||||
if (ioctl(fd, FS_IOC_SETFLAGS, &new_attr) < 0)
|
||||
return -errno;
|
||||
|
||||
/* When -EINVAL is returned, we assume that incompatible attributes are simultaneously
|
||||
* specified. E.g., compress(c) and nocow(C) attributes cannot be set to files on btrfs.
|
||||
* As a fallback, let's try to set attributes one by one. */
|
||||
if (previous)
|
||||
*previous = old_attr;
|
||||
|
||||
unsigned current_attr = old_attr;
|
||||
for (unsigned i = 0; i < sizeof(unsigned) * 8; i++) {
|
||||
unsigned new_one, mask_one = 1u << i;
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (!FLAGS_SET(mask, mask_one))
|
||||
continue;
|
||||
int chattr_path(const char *p, unsigned value, unsigned mask, unsigned *previous) {
|
||||
_cleanup_close_ int fd = -1;
|
||||
|
||||
new_one = UPDATE_FLAG(current_attr, mask_one, FLAGS_SET(value, mask_one));
|
||||
if (new_one == current_attr)
|
||||
continue;
|
||||
assert(p);
|
||||
|
||||
if (ioctl(fd, FS_IOC_SETFLAGS, &new_one) < 0) {
|
||||
if (errno != EINVAL)
|
||||
return -errno;
|
||||
continue;
|
||||
}
|
||||
if (mask == 0)
|
||||
return 0;
|
||||
|
||||
if (ioctl(fd, FS_IOC_GETFLAGS, ¤t_attr) < 0)
|
||||
return -errno;
|
||||
}
|
||||
fd = open(p, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW);
|
||||
if (fd < 0)
|
||||
return -errno;
|
||||
|
||||
if (ret_previous)
|
||||
*ret_previous = old_attr;
|
||||
if (ret_final)
|
||||
*ret_final = current_attr;
|
||||
|
||||
return current_attr == new_attr ? 1 : -ENOANO; /* -ENOANO indicates that some attributes cannot be set. */
|
||||
return chattr_fd(fd, value, mask, previous);
|
||||
}
|
||||
|
||||
int read_attr_fd(int fd, unsigned *ret) {
|
||||
|
||||
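Review bot: `chattr_path` short-circuits with `if (mask == 0) return 0;` before the file is even opened, so a caller that passes a non-NULL `previous` together with an empty mask gets 0 back with `*previous` never written, whereas `chattr_fd` (hunk at L88) only skips the ioctl when `mask == 0 && !previous`. Either make the check `if (mask == 0 && !previous) return 0;` so the two entry points agree, or drop it here and let chattr_fd decide. The rest of the contract is visible in this hunk and worth a comment on the functions: 1 when the flags were changed, 0 when nothing needed changing, negative errno otherwise, with -ENOTTY for anything that is not a regular file or directory.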
@ -2,8 +2,6 @@
|
||||
#pragma once
|
||||
|
||||
#include <linux/fs.h>
|
||||
#include <stdbool.h>
|
||||
#include <stddef.h>
|
||||
|
||||
#include "missing_fs.h"
|
||||
|
||||
@ -34,13 +32,8 @@
|
||||
FS_NOCOW_FL | \
|
||||
FS_PROJINHERIT_FL)
|
||||
|
||||
int chattr_full(const char *path, int fd, unsigned value, unsigned mask, unsigned *ret_previous, unsigned *ret_final, bool fallback);
|
||||
static inline int chattr_fd(int fd, unsigned value, unsigned mask, unsigned *previous) {
|
||||
return chattr_full(NULL, fd, value, mask, previous, NULL, false);
|
||||
}
|
||||
static inline int chattr_path(const char *path, unsigned value, unsigned mask, unsigned *previous) {
|
||||
return chattr_full(path, -1, value, mask, previous, NULL, false);
|
||||
}
|
||||
int chattr_fd(int fd, unsigned value, unsigned mask, unsigned *previous);
|
||||
int chattr_path(const char *p, unsigned value, unsigned mask, unsigned *previous);
|
||||
|
||||
int read_attr_fd(int fd, unsigned *ret);
|
||||
int read_attr_path(const char *p, unsigned *ret);
|
||||
|
||||
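Review bot: The prototypes `int chattr_fd(int fd, unsigned value, unsigned mask, unsigned *previous);` and `int chattr_path(const char *p, unsigned value, unsigned mask, unsigned *previous);` carry no description of their return contract, which the implementation hunk at L88 shows is three-valued: 1 when flags were changed, 0 when nothing needed changing (or mask is 0 and previous is NULL), negative errno otherwise, -ENOTTY for anything that is not a regular file or directory. Add a short comment above them stating that, and that `previous`, when non-NULL, receives the flags as they were before the call, since callers choosing between LOG_DEBUG and LOG_WARNING depend on the exact error set.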
@ -114,11 +114,7 @@ basic_sources = files('''
|
||||
linux/libc-compat.h
|
||||
linux/loadavg.h
|
||||
linux/netdevice.h
|
||||
linux/netfilter/nf_tables.h
|
||||
linux/netfilter/nfnetlink.h
|
||||
linux/netlink.h
|
||||
linux/nexthop.h
|
||||
linux/pkt_sched.h
|
||||
linux/rtnetlink.h
|
||||
linux/wireguard.h
|
||||
list.h
|
||||
|
||||
@ -42,7 +42,6 @@
|
||||
#define SPECIAL_SWAP_TARGET "swap.target"
|
||||
#define SPECIAL_NETWORK_ONLINE_TARGET "network-online.target"
|
||||
#define SPECIAL_TIME_SYNC_TARGET "time-sync.target" /* LSB's $time */
|
||||
#define SPECIAL_TIME_SET_TARGET "time-set.target"
|
||||
#define SPECIAL_BASIC_TARGET "basic.target"
|
||||
|
||||
/* LSB compatibility */
|
||||
|
||||
@ -99,20 +99,13 @@ static int timer_add_default_dependencies(Timer *t) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
LIST_FOREACH(value, v, t->values) {
|
||||
const char *target;
|
||||
|
||||
if (v->base != TIMER_CALENDAR)
|
||||
continue;
|
||||
|
||||
FOREACH_STRING(target, SPECIAL_TIME_SYNC_TARGET, SPECIAL_TIME_SET_TARGET) {
|
||||
r = unit_add_dependency_by_name(UNIT(t), UNIT_AFTER, target, true, UNIT_DEPENDENCY_DEFAULT);
|
||||
LIST_FOREACH(value, v, t->values)
|
||||
if (v->base == TIMER_CALENDAR) {
|
||||
r = unit_add_dependency_by_name(UNIT(t), UNIT_AFTER, SPECIAL_TIME_SYNC_TARGET, true, UNIT_DEPENDENCY_DEFAULT);
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return unit_add_two_dependencies_by_name(UNIT(t), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, true, UNIT_DEPENDENCY_DEFAULT);
|
||||
|
||||
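Review bot: The dependency added at `r = unit_add_dependency_by_name(UNIT(t), UNIT_AFTER, SPECIAL_TIME_SYNC_TARGET, true, UNIT_DEPENDENCY_DEFAULT);` is ordering-only: nothing in this function pulls time-sync.target in, so on a system where no other unit wants that target the calendar timer is not delayed at all and can still fire against an unset clock. If that is intended (leaving it to whatever provides time synchronization to pull the target in), say so on the loop, e.g. `/* Ordering only: we rely on the time synchronization service to pull in time-sync.target. */`. timer_add_default_dependencies begins outside the hunk.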
@ -258,7 +258,7 @@ static int find_slot_tokens(struct crypt_device *cd, Set *wipe_slots, Set *keep_
|
||||
return log_oom();
|
||||
}
|
||||
|
||||
/* And of course, also remember the tokens to remove. */
|
||||
/* And of course, als remember the tokens to remove. */
|
||||
if (shall_wipe)
|
||||
if (set_put(wipe_tokens, INT_TO_PTR(token)) < 0)
|
||||
return log_oom();
|
||||
|
||||
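Review bot: The comment on the new side reads `/* And of course, als remember the tokens to remove. */` where the other side has `also`; across this compare the new side re-introduces a set of spelling errors, several of them in strings users see. The same applies to `Specifiy` in the help text (hunk at L641), `environent` and `pasword` in error messages (hunks at L668 and L697), `futher` (L724), `destionation` (L1179 and L1221), `preceeding` (L1272), `inital` (L1298), `expcted` (L1499), `Faied` in an error message (L1525), `crated` in the man page hunk at L9, and the context prototype parameter `destoy_callback` in the header hunk at L1368. Take the old side's spelling for each; the user-visible strings matter most since people grep logs and help output for them.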
@ -90,7 +90,7 @@ static int help(void) {
|
||||
" --tpm2-device=PATH\n"
|
||||
" Enroll a TPM2 device\n"
|
||||
" --tpm2-pcrs=PCR1,PCR2,PCR3,…\n"
|
||||
" Specify TPM2 PCRs to seal against\n"
|
||||
" Specifiy TPM2 PCRs to seal against\n"
|
||||
" --wipe-slot=SLOT1,SLOT2,…\n"
|
||||
" Wipe specified slots\n"
|
||||
"\nSee the %s for details.\n"
|
||||
@ -390,7 +390,7 @@ static int prepare_luks(
|
||||
password,
|
||||
strlen(password));
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Password from environment variable $PASSWORD did not work.");
|
||||
return log_error_errno(r, "Password from environent variable $PASSWORD did not work.");
|
||||
} else {
|
||||
AskPasswordFlags ask_password_flags = ASK_PASSWORD_PUSH_CACHE|ASK_PASSWORD_ACCEPT_CACHED;
|
||||
_cleanup_free_ char *question = NULL, *disk_path = NULL;
|
||||
|
||||
@ -90,7 +90,7 @@ int acquire_fido2_key(
|
||||
|
||||
r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", until, flags, &pins);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to ask for user password: %m");
|
||||
return log_error_errno(r, "Failed to ask for user pasword: %m");
|
||||
|
||||
flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
|
||||
}
|
||||
|
||||
@ -1035,7 +1035,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
|
||||
&keyslot,
|
||||
&token);
|
||||
if (r == -ENXIO) {
|
||||
/* No further TPM2 tokens found in the LUKS2 header.*/
|
||||
/* No futher TPM2 tokens found in the LUKS2 header.*/
|
||||
if (found_some)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
|
||||
"No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking.");
|
||||
|
||||
@ -139,7 +139,7 @@ int socket_bind(sd_netlink *nl);
|
||||
int socket_broadcast_group_ref(sd_netlink *nl, unsigned group);
|
||||
int socket_broadcast_group_unref(sd_netlink *nl, unsigned group);
|
||||
int socket_write_message(sd_netlink *nl, sd_netlink_message *m);
|
||||
int socket_writev_message(sd_netlink *nl, sd_netlink_message **m, size_t msgcount);
|
||||
int socket_writev_message(sd_netlink *nl, sd_netlink_message *m[], size_t msgcount);
|
||||
int socket_read_message(sd_netlink *nl);
|
||||
|
||||
int rtnl_rqueue_make_room(sd_netlink *rtnl);
|
||||
|
||||
@ -238,14 +238,13 @@ int socket_write_message(sd_netlink *nl, sd_netlink_message *m) {
|
||||
return k;
|
||||
}
|
||||
|
||||
int socket_writev_message(sd_netlink *nl, sd_netlink_message **m, size_t msgcount) {
|
||||
int socket_writev_message(sd_netlink *nl, sd_netlink_message *m[], size_t msgcount) {
|
||||
_cleanup_free_ struct iovec *iovs = NULL;
|
||||
ssize_t k;
|
||||
size_t i;
|
||||
|
||||
assert(nl);
|
||||
assert(m);
|
||||
assert(msgcount > 0);
|
||||
assert(msgcount);
|
||||
|
||||
iovs = new0(struct iovec, msgcount);
|
||||
if (!iovs)
|
||||
|
||||
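Review bot: `size_t i;` and `ssize_t k;` are declared at the top of socket_writev_message but not used anywhere in the hunk, so their first use is further down, outside it; declaring `i` in its `for` statement and `k` where the write result is assigned keeps each in the smallest scope and makes the uninitialized window disappear. `assert(msgcount);` on a size_t reads less clearly than the old side's `assert(msgcount > 0);`; the comparison form states the intent. The function continues outside the hunk.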
@ -1027,9 +1027,9 @@ static const NLType rtnl_types[] = {
|
||||
[RTM_NEWADDRLABEL] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_addrlabel_type_system, .size = sizeof(struct ifaddrlblmsg) },
|
||||
[RTM_DELADDRLABEL] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_addrlabel_type_system, .size = sizeof(struct ifaddrlblmsg) },
|
||||
[RTM_GETADDRLABEL] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_addrlabel_type_system, .size = sizeof(struct ifaddrlblmsg) },
|
||||
[RTM_NEWRULE] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_routing_policy_rule_type_system, .size = sizeof(struct fib_rule_hdr) },
|
||||
[RTM_DELRULE] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_routing_policy_rule_type_system, .size = sizeof(struct fib_rule_hdr) },
|
||||
[RTM_GETRULE] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_routing_policy_rule_type_system, .size = sizeof(struct fib_rule_hdr) },
|
||||
[RTM_NEWRULE] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_routing_policy_rule_type_system, .size = sizeof(struct rtmsg) },
|
||||
[RTM_DELRULE] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_routing_policy_rule_type_system, .size = sizeof(struct rtmsg) },
|
||||
[RTM_GETRULE] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_routing_policy_rule_type_system, .size = sizeof(struct rtmsg) },
|
||||
[RTM_NEWNEXTHOP] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_nexthop_type_system, .size = sizeof(struct nhmsg) },
|
||||
[RTM_DELNEXTHOP] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_nexthop_type_system, .size = sizeof(struct nhmsg) },
|
||||
[RTM_GETNEXTHOP] = { .type = NETLINK_TYPE_NESTED, .type_system = &rtnl_nexthop_type_system, .size = sizeof(struct nhmsg) },
|
||||
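Review bot: The new side sizes the RTM_NEWRULE, RTM_DELRULE and RTM_GETRULE entries with `.size = sizeof(struct rtmsg)`, but the kernel's fib-rule messages carry a `struct fib_rule_hdr` header, which is what the old side used. The two structs happen to be the same size (12 bytes), so parsing does not break, but the table then documents the wrong wire format and any code that reads the header through the rtmsg layout would read the wrong members; keep `sizeof(struct fib_rule_hdr)` for the three entries. That type comes from `<linux/fib_rules.h>`, which I cannot see in this page's include hunks, so confirm it is still included on the new side.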
@ -1467,7 +1467,7 @@ static const NLTypeSystem nfnl_nft_rule_expr_type_system = {
|
||||
static const NLType nfnl_nft_rule_types[] = {
|
||||
[NFTA_RULE_TABLE] = { .type = NETLINK_TYPE_STRING, .size = NFT_TABLE_MAXNAMELEN - 1 },
|
||||
[NFTA_RULE_CHAIN] = { .type = NETLINK_TYPE_STRING, .size = NFT_TABLE_MAXNAMELEN - 1 },
|
||||
[NFTA_RULE_EXPRESSIONS] = { .type = NETLINK_TYPE_NESTED, .type_system = &nfnl_nft_rule_expr_type_system }
|
||||
[NFTA_RULE_EXPRESSIONS] = { .type = NETLINK_TYPE_NESTED, .type_system = &nfnl_nft_rule_expr_type_system }
|
||||
};
|
||||
|
||||
static const NLTypeSystem nfnl_nft_rule_type_system = {
|
||||
|
||||
@ -122,18 +122,21 @@ int sd_nfnl_nft_message_new_basechain(sd_netlink *nfnl, sd_netlink_message **ret
|
||||
|
||||
r = sd_netlink_message_append_u32(m, NFTA_HOOK_HOOKNUM, htobe32(hook));
|
||||
if (r < 0)
|
||||
return r;
|
||||
goto cancel;
|
||||
|
||||
r = sd_netlink_message_append_u32(m, NFTA_HOOK_PRIORITY, htobe32(prio));
|
||||
if (r < 0)
|
||||
return r;
|
||||
goto cancel;
|
||||
|
||||
r = sd_netlink_message_close_container(m);
|
||||
if (r < 0)
|
||||
return r;
|
||||
goto cancel;
|
||||
|
||||
*ret = TAKE_PTR(m);
|
||||
return 0;
|
||||
cancel:
|
||||
sd_netlink_message_cancel_array(m);
|
||||
return r;
|
||||
}
|
||||
|
||||
int sd_nfnl_nft_message_del_table(sd_netlink *nfnl, sd_netlink_message **ret,
|
||||
@ -240,7 +243,6 @@ int sd_nfnl_nft_message_new_setelems_begin(sd_netlink *nfnl, sd_netlink_message
|
||||
r = sd_netlink_message_open_container(m, NFTA_SET_ELEM_LIST_ELEMENTS);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
*ret = TAKE_PTR(m);
|
||||
return r;
|
||||
}
|
||||
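Review bot: `*ret = TAKE_PTR(m); return r;` returns the leftover value of r from sd_netlink_message_open_container, which is necessarily 0 at that point because the negative case returned just above; `return 0;` states the success contract explicitly and does not silently change meaning if another call is later inserted between the two. The same pattern is in sd_nfnl_nft_message_del_setelems_begin in the hunk at L991, while sd_nfnl_nft_message_new_basechain in the hunk at L898 already uses `return 0;`. Both functions start outside their hunks.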
@ -265,7 +267,6 @@ int sd_nfnl_nft_message_del_setelems_begin(sd_netlink *nfnl, sd_netlink_message
|
||||
r = sd_netlink_message_open_container(m, NFTA_SET_ELEM_LIST_ELEMENTS);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
*ret = TAKE_PTR(m);
|
||||
return r;
|
||||
}
|
||||
@ -282,9 +283,10 @@ static int sd_nfnl_add_data(sd_netlink_message *m, uint16_t attr, const void *da
|
||||
return sd_netlink_message_close_container(m); /* attr */
|
||||
}
|
||||
|
||||
int sd_nfnl_nft_message_add_setelem(sd_netlink_message *m, uint32_t num,
|
||||
const void *key, uint32_t klen,
|
||||
const void *data, uint32_t dlen) {
|
||||
int sd_nfnl_nft_message_add_setelem(sd_netlink_message *m,
|
||||
uint32_t num,
|
||||
const void *key, uint32_t klen,
|
||||
const void *data, uint32_t dlen) {
|
||||
int r;
|
||||
|
||||
r = sd_netlink_message_open_array(m, num);
|
||||
|
||||
@ -227,7 +227,7 @@ int sd_netlink_send(sd_netlink *nl,
|
||||
}
|
||||
|
||||
int sd_netlink_sendv(sd_netlink *nl,
|
||||
sd_netlink_message **messages,
|
||||
sd_netlink_message *messages[],
|
||||
size_t msgcount,
|
||||
uint32_t **ret_serial) {
|
||||
_cleanup_free_ uint32_t *serials = NULL;
|
||||
@ -237,7 +237,6 @@ int sd_netlink_sendv(sd_netlink *nl,
|
||||
assert_return(nl, -EINVAL);
|
||||
assert_return(!rtnl_pid_changed(nl), -ECHILD);
|
||||
assert_return(messages, -EINVAL);
|
||||
assert_return(msgcount > 0, -EINVAL);
|
||||
|
||||
if (ret_serial) {
|
||||
serials = new0(uint32_t, msgcount);
|
||||
|
||||
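Review bot: The hunk header says one line was dropped from this block of checks and the rendering does not mark which; if it is `assert_return(msgcount > 0, -EINVAL);`, keep it: sd_netlink_sendv is public API and socket_writev_message (hunk at L781) only has `assert(msgcount);`, so a zero count from a caller would abort inside the library instead of returning -EINVAL. With `msgcount == 0` the `serials = new0(uint32_t, msgcount)` path also produces a zero-length allocation whose result depends on how new0 treats a zero count. sd_netlink_sendv continues outside the hunk.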
@ -840,9 +840,9 @@ static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
|
||||
return log_link_error_errno(link, r, "Failed to get gateway address from RA: %m");
|
||||
|
||||
if (link_has_ipv6_address(link, &gateway.in6) == 0) {
|
||||
if (DEBUG_LOGGING) {
|
||||
_cleanup_free_ char *buf = NULL;
|
||||
_cleanup_free_ char *buf = NULL;
|
||||
|
||||
if (DEBUG_LOGGING) {
|
||||
(void) in_addr_to_string(AF_INET6, &gateway, &buf);
|
||||
log_link_debug(link, "Advertised route gateway, %s, is local to the link, ignoring route", strnull(buf));
|
||||
}
|
||||
|
||||
@ -3,10 +3,11 @@
|
||||
|
||||
#include <inttypes.h>
|
||||
|
||||
#include "firewall-util.h"
|
||||
|
||||
#include "sd-event.h"
|
||||
#include "sd-netlink.h"
|
||||
|
||||
#include "firewall-util.h"
|
||||
#include "in-addr-util.h"
|
||||
#include "list.h"
|
||||
|
||||
|
||||
@ -314,13 +314,12 @@ static int nfnl_add_expr_masq(sd_netlink_message *m) {
|
||||
return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */
|
||||
}
|
||||
|
||||
/* -t nat -A POSTROUTING -p protocol -s source/pflen -o out_interface -d destionation/pflen -j MASQUERADE */
|
||||
static int sd_nfnl_message_new_masq_rule(sd_netlink *nfnl, sd_netlink_message **ret, int family,
|
||||
const char *chain) {
|
||||
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
|
||||
int r;
|
||||
|
||||
/* -t nat -A POSTROUTING -p protocol -s source/pflen -o out_interface -d destination/pflen -j MASQUERADE */
|
||||
|
||||
r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, chain);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@ -352,6 +351,7 @@ static int sd_nfnl_message_new_masq_rule(sd_netlink *nfnl, sd_netlink_message **
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* -t nat -A PREROUTING -p protocol --dport local_port -i in_interface -s source/pflen -d destionation/pflen -j DNAT --to-destination remote_addr:remote_port */
|
||||
static int sd_nfnl_message_new_dnat_rule_pre(sd_netlink *nfnl, sd_netlink_message **ret, int family,
|
||||
const char *chain) {
|
||||
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
|
||||
@ -359,9 +359,6 @@ static int sd_nfnl_message_new_dnat_rule_pre(sd_netlink *nfnl, sd_netlink_messag
|
||||
uint32_t local = RTN_LOCAL;
|
||||
int r;
|
||||
|
||||
/* -t nat -A PREROUTING -p protocol --dport local_port -i in_interface -s source/pflen
|
||||
* -d destination/pflen -j DNAT --to-destination remote_addr:remote_port */
|
||||
|
||||
r = sd_nfnl_nft_message_new_rule(nfnl, &m, family, NFT_SYSTEMD_TABLE_NAME, chain);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@ -474,7 +471,7 @@ static int sd_nfnl_message_new_dnat_rule_out(sd_netlink *nfnl, sd_netlink_messag
|
||||
return r;
|
||||
|
||||
/* 4th statement: dnat connection to address/port retrieved by the
|
||||
* preceding expression. */
|
||||
* preceeding expression. */
|
||||
proto_reg = NFT_REG32_02;
|
||||
r = nfnl_add_expr_dnat(m, family, NFT_REG32_01, proto_reg);
|
||||
if (r < 0)
|
||||
@ -791,7 +788,7 @@ static int nft_message_add_setelem_iprange(sd_netlink_message *m,
|
||||
* In the nftables case, everything gets removed. The next add operation
|
||||
* will yield -ENOENT.
|
||||
*
|
||||
* If we see -ENOENT on add, replay the initial table setup.
|
||||
* If we see -ENOENT on add, replay the inital table setup.
|
||||
* If that works, re-do the add operation.
|
||||
*
|
||||
* Note that this doesn't protect against external sabotage such as a
|
||||
|
||||
@ -101,10 +101,10 @@ shared_sources = files('''
|
||||
fdset.h
|
||||
fileio-label.c
|
||||
fileio-label.h
|
||||
firewall-util-nft.c
|
||||
firewall-util-private.h
|
||||
firewall-util.c
|
||||
firewall-util-nft.c
|
||||
firewall-util.h
|
||||
firewall-util-private.h
|
||||
format-table.c
|
||||
format-table.h
|
||||
fsck-util.h
|
||||
|
||||
@ -60,7 +60,7 @@ sd_netlink *sd_netlink_ref(sd_netlink *nl);
|
||||
sd_netlink *sd_netlink_unref(sd_netlink *nl);
|
||||
|
||||
int sd_netlink_send(sd_netlink *nl, sd_netlink_message *message, uint32_t *serial);
|
||||
int sd_netlink_sendv(sd_netlink *nl, sd_netlink_message **messages, size_t msgcnt, uint32_t **ret_serial);
|
||||
int sd_netlink_sendv(sd_netlink *nl, sd_netlink_message *messages[], size_t msgcnt, uint32_t **ret_serial);
|
||||
int sd_netlink_call_async(sd_netlink *nl, sd_netlink_slot **ret_slot, sd_netlink_message *message,
|
||||
sd_netlink_message_handler_t callback, sd_netlink_destroy_t destoy_callback,
|
||||
void *userdata, uint64_t usec, const char *description);
|
||||
|
||||
@ -280,9 +280,9 @@ static void test_fd_is_mount_point(void) {
|
||||
assert_se(fd_is_mount_point(fd, "proc", 0) > 0);
|
||||
assert_se(fd_is_mount_point(fd, "proc/", 0) > 0);
|
||||
|
||||
/* /root's entire reason for being is to be on the root file system (i.e. not in /home/ which
|
||||
* might be split off), so that the user can always log in, so it cannot be a mount point unless
|
||||
* the system is borked. Let's allow for it to be missing though. */
|
||||
/* /root's entire raison d'etre is to be on the root file system (i.e. not in /home/ which might be
|
||||
* split off), so that the user can always log in, so it cannot be a mount point unless the system is
|
||||
* borked. Let's allow for it to be missing though. */
|
||||
assert_se(IN_SET(fd_is_mount_point(fd, "root", 0), -ENOENT, 0));
|
||||
assert_se(IN_SET(fd_is_mount_point(fd, "root/", 0), -ENOENT, 0));
|
||||
}
|
||||
|
||||
@ -1308,15 +1308,11 @@ static int fd_set_attribute(Item *item, int fd, const char *path, const struct s
|
||||
if (procfs_fd < 0)
|
||||
return log_error_errno(procfs_fd, "Failed to re-open '%s': %m", path);
|
||||
|
||||
unsigned previous, current;
|
||||
r = chattr_full(NULL, procfs_fd, f, item->attribute_mask, &previous, ¤t, true);
|
||||
if (r == -ENOANO)
|
||||
log_warning("Cannot set file attributes for '%s', maybe due to incompatiblity in specified attributes, "
|
||||
"previous=0x%08x, current=0x%08x, expected=0x%08x, ignoring.",
|
||||
path, previous, current, (previous & ~item->attribute_mask) | (f & item->attribute_mask));
|
||||
else if (r < 0)
|
||||
log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) ? LOG_DEBUG : LOG_WARNING, r,
|
||||
"Cannot set file attributes for '%s', value=0x%08x, mask=0x%08x, ignoring: %m",
|
||||
r = chattr_fd(procfs_fd, f, item->attribute_mask, NULL);
|
||||
if (r < 0)
|
||||
log_full_errno(IN_SET(r, -ENOTTY, -EOPNOTSUPP) ? LOG_DEBUG : LOG_WARNING,
|
||||
r,
|
||||
"Cannot set file attribute for '%s', value=0x%08x, mask=0x%08x, ignoring: %m",
|
||||
path, item->attribute_value, item->attribute_mask);
|
||||
|
||||
return 0;
|
||||
|
||||
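Review bot: The warning logged after `r = chattr_fd(procfs_fd, f, item->attribute_mask, NULL);` prints `item->attribute_value` as `value=`, but the value actually handed to the ioctl is `f`, which is computed above the hunk; if `f` is derived from attribute_value (presumably with bits that do not apply to this file type masked out), the log line can show flags that were never attempted. Log what was passed: `path, f, item->attribute_mask);`. Passing NULL for `previous` also discards the old flags, so the message cannot say what the file had, which is the first thing one wants when chasing why an attribute did not stick. fd_set_attribute starts and continues outside the hunk.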
@ -572,7 +572,7 @@ static int dmi_table(int64_t base, uint32_t len, uint16_t num, const char *devme
|
||||
|
||||
/*
|
||||
* When reading from sysfs or from a dump file, the file may be
|
||||
* shorter than announced. For SMBIOS v3 this is expected, as we
|
||||
* shorter than announced. For SMBIOS v3 this is expcted, as we
|
||||
* only know the maximum table size, not the actual table size.
|
||||
* For older implementations (and for SMBIOS v3 too), this
|
||||
* would be the result of the kernel truncating the table on
|
||||
@ -599,7 +599,7 @@ static int smbios3_decode(const uint8_t *buf, const char *devmem, bool no_file_o
|
||||
buf[0x06], 0x18U);
|
||||
|
||||
if (!verify_checksum(buf, buf[0x06]))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to verify checksum.");
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Faied to verify checksum.");
|
||||
|
||||
offset = QWORD(buf + 0x10);
|
||||
if (!no_file_offset && (offset >> 32) != 0 && sizeof(int64_t) < 8)
|
||||
|
||||
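Review bot: The condition `if (!no_file_offset && (offset >> 32) != 0 && sizeof(int64_t) < 8)` can never be true because sizeof(int64_t) is 8 by definition, so whatever guard against a table offset that does not fit the file-offset type this was meant to be is dead code; either drop the clause or test the type actually used for seeking (e.g. `sizeof(off_t) < 8`). The rest of smbios3_decode is outside the hunk, so I cannot see what `offset` is later passed to.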
@ -16,7 +16,7 @@ DefaultDependencies=no
|
||||
After=systemd-sysusers.service
|
||||
Before=time-set.target sysinit.target shutdown.target
|
||||
Conflicts=shutdown.target
|
||||
Wants=time-set.target
|
||||
Wants=time-set.target time-sync.target
|
||||
|
||||
[Service]
|
||||
AmbientCapabilities=CAP_SYS_TIME
|
||||
|
||||
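Review bot: `Wants=time-set.target time-sync.target` pulls time-sync.target in, but the ordering line above it is `Before=time-set.target sysinit.target shutdown.target`; this service is not ordered before time-sync.target, so the target can be reached as soon as it is queued, before the daemon has synchronized the clock. Units that order themselves After=time-sync.target (the calendar timers in the hunk at L541, for instance) then get no protection from it. If this daemon does not delay its startup notification until the clock is synchronized, wanting the target from here is misleading and it should be pulled in by a unit that does wait; otherwise add time-sync.target to `Before=`.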