No commits in common. "de5d773ddf3270817360bd637471a67c675580ad" and "bdd8728c91be3a344d879157ba49738e75ba4356" have entirely different histories.
de5d773ddf
...
bdd8728c91
@ -2691,15 +2691,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
|
||||
or the restart rate limit is reached. See the <literal>RestartMode=</literal> section in
|
||||
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for more details.</para>
|
||||
|
||||
<para><varname>OOMKills</varname> contains a different value depending on whether
|
||||
<varname>OOMPolicy=kill</varname> is enabled for the unit or not. If enabled, the property contains the
|
||||
number of times the kernel OOM killer killed all the processes in the unit's cgroup and its
|
||||
descendant cgroups. If disabled, the property contains the number of processes the kernel OOM killer
|
||||
has killed in the unit's cgroup and its descendant cgroups.</para>
|
||||
|
||||
<para><varname>ManagedOOMKills</varname> contains the number of times <command>systemd-oomd</command>
|
||||
killed all the processes in the unit's cgroup and its descendant cgroups.</para>
|
||||
</refsect2>
|
||||
|
||||
<refsect2>
|
||||
@ -2909,10 +2900,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -4260,10 +4247,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -5156,10 +5139,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -6507,10 +6486,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -7227,10 +7202,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -8408,10 +8379,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -9261,10 +9228,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -10406,10 +10369,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -11112,10 +11071,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -11481,10 +11436,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -11696,10 +11647,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -12103,10 +12050,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -12516,8 +12459,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>LogsDirectoryQuotaUsage</varname>,
|
||||
<varname>LogsDirectoryAccounting</varname>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Socket Unit Objects</title>
|
||||
@ -12583,8 +12524,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>LogsDirectoryQuotaUsage</varname>,
|
||||
<varname>LogsDirectoryAccounting</varname>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Mount Unit Objects</title>
|
||||
@ -12645,8 +12584,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>LogsDirectoryQuotaUsage</varname>,
|
||||
<varname>LogsDirectoryAccounting</varname>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Swap Unit Objects</title>
|
||||
@ -12705,8 +12642,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>LogsDirectoryQuotaUsage</varname>,
|
||||
<varname>LogsDirectoryAccounting</varname>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Slice Unit Objects</title>
|
||||
@ -12737,8 +12672,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>NCurrentlyActive</varname>,
|
||||
<function>RemoveSubgroup()</function>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Scope Unit Objects</title>
|
||||
@ -12767,8 +12700,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<para><varname>ManagedOOMMemoryPressureDurationUSec</varname> was added in version 257.</para>
|
||||
<para><function>RemoveSubgroup()</function> and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Job Objects</title>
|
||||
|
||||
@ -874,7 +874,7 @@
|
||||
|
||||
<listitem><para>Configures the list of PCRs to use for LUKS2 volumes configured with
|
||||
the <varname>Encrypt=tpm2</varname> setting in partition files.
|
||||
This option take the same parameters as the similarly named options to
|
||||
This option take the same parameters as the similary named options to
|
||||
<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
and have the same effect on partitions where TPM2 enrollment is requested.
|
||||
This option will be overridden by the global <varname>--tpm2-pcrs=</varname> option.</para>
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
raised as client-generated reply to the method call.</para>
|
||||
|
||||
<para>This call is particularly useful for method calls issued via
|
||||
<function>sd_varlink_observe()</function> that shall remain open continuously for a long time.</para>
|
||||
<function>sd_varlink_observe()</function> that shall remain open continously for a long time.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
||||
@ -1187,7 +1187,6 @@ conf.set10('HAVE_ACL', libacl.found())
|
||||
libaudit = dependency('audit',
|
||||
required : get_option('audit'))
|
||||
conf.set10('HAVE_AUDIT', libaudit.found())
|
||||
libaudit_cflags = libaudit.partial_dependency(includes: true, compile_args: true)
|
||||
|
||||
libblkid = dependency('blkid',
|
||||
required : get_option('blkid'))
|
||||
@ -1306,6 +1305,11 @@ endif
|
||||
conf.set10('HAVE_LIBIDN', not have and libidn.found())
|
||||
conf.set10('HAVE_LIBIDN2', have)
|
||||
|
||||
libiptc = dependency('libiptc',
|
||||
required : get_option('libiptc'))
|
||||
conf.set10('HAVE_LIBIPTC', libiptc.found())
|
||||
libiptc_cflags = libiptc.partial_dependency(includes: true, compile_args: true)
|
||||
|
||||
libqrencode = dependency('libqrencode',
|
||||
version : '>= 3',
|
||||
required : get_option('qrencode'))
|
||||
@ -3048,6 +3052,7 @@ foreach tuple : [
|
||||
['libfido2'],
|
||||
['libidn'],
|
||||
['libidn2'],
|
||||
['libiptc'],
|
||||
['microhttpd'],
|
||||
['openssl'],
|
||||
['p11kit'],
|
||||
|
||||
@ -432,7 +432,7 @@ option('libidn2', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
|
||||
description : 'libidn2 support')
|
||||
option('libidn', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
|
||||
description : 'libidn support')
|
||||
option('libiptc', type : 'feature', deprecated : true,
|
||||
option('libiptc', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
|
||||
description : 'libiptc support')
|
||||
option('qrencode', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
|
||||
description : 'libqrencode support')
|
||||
|
||||
@ -90,7 +90,6 @@ wrap=(
|
||||
socat
|
||||
sshd
|
||||
stat
|
||||
stress-ng
|
||||
su
|
||||
tar
|
||||
tgtd
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
|
||||
@ -3,6 +3,7 @@
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "ansi-color.h"
|
||||
#include "log.h"
|
||||
#include "process-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
|
||||
@ -126,6 +126,12 @@ const char* const systemd_features =
|
||||
" -IDN"
|
||||
#endif
|
||||
|
||||
#if HAVE_LIBIPTC
|
||||
" +IPTC"
|
||||
#else
|
||||
" -IPTC"
|
||||
#endif
|
||||
|
||||
#if HAVE_KMOD
|
||||
" +KMOD"
|
||||
#else
|
||||
|
||||
@ -6,6 +6,7 @@
|
||||
#include "alloc-util.h"
|
||||
#include "env-file.h"
|
||||
#include "env-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "escape.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
|
||||
@ -20,6 +20,7 @@
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "process-util.h"
|
||||
#include "socket-util.h"
|
||||
#include "sort-util.h"
|
||||
#include "stat-util.h"
|
||||
#include "stdio-util.h"
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "filesystems-gperf.h"
|
||||
#include "nulstr-util.h"
|
||||
#include "stat-util.h"
|
||||
#include "string-util.h"
|
||||
|
||||
|
||||
@ -39,8 +39,7 @@ char* format_bytes_full(char *buf, size_t l, uint64_t t, FormatBytesFlag flag) {
|
||||
(t / table[i + 1].factor * 10 / table[n - 1].factor) % 10 :
|
||||
(t * 10 / table[i].factor) % 10;
|
||||
|
||||
if (FLAGS_SET(flag, FORMAT_BYTES_ALWAYS_POINT) ||
|
||||
(FLAGS_SET(flag, FORMAT_BYTES_BELOW_POINT) && remainder > 0))
|
||||
if (FLAGS_SET(flag, FORMAT_BYTES_BELOW_POINT) && remainder > 0)
|
||||
(void) snprintf(buf, l,
|
||||
"%" PRIu64 ".%" PRIu64 "%s",
|
||||
t / table[i].factor,
|
||||
|
||||
@ -64,10 +64,9 @@ assert_cc(sizeof(gid_t) == sizeof(uint32_t));
|
||||
#endif
|
||||
|
||||
typedef enum {
|
||||
FORMAT_BYTES_USE_IEC = 1 << 0, /* use base 1024 rather than 1000 */
|
||||
FORMAT_BYTES_BELOW_POINT = 1 << 1, /* show one digit after the point, if non-zero */
|
||||
FORMAT_BYTES_ALWAYS_POINT = 1 << 2, /* show one digit after the point, always */
|
||||
FORMAT_BYTES_TRAILING_B = 1 << 3, /* suffix the expression with a "B" for "bytes" */
|
||||
FORMAT_BYTES_USE_IEC = 1 << 0,
|
||||
FORMAT_BYTES_BELOW_POINT = 1 << 1,
|
||||
FORMAT_BYTES_TRAILING_B = 1 << 2,
|
||||
} FormatBytesFlag;
|
||||
|
||||
#define FORMAT_BYTES_MAX 16U
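Review bot: The three `FormatBytesFlag` members on the new side carry no comments, so a reader has to go find format_bytes_full() to learn what each bit does; one-line trailing comments would fix that: `FORMAT_BYTES_USE_IEC = 1 << 0, /* base 1024 rather than 1000 */`, `FORMAT_BYTES_BELOW_POINT = 1 << 1, /* show one digit after the point, if non-zero */`, `FORMAT_BYTES_TRAILING_B = 1 << 2, /* append "B" for bytes */`. The BELOW_POINT wording is backed by the `remainder > 0` check visible in the format_bytes_full() hunk above; the other two are inferred from the names and should be checked against the implementation before landing.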
|
||||
@ -83,7 +82,6 @@ static inline char* format_bytes(char *buf, size_t l, uint64_t t) {
|
||||
* see C11 §6.5.2.5, and
|
||||
* https://stackoverflow.com/questions/34880638/compound-literal-lifetime-and-if-blocks */
|
||||
#define FORMAT_BYTES(t) format_bytes((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t)
|
||||
#define FORMAT_BYTES_FULL(t, flags) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, flags)
|
||||
#define FORMAT_BYTES_WITH_POINT(t) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, FORMAT_BYTES_USE_IEC|FORMAT_BYTES_ALWAYS_POINT|FORMAT_BYTES_TRAILING_B)
|
||||
#define FORMAT_BYTES_FULL(t, flag) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, flag)
|
||||
|
||||
#define FORMAT_BYTES_CGROUP_PROTECTION(t) (t == CGROUP_LIMIT_MAX ? "infinity" : FORMAT_BYTES(t))
|
||||
|
||||
@ -284,6 +284,7 @@ typedef struct ConfigTableItem ConfigTableItem;
|
||||
typedef struct CPUSet CPUSet;
|
||||
typedef struct FDSet FDSet;
|
||||
typedef struct Fido2HmacSalt Fido2HmacSalt;
|
||||
typedef struct FirewallContext FirewallContext;
|
||||
typedef struct GroupRecord GroupRecord;
|
||||
typedef struct Image Image;
|
||||
typedef struct ImagePolicy ImagePolicy;
|
||||
|
||||
@ -16,8 +16,8 @@
|
||||
#include "log.h"
|
||||
#include "namespace-util.h"
|
||||
#include "parse-util.h"
|
||||
#include "pidref.h"
|
||||
#include "process-util.h"
|
||||
#include "stat-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
#include "strv.h"
|
||||
@ -816,19 +816,16 @@ int running_in_chroot(void) {
|
||||
if (getenv_bool("SYSTEMD_IGNORE_CHROOT") > 0)
|
||||
return 0;
|
||||
|
||||
r = inode_same("/proc/1/root", "/", /* flags = */ 0);
|
||||
if (r == -ENOENT) {
|
||||
r = proc_mounted();
|
||||
if (r == 0) {
|
||||
if (getpid_cached() == 1)
|
||||
return false; /* We will mount /proc, assuming we're not in a chroot. */
|
||||
r = pidref_from_same_root_fs(&PIDREF_MAKE_FROM_PID(1), NULL);
|
||||
if (r == -ENOSYS) {
|
||||
if (getpid_cached() == 1)
|
||||
return false; /* We will mount /proc, assuming we're not in a chroot. */
|
||||
|
||||
log_debug("/proc/ is not mounted, assuming we're in a chroot.");
|
||||
return true;
|
||||
}
|
||||
if (r > 0) /* If we have fake /proc/, we can't do the check properly. */
|
||||
return -ENOSYS;
|
||||
log_debug("/proc/ is not mounted, assuming we're in a chroot.");
|
||||
return true;
|
||||
}
|
||||
if (r == -ESRCH) /* We must have a fake /proc/, we can't do the check properly. */
|
||||
return -ENOSYS;
|
||||
if (r < 0)
|
||||
return r;
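Review bot: The `if (r == -ENOSYS)` branch relies on an error-code contract of `pidref_from_same_root_fs()` that is not visible in this hunk — -ENOSYS is read as "/proc/ is not mounted" and -ESRCH as "PID 1 not visible, so /proc/ is fake" — but only the -ESRCH line says so; I'd add `/* -ENOSYS: no /proc/ available (TODO: confirm against pidref_from_same_root_fs()) */` on the first `if`. It is also worth stating, in the function's header comment outside the hunk, that the answer is advisory and not a security boundary: the `SYSTEMD_IGNORE_CHROOT` environment check at the top lets the caller's environment force the "not in a chroot" result, so no privilege decision should hinge on it. running_in_chroot() starts and ends outside the hunk.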
|
||||
|
||||
|
||||
@ -28,12 +28,12 @@
|
||||
#include "fd-util.h"
|
||||
#include "fdset.h"
|
||||
#include "fileio.h"
|
||||
#include "firewall-util.h"
|
||||
#include "in-addr-prefix-util.h"
|
||||
#include "inotify-util.h"
|
||||
#include "ip-protocol-list.h"
|
||||
#include "limits-util.h"
|
||||
#include "manager.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "nulstr-util.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
@ -1335,10 +1335,12 @@ void unit_modify_nft_set(Unit *u, bool add) {
|
||||
if (!crt || crt->cgroup_id == 0)
|
||||
return;
|
||||
|
||||
if (!u->manager->nfnl) {
|
||||
r = sd_nfnl_socket_open(&u->manager->nfnl);
|
||||
if (!u->manager->fw_ctx) {
|
||||
r = fw_ctx_new_full(&u->manager->fw_ctx, /* init_tables= */ false);
|
||||
if (r < 0)
|
||||
return;
|
||||
|
||||
assert(u->manager->fw_ctx);
|
||||
}
|
||||
|
||||
CGroupContext *c = ASSERT_PTR(unit_get_cgroup_context(u));
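Review bot: The failure path of the lazy firewall-context creation is silent — when `fw_ctx_new_full()` fails the function does a bare `return;`, so the unit's cgroup ID is never added to its NFTSet= set, while the later `nft_set_element_modify_any()` failure is reported at warning level. Since those sets are what the administrator's firewall policy keys on, dropping the element without a trace means rules written against the set silently stop matching this unit; I'd replace the bare `return;` with `{ log_warning_errno(r, "Failed to create firewall context, ignoring NFTSet= for this unit: %m"); return; }`. The `assert(u->manager->fw_ctx)` after success is harmless but redundant if `fw_ctx_new_full()` guarantees its out-parameter on success, which is not visible here. unit_modify_nft_set() begins before the hunk and its set loop continues in the next one.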
|
||||
@ -1349,7 +1351,7 @@ void unit_modify_nft_set(Unit *u, bool add) {
|
||||
|
||||
uint64_t element = crt->cgroup_id;
|
||||
|
||||
r = nft_set_element_modify_any(u->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
|
||||
r = nft_set_element_modify_any(u->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to %s NFT set entry: family %s, table %s, set %s, cgroup %" PRIu64 ", ignoring: %m",
|
||||
add? "add" : "delete", nfproto_to_string(nft_set->nfproto), nft_set->table, nft_set->set, crt->cgroup_id);
|
||||
@ -3034,43 +3036,20 @@ int unit_check_oom(Unit *u) {
|
||||
if (!crt || !crt->cgroup_path)
|
||||
return 0;
|
||||
|
||||
CGroupContext *ctx = unit_get_cgroup_context(u);
|
||||
if (!ctx)
|
||||
return 0;
|
||||
|
||||
/* If memory.oom.group=1, then look up the oom_group_kill field, which reports how many times the
|
||||
* kernel killed every process recursively in this cgroup and its descendants, similar to
|
||||
* systemd-oomd. Because the memory.events.local file was only introduced in kernel 5.12, we fall
|
||||
* back to reading oom_kill if we can't find the file or field. */
|
||||
|
||||
if (ctx->memory_oom_group) {
|
||||
r = cg_get_keyed_attribute(
|
||||
"memory",
|
||||
crt->cgroup_path,
|
||||
"memory.events.local",
|
||||
STRV_MAKE("oom_group_kill"),
|
||||
&oom_kill);
|
||||
if (r < 0 && !IN_SET(r, -ENOENT, -ENXIO))
|
||||
return log_unit_debug_errno(u, r, "Failed to read oom_group_kill field of memory.events.local cgroup attribute, ignoring: %m");
|
||||
}
|
||||
|
||||
if (isempty(oom_kill)) {
|
||||
r = cg_get_keyed_attribute(
|
||||
r = cg_get_keyed_attribute(
|
||||
"memory",
|
||||
crt->cgroup_path,
|
||||
"memory.events",
|
||||
STRV_MAKE("oom_kill"),
|
||||
&oom_kill);
|
||||
if (r < 0 && !IN_SET(r, -ENOENT, -ENXIO))
|
||||
return log_unit_debug_errno(u, r, "Failed to read oom_kill field of memory.events cgroup attribute: %m");
|
||||
}
|
||||
|
||||
if (!oom_kill)
|
||||
if (IN_SET(r, -ENOENT, -ENXIO)) /* Handle gracefully if cgroup or oom_kill attribute don't exist */
|
||||
c = 0;
|
||||
else if (r < 0)
|
||||
return log_unit_debug_errno(u, r, "Failed to read oom_kill field of memory.events cgroup attribute: %m");
|
||||
else {
|
||||
r = safe_atou64(oom_kill, &c);
|
||||
if (r < 0)
|
||||
return log_unit_debug_errno(u, r, "Failed to parse memory.events cgroup oom field: %m");
|
||||
return log_unit_debug_errno(u, r, "Failed to parse oom_kill field: %m");
|
||||
}
|
||||
|
||||
increased = c > crt->oom_kill_last;
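Review bot: The counter read here comes from `memory.events`, which in cgroup v2 is the hierarchical file, so `oom_kill` also counts kills inside descendant cgroups; for a unit with Delegate= the "killed by the OOM killer" notice in the next hunk will therefore fire for kills in sub-cgroups the service manager does not manage, which deserves a comment next to the read, e.g. `/* memory.events is hierarchical: oom_kill includes kills in descendant cgroups (e.g. Delegate= subtrees). */`. The `-ENOENT`/`-ENXIO` → `c = 0` path is reasonable for a vanished cgroup, but a short comment that this is deliberately treated as "no new kills" rather than an error would save the next reader from wondering. unit_check_oom() begins and ends outside the hunk.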
|
||||
@ -3082,7 +3061,7 @@ int unit_check_oom(Unit *u) {
|
||||
log_unit_struct(u, LOG_NOTICE,
|
||||
LOG_MESSAGE_ID(SD_MESSAGE_UNIT_OUT_OF_MEMORY_STR),
|
||||
LOG_UNIT_INVOCATION_ID(u),
|
||||
LOG_UNIT_MESSAGE(u, "The kernel OOM killer killed some processes in this unit."));
|
||||
LOG_UNIT_MESSAGE(u, "A process of this unit has been killed by the OOM killer."));
|
||||
|
||||
unit_notify_cgroup_oom(u, /* managed_oom= */ false);
|
||||
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
#include "cgroup-util.h"
|
||||
#include "dbus-cgroup.h"
|
||||
#include "escape.h"
|
||||
#include "firewall-util.h"
|
||||
#include "in-addr-prefix-util.h"
|
||||
#include "limits-util.h"
|
||||
#include "manager.h"
|
||||
|
||||
@ -1295,42 +1295,6 @@ static int property_get_cgroup_id(
|
||||
return sd_bus_message_append(reply, "t", crt ? crt->cgroup_id : UINT64_C(0));
|
||||
}
|
||||
|
||||
static int property_get_oom_kills(
|
||||
sd_bus *bus,
|
||||
const char *path,
|
||||
const char *interface,
|
||||
const char *property,
|
||||
sd_bus_message *reply,
|
||||
void *userdata,
|
||||
sd_bus_error *error) {
|
||||
|
||||
Unit *u = ASSERT_PTR(userdata);
|
||||
|
||||
assert(bus);
|
||||
assert(reply);
|
||||
|
||||
CGroupRuntime *crt = unit_get_cgroup_runtime(u);
|
||||
return sd_bus_message_append(reply, "t", crt ? crt->oom_kill_last : UINT64_MAX);
|
||||
}
|
||||
|
||||
static int property_get_managed_oom_kills(
|
||||
sd_bus *bus,
|
||||
const char *path,
|
||||
const char *interface,
|
||||
const char *property,
|
||||
sd_bus_message *reply,
|
||||
void *userdata,
|
||||
sd_bus_error *error) {
|
||||
|
||||
Unit *u = ASSERT_PTR(userdata);
|
||||
|
||||
assert(bus);
|
||||
assert(reply);
|
||||
|
||||
CGroupRuntime *crt = unit_get_cgroup_runtime(u);
|
||||
return sd_bus_message_append(reply, "t", crt ? crt->managed_oom_kill_last : UINT64_MAX);
|
||||
}
|
||||
|
||||
static int append_process(sd_bus_message *reply, const char *p, PidRef *pid, Set *pids) {
|
||||
_cleanup_free_ char *buf = NULL, *cmdline = NULL;
|
||||
int r;
|
||||
@ -1751,8 +1715,6 @@ const sd_bus_vtable bus_unit_cgroup_vtable[] = {
|
||||
SD_BUS_PROPERTY("IOReadOperations", "t", property_get_io_counter, 0, 0),
|
||||
SD_BUS_PROPERTY("IOWriteBytes", "t", property_get_io_counter, 0, 0),
|
||||
SD_BUS_PROPERTY("IOWriteOperations", "t", property_get_io_counter, 0, 0),
|
||||
SD_BUS_PROPERTY("OOMKills", "t", property_get_oom_kills, 0, 0),
|
||||
SD_BUS_PROPERTY("ManagedOOMKills", "t", property_get_managed_oom_kills, 0, 0),
|
||||
|
||||
SD_BUS_METHOD_WITH_ARGS("GetProcesses",
|
||||
SD_BUS_NO_ARGS,
|
||||
|
||||
@ -62,6 +62,7 @@
|
||||
#include "open-file.h"
|
||||
#include "osc-context.h"
|
||||
#include "path-util.h"
|
||||
#include "percent-util.h"
|
||||
#include "pidref.h"
|
||||
#include "proc-cmdline.h"
|
||||
#include "process-util.h"
|
||||
|
||||
@ -115,6 +115,10 @@ int kmod_setup(void) {
|
||||
/* This should never be a module */
|
||||
{ "unix", "/proc/net/unix", true, true, NULL },
|
||||
|
||||
#if HAVE_LIBIPTC
|
||||
/* netfilter is needed by networkd, nspawn among others, and cannot be autoloaded */
|
||||
{ "ip_tables", "/proc/net/ip_tables_names", false, false, NULL },
|
||||
#endif
|
||||
/* virtio_rng would be loaded by udev later, but real entropy might be needed very early */
|
||||
{ "virtio_rng", NULL, false, false, has_virtio_rng },
|
||||
|
||||
|
||||
@ -32,6 +32,7 @@
|
||||
#include "execute.h"
|
||||
#include "extract-word.h"
|
||||
#include "fd-util.h"
|
||||
#include "firewall-util.h"
|
||||
#include "fstab-util.h"
|
||||
#include "hashmap.h"
|
||||
#include "hexdecoct.h"
|
||||
|
||||
@ -12,7 +12,6 @@
|
||||
#include "sd-bus.h"
|
||||
#include "sd-daemon.h"
|
||||
#include "sd-messages.h"
|
||||
#include "sd-netlink.h"
|
||||
#include "sd-path.h"
|
||||
|
||||
#include "all-units.h"
|
||||
@ -1754,7 +1753,7 @@ Manager* manager_free(Manager *m) {
|
||||
free(m->watchdog_pretimeout_governor);
|
||||
free(m->watchdog_pretimeout_governor_overridden);
|
||||
|
||||
sd_netlink_unref(m->nfnl);
|
||||
fw_ctx_free(m->fw_ctx);
|
||||
|
||||
#if BPF_FRAMEWORK
|
||||
bpf_restrict_fs_destroy(m->restrict_fs);
|
||||
@ -3417,7 +3416,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
|
||||
}
|
||||
|
||||
msg = strjoina("unit=", p);
|
||||
if (sym_audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
|
||||
if (audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
|
||||
if (ERRNO_IS_PRIVILEGE(errno)) {
|
||||
/* We aren't allowed to send audit messages? Then let's not retry again. */
|
||||
log_debug_errno(errno, "Failed to send audit message, closing audit socket: %m");
|
||||
|
||||
@ -474,7 +474,7 @@ typedef struct Manager {
|
||||
sd_event_source *memory_pressure_event_source;
|
||||
|
||||
/* For NFTSet= */
|
||||
sd_netlink *nfnl;
|
||||
FirewallContext *fw_ctx;
|
||||
|
||||
/* Pin the systemd-executor binary, so that it never changes until re-exec, ensuring we don't have
|
||||
* serialization/deserialization compatibility issues during upgrades. */
|
||||
|
||||
@ -132,7 +132,7 @@ libcore_static = static_library(
|
||||
implicit_include_directories : false,
|
||||
c_args : ['-fvisibility=default'],
|
||||
dependencies : [libacl,
|
||||
libaudit_cflags,
|
||||
libaudit,
|
||||
libblkid,
|
||||
libdl,
|
||||
libm,
|
||||
|
||||
@ -38,6 +38,7 @@
|
||||
#include "nsflags.h"
|
||||
#include "nulstr-util.h"
|
||||
#include "os-util.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "pidref.h"
|
||||
#include "process-util.h"
|
||||
|
||||
@ -121,9 +121,9 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
|
||||
|
||||
if (r >= 0) {
|
||||
if (type == SELINUX_AVC)
|
||||
sym_audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
|
||||
audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
|
||||
else if (type == SELINUX_ERROR)
|
||||
sym_audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
|
||||
audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
|
||||
|
||||
return 0;
|
||||
}
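Review bot: Both `audit_log_user_avc_message()` calls discard their return value, so an AVC or SELinux-error record that the audit socket refuses (e.g. a privilege or connection error) is lost from the audit trail with no trace in the journal — a detection gap worth at least a debug line, and until then the discard should be explicit in the `(void)` style used elsewhere in this diff: `(void) audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());` and likewise for `AUDIT_USER_SELINUX_ERR`. Whether a `log_debug_errno()` from inside this libselinux log callback is safe against re-entry is not visible here and should be checked against how the callback is registered. log_callback() begins outside the hunk.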
|
||||
|
||||
@ -35,6 +35,7 @@
|
||||
#include "id128-util.h"
|
||||
#include "install.h"
|
||||
#include "iovec-util.h"
|
||||
#include "label-util.h"
|
||||
#include "load-dropin.h"
|
||||
#include "load-fragment.h"
|
||||
#include "log.h"
|
||||
@ -43,7 +44,6 @@
|
||||
#include "manager.h"
|
||||
#include "mount-util.h"
|
||||
#include "mountpoint-util.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "path-util.h"
|
||||
#include "process-util.h"
|
||||
#include "quota-util.h"
|
||||
@ -5290,17 +5290,19 @@ static void unit_modify_user_nft_set(Unit *u, bool add, NFTSetSource source, uin
|
||||
if (!c)
|
||||
return;
|
||||
|
||||
if (!u->manager->nfnl) {
|
||||
r = sd_nfnl_socket_open(&u->manager->nfnl);
|
||||
if (!u->manager->fw_ctx) {
|
||||
r = fw_ctx_new_full(&u->manager->fw_ctx, /* init_tables= */ false);
|
||||
if (r < 0)
|
||||
return;
|
||||
|
||||
assert(u->manager->fw_ctx);
|
||||
}
|
||||
|
||||
FOREACH_ARRAY(nft_set, c->nft_set_context.sets, c->nft_set_context.n_sets) {
|
||||
if (nft_set->source != source)
|
||||
continue;
|
||||
|
||||
r = nft_set_element_modify_any(u->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
|
||||
r = nft_set_element_modify_any(u->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to %s NFT set entry: family %s, table %s, set %s, ID %u, ignoring: %m",
|
||||
add? "add" : "delete", nfproto_to_string(nft_set->nfproto), nft_set->table, nft_set->set, element);
|
||||
|
||||
@ -615,9 +615,5 @@ int unit_cgroup_runtime_build_json(sd_json_variant **ret, const char *name, void
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOReadBytes", get_io_counter_build_json, u),
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOReadOperations", get_io_counter_build_json, u),
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteBytes", get_io_counter_build_json, u),
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteOperations", get_io_counter_build_json, u),
|
||||
|
||||
/* OOM */
|
||||
SD_JSON_BUILD_PAIR_UNSIGNED("OOMKills", crt->oom_kill_last),
|
||||
SD_JSON_BUILD_PAIR_UNSIGNED("ManagedOOMKills", crt->managed_oom_kill_last));
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteOperations", get_io_counter_build_json, u));
|
||||
}
|
||||
|
||||
@ -3,6 +3,7 @@
|
||||
#include "sd-varlink.h"
|
||||
|
||||
#include "dynamic-user.h"
|
||||
#include "errno-util.h"
|
||||
#include "hashmap.h"
|
||||
#include "json-util.h"
|
||||
#include "manager.h"
|
||||
|
||||
@ -13,7 +13,9 @@
|
||||
#include "set.h"
|
||||
#include "strv.h"
|
||||
#include "unit.h"
|
||||
#include "unit-name.h"
|
||||
#include "varlink-cgroup.h"
|
||||
#include "varlink-common.h"
|
||||
#include "varlink-unit.h"
|
||||
#include "varlink-util.h"
|
||||
|
||||
|
||||
@ -4,6 +4,7 @@
|
||||
|
||||
#include "constants.h"
|
||||
#include "errno-util.h"
|
||||
#include "json-util.h"
|
||||
#include "manager.h"
|
||||
#include "path-util.h"
|
||||
#include "pidref.h"
|
||||
|
||||
@ -22,6 +22,7 @@
|
||||
#include "fs-util.h"
|
||||
#include "fsck-util.h"
|
||||
#include "main-func.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "proc-cmdline.h"
|
||||
#include "process-util.h"
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
#include "fuzz.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "iovec-util.h"
|
||||
#include "log.h"
|
||||
|
||||
static FILE *null = NULL;
|
||||
|
||||
|
||||
@ -6,6 +6,7 @@
|
||||
#include "dirent-util.h"
|
||||
#include "escape.h"
|
||||
#include "fd-util.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "io-util.h"
|
||||
#include "log.h"
|
||||
#include "memory-util.h"
|
||||
|
||||
@ -759,7 +759,7 @@ int pull_job_begin(PullJob *j) {
|
||||
if (curl_easy_setopt(j->curl, CURLOPT_XFERINFODATA, j) != CURLE_OK)
|
||||
return -EIO;
|
||||
|
||||
if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0L) != CURLE_OK)
|
||||
if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0) != CURLE_OK)
|
||||
return -EIO;
|
||||
|
||||
r = curl_glue_add(j->glue, j->curl);
|
||||
|
||||
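Review bot: `curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0)` passes an `int` through a variadic call for an option libcurl reads as `long`; on LP64 targets that is undefined behaviour even where it happens to work, so the literal should stay `0L`. The same applies to `easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0, ...)` in the start_upload hunk further down, where the option decides whether the server certificate is verified at all, so a misread argument would be security-relevant rather than cosmetic. pull_job_begin's body continues outside the hunk.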
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <fcntl.h> /* IWYU pragma: export */
|
||||
#include_next <fcntl.h>
|
||||
|
||||
/* This is defined since glibc-2.41. */
|
||||
#ifndef F_DUPFD_QUERY
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <malloc.h> /* IWYU pragma: export */
|
||||
#include_next <malloc.h>
|
||||
|
||||
#if !HAVE_MALLINFO2
|
||||
struct mallinfo2 {
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
* Note, this must be included before sched.h, otherwise the headers conflict with each other. */
|
||||
#include <linux/sched/types.h>
|
||||
|
||||
#include_next <sched.h> /* IWYU pragma: export */
|
||||
#include_next <sched.h>
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <signal.h> /* IWYU pragma: export */
|
||||
#include_next <signal.h>
|
||||
|
||||
#if !HAVE_RT_TGSIGQUEUEINFO
|
||||
int missing_rt_tgsigqueueinfo(pid_t tgid, pid_t tid, int sig, siginfo_t *info);
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/mman.h> /* IWYU pragma: export */
|
||||
#include_next <sys/mman.h>
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
/* since glibc-2.36 */
|
||||
#if HAVE_PIDFD_OPEN
|
||||
#include_next <sys/pidfd.h> /* IWYU pragma: export */
|
||||
#include_next <sys/pidfd.h>
|
||||
#endif
|
||||
|
||||
#include <linux/types.h>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/quota.h> /* IWYU pragma: export */
|
||||
#include_next <sys/quota.h>
|
||||
|
||||
/* Supported since kernel v5.14 (64c2c2c62f92339b176ea24403d8db16db36f9e6). */
|
||||
#if !HAVE_QUOTACTL_FD
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/random.h> /* IWYU pragma: export */
|
||||
#include_next <sys/random.h>
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/socket.h> /* IWYU pragma: export */
|
||||
#include_next <sys/socket.h>
|
||||
|
||||
/* Supported since kernel v6.5 (5e2ff6704a275be009be8979af17c52361b79b89) */
|
||||
#ifndef SO_PASSPIDFD
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/stat.h> /* IWYU pragma: export */
|
||||
#include_next <sys/stat.h>
|
||||
|
||||
/* Supported since kernel v6.6 (78252deb023cf0879256fcfbafe37022c390762b). */
|
||||
#if !HAVE_FCHMODAT2
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
*/
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/syscall.h> /* IWYU pragma: export */
|
||||
#include_next <sys/syscall.h>
|
||||
|
||||
#ifdef ARCH_MIPS
|
||||
#include <asm/sgidefs.h>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/wait.h> /* IWYU pragma: export */
|
||||
#include_next <sys/wait.h>
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
|
||||
@ -3,9 +3,9 @@
|
||||
|
||||
/* To make struct xattr_args defined, which is used by setxattrat(). Note, the kernel header must be
|
||||
* included before the glibc header, otherwise the struct will not be defined. */
|
||||
#include <linux/xattr.h> /* IWYU pragma: export */
|
||||
#include <linux/xattr.h>
|
||||
|
||||
#include_next <sys/xattr.h> /* IWYU pragma: export */
|
||||
#include_next <sys/xattr.h>
|
||||
|
||||
/* Supported since kernel v6.13 (6140be90ec70c39fa844741ca3cc807dd0866394). */
|
||||
#if !HAVE_SETXATTRAT
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <unistd.h> /* IWYU pragma: export */
|
||||
#include_next <unistd.h>
|
||||
|
||||
/* Defined since glibc-2.34.
|
||||
* Supported since kernel v5.9 (9b4feb630e8e9801603f3cab3a36369e3c1cf88d). */
|
||||
|
||||
@ -308,7 +308,7 @@ int start_upload(Uploader *u,
|
||||
}
|
||||
|
||||
if (STRPTR_IN_SET(arg_trust, "-", "all"))
|
||||
easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L,
|
||||
easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0,
|
||||
LOG_ERR, return -EUCLEAN);
|
||||
else if (arg_trust || startswith(u->url, "https://"))
|
||||
easy_setopt(curl, CURLOPT_CAINFO, arg_trust ?: TRUST_FILE,
|
||||
|
||||
@ -18,6 +18,8 @@
|
||||
#include "alloc-util.h"
|
||||
#include "audit-util.h"
|
||||
#include "cgroup-util.h"
|
||||
#include "conf-parser.h"
|
||||
#include "creds-util.h"
|
||||
#include "daemon-util.h"
|
||||
#include "dirent-util.h"
|
||||
#include "errno-util.h"
|
||||
@ -51,12 +53,14 @@
|
||||
#include "log-ratelimit.h"
|
||||
#include "memory-util.h"
|
||||
#include "mkdir.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "prioq.h"
|
||||
#include "process-util.h"
|
||||
#include "rm-rf.h"
|
||||
#include "set.h"
|
||||
#include "signal-util.h"
|
||||
#include "socket-netlink.h"
|
||||
#include "socket-util.h"
|
||||
#include "stdio-util.h"
|
||||
#include "string-util.h"
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
#include "journald-forward.h"
|
||||
#include "list.h"
|
||||
#include "ratelimit.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
typedef struct JournalStorageSpace {
|
||||
usec_t timestamp;
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "journald-config.h"
|
||||
#include "journald-manager.h"
|
||||
#include "test-tables.h"
|
||||
#include "tests.h"
|
||||
|
||||
|
||||
@ -4,6 +4,7 @@
|
||||
#include "dhcp-client-id-internal.h"
|
||||
#include "iovec-util.h"
|
||||
#include "json-util.h"
|
||||
#include "log.h"
|
||||
#include "siphash24.h"
|
||||
#include "string-util.h"
|
||||
#include "unaligned.h"
|
||||
|
||||
@ -6,10 +6,10 @@
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sd-event.h"
|
||||
#include "sd-json.h"
|
||||
#include "sd-lldp-rx.h"
|
||||
|
||||
#include "fd-util.h"
|
||||
#include "json-util.h"
|
||||
#include "lldp-neighbor.h"
|
||||
#include "lldp-network.h"
|
||||
#include "tests.h"
|
||||
|
||||
@ -34,6 +34,7 @@
|
||||
#include "path-util.h"
|
||||
#include "prioq.h"
|
||||
#include "random-util.h"
|
||||
#include "ratelimit.h"
|
||||
#include "sort-util.h"
|
||||
#include "stat-util.h"
|
||||
#include "string-table.h"
|
||||
|
||||
@ -16,6 +16,7 @@
|
||||
#include "io-util.h"
|
||||
#include "iovec-util.h"
|
||||
#include "journal-send.h"
|
||||
#include "log.h"
|
||||
#include "memfd-util.h"
|
||||
#include "process-util.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
@ -16,6 +16,7 @@
|
||||
#include "journal-vacuum.h"
|
||||
#include "log.h"
|
||||
#include "log-ratelimit.h"
|
||||
#include "ratelimit.h"
|
||||
#include "sort-util.h"
|
||||
#include "string-util.h"
|
||||
#include "time-util.h"
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
#include "alloc-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "iovec-util.h"
|
||||
#include "log.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "netlink-util.h"
|
||||
|
||||
|
||||
@ -466,8 +466,7 @@ static int timeout_compare(const void *a, const void *b) {
|
||||
}
|
||||
|
||||
size_t netlink_get_reply_callback_count(sd_netlink *nl) {
|
||||
if (!nl)
|
||||
return 0;
|
||||
assert(nl);
|
||||
|
||||
return hashmap_size(nl->reply_callbacks);
|
||||
}
|
||||
|
||||
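Review bot: `assert(nl)` in netlink_get_reply_callback_count replaces a NULL-tolerant early return, but the networkd callers elsewhere in this change still pass `manager->genl`, which the Manager struct annotates as `/* lazy initialized */`; if manager_post_handler or manager_process_requests runs before genl exists, this now aborts the daemon instead of counting zero. Either keep `if (!nl) return 0;` or make every caller guarantee the socket is open first — I cannot see from here whether genl is always set by then.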
@ -19,6 +19,7 @@
|
||||
#include "io-util.h"
|
||||
#include "iovec-util.h"
|
||||
#include "list.h"
|
||||
#include "log.h"
|
||||
#include "memory-util.h"
|
||||
#include "process-util.h"
|
||||
#include "resolve-private.h"
|
||||
|
||||
@ -15,6 +15,7 @@
|
||||
#include "bus-unit-util.h"
|
||||
#include "env-file.h"
|
||||
#include "errno-util.h"
|
||||
#include "escape.h"
|
||||
#include "extract-word.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
|
||||
@ -669,10 +669,6 @@ static int address_set_masquerade(Address *address, bool add) {
|
||||
|
||||
assert(address);
|
||||
assert(address->link);
|
||||
assert(address->link->manager);
|
||||
|
||||
if (!address->link->manager->nfnl)
|
||||
return 0;
|
||||
|
||||
if (!address->link->network)
|
||||
return 0;
|
||||
@ -691,7 +687,7 @@ static int address_set_masquerade(Address *address, bool add) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = fw_nftables_add_masquerade(address->link->manager->nfnl, add, address->family, &masked, address->prefixlen);
|
||||
r = fw_add_masquerade(&address->link->manager->fw_ctx, add, address->family, &masked, address->prefixlen);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -706,9 +702,14 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
|
||||
assert(address);
|
||||
assert(address->link);
|
||||
assert(address->link->manager);
|
||||
assert(address->link->manager->nfnl);
|
||||
assert(nft_set_context);
|
||||
|
||||
if (!address->link->manager->fw_ctx) {
|
||||
r = fw_ctx_new_full(&address->link->manager->fw_ctx, /* init_tables= */ false);
|
||||
if (r < 0)
|
||||
return;
|
||||
}
|
||||
|
||||
FOREACH_ARRAY(nft_set, nft_set_context->sets, nft_set_context->n_sets) {
|
||||
uint32_t ifindex;
|
||||
|
||||
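Review bot: In address_modify_nft_set_context the new lazy `fw_ctx_new_full()` call returns silently on failure, so a missing firewall backend means NFTSet= entries are never applied and nothing is logged, while the `nft_set_element_modify_*` failures later in the same function do log. Suggest `if (r < 0) { log_warning_errno(r, "Failed to initialize firewall context, ignoring NFTSet= settings: %m"); return; }`. The function body continues outside the hunk.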
@ -716,16 +717,16 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
|
||||
|
||||
switch (nft_set->source) {
|
||||
case NFT_SET_SOURCE_ADDRESS:
|
||||
r = nft_set_element_modify_ip(address->link->manager->nfnl, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
|
||||
r = nft_set_element_modify_ip(address->link->manager->fw_ctx, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
|
||||
&address->in_addr);
|
||||
break;
|
||||
case NFT_SET_SOURCE_PREFIX:
|
||||
r = nft_set_element_modify_iprange(address->link->manager->nfnl, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
|
||||
r = nft_set_element_modify_iprange(address->link->manager->fw_ctx, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
|
||||
&address->in_addr, address->prefixlen);
|
||||
break;
|
||||
case NFT_SET_SOURCE_IFINDEX:
|
||||
ifindex = address->link->ifindex;
|
||||
r = nft_set_element_modify_any(address->link->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set,
|
||||
r = nft_set_element_modify_any(address->link->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set,
|
||||
&ifindex, sizeof(ifindex));
|
||||
break;
|
||||
default:
|
||||
@ -748,10 +749,6 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
|
||||
static void address_modify_nft_set(Address *address, bool add) {
|
||||
assert(address);
|
||||
assert(address->link);
|
||||
assert(address->link->manager);
|
||||
|
||||
if (!address->link->manager->nfnl)
|
||||
return;
|
||||
|
||||
if (!IN_SET(address->family, AF_INET, AF_INET6))
|
||||
return;
|
||||
|
||||
@ -15,6 +15,7 @@
|
||||
#include "siphash24.h"
|
||||
#include "socket-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
#include "strv.h"
|
||||
#include "sysctl-util.h"
|
||||
|
||||
|
||||
@ -23,9 +23,9 @@
|
||||
#include "env-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "firewall-util.h"
|
||||
#include "initrd-util.h"
|
||||
#include "mount-util.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "netlink-util.h"
|
||||
#include "networkd-address.h"
|
||||
#include "networkd-address-label.h"
|
||||
@ -285,28 +285,6 @@ static int manager_connect_genl(Manager *m) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int manager_connect_nfnl(Manager *m) {
|
||||
int r;
|
||||
|
||||
assert(m);
|
||||
|
||||
r = sd_nfnl_socket_open(&m->nfnl);
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "Failed to open nftables netlink socket. IPMasquerade= and NFTSet= settings will not be applied. Ignoring: %m");
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = sd_netlink_increase_rxbuf(m->nfnl, RCVBUF_SIZE);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to increase receive buffer size for nftables netlink socket, ignoring: %m");
|
||||
|
||||
r = sd_netlink_attach_event(m->nfnl, m->event, 0);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int manager_setup_rtnl_filter(Manager *manager) {
|
||||
struct sock_filter filter[] = {
|
||||
/* Check the packet length. */
|
||||
@ -457,7 +435,7 @@ static int manager_post_handler(sd_event_source *s, void *userdata) {
|
||||
|
||||
if (netlink_get_reply_callback_count(manager->rtnl) > 0 ||
|
||||
netlink_get_reply_callback_count(manager->genl) > 0 ||
|
||||
netlink_get_reply_callback_count(manager->nfnl) > 0)
|
||||
fw_ctx_get_reply_callback_count(manager->fw_ctx) > 0)
|
||||
return 0; /* There are some message calls waiting for their replies. */
|
||||
|
||||
(void) manager_serialize(manager);
|
||||
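Review bot: `fw_ctx_get_reply_callback_count(manager->fw_ctx)` is reached with `manager->fw_ctx` still NULL until an address has gone through address_modify_nft_set_context, which is the only place visible in this change that creates the context; this is only safe if the helper treats NULL as zero, which I cannot confirm from here. Worth either a guard, `manager->fw_ctx && fw_ctx_get_reply_callback_count(manager->fw_ctx) > 0`, or a comment at the call site such as `/* fw_ctx is NULL until the first NFTSet= use; the helper must tolerate that */`. The same applies to the manager_process_requests hunk below.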
@ -579,10 +557,6 @@ int manager_setup(Manager *m) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = manager_connect_nfnl(m);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (m->test_mode)
|
||||
return 0;
|
||||
|
||||
@ -722,7 +696,6 @@ Manager* manager_free(Manager *m) {
|
||||
|
||||
sd_netlink_unref(m->rtnl);
|
||||
sd_netlink_unref(m->genl);
|
||||
sd_netlink_unref(m->nfnl);
|
||||
sd_resolve_unref(m->resolve);
|
||||
|
||||
m->routes = set_free(m->routes);
|
||||
@ -747,6 +720,8 @@ Manager* manager_free(Manager *m) {
|
||||
safe_close(m->ethtool_fd);
|
||||
safe_close(m->persistent_storage_fd);
|
||||
|
||||
m->fw_ctx = fw_ctx_free(m->fw_ctx);
|
||||
|
||||
m->serialization_fd = safe_close(m->serialization_fd);
|
||||
|
||||
return mfree(m);
|
||||
|
||||
@ -17,7 +17,6 @@ typedef struct Manager {
|
||||
sd_netlink *rtnl;
|
||||
/* lazy initialized */
|
||||
sd_netlink *genl;
|
||||
sd_netlink *nfnl;
|
||||
sd_event *event;
|
||||
sd_resolve *resolve;
|
||||
sd_bus *bus;
|
||||
@ -104,6 +103,8 @@ typedef struct Manager {
|
||||
usec_t speed_meter_usec_new;
|
||||
usec_t speed_meter_usec_old;
|
||||
|
||||
FirewallContext *fw_ctx;
|
||||
|
||||
bool request_queued;
|
||||
OrderedSet *request_queue;
|
||||
OrderedSet *remove_request_queue;
|
||||
|
||||
@ -293,7 +293,7 @@ int manager_process_requests(Manager *manager) {
|
||||
* queued, then this event may make reply callback queue in sd-netlink full. */
|
||||
if (netlink_get_reply_callback_count(manager->rtnl) >= REPLY_CALLBACK_COUNT_THRESHOLD ||
|
||||
netlink_get_reply_callback_count(manager->genl) >= REPLY_CALLBACK_COUNT_THRESHOLD ||
|
||||
netlink_get_reply_callback_count(manager->nfnl) >= REPLY_CALLBACK_COUNT_THRESHOLD)
|
||||
fw_ctx_get_reply_callback_count(manager->fw_ctx) >= REPLY_CALLBACK_COUNT_THRESHOLD)
|
||||
break;
|
||||
|
||||
/* Avoid the request and link freed by req->process() and request_detach(). */
|
||||
|
||||
@ -76,13 +76,12 @@ void expose_port_free_all(ExposePort *p) {
|
||||
LIST_CLEAR(ports, p, free);
|
||||
}
|
||||
|
||||
int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_union *exposed) {
|
||||
int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed) {
|
||||
int r;
|
||||
|
||||
assert(IN_SET(af, AF_INET, AF_INET6));
|
||||
assert(exposed);
|
||||
|
||||
if (!nfnl || !l)
|
||||
if (!l)
|
||||
return 0;
|
||||
|
||||
if (!in_addr_is_set(af, exposed))
|
||||
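Review bot: expose_port_flush now receives `FirewallContext **fw_ctx` but, unlike the removed `if (!nfnl || !l)` test, never validates it before handing it to fw_add_local_dnat in the loop that follows; an `assert(fw_ctx);` next to the existing `assert(exposed);` would keep the precondition explicit. expose_port_execute in the hunk further down has the same gap: its `assert(nfnl);` was dropped without an `assert(fw_ctx);` replacing it. Both function bodies continue outside this hunk.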
@ -91,15 +90,14 @@ int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_uni
|
||||
log_debug("Lost IP address.");
|
||||
|
||||
LIST_FOREACH(ports, p, l) {
|
||||
r = fw_nftables_add_local_dnat(
|
||||
nfnl,
|
||||
/* add = */ false,
|
||||
af,
|
||||
p->protocol,
|
||||
p->host_port,
|
||||
exposed,
|
||||
p->container_port,
|
||||
/* previous_remote = */ NULL);
|
||||
r = fw_add_local_dnat(fw_ctx,
|
||||
false,
|
||||
af,
|
||||
p->protocol,
|
||||
p->host_port,
|
||||
exposed,
|
||||
p->container_port,
|
||||
NULL);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
|
||||
}
|
||||
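Review bot: The rewritten `fw_add_local_dnat(fw_ctx, false, ..., NULL)` call drops the `/* add = */` and `/* previous_remote = */` annotations the old call carried on its bare `false`/`NULL` arguments, which is a readability regression for a call with eight positional parameters. Suggest keeping them: `r = fw_add_local_dnat(fw_ctx, /* add = */ false, af, p->protocol, p->host_port, exposed, p->container_port, /* previous_remote = */ NULL);`. The expose_port_execute loop later in this file has the same pattern with `true`.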
@ -108,15 +106,12 @@ int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_uni
|
||||
return 0;
|
||||
}
|
||||
|
||||
int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int af, union in_addr_union *exposed) {
|
||||
int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed) {
|
||||
_cleanup_free_ struct local_address *addresses = NULL;
|
||||
union in_addr_union new_exposed;
|
||||
bool add;
|
||||
int r;
|
||||
|
||||
assert(rtnl);
|
||||
assert(nfnl);
|
||||
assert(IN_SET(af, AF_INET, AF_INET6));
|
||||
assert(exposed);
|
||||
|
||||
/* Invoked each time an address is added or removed inside the
|
||||
@ -134,7 +129,7 @@ int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int a
|
||||
addresses[0].scope < RT_SCOPE_LINK;
|
||||
|
||||
if (!add)
|
||||
return expose_port_flush(nfnl, l, af, exposed);
|
||||
return expose_port_flush(fw_ctx, l, af, exposed);
|
||||
|
||||
new_exposed = addresses[0].address;
|
||||
if (in_addr_equal(af, exposed, &new_exposed))
|
||||
@ -143,15 +138,14 @@ int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int a
|
||||
log_debug("New container IP is %s.", IN_ADDR_TO_STRING(af, &new_exposed));
|
||||
|
||||
LIST_FOREACH(ports, p, l) {
|
||||
r = fw_nftables_add_local_dnat(
|
||||
nfnl,
|
||||
/* add = */ true,
|
||||
af,
|
||||
p->protocol,
|
||||
p->host_port,
|
||||
&new_exposed,
|
||||
p->container_port,
|
||||
in_addr_is_set(af, exposed) ? exposed : NULL);
|
||||
r = fw_add_local_dnat(fw_ctx,
|
||||
true,
|
||||
af,
|
||||
p->protocol,
|
||||
p->host_port,
|
||||
&new_exposed,
|
||||
p->container_port,
|
||||
in_addr_is_set(af, exposed) ? exposed : NULL);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
|
||||
}
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include "firewall-util.h"
|
||||
#include "forward.h"
|
||||
#include "list.h"
|
||||
|
||||
@ -17,5 +18,5 @@ int expose_port_parse(ExposePort **l, const char *s);
|
||||
int expose_port_watch_rtnl(sd_event *event, int recv_fd, sd_netlink_message_handler_t handler, void *userdata, sd_netlink **ret);
|
||||
int expose_port_send_rtnl(int send_fd);
|
||||
|
||||
int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int af, union in_addr_union *exposed);
|
||||
int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_union *exposed);
|
||||
int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed);
|
||||
int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed);
|
||||
|
||||
@ -13,6 +13,7 @@
|
||||
#include "nspawn-network.h"
|
||||
#include "nspawn-settings.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "process-util.h"
|
||||
#include "rlimit-util.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
@ -71,7 +71,6 @@
|
||||
#include "mount-util.h"
|
||||
#include "mountpoint-util.h"
|
||||
#include "namespace-util.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "notify-recv.h"
|
||||
#include "nspawn-bind-user.h"
|
||||
#include "nspawn-cgroup.h"
|
||||
@ -2540,7 +2539,7 @@ static int setup_kmsg(int fd_inner_socket) {
|
||||
struct ExposeArgs {
|
||||
union in_addr_union address4;
|
||||
union in_addr_union address6;
|
||||
sd_netlink *nfnl;
|
||||
struct FirewallContext *fw_ctx;
|
||||
};
|
||||
|
||||
static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) {
|
||||
@ -2549,8 +2548,8 @@ static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *user
|
||||
assert(rtnl);
|
||||
assert(m);
|
||||
|
||||
(void) expose_port_execute(rtnl, args->nfnl, arg_expose_ports, AF_INET, &args->address4);
|
||||
(void) expose_port_execute(rtnl, args->nfnl, arg_expose_ports, AF_INET6, &args->address6);
|
||||
(void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET, &args->address4);
|
||||
(void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET6, &args->address6);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -5608,8 +5607,8 @@ static int run_container(
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
(void) expose_port_execute(rtnl, expose_args->nfnl, arg_expose_ports, AF_INET, &expose_args->address4);
|
||||
(void) expose_port_execute(rtnl, expose_args->nfnl, arg_expose_ports, AF_INET6, &expose_args->address6);
|
||||
(void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
|
||||
(void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
|
||||
}
|
||||
|
||||
_cleanup_(osc_context_closep) sd_id128_t osc_context_id = SD_ID128_NULL;
|
||||
@ -5731,8 +5730,8 @@ static int run_container(
|
||||
return 0; /* finito */
|
||||
}
|
||||
|
||||
expose_port_flush(expose_args->nfnl, arg_expose_ports, AF_INET, &expose_args->address4);
|
||||
expose_port_flush(expose_args->nfnl, arg_expose_ports, AF_INET6, &expose_args->address6);
|
||||
expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
|
||||
expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
|
||||
|
||||
(void) remove_veth_links(veth_name, arg_network_veth_extra);
|
||||
*veth_created = false;
|
||||
@ -5901,7 +5900,7 @@ static int run(int argc, char *argv[]) {
|
||||
_cleanup_(rmdir_and_freep) char *rootdir = NULL;
|
||||
_cleanup_(loop_device_unrefp) LoopDevice *loop = NULL;
|
||||
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
|
||||
_cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
|
||||
_cleanup_(fw_ctx_freep) FirewallContext *fw_ctx = NULL;
|
||||
_cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
|
||||
|
||||
log_setup();
|
||||
@ -6386,12 +6385,12 @@ static int run(int argc, char *argv[]) {
|
||||
}
|
||||
|
||||
if (arg_expose_ports) {
|
||||
r = sd_nfnl_socket_open(&nfnl);
|
||||
r = fw_ctx_new(&fw_ctx);
|
||||
if (r < 0) {
|
||||
log_error_errno(r, "Cannot expose configured ports, failed to initialize nftables: %m");
|
||||
log_error_errno(r, "Cannot expose configured ports, firewall initialization failed: %m");
|
||||
goto finish;
|
||||
}
|
||||
expose_args.nfnl = nfnl;
|
||||
expose_args.fw_ctx = fw_ctx;
|
||||
}
|
||||
|
||||
for (;;) {
|
||||
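Review bot: `expose_args.fw_ctx = fw_ctx;` copies the pointer, yet every later expose_port_* call takes `FirewallContext **`, with run_container passing `&expose_args->fw_ctx` and the finish path passing `&fw_ctx`; if a callee ever (re)allocates the context through that pointer — which a `**` parameter suggests but I cannot confirm from here — the two copies diverge and only `fw_ctx`, the `_cleanup_(fw_ctx_freep)` variable, is freed. Consider holding a `FirewallContext **` in ExposeArgs instead, or documenting the constraint at the assignment: `/* borrowed from run(); callees must not reassign it */`. run's body continues outside the hunk.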
@ -6455,8 +6454,8 @@ finish:
|
||||
|
||||
cleanup_propagation_and_export_directories();
|
||||
|
||||
expose_port_flush(nfnl, arg_expose_ports, AF_INET, &expose_args.address4);
|
||||
expose_port_flush(nfnl, arg_expose_ports, AF_INET6, &expose_args.address6);
|
||||
expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET, &expose_args.address4);
|
||||
expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET6, &expose_args.address6);
|
||||
|
||||
if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
|
||||
if (veth_created)
|
||||
|
||||
@ -789,11 +789,7 @@ static Partition* partition_unlink_and_free(Context *context, Partition *p) {
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(Partition*, partition_free);
|
||||
|
||||
static Context* context_new(
|
||||
sd_id128_t seed,
|
||||
X509 *certificate,
|
||||
EVP_PKEY *private_key) {
|
||||
|
||||
static Context* context_new(sd_id128_t seed, X509 *certificate, EVP_PKEY *private_key) {
|
||||
Context *context;
|
||||
|
||||
/* Note: This function takes ownership of the certificate and private_key arguments. */
|
||||
@ -3449,7 +3445,7 @@ static int context_load_partition_table(Context *context) {
|
||||
/* Use the fallback values if we have no better idea */
|
||||
context->sector_size = fdisk_get_sector_size(c);
|
||||
context->default_fs_sector_size = fs_secsz;
|
||||
context->grain_size = MAX(context->sector_size, 4096U);
|
||||
context->grain_size = 4096;
|
||||
return /* from_scratch = */ true;
|
||||
}
|
||||
|
||||
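Review bot: `context->grain_size = 4096;` is assigned right after `context->sector_size = fdisk_get_sector_size(c);` without relating the two, so a device reporting sectors larger than 4096 bytes gets a grain smaller than its sector. If the grain is expected to be a multiple of the sector size (I cannot confirm that from this hunk), `context->grain_size = MAX(context->sector_size, 4096U);` keeps that invariant. context_load_partition_table's body continues outside the hunk.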
@ -5493,9 +5489,9 @@ static int progress_bytes(uint64_t n_bytes, uint64_t bps, void *userdata) {
|
||||
strna(p->copy_blocks_path),
|
||||
glyph(GLYPH_ARROW_RIGHT),
|
||||
strna(p->definition_path),
|
||||
FORMAT_BYTES_WITH_POINT(p->copy_blocks_done),
|
||||
FORMAT_BYTES_WITH_POINT(p->copy_blocks_size),
|
||||
FORMAT_BYTES_WITH_POINT(bps));
|
||||
FORMAT_BYTES(p->copy_blocks_done),
|
||||
FORMAT_BYTES(p->copy_blocks_size),
|
||||
FORMAT_BYTES(bps));
|
||||
else
|
||||
(void) draw_progress_barf(
|
||||
percent,
|
||||
@ -5503,8 +5499,8 @@ static int progress_bytes(uint64_t n_bytes, uint64_t bps, void *userdata) {
|
||||
strna(p->copy_blocks_path),
|
||||
glyph(GLYPH_ARROW_RIGHT),
|
||||
strna(p->definition_path),
|
||||
FORMAT_BYTES_WITH_POINT(p->copy_blocks_done),
|
||||
FORMAT_BYTES_WITH_POINT(p->copy_blocks_size));
|
||||
FORMAT_BYTES(p->copy_blocks_done),
|
||||
FORMAT_BYTES(p->copy_blocks_size));
|
||||
|
||||
p->last_percent = percent;
|
||||
|
||||
@ -8670,13 +8666,7 @@ static int help(void) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int parse_argv(
|
||||
int argc,
|
||||
char *argv[],
|
||||
X509 **ret_certificate,
|
||||
EVP_PKEY **ret_private_key,
|
||||
OpenSSLAskPasswordUI **ret_ui) {
|
||||
|
||||
static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY **ret_private_key, OpenSSLAskPasswordUI **ret_ui) {
|
||||
enum {
|
||||
ARG_VERSION = 0x100,
|
||||
ARG_NO_PAGER,
|
||||
|
||||
@ -1,10 +1,9 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "af-list.h"
|
||||
#include "alloc-util.h"
|
||||
#include "event-util.h"
|
||||
#include "dns-domain.h"
|
||||
#include "log.h"
|
||||
#include "json-util.h"
|
||||
#include "random-util.h"
|
||||
#include "resolved-dns-browse-services.h"
|
||||
#include "resolved-dns-cache.h"
|
||||
@ -13,8 +12,8 @@
|
||||
#include "resolved-dns-rr.h"
|
||||
#include "resolved-dns-scope.h"
|
||||
#include "resolved-manager.h"
|
||||
#include "resolved-varlink.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
|
||||
typedef enum BrowseServiceUpdateEvent {
|
||||
BROWSE_SERVICE_UPDATE_ADDED,
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include <sys/epoll.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "openssl-util.h"
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
#include "dns-domain.h"
|
||||
#include "dns-type.h"
|
||||
#include "errno-util.h"
|
||||
#include "glyph-util.h"
|
||||
#include "in-addr-util.h"
|
||||
#include "iovec-util.h"
|
||||
#include "json-util.h"
|
||||
|
||||
@ -5,6 +5,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/resource.h>
|
||||
#include <sys/stat.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sd-bus.h"
|
||||
|
||||
@ -8,6 +8,7 @@
|
||||
#include "bitfield.h"
|
||||
#include "cpu-set-util.h"
|
||||
#include "extract-word.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "log.h"
|
||||
#include "parse-util.h"
|
||||
#include "string-util.h"
|
||||
|
||||
@ -1209,7 +1209,7 @@ int decrypt_credential_and_warn(
|
||||
* -EHWPOISON → Attempt to decode NULL key (and CREDENTIAL_ALLOW_NULL is off), but the system has a TPM and SecureBoot is on
|
||||
* -EMEDIUMTYPE → File has unexpected scope, i.e. user-scoped credential is attempted to be unlocked in system scope, or vice versa
|
||||
* -EDESTADDRREQ → Credential is incorrectly named (i.e. the authenticated name does not match the actual name)
|
||||
* -ESTALE → Credential's validity has passed
|
||||
* -ESTALE → Credential's valdity has passed
|
||||
* -ESRCH → User specified for scope does not exist on this system
|
||||
*
|
||||
* (plus the various error codes tpm2_unseal() returns) */
|
||||
|
||||
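Review bot: The error-table comment on the new side of decrypt_credential_and_warn reads `-ESTALE → Credential's valdity has passed`; `valdity` should be `validity`. The function body continues outside the hunk.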
383
src/shared/firewall-util-iptables.c
@ -0,0 +1,383 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include <endian.h>
|
||||
#include <libiptc/libiptc.h>
|
||||
#include <linux/netfilter/nf_nat.h>
|
||||
#include <linux/netfilter/xt_addrtype.h>
|
||||
#include <linux/netfilter_ipv4/ip_tables.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "dlfcn-util.h"
|
||||
#include "firewall-util-private.h"
|
||||
#include "in-addr-util.h"
|
||||
#include "log.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
static DLSYM_PROTOTYPE(iptc_check_entry) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_commit) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_delete_entry) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_free) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_init) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_insert_entry) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_strerror) = NULL;
|
||||
|
||||
static void *iptc_dl = NULL;
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(struct xtc_handle*, sym_iptc_free, NULL);
|
||||
|
||||
static int entry_fill_basics(
|
||||
struct ipt_entry *entry,
|
||||
int protocol,
|
||||
const char *in_interface,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen,
|
||||
const char *out_interface,
|
||||
const union in_addr_union *destination,
|
||||
unsigned destination_prefixlen) {
|
||||
|
||||
assert(entry);
|
||||
|
||||
if (out_interface && !ifname_valid(out_interface))
|
||||
return -EINVAL;
|
||||
if (in_interface && !ifname_valid(in_interface))
|
||||
return -EINVAL;
|
||||
|
||||
entry->ip.proto = protocol;
|
||||
|
||||
if (in_interface) {
|
||||
size_t l;
|
||||
|
||||
l = strlen(in_interface);
|
||||
assert(l < sizeof entry->ip.iniface);
|
||||
assert(l < sizeof entry->ip.iniface_mask);
|
||||
|
||||
strcpy(entry->ip.iniface, in_interface);
|
||||
memset(entry->ip.iniface_mask, 0xFF, l + 1);
|
||||
}
|
||||
if (source) {
|
||||
entry->ip.src = source->in;
|
||||
in4_addr_prefixlen_to_netmask(&entry->ip.smsk, source_prefixlen);
|
||||
}
|
||||
|
||||
if (out_interface) {
|
||||
size_t l = strlen(out_interface);
|
||||
assert(l < sizeof entry->ip.outiface);
|
||||
assert(l < sizeof entry->ip.outiface_mask);
|
||||
|
||||
strcpy(entry->ip.outiface, out_interface);
|
||||
memset(entry->ip.outiface_mask, 0xFF, l + 1);
|
||||
}
|
||||
if (destination) {
|
||||
entry->ip.dst = destination->in;
|
||||
in4_addr_prefixlen_to_netmask(&entry->ip.dmsk, destination_prefixlen);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int fw_iptables_add_masquerade(
|
||||
bool add,
|
||||
int af,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen) {
|
||||
|
||||
static const xt_chainlabel chain = "POSTROUTING";
|
||||
_cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
|
||||
struct ipt_entry *entry, *mask;
|
||||
struct ipt_entry_target *t;
|
||||
size_t sz;
|
||||
struct nf_nat_ipv4_multi_range_compat *mr;
|
||||
int r, protocol = 0;
|
||||
const char *out_interface = NULL;
|
||||
const union in_addr_union *destination = NULL;
|
||||
unsigned destination_prefixlen = 0;
|
||||
|
||||
if (af != AF_INET)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (!source || source_prefixlen == 0)
|
||||
return -EINVAL;
|
||||
|
||||
r = fw_iptables_init_nat(&h);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
sz = XT_ALIGN(sizeof(struct ipt_entry)) +
|
||||
XT_ALIGN(sizeof(struct ipt_entry_target)) +
|
||||
XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
|
||||
|
||||
/* Put together the entry we want to add or remove */
|
||||
entry = alloca0(sz);
|
||||
entry->next_offset = sz;
|
||||
entry->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
|
||||
r = entry_fill_basics(entry, protocol, NULL, source, source_prefixlen, out_interface, destination, destination_prefixlen);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* Fill in target part */
|
||||
t = ipt_get_target(entry);
|
||||
t->u.target_size =
|
||||
XT_ALIGN(sizeof(struct ipt_entry_target)) +
|
||||
XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
|
||||
strncpy(t->u.user.name, "MASQUERADE", sizeof(t->u.user.name));
|
||||
mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
|
||||
mr->rangesize = 1;
|
||||
|
||||
/* Create a search mask entry */
|
||||
mask = alloca_safe(sz);
|
||||
memset(mask, 0xFF, sz);
|
||||
|
||||
if (add) {
|
||||
if (sym_iptc_check_entry(chain, entry, (unsigned char*) mask, h))
|
||||
return 0;
|
||||
if (errno != ENOENT) /* if other error than not existing yet, fail */
|
||||
return -errno;
|
||||
|
||||
if (!sym_iptc_insert_entry(chain, entry, 0, h))
|
||||
return -errno;
|
||||
} else {
|
||||
if (!sym_iptc_delete_entry(chain, entry, (unsigned char*) mask, h)) {
|
||||
if (errno == ENOENT) /* if it's already gone, all is good! */
|
||||
return 0;
|
||||
|
||||
return -errno;
|
||||
}
|
||||
}
|
||||
|
||||
if (!sym_iptc_commit(h))
|
||||
return -errno;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int fw_iptables_add_local_dnat(
|
||||
bool add,
|
||||
int af,
|
||||
int protocol,
|
||||
uint16_t local_port,
|
||||
const union in_addr_union *remote,
|
||||
uint16_t remote_port,
|
||||
const union in_addr_union *previous_remote) {
|
||||
|
||||
static const xt_chainlabel chain_pre = "PREROUTING", chain_output = "OUTPUT";
|
||||
_cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
|
||||
struct ipt_entry *entry, *mask;
|
||||
struct ipt_entry_target *t;
|
||||
struct ipt_entry_match *m;
|
||||
struct xt_addrtype_info_v1 *at;
|
||||
struct nf_nat_ipv4_multi_range_compat *mr;
|
||||
size_t sz, msz;
|
||||
int r;
|
||||
const char *in_interface = NULL;
|
||||
const union in_addr_union *source = NULL;
|
||||
unsigned source_prefixlen = 0;
|
||||
const union in_addr_union *destination = NULL;
|
||||
unsigned destination_prefixlen = 0;
|
||||
|
||||
assert(add || !previous_remote);
|
||||
|
||||
if (af != AF_INET)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (!IN_SET(protocol, IPPROTO_TCP, IPPROTO_UDP))
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (local_port <= 0)
|
||||
return -EINVAL;
|
||||
|
||||
if (remote_port <= 0)
|
||||
return -EINVAL;
|
||||
|
||||
r = fw_iptables_init_nat(&h);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
sz = XT_ALIGN(sizeof(struct ipt_entry)) +
|
||||
XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
|
||||
XT_ALIGN(sizeof(struct ipt_entry_target)) +
|
||||
XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
|
||||
|
||||
if (protocol == IPPROTO_TCP)
|
||||
msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_tcp));
|
||||
else
|
||||
msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_udp));
|
||||
|
||||
sz += msz;
|
||||
|
||||
/* Fill in basic part */
|
||||
entry = alloca0(sz);
|
||||
entry->next_offset = sz;
|
||||
entry->target_offset =
|
||||
XT_ALIGN(sizeof(struct ipt_entry)) +
|
||||
XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
|
||||
msz;
|
||||
r = entry_fill_basics(entry, protocol, in_interface, source, source_prefixlen, NULL, destination, destination_prefixlen);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* Fill in first match */
|
||||
m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)));
|
||||
m->u.match_size = msz;
|
||||
if (protocol == IPPROTO_TCP) {
|
||||
struct xt_tcp *tcp;
|
||||
|
||||
strncpy(m->u.user.name, "tcp", sizeof(m->u.user.name));
|
||||
tcp = (struct xt_tcp*) m->data;
|
||||
tcp->dpts[0] = tcp->dpts[1] = local_port;
|
||||
tcp->spts[0] = 0;
|
||||
tcp->spts[1] = 0xFFFF;
|
||||
|
||||
} else {
|
||||
struct xt_udp *udp;
|
||||
|
||||
strncpy(m->u.user.name, "udp", sizeof(m->u.user.name));
|
||||
udp = (struct xt_udp*) m->data;
|
||||
udp->dpts[0] = udp->dpts[1] = local_port;
|
||||
udp->spts[0] = 0;
|
||||
udp->spts[1] = 0xFFFF;
|
||||
}
|
||||
|
||||
/* Fill in second match */
|
||||
m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)) + msz);
|
||||
m->u.match_size =
|
||||
XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_addrtype_info_v1));
|
||||
strncpy(m->u.user.name, "addrtype", sizeof(m->u.user.name));
|
||||
m->u.user.revision = 1;
|
||||
at = (struct xt_addrtype_info_v1*) m->data;
|
||||
at->dest = XT_ADDRTYPE_LOCAL;
|
||||
|
||||
/* Fill in target part */
|
||||
t = ipt_get_target(entry);
|
||||
t->u.target_size =
|
||||
XT_ALIGN(sizeof(struct ipt_entry_target)) +
|
||||
XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
|
||||
strncpy(t->u.user.name, "DNAT", sizeof(t->u.user.name));
|
||||
mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
|
||||
mr->rangesize = 1;
|
||||
mr->range[0].flags = NF_NAT_RANGE_PROTO_SPECIFIED|NF_NAT_RANGE_MAP_IPS;
|
||||
mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
|
||||
if (protocol == IPPROTO_TCP)
|
||||
mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htobe16(remote_port);
|
||||
else
|
||||
mr->range[0].min.udp.port = mr->range[0].max.udp.port = htobe16(remote_port);
|
||||
|
||||
mask = alloca0(sz);
|
||||
memset(mask, 0xFF, sz);
|
||||
|
||||
if (add) {
|
||||
/* Add the PREROUTING rule, if it is missing so far */
|
||||
if (!sym_iptc_check_entry(chain_pre, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -EINVAL;
|
||||
|
||||
if (!sym_iptc_insert_entry(chain_pre, entry, 0, h))
|
||||
return -errno;
|
||||
}
|
||||
|
||||
/* If a previous remote is set, remove its entry */
|
||||
if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
|
||||
mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
|
||||
|
||||
if (!sym_iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
}
|
||||
|
||||
mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
|
||||
}
|
||||
|
||||
/* Add the OUTPUT rule, if it is missing so far */
|
||||
if (!in_interface) {
|
||||
|
||||
/* Don't apply onto loopback addresses */
|
||||
if (!destination) {
|
||||
entry->ip.dst.s_addr = htobe32(0x7F000000);
|
||||
entry->ip.dmsk.s_addr = htobe32(0xFF000000);
|
||||
entry->ip.invflags = IPT_INV_DSTIP;
|
||||
}
|
||||
|
||||
if (!sym_iptc_check_entry(chain_output, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
|
||||
if (!sym_iptc_insert_entry(chain_output, entry, 0, h))
|
||||
return -errno;
|
||||
}
|
||||
|
||||
/* If a previous remote is set, remove its entry */
|
||||
if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
|
||||
mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
|
||||
|
||||
if (!sym_iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if (!sym_iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
}
|
||||
|
||||
if (!in_interface) {
|
||||
if (!destination) {
|
||||
entry->ip.dst.s_addr = htobe32(0x7F000000);
|
||||
entry->ip.dmsk.s_addr = htobe32(0xFF000000);
|
||||
entry->ip.invflags = IPT_INV_DSTIP;
|
||||
}
|
||||
|
||||
if (!sym_iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!sym_iptc_commit(h))
|
||||
return -errno;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int dlopen_iptc(void) {
|
||||
ELF_NOTE_DLOPEN("ip4tc",
|
||||
"Support for firewall rules with iptables backend",
|
||||
ELF_NOTE_DLOPEN_PRIORITY_SUGGESTED,
|
||||
"libip4tc.so.2");
|
||||
|
||||
return dlopen_many_sym_or_warn(
|
||||
&iptc_dl,
|
||||
"libip4tc.so.2", LOG_DEBUG,
|
||||
DLSYM_ARG(iptc_check_entry),
|
||||
DLSYM_ARG(iptc_commit),
|
||||
DLSYM_ARG(iptc_delete_entry),
|
||||
DLSYM_ARG(iptc_free),
|
||||
DLSYM_ARG(iptc_init),
|
||||
DLSYM_ARG(iptc_insert_entry),
|
||||
DLSYM_ARG(iptc_strerror));
|
||||
}
|
||||
|
||||
int fw_iptables_init_nat(struct xtc_handle **ret) {
|
||||
_cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
|
||||
int r;
|
||||
|
||||
r = dlopen_iptc();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
h = sym_iptc_init("nat");
|
||||
if (!h)
|
||||
return log_debug_errno(errno, "Failed to init \"nat\" table: %s", sym_iptc_strerror(errno));
|
||||
|
||||
if (ret)
|
||||
*ret = TAKE_PTR(h);
|
||||
|
||||
return 0;
|
||||
}
|
||||
1376
src/shared/firewall-util-nft.c
Normal file
1376
src/shared/firewall-util-nft.c
Normal file
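--- a/src/shared/firewall-util-private.h
+++ b/src/shared/firewall-util-private.h
@@ -0,0 +1,64 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include "firewall-util.h"
+#include "forward.h"
+
+typedef enum FirewallBackend {
+FW_BACKEND_NONE,
+#if HAVE_LIBIPTC
+FW_BACKEND_IPTABLES,
+#endif
+FW_BACKEND_NFTABLES,
+_FW_BACKEND_MAX,
+_FW_BACKEND_INVALID = -EINVAL,
+} FirewallBackend;
+
+struct FirewallContext {
+FirewallBackend backend;
+sd_netlink *nfnl;
+};
+
+const char* firewall_backend_to_string(FirewallBackend b) _const_;
+
+int fw_nftables_init(FirewallContext *ctx);
+int fw_nftables_init_full(FirewallContext *ctx, bool init_tables);
+void fw_nftables_exit(FirewallContext *ctx);
+
+int fw_nftables_add_masquerade(
+FirewallContext *ctx,
+bool add,
+int af,
+const union in_addr_union *source,
+unsigned source_prefixlen);
+
+int fw_nftables_add_local_dnat(
+FirewallContext *ctx,
+bool add,
+int af,
+int protocol,
+uint16_t local_port,
+const union in_addr_union *remote,
+uint16_t remote_port,
+const union in_addr_union *previous_remote);
+
+#if HAVE_LIBIPTC
+struct xtc_handle;
+
+int fw_iptables_add_masquerade(
+bool add,
+int af,
+const union in_addr_union *source,
+unsigned source_prefixlen);
+
+int fw_iptables_add_local_dnat(
+bool add,
+int af,
+int protocol,
+uint16_t local_port,
+const union in_addr_union *remote,
+uint16_t remote_port,
+const union in_addr_union *previous_remote);
+
+int fw_iptables_init_nat(struct xtc_handle **ret);
+#endif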
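Review bot: The fw_iptables_add_local_dnat() and fw_iptables_add_masquerade() declarations at the end of this new header carry no contract, although their implementations earlier in this diff reject `af != AF_INET` and any protocol other than TCP/UDP with -EOPNOTSUPP, reject a zero `local_port`/`remote_port`, assert that `previous_remote` is NULL unless `add` is true, and dereference `remote` without a NULL check; masquerade likewise returns -EINVAL for a NULL `source` or a zero `source_prefixlen`. Since this header is what a caller of the iptables backend reads, I would state that above the declarations, e.g. `/* IPv4 only (af == AF_INET); protocol must be IPPROTO_TCP or IPPROTO_UDP; remote must be non-NULL; previous_remote must be NULL unless add is true. */` for the DNAT function and `/* IPv4 only; source must be non-NULL with a non-zero prefix length. */` for masquerade. A NULL `remote` would otherwise fault inside the backend rather than being reported as -EINVAL like the other argument errors.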
@ -4,15 +4,25 @@
|
||||
#include "conf-parser-forward.h"
|
||||
#include "forward.h"
|
||||
|
||||
int fw_nftables_add_masquerade(
|
||||
sd_netlink *nfnl,
|
||||
typedef struct FirewallContext FirewallContext;
|
||||
|
||||
int fw_ctx_new(FirewallContext **ret);
|
||||
int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
|
||||
FirewallContext *fw_ctx_free(FirewallContext *ctx);
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
|
||||
|
||||
size_t fw_ctx_get_reply_callback_count(FirewallContext *ctx);
|
||||
|
||||
int fw_add_masquerade(
|
||||
FirewallContext **ctx,
|
||||
bool add,
|
||||
int af,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen);
|
||||
|
||||
int fw_nftables_add_local_dnat(
|
||||
sd_netlink *nfnl,
|
||||
int fw_add_local_dnat(
|
||||
FirewallContext **ctx,
|
||||
bool add,
|
||||
int af,
|
||||
int protocol,
|
||||
@ -54,7 +64,7 @@ const char* nft_set_source_to_string(int i) _const_;
|
||||
int nft_set_source_from_string(const char *s) _pure_;
|
||||
|
||||
int nft_set_element_modify_iprange(
|
||||
sd_netlink *nfnl,
|
||||
FirewallContext *ctx,
|
||||
bool add,
|
||||
int nfproto,
|
||||
int af,
|
||||
@ -64,7 +74,7 @@ int nft_set_element_modify_iprange(
|
||||
unsigned source_prefixlen);
|
||||
|
||||
int nft_set_element_modify_ip(
|
||||
sd_netlink *nfnl,
|
||||
FirewallContext *ctx,
|
||||
bool add,
|
||||
int nfproto,
|
||||
int af,
|
||||
@ -73,7 +83,7 @@ int nft_set_element_modify_ip(
|
||||
const union in_addr_union *source);
|
||||
|
||||
int nft_set_element_modify_any(
|
||||
sd_netlink *nfnl,
|
||||
FirewallContext *ctx,
|
||||
bool add,
|
||||
int nfproto,
|
||||
const char *table,
|
||||
|
||||
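Review bot: The new public API takes the context two different ways — fw_add_masquerade() and fw_add_local_dnat() take `FirewallContext **ctx`, while the nft_set_element_modify_*() functions in the later hunks take `FirewallContext *ctx` — and nothing in the header says what the double pointer means or who owns what it points to. If, as the shape suggests, a NULL `*ctx` is allocated on first use and handed back to the caller (I cannot confirm that from this hunk), a comment above fw_add_masquerade() such as `/* *ctx may be NULL: a context is then created and stored in *ctx, owned by the caller (release with fw_ctx_free()). */` would document the ownership and why fw_ctx_new() exists separately. A one-line note on fw_ctx_new_full() saying what `init_tables` controls would help for the same reason.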
@ -6,6 +6,7 @@
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "argv-util.h"
|
||||
#include "cgroup-util.h"
|
||||
#include "dropin.h"
|
||||
#include "escape.h"
|
||||
#include "fd-util.h"
|
||||
|
||||
@ -5,6 +5,7 @@
|
||||
|
||||
#include "btrfs-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "fs-util.h"
|
||||
#include "label-util.h"
|
||||
#include "selinux-util.h"
|
||||
#include "smack-util.h"
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
#include <linux/audit.h>
|
||||
#include <linux/netlink.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include "errno-util.h"
|
||||
@ -11,32 +12,6 @@
|
||||
#include "log.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
#if HAVE_AUDIT
|
||||
static void *libaudit_dl = NULL;
|
||||
|
||||
static DLSYM_PROTOTYPE(audit_close) = NULL;
|
||||
DLSYM_PROTOTYPE(audit_log_acct_message) = NULL;
|
||||
DLSYM_PROTOTYPE(audit_log_user_avc_message) = NULL;
|
||||
DLSYM_PROTOTYPE(audit_log_user_comm_message) = NULL;
|
||||
static DLSYM_PROTOTYPE(audit_open) = NULL;
|
||||
|
||||
int dlopen_libaudit(void) {
|
||||
ELF_NOTE_DLOPEN("libaudit",
|
||||
"Support for Audit loggging",
|
||||
ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED,
|
||||
"libaudit.so.1");
|
||||
|
||||
return dlopen_many_sym_or_warn(
|
||||
&libaudit_dl,
|
||||
"libaudit.so.1",
|
||||
LOG_DEBUG,
|
||||
DLSYM_ARG(audit_close),
|
||||
DLSYM_ARG(audit_log_acct_message),
|
||||
DLSYM_ARG(audit_log_user_avc_message),
|
||||
DLSYM_ARG(audit_log_user_comm_message),
|
||||
DLSYM_ARG(audit_open));
|
||||
}
|
||||
|
||||
static int try_audit_request(int fd) {
|
||||
struct iovec iov;
|
||||
struct msghdr mh;
|
||||
@ -74,19 +49,14 @@ static int try_audit_request(int fd) {
|
||||
|
||||
return msg.err.error;
|
||||
}
|
||||
#endif
|
||||
|
||||
bool use_audit(void) {
|
||||
#if HAVE_AUDIT
|
||||
static int cached_use = -1;
|
||||
int r;
|
||||
|
||||
if (cached_use >= 0)
|
||||
return cached_use;
|
||||
|
||||
if (dlopen_libaudit() < 0)
|
||||
return (cached_use = false);
|
||||
|
||||
_cleanup_close_ int fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
|
||||
if (fd < 0) {
|
||||
cached_use = !ERRNO_IS_PRIVILEGE(errno) && !ERRNO_IS_NOT_SUPPORTED(errno);
|
||||
@ -113,15 +83,12 @@ bool use_audit(void) {
|
||||
}
|
||||
|
||||
return cached_use;
|
||||
#else
|
||||
return false;
|
||||
#endif
|
||||
}
|
||||
|
||||
int close_audit_fd(int fd) {
|
||||
#if HAVE_AUDIT
|
||||
if (fd >= 0)
|
||||
sym_audit_close(fd);
|
||||
audit_close(fd);
|
||||
#else
|
||||
assert(fd < 0);
|
||||
#endif
|
||||
@ -130,14 +97,8 @@ int close_audit_fd(int fd) {
|
||||
|
||||
int open_audit_fd_or_warn(void) {
|
||||
#if HAVE_AUDIT
|
||||
int r;
|
||||
|
||||
r = dlopen_libaudit();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* If the kernel lacks netlink or audit support, don't worry about it. */
|
||||
int fd = sym_audit_open();
|
||||
int fd = audit_open();
|
||||
if (fd < 0)
|
||||
return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING,
|
||||
errno, "Failed to connect to audit log, ignoring: %m");
|
||||
|
||||
@ -1,20 +1,12 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include "forward.h"
|
||||
|
||||
#if HAVE_AUDIT
|
||||
# include <libaudit.h> /* IWYU pragma: export */
|
||||
|
||||
# include "dlfcn-util.h"
|
||||
|
||||
extern DLSYM_PROTOTYPE(audit_log_acct_message);
|
||||
extern DLSYM_PROTOTYPE(audit_log_user_avc_message);
|
||||
extern DLSYM_PROTOTYPE(audit_log_user_comm_message);
|
||||
|
||||
int dlopen_libaudit(void);
|
||||
#endif
|
||||
|
||||
#include "forward.h"
|
||||
|
||||
bool use_audit(void);
|
||||
|
||||
int close_audit_fd(int fd);
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "chase.h"
|
||||
|
||||
@ -5,12 +5,11 @@
|
||||
#include "escape.h"
|
||||
#include "extract-word.h"
|
||||
#include "fileio.h"
|
||||
#include "iovec-util.h"
|
||||
#include "log.h"
|
||||
#include "machine-credential.h"
|
||||
#include "memory-util.h"
|
||||
#include "path-util.h"
|
||||
#include "string-util.h"
|
||||
#include "string-util-fundamental.h"
|
||||
|
||||
static void machine_credential_done(MachineCredential *cred) {
|
||||
assert(cred);
|
||||
@ -29,118 +28,74 @@ void machine_credential_context_done(MachineCredentialContext *ctx) {
|
||||
free(ctx->credentials);
|
||||
}
|
||||
|
||||
MachineCredential* machine_credential_find(MachineCredentialContext *ctx, const char *id) {
|
||||
bool machine_credentials_contains(const MachineCredentialContext *ctx, const char *id) {
|
||||
assert(ctx);
|
||||
assert(id);
|
||||
|
||||
FOREACH_ARRAY(cred, ctx->credentials, ctx->n_credentials)
|
||||
if (streq(cred->id, id))
|
||||
return cred;
|
||||
return true;
|
||||
|
||||
return NULL;
|
||||
return false;
|
||||
}
|
||||
|
||||
int machine_credential_add(
|
||||
MachineCredentialContext *ctx,
|
||||
const char *id,
|
||||
const char *value,
|
||||
size_t size) {
|
||||
|
||||
assert(ctx);
|
||||
assert(id);
|
||||
assert(value || size == 0);
|
||||
|
||||
if (!credential_name_valid(id))
|
||||
return -EINVAL;
|
||||
|
||||
if (machine_credential_find(ctx, id))
|
||||
return -EEXIST;
|
||||
|
||||
if (size == SIZE_MAX)
|
||||
size = strlen_ptr(value);
|
||||
|
||||
_cleanup_(machine_credential_done) MachineCredential cred = {};
|
||||
cred.id = strdup(id);
|
||||
if (!cred.id)
|
||||
return -ENOMEM;
|
||||
|
||||
cred.data = memdup(value, size);
|
||||
if (!cred.data)
|
||||
return -ENOMEM;
|
||||
|
||||
cred.size = size;
|
||||
|
||||
if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
|
||||
return -ENOMEM;
|
||||
|
||||
ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int machine_credential_add_and_log(
|
||||
MachineCredentialContext *ctx,
|
||||
const char *id,
|
||||
const char *value,
|
||||
size_t size) {
|
||||
|
||||
int r;
|
||||
|
||||
assert(ctx);
|
||||
assert(id);
|
||||
assert(value || size == 0);
|
||||
|
||||
r = machine_credential_add(ctx, id, value, size);
|
||||
if (r == -EEXIST)
|
||||
return log_error_errno(r, "Duplicated credential '%s', refusing.", id);
|
||||
if (r == -EINVAL)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", id);
|
||||
if (r == -ENOMEM)
|
||||
return log_oom();
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to add credential '%s': %m", id);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str) {
|
||||
_cleanup_(machine_credential_done) MachineCredential cred = {};
|
||||
ssize_t l;
|
||||
int r;
|
||||
|
||||
assert(ctx);
|
||||
|
||||
const char *p = ASSERT_PTR(cred_str);
|
||||
_cleanup_free_ char *id = NULL;
|
||||
r = extract_first_word(&p, &id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
||||
|
||||
r = extract_first_word(&p, &cred.id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse --set-credential= parameter: %m");
|
||||
if (r == 0 || !p)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Missing value for --set-credential=: %s", cred_str);
|
||||
|
||||
_cleanup_free_ char *data = NULL;
|
||||
ssize_t l;
|
||||
l = cunescape(p, UNESCAPE_ACCEPT_NUL, &data);
|
||||
if (!credential_name_valid(cred.id))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", cred.id);
|
||||
|
||||
if (machine_credentials_contains(ctx, cred.id))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Duplicate credential '%s', refusing.", cred.id);
|
||||
|
||||
l = cunescape(p, UNESCAPE_ACCEPT_NUL, &cred.data);
|
||||
if (l < 0)
|
||||
return log_error_errno(l, "Failed to unescape credential data: %s", p);
|
||||
cred.size = l;
|
||||
|
||||
return machine_credential_add_and_log(ctx, id, data, l);
|
||||
if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
|
||||
return log_oom();
|
||||
|
||||
ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path) {
|
||||
_cleanup_(machine_credential_done) MachineCredential cred = {};
|
||||
_cleanup_free_ char *path_alloc = NULL;
|
||||
ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
|
||||
int r;
|
||||
|
||||
assert(ctx);
|
||||
|
||||
const char *p = ASSERT_PTR(cred_path);
|
||||
_cleanup_free_ char *id = NULL;
|
||||
r = extract_first_word(&p, &id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
||||
|
||||
r = extract_first_word(&p, &cred.id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse --load-credential= parameter: %m");
|
||||
if (r == 0 || !p)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Missing value for --load-credential=: %s", cred_path);
|
||||
|
||||
ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
|
||||
_cleanup_free_ char *path_alloc = NULL;
|
||||
if (!credential_name_valid(cred.id))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", cred.id);
|
||||
|
||||
if (machine_credentials_contains(ctx, cred.id))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Duplicate credential '%s', refusing.", cred.id);
|
||||
|
||||
if (is_path(p) && path_is_valid(p))
|
||||
flags |= READ_FULL_FILE_CONNECT_SOCKET;
|
||||
else if (credential_name_valid(p)) {
|
||||
@ -148,7 +103,8 @@ int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path
|
||||
|
||||
r = get_credentials_dir(&e);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Credential not available (no credentials passed at all): %s", p);
|
||||
return log_error_errno(r,
|
||||
"Credential not available (no credentials passed at all): %s", cred.id);
|
||||
|
||||
path_alloc = path_join(e, p);
|
||||
if (!path_alloc)
|
||||
@ -159,16 +115,17 @@ int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Credential source appears to be neither a valid path nor a credential name: %s", p);
|
||||
|
||||
_cleanup_(iovec_done_erase) struct iovec iov = {};
|
||||
r = read_full_file_full(
|
||||
AT_FDCWD, p,
|
||||
/* offset= */ UINT64_MAX,
|
||||
/* size= */ SIZE_MAX,
|
||||
flags,
|
||||
/* bind_name= */ NULL,
|
||||
(char**) &iov.iov_base, &iov.iov_len);
|
||||
r = read_full_file_full(AT_FDCWD, p, UINT64_MAX, SIZE_MAX,
|
||||
flags,
|
||||
NULL,
|
||||
&cred.data, &cred.size);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to read credential '%s': %m", p);
|
||||
|
||||
return machine_credential_add_and_log(ctx, id, iov.iov_base, iov.iov_len);
|
||||
if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
|
||||
return log_oom();
|
||||
|
||||
ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
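Review bot: In machine_credential_load() the credential bytes are read straight into `cred.data` (with READ_FULL_FILE_SECURE), and on the log_error_errno()/log_oom() paths that follow they are released by the `_cleanup_(machine_credential_done)` handler, whose body is cut off above this hunk; since loaded credentials can be secrets, please confirm it wipes the buffer before freeing rather than calling plain free(), and the same applies to the cunescape() output in machine_credential_set(). A smaller point in the same function: the "Credential not available" message now prints `cred.id`, while the name that was actually looked up in the credentials directory is `p` (the one passed to path_join() two lines later), so `"Credential not available (no credentials passed at all): %s", p` would point the user at the right name. Both functions are complete within the hunks.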
@ -16,8 +16,7 @@ typedef struct MachineCredentialContext {
|
||||
|
||||
void machine_credential_context_done(MachineCredentialContext *ctx);
|
||||
|
||||
MachineCredential* machine_credential_find(MachineCredentialContext *ctx, const char *id);
|
||||
bool machine_credentials_contains(const MachineCredentialContext *ctx, const char *id);
|
||||
|
||||
int machine_credential_add(MachineCredentialContext *ctx, const char *id, const char *value, size_t size);
|
||||
int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str);
|
||||
int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path);
|
||||
|
||||
@ -76,6 +76,7 @@ shared_sources = files(
|
||||
'fdset.c',
|
||||
'fido2-util.c',
|
||||
'find-esp.c',
|
||||
'firewall-util-nft.c',
|
||||
'firewall-util.c',
|
||||
'fork-notify.c',
|
||||
'format-table.c',
|
||||
@ -248,6 +249,10 @@ if conf.get('ENABLE_UTMP') == 1
|
||||
shared_sources += files('utmp-wtmp.c')
|
||||
endif
|
||||
|
||||
if conf.get('HAVE_LIBIPTC') == 1
|
||||
shared_sources += files('firewall-util-iptables.c')
|
||||
endif
|
||||
|
||||
if conf.get('HAVE_LIBBPF') == 1
|
||||
shared_sources += files('bpf-link.c')
|
||||
endif
|
||||
@ -312,12 +317,13 @@ libshared_name = 'systemd-shared-@0@'.format(shared_lib_tag)
|
||||
|
||||
libshared_deps = [threads,
|
||||
libacl,
|
||||
libaudit_cflags,
|
||||
libaudit,
|
||||
libblkid,
|
||||
libcap,
|
||||
libcrypt,
|
||||
libdl,
|
||||
libgcrypt_cflags,
|
||||
libiptc_cflags,
|
||||
libkmod_cflags,
|
||||
liblz4_cflags,
|
||||
libmount,
|
||||
|
||||
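Review bot: libshared now links `libaudit` directly (replacing `libaudit_cflags`), so every binary built against libshared pulls libaudit.so in at load time, whereas the iptables backend added in the same series stays optional via `libiptc_cflags` plus dlopen(). If the hard dependency is intended it deserves a sentence in the commit message or a short comment next to the entry; otherwise the dlopen pattern used for libip4tc would keep the dependency footprint of libshared unchanged. I cannot see from this hunk whether other consumers of libshared already required libaudit.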
@ -1726,15 +1726,13 @@ int openssl_load_private_key(
|
||||
|
||||
assert(private_key);
|
||||
assert(request);
|
||||
assert(ret_private_key);
|
||||
|
||||
if (private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
|
||||
r = openssl_load_private_key_from_file(private_key, ret_private_key);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (ret_user_interface)
|
||||
*ret_user_interface = NULL;
|
||||
*ret_user_interface = NULL;
|
||||
} else {
|
||||
_cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
|
||||
r = openssl_ask_password_ui_new(request, &ui);
|
||||
@ -1759,8 +1757,7 @@ int openssl_load_private_key(
|
||||
private_key,
|
||||
private_key_source);
|
||||
|
||||
if (ret_user_interface)
|
||||
*ret_user_interface = TAKE_PTR(ui);
|
||||
*ret_user_interface = TAKE_PTR(ui);
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
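Review bot: On the new side `*ret_user_interface` is written unconditionally in both branches of openssl_load_private_key(), but the visible preconditions only assert `private_key`, `request` and `ret_private_key`, so a caller passing NULL for the UI out-parameter now faults instead of being ignored. Unless an assert sits in the part of the function above this hunk, add `assert(ret_user_interface);` next to the other three so the contract is explicit and matches the unconditional stores. The function's signature is outside the hunk.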
@ -14,6 +14,7 @@
|
||||
#include "errno-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
#include "fs-util.h"
|
||||
#include "log.h"
|
||||
#include "path-util.h"
|
||||
#include "pretty-print.h"
|
||||
|
||||
@ -3,6 +3,8 @@
|
||||
#include <sched.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/mman.h>
|
||||
#include <sys/prctl.h>
|
||||
#include <sys/wait.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sd-bus.h"
|
||||
|
||||
@ -116,7 +116,7 @@ static SD_VARLINK_DEFINE_ERROR(DeniedByImagePolicy);
|
||||
static SD_VARLINK_DEFINE_ERROR(KeyNotFound);
|
||||
static SD_VARLINK_DEFINE_ERROR(VerityFailure);
|
||||
static SD_VARLINK_DEFINE_ERROR(BadFileDescriptorFlags,
|
||||
SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flags."),
|
||||
SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flag."),
|
||||
SD_VARLINK_DEFINE_FIELD(parameter, SD_VARLINK_STRING, 0));
|
||||
|
||||
SD_VARLINK_DEFINE_INTERFACE(
|
||||
|
||||
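Review bot: The field comment on the new side reads `one or more bad flag.`, which is ungrammatical after "one or more"; it should be `SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flags."),`. The text is user-visible through the interface description, so it is worth correcting.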
@ -455,13 +455,7 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
|
||||
SD_VARLINK_FIELD_COMMENT("The total number of bytes written to block devices by the cgroup"),
|
||||
SD_VARLINK_DEFINE_FIELD(IOWriteBytes, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
|
||||
SD_VARLINK_FIELD_COMMENT("The total number of write operations performed on block devices by the cgroup"),
|
||||
SD_VARLINK_DEFINE_FIELD(IOWriteOperations, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
|
||||
|
||||
/* OOM */
|
||||
SD_VARLINK_FIELD_COMMENT("The number of processes of this unit killed by the kernel OOM killer"),
|
||||
SD_VARLINK_DEFINE_FIELD(OOMKills, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
|
||||
SD_VARLINK_FIELD_COMMENT("The number of processes of this unit killed by systemd-oomd"),
|
||||
SD_VARLINK_DEFINE_FIELD(ManagedOOMKills, SD_VARLINK_INT, SD_VARLINK_NULLABLE));
|
||||
SD_VARLINK_DEFINE_FIELD(IOWriteOperations, SD_VARLINK_INT, SD_VARLINK_NULLABLE));
|
||||
|
||||
static SD_VARLINK_DEFINE_STRUCT_TYPE(
|
||||
UnitRuntime,
|
||||
|
||||
@ -11,6 +11,7 @@
|
||||
#include "strv.h"
|
||||
#include "systemctl.h"
|
||||
#include "systemctl-compat-shutdown.h"
|
||||
#include "systemctl-logind.h"
|
||||
#include "time-util.h"
|
||||
|
||||
static int shutdown_help(void) {
|
||||
|
||||
@ -6,9 +6,12 @@
|
||||
#include "sd-daemon.h"
|
||||
|
||||
#include "build.h"
|
||||
#include "chase.h"
|
||||
#include "conf-files.h"
|
||||
#include "constants.h"
|
||||
#include "dirent-util.h"
|
||||
#include "dissect-image.h"
|
||||
#include "fd-util.h"
|
||||
#include "format-table.h"
|
||||
#include "glyph-util.h"
|
||||
#include "hexdecoct.h"
|
||||
|
||||