Skip to content

Commit

Permalink
sysctl: add glob syntax to sysctl.d files
Browse files Browse the repository at this point in the history 
This is intended for net.*.conf.*.foo files. Setting just "default" is not very
useful because any interfaces present before systemd-sysctl is invoked are not
affected. Setting "all" is too harsh, because the kernel takes the stronger of
the device-specific setting and the "all" value, so effectively having a weaker
setting for specific interfaces is not possible. Let's add a way in which can
set "default" first and then all the others without "all".
  • Loading branch information
@keszybz
keszybz committed Feb 3, 2020
1 parent 02d89f9 commit e0f4247
Show file tree
Hide file tree
Showing 2 changed files with 156 additions and 70 deletions.
58 changes: 39 additions & 19 deletions man/sysctl.d.xml
View file
Expand Up @@ -30,6 +30,9 @@ key/name/under/proc/sys = some value
key/middle.part.with.dots/foo = 123
key.middle/part/with/dots.foo = 123
-key.that.will.not.fail = value
key.pattern.*.with.glob = whatever
-key.pattern.excluded.with.glob
key.pattern.overriden.with.glob = custom
</programlisting>
</refsynopsisdiv>

Expand All @@ -51,20 +54,20 @@ key.middle/part/with/dots.foo = 123
first non-whitespace character is <literal>#</literal> or
<literal>;</literal> are ignored.</para>

<para>Note that either <literal>/</literal> or
<literal>.</literal> may be used as separators within sysctl
variable names. If the first separator is a slash, remaining
slashes and dots are left intact. If the first separator is a dot,
dots and slashes are interchanged.
<literal>kernel.domainname=foo</literal> and
<literal>kernel/domainname=foo</literal> are equivalent and will
cause <literal>foo</literal> to be written to
<para>Note that either <literal>/</literal> or <literal>.</literal> may be used as separators within
sysctl variable names. If the first separator is a slash, remaining slashes and dots are left intact. If
the first separator is a dot, dots and slashes are interchanged.
<literal>kernel.domainname=foo</literal> and <literal>kernel/domainname=foo</literal> are equivalent and
will cause <literal>foo</literal> to be written to
<filename>/proc/sys/kernel/domainname</filename>. Either
<literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
<literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used
to refer to
<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
</para>
<literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used to refer to
<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>. A glob
<citerefentry><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry> pattern may be
used to write the same value to all matching keys. Keys for which an explicit pattern exists will be
excluded from any glob matching. In addition, a key may be explicitly excluded from being set by any
matching glob patterns by specifying the key name prefixed with a <literal>-</literal> character and not
followed by <literal>=</literal>, see SYNOPSIS.</para>

<para>Any access permission errors and attempts to write variables not present on the local system are
logged, but do not cause the service to fail. Debug log level is used, which means that the message will
Expand All @@ -73,13 +76,10 @@ key.middle/part/with/dots.foo = 123
not cause the service to fail. All other errors when setting variables are logged with higher priority
and cause the service to return failure at the end (other variables are still processed).</para>

<para>The settings configured with <filename>sysctl.d</filename>
files will be applied early on boot. The network
interface-specific options will also be applied individually for
each network interface as it shows up in the system. (More
specifically, <filename>net.ipv4.conf.*</filename>,
<filename>net.ipv6.conf.*</filename>,
<filename>net.ipv4.neigh.*</filename> and
<para>The settings configured with <filename>sysctl.d</filename> files will be applied early on boot. The
network interface-specific options will also be applied individually for each network interface as it
shows up in the system. (More specifically, <filename>net.ipv4.conf.*</filename>,
<filename>net.ipv6.conf.*</filename>, <filename>net.ipv4.neigh.*</filename> and
<filename>net.ipv6.neigh.*</filename>).</para>

<para>Many sysctl parameters only become available when certain
Expand Down Expand Up @@ -156,6 +156,26 @@ net.bridge.bridge-nf-call-arptables = 0
(starting with kernel 3.18), so simply not loading the module is
sufficient to avoid filtering.</para>
</example>

<example>
<title>Set network routing properties for all interfaces</title>
<para><filename>/etc/systemd/20-rp_filter.conf</filename>:</para>

This comment has been minimized.

Sign in to view

Copy link
@socketpair

socketpair May 18, 2020

@keszybz /etc/systemd -> /etc/sysctl.d

This comment has been minimized.

Sign in to view

Copy link
@keszybz

keszybz May 18, 2020

Author Member

Thanks, I queued up a fix that'll go out with other documentation updated.

<programlisting>net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
net.ipv4.conf.hub0.rp_filter = 1
</programlisting>

<para>The <option>rp_filter</option> key will be set to "2" for all interfaces, except "hub0". We set
<filename>net.ipv4.conf.default.rp_filter</filename> first, so any interfaces which are added
<emphasis>later</emphasis> will get this value (this also covers any interfaces detected while we're
running). The glob matches any interfaces which were detected <emphasis>earlier</emphasis>. The glob
will also match <filename>net.ipv4.conf.all.rp_filter</filename>, which we don't want to set at all, so
it is explicitly excluded. And "hub0" is excluded from the glob because it has an explicit setting.
</para>
</example>

</refsect1>

<refsect1>
Expand Down
168 changes: 117 additions & 51 deletions src/sysctl/sysctl.c
View file
Expand Up @@ -14,6 +14,7 @@
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "glob-util.h"
#include "hashmap.h"
#include "log.h"
#include "main-func.h"
Expand Down Expand Up @@ -49,6 +50,26 @@ static Option *option_free(Option *o) {
DEFINE_TRIVIAL_CLEANUP_FUNC(Option*, option_free);
DEFINE_HASH_OPS_WITH_VALUE_DESTRUCTOR(option_hash_ops, char, string_hash_func, string_compare_func, Option, option_free);

static bool test_prefix(const char *p) {
char **i;

if (strv_isempty(arg_prefixes))
return true;

STRV_FOREACH(i, arg_prefixes) {
const char *t;

t = path_startswith(*i, "/proc/sys/");
if (!t)
t = *i;

if (path_startswith(p, t))
return true;
}

return false;
}

static Option *option_new(
const char *key,
const char *value,
Expand All @@ -57,24 +78,45 @@ static Option *option_new(
_cleanup_(option_freep) Option *o = NULL;

assert(key);
assert(value);

o = new(Option, 1);
if (!o)
return NULL;

*o = (Option) {
.key = strdup(key),
.value = strdup(value),
.value = value ? strdup(value) : NULL,
.ignore_failure = ignore_failure,
};

if (!o->key || !o->value)
if (!o->key)
return NULL;
if (value && !o->value)
return NULL;

return TAKE_PTR(o);
}

static int sysctl_write_or_warn(const char *key, const char *value, bool ignore_failure) {
int r;

r = sysctl_write(key, value);
if (r < 0) {
/* If the sysctl is not available in the kernel or we are running with reduced privileges and
* cannot write it, then log about the issue, and proceed without failing. (EROFS is treated
* as a permission problem here, since that's how container managers usually protected their
* sysctls.) In all other cases log an error and make the tool fail. */
if (ignore_failure || r == -EROFS || ERRNO_IS_PRIVILEGE(r))
log_debug_errno(r, "Couldn't write '%s' to '%s', ignoring: %m", value, key);
else if (r == -ENOENT)
log_info_errno(r, "Couldn't write '%s' to '%s', ignoring: %m", value, key);
else
return log_error_errno(r, "Couldn't write '%s' to '%s': %m", value, key);
}

return 0;
}

static int apply_all(OrderedHashmap *sysctl_options) {
Option *option;
Iterator i;
Expand All @@ -83,46 +125,60 @@ static int apply_all(OrderedHashmap *sysctl_options) {
ORDERED_HASHMAP_FOREACH(option, sysctl_options, i) {
int k;

k = sysctl_write(option->key, option->value);
if (k < 0) {
/* If the sysctl is not available in the kernel or we are running with reduced
* privileges and cannot write it, then log about the issue, and proceed without
* failing. (EROFS is treated as a permission problem here, since that's how
* container managers usually protected their sysctls.) In all other cases log an
* error and make the tool fail. */

if (option->ignore_failure || k == -EROFS || ERRNO_IS_PRIVILEGE(k))
log_debug_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key);
else if (k == -ENOENT)
log_info_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key);
else {
log_error_errno(k, "Couldn't write '%s' to '%s': %m", option->value, option->key);
if (r == 0)
r = k;
}
}
}
/* Ignore "negative match" options, they are there only to exclude stuff from globs. */
if (!option->value)
continue;

return r;
}
if (string_is_glob(option->key)) {
_cleanup_strv_free_ char **paths = NULL;
_cleanup_free_ char *pattern = NULL;
char **s;

static bool test_prefix(const char *p) {
char **i;
pattern = path_join("/proc/sys", option->key);
if (!pattern)
return log_oom();

if (strv_isempty(arg_prefixes))
return true;
k = glob_extend(&paths, pattern);
if (k < 0) {
if (option->ignore_failure || ERRNO_IS_PRIVILEGE(r))
log_debug_errno(k, "Failed to resolve glob '%s', ignoring: %m",
option->key);
else {
log_error_errno(k, "Couldn't resolve glob '%s': %m",
option->key);
if (r == 0)
r = k;
}

STRV_FOREACH(i, arg_prefixes) {
const char *t;
} else if (strv_isempty(paths))
log_debug("No match for glob: %s", option->key);

t = path_startswith(*i, "/proc/sys/");
if (!t)
t = *i;
if (path_startswith(p, t))
return true;
STRV_FOREACH(s, paths) {
const char *key;

assert_se(key = path_startswith(*s, "/proc/sys"));

if (!test_prefix(key))
continue;

if (ordered_hashmap_contains(sysctl_options, key)) {
log_info("Not setting %s (explicit setting exists).", key);
continue;
}

k = sysctl_write_or_warn(key, option->value, option->ignore_failure);
if (r == 0)
r = k;
}

} else {
k = sysctl_write_or_warn(option->key, option->value, option->ignore_failure);
if (r == 0)
r = k;
}
}

return false;
return r;
}

static int parse_file(OrderedHashmap **sysctl_options, const char *path, bool ignore_enoent) {
Expand All @@ -144,7 +200,7 @@ static int parse_file(OrderedHashmap **sysctl_options, const char *path, bool ig
for (;;) {
_cleanup_(option_freep) Option *new_option = NULL;
_cleanup_free_ char *l = NULL;
bool ignore_failure;
bool ignore_failure = false;
Option *existing;
char *p, *value;
int k;
Expand All @@ -165,25 +221,35 @@ static int parse_file(OrderedHashmap **sysctl_options, const char *path, bool ig
continue;

value = strchr(p, '=');
if (!value) {
log_syntax(NULL, LOG_WARNING, path, c, 0, "Line is not an assignment, ignoring: %s", p);
if (r == 0)
r = -EINVAL;
continue;
}
if (value) {
if (p[0] == '-') {
ignore_failure = true;
p++;
}

*value = 0;
value++;
*value = 0;
value++;
value = strstrip(value);

p = strstrip(p);
ignore_failure = p[0] == '-';
if (ignore_failure)
p++;
} else {
if (p[0] == '-')
/* We have a "negative match" option. Let's continue with value==NULL. */
p++;
else {
log_syntax(NULL, LOG_WARNING, path, c, 0,
"Line is not an assignment, ignoring: %s", p);
if (r == 0)
r = -EINVAL;
continue;
}
}

p = strstrip(p);
p = sysctl_normalize(p);
value = strstrip(value);

if (!test_prefix(p))
/* We can't filter out globs at this point, we'll need to do that later. */
if (!string_is_glob(p) &&
!test_prefix(p))
continue;

if (ordered_hashmap_ensure_allocated(sysctl_options, &option_hash_ops) < 0)
Expand Down

0 comments on commit e0f4247

Please sign in to comment.