Add ip protocol token to SocketBind{Allow|Deny}= property parser.
Use parse_socket_bind_item helper.
Replace int32_t with int in cgroup item for socket-bind as it was
requested in [0].
Update tests.
[0] https://github.com/systemd/systemd/pull/19942#discussion_r652150024
Parse address family, ip protocol and ports, any of them can be
optional. If neither is specified, a special value 'any' is expected.
Helper is placed in shared to be reused in both fragment and dbus.
Add unit tests with valid and invalid examples.
Thin wrappers of ip_protocol_{from|to}_name targeting IPPROTO_TCP and
IPPROTO_UDP only.
Used to parse IP protocol configuration restricted only to TCP and UDP,
e.g. in SocketBind{Allow|Deny}= unit property.
These helpers are inspired by af_{from|to}_ipv4_ipv6 and potentially
extendable with other IP protocols if there is a use-case to expose
them.
Lookup ip protocol in a socket address to allow or deny binding a socket
to the address.
Matching rule is extended with 'protocol' field. If its value is 0
(IPPROTO_IP) ip protocol comparison is omitted and matching is passed to
the next token which is ip ports.
Documentation is updated.
dns_resource_record_copy() assumes that NSEC types bitmap is non-empty
which results in a null pointer dereference inside bitmap_copy() in some
cases. Fix this by calling bitmap_copy() conditionally.
socket_broadcast_group_unref() is only called in netlink_slot_disconnect(),
so the assertion should not be triggered as the match slot was
successfully created.
But, we usually design `_ref/unref()` functions as they can be called
for any inputs. So, let's also follow the design rule here.
We checked the wrong field, which was always NULL here, so we would always
reject the assignment. We would also print the wrong string in the error
message:
$ sudo systemd-run --socket-property ListenFIFO=/tmp/fifo3 cat
Failed to start transient socket unit: Invalid socket path: FIFO
When an ExtensionImages= extension-release metadata does not match, the
log messages (unless debug level is set) are pretty much incomprehensible:
systemd[463]: run-u11.service: Failed to set up mount namespacing: /run/systemd/unit-extensions/0: Stale file handle
systemd[463]: run-u11.service: Failed at step NAMESPACE spawning /usr/bin/echo: Stale file handle
Add an explicit log message if we get ESTALE from the dissect code, to
make it clear what's happening without needing to enable debugging:
systemd[463]: Failed to mount image /tmp/app3.raw, extension-release metadata does not match the lower layer's: ID=debian VERSION_ID=11 SYSEXT_LEVEL=11
Only treat interface names containing dots specially when resolvectl is
pretending to be resolvconf to fix
https://github.com/systemd/systemd/issues/20014 .
Move the special suffix-stripping behaviour of ifname_mangle out to the
new ifname_resolvconf_mangle to be called from resolvconf only.
