8 linux firewall systemd linux-kernel
Booting a kernel I recompiled with a custom .config, I get the following kmsg (i.e. dmesg) messages:
systemd[1]: File /usr/lib/systemd/system/systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
What kernel options do I need in .config to fix this?
小智 12
First enable CONFIG_BPF_SYSCALL=y
Enable bpf() system call

CONFIG_BPF_SYSCALL:

Enable the bpf() system call that allows to manipulate eBPF
programs and maps via file descriptors.

Symbol: BPF_SYSCALL [=y]
Type  : bool
Prompt: Enable bpf() system call
  Location:
    -> General setup
  Defined at init/Kconfig:1414
  Selects: ANON_INODES [=y] && BPF [=y] && IRQ_WORK [=y]
  Selected by [n]:
  - AF_KCM [=n] && NET [=y] && INET [=y]
^ That then lets you enable CONFIG_CGROUP_BPF=y:
Support for eBPF programs attached to cgroups

CONFIG_CGROUP_BPF:

Allow attaching eBPF programs to a cgroup using the bpf(2)
syscall command BPF_PROG_ATTACH.

In which context these programs are accessed depends on the type
of attachment. For instance, programs that are attached using
BPF_CGROUP_INET_INGRESS will be executed on the ingress path of
inet sockets.

Symbol: CGROUP_BPF [=y]
Type  : bool
Prompt: Support for eBPF programs attached to cgroups
  Location:
    -> General setup
      -> Control Group support (CGROUPS [=y])
  Defined at init/Kconfig:845
  Depends on: CGROUPS [=y] && BPF_SYSCALL [=y]
  Selects: SOCK_CGROUP_DATA [=y]
That is all that is needed for those systemd messages to go away.
When you select the above, this is what happens in .config:
Before:
# CONFIG_BPF_SYSCALL is not set
After:
CONFIG_BPF_SYSCALL=y
# CONFIG_XDP_SOCKETS is not set
# CONFIG_BPF_STREAM_PARSER is not set
CONFIG_CGROUP_BPF=y
CONFIG_BPF_EVENTS=y
Two more options become available: CONFIG_XDP_SOCKETS and CONFIG_BPF_STREAM_PARSER. There is no need to enable them, but if you want to know what they are about:
XDP sockets

CONFIG_XDP_SOCKETS:

XDP sockets allows a channel between XDP programs and
userspace applications.

Symbol: XDP_SOCKETS [=n]
Type  : bool
Prompt: XDP sockets
  Location:
    -> Networking support (NET [=y])
      -> Networking options
  Defined at net/xdp/Kconfig:1
  Depends on: NET [=y] && BPF_SYSCALL [=y]

enable BPF STREAM_PARSER

CONFIG_BPF_STREAM_PARSER:

Enabling this allows a stream parser to be used with
BPF_MAP_TYPE_SOCKMAP.

BPF_MAP_TYPE_SOCKMAP provides a map type to use with network sockets.
It can be used to enforce socket policy, implement socket redirects,
etc.

Symbol: BPF_STREAM_PARSER [=n]
Type  : bool
Prompt: enable BPF STREAM_PARSER
  Location:
    -> Networking support (NET [=y])
      -> Networking options
  Defined at net/Kconfig:301
  Depends on: NET [=y] && BPF_SYSCALL [=y]
  Selects: STREAM_PARSER [=m]
If you are wondering why CONFIG_BPF_EVENTS=y:
Search Results

Symbol: BPF_EVENTS [=y]
Type  : bool
  Defined at kernel/trace/Kconfig:476
  Depends on: TRACING_SUPPORT [=y] && FTRACE [=y] && BPF_SYSCALL [=y] && (KPROBE_EVENTS [=n] || UPROBE_EVENTS [=y]) && PERF_EVENTS [=y]
Kernel 4.18.5 tested on a Fedora 28 AppVM in Qubes OS 4.0
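The answer above shows the before/after state of .config by hand. As an added example (my own shell script, not code from the answer, from systemd, or from the kernel tree), the following checks a kernel config file, or the running kernel's config, for the two symbols the answer identifies as required, CONFIG_BPF_SYSCALL=y and CONFIG_CGROUP_BPF=y, and flips an option to =y in a .config the same way the kernel's own scripts/config -e does. The function names and the sample .config fragment in demo are my constructions; nothing in it is taken from a real system.

```shell
#!/bin/sh
# Added example, not from the answer above nor from systemd/kernel sources.
# Checks a kernel .config for the two options systemd needs for
# IPAddressDeny=/IPAddressAllow= (cgroup/BPF firewalling) and enables them
# in a .config file the way "scripts/config -e OPT" would.
# Function names and the sample .config contents below are my own constructions.

# kconfig_has FILE OPT...  ->  0 if every CONFIG_OPT=y is present, 1 otherwise
kconfig_has() {
    _file=$1
    shift
    for _opt in "$@"; do
        grep -qx "CONFIG_${_opt}=y" "$_file" || return 1
    done
    return 0
}

# bpf_firewall_support FILE  ->  prints "supported" or "unsupported"
# These are the two symbols the answer identifies as required.
bpf_firewall_support() {
    if kconfig_has "$1" BPF_SYSCALL CGROUP_BPF; then
        echo supported
    else
        echo unsupported
    fi
}

# running_kernel_config  ->  writes the booted kernel's config to stdout
# (/proc/config.gz needs CONFIG_IKCONFIG_PROC; distros usually ship /boot/config-*)
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found for $(uname -r)" >&2
        return 1
    fi
}

# kconfig_enable FILE OPT  ->  set CONFIG_OPT=y in FILE, handling the three
# states an option can be in: "# CONFIG_OPT is not set", CONFIG_OPT=m/n, absent.
# It does NOT resolve dependencies; run "make olddefconfig" afterwards.
kconfig_enable() {
    _file=$1
    _opt=$2
    if grep -qE "^(# CONFIG_${_opt} is not set|CONFIG_${_opt}=)" "$_file"; then
        _tmp=$(mktemp)
        sed -e "s/^# CONFIG_${_opt} is not set\$/CONFIG_${_opt}=y/" \
            -e "s/^CONFIG_${_opt}=.*/CONFIG_${_opt}=y/" "$_file" > "$_tmp" \
            && mv "$_tmp" "$_file"
    else
        echo "CONFIG_${_opt}=y" >> "$_file"
    fi
}

# demo  ->  reproduces the answer's before/after on a constructed .config
# fragment and prints "unsupported -> supported"
demo() {
    _cfg=$(mktemp)
    # constructed fragment mirroring the "Before:" state in the answer
    printf '%s\n' 'CONFIG_CGROUPS=y' '# CONFIG_BPF_SYSCALL is not set' > "$_cfg"
    _before=$(bpf_firewall_support "$_cfg")
    kconfig_enable "$_cfg" BPF_SYSCALL
    kconfig_enable "$_cfg" CGROUP_BPF
    _after=$(bpf_firewall_support "$_cfg")
    rm -f "$_cfg"
    echo "$_before -> $_after"
}

# "sh check-bpf-fw.sh demo" runs the constructed case;
# "sh check-bpf-fw.sh /path/to/.config" checks a real file;
# for the booted kernel: running_kernel_config > /tmp/cfg && sh check-bpf-fw.sh /tmp/cfg
case "${1:-}" in
    demo) demo ;;
    "")   ;;
    *)    bpf_firewall_support "$1" ;;
esac
```

kconfig_enable only rewrites the one line; it does not pull in the dependencies the help text lists (CGROUP_BPF depends on CGROUPS and BPF_SYSCALL, and BPF_EVENTS on the tracing symbols), so after editing a real .config in a kernel tree run make olddefconfig, or use the tree's own scripts/config -e BPF_SYSCALL -e CGROUP_BPF followed by make olddefconfig, and then confirm with bpf_firewall_support that both symbols survived dependency resolution before building.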