authorVincent Haupert <mail@vincent-haupert.de>2022-08-21 12:22:16 +0200
committerVincent Haupert <mail@vincent-haupert.de>2022-08-21 12:22:16 +0200
commitca0120a4bcb759b9a9040219b1f0a5e5a86e34a1 (patch)
tree434164dda59970a16033cb5d00164bac1a7161a4 /nixos/tests/systemd-bpf.nix
parent495b19d5b3e62b4ec7e846bdfb6ef3d9c3b83492 (diff)
systemd: enable `BPF_FRAMEWORK` by default (`withLibBPF=true`)
So far, we have been building Systemd without `BPF_FRAMEWORK`. As a
result, some Systemd features like `RestrictNetworkInterfaces=` cannot
work. To make things worse, Systemd doesn't even complain when using a
feature which requires `+BPF_FRAMEWORK`; yet, the option has no effect:

    # systemctl --version | grep -o "\-BPF_FRAMEWORK"
    -BPF_FRAMEWORK
    # systemd-run -t -p RestrictNetworkInterfaces="lo" ping -c 1 8.8.8.8

This commit enables `BPF_FRAMEWORK` by default. This is in line with
other distros (e.g., Fedora). Also note that BPF does not support stack
protector: https://lkml.org/lkml/2020/2/21/1000. To that end, I added a
small `CFLAGS` patch to the BPF build to keep using stack protector
as a default.

I also added an appropriate NixOS test.
Diffstat (limited to 'nixos/tests/systemd-bpf.nix')
-rw-r--r--nixos/tests/systemd-bpf.nix42
1 files changed, 42 insertions, 0 deletions
diff --git a/nixos/tests/systemd-bpf.nix b/nixos/tests/systemd-bpf.nix
new file mode 100644
index 0000000000000..e11347a2a817a
--- /dev/null
+++ b/nixos/tests/systemd-bpf.nix
@@ -0,0 +1,42 @@
+import ./make-test-python.nix ({ lib, ... }: {
+  name = "systemd-bpf";
+  meta = with lib.maintainers; {
+    maintainers = [ veehaitch ];
+  };
+  nodes = {
+    node1 = {
+      virtualisation.vlans = [ 1 ];
+      networking = {
+        useNetworkd = true;
+        useDHCP = false;
+        firewall.enable = false;
+        interfaces.eth1.ipv4.addresses = [
+          { address = "192.168.1.1"; prefixLength = 24; }
+        ];
+      };
+    };
+
+    node2 = {
+      virtualisation.vlans = [ 1 ];
+      networking = {
+        useNetworkd = true;
+        useDHCP = false;
+        firewall.enable = false;
+        interfaces.eth1.ipv4.addresses = [
+          { address = "192.168.1.2"; prefixLength = 24; }
+        ];
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+    node1.wait_for_unit("systemd-networkd-wait-online.service")
+    node2.wait_for_unit("systemd-networkd-wait-online.service")
+
+    with subtest("test RestrictNetworkInterfaces= works"):
+      node1.succeed("ping -c 5 192.168.1.2")
+      node1.succeed("systemd-run -t -p RestrictNetworkInterfaces='eth1' ping -c 5 192.168.1.2")
+      node1.fail("systemd-run -t -p RestrictNetworkInterfaces='lo' ping -c 5 192.168.1.2")
+  '';
+})
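Review bot: The negative assertion on the last line of the subtest, `node1.fail("systemd-run -t -p RestrictNetworkInterfaces='lo' ping -c 5 192.168.1.2")`, passes whenever `systemd-run` exits non-zero for any reason, so a broken invocation or a rejected property would be indistinguishable from the restriction actually blocking the ping. Since the commit's purpose is to turn on `BPF_FRAMEWORK`, consider pinning that directly before the subtest, `node1.succeed("systemctl --version | grep -q '+BPF_FRAMEWORK'")`, so a missing feature is reported explicitly rather than inferred from the ping result. A one-line comment above the subtest, `# RestrictNetworkInterfaces= silently has no effect without +BPF_FRAMEWORK`, would also record why the fail case is the meaningful one.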