
Conversation

@yu-re-ka
Contributor

@yu-re-ka yu-re-ka commented Sep 21, 2022

There is a pull request in the LKL repo adding firewall support: lkl/linux#431
It simply enables the appropriate options in the kernel config, since the framework is already there.
It has not been merged yet, because enabling these options by default would lead to bigger lkl binaries and an overall slowdown for all users. However, since we can provide an opt-in variant with Firewall support, there is no reason not to do it.

This is very useful for nftables rule checking without having access to the kernel interface.

Description of changes
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

There is a pull request in the LKL repo adding firewall support:
lkl/linux#431
It simply enables the appropriate options in the kernel config, since
the framework is already there.
It has not been merged yet, because enabling these options by default
would lead to bigger lkl binaries and an overall slowdown for all users.
However, since we can provide an opt-in variant with Firewall support,
there is no reason not to do it.

This is very useful for nftables rule checking without having access to
the kernel interface.
@ofborg ofborg bot added the 8.has: package (new) This PR adds a new package label Sep 21, 2022
@ofborg ofborg bot requested a review from copumpkin September 21, 2022 06:31
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. labels Sep 21, 2022
@yu-re-ka yu-re-ka requested review from Mic92 and Qubasa September 26, 2022 18:07
tgt = callPackage ../tools/networking/tgt { };

lkl = callPackage ../applications/virtualization/lkl { };
lklWithFirewall = callPackage ../applications/virtualization/lkl { firewallSupport = true; };
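Review bot: `lklWithFirewall` repeats the `callPackage ../applications/virtualization/lkl` path instead of deriving from the `lkl` attribute defined on the line above; consider `lklWithFirewall = lkl.override { firewallSupport = true; };` so the two variants cannot drift apart if the package is moved or gains further arguments.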
Member

@Mic92 Mic92 Sep 28, 2022


I think this is a useful addition. Can you also link in this PR to an example on how to use this feature to check nftable rules?

@yu-re-ka
Contributor Author

yu-re-ka commented Sep 30, 2022

See here for a usage example

Basically:

${lklWithFirewall.out}/bin/lkl-hijack.sh ${pkgs.nftables}/bin/nft --check --file $rulesetPath
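The one-liner above can be turned into a build-time check, so a broken ruleset fails `nix build` instead of failing `nft -f` on the target host at boot. The following is an added example, not code from this PR or from nixpkgs; the ruleset is constructed for illustration, and the attribute names `pkgs.lklWithFirewall` and `pkgs.nftables` are taken from the thread. It assumes `lkl-hijack.sh` lives in the `bin/` output of `lklWithFirewall`, as the comment above shows.

```nix
# Added example (not the project's code): validate an nftables ruleset at
# build time with lklWithFirewall. nft --check normally needs a netlink
# socket to the host kernel, which a Nix build sandbox does not have;
# lkl-hijack.sh preloads the LKL so nft talks to the library kernel instead.
{ pkgs ? import <nixpkgs> { } }:

let
  # Constructed sample ruleset, not taken from the PR.
  ruleset = pkgs.writeText "ruleset.nft" ''
    table inet filter {
      chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        tcp dport 22 accept
      }
    }
  '';
in
pkgs.runCommand "nftables-checked-ruleset" {
  nativeBuildInputs = [ pkgs.nftables ];
} ''
  # Same invocation as in the thread: parse and dry-run the ruleset
  # against LKL's netfilter. A syntax or semantic error makes nft exit
  # non-zero, which fails the derivation.
  ${pkgs.lklWithFirewall.out}/bin/lkl-hijack.sh \
    ${pkgs.nftables}/bin/nft --check --file ${ruleset}

  # Only a ruleset that passed the check reaches $out, so anything that
  # consumes this derivation (e.g. a systemd unit running `nft -f`) is
  # guaranteed a parseable file.
  cp ${ruleset} $out
''
```

Two caveats a practitioner should keep in mind. First, `--check` validates the ruleset against the LKL kernel's netfilter feature set, not the target host's; an expression that LKL's kernel version accepts can still be rejected by an older production kernel, so this catches syntax and most semantic errors but is not a substitute for testing on the real kernel. Second, this only checks the ruleset; it does not load it, so the check has no effect on the build machine's own firewall.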

@Mic92 Mic92 merged commit 877341e into NixOS:master Sep 30, 2022
@Mic92
Member

Mic92 commented Sep 30, 2022

Thanks!

@yu-re-ka yu-re-ka deleted the lkl-with-firewall branch October 1, 2022 10:05