mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-10-07 04:57:26 +03:00
d1d8dd3e55
The Express Data Path (XDP) is a way to circumvent the traditional Linux networking stack and instead run an eBPF program on your NIC, that makes the decision to provide Knot with certain packets. This is way faster and more scalable but comes at the cost of reduced introspection. Unfortunately the `knotc conf-check` command fails hard with missing interfaces or IP addresses configured in `xdp.listen`, so we disable it for now, once the `xdp` config section is set. We also promote the config check condition to a proper option, so our conditions become public documentation, and we allow users to deal with corner cases, that we have not thought of yet. We follow the pre-requisites documented in the Knot 3.3 manual, and set up the required capabilities and allow the AF_XDP address family. But on top of that, due to our strict hardening, we found two more requirements, that were communicated upstream while debugging this. - There is a requirement on AF_NETLINK, likely to query for and configure the relevant network interface - Running eBPF programs requires access to the `bpf` syscall, which we deny through the `~@privileged` configuration. In summary We now conditionally loosen the hardening of the unit once we detect that an XDP configuration is wanted. And since we cannot introspect arbitrary files from the `settingsFiles` option, we expose XDP support through the `enableXDP` toggle option on the module. |
||
|---|---|---|
| .. | ||
| config | ||
| hardware | ||
| i18n/input-method | ||
| image | ||
| installer | ||
| misc | ||
| profiles | ||
| programs | ||
| security | ||
| services | ||
| system | ||
| tasks | ||
| testing | ||
| virtualisation | ||
| module-list.nix | ||
| rename.nix | ||