Linux - how to fix "File *.service configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling"

Time:10-08

Since I used a custom .config to recompile the kernel, on boot I got the following kmsg (i.e. dmesg) message:

systemd[1]: File /usr/lib/systemd/system/systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)

Which kernel .config options do I need to enable to solve this problem?

CodePudding user response:

First enable CONFIG_BPF_SYSCALL=y:

Enable bpf() system call

CONFIG_BPF_SYSCALL:

Enable the bpf() system call that allows to manipulate eBPF
programs and maps via file descriptors.

Symbol: BPF_SYSCALL [=y]
Type: bool
Prompt: Enable bpf() system call
Location:
  -> General setup
Defined at init/Kconfig:1414
Selects: ANON_INODES [=y] && BPF [=y] && IRQ_WORK [=y]
Selected by [n]:
  - AF_KCM [=n] && NET [=y] && INET [=y]

Then you can also enable CONFIG_CGROUP_BPF=y:

Support for eBPF programs attached to cgroups

CONFIG_CGROUP_BPF:

Allow attaching eBPF programs to a cgroup using the bpf(2)
syscall command BPF_PROG_ATTACH.

In which context these programs are accessed depends on the type
of attachment. For instance, programs that are attached using
BPF_CGROUP_INET_INGRESS will be executed on the ingress path of
inet sockets.

Symbol: CGROUP_BPF [=y]
Type: bool
Prompt: Support for eBPF programs attached to cgroups
Location:
  -> General setup
    -> Control Group support (CGROUPS [=y])
Defined at init/Kconfig:845
Depends on: CGROUPS [=y] && BPF_SYSCALL [=y]
Selects: SOCK_CGROUP_DATA [=y]

This is the necessary condition for the system messages to disappear.
When you select the options above, this is what happens in the .config. Before:

# CONFIG_BPF_SYSCALL is not set

After:

CONFIG_BPF_SYSCALL=y
# CONFIG_XDP_SOCKETS is not set
# CONFIG_BPF_STREAM_PARSER is not set
CONFIG_CGROUP_BPF=y
CONFIG_BPF_EVENTS=y

Two further options become available, CONFIG_XDP_SOCKETS and CONFIG_BPF_STREAM_PARSER, but there is no need to enable them. If you want to know what they are:

XDP sockets

CONFIG_XDP_SOCKETS:

XDP sockets allows a channel between XDP programs and
userspace applications.

Symbol: XDP_SOCKETS [=n]
Type: bool
Prompt: XDP sockets
Location:
  -> Networking support (NET [=y])
    -> Networking options
Defined at net/xdp/Kconfig:1
Depends on: NET [=y] && BPF_SYSCALL [=y]

enable BPF STREAM_PARSER

CONFIG_BPF_STREAM_PARSER:
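As an added example (not part of the original answer), a small POSIX sh script that checks a kernel .config for the two options the answer names, so you can tell before rebooting whether systemd's IPAddressDeny=/IPAddressAllow= will actually be enforced or skipped with the warning quoted in the question. The config path argument and the function names are my own; the sample configs in the test are constructed from the "before" and "after" fragments above.

```shell
#!/bin/sh
# Added example, not from the original post: check a kernel .config for the
# options systemd needs for BPF/cgroup based firewalling.
# Usage: sh check_bpf_firewall.sh [/path/to/.config]
# Defaults to /boot/config-$(uname -r); `zcat /proc/config.gz > /tmp/config`
# also works on kernels built with CONFIG_IKCONFIG_PROC.

# option_state FILE OPTION: print y, m, n (explicitly "is not set") or
# missing (the option does not appear in the file at all).
option_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo missing
    fi
}

# check_bpf_firewall FILE: return 0 when every required option is =y,
# otherwise print each shortfall and return 1.
check_bpf_firewall() {
    cfg=$1
    rc=0
    for opt in CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF; do
        state=$(option_state "$cfg" "$opt")
        if [ "$state" != y ]; then
            echo "$opt is $state; must be =y for BPF/cgroup based firewalling"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "kernel config supports BPF/cgroup firewalling"
    fi
    # The kernel options are necessary; systemd additionally needs the
    # unified (v2) cgroup hierarchy for IPAddressDeny= to take effect.
    return "$rc"
}

# Stand-alone run: inspect the given config, or the running kernel's.
CONFIG_FILE=${1:-/boot/config-$(uname -r)}
if [ -r "$CONFIG_FILE" ]; then
    check_bpf_firewall "$CONFIG_FILE" || echo "rebuild the kernel with the options above"
else
    echo "no readable config at $CONFIG_FILE; pass a .config path as the first argument"
fi
```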