Linux
How to fix "File *.service configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling"?
Booting from a kernel I recompiled with a custom .config, I get the following kmsg (i.e. dmesg) messages:

    systemd[1]: File /usr/lib/systemd/system/systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
    systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)

Which .config kernel options do I need to fix this?
First enable CONFIG_BPF_SYSCALL=y:

    ┌── Enable bpf() system call ─────────────────────────────────┐
    │                                                             │
    │ CONFIG_BPF_SYSCALL:                                         │
    │                                                             │
    │ Enable the bpf() system call that allows to manipulate eBPF │
    │ programs and maps via file descriptors.                     │
    │                                                             │
    │ Symbol: BPF_SYSCALL [=y]                                    │
    │ Type  : bool                                                │
    │ Prompt: Enable bpf() system call                            │
    │   Location:                                                 │
    │     -> General setup                                        │
    │   Defined at init/Kconfig:1414                              │
    │   Selects: ANON_INODES [=y] && BPF [=y] && IRQ_WORK [=y]    │
    │   Selected by [n]:                                          │
    │   - AF_KCM [=n] && NET [=y] && INET [=y]                    │
    └─────────────────────────────────────────────────────────────┘

^ which then allows you to also enable CONFIG_CGROUP_BPF=y:

    ┌── Support for eBPF programs attached to cgroups ─────────────────┐
    │                                                                  │
    │ CONFIG_CGROUP_BPF:                                               │
    │                                                                  │
    │ Allow attaching eBPF programs to a cgroup using the bpf(2)       │
    │ syscall command BPF_PROG_ATTACH.                                 │
    │                                                                  │
    │ In which context these programs are accessed depends on the type │
    │ of attachment. For instance, programs that are attached using    │
    │ BPF_CGROUP_INET_INGRESS will be executed on the ingress path of  │
    │ inet sockets.                                                    │
    │                                                                  │
    │ Symbol: CGROUP_BPF [=y]                                          │
    │ Type  : bool                                                     │
    │ Prompt: Support for eBPF programs attached to cgroups            │
    │   Location:                                                      │
    │     -> General setup                                             │
    │     -> Control Group support (CGROUPS [=y])                      │
    │   Defined at init/Kconfig:845                                    │
    │   Depends on: CGROUPS [=y] && BPF_SYSCALL [=y]                   │
    │   Selects: SOCK_CGROUP_DATA [=y]                                 │
    └──────────────────────────────────────────────────────────────────┘
That is all that is needed to make these systemd messages disappear. When you select the above, this is what happens in .config:

Before:

    # CONFIG_BPF_SYSCALL is not set

After:

    CONFIG_BPF_SYSCALL=y
    # CONFIG_XDP_SOCKETS is not set
    # CONFIG_BPF_STREAM_PARSER is not set
    CONFIG_CGROUP_BPF=y
    CONFIG_BPF_EVENTS=y
Two more options become available, CONFIG_XDP_SOCKETS and CONFIG_BPF_STREAM_PARSER, but there is no need to enable them. If you wonder what they are about:

    ┌── XDP sockets ────────────────────────────────────────┐
    │                                                       │
    │ CONFIG_XDP_SOCKETS:                                   │
    │                                                       │
    │ XDP sockets allows a channel between XDP programs and │
    │ userspace applications.                               │
    │                                                       │
    │ Symbol: XDP_SOCKETS [=n]                              │
    │ Type  : bool                                          │
    │ Prompt: XDP sockets                                   │
    │   Location:                                           │
    │     -> Networking support (NET [=y])                  │
    │       -> Networking options                           │
    │   Defined at net/xdp/Kconfig:1                        │
    │   Depends on: NET [=y] && BPF_SYSCALL [=y]            │
    └───────────────────────────────────────────────────────┘

    ┌── enable BPF STREAM_PARSER ───────────────────────────────────────────┐
    │                                                                       │
    │ CONFIG_BPF_STREAM_PARSER:                                             │
    │                                                                       │
    │ Enabling this allows a stream parser to be used with                  │
    │ BPF_MAP_TYPE_SOCKMAP.                                                 │
    │                                                                       │
    │ BPF_MAP_TYPE_SOCKMAP provides a map type to use with network sockets. │
    │ It can be used to enforce socket policy, implement socket redirects,  │
    │ etc.                                                                  │
    │                                                                       │
    │ Symbol: BPF_STREAM_PARSER [=n]                                        │
    │ Type  : bool                                                          │
    │ Prompt: enable BPF STREAM_PARSER                                      │
    │   Location:                                                           │
    │     -> Networking support (NET [=y])                                  │
    │       -> Networking options                                           │
    │   Defined at net/Kconfig:301                                          │
    │   Depends on: NET [=y] && BPF_SYSCALL [=y]                            │
    │   Selects: STREAM_PARSER [=m]                                         │
    └───────────────────────────────────────────────────────────────────────┘
If you wonder why CONFIG_BPF_EVENTS=y appears:

    ┌── Search Results ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
    │                                                                                                                                       │
    │ Symbol: BPF_EVENTS [=y]                                                                                                               │
    │ Type  : bool                                                                                                                          │
    │ Defined at kernel/trace/Kconfig:476                                                                                                   │
    │ Depends on: TRACING_SUPPORT [=y] && FTRACE [=y] && BPF_SYSCALL [=y] && (KPROBE_EVENTS [=n] || UPROBE_EVENTS [=y]) && PERF_EVENTS [=y] │
    └───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Kernel 4.18.5, tested on a Fedora 28 AppVM inside Qubes OS 4.0.
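The security-relevant detail in the log line is "Proceeding WITHOUT firewalling in effect": when the kernel lacks cgroup BPF support, systemd does not refuse to start the unit, it simply runs it with no IP restriction at all, so a hardened unit silently fails open. It is therefore worth checking a kernel's .config for the options the answer names before booting it. The POSIX shell script below is an added example and not part of the original question or answer; the function names, the script name and the sample .config fragment are constructed for illustration. It checks a config file (or the running kernel's, via /proc/config.gz or /boot/config-*) for CONFIG_CGROUPS, CONFIG_BPF_SYSCALL and CONFIG_CGROUP_BPF, and can rewrite the file so all three are =y.

```shell
#!/bin/sh
# check_bpf_firewall.sh (added example, not from the original post).
# systemd implements IPAddressDeny=/IPAddressAllow= as BPF programs attached
# to the unit's cgroup, which needs CONFIG_CGROUP_BPF; that symbol in turn
# depends on CONFIG_CGROUPS and CONFIG_BPF_SYSCALL, so all three are checked.
REQUIRED="CONFIG_CGROUPS CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF"

# check_kconfig FILE: print one line per required symbol; return 0 only if
# every symbol is set to =y, 1 otherwise (so it can gate a build script).
check_kconfig() {
    file="$1"
    missing=0
    for sym in $REQUIRED; do
        if grep -qx "${sym}=y" "$file"; then
            printf 'ok      %s=y\n' "$sym"
        else
            # Show what the file currently says, e.g. "# SYM is not set".
            state=$(grep -E "^(# )?${sym}[ =]" "$file" || echo "not present")
            printf 'MISSING %s (current: %s)\n' "$sym" "$state"
            missing=1
        fi
    done
    return "$missing"
}

# enable_kconfig FILE: rewrite FILE so each required symbol reads SYM=y,
# turning "# SYM is not set" or "SYM=m" into "SYM=y" and appending symbols
# that are absent. Idempotent: running it twice changes nothing further.
enable_kconfig() {
    file="$1"
    tmp="${file}.tmp"
    for sym in $REQUIRED; do
        if grep -qE "^(# )?${sym}[ =]" "$file"; then
            sed -e "s/^# ${sym} is not set\$/${sym}=y/" \
                -e "s/^${sym}=.*\$/${sym}=y/" "$file" > "$tmp" && mv "$tmp" "$file"
        else
            printf '%s=y\n' "$sym" >> "$file"
        fi
    done
}

# running_kernel_config: print the booted kernel's config, from
# /proc/config.gz (needs CONFIG_IKCONFIG_PROC) or /boot/config-$(uname -r).
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found for $(uname -r)" >&2
        return 1
    fi
}

# make_sample_config FILE: write a constructed .config fragment in the state
# the question describes (BPF_SYSCALL off, CGROUP_BPF absent because its
# dependency is off). Sample data only, not a real kernel's config.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_CGROUPS=y
# CONFIG_BPF_SYSCALL is not set
CONFIG_NET=y
EOF
}

# Usage: sh check_bpf_firewall.sh /path/to/.config
#        sh check_bpf_firewall.sh --running   (check the booted kernel)
# With no argument only the functions are defined, so the file can be sourced.
case "${1:-}" in
    --running)
        cfg=$(mktemp) && running_kernel_config > "$cfg" && check_kconfig "$cfg"
        rm -f "$cfg" ;;
    "") ;;
    *) check_kconfig "$1" ;;
esac
```

Inside a kernel tree the same change is made with `scripts/config --enable CONFIG_BPF_SYSCALL --enable CONFIG_CGROUP_BPF` followed by `make olddefconfig`; the in-place edit above only exists so the check can run on a config file without a source tree. Two caveats apply. The kernel options are necessary but not sufficient: cgroup BPF programs attach only to cgroup v2 paths, so systemd must also be managing units on a cgroup2 hierarchy for the filter to be installed. And after rebooting, confirm the warning is gone with `journalctl -b -g 'BPF/cgroup'` rather than trusting the config alone, because the message is printed only once, for the first unit that uses IP firewalling.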