feat: enable INET_DIAG
Fixes: #1028

INET_DIAG_DESTROY is used by CNIs such as Cilium to terminate
connections in other containers. KSPP recommends disabling it due to
"Prior to v4.1, assists heap memory attacks; best to keep interface
disabled.".

Linux 4.1 was almost 10 years ago, and Cilium, with its eBPF-based
kube-proxy replacement, is widely used by the community; not having
this enabled leads to weird networking issues (e.g. when coredns pods
get a different IP due to deployment restarts, UDP DNS clients keep
sending connections to the old IP).

Signed-off-by: Ströger Florian <[email protected]>
Preisschild committed Sep 17, 2024
1 parent c9f7eb9 commit 4f7f0e1
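The commit message refers to the socket-termination interface that CONFIG_INET_DIAG_DESTROY gates without showing it. As an added illustration (not code from this commit, from Talos, or from Cilium), the C program below sends the SOCK_DESTROY request over NETLINK_SOCK_DIAG for one IPv4 TCP or UDP socket selected by its 4-tuple, which is the operation a CNI uses to abort a stale connected UDP DNS client socket. The addresses and ports used in the usage line are assumptions; the error codes in the comments are the kernel's own (EOPNOTSUPP when the kernel lacks CONFIG_INET_DIAG_DESTROY, EPERM without CAP_NET_ADMIN in the socket's network namespace, ENOENT when nothing matches).

```c
/* Added example: issue SOCK_DESTROY over NETLINK_SOCK_DIAG (Linux only).
 * Not part of the siderolabs/pkgs commit. */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/inet_diag.h>
#include <linux/netlink.h>
#include <linux/sock_diag.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One netlink message: header followed immediately by the inet_diag request. */
struct destroy_req {
    struct nlmsghdr nlh;
    struct inet_diag_req_v2 r;
};

/* Fill in a SOCK_DESTROY request for one IPv4 socket selected by its 4-tuple.
 * Returns the number of bytes to send (nlh.nlmsg_len), or 0 on a malformed address. */
size_t build_destroy_req(struct destroy_req *m, uint8_t proto,
                         const char *src, uint16_t sport,
                         const char *dst, uint16_t dport)
{
    memset(m, 0, sizeof(*m));
    m->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(m->r));
    m->nlh.nlmsg_type = SOCK_DESTROY;              /* the verb CONFIG_INET_DIAG_DESTROY enables */
    m->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    m->r.sdiag_family = AF_INET;
    m->r.sdiag_protocol = proto;                   /* IPPROTO_TCP or IPPROTO_UDP */
    m->r.idiag_states = ~0U;                       /* any TCP state; ignored for UDP */
    m->r.id.idiag_sport = htons(sport);
    m->r.id.idiag_dport = htons(dport);
    m->r.id.idiag_cookie[0] = INET_DIAG_NOCOOKIE;  /* select by tuple, not by socket cookie */
    m->r.id.idiag_cookie[1] = INET_DIAG_NOCOOKIE;
    if (inet_pton(AF_INET, src, &m->r.id.idiag_src[0]) != 1 ||
        inet_pton(AF_INET, dst, &m->r.id.idiag_dst[0]) != 1)
        return 0;
    return m->nlh.nlmsg_len;
}

/* Send the request. Returns 0 if the kernel aborted the socket (its owner sees
 * ECONNABORTED), otherwise the errno the kernel reported: EOPNOTSUPP when built
 * without CONFIG_INET_DIAG_DESTROY, EPERM without CAP_NET_ADMIN in the socket's
 * network namespace, ENOENT when no socket matches the tuple. */
int destroy_socket(uint8_t proto, const char *src, uint16_t sport,
                   const char *dst, uint16_t dport)
{
    struct destroy_req req;
    size_t len = build_destroy_req(&req, proto, src, sport, dst, dport);
    if (len == 0)
        return EINVAL;

    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG);
    if (fd < 0)
        return errno;

    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        int e = errno;
        close(fd);
        return e;
    }

    /* NLM_F_ACK makes the kernel answer with one NLMSG_ERROR; error == 0 is the ACK. */
    uint32_t buf[64];                              /* 4-byte aligned reply buffer */
    ssize_t n = recv(fd, buf, sizeof(buf), 0);
    int result = (n < 0) ? errno : EPROTO;         /* EPROTO: reply was not an NLMSG_ERROR */
    if (n >= 0) {
        struct nlmsghdr *h = (struct nlmsghdr *)buf;
        if (NLMSG_OK(h, (size_t)n) && h->nlmsg_type == NLMSG_ERROR) {
            struct nlmsgerr *err = NLMSG_DATA(h);
            result = -err->error;                  /* kernel reports a negative errno */
        }
    }
    close(fd);
    return result;
}

int main(int argc, char **argv)
{
    if (argc != 6) {
        fprintf(stderr, "usage: %s tcp|udp SRC SPORT DST DPORT\n", argv[0]);
        return 2;
    }
    uint8_t proto = strcmp(argv[1], "udp") == 0 ? IPPROTO_UDP : IPPROTO_TCP;
    int e = destroy_socket(proto, argv[2], (uint16_t)strtoul(argv[3], NULL, 10),
                           argv[4], (uint16_t)strtoul(argv[5], NULL, 10));
    printf("%s\n", e == 0 ? "socket destroyed" : strerror(e));
    return e == 0 ? 0 : 1;
}
```

With the assumed stale DNS client 10.0.0.5:41234 connected to a removed coredns IP 10.96.0.10, `sudo ./sockdestroy udp 10.0.0.5 41234 10.96.0.10 53` aborts that socket so the client re-resolves and reconnects; on a kernel built with `# CONFIG_INET_DIAG is not set` the same call prints "Operation not supported". iproute2's `ss -K` (`--kill`) issues the same request with a filter expression instead of a hard-coded tuple.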
Showing 3 changed files with 11 additions and 2 deletions.
6 changes: 5 additions & 1 deletion kernel/build/config-amd64
Expand Up @@ -1163,7 +1163,11 @@ CONFIG_INET_IPCOMP=y
CONFIG_INET_TABLE_PERTURB_ORDER=16
CONFIG_INET_XFRM_TUNNEL=y
CONFIG_INET_TUNNEL=y
# CONFIG_INET_DIAG is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_INET_UDP_DIAG=y
# CONFIG_INET_RAW_DIAG is not set
CONFIG_INET_DIAG_DESTROY=y
CONFIG_TCP_CONG_ADVANCED=y
# CONFIG_TCP_CONG_BIC is not set
CONFIG_TCP_CONG_CUBIC=y
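Review bot: CONFIG_INET_DIAG_DESTROY=y in this hunk makes SOCK_DESTROY available to any process holding CAP_NET_ADMIN in a socket's network namespace, not only to the CNI, so a workload granted that capability can now abort other processes' TCP and UDP sockets in the same namespace; the commit message should state that trade-off next to the KSPP quote rather than only the age of the v4.1 concern. The hunk enables only CONFIG_INET_TCP_DIAG and CONFIG_INET_UDP_DIAG and leaves `# CONFIG_INET_RAW_DIAG is not set`, which matches the stated TCP/UDP termination use case; a one-line comment recording that RAW diag is intentionally left off would stop a later "fix" from enabling it.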
6 changes: 5 additions & 1 deletion kernel/build/config-arm64
Expand Up @@ -1198,7 +1198,11 @@ CONFIG_INET_IPCOMP=y
CONFIG_INET_TABLE_PERTURB_ORDER=16
CONFIG_INET_XFRM_TUNNEL=y
CONFIG_INET_TUNNEL=y
# CONFIG_INET_DIAG is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_INET_UDP_DIAG=y
# CONFIG_INET_RAW_DIAG is not set
CONFIG_INET_DIAG_DESTROY=y
CONFIG_TCP_CONG_ADVANCED=y
# CONFIG_TCP_CONG_BIC is not set
CONFIG_TCP_CONG_CUBIC=y
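Review bot: this hunk is line-for-line identical to the amd64 one, which is what we want, but the two configs already sit at different offsets (line 1163 vs 1198) and are edited by hand; a small check that the CONFIG_INET_DIAG, CONFIG_INET_TCP_DIAG, CONFIG_INET_UDP_DIAG, CONFIG_INET_RAW_DIAG and CONFIG_INET_DIAG_DESTROY values agree between kernel/build/config-amd64 and kernel/build/config-arm64 would catch a future one-sided edit that re-breaks Cilium on one architecture only.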
1 change: 1 addition & 0 deletions kernel/build/scripts/filter-hardened-check.py
Expand Up @@ -31,6 +31,7 @@
'CONFIG_SECURITY_SELINUX_DEVELOP', # SELinux enabled, but permissive unless enforcing=1. TODO: force enforcing mode when complete
'CONFIG_SPECULATION_MITIGATIONS', # Renamed in the kernel to 'CONFIG_CPU_MITIGATIONS'
'CONFIG_EFI_DISABLE_PCI_DMA', # enabling this breaks boot with no visible error messages to debug (https://github.com/siderolabs/talos/issues/8743)
'CONFIG_INET_DIAG', # last vulnerability prior to v4.1. Required for CNIs such as Cilium to terminate sockets. (https://github.com/siderolabs/pkgs/issues/1028)
}

"""

0 comments on commit 4f7f0e1