From a50180b75344e9539eb602aa3c5bc25d179ca08a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Florian=20Str=C3=B6ger?=
Date: Tue, 17 Sep 2024 09:54:23 +0200
Subject: [PATCH] feat: enable INET_DIAG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: https://github.com/siderolabs/pkgs/issues/1028

INET_DIAG_DESTROY is used by CNIs such as Cilium to terminate connections in other containers. KSPP recommends to disable it due to "Prior to v4.1, assists heap memory attacks; best to keep interface disabled.". Linux 4.1 was almost 10 years ago and Cilium with their eBPF-based kube-proxy replacement is widely used by the community and not having this enabled leads to weird networking issues (e.g. when coredns pods get a different IP due deployment restarts UDP dns clients keep sending connections to the old IP)

Signed-off-by: Ströger Florian
Signed-off-by: Noel Georgi
(cherry picked from commit 79a4f92c5aa4b8288a927351209542c274724475)
---
 kernel/build/config-amd64 | 8 +++++++-
 kernel/build/config-arm64 | 7 ++++++-
 kernel/build/scripts/filter-hardened-check.py | 1 +
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
index f28de44d..addc568d 100644
--- a/kernel/build/config-amd64
+++ b/kernel/build/config-amd64
@@ -1163,7 +1163,11 @@ CONFIG_INET_IPCOMP=y
 CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=y
 CONFIG_INET_TUNNEL=y
-# CONFIG_INET_DIAG is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+CONFIG_INET_UDP_DIAG=y
+# CONFIG_INET_RAW_DIAG is not set
+CONFIG_INET_DIAG_DESTROY=y
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
 CONFIG_TCP_CONG_CUBIC=y
@@ -1564,6 +1568,7 @@ CONFIG_BRIDGE_EBT_LOG=y
 CONFIG_BRIDGE_EBT_NFLOG=y
 # CONFIG_BPFILTER is not set
 CONFIG_IP_DCCP=y
+CONFIG_INET_DCCP_DIAG=y
 #
 # DCCP CCIDs Configuration
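Review bot: The set of diag options switched on in this hunk is wider than the use case in the commit message justifies: socket termination by the CNI needs CONFIG_INET_DIAG, CONFIG_INET_TCP_DIAG, CONFIG_INET_UDP_DIAG and CONFIG_INET_DIAG_DESTROY, whereas CONFIG_INET_DCCP_DIAG (the -1564 hunk) and CONFIG_INET_SCTP_DIAG (the -1587 hunk, and the same lines in config-arm64) look like defaults that `make olddefconfig` pulled in once INET_DIAG was enabled rather than deliberate choices. Since this is a documented step away from the KSPP recommendation, confining the exposed sock_diag surface to the protocol families the CNI actually inspects — `# CONFIG_INET_DCCP_DIAG is not set` and `# CONFIG_INET_SCTP_DIAG is not set` — keeps the exception as narrow as the linked issue describes, unless those families are needed too. It is also worth recording, in the issue or a kernel-config note, that the SOCK_DESTROY operation INET_DIAG_DESTROY enables is, as far as I recall, gated on CAP_NET_ADMIN in the socket's network namespace, which is the property that bounds who can use it; that is the argument a future reader of this hardening exception will want to see.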
@@ -1587,6 +1592,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
+CONFIG_INET_SCTP_DIAG=y
 CONFIG_RDS=y
 # CONFIG_RDS_RDMA is not set
 # CONFIG_RDS_TCP is not set
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
index a2ad8ad1..13aa39de 100644
--- a/kernel/build/config-arm64
+++ b/kernel/build/config-arm64
@@ -1198,7 +1198,11 @@ CONFIG_INET_IPCOMP=y
 CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=y
 CONFIG_INET_TUNNEL=y
-# CONFIG_INET_DIAG is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+CONFIG_INET_UDP_DIAG=y
+# CONFIG_INET_RAW_DIAG is not set
+CONFIG_INET_DIAG_DESTROY=y
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
 CONFIG_TCP_CONG_CUBIC=y
@@ -1606,6 +1610,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
+CONFIG_INET_SCTP_DIAG=y
 CONFIG_RDS=y
 # CONFIG_RDS_RDMA is not set
 # CONFIG_RDS_TCP is not set
diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py
index b13a5d48..7922dd66 100644
--- a/kernel/build/scripts/filter-hardened-check.py
+++ b/kernel/build/scripts/filter-hardened-check.py
@@ -31,6 +31,7 @@
 'CONFIG_SECURITY_SELINUX_DEVELOP', # SELinux enabled, but permissive unless enforcing=1. TODO: force enforcing mode when complete
 'CONFIG_SPECULATION_MITIGATIONS', # Renamed in the kernel to 'CONFIG_CPU_MITIGATIONS'
 'CONFIG_EFI_DISABLE_PCI_DMA', # enabling this breaks boot with no visible error messages to debug (https://github.com/siderolabs/talos/issues/8743)
+ 'CONFIG_INET_DIAG', # last vulnerability prior to v4.1. Required for CNIs such as Cilium to terminate sockets. (https://github.com/siderolabs/pkgs/issues/1028)
 }
 """
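Review bot: The comment on the new allowlist entry, `# last vulnerability prior to v4.1.`, misstates the KSPP rationale it is answering: the KSPP note quoted in the commit message says INET_DIAG "prior to v4.1, assists heap memory attacks", i.e. disabling it was a mitigation for older kernels, not a record of a last known vulnerability, and the entry is the only place a future maintainer will see why this check is waived. Suggest `'CONFIG_INET_DIAG', # KSPP disables it because it assisted heap memory attacks prior to v4.1; required by CNIs such as Cilium (via INET_DIAG_DESTROY) to terminate sockets (https://github.com/siderolabs/pkgs/issues/1028)`. The entry also covers only CONFIG_INET_DIAG while the config hunks additionally set CONFIG_INET_DIAG_DESTROY=y; if the hardening checker reports that option separately it would need its own entry with the same justification, which is worth confirming against the checker's output. The set literal this line belongs to begins before the hunk.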