nixpkgs-suyu/nixos
Maximilian Bosch 37e3cadb8b
nixos/systemd-networkd-vrf: implement working TCP test on a 5.x kernel
By design, VRFs allow route-leaking for forwarded packets, but not for
local processes using a socket. While it was possible to leak such TCP
traffic through a VRF on a 4.x kernel, this behavior was considered
wrong and got fixed in Linux 5.x[1].

From now on, local unix sockets must run in the VRF itself using
`ip vrf exec`[2] which basically injects a BPF program into the VRF and
drops elevated networking capabilities by default for the specified
command.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c82a21f4320c8d54cf6456b27c8d49e5ffb722e
[2] https://man7.org/linux/man-pages/man8/ip-vrf.8.html
2020-07-31 21:06:00 +02:00
doc nixos/doc/*: editorconfig fixes 2020-07-31 15:08:54 +10:00
lib nixos/boot: some documentation improvements 2020-07-29 14:39:21 -07:00
maintainers
modules nixos/nix-daemon.nix: fix nix.distributedBuilds assertion 2020-07-30 21:38:24 -05:00
tests nixos/systemd-networkd-vrf: implement working TCP test on a 5.x kernel 2020-07-31 21:06:00 +02:00
COPYING
default.nix
README
release-combined.nix
release-small.nix
release.nix nixos/release: add pantheon closure 2020-07-26 15:30:08 -04:00

*** NixOS ***

NixOS is a Linux distribution based on the purely functional package
management system Nix.  More information can be found at
https://nixos.org/nixos and in the manual in doc/manual.