lklWithFirewall: init
There is a pull request in the LKL repo adding firewall support: https://github.com/lkl/linux/pull/431 It simply enables the appropriate options in the kernel config, since the framework is already there. It has not been merged yet, because enabling these options by default would lead to bigger lkl binaries and an overall slowdown for all users. However, since we can provide an opt-in variant with Firewall support, there is no reason not to do it. This is very useful for nftables rule checking without having access to the kernel interface.
This commit is contained in:
parent
d3270d6b32
commit
502c8c1587
@ -1,5 +1,8 @@
|
||||
{ lib, stdenv, fetchFromGitHub, bc, python3, bison, flex, fuse, libarchive
|
||||
, buildPackages }:
|
||||
, buildPackages
|
||||
|
||||
, firewallSupport ? false
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "lkl";
|
||||
@ -26,6 +29,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
# Fixup build with newer Linux headers: https://github.com/lkl/linux/pull/484
|
||||
sed '1i#include <linux/sockios.h>' -i tools/lkl/lib/hijack/xlate.c
|
||||
'' + lib.optionalString firewallSupport ''
|
||||
cat ${./lkl-defconfig-enable-nftables} >> arch/lkl/configs/defconfig
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
|
@ -0,0 +1,155 @@
|
||||
CONFIG_NETFILTER=y
|
||||
CONFIG_NF_CONNTRACK=y
|
||||
CONFIG_NF_LOG_NETDEV=y
|
||||
CONFIG_NF_CONNTRACK_ZONES=y
|
||||
CONFIG_NF_CONNTRACK_EVENTS=y
|
||||
CONFIG_NF_CONNTRACK_TIMEOUT=y
|
||||
CONFIG_NF_CONNTRACK_TIMESTAMP=y
|
||||
CONFIG_NF_CONNTRACK_AMANDA=y
|
||||
CONFIG_NF_CONNTRACK_FTP=y
|
||||
CONFIG_NF_CONNTRACK_H323=y
|
||||
CONFIG_NF_CONNTRACK_IRC=y
|
||||
CONFIG_NF_CONNTRACK_NETBIOS_NS=y
|
||||
CONFIG_NF_CONNTRACK_SNMP=y
|
||||
CONFIG_NF_CONNTRACK_PPTP=y
|
||||
CONFIG_NF_CONNTRACK_SANE=y
|
||||
CONFIG_NF_CONNTRACK_SIP=y
|
||||
CONFIG_NF_CONNTRACK_TFTP=y
|
||||
CONFIG_NF_CT_NETLINK=y
|
||||
CONFIG_NF_CT_NETLINK_TIMEOUT=y
|
||||
CONFIG_NF_CT_NETLINK_HELPER=y
|
||||
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
|
||||
CONFIG_NF_TABLES=y
|
||||
CONFIG_NF_TABLES_INET=y
|
||||
CONFIG_NF_TABLES_NETDEV=y
|
||||
CONFIG_NFT_NUMGEN=y
|
||||
CONFIG_NFT_CT=y
|
||||
CONFIG_NFT_COUNTER=y
|
||||
CONFIG_NFT_CONNLIMIT=y
|
||||
CONFIG_NFT_LOG=y
|
||||
CONFIG_NFT_LIMIT=y
|
||||
CONFIG_NFT_MASQ=y
|
||||
CONFIG_NFT_REDIR=y
|
||||
CONFIG_NFT_NAT=y
|
||||
CONFIG_NFT_TUNNEL=y
|
||||
CONFIG_NFT_OBJREF=y
|
||||
CONFIG_NFT_QUEUE=y
|
||||
CONFIG_NFT_QUOTA=y
|
||||
CONFIG_NFT_REJECT=y
|
||||
CONFIG_NFT_COMPAT=y
|
||||
CONFIG_NFT_HASH=y
|
||||
CONFIG_NFT_FIB_INET=y
|
||||
CONFIG_NFT_SOCKET=y
|
||||
CONFIG_NFT_OSF=y
|
||||
CONFIG_NFT_TPROXY=y
|
||||
CONFIG_NFT_SYNPROXY=y
|
||||
CONFIG_NFT_DUP_NETDEV=y
|
||||
CONFIG_NFT_FWD_NETDEV=y
|
||||
CONFIG_NFT_FIB_NETDEV=y
|
||||
CONFIG_NF_FLOW_TABLE_INET=y
|
||||
CONFIG_NF_FLOW_TABLE=y
|
||||
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
|
||||
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
|
||||
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
|
||||
CONFIG_NETFILTER_XT_TARGET_DSCP=y
|
||||
CONFIG_NETFILTER_XT_TARGET_HMARK=y
|
||||
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y
|
||||
CONFIG_NETFILTER_XT_TARGET_LOG=y
|
||||
CONFIG_NETFILTER_XT_TARGET_MARK=y
|
||||
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
|
||||
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
|
||||
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
|
||||
CONFIG_NETFILTER_XT_TARGET_TEE=y
|
||||
CONFIG_NETFILTER_XT_TARGET_TPROXY=y
|
||||
CONFIG_NETFILTER_XT_TARGET_TRACE=y
|
||||
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
|
||||
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y
|
||||
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
|
||||
CONFIG_NETFILTER_XT_MATCH_BPF=y
|
||||
CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
|
||||
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
|
||||
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
|
||||
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y
|
||||
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
|
||||
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
|
||||
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
|
||||
CONFIG_NETFILTER_XT_MATCH_CPU=y
|
||||
CONFIG_NETFILTER_XT_MATCH_DCCP=y
|
||||
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
|
||||
CONFIG_NETFILTER_XT_MATCH_DSCP=y
|
||||
CONFIG_NETFILTER_XT_MATCH_ESP=y
|
||||
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
|
||||
CONFIG_NETFILTER_XT_MATCH_HELPER=y
|
||||
CONFIG_NETFILTER_XT_MATCH_IPCOMP=y
|
||||
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
|
||||
CONFIG_NETFILTER_XT_MATCH_L2TP=y
|
||||
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
|
||||
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
|
||||
CONFIG_NETFILTER_XT_MATCH_MAC=y
|
||||
CONFIG_NETFILTER_XT_MATCH_MARK=y
|
||||
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
|
||||
CONFIG_NETFILTER_XT_MATCH_NFACCT=y
|
||||
CONFIG_NETFILTER_XT_MATCH_OSF=y
|
||||
CONFIG_NETFILTER_XT_MATCH_OWNER=y
|
||||
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
|
||||
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
|
||||
CONFIG_NETFILTER_XT_MATCH_RATEEST=y
|
||||
CONFIG_NETFILTER_XT_MATCH_REALM=y
|
||||
CONFIG_NETFILTER_XT_MATCH_RECENT=y
|
||||
CONFIG_NETFILTER_XT_MATCH_SCTP=y
|
||||
CONFIG_NETFILTER_XT_MATCH_SOCKET=y
|
||||
CONFIG_NETFILTER_XT_MATCH_STATE=y
|
||||
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
|
||||
CONFIG_NETFILTER_XT_MATCH_STRING=y
|
||||
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
|
||||
CONFIG_NETFILTER_XT_MATCH_TIME=y
|
||||
CONFIG_NETFILTER_XT_MATCH_U32=y
|
||||
CONFIG_NFT_DUP_IPV4=y
|
||||
CONFIG_NFT_FIB_IPV4=y
|
||||
CONFIG_NF_TABLES_ARP=y
|
||||
CONFIG_NF_FLOW_TABLE_IPV4=y
|
||||
CONFIG_NF_LOG_ARP=y
|
||||
CONFIG_IP_NF_IPTABLES=y
|
||||
CONFIG_IP_NF_MATCH_AH=y
|
||||
CONFIG_IP_NF_MATCH_ECN=y
|
||||
CONFIG_IP_NF_MATCH_RPFILTER=y
|
||||
CONFIG_IP_NF_MATCH_TTL=y
|
||||
CONFIG_IP_NF_FILTER=y
|
||||
CONFIG_IP_NF_TARGET_REJECT=y
|
||||
CONFIG_IP_NF_TARGET_SYNPROXY=y
|
||||
CONFIG_IP_NF_NAT=y
|
||||
CONFIG_IP_NF_TARGET_MASQUERADE=y
|
||||
CONFIG_IP_NF_TARGET_NETMAP=y
|
||||
CONFIG_IP_NF_TARGET_REDIRECT=y
|
||||
CONFIG_IP_NF_MANGLE=y
|
||||
CONFIG_IP_NF_TARGET_CLUSTERIP=y
|
||||
CONFIG_IP_NF_TARGET_ECN=y
|
||||
CONFIG_IP_NF_TARGET_TTL=y
|
||||
CONFIG_IP_NF_RAW=y
|
||||
CONFIG_IP_NF_ARPTABLES=y
|
||||
CONFIG_IP_NF_ARPFILTER=y
|
||||
CONFIG_IP_NF_ARP_MANGLE=y
|
||||
CONFIG_NFT_DUP_IPV6=y
|
||||
CONFIG_NFT_FIB_IPV6=y
|
||||
CONFIG_NF_FLOW_TABLE_IPV6=y
|
||||
CONFIG_IP6_NF_IPTABLES=y
|
||||
CONFIG_IP6_NF_MATCH_AH=y
|
||||
CONFIG_IP6_NF_MATCH_EUI64=y
|
||||
CONFIG_IP6_NF_MATCH_FRAG=y
|
||||
CONFIG_IP6_NF_MATCH_OPTS=y
|
||||
CONFIG_IP6_NF_MATCH_HL=y
|
||||
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
|
||||
CONFIG_IP6_NF_MATCH_MH=y
|
||||
CONFIG_IP6_NF_MATCH_RPFILTER=y
|
||||
CONFIG_IP6_NF_MATCH_RT=y
|
||||
CONFIG_IP6_NF_MATCH_SRH=y
|
||||
CONFIG_IP6_NF_TARGET_HL=y
|
||||
CONFIG_IP6_NF_FILTER=y
|
||||
CONFIG_IP6_NF_TARGET_REJECT=y
|
||||
CONFIG_IP6_NF_TARGET_SYNPROXY=y
|
||||
CONFIG_IP6_NF_MANGLE=y
|
||||
CONFIG_IP6_NF_RAW=y
|
||||
CONFIG_IP6_NF_NAT=y
|
||||
CONFIG_IP6_NF_TARGET_MASQUERADE=y
|
||||
CONFIG_IP6_NF_TARGET_NPT=y
|
||||
CONFIG_NF_CONNTRACK_BRIDGE=y
|
@ -24530,6 +24530,7 @@ with pkgs;
|
||||
tgt = callPackage ../tools/networking/tgt { };
|
||||
|
||||
lkl = callPackage ../applications/virtualization/lkl { };
|
||||
lklWithFirewall = callPackage ../applications/virtualization/lkl { firewallSupport = true; };
|
||||
|
||||
inherit (callPackages ../os-specific/linux/kernel-headers { })
|
||||
linuxHeaders makeLinuxHeaders;
|
||||
|
Loading…
Reference in New Issue
Block a user