kernel/common-config: enable INET_{TCP,UDP,RAW}_DIAG and INET_DIAG_DESTROY #69388
INET_TCP_DIAG = module;
INET_UDP_DIAG = module;
INET_RAW_DIAG = whenAtLeast "4.14" module;
INET_DIAG_DESTROY = whenAtLeast "4.9" yes;
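Review bot: INET_DIAG_DESTROY is the only one of these four that changes what a process may do to other processes' sockets (the three *_DIAG options only add dump handlers), so it deserves a one-line justification in the commit message or a comment next to the option: it adds the SOCK_DESTROY netlink operation, which the kernel honours only for callers with CAP_NET_ADMIN, so enabling it gives no socket-teardown primitive to unprivileged users. `yes` is also the correct form here, since INET_DIAG_DESTROY is a bool rather than a tristate like the three module options above it.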
Do these DIAG options incur a performance penalty we need to be aware of?
I don't think there is a performance penalty. I looked at
https://github.com/torvalds/linux/blob/master/net/ipv4/udp_diag.c
https://github.com/torvalds/linux/blob/master/net/ipv4/tcp_diag.c
https://github.com/torvalds/linux/blob/master/net/ipv4/raw_diag.c
and it looks like they just provide additional functions. The init handler doesn't appear to change any network stack behavior. INET_DIAG_DESTROY should be fine too; it is not referenced outside those _diag modules.
@grahamc it only extends the netlink API of the kernel. Looks fine to me.
What about other distribs (please link the configs so I can add them to https://nixos.wiki/wiki/Linux_kernel)
Both Debian and Arch Linux also seem to include these modules.
@GrahamcOfBorg eval
I still wonder why the evaluation error persists.
@Mic92 Because the fix was not merged into staging and staging-next
Motivation for this change
These are required for some ss functionality. ss -K is particularly useful for killing connections and requires INET_DIAG_DESTROY. As far as I know, this is the only reliable way to kill stuck connections on Linux.
Things done
Notify maintainers
cc @thoughtpolice
I tested on 4.19.75-hardened and confirmed that ss -K dst SOME_IP_ADDRESS dport = 80 did not work before this change, and did work after this change.
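As an added illustration of the netlink API these _diag modules extend (the point made in the review comment above) and of what ss relies on in the motivation (this is example code, not part of this PR or of iproute2): the SOCK_DIAG_BY_FAMILY dump request that plain ss sends, and a decoder for the inet_diag_msg replies, fed with a constructed sample reply so it runs without a kernel. ss -K sends the same inet_diag_req_v2 with message type SOCK_DESTROY instead; the struct layouts and constants are the kernel UAPI values, while the sample socket (addresses, uid, inode) is made up.

```python
import socket
import struct
# Netlink sock_diag ABI constants (<linux/netlink.h>, <linux/sock_diag.h>, <linux/inet_diag.h>).
NETLINK_SOCK_DIAG, SOCK_DIAG_BY_FAMILY, SOCK_DESTROY = 4, 20, 21   # `ss -K` sends type 21
NLM_F_REQUEST, NLM_F_DUMP, NLMSG_ERROR, NLMSG_DONE = 0x1, 0x300, 0x2, 0x3
ALL_TCP_STATES = 0xFFF                     # idiag_states bitmask: bit n selects TCP state n
NLMSGHDR = struct.Struct("=IHHII")         # nlmsg_len, type, flags, seq, pid
DIAG_REQ_HEAD = struct.Struct("=BBBxI")    # inet_diag_req_v2: family, protocol, ext, pad, states
SOCKID = struct.Struct("!HH4I4I")          # inet_diag_sockid: sport, dport, src[4], dst[4] (net order)
SOCKID_TAIL = struct.Struct("=I2I")        # ... if_index, cookie[2] (host order)
DIAG_MSG_HEAD = struct.Struct("=BBBB")     # inet_diag_msg: family, state, timer, retrans
DIAG_MSG_TAIL = struct.Struct("=IIIII")    # ... expires, rqueue, wqueue, uid, inode

def build_dump_request(family=socket.AF_INET, protocol=socket.IPPROTO_TCP, states=ALL_TCP_STATES):
    """SOCK_DIAG_BY_FAMILY dump request: the message plain `ss -t -a` sends for IPv4 TCP."""
    body = DIAG_REQ_HEAD.pack(family, protocol, 0, states) + bytes(SOCKID.size + SOCKID_TAIL.size)
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), SOCK_DIAG_BY_FAMILY, NLM_F_REQUEST | NLM_F_DUMP, 1, 0) + body

def parse_diag_msg(payload):
    """Decode the fixed part of one inet_diag_msg; trailing INET_DIAG_* attributes are skipped."""
    family, state, _timer, _retrans = DIAG_MSG_HEAD.unpack_from(payload, 0)
    sport, dport, *words = SOCKID.unpack_from(payload, DIAG_MSG_HEAD.size)
    tail_off = DIAG_MSG_HEAD.size + SOCKID.size + SOCKID_TAIL.size
    _expires, rqueue, wqueue, uid, inode = DIAG_MSG_TAIL.unpack_from(payload, tail_off)
    def addr(w):  # IPv4 uses only the first __be32 of the 16-byte field, IPv6 all four
        raw = struct.pack("!4I", *w)
        return socket.inet_ntop(family, raw[:4] if family == socket.AF_INET else raw)
    return {"state": state, "src": (addr(words[:4]), sport), "dst": (addr(words[4:]), dport),
            "rqueue": rqueue, "wqueue": wqueue, "uid": uid, "inode": inode}

def parse_reply(data):
    """Walk one recv() worth of netlink messages; returns (sockets, dump_finished)."""
    off, socks = 0, []
    while off + NLMSGHDR.size <= len(data):
        length, mtype = NLMSGHDR.unpack_from(data, off)[:2]
        if mtype == NLMSG_ERROR:   # e.g. ENOENT when the matching *_diag module is not loaded
            raise OSError(-struct.unpack_from("=i", data, off + NLMSGHDR.size)[0], "sock_diag")
        if mtype == NLMSG_DONE:
            return socks, True
        socks.append(parse_diag_msg(data[off + NLMSGHDR.size:off + length]))
        off += (length + 3) & ~3   # NLMSG_ALIGN; the kernel never emits nlmsg_len < header size
    return socks, False

# Constructed sample reply (not captured from a kernel): one ESTABLISHED IPv4 socket
# 10.0.0.5:43210 -> 192.0.2.10:80, uid 1000, inode 12345, followed by NLMSG_DONE.
def _nlmsg(mtype, body):
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), mtype, 0, 1, 0) + body
SAMPLE_REPLY = _nlmsg(SOCK_DIAG_BY_FAMILY, DIAG_MSG_HEAD.pack(socket.AF_INET, 1, 0, 0)
    + SOCKID.pack(43210, 80, 0x0A000005, 0, 0, 0, 0xC000020A, 0, 0, 0)
    + SOCKID_TAIL.pack(0, 0, 0) + DIAG_MSG_TAIL.pack(0, 0, 0, 1000, 12345)) + _nlmsg(NLMSG_DONE, b"")
```

On Linux, sending build_dump_request() over socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_SOCK_DIAG) and passing each recv() to parse_reply until it reports done reproduces the list ss -t -a prints; on a kernel without INET_TCP_DIAG the first reply is an NLMSG_ERROR carrying ENOENT.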