kernel/common-config: enable INET_{TCP,UDP,RAW}_DIAG and INET_DIAG_DESTROY #69388
Conversation
| INET_TCP_DIAG = module; | ||
| INET_UDP_DIAG = module; | ||
| INET_RAW_DIAG = whenAtLeast "4.14" module; | ||
| INET_DIAG_DESTROY = whenAtLeast "4.9" yes; |
There was a problem hiding this comment.
Do these DIAG options incur a performance penalty we need to be aware of?
There was a problem hiding this comment.
I don't think there is a performance penalty. I looked at
https://github.com/torvalds/linux/blob/master/net/ipv4/udp_diag.c
https://github.com/torvalds/linux/blob/master/net/ipv4/tcp_diag.c
https://github.com/torvalds/linux/blob/master/net/ipv4/raw_diag.c
and it looks like they just provide additional functions. The init handler doesn't appear to change any network stack behavior.
INET_DIAG_DESTROY should be fine too; it is not referenced outside those _diag modules.
There was a problem hiding this comment.
@grahamc it only extends the netlink API of the kernel. Looks fine to me.
ivan
changed the title
|
what about other distribs (please link the configs so I can add them to https://nixos.wiki/wiki/Linux_kernel) |
Both debian and archlinux also seems to include these modules. |
|
@GrahamcOfBorg eval |
1 similar comment
|
@GrahamcOfBorg eval |
|
I still wonder why the evaluation error persists. |
|
@Mic92 Because the fix was not merged into staging and staging-next |
Motivation for this change
These are required for some ss functionality.
ss -Kis particularly useful for killing connections and requiresINET_DIAG_DESTROY. As far as I know, this is the only reliable way to kill stuck connections on Linux.Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @thoughtpolice
I tested on 4.19.75-hardened and confirmed that
ss -K dst SOME_IP_ADDRESS dport = 80did not work before this change, and did work after this change.