You are not logged in.

#1 2022-01-06 14:44:42

Emanon
Member
Registered: 2022-01-06
Posts: 2

New systemd options "RestrictNetworkInterfaces=" doesn't apply

Following this post: https://kinvolk.io/blog/2021/04/extendi … with-ebpf/
I should be able to restrict the network interface of a systemd service using RestrictNetworkInterfaces=, however running

sudo systemd-run -t -p RestrictNetworkInterfaces="lo" ping archlinux.org

I am still able to successfully ping archlinux.org after restricting the service to the loopback interface, denying my main network interface doesn't work either

sudo systemd-run -t -p RestrictNetworkInterfaces="~enp34s0" ping archlinux.org

All the required kernel options are enabled ( see the table matrix at the end of the article )

zgrep -e "CONFIG_BPF=" -e "CONFIG_BPF_SYSCALL=" -e "CONFIG_CGROUP_BPF=" /proc/config.gz

CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_CGROUP_BPF=y

uname --kernel-release

5.15.12-arch1-1

pacman -Qi libbpf

Version: 0.6.1-1

systemctl --version

systemd 250 (250.1-1-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified

Any feedback will be greatly appreciated, thanks !

Offline

#2 2022-01-07 19:39:03

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,323

Re: New systemd options "RestrictNetworkInterfaces=" doesn't apply

Welcome to the forum.

I did not get it to work either. Btw: you still need to enable the kernel boot option for bpf, if you have not.
But I think the fail is related to the following bug, currently worked on: https://github.com/systemd/systemd/pull/22025
On fedora, it does not work either: https://bugzilla.redhat.com/show_bug.cgi?id=2035608

Offline

#3 2022-01-08 11:43:51

Emanon
Member
Registered: 2022-01-06
Posts: 2

Re: New systemd options "RestrictNetworkInterfaces=" doesn't apply

Thanks for the feedback,
I think the lsm=on ( if it's the one your talking about ) kernel boot parameter is only related to the "RestrictFileSystems=" option, I may be wrong I do not have a lot of experience tinkering with this stuff
I will wait for an working update and then mark this post as solved

Offline

#4 2022-01-09 10:45:14

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,323

Re: New systemd options "RestrictNetworkInterfaces=" doesn't apply

You're right, I read the requirements regarding "RestrictNetworkInterfaces=" only too quick.
Frankly, this sort of bug is astounding. I don't see in what circumstances the new feature worked at all, with its roll-out release.

Offline

Board footer

Powered by FluxBB