[gentoo-user] systemd: "local system does not support BPF/cgroup based firewalling"

public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed

* [gentoo-user] systemd: "local system does not support BPF/cgroup based firewalling"
@ 2017-10-28 18:03 Nikos Chantziaras
  2017-10-28 18:21 ` Canek Peláez Valdés
  0 siblings, 1 reply; 8+ messages in thread
From: Nikos Chantziaras @ 2017-10-28 18:03 UTC (permalink / raw
  To: gentoo-user

I'm getting these at startup:

systemd[1]: File /lib/systemd/system/systemd-journald.service:33 
configures an IP firewall (IPAddressDeny=any), but the local system does 
not support BPF/cgroup based firewalling.
systemd[1]: Proceeding WITHOUT firewalling in effect!
systemd[1]: File /lib/systemd/system/systemd-udevd.service:32 configures 
an IP firewall (IPAddressDeny=any), but the local system does not 
support BPF/cgroup based firewalling.
systemd[1]: Proceeding WITHOUT firewalling in effect!
systemd[1]: File /lib/systemd/system/systemd-logind.service:34 
configures an IP firewall (IPAddressDeny=any), but the local system does 
not support BPF/cgroup based firewalling.
systemd[1]: Proceeding WITHOUT firewalling in effect!

What do I need to make this work? I found this:

   https://github.com/systemd/systemd/issues/7188

But CONFIG_BPF_SYSCALL is enabled and I still get that message.

This is on kernel 4.9.59 with systemd 235.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [gentoo-user] systemd: "local system does not support BPF/cgroup based firewalling"
  2017-10-28 18:03 [gentoo-user] systemd: "local system does not support BPF/cgroup based firewalling" Nikos Chantziaras
@ 2017-10-28 18:21 ` Canek Peláez Valdés
  2017-10-28 18:44   ` [gentoo-user] " Nikos Chantziaras
  0 siblings, 1 reply; 8+ messages in thread
From: Canek Peláez Valdés @ 2017-10-28 18:21 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1303 bytes --]

Do you have CONFIG_CGROUP_BPF enabled?

Regards.

On Sat, Oct 28, 2017 at 1:03 PM, Nikos Chantziaras <realnc@gmail.com> wrote:

> I'm getting these at startup:
>
> systemd[1]: File /lib/systemd/system/systemd-journald.service:33
> configures an IP firewall (IPAddressDeny=any), but the local system does
> not support BPF/cgroup based firewalling.
> systemd[1]: Proceeding WITHOUT firewalling in effect!
> systemd[1]: File /lib/systemd/system/systemd-udevd.service:32 configures
> an IP firewall (IPAddressDeny=any), but the local system does not support
> BPF/cgroup based firewalling.
> systemd[1]: Proceeding WITHOUT firewalling in effect!
> systemd[1]: File /lib/systemd/system/systemd-logind.service:34 configures
> an IP firewall (IPAddressDeny=any), but the local system does not support
> BPF/cgroup based firewalling.
> systemd[1]: Proceeding WITHOUT firewalling in effect!
>
> What do I need to make this work? I found this:
>
>   https://github.com/systemd/systemd/issues/7188
>
> But CONFIG_BPF_SYSCALL is enabled and I still get that message.
>
> This is on kernel 4.9.59 with systemd 235.
>
>
>


-- 
Dr. Canek Peláez Valdés
Profesor de Carrera Asociado C
Departamento de Matemáticas
Facultad de Ciencias
Universidad Nacional Autónoma de México

[-- Attachment #2: Type: text/html, Size: 1858 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [gentoo-user] Re: systemd: "local system does not support BPF/cgroup based firewalling"
  2017-10-28 18:21 ` Canek Peláez Valdés
@ 2017-10-28 18:44   ` Nikos Chantziaras
  2017-10-28 18:58     ` Canek Peláez Valdés
  0 siblings, 1 reply; 8+ messages in thread
From: Nikos Chantziaras @ 2017-10-28 18:44 UTC (permalink / raw
  To: gentoo-user

There is no such kernel option.


On 28/10/17 21:21, Canek Peláez Valdés wrote:
> Do you have CONFIG_CGROUP_BPF enabled?
> 
> Regards.
> 
> On Sat, Oct 28, 2017 at 1:03 PM, Nikos Chantziaras <realnc@gmail.com 
> <mailto:realnc@gmail.com>> wrote:
> 
>     I'm getting these at startup:
> 
>     systemd[1]: File /lib/systemd/system/systemd-journald.service:33
>     configures an IP firewall (IPAddressDeny=any), but the local system
>     does not support BPF/cgroup based firewalling.
>     systemd[1]: Proceeding WITHOUT firewalling in effect!
>     systemd[1]: File /lib/systemd/system/systemd-udevd.service:32
>     configures an IP firewall (IPAddressDeny=any), but the local system
>     does not support BPF/cgroup based firewalling.
>     systemd[1]: Proceeding WITHOUT firewalling in effect!
>     systemd[1]: File /lib/systemd/system/systemd-logind.service:34
>     configures an IP firewall (IPAddressDeny=any), but the local system
>     does not support BPF/cgroup based firewalling.
>     systemd[1]: Proceeding WITHOUT firewalling in effect!
> 
>     What do I need to make this work? I found this:
> 
>     https://github.com/systemd/systemd/issues/7188
>     <https://github.com/systemd/systemd/issues/7188>
> 
>     But CONFIG_BPF_SYSCALL is enabled and I still get that message.
> 
>     This is on kernel 4.9.59 with systemd 235.



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [gentoo-user] Re: systemd: "local system does not support BPF/cgroup based firewalling"
  2017-10-28 18:44   ` [gentoo-user] " Nikos Chantziaras
@ 2017-10-28 18:58     ` Canek Peláez Valdés
  2017-10-28 19:01       ` mad.scientist.at.large
                         ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Canek Peláez Valdés @ 2017-10-28 18:58 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 721 bytes --]

On Sat, Oct 28, 2017 at 1:44 PM, Nikos Chantziaras <realnc@gmail.com> wrote:
>
> There is no such kernel option.

Yes, there is[1]. However, there is no such option for kernel version
4.9[2], although there is for 4.10[3]. I think that's the problem, for
using the firewall BPF options of systemd, you'll need to use kernel
version >= 4.10.

Regards.

[1] https://github.com/torvalds/linux/blob/master/init/Kconfig#L848
[2] https://github.com/torvalds/linux/blob/v4.9/init/Kconfig
[3] https://github.com/torvalds/linux/blob/v4.10/init/Kconfig#L1157
--
Dr. Canek Peláez Valdés
Profesor de Carrera Asociado C
Departamento de Matemáticas
Facultad de Ciencias
Universidad Nacional Autónoma de México

[-- Attachment #2: Type: text/html, Size: 1121 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [gentoo-user] Re: systemd: "local system does not support BPF/cgroup based firewalling"
  2017-10-28 18:58     ` Canek Peláez Valdés
@ 2017-10-28 19:01       ` mad.scientist.at.large
  2017-10-28 19:06       ` mad.scientist.at.large
                         ` (2 subsequent siblings)
  3 siblings, 0 replies; 8+ messages in thread
From: mad.scientist.at.large @ 2017-10-28 19:01 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1240 bytes --]

updating the kernel is a really good idea, recent kernels have corrected a number of serious security issues that are definitely  real and exploitable.

mad.scientist.at.large (a good madscientist)
--
"The U.S. intelligence community concluded in a report made public in January that the Kremlin sought to disrupt the 2016 election and sway the race in Trump's favor."  From "thehill.com".  Only Trump and his duplicitous supports try to say it was Clinton who conspired.  Frankly Trump is likely guilty of treason, the sooner he's impeached and indited the better, along with ALL of his supporters in goverment.


28. Oct 2017 12:58 by caneko@gmail.com:


> On Sat, Oct 28, 2017 at 1:44 PM, Nikos Chantziaras <> realnc@gmail.com> > wrote:
> >
> > There is no such kernel option.
>
> Yes, there is[1]. However, there is no such option for kernel version 4.9[2], although there is for 4.10[3]. I think that's the problem, for using the firewall BPF options of systemd, you'll need to use kernel version >= 4.10.> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> --
> Dr. Canek Peláez Valdés
> Profesor de Carrera Asociado C
> Departamento de Matemáticas
> Facultad de Ciencias
> Universidad Nacional Autónoma de México

[-- Attachment #2: Type: text/html, Size: 1947 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [gentoo-user] Re: systemd: "local system does not support BPF/cgroup based firewalling"
  2017-10-28 18:58     ` Canek Peláez Valdés
  2017-10-28 19:01       ` mad.scientist.at.large
@ 2017-10-28 19:06       ` mad.scientist.at.large
  2017-10-28 19:12       ` mad.scientist.at.large
  2017-10-28 19:45       ` Nikos Chantziaras
  3 siblings, 0 replies; 8+ messages in thread
From: mad.scientist.at.large @ 2017-10-28 19:06 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1394 bytes --]

you should update the kernel anyway.  some serious security holes have recently been found and corrected in the newest kernel.

mad.scientist.at.large (a good madscientist)
--
"The U.S. intelligence community concluded in a report made public in January that the Kremlin sought to disrupt the 2016 election and sway the race in Trump's favor."  From "thehill.com".  Only Trump and his duplicitous supports try to say it was Clinton who conspired.  Frankly Trump is likely guilty of treason, the sooner he's impeached and indited the better, along with ALL of his supporters in goverment.


28. Oct 2017 12:58 by caneko@gmail.com:


> On Sat, Oct 28, 2017 at 1:44 PM, Nikos Chantziaras <> realnc@gmail.com> > wrote:
> >
> > There is no such kernel option.
>
> Yes, there is[1]. However, there is no such option for kernel version 4.9[2], although there is for 4.10[3]. I think that's the problem, for using the firewall BPF options of systemd, you'll need to use kernel version >= 4.10.
> Regards.
> [1] > https://github.com/torvalds/linux/blob/master/init/Kconfig#L848> [2] > https://github.com/torvalds/linux/blob/v4.9/init/Kconfig> [3] > https://github.com/torvalds/linux/blob/v4.10/init/Kconfig#L1157
> --
> Dr. Canek Peláez Valdés
> Profesor de Carrera Asociado C
> Departamento de Matemáticas
> Facultad de Ciencias
> Universidad Nacional Autónoma de México

[-- Attachment #2: Type: text/html, Size: 2389 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [gentoo-user] Re: systemd: "local system does not support BPF/cgroup based firewalling"
  2017-10-28 18:58     ` Canek Peláez Valdés
  2017-10-28 19:01       ` mad.scientist.at.large
  2017-10-28 19:06       ` mad.scientist.at.large
@ 2017-10-28 19:12       ` mad.scientist.at.large
  2017-10-28 19:45       ` Nikos Chantziaras
  3 siblings, 0 replies; 8+ messages in thread
From: mad.scientist.at.large @ 2017-10-28 19:12 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1367 bytes --]

you should probably update your' kernel anyway, a lot of recent security fixes in the newer kernels.

mad.scientist.at.large (a good madscientist)
--
"The U.S. intelligence community concluded in a report made public in January that the Kremlin sought to disrupt the 2016 election and sway the race in Trump's favor."  From "thehill.com".  Only Trump and his duplicitous supports try to say it was Clinton who conspired.  Frankly Trump is likely guilty of treason, the sooner he's impeached and indited the better, along with ALL of his supporters in goverment.


28. Oct 2017 12:58 by caneko@gmail.com:


> On Sat, Oct 28, 2017 at 1:44 PM, Nikos Chantziaras <> realnc@gmail.com> > wrote:
> >
> > There is no such kernel option.
>
> Yes, there is[1]. However, there is no such option for kernel version 4.9[2], although there is for 4.10[3]. I think that's the problem, for using the firewall BPF options of systemd, you'll need to use kernel version >= 4.10.
> Regards.
> [1] > https://github.com/torvalds/linux/blob/master/init/Kconfig#L848> [2] > https://github.com/torvalds/linux/blob/v4.9/init/Kconfig> [3] > https://github.com/torvalds/linux/blob/v4.10/init/Kconfig#L1157
> --
> Dr. Canek Peláez Valdés
> Profesor de Carrera Asociado C
> Departamento de Matemáticas
> Facultad de Ciencias
> Universidad Nacional Autónoma de México

[-- Attachment #2: Type: text/html, Size: 2358 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [gentoo-user] Re: systemd: "local system does not support BPF/cgroup based firewalling"
  2017-10-28 18:58     ` Canek Peláez Valdés
                         ` (2 preceding siblings ...)
  2017-10-28 19:12       ` mad.scientist.at.large
@ 2017-10-28 19:45       ` Nikos Chantziaras
  3 siblings, 0 replies; 8+ messages in thread
From: Nikos Chantziaras @ 2017-10-28 19:45 UTC (permalink / raw
  To: gentoo-user

Alright, thanks. Looks like I'll have to live with that message for a 
while. Which isn't a big deal.


On 28/10/17 21:58, Canek Peláez Valdés wrote:
> On Sat, Oct 28, 2017 at 1:44 PM, Nikos Chantziaras <realnc@gmail.com 
> <mailto:realnc@gmail.com>> wrote:
>  >
>  > There is no such kernel option.
> 
> Yes, there is[1]. However, there is no such option for kernel version 
> 4.9[2], although there is for 4.10[3]. I think that's the problem, for 
> using the firewall BPF options of systemd, you'll need to use kernel 
> version >= 4.10.
> 
> Regards.
> 
> [1] https://github.com/torvalds/linux/blob/master/init/Kconfig#L848
> [2] https://github.com/torvalds/linux/blob/v4.9/init/Kconfig
> [3] https://github.com/torvalds/linux/blob/v4.10/init/Kconfig#L1157
> --
> Dr. Canek Peláez Valdés
> Profesor de Carrera Asociado C
> Departamento de Matemáticas
> Facultad de Ciencias
> Universidad Nacional Autónoma de México




^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2017-10-28 19:45 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-28 18:03 [gentoo-user] systemd: "local system does not support BPF/cgroup based firewalling" Nikos Chantziaras
2017-10-28 18:21 ` Canek Peláez Valdés
2017-10-28 18:44   ` [gentoo-user] " Nikos Chantziaras
2017-10-28 18:58     ` Canek Peláez Valdés
2017-10-28 19:01       ` mad.scientist.at.large
2017-10-28 19:06       ` mad.scientist.at.large
2017-10-28 19:12       ` mad.scientist.at.large
2017-10-28 19:45       ` Nikos Chantziaras

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox