eBPF compatibility with custom and hardened kernels (xanmod, liquorix, etc)

gustavo-iniguez-goya commented 1 year ago

We've had several issues in the past regarding compatibility with this type of kernels and eBPF.

Custom kernels (xanmod, liquorix, others)

In order to use eBPF as process monitor method, the kernel must have some features enabled:

Basic:

[x] CONFIG_FTRACE=y (Without this option, the path /sys/kernel/debug/tracing/ is not created.)
[x] CONFIG_KPROBES=y , CONFIG_KPROBES_ON_FTRACE=y, CONFIG_HAVE_KPROBES=y , CONFIG_HAVE_KPROBES_ON_FTRACE=y, CONFIG_KPROBE_EVENTS=y

Additionally:

[x] CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
[x] CONFIG_FTRACE_SYSCALLS=y (Without these options, opensnitch-procs.o module will fail)

Extras:

[x] CONFIG_UPROBE_EVENTS=y (Without this option, the path /sys/kernel/debug/tracing/uprobe_events is not created. Thus the opensnitch-dns.o module, and any other that hooks userland libs won't work.)

You can check these options out with the following command: $ grep FTRACE /boot/config-$(uname -r) (or KPROBE, etc)

On the other hand, the path /sys/kernel/debug/tracing/kprobe_events must exist. Usually it's created when debugfs is mounted. Since version 1.6.0rc2 opensnitch will try to mount it (some distros like devuan do not mount it by default). If we fail to mount it, then much probably one of the mentioned kernel features is not enabled.

xanmod kernels: CONFIG_FTRACE is not set, thus ebpf proc monitor method doesn't work.

liquorix kernels: ebpf proc monitor method works partially: connections are intercepted, but new/exit processes don't (CONFIG_FTRACE_SYSCALLS not set). DNS passive requests interception doesn't work either (CONFIG_UPROBE_EVENTS not set).
Arch / Manjaro hardened kernels (as of 29/10/2023) /sys/kernel/debug/tracing/ path does not exist, thus we cannot configure kprobes or tracepoints. See this comment: https://github.com/evilsocket/opensnitch/issues/774#issuecomment-1783870063

Hardened kernels / systems

There're some configurable kernel options that prevent us from working as expected (eBPF only, AFAIK). #767 In particular these scripts seem to block some eBPF features: https://github.com/Kicksecure/security-misc#enhances-miscellaneous-security-settings

One of these options is lockdown=confidentiality:

tjbbjt said: Removing lockdown=confidentiality from grub boot parameters fixed eBPF disabling for me.

(thank you @tjbbjt for reporting this!)

What happen if eBPF is not supported

We fallback to proc monitor method. Starting from v1.6.0rc3 you'll receive an alert on the desktop. If you want to stop seeing those alerts: 1) you can change proc monitor method to proc (Preferences -> Nodes), or 2) run a kernel with needed requirements.

For example, a desktop notification alerting that opensnitch-procs.o failed loading on liquorix kernel:

For iptables rules to work, you need at least this option enabled in your kernel configuration:

CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y

Danny3 commented 1 year ago

Good that now an alert / notification will be shown to better explain what the problem is!

Maybe a link to this page or some page on the documentation with all these explanations could be added.

gustavo-iniguez-goya commented 9 months ago

liquorix kernels: ebpf proc monitor method works partially: connections are intercepted, but new/exit processes don't > (CONFIG_FTRACE_SYSCALLS not set).

Starting from the next version (> v1.6.3), if the ebpf proc monitor doesn't work we'll fallback to PROC CONNECTOR: 7a9bb17829ddd1eda0bc09b0725a0c19c428a1fc

moisesmsf commented 9 months ago

Hi,

Getting warning message: "Unable to set new process monitor (ebpf) method from disk: exit status 32. Unable to access debugfs filesystem, needed for eBPF to work, likely caused by a hardened or customized kernel. Change process monitor method to 'proc' to stop receiving this alert" Screenshot from 2023-10-12 07-46-05

How to resolve this warning message in Archlinux Hardened kernel without change process monitor method to 'proc'?

SPECS: Linux station 6.5.7-hardened1-1-hardened #1 SMP PREEMPT_DYNAMIC Wed, 11 Oct 2023 17:20:19 +0000 x86_64 GNU/Linux

opensnitchd --version 1.6.2

pacman --query | grep opensnitch opensnitch 1.6.3-1

Gnome 45 (Wayland) Screenshot from 2023-10-12 08-22-03

Screenshot from 2023-10-12 08-25-59

Check requirements: Screenshot from 2023-10-12 08-27-32

SYSCTL: (sorry for the dump, I don't know which parameter is actually important) [r@station ~]$ sudo sysctl -a abi.vsyscall32 = 1 debug.exception-trace = 1 debug.kprobes-optimization = 1 dev.hpet.max-user-freq = 64 dev.mac_hid.mouse_button2_keycode = 97 dev.mac_hid.mouse_button3_keycode = 100 dev.mac_hid.mouse_button_emulation = 0 dev.scsi.logging_level = 0 dev.tty.ldisc_autoload = 0 dev.tty.legacy_tiocsti = 0 dev.tty.tiocsti_restrict = 1 fs.aio-max-nr = 1048576 fs.aio-nr = 0 fs.binfmt_misc.status = enabled fs.dentry-state = 44328 24012 45 0 5635 0 fs.device_sidechannel_restrict = 1 fs.dir-notify-enable = 1 fs.epoll.max_user_watches = 13696779 fs.fanotify.max_queued_events = 16384 fs.fanotify.max_user_groups = 128 fs.fanotify.max_user_marks = 468787 fs.file-max = 9223372036854775807 fs.file-nr = 7616 0 9223372036854775807 fs.inode-nr = 38778 404 fs.inode-state = 38778 404 0 0 0 0 0 fs.inotify.max_queued_events = 16384 fs.inotify.max_user_instances = 1024 fs.inotify.max_user_watches = 524288 fs.lease-break-time = 45 fs.leases-enable = 1 fs.mount-max = 100000 fs.mqueue.msg_default = 10 fs.mqueue.msg_max = 10 fs.mqueue.msgsize_default = 8192 fs.mqueue.msgsize_max = 8192 fs.mqueue.queues_max = 256 fs.nr_open = 1073741816 fs.overflowgid = 65534 fs.overflowuid = 65534 fs.pipe-max-size = 1048576 fs.pipe-user-pages-hard = 0 fs.pipe-user-pages-soft = 16384 fs.protected_fifos = 1 fs.protected_hardlinks = 1 fs.protected_regular = 1 fs.protected_symlinks = 1 fs.quota.allocated_dquots = 0 fs.quota.cache_hits = 0 fs.quota.drops = 0 fs.quota.free_dquots = 0 fs.quota.lookups = 0 fs.quota.reads = 0 fs.quota.syncs = 0 fs.quota.writes = 0 fs.suid_dumpable = 2 fs.verity.require_signatures = 0 kernel.acct = 4 2 30 kernel.acpi_video_flags = 0 kernel.arch = x86_64 kernel.auto_msgmni = 0 kernel.bootloader_type = 33 kernel.bootloader_version = 1 kernel.bpf_stats_enabled = 0 kernel.cad_pid = 1 kernel.cap_last_cap = 40 kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h kernel.core_pipe_limit = 16 kernel.core_uses_pid = 1 kernel.ctrl-alt-del = 0 kernel.deny_new_usb = 0 kernel.dmesg_restrict = 1 kernel.domainname = (none) kernel.ftrace_dump_on_oops = 0 kernel.ftrace_enabled = 1 kernel.hardlockup_all_cpu_backtrace = 0 kernel.hardlockup_panic = 0 kernel.hostname = station kernel.hung_task_all_cpu_backtrace = 0 kernel.hung_task_check_count = 4194304 kernel.hung_task_check_interval_secs = 0 kernel.hung_task_panic = 0 kernel.hung_task_timeout_secs = 120 kernel.hung_task_warnings = 10 kernel.io_delay_type = 0 kernel.keys.gc_delay = 300 kernel.keys.maxbytes = 20000 kernel.keys.maxkeys = 200 kernel.keys.persistent_keyring_expiry = 259200 kernel.keys.root_maxbytes = 25000000 kernel.keys.root_maxkeys = 1000000 kernel.kptr_restrict = 2 kernel.latencytop = 0 kernel.max_lock_depth = 1024 kernel.max_rcu_stall_to_panic = 0 kernel.modprobe = /sbin/modprobe kernel.modules_disabled = 0 kernel.msgmax = 8192 kernel.msgmnb = 16384 kernel.msgmni = 32000 kernel.ngroups_max = 65536 kernel.nmi_watchdog = 1 kernel.numa_balancing = 0 kernel.numa_balancing_promote_rate_limit_MBps = 65536 kernel.oops_all_cpu_backtrace = 0 kernel.oops_limit = 10000 kernel.osrelease = 6.5.7-hardened1-1-hardened kernel.ostype = Linux kernel.overflowgid = 65534 kernel.overflowuid = 65534 kernel.panic = 0 kernel.panic_on_io_nmi = 0 kernel.panic_on_oops = 1 kernel.panic_on_rcu_stall = 0 kernel.panic_on_unrecovered_nmi = 0 kernel.panic_on_warn = 0 kernel.panic_print = 0 kernel.perf_cpu_time_max_percent = 25 kernel.perf_event_max_contexts_per_stack = 8 kernel.perf_event_max_sample_rate = 100000 kernel.perf_event_max_stack = 127 kernel.perf_event_mlock_kb = 516 kernel.perf_event_paranoid = 3 kernel.pid_max = 4194304 kernel.poweroff_cmd = /sbin/poweroff kernel.print-fatal-signals = 0 kernel.printk = 4 4 1 4 kernel.printk_delay = 0 kernel.printk_devkmsg = on kernel.printk_ratelimit = 5 kernel.printk_ratelimit_burst = 10 kernel.pty.max = 4096 kernel.pty.nr = 2 kernel.pty.reserve = 1024 kernel.random.boot_id = d6eb7807-41c5-4e57-948d-2ceb49603359 kernel.random.entropy_avail = 256 kernel.random.poolsize = 256 kernel.random.urandom_min_reseed_secs = 60 kernel.random.uuid = 980bd9c5-6ca7-40ea-918c-0b8a12bec865 kernel.random.write_wakeup_threshold = 256 kernel.randomize_va_space = 2 kernel.real-root-dev = 0 kernel.sched_autogroup_enabled = 1 kernel.sched_cfs_bandwidth_slice_us = 5000 kernel.sched_child_runs_first = 0 kernel.sched_deadline_period_max_us = 4194304 kernel.sched_deadline_period_min_us = 100 kernel.sched_energy_aware = 1 kernel.sched_rr_timeslice_ms = 100 kernel.sched_rt_period_us = 1000000 kernel.sched_rt_runtime_us = 950000 kernel.sched_schedstats = 0 kernel.sched_util_clamp_max = 1024 kernel.sched_util_clamp_min = 1024 kernel.sched_util_clamp_min_rt_default = 1024 kernel.seccomp.actions_avail = kill_process kill_thread trap errno user_notif trace log allow kernel.seccomp.actions_logged = kill_process kill_thread trap errno user_notif trace log kernel.sem = 32000 1024000000 500 32000 kernel.shm_rmid_forced = 0 kernel.shmall = 18446744073692774399 kernel.shmmax = 18446744073692774399 kernel.shmmni = 4096 kernel.soft_watchdog = 1 kernel.softlockup_all_cpu_backtrace = 0 kernel.softlockup_panic = 0 kernel.split_lock_mitigate = 1 kernel.stack_tracer_enabled = 0 kernel.sysctl_writes_strict = 1 kernel.sysrq = 16 kernel.tainted = 131072 kernel.task_delayacct = 0 kernel.threads-max = 480692 kernel.timer_migration = 1 kernel.traceoff_on_warning = 0 kernel.tracepoint_printk = 0 kernel.unknown_nmi_panic = 0 kernel.unprivileged_bpf_disabled = 2 kernel.unprivileged_userns_clone = 0 kernel.usermodehelper.bset = 4294967295 511 kernel.usermodehelper.inheritable = 4294967295 511 kernel.version = #1 SMP PREEMPT_DYNAMIC Wed, 11 Oct 2023 17:20:19 +0000 kernel.warn_limit = 0 kernel.watchdog = 1 kernel.watchdog_cpumask = 0-15 kernel.watchdog_thresh = 10 kernel.yama.ptrace_scope = 1 net.core.bpf_jit_enable = 1 net.core.bpf_jit_harden = 2 net.core.bpf_jit_kallsyms = 1 net.core.bpf_jit_limit = 528482304 net.core.busy_poll = 0 net.core.busy_read = 0 net.core.default_qdisc = fq_codel net.core.dev_weight = 64 net.core.dev_weight_rx_bias = 1 net.core.dev_weight_tx_bias = 1 net.core.devconf_inherit_init_net = 0 net.core.fb_tunnels_only_for_init_net = 0 net.core.flow_limit_cpu_bitmap = 0000 net.core.flow_limit_table_len = 4096 net.core.gro_normal_batch = 8 net.core.high_order_alloc_disable = 0 net.core.max_skb_frags = 17 net.core.message_burst = 10 net.core.message_cost = 5 net.core.netdev_budget = 300 net.core.netdev_budget_usecs = 6666 net.core.netdev_max_backlog = 1000 net.core.netdev_rss_key = 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 net.core.netdev_tstamp_prequeue = 1 net.core.netdev_unregister_timeout_secs = 10 net.core.optmem_max = 20480 net.core.rmem_default = 212992 net.core.rmem_max = 2621440 net.core.rps_default_mask = 0000 net.core.rps_sock_flow_entries = 0 net.core.skb_defer_max = 64 net.core.somaxconn = 4096 net.core.tstamp_allow_data = 1 net.core.txrehash = 1 net.core.warnings = 0 net.core.wmem_default = 212992 net.core.wmem_max = 2621440 net.core.xfrm_acq_expires = 30 net.core.xfrm_aevent_etime = 10 net.core.xfrm_aevent_rseqth = 2 net.core.xfrm_larval_drop = 1 net.ipv4.cipso_cache_bucket_size = 10 net.ipv4.cipso_cache_enable = 1 net.ipv4.cipso_rbm_optfmt = 0 net.ipv4.cipso_rbm_strictvalid = 1 net.ipv4.conf.all.accept_local = 0 net.ipv4.conf.all.accept_redirects = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.arp_accept = 0 net.ipv4.conf.all.arp_announce = 0 net.ipv4.conf.all.arp_evict_nocarrier = 1 net.ipv4.conf.all.arp_filter = 0 net.ipv4.conf.all.arp_ignore = 0 net.ipv4.conf.all.arp_notify = 0 net.ipv4.conf.all.bc_forwarding = 0 net.ipv4.conf.all.bootp_relay = 0 net.ipv4.conf.all.disable_policy = 0 net.ipv4.conf.all.disable_xfrm = 0 net.ipv4.conf.all.drop_gratuitous_arp = 0 net.ipv4.conf.all.drop_unicast_in_l2_multicast = 0 net.ipv4.conf.all.force_igmp_version = 0 net.ipv4.conf.all.forwarding = 0 net.ipv4.conf.all.igmpv2_unsolicited_report_interval = 10000 net.ipv4.conf.all.igmpv3_unsolicited_report_interval = 1000 net.ipv4.conf.all.ignore_routes_with_linkdown = 0 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.all.medium_id = 0 net.ipv4.conf.all.promote_secondaries = 0 net.ipv4.conf.all.proxy_arp = 0 net.ipv4.conf.all.proxy_arp_pvlan = 0 net.ipv4.conf.all.route_localnet = 0 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.all.secure_redirects = 1 net.ipv4.conf.all.send_redirects = 1 net.ipv4.conf.all.shared_media = 1 net.ipv4.conf.all.src_valid_mark = 0 net.ipv4.conf.all.tag = 0 net.ipv4.conf.default.accept_local = 0 net.ipv4.conf.default.accept_redirects = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.arp_accept = 0 net.ipv4.conf.default.arp_announce = 0 net.ipv4.conf.default.arp_evict_nocarrier = 1 net.ipv4.conf.default.arp_filter = 0 net.ipv4.conf.default.arp_ignore = 0 net.ipv4.conf.default.arp_notify = 0 net.ipv4.conf.default.bc_forwarding = 0 net.ipv4.conf.default.bootp_relay = 0 net.ipv4.conf.default.disable_policy = 0 net.ipv4.conf.default.disable_xfrm = 0 net.ipv4.conf.default.drop_gratuitous_arp = 0 net.ipv4.conf.default.drop_unicast_in_l2_multicast = 0 net.ipv4.conf.default.force_igmp_version = 0 net.ipv4.conf.default.forwarding = 0 net.ipv4.conf.default.igmpv2_unsolicited_report_interval = 10000 net.ipv4.conf.default.igmpv3_unsolicited_report_interval = 1000 net.ipv4.conf.default.ignore_routes_with_linkdown = 0 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.default.medium_id = 0 net.ipv4.conf.default.promote_secondaries = 1 net.ipv4.conf.default.proxy_arp = 0 net.ipv4.conf.default.proxy_arp_pvlan = 0 net.ipv4.conf.default.route_localnet = 0 net.ipv4.conf.default.rp_filter = 2 net.ipv4.conf.default.secure_redirects = 1 net.ipv4.conf.default.send_redirects = 1 net.ipv4.conf.default.shared_media = 1 net.ipv4.conf.default.src_valid_mark = 0 net.ipv4.conf.default.tag = 0 net.ipv4.conf.enp2s0.accept_local = 0 net.ipv4.conf.enp2s0.accept_redirects = 1 net.ipv4.conf.enp2s0.accept_source_route = 0 net.ipv4.conf.enp2s0.arp_accept = 0 net.ipv4.conf.enp2s0.arp_announce = 0 net.ipv4.conf.enp2s0.arp_evict_nocarrier = 1 net.ipv4.conf.enp2s0.arp_filter = 0 net.ipv4.conf.enp2s0.arp_ignore = 0 net.ipv4.conf.enp2s0.arp_notify = 0 net.ipv4.conf.enp2s0.bc_forwarding = 0 net.ipv4.conf.enp2s0.bootp_relay = 0 net.ipv4.conf.enp2s0.disable_policy = 0 net.ipv4.conf.enp2s0.disable_xfrm = 0 net.ipv4.conf.enp2s0.drop_gratuitous_arp = 0 net.ipv4.conf.enp2s0.drop_unicast_in_l2_multicast = 0 net.ipv4.conf.enp2s0.force_igmp_version = 0 net.ipv4.conf.enp2s0.forwarding = 0 net.ipv4.conf.enp2s0.igmpv2_unsolicited_report_interval = 10000 net.ipv4.conf.enp2s0.igmpv3_unsolicited_report_interval = 1000 net.ipv4.conf.enp2s0.ignore_routes_with_linkdown = 0 net.ipv4.conf.enp2s0.log_martians = 0 net.ipv4.conf.enp2s0.mc_forwarding = 0 net.ipv4.conf.enp2s0.medium_id = 0 net.ipv4.conf.enp2s0.promote_secondaries = 1 net.ipv4.conf.enp2s0.proxy_arp = 0 net.ipv4.conf.enp2s0.proxy_arp_pvlan = 0 net.ipv4.conf.enp2s0.route_localnet = 0 net.ipv4.conf.enp2s0.rp_filter = 2 net.ipv4.conf.enp2s0.secure_redirects = 1 net.ipv4.conf.enp2s0.send_redirects = 1 net.ipv4.conf.enp2s0.shared_media = 1 net.ipv4.conf.enp2s0.src_valid_mark = 0 net.ipv4.conf.enp2s0.tag = 0 net.ipv4.conf.lo.accept_local = 0 net.ipv4.conf.lo.accept_redirects = 1 net.ipv4.conf.lo.accept_source_route = 0 net.ipv4.conf.lo.arp_accept = 0 net.ipv4.conf.lo.arp_announce = 0 net.ipv4.conf.lo.arp_evict_nocarrier = 1 net.ipv4.conf.lo.arp_filter = 0 net.ipv4.conf.lo.arp_ignore = 0 net.ipv4.conf.lo.arp_notify = 0 net.ipv4.conf.lo.bc_forwarding = 0 net.ipv4.conf.lo.bootp_relay = 0 net.ipv4.conf.lo.disable_policy = 1 net.ipv4.conf.lo.disable_xfrm = 1 net.ipv4.conf.lo.drop_gratuitous_arp = 0 net.ipv4.conf.lo.drop_unicast_in_l2_multicast = 0 net.ipv4.conf.lo.force_igmp_version = 0 net.ipv4.conf.lo.forwarding = 0 net.ipv4.conf.lo.igmpv2_unsolicited_report_interval = 10000 net.ipv4.conf.lo.igmpv3_unsolicited_report_interval = 1000 net.ipv4.conf.lo.ignore_routes_with_linkdown = 0 net.ipv4.conf.lo.log_martians = 0 net.ipv4.conf.lo.mc_forwarding = 0 net.ipv4.conf.lo.medium_id = 0 net.ipv4.conf.lo.promote_secondaries = 1 net.ipv4.conf.lo.proxy_arp = 0 net.ipv4.conf.lo.proxy_arp_pvlan = 0 net.ipv4.conf.lo.route_localnet = 0 net.ipv4.conf.lo.rp_filter = 2 net.ipv4.conf.lo.secure_redirects = 1 net.ipv4.conf.lo.send_redirects = 1 net.ipv4.conf.lo.shared_media = 1 net.ipv4.conf.lo.src_valid_mark = 0 net.ipv4.conf.lo.tag = 0 net.ipv4.conf.wlo1.accept_local = 0 net.ipv4.conf.wlo1.accept_redirects = 1 net.ipv4.conf.wlo1.accept_source_route = 0 net.ipv4.conf.wlo1.arp_accept = 0 net.ipv4.conf.wlo1.arp_announce = 0 net.ipv4.conf.wlo1.arp_evict_nocarrier = 1 net.ipv4.conf.wlo1.arp_filter = 0 net.ipv4.conf.wlo1.arp_ignore = 0 net.ipv4.conf.wlo1.arp_notify = 0 net.ipv4.conf.wlo1.bc_forwarding = 0 net.ipv4.conf.wlo1.bootp_relay = 0 net.ipv4.conf.wlo1.disable_policy = 0 net.ipv4.conf.wlo1.disable_xfrm = 0 net.ipv4.conf.wlo1.drop_gratuitous_arp = 0 net.ipv4.conf.wlo1.drop_unicast_in_l2_multicast = 0 net.ipv4.conf.wlo1.force_igmp_version = 0 net.ipv4.conf.wlo1.forwarding = 0 net.ipv4.conf.wlo1.igmpv2_unsolicited_report_interval = 10000 net.ipv4.conf.wlo1.igmpv3_unsolicited_report_interval = 1000 net.ipv4.conf.wlo1.ignore_routes_with_linkdown = 0 net.ipv4.conf.wlo1.log_martians = 0 net.ipv4.conf.wlo1.mc_forwarding = 0 net.ipv4.conf.wlo1.medium_id = 0 net.ipv4.conf.wlo1.promote_secondaries = 1 net.ipv4.conf.wlo1.proxy_arp = 0 net.ipv4.conf.wlo1.proxy_arp_pvlan = 0 net.ipv4.conf.wlo1.route_localnet = 0 net.ipv4.conf.wlo1.rp_filter = 2 net.ipv4.conf.wlo1.secure_redirects = 1 net.ipv4.conf.wlo1.send_redirects = 1 net.ipv4.conf.wlo1.shared_media = 1 net.ipv4.conf.wlo1.src_valid_mark = 0 net.ipv4.conf.wlo1.tag = 0 net.ipv4.fib_multipath_hash_fields = 7 net.ipv4.fib_multipath_hash_policy = 0 net.ipv4.fib_multipath_use_neigh = 0 net.ipv4.fib_notify_on_flag_change = 0 net.ipv4.fib_sync_mem = 524288 net.ipv4.fwmark_reflect = 0 net.ipv4.icmp_echo_enable_probe = 0 net.ipv4.icmp_echo_ignore_all = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_errors_use_inbound_ifaddr = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.icmp_msgs_burst = 50 net.ipv4.icmp_msgs_per_sec = 1000 net.ipv4.icmp_ratelimit = 1000 net.ipv4.icmp_ratemask = 6168 net.ipv4.igmp_link_local_mcast_reports = 1 net.ipv4.igmp_max_memberships = 20 net.ipv4.igmp_max_msf = 10 net.ipv4.igmp_qrv = 2 net.ipv4.inet_peer_maxttl = 600 net.ipv4.inet_peer_minttl = 120 net.ipv4.inet_peer_threshold = 65664 net.ipv4.ip_autobind_reuse = 0 net.ipv4.ip_default_ttl = 64 net.ipv4.ip_dynaddr = 0 net.ipv4.ip_early_demux = 1 net.ipv4.ip_forward = 0 net.ipv4.ip_forward_update_priority = 1 net.ipv4.ip_forward_use_pmtu = 0 net.ipv4.ip_local_port_range = 32768 60999 net.ipv4.ip_local_reserved_ports = net.ipv4.ip_no_pmtu_disc = 0 net.ipv4.ip_nonlocal_bind = 0 net.ipv4.ip_unprivileged_port_start = 1024 net.ipv4.ipfrag_high_thresh = 4194304 net.ipv4.ipfrag_low_thresh = 3145728 net.ipv4.ipfrag_max_dist = 64 net.ipv4.ipfrag_secret_interval = 0 net.ipv4.ipfrag_time = 30 net.ipv4.neigh.default.anycast_delay = 99 net.ipv4.neigh.default.app_solicit = 0 net.ipv4.neigh.default.base_reachable_time_ms = 30000 net.ipv4.neigh.default.delay_first_probe_time = 5 net.ipv4.neigh.default.gc_interval = 30 net.ipv4.neigh.default.gc_stale_time = 60 net.ipv4.neigh.default.gc_thresh1 = 128 net.ipv4.neigh.default.gc_thresh2 = 512 net.ipv4.neigh.default.gc_thresh3 = 1024 net.ipv4.neigh.default.interval_probe_time_ms = 5000 net.ipv4.neigh.default.locktime = 99 net.ipv4.neigh.default.mcast_resolicit = 0 net.ipv4.neigh.default.mcast_solicit = 3 net.ipv4.neigh.default.proxy_delay = 79 net.ipv4.neigh.default.proxy_qlen = 64 net.ipv4.neigh.default.retrans_time_ms = 1000 net.ipv4.neigh.default.ucast_solicit = 3 net.ipv4.neigh.default.unres_qlen = 101 net.ipv4.neigh.default.unres_qlen_bytes = 212992 net.ipv4.neigh.enp2s0.anycast_delay = 99 net.ipv4.neigh.enp2s0.app_solicit = 0 net.ipv4.neigh.enp2s0.base_reachable_time_ms = 30000 net.ipv4.neigh.enp2s0.delay_first_probe_time = 5 net.ipv4.neigh.enp2s0.gc_stale_time = 60 net.ipv4.neigh.enp2s0.interval_probe_time_ms = 5000 net.ipv4.neigh.enp2s0.locktime = 99 net.ipv4.neigh.enp2s0.mcast_resolicit = 0 net.ipv4.neigh.enp2s0.mcast_solicit = 3 net.ipv4.neigh.enp2s0.proxy_delay = 79 net.ipv4.neigh.enp2s0.proxy_qlen = 64 net.ipv4.neigh.enp2s0.retrans_time_ms = 1000 net.ipv4.neigh.enp2s0.ucast_solicit = 3 net.ipv4.neigh.enp2s0.unres_qlen = 101 net.ipv4.neigh.enp2s0.unres_qlen_bytes = 212992 net.ipv4.neigh.lo.anycast_delay = 99 net.ipv4.neigh.lo.app_solicit = 0 net.ipv4.neigh.lo.base_reachable_time_ms = 30000 net.ipv4.neigh.lo.delay_first_probe_time = 5 net.ipv4.neigh.lo.gc_stale_time = 60 net.ipv4.neigh.lo.interval_probe_time_ms = 5000 net.ipv4.neigh.lo.locktime = 99 net.ipv4.neigh.lo.mcast_resolicit = 0 net.ipv4.neigh.lo.mcast_solicit = 3 net.ipv4.neigh.lo.proxy_delay = 79 net.ipv4.neigh.lo.proxy_qlen = 64 net.ipv4.neigh.lo.retrans_time_ms = 1000 net.ipv4.neigh.lo.ucast_solicit = 3 net.ipv4.neigh.lo.unres_qlen = 101 net.ipv4.neigh.lo.unres_qlen_bytes = 212992 net.ipv4.neigh.wlo1.anycast_delay = 99 net.ipv4.neigh.wlo1.app_solicit = 0 net.ipv4.neigh.wlo1.base_reachable_time_ms = 30000 net.ipv4.neigh.wlo1.delay_first_probe_time = 5 net.ipv4.neigh.wlo1.gc_stale_time = 60 net.ipv4.neigh.wlo1.interval_probe_time_ms = 5000 net.ipv4.neigh.wlo1.locktime = 99 net.ipv4.neigh.wlo1.mcast_resolicit = 0 net.ipv4.neigh.wlo1.mcast_solicit = 3 net.ipv4.neigh.wlo1.proxy_delay = 79 net.ipv4.neigh.wlo1.proxy_qlen = 64 net.ipv4.neigh.wlo1.retrans_time_ms = 1000 net.ipv4.neigh.wlo1.ucast_solicit = 3 net.ipv4.neigh.wlo1.unres_qlen = 101 net.ipv4.neigh.wlo1.unres_qlen_bytes = 212992 net.ipv4.nexthop_compat_mode = 1 net.ipv4.ping_group_range = 0 2147483647 net.ipv4.raw_l3mdev_accept = 1 net.ipv4.route.error_burst = 1500 net.ipv4.route.error_cost = 300 net.ipv4.route.gc_elasticity = 8 net.ipv4.route.gc_interval = 60 net.ipv4.route.gc_min_interval = 0 net.ipv4.route.gc_min_interval_ms = 500 net.ipv4.route.gc_thresh = -1 net.ipv4.route.gc_timeout = 300 net.ipv4.route.max_size = 2147483647 net.ipv4.route.min_adv_mss = 256 net.ipv4.route.min_pmtu = 552 net.ipv4.route.mtu_expires = 600 net.ipv4.route.redirect_load = 6 net.ipv4.route.redirect_number = 9 net.ipv4.route.redirect_silence = 6144 net.ipv4.tcp_abort_on_overflow = 0 net.ipv4.tcp_adv_win_scale = 1 net.ipv4.tcp_allowed_congestion_control = reno cubic net.ipv4.tcp_app_win = 31 net.ipv4.tcp_autocorking = 1 net.ipv4.tcp_available_congestion_control = reno cubic net.ipv4.tcp_available_ulp = espintcp mptcp net.ipv4.tcp_base_mss = 1024 net.ipv4.tcp_challenge_ack_limit = 2147483647 net.ipv4.tcp_child_ehash_entries = 0 net.ipv4.tcp_comp_sack_delay_ns = 1000000 net.ipv4.tcp_comp_sack_nr = 44 net.ipv4.tcp_comp_sack_slack_ns = 100000 net.ipv4.tcp_congestion_control = cubic net.ipv4.tcp_dsack = 1 net.ipv4.tcp_early_demux = 1 net.ipv4.tcp_early_retrans = 3 net.ipv4.tcp_ecn = 2 net.ipv4.tcp_ecn_fallback = 1 net.ipv4.tcp_ehash_entries = 524288 net.ipv4.tcp_fack = 0 net.ipv4.tcp_fastopen = 1 net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0 net.ipv4.tcp_fastopen_key = 00000000-00000000-00000000-00000000 net.ipv4.tcp_fin_timeout = 60 net.ipv4.tcp_frto = 2 net.ipv4.tcp_fwmark_accept = 0 net.ipv4.tcp_invalid_ratelimit = 500 net.ipv4.tcp_keepalive_intvl = 75 net.ipv4.tcp_keepalive_probes = 9 net.ipv4.tcp_keepalive_time = 7200 net.ipv4.tcp_l3mdev_accept = 0 net.ipv4.tcp_limit_output_bytes = 1048576 net.ipv4.tcp_low_latency = 0 net.ipv4.tcp_max_orphans = 262144 net.ipv4.tcp_max_reordering = 300 net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_max_tw_buckets = 262144 net.ipv4.tcp_mem = 718803 958405 1437606 net.ipv4.tcp_migrate_req = 0 net.ipv4.tcp_min_rtt_wlen = 300 net.ipv4.tcp_min_snd_mss = 48 net.ipv4.tcp_min_tso_segs = 2 net.ipv4.tcp_moderate_rcvbuf = 1 net.ipv4.tcp_mtu_probe_floor = 48 net.ipv4.tcp_mtu_probing = 0 net.ipv4.tcp_no_metrics_save = 0 net.ipv4.tcp_no_ssthresh_metrics_save = 1 net.ipv4.tcp_notsent_lowat = 4294967295 net.ipv4.tcp_orphan_retries = 0 net.ipv4.tcp_pacing_ca_ratio = 120 net.ipv4.tcp_pacing_ss_ratio = 200 net.ipv4.tcp_plb_cong_thresh = 128 net.ipv4.tcp_plb_enabled = 0 net.ipv4.tcp_plb_idle_rehash_rounds = 3 net.ipv4.tcp_plb_rehash_rounds = 12 net.ipv4.tcp_plb_suspend_rto_sec = 60 net.ipv4.tcp_probe_interval = 600 net.ipv4.tcp_probe_threshold = 8 net.ipv4.tcp_recovery = 1 net.ipv4.tcp_reflect_tos = 0 net.ipv4.tcp_reordering = 3 net.ipv4.tcp_retrans_collapse = 1 net.ipv4.tcp_retries1 = 3 net.ipv4.tcp_retries2 = 15 net.ipv4.tcp_rfc1337 = 0 net.ipv4.tcp_rmem = 4096 131072 6291456 net.ipv4.tcp_sack = 1 net.ipv4.tcp_shrink_window = 0 net.ipv4.tcp_simult_connect = 0 net.ipv4.tcp_slow_start_after_idle = 1 net.ipv4.tcp_stdurg = 0 net.ipv4.tcp_syn_linear_timeouts = 4 net.ipv4.tcp_syn_retries = 6 net.ipv4.tcp_synack_retries = 5 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_thin_linear_timeouts = 0 net.ipv4.tcp_timestamps = 1 net.ipv4.tcp_tso_rtt_log = 9 net.ipv4.tcp_tso_win_divisor = 3 net.ipv4.tcp_tw_reuse = 2 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_wmem = 4096 16384 4194304 net.ipv4.tcp_workaround_signed_windows = 0 net.ipv4.udp_child_hash_entries = 0 net.ipv4.udp_early_demux = 1 net.ipv4.udp_hash_entries = 32768 net.ipv4.udp_l3mdev_accept = 0 net.ipv4.udp_mem = 1437606 1916811 2875212 net.ipv4.udp_rmem_min = 4096 net.ipv4.udp_wmem_min = 4096 net.ipv4.xfrm4_gc_thresh = 32768 net.ipv6.anycast_src_echo_reply = 0 net.ipv6.auto_flowlabels = 1 net.ipv6.bindv6only = 0 net.ipv6.calipso_cache_bucket_size = 10 net.ipv6.calipso_cache_enable = 1 net.ipv6.conf.all.accept_dad = 0 net.ipv6.conf.all.accept_ra = 1 net.ipv6.conf.all.accept_ra_defrtr = 1 net.ipv6.conf.all.accept_ra_from_local = 0 net.ipv6.conf.all.accept_ra_min_hop_limit = 1 net.ipv6.conf.all.accept_ra_min_lft = 0 net.ipv6.conf.all.accept_ra_mtu = 1 net.ipv6.conf.all.accept_ra_pinfo = 1 net.ipv6.conf.all.accept_ra_rt_info_max_plen = 0 net.ipv6.conf.all.accept_ra_rt_info_min_plen = 0 net.ipv6.conf.all.accept_ra_rtr_pref = 1 net.ipv6.conf.all.accept_redirects = 1 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_untracked_na = 0 net.ipv6.conf.all.addr_gen_mode = 0 net.ipv6.conf.all.autoconf = 1 net.ipv6.conf.all.dad_transmits = 1 net.ipv6.conf.all.disable_ipv6 = 0 net.ipv6.conf.all.disable_policy = 0 net.ipv6.conf.all.drop_unicast_in_l2_multicast = 0 net.ipv6.conf.all.drop_unsolicited_na = 0 net.ipv6.conf.all.enhanced_dad = 1 net.ipv6.conf.all.force_mld_version = 0 net.ipv6.conf.all.force_tllao = 0 net.ipv6.conf.all.forwarding = 0 net.ipv6.conf.all.hop_limit = 64 net.ipv6.conf.all.ignore_routes_with_linkdown = 0 net.ipv6.conf.all.ioam6_enabled = 0 net.ipv6.conf.all.ioam6_id = 65535 net.ipv6.conf.all.ioam6_id_wide = 4294967295 net.ipv6.conf.all.keep_addr_on_down = 0 net.ipv6.conf.all.max_addresses = 16 net.ipv6.conf.all.max_desync_factor = 600 net.ipv6.conf.all.mc_forwarding = 0 net.ipv6.conf.all.mldv1_unsolicited_report_interval = 10000 net.ipv6.conf.all.mldv2_unsolicited_report_interval = 1000 net.ipv6.conf.all.mtu = 1280 net.ipv6.conf.all.ndisc_evict_nocarrier = 1 net.ipv6.conf.all.ndisc_notify = 0 net.ipv6.conf.all.ndisc_tclass = 0 net.ipv6.conf.all.optimistic_dad = 0 net.ipv6.conf.all.proxy_ndp = 0 net.ipv6.conf.all.ra_defrtr_metric = 1024 net.ipv6.conf.all.regen_max_retry = 3 net.ipv6.conf.all.router_probe_interval = 60 net.ipv6.conf.all.router_solicitation_delay = 1 net.ipv6.conf.all.router_solicitation_interval = 4 net.ipv6.conf.all.router_solicitation_max_interval = 3600 net.ipv6.conf.all.router_solicitations = -1 net.ipv6.conf.all.rpl_seg_enabled = 0 net.ipv6.conf.all.seg6_enabled = 0 net.ipv6.conf.all.seg6_require_hmac = 0 net.ipv6.conf.all.suppress_frag_ndisc = 1 net.ipv6.conf.all.temp_prefered_lft = 86400 net.ipv6.conf.all.temp_valid_lft = 604800 net.ipv6.conf.all.use_oif_addrs_only = 0 net.ipv6.conf.all.use_optimistic = 0 net.ipv6.conf.all.use_tempaddr = 0 net.ipv6.conf.default.accept_dad = 1 net.ipv6.conf.default.accept_ra = 1 net.ipv6.conf.default.accept_ra_defrtr = 1 net.ipv6.conf.default.accept_ra_from_local = 0 net.ipv6.conf.default.accept_ra_min_hop_limit = 1 net.ipv6.conf.default.accept_ra_min_lft = 0 net.ipv6.conf.default.accept_ra_mtu = 1 net.ipv6.conf.default.accept_ra_pinfo = 1 net.ipv6.conf.default.accept_ra_rt_info_max_plen = 0 net.ipv6.conf.default.accept_ra_rt_info_min_plen = 0 net.ipv6.conf.default.accept_ra_rtr_pref = 1 net.ipv6.conf.default.accept_redirects = 1 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.default.accept_untracked_na = 0 net.ipv6.conf.default.addr_gen_mode = 0 net.ipv6.conf.default.autoconf = 1 net.ipv6.conf.default.dad_transmits = 1 net.ipv6.conf.default.disable_ipv6 = 0 net.ipv6.conf.default.disable_policy = 0 net.ipv6.conf.default.drop_unicast_in_l2_multicast = 0 net.ipv6.conf.default.drop_unsolicited_na = 0 net.ipv6.conf.default.enhanced_dad = 1 net.ipv6.conf.default.force_mld_version = 0 net.ipv6.conf.default.force_tllao = 0 net.ipv6.conf.default.forwarding = 0 net.ipv6.conf.default.hop_limit = 64 net.ipv6.conf.default.ignore_routes_with_linkdown = 0 net.ipv6.conf.default.ioam6_enabled = 0 net.ipv6.conf.default.ioam6_id = 65535 net.ipv6.conf.default.ioam6_id_wide = 4294967295 net.ipv6.conf.default.keep_addr_on_down = 0 net.ipv6.conf.default.max_addresses = 16 net.ipv6.conf.default.max_desync_factor = 600 net.ipv6.conf.default.mc_forwarding = 0 net.ipv6.conf.default.mldv1_unsolicited_report_interval = 10000 net.ipv6.conf.default.mldv2_unsolicited_report_interval = 1000 net.ipv6.conf.default.mtu = 1280 net.ipv6.conf.default.ndisc_evict_nocarrier = 1 net.ipv6.conf.default.ndisc_notify = 0 net.ipv6.conf.default.ndisc_tclass = 0 net.ipv6.conf.default.optimistic_dad = 0 net.ipv6.conf.default.proxy_ndp = 0 net.ipv6.conf.default.ra_defrtr_metric = 1024 net.ipv6.conf.default.regen_max_retry = 3 net.ipv6.conf.default.router_probe_interval = 60 net.ipv6.conf.default.router_solicitation_delay = 1 net.ipv6.conf.default.router_solicitation_interval = 4 net.ipv6.conf.default.router_solicitation_max_interval = 3600 net.ipv6.conf.default.router_solicitations = -1 net.ipv6.conf.default.rpl_seg_enabled = 0 net.ipv6.conf.default.seg6_enabled = 0 net.ipv6.conf.default.seg6_require_hmac = 0 net.ipv6.conf.default.suppress_frag_ndisc = 1 net.ipv6.conf.default.temp_prefered_lft = 86400 net.ipv6.conf.default.temp_valid_lft = 604800 net.ipv6.conf.default.use_oif_addrs_only = 0 net.ipv6.conf.default.use_optimistic = 0 net.ipv6.conf.default.use_tempaddr = 0 net.ipv6.conf.enp2s0.accept_dad = 1 net.ipv6.conf.enp2s0.accept_ra = 0 net.ipv6.conf.enp2s0.accept_ra_defrtr = 1 net.ipv6.conf.enp2s0.accept_ra_from_local = 0 net.ipv6.conf.enp2s0.accept_ra_min_hop_limit = 1 net.ipv6.conf.enp2s0.accept_ra_min_lft = 0 net.ipv6.conf.enp2s0.accept_ra_mtu = 1 net.ipv6.conf.enp2s0.accept_ra_pinfo = 1 net.ipv6.conf.enp2s0.accept_ra_rt_info_max_plen = 0 net.ipv6.conf.enp2s0.accept_ra_rt_info_min_plen = 0 net.ipv6.conf.enp2s0.accept_ra_rtr_pref = 1 net.ipv6.conf.enp2s0.accept_redirects = 1 net.ipv6.conf.enp2s0.accept_source_route = 0 net.ipv6.conf.enp2s0.accept_untracked_na = 0 net.ipv6.conf.enp2s0.addr_gen_mode = 1 net.ipv6.conf.enp2s0.autoconf = 1 net.ipv6.conf.enp2s0.dad_transmits = 1 net.ipv6.conf.enp2s0.disable_ipv6 = 0 net.ipv6.conf.enp2s0.disable_policy = 0 net.ipv6.conf.enp2s0.drop_unicast_in_l2_multicast = 0 net.ipv6.conf.enp2s0.drop_unsolicited_na = 0 net.ipv6.conf.enp2s0.enhanced_dad = 1 net.ipv6.conf.enp2s0.force_mld_version = 0 net.ipv6.conf.enp2s0.force_tllao = 0 net.ipv6.conf.enp2s0.forwarding = 0 net.ipv6.conf.enp2s0.hop_limit = 64 net.ipv6.conf.enp2s0.ignore_routes_with_linkdown = 0 net.ipv6.conf.enp2s0.ioam6_enabled = 0 net.ipv6.conf.enp2s0.ioam6_id = 65535 net.ipv6.conf.enp2s0.ioam6_id_wide = 4294967295 net.ipv6.conf.enp2s0.keep_addr_on_down = 0 net.ipv6.conf.enp2s0.max_addresses = 16 net.ipv6.conf.enp2s0.max_desync_factor = 600 net.ipv6.conf.enp2s0.mc_forwarding = 0 net.ipv6.conf.enp2s0.mldv1_unsolicited_report_interval = 10000 net.ipv6.conf.enp2s0.mldv2_unsolicited_report_interval = 1000 net.ipv6.conf.enp2s0.mtu = 1500 net.ipv6.conf.enp2s0.ndisc_evict_nocarrier = 1 net.ipv6.conf.enp2s0.ndisc_notify = 0 net.ipv6.conf.enp2s0.ndisc_tclass = 0 net.ipv6.conf.enp2s0.optimistic_dad = 0 net.ipv6.conf.enp2s0.proxy_ndp = 0 net.ipv6.conf.enp2s0.ra_defrtr_metric = 1024 net.ipv6.conf.enp2s0.regen_max_retry = 3 net.ipv6.conf.enp2s0.router_probe_interval = 60 net.ipv6.conf.enp2s0.router_solicitation_delay = 1 net.ipv6.conf.enp2s0.router_solicitation_interval = 4 net.ipv6.conf.enp2s0.router_solicitation_max_interval = 3600 net.ipv6.conf.enp2s0.router_solicitations = -1 net.ipv6.conf.enp2s0.rpl_seg_enabled = 0 net.ipv6.conf.enp2s0.seg6_enabled = 0 net.ipv6.conf.enp2s0.seg6_require_hmac = 0 net.ipv6.conf.enp2s0.suppress_frag_ndisc = 1 net.ipv6.conf.enp2s0.temp_prefered_lft = 86400 net.ipv6.conf.enp2s0.temp_valid_lft = 604800 net.ipv6.conf.enp2s0.use_oif_addrs_only = 0 net.ipv6.conf.enp2s0.use_optimistic = 0 net.ipv6.conf.enp2s0.use_tempaddr = 0 net.ipv6.conf.lo.accept_dad = -1 net.ipv6.conf.lo.accept_ra = 1 net.ipv6.conf.lo.accept_ra_defrtr = 1 net.ipv6.conf.lo.accept_ra_from_local = 0 net.ipv6.conf.lo.accept_ra_min_hop_limit = 1 net.ipv6.conf.lo.accept_ra_min_lft = 0 net.ipv6.conf.lo.accept_ra_mtu = 1 net.ipv6.conf.lo.accept_ra_pinfo = 1 net.ipv6.conf.lo.accept_ra_rt_info_max_plen = 0 net.ipv6.conf.lo.accept_ra_rt_info_min_plen = 0 net.ipv6.conf.lo.accept_ra_rtr_pref = 1 net.ipv6.conf.lo.accept_redirects = 1 net.ipv6.conf.lo.accept_source_route = 0 net.ipv6.conf.lo.accept_untracked_na = 0 net.ipv6.conf.lo.addr_gen_mode = 0 net.ipv6.conf.lo.autoconf = 1 net.ipv6.conf.lo.dad_transmits = 1 net.ipv6.conf.lo.disable_ipv6 = 0 net.ipv6.conf.lo.disable_policy = 0 net.ipv6.conf.lo.drop_unicast_in_l2_multicast = 0 net.ipv6.conf.lo.drop_unsolicited_na = 0 net.ipv6.conf.lo.enhanced_dad = 1 net.ipv6.conf.lo.force_mld_version = 0 net.ipv6.conf.lo.force_tllao = 0 net.ipv6.conf.lo.forwarding = 0 net.ipv6.conf.lo.hop_limit = 64 net.ipv6.conf.lo.ignore_routes_with_linkdown = 0 net.ipv6.conf.lo.ioam6_enabled = 0 net.ipv6.conf.lo.ioam6_id = 65535 net.ipv6.conf.lo.ioam6_id_wide = 4294967295 net.ipv6.conf.lo.keep_addr_on_down = 0 net.ipv6.conf.lo.max_addresses = 16 net.ipv6.conf.lo.max_desync_factor = 600 net.ipv6.conf.lo.mc_forwarding = 0 net.ipv6.conf.lo.mldv1_unsolicited_report_interval = 10000 net.ipv6.conf.lo.mldv2_unsolicited_report_interval = 1000 net.ipv6.conf.lo.mtu = 65536 net.ipv6.conf.lo.ndisc_evict_nocarrier = 1 net.ipv6.conf.lo.ndisc_notify = 0 net.ipv6.conf.lo.ndisc_tclass = 0 net.ipv6.conf.lo.optimistic_dad = 0 net.ipv6.conf.lo.proxy_ndp = 0 net.ipv6.conf.lo.ra_defrtr_metric = 1024 net.ipv6.conf.lo.regen_max_retry = 3 net.ipv6.conf.lo.router_probe_interval = 60 net.ipv6.conf.lo.router_solicitation_delay = 1 net.ipv6.conf.lo.router_solicitation_interval = 4 net.ipv6.conf.lo.router_solicitation_max_interval = 3600 net.ipv6.conf.lo.router_solicitations = -1 net.ipv6.conf.lo.rpl_seg_enabled = 0 net.ipv6.conf.lo.seg6_enabled = 0 net.ipv6.conf.lo.seg6_require_hmac = 0 net.ipv6.conf.lo.suppress_frag_ndisc = 1 net.ipv6.conf.lo.temp_prefered_lft = 86400 net.ipv6.conf.lo.temp_valid_lft = 604800 net.ipv6.conf.lo.use_oif_addrs_only = 0 net.ipv6.conf.lo.use_optimistic = 0 net.ipv6.conf.lo.use_tempaddr = -1 net.ipv6.conf.wlo1.accept_dad = 1 net.ipv6.conf.wlo1.accept_ra = 0 net.ipv6.conf.wlo1.accept_ra_defrtr = 1 net.ipv6.conf.wlo1.accept_ra_from_local = 0 net.ipv6.conf.wlo1.accept_ra_min_hop_limit = 1 net.ipv6.conf.wlo1.accept_ra_min_lft = 0 net.ipv6.conf.wlo1.accept_ra_mtu = 1 net.ipv6.conf.wlo1.accept_ra_pinfo = 1 net.ipv6.conf.wlo1.accept_ra_rt_info_max_plen = 0 net.ipv6.conf.wlo1.accept_ra_rt_info_min_plen = 0 net.ipv6.conf.wlo1.accept_ra_rtr_pref = 1 net.ipv6.conf.wlo1.accept_redirects = 1 net.ipv6.conf.wlo1.accept_source_route = 0 net.ipv6.conf.wlo1.accept_untracked_na = 0 net.ipv6.conf.wlo1.addr_gen_mode = 1 net.ipv6.conf.wlo1.autoconf = 1 net.ipv6.conf.wlo1.dad_transmits = 1 net.ipv6.conf.wlo1.disable_ipv6 = 0 net.ipv6.conf.wlo1.disable_policy = 0 net.ipv6.conf.wlo1.drop_unicast_in_l2_multicast = 0 net.ipv6.conf.wlo1.drop_unsolicited_na = 0 net.ipv6.conf.wlo1.enhanced_dad = 1 net.ipv6.conf.wlo1.force_mld_version = 0 net.ipv6.conf.wlo1.force_tllao = 0 net.ipv6.conf.wlo1.forwarding = 0 net.ipv6.conf.wlo1.hop_limit = 64 net.ipv6.conf.wlo1.ignore_routes_with_linkdown = 0 net.ipv6.conf.wlo1.ioam6_enabled = 0 net.ipv6.conf.wlo1.ioam6_id = 65535 net.ipv6.conf.wlo1.ioam6_id_wide = 4294967295 net.ipv6.conf.wlo1.keep_addr_on_down = 0 net.ipv6.conf.wlo1.max_addresses = 16 net.ipv6.conf.wlo1.max_desync_factor = 600 net.ipv6.conf.wlo1.mc_forwarding = 0 net.ipv6.conf.wlo1.mldv1_unsolicited_report_interval = 10000 net.ipv6.conf.wlo1.mldv2_unsolicited_report_interval = 1000 net.ipv6.conf.wlo1.mtu = 1500 net.ipv6.conf.wlo1.ndisc_evict_nocarrier = 1 net.ipv6.conf.wlo1.ndisc_notify = 0 net.ipv6.conf.wlo1.ndisc_tclass = 0 net.ipv6.conf.wlo1.optimistic_dad = 0 net.ipv6.conf.wlo1.proxy_ndp = 0 net.ipv6.conf.wlo1.ra_defrtr_metric = 1024 net.ipv6.conf.wlo1.regen_max_retry = 3 net.ipv6.conf.wlo1.router_probe_interval = 60 net.ipv6.conf.wlo1.router_solicitation_delay = 1 net.ipv6.conf.wlo1.router_solicitation_interval = 4 net.ipv6.conf.wlo1.router_solicitation_max_interval = 3600 net.ipv6.conf.wlo1.router_solicitations = -1 net.ipv6.conf.wlo1.rpl_seg_enabled = 0 net.ipv6.conf.wlo1.seg6_enabled = 0 net.ipv6.conf.wlo1.seg6_require_hmac = 0 net.ipv6.conf.wlo1.suppress_frag_ndisc = 1 net.ipv6.conf.wlo1.temp_prefered_lft = 86400 net.ipv6.conf.wlo1.temp_valid_lft = 604800 net.ipv6.conf.wlo1.use_oif_addrs_only = 0 net.ipv6.conf.wlo1.use_optimistic = 0 net.ipv6.conf.wlo1.use_tempaddr = 0 net.ipv6.fib_multipath_hash_fields = 7 net.ipv6.fib_multipath_hash_policy = 0 net.ipv6.fib_notify_on_flag_change = 0 net.ipv6.flowlabel_consistency = 1 net.ipv6.flowlabel_reflect = 0 net.ipv6.flowlabel_state_ranges = 0 net.ipv6.fwmark_reflect = 0 net.ipv6.icmp.echo_ignore_all = 0 net.ipv6.icmp.echo_ignore_anycast = 0 net.ipv6.icmp.echo_ignore_multicast = 0 net.ipv6.icmp.error_anycast_as_unicast = 0 net.ipv6.icmp.ratelimit = 1000 net.ipv6.icmp.ratemask = 0-1,3-127 net.ipv6.idgen_delay = 1 net.ipv6.idgen_retries = 3 net.ipv6.ioam6_id = 16777215 net.ipv6.ioam6_id_wide = 72057594037927935 net.ipv6.ip6frag_high_thresh = 4194304 net.ipv6.ip6frag_low_thresh = 3145728 net.ipv6.ip6frag_secret_interval = 0 net.ipv6.ip6frag_time = 60 net.ipv6.ip_nonlocal_bind = 0 net.ipv6.max_dst_opts_length = 2147483647 net.ipv6.max_dst_opts_number = 8 net.ipv6.max_hbh_length = 2147483647 net.ipv6.max_hbh_opts_number = 8 net.ipv6.mld_max_msf = 64 net.ipv6.mld_qrv = 2 net.ipv6.neigh.default.anycast_delay = 99 net.ipv6.neigh.default.app_solicit = 0 net.ipv6.neigh.default.base_reachable_time_ms = 30000 net.ipv6.neigh.default.delay_first_probe_time = 5 net.ipv6.neigh.default.gc_interval = 30 net.ipv6.neigh.default.gc_stale_time = 60 net.ipv6.neigh.default.gc_thresh1 = 128 net.ipv6.neigh.default.gc_thresh2 = 512 net.ipv6.neigh.default.gc_thresh3 = 1024 net.ipv6.neigh.default.interval_probe_time_ms = 5000 net.ipv6.neigh.default.locktime = 0 net.ipv6.neigh.default.mcast_resolicit = 0 net.ipv6.neigh.default.mcast_solicit = 3 net.ipv6.neigh.default.proxy_delay = 79 net.ipv6.neigh.default.proxy_qlen = 64 net.ipv6.neigh.default.retrans_time_ms = 1000 net.ipv6.neigh.default.ucast_solicit = 3 net.ipv6.neigh.default.unres_qlen = 101 net.ipv6.neigh.default.unres_qlen_bytes = 212992 net.ipv6.neigh.enp2s0.anycast_delay = 99 net.ipv6.neigh.enp2s0.app_solicit = 0 net.ipv6.neigh.enp2s0.base_reachable_time_ms = 30000 net.ipv6.neigh.enp2s0.delay_first_probe_time = 5 net.ipv6.neigh.enp2s0.gc_stale_time = 60 net.ipv6.neigh.enp2s0.interval_probe_time_ms = 5000 net.ipv6.neigh.enp2s0.locktime = 0 net.ipv6.neigh.enp2s0.mcast_resolicit = 0 net.ipv6.neigh.enp2s0.mcast_solicit = 3 net.ipv6.neigh.enp2s0.proxy_delay = 79 net.ipv6.neigh.enp2s0.proxy_qlen = 64 net.ipv6.neigh.enp2s0.retrans_time_ms = 1000 net.ipv6.neigh.enp2s0.ucast_solicit = 3 net.ipv6.neigh.enp2s0.unres_qlen = 101 net.ipv6.neigh.enp2s0.unres_qlen_bytes = 212992 net.ipv6.neigh.lo.anycast_delay = 99 net.ipv6.neigh.lo.app_solicit = 0 net.ipv6.neigh.lo.base_reachable_time_ms = 30000 net.ipv6.neigh.lo.delay_first_probe_time = 5 net.ipv6.neigh.lo.gc_stale_time = 60 net.ipv6.neigh.lo.interval_probe_time_ms = 5000 net.ipv6.neigh.lo.locktime = 0 net.ipv6.neigh.lo.mcast_resolicit = 0 net.ipv6.neigh.lo.mcast_solicit = 3 net.ipv6.neigh.lo.proxy_delay = 79 net.ipv6.neigh.lo.proxy_qlen = 64 net.ipv6.neigh.lo.retrans_time_ms = 1000 net.ipv6.neigh.lo.ucast_solicit = 3 net.ipv6.neigh.lo.unres_qlen = 101 net.ipv6.neigh.lo.unres_qlen_bytes = 212992 net.ipv6.neigh.wlo1.anycast_delay = 99 net.ipv6.neigh.wlo1.app_solicit = 0 net.ipv6.neigh.wlo1.base_reachable_time_ms = 30000 net.ipv6.neigh.wlo1.delay_first_probe_time = 5 net.ipv6.neigh.wlo1.gc_stale_time = 60 net.ipv6.neigh.wlo1.interval_probe_time_ms = 5000 net.ipv6.neigh.wlo1.locktime = 0 net.ipv6.neigh.wlo1.mcast_resolicit = 0 net.ipv6.neigh.wlo1.mcast_solicit = 3 net.ipv6.neigh.wlo1.proxy_delay = 79 net.ipv6.neigh.wlo1.proxy_qlen = 64 net.ipv6.neigh.wlo1.retrans_time_ms = 1000 net.ipv6.neigh.wlo1.ucast_solicit = 3 net.ipv6.neigh.wlo1.unres_qlen = 101 net.ipv6.neigh.wlo1.unres_qlen_bytes = 212992 net.ipv6.route.gc_elasticity = 9 net.ipv6.route.gc_interval = 30 net.ipv6.route.gc_min_interval = 0 net.ipv6.route.gc_min_interval_ms = 500 net.ipv6.route.gc_thresh = 1024 net.ipv6.route.gc_timeout = 60 net.ipv6.route.max_size = 2147483647 net.ipv6.route.min_adv_mss = 1220 net.ipv6.route.mtu_expires = 600 net.ipv6.route.skip_notify_on_dev_down = 0 net.ipv6.seg6_flowlabel = 0 net.ipv6.xfrm6_gc_thresh = 32768 net.mptcp.add_addr_timeout = 120 net.mptcp.allow_join_initial_addr_port = 1 net.mptcp.checksum_enabled = 0 net.mptcp.enabled = 1 net.mptcp.pm_type = 0 net.mptcp.stale_loss_cnt = 4 net.netfilter.nf_conntrack_acct = 0 net.netfilter.nf_conntrack_buckets = 262144 net.netfilter.nf_conntrack_checksum = 1 net.netfilter.nf_conntrack_count = 12 net.netfilter.nf_conntrack_dccp_loose = 1 net.netfilter.nf_conntrack_dccp_timeout_closereq = 64 net.netfilter.nf_conntrack_dccp_timeout_closing = 64 net.netfilter.nf_conntrack_dccp_timeout_open = 43200 net.netfilter.nf_conntrack_dccp_timeout_partopen = 480 net.netfilter.nf_conntrack_dccp_timeout_request = 240 net.netfilter.nf_conntrack_dccp_timeout_respond = 480 net.netfilter.nf_conntrack_dccp_timeout_timewait = 240 net.netfilter.nf_conntrack_events = 2 net.netfilter.nf_conntrack_expect_max = 4096 net.netfilter.nf_conntrack_frag6_high_thresh = 4194304 net.netfilter.nf_conntrack_frag6_low_thresh = 3145728 net.netfilter.nf_conntrack_frag6_timeout = 60 net.netfilter.nf_conntrack_generic_timeout = 600 net.netfilter.nf_conntrack_gre_timeout = 30 net.netfilter.nf_conntrack_gre_timeout_stream = 180 net.netfilter.nf_conntrack_icmp_timeout = 30 net.netfilter.nf_conntrack_icmpv6_timeout = 30 net.netfilter.nf_conntrack_log_invalid = 0 net.netfilter.nf_conntrack_max = 262144 net.netfilter.nf_conntrack_sctp_timeout_closed = 10 net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3 net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3 net.netfilter.nf_conntrack_sctp_timeout_established = 210 net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30 net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3 net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 3 net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 3 net.netfilter.nf_conntrack_tcp_be_liberal = 0 net.netfilter.nf_conntrack_tcp_ignore_invalid_rst = 0 net.netfilter.nf_conntrack_tcp_loose = 1 net.netfilter.nf_conntrack_tcp_max_retrans = 3 net.netfilter.nf_conntrack_tcp_timeout_close = 10 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60 net.netfilter.nf_conntrack_tcp_timeout_established = 432000 net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120 net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30 net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300 net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60 net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120 net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120 net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300 net.netfilter.nf_conntrack_timestamp = 0 net.netfilter.nf_conntrack_udp_timeout = 30 net.netfilter.nf_conntrack_udp_timeout_stream = 120 net.netfilter.nf_flowtable_tcp_timeout = 30 net.netfilter.nf_flowtable_udp_timeout = 30 net.netfilter.nf_hooks_lwtunnel = 0 net.netfilter.nf_log.0 = NONE net.netfilter.nf_log.1 = NONE net.netfilter.nf_log.10 = NONE net.netfilter.nf_log.2 = NONE net.netfilter.nf_log.3 = NONE net.netfilter.nf_log.4 = NONE net.netfilter.nf_log.5 = NONE net.netfilter.nf_log.6 = NONE net.netfilter.nf_log.7 = NONE net.netfilter.nf_log.8 = NONE net.netfilter.nf_log.9 = NONE net.netfilter.nf_log_all_netns = 0 net.nf_conntrack_max = 262144 net.unix.max_dgram_qlen = 512 user.max_cgroup_namespaces = 240346 user.max_fanotify_groups = 128 user.max_fanotify_marks = 468787 user.max_inotify_instances = 1024 user.max_inotify_watches = 524288 user.max_ipc_namespaces = 240346 user.max_mnt_namespaces = 240346 user.max_net_namespaces = 240346 user.max_pid_namespaces = 240346 user.max_time_namespaces = 240346 user.max_user_namespaces = 240346 user.max_uts_namespaces = 240346 vm.admin_reserve_kbytes = 8192 vm.compact_unevictable_allowed = 1 vm.compaction_proactiveness = 20 vm.dirty_background_bytes = 0 vm.dirty_background_ratio = 10 vm.dirty_bytes = 0 vm.dirty_expire_centisecs = 3000 vm.dirty_ratio = 20 vm.dirty_writeback_centisecs = 500 vm.dirtytime_expire_seconds = 43200 vm.extfrag_threshold = 500 vm.hugetlb_optimize_vmemmap = 0 vm.hugetlb_shm_group = 0 vm.laptop_mode = 0 vm.legacy_va_layout = 0 vm.lowmem_reserve_ratio = 256 256 32 0 0 vm.max_map_count = 65530 vm.memfd_noexec = 0 vm.memory_failure_early_kill = 0 vm.memory_failure_recovery = 1 vm.min_free_kbytes = 67584 vm.min_slab_ratio = 5 vm.min_unmapped_ratio = 1 vm.mmap_min_addr = 65536 vm.mmap_rnd_bits = 32 vm.mmap_rnd_compat_bits = 16 vm.nr_hugepages = 0 vm.nr_hugepages_mempolicy = 0 vm.nr_overcommit_hugepages = 0 vm.numa_stat = 1 vm.numa_zonelist_order = Node vm.oom_dump_tasks = 1 vm.oom_kill_allocating_task = 0 vm.overcommit_kbytes = 0 vm.overcommit_memory = 0 vm.overcommit_ratio = 50 vm.page-cluster = 3 vm.page_lock_unfairness = 5 vm.panic_on_oom = 0 vm.percpu_pagelist_high_fraction = 0 vm.stat_interval = 1 vm.swappiness = 60 vm.user_reserve_kbytes = 131072 vm.vfs_cache_pressure = 100 vm.watermark_boost_factor = 15000 vm.watermark_scale_factor = 10 vm.zone_reclaim_mode = 0

KCONFIG: [r@station ~]$ zgrep FTRACE /proc/config.gz CONFIG_KPROBES_ON_FTRACE=y CONFIG_HAVE_KPROBES_ON_FTRACE=y CONFIG_STM_SOURCE_FTRACE=m # CONFIG_PSTORE_FTRACE is not set CONFIG_HAVE_DYNAMIC_FTRACE=y CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y CONFIG_HAVE_DYNAMIC_FTRACE_NO_PATCHABLE=y CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE=y CONFIG_DYNAMIC_FTRACE=y CONFIG_DYNAMIC_FTRACE_WITH_REGS=y CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y CONFIG_FTRACE_SYSCALLS=y CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_CC=y # CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_FTRACE_SORT_STARTUP_TEST is not set CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y

[r@station ~]$ zgrep KPROBE /proc/config.gz CONFIG_KPROBES=y CONFIG_KPROBES_ON_FTRACE=y CONFIG_HAVE_KPROBES=y CONFIG_HAVE_KPROBES_ON_FTRACE=y CONFIG_KPROBE_EVENTS=y # CONFIG_KPROBE_EVENTS_ON_NOTRACE is not set # CONFIG_BPF_KPROBE_OVERRIDE is not set # CONFIG_KPROBE_EVENT_GEN_TEST is not set

[r@station ~]$ zgrep UPROBE /proc/config.gz CONFIG_ARCH_SUPPORTS_UPROBES=y CONFIG_UPROBES=y CONFIG_UPROBE_EVENTS=y

[r@station ~]$ zgrep SYSCALL /proc/config.gz CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y CONFIG_GENERIC_TIME_VSYSCALL=y CONFIG_BPF_SYSCALL=y CONFIG_SGETMASK_SYSCALL=y # CONFIG_SYSFS_SYSCALL is not set CONFIG_ADVISE_SYSCALLS=y CONFIG_CACHESTAT_SYSCALL=y CONFIG_X86_VSYSCALL_EMULATION=y # CONFIG_LEGACY_VSYSCALL_XONLY is not set CONFIG_LEGACY_VSYSCALL_NONE=y # CONFIG_MODIFY_LDT_SYSCALL is not set CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y CONFIG_HAVE_SYSCALL_TRACEPOINTS=y CONFIG_FTRACE_SYSCALLS=y

[r@station ~]$ zgrep BPF /proc/config.gz CONFIG_BPF=y CONFIG_HAVE_EBPF_JIT=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # BPF subsystem CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y CONFIG_BPF_UNPRIV_DEFAULT_OFF=y # CONFIG_BPF_PRELOAD is not set CONFIG_BPF_LSM=y # end of BPF subsystem CONFIG_CGROUP_BPF=y CONFIG_IPV6_SEG6_BPF=y CONFIG_NETFILTER_BPF_LINK=y CONFIG_NETFILTER_XT_MATCH_BPF=m # CONFIG_BPFILTER is not set CONFIG_NET_CLS_BPF=m CONFIG_NET_ACT_BPF=m CONFIG_BPF_STREAM_PARSER=y CONFIG_LWTUNNEL_BPF=y # HID-BPF support CONFIG_HID_BPF=y # end of HID-BPF support CONFIG_BPF_EVENTS=y # CONFIG_BPF_KPROBE_OVERRIDE is not set # CONFIG_TEST_BPF is not set

[r@station r]$ zgrep DEBUGFS /proc/config.gz # CONFIG_GENERIC_IRQ_DEBUGFS is not set # CONFIG_ACPI_EC_DEBUGFS is not set CONFIG_MODULE_DEBUGFS=y # CONFIG_CMA_DEBUGFS is not set # CONFIG_L2TP_DEBUGFS is not set # CONFIG_6LOWPAN_DEBUGFS is not set # CONFIG_BT_DEBUGFS is not set # CONFIG_CFG80211_DEBUGFS is not set # CONFIG_MAC80211_DEBUGFS is not set # CONFIG_ATH9K_DEBUGFS is not set # CONFIG_ATH9K_HTC_DEBUGFS is not set # CONFIG_WIL6210_DEBUGFS is not set # CONFIG_ATH10K_DEBUGFS is not set # CONFIG_WCN36XX_DEBUGFS is not set # CONFIG_RTW88_DEBUGFS is not set # CONFIG_RTW89_DEBUGFS is not set # CONFIG_RSI_DEBUGFS is not set # CONFIG_IEEE802154_CA8210_DEBUGFS is not set CONFIG_WWAN_DEBUGFS=y # CONFIG_SMS_SIANO_DEBUGFS is not set CONFIG_CROS_EC_DEBUGFS=m CONFIG_WILCO_EC_DEBUGFS=m # CONFIG_IOMMU_DEBUGFS is not set # CONFIG_USB4_DEBUGFS_WRITE is not set # CONFIG_CRYPTO_DEV_CCP_DEBUGFS is not set # CONFIG_PTDUMP_DEBUGFS is not set

[r@station r]$ zgrep DEBUG_FS /proc/config.gz # CONFIG_XEN_DEBUG_FS is not set CONFIG_BLK_DEBUG_FS=y CONFIG_BLK_DEBUG_FS_ZONED=y # CONFIG_SCSI_SNIC_DEBUG_FS is not set # CONFIG_SCSI_LPFC_DEBUG_FS is not set # CONFIG_OCFS2_DEBUG_FS is not set CONFIG_DEBUG_FS=y # CONFIG_DEBUG_FS_ALLOW_ALL is not set # CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set CONFIG_DEBUG_FS_ALLOW_NONE=y

BOOT OPTIONS (systemd-boot) [r@station ~]$ cat /boot/loader/entries/arch.conf title archlinux linux /vmlinuz-linux-hardened initrd /amd-ucode.img initrd /initramfs-linux-hardened.img options cryptdevice=UUID=XXX:roote root=/dev/mapper/root rw iommu=force nosmt=force mitigations=auto,nosmt

DEBUGFS [r@station ~]$ sudo dmesg | grep debugfs [ 4.368928] pinctrl core: failed to create debugfs directory [ 4.625699] zsmalloc: debugfs not available, stat dir not created [ 4.633071] pinctrl core: failed to create debugfs directory for AMDI0030:00 [ 4.718985] zswap: debugfs initialization failed [ 5.289343] cec: Failed to create debugfs cec dir [ 36.701912] request_module fs-debugfs succeeded, but still no fs?

Screenshot from 2023-10-12 08-51-34

tjbbjt commented 9 months ago

Removing lockdown=confidentiality from grub boot parameters fixed eBPF disabling for me.

gustavo-iniguez-goya commented 8 months ago

hi @moisesmsf ,

I've got an Arch installation with a hardened kernel as well, where this error pop-ups. As far as I can tell, we (gobpf+opensnitch) depend on 2 options to configure the kprobes/tracepoints: DEBUGFS and TRACEFS.

DEBUGFS is usually mounted under /sys/kernel/debug, and TRACEFS under /sys/kernel/debug/tracing

On this Arch installation, I can mount TRACEFS under any directory (i.e.: tracefs mount option is available):

~ # mkdir x
~ # mount -t tracefs none x/
~ # ls x/
README                      dyn_ftrace_total_info     instances        saved_cmdlines         set_ftrace_notrace_pid  synthetic_events  trace_stat
available_events            dynamic_events            kprobe_events    saved_cmdlines_size    set_ftrace_pid          timestamp_mode    tracing_cpumask
(...)

I think that this should be enough to configure the hook points.

however! if I try to mount DEBUGFS, it fails:

~ # mount -t debugfs none /sys/kernel/debug
mount: /home/ga/x: unknown filesystem type 'debugfs'

Apparently this behaviour is governed by the kernel config option DEBUG_FS_ALLOW_NONE: https://github.com/torvalds/linux/blob/56567a20b22bdbf85c3e55eee3bf2bd23fa2f108/lib/Kconfig.debug#L666C8-L671

Access is off. Clients get -PERM when trying to create nodes in debugfs tree and debugfs is not registered as a filesystem. Client can then back-off or continue without debugfs access.

So:

Even if debugfs is configured in these hardened kernels, AFAICT it can't be used to mount the directory /sys/kernel/debug
As we can't mount /sys/kernel/debug, we can't mount either /sys/kernel/debug/tracing/ (mkdir can't be used here)
And finally, the paths to debugfs and tracefs are hardcoded in gobpf, so we can't configure them from opensnitch :/ https://github.com/iovisor/gobpf/blob/16120a1bf4d4abc1f9cf37fecfb86009a1631b9f/elf/module.go#L248

atomGit commented 2 months ago

@moisesmsf - when you post that much content, consider using <details> tags...

<details>
<summary>SOME_TITLE</summary>
CONTENT_GOES_HERE
</details>

atomGit commented 2 months ago

@gustavo-iniguez-goya

$ grep FTRACE /boot/config-$(uname -r) <-- this doesn't work on Manjaro

also for Manjaro, the build file needs to be edited - an example path is /usr/lib/modules/6.9.0-1-MANJARO, so...

KDIR="/usr/lib/modules/$(uname -r)/build"

might be good to add this stuff to the wiki???

evilsocket / opensnitch

eBPF compatibility with custom and hardened kernels (xanmod, liquorix, etc) #774

Custom kernels (xanmod, liquorix, others)

Hardened kernels / systems