From: Remi Gacogne Date: Fri, 2 Jul 2021 13:14:55 +0000 (+0200) Subject: dnsdist: Document that some capabilities are needed for eBPF X-Git-Tag: dnsdist-1.7.0-alpha1~98^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=758915a7b5ad87e670317ff8ed13238d673a12a5;p=thirdparty%2Fpdns.git dnsdist: Document that some capabilities are needed for eBPF --- diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in index 12aadb9c72..4fdbbb4115 100644 --- a/pdns/dnsdistdist/dnsdist.service.in +++ b/pdns/dnsdistdist/dnsdist.service.in @@ -22,6 +22,8 @@ LimitNOFILE=16384 TasksMax=8192 # Sandboxing +# Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support, +# and CAP_NET_RAW to be able to set the source interface to contact a backend CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE LockPersonality=true diff --git a/pdns/dnsdistdist/docs/advanced/ebpf.rst b/pdns/dnsdistdist/docs/advanced/ebpf.rst index 2d82845016..446a52b82d 100644 --- a/pdns/dnsdistdist/docs/advanced/ebpf.rst +++ b/pdns/dnsdistdist/docs/advanced/ebpf.rst 
@@ -1,7 +1,7 @@ eBPF Socket Filtering ===================== -:program:`dnsdist` can use `eBPF `_ socket filtering on recent Linux kernels (4.1+) built with eBPF support (``CONFIG_BPF``, ``CONFIG_BPF_SYSCALL``, ideally ``CONFIG_BPF_JIT``). +:program:`dnsdist` can use `eBPF `_ socket filtering on recent Linux kernels (4.1+) built with eBPF support (``CONFIG_BPF``, ``CONFIG_BPF_SYSCALL``, ideally ``CONFIG_BPF_JIT``). It requires dnsdist to have the ``CAP_SYS_ADMIN`` capabilities at startup, or the more restrictive ``CAP_BPF`` one since Linux 5.8. This feature allows dnsdist to ask the kernel to discard incoming packets in kernel-space instead of them being copied to userspace just to be dropped, thus being a lot of faster. The current implementation supports dropping UDP and TCP queries based on the source IP and UDP datagrams on exact DNS names. We have not been able to implement suffix matching yet, due to a limit on the maximum number of EBPF instructions.
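Review bot: the comment added above `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` in dnsdist.service.in says which capabilities are needed but not where to put them; since the unit sets both `CapabilityBoundingSet=` and `AmbientCapabilities=`, an operator who adds `CAP_BPF` (or `CAP_SYS_ADMIN`) to only one of the two lines will still not get eBPF working, so the note should state that the capability has to be appended to both directives, e.g. "add it to both CapabilityBoundingSet= and AmbientCapabilities= below". It would also help to say that `CAP_SYS_ADMIN` is far broader than `CAP_BPF` and should only be used on kernels older than 5.8 where `CAP_BPF` does not exist, since the sandboxing section is exactly where a reader decides how much privilege to grant.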
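Review bot: in the ebpf.rst hunk, "to have the ``CAP_SYS_ADMIN`` capabilities at startup" should be singular ("capability"), and "the more restrictive ``CAP_BPF`` one" reads awkwardly; suggest "It requires dnsdist to have the ``CAP_SYS_ADMIN`` capability at startup or, on Linux 5.8 and later, the more restrictive ``CAP_BPF`` capability." The sentence also says the capability is needed "at startup" while the companion change to dnsdist.service.in grants it for the whole lifetime of the process, so the documentation should either point readers at the unit file (`CapabilityBoundingSet=` and `AmbientCapabilities=`) so that the two stay consistent, or state explicitly whether the capability can be dropped after the filter is loaded. While this paragraph is being touched, the unchanged context line "thus being a lot of faster" could be corrected to "thus being a lot faster".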