| field | value | date |
|---|---|---|
| author | Maximilian Bosch <maximilian@mbosch.me> | 2020-07-31 20:44:59 +0200 |
| committer | Maximilian Bosch <maximilian@mbosch.me> | 2020-07-31 21:06:00 +0200 |
| commit | 37e3cadb8b20a1a057c0996885f88be2e2f081e1 (patch) | |
| tree | 9c575f9b469b00f73abc2214f47d7328c143e177 /pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch | |
| parent | 8738de2346d73527038c531619974354a8ae344b (diff) | |
nixos/systemd-networkd-vrf: implement working TCP test on a 5.x kernel
By design, VRFs allow route-leaking for forwarded packages, but not for
local processes using a socket. While it was possible to leak such TCP
traffic through a VRF on a 4.x kernel, this behavior was considered
wrong and got fixed in Linux 5.x[1].
From now on, local unix sockets must run in the VRF itself using
`ip vrf exec`[2] which basically injects a BPF program into the VRF and
drops elevated networking capabilities by default for the specified
command.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c82a21f4320c8d54cf6456b27c8d49e5ffb722e
[2] https://man7.org/linux/man-pages/man8/ip-vrf.8.html
Diffstat (limited to 'pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch')
0 files changed, 0 insertions, 0 deletions
