path: root/pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch
author Maximilian Bosch <maximilian@mbosch.me> 2020-07-31 20:44:59 +0200
committer Maximilian Bosch <maximilian@mbosch.me> 2020-07-31 21:06:00 +0200
commit 37e3cadb8b20a1a057c0996885f88be2e2f081e1 (patch)
tree 9c575f9b469b00f73abc2214f47d7328c143e177 /pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch
parent 8738de2346d73527038c531619974354a8ae344b (diff)
nixos/systemd-networkd-vrf: implement working TCP test on a 5.x kernel
By design, VRFs allow route-leaking for forwarded packages, but not for local processes using a socket. While it was possible to leak such TCP traffic through a VRF on a 4.x kernel, this behavior was considered wrong and got fixed in Linux 5.x[1].

From now on, local unix sockets must run in the VRF itself using `ip vrf exec`[2] which basically injects a BPF program into the VRF and drops elevated networking capabilities by default for the specified command.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c82a21f4320c8d54cf6456b27c8d49e5ffb722e
[2] https://man7.org/linux/man-pages/man8/ip-vrf.8.html
Diffstat (limited to 'pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch')
0 files changed, 0 insertions, 0 deletions