lklWithFirewall: init

[yu-re-ka]

There is a pull request in the LKL repo adding firewall support: lkl/linux#431
It simply enables the appropriate options in the kernel config, since the framework is already there.
It has not been merged yet, because enabling these options by default would lead to bigger lkl binaries and an overall slowdown for all users. However, since we can provide an opt-in variant with Firewall support, there is no reason not to do it.

This is very useful for nftables rule checking without having access to the kernel interface.

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.11 Release Notes (or backporting 22.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[Mic92]

I think this is a useful addition. Can you also link in this PR to an example on how to use this feature to check nftable rules?

[yu-re-ka]

See here for a usage example

Basically:

${lklWithFirewall.out}/bin/lkl-hijack.sh ${pkgs.nftables}/bin/nft --check --file $rulesetPath

[Mic92]

Thanks!