fix(vm): enable NFT_LOG kernel module for nftables bypass detection #1391

Merged: drew merged 1 commit into NVIDIA:main from russellb:fix/vm-nft-log-kconfig on May 15, 2026

@russellb
Contributor

Summary

  • Add CONFIG_NFT_LOG=y to the VM kernel config fragment so that nftables log expressions work inside the guest kernel
  • Without this, nft rejects rulesets containing log with "No such file or directory" because the kernel lacks the nft_log module
  • Pre-requisite for the nftables migration branch — the vm-runtime kernel must be rebuilt with this config before log-based bypass detection works

Test plan

  • Built kernel from source with FROM_SOURCE=1 mise run vm:setup and verified CONFIG_NFT_LOG=y in the resulting .config
  • Created a sandbox with mise run gateway:vm using the locally built kernel
  • Confirmed nft rulesets containing log expressions load without error (previously failed with "No such file or directory")
  • Verified bypass detection log entries appear in dmesg inside the VM guest after triggering a direct connection bypass
  • release-vm-kernel workflow produces a kernel with NFT_LOG support (needed for CI and downloaded runtimes)

🤖 Generated with Claude Code

The nftables log statement requires CONFIG_NFT_LOG, which was not
included in the VM guest kernel config. Without it, nft rejects
rules containing the log keyword with "No such file or directory".
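
Added example, not part of this pull request or the project's code: the test plan above verifies `CONFIG_NFT_LOG=y` in the resulting `.config`, and this sketch automates that comparison for a whole fragment, since Kconfig can drop a requested option when the final config is resolved. The function names and the sample file contents are hypothetical.

```shell
#!/bin/sh
# Added example; function names and sample file contents are hypothetical.

# kconfig_state CONFIG_FILE SYMBOL: print y, m, n, another value, or "absent".
kconfig_state() {
    awk -v sym="CONFIG_$2" '
        # "CONFIG_FOO=value" sets the symbol; the last assignment wins.
        index($0, sym "=") == 1 { state = substr($0, length(sym) + 2); next }
        # "# CONFIG_FOO is not set" is how Kconfig records an explicit "n".
        $0 == "# " sym " is not set" { state = "n" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# fragment_dropped FRAGMENT FINAL_CONFIG: report each CONFIG_*= line of the
# fragment that the final config does not carry with the same value.
# Returns 0 when every assignment survived, 1 otherwise.
fragment_dropped() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            CONFIG_*=*) ;;
            *) continue ;;      # comments, blanks, "is not set" lines
        esac
        sym=${line%%=*}; sym=${sym#CONFIG_}
        want=${line#*=}
        got=$(kconfig_state "$2" "$sym")
        if [ "$got" != "$want" ]; then
            echo "$sym: fragment wants $want, final config has $got"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample: the fragment asks for NFT_LOG, the resolved config lost it.
demo() {
    dir=$(mktemp -d)
    printf 'CONFIG_NF_TABLES=y\nCONFIG_NFT_LOG=y\n' > "$dir/fragment"
    printf 'CONFIG_NF_TABLES=y\n# CONFIG_NFT_LOG is not set\n' > "$dir/config"
    status=0
    fragment_dropped "$dir/fragment" "$dir/config" || status=$?
    rm -rf "$dir"
    return $status
}

demo || echo "guest kernel would reject nft rules that use log"
```
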

@copy-pr-bot

copy-pr-bot Bot commented May 14, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@drew
Collaborator

drew commented May 15, 2026

/ok to test f16f5d6

@drew drew merged commit c27dd88 into NVIDIA:main May 15, 2026
27 checks passed