One thing that I forgot to mention: this is for 5.15.

Most of this will also apply to master, which I think is 5.19
(but I'm a yocto-kernel-cache newbie). The only config option that went away
is NF_FLOW_TABLE_IPV4, as mentioned below. I'll take that out and send a PR for master.

Next time, I'll put the target in the subject prefix.

../Randy

On 2022-07-26 21:11, Randy MacLeod wrote:
Add new NF* configs to enable more nftables features.

Previously 26/300 of the nftables ptests failed, mainly due to 'missing'
kernel modules. It's impossible to know which nftables features will be used so
add more configs to ensure that most nftables features used by nft work.

The added features are:

NF_CONNTRACK_TIMEOUT
   enables support for connection tracking timeout extension.
   This allows you to attach timeout policies to flows via the CT target.

NF_FLOW_TABLE
   adds the flow table core infrastructure.

NF_FLOW_TABLE_INET
   adds the flow table mixed IPv4/IPv6 support.

NF_FLOW_TABLE_IPV4
   adds the flow table IPv4 support.
   This option goes away in the 5.18 kernel.
   Without this option 13 rather than 6 nftables tests fail.
   The NF_FLOW_TABLE_IPV6 config isn't needed but doesn't hurt.

NFT_NUMGEN
   adds the number generator expression used to perform incremental
   counting and random numbers bound to an upper limit.

NFT_OSF
   allows matching packets from a specific OS.

NFT_QUOTA=m
   adds the "quota" expression that you can use to match and enforce byte quotas.

NFT_SYNPROXY=m
   The SYNPROXY expression allows you to intercept TCP connections and
   establish them using syncookies before they are passed on to the
   server. This allows you to avoid conntrack and server resource usage
   during SYN-flood attacks.

This brings the nftables-1.0.2 ptest results from:
    [OK] 274 [FAILED] 26 [TOTAL] 300
to:
    [OK] 294 [FAILED]  6 [TOTAL] 300
The remaining 6 ptests also fail on other distros and with the
linux-yocto-dev 5.19.0-rc* kernel. They should/will be fixed eventually.

Signed-off-by: Randy MacLeod <randy.macl...@windriver.com>
---
  features/nf_tables/nf_tables.cfg | 8 ++++++++
  1 file changed, 8 insertions(+)

diff --git a/features/nf_tables/nf_tables.cfg b/features/nf_tables/nf_tables.cfg
index b8f73b76..c6819260 100644
--- a/features/nf_tables/nf_tables.cfg
+++ b/features/nf_tables/nf_tables.cfg
@@ -3,6 +3,10 @@ CONFIG_NF_TABLES=y
  CONFIG_NF_TABLES_INET=y
  CONFIG_NF_TABLES_NETDEV=y
  CONFIG_NFT_CT=m
+CONFIG_NF_CONNTRACK_TIMEOUT=y
+CONFIG_NF_FLOW_TABLE=m
+CONFIG_NF_FLOW_TABLE_INET=m
+CONFIG_NF_FLOW_TABLE_IPV4=m
  CONFIG_NFT_HASH=m
  CONFIG_NFT_COUNTER=m
  CONFIG_NFT_MASQ=m
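Review bot: CONFIG_NF_FLOW_TABLE_IPV4=m is the one line in this hunk that is branch-specific; the cover text says the option disappears in 5.18, so on master Kconfig will silently ignore it and the fragment will drift from the commit message. Noting the target branch in the commit message, or keeping the master copy of the fragment without that line, would avoid confusion. Also, CONFIG_NF_CONNTRACK_TIMEOUT=y is the only built-in among the additions while the other new lines are =m; one sentence in the message on why it is not a module (for instance if the Kconfig symbol has no module form) would help the next reader.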
@@ -12,8 +16,11 @@ CONFIG_NFT_LIMIT=m
  CONFIG_NFT_CONNLIMIT=m
  CONFIG_NFT_TUNNEL=m
  CONFIG_NFT_NAT=m
+CONFIG_NFT_NUMGEN=m
  CONFIG_NFT_OBJREF=m
+CONFIG_NFT_OSF=m
  CONFIG_NFT_QUEUE=m
+CONFIG_NFT_QUOTA=m
  CONFIG_NFT_REJECT=m
  CONFIG_NFT_REJECT_INET=m
  CONFIG_NFT_COMPAT=m
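Review bot: all three additions here are =m, but the commit message lists NFT_QUOTA and NFT_SYNPROXY with the "=m" suffix and NFT_NUMGEN and NFT_OSF without; making the feature list in the message consistent with the fragment (either all with the value or none) would make it easier to diff the two later.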
@@ -24,3 +31,4 @@ CONFIG_NF_TABLES_ARP=y
  CONFIG_NF_TABLES_IPV6=y
  CONFIG_NF_TABLES_BRIDGE=m
  CONFIG_NFT_SOCKET=m
+CONFIG_NFT_SYNPROXY=m
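Review bot: CONFIG_NFT_SYNPROXY=m is appended as the last line of the file with no context line after it, so please confirm the file still ends with a trailing newline; otherwise the next addition gets glued onto this line. As the fragment only names the NFT_* symbols and relies on Kconfig to pull in whatever they select, a check of the merged .config after the build (that CONFIG_NFT_SYNPROXY=m actually appears) would confirm the option was not dropped for an unmet dependency.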
--
# Randy MacLeod
# Wind River Linux
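As an added example (not part of the patch or of yocto-kernel-cache), here is a POSIX shell check that compares a .cfg fragment like the one above against the merged .config and reports every option Kconfig changed, explicitly disabled or silently dropped; the fragment and .config contents are constructed, and the function name check_fragment is my own.

```shell
#!/bin/sh
# Added example (not from the patch or yocto-kernel-cache): check that every
# option in a kernel-cache .cfg fragment survived the Kconfig merge into the
# final .config. Kconfig silently drops options whose dependencies are unmet
# or which no longer exist, which is how a fragment can "apply" yet leave
# nft features missing. All inputs below are constructed.

# check_fragment FRAGMENT CONFIG: prints one line per mismatch and returns
# the number of mismatches (0 means every option landed as requested).
check_fragment() {
    frag="$1"; cfg="$2"; bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks/comments
        opt="${line%%=*}"; want="${line#*=}"
        if grep -qxF "$line" "$cfg"; then continue; fi   # applied as-is
        got="$(grep "^${opt}=" "$cfg" | head -n 1)"
        if [ -n "$got" ]; then
            echo "CHANGED  $opt wanted $want got ${got#*=}"
        elif grep -qxF "# $opt is not set" "$cfg"; then
            echo "DISABLED $opt (explicitly not set)"
        else
            echo "DROPPED  $opt (absent: removed option or unmet dependency)"
        fi
        bad=$((bad + 1))
    done < "$frag"
    return "$bad"
}

# Constructed fragment: five of the options the patch adds.
FRAG=$(mktemp)
cat > "$FRAG" <<'EOF'
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_FLOW_TABLE_IPV4=m
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_OSF=m
CONFIG_NFT_SYNPROXY=m
EOF

# Constructed merged .config as a 5.18+ kernel might produce it: the IPv4
# flow table option no longer exists, NUMGEN became built-in, OSF was unset.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NFT_NUMGEN=y
# CONFIG_NFT_OSF is not set
CONFIG_NFT_SYNPROXY=m
EOF

check_fragment "$FRAG" "$CFG" || echo "mismatches: $?"
```

Run it against the real fragment and the .config from the kernel build directory to see which of the eight options actually took effect on a given branch.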

View/Reply Online (#11519): https://lists.yoctoproject.org/g/linux-yocto/message/11519