On Tue, Dec 1, 2015 at 12:24 AM, Bruce Ashfield < bruce.ashfi...@windriver.com> wrote:
> On 2015-11-30 8:08 PM, Rongqing Li wrote: > >> >> >> On 2015-11-30 13:22, Bruce Ashfield wrote: >> >>> On 2015-11-26 12:25 AM, rongqing...@windriver.com wrote: >>> >>>> From: Roy Li <rongqing...@windriver.com> >>>> >>>> the below kernel options are enabled: >>>> LOG target support >>>> IPv6 connection tracking support, >>>> "addrtype" address type match support >>>> "recent" match support >>>> >>>> the default configuration of ufw(Uncomplicated Firewall) asked them. >>>> >>> >>> Like the other patch you submitted, this should go to the linux-yocto >>> list, but I'll reply here, since this one needs a bit more tweaking. >>> >>> >>>> Signed-off-by: Roy Li <rongqing...@windriver.com> >>>> --- >>>> features/netfilter/netfilter.cfg | 4 ++++ >>>> 1 file changed, 4 insertions(+) >>>> >>>> diff --git a/features/netfilter/netfilter.cfg >>>> b/features/netfilter/netfilter.cfg >>>> index 8ecef4a..7bb8490 100644 >>>> --- a/features/netfilter/netfilter.cfg >>>> +++ b/features/netfilter/netfilter.cfg 
>>>> @@ -62,12 +62,16 @@ CONFIG_NETFILTER_XT_MATCH_STATISTIC=m >>>> CONFIG_NETFILTER_XT_MATCH_STRING=m >>>> CONFIG_NETFILTER_XT_MATCH_TCPMSS=m >>>> CONFIG_NETFILTER_XT_MATCH_U32=m >>>> +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m >>>> +CONFIG_NETFILTER_XT_MATCH_RECENT=m >>>> +CONFIG_NETFILTER_XT_TARGET_LOG=m >>>> >>> >>> Adding these is fine, but if ufw needs these extra options, we should >>> also have a ufw.scc/.cfg fragment that can be triggered when ufw is >>> being built. >>> >>> So either create that fragment and inside it, document the NF options >>> it needs, and have ufw include netfilter.scc to get the options you >>> are adding above. >>> >>> or .. at the very least, put comments in the .cfg file above the >>> options indicating that they are required for ufw. >>> >> >> I think the below two configurations are more basic, not special to >> ufw, and netfilter.cfg lost them. >> CONFIG_NETFILTER_XT_TARGET_LOG=m >> CONFIG_NF_CONNTRACK_IPV6=m >> > > Sure, but we still don't have anything within the fragments or > their descriptions that document what ufw is looking for, which > means we could remove them in the feature and unknowingly break > that functionality. > > You can still add those options to the netfilter config, but we'd > be wise to add those comments, or create a ufw.scc file that (for > now), simply includes netfilter.scc and indicates that ufw requires > the options as they are in that config. > ping. And just so we are clear, I didn't merge this yet, and it should be re-submitted to the linux-yocto mailing list with the comments addressed. 
Cheers, Bruce > > Bruce > > >> >> since this change has entered wrlinux kernel cache, I hope we do not >> add the comment on .cfg >> >> >> -Roy >> >> >> >> >>> Bruce >>> >>> >>>> # >>>> # IP: Netfilter Configuration >>>> # >>>> CONFIG_NF_DEFRAG_IPV4=m >>>> CONFIG_NF_CONNTRACK_IPV4=m >>>> +CONFIG_NF_CONNTRACK_IPV6=m >>>> CONFIG_NF_CONNTRACK_PROC_COMPAT=y >>>> CONFIG_IP_NF_IPTABLES=m >>>> CONFIG_IP_NF_MATCH_AH=m >>>> >>>> >>> >>> >> > -- > _______________________________________________ > yocto mailing list > yocto@yoctoproject.org > https://lists.yoctoproject.org/listinfo/yocto > -- "Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end"
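Review bot: the three lines added after CONFIG_NETFILTER_XT_MATCH_U32=m and the added CONFIG_NF_CONNTRACK_IPV6=m carry no comment naming ufw as the consumer, so nothing in netfilter.cfg records why they are set and a later cleanup could drop them without noticing the firewall dependency. A one-line comment above each addition stating that ufw's default configuration needs it would cover that. The new entries are also appended after U32 rather than following the alphabetical order of the surrounding XT_MATCH lines (STATISTIC, STRING, TCPMSS, U32), and CONFIG_NETFILTER_XT_TARGET_LOG=m is a target placed at the end of the match options; if the file groups XT_TARGET entries elsewhere, it belongs there.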