Enable all nf tables features in the kernel

Signed-off-by: Kyle Harding <kyle@balena.io>
balena-io-experimental · Mar 12, 2024 · de02064 · de02064
1 parent cf2340e
commit de02064
Show file tree

Hide file tree

Showing 4 changed files with 184 additions and 118 deletions.
diff --git a/vmlinux/5.10/microvm-kernel-arm64-5.10.config b/vmlinux/5.10/microvm-kernel-arm64-5.10.config
@@ -960,13 +960,15 @@ CONFIG_BRIDGE_NETFILTER=y
 CONFIG_NETFILTER_INGRESS=y
 CONFIG_NETFILTER_NETLINK=y
 CONFIG_NETFILTER_FAMILY_BRIDGE=y
+CONFIG_NETFILTER_FAMILY_ARP=y
 # CONFIG_NETFILTER_NETLINK_ACCT is not set
 # CONFIG_NETFILTER_NETLINK_QUEUE is not set
 # CONFIG_NETFILTER_NETLINK_LOG is not set
-# CONFIG_NETFILTER_NETLINK_OSF is not set
+CONFIG_NETFILTER_NETLINK_OSF=y
 CONFIG_NF_CONNTRACK=y
 CONFIG_NF_LOG_COMMON=y
 # CONFIG_NF_LOG_NETDEV is not set
+CONFIG_NETFILTER_CONNCOUNT=y
 CONFIG_NF_CONNTRACK_MARK=y
 CONFIG_NF_CONNTRACK_SECMARK=y
 # CONFIG_NF_CONNTRACK_ZONES is not set
@@ -995,28 +997,35 @@ CONFIG_NF_NAT_REDIRECT=y
 CONFIG_NF_NAT_MASQUERADE=y
 CONFIG_NETFILTER_SYNPROXY=y
 CONFIG_NF_TABLES=y
-# CONFIG_NF_TABLES_INET is not set
-# CONFIG_NF_TABLES_NETDEV is not set
-# CONFIG_NFT_NUMGEN is not set
-# CONFIG_NFT_CT is not set
-# CONFIG_NFT_COUNTER is not set
-# CONFIG_NFT_CONNLIMIT is not set
-# CONFIG_NFT_LOG is not set
-# CONFIG_NFT_LIMIT is not set
-# CONFIG_NFT_MASQ is not set
-# CONFIG_NFT_REDIR is not set
-# CONFIG_NFT_TUNNEL is not set
-# CONFIG_NFT_OBJREF is not set
-# CONFIG_NFT_QUOTA is not set
-# CONFIG_NFT_REJECT is not set
-# CONFIG_NFT_COMPAT is not set
-# CONFIG_NFT_HASH is not set
-# CONFIG_NFT_XFRM is not set
-# CONFIG_NFT_SOCKET is not set
-# CONFIG_NFT_OSF is not set
-# CONFIG_NFT_TPROXY is not set
-# CONFIG_NFT_SYNPROXY is not set
-# CONFIG_NF_FLOW_TABLE is not set
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_NUMGEN=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_FLOW_OFFLOAD=y
+CONFIG_NFT_COUNTER=y
+CONFIG_NFT_CONNLIMIT=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_TUNNEL=y
+CONFIG_NFT_OBJREF=y
+CONFIG_NFT_QUOTA=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_REJECT_INET=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NFT_HASH=y
+CONFIG_NFT_XFRM=y
+CONFIG_NFT_SOCKET=y
+CONFIG_NFT_OSF=y
+CONFIG_NFT_TPROXY=y
+CONFIG_NFT_SYNPROXY=y
+CONFIG_NF_DUP_NETDEV=y
+CONFIG_NFT_DUP_NETDEV=y
+CONFIG_NFT_FWD_NETDEV=y
+CONFIG_NF_FLOW_TABLE_INET=y
+CONFIG_NF_FLOW_TABLE=y
 CONFIG_NETFILTER_XTABLES=y
 
 #
@@ -1109,10 +1118,14 @@ CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
 # IP: Netfilter Configuration
 #
 CONFIG_NF_DEFRAG_IPV4=y
-# CONFIG_NF_SOCKET_IPV4 is not set
-# CONFIG_NF_TPROXY_IPV4 is not set
-# CONFIG_NF_TABLES_IPV4 is not set
-# CONFIG_NF_TABLES_ARP is not set
+CONFIG_NF_SOCKET_IPV4=y
+CONFIG_NF_TPROXY_IPV4=y
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NFT_REJECT_IPV4=y
+# CONFIG_NFT_DUP_IPV4 is not set
+# CONFIG_NFT_FIB_IPV4 is not set
+CONFIG_NF_TABLES_ARP=y
+# CONFIG_NF_FLOW_TABLE_IPV4 is not set
 # CONFIG_NF_DUP_IPV4 is not set
 CONFIG_NF_LOG_ARP=y
 CONFIG_NF_LOG_IPV4=y
@@ -1141,17 +1154,24 @@ CONFIG_IP_NF_MANGLE=y
 #
 # IPv6: Netfilter Configuration
 #
-# CONFIG_NF_SOCKET_IPV6 is not set
-# CONFIG_NF_TPROXY_IPV6 is not set
-# CONFIG_NF_TABLES_IPV6 is not set
+CONFIG_NF_SOCKET_IPV6=y
+CONFIG_NF_TPROXY_IPV6=y
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NFT_REJECT_IPV6=y
+# CONFIG_NFT_DUP_IPV6 is not set
+# CONFIG_NFT_FIB_IPV6 is not set
+# CONFIG_NF_FLOW_TABLE_IPV6 is not set
 # CONFIG_NF_DUP_IPV6 is not set
-# CONFIG_NF_REJECT_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
 # CONFIG_NF_LOG_IPV6 is not set
 # CONFIG_IP6_NF_IPTABLES is not set
 # end of IPv6: Netfilter Configuration
 
 CONFIG_NF_DEFRAG_IPV6=y
-# CONFIG_NF_TABLES_BRIDGE is not set
+CONFIG_NF_TABLES_BRIDGE=y
+# CONFIG_NFT_BRIDGE_META is not set
+# CONFIG_NFT_BRIDGE_REJECT is not set
+# CONFIG_NF_LOG_BRIDGE is not set
 # CONFIG_NF_CONNTRACK_BRIDGE is not set
 # CONFIG_BRIDGE_NF_EBTABLES is not set
 # CONFIG_BPFILTER is not set
@@ -1257,6 +1277,7 @@ CONFIG_NET_CLS_ACT=y
 # CONFIG_NET_ACT_SKBMOD is not set
 # CONFIG_NET_ACT_IFE is not set
 # CONFIG_NET_ACT_TUNNEL_KEY is not set
+# CONFIG_NET_ACT_CT is not set
 # CONFIG_NET_ACT_GATE is not set
 # CONFIG_NET_TC_SKB_EXT is not set
 CONFIG_NET_SCH_FIFO=y

diff --git a/vmlinux/5.10/microvm-kernel-x86_64-5.10.config b/vmlinux/5.10/microvm-kernel-x86_64-5.10.config
@@ -990,10 +990,11 @@ CONFIG_NETFILTER_FAMILY_BRIDGE=y
 # CONFIG_NETFILTER_NETLINK_ACCT is not set
 # CONFIG_NETFILTER_NETLINK_QUEUE is not set
 # CONFIG_NETFILTER_NETLINK_LOG is not set
-# CONFIG_NETFILTER_NETLINK_OSF is not set
+CONFIG_NETFILTER_NETLINK_OSF=y
 CONFIG_NF_CONNTRACK=y
 CONFIG_NF_LOG_COMMON=y
 # CONFIG_NF_LOG_NETDEV is not set
+CONFIG_NETFILTER_CONNCOUNT=y
 CONFIG_NF_CONNTRACK_MARK=y
 CONFIG_NF_CONNTRACK_SECMARK=y
 # CONFIG_NF_CONNTRACK_ZONES is not set
@@ -1022,28 +1023,35 @@ CONFIG_NF_NAT_REDIRECT=y
 CONFIG_NF_NAT_MASQUERADE=y
 CONFIG_NETFILTER_SYNPROXY=y
 CONFIG_NF_TABLES=y
-# CONFIG_NF_TABLES_INET is not set
-# CONFIG_NF_TABLES_NETDEV is not set
-# CONFIG_NFT_NUMGEN is not set
-# CONFIG_NFT_CT is not set
-# CONFIG_NFT_COUNTER is not set
-# CONFIG_NFT_CONNLIMIT is not set
-# CONFIG_NFT_LOG is not set
-# CONFIG_NFT_LIMIT is not set
-# CONFIG_NFT_MASQ is not set
-# CONFIG_NFT_REDIR is not set
-# CONFIG_NFT_TUNNEL is not set
-# CONFIG_NFT_OBJREF is not set
-# CONFIG_NFT_QUOTA is not set
-# CONFIG_NFT_REJECT is not set
-# CONFIG_NFT_COMPAT is not set
-# CONFIG_NFT_HASH is not set
-# CONFIG_NFT_XFRM is not set
-# CONFIG_NFT_SOCKET is not set
-# CONFIG_NFT_OSF is not set
-# CONFIG_NFT_TPROXY is not set
-# CONFIG_NFT_SYNPROXY is not set
-# CONFIG_NF_FLOW_TABLE is not set
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_NUMGEN=y
+CONFIG_NFT_CT=y
+# CONFIG_NFT_FLOW_OFFLOAD is not set
+CONFIG_NFT_COUNTER=y
+CONFIG_NFT_CONNLIMIT=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_TUNNEL=y
+CONFIG_NFT_OBJREF=y
+CONFIG_NFT_QUOTA=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_REJECT_INET=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NFT_HASH=y
+CONFIG_NFT_XFRM=y
+CONFIG_NFT_SOCKET=y
+CONFIG_NFT_OSF=y
+CONFIG_NFT_TPROXY=y
+CONFIG_NFT_SYNPROXY=y
+CONFIG_NF_DUP_NETDEV=y
+CONFIG_NFT_DUP_NETDEV=y
+CONFIG_NFT_FWD_NETDEV=y
+# CONFIG_NF_FLOW_TABLE_INET is not set
+CONFIG_NF_FLOW_TABLE=y
 CONFIG_NETFILTER_XTABLES=y
 
 #
@@ -1136,10 +1144,14 @@ CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
 # IP: Netfilter Configuration
 #
 CONFIG_NF_DEFRAG_IPV4=y
-# CONFIG_NF_SOCKET_IPV4 is not set
-# CONFIG_NF_TPROXY_IPV4 is not set
-# CONFIG_NF_TABLES_IPV4 is not set
+CONFIG_NF_SOCKET_IPV4=y
+CONFIG_NF_TPROXY_IPV4=y
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NFT_REJECT_IPV4=y
+# CONFIG_NFT_DUP_IPV4 is not set
+# CONFIG_NFT_FIB_IPV4 is not set
 # CONFIG_NF_TABLES_ARP is not set
+# CONFIG_NF_FLOW_TABLE_IPV4 is not set
 # CONFIG_NF_DUP_IPV4 is not set
 CONFIG_NF_LOG_ARP=y
 CONFIG_NF_LOG_IPV4=y
@@ -1168,11 +1180,15 @@ CONFIG_IP_NF_MANGLE=y
 #
 # IPv6: Netfilter Configuration
 #
-# CONFIG_NF_SOCKET_IPV6 is not set
-# CONFIG_NF_TPROXY_IPV6 is not set
-# CONFIG_NF_TABLES_IPV6 is not set
+CONFIG_NF_SOCKET_IPV6=y
+CONFIG_NF_TPROXY_IPV6=y
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NFT_REJECT_IPV6=y
+# CONFIG_NFT_DUP_IPV6 is not set
+# CONFIG_NFT_FIB_IPV6 is not set
+# CONFIG_NF_FLOW_TABLE_IPV6 is not set
 # CONFIG_NF_DUP_IPV6 is not set
-# CONFIG_NF_REJECT_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
 # CONFIG_NF_LOG_IPV6 is not set
 # CONFIG_IP6_NF_IPTABLES is not set
 # end of IPv6: Netfilter Configuration
@@ -1284,6 +1300,7 @@ CONFIG_NET_CLS_ACT=y
 # CONFIG_NET_ACT_SKBMOD is not set
 # CONFIG_NET_ACT_IFE is not set
 # CONFIG_NET_ACT_TUNNEL_KEY is not set
+# CONFIG_NET_ACT_CT is not set
 # CONFIG_NET_ACT_GATE is not set
 # CONFIG_NET_TC_SKB_EXT is not set
 CONFIG_NET_SCH_FIFO=y

diff --git a/vmlinux/6.1/microvm-kernel-arm64-6.1.config b/vmlinux/6.1/microvm-kernel-arm64-6.1.config
@@ -1002,9 +1002,10 @@ CONFIG_NETFILTER_FAMILY_BRIDGE=y
 # CONFIG_NETFILTER_NETLINK_ACCT is not set
 # CONFIG_NETFILTER_NETLINK_QUEUE is not set
 # CONFIG_NETFILTER_NETLINK_LOG is not set
-# CONFIG_NETFILTER_NETLINK_OSF is not set
+CONFIG_NETFILTER_NETLINK_OSF=y
 CONFIG_NF_CONNTRACK=y
 CONFIG_NF_LOG_SYSLOG=y
+CONFIG_NETFILTER_CONNCOUNT=y
 CONFIG_NF_CONNTRACK_MARK=y
 CONFIG_NF_CONNTRACK_SECMARK=y
 # CONFIG_NF_CONNTRACK_ZONES is not set
@@ -1033,26 +1034,32 @@ CONFIG_NF_NAT_REDIRECT=y
 CONFIG_NF_NAT_MASQUERADE=y
 CONFIG_NETFILTER_SYNPROXY=y
 CONFIG_NF_TABLES=y
-# CONFIG_NF_TABLES_INET is not set
-# CONFIG_NF_TABLES_NETDEV is not set
-# CONFIG_NFT_NUMGEN is not set
-# CONFIG_NFT_CT is not set
-# CONFIG_NFT_CONNLIMIT is not set
-# CONFIG_NFT_LOG is not set
-# CONFIG_NFT_LIMIT is not set
-# CONFIG_NFT_MASQ is not set
-# CONFIG_NFT_REDIR is not set
-# CONFIG_NFT_TUNNEL is not set
-# CONFIG_NFT_OBJREF is not set
-# CONFIG_NFT_QUOTA is not set
-# CONFIG_NFT_REJECT is not set
-# CONFIG_NFT_COMPAT is not set
-# CONFIG_NFT_HASH is not set
-# CONFIG_NFT_XFRM is not set
-# CONFIG_NFT_SOCKET is not set
-# CONFIG_NFT_OSF is not set
-# CONFIG_NFT_TPROXY is not set
-# CONFIG_NFT_SYNPROXY is not set
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_NUMGEN=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_CONNLIMIT=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_TUNNEL=y
+CONFIG_NFT_OBJREF=y
+CONFIG_NFT_QUOTA=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_REJECT_INET=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NFT_HASH=y
+CONFIG_NFT_XFRM=y
+CONFIG_NFT_SOCKET=y
+CONFIG_NFT_OSF=y
+CONFIG_NFT_TPROXY=y
+CONFIG_NFT_SYNPROXY=y
+CONFIG_NF_DUP_NETDEV=y
+CONFIG_NFT_DUP_NETDEV=y
+CONFIG_NFT_FWD_NETDEV=y
+CONFIG_NFT_REJECT_NETDEV=y
 # CONFIG_NF_FLOW_TABLE is not set
 CONFIG_NETFILTER_XTABLES=y
 CONFIG_NETFILTER_XTABLES_COMPAT=y
@@ -1147,9 +1154,12 @@ CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
 # IP: Netfilter Configuration
 #
 CONFIG_NF_DEFRAG_IPV4=y
-# CONFIG_NF_SOCKET_IPV4 is not set
-# CONFIG_NF_TPROXY_IPV4 is not set
-# CONFIG_NF_TABLES_IPV4 is not set
+CONFIG_NF_SOCKET_IPV4=y
+CONFIG_NF_TPROXY_IPV4=y
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NFT_REJECT_IPV4=y
+# CONFIG_NFT_DUP_IPV4 is not set
+# CONFIG_NFT_FIB_IPV4 is not set
 # CONFIG_NF_TABLES_ARP is not set
 # CONFIG_NF_DUP_IPV4 is not set
 CONFIG_NF_LOG_ARP=y
@@ -1179,11 +1189,14 @@ CONFIG_IP_NF_MANGLE=y
 #
 # IPv6: Netfilter Configuration
 #
-# CONFIG_NF_SOCKET_IPV6 is not set
-# CONFIG_NF_TPROXY_IPV6 is not set
-# CONFIG_NF_TABLES_IPV6 is not set
+CONFIG_NF_SOCKET_IPV6=y
+CONFIG_NF_TPROXY_IPV6=y
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NFT_REJECT_IPV6=y
+# CONFIG_NFT_DUP_IPV6 is not set
+# CONFIG_NFT_FIB_IPV6 is not set
 # CONFIG_NF_DUP_IPV6 is not set
-# CONFIG_NF_REJECT_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
 # CONFIG_NF_LOG_IPV6 is not set
 # CONFIG_IP6_NF_IPTABLES is not set
 # end of IPv6: Netfilter Configuration
@@ -1583,6 +1596,7 @@ CONFIG_NET_CORE=y
 # CONFIG_DUMMY is not set
 # CONFIG_WIREGUARD is not set
 # CONFIG_EQUALIZER is not set
+# CONFIG_IFB is not set
 # CONFIG_NET_TEAM is not set
 # CONFIG_MACVLAN is not set
 # CONFIG_IPVLAN is not set