[yocto] [PATCH][yocto-kernel-cache] netfilter: enable several netfilter options

Bruce Ashfield bruce.ashfield at gmail.com
Mon Dec 7 14:17:28 PST 2015


On Tue, Dec 1, 2015 at 12:24 AM, Bruce Ashfield <bruce.ashfield at windriver.com> wrote:

> On 2015-11-30 8:08 PM, Rongqing Li wrote:
>
>>
>>
>> On 2015-11-30 13:22, Bruce Ashfield wrote:
>>
>>> On 2015-11-26 12:25 AM, rongqing.li at windriver.com wrote:
>>>
>>>> From: Roy Li <rongqing.li at windriver.com>
>>>>
>>>> The kernel options below are enabled:
>>>>      LOG target support
>>>>      IPv6 connection tracking support
>>>>      "addrtype" address type match support
>>>>      "recent" match support
>>>>
>>>> The default configuration of ufw (Uncomplicated Firewall) asks for them.
>>>>
>>>
>>> Like the other patch you submitted, this should go to the linux-yocto
>>> list, but I'll reply here, since this one needs a bit more tweaking.
>>>
>>>
>>>> Signed-off-by: Roy Li <rongqing.li at windriver.com>
>>>> ---
>>>>   features/netfilter/netfilter.cfg | 4 ++++
>>>>   1 file changed, 4 insertions(+)
>>>>
>>>> diff --git a/features/netfilter/netfilter.cfg
>>>> b/features/netfilter/netfilter.cfg
>>>> index 8ecef4a..7bb8490 100644
>>>> --- a/features/netfilter/netfilter.cfg
>>>> +++ b/features/netfilter/netfilter.cfg
>>>> @@ -62,12 +62,16 @@ CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
>>>>   CONFIG_NETFILTER_XT_MATCH_STRING=m
>>>>   CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
>>>>   CONFIG_NETFILTER_XT_MATCH_U32=m
>>>> +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
>>>> +CONFIG_NETFILTER_XT_MATCH_RECENT=m
>>>> +CONFIG_NETFILTER_XT_TARGET_LOG=m
>>>>
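Review bot: the three added lines (CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m, CONFIG_NETFILTER_XT_MATCH_RECENT=m, CONFIG_NETFILTER_XT_TARGET_LOG=m) carry no record of why they are there, which is the gap the review asks about: a later cleanup of this fragment could drop them without knowing ufw's default ruleset depends on them. Put a comment directly above them, e.g. `# Required by ufw's default rules (addrtype/recent matches, LOG target)`, or move the ufw-specific ones into a ufw fragment that includes netfilter.scc. Style point in the same hunk: the two XT_MATCH lines are appended after CONFIG_NETFILTER_XT_MATCH_U32=m, breaking the alphabetical order that STATISTIC, STRING, TCPMSS, U32 keep; insert ADDRTYPE and RECENT where they sort, and group the TARGET_LOG line with the other XT_TARGET entries if the fragment has such a group. Lastly, these xt matches are gated on NETFILTER_ADVANCED in Kconfig, which this hunk does not show; the existing STRING and U32 lines sit behind the same gate so it is probably already set, but check the merged .config (or the linux-yocto config audit output) to confirm the three new options survive rather than being silently dropped.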
>>>
>>> Adding these are fine, but if ufw needs these extra options, we should
>>> also have a ufw.scc/.cfg fragment that can be triggered when ufw is
>>> being built.
>>>
>>> So either create that fragment and inside it, document the NF options
>>> it needs, and have ufw include netfilter.scc to get the options you
>>> are adding above.
>>>
>>> or .. at the very least, put comments in the .cfg file above the
>>> options indicating that they are required for ufw.
>>>
>>
>> I think the two configurations below are more basic, not specific to
>> ufw, and netfilter.cfg lost them.
>> CONFIG_NETFILTER_XT_TARGET_LOG=m
>> CONFIG_NF_CONNTRACK_IPV6=m
>>
>
> Sure, but we still don't have anything within the fragments or
> their descriptions that document what ufw is looking for, which
> means we could remove them in the feature and unknowingly break
> that functionality.
>
> You can still add those options to the netfilter config, but we'd
> be wise to add those comments, or create a ufw.scc file that (for
> now), simply includes netfilter.scc and indicates that ufw requires
> the options as they are in that config.
>

ping.

And just so we are clear, I haven't merged this yet, and it should be
re-submitted to the linux-yocto mailing list with the comments addressed.

Cheers,

Bruce


>
> Bruce
>
>
>>
>> Since this change has entered the wrlinux kernel cache, I hope we do not
>> add the comment to the .cfg.
>>
>>
>> -Roy
>>
>>
>>
>>
>>> Bruce
>>>
>>>
>>>>   #
>>>>   # IP: Netfilter Configuration
>>>>   #
>>>>   CONFIG_NF_DEFRAG_IPV4=m
>>>>   CONFIG_NF_CONNTRACK_IPV4=m
>>>> +CONFIG_NF_CONNTRACK_IPV6=m
>>>>   CONFIG_NF_CONNTRACK_PROC_COMPAT=y
>>>>   CONFIG_IP_NF_IPTABLES=m
>>>>   CONFIG_IP_NF_MATCH_AH=m
>>>>
>>>>
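Review bot: CONFIG_NF_CONNTRACK_IPV6=m is inserted under the `# IP: Netfilter Configuration` heading, between CONFIG_NF_CONNTRACK_IPV4=m and CONFIG_NF_CONNTRACK_PROC_COMPAT=y, i.e. in the IPv4 block, where anyone scanning the fragment for IPv6 conntrack will not look for it. Move it to the IPv6 netfilter section of the fragment (next to the IP6_NF_IPTABLES entry, if the fragment has one; this hunk does not show whether it does). The IPv4 block pairs NF_DEFRAG_IPV4 with NF_CONNTRACK_IPV4; if the IPv6 side is meant to mirror that, either add the matching NF_DEFRAG_IPV6 line for symmetry or note in a comment that Kconfig selects it from NF_CONNTRACK_IPV6, and confirm NF_CONNTRACK and IPV6 are enabled in the merged config so the option is not dropped. Same documentation ask as for the earlier lines: the reply argues this one is generic rather than ufw-specific, which is fine, but the commit message says ufw's defaults rely on it, so a one-line comment recording that costs nothing and protects it from a later removal.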
>>>
>>>
>>
> --
> _______________________________________________
> yocto mailing list
> yocto at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>



-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end"
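As an added illustration of the ufw.scc route suggested in the reply above (this is an example written for this page, not a fragment from the thread or from yocto-kernel-cache; the feature path features/ufw/ufw.scc, the description string and the comment wording are assumptions), the fragment would for now only pull in the existing netfilter feature and record which of its options ufw's default rules rely on:

```text
# features/ufw/ufw.scc  (assumed path; example only, not from yocto-kernel-cache)
define KFEATURE_DESCRIPTION "netfilter options required by ufw's default ruleset"
define KFEATURE_COMPATIBILITY all

# ufw needs nothing beyond netfilter.scc today, but its default rules use the
# following options from features/netfilter/netfilter.cfg, so keep them there:
#   CONFIG_NETFILTER_XT_TARGET_LOG=m        (LOG target)
#   CONFIG_NF_CONNTRACK_IPV6=m              (IPv6 connection tracking)
#   CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m    ("addrtype" match)
#   CONFIG_NETFILTER_XT_MATCH_RECENT=m      ("recent" match)
include features/netfilter/netfilter.scc
```

A build that ships ufw would then enable the feature through KERNEL_FEATURES in the kernel recipe's bbappend or the machine configuration (for the syntax of that era, `KERNEL_FEATURES_append = " features/ufw/ufw.scc"`), and a later attempt to remove one of the listed options from netfilter.cfg gets a grep hit pointing at the consumer that needs it.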