[yocto] [PATCH][yocto-kernel-cache] netfilter: enable several netfilter options
Rongqing Li
rongqing.li at windriver.com
Mon Nov 30 17:08:22 PST 2015
On 2015-11-30 13:22, Bruce Ashfield wrote:
> On 2015-11-26 12:25 AM, rongqing.li at windriver.com wrote:
>> From: Roy Li <rongqing.li at windriver.com>
>>
>> the below kernel options are enabled:
>> LOG target support
>> IPv6 connection tracking support,
>> "addrtype" address type match support
>> "recent" match support
>>
>> The default configuration of ufw (Uncomplicated Firewall) asks for them.
>
> Like the other patch you submitted, this should go to the linux-yocto
> list, but I'll reply here, since this one needs a bit more tweaking.
>
>>
>> Signed-off-by: Roy Li <rongqing.li at windriver.com>
>> ---
>> features/netfilter/netfilter.cfg | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/features/netfilter/netfilter.cfg
>> b/features/netfilter/netfilter.cfg
>> index 8ecef4a..7bb8490 100644
>> --- a/features/netfilter/netfilter.cfg
>> +++ b/features/netfilter/netfilter.cfg
>> @@ -62,12 +62,16 @@ CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
>> CONFIG_NETFILTER_XT_MATCH_STRING=m
>> CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
>> CONFIG_NETFILTER_XT_MATCH_U32=m
>> +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
>> +CONFIG_NETFILTER_XT_MATCH_RECENT=m
>> +CONFIG_NETFILTER_XT_TARGET_LOG=m
>
> Adding these is fine, but if ufw needs these extra options, we should
> also have a ufw.scc/.cfg fragment that can be triggered when ufw is
> being built.
>
> So either create that fragment and inside it, document the NF options
> it needs, and have ufw include netfilter.scc to get the options you
> are adding above.
>
> or .. at the very least, put comments in the .cfg file above the
> options indicating that they are required for ufw.

I think the below two configurations are more basic, not specific to
ufw, and netfilter.cfg lost them:

CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NF_CONNTRACK_IPV6=m

Since this change has entered the wrlinux kernel cache, I hope we do not
add the comment to the .cfg.

-Roy

>
> Bruce
>
>>
>> #
>> # IP: Netfilter Configuration
>> #
>> CONFIG_NF_DEFRAG_IPV4=m
>> CONFIG_NF_CONNTRACK_IPV4=m
>> +CONFIG_NF_CONNTRACK_IPV6=m
>> CONFIG_NF_CONNTRACK_PROC_COMPAT=y
>> CONFIG_IP_NF_IPTABLES=m
>> CONFIG_IP_NF_MATCH_AH=m
>>
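
Review bot: The three additions after CONFIG_NETFILTER_XT_MATCH_U32 break the alphabetical order that the visible context follows (STATISTIC, STRING, TCPMSS, U32), and CONFIG_NETFILTER_XT_TARGET_LOG is a target appended to a run of XT_MATCH entries. Suggest sorting ADDRTYPE and RECENT into place among the matches and putting the LOG target with any other XT_TARGET entries the file has. CONFIG_NF_CONNTRACK_IPV6=m is inserted under the "IP: Netfilter Configuration" header between IPv4 options, so a reader scanning that section for IPv6 settings has no heading to find it by. Nothing in the fragment records why these four were added; the ufw dependency is stated only in the commit message, so a one-line comment above the new options (or a separate ufw fragment that documents them) would keep that reason next to the config.
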
>
>
--
Best Regards,
Roy | RongQing Li
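
Added example, not part of the original thread and not code from yocto-kernel-cache: a small shell check that reports which of the four options named in the patch are neither =y nor =m in a kernel .config, so an image that ships ufw can be checked before its default rules fail to load. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: function names and sample data are hypothetical.

# The four options the patch adds, copied from the diff in this thread.
UFW_OPTS="CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
CONFIG_NETFILTER_XT_MATCH_RECENT
CONFIG_NETFILTER_XT_TARGET_LOG
CONFIG_NF_CONNTRACK_IPV6"

# Constructed sample .config excerpt: three options built as modules,
# IPv6 connection tracking left unset.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
# CONFIG_NF_CONNTRACK_IPV6 is not set
CONFIG_NF_CONNTRACK_IPV4=m
EOF
}

# opt_state FILE OPTION
# Prints y or m when the option is enabled, n when it is absent or
# "is not set". The last assignment in the file wins.
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# missing_opts FILE
# Prints each option from UFW_OPTS that is not enabled, one per line,
# and returns non-zero when at least one is missing.
missing_opts() {
    rc=0
    for opt in $UFW_OPTS; do
        if [ "$(opt_state "$1" "$opt")" = n ]; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check.sh /path/to/.config  (with no argument, only defines functions)
if [ "$#" -gt 0 ]; then missing_opts "$1" || exit 1; fi
```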