502c8c1587
There is a pull request in the LKL repo adding firewall support (https://github.com/lkl/linux/pull/431). It simply enables the appropriate options in the kernel config, since the framework is already there. It has not been merged yet, because enabling these options by default would lead to bigger lkl binaries and an overall slowdown for all users. However, since we can provide an opt-in variant with firewall support, there is no reason not to do it. This is very useful for checking nftables rules without having access to the kernel interface.
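# Netfilter / nftables option fragment for an opt-in LKL build with firewall
# support. Every option below is requested as built-in (=y); none is modular.
#
# NOTE(review): a Kconfig fragment only requests symbols. A symbol whose
# dependencies are not satisfied by the base config does not survive config
# resolution, so compare the final .config against this list before relying
# on a feature for rule checking.
#
# NOTE(review): this enables the netfilter rule parsers and packet paths
# inside whatever process links the library kernel. If the rulesets being
# checked can come from an untrusted source, run the checker unprivileged
# and sandboxed, and consider trimming this list to the families and
# expressions the checker actually needs.

# --- Netfilter core ---
CONFIG_NETFILTER=y

# --- Connection tracking core and optional features ---
CONFIG_NF_CONNTRACK=y
CONFIG_NF_LOG_NETDEV=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y

# Conntrack helpers: these parse application-layer payloads to create
# expectations for related connections. On a filtering deployment they are
# best attached explicitly per rule (nftables "ct helper") rather than
# applied to all matching traffic; here they are presumably enabled so that
# rules referencing them can be loaded - confirm.
CONFIG_NF_CONNTRACK_AMANDA=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_H323=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=y
CONFIG_NF_CONNTRACK_SNMP=y
CONFIG_NF_CONNTRACK_PPTP=y
CONFIG_NF_CONNTRACK_SANE=y
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CONNTRACK_TFTP=y

# Netlink control interfaces for conntrack.
CONFIG_NF_CT_NETLINK=y
CONFIG_NF_CT_NETLINK_TIMEOUT=y
CONFIG_NF_CT_NETLINK_HELPER=y
CONFIG_NETFILTER_NETLINK_GLUE_CT=y

# --- nf_tables core, families and expressions ---
# NOTE(review): NF_TABLES_IPV4 / NF_TABLES_IPV6 are not listed explicitly;
# presumably they are pulled in through NF_TABLES_INET - verify in the
# resulting .config, since the per-family NFT_* options further down need them.
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NFT_NUMGEN=y
CONFIG_NFT_CT=y
CONFIG_NFT_COUNTER=y
CONFIG_NFT_CONNLIMIT=y
CONFIG_NFT_LOG=y
CONFIG_NFT_LIMIT=y
CONFIG_NFT_MASQ=y
CONFIG_NFT_REDIR=y
CONFIG_NFT_NAT=y
CONFIG_NFT_TUNNEL=y
CONFIG_NFT_OBJREF=y
CONFIG_NFT_QUEUE=y
CONFIG_NFT_QUOTA=y
CONFIG_NFT_REJECT=y
# nft_compat lets nftables rules use the x_tables matches and targets
# enabled further down, so it widens what a loaded ruleset can reach.
CONFIG_NFT_COMPAT=y
CONFIG_NFT_HASH=y
CONFIG_NFT_FIB_INET=y
CONFIG_NFT_SOCKET=y
CONFIG_NFT_OSF=y
CONFIG_NFT_TPROXY=y
CONFIG_NFT_SYNPROXY=y
CONFIG_NFT_DUP_NETDEV=y
CONFIG_NFT_FWD_NETDEV=y
CONFIG_NFT_FIB_NETDEV=y
CONFIG_NF_FLOW_TABLE_INET=y
CONFIG_NF_FLOW_TABLE=y

# --- x_tables targets (legacy iptables-style rule actions) ---
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_DSCP=y
CONFIG_NETFILTER_XT_TARGET_HMARK=y
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y
CONFIG_NETFILTER_XT_TARGET_LOG=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_TARGET_TEE=y
CONFIG_NETFILTER_XT_TARGET_TPROXY=y
CONFIG_NETFILTER_XT_TARGET_TRACE=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y

# --- x_tables matches ---
# BPF, STRING and U32 evaluate rule-supplied programs or patterns against
# packet contents; they are the matches most worth dropping if the checker
# does not need them.
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
CONFIG_NETFILTER_XT_MATCH_BPF=y
CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_CPU=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_IPCOMP=y
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
CONFIG_NETFILTER_XT_MATCH_L2TP=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_NFACCT=y
CONFIG_NETFILTER_XT_MATCH_OSF=y
CONFIG_NETFILTER_XT_MATCH_OWNER=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
CONFIG_NETFILTER_XT_MATCH_RATEEST=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_RECENT=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_SOCKET=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_TIME=y
CONFIG_NETFILTER_XT_MATCH_U32=y

# --- IPv4 / ARP: nf_tables family support ---
CONFIG_NFT_DUP_IPV4=y
CONFIG_NFT_FIB_IPV4=y
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_FLOW_TABLE_IPV4=y
CONFIG_NF_LOG_ARP=y

# --- IPv4: iptables tables, matches and targets ---
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_RPFILTER=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_SYNPROXY=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_CLUSTERIP=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_RAW=y

# --- ARP: arptables ---
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

# --- IPv6: nf_tables family support ---
CONFIG_NFT_DUP_IPV6=y
CONFIG_NFT_FIB_IPV6=y
CONFIG_NF_FLOW_TABLE_IPV6=y

# --- IPv6: ip6tables tables, matches and targets ---
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_AH=y
CONFIG_IP6_NF_MATCH_EUI64=y
CONFIG_IP6_NF_MATCH_FRAG=y
CONFIG_IP6_NF_MATCH_OPTS=y
CONFIG_IP6_NF_MATCH_HL=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_MATCH_MH=y
CONFIG_IP6_NF_MATCH_RPFILTER=y
CONFIG_IP6_NF_MATCH_RT=y
CONFIG_IP6_NF_MATCH_SRH=y
CONFIG_IP6_NF_TARGET_HL=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
CONFIG_IP6_NF_TARGET_SYNPROXY=y
CONFIG_IP6_NF_MANGLE=y
CONFIG_IP6_NF_RAW=y
CONFIG_IP6_NF_NAT=y
CONFIG_IP6_NF_TARGET_MASQUERADE=y
CONFIG_IP6_NF_TARGET_NPT=y

# --- Bridge connection tracking ---
# NOTE(review): presumably requires bridge support in the base config -
# confirm this symbol is present in the resulting .config.
CONFIG_NF_CONNTRACK_BRIDGE=y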