
Commit 2b0825a

author
tabris
committed
armbian build machinery - force all iptables/nftables to be built
1 parent 69f068f commit 2b0825a


1 file changed

+179
-55
lines changed


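--- a/lib/functions/compilation/armbian-kernel.sh
+++ b/lib/functions/compilation/armbian-kernel.sh
@@ -191,6 +191,185 @@ function armbian_kernel_config__enable_zram_support() {
 fi
 }
 
+# Enables almost all IPTABLES/NFTABLES options as modules [whilst
+# allowing them to be built-in]. no particular modules are intentionally
+# excluded, but this author doesn't want to claim it's 100.00%
+# comprehensive, in case more are added or some oversight is found.
+# split in part from armbian_kernel_config__enable_docker_support.
+#
+function armbian_kernel_config__select_nftables() {
+if [[ -f .config ]]; then
+kernel_config_set_m BRIDGE_NETFILTER
+kernel_config_set_m IP6_NF_FILTER
+kernel_config_set_m IP6_NF_IPTABLES_LEGACY
+kernel_config_set_m IP6_NF_IPTABLES
+kernel_config_set_m IP6_NF_MANGLE
+kernel_config_set_m IP6_NF_MATCH_AH
+kernel_config_set_m IP6_NF_MATCH_EUI64
+kernel_config_set_m IP6_NF_MATCH_FRAG
+kernel_config_set_m IP6_NF_MATCH_HL
+kernel_config_set_m IP6_NF_MATCH_IPV6HEADER
+kernel_config_set_m IP6_NF_MATCH_MH
+kernel_config_set_m IP6_NF_MATCH_OPTS
+kernel_config_set_m IP6_NF_MATCH_RPFILTER
+kernel_config_set_m IP6_NF_MATCH_RT
+kernel_config_set_m IP6_NF_MATCH_SRH
+kernel_config_set_m IP6_NF_NAT
+kernel_config_set_m IP6_NF_RAW
+kernel_config_set_m IP6_NF_SECURITY
+kernel_config_set_m IP6_NF_TARGET_HL
+kernel_config_set_m IP6_NF_TARGET_MASQUERADE
+kernel_config_set_m IP6_NF_TARGET_NPT
+kernel_config_set_m IP6_NF_TARGET_REJECT
+kernel_config_set_m IP6_NF_TARGET_SYNPROXY
+kernel_config_set_m IP_NF_IPTABLES_LEGACY
+kernel_config_set_m IP_NF_IPTABLES
+kernel_config_set_m NET_ACT_IPT
+kernel_config_set_m NET_EMATCH_IPT
+kernel_config_set_y NETFILTER_ADVANCED
+kernel_config_set_y NETFILTER_BPF_LINK
+kernel_config_set_m NETFILTER_CONNCOUNT
+kernel_config_set_y NETFILTER_EGRESS
+kernel_config_set_y NETFILTER_FAMILY_ARP
+kernel_config_set_y NETFILTER_FAMILY_BRIDGE
+kernel_config_set_y NETFILTER_INGRESS
+kernel_config_set_m NETFILTER_NETLINK_ACCT
+kernel_config_set_y NETFILTER_NETLINK_GLUE_CT
+kernel_config_set_m NETFILTER_NETLINK_HOOK
+kernel_config_set_m NETFILTER_NETLINK_LOG
+kernel_config_set_m NETFILTER_NETLINK
+kernel_config_set_m NETFILTER_NETLINK_OSF
+kernel_config_set_m NETFILTER_NETLINK_QUEUE
+kernel_config_set_m NETFILTER_SYNPROXY
+kernel_config_set_y NETFILTER_XTABLES_COMPAT
+kernel_config_set_m NETFILTER_XTABLES
+kernel_config_set_m NETFILTER_XT_CONNMARK
+kernel_config_set_m NETFILTER_XT_MARK
+kernel_config_set_m NETFILTER_XT_MATCH_ADDRTYPE
+kernel_config_set_m NETFILTER_XT_MATCH_BPF
+kernel_config_set_m NETFILTER_XT_MATCH_CGROUP
+kernel_config_set_m NETFILTER_XT_MATCH_CLUSTER
+kernel_config_set_m NETFILTER_XT_MATCH_COMMENT
+kernel_config_set_m NETFILTER_XT_MATCH_CONNBYTES
+kernel_config_set_m NETFILTER_XT_MATCH_CONNLABEL
+kernel_config_set_m NETFILTER_XT_MATCH_CONNLIMIT
+kernel_config_set_m NETFILTER_XT_MATCH_CONNMARK
+kernel_config_set_m NETFILTER_XT_MATCH_CONNTRACK
+kernel_config_set_m NETFILTER_XT_MATCH_CPU
+kernel_config_set_m NETFILTER_XT_MATCH_DCCP
+kernel_config_set_m NETFILTER_XT_MATCH_DEVGROUP
+kernel_config_set_m NETFILTER_XT_MATCH_DSCP
+kernel_config_set_m NETFILTER_XT_MATCH_ECN
+kernel_config_set_m NETFILTER_XT_MATCH_ESP
+kernel_config_set_m NETFILTER_XT_MATCH_HASHLIMIT
+kernel_config_set_m NETFILTER_XT_MATCH_HELPER
+kernel_config_set_m NETFILTER_XT_MATCH_HL
+kernel_config_set_m NETFILTER_XT_MATCH_IPCOMP
+kernel_config_set_m NETFILTER_XT_MATCH_IPRANGE
+kernel_config_set_m NETFILTER_XT_MATCH_IPVS
+kernel_config_set_m NETFILTER_XT_MATCH_L2TP
+kernel_config_set_m NETFILTER_XT_MATCH_LENGTH
+kernel_config_set_m NETFILTER_XT_MATCH_LIMIT
+kernel_config_set_m NETFILTER_XT_MATCH_MAC
+kernel_config_set_m NETFILTER_XT_MATCH_MARK
+kernel_config_set_m NETFILTER_XT_MATCH_MULTIPORT
+kernel_config_set_m NETFILTER_XT_MATCH_NFACCT
+kernel_config_set_m NETFILTER_XT_MATCH_OSF
+kernel_config_set_m NETFILTER_XT_MATCH_OWNER
+kernel_config_set_m NETFILTER_XT_MATCH_PHYSDEV
+kernel_config_set_m NETFILTER_XT_MATCH_PKTTYPE
+kernel_config_set_m NETFILTER_XT_MATCH_POLICY
+kernel_config_set_m NETFILTER_XT_MATCH_QUOTA
+kernel_config_set_m NETFILTER_XT_MATCH_RATEEST
+kernel_config_set_m NETFILTER_XT_MATCH_REALM
+kernel_config_set_m NETFILTER_XT_MATCH_RECENT
+kernel_config_set_m NETFILTER_XT_MATCH_SCTP
+kernel_config_set_m NETFILTER_XT_MATCH_SOCKET
+kernel_config_set_m NETFILTER_XT_MATCH_STATE
+kernel_config_set_m NETFILTER_XT_MATCH_STATISTIC
+kernel_config_set_m NETFILTER_XT_MATCH_STRING
+kernel_config_set_m NETFILTER_XT_MATCH_TCPMSS
+kernel_config_set_m NETFILTER_XT_MATCH_TIME
+kernel_config_set_m NETFILTER_XT_MATCH_U32
+kernel_config_set_m NETFILTER_XT_NAT
+kernel_config_set_m NETFILTER_XT_SET
+kernel_config_set_m NETFILTER_XT_TARGET_AUDIT
+kernel_config_set_m NETFILTER_XT_TARGET_CHECKSUM
+kernel_config_set_m NETFILTER_XT_TARGET_CLASSIFY
+kernel_config_set_m NETFILTER_XT_TARGET_CONNMARK
+kernel_config_set_m NETFILTER_XT_TARGET_CONNSECMARK
+kernel_config_set_m NETFILTER_XT_TARGET_CT
+kernel_config_set_m NETFILTER_XT_TARGET_DSCP
+kernel_config_set_m NETFILTER_XT_TARGET_FLOWOFFLOAD
+kernel_config_set_m NETFILTER_XT_TARGET_HL
+kernel_config_set_m NETFILTER_XT_TARGET_HMARK
+kernel_config_set_m NETFILTER_XT_TARGET_IDLETIMER
+kernel_config_set_m NETFILTER_XT_TARGET_LED
+kernel_config_set_m NETFILTER_XT_TARGET_LOG
+kernel_config_set_m NETFILTER_XT_TARGET_MARK
+kernel_config_set_m NETFILTER_XT_TARGET_MASQUERADE
+kernel_config_set_m NETFILTER_XT_TARGET_NETMAP
+kernel_config_set_m NETFILTER_XT_TARGET_NFLOG
+kernel_config_set_m NETFILTER_XT_TARGET_NFQUEUE
+kernel_config_set_m NETFILTER_XT_TARGET_NOTRACK
+kernel_config_set_m NETFILTER_XT_TARGET_RATEEST
+kernel_config_set_m NETFILTER_XT_TARGET_REDIRECT
+kernel_config_set_m NETFILTER_XT_TARGET_SECMARK
+kernel_config_set_m NETFILTER_XT_TARGET_TCPMSS
+kernel_config_set_m NETFILTER_XT_TARGET_TCPOPTSTRIP
+kernel_config_set_m NETFILTER_XT_TARGET_TEE
+kernel_config_set_m NETFILTER_XT_TARGET_TPROXY
+kernel_config_set_m NETFILTER_XT_TARGET_TRACE
+kernel_config_set_y NETFILTER
+kernel_config_set_m NET_IP_TUNNEL
+kernel_config_set_y NF_TABLES_ARP
+kernel_config_set_m NF_TABLES_BRIDGE
+kernel_config_set_y NF_TABLES_INET
+kernel_config_set_y NF_TABLES_IPV4
+kernel_config_set_y NF_TABLES_IPV6
+kernel_config_set_m NF_TABLES
+kernel_config_set_y NF_TABLES_NETDEV
+kernel_config_set_m NFT_BRIDGE_META
+kernel_config_set_m NFT_BRIDGE_REJECT
+kernel_config_set_m NFT_COMPAT_ARP
+kernel_config_set_m NFT_COMPAT
+kernel_config_set_m NFT_CONNLIMIT
+kernel_config_set_m NFT_COUNTER
+kernel_config_set_m NFT_CT
+kernel_config_set_m NFT_DUP_IPV4
+kernel_config_set_m NFT_DUP_IPV6
+kernel_config_set_m NFT_DUP_NETDEV
+kernel_config_set_m NFT_FIB_INET
+kernel_config_set_m NFT_FIB_IPV4
+kernel_config_set_m NFT_FIB_IPV6
+kernel_config_set_m NFT_FIB
+kernel_config_set_m NFT_FIB_NETDEV
+kernel_config_set_m NFT_FLOW_OFFLOAD
+kernel_config_set_m NFT_FWD_NETDEV
+kernel_config_set_m NFT_HASH
+kernel_config_set_m NFT_LIMIT
+kernel_config_set_m NFT_LOG
+kernel_config_set_m NFT_MASQ
+kernel_config_set_m NFT_NAT
+kernel_config_set_m NFT_NUMGEN
+kernel_config_set_m NFT_OBJREF
+kernel_config_set_m NFT_OSF
+kernel_config_set_m NFT_QUEUE
+kernel_config_set_m NFT_QUOTA
+kernel_config_set_m NFT_REDIR
+kernel_config_set_m NFT_REJECT_INET
+kernel_config_set_m NFT_REJECT_IPV4
+kernel_config_set_m NFT_REJECT_IPV6
+kernel_config_set_m NFT_REJECT
+kernel_config_set_m NFT_REJECT_NETDEV
+kernel_config_set_m NFT_SOCKET
+kernel_config_set_m NFT_SYNPROXY
+kernel_config_set_m NFT_TPROXY
+kernel_config_set_m NFT_TUNNEL
+kernel_config_set_m NFT_XFRM
+fi
+}
+
 # Enables Docker support by configuring a comprehensive set of kernel options required for Docker functionality.
 #
 # Globals:
@@ -232,34 +411,17 @@ function armbian_kernel_config__enable_docker_support() {
 kernel_config_set_m CRYPTO_SEQIV # Enables sequential initialization vector support for cryptographic operations
 kernel_config_set_y EVENTFD # Enables eventfd system calls for event notification
 kernel_config_set_y BPF_SYSCALL # Enables BPF (Berkeley Packet Filter) system call support
-kernel_config_set_y NF_TABLES # Enables nf_tables framework support
-kernel_config_set_y NF_TABLES_INET # Enables IPv4 and IPv6 support for nf_tables
-kernel_config_set_y NF_TABLES_NETDEV # Enables netdevice support for nf_tables
 kernel_config_set_y CFS_BANDWIDTH # Enables bandwidth control for CFS (Completely Fair Scheduler)
 kernel_config_set_m DUMMY # Enables dummy network driver module
 kernel_config_set_y DEVPTS_MULTIPLE_INSTANCES # Enables multiple instances of devpts (pseudo-terminal master/slave pairs)
 kernel_config_set_y ENCRYPTED_KEYS # Enables support for encrypted keys in the kernel
 kernel_config_set_m EXT4_FS # Enables EXT4 file system support as a module
 kernel_config_set_y EXT4_FS_POSIX_ACL # Enables POSIX ACL support for EXT4
 kernel_config_set_y EXT4_FS_SECURITY # Enables security extensions for EXT4 file system
-kernel_config_set_m IP6_NF_FILTER # Enables IPv6 netfilter filtering support
-kernel_config_set_m IP6_NF_MANGLE # Enables IPv6 netfilter mangling support
-kernel_config_set_m IP6_NF_NAT # Enables IPv6 network address translation support
-kernel_config_set_m IP6_NF_RAW # Enables raw support for IPv6 netfilter
-kernel_config_set_m IP6_NF_SECURITY # Enables IPv6 netfilter security features
-kernel_config_set_m IP6_NF_TARGET_MASQUERADE # Enables IPv6 netfilter target for masquerading (NAT)
 kernel_config_set_m IPVLAN # Enables IPvlan network driver support
 kernel_config_set_y INET # Enables Internet protocol (IPv4) support
 kernel_config_set_y FAIR_GROUP_SCHED # Enables fair group scheduling support
 kernel_config_set_m INET_ESP # Enables ESP (Encapsulating Security Payload) for IPv4
-kernel_config_set_y IP_NF_FILTER # Enables IPv4 netfilter filtering support
-kernel_config_set_m IP_NF_TARGET_MASQUERADE # Enables IPv4 netfilter target for masquerading (NAT)
-kernel_config_set_m IP_NF_TARGET_NETMAP # Enables IPv4 netfilter target for netmap
-kernel_config_set_m IP_NF_TARGET_REDIRECT # Enables IPv4 netfilter target for redirect
-kernel_config_set_y IP_NF_IPTABLES # Enables iptables for IPv4
-kernel_config_set_m IP_NF_NAT # Enables NAT (Network Address Translation) support for IPv4
-kernel_config_set_m IP_NF_RAW # Enables raw support for IPv4 netfilter
-kernel_config_set_y IP_NF_SECURITY # Enables security features for IPv4 netfilter
 kernel_config_set_y IP_VS_NFCT # Enables connection tracking for IPVS (IP Virtual Server)
 kernel_config_set_y IP_VS_PROTO_TCP # Enables TCP protocol support for IPVS
 kernel_config_set_y IP_VS_PROTO_UDP # Enables UDP protocol support for IPVS
@@ -270,49 +432,11 @@ function armbian_kernel_config__enable_docker_support() {
 kernel_config_set_m MACVLAN # Enables MACVLAN network driver support
 kernel_config_set_y MEMCG # Enables memory controller for cgroups
 kernel_config_set_y MEMCG_KMEM # Enables memory controller for kmem (kernel memory) cgroups
-kernel_config_set_m NFT_NAT # Enables NAT (Network Address Translation) support in nftables
-kernel_config_set_m NFT_TUNNEL # Enables tunneling support in nftables
-kernel_config_set_m NFT_QUOTA # Enables quota support in nftables
-kernel_config_set_m NFT_REJECT # Enables reject target support in nftables
-kernel_config_set_m NFT_COMPAT # Enables compatibility support for older nftables versions
-kernel_config_set_m NFT_HASH # Enables hash-based set operations support in nftables
-kernel_config_set_m NFT_XFRM # Enables transformation support in nftables
-kernel_config_set_m NFT_SOCKET # Enables socket operations support in nftables
-kernel_config_set_m NFT_TPROXY # Enables transparent proxy support in nftables
-kernel_config_set_m NFT_SYNPROXY # Enables SYN proxy support in nftables
-kernel_config_set_m NFT_DUP_NETDEV # Enables duplicate netdev (network device) support in nftables
-kernel_config_set_m NFT_FWD_NETDEV # Enables forward netdev support in nftables
-kernel_config_set_m NFT_REJECT_NETDEV # Enables reject netdev support in nftables
-kernel_config_set_m NF_CONNMARK_IPV4 # Enables connection mark support for IPv4 netfilter
-kernel_config_set_y NF_CONNTRACK # Enables connection tracking support
-kernel_config_set_m NF_CONNTRACK_FTP # Enables FTP connection tracking support
-kernel_config_set_m NF_CONNTRACK_IRC # Enables IRC connection tracking support
-kernel_config_set_y NF_CONNTRACK_MARK # Enables connection mark support in netfilter
-kernel_config_set_m NF_CONNTRACK_PPTP # Enables PPTP connection tracking support
-kernel_config_set_m NF_CONNTRACK_TFTP # Enables TFTP connection tracking support
-kernel_config_set_y NF_CONNTRACK_ZONES # Enables connection tracking zones support
-kernel_config_set_y NF_CONNTRACK_EVENTS # Enables connection tracking events support
-kernel_config_set_y NF_CONNTRACK_LABELS # Enables connection tracking labels support
-kernel_config_set_m NF_NAT # Enables NAT support in nf_conntrack
-kernel_config_set_m NF_NAT_MASQUERADE_IPV4 # Enables IPv4 masquerading for NAT in nf_conntrack
-kernel_config_set_m NF_NAT_IPV4 # Enables IPv4 NAT support in nf_conntrack
-kernel_config_set_m NF_NAT_NEEDED # Enables NAT support in nf_conntrack when needed
-kernel_config_set_m NF_NAT_FTP # Enables FTP NAT support in nf_conntrack
-kernel_config_set_m NF_NAT_TFTP # Enables TFTP NAT support in nf_conntrack
 kernel_config_set_m NET_CLS_CGROUP # Enables network classification using cgroups
 kernel_config_set_y NET_CORE # Enables core networking stack support
 kernel_config_set_y NET_L3_MASTER_DEV # Enables master device support for Layer 3 (L3) networking
 kernel_config_set_y NET_NS # Enables network namespace support
 kernel_config_set_y NET_SCHED # Enables network scheduler support
-kernel_config_set_y NETFILTER # Enables support for netfilter framework
-kernel_config_set_y NETFILTER_ADVANCED # Enables advanced netfilter options
-kernel_config_set_m NETFILTER_XT_MATCH_ADDRTYPE # Enables address type matching for netfilter
-kernel_config_set_m NETFILTER_XT_MATCH_BPF # Enables BPF match support in netfilter
-kernel_config_set_m NETFILTER_XT_MATCH_CONNTRACK # Enables connection tracking match support in netfilter
-kernel_config_set_m NETFILTER_XT_MATCH_IPVS # Enables IPVS match support in netfilter
-kernel_config_set_m NETFILTER_XT_MARK # Enables mark matching for netfilter
-kernel_config_set_m NETFILTER_XTABLES # Enables x_tables support in netfilter
-kernel_config_set_m NETFILTER_XT_TARGET_MASQUERADE # Enables masquerade target for netfilter
 kernel_config_set_y NETDEVICES # Enables support for network devices
 kernel_config_set_y NAMESPACES # Enables support for namespaces (including network namespaces)
 kernel_config_set_m OVERLAY_FS # Enables support for OverlayFS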
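Review bot: `armbian_kernel_config__select_nftables` does not carry over the IPv4 and conntrack symbols that this commit deletes from `armbian_kernel_config__enable_docker_support`: `IP_NF_FILTER`, `IP_NF_NAT`, `IP_NF_RAW`, `IP_NF_SECURITY`, `NF_CONNTRACK` (with its `_MARK`, `_ZONES`, `_EVENTS` and `_LABELS` options) and `NF_NAT` appear only on removed lines, while the `IP6_NF_*` counterparts are all set. On a board whose base config does not already enable them, the image could end up without the IPv4 filter table or connection tracking, so host firewall rules and stateful matches would fail to load; `NFT_CT` and `NETFILTER_XT_MATCH_CONNTRACK` are still requested here but, as far as I know, depend on `NF_CONNTRACK` rather than selecting it. I would add the IPv4 and conntrack selections to the new function as sketched below, or leave them in the Docker function. Whether another hook sets them, or whether the Docker function (whose body extends beyond these hunks) calls the new one, is not visible here.

```shell
function armbian_kernel_config__select_nftables() {
	if [[ -f .config ]]; then
		# … unchanged: BRIDGE_NETFILTER and IP6_NF_* selections …
		kernel_config_set_m IP_NF_FILTER
		kernel_config_set_m IP_NF_NAT
		kernel_config_set_m IP_NF_RAW
		kernel_config_set_m IP_NF_SECURITY
		kernel_config_set_m NF_CONNTRACK
		kernel_config_set_y NF_CONNTRACK_MARK
		kernel_config_set_y NF_CONNTRACK_ZONES
		kernel_config_set_y NF_CONNTRACK_EVENTS
		kernel_config_set_y NF_CONNTRACK_LABELS
		kernel_config_set_m NF_NAT
		# … unchanged: IP_NF_IPTABLES*, NETFILTER_*, NF_TABLES_* and NFT_* selections …
```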
