From patchwork Sat Sep 14 04:02:07 2019
X-Patchwork-Submitter: 宋文武
X-Patchwork-Id: 15367
Subject: [bug#37398] [PATCH 1/2] gnu: linux-libre: Enable all nftables family modules.
Resent-From: iyzsong@member.fsf.org (宋文武)
Resent-Date: Sat, 14 Sep 2019 04:03:02 +0000
To: Marius Bakke
From: iyzsong@member.fsf.org (宋文武)
References: <20190913101754.4483-1-iyzsong@member.fsf.org> <87o8zoe1eb.fsf@member.fsf.org> <874l1gb3ui.fsf@devup.no>
Date: Sat, 14 Sep 2019 12:02:07 +0800
In-Reply-To: <874l1gb3ui.fsf@devup.no> (Marius Bakke's message of "Fri, 13 Sep 2019 17:41:57 +0200")
Message-ID: <87k1ab34qo.fsf@member.fsf.org>
Cc: 37398@debbugs.gnu.org

Marius Bakke writes:

> iyzsong@member.fsf.org (宋文武) writes:
>
>> 宋文武 writes:
>>
>>> * gnu/packages/aux-files/linux-libre/4.19-arm.conf,
>>> gnu/packages/aux-files/linux-libre/4.19-arm64.conf,
>>> gnu/packages/aux-files/linux-libre/4.19-i686.conf,
>>> gnu/packages/aux-files/linux-libre/4.19-x86_64.conf,
>>> gnu/packages/aux-files/linux-libre/5.2-arm.conf,
>>> gnu/packages/aux-files/linux-libre/5.2-arm64.conf,
>>> gnu/packages/aux-files/linux-libre/5.2-i686.conf,
>>> gnu/packages/aux-files/linux-libre/5.2-x86_64.conf: Set CONFIG_NF_TABLES_INET,
>>> CONFIG_NF_TABLES_NETDEV, CONFIG_NF_TABLES_IPV4, CONFIG_NF_TABLES_ARP,
>>> CONFIG_NF_TABLES_IPV6, and CONFIG_NF_TABLES_BRIDGE to 'm'.
>>
>> I got 5.2 built now, and it doesn't work, may have to be enabled as 'y',
>> will investigate it later...
>
> In general, when making changes to the kernel configuration, you need to
> use the interactive configuration system provided by the kernel build
> system. The reason is that many options have dependencies: if you set
> CONFIG_FOO=y, CONFIG_BAR might also need to be y.
>
> Using the configuration system ensures these dependencies are handled
> properly. Here is one way to do that on Guix:
>
> $ tar -xf $(guix build -S linux-libre) -C /tmp
> $ cd /tmp/linux-libre-5.2.13
> $ guix environment linux-libre --ad-hoc ncurses
> $ cp /your/guix/checkout/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf .config
> $ make oldconfig
> $ make nconfig
> $ cp .config /your/guix/checkout/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf
>
> I don't have time to go into more details right now, but hope this helps!

Thanks, the interactive configuration system does the right thing. I have
now made configs for x86_64, 4.19 and 5.2. Since i686 is similar to x86_64,
I applied the x86_64 config diff to the i686 config; there were no
rejections, so it should work. But the arm ones are different, and I don't
know how to make them without an arm machine (a naive 'make nconfig' in my
x86_64 environment generates a lot of diffs...), so I skip them for now.

I also used 'make nconfig' for 4.14, and the result is okay, so I guess
that since 4.19 those nftables families have to be enabled as 'y', while
previously they could be built as modules.

Is it fine to only update kernel configurations for intel architectures?

From 3071ddc697bfaa5cff9324be3332a9dda9289b76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= Date: Sat, 14 Sep 2019 11:26:37 +0800 Subject: [PATCH 1/2] gnu: linux-libre: intel: Enable all nftables families. TODO: Adjust arm kernels accordingly. * gnu/packages/aux-files/linux-libre/4.19-i686.conf, gnu/packages/aux-files/linux-libre/4.19-x86_64.conf, gnu/packages/aux-files/linux-libre/5.2-i686.conf, gnu/packages/aux-files/linux-libre/5.2-x86_64.conf: Set CONFIG_NF_TABLES_INET, CONFIG_NF_TABLES_NETDEV, CONFIG_NF_TABLES_IPV4, CONFIG_NF_TABLES_IPV6 and CONFIG_NF_TABLES_BRIDGE to 'y', and related options to 'm'. --- .../aux-files/linux-libre/4.19-i686.conf | 35 +++++++++++++++---- .../aux-files/linux-libre/4.19-x86_64.conf | 35 +++++++++++++++---- .../aux-files/linux-libre/5.2-i686.conf | 28 +++++++++++---- .../aux-files/linux-libre/5.2-x86_64.conf | 28 +++++++++++---- 4 files changed, 102 insertions(+), 24 deletions(-) diff --git a/gnu/packages/aux-files/linux-libre/4.19-i686.conf b/gnu/packages/aux-files/linux-libre/4.19-i686.conf index c1df3f0f49..75a18ec5ef 100644 --- a/gnu/packages/aux-files/linux-libre/4.19-i686.conf +++ b/gnu/packages/aux-files/linux-libre/4.19-i686.conf @@ -1209,8 +1209,8 @@ CONFIG_NF_NAT_REDIRECT=y CONFIG_NETFILTER_SYNPROXY=m CONFIG_NF_TABLES=m CONFIG_NF_TABLES_SET=m -# CONFIG_NF_TABLES_INET is not set -# CONFIG_NF_TABLES_NETDEV is not set +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_FLOW_OFFLOAD=m @@ -1226,11 +1226,18 @@ CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m +CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m CONFIG_NFT_HASH=m +CONFIG_NFT_FIB=m +CONFIG_NFT_FIB_INET=m CONFIG_NFT_SOCKET=m CONFIG_NFT_OSF=m CONFIG_NFT_TPROXY=m +CONFIG_NF_DUP_NETDEV=m +CONFIG_NFT_DUP_NETDEV=m +CONFIG_NFT_FWD_NETDEV=m +CONFIG_NFT_FIB_NETDEV=m CONFIG_NF_FLOW_TABLE_INET=m CONFIG_NF_FLOW_TABLE=m CONFIG_NETFILTER_XTABLES=m 
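Review bot: the 4.19-i686 hunks above are, by the cover note, the x86_64 diff applied to the i686 file rather than output of the kernel's configuration tool, and a clean `patch` apply only shows that the hunks fit the file, not that Kconfig would produce the same result for i386. Please run the i686 files through `make ARCH=i386 oldconfig` (or `olddefconfig`, which is the same with new questions answered by their defaults) exactly as was done for x86_64 and confirm the tool leaves the file unchanged; any difference is a dependency the hand merge missed.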
@@ -1394,8 +1401,12 @@ CONFIG_IP_VS_PE_SIP=m CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_SOCKET_IPV4=m CONFIG_NF_TPROXY_IPV4=m -# CONFIG_NF_TABLES_IPV4 is not set -# CONFIG_NF_TABLES_ARP is not set +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_CHAIN_ROUTE_IPV4=m +CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_FIB_IPV4=m +CONFIG_NF_TABLES_ARP=y CONFIG_NF_FLOW_TABLE_IPV4=m CONFIG_NF_DUP_IPV4=m CONFIG_NF_LOG_ARP=m @@ -1403,6 +1414,9 @@ CONFIG_NF_LOG_IPV4=m CONFIG_NF_REJECT_IPV4=m CONFIG_NF_NAT_IPV4=m CONFIG_NF_NAT_MASQUERADE_IPV4=y +CONFIG_NFT_CHAIN_NAT_IPV4=m +CONFIG_NFT_MASQ_IPV4=m +CONFIG_NFT_REDIR_IPV4=m CONFIG_NF_NAT_SNMP_BASIC=m CONFIG_NF_NAT_PROTO_GRE=m CONFIG_NF_NAT_PPTP=m @@ -1434,7 +1448,14 @@ CONFIG_IP_NF_ARP_MANGLE=m # CONFIG_NF_SOCKET_IPV6=m CONFIG_NF_TPROXY_IPV6=m -# CONFIG_NF_TABLES_IPV6 is not set +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_CHAIN_ROUTE_IPV6=m +CONFIG_NFT_CHAIN_NAT_IPV6=m +CONFIG_NFT_MASQ_IPV6=m +CONFIG_NFT_REDIR_IPV6=m +CONFIG_NFT_REJECT_IPV6=m +CONFIG_NFT_DUP_IPV6=m +CONFIG_NFT_FIB_IPV6=m CONFIG_NF_FLOW_TABLE_IPV6=m CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m @@ -1468,7 +1489,9 @@ CONFIG_NF_DEFRAG_IPV6=m # DECnet: Netfilter Configuration # CONFIG_DECNET_NF_GRABULATOR=m -# CONFIG_NF_TABLES_BRIDGE is not set +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_REJECT=m +CONFIG_NF_LOG_BRIDGE=m CONFIG_BRIDGE_NF_EBTABLES=m CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_T_FILTER=m diff --git a/gnu/packages/aux-files/linux-libre/4.19-x86_64.conf b/gnu/packages/aux-files/linux-libre/4.19-x86_64.conf index a8f8c81648..f151036410 100644 --- a/gnu/packages/aux-files/linux-libre/4.19-x86_64.conf +++ b/gnu/packages/aux-files/linux-libre/4.19-x86_64.conf @@ -1219,8 +1219,8 @@ CONFIG_NF_NAT_REDIRECT=y CONFIG_NETFILTER_SYNPROXY=m CONFIG_NF_TABLES=m CONFIG_NF_TABLES_SET=m -# CONFIG_NF_TABLES_INET is not set -# CONFIG_NF_TABLES_NETDEV is not set +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_FLOW_OFFLOAD=m 
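Review bot: the `@@ -1394,8 +1401,12 @@` hunk sets `+CONFIG_NF_TABLES_ARP=y`, but the commit message lists only CONFIG_NF_TABLES_INET, CONFIG_NF_TABLES_NETDEV, CONFIG_NF_TABLES_IPV4, CONFIG_NF_TABLES_IPV6 and CONFIG_NF_TABLES_BRIDGE as the options switched to 'y'; add CONFIG_NF_TABLES_ARP to that list (the earlier description of 1/2 named it, and the same line appears in the x86_64 and 5.2 hunks below).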
@@ -1236,11 +1236,18 @@ CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m +CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m CONFIG_NFT_HASH=m +CONFIG_NFT_FIB=m +CONFIG_NFT_FIB_INET=m CONFIG_NFT_SOCKET=m CONFIG_NFT_OSF=m CONFIG_NFT_TPROXY=m +CONFIG_NF_DUP_NETDEV=m +CONFIG_NFT_DUP_NETDEV=m +CONFIG_NFT_FWD_NETDEV=m +CONFIG_NFT_FIB_NETDEV=m CONFIG_NF_FLOW_TABLE_INET=m CONFIG_NF_FLOW_TABLE=m CONFIG_NETFILTER_XTABLES=m @@ -1404,8 +1411,12 @@ CONFIG_IP_VS_PE_SIP=m CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_SOCKET_IPV4=m CONFIG_NF_TPROXY_IPV4=m -# CONFIG_NF_TABLES_IPV4 is not set -# CONFIG_NF_TABLES_ARP is not set +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_CHAIN_ROUTE_IPV4=m +CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_FIB_IPV4=m +CONFIG_NF_TABLES_ARP=y CONFIG_NF_FLOW_TABLE_IPV4=m CONFIG_NF_DUP_IPV4=m CONFIG_NF_LOG_ARP=m @@ -1413,6 +1424,9 @@ CONFIG_NF_LOG_IPV4=m CONFIG_NF_REJECT_IPV4=m CONFIG_NF_NAT_IPV4=m CONFIG_NF_NAT_MASQUERADE_IPV4=y +CONFIG_NFT_CHAIN_NAT_IPV4=m +CONFIG_NFT_MASQ_IPV4=m +CONFIG_NFT_REDIR_IPV4=m CONFIG_NF_NAT_SNMP_BASIC=m CONFIG_NF_NAT_PROTO_GRE=m CONFIG_NF_NAT_PPTP=m @@ -1444,7 +1458,14 @@ CONFIG_IP_NF_ARP_MANGLE=m # CONFIG_NF_SOCKET_IPV6=m CONFIG_NF_TPROXY_IPV6=m -# CONFIG_NF_TABLES_IPV6 is not set +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_CHAIN_ROUTE_IPV6=m +CONFIG_NFT_CHAIN_NAT_IPV6=m +CONFIG_NFT_MASQ_IPV6=m +CONFIG_NFT_REDIR_IPV6=m +CONFIG_NFT_REJECT_IPV6=m +CONFIG_NFT_DUP_IPV6=m +CONFIG_NFT_FIB_IPV6=m CONFIG_NF_FLOW_TABLE_IPV6=m CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m @@ -1478,7 +1499,9 @@ CONFIG_NF_DEFRAG_IPV6=m # DECnet: Netfilter Configuration # CONFIG_DECNET_NF_GRABULATOR=m -# CONFIG_NF_TABLES_BRIDGE is not set +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_REJECT=m +CONFIG_NF_LOG_BRIDGE=m CONFIG_BRIDGE_NF_EBTABLES=m CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_T_FILTER=m diff --git a/gnu/packages/aux-files/linux-libre/5.2-i686.conf b/gnu/packages/aux-files/linux-libre/5.2-i686.conf index 0a211f6eb9..8813a70d3d 100644 
--- a/gnu/packages/aux-files/linux-libre/5.2-i686.conf +++ b/gnu/packages/aux-files/linux-libre/5.2-i686.conf @@ -1147,8 +1147,8 @@ CONFIG_NF_NAT_MASQUERADE=y CONFIG_NETFILTER_SYNPROXY=m CONFIG_NF_TABLES=m CONFIG_NF_TABLES_SET=m -# CONFIG_NF_TABLES_INET is not set -# CONFIG_NF_TABLES_NETDEV is not set +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_FLOW_OFFLOAD=m @@ -1158,17 +1158,25 @@ CONFIG_NFT_LOG=m CONFIG_NFT_LIMIT=m CONFIG_NFT_MASQ=m CONFIG_NFT_REDIR=m +CONFIG_NFT_NAT=m CONFIG_NFT_TUNNEL=m CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m +CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m CONFIG_NFT_HASH=m +CONFIG_NFT_FIB=m +CONFIG_NFT_FIB_INET=m CONFIG_NFT_XFRM=m CONFIG_NFT_SOCKET=m CONFIG_NFT_OSF=m CONFIG_NFT_TPROXY=m +CONFIG_NF_DUP_NETDEV=m +CONFIG_NFT_DUP_NETDEV=m +CONFIG_NFT_FWD_NETDEV=m +CONFIG_NFT_FIB_NETDEV=m CONFIG_NF_FLOW_TABLE_INET=m CONFIG_NF_FLOW_TABLE=m CONFIG_NETFILTER_XTABLES=m @@ -1335,8 +1343,11 @@ CONFIG_IP_VS_PE_SIP=m CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_SOCKET_IPV4=m CONFIG_NF_TPROXY_IPV4=m -# CONFIG_NF_TABLES_IPV4 is not set -# CONFIG_NF_TABLES_ARP is not set +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_FIB_IPV4=m +CONFIG_NF_TABLES_ARP=y CONFIG_NF_FLOW_TABLE_IPV4=m CONFIG_NF_DUP_IPV4=m CONFIG_NF_LOG_ARP=m @@ -1373,7 +1384,10 @@ CONFIG_IP_NF_ARP_MANGLE=m # CONFIG_NF_SOCKET_IPV6=m CONFIG_NF_TPROXY_IPV6=m -# CONFIG_NF_TABLES_IPV6 is not set +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_REJECT_IPV6=m +CONFIG_NFT_DUP_IPV6=m +CONFIG_NFT_FIB_IPV6=m CONFIG_NF_FLOW_TABLE_IPV6=m CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m @@ -1409,7 +1423,9 @@ CONFIG_NF_DEFRAG_IPV6=m CONFIG_DECNET_NF_GRABULATOR=m # end of DECnet: Netfilter Configuration -# CONFIG_NF_TABLES_BRIDGE is not set +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_REJECT=m +CONFIG_NF_LOG_BRIDGE=m CONFIG_BRIDGE_NF_EBTABLES=m CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_T_FILTER=m 
diff --git a/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf b/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf index 51d4e93372..e1d2c93f9a 100644 --- a/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf +++ b/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf @@ -1168,8 +1168,8 @@ CONFIG_NF_NAT_MASQUERADE=y CONFIG_NETFILTER_SYNPROXY=m CONFIG_NF_TABLES=m CONFIG_NF_TABLES_SET=m -# CONFIG_NF_TABLES_INET is not set -# CONFIG_NF_TABLES_NETDEV is not set +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_FLOW_OFFLOAD=m @@ -1179,17 +1179,25 @@ CONFIG_NFT_LOG=m CONFIG_NFT_LIMIT=m CONFIG_NFT_MASQ=m CONFIG_NFT_REDIR=m +CONFIG_NFT_NAT=m CONFIG_NFT_TUNNEL=m CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m +CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m CONFIG_NFT_HASH=m +CONFIG_NFT_FIB=m +CONFIG_NFT_FIB_INET=m CONFIG_NFT_XFRM=m CONFIG_NFT_SOCKET=m CONFIG_NFT_OSF=m CONFIG_NFT_TPROXY=m +CONFIG_NF_DUP_NETDEV=m +CONFIG_NFT_DUP_NETDEV=m +CONFIG_NFT_FWD_NETDEV=m +CONFIG_NFT_FIB_NETDEV=m CONFIG_NF_FLOW_TABLE_INET=m CONFIG_NF_FLOW_TABLE=m CONFIG_NETFILTER_XTABLES=m @@ -1356,8 +1364,11 @@ CONFIG_IP_VS_PE_SIP=m CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_SOCKET_IPV4=m CONFIG_NF_TPROXY_IPV4=m -# CONFIG_NF_TABLES_IPV4 is not set -# CONFIG_NF_TABLES_ARP is not set +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_FIB_IPV4=m +CONFIG_NF_TABLES_ARP=y CONFIG_NF_FLOW_TABLE_IPV4=m CONFIG_NF_DUP_IPV4=m CONFIG_NF_LOG_ARP=m @@ -1394,7 +1405,10 @@ CONFIG_IP_NF_ARP_MANGLE=m # CONFIG_NF_SOCKET_IPV6=m CONFIG_NF_TPROXY_IPV6=m -# CONFIG_NF_TABLES_IPV6 is not set +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_REJECT_IPV6=m +CONFIG_NFT_DUP_IPV6=m +CONFIG_NFT_FIB_IPV6=m CONFIG_NF_FLOW_TABLE_IPV6=m CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m 
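Review bot: the 5.2 hunks have no counterpart to the per-family chain modules added in the 4.19 hunks (`+CONFIG_NFT_CHAIN_ROUTE_IPV4=m`, `+CONFIG_NFT_CHAIN_NAT_IPV4=m`, `+CONFIG_NFT_MASQ_IPV4=m`, `+CONFIG_NFT_REDIR_IPV4=m` and the IPv6 equivalents); the 5.2 files only gain the generic `+CONFIG_NFT_NAT=m`. That is consistent with 5.2 having merged the per-family NAT, masquerade, redirect and route chain types into family-independent modules, so nothing looks lost, but the commit message says "related options to 'm'" for both kernels and a reader diffing the 4.19 and 5.2 hunks will read the missing lines as an omission; one sentence noting that those per-family options no longer exist in 5.2 would settle it.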
@@ -1430,7 +1444,9 @@ CONFIG_NF_DEFRAG_IPV6=m CONFIG_DECNET_NF_GRABULATOR=m # end of DECnet: Netfilter Configuration -# CONFIG_NF_TABLES_BRIDGE is not set +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_REJECT=m +CONFIG_NF_LOG_BRIDGE=m CONFIG_BRIDGE_NF_EBTABLES=m CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_T_FILTER=m
-- 
2.19.2

From patchwork Fri Sep 13 10:17:54 2019
X-Patchwork-Submitter: 宋文武
X-Patchwork-Id: 15363
Subject: [bug#37398] [PATCH 2/2] services: Add nftables-service-type.
Resent-From: 宋文武
Resent-Date: Fri, 13 Sep 2019 10:19:02 +0000
To: 37398@debbugs.gnu.org
From: 宋文武
Date: Fri, 13 Sep 2019 18:17:54 +0800
Message-Id: <20190913101754.4483-2-iyzsong@member.fsf.org>
In-Reply-To: <20190913101754.4483-1-iyzsong@member.fsf.org>
References: <20190913101754.4483-1-iyzsong@member.fsf.org>
Cc: 宋文武

* gnu/services/networking.scm (%default-nftables-ruleset): New variable.
(): New record type.
(nftables-shepherd-service): New procedure.
(nftables-service-type): New service type.
* doc/guix.texi (Networking Services): Document it.
---
 doc/guix.texi               | 27 ++++++++++++
 gnu/services/networking.scm | 82 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 108 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 39d4b865f6..e71f0a44c9 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -13041,6 +13041,33 @@ objects}). @end table @end deftp +@cindex nftables +@defvr {Scheme Variable} nftables-service-type +This is the service type to set up a nftables configuration. nftables is a +netfilter project that aims to replace the existing iptables, ip6tables, +arptables and ebtables framework. It provides a new packet filtering +framework, a new user-space utility @command{nft}, and a compatibility layer +for iptables. This service comes with a default ruleset +@code{%default-nftables-ruleset} that rejecting all incomming connections +except those to the ssh port 22. To use it, simply write: + +@lisp +(service nftables-service-type) +@end lisp +@end defvr + +@deftp {Data Type} nftables-configuration +The data type representing the configuration of nftables. + +@table @asis +@item @code{package} (default: @code{nftables}) +The nftables package that provides @command{nft}. +@item @code{ruleset} (default: @code{%default-nftables-ruleset}) +The nftables ruleset to use. This may be any ``file-like'' object +(@pxref{G-Expressions, file-like objects}). +@end table +@end deftp + @cindex NTP (Network Time Protocol), service @cindex ntpd, service for the Network Time Protocol daemon @cindex real time clock diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index c775242f99..dd63009116 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -11,6 +11,7 @@ ;;; Copyright © 2018 Arun Isaac ;;; Copyright © 2019 Florian Pelz ;;; Copyright © 2019 Maxim Cournoyer +;;; Copyright © 2019 Sou Bunnbu ;;; ;;; This file is part of GNU Guix. ;;; @@ -144,7 +145,14 @@ iptables-configuration-iptables iptables-configuration-ipv4-rules iptables-configuration-ipv6-rules - iptables-service-type)) + iptables-service-type + + nftables-service-type + nftables-configuration + nftables-configuration? + nftables-configuration-package + nftables-configuration-ruleset + %default-nftables-ruleset)) ;;; Commentary: ;;; 
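Review bot: the manual text in the texinfo hunk understates what the default ruleset lets in, and users judge their exposure from that paragraph: `%default-nftables-ruleset` accepts loopback traffic, established/related connections and all ICMP and ICMPv6 as well as ssh, rejects every other incoming connection with port-unreachable, and drops forwarded packets. Say so, roughly "a default ruleset that drops forwarding and rejects all incoming connections except SSH, ICMP, loopback and established connections". Also "a nftables" should be "an nftables", "that rejecting" should be "that rejects", and "incomming" should be "incoming". The networking.scm export hunk below looks complete.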
@@ -1415,4 +1423,76 @@ COMMIT (list (service-extension shepherd-root-service-type (compose list iptables-shepherd-service)))))) +;;; +;;; nftables +;;; + +(define %default-nftables-ruleset + (plain-file "nftables.conf" + "# A simple and safe firewall +table inet filter { + chain input { + type filter hook input priority 0; policy drop; + + # early drop of invalid connections + ct state invalid drop + + # allow established/related connections + ct state { established, related } accept + + # allow from loopback + iifname lo accept + + # allow icmp + ip protocol icmp accept + ip6 nexthdr icmpv6 accept + + # allow ssh + tcp dport ssh accept + + # reject everything else + reject with icmpx type port-unreachable + } + chain forward { + type filter hook forward priority 0; policy drop; + } + chain output { + type filter hook output priority 0; policy accept; + } +} +")) + +(define-record-type* + nftables-configuration + make-nftables-configuration + nftables-configuration? + (package nftables-configuration-package + (default nftables)) + (ruleset nftables-configuration-ruleset ; file-like object + (default %default-nftables-ruleset))) + +(define nftables-shepherd-service + (match-lambda + (($ package ruleset) + (let ((nft (file-append package "/sbin/nft"))) + (shepherd-service + (documentation "Packet filtering and classification") + (provision '(nftables)) + (start #~(lambda _ + (invoke #$nft "--file" #$ruleset))) + (stop #~(lambda _ + (invoke #$nft "flush" "ruleset")))))))) + +(define nftables-service-type + (service-type + (name 'nftables) + (description + "Run @command{nft}, setting up the specified ruleset.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list nftables-shepherd-service)) + (service-extension profile-service-type + (compose list nftables-configuration-package)))) + (default-value (nftables-configuration)))) + ;;; networking.scm ends here
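Review bot: `start` runs `nft --file` on the ruleset without flushing first, and `%default-nftables-ruleset` does not begin with `flush ruleset`, so loading it into a kernel that already holds `table inet filter` (a ruleset loaded by hand before the service, or the file run twice) appends a second copy of every rule instead of replacing them. Put `flush ruleset` as the first line of the default ruleset and document that user-supplied rulesets should do the same, or run it from `start` before `--file`. Second, `stop` runs `nft flush ruleset`, which deletes every table in the kernel, including ones this service did not create, and leaves the host with no packet filtering at all; that is defensible for a whole-system firewall service but belongs in the docstring and the manual. Third, as rendered here the record type name is missing from `(define-record-type* nftables-configuration make-nftables-configuration` and from `(($ package ruleset)`, which looks like an angle-bracketed name lost in mail rendering rather than in the patch; please confirm the posted patch applies.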
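The configuration procedure quoted in the first message of this thread, turned into a non-interactive check, as an added example; it is not part of the Guix patches or of the kernel build system. It covers the two open questions from that message: whether the hand-merged i686 files are consistent for i386 (let Kconfig settle the file with `olddefconfig` and diff the result), and how to regenerate the arm files without an arm machine (set `ARCH=arm` or `ARCH=arm64` and a cross toolchain; Kconfig does not need target hardware). It also checks the result the thread arrived at: from 4.19 the nftables family options are bool and must be `y`, or `nft -f` on a `table inet` ruleset fails and the host comes up without a firewall. The function names, `$KSRC` and the use of `$CROSS_COMPILE` are this example's own assumptions.

```shell
#!/bin/sh
# Added example for bug#37398; not part of Guix or the kernel build system.
# Assumptions: a kernel source tree in $KSRC (e.g. the unpacked output of
# `guix build -S linux-libre`), and for ARCH=arm/arm64 a toolchain prefix
# in $CROSS_COMPILE, since Kconfig on 5.x probes $(CC) for compiler options.

# nft_families_ok FILE
# Exit 0 when every nftables address-family option in FILE is built in (=y).
# From linux-libre 4.19 on these are bool options, so 'm' or an
# "is not set" line means the inet family is absent at runtime.  Each
# offending symbol is printed on its own line.
nft_families_ok() {
    _rc=0
    for _sym in CONFIG_NF_TABLES_INET CONFIG_NF_TABLES_NETDEV \
                CONFIG_NF_TABLES_IPV4 CONFIG_NF_TABLES_ARP \
                CONFIG_NF_TABLES_IPV6 CONFIG_NF_TABLES_BRIDGE; do
        _val=$(sed -n "s/^$_sym=//p" "$1")
        case "$_val" in
            y)  ;;
            m)  echo "$_sym=m: bool option, must be y"; _rc=1 ;;
            '') echo "$_sym: missing or 'is not set'"; _rc=1 ;;
            *)  echo "$_sym=$_val: unexpected value"; _rc=1 ;;
        esac
    done
    return $_rc
}

# kconfig_settle ARCH CONF
# Copy CONF into the tree, let Kconfig resolve dependencies without
# prompting (olddefconfig is oldconfig with every new question answered by
# its default), and print what it changed.  No output means CONF is already
# consistent for ARCH; any hunk is a dependency the hand merge missed, and
# $KSRC/.config is the file that should replace CONF.  ARCH=i386 works with
# the host compiler on x86_64; arm and arm64 need CROSS_COMPILE set.
kconfig_settle() {
    cp "$2" "$KSRC/.config"
    make -C "$KSRC" ARCH="$1" \
        ${CROSS_COMPILE:+CROSS_COMPILE="$CROSS_COMPILE"} olddefconfig >/dev/null
    diff -u "$2" "$KSRC/.config" && echo "$2: consistent for ARCH=$1"
}

# Usage:
#   KSRC=/tmp/linux-libre-5.2.13 sh nft-kconfig.sh i386 \
#       gnu/packages/aux-files/linux-libre/5.2-i686.conf
#   KSRC=... CROSS_COMPILE=arm-linux-gnueabihf- sh nft-kconfig.sh arm \
#       gnu/packages/aux-files/linux-libre/5.2-arm.conf
if [ $# -eq 2 ]; then
    kconfig_settle "$1" "$2"
    nft_families_ok "$KSRC/.config"
fi
```

Run it once per architecture and file; an empty diff from `kconfig_settle` plus a silent `nft_families_ok` is the state the thread was trying to reach by hand with `make oldconfig` and `make nconfig`.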