From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:470:142:3::10]:37197) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1i8zH6-0001VE-MQ for guix-patches@gnu.org; Sat, 14 Sep 2019 00:03:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1i8zH4-00060d-K3 for guix-patches@gnu.org; Sat, 14 Sep 2019 00:03:04 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:36912) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1i8zH4-0005zM-EE for guix-patches@gnu.org; Sat, 14 Sep 2019 00:03:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1i8zH4-0001N3-7y for guix-patches@gnu.org; Sat, 14 Sep 2019 00:03:02 -0400 Subject: [bug#37398] [PATCH 1/2] gnu: linux-libre: Enable all nftables family modules. Resent-Message-ID: From: iyzsong@member.fsf.org (=?UTF-8?Q?=E5=AE=8B=E6=96=87=E6=AD=A6?=) References: <20190913101754.4483-1-iyzsong@member.fsf.org> <87o8zoe1eb.fsf@member.fsf.org> <874l1gb3ui.fsf@devup.no> Date: Sat, 14 Sep 2019 12:02:07 +0800 In-Reply-To: <874l1gb3ui.fsf@devup.no> (Marius Bakke's message of "Fri, 13 Sep 2019 17:41:57 +0200") Message-ID: <87k1ab34qo.fsf@member.fsf.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Marius Bakke Cc: 37398@debbugs.gnu.org --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Marius Bakke writes: > iyzsong@member.fsf.org (=E5=AE=8B=E6=96=87=E6=AD=A6) writes: > >> =E5=AE=8B=E6=96=87=E6=AD=A6 writes: >> >>> * gnu/packages/aux-files/linux-libre/4.19-arm.conf, >>> gnu/packages/aux-files/linux-libre/4.19-arm64.conf, >>> gnu/packages/aux-files/linux-libre/4.19-i686.conf, >>> gnu/packages/aux-files/linux-libre/4.19-x86_64.conf, >>> gnu/packages/aux-files/linux-libre/5.2-arm.conf, >>> gnu/packages/aux-files/linux-libre/5.2-arm64.conf, >>> gnu/packages/aux-files/linux-libre/5.2-i686.conf, >>> gnu/packages/aux-files/linux-libre/5.2-x86_64.conf: Set CONFIG_NF_TABLE= S_INET, >>> CONFIG_NF_TABLES_NETDEV, CONFIG_NF_TABLES_IPV4, CONFIG_NF_TABLES_ARP, >>> CONFIG_NF_TABLES_IPV6, and CONFIG_NF_TABLES_BRIDGE to 'm'. >> >> I got 5.2 built now, and it doesn't work, may have to be enabled as 'y', >> will investigate it later... > > In general, when making changes to the kernel configuration, you need to > use the interactive configuration system provided by the kernel build > system. The reason is that many options have dependencies: if you set > CONFIG_FOO=3Dy, CONFIG_BAR might also need to be y. > > Using the configuration system ensures these dependencies are handled > properly. Here is one way to do that on Guix: > > $ tar -xf $(guix build -S linux-libre) -C /tmp > $ cd /tmp/linux-libre-5.2.13 > $ guix environment linux-libre --ad-hoc ncurses > $ cp /your/guix/checkout/gnu/packages/aux-files/linux-libre/5.2-x86_64.co= nf .config > $ make oldconfig > $ make nconfig > $ cp .config /your/guix/checkout/gnu/packages/aux-files/linux-libre/5.2-x= 86_64.conf > > I don't have time to go into more details right now, but hope this helps! Thanks, the interactive configuration system does the right thing. And I now have made configs for x86_64, 4.19 and 5.2. Since i686 is similar to x86_64, so I apply the x86_64 config diff to i686 config, no rejections, it should work. But the arm ones are different, and I don't know how to make them without an arm machine (a naive 'make nconfig' in my x86_64 environment generates a lot of diffs...), so I skip them for now: --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-gnu-linux-libre-intel-Enable-all-nftables-families.patch >From 3071ddc697bfaa5cff9324be3332a9dda9289b76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= Date: Sat, 14 Sep 2019 11:26:37 +0800 Subject: [PATCH 1/2] gnu: linux-libre: intel: Enable all nftables families. TODO: Adjust arm kernels accordingly. * gnu/packages/aux-files/linux-libre/4.19-i686.conf, gnu/packages/aux-files/linux-libre/4.19-x86_64.conf, gnu/packages/aux-files/linux-libre/5.2-i686.conf, gnu/packages/aux-files/linux-libre/5.2-x86_64.conf: Set CONFIG_NF_TABLES_INET, CONFIG_NF_TABLES_NETDEV, CONFIG_NF_TABLES_IPV4, CONFIG_NF_TABLES_IPV6 and CONFIG_NF_TABLES_BRIDGE to 'y', and related options to 'm'. --- .../aux-files/linux-libre/4.19-i686.conf | 35 +++++++++++++++---- .../aux-files/linux-libre/4.19-x86_64.conf | 35 +++++++++++++++---- .../aux-files/linux-libre/5.2-i686.conf | 28 +++++++++++---- .../aux-files/linux-libre/5.2-x86_64.conf | 28 +++++++++++---- 4 files changed, 102 insertions(+), 24 deletions(-) diff --git a/gnu/packages/aux-files/linux-libre/4.19-i686.conf b/gnu/packages/aux-files/linux-libre/4.19-i686.conf index c1df3f0f49..75a18ec5ef 100644 --- a/gnu/packages/aux-files/linux-libre/4.19-i686.conf +++ b/gnu/packages/aux-files/linux-libre/4.19-i686.conf @@ -1209,8 +1209,8 @@ CONFIG_NF_NAT_REDIRECT=y CONFIG_NETFILTER_SYNPROXY=m CONFIG_NF_TABLES=m CONFIG_NF_TABLES_SET=m -# CONFIG_NF_TABLES_INET is not set -# CONFIG_NF_TABLES_NETDEV is not set +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_FLOW_OFFLOAD=m @@ -1226,11 +1226,18 @@ CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m +CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m CONFIG_NFT_HASH=m +CONFIG_NFT_FIB=m +CONFIG_NFT_FIB_INET=m CONFIG_NFT_SOCKET=m CONFIG_NFT_OSF=m CONFIG_NFT_TPROXY=m +CONFIG_NF_DUP_NETDEV=m +CONFIG_NFT_DUP_NETDEV=m +CONFIG_NFT_FWD_NETDEV=m +CONFIG_NFT_FIB_NETDEV=m CONFIG_NF_FLOW_TABLE_INET=m CONFIG_NF_FLOW_TABLE=m CONFIG_NETFILTER_XTABLES=m @@ -1394,8 +1401,12 @@ CONFIG_IP_VS_PE_SIP=m CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_SOCKET_IPV4=m CONFIG_NF_TPROXY_IPV4=m -# CONFIG_NF_TABLES_IPV4 is not set -# CONFIG_NF_TABLES_ARP is not set +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_CHAIN_ROUTE_IPV4=m +CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_FIB_IPV4=m +CONFIG_NF_TABLES_ARP=y CONFIG_NF_FLOW_TABLE_IPV4=m CONFIG_NF_DUP_IPV4=m CONFIG_NF_LOG_ARP=m @@ -1403,6 +1414,9 @@ CONFIG_NF_LOG_IPV4=m CONFIG_NF_REJECT_IPV4=m CONFIG_NF_NAT_IPV4=m CONFIG_NF_NAT_MASQUERADE_IPV4=y +CONFIG_NFT_CHAIN_NAT_IPV4=m +CONFIG_NFT_MASQ_IPV4=m +CONFIG_NFT_REDIR_IPV4=m CONFIG_NF_NAT_SNMP_BASIC=m CONFIG_NF_NAT_PROTO_GRE=m CONFIG_NF_NAT_PPTP=m @@ -1434,7 +1448,14 @@ CONFIG_IP_NF_ARP_MANGLE=m # CONFIG_NF_SOCKET_IPV6=m CONFIG_NF_TPROXY_IPV6=m -# CONFIG_NF_TABLES_IPV6 is not set +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_CHAIN_ROUTE_IPV6=m +CONFIG_NFT_CHAIN_NAT_IPV6=m +CONFIG_NFT_MASQ_IPV6=m +CONFIG_NFT_REDIR_IPV6=m +CONFIG_NFT_REJECT_IPV6=m +CONFIG_NFT_DUP_IPV6=m +CONFIG_NFT_FIB_IPV6=m CONFIG_NF_FLOW_TABLE_IPV6=m CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m @@ -1468,7 +1489,9 @@ CONFIG_NF_DEFRAG_IPV6=m # DECnet: Netfilter Configuration # CONFIG_DECNET_NF_GRABULATOR=m -# CONFIG_NF_TABLES_BRIDGE is not set +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_REJECT=m +CONFIG_NF_LOG_BRIDGE=m CONFIG_BRIDGE_NF_EBTABLES=m CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_T_FILTER=m diff --git a/gnu/packages/aux-files/linux-libre/4.19-x86_64.conf b/gnu/packages/aux-files/linux-libre/4.19-x86_64.conf index a8f8c81648..f151036410 100644 --- a/gnu/packages/aux-files/linux-libre/4.19-x86_64.conf +++ b/gnu/packages/aux-files/linux-libre/4.19-x86_64.conf @@ -1219,8 +1219,8 @@ CONFIG_NF_NAT_REDIRECT=y CONFIG_NETFILTER_SYNPROXY=m CONFIG_NF_TABLES=m CONFIG_NF_TABLES_SET=m -# CONFIG_NF_TABLES_INET is not set -# CONFIG_NF_TABLES_NETDEV is not set +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_FLOW_OFFLOAD=m @@ -1236,11 +1236,18 @@ CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m +CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m CONFIG_NFT_HASH=m +CONFIG_NFT_FIB=m +CONFIG_NFT_FIB_INET=m CONFIG_NFT_SOCKET=m CONFIG_NFT_OSF=m CONFIG_NFT_TPROXY=m +CONFIG_NF_DUP_NETDEV=m +CONFIG_NFT_DUP_NETDEV=m +CONFIG_NFT_FWD_NETDEV=m +CONFIG_NFT_FIB_NETDEV=m CONFIG_NF_FLOW_TABLE_INET=m CONFIG_NF_FLOW_TABLE=m CONFIG_NETFILTER_XTABLES=m @@ -1404,8 +1411,12 @@ CONFIG_IP_VS_PE_SIP=m CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_SOCKET_IPV4=m CONFIG_NF_TPROXY_IPV4=m -# CONFIG_NF_TABLES_IPV4 is not set -# CONFIG_NF_TABLES_ARP is not set +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_CHAIN_ROUTE_IPV4=m +CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_FIB_IPV4=m +CONFIG_NF_TABLES_ARP=y CONFIG_NF_FLOW_TABLE_IPV4=m CONFIG_NF_DUP_IPV4=m CONFIG_NF_LOG_ARP=m @@ -1413,6 +1424,9 @@ CONFIG_NF_LOG_IPV4=m CONFIG_NF_REJECT_IPV4=m CONFIG_NF_NAT_IPV4=m CONFIG_NF_NAT_MASQUERADE_IPV4=y +CONFIG_NFT_CHAIN_NAT_IPV4=m +CONFIG_NFT_MASQ_IPV4=m +CONFIG_NFT_REDIR_IPV4=m CONFIG_NF_NAT_SNMP_BASIC=m CONFIG_NF_NAT_PROTO_GRE=m CONFIG_NF_NAT_PPTP=m @@ -1444,7 +1458,14 @@ CONFIG_IP_NF_ARP_MANGLE=m # CONFIG_NF_SOCKET_IPV6=m CONFIG_NF_TPROXY_IPV6=m -# CONFIG_NF_TABLES_IPV6 is not set +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_CHAIN_ROUTE_IPV6=m +CONFIG_NFT_CHAIN_NAT_IPV6=m +CONFIG_NFT_MASQ_IPV6=m +CONFIG_NFT_REDIR_IPV6=m +CONFIG_NFT_REJECT_IPV6=m +CONFIG_NFT_DUP_IPV6=m +CONFIG_NFT_FIB_IPV6=m CONFIG_NF_FLOW_TABLE_IPV6=m CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m @@ -1478,7 +1499,9 @@ CONFIG_NF_DEFRAG_IPV6=m # DECnet: Netfilter Configuration # CONFIG_DECNET_NF_GRABULATOR=m -# CONFIG_NF_TABLES_BRIDGE is not set +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_REJECT=m +CONFIG_NF_LOG_BRIDGE=m CONFIG_BRIDGE_NF_EBTABLES=m CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_T_FILTER=m diff --git a/gnu/packages/aux-files/linux-libre/5.2-i686.conf b/gnu/packages/aux-files/linux-libre/5.2-i686.conf index 0a211f6eb9..8813a70d3d 100644 --- a/gnu/packages/aux-files/linux-libre/5.2-i686.conf +++ b/gnu/packages/aux-files/linux-libre/5.2-i686.conf @@ -1147,8 +1147,8 @@ CONFIG_NF_NAT_MASQUERADE=y CONFIG_NETFILTER_SYNPROXY=m CONFIG_NF_TABLES=m CONFIG_NF_TABLES_SET=m -# CONFIG_NF_TABLES_INET is not set -# CONFIG_NF_TABLES_NETDEV is not set +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_FLOW_OFFLOAD=m @@ -1158,17 +1158,25 @@ CONFIG_NFT_LOG=m CONFIG_NFT_LIMIT=m CONFIG_NFT_MASQ=m CONFIG_NFT_REDIR=m +CONFIG_NFT_NAT=m CONFIG_NFT_TUNNEL=m CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m +CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m CONFIG_NFT_HASH=m +CONFIG_NFT_FIB=m +CONFIG_NFT_FIB_INET=m CONFIG_NFT_XFRM=m CONFIG_NFT_SOCKET=m CONFIG_NFT_OSF=m CONFIG_NFT_TPROXY=m +CONFIG_NF_DUP_NETDEV=m +CONFIG_NFT_DUP_NETDEV=m +CONFIG_NFT_FWD_NETDEV=m +CONFIG_NFT_FIB_NETDEV=m CONFIG_NF_FLOW_TABLE_INET=m CONFIG_NF_FLOW_TABLE=m CONFIG_NETFILTER_XTABLES=m @@ -1335,8 +1343,11 @@ CONFIG_IP_VS_PE_SIP=m CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_SOCKET_IPV4=m CONFIG_NF_TPROXY_IPV4=m -# CONFIG_NF_TABLES_IPV4 is not set -# CONFIG_NF_TABLES_ARP is not set +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_FIB_IPV4=m +CONFIG_NF_TABLES_ARP=y CONFIG_NF_FLOW_TABLE_IPV4=m CONFIG_NF_DUP_IPV4=m CONFIG_NF_LOG_ARP=m @@ -1373,7 +1384,10 @@ CONFIG_IP_NF_ARP_MANGLE=m # CONFIG_NF_SOCKET_IPV6=m CONFIG_NF_TPROXY_IPV6=m -# CONFIG_NF_TABLES_IPV6 is not set +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_REJECT_IPV6=m +CONFIG_NFT_DUP_IPV6=m +CONFIG_NFT_FIB_IPV6=m CONFIG_NF_FLOW_TABLE_IPV6=m CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m @@ -1409,7 +1423,9 @@ CONFIG_NF_DEFRAG_IPV6=m CONFIG_DECNET_NF_GRABULATOR=m # end of DECnet: Netfilter Configuration -# CONFIG_NF_TABLES_BRIDGE is not set +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_REJECT=m +CONFIG_NF_LOG_BRIDGE=m CONFIG_BRIDGE_NF_EBTABLES=m CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_T_FILTER=m diff --git a/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf b/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf index 51d4e93372..e1d2c93f9a 100644 --- a/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf +++ b/gnu/packages/aux-files/linux-libre/5.2-x86_64.conf @@ -1168,8 +1168,8 @@ CONFIG_NF_NAT_MASQUERADE=y CONFIG_NETFILTER_SYNPROXY=m CONFIG_NF_TABLES=m CONFIG_NF_TABLES_SET=m -# CONFIG_NF_TABLES_INET is not set -# CONFIG_NF_TABLES_NETDEV is not set +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_FLOW_OFFLOAD=m @@ -1179,17 +1179,25 @@ CONFIG_NFT_LOG=m CONFIG_NFT_LIMIT=m CONFIG_NFT_MASQ=m CONFIG_NFT_REDIR=m +CONFIG_NFT_NAT=m CONFIG_NFT_TUNNEL=m CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m +CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m CONFIG_NFT_HASH=m +CONFIG_NFT_FIB=m +CONFIG_NFT_FIB_INET=m CONFIG_NFT_XFRM=m CONFIG_NFT_SOCKET=m CONFIG_NFT_OSF=m CONFIG_NFT_TPROXY=m +CONFIG_NF_DUP_NETDEV=m +CONFIG_NFT_DUP_NETDEV=m +CONFIG_NFT_FWD_NETDEV=m +CONFIG_NFT_FIB_NETDEV=m CONFIG_NF_FLOW_TABLE_INET=m CONFIG_NF_FLOW_TABLE=m CONFIG_NETFILTER_XTABLES=m @@ -1356,8 +1364,11 @@ CONFIG_IP_VS_PE_SIP=m CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_SOCKET_IPV4=m CONFIG_NF_TPROXY_IPV4=m -# CONFIG_NF_TABLES_IPV4 is not set -# CONFIG_NF_TABLES_ARP is not set +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_FIB_IPV4=m +CONFIG_NF_TABLES_ARP=y CONFIG_NF_FLOW_TABLE_IPV4=m CONFIG_NF_DUP_IPV4=m CONFIG_NF_LOG_ARP=m @@ -1394,7 +1405,10 @@ CONFIG_IP_NF_ARP_MANGLE=m # CONFIG_NF_SOCKET_IPV6=m CONFIG_NF_TPROXY_IPV6=m -# CONFIG_NF_TABLES_IPV6 is not set +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_REJECT_IPV6=m +CONFIG_NFT_DUP_IPV6=m +CONFIG_NFT_FIB_IPV6=m CONFIG_NF_FLOW_TABLE_IPV6=m CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m @@ -1430,7 +1444,9 @@ CONFIG_NF_DEFRAG_IPV6=m CONFIG_DECNET_NF_GRABULATOR=m # end of DECnet: Netfilter Configuration -# CONFIG_NF_TABLES_BRIDGE is not set +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_REJECT=m +CONFIG_NF_LOG_BRIDGE=m CONFIG_BRIDGE_NF_EBTABLES=m CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_T_FILTER=m -- 2.19.2 --=-=-= Content-Type: text/plain I also use 'make nconfig' for 4.14, and the result is okay, so I guess since 4.19, those nftables families have to be enabled as 'y', while previously they can be built as modules. Is it fine to only update kernel configurations for intel architectures? --=-=-=--