On 2022-08-05 16:29, Randy MacLeod wrote:
Add an nft_test.scc file, which includes both nf_tables.cfg and a newly
added nft_test.cfg file.

The nft_test.scc file includes nftables.scc and also enables more nftables
features.

Previously 27/310 of the nftables ptests failed, due to missing kernel modules.
It's impossible to know which nftables features will be used so add more configs
in a new scc file to ensure that most nftables features used by nft work.

The added features are:

NF_CONNTRACK_TIMEOUT
   enables support for connection tracking timeout extension.
   This allows you to attach timeout policies to flow via the CT target.

NFT_FLOW_OFFLOAD
   adds the "flow_offload" expression that you can use to choose what flows
   are placed into the hardware.

NF_FLOW_TABLE
   adds the flow table core infrastructure.

NF_FLOW_TABLE_INET
   adds the flow table mixed IPv4/IPv6 support.

NFT_NUMGEN
   adds the number generator expression used to perform incremental
   counting and random numbers bound to an upper limit.

NFT_OSF
   allows matching packets from a specific OS.

NFT_QUOTA
   adds the "quota" expression that you can use to match enforce bytes quotas.

NFT_SYNPROXY
   The SYNPROXY expression allows you to intercept TCP connections and
   establish them using syncookies before they are passed on to the
   server. This allows to avoid conntrack and server resource usage
   during SYN-flood attacks.

NFT_XFRM
   adds an expression that you can use to extract properties of a packet's
   security association.

This brings the nftables-1.0.4 ptest results from:
    [OK] 283 [FAILED] 27 [TOTAL] 310
to:
    [OK] 310 [FAILED] 0 [TOTAL] 310

Signed-off-by: Aryaman Gupta <[email protected]>
Signed-off-by: Randy MacLeod <[email protected]>
---
  features/nf_tables/nft_test.cfg | 10 ++++++++++
  features/nf_tables/nft_test.scc |  5 +++++
  2 files changed, 15 insertions(+)
  create mode 100644 features/nf_tables/nft_test.cfg
  create mode 100644 features/nf_tables/nft_test.scc

diff --git a/features/nf_tables/nft_test.cfg b/features/nf_tables/nft_test.cfg
new file mode 100644
index 00000000..fbebbaba
--- /dev/null
+++ b/features/nf_tables/nft_test.cfg
@@ -0,0 +1,10 @@
+CONFIG_NF_CONNTRACK_TIMEOUT=y
+CONFIG_NF_FLOW_TABLE_INET=m
+CONFIG_NF_FLOW_TABLE=m
+CONFIG_NFT_FLOW_OFFLOAD=m
+CONFIG_NFT_NUMGEN=m
+CONFIG_NFT_OSF=m
+CONFIG_NFT_QUOTA=m
+CONFIG_NFT_SYNPROXY=m
+CONFIG_NFT_XFRM=m
+
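Review bot: the last line of nft_test.cfg is an empty `+` line, so the new file ends with a blank line; drop it so the hunk becomes `+1,9`. Separately, CONFIG_NF_FLOW_TABLE_INET=m is listed ahead of CONFIG_NF_FLOW_TABLE=m, which the commit message describes as the core infrastructure; putting the core option first would make the fragment easier to read. Every option except CONFIG_NF_CONNTRACK_TIMEOUT is set to =m, so it would help to say in the commit message that the ptest image must also have these modules installed for the 310/310 result to reproduce.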
diff --git a/features/nf_tables/nft_test.scc b/features/nf_tables/nft_test.scc
new file mode 100644
index 00000000..38f0030a
--- /dev/null
+++ b/features/nf_tables/nft_test.scc
@@ -0,0 +1,5 @@
+define KFEATURE_DESCRIPTION "Add extra nftables modules"
+define KFEATURE_COMPATIBILITY board

Ugh, this should be all. v3 in a minute.

../Randy

+
+include nf_tables.cfg
+include nft_test.cfg
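Review bot: the two `include` lines at the end of nft_test.scc name .cfg fragments, while the commit message says the file "include nftables.scc". In the kernel-cache .scc syntax, `include` pulls in another .scc and config fragments are applied with `kconf`, so this likely wants `include nf_tables.scc` followed by `kconf non-hardware nft_test.cfg`; the commit message should then name the file that is actually included. `define KFEATURE_COMPATIBILITY board` also needs the change already noted in the reply above for v3.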







--
# Randy MacLeod
# Wind River Linux
