merged. Bruce
In message: [linux-yocto] [kernel-cache][yocto-5.19][PATCH v3] nft: add configs for greater nftables coverage
on 08/08/2022 Randy MacLeod wrote:

> From: Randy MacLeod <[email protected]>
>
> Add an nft_test.scc file, which includes both nf_tables.cfg and a newly
> added nft_test.cfg file.
>
> The nft_test.scc file includes nftables.scc and also enables more nftables
> features.
>
> Previously 26/310 of the nftables ptests failed, due to missing kernel
> modules.
> It's impossible to know which nftables features will be used so add more
> configs in a new scc file to ensure that most nftables features used by
> nft work.
>
> The added features are:
>
> NF_CONNTRACK_TIMEOUT
> enables support for connection tracking timeout extension.
> This allows you to attach timeout policies to flow via the CT target.
>
> NFT_FLOW_OFFLOAD
> adds the "flow_offload" expression that you can use to choose what flows
> are placed into the hardware.
>
> NF_FLOW_TABLE
> adds the flow table core infrastructure.
>
> NF_FLOW_TABLE_INET
> adds the flow table mixed IPv4/IPv6 support.
>
> NFT_NUMGEN
> adds the number generator expression used to perform incremental
> counting and random numbers bound to an upper limit.
>
> NFT_OSF
> allows matching packets from a specific OS.
>
> NFT_QUOTA
> adds the "quota" expression that you can use to match enforce bytes quotas.
>
> NFT_SYNPROXY
> The SYNPROXY expression allows you to intercept TCP connections and
> establish them using syncookies before they are passed on to the
> server. This allows to avoid conntrack and server resource usage
> during SYN-flood attacks.
>
> NFT_XFRM
> adds an expression that you can use to extract properties of a packet's
> security association.
>
> This brings the nftables-1.0.4 ptest results with 5.19.x from:
> [OK] 283 [FAILED] 26 [TOTAL] 310
> to:
> [OK] 310 [FAILED] 0 [TOTAL] 310
>
> Signed-off-by: Aryaman Gupta <[email protected]>
> Signed-off-by: Randy MacLeod <[email protected]> > --- > features/nf_tables/nft_test.cfg | 10 ++++++++++ > features/nf_tables/nft_test.scc | 5 +++++ > 2 files changed, 15 insertions(+) > create mode 100644 features/nf_tables/nft_test.cfg > create mode 100644 features/nf_tables/nft_test.scc > > diff --git a/features/nf_tables/nft_test.cfg b/features/nf_tables/nft_test.cfg > new file mode 100644 > index 00000000..fbebbaba > --- /dev/null > +++ b/features/nf_tables/nft_test.cfg > @@ -0,0 +1,10 @@ > +CONFIG_NF_CONNTRACK_TIMEOUT=y > +CONFIG_NF_FLOW_TABLE_INET=m > +CONFIG_NF_FLOW_TABLE=m > +CONFIG_NFT_FLOW_OFFLOAD=m > +CONFIG_NFT_NUMGEN=m > +CONFIG_NFT_OSF=m > +CONFIG_NFT_QUOTA=m > +CONFIG_NFT_SYNPROXY=m > +CONFIG_NFT_XFRM=m > + > diff --git a/features/nf_tables/nft_test.scc b/features/nf_tables/nft_test.scc > new file mode 100644 > index 00000000..8181c215 > --- /dev/null > +++ b/features/nf_tables/nft_test.scc > @@ -0,0 +1,5 @@ > +define KFEATURE_DESCRIPTION "Add extra nftables modules" > +define KFEATURE_COMPATIBILITY all > + > +include nf_tables.cfg > +include nft_test.cfg > -- > 2.32.0 > > > >
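Review bot: the last added line of features/nf_tables/nft_test.cfg is an empty `+` line, so the new fragment ends with a stray blank line; please drop it. The fragment also carries no comment saying these options exist for nftables ptest coverage, and CONFIG_NF_CONNTRACK_TIMEOUT=y is the only entry that is not =m, so a one-line header comment noting the purpose and why that option is built in would help whoever audits which netfilter code a given image actually ships.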
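Review bot: in features/nf_tables/nft_test.scc, `include nf_tables.cfg` and `include nft_test.cfg` apply `include` to .cfg fragments, and that does not match the commit message, which says the file includes nftables.scc. In kernel-cache feature descriptions `include` is used for other .scc files and fragments are applied with `kconf`, so this probably wants `include nf_tables.scc` followed by `kconf non-hardware nft_test.cfg`. Either way, please make the commit message and the file agree, and confirm the options from both fragments actually land in the final .config.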
