From fa7fbe565ded463f2864f128e8d467d0fd53bdff Mon Sep 17 00:00:00 2001 From: Martin Puppe Date: Thu, 9 Feb 2023 22:36:39 +0100 Subject: nixos/paperless: apply nixpkgs-fmt --- nixos/modules/services/misc/paperless.nix | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 667f16d98f82..71ba8fd7075f 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -24,12 +24,14 @@ let lib.mapAttrs (_: toString) cfg.extraConfig ); - manage = let - setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env); - in pkgs.writeShellScript "manage" '' - ${setupEnv} - exec ${pkg}/bin/paperless-ngx "$@" - ''; + manage = + let + setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env); + in + pkgs.writeShellScript "manage" '' + ${setupEnv} + exec ${pkg}/bin/paperless-ngx "$@" + ''; # Secure the services defaultServiceConfig = { @@ -170,7 +172,7 @@ in extraConfig = mkOption { type = types.attrs; - default = {}; + default = { }; description = lib.mdDoc '' Extra paperless config options. -- cgit 1.4.1 From 857636b0327ad7e092ec6cbd71a7735c885cbebd Mon Sep 17 00:00:00 2001 From: Justinas Stankevicius Date: Sat, 18 Feb 2023 18:43:38 +0200 Subject: teleport: 11.3.4 -> 12.0.2 --- nixos/doc/manual/release-notes/rl-2305.section.md | 2 +- pkgs/servers/teleport/default.nix | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index d50438ddb611..fee0e51184f1 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md 
@@ -105,7 +105,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. -- `teleport` has been upgraded to major version 11. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and [release notes](https://goteleport.com/docs/changelog/#1100). +- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version. It is recommended to first upgrade to an intermediate 11.x version using an overlay before upgrading to version 12. - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation. diff --git a/pkgs/servers/teleport/default.nix b/pkgs/servers/teleport/default.nix index 52c21cb63674..5a714480db3b 100644 --- a/pkgs/servers/teleport/default.nix +++ b/pkgs/servers/teleport/default.nix 
@@ -27,13 +27,13 @@ let owner = "gravitational"; repo = "teleport"; rev = "v${version}"; - hash = "sha256-jJfOgcwKkNFO/5XHxMoapZxM8Tb0kEgKVA7SrMU7uW4="; + hash = "sha256-9RD4ETQEXnj3d5YID3f3BghwitdqfcDgNhsk8ixWTW4="; }; - version = "11.3.4"; + version = "12.0.2"; rdpClient = rustPlatform.buildRustPackage rec { pname = "teleport-rdpclient"; - cargoHash = "sha256-TSIwLCY01ygCWT73LR/Ch7NwPQA3a3r0PyL3hUzBNr4="; + cargoHash = "sha256-1ScU5ywq8vz1sWHW2idBsWcB1Xs+aylukBm96dKrwL4="; inherit version src; buildAndTestSubdir = "lib/srv/desktop/rdp/rdpclient"; @@ -56,7 +56,7 @@ let yarnOfflineCache = fetchYarnDeps { yarnLock = "${src}/yarn.lock"; - hash = "sha256-MAGeWzA366yzpjdCY0+X6RV5MKcsHa/xD5CJu6ce1FU="; + hash = "sha256-ItRi5EkYrwNB1MIf9l3yyK1BX6vNpL2+H1BlN3Evibg="; }; webassets = stdenv.mkDerivation { @@ -95,7 +95,7 @@ buildGoModule rec { pname = "teleport"; inherit src version; - vendorHash = "sha256-NkiFLEHBNjxUOSuAlVugAV14yCCo3z6yhX7LZQFKhvA="; + vendorHash = "sha256-2sOELuMyg7w/rhnWvnwDiUOsjUfb56JdAbrTGKvGnjs="; proxyVendor = true; subPackages = [ "tool/tbot" "tool/tctl" "tool/teleport" "tool/tsh" ]; -- cgit 1.4.1 From ebdfdae156da6d3a94b3e5119f792e33334d6edb Mon Sep 17 00:00:00 2001 From: Martin Puppe Date: Thu, 9 Feb 2023 22:59:50 +0100 Subject: nixos/paperless: download NLTK data Since version 1.10.0 paperless-ngx depends on the NLTK library which is used to pre-process data for machine learning. NLTK needs certain data for stemming, stopword removal etc. This data has to be downloaded first. This commit introduces a new systemd service that does the downloading. --- nixos/modules/services/misc/paperless.nix | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 71ba8fd7075f..4199e7713304 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix 
@@ -6,6 +6,7 @@ let pkg = cfg.package; defaultUser = "paperless"; + nltkDir = "/var/cache/paperless/nltk"; # Don't start a redis instance if the user sets a custom redis connection enableRedis = !hasAttr "PAPERLESS_REDIS" cfg.extraConfig; @@ -15,6 +16,7 @@ let PAPERLESS_DATA_DIR = cfg.dataDir; PAPERLESS_MEDIA_ROOT = cfg.mediaDir; PAPERLESS_CONSUMPTION_DIR = cfg.consumptionDir; + PAPERLESS_NLTK_DIR = nltkDir; GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}"; } // optionalAttrs (config.time.timeZone != null) { PAPERLESS_TIME_ZONE = config.time.timeZone; @@ -49,6 +51,7 @@ let cfg.dataDir cfg.mediaDir ]; + CacheDirectory = "paperless"; CapabilityBoundingSet = ""; # ProtectClock adds DeviceAllow=char-rtc r DeviceAllow = ""; @@ -293,6 +296,33 @@ in }; }; + # Download NLTK corpus data + systemd.services.paperless-download-nltk-data = { + wantedBy = [ "paperless-scheduler.service" ]; + before = [ "paperless-scheduler.service" ]; + after = [ "network-online.target" ]; + serviceConfig = defaultServiceConfig // { + User = cfg.user; + Type = "oneshot"; + # Enable internet access + PrivateNetwork = false; + # Restrict write access + BindPaths = []; + BindReadOnlyPaths = [ + "/nix/store" + "-/etc/resolv.conf" + "-/etc/nsswitch.conf" + "-/etc/ssl/certs" + "-/etc/static/ssl/certs" + "-/etc/hosts" + "-/etc/localtime" + ]; + ExecStart = let pythonWithNltk = pkg.python.withPackages (ps: [ ps.nltk ]); in '' + ${pythonWithNltk}/bin/python -m nltk.downloader -d '${nltkDir}' punkt snowball_data stopwords + ''; + }; + }; + systemd.services.paperless-consumer = { description = "Paperless document consumer"; # Bind to `paperless-scheduler` so that the consumer never runs -- cgit 1.4.1 From 31b5597cbdf327340b361704f02768650de57f38 Mon Sep 17 00:00:00 2001 
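Review bot: The data that `paperless-download-nltk-data` fetches in `ExecStart` is not pinned by any hash in the Nix closure, so what paperless-ngx later loads from `PAPERLESS_NLTK_DIR` depends on what the network returns when the unit runs. As far as I know the `punkt` models are distributed as Python pickles, so the integrity of this download matters more than it would for plain word lists. Consider fetching the three data sets in a fixed-output derivation and pointing `nltkDir` at the resulting store path, which would make this network-enabled unit (`PrivateNetwork = false`) unnecessary. If the runtime download stays, note that `CacheDirectory = "paperless"` is added to `defaultServiceConfig`, so any other unit that merges it can presumably write to the downloaded files. Also, `after = [ "network-online.target" ]` has no matching `wants = [ "network-online.target" ];`, and the unit has no `description`.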
From: Justinas Stankevicius Date: Thu, 23 Feb 2023 20:15:12 +0200 Subject: nixos/teleport: add "package" option --- nixos/doc/manual/release-notes/rl-2305.section.md | 2 +- nixos/modules/services/networking/teleport.nix | 12 +++- nixos/tests/teleport.nix | 82 ++++++++++++++--------- 3 files changed, 60 insertions(+), 36 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index fee0e51184f1..b02065e97221 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md 
@@ -105,7 +105,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. -- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version. It is recommended to first upgrade to an intermediate 11.x version using an overlay before upgrading to version 12. +- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting `services.teleport.package = pkgs.teleport_11`. Afterwards, this option can be removed to upgrade to the default version (12). - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation. 
diff --git a/nixos/modules/services/networking/teleport.nix b/nixos/modules/services/networking/teleport.nix index 6433554f87da..399af711c0e1 100644 --- a/nixos/modules/services/networking/teleport.nix +++ b/nixos/modules/services/networking/teleport.nix @@ -11,6 +11,14 @@ in services.teleport = with lib.types; { enable = mkEnableOption (lib.mdDoc "the Teleport service"); + package = mkOption { + type = types.package; + default = pkgs.teleport; + defaultText = lib.literalMD "pkgs.teleport"; + example = lib.literalMD "pkgs.teleport_11"; + description = lib.mdDoc "The teleport package to use"; + }; + settings = mkOption { type = settingsYaml.type; default = { }; @@ -74,14 +82,14 @@ in }; config = mkIf config.services.teleport.enable { - environment.systemPackages = [ pkgs.teleport ]; + environment.systemPackages = [ cfg.package ]; systemd.services.teleport = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { ExecStart = '' - ${pkgs.teleport}/bin/teleport start \ + ${cfg.package}/bin/teleport start \ ${optionalString cfg.insecure.enable "--insecure"} \ ${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \ ${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"} diff --git a/nixos/tests/teleport.nix b/nixos/tests/teleport.nix index 34bf1bc0c70d..49adb2dd4a41 100644 --- a/nixos/tests/teleport.nix +++ b/nixos/tests/teleport.nix 
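Review bot: `defaultText` and `example` in the new `package` option wrap Nix expressions in `lib.literalMD`, which renders them as Markdown prose rather than code; `lib.literalExpression "pkgs.teleport"` and `lib.literalExpression "pkgs.teleport_11"` are the fitting forms. The description `The teleport package to use` also does not say that an older major is meant only as an upgrade stepping stone, which the release note in this same commit does state. I would extend it to something like `The teleport package to use. Pin an older major such as pkgs.teleport_11 only temporarily while upgrading.` so that hosts are not left on an old major by accident. The option set continues outside the hunk.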
@@ -1,18 +1,28 @@ { system ? builtins.currentSystem , config ? { } , pkgs ? import ../.. { inherit system config; } +, lib ? pkgs.lib }: with import ../lib/testing-python.nix { inherit system pkgs; }; let - minimal = { config, ... }: { - services.teleport.enable = true; + packages = with pkgs; { + "default" = teleport; + "11" = teleport_11; }; - client = { config, ... }: { + minimal = package: { services.teleport = { enable = true; + inherit package; + }; + }; + + client = package: { + services.teleport = { + enable = true; + inherit package; settings = { teleport = { nodename = "client"; @@ -37,9 +47,10 @@ let }]; }; - server = { config, ... }: { + server = package: { services.teleport = { enable = true; + inherit package; settings = { teleport = { nodename = "server"; 
@@ -64,36 +75,41 @@ let }; }; in -{ - minimal = makeTest { - # minimal setup should always work - name = "teleport-minimal-setup"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; - nodes = { inherit minimal; }; +lib.concatMapAttrs + (name: package: { + "minimal_${name}" = makeTest { + # minimal setup should always work + name = "teleport-minimal-setup"; + meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + nodes.minimal = minimal package; - testScript = '' - minimal.wait_for_open_port(3025) - minimal.wait_for_open_port(3080) - minimal.wait_for_open_port(3022) - ''; - }; + testScript = '' + minimal.wait_for_open_port(3025) + minimal.wait_for_open_port(3080) + minimal.wait_for_open_port(3022) + ''; + }; - basic = makeTest { - # basic server and client test - name = "teleport-server-client"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; - nodes = { inherit server client; }; + "basic_${name}" = makeTest { + # basic server and client test + name = "teleport-server-client"; + meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + nodes = { + server = server package; + client = client package; + }; - testScript = '' - with subtest("teleport ready"): - server.wait_for_open_port(3025) - client.wait_for_open_port(3022) + testScript = '' + with subtest("teleport ready"): + server.wait_for_open_port(3025) + client.wait_for_open_port(3022) - with subtest("check applied configuration"): - server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'") - server.wait_for_open_port(3000) - client.succeed("journalctl -u teleport.service --grep='DEBU'") - server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'") - ''; - }; -} + with subtest("check applied configuration"): + server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | 
.metadata.labels.role==\"client\"'") + server.wait_for_open_port(3000) + client.succeed("journalctl -u teleport.service --grep='DEBU'") + server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'") + ''; + }; + }) + packages -- cgit 1.4.1 From e831a3da9883a3bd813d1ab2accaa9a85841461c Mon Sep 17 00:00:00 2001 From: Justinas Stankevicius Date: Tue, 28 Feb 2023 13:08:24 +0200 Subject: nixos/tests/teleport: make justinas the maintainer --- nixos/tests/teleport.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/tests/teleport.nix b/nixos/tests/teleport.nix index 49adb2dd4a41..cdf762b12844 100644 --- a/nixos/tests/teleport.nix +++ b/nixos/tests/teleport.nix @@ -80,7 +80,7 @@ lib.concatMapAttrs "minimal_${name}" = makeTest { # minimal setup should always work name = "teleport-minimal-setup"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + meta.maintainers = with pkgs.lib.maintainers; [ justinas ]; nodes.minimal = minimal package; testScript = '' @@ -93,7 +93,7 @@ lib.concatMapAttrs "basic_${name}" = makeTest { # basic server and client test name = "teleport-server-client"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + meta.maintainers = with pkgs.lib.maintainers; [ justinas ]; nodes = { server = server package; client = client package; -- cgit 1.4.1 From 55da71c10edda3b85f84ab50a34143d760a708d4 Mon Sep 17 00:00:00 2001 From: Yureka Date: Thu, 2 Mar 2023 10:28:01 +0100 Subject: nixos/nftables: add checkRuleset option (#216531) * nixos/nftables: add checkRuleset option * lkl: 2022-05-18 -> 2023-01-27 --- nixos/modules/services/networking/nftables.nix | 51 +++- pkgs/applications/virtualization/lkl/default.nix | 6 +- .../lkl/lkl-defconfig-enable-nftables | 299 +++++++++++++-------- 3 files changed, 236 insertions(+), 120 deletions(-) (limited to 'nixos') 
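Review bot: Both tests generated by `lib.concatMapAttrs` keep a fixed `name` (`"teleport-minimal-setup"` and `"teleport-server-client"`), so the `default` and `11` variants produce tests with identical names and a failure log does not show which Teleport major it came from. Interpolating the attribute key would fix this, for example `name = "teleport-minimal-setup-${name}";` and `name = "teleport-server-client-${name}";`. Inside the `makeTest` argument the attribute set is not recursive, so `${name}` there still refers to the lambda argument.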
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix index bd13e8c9929a..faff1dca89ba 100644 --- a/nixos/modules/services/networking/nftables.nix +++ b/nixos/modules/services/networking/nftables.nix @@ -28,6 +28,32 @@ in . ''; }; + + networking.nftables.checkRuleset = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Run `nft check` on the ruleset to spot syntax errors during build. + Because this is executed in a sandbox, the check might fail if it requires + access to any environmental factors or paths outside the Nix store. + To circumvent this, the ruleset file can be edited using the preCheckRuleset + option to work in the sandbox environment. + ''; + }; + + networking.nftables.preCheckRuleset = mkOption { + type = types.lines; + default = ""; + example = lib.literalExpression '' + sed 's/skgid meadow/skgid nogroup/g' -i ruleset.conf + ''; + description = lib.mdDoc '' + This script gets run before the ruleset is checked. It can be used to + create additional files needed for the ruleset check to work, or modify + the ruleset for cases the build environment cannot cover. + ''; + }; + networking.nftables.ruleset = mkOption { type = types.lines; default = ""; 
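Review bot: The `checkRuleset` description says the build runs `nft check`, but the command added in the service hunk is `nft --check --file ruleset.conf`; the text should name the real flag, for example ``Run `nft --check` on the ruleset to spot syntax errors during build.`` It would also help to state what a passing check means: it runs on a copy that `preCheckRuleset` may have edited, inside the build sandbox, so it catches syntax errors but presumably does not prove that the installed ruleset loads on the target kernel. For `preCheckRuleset` I would add a sentence such as `Edits made here affect only the checked copy, never the installed ruleset.`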
@@ -105,13 +131,24 @@ in wantedBy = [ "multi-user.target" ]; reloadIfChanged = true; serviceConfig = let - rulesScript = pkgs.writeScript "nftables-rules" '' - #! ${pkgs.nftables}/bin/nft -f - flush ruleset - ${if cfg.rulesetFile != null then '' - include "${cfg.rulesetFile}" - '' else cfg.ruleset} - ''; + rulesScript = pkgs.writeTextFile { + name = "nftables-rules"; + executable = true; + text = '' + #! ${pkgs.nftables}/bin/nft -f + flush ruleset + ${if cfg.rulesetFile != null then '' + include "${cfg.rulesetFile}" + '' else cfg.ruleset} + ''; + checkPhase = lib.optionalString cfg.checkRuleset '' + cp $out ruleset.conf + ${cfg.preCheckRuleset} + export NIX_REDIRECTS=/etc/protocols=${pkgs.buildPackages.iana-etc}/etc/protocols:/etc/services=${pkgs.buildPackages.iana-etc}/etc/services + LD_PRELOAD="${pkgs.buildPackages.libredirect}/lib/libredirect.so ${pkgs.buildPackages.lklWithFirewall.lib}/lib/liblkl-hijack.so" \ + ${pkgs.buildPackages.nftables}/bin/nft --check --file ruleset.conf + ''; + }; in { Type = "oneshot"; RemainAfterExit = true; diff --git a/pkgs/applications/virtualization/lkl/default.nix b/pkgs/applications/virtualization/lkl/default.nix index 4a1514cd97a1..0247cd433b04 100644 --- a/pkgs/applications/virtualization/lkl/default.nix +++ b/pkgs/applications/virtualization/lkl/default.nix @@ -6,15 +6,15 @@ stdenv.mkDerivation rec { pname = "lkl"; - version = "2022-05-18"; + version = "2023-01-27"; outputs = [ "dev" "lib" "out" ]; src = fetchFromGitHub { owner = "lkl"; repo = "linux"; - rev = "10c7b5dee8c424cc2ab754e519ecb73350283ff9"; - sha256 = "sha256-D3HQdKzhB172L62a+8884bNhcv7vm/c941wzbYtbf4I="; + rev = "b00f0fbcd5ae24636a9315fea3af32f411cf93be"; + sha256 = "sha256-GZpnTVdcnS5uAUHsVre539+0Qlv36Fui0WGjOPwvWrE="; }; nativeBuildInputs = [ bc bison flex python3 ]; diff --git a/pkgs/applications/virtualization/lkl/lkl-defconfig-enable-nftables b/pkgs/applications/virtualization/lkl/lkl-defconfig-enable-nftables index 8f133938587f..d77cb4d20b74 100644 
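Review bot: The `checkPhase` has no comment explaining why `nft` is run under `LD_PRELOAD` with `libredirect.so` and `liblkl-hijack.so`, which is the least obvious part of this change. A short comment above the `export` line would help the next maintainer, for example `# nft needs a kernel netfilter interface, which the sandbox lacks; liblkl-hijack presumably supplies one in-process, and libredirect maps /etc/protocols and /etc/services to iana-etc.` It is also worth noting in a comment that the check reads `ruleset.conf`, a copy of `$out`, so anything `preCheckRuleset` changes is validated but never installed. The `serviceConfig = let` block continues outside the hunk.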
--- a/pkgs/applications/virtualization/lkl/lkl-defconfig-enable-nftables
+++ b/pkgs/applications/virtualization/lkl/lkl-defconfig-enable-nftables
@@ -1,71 +1,68 @@ +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_RPFILTER=y +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_MATCH_SRH=y +CONFIG_IP6_NF_NAT=y +CONFIG_IP6_NF_RAW=y +CONFIG_IP6_NF_SECURITY=y +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_TARGET_MASQUERADE=y +CONFIG_IP6_NF_TARGET_NPT=y +CONFIG_IP6_NF_TARGET_REJECT=y +CONFIG_IP6_NF_TARGET_SYNPROXY=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +CONFIG_IP_NF_MATCH_RPFILTER=y +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_SECURITY=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_TARGET_REJECT=y +CONFIG_IP_NF_TARGET_SYNPROXY=y +CONFIG_IP_NF_TARGET_TTL=y CONFIG_NETFILTER=y -CONFIG_NF_CONNTRACK=y -CONFIG_NF_LOG_NETDEV=y -CONFIG_NF_CONNTRACK_ZONES=y -CONFIG_NF_CONNTRACK_EVENTS=y -CONFIG_NF_CONNTRACK_TIMEOUT=y -CONFIG_NF_CONNTRACK_TIMESTAMP=y -CONFIG_NF_CONNTRACK_AMANDA=y -CONFIG_NF_CONNTRACK_FTP=y -CONFIG_NF_CONNTRACK_H323=y -CONFIG_NF_CONNTRACK_IRC=y -CONFIG_NF_CONNTRACK_NETBIOS_NS=y -CONFIG_NF_CONNTRACK_SNMP=y -CONFIG_NF_CONNTRACK_PPTP=y -CONFIG_NF_CONNTRACK_SANE=y -CONFIG_NF_CONNTRACK_SIP=y -CONFIG_NF_CONNTRACK_TFTP=y -CONFIG_NF_CT_NETLINK=y -CONFIG_NF_CT_NETLINK_TIMEOUT=y -CONFIG_NF_CT_NETLINK_HELPER=y +CONFIG_NETFILTER_ADVANCED=y +CONFIG_NETFILTER_CONNCOUNT=y +CONFIG_NETFILTER_EGRESS=y +CONFIG_NETFILTER_FAMILY_ARP=y +CONFIG_NETFILTER_FAMILY_BRIDGE=y +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK_ACCT=y CONFIG_NETFILTER_NETLINK_GLUE_CT=y -CONFIG_NF_TABLES=y 
-CONFIG_NF_TABLES_INET=y -CONFIG_NF_TABLES_NETDEV=y -CONFIG_NFT_NUMGEN=y -CONFIG_NFT_CT=y -CONFIG_NFT_COUNTER=y -CONFIG_NFT_CONNLIMIT=y -CONFIG_NFT_LOG=y -CONFIG_NFT_LIMIT=y -CONFIG_NFT_MASQ=y -CONFIG_NFT_REDIR=y -CONFIG_NFT_NAT=y -CONFIG_NFT_TUNNEL=y -CONFIG_NFT_OBJREF=y -CONFIG_NFT_QUEUE=y -CONFIG_NFT_QUOTA=y -CONFIG_NFT_REJECT=y -CONFIG_NFT_COMPAT=y -CONFIG_NFT_HASH=y -CONFIG_NFT_FIB_INET=y -CONFIG_NFT_SOCKET=y -CONFIG_NFT_OSF=y -CONFIG_NFT_TPROXY=y -CONFIG_NFT_SYNPROXY=y -CONFIG_NFT_DUP_NETDEV=y -CONFIG_NFT_FWD_NETDEV=y -CONFIG_NFT_FIB_NETDEV=y -CONFIG_NF_FLOW_TABLE_INET=y -CONFIG_NF_FLOW_TABLE=y -CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y -CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y -CONFIG_NETFILTER_XT_TARGET_CONNMARK=y -CONFIG_NETFILTER_XT_TARGET_DSCP=y -CONFIG_NETFILTER_XT_TARGET_HMARK=y -CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y -CONFIG_NETFILTER_XT_TARGET_LOG=y -CONFIG_NETFILTER_XT_TARGET_MARK=y -CONFIG_NETFILTER_XT_TARGET_NFLOG=y -CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y -CONFIG_NETFILTER_XT_TARGET_NOTRACK=y -CONFIG_NETFILTER_XT_TARGET_TEE=y -CONFIG_NETFILTER_XT_TARGET_TPROXY=y -CONFIG_NETFILTER_XT_TARGET_TRACE=y -CONFIG_NETFILTER_XT_TARGET_TCPMSS=y -CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y +CONFIG_NETFILTER_NETLINK_HOOK=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NETFILTER_NETLINK_OSF=y +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK=y +CONFIG_NETFILTER_SKIP_EGRESS=y +CONFIG_NETFILTER_SYNPROXY=y +CONFIG_NETFILTER_XTABLES_COMPAT=y +CONFIG_NETFILTER_XTABLES=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_MARK=y CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y CONFIG_NETFILTER_XT_MATCH_BPF=y +CONFIG_NETFILTER_XT_MATCH_CGROUP=y CONFIG_NETFILTER_XT_MATCH_CLUSTER=y CONFIG_NETFILTER_XT_MATCH_COMMENT=y CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y 
@@ -77,11 +74,14 @@ CONFIG_NETFILTER_XT_MATCH_CPU=y CONFIG_NETFILTER_XT_MATCH_DCCP=y CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y CONFIG_NETFILTER_XT_MATCH_ESP=y CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y CONFIG_NETFILTER_XT_MATCH_IPCOMP=y CONFIG_NETFILTER_XT_MATCH_IPRANGE=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y CONFIG_NETFILTER_XT_MATCH_L2TP=y CONFIG_NETFILTER_XT_MATCH_LENGTH=y CONFIG_NETFILTER_XT_MATCH_LIMIT=y @@ -91,7 +91,9 @@ CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y CONFIG_NETFILTER_XT_MATCH_NFACCT=y CONFIG_NETFILTER_XT_MATCH_OSF=y CONFIG_NETFILTER_XT_MATCH_OWNER=y +CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_POLICY=y CONFIG_NETFILTER_XT_MATCH_QUOTA=y CONFIG_NETFILTER_XT_MATCH_RATEEST=y CONFIG_NETFILTER_XT_MATCH_REALM=y 
@@ -104,52 +106,129 @@ CONFIG_NETFILTER_XT_MATCH_STRING=y CONFIG_NETFILTER_XT_MATCH_TCPMSS=y CONFIG_NETFILTER_XT_MATCH_TIME=y CONFIG_NETFILTER_XT_MATCH_U32=y -CONFIG_NFT_DUP_IPV4=y -CONFIG_NFT_FIB_IPV4=y -CONFIG_NF_TABLES_ARP=y -CONFIG_NF_FLOW_TABLE_IPV4=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_SET=y +CONFIG_NETFILTER_XT_TARGET_AUDIT=y +CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +CONFIG_NETFILTER_XT_TARGET_HMARK=y +CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y +CONFIG_NETFILTER_XT_TARGET_LED=y +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +CONFIG_NETFILTER_XT_TARGET_RATEEST=y +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +CONFIG_NETFILTER_XT_TARGET_SECMARK=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y +CONFIG_NETFILTER_XT_TARGET_TEE=y +CONFIG_NETFILTER_XT_TARGET_TPROXY=y +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NF_CONNTRACK_AMANDA=y +CONFIG_NF_CONNTRACK_BRIDGE=y +CONFIG_NF_CONNTRACK_BROADCAST=y +CONFIG_NF_CONNTRACK_EVENTS=y +CONFIG_NF_CONNTRACK_FTP=y +CONFIG_NF_CONNTRACK_H323=y +CONFIG_NF_CONNTRACK_IRC=y +CONFIG_NF_CONNTRACK_LABELS=y +CONFIG_NF_CONNTRACK_MARK=y +CONFIG_NF_CONNTRACK_NETBIOS_NS=y +CONFIG_NF_CONNTRACK_PPTP=y +CONFIG_NF_CONNTRACK_SANE=y +CONFIG_NF_CONNTRACK_SECMARK=y +CONFIG_NF_CONNTRACK_SIP=y +CONFIG_NF_CONNTRACK_SNMP=y +CONFIG_NF_CONNTRACK_TFTP=y +CONFIG_NF_CONNTRACK_TIMEOUT=y +CONFIG_NF_CONNTRACK_TIMESTAMP=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_CONNTRACK_ZONES=y +CONFIG_NF_CT_NETLINK_HELPER=y +CONFIG_NF_CT_NETLINK_TIMEOUT=y +CONFIG_NF_CT_NETLINK=y +CONFIG_NF_CT_PROTO_DCCP=y +CONFIG_NF_CT_PROTO_GRE=y 
+CONFIG_NF_CT_PROTO_SCTP=y +CONFIG_NF_CT_PROTO_UDPLITE=y +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_DUP_IPV4=y +CONFIG_NF_DUP_IPV6=y +CONFIG_NF_DUP_NETDEV=y +CONFIG_NF_FLOW_TABLE_INET=y +CONFIG_NF_FLOW_TABLE=y CONFIG_NF_LOG_ARP=y -CONFIG_IP_NF_IPTABLES=y -CONFIG_IP_NF_MATCH_AH=y -CONFIG_IP_NF_MATCH_ECN=y -CONFIG_IP_NF_MATCH_RPFILTER=y -CONFIG_IP_NF_MATCH_TTL=y -CONFIG_IP_NF_FILTER=y -CONFIG_IP_NF_TARGET_REJECT=y -CONFIG_IP_NF_TARGET_SYNPROXY=y -CONFIG_IP_NF_NAT=y -CONFIG_IP_NF_TARGET_MASQUERADE=y -CONFIG_IP_NF_TARGET_NETMAP=y -CONFIG_IP_NF_TARGET_REDIRECT=y -CONFIG_IP_NF_MANGLE=y -CONFIG_IP_NF_TARGET_CLUSTERIP=y -CONFIG_IP_NF_TARGET_ECN=y -CONFIG_IP_NF_TARGET_TTL=y -CONFIG_IP_NF_RAW=y -CONFIG_IP_NF_ARPTABLES=y -CONFIG_IP_NF_ARPFILTER=y -CONFIG_IP_NF_ARP_MANGLE=y +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_LOG_SYSLOG=y +CONFIG_NF_NAT_AMANDA=y +CONFIG_NF_NAT_FTP=y +CONFIG_NF_NAT_H323=y +CONFIG_NF_NAT_IRC=y +CONFIG_NF_NAT_MASQUERADE=y +CONFIG_NF_NAT_PPTP=y +CONFIG_NF_NAT_REDIRECT=y +CONFIG_NF_NAT_SIP=y +CONFIG_NF_NAT_SNMP_BASIC=y +CONFIG_NF_NAT_TFTP=y +CONFIG_NF_NAT=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_SOCKET_IPV4=y +CONFIG_NF_SOCKET_IPV6=y +CONFIG_NF_TABLES_ARP=y +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_IPV4=y +CONFIG_NF_TABLES_IPV6=y +CONFIG_NF_TABLES_NETDEV=y +CONFIG_NF_TABLES=y +CONFIG_NFT_BRIDGE_META=y +CONFIG_NFT_BRIDGE_REJECT=y +CONFIG_NFT_COMPAT=y +CONFIG_NFT_CONNLIMIT=y +CONFIG_NFT_CT=y +CONFIG_NFT_DUP_IPV4=y CONFIG_NFT_DUP_IPV6=y +CONFIG_NFT_DUP_NETDEV=y +CONFIG_NFT_FIB_INET=y +CONFIG_NFT_FIB_IPV4=y CONFIG_NFT_FIB_IPV6=y -CONFIG_NF_FLOW_TABLE_IPV6=y -CONFIG_IP6_NF_IPTABLES=y -CONFIG_IP6_NF_MATCH_AH=y -CONFIG_IP6_NF_MATCH_EUI64=y -CONFIG_IP6_NF_MATCH_FRAG=y -CONFIG_IP6_NF_MATCH_OPTS=y -CONFIG_IP6_NF_MATCH_HL=y -CONFIG_IP6_NF_MATCH_IPV6HEADER=y -CONFIG_IP6_NF_MATCH_MH=y -CONFIG_IP6_NF_MATCH_RPFILTER=y -CONFIG_IP6_NF_MATCH_RT=y -CONFIG_IP6_NF_MATCH_SRH=y 
-CONFIG_IP6_NF_TARGET_HL=y -CONFIG_IP6_NF_FILTER=y -CONFIG_IP6_NF_TARGET_REJECT=y -CONFIG_IP6_NF_TARGET_SYNPROXY=y -CONFIG_IP6_NF_MANGLE=y -CONFIG_IP6_NF_RAW=y -CONFIG_IP6_NF_NAT=y -CONFIG_IP6_NF_TARGET_MASQUERADE=y -CONFIG_IP6_NF_TARGET_NPT=y -CONFIG_NF_CONNTRACK_BRIDGE=y +CONFIG_NFT_FIB_NETDEV=y +CONFIG_NFT_FIB=y +CONFIG_NFT_FLOW_OFFLOAD=y +CONFIG_NFT_FWD_NETDEV=y +CONFIG_NFT_HASH=y +CONFIG_NFT_LIMIT=y +CONFIG_NFT_LOG=y +CONFIG_NFT_MASQ=y +CONFIG_NFT_NAT=y +CONFIG_NFT_NUMGEN=y +CONFIG_NFT_OBJREF=y +CONFIG_NFT_OSF=y +CONFIG_NF_TPROXY_IPV4=y +CONFIG_NF_TPROXY_IPV6=y +CONFIG_NFT_QUEUE=y +CONFIG_NFT_QUOTA=y +CONFIG_NFT_REDIR=y +CONFIG_NFT_REJECT_INET=y +CONFIG_NFT_REJECT_IPV4=y +CONFIG_NFT_REJECT_IPV6=y +CONFIG_NFT_REJECT_NETDEV=y +CONFIG_NFT_REJECT=y +CONFIG_NFT_SOCKET=y +CONFIG_NFT_SYNPROXY=y +CONFIG_NFT_TPROXY=y +CONFIG_NFT_TUNNEL=y +CONFIG_NFT_XFRM=y -- cgit 1.4.1