From c1fd98f6267e0188ec0e23d3d1f121a16630b3cc Mon Sep 17 00:00:00 2001 From: Izorkin Date: Mon, 14 Oct 2019 16:41:39 +0300 Subject: [PATCH] nftables: enable all features --- .../linux/kernel/common-config.nix | 27 +++++++++++++------ 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 734509dfd564..10086a1b08dd 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -99,8 +99,6 @@ let networking = { NET = yes; IP_PNP = no; - NETFILTER = yes; - NETFILTER_ADVANCED = yes; IP_VS_PROTO_TCP = yes; IP_VS_PROTO_UDP = yes; IP_VS_PROTO_ESP = yes; @@ -145,12 +143,25 @@ let KEY_DH_OPERATIONS = whenAtLeast "4.7" yes; # needed for nftables - NF_TABLES_INET = whenAtLeast "4.17" yes; - NF_TABLES_NETDEV = whenAtLeast "4.17" yes; - NF_TABLES_IPV4 = whenAtLeast "4.17" yes; - NF_TABLES_ARP = whenAtLeast "4.17" yes; - NF_TABLES_IPV6 = whenAtLeast "4.17" yes; - NF_TABLES_BRIDGE = whenBetween "4.17" "5.3" yes; + # Networking Options + NETFILTER = yes; + NETFILTER_ADVANCED = yes; + # Core Netfilter Configuration + NF_CONNTRACK_ZONES = yes; + NF_CONNTRACK_EVENTS = yes; + NF_CONNTRACK_TIMEOUT = yes; + NF_CONNTRACK_TIMESTAMP = yes; + NETFILTER_NETLINK_GLUE_CT = yes; + NF_TABLES_INET = whenAtLeast "4.19" yes; + NF_TABLES_NETDEV = whenAtLeast "4.19" yes; + # IP: Netfilter Configuration + NF_TABLES_IPV4 = yes; + NF_TABLES_ARP = whenAtLeast "4.19" yes; + # IPv6: Netfilter Configuration + NF_TABLES_IPV6 = yes; + # Bridge Netfilter Configuration + NF_TABLES_BRIDGE = mkMerge [ (whenBetween "4.19" "5.3" yes) + (whenAtLeast "5.3" module) ]; # needed for ss INET_DIAG = yes;