Bug 29852 - Missing kernel options for netfilter
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Thomas Backlund
Reported: 2022-01-06 23:49 CET by Angelo Naselli
Modified: 2022-01-18 18:16 CET
Source RPM: kernel
Description Angelo Naselli 2022-01-06 23:49:00 CET
I was testing firewalld in Cauldron and having some problems. I investigated a bit, asking their developers, and they found we were missing some
CONFIG_NFT_* Kconfig options in our kernel.

One that is needed, for instance, is CONFIG_NF_TABLES_INET; I noticed it isn't set on Mageia 8 either.

In general they suggest setting all nftables, all iptables, all ipset, all conntrack options.
Comment 1 Thomas Backlund 2022-01-07 11:33:50 CET
Yes, I usually try to enable support for all traffic firewalling, but for some reason CONFIG_NF_TABLES_INET was missed...

There is now a kernel-5.15.13-2.mga9 building that should resolve this...
Comment 2 Angelo Naselli 2022-01-07 12:56:44 CET
Thanks tmb!

Just for info, in Mageia 8 (stable):
cat /boot/config-5.15.11-desktop-3.mga8 | grep NF_TA
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_INET is not set
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_ARP=y
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SYNPROXY=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_IFWLOG=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_SYNPROXY=m
CONFIG_IP6_NF_TARGET_MASQUERADE=m
CONFIG_IP6_NF_TARGET_NPT=m
CONFIG_NF_TABLES_BRIDGE=m
I think we should add it there as well. I can't remember how to tag this bug to say mga8 too though....
Comment 3 Thomas Backlund 2022-01-07 13:38:10 CET
Yep, 
I will update mga8 builds too as I'm keeping mga8 and Cauldron in sync for most parts...

But I'm waiting for you to test this before building the mga8 kernels
Comment 4 Angelo Naselli 2022-01-07 13:55:06 CET
Fine! Waiting for mirrors to be updated :)
Comment 5 Angelo Naselli 2022-01-07 15:30:55 CET
The tests that failed now work! As far as I can tell, this kernel fixed the original problem. Thanks.
Do you need me to test it on Mageia 8 or to close this issue?
Comment 6 Thomas Backlund 2022-01-07 16:09:47 CET
You can close it if you want ...

I've committed the same changes to mga8 svn:
http://svnweb.mageia.org/packages?view=revision&revision=1767196

so it will be part of next mga8 build
Comment 7 Angelo Naselli 2022-01-07 17:24:35 CET
Fine for me, closing.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 Thomas Backlund 2022-01-18 18:16:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0021.html
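
Added example, not part of the original bug thread or of Mageia's packaging: a POSIX shell check that reports which of the nftables family options seen in comment 2's grep output are not enabled in a kernel config file. The function names and the NFT_FAMILIES variable are assumptions made here; the embedded sample is an excerpt of the config quoted in comment 2.

```shell
# Print one option's state: "y", "m", "unset" (explicit "is not set") or "absent".
kconfig_state() {
    file=$1 opt=$2
    # Anchor the match so CONFIG_NF_TABLES does not also match CONFIG_NF_TABLES_INET.
    val=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$file" | head -n 1)
    if [ -n "$val" ]; then
        echo "$val"
    elif grep -q "^# ${opt} is not set\$" "$file"; then
        echo unset
    else
        echo absent
    fi
}

# Print each listed option that is neither built in nor a module; return 1 if any.
kconfig_missing() {
    file=$1; shift
    rc=0
    for opt in "$@"; do
        state=$(kconfig_state "$file" "$opt")
        case $state in
            y|m) ;;
            *) echo "$opt: $state"; rc=1 ;;
        esac
    done
    return $rc
}

# Option names taken from the grep output in comment 2.
NFT_FAMILIES="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NF_TABLES_NETDEV CONFIG_NF_TABLES_IPV4 CONFIG_NF_TABLES_IPV6 CONFIG_NF_TABLES_ARP CONFIG_NF_TABLES_BRIDGE"

# Sample input: excerpt of the mga8 config quoted in comment 2.
sample_config() {
    cat <<'EOF'
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_INET is not set
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NF_TABLES_BRIDGE=m
EOF
}

# Demo on the sample; pass a real file such as /boot/config-$(uname -r) instead.
tmp=$(mktemp)
sample_config > "$tmp"
kconfig_missing "$tmp" $NFT_FAMILIES || echo "kernel lacks nftables support listed above"
rm -f "$tmp"
```

Distinguishing "unset" from "absent" matters when comparing kernels: an absent option may simply not exist in that kernel version, while "is not set" means it was available and left disabled.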
