From 9a9fe6a2f79787af07191601760b1dabe2c02b3b Mon Sep 17 00:00:00 2001 From: Stephen Akinyemi Date: Thu, 23 Apr 2026 21:26:19 +0100 Subject: [PATCH 1/2] feat(config): enable netfilter, bridge, VLAN and VXLAN for container networking Turn on the kernel primitives needed for container runtimes (Docker, Podman, CNI) and Tailscale to function inside the guest. Applied to all three architecture configs (x86_64, aarch64, riscv64) so behavior is uniform across builds. Netfilter: - Core framework, conntrack, NAT (with REDIRECT and MASQUERADE) - nftables engine with inet and bridge families, plus CT/LOG/LIMIT/ MASQ/REDIR/NAT/REJECT/COMPAT verbs and bridge conntrack - Legacy iptables/ip6tables (filter, mangle, nat) with REJECT, MASQUERADE and REDIRECT targets - xtables matches (addrtype, comment, conntrack, limit, multiport, state) and shared MARK/LOG/CHECKSUM/SET targets - ipset with the four common hash shapes (ip, ipport, net, netport) L2 networking: - CONFIG_BRIDGE + CONFIG_BRIDGE_NETFILTER so docker0-style bridges can have iptables/nftables rules applied to bridged traffic - CONFIG_VLAN_8021Q for 802.1Q VLAN tagging - CONFIG_VXLAN for L2-over-UDP overlay networks used by Docker Swarm, Flannel, Weave and Cilium Since CONFIG_MODULES is off, every option is built-in (=y); olddefconfig will resolve any remaining dependencies at build time. --- config-libkrunfw_aarch64 | 72 +++++++++++++++++++++++++++++++++++++--- config-libkrunfw_riscv64 | 72 +++++++++++++++++++++++++++++++++++++--- config-libkrunfw_x86_64 | 72 +++++++++++++++++++++++++++++++++++++--- 3 files changed, 204 insertions(+), 12 deletions(-) diff --git a/config-libkrunfw_aarch64 b/config-libkrunfw_aarch64 index 1ed24be..3262f16 100644 --- a/config-libkrunfw_aarch64 +++ b/config-libkrunfw_aarch64 
@@ -968,7 +968,70 @@ CONFIG_IPV6_FOU=y
 # CONFIG_NETWORK_SECMARK is not set
 CONFIG_NET_PTP_CLASSIFY=y
 CONFIG_NETWORK_PHY_TIMESTAMPING=y
-# CONFIG_NETFILTER is not set
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_REDIRECT=y
+CONFIG_NF_NAT_MASQUERADE=y
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_BRIDGE=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_BRIDGE_META=y
+CONFIG_NFT_BRIDGE_REJECT=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_REJECT_INET=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NF_CONNTRACK_BRIDGE=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XT_SET=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NF_LOG_SYSLOG=y
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NFT_REJECT_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NFT_REJECT_IPV6=y
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_NAT=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
 # CONFIG_BPFILTER is not set
 # CONFIG_IP_DCCP is not set
 # CONFIG_IP_SCTP is not set
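Review bot: Every nf_tables and xtables verb added here (from `CONFIG_NF_TABLES=y` down to `CONFIG_IP6_NF_TARGET_MASQUERADE=y`) becomes reachable by any process holding CAP_NET_ADMIN in its own network namespace, and if this config also has CONFIG_USER_NS enabled — not visible in this hunk — that includes unprivileged guest users via unshare(CLONE_NEWUSER|CLONE_NEWNET), which is exactly the path several widely exploited nf_tables privilege-escalation bugs have needed. The blast radius is the guest rather than the host, but it is still a large kernel-attack-surface delta that the commit message does not mention. I would either record that trade-off in the message or, if rootless containers are not a requirement for this firmware, keep user namespaces off so the netfilter control plane stays root-only. The same point applies verbatim to the riscv64 and x86_64 hunks.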
@@ -976,9 +1039,10 @@ CONFIG_NETWORK_PHY_TIMESTAMPING=y
 # CONFIG_TIPC is not set
 # CONFIG_ATM is not set
 # CONFIG_L2TP is not set
-# CONFIG_BRIDGE is not set
+CONFIG_BRIDGE=y
+CONFIG_BRIDGE_NETFILTER=y
 # CONFIG_NET_DSA is not set
-# CONFIG_VLAN_8021Q is not set
+CONFIG_VLAN_8021Q=y
 # CONFIG_LLC2 is not set
 # CONFIG_ATALK is not set
 # CONFIG_X25 is not set
@@ -1392,7 +1456,7 @@ CONFIG_NET_CORE=y
 # CONFIG_NET_TEAM is not set
 # CONFIG_MACVLAN is not set
 # CONFIG_IPVLAN is not set
-# CONFIG_VXLAN is not set
+CONFIG_VXLAN=y
 # CONFIG_GENEVE is not set
 # CONFIG_BAREUDP is not set
 # CONFIG_GTP is not set
diff --git a/config-libkrunfw_riscv64 b/config-libkrunfw_riscv64
index 812b4b4..dc41e44 100644
--- a/config-libkrunfw_riscv64
+++ b/config-libkrunfw_riscv64
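Review bot: `CONFIG_BRIDGE_NETFILTER=y` built in (there are no modules in this config) means br_netfilter's hooks are registered at boot and its sysctls net.bridge.bridge-nf-call-iptables / -ip6tables / -arptables start at their kernel default of 1, so every frame crossing a guest bridge is pushed through the IPv4/IPv6 netfilter hooks and conntrack whether or not any rule asks for it. Docker and kube-proxy do depend on that, but it also makes bridged container-to-container traffic subject to the FORWARD chain and to conntrack table limits, and a Tailscale-only guest pays that cost for nothing. I would have the guest init set those three sysctls explicitly to what the chosen runtime needs instead of inheriting the default, and state the default in the commit message. The riscv64 and x86_64 bridge hunks are identical and get the same remark.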
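Review bot: `CONFIG_VXLAN=y` adds an overlay that has no authentication or encryption of its own: anything that can reach the VXLAN UDP port (4789 by default) can inject arbitrary L2 frames into the overlay and choose any VNI, so the isolation of a Swarm/Flannel-style network on this kernel rests entirely on what fences that port. Since the same series enables netfilter, the commit should say whether the expectation is that the runtime installs an ingress rule restricting VXLAN to known peers, or that the overlay is carried inside the Tailscale/WireGuard tunnel; as written nothing in the config enforces either. A one-line addition to the commit message naming that assumption would be enough. Same remark for the riscv64 and x86_64 VXLAN hunks.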
@@ -816,16 +816,80 @@ CONFIG_IPV6_FOU=y
 # CONFIG_NETWORK_SECMARK is not set
 CONFIG_NET_PTP_CLASSIFY=y
 CONFIG_NETWORK_PHY_TIMESTAMPING=y
-# CONFIG_NETFILTER is not set
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_REDIRECT=y
+CONFIG_NF_NAT_MASQUERADE=y
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_BRIDGE=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_BRIDGE_META=y
+CONFIG_NFT_BRIDGE_REJECT=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_REJECT_INET=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NF_CONNTRACK_BRIDGE=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XT_SET=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NF_LOG_SYSLOG=y
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NFT_REJECT_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NFT_REJECT_IPV6=y
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_NAT=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
 # CONFIG_IP_DCCP is not set
 # CONFIG_IP_SCTP is not set
 # CONFIG_RDS is not set
 # CONFIG_TIPC is not set
 # CONFIG_ATM is not set
 # CONFIG_L2TP is not set
-# CONFIG_BRIDGE is not set
+CONFIG_BRIDGE=y
+CONFIG_BRIDGE_NETFILTER=y
 # CONFIG_NET_DSA is not set
-# CONFIG_VLAN_8021Q is not set
+CONFIG_VLAN_8021Q=y
 # CONFIG_LLC2 is not set
 # CONFIG_ATALK is not set
 # CONFIG_X25 is not set
@@ -1257,7 +1321,7 @@ CONFIG_NET_CORE=y
 # CONFIG_NET_TEAM is not set
 # CONFIG_MACVLAN is not set
 # CONFIG_IPVLAN is not set
-# CONFIG_VXLAN is not set
+CONFIG_VXLAN=y
 # CONFIG_GENEVE is not set
 # CONFIG_BAREUDP is not set
 # CONFIG_GTP is not set
diff --git a/config-libkrunfw_x86_64 b/config-libkrunfw_x86_64
index db8fda9..eb53cc3 100644
--- a/config-libkrunfw_x86_64
+++ b/config-libkrunfw_x86_64
@@ -872,7 +872,70 @@ CONFIG_IPV6=y
 CONFIG_NETWORK_SECMARK=y
 CONFIG_NET_PTP_CLASSIFY=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
-# CONFIG_NETFILTER is not set
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_REDIRECT=y
+CONFIG_NF_NAT_MASQUERADE=y
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_BRIDGE=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_BRIDGE_META=y
+CONFIG_NFT_BRIDGE_REJECT=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_REJECT_INET=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NF_CONNTRACK_BRIDGE=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XT_SET=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NF_LOG_SYSLOG=y
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NFT_REJECT_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NFT_REJECT_IPV6=y
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_NAT=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
 # CONFIG_BPFILTER is not set
 # CONFIG_IP_DCCP is not set
 # CONFIG_IP_SCTP is not set
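Review bot: The commit message says behaviour is now uniform across the three builds, but the context line `CONFIG_NETWORK_SECMARK=y` at the top of this hunk shows x86_64 carries LSM packet labelling that the aarch64 and riscv64 hunks leave as `# CONFIG_NETWORK_SECMARK is not set`. That divergence predates this series, but enabling netfilter is what makes it observable: any SECMARK/CONNSECMARK-based policy, or an xt_SECMARK target someone adds later on top of this list, will only be buildable on x86_64. Either align the symbol across the three files in this series, or soften the uniformity claim in the message so the next person does not assume the netfilter feature set is identical.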
@@ -880,9 +943,10 @@ CONFIG_NET_PTP_CLASSIFY=y
 # CONFIG_TIPC is not set
 # CONFIG_ATM is not set
 # CONFIG_L2TP is not set
-# CONFIG_BRIDGE is not set
+CONFIG_BRIDGE=y
+CONFIG_BRIDGE_NETFILTER=y
 # CONFIG_NET_DSA is not set
-# CONFIG_VLAN_8021Q is not set
+CONFIG_VLAN_8021Q=y
 # CONFIG_LLC2 is not set
 # CONFIG_ATALK is not set
 # CONFIG_X25 is not set
@@ -1127,7 +1191,7 @@ CONFIG_NET_CORE=y
 # CONFIG_NET_TEAM is not set
 # CONFIG_MACVLAN is not set
 # CONFIG_IPVLAN is not set
-# CONFIG_VXLAN is not set
+CONFIG_VXLAN=y
 # CONFIG_GENEVE is not set
 # CONFIG_BAREUDP is not set
 # CONFIG_GTP is not set

From 706a51132eca6a61427e3dd1c5d434cc5d651fb9 Mon Sep 17 00:00:00 2001
From: Stephen Akinyemi
Date: Sat, 25 Apr 2026 17:24:43 +0100
Subject: [PATCH 2/2] feat(config): add raw tables, conntrack netlink, IPVS xt match and POSIX mqueue

Round out the netfilter surface and enable POSIX message queues:
- CONFIG_IP_NF_RAW + CONFIG_IP6_NF_RAW for the raw table (NOTRACK rules and pre-conntrack mangling)
- CONFIG_NF_CT_NETLINK so userspace tools (conntrack-tools, conntrackd, systemd-networkd, libnetfilter_conntrack) can read and modify the conntrack table over netlink
- CONFIG_NETFILTER_XT_MATCH_IPVS for matching IPVS connections via iptables/nftables
- CONFIG_POSIX_MQUEUE on x86_64 (already on for aarch64 and riscv64) for POSIX message queue IPC
Applied uniformly across all three architecture configs where relevant.

---
 config-libkrunfw_aarch64 | 4 ++++
 config-libkrunfw_riscv64 | 4 ++++
 config-libkrunfw_x86_64 | 6 +++++-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/config-libkrunfw_aarch64 b/config-libkrunfw_aarch64
index 3262f16..99e2961 100644
--- a/config-libkrunfw_aarch64
+++ b/config-libkrunfw_aarch64
@@ -972,6 +972,7 @@ CONFIG_NETFILTER=y
 CONFIG_NETFILTER_ADVANCED=y
 CONFIG_NETFILTER_NETLINK=y
 CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CT_NETLINK=y
 CONFIG_NF_NAT=y
 CONFIG_NF_NAT_REDIRECT=y
 CONFIG_NF_NAT_MASQUERADE=y
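Review bot: `CONFIG_NF_CT_NETLINK=y` only gives conntrack-tools the dump/create/delete side of the table; the event stream that conntrackd's sync mode and `conntrack -E` depend on comes from CONFIG_NF_CONNTRACK_EVENTS, which does not appear in this hunk and is a symbol olddefconfig may leave at its default once NETFILTER_ADVANCED becomes visible. Please check the resolved .config for `CONFIG_NF_CONNTRACK_EVENTS=y` if conntrackd is really a target, and say so in the message if it is deliberately left out. Worth a sentence there too that this interface lets any CAP_NET_ADMIN holder in the namespace rewrite NAT state for every flow in it, so the runtime should not hand that capability to workload containers. The riscv64 and x86_64 NF_CT_NETLINK hunks are identical.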
@@ -1009,6 +1010,7 @@ CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
 CONFIG_NETFILTER_XT_MATCH_LIMIT=y
 CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
 CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_IPVS=y
 CONFIG_NF_LOG_SYSLOG=y
 CONFIG_NF_DEFRAG_IPV4=y
 CONFIG_NF_TABLES_IPV4=y
@@ -1021,6 +1023,7 @@ CONFIG_IP_NF_TARGET_REJECT=y
 CONFIG_IP_NF_NAT=y
 CONFIG_IP_NF_TARGET_MASQUERADE=y
 CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_RAW=y
 CONFIG_NF_DEFRAG_IPV6=y
 CONFIG_NF_TABLES_IPV6=y
 CONFIG_NFT_REJECT_IPV6=y
@@ -1032,6 +1035,7 @@ CONFIG_IP6_NF_MANGLE=y
 CONFIG_IP6_NF_TARGET_REJECT=y
 CONFIG_IP6_NF_NAT=y
 CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_RAW=y
 # CONFIG_BPFILTER is not set
 # CONFIG_IP_DCCP is not set
 # CONFIG_IP_SCTP is not set
diff --git a/config-libkrunfw_riscv64 b/config-libkrunfw_riscv64
index dc41e44..cc4cb39 100644
--- a/config-libkrunfw_riscv64
+++ b/config-libkrunfw_riscv64
@@ -820,6 +820,7 @@ CONFIG_NETFILTER=y
 CONFIG_NETFILTER_ADVANCED=y
 CONFIG_NETFILTER_NETLINK=y
 CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CT_NETLINK=y
 CONFIG_NF_NAT=y
 CONFIG_NF_NAT_REDIRECT=y
 CONFIG_NF_NAT_MASQUERADE=y
@@ -857,6 +858,7 @@ CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
 CONFIG_NETFILTER_XT_MATCH_LIMIT=y
 CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
 CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_IPVS=y
 CONFIG_NF_LOG_SYSLOG=y
 CONFIG_NF_DEFRAG_IPV4=y
 CONFIG_NF_TABLES_IPV4=y
@@ -869,6 +871,7 @@ CONFIG_IP_NF_TARGET_REJECT=y
 CONFIG_IP_NF_NAT=y
 CONFIG_IP_NF_TARGET_MASQUERADE=y
 CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_RAW=y
 CONFIG_NF_DEFRAG_IPV6=y
 CONFIG_NF_TABLES_IPV6=y
 CONFIG_NFT_REJECT_IPV6=y
@@ -880,6 +883,7 @@ CONFIG_IP6_NF_MANGLE=y
 CONFIG_IP6_NF_TARGET_REJECT=y
 CONFIG_IP6_NF_NAT=y
 CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_RAW=y
 # CONFIG_IP_DCCP is not set
 # CONFIG_IP_SCTP is not set
 # CONFIG_RDS is not set
diff --git a/config-libkrunfw_x86_64 b/config-libkrunfw_x86_64
index eb53cc3..8e8ec63 100644
--- a/config-libkrunfw_x86_64
+++ b/config-libkrunfw_x86_64
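Review bot: `CONFIG_NETFILTER_XT_MATCH_IPVS=y` depends on CONFIG_IP_VS in Kconfig, and no IP_VS symbol appears anywhere in this series; if IP_VS is unset in these files, `make olddefconfig` will silently drop the option rather than pull in the dependency, because olddefconfig assigns defaults to newly visible symbols and never enables an unmet dependency, so the build succeeds with a kernel that has no ipvs match. Please confirm `CONFIG_IP_VS=y` is present in all three configs, and make silent drops fail the build with a post-olddefconfig check such as `grep -q '^CONFIG_NETFILTER_XT_MATCH_IPVS=y$' .config || exit 1`. The same failure mode covers every option added in patch 1, so the earlier message's "olddefconfig will resolve any remaining dependencies" overstates what it does. This hunk is repeated unchanged in the riscv64 and x86_64 files.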
@@ -51,7 +51,7 @@ CONFIG_DEFAULT_INIT=""
 CONFIG_DEFAULT_HOSTNAME="(none)"
 CONFIG_SYSVIPC=y
 CONFIG_SYSVIPC_SYSCTL=y
-# CONFIG_POSIX_MQUEUE is not set
+CONFIG_POSIX_MQUEUE=y
 # CONFIG_WATCH_QUEUE is not set
 CONFIG_CROSS_MEMORY_ATTACH=y
 # CONFIG_USELIB is not set
@@ -876,6 +876,7 @@ CONFIG_NETFILTER=y
 CONFIG_NETFILTER_ADVANCED=y
 CONFIG_NETFILTER_NETLINK=y
 CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CT_NETLINK=y
 CONFIG_NF_NAT=y
 CONFIG_NF_NAT_REDIRECT=y
 CONFIG_NF_NAT_MASQUERADE=y
@@ -913,6 +914,7 @@ CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
 CONFIG_NETFILTER_XT_MATCH_LIMIT=y
 CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
 CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_IPVS=y
 CONFIG_NF_LOG_SYSLOG=y
 CONFIG_NF_DEFRAG_IPV4=y
 CONFIG_NF_TABLES_IPV4=y
@@ -925,6 +927,7 @@ CONFIG_IP_NF_TARGET_REJECT=y
 CONFIG_IP_NF_NAT=y
 CONFIG_IP_NF_TARGET_MASQUERADE=y
 CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_RAW=y
 CONFIG_NF_DEFRAG_IPV6=y
 CONFIG_NF_TABLES_IPV6=y
 CONFIG_NFT_REJECT_IPV6=y
@@ -936,6 +939,7 @@ CONFIG_IP6_NF_MANGLE=y
 CONFIG_IP6_NF_TARGET_REJECT=y
 CONFIG_IP6_NF_NAT=y
 CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_RAW=y
 # CONFIG_BPFILTER is not set
 # CONFIG_IP_DCCP is not set
 # CONFIG_IP_SCTP is not set