Lacking network configuration in the linux-rpi4 kernel

Hello,

nftables seems to be completely unusable with the current kernel config of the linux-rpi4 package. I think at least CONFIG_NF_TABLES is needed. netfilter is a bit like a swiss cheese in this kernel :slight_smile:

/etc/nftables.conf:2:1-14: Error: Could not process rule: Operation not supported
flush ruleset
^^^^^^^^^^^^^^
/etc/nftables.conf:3:1-2: Error: Could not process rule: Operation not supported
table inet filter {
^^
/etc/nftables.conf:10:8-12: Error: Could not process rule: Operation not supported
        chain input {

Is there a way to get the kernel config closer to the generic Arch Linux kernel config for the Raspberry Pi 4? Maybe BFQ as well for external storage? The kernel config is a bit odd.

Best Regards

I will look into it.
Our mainline kernel seems to already have these. :slight_smile:

Thanks, linux-rpi4 4.19.69-1 has the needed modules for nftables to work properly.

While on the topic of the kernel config, could more crypto modules be enabled? Or at least the chacha20 modules; the Arch Linux kernel has all crypto modules enabled.

@Strit

4.19.69-2 doesn't have the netfilter modules enabled anymore :frowning: I'm glad I caught it in time; the Pi didn't have any firewalling anymore :fearful:

/etc/nftables.conf:12:3-50: Error: Could not process rule: No such file or directory
                ct state { established, related } counter accept
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:13:3-23: Error: Could not process rule: No such file or directory
                ct state invalid drop
                ^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:14:3-30: Error: Could not process rule: No such file or directory
                meta iiftype loopback accept
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:15:3-55: Error: Could not process rule: No such file or directory
                meta l4proto { icmp, igmp, ipv6-icmp } counter accept
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:16:3-26: Error: Could not process rule: No such file or directory
                ct state new jump common
                ^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:17:3-40: Error: Could not process rule: No such file or directory
                meta l4proto udp ct state new jump UDP
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables.conf:18:3-66: Error: Could not process rule: No such file or directory
                tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

etc...

So what I can deduce from that is that it needs ALL the Netfilter stuff, not just some of it.

It gives the most flexibility to have everything compiled as modules. It depends on what features you want to use on the firewall, though I do not see the point of not enabling everything.

But 4.19.69-1 had the right modules enabled for my nftables needs, so I don't know what happened in between.

Here's my current kernel config if it helps: https://p.teknik.io/b5ThZ

I also enabled everything crypto-related, and for instance CONFIG_CRYPTO_CRC32_ARM64_CE (crc32_ce) seems to be usable on the Raspberry Pi, which may give a boost to btrfs, but I'm not sure. Just saying that it would also be nice to enable more of them.
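The failure mode in this thread is worth automating against: a kernel package update (4.19.69-1 to 4.19.69-2 here) dropped the netfilter options and the only symptom was nft failing at boot with "Operation not supported" or "No such file or directory", leaving the host without a firewall. The script below is an added example written for this thread, not code from the linux-rpi4 package or from any poster. It reads a kernel config (the running kernel's /proc/config.gz when CONFIG_IKCONFIG_PROC is enabled, or a .config file such as the one linked above) and reports which options are neither built in nor modules. The option lists are this example's assumption about what the quoted inet ruleset (ct state, counter) and a chacha20 cipher need; extend them to match your own ruleset.

```shell
#!/bin/sh
# Added example for this thread, not code from the linux-rpi4 package or any
# poster: check a kernel config for the options a feature needs, so a kernel
# update that silently drops netfilter (as 4.19.69-2 did here) is caught
# before the firewall is left empty.
#
# Assumption: the option lists below are what the quoted inet ruleset
# (ct state, counter) and a chacha20 cipher need. Extend them for your rules.
NFT_OPTS="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NF_CONNTRACK CONFIG_NFT_CT CONFIG_NFT_COUNTER"
CRYPTO_OPTS="CONFIG_CRYPTO_CHACHA20 CONFIG_CRYPTO_CHACHA20_NEON"

# missing_options CONFIG_FILE "OPT OPT ..."
# Prints one line per option that is neither built in (=y) nor a module (=m);
# "# CONFIG_X is not set" and absent options both count as missing.
missing_options() {
  for opt in $2; do
    if ! grep -Eq "^${opt}=[ym]$" "$1"; then
      echo "$opt"
    fi
  done
}

# count_missing CONFIG_FILE "OPT OPT ..." -> prints the number of missing options.
count_missing() {
  n=0
  for opt in $2; do
    if ! grep -Eq "^${opt}=[ym]$" "$1"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# report CONFIG_FILE LABEL "OPT OPT ..." -> readable summary for one feature.
report() {
  n=$(count_missing "$1" "$3")
  if [ "$n" -eq 0 ]; then
    echo "$2: all options present"
  else
    echo "$2: $n option(s) missing"
    missing_options "$1" "$3" | sed 's/^/  /'
  fi
}

# main [CONFIG_FILE]: defaults to the running kernel's /proc/config.gz, which
# exists only when CONFIG_IKCONFIG_PROC is enabled; pass a plain or gzipped
# .config otherwise (for example the one linked in the thread).
main() {
  cfg=${1:-/proc/config.gz}
  case $cfg in
    *.gz)
      tmp=$(mktemp)
      zcat "$cfg" > "$tmp"
      cfg=$tmp
      ;;
  esac
  report "$cfg" "nftables (inet filter with ct state)" "$NFT_OPTS"
  report "$cfg" "chacha20" "$CRYPTO_OPTS"
  [ -n "${tmp:-}" ] && rm -f "$tmp"
  return 0
}

# Run only when given a file or when the running kernel exposes its config;
# the functions above stay usable when this file is sourced.
if [ "$#" -gt 0 ] || [ -r /proc/config.gz ]; then
  main "$@"
fi
```

Run it as `sh check-kconfig.sh` on the Pi after every kernel upgrade, or `sh check-kconfig.sh path/to/config` against a package's config before installing it. A non-empty "missing" list is the early warning that `nft -f /etc/nftables.conf` will fail and the host will come up without its ruleset; pairing the check with a boot-time service that refuses to bring the network up when nft fails closes the gap the poster hit.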
