CONFIG_NFT_XFRM is not set #5171
Comments
pelwell added a commit that referenced this issue Sep 12, 2022
Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <[email protected]>
Done - see e621efd.
Thank you! Will test later today.
popcornmix added a commit to raspberrypi/firmware that referenced this issue Sep 12, 2022
kernel: configs: Add NET_XFRM=m See: raspberrypi/linux#5171
popcornmix added a commit to raspberrypi/rpi-firmware that referenced this issue Sep 12, 2022
kernel: configs: Add NET_XFRM=m See: raspberrypi/linux#5171
Tested, works.
I noticed a typo in the changelog. It's CONFIG_NFT_XFRM, not CONFIG_NET_XFRM.
It's even less relevant for trees that get rebased because all the defconfig patches get squashed into one commit.
Describe the bug
The default kernel in Debian Bullseye has CONFIG_NFT_XFRM=m.
The kernel in Raspberry Pi OS has CONFIG_NFT_XFRM not set.
This causes the following error when using nftables rules with ipsec matches:
The same rule works fine in Debian.
Steps to reproduce the behaviour
Use the following content for /etc/nftables.conf:
Run
nft -f /etc/nftables.conf
Device(s)
Raspberry Pi 4 Mod. B
System
cat /etc/rpi-issue
Raspberry Pi reference 2022-09-06
Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, 827affcc11aaf7aa577d15daf02fb40b64392380, stage2
vcgencmd version
Aug 26 2022 14:04:10
Copyright (c) 2012 Broadcom
version 102f1e848393c2112206fadffaaf86db04e98326 (clean) (release) (start_x)
uname -a
Linux pi-test-cdh4 5.15.61-v8+ #1579 SMP PREEMPT Fri Aug 26 11:16:44 BST 2022 aarch64 GNU/Linux
Logs
No dmesg output for the bug.
Additional context
Having the same packet filtering features as the Debian Bullseye kernel would be highly appreciated. I'm using a few hundred Raspberry Pi 4B in a VPN deployment and I'd love to use nftables for packet filtering instead of relying on iptables to get the "will this traffic be sent via VPN" matching functionality.
Thank you!
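
A pre-deployment check for the condition this issue reports, as an added example that is not part of the issue thread or the Raspberry Pi kernel tree: it reads a kernel config file (plain or gzip-compressed) and reports whether CONFIG_NFT_XFRM is built in, modular, not set, or absent. The function names and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from the issue.

# kconfig_state OPTION FILE
# Prints the option's value (y or m), "unset" for "# OPTION is not set",
# or "absent" when the file never mentions the option.
kconfig_state() {
    case $2 in
        *.gz) gzip -dc "$2" ;;
        *)    cat "$2" ;;
    esac | awk -v opt="$1" '
        $0 == ("# " opt " is not set") { state = "unset" }
        # Anchor on "OPTION=" so a longer option name sharing the prefix is ignored.
        index($0, opt "=") == 1        { state = substr($0, length(opt) + 2) }
        END { print (state == "" ? "absent" : state) }'
}

# find_kconfig: print the first readable config for the running kernel.
# /proc/config.gz may only appear after the "configs" module is loaded.
find_kconfig() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# ipsec_match_supported FILE: succeeds only if CONFIG_NFT_XFRM is y or m.
ipsec_match_supported() {
    case $(kconfig_state CONFIG_NFT_XFRM "$1") in
        y|m) return 0 ;;
        *)   return 1 ;;
    esac
}

# demo: constructed fragment mirroring the "not set" kernel described in the issue.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'CONFIG_NF_TABLES=m' '# CONFIG_NFT_XFRM is not set' > "$tmp"
    kconfig_state CONFIG_NFT_XFRM "$tmp"
    rm -f "$tmp"
}

# Report on the running kernel when its config is available.
if cfg=$(find_kconfig); then
    echo "CONFIG_NFT_XFRM: $(kconfig_state CONFIG_NFT_XFRM "$cfg") ($cfg)"
fi
```

Running `ipsec_match_supported` against each image's config before pushing a ruleset with ipsec matches keeps a host from being left without its packet filter when `nft -f` rejects the file.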