CONFIG_NFT_XFRM is not set #5171

hailfinger · 2022-09-10T10:20:19Z

Describe the bug

The default kernel in Debian Bullseye has CONFIG_NFT_XFRM=m.
The kernel in Raspberry Pi OS has CONFIG_NFT_XFRM not set.

This causes the following error when using nftables rules with ipsec matches:

/etc/nftables.conf:52:17-29: Error: Could not process rule: No such file or directory
                ipsec out spi 1-65536 accept comment "VPN encapsulated traffic"
                ^^^^^^^^^^^^^

The same rule works fine in Debian.

Steps to reproduce the behaviour

Use the following content for /etc/nftables.conf:

table ip filter {
        chain output {
                type filter hook output priority 0; policy accept;

                ipsec out spi 1-65536 accept comment "VPN encapsulated traffic"
        }
}

Run
nft -f /etc/nftables.conf

Device (s)

Raspberry Pi 4 Mod. B

System

cat /etc/rpi-issue

Raspberry Pi reference 2022-09-06
Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, 827affcc11aaf7aa577d15daf02fb40b64392380, stage2

vcgencmd version

Aug 26 2022 14:04:10
Copyright (c) 2012 Broadcom
version 102f1e848393c2112206fadffaaf86db04e98326 (clean) (release) (start_x)

uname -a

Linux pi-test-cdh4 5.15.61-v8+ #1579 SMP PREEMPT Fri Aug 26 11:16:44 BST 2022 aarch64 GNU/Linux

Logs

No dmesg output for the bug.

Additional context

Having the same packet filtering features as the Debian Bullseye kernel would be highly appreciated. I'm using a few hundred Raspberry Pi 4B in a VPN deployment and I'd love to use nftables for packet filtering instead of relying on iptables to get the "will this traffic be sent via VPN" matching functionality.

Thank you!

The text was updated successfully, but these errors were encountered:

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

pelwell · 2022-09-12T08:44:26Z

Done - see e621efd.

hailfinger · 2022-09-12T11:14:51Z

Thank you! Will test later today.

kernel: configs: Add NET_XFRM=m See: raspberrypi/linux#5171

hailfinger · 2022-09-13T10:30:05Z

Tested, works.
Thank you!

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

hailfinger · 2022-09-13T19:46:38Z

I noticed a typo in the changelog. It's CONFIG_NFT_XFRM, not CONFIG_NET_XFRM.
Probably only relevant for trees which get rebased (linux-6.0) as changing changelogs of already committed trees is a can of worms.

pelwell · 2022-09-13T20:28:29Z

It's even less relevant for trees that get rebased because all the defconfig patches get squashed into one commit.

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: raspberrypi#5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: raspberrypi#5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: raspberrypi#5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

BugLink: https://bugs.launchpad.net/bugs/1989958 Enable the net_xfrm module to support using nftables rules with ipsec matches, See: raspberrypi/linux#5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com> (cherry picked from commit ee455342735860687b542e3c0c8e629177544093 rpi-5.19.y) Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>

pelwell added a commit that referenced this issue Sep 12, 2022

configs: Add NET_XFRM=m

e621efd

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix added a commit to raspberrypi/firmware that referenced this issue Sep 12, 2022

kernel: Bump to 5.15.67

e8f7135

kernel: configs: Add NET_XFRM=m See: raspberrypi/linux#5171

popcornmix added a commit to raspberrypi/rpi-firmware that referenced this issue Sep 12, 2022

kernel: Bump to 5.15.67

9374ec9

kernel: configs: Add NET_XFRM=m See: raspberrypi/linux#5171

pelwell closed this as completed Sep 13, 2022

pelwell added a commit that referenced this issue Sep 13, 2022

configs: Add NET_XFRM=m

ee45534

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

pelwell added a commit that referenced this issue Sep 13, 2022

configs: Add NET_XFRM=m

1bcc826

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Sep 16, 2022

configs: Add NET_XFRM=m

4325211

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Sep 20, 2022

configs: Add NET_XFRM=m

694a186

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

herrnst pushed a commit to herrnst/linux-raspberrypi that referenced this issue Sep 20, 2022

configs: Add NET_XFRM=m

f2e610d

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: raspberrypi#5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Sep 26, 2022

configs: Add NET_XFRM=m

efb0e3e

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Sep 26, 2022

configs: Add NET_XFRM=m

e543670

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

herrnst pushed a commit to herrnst/linux-raspberrypi that referenced this issue Sep 28, 2022

configs: Add NET_XFRM=m

e5d5422

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: raspberrypi#5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Oct 3, 2022

configs: Add NET_XFRM=m

517c1db

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Oct 5, 2022

configs: Add NET_XFRM=m

326d395

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Oct 12, 2022

configs: Add NET_XFRM=m

f37ca0d

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Oct 12, 2022

configs: Add NET_XFRM=m

f4674e8

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

herrnst pushed a commit to herrnst/linux-raspberrypi that referenced this issue Oct 12, 2022

configs: Add NET_XFRM=m

1a3e997

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: raspberrypi#5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

herrnst pushed a commit to herrnst/linux-raspberrypi that referenced this issue Oct 12, 2022

configs: Add NET_XFRM=m

7b4e67c

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: raspberrypi#5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Oct 17, 2022

configs: Add NET_XFRM=m

d4d00dd

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Oct 17, 2022

configs: Add NET_XFRM=m

707c052

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

popcornmix pushed a commit that referenced this issue Oct 25, 2022

configs: Add NET_XFRM=m

00353b2

Enable the net_xfrm module to support using nftables rules with ipsec matches, See: #5171 Signed-off-by: Phil Elwell <phil@raspberrypi.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CONFIG_NFT_XFRM is not set #5171

CONFIG_NFT_XFRM is not set #5171

hailfinger commented Sep 10, 2022 •

edited

pelwell commented Sep 12, 2022

hailfinger commented Sep 12, 2022

hailfinger commented Sep 13, 2022

hailfinger commented Sep 13, 2022

pelwell commented Sep 13, 2022

CONFIG_NFT_XFRM is not set #5171

CONFIG_NFT_XFRM is not set #5171

Comments

hailfinger commented Sep 10, 2022 • edited

Describe the bug

Steps to reproduce the behaviour

Device (s)

System

cat /etc/rpi-issue

vcgencmd version

uname -a

Logs

Additional context

pelwell commented Sep 12, 2022

hailfinger commented Sep 12, 2022

hailfinger commented Sep 13, 2022

hailfinger commented Sep 13, 2022

pelwell commented Sep 13, 2022

hailfinger commented Sep 10, 2022 •

edited