Skip to content

Include CONFIG_IP_NF_RAW and IP6 iptables modules in check-config #49622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thaJeztah merged 2 commits into from
Mar 10, 2025
Merged

Include CONFIG_IP_NF_RAW and IP6 iptables modules in check-config #49622

thaJeztah merged 2 commits into from
Mar 10, 2025

Conversation

@robmry
Copy link
Contributor

@robmry robmry commented Mar 10, 2025
edited by vvoland
Loading

- What I did

- How I did it

- How to verify it

On a Debian host, running a kernel with # CONFIG_IP_NF_RAW is not set ...

# sh check-config.sh
warning: /proc/config.gz does not exist, searching other paths for kernel config ...
info: reading kernel config from /boot/config-6.1.128 ...

Generally Necessary:
- cgroup hierarchy: cgroupv2
  Controllers:
  - cpu: available
  - cpuset: available
  - io: available
  - memory: available
  - pids: available
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_MANGLE: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_IP6_NF_FILTER: enabled (as module)
- CONFIG_IP6_NF_MANGLE: enabled (as module)
- CONFIG_IP6_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_NETFILTER_XT_MARK: enabled (as module)
- CONFIG_IP_NF_RAW: missing
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_IP6_NF_RAW: enabled (as module)
- CONFIG_IP6_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled

Optional Features:
[...]

- Human readable description for the release notes

- Update `contrib/check-config.sh` to check for more kernel modules related to iptables

@robmry robmry added this to the 28.0.2 milestone Mar 10, 2025
@robmry robmry self-assigned this Mar 10, 2025
thaJeztah
thaJeztah approved these changes Mar 10, 2025
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah thaJeztah merged commit a1c1340 into moby:master Mar 10, 2025
167 checks passed
@robmry robmry deleted the check-config_ip_nf_raw branch March 10, 2025 17:33
@jtgasper3 jtgasper3 mentioned this pull request Mar 24, 2025
Closed
@heitbaum heitbaum mentioned this pull request Mar 25, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees

@robmry robmry

Labels

area/contrib area/networking Networking impact/changelog kind/bugfix PR's that fix bugs version/28.0

Projects

None yet

Milestone

28.0.2

Development

Successfully merging this pull request may close these issues.

check-config.sh should check for IPv6 features

2 participants

@robmry @thaJeztah