[v2,1/1] package/firewalld: new package

Message ID 20230604025204.324443-1-aduskett@gmail.com
State Accepted

Commit Message

Adam Duskett June 4, 2023, 2:52 a.m. UTC
Firewalld provides a dynamically managed firewall with
support for network or firewall zones to define the trust level of network
connections or interfaces.

Items of note:

 - Setting PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)" prevents
   Firewalld from setting the shebang in the installed python files to the
   full path to the python interpreter used when building.

 - The bundled SYSV init file has several bashisms and requires
   /etc/init.d/functions, which Buildroot doesn't provide. So instead, a
   simpler init.d file is provided in the package directory, which does not
   require bash.

 - Firewalld >= 1.0.0 requires a Linux kernel version of 5.3 or later.
   Because Buildroot does not have a mechanism to detect what version a user
   is compiling if the kernel is external, there is no way to prevent a user
   with an external kernel older than 5.3 from selecting this package.

 - To run, Firewalld requires enabling almost every single nftables option in
   the kernel menuconfig. Indeed for a regular user, this task is quite a
   time-consuming operation, and missing even one required nftables option
   results in firewalld failing to start.

   Through a mix of trial and error and talking to the upstream developers,
   the package selects the minimum number of kernel options required at
   runtime. Understandably, the list is daunting. However, these options
   have passed run-time tests with kernel 5.3 (the minimum kernel version
   required) and kernel 6.2.10 (the latest kernel version as of this commit
   log).

As such, it is safe to say these options will work for anybody wanting to
use firewalld with a supported kernel version of 5.3 or higher.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
Changes v1 -> v2:
  - Fix verbiage in Config.in
  - Bump to version 1.3.2

 package/Config.in                |   1 +
 package/firewalld/Config.in      |  43 ++++++
 package/firewalld/S46firewalld   |  66 ++++++++
 package/firewalld/firewalld.hash |   3 +
 package/firewalld/firewalld.mk   | 257 +++++++++++++++++++++++++++++++
 5 files changed, 370 insertions(+)
 create mode 100644 package/firewalld/Config.in
 create mode 100644 package/firewalld/S46firewalld
 create mode 100644 package/firewalld/firewalld.hash
 create mode 100644 package/firewalld/firewalld.mk
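The shebang problem described in the first item of the commit message, as an added check that is neither part of the patch nor of firewalld itself: a POSIX sh function that walks a staged target tree and reports every script whose shebang names an interpreter that does not exist inside that tree (the output/target layout and the file names in the comments are assumptions).

```shell
#!/bin/sh
# Added example, not part of the submitted patch: a post-install check for the
# shebang problem the commit message describes. Without PYTHON forced to
# "/usr/bin/env python3", firewalld's build writes the build host's interpreter
# path (e.g. #!/home/buildroot/output/host/bin/python) into the installed
# scripts, and that path does not exist on the target.
#
# check_shebangs <target-dir>
#   Looks at every regular file under <target-dir> that starts with "#!" and
#   verifies that the interpreter it names exists inside the same tree (so
#   "#!/usr/bin/env python3" requires <target-dir>/usr/bin/env). Offenders are
#   printed to stderr as "<file>: <interpreter>". Returns 0 when all shebangs
#   resolve, 1 otherwise. The directory layout is an assumption matching the
#   Buildroot output/target convention.
check_shebangs() {
    target_dir=$1
    # find -exec with an inline sh keeps the per-file loop POSIX and safe
    # against odd file names; $1 of the inline script is the target dir.
    offenders=$(find "$target_dir" -type f -exec sh -c '
        target_dir=$1; shift
        for f in "$@"; do
            first=$(head -n 1 "$f" 2>/dev/null)
            case "$first" in
                "#!"*) ;;          # script with a shebang: check it below
                *) continue ;;     # anything else is not our concern
            esac
            # The interpreter is the first word after "#!" (blanks allowed).
            interp=$(printf "%s\n" "${first#??}" | { read -r i rest; printf "%s" "$i"; })
            [ -n "$interp" ] && [ -e "$target_dir$interp" ] || printf "%s: %s\n" "$f" "$interp"
        done' sh "$target_dir" {} +)
    if [ -n "$offenders" ]; then
        printf "shebang interpreter missing from target tree:\n%s\n" "$offenders" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh check_shebangs.sh output/target
if [ "$#" -eq 1 ]; then
    check_shebangs "$1"
fi
```

Run it against output/target after the build; an exit status of 1 with a /home/... interpreter in the output is exactly the symptom the PYTHON override prevents.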

Comments

Thomas Petazzoni Aug. 13, 2023, 9:59 p.m. UTC | #1
Hello Adam,

On Sat,  3 Jun 2023 19:52:04 -0700
Adam Duskett <aduskett@gmail.com> wrote:

> Firewalld provides a dynamically managed firewall with
> support for network or firewall zones to define the trust level of network
> connections or interfaces.

Thanks for the patch, which I have applied to our next branch, with a
few small changes. See below.

>  package/Config.in                |   1 +
>  package/firewalld/Config.in      |  43 ++++++
>  package/firewalld/S46firewalld   |  66 ++++++++
>  package/firewalld/firewalld.hash |   3 +
>  package/firewalld/firewalld.mk   | 257 +++++++++++++++++++++++++++++++
>  5 files changed, 370 insertions(+)

An entry in the DEVELOPERS file was missing, so I've added that.

> diff --git a/package/firewalld/Config.in b/package/firewalld/Config.in
> new file mode 100644
> index 0000000000..4f58a3ea05
> --- /dev/null
> +++ b/package/firewalld/Config.in
> @@ -0,0 +1,43 @@
> +config BR2_PACKAGE_FIREWALLD
> +	bool "firewalld"
> +	depends on BR2_USE_MMU # gobject-introspection, python-gobject
> +	depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
> +	depends on BR2_USE_WCHAR # glib2, dbus-python, nftables
> +	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # gobject-introspection
> +	depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-python
> +	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
> +	depends on BR2_TOOLCHAIN_USES_GLIBC # gobject-introspection
> +	depends on BR2_HOST_GCC_AT_LEAST_8 # gobject-introspection -> host-qemu
> +	depends on BR2_PACKAGE_PYTHON3 # dbus-python, gobject-introspection

I think for a package like this a "select BR2_PACKAGE_PYTHON3" made
more sense than "depends on BR2_PACKAGE_PYTHON3", so I've changed that
and of course propagated the reverse dependencies as needed.

> +	select BR2_PACKAGE_DBUS # dbus-python
> +	select BR2_PACKAGE_DBUS_PYTHON
> +	select BR2_PACKAGE_GOBJECT_INTROSPECTION
> +	select BR2_PACKAGE_JANSSON # Uses the nftables json interface
> +	select BR2_PACKAGE_NFTABLES
> +	select BR2_PACKAGE_PYTHON_GOBJECT
> +	help
> +	  Firewalld provides a dynamically managed firewall with
> +	  support for network or firewall zones to define the trust
> +	  level of network connections or interfaces. It has support
> +	  for IPv4, IPv6 firewall settings and for ethernet bridges and
> +	  a separation of runtime and permanent configuration options.
> +	  It also provides an interface for services or applications to
> +	  add ip*tables and ebtables rules directly.
> +
> +	  Note: Firewalld uses nftables as the backend and requires
> +	  kernel version >= 5.3.
> +
> +	  https://github.com/firewalld/firewalld
> +
> +comment "firewalld needs python3"
> +	depends on !BR2_PACKAGE_PYTHON3
> +	depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS

So I dropped this comment.

> +
> +comment "firewalld needs a glibc toolchain w/ wchar, dynamic library, headers >= 3.12, gcc >= 4.9, host gcc >= 8"

Interestingly, you mentioned "dynamic library" here, but there was
nothing related to BR2_STATIC_LIBS. It turned out that with Python3 being
selected, !BR2_STATIC_LIBS has in fact been added to the dependencies,
and therefore "needs [...] dynamic library" is indeed correct.

> +	depends on BR2_USE_MMU
> +	depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
> +	depends on !BR2_TOOLCHAIN_USES_GLIBC || \
> +		!BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \
> +		!BR2_USE_WCHAR || BR2_STATIC_LIBS || \
> +		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
> +		!BR2_HOST_GCC_AT_LEAST_8
> +ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
> +FIREWALLD_CONF_OPTS += --enable-nls
> +endif

This NLS option is already handled in a generic way by the
autotools-package infrastructure, so it is not necessary to do it here.

I did a build, which went well, so I've pushed your patch with the
above changes.

Thanks for this contribution!

Thomas
Thomas Petazzoni Aug. 13, 2023, 10 p.m. UTC | #2
On Sat,  3 Jun 2023 19:52:04 -0700
Adam Duskett <aduskett@gmail.com> wrote:

> Firewalld provides a dynamically managed firewall with
> support for network or firewall zones to define the trust level of network
> connections or interfaces.

One thing that would be really nice as a follow-up patch would be a
test case for the runtime test infrastructure. This is especially
relevant as it is Python based, so it is easy to miss runtime
dependencies that might be needed. I've added Julien Olivain in Cc, who
can provide guidance on that, as he has probably written some of the
most complex/elaborate test cases we have in our runtime infrastructure.

Thomas
Julien Olivain Aug. 15, 2023, 3 p.m. UTC | #3
Hi Thomas, Adam, all,

I'm adding Yegor Yefremov in CC, since he is registered as a
nftables developer.

On 14/08/2023 00:00, Thomas Petazzoni wrote:
> On Sat,  3 Jun 2023 19:52:04 -0700
> Adam Duskett <aduskett@gmail.com> wrote:
> 
>> Firewalld provides a dynamically managed firewall with
>> support for network or firewall zones to define the trust level of network
>> connections or interfaces.
> 
> One thing that would be really nice as a follow-up patch would be a
> test case for the runtime test infrastructure. This is especially
> relevant as it is Python based, so it is easy to miss runtime
> dependencies that might be needed. I've added Julien Olivain in Cc, who
> can provide guidance on that, as he has probably written some of the
> most complex/elaborate test cases we have in our runtime infrastructure.

I'll be happy to write such a firewalld runtime test.

When trying to do it, on branch next at commit eea0c9f, I was not able
to run any of the simplest firewalld commands (the Python nftables module
cannot load).

With a configuration such as:

     make qemu_aarch64_virt_defconfig
     utils/config \
         -e BR2_PACKAGE_FIREWALLD \
         --set-str BR2_TARGET_ROOTFS_EXT2_SIZE 200M
     make olddefconfig
     make
     output/images/start-qemu.sh

Running simple commands, logged as root on qemu target, such as:

     firewall-offline-cmd --version
     firewalld --nofork --nopid
     python -c 'import nftables'

All fail with output such as:

     Traceback (most recent call last):
       File "<string>", line 1, in <module>
     ModuleNotFoundError: No module named 'nftables'

I quickly tried with the updated versions of libnftnl and nftables proposed
at [1], but it did not help.

Upstream nftables reworked the Python integration in commits [2] [3], but
these are not yet in a release.

So I believe the nftables package needs a rework, at least for its
python support. We should first write a runtime test for it (including
its Python support). Only then, we should be able to write a runtime
test for firewalld.

Best regards,

Julien.

[1] https://patchwork.ozlabs.org/project/buildroot/list/?series=368887
[2] https://git.netfilter.org/nftables/commit/?id=b3def33efecb2f7be39fc9aefc9546907202056c
[3] https://git.netfilter.org/nftables/commit/?id=8e603e0f7eec7c0000344a004228a30fbf0ece5c
Yann E. MORIN Aug. 15, 2023, 4:30 p.m. UTC | #4
Julien, All,

On 2023-08-15 17:00 +0200, Julien Olivain spake thusly:
> On 14/08/2023 00:00, Thomas Petazzoni wrote:
> >On Sat,  3 Jun 2023 19:52:04 -0700
> >Adam Duskett <aduskett@gmail.com> wrote:
> >>Firewalld provides a dynamically managed firewall with
> >>support for network or firewall zones to define the trust level of
> >>network
> >>connections or interfaces.
> >One thing that would be really nice as a follow-up patch would be a
> >test case for the runtime test infrastructure. This is especially
> >relevant as it is Python based, so it is easy to miss runtime
> >dependencies that might be needed. I've added Julien Olivain in Cc, who
> >can provide guidance on that, as he has probably written some of the
> >most complex/elaborate test cases we have in our runtime infrastructure.
> 
> I'll be happy to write such a firewalld runtime test.
> 
> When trying to do it, on branch next at commit eea0c9f, I was not able
> to run any of the simplest firewalld commands (the Python nftables module
> cannot load).
> 
> With a configuration such as:
> 
>     make qemu_aarch64_virt_defconfig
>     utils/config \
>         -e BR2_PACKAGE_FIREWALLD \
>         --set-str BR2_TARGET_ROOTFS_EXT2_SIZE 200M
>     make olddefconfig
>     make
>     output/images/start-qemu.sh
> 
> Running simple commands, logged as root on qemu target, such as:
> 
>     firewall-offline-cmd --version
>     firewalld --nofork --nopid
>     python -c 'import nftables'

I did about the same, starting off with qemu_aarch64_virt_defconfig,
but manually tweaked the configuration to switch to a bootlin glibc
toolchain, and manually enabled firewalld. And it works:

    # firewalld --version
    usage: firewalld [-h] [--debug [level]] [--debug-gc] [--nofork] [--nopid]
                     [--system-config path] [--default-config path]
                     [--log-target {mixed,syslog,file,console}] [--log-file path]
    firewalld: error: unrecognized arguments: --version
    # firewall-offline-cmd --version
    1.3.2
    # firewalld --nofork --nopid
    2023-08-15 16:24:04 ipset not usable, disabling ipset usage in firewall.  Other set backends (nftables) remain usable.
    2023-08-15 16:24:04 iptables-restore and iptables are missing, IPv4 direct rules won't be usable.
    2023-08-15 16:24:04 ip6tables-restore and ip6tables are missing, IPv6 direct rules won't be usable.
    2023-08-15 16:24:04 ebtables-restore and ebtables are missing, eb direct rules won't be usable.
    ^C#
    # python -c 'import nftables'
    #

Regards,
Yann E. MORIN.

> All fail with output such as:
> 
>     Traceback (most recent call last):
>       File "<string>", line 1, in <module>
>     ModuleNotFoundError: No module named 'nftables'
> 
> I quickly tried with the updated versions of libnftnl and nftables proposed
> at [1], but it did not help.
> 
> Upstream nftables reworked the Python integration in commits [2] [3], but
> these are not yet in a release.
> 
> So I believe the nftables package needs a rework, at least for its
> python support. We should first write a runtime test for it (including
> its Python support). Only then, we should be able to write a runtime
> test for firewalld.
> 
> Best regards,
> 
> Julien.
> 
> [1] https://patchwork.ozlabs.org/project/buildroot/list/?series=368887
> [2] https://git.netfilter.org/nftables/commit/?id=b3def33efecb2f7be39fc9aefc9546907202056c
> [3] https://git.netfilter.org/nftables/commit/?id=8e603e0f7eec7c0000344a004228a30fbf0ece5c
> 
Patch

diff --git a/package/Config.in b/package/Config.in
index ad438667d2..da1b5bb4b9 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2315,6 +2315,7 @@  endif
 	source "package/fail2ban/Config.in"
 	source "package/fastd/Config.in"
 	source "package/fcgiwrap/Config.in"
+	source "package/firewalld/Config.in"
 	source "package/flannel/Config.in"
 	source "package/fmc/Config.in"
 	source "package/fping/Config.in"
diff --git a/package/firewalld/Config.in b/package/firewalld/Config.in
new file mode 100644
index 0000000000..4f58a3ea05
--- /dev/null
+++ b/package/firewalld/Config.in
@@ -0,0 +1,43 @@ 
+config BR2_PACKAGE_FIREWALLD
+	bool "firewalld"
+	depends on BR2_USE_MMU # gobject-introspection, python-gobject
+	depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
+	depends on BR2_USE_WCHAR # glib2, dbus-python, nftables
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # gobject-introspection
+	depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-python
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
+	depends on BR2_TOOLCHAIN_USES_GLIBC # gobject-introspection
+	depends on BR2_HOST_GCC_AT_LEAST_8 # gobject-introspection -> host-qemu
+	depends on BR2_PACKAGE_PYTHON3 # dbus-python, gobject-introspection
+	select BR2_PACKAGE_DBUS # dbus-python
+	select BR2_PACKAGE_DBUS_PYTHON
+	select BR2_PACKAGE_GOBJECT_INTROSPECTION
+	select BR2_PACKAGE_JANSSON # Uses the nftables json interface
+	select BR2_PACKAGE_NFTABLES
+	select BR2_PACKAGE_PYTHON_GOBJECT
+	help
+	  Firewalld provides a dynamically managed firewall with
+	  support for network or firewall zones to define the trust
+	  level of network connections or interfaces. It has support
+	  for IPv4, IPv6 firewall settings and for ethernet bridges and
+	  a separation of runtime and permanent configuration options.
+	  It also provides an interface for services or applications to
+	  add ip*tables and ebtables rules directly.
+
+	  Note: Firewalld uses nftables as the backend and requires
+	  kernel version >= 5.3.
+
+	  https://github.com/firewalld/firewalld
+
+comment "firewalld needs python3"
+	depends on !BR2_PACKAGE_PYTHON3
+	depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
+
+comment "firewalld needs a glibc toolchain w/ wchar, dynamic library, headers >= 3.12, gcc >= 4.9, host gcc >= 8"
+	depends on BR2_USE_MMU
+	depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
+	depends on !BR2_TOOLCHAIN_USES_GLIBC || \
+		!BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \
+		!BR2_USE_WCHAR || BR2_STATIC_LIBS || \
+		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
+		!BR2_HOST_GCC_AT_LEAST_8
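Review bot: the `comment` at the end of this hunk and the `depends on` list of BR2_PACKAGE_FIREWALLD do not agree. The symbol depends on BR2_TOOLCHAIN_HAS_THREADS, which neither the comment text nor its condition mention, while the comment's condition includes BR2_STATIC_LIBS although the symbol carries no `depends on !BR2_STATIC_LIBS` (it only arrives indirectly through python3). Either add `depends on !BR2_STATIC_LIBS` to the symbol and "threads" to the comment, or drop the static-libs clause from the comment, so the two stay in sync. Separately, for a package that cannot work at all without Python, `depends on BR2_PACKAGE_PYTHON3` would normally be `select BR2_PACKAGE_PYTHON3` with python3's own dependencies propagated into the symbol; that also removes the need for the "firewalld needs python3" comment.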
diff --git a/package/firewalld/S46firewalld b/package/firewalld/S46firewalld
new file mode 100644
index 0000000000..40f43e1f57
--- /dev/null
+++ b/package/firewalld/S46firewalld
@@ -0,0 +1,66 @@ 
+#!/bin/sh
+
+DAEMON=firewalld
+PIDFILE=/var/run/$DAEMON.pid
+
+start() {
+	printf "Starting firewalld: "
+	start-stop-daemon -S -q --exec $DAEMON
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+}
+stop() {
+	printf "Stopping firewalld: "
+	start-stop-daemon --stop --quiet --pidfile $PIDFILE
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+}
+
+reload(){
+	printf "Reloading firewalld: "
+	firewall-cmd --reload
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+}
+
+restart() {
+	stop
+	start
+}
+
+status(){
+	firewall-cmd --state
+}
+
+case "$1" in
+		start)
+			start
+			;;
+		stop)
+			stop
+			;;
+		restart)
+			restart
+			;;
+		reload)
+			reload
+			;;
+		status)
+			status
+			;;
+		*)
+			echo "Usage: $0 {start|stop|restart|reload|status}"
+			exit 1
+esac
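Review bot: `DAEMON=firewalld` is a bare program name, but it is passed to `start-stop-daemon -S -q --exec $DAEMON`, and `--exec` expects the absolute path of the executable, so the start action will not find the daemon. Set `DAEMON=/usr/sbin/firewalld` (assuming the default sbindir, consistent with the `--with-nft=/usr/sbin/nft` path in the .mk) and reuse it for both start and stop. The stop action depends on firewalld writing $PIDFILE itself, since start passes neither `-p $PIDFILE` nor `-m`; a one-line comment saying so would save the next reader a trip to the firewalld documentation. Minor style points: the `*)` branch lacks its closing `;;`, and the case branches are indented one level deeper than the other Buildroot init scripts.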
diff --git a/package/firewalld/firewalld.hash b/package/firewalld/firewalld.hash
new file mode 100644
index 0000000000..d8be3f7ba0
--- /dev/null
+++ b/package/firewalld/firewalld.hash
@@ -0,0 +1,3 @@ 
+# Locally computed
+sha256  3be5a3caa36d1026c5b72d3f61dd963dccd953791b04af03d9946b24bef8391e  firewalld-1.3.2.tar.gz
+sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/firewalld/firewalld.mk b/package/firewalld/firewalld.mk
new file mode 100644
index 0000000000..e91825601d
--- /dev/null
+++ b/package/firewalld/firewalld.mk
@@ -0,0 +1,257 @@ 
+################################################################################
+#
+# firewalld
+#
+################################################################################
+
+FIREWALLD_VERSION = 1.3.2
+FIREWALLD_SITE = $(call github,firewalld,firewalld,v$(FIREWALLD_VERSION))
+FIREWALLD_LICENSE = GPL-2.0
+FIREWALLD_LICENSE_FILES = COPYING
+FIREWALLD_AUTORECONF = YES
+
+FIREWALLD_DEPENDENCIES = \
+	host-intltool \
+	host-libglib2 \
+	host-libxml2 \
+	host-libxslt \
+	dbus-python \
+	gobject-introspection \
+	jansson \
+	nftables \
+	python3 \
+	python-gobject
+
+# Firewalld hard codes the python shebangs to the full path of the
+# python-interpreter. IE: #!/home/buildroot/output/host/bin/python.
+# Force the proper python path.
+FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"
+
+# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
+# the Red Hat-specific init script which isn't used, so we set
+# --disable-sysconfig.
+FIREWALLD_CONF_OPTS += \
+	--disable-rpmmacros \
+	--disable-sysconfig \
+	--with-nft=/usr/sbin/nft \
+	--without-ebtables \
+	--without-ebtables-restore \
+	--without-ipset \
+	--without-xml-catalog
+
+ifeq ($(BR2_PACKAGE_IPTABLES),y)
+FIREWALLD_DEPENDENCIES += iptables
+FIREWALLD_CONF_OPTS += \
+	--with-ip6tables-restore=/usr/sbin/ip6tables-restore \
+	--with-ip6tables=/usr/sbin/ip6tables \
+	--with-iptables-restore=/usr/sbin/iptables-restore \
+	--with-iptables=/usr/sbin/iptables
+else
+FIREWALLD_CONF_OPTS += -without-iptables
+endif
+
+ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
+FIREWALLD_CONF_OPTS += --enable-nls
+endif
+
+ifeq ($(BR2_PACKAGE_SYSTEMD),y)
+FIREWALLD_DEPENDENCIES += systemd
+FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
+else
+FIREWALLD_CONF_OPTS += --disable-systemd
+endif
+
+define FIREWALLD_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
+endef
+
+# The bundled sysvinit file requires /etc/init.d/functions which is not
+# provided by buildroot. As such, we provide our own firewalld init file.
+define FIREWALLD_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
+		$(TARGET_DIR)/etc/init.d/S46firewalld
+endef
+
+# Firewalld requires almost every single nftable option selected.
+define FIREWALLD_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
+endef
+
+$(eval $(autotools-package))
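Review bot: `FIREWALLD_CONF_OPTS += -without-iptables` in the else branch of the BR2_PACKAGE_IPTABLES test uses a single dash; autoconf-generated configure scripts happen to accept single-dash spellings, but every other option in this file uses the double-dash form, so it should read `--without-iptables` to avoid looking like a typo or a silently ignored flag. The `ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)` block adding `--enable-nls` duplicates what the autotools-package infrastructure already does for every package and can be dropped. Also, the commit message and this file disagree on the interpreter override: the message says `PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)"` while FIREWALLD_CONF_ENV sets `PYTHON="/usr/bin/env python3"`; pick one and keep the two in sync.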