package/firewalld: new package

Firewalld provides a dynamically managed firewall with
support for network or firewall zones to define the trust level of network
connections or interfaces.

Items of note:

 - Setting PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)" prevents
   Firewalld from setting the shebang in the installed python files to the
   full path to the python interpreter used when building.

 - The bundled SYSV init file has several bashisms and requires
   /etc/init.d/functions which buildroot doesn't provide. So instead, a more
   simple init.d file is provided in the package directory, which does not
   require bash.

 - Firewalld >= 1.0.0 requires a linux kernel version of 5.3 or later.
   Because Buildroot does not have a mechanism to detect what version a user
   is compiling if the kernel is external, there is no way to prevent a user
   with an external kernel older than 5.3 to select this package.

 - To run, Firewalld requires enabling almost every single nftables option in
   the kernel menuconfig. Indeed for a regular user, this task is quite a
   time-consuming operation, and missing even one required nftables option
   results in firewalld failing to start.

   Through a mix of trial and error and talking to the upstream developers,
   the package selects the minimum amount of kernel options required for
   runtime. Understandably the list is daunting. However, these options
   have passed run-time tests with kernel 5.3 (the minimum kernel version
   required) and kernel 6.2.10 (the latest kernel version as of this commit
   log.)

As such, it is safe to say these options will work for anybody wanting to
use firewalld with a supported kernel version of 5.3 or higher.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
[Thomas:
- select python3 instead of depending on it
- fixup Config.in comment
- rely on NLS support by autotools-package]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Adam Duskett 2023-06-03 19:52:04 -07:00 committed by Thomas Petazzoni
parent 4bb810fc5d
commit eea0c9f0c9
6 changed files with 366 additions and 0 deletions


@ -26,6 +26,9 @@
# infrastructure, and will be CC'ed on all patches that add or
# modify packages that use this infrastructure.
N: Adam Duskett <aduskett@gmail.com>
F: package/firewalld/
N: Adam Heinrich <adam@adamh.cz>
F: package/jack1/


@ -2333,6 +2333,7 @@ endif
source "package/fail2ban/Config.in"
source "package/fastd/Config.in"
source "package/fcgiwrap/Config.in"
source "package/firewalld/Config.in"
source "package/flannel/Config.in"
source "package/fmc/Config.in"
source "package/fping/Config.in"


@ -0,0 +1,40 @@
config BR2_PACKAGE_FIREWALLD
bool "firewalld"
depends on BR2_USE_MMU # gobject-introspection, python3, python-gobject
depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
depends on BR2_USE_WCHAR # glib2, dbus-python, nftables, python3
depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # gobject-introspection
depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-python, python3
depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
depends on BR2_TOOLCHAIN_USES_GLIBC # gobject-introspection
depends on BR2_HOST_GCC_AT_LEAST_8 # gobject-introspection
depends on !BR2_STATIC_LIBS # python3
select BR2_PACKAGE_DBUS # dbus-python
select BR2_PACKAGE_DBUS_PYTHON
select BR2_PACKAGE_GOBJECT_INTROSPECTION
select BR2_PACKAGE_JANSSON # Uses the nftables json interface
select BR2_PACKAGE_NFTABLES
select BR2_PACKAGE_PYTHON3
select BR2_PACKAGE_PYTHON_GOBJECT
help
Firewalld provides a dynamically managed firewall with
support for network or firewall zones to define the trust
level of network connections or interfaces. It has support
for IPv4, IPv6 firewall settings and for ethernet bridges and
a separation of runtime and permanent configuration options.
It also provides an interface for services or applications to
add ip*tables and ebtables rules directly.
Note: Firewalld uses nftables as the backend and requires
kernel version >= 5.3.
https://github.com/firewalld/firewalld
comment "firewalld needs a glibc toolchain w/ wchar, dynamic library, headers >= 3.12, gcc >= 4.9, host gcc >= 8"
depends on BR2_USE_MMU
depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
depends on !BR2_TOOLCHAIN_USES_GLIBC || \
!BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \
!BR2_USE_WCHAR || BR2_STATIC_LIBS || \
!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
!BR2_HOST_GCC_AT_LEAST_8 || BR2_STATIC_LIBS
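Review bot: The `depends on` expression of the trailing comment names `BR2_STATIC_LIBS` twice, once after `!BR2_USE_WCHAR ||` and again at the end of the last line; the second occurrence is redundant, so the last line can read `!BR2_HOST_GCC_AT_LEAST_8`. `depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12` is also the only toolchain dependency in the entry without a trailing comment naming the package that imposes it, and a short `# <package>` note there would match the neighbouring lines. The help text states the kernel >= 5.3 requirement but nothing in this entry enforces it, so users with an external kernel have only that sentence to go on; saying in the help that an older kernel makes firewalld fail to start would make the consequence explicit.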


@ -0,0 +1,66 @@
#!/bin/sh
DAEMON=firewalld
PIDFILE=/var/run/$DAEMON.pid
start() {
printf "Starting firewalld: "
start-stop-daemon -S -q --exec $DAEMON
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
}
stop() {
printf "Stopping firewalld: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
}
reload(){
printf "Reloading firewalld: "
firewall-cmd --reload
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
}
restart() {
stop
start
}
status(){
firewall-cmd --state
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
status)
status
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status}"
exit 1
esac
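Review bot: start(), stop() and reload() capture `$status` and print FAIL, but never return it, so the script exits 0 even when firewalld did not come up. The caller then sees success while the board runs without its filtering rules. Ending each of the three functions with `return "$status"` would propagate the failure through the `case` to the script's exit code. Separately, start() launches with `--exec $DAEMON` and no `--pidfile`, while stop() relies on `--pidfile $PIDFILE`. firewalld is presumably executed through the Python interpreter, so matching on the executable may not detect an instance that is already running; passing `--pidfile "$PIDFILE"` in start() as well looks safer, to be confirmed against the start-stop-daemon in use.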


@ -0,0 +1,3 @@
# Locally computed
sha256 3be5a3caa36d1026c5b72d3f61dd963dccd953791b04af03d9946b24bef8391e firewalld-1.3.2.tar.gz
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING


@ -0,0 +1,253 @@
################################################################################
#
# firewalld
#
################################################################################
FIREWALLD_VERSION = 1.3.2
FIREWALLD_SITE = $(call github,firewalld,firewalld,v$(FIREWALLD_VERSION))
FIREWALLD_LICENSE = GPL-2.0
FIREWALLD_LICENSE_FILES = COPYING
FIREWALLD_AUTORECONF = YES
FIREWALLD_DEPENDENCIES = \
host-intltool \
host-libglib2 \
host-libxml2 \
host-libxslt \
dbus-python \
gobject-introspection \
jansson \
nftables \
python3 \
python-gobject
# Firewalld hard codes the python shebangs to the full path of the
# python-interpreter. IE: #!/home/buildroot/output/host/bin/python.
# Force the proper python path.
FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"
# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
# the Red Hat-specific init script which isn't used, so we set
# --disable-sysconfig.
FIREWALLD_CONF_OPTS += \
--disable-rpmmacros \
--disable-sysconfig \
--with-nft=/usr/sbin/nft \
--without-ebtables \
--without-ebtables-restore \
--without-ipset \
--without-xml-catalog
ifeq ($(BR2_PACKAGE_IPTABLES),y)
FIREWALLD_DEPENDENCIES += iptables
FIREWALLD_CONF_OPTS += \
--with-ip6tables-restore=/usr/sbin/ip6tables-restore \
--with-ip6tables=/usr/sbin/ip6tables \
--with-iptables-restore=/usr/sbin/iptables-restore \
--with-iptables=/usr/sbin/iptables
else
FIREWALLD_CONF_OPTS += -without-iptables
endif
ifeq ($(BR2_PACKAGE_SYSTEMD),y)
FIREWALLD_DEPENDENCIES += systemd
FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
else
FIREWALLD_CONF_OPTS += --disable-systemd
endif
define FIREWALLD_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
$(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
endef
# The bundled sysvinit file requires /etc/init.d/functions which is not
# provided by buildroot. As such, we provide our own firewalld init file.
define FIREWALLD_INSTALL_INIT_SYSV
$(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
$(TARGET_DIR)/etc/init.d/S46firewalld
endef
# Firewalld requires almost every single nftable option selected.
define FIREWALLD_LINUX_CONFIG_FIXUPS
$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
endef
$(eval $(autotools-package))
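Review bot: FIREWALLD_LINUX_CONFIG_FIXUPS force-enables every `CONFIG_IP_SET*` option and the `CONFIG_IP_NF_*`/`CONFIG_IP6_NF_*` iptables options unconditionally, although configure is passed `--without-ipset` and, when BR2_PACKAGE_IPTABLES is unset, `-without-iptables`. If the nftables backend does not need them (to be confirmed against the run-time tests mentioned in the commit log), those entries could move into a separate define applied only when BR2_PACKAGE_IPTABLES is selected, which would keep the forced kernel surface closer to the minimum the description promises. The same question applies to the protocol conntrack helpers (FTP, H323, IRC, SIP, PPTP and the others), which are enabled for every kernel built with this package. A comment above the define stating which groups are required for start-up and which are optional features would help the next maintainer trim it. The else branch also spells `-without-iptables` with a single leading dash, unlike every other option in the file; `--without-iptables` would be consistent.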