From 85820b8509b14a46f6df34835fa54fc8c6fb2fe1 Mon Sep 17 00:00:00 2001 From: Peron Date: Sat, 7 Mar 2026 21:59:10 +0800 Subject: [PATCH] feat(config): add k3s and NFSv4 server kernel options Enable kernel options required for k3s (lightweight Kubernetes) and NFSv4 server support across both ARM64 and x86_64 configs. k3s additions: - iptables REJECT/REDIRECT targets for network policy enforcement - Netfilter xt matches: STATISTIC, BPF, CGROUP - IPVS schedulers: WRR, LC, WLC, SH (required by kube-proxy IPVS mode) - SCTP protocol support - XFRM/IPsec framework for encrypted overlay networking - WireGuard for encrypted Flannel backend NFSv4 server additions: - NFSD with NFSv4 protocol support - SunRPC with GSS-API and Kerberos 5 authentication - LOCKD, EXPORTFS, GRACE_PERIOD dependencies - Crypto primitives for Kerberos (MD5, SHA1, AES, CBC, CTS, HMAC, AEAD, GCM, GHASH, SEQIV, SKCIPHER, HASH) --- configs/arcbox-arm64.config | 40 +++++++++++++++++++++++++++++++++++- configs/arcbox-x86_64.config | 40 +++++++++++++++++++++++++++++++++++- 2 files changed, 78 insertions(+), 2 deletions(-)
diff --git a/configs/arcbox-arm64.config b/configs/arcbox-arm64.config
index 8330c8c..07e5609 100644
--- a/configs/arcbox-arm64.config
+++ b/configs/arcbox-arm64.config
@@ -117,18 +117,24 @@ CONFIG_IP_NF_MANGLE=y
 CONFIG_IP_NF_RAW=y
 CONFIG_IP_NF_NAT=y
 CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
 CONFIG_IP6_NF_IPTABLES=y
 CONFIG_IP6_NF_FILTER=y
 CONFIG_IP6_NF_MANGLE=y
 CONFIG_IP6_NF_RAW=y
 CONFIG_IP6_NF_NAT=y
 CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_REJECT=y
 CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
 CONFIG_NETFILTER_XT_MATCH_COMMENT=y
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
 CONFIG_NETFILTER_XT_MATCH_IPVS=y
 CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
 CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_BPF=y
+CONFIG_NETFILTER_XT_MATCH_CGROUP=y
 CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
 CONFIG_NF_NAT=y
 CONFIG_NF_TABLES=y
@@ -149,6 +155,10 @@ CONFIG_IP_VS_NFCT=y
 CONFIG_IP_VS_PROTO_TCP=y
 CONFIG_IP_VS_PROTO_UDP=y
 CONFIG_IP_VS_RR=y
+CONFIG_IP_VS_WRR=y
+CONFIG_IP_VS_LC=y
+CONFIG_IP_VS_WLC=y
+CONFIG_IP_VS_SH=y
 CONFIG_BRIDGE=y
 CONFIG_VETH=y
 CONFIG_VXLAN=y
@@ -166,6 +176,12 @@ CONFIG_NF_CONNTRACK_TFTP=y
 CONFIG_NF_NAT_TFTP=y
 CONFIG_INET_DIAG=y
 CONFIG_NETLINK_DIAG=y
+CONFIG_IP_SCTP=y
+CONFIG_XFRM=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_ALGO=y
+CONFIG_INET_ESP=y
+CONFIG_WIREGUARD=y
 # Device Drivers
 CONFIG_PCI=y
@@ -220,7 +236,6 @@ CONFIG_SCSI_VIRTIO=y
 CONFIG_NETDEVICES=y
 CONFIG_NET_CORE=y
 CONFIG_TUN=y
-CONFIG_VETH=y
 # Character devices
 CONFIG_DEVTMPFS=y
@@ -263,6 +278,17 @@ CONFIG_CONFIGFS_FS=y
 CONFIG_OVERLAY_FS=y
 CONFIG_FS_POSIX_ACL=y
+# NFS server (NFSv4)
+CONFIG_NETWORK_FILESYSTEMS=y
+CONFIG_NFSD=y
+CONFIG_NFSD_V4=y
+CONFIG_SUNRPC=y
+CONFIG_SUNRPC_GSS=y
+CONFIG_RPCSEC_GSS_KRB5=y
+CONFIG_LOCKD=y
+CONFIG_EXPORTFS=y
+CONFIG_GRACE_PERIOD=y
+
 # Kernel hacking - disabled for release
 CONFIG_DEBUG_KERNEL=n
 CONFIG_DEBUG_INFO=n
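Review bot: `CONFIG_IP_SCTP=y` in the `@@ -166,6 +176,12 @@` hunk builds SCTP into the image, so a node that runs no SCTP Services cannot leave it unloaded or blacklist it. If this config supports loadable modules (not visible in the hunk), `CONFIG_IP_SCTP=m` would keep that protocol's attack surface opt-in; otherwise a comment naming the workload that needs it would help. The same hunk sets `CONFIG_INET_ESP=y` without `CONFIG_INET6_ESP=y`, although the file configures IPv6 netfilter, so ESP over IPv6 appears not to be covered. Both points apply equally to the matching `@@ -169,6 +179,12 @@` hunk in configs/arcbox-x86_64.config.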
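Review bot: The `# NFS server (NFSv4)` block in the `@@ -263,6 +278,17 @@` hunk does not say how exports are expected to be authenticated, and an in-kernel NFS server exported with the default AUTH_SYS flavor trusts the UID/GID the client asserts. Since `CONFIG_RPCSEC_GSS_KRB5=y` is enabled here, I would record the intent next to it, e.g. `# Exports are expected to use sec=krb5p or be limited to the host-only interface; sec=sys trusts client-supplied UIDs`. `CONFIG_SUNRPC`, `CONFIG_LOCKD`, `CONFIG_EXPORTFS` and `CONFIG_GRACE_PERIOD` are normally selected by `CONFIG_NFSD`, so a short comment that they are pinned on purpose would avoid confusion. The same applies to the `@@ -250,6 +265,17 @@` hunk in configs/arcbox-x86_64.config.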
@@ -283,6 +309,18 @@ CONFIG_CRYPTO_CRC32C=y
 CONFIG_CRYPTO_XXHASH=y
 CONFIG_CRYPTO_BLAKE2B=y
 CONFIG_LIBCRC32C=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_SHA1=y
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTS=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_SKCIPHER=y
+CONFIG_CRYPTO_HASH=y
 # Library routines
 CONFIG_CRC32=y
diff --git a/configs/arcbox-x86_64.config b/configs/arcbox-x86_64.config
index b01093b..d587548 100644
--- a/configs/arcbox-x86_64.config
+++ b/configs/arcbox-x86_64.config
@@ -120,18 +120,24 @@ CONFIG_IP_NF_MANGLE=y
 CONFIG_IP_NF_RAW=y
 CONFIG_IP_NF_NAT=y
 CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
 CONFIG_IP6_NF_IPTABLES=y
 CONFIG_IP6_NF_FILTER=y
 CONFIG_IP6_NF_MANGLE=y
 CONFIG_IP6_NF_RAW=y
 CONFIG_IP6_NF_NAT=y
 CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_REJECT=y
 CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
 CONFIG_NETFILTER_XT_MATCH_COMMENT=y
 CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
 CONFIG_NETFILTER_XT_MATCH_IPVS=y
 CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
 CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_BPF=y
+CONFIG_NETFILTER_XT_MATCH_CGROUP=y
 CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
 CONFIG_NF_NAT=y
 CONFIG_NF_TABLES=y
@@ -152,6 +158,10 @@ CONFIG_IP_VS_NFCT=y
 CONFIG_IP_VS_PROTO_TCP=y
 CONFIG_IP_VS_PROTO_UDP=y
 CONFIG_IP_VS_RR=y
+CONFIG_IP_VS_WRR=y
+CONFIG_IP_VS_LC=y
+CONFIG_IP_VS_WLC=y
+CONFIG_IP_VS_SH=y
 CONFIG_BRIDGE=y
 CONFIG_VETH=y
 CONFIG_VXLAN=y
@@ -169,6 +179,12 @@ CONFIG_NF_CONNTRACK_TFTP=y
 CONFIG_NF_NAT_TFTP=y
 CONFIG_INET_DIAG=y
 CONFIG_NETLINK_DIAG=y
+CONFIG_IP_SCTP=y
+CONFIG_XFRM=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_ALGO=y
+CONFIG_INET_ESP=y
+CONFIG_WIREGUARD=y
 # Device Drivers
 CONFIG_PCI=y
@@ -211,7 +227,6 @@ CONFIG_SCSI_VIRTIO=y
 CONFIG_NETDEVICES=y
 CONFIG_NET_CORE=y
 CONFIG_TUN=y
-CONFIG_VETH=y
 # Character devices
 CONFIG_DEVTMPFS=y
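Review bot: The crypto list added for Kerberos in the `@@ -283,6 +309,18 @@` hunk of configs/arcbox-arm64.config contains `CONFIG_CRYPTO_MD5` and `CONFIG_CRYPTO_SHA1` but no SHA-2 hash, so as far as the hunk shows RPCSEC_GSS would be limited to the SHA-1 based AES enctypes. On kernels that provide it, `CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y` together with `CONFIG_CRYPTO_SHA256=y` and `CONFIG_CRYPTO_SHA512=y` enables the RFC 8009 enctypes; these may already be set outside the hunk, so please confirm. A comment such as `# MD5/SHA1: needed only by legacy Kerberos/NFSv4 code paths` would stop later readers from treating them as general-purpose hashes. The same applies to the `@@ -270,6 +296,18 @@` hunk in configs/arcbox-x86_64.config.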
@@ -250,6 +265,17 @@ CONFIG_CONFIGFS_FS=y
 CONFIG_OVERLAY_FS=y
 CONFIG_FS_POSIX_ACL=y
+# NFS server (NFSv4)
+CONFIG_NETWORK_FILESYSTEMS=y
+CONFIG_NFSD=y
+CONFIG_NFSD_V4=y
+CONFIG_SUNRPC=y
+CONFIG_SUNRPC_GSS=y
+CONFIG_RPCSEC_GSS_KRB5=y
+CONFIG_LOCKD=y
+CONFIG_EXPORTFS=y
+CONFIG_GRACE_PERIOD=y
+
 # Kernel hacking - disabled for release
 CONFIG_DEBUG_KERNEL=n
 CONFIG_DEBUG_INFO=n
@@ -270,6 +296,18 @@ CONFIG_CRYPTO_CRC32C=y
 CONFIG_CRYPTO_XXHASH=y
 CONFIG_CRYPTO_BLAKE2B=y
 CONFIG_LIBCRC32C=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_SHA1=y
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTS=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_SKCIPHER=y
+CONFIG_CRYPTO_HASH=y
 # Library routines
 CONFIG_CRC32=y