diff --git a/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA1.pem b/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA1.pem
new file mode 100644
index 000000000..a6f3e92af
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA1.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
+ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
+b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
+MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
+b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
+ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
+9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
+IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
+VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
+93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
+jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
+A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
+U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
+N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
+o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
+5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
+rqXRfboQnoZsG4q5WTP468SQvvG5
+-----END CERTIFICATE-----
diff --git a/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA2.pem b/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA2.pem
new file mode 100644
index 000000000..efe3c9fed
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA2.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF
+ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
+b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL
+MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
+b3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2Wny2cSkxK
+gXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4kHbZ
+W0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg
+1dKmSYXpN+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K
+8nu+NQWpEjTj82R0Yiw9AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r
+2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvdfLC6HM783k81ds8P+HgfajZRRidhW+me
+z/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAExkv8LV/SasrlX6avvDXbR
+8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSSbtqDT6Zj
+mUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz
+7Mt0Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6
++XUyo05f7O0oYtlNc/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI
+0u1ufm8/0i2BWSlmy5A5lREedCf+3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSwDPBMMPQFWAJI/TPlUq9LhONm
+UjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oAA7CXDpO8Wqj2
+LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY
++gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kS
+k5Nrp+gvU5LEYFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl
+7uxMMne0nxrpS10gxdr9HIcWxkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygm
+btmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQgj9sAq+uEjonljYE1x2igGOpm/Hl
+urR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbWaQbLU8uz/mtBzUF+
+fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoVYh63
+n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE
+76KlXIx3KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H
+9jVlpNMKVv/1F2Rs76giJUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT
+4PsJYGw=
+-----END CERTIFICATE-----
diff --git a/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA3.pem b/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA3.pem
new file mode 100644
index 000000000..a45da7074
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA3.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5
+MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
+Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
+A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg
+Q0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZBf8ANm+gBG1bG8lKl
+ui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjrZt6j
+QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSr
+ttvXBp43rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkr
+BqWTrBqYaGFy+uGh0PsceGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteM
+YyRIHN8wfdVoOw==
+-----END CERTIFICATE-----
diff --git a/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA4.pem b/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA4.pem
new file mode 100644
index 000000000..fcbdeccd4
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-core/busybox/busybox/ssl/AmazonRootCA4.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5
+MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
+Um9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
+A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg
+Q0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi
+9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83Bk
+M6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WB
+MAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlw
+CkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW
+1KyLa2tJElMzrdfkviT8tQp21KW8EA==
+-----END CERTIFICATE-----
diff --git a/meta/meta-mediatek-aud/recipes-core/busybox/busybox_%.bbappend b/meta/meta-mediatek-aud/recipes-core/busybox/busybox_%.bbappend
index aaac394e1..d2906f780 100755
--- a/meta/meta-mediatek-aud/recipes-core/busybox/busybox_%.bbappend
+++ b/meta/meta-mediatek-aud/recipes-core/busybox/busybox_%.bbappend
@@ -14,6 +14,10 @@ SRC_URI_append = " \
                    file://ring_buf.patch \
                    file://echo.patch \
                    file://syslog.conf \
+                   file://ssl/AmazonRootCA1.pem \
+                   file://ssl/AmazonRootCA2.pem \
+                   file://ssl/AmazonRootCA3.pem \
+                   file://ssl/AmazonRootCA4.pem \
                  "
 
 inherit systemd
@@ -24,6 +28,7 @@ FILES_${PN}-syslog_append = " ${systemd_unitdir}/system/busybox-syslog.service \
                             "
 
 do_install_append() {
+    install -d ${D}${sysconfdir}/ssl/certs
     cp ${WORKDIR}/syslogctl ${D}/bin/syslogctl
     cp ${WORKDIR}/mdlogctl ${D}/bin/mdlogctl
     cp ${WORKDIR}/syslog-start ${D}/bin/syslog-start
@@ -34,6 +39,10 @@ do_install_append() {
     install -d ${D}${sysconfdir}/systemd/system
     install -d ${D}${sysconfdir}/systemd/system/multi-user.target.wants
     install -m 0644 ${WORKDIR}/tcpdump.service.in ${D}${systemd_unitdir}/system/tcpdump.service
+    install -m 0644 ${WORKDIR}/ssl/AmazonRootCA1.pem ${D}${sysconfdir}/ssl/certs/AmazonRootCA1.pem
+    install -m 0644 ${WORKDIR}/ssl/AmazonRootCA2.pem ${D}${sysconfdir}/ssl/certs/AmazonRootCA2.pem
+    install -m 0644 ${WORKDIR}/ssl/AmazonRootCA3.pem ${D}${sysconfdir}/ssl/certs/AmazonRootCA3.pem
+    install -m 0644 ${WORKDIR}/ssl/AmazonRootCA4.pem ${D}${sysconfdir}/ssl/certs/AmazonRootCA4.pem
     ln -sf ${systemd_unitdir}/system/busybox-syslog.service ${D}${sysconfdir}/systemd/system/syslog.service
     ln -sf ${systemd_unitdir}/system/busybox-syslog.service ${D}${sysconfdir}/systemd/system/multi-user.target.wants/busybox-syslog.service
     ln -sf ${systemd_unitdir}/system/busybox-klogd.service ${D}${sysconfdir}/systemd/system/multi-user.target.wants/busybox-klogd.service
diff --git a/meta/meta-mediatek-aud/recipes-support/iptables/iptables/0001-Makefile.am-do-not-install-etc-ethertypes.patch b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/0001-Makefile.am-do-not-install-etc-ethertypes.patch
new file mode 100644
index 000000000..aa5126582
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/0001-Makefile.am-do-not-install-etc-ethertypes.patch
@@ -0,0 +1,40 @@
+From a4ed9fc8da720585f853d2ca6ffd30e2fa4d1247 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Wed, 9 Mar 2022 12:50:39 -0500
+Subject: [PATCH] Makefile.am: do not install /etc/ethertypes
+
+The /etc/ethertypes is provided by netbase since 6.0[1].
+Do not instal the file in ebtables, otherwise there would be a conflict:
+Error: Transaction test error:
+  file /etc/ethertypes conflicts between attempted installs of
+netbase-1:6.2-r0.corei7_64 and iptables-1.8.7-r0.corei7_64
+
+[1]
+https://salsa.debian.org/md/netbase/-/commit/316680c6a2c3641b6abc76b3eebf88781f609d35)
+
+This patch is based off of the same change made for the ebtables recipe:
+
+http://cgit.openembedded.org/meta-openembedded/tree/meta-networking/recipes-filter/ebtables/ebtables-2.0.11/0001-Makefile.am-do-not-install-etc-ethertypes.patch?h=master
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ Makefile.am | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 799bf8b8..2eb1843f 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -18,7 +18,6 @@ SUBDIRS         += iptables
+ 
+ if ENABLE_NFTABLES
+ confdir		= $(sysconfdir)
+-dist_conf_DATA	= etc/ethertypes
+ endif
+ 
+ .PHONY: tarball
+-- 
+2.35.1
+
diff --git a/meta/meta-mediatek-aud/recipes-support/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
new file mode 100644
index 000000000..03c36ccbc
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
@@ -0,0 +1,47 @@
+From c46db7c2e1f63ec525835553587e70c635565310 Mon Sep 17 00:00:00 2001
+From: "Maxin B. John" <maxin.john@intel.com>
+Date: Tue, 21 Feb 2017 11:16:31 +0200
+Subject: [PATCH] configure: Add option to enable/disable libnfnetlink
+
+This changes the configure behaviour from autodetecting
+for libnfnetlink to having an option to disable it explicitly
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+---
+ configure.ac | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index eda7871..03ddc50 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -63,6 +63,9 @@ AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH],
+ AC_ARG_ENABLE([nftables],
+ 	AS_HELP_STRING([--disable-nftables], [Do not build nftables compat]),
+ 	[enable_nftables="$enableval"], [enable_nftables="yes"])
++AC_ARG_ENABLE([libnfnetlink],
++    AS_HELP_STRING([--disable-libnfnetlink], [Do not use netfilter netlink library]),
++    [enable_libnfnetlink="$enableval"], [enable_libnfnetlink="yes"])
+ AC_ARG_ENABLE([connlabel],
+ 	AS_HELP_STRING([--disable-connlabel],
+ 	[Do not build libnetfilter_conntrack]),
+@@ -115,9 +118,10 @@ if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
+ 	AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
+ fi
+ 
+-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+-	[nfnetlink=1], [nfnetlink=0])
+-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
++AS_IF([test "x$enable_libnfnetlink" = "xyes"], [
++    PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0])
++    ])
++AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "x$enable_libnfnetlink" = "xyes"])
+ 
+ if test "x$enable_nftables" = "xyes"; then
+ 	PKG_CHECK_MODULES([libmnl], [libmnl >= 1.0], [mnl=1], [mnl=0])
+-- 
+2.4.0
+
diff --git a/meta/meta-mediatek-aud/recipes-support/iptables/iptables/0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch
new file mode 100644
index 000000000..7842c6408
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch
@@ -0,0 +1,51 @@
+From 26090b3dbcdf6a11e60535da949b726a6e86426d Mon Sep 17 00:00:00 2001
+From: "Maxin B. John" <maxin.john@intel.com>
+Date: Tue, 21 Feb 2017 11:49:07 +0200
+Subject: [PATCH] configure.ac:
+ only-check-conntrack-when-libnfnetlink-enabled.patch
+
+Package libnetfilter-conntrack depends on package libnfnetlink. iptables
+checks package libnetfilter-conntrack whatever its package config
+libnfnetlink is enabled or not. When libnfnetlink is disabled but
+package libnetfilter-conntrack exists, it fails randomly with:
+
+In file included from
+.../iptables/1.4.21-r0/iptables-1.4.21/extensions/libxt_connlabel.c:8:0:
+
+.../tmp/sysroots/qemumips/usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:14:42:
+fatal error: libnfnetlink/linux_nfnetlink.h: No such file or directory
+
+compilation terminated.
+GNUmakefile:96: recipe for target 'libxt_connlabel.oo' failed
+Only check libnetfilter-conntrack when libnfnetlink is enabled to fix it.
+
+Upstream-Status: Pending
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+---
+ configure.ac | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 03ddc50..523caea 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -172,10 +172,12 @@ if test "$nftables" != 1; then
+ fi
+ 
+ if test "x$enable_connlabel" = "xyes"; then
+-	PKG_CHECK_MODULES([libnetfilter_conntrack],
++    nfconntrack=0
++    AS_IF([test "x$enable_libnfnetlink" = "xyes"], [
++    PKG_CHECK_MODULES([libnetfilter_conntrack],
+ 		[libnetfilter_conntrack >= 1.0.6],
+ 		[nfconntrack=1], [nfconntrack=0])
+-
++    ])
+ 	if test "$nfconntrack" -ne 1; then
+ 		blacklist_modules="$blacklist_modules connlabel";
+ 		echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
+-- 
+2.4.0
+
diff --git a/meta/meta-mediatek-aud/recipes-support/iptables/iptables/ip6tables.rules b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/ip6tables.rules
new file mode 100644
index 000000000..e69de29bb
diff --git a/meta/meta-mediatek-aud/recipes-support/iptables/iptables/ip6tables.service b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/ip6tables.service
new file mode 100644
index 000000000..6c059fca4
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/ip6tables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+ExecReload=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/meta-mediatek-aud/recipes-support/iptables/iptables/iptables.rules b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/iptables.rules
new file mode 100644
index 000000000..273dd0d82
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/iptables.rules
@@ -0,0 +1,25 @@
+# Generated by iptables-save v1.8.7 on Tue Jul 12 01:22:18 2022
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Jul 12 01:22:18 2022
+# Generated by iptables-save v1.8.7 on Tue Jul 12 01:22:18 2022
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Tue Jul 12 01:22:18 2022
+# Generated by iptables-save v1.8.7 on Tue Jul 12 01:22:18 2022
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -j ACCEPT
+COMMIT
+# Completed on Tue Jul 12 01:22:18 2022
diff --git a/meta/meta-mediatek-aud/recipes-support/iptables/iptables/iptables.service b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/iptables.service
new file mode 100644
index 000000000..151e7d9d7
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/iptables/iptables/iptables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv4 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore < /etc/iptables.rules
+ExecReload=/usr/sbin/iptables-restore < /etc/iptables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/meta-mediatek-aud/recipes-support/iptables/iptables_1.8.7.bb b/meta/meta-mediatek-aud/recipes-support/iptables/iptables_1.8.7.bb
new file mode 100644
index 000000000..731a64a45
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/iptables/iptables_1.8.7.bb
@@ -0,0 +1,52 @@
+SUMMARY = "Tools for managing kernel packet filtering capabilities"
+DESCRIPTION = "iptables is the userspace command line program used to configure and control network packet \
+filtering code in Linux."
+HOMEPAGE = "http://www.netfilter.org/"
+BUGTRACKER = "http://bugzilla.netfilter.org/"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+                    file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d0f763df2a12dc \
+"
+
+SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
+           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
+           file://0001-Makefile.am-do-not-install-etc-ethertypes.patch \
+           file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
+           file://iptables.service \
+           file://iptables.rules \
+           file://ip6tables.service \
+           file://ip6tables.rules \
+           "
+SRC_URI[sha256sum] = "c109c96bb04998cd44156622d36f8e04b140701ec60531a10668cfdff5e8d8f0"
+
+inherit autotools pkgconfig
+
+EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR} \
+                --disable-ipv6 \
+               "
+PACKAGECONFIG ?= "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)} \
+                 "
+
+PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+
+# libnfnetlink recipe is in meta-networking layer
+PACKAGECONFIG[libnfnetlink] = "--enable-libnfnetlink,--disable-libnfnetlink,libnfnetlink libnetfilter-conntrack"
+
+# libnftnl recipe is in meta-networking layer(previously known as libnftables)
+PACKAGECONFIG[libnftnl] = "--enable-nftables,--disable-nftables,libnftnl"
+
+do_configure_prepend() {
+	# Remove some libtool m4 files
+	# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
+	rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
+}
+
+do_install_append() {
+    install -d ${D}${sysconfdir}/
+    install -d ${D}${sysconfdir}/systemd/system/
+    install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables.rules
+    install -m 0644 ${WORKDIR}/iptables.service ${D}${sysconfdir}/systemd/system/iptables.service
+}
+
+FILES_${PN} += "${libdir}/xtables/*"
+INSANE_SKIP_${PN} = "dev-so"
diff --git a/meta/poky/meta/recipes-core/busybox/busybox/login-utilities.cfg b/meta/poky/meta/recipes-core/busybox/busybox/login-utilities.cfg
index cc9b2db50..cdbb7b723 100644
--- a/meta/poky/meta/recipes-core/busybox/busybox/login-utilities.cfg
+++ b/meta/poky/meta/recipes-core/busybox/busybox/login-utilities.cfg
@@ -8,6 +8,7 @@ CONFIG_DELGROUP=y
 CONFIG_GETTY=y
 CONFIG_LOGIN=y
 CONFIG_PASSWD=y
-CONFIG_SU=y
+CONFIG_CHPASSWD=y
+#CONFIG_SU=y
 CONFIG_SULOGIN=y
 CONFIG_VLOCK=y
diff --git a/src/apps/aud-base/service/appmainprog.sh b/src/apps/aud-base/service/appmainprog.sh
index b3d99b7f7..9897e95e9 100644
--- a/src/apps/aud-base/service/appmainprog.sh
+++ b/src/apps/aud-base/service/appmainprog.sh
@@ -1,5 +1,8 @@
 #!/bin/sh
 # start appmainprog
+echo 2 > /proc/sys/kernel/randomize_va_space
+/usr/sbin/iptables-restore < /etc/iptables.rules
 echo auostart appmainprog
 hwclock -w
 /usr/bin/appmainprog
+
diff --git a/src/kernel/linux/v4.4/arch/arm64/configs/aud8516p1v2_consys_slc_yocto_defconfig b/src/kernel/linux/v4.4/arch/arm64/configs/aud8516p1v2_consys_slc_yocto_defconfig
index ab382d93b..d4ccaf279 100644
--- a/src/kernel/linux/v4.4/arch/arm64/configs/aud8516p1v2_consys_slc_yocto_defconfig
+++ b/src/kernel/linux/v4.4/arch/arm64/configs/aud8516p1v2_consys_slc_yocto_defconfig
@@ -535,3 +535,176 @@ CONFIG_SUNRPC_BACKCHANNEL=y
 # CONFIG_NCP_FS is not set
 # CONFIG_CODA_FS is not set
 # CONFIG_AFS_FS is not set
+
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+# CONFIG_NETFILTER_NETLINK_LOG is not set
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+# CONFIG_NF_CONNTRACK_SANE is not set
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_CT is not set
+# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
+# CONFIG_NETFILTER_XT_TARGET_HL is not set
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y
+# CONFIG_NETFILTER_XT_TARGET_LOG is not set
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+# CONFIG_NETFILTER_XT_TARGET_TRACE is not set
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+# CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
+# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
+# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is not set
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
+# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
+# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
+# CONFIG_NETFILTER_XT_MATCH_ECN is not set
+# CONFIG_NETFILTER_XT_MATCH_ESP is not set
+# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
+# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
+# CONFIG_NETFILTER_XT_MATCH_HL is not set
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
+# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y
+# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
+CONFIG_NETFILTER_XT_MATCH_QTAGUID=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA2=y
+# CONFIG_NETFILTER_XT_MATCH_QUOTA2_LOG is not set
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+CONFIG_NETFILTER_XT_MATCH_RECENT=y
+# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
+CONFIG_NETFILTER_XT_MATCH_SOCKET=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+CONFIG_NETFILTER_XT_MATCH_TIME=y
+CONFIG_NETFILTER_XT_MATCH_U32=y
+# CONFIG_IP_SET is not set
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+# CONFIG_NF_DUP_IPV4 is not set
+# CONFIG_NF_LOG_ARP is not set
+# CONFIG_NF_LOG_IPV4 is not set
+CONFIG_NF_REJECT_IPV4=y
+# CONFIG_NF_NAT_IPV4 is not set
+CONFIG_IP_NF_IPTABLES=y
+# CONFIG_IP_NF_MATCH_AH is not set
+# CONFIG_IP_NF_MATCH_ECN is not set
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+# CONFIG_IP_NF_MATCH_TTL is not set
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+# CONFIG_IP_NF_NAT is not set
+CONFIG_IP_NF_MANGLE=y
+# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
+# CONFIG_IP_NF_TARGET_ECN is not set
+# CONFIG_IP_NF_TARGET_TTL is not set
+CONFIG_IP_NF_RAW=y
+# CONFIG_IP_NF_SECURITY is not set
+CONFIG_IP_NF_ARPTABLES=y
+# CONFIG_IP_NF_ARPFILTER is not set
+# CONFIG_IP_NF_ARP_MANGLE is not set
+# CONFIG_BRIDGE_NF_EBTABLES is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+# CONFIG_L2TP is not set
+CONFIG_STP=y
+CONFIG_BRIDGE=y
+CONFIG_BRIDGE_IGMP_SNOOPING=y
+# CONFIG_BRIDGE_VLAN_FILTERING is not set
+CONFIG_HAVE_NET_DSA=y
+CONFIG_VLAN_8021Q=y
+# CONFIG_VLAN_8021Q_GVRP is not set
+# CONFIG_VLAN_8021Q_MVRP is not set
+# CONFIG_DECNET is not set
+CONFIG_LLC=y
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+CONFIG_NET_SCHED=y