diff --git a/package/gluon-client-bridge/Makefile b/package/gluon-client-bridge/Makefile
index ccf1bcd8b344c5451c403a792863ba6b06476b12..19a0e3a4cd09cd1ad8102682cd8a1278fadff469 100644
--- a/package/gluon-client-bridge/Makefile
+++ b/package/gluon-client-bridge/Makefile
@@ -9,7 +9,7 @@ define Package/gluon-client-bridge
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Provides a bridge and a wireless interface for clients to connect to
-  DEPENDS:=+gluon-core +kmod-veth
+  DEPENDS:=+gluon-core +kmod-veth +@GLUON_SPECIALIZE_KERNEL:KERNEL_VETH
 endef
 
 $(eval $(call BuildPackageGluon,gluon-client-bridge))
diff --git a/package/gluon-core/Config.in b/package/gluon-core/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..9def3c299cfa7cb1a0149dd19548fcbbadfdec25
--- /dev/null
+++ b/package/gluon-core/Config.in
@@ -0,0 +1,338 @@
+config KERNEL_NET_IP_TUNNEL
+	bool
+
+config KERNEL_NET_UDP_TUNNEL
+	bool
+
+config KERNEL_VXLAN
+	bool
+	select KERNEL_NET_IP_TUNNEL
+	select KERNEL_NET_UDP_TUNNEL
+
+config KERNEL_VETH
+	bool
+
+
+# for fastd
+
+config KERNEL_TUN
+	bool
+
+
+# for tunneldigger
+
+config KERNEL_L2TP_V3
+	bool
+
+config KERNEL_L2TP_IP
+	bool
+
+config KERNEL_L2TP_ETH
+	bool
+
+config KERNEL_L2TP
+	bool
+	select KERNEL_L2TP_V3
+	select KERNEL_L2TP_IP
+	select KERNEL_L2TP_ETH
+
+
+# for simple-tc
+
+config KERNEL_NET_SCHED
+	bool
+
+config KERNEL_NET_CLS
+	bool
+	select KERNEL_NET_SCHED
+
+config KERNEL_NET_CLS_ACT
+	bool
+	select KERNEL_NET_CLS
+
+config KERNEL_NET_CLS_BASIC
+	bool
+	select KERNEL_NET_CLS
+
+config KERNEL_NET_SCH_TBF
+	bool
+	select KERNEL_NET_SCHED
+
+config KERNEL_NET_SCH_INGRESS
+	bool
+	select KERNEL_NET_CLS_ACT
+
+
+# for batman-adv
+
+config KERNEL_DUMMY
+	bool
+
+config KERNEL_CRC16
+	bool
+
+config KERNEL_LIBCRC32C
+	bool
+
+
+# Netfilter modules used by ebtables and fw3
+
+config KERNEL_NETFILTER
+	bool
+
+config KERNEL_NETFILTER_ADVANCED
+	bool
+	select KERNEL_NETFILTER
+
+config KERNEL_NETFILTER_XTABLES
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+
+config KERNEL_BRIDGE_NF_EBTABLES
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_BRIDGE_EBT_T_FILTER
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_T_NAT
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_ARP
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_IP
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_IP6
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_LIMIT
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_MARK
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+config KERNEL_BRIDGE_EBT_MARK_T
+	bool
+	select KERNEL_BRIDGE_NF_EBTABLES
+
+
+# Not all of the following modules are really required for Gluon, but fw3 pulls
+# them in, so we add them to the kernel config to reduce the number of loaded
+# modules
+
+# kmod-nf-conntrack
+
+config KERNEL_NF_CONNTRACK
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+
+config KERNEL_NF_CONNTRACK_RTCACHE
+	bool
+	select KERNEL_NF_CONNTRACK
+
+config KERNEL_NF_CONNTRACK_IPV4
+	bool
+	select KERNEL_NF_CONNTRACK
+
+
+# kmod-nf-conntrack6
+
+config KERNEL_NF_CONNTRACK_IPV6
+	bool
+	select KERNEL_NF_CONNTRACK
+
+
+# kmod-nf-ipt
+
+config KERNEL_NF_REJECT_IPV4
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+
+config KERNEL_IP_NF_IPTABLES
+	bool
+	select KERNEL_NETFILTER_XTABLES
+	select KERNEL_NF_REJECT_IPV4
+
+
+# kmod-nf-ipt6
+
+config KERNEL_NF_REJECT_IPV6
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+
+config KERNEL_IP6_NF_IPTABLES
+	bool
+	select KERNEL_NETFILTER_XTABLES
+	select KERNEL_NF_REJECT_IPV6
+
+
+# kmod-nf-nat
+
+config KERNEL_NF_NAT
+	bool
+	select KERNEL_NF_CONNTRACK
+
+config KERNEL_NF_NAT_REDIRECT
+	bool
+	select KERNEL_NF_NAT
+
+config KERNEL_NF_NAT_IPV4
+	bool
+	select KERNEL_NETFILTER_ADVANCED
+	select KERNEL_NF_NAT
+
+config KERNEL_NF_NAT_MASQUERADE_IPV4
+	bool
+	select KERNEL_NF_NAT_IPV4
+
+
+# kmod-ipt-core
+
+config KERNEL_IP_NF_FILTER
+	bool
+	select KERNEL_IP_NF_IPTABLES
+
+config KERNEL_IP_NF_MANGLE
+	bool
+	select KERNEL_IP_NF_IPTABLES
+
+config KERNEL_IP_NF_TARGET_REJECT
+	bool
+	select KERNEL_IP_NF_FILTER
+
+config KERNEL_NETFILTER_XT_MATCH_LIMIT
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_MAC
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_MULTIPORT
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_COMMENT
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_TIME
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MARK
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_TARGET_LOG
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_TARGET_TCPMSS
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+# kmod-ip6tables
+
+config KERNEL_IP6_NF_FILTER
+	bool
+	select KERNEL_IP6_NF_IPTABLES
+
+config KERNEL_IP6_NF_MANGLE
+	bool
+	select KERNEL_IP6_NF_IPTABLES
+
+config KERNEL_IP6_NF_TARGET_REJECT
+	bool
+	select KERNEL_IP6_NF_IPTABLES
+
+
+# kmod-ipt-conntrack
+
+config KERNEL_NETFILTER_XT_MATCH_STATE
+	bool
+	select KERNEL_NETFILTER_XTABLES
+	select KERNEL_NF_CONNTRACK
+
+config KERNEL_NETFILTER_XT_MATCH_CONNTRACK
+	bool
+	select KERNEL_NETFILTER_XTABLES
+	select KERNEL_NF_CONNTRACK
+
+
+# kmod-ipt-nat
+
+config KERNEL_IP_NF_NAT
+	bool
+	select KERNEL_NF_NAT
+	select KERNEL_IP_NF_IPTABLES
+
+config KERNEL_IP_NF_TARGET_MASQUERADE
+	bool
+	select KERNEL_NF_NAT_MASQUERADE_IPV4
+	select KERNEL_IP_NF_NAT
+
+config KERNEL_IP_NF_TARGET_REDIRECT
+	bool
+	select KERNEL_NF_NAT
+	select KERNEL_IP_NF_NAT
+
+
+# kmod-ipt-extra
+
+config KERNEL_NETFILTER_XT_MATCH_ADDRTYPE
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_OWNER
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_PKTTYPE
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+config KERNEL_NETFILTER_XT_MATCH_QUOTA
+	bool
+	select KERNEL_NETFILTER_XTABLES
+
+
+config GLUON_SPECIALIZE_KERNEL
+	bool "Specialize kernel for Gluon"
+	select KERNEL_VXLAN
+	select KERNEL_NF_CONNTRACK_RTCACHE
+	select KERNEL_NF_CONNTRACK_IPV4
+	select KERNEL_NF_CONNTRACK_IPV6
+	select KERNEL_IP_NF_IPTABLES
+	select KERNEL_IP6_NF_IPTABLES
+	select KERNEL_NF_NAT_REDIRECT
+	select KERNEL_NF_NAT_IPV4
+	select KERNEL_NF_NAT_MASQUERADE_IPV4
+	select KERNEL_IP_NF_FILTER
+	select KERNEL_IP_NF_MANGLE
+	select KERNEL_IP_NF_TARGET_REJECT
+	select KERNEL_IP6_NF_FILTER
+	select KERNEL_IP6_NF_MANGLE
+	select KERNEL_IP6_NF_TARGET_REJECT
+	select KERNEL_NETFILTER_XT_MATCH_LIMIT
+	select KERNEL_NETFILTER_XT_MATCH_MAC
+	select KERNEL_NETFILTER_XT_MATCH_MULTIPORT
+	select KERNEL_NETFILTER_XT_MATCH_COMMENT
+	select KERNEL_NETFILTER_XT_MATCH_TIME
+	select KERNEL_NETFILTER_XT_MARK
+	select KERNEL_NETFILTER_XT_TARGET_LOG
+	select KERNEL_NETFILTER_XT_TARGET_TCPMSS
+	select KERNEL_NETFILTER_XT_MATCH_STATE
+	select KERNEL_NETFILTER_XT_MATCH_CONNTRACK
+	select KERNEL_IP_NF_NAT
+	select KERNEL_IP_NF_TARGET_MASQUERADE
+	select KERNEL_IP_NF_TARGET_REDIRECT
diff --git a/package/gluon-core/Makefile b/package/gluon-core/Makefile
index 39218d667d91c324253fa89219d86cf7f523af84..f220b9f463cf5a6005a60d5ad5d37462c5a2ed4a 100644
--- a/package/gluon-core/Makefile
+++ b/package/gluon-core/Makefile
@@ -23,6 +23,10 @@ define Package/gluon-core/description
 	Gluon community wifi mesh firmware framework: core
 endef
 
+define Package/gluon-core/config
+        source "$(SOURCE)/Config.in"
+endef
+
 define Package/gluon-core/install
 	$(Gluon/Build/Install)
 
diff --git a/package/gluon-ebtables-limit-arp/Makefile b/package/gluon-ebtables-limit-arp/Makefile
index 4562c62788c6e4b513c957ebf165b30bf28e9929..a356b832bbf47ab8c11e9bf8174ee22f253da354 100644
--- a/package/gluon-ebtables-limit-arp/Makefile
+++ b/package/gluon-ebtables-limit-arp/Makefile
@@ -10,7 +10,10 @@ define Package/gluon-ebtables-limit-arp
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Ebtables limiter for ARP packets
-  DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
+  DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_LIMIT \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_MARK \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_MARK_T
 endef
 
 define Package/gluon-ebtables-limit-arp/description
diff --git a/package/gluon-ebtables/Makefile b/package/gluon-ebtables/Makefile
index 3ecf9b8809b27749d2c705f726b112d58d05c1c4..3a2fffdc763eae25a041aaf760b6cfaf44e4c2c7 100644
--- a/package/gluon-ebtables/Makefile
+++ b/package/gluon-ebtables/Makefile
@@ -4,13 +4,23 @@ PKG_NAME:=gluon-ebtables
 PKG_VERSION:=1
 PKG_RELEASE:=1
 
+PKG_CONFIG_DEPENDS := CONFIG_GLUON_SPECIALIZE_KERNEL
+
 include ../gluon.mk
 
 define Package/gluon-ebtables
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Ebtables support
-  DEPENDS:=+gluon-core +ebtables-tiny +kmod-ebtables +kmod-ebtables-ipv4 +kmod-ebtables-ipv6
+  DEPENDS:=+gluon-core +ebtables-tiny \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_T_FILTER \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_T_NAT \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_ARP \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_IP \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_IP6 \
+	+!GLUON_SPECIALIZE_KERNEL:kmod-ebtables \
+	+!GLUON_SPECIALIZE_KERNEL:kmod-ebtables-ipv4 \
+	+!GLUON_SPECIALIZE_KERNEL:kmod-ebtables-ipv6
 endef
 
 define Package/gluon-ebtables/description
diff --git a/package/gluon-mesh-batman-adv/Makefile b/package/gluon-mesh-batman-adv/Makefile
index 22355798b5d289d5cb29f0ee0526297ca4f7a1d6..a8c4801ddfe39416618ac1536789b8d54f7475e1 100644
--- a/package/gluon-mesh-batman-adv/Makefile
+++ b/package/gluon-mesh-batman-adv/Makefile
@@ -9,7 +9,7 @@ define Package/gluon-mesh-batman-adv/common
   SECTION:=gluon
   CATEGORY:=Gluon
   PROVIDES:=gluon-mesh-batman-adv
-  DEPENDS:=+gluon-core +libgluonutil +gluon-client-bridge +gluon-ebtables +firewall +libiwinfo +kmod-dummy +libnl-tiny +libbatadv
+  DEPENDS:=+gluon-core +libgluonutil +gluon-client-bridge +gluon-ebtables +firewall +libiwinfo +kmod-dummy +libnl-tiny +libbatadv +@GLUON_SPECIALIZE_KERNEL:KERNEL_DUMMY +@GLUON_SPECIALIZE_KERNEL:KERNEL_CRC16 +@GLUON_SPECIALIZE_KERNEL:KERNEL_LIBCRC32C
 endef
 
 define Package/gluon-mesh-batman-adv-14
diff --git a/package/gluon-mesh-vpn-core/Makefile b/package/gluon-mesh-vpn-core/Makefile
index 263ec217347ac9e0788a6c7e316156b30b408263..885905738ef72a803d0f4d096a53af9c08c8945e 100644
--- a/package/gluon-mesh-vpn-core/Makefile
+++ b/package/gluon-mesh-vpn-core/Makefile
@@ -9,7 +9,14 @@ define Package/gluon-mesh-vpn-core
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Basic support for connecting meshes via VPN tunnels
-  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables +iptables-mod-extra +simple-tc
+  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables +iptables-mod-extra +simple-tc \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_ADDRTYPE \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_OWNER \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_PKTTYPE \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_QUOTA \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_CLS_BASIC \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_SCH_TBF \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_SCH_INGRESS
   USERID:=:gluon-mesh-vpn=800
 endef
 
diff --git a/package/gluon-mesh-vpn-fastd/Makefile b/package/gluon-mesh-vpn-fastd/Makefile
index 50b35e5acc3a5d4981af58d7754fd5c3136996ed..477cd48e8e9bd6cfa10fb69ce344b366b43a1b3f 100644
--- a/package/gluon-mesh-vpn-fastd/Makefile
+++ b/package/gluon-mesh-vpn-fastd/Makefile
@@ -9,7 +9,7 @@ define Package/gluon-mesh-vpn-fastd
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Support for connecting meshes via fastd
-  DEPENDS:=+gluon-core +libgluonutil +gluon-mesh-vpn-core +fastd
+  DEPENDS:=+gluon-core +libgluonutil +gluon-mesh-vpn-core +fastd +@GLUON_SPECIALIZE_KERNEL:KERNEL_TUN
 endef
 
 $(eval $(call BuildPackageGluon,gluon-mesh-vpn-fastd))
diff --git a/package/gluon-mesh-vpn-tunneldigger/Makefile b/package/gluon-mesh-vpn-tunneldigger/Makefile
index 8b8099b147746f36b0edd595d11d7bfd67237db5..d463db414208bd94019ac59b05fba3a5303c71ab 100644
--- a/package/gluon-mesh-vpn-tunneldigger/Makefile
+++ b/package/gluon-mesh-vpn-tunneldigger/Makefile
@@ -9,7 +9,7 @@ define Package/gluon-mesh-vpn-tunneldigger
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Support for connecting meshes via tunneltigger/L2TPv3 pseudowire
-  DEPENDS:=+gluon-core +gluon-mesh-vpn-core +tunneldigger
+  DEPENDS:=+gluon-core +gluon-mesh-vpn-core +tunneldigger +@GLUON_SPECIALIZE_KERNEL:KERNEL_L2TP
 endef
 
 $(eval $(call BuildPackageGluon,gluon-mesh-vpn-tunneldigger))
diff --git a/patches/lede/0082-include-kernel.mk-build-kmod-packages-with-empty-FILES.patch b/patches/lede/0082-include-kernel.mk-build-kmod-packages-with-empty-FILES.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c8c4fcc9d1ccc12f9b92196ee4def9ec5ac350aa
--- /dev/null
+++ b/patches/lede/0082-include-kernel.mk-build-kmod-packages-with-empty-FILES.patch
@@ -0,0 +1,37 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 10 Apr 2018 09:03:52 +0200
+Subject: include/kernel.mk: build kmod packages with empty FILES
+
+kmod packages without FILES did not have an install step defined, leading
+to no package being built. This affected netfilter/iptables packages, which
+filter out builtin modules from FILES.
+
+Not building a package that it is selected in .config is problematic, as
+the generated empty package may be necessary to satisfy dependencies.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/include/kernel.mk b/include/kernel.mk
+index b1d0e8d927cb462b486cfd645d68963f1b6ab8ff..d8d457fe7a5d3584d8aa4e27430da84533c85ed0 100644
+--- a/include/kernel.mk
++++ b/include/kernel.mk
+@@ -194,8 +194,7 @@ $(call KernelPackage/$(1)/config)
+   $(call KernelPackage/depends)
+ 
+   ifneq ($(if $(filter-out %=y %=n %=m,$(KCONFIG)),$(filter m y,$(foreach c,$(filter-out %=y %=n %=m,$(KCONFIG)),$($(c)))),.),)
+-    ifneq ($(strip $(FILES)),)
+-      define Package/kmod-$(1)/install
++    define Package/kmod-$(1)/install
+ 		  @for mod in $$(call version_filter,$$(FILES)); do \
+ 			if grep -q "$$$$$$$${mod##$(LINUX_DIR)/}" "$(LINUX_DIR)/modules.builtin"; then \
+ 				echo "NOTICE: module '$$$$$$$$mod' is built-in."; \
+@@ -209,8 +208,7 @@ $(call KernelPackage/$(1)/config)
+ 		  done;
+ 		  $(call ModuleAutoLoad,$(1),$$(1),$(AUTOLOAD))
+ 		  $(call KernelPackage/$(1)/install,$$(1))
+-      endef
+-    endif
++    endef
+   $(if $(CONFIG_PACKAGE_kmod-$(1)),
+     else
+       compile: $(1)-disabled