diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 5f830151..608a6ba9 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -61,7 +61,9 @@ jobs:
apt -y install git crossbuild-essential-arm64 make flex bison bc \
libelf-dev libssl-dev libssl-dev:arm64 dpkg-dev \
debhelper-compat kmod python3 rsync coreutils
- scripts/build-linux-deb.sh kernel-configs/systemd-boot.config
+ # sort config files alphabetically to have predictable ordering
+ ls kernel-configs/*.config | sort |
+ xargs scripts/build-linux-deb.sh
- name: Upload results to fileserver
env:
diff --git a/README.md b/README.md
index 8ce4016a..2eb4b279 100644
--- a/README.md
+++ b/README.md
@@ -66,9 +66,9 @@ To build flashable assets for all supported boards, follow these steps:
scripts/build-u-boot-rb1.sh
```
-1. (optional) build a local Linux kernel deb from mainline with a recommended config fragment
+1. (optional) build a local Linux kernel deb from mainline with recommended config fragments
```bash
- scripts/build-linux-deb.sh kernel-configs/systemd-boot.config
+ scripts/build-linux-deb.sh kernel-configs/*.config
```
1. build tarballs of the root filesystem and DTBs
diff --git a/kernel-configs/docker.config b/kernel-configs/docker.config
new file mode 100644
index 00000000..b5d27c84
--- /dev/null
+++ b/kernel-configs/docker.config
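Review bot: The new `ls kernel-configs/*.config | sort | xargs scripts/build-linux-deb.sh` pipeline is only "predictable" per the runner's locale, and if the glob matches nothing `ls` fails while `xargs` still runs the build script once with no arguments (unless the step runs with `pipefail`, which is outside this hunk). Pinning the collation and guarding the empty case keeps the comment true: `ls kernel-configs/*.config | LC_ALL=C sort |` and `xargs -r scripts/build-linux-deb.sh`. The README in this same commit documents the glob form `scripts/build-linux-deb.sh kernel-configs/*.config`; whichever form is kept, it is worth stating in the comment that fragment merge order is the sorted filename order, since a later fragment wins when two fragments set the same symbol. The enclosing `run:` step starts before this hunk.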
@@ -0,0 +1,115 @@
+# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Prepared by reviewing the output of
+# https://github.com/moby/moby/blob/master/contrib/check-config.sh on a RB1
+# running a trixie + 6.15.0-rc6 + defconfig kernel; also added CONFIG_NF_TABLES
+# and a few NETFILTER_NETLINK modules; see
+# https://github.com/qualcomm-linux/qcom-deb-images/issues/43 and
+# https://github.com/qualcomm-linux/qcom-deb-images/pull/47
+CONFIG_NAMESPACES=y
+CONFIG_NET_NS=y
+CONFIG_PID_NS=y
+CONFIG_IPC_NS=y
+CONFIG_UTS_NS=y
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_CPUSETS=y
+CONFIG_MEMCG=y
+CONFIG_KEYS=y
+CONFIG_VETH=m
+CONFIG_BRIDGE=m
+CONFIG_BRIDGE_NETFILTER=m
+CONFIG_IP_NF_FILTER=m
+CONFIG_IP_NF_MANGLE=m
+CONFIG_IP_NF_TARGET_MASQUERADE=m
+CONFIG_IP6_NF_FILTER=m
+CONFIG_IP6_NF_MANGLE=m
+CONFIG_IP6_NF_TARGET_MASQUERADE=m
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
+CONFIG_NETFILTER_XT_MATCH_IPVS=m
+CONFIG_NETFILTER_XT_MARK=m
+CONFIG_IP_NF_RAW=m
+CONFIG_IP_NF_NAT=m
+CONFIG_NF_NAT=m
+CONFIG_IP6_NF_RAW=m
+CONFIG_IP6_NF_NAT=m
+CONFIG_NF_NAT=m
+CONFIG_POSIX_MQUEUE=y
+CONFIG_CGROUP_BPF=y
+
+# optional features
+CONFIG_USER_NS=y
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_BLK_CGROUP=y
+CONFIG_BLK_DEV_THROTTLING=y
+CONFIG_CGROUP_PERF=y
+CONFIG_CGROUP_HUGETLB=y
+CONFIG_NET_CLS_CGROUP=m
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_IP_NF_TARGET_REDIRECT=m
+CONFIG_IP_VS=m
+CONFIG_IP_VS_NFCT=y
+CONFIG_IP_VS_PROTO_TCP=y
+CONFIG_IP_VS_PROTO_UDP=y
+CONFIG_IP_VS_RR=m
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+
+# network drivers
+## overlay
+CONFIG_VXLAN=m
+CONFIG_BRIDGE_VLAN_FILTERING=y
+### optional (for encrypted networks):
+CONFIG_CRYPTO=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_GCM=m
+CONFIG_CRYPTO_SEQIV=m
+CONFIG_CRYPTO_GHASH=m
+CONFIG_XFRM=y
+CONFIG_XFRM_USER=m
+CONFIG_XFRM_ALGO=m
+CONFIG_INET_ESP=m
+CONFIG_NETFILTER_XT_MATCH_BPF=m
+## ipvlan
+CONFIG_IPVLAN=m
+## macvlan
+CONFIG_MACVLAN=m
+CONFIG_DUMMY=m
+## ftp,tftp client in container
+CONFIG_NF_NAT_FTP=m
+CONFIG_NF_CONNTRACK_FTP=m
+CONFIG_NF_NAT_TFTP=m
+CONFIG_NF_CONNTRACK_TFTP=m
+
+# storage drivers
+## btrfs
+CONFIG_BTRFS_FS=m
+CONFIG_BTRFS_FS_POSIX_ACL=y
+## overlay
+CONFIG_OVERLAY_FS=m
+
+# iptables netlink related options
+# extended accounting via NFNETLINK
+CONFIG_NETFILTER_NETLINK_ACCT=m
+# queueing packets via NFNETLINK
+CONFIG_NETFILTER_NETLINK_QUEUE=m
+# logging packets via NFNETLINK
+CONFIG_NETFILTER_NETLINK_LOG=m
+# passive OS fingerprint via NFNETLINK
+CONFIG_NETFILTER_NETLINK_OSF=m
+
+# iptables is built with nftables in Debian
+CONFIG_NF_TABLES=m
+
diff --git a/kernel-configs/netfilter.config b/kernel-configs/netfilter.config
new file mode 100644
index 00000000..34aca7b9
--- /dev/null
+++ b/kernel-configs/netfilter.config
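Review bot: `CONFIG_NF_NAT=m` is listed twice in the first block of docker.config, once after `CONFIG_IP_NF_NAT=m` and again after `CONFIG_IP6_NF_NAT=m`; the merge tooling tolerates the repeat but it reads like a copy-paste slip, so drop the second occurrence. Both `CONFIG_SECURITY_SELINUX=y` and `CONFIG_SECURITY_APPARMOR=y` are enabled under "optional features" without a `CONFIG_LSM=` or default-security line, so which major LSM is actually active at boot will presumably be decided by the kernel's default `CONFIG_LSM` order or an `lsm=` command-line argument rather than by this fragment; since the Debian userland here will expect AppArmor, it is worth either pinning that explicitly or documenting it in a comment. `CONFIG_USER_NS=y` is also a notable kernel-attack-surface decision (unprivileged user namespaces) and deserves a one-line comment on why it is on, e.g. `# needed for rootless/userns-remap container modes`.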
@@ -0,0 +1,106 @@
+#
+# Not directly sourced via a kernel type but via an external bb
+#
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=m
+CONFIG_NETFILTER_NETLINK_QUEUE=m
+CONFIG_NETFILTER_NETLINK_LOG=m
+CONFIG_NF_CONNTRACK=m
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CT_PROTO_GRE=y
+CONFIG_NF_CT_PROTO_SCTP=y
+CONFIG_NF_CT_PROTO_UDPLITE=y
+CONFIG_NF_CONNTRACK_AMANDA=m
+CONFIG_NF_CONNTRACK_FTP=m
+CONFIG_NF_CONNTRACK_H323=m
+CONFIG_NF_CONNTRACK_IRC=m
+CONFIG_NF_CONNTRACK_NETBIOS_NS=m
+CONFIG_NF_CONNTRACK_PPTP=m
+CONFIG_NF_CONNTRACK_SANE=m
+CONFIG_NF_CONNTRACK_SIP=m
+CONFIG_NF_CONNTRACK_TFTP=m
+CONFIG_NF_CONNTRACK_EVENTS=y
+CONFIG_NF_CONNTRACK_TIMEOUT=y
+CONFIG_NF_CONNTRACK_TIMESTAMP=y
+CONFIG_NF_CT_NETLINK=m
+CONFIG_NETFILTER_XTABLES=m
+CONFIG_NETFILTER_XTABLES_COMPAT=y
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
+CONFIG_NETFILTER_XT_TARGET_CT=m
+CONFIG_NETFILTER_XT_TARGET_DSCP=m
+CONFIG_NETFILTER_XT_TARGET_HL=m
+CONFIG_NETFILTER_XT_TARGET_LOG=m
+CONFIG_NETFILTER_XT_TARGET_MARK=m
+CONFIG_NETFILTER_XT_TARGET_NFLOG=m
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
+# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=m
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
+CONFIG_NETFILTER_XT_MATCH_COMMENT=m
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
+CONFIG_NETFILTER_XT_MATCH_DCCP=m
+CONFIG_NETFILTER_XT_MATCH_DSCP=m
+CONFIG_NETFILTER_XT_MATCH_ESP=m
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
+CONFIG_NETFILTER_XT_MATCH_HELPER=m
+CONFIG_NETFILTER_XT_MATCH_HL=m
+CONFIG_NETFILTER_XT_MATCH_LENGTH=m
+CONFIG_NETFILTER_XT_MATCH_LIMIT=m
+CONFIG_NETFILTER_XT_MATCH_MAC=m
+CONFIG_NETFILTER_XT_MATCH_MARK=m
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
+CONFIG_NETFILTER_XT_MATCH_POLICY=m
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
+CONFIG_NETFILTER_XT_MATCH_QUOTA=m
+CONFIG_NETFILTER_XT_MATCH_REALM=m
+CONFIG_NETFILTER_XT_MATCH_SCTP=m
+CONFIG_NETFILTER_XT_MATCH_STATE=m
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
+CONFIG_NETFILTER_XT_MATCH_STRING=m
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
+CONFIG_NETFILTER_XT_MATCH_U32=m
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=m
+CONFIG_IP_NF_IPTABLES=m
+CONFIG_IP_NF_MATCH_AH=m
+CONFIG_IP_NF_MATCH_ECN=m
+CONFIG_IP_NF_MATCH_TTL=m
+CONFIG_IP_NF_MATCH_RPFILTER=m
+CONFIG_IP_NF_FILTER=m
+CONFIG_IP_NF_TARGET_REJECT=m
+CONFIG_NF_NAT=m
+CONFIG_IP_NF_NAT=m
+CONFIG_IP_NF_TARGET_SYNPROXY=m
+CONFIG_IP_NF_TARGET_MASQUERADE=m
+CONFIG_IP_NF_TARGET_NETMAP=m
+CONFIG_IP_NF_TARGET_REDIRECT=m
+CONFIG_NF_NAT_SNMP_BASIC=m
+CONFIG_NF_NAT_FTP=m
+CONFIG_NF_NAT_IRC=m
+CONFIG_NF_NAT_TFTP=m
+CONFIG_NF_NAT_AMANDA=m
+CONFIG_NF_NAT_PPTP=m
+CONFIG_NF_NAT_H323=m
+CONFIG_NF_NAT_SIP=m
+CONFIG_IP_NF_MANGLE=m
+CONFIG_IP_NF_TARGET_ECN=m
+CONFIG_IP_NF_TARGET_TTL=m
+CONFIG_IP_NF_RAW=m
+CONFIG_IP_NF_ARPTABLES=m
+CONFIG_IP_NF_ARPFILTER=m
+CONFIG_IP_NF_ARP_MANGLE=m
+CONFIG_IP_NF_SECURITY=m
+
+CONFIG_NET_SCHED=y
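Review bot: The header comment at the top of netfilter.config, `# Not directly sourced via a kernel type but via an external bb`, is Yocto/bitbake phrasing that does not describe how this repository consumes fragments, and this file carries none of the copyright/SPDX and provenance lines that docker.config in the same commit has; replace the three header lines with a comment stating what the fragment is for and where its contents came from, e.g. `# Netfilter/iptables options for a general-purpose Debian kernel; see kernel-configs/docker.config for the container-specific subset`. Several symbols here duplicate docker.config (`CONFIG_IP_NF_FILTER`, `CONFIG_IP_NF_MANGLE`, `CONFIG_IP_NF_RAW`, `CONFIG_IP_NF_NAT`, `CONFIG_NF_NAT`, `CONFIG_IP_NF_TARGET_MASQUERADE`, `CONFIG_IP_NF_TARGET_REDIRECT`, the FTP/TFTP conntrack and NAT helpers, and the NETLINK_QUEUE/LOG modules); the values agree today, but if they ever diverge the winner is decided by the sorted-filename merge order, so a comment noting the overlap would help the next editor. This file only covers the IPv4 table section, while docker.config asks for `CONFIG_IP6_NF_*` symbols whose IPv6 iptables infrastructure neither fragment enables explicitly; it is worth checking the merged .config to confirm those IPv6 options actually land rather than being dropped as unmet dependencies.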