diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
index f28de44d7..9cc30e442 100644
--- a/kernel/build/config-amd64
+++ b/kernel/build/config-amd64
@@ -1163,7 +1163,11 @@ CONFIG_INET_IPCOMP=y
 CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=y
 CONFIG_INET_TUNNEL=y
-# CONFIG_INET_DIAG is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+CONFIG_INET_UDP_DIAG=y
+# CONFIG_INET_RAW_DIAG is not set
+CONFIG_INET_DIAG_DESTROY=y
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
 CONFIG_TCP_CONG_CUBIC=y
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
index a2ad8ad10..a3134d589 100644
--- a/kernel/build/config-arm64
+++ b/kernel/build/config-arm64
@@ -1198,7 +1198,11 @@ CONFIG_INET_IPCOMP=y
 CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=y
 CONFIG_INET_TUNNEL=y
-# CONFIG_INET_DIAG is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+CONFIG_INET_UDP_DIAG=y
+# CONFIG_INET_RAW_DIAG is not set
+CONFIG_INET_DIAG_DESTROY=y
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
 CONFIG_TCP_CONG_CUBIC=y
diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py
index b13a5d481..7922dd66c 100644
--- a/kernel/build/scripts/filter-hardened-check.py
+++ b/kernel/build/scripts/filter-hardened-check.py
@@ -31,6 +31,7 @@
     'CONFIG_SECURITY_SELINUX_DEVELOP', # SELinux enabled, but permissive unless enforcing=1. TODO: force enforcing mode when complete
     'CONFIG_SPECULATION_MITIGATIONS', # Renamed in the kernel to 'CONFIG_CPU_MITIGATIONS'
     'CONFIG_EFI_DISABLE_PCI_DMA', # enabling this breaks boot with no visible error messages to debug (https://github.com/siderolabs/talos/issues/8743)
+    'CONFIG_INET_DIAG', # last vulnerability prior to v4.1. Required for CNIs such as Cilium to terminate sockets. (https://github.com/siderolabs/pkgs/issues/1028)
 }
 
 """