From 77b3a2e6cae3dca73eb662146da9b3dcac353bac Mon Sep 17 00:00:00 2001 From: Adrian Freihofer Date: Thu, 7 Jul 2022 13:08:21 +0200 Subject: firewalld: upgrade 1.1.1 -> 1.2.0 Firewalld: This is a feature release. It also includes all bug fixes since v1.1.0. Details are here: https://firewalld.org/2022/07/firewalld-1-2-0-release Recipe: Firewalld defaults to create a log file for debug messages. This is basically an empty file until firewalld's log level is configured to debug level. Writing log files requies something like log-rotate to prevent full disks. The default for OE is to not create files and send all log messages to syslog (journald). Signed-off-by: Adrian Freihofer Signed-off-by: Khem Raj --- .../firewalld/firewalld_1.1.1.bb | 297 -------------------- .../firewalld/firewalld_1.2.0.bb | 310 +++++++++++++++++++++ 2 files changed, 310 insertions(+), 297 deletions(-) delete mode 100644 meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb create mode 100644 meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb (limited to 'meta-networking') diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb deleted file mode 100644 index 00e851f450..0000000000 --- a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb +++ /dev/null @@ -1,297 +0,0 @@ -SUMMARY = "Dynamic firewall daemon with a D-Bus interface" -HOMEPAGE = "https://firewalld.org/" -BUGTRACKER = "https://github.com/firewalld/firewalld/issues" -UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases" -LICENSE = "GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -SRC_URI = "\ - https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ - file://firewalld.init \ - file://run-ptest \ -" -SRC_URI[sha256sum] = "1dcd314ff836b2ce69f15f60fc7d50bd77ed359d784f9b3c07f2d394ea570e4c" - -# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4 -DEPENDS = "intltool-native glib-2.0-native nftables" - -inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest - -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" -PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd" -PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native" -PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset" -PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables" - -# The UIs are not yet tested and the dependencies are probably not quite correct yet. -# Splitting into separate packages is beneficial so that no dead code is transferred -# to the target device. -# Without enabling qt5, the firewalld-config package is not usable. -# Without enabling qt5 and gtk, the firewalld-applet package is not usable. -PACKAGECONFIG[qt5] = "" -PACKAGECONFIG[gtk] = "" - -PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion" - -# iptables, ip6tables, ebtables, and ipset *should* be unnecessary -# when the nftables backend is available, because nftables supersedes all of them. -# However we still need iptables and ip6tables to be available otherwise any -# application relying on "direct passthrough" rules (such as docker) will break. -# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by -# the Red Hat-specific init script which we aren't using, so we disable that. -EXTRA_OECONF = "\ - --with-iptables=${sbindir}/iptables \ - --with-iptables-restore=${sbindir}/iptables-restore \ - --with-ip6tables=${sbindir}/ip6tables \ - --with-ip6tables-restore=${sbindir}/ip6tables-restore \ - --disable-sysconfig \ -" - -INITSCRIPT_NAME = "firewalld" -SYSTEMD_SERVICE:${PN} = "firewalld.service" - -# kernel modules loaded after ptest execution (linux-yocto 5.15) -FIREWALLD_KERNEL_MODULES ?= "\ - xt_tcpudp \ - xt_TCPMSS \ - xt_set \ - xt_sctp \ - xt_REDIRECT \ - xt_pkttype \ - xt_NFLOG \ - xt_nat \ - xt_MASQUERADE \ - xt_mark \ - xt_mac \ - xt_LOG \ - xt_limit \ - xt_dccp \ - xt_CT \ - xt_conntrack \ - xt_CHECKSUM \ - nft_redir \ - nft_objref \ - nft_nat \ - nft_masq \ - nft_log \ - nfnetlink_log \ - nf_nat_tftp \ - nf_nat_sip \ - nf_nat_ftp \ - nf_log_syslog \ - nf_conntrack_tftp \ - nf_conntrack_sip \ - nf_conntrack_netbios_ns \ - nf_conntrack_ftp \ - nf_conntrack_broadcast \ - ipt_REJECT \ - ip6t_rpfilter \ - ip6t_REJECT \ - ip_set_hash_netport \ - ip_set_hash_netnet \ - ip_set_hash_netiface \ - ip_set_hash_net \ - ip_set_hash_mac \ - ip_set_hash_ipportnet \ - ip_set_hash_ipport \ - ip_set_hash_ipmark \ - ip_set_hash_ip \ - ebt_ip6 \ - nft_fib_inet \ - nft_fib_ipv4 \ - nft_fib_ipv6 \ - nft_fib \ - nft_reject_inet \ - nf_reject_ipv4 \ - nf_reject_ipv6 \ - nft_reject \ - nft_ct \ - nft_chain_nat \ - ebtable_nat \ - ebtable_broute \ - ip6table_nat \ - ip6table_mangle \ - ip6table_raw \ - ip6table_security \ - iptable_nat \ - nf_nat \ - nf_conntrack \ - nf_defrag_ipv6 \ - nf_defrag_ipv4 \ - iptable_mangle \ - iptable_raw \ - iptable_security \ - ip_set \ - ebtable_filter \ - ebtables \ - ip6table_filter \ - ip6_tables \ - iptable_filter \ - ip_tables \ - x_tables \ - sch_fq_codel \ -" - -do_install:append() { - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then - # firewalld ships an init script but it contains Red Hat-isms, replace it with our own - rm -rf ${D}${sysconfdir}/rc.d/ - install -d ${D}${sysconfdir}/init.d - install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld - fi - - if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then - # Delete polkit profiles if polkit is not available - rm -rf ${D}${datadir}/polkit-1 - fi - - # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE - # so now we need to fix up any references to point at the proper path in the image. - # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools. - if [ ${PN} != "${BPN}-native" ]; then - sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \ - ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml - fi - sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \ - ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml - - # This file contains Red Hat-isms. Modules get loaded without it. - rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf -} - -do_install_ptest:append() { - # Add kernel modules to the ptest script - if [ ${PTEST_ENABLED} = "1" ]; then - sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \ - ${D}${PTEST_PATH}/run-ptest - fi -} - -SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)" -FILES:python3-firewall = "\ - ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \ - ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \ - ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \ - ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \ - ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \ - ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \ - ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \ - ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \ - ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \ - ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \ -" -RDEPENDS:python3-firewall = "\ - python3-dbus \ - nftables-python \ - python3-pygobject \ -" - -# Do not depend on QT5 layer and GTK deps if not explicitely required. -FIREWALLD_QT5_RDEPENDS = "\ - ${PN}-config \ - hicolor-icon-theme \ - python3-pyqt5 \ - python3-pygobject \ - libnotify \ - networkmanager \ -" -FIREWALLD_GTK_RDEPENDS = "\ - gtk3 \ -" - -# A QT5 based UI -SUMMARY:${PN}-config = "${SUMMARY} (configuration application)" -FILES:${PN}-config = "\ - ${bindir}/firewall-config \ - ${datadir}/firewalld/firewall-config.glade \ - ${datadir}/firewalld/gtk3_chooserbutton.py* \ - ${datadir}/firewalld/gtk3_niceexpander.py* \ - ${datadir}/applications/firewall-config.desktop \ - ${datadir}/metainfo/firewall-config.appdata.xml \ - ${datadir}/icons/hicolor/*/apps/firewall-config*.* \ -" -RDEPENDS:${PN}-config += "\ - python3-core \ - python3-ctypes \ - ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ -" - -# A GTK3 applet depending on the QT5 firewall-config UI -SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)" -FILES:${PN}-applet += "\ - ${bindir}/firewall-applet \ - ${sysconfdir}/xdg/autostart/firewall-applet.desktop \ - ${sysconfdir}/firewall/applet.conf \ - ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \ -" -RDEPENDS:${PN}-applet += "\ - python3-core \ - python3-ctypes \ - ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \ -" - -SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)" -FILES:${PN}-offline-cmd += " \ - ${bindir}/firewall-offline-cmd \ -" -RDEPENDS:${PN}-offline-cmd += "python3-core" - -# To get allmost all tests passing -# - Enable PACKAGECONFIG ipset, ebtable -# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests) -FILES:${PN}-ptest += "\ - ${datadir}/firewalld/testsuite \ -" -RDEPENDS:${PN}-ptest += "\ - python3-unittest \ - ${PN}-offline-cmd \ - procps-ps \ - iproute2 \ -" -RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us" - -FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions" - -FILES:${PN} += "\ - ${PYTHON_SITEPACKAGES_DIR}/firewall \ - ${nonarch_libdir}/firewalld \ - ${datadir}/dbus-1 \ - ${datadir}/polkit-1 \ - ${datadir}/metainfo \ - ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \ -" -RDEPENDS:${PN} += "\ - python3-firewall \ - iptables \ - python3-core \ - python3-io \ - python3-fcntl \ - python3-syslog \ - python3-xml \ - python3-json \ - python3-ctypes \ - python3-pprint \ -" -# Add required kernel modules. With Yocto kernel 5.15 this currently means: -# - features/nf_tables/nf_tables.scc -# - features/netfilter/netfilter.scc -# - cgl/features/audit/audit.scc -# - cfg/net/ip6_nf.scc -# - Plus: -# - ebtables -# - ipset -# - CONFIG_IP6_NF_SECURITY=m -# - CONFIG_IP6_NF_MATCH_RPFILTER=m -# - CONFIG_IP6_NF_TARGET_REJECT=m -# - CONFIG_NFT_OBJREF=m -# - CONFIG_NFT_FIB=m -# - CONFIG_NFT_FIB_INET=m -# - CONFIG_NFT_FIB_IPV4=m -# - CONFIG_NFT_FIB_IPV6=m -# - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m -# - CONFIG_NETFILTER_XT_SET=m -def get_kernel_deps(d): - kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split() - return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ]) -RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}" diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb new file mode 100644 index 0000000000..987cc640e1 --- /dev/null +++ b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb @@ -0,0 +1,310 @@ +SUMMARY = "Dynamic firewall daemon with a D-Bus interface" +HOMEPAGE = "https://firewalld.org/" +BUGTRACKER = "https://github.com/firewalld/firewalld/issues" +UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +SRC_URI = "\ + https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ + file://firewalld.init \ + file://run-ptest \ +" +SRC_URI[sha256sum] = "28fd90e88bda0dfd460f370f353474811b2e295d7eb27f0d7d18ffa3d786eeb7" + +# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4 +DEPENDS = "intltool-native glib-2.0-native nftables" + +inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" +PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd" +PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native" +PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset" +PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables" + +# Default logging configuration: mixed syslog file console +FIREWALLD_DEFAULT_LOG_TARGET ??= "syslog" + +# The UIs are not yet tested and the dependencies are probably not quite correct yet. +# Splitting into separate packages is beneficial so that no dead code is transferred +# to the target device. +# Without enabling qt5, the firewalld-config package is not usable. +# Without enabling qt5 and gtk, the firewalld-applet package is not usable. +PACKAGECONFIG[qt5] = "" +PACKAGECONFIG[gtk] = "" + +PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion ${PN}-log-rotate" + +# iptables, ip6tables, ebtables, and ipset *should* be unnecessary +# when the nftables backend is available, because nftables supersedes all of them. +# However we still need iptables and ip6tables to be available otherwise any +# application relying on "direct passthrough" rules (such as docker) will break. +# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by +# the Red Hat-specific init script which we aren't using, so we disable that. +EXTRA_OECONF = "\ + --with-iptables=${sbindir}/iptables \ + --with-iptables-restore=${sbindir}/iptables-restore \ + --with-ip6tables=${sbindir}/ip6tables \ + --with-ip6tables-restore=${sbindir}/ip6tables-restore \ + --disable-sysconfig \ +" + +INITSCRIPT_NAME = "firewalld" +SYSTEMD_SERVICE:${PN} = "firewalld.service" + +# kernel modules loaded after ptest execution (linux-yocto 5.15) +FIREWALLD_KERNEL_MODULES ?= "\ + xt_tcpudp \ + xt_TCPMSS \ + xt_set \ + xt_sctp \ + xt_REDIRECT \ + xt_pkttype \ + xt_NFLOG \ + xt_nat \ + xt_MASQUERADE \ + xt_mark \ + xt_mac \ + xt_LOG \ + xt_limit \ + xt_dccp \ + xt_CT \ + xt_conntrack \ + xt_CHECKSUM \ + nft_redir \ + nft_objref \ + nft_nat \ + nft_masq \ + nft_log \ + nfnetlink_log \ + nf_nat_tftp \ + nf_nat_sip \ + nf_nat_ftp \ + nf_log_syslog \ + nf_conntrack_tftp \ + nf_conntrack_sip \ + nf_conntrack_netbios_ns \ + nf_conntrack_ftp \ + nf_conntrack_broadcast \ + ipt_REJECT \ + ip6t_rpfilter \ + ip6t_REJECT \ + ip_set_hash_netport \ + ip_set_hash_netnet \ + ip_set_hash_netiface \ + ip_set_hash_net \ + ip_set_hash_mac \ + ip_set_hash_ipportnet \ + ip_set_hash_ipport \ + ip_set_hash_ipmark \ + ip_set_hash_ip \ + ebt_ip6 \ + nft_fib_inet \ + nft_fib_ipv4 \ + nft_fib_ipv6 \ + nft_fib \ + nft_reject_inet \ + nf_reject_ipv4 \ + nf_reject_ipv6 \ + nft_reject \ + nft_ct \ + nft_chain_nat \ + ebtable_nat \ + ebtable_broute \ + ip6table_nat \ + ip6table_mangle \ + ip6table_raw \ + ip6table_security \ + iptable_nat \ + nf_nat \ + nf_conntrack \ + nf_defrag_ipv6 \ + nf_defrag_ipv4 \ + iptable_mangle \ + iptable_raw \ + iptable_security \ + ip_set \ + ebtable_filter \ + ebtables \ + ip6table_filter \ + ip6_tables \ + iptable_filter \ + ip_tables \ + x_tables \ + sch_fq_codel \ +" + +do_configure:prepend() { + export DEFAULT_LOG_TARGET=${FIREWALLD_DEFAULT_LOG_TARGET} +} + +do_install:append() { + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then + # firewalld ships an init script but it contains Red Hat-isms, replace it with our own + rm -rf ${D}${sysconfdir}/rc.d/ + install -d ${D}${sysconfdir}/init.d + install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then + # Delete polkit profiles if polkit is not available + rm -rf ${D}${datadir}/polkit-1 + fi + + # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE + # so now we need to fix up any references to point at the proper path in the image. + # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools. + if [ ${PN} != "${BPN}-native" ]; then + sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \ + ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml + fi + sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \ + ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml + + # This file contains Red Hat-isms. Modules get loaded without it. + rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf +} + +do_install_ptest:append() { + # Add kernel modules to the ptest script + if [ ${PTEST_ENABLED} = "1" ]; then + sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \ + ${D}${PTEST_PATH}/run-ptest + fi +} + +SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)" +FILES:python3-firewall = "\ + ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \ +" +RDEPENDS:python3-firewall = "\ + python3-dbus \ + nftables-python \ + python3-pygobject \ +" + +# Do not depend on QT5 layer and GTK deps if not explicitely required. +FIREWALLD_QT5_RDEPENDS = "\ + ${PN}-config \ + hicolor-icon-theme \ + python3-pyqt5 \ + python3-pygobject \ + libnotify \ + networkmanager \ +" +FIREWALLD_GTK_RDEPENDS = "\ + gtk3 \ +" + +# A QT5 based UI +SUMMARY:${PN}-config = "${SUMMARY} (configuration application)" +FILES:${PN}-config = "\ + ${bindir}/firewall-config \ + ${datadir}/firewalld/firewall-config.glade \ + ${datadir}/firewalld/gtk3_chooserbutton.py* \ + ${datadir}/firewalld/gtk3_niceexpander.py* \ + ${datadir}/applications/firewall-config.desktop \ + ${datadir}/metainfo/firewall-config.appdata.xml \ + ${datadir}/icons/hicolor/*/apps/firewall-config*.* \ +" +RDEPENDS:${PN}-config += "\ + python3-core \ + python3-ctypes \ + ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ +" + +# A GTK3 applet depending on the QT5 firewall-config UI +SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)" +FILES:${PN}-applet += "\ + ${bindir}/firewall-applet \ + ${sysconfdir}/xdg/autostart/firewall-applet.desktop \ + ${sysconfdir}/firewall/applet.conf \ + ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \ +" +RDEPENDS:${PN}-applet += "\ + python3-core \ + python3-ctypes \ + ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \ +" + +SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)" +FILES:${PN}-offline-cmd += " \ + ${bindir}/firewall-offline-cmd \ +" +RDEPENDS:${PN}-offline-cmd += "python3-core" + +SUMMARY:${PN}-log-rotate = "${SUMMARY} (log-rotate configuration)" +FILES:${PN}-log-rotate += "${sysconfdir}/logrotate.d" + +# To get allmost all tests passing +# - Enable PACKAGECONFIG ipset, ebtable +# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests) +FILES:${PN}-ptest += "\ + ${datadir}/firewalld/testsuite \ +" +RDEPENDS:${PN}-ptest += "\ + python3-unittest \ + ${PN}-offline-cmd \ + procps-ps \ + iproute2 \ +" +RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us" + +FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions" + +FILES:${PN} += "\ + ${PYTHON_SITEPACKAGES_DIR}/firewall \ + ${nonarch_libdir}/firewalld \ + ${datadir}/dbus-1 \ + ${datadir}/polkit-1 \ + ${datadir}/metainfo \ + ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \ +" +RDEPENDS:${PN} += "\ + python3-firewall \ + iptables \ + python3-core \ + python3-io \ + python3-fcntl \ + python3-syslog \ + python3-xml \ + python3-json \ + python3-ctypes \ + python3-pprint \ +" +# If firewalld writes a log file rotation is needed +RRECOMMENDS:${PN} += "${@bb.utils.contains_any('FIREWALLD_DEFAULT_LOG_TARGET', [ 'mixed', 'file' ], '${PN}-log-rotate', '', d)}" + +# Add required kernel modules. With Yocto kernel 5.15 this currently means: +# - features/nf_tables/nf_tables.scc +# - features/netfilter/netfilter.scc +# - cgl/features/audit/audit.scc +# - cfg/net/ip6_nf.scc +# - Plus: +# - ebtables +# - ipset +# - CONFIG_IP6_NF_SECURITY=m +# - CONFIG_IP6_NF_MATCH_RPFILTER=m +# - CONFIG_IP6_NF_TARGET_REJECT=m +# - CONFIG_NFT_OBJREF=m +# - CONFIG_NFT_FIB=m +# - CONFIG_NFT_FIB_INET=m +# - CONFIG_NFT_FIB_IPV4=m +# - CONFIG_NFT_FIB_IPV6=m +# - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m +# - CONFIG_NETFILTER_XT_SET=m +def get_kernel_deps(d): + kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split() + return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ]) +RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}" -- cgit 1.2.3-korg