Commit bc66b2f45ade2c63cfd14d5388f6ca0905a23bb0 added systemd helper
unit for automatic IPv4 rule loading. Complement the effort by adding
systemd helper unit also for automatic IPv6 rule loading.
Signed-off-by: Niko Mauno <niko.mauno@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In some cases a distribution may want to install the rules file into a
location other than /etc/iptables/, so introduce a custom recipe-level
IPTABLES_RULES_DIR parameter which allows conveniently overriding
the rules directory location.
Signed-off-by: Niko Mauno <niko.mauno@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
There is currently no way to automatically load iptables rules in OE.
Add a systemd unit file to automatically load rules on network
connection. This is cribbed from the way ArchLinux handles iptables with
some minor modifications for OE.
New rules can be generated directly on the target using:
# iptables-save -f /etc/iptables/iptables.rules
Good documentation for writing rules offline is lacking, but the basics
are explained here:
https://unix.stackexchange.com/q/400163/49405
Signed-off-by: Jack Mitchell <jack@embed.me.uk>
Signed-off-by: Diego Rondini <diego.rondini@kynetics.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
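The commit above auto-loads a rules file that was produced with iptables-save. As an added example (not part of OE-Core, the iptables project or any of these commits), the POSIX shell helper below sanity-checks such a file before a boot-time unit hands it to iptables-restore: it reads the default chain policies out of the iptables-save format and refuses to load a file whose filter/INPUT or filter/FORWARD policy is not DROP, then uses `iptables-restore --test` to parse without committing. The embedded rules text is a constructed sample, and the function names (chain_policy, check_default_policies, load_rules) are chosen here; the rules path /etc/iptables/iptables.rules comes from the commit.

```shell
#!/bin/sh
# Added example, not part of OE-Core or the iptables project: check a saved
# rules file before a boot-time unit feeds it to iptables-restore.
# File format is the one iptables-save writes:
#   *table / :CHAIN POLICY [pkts:bytes] / -A rules ... / COMMIT

# Constructed sample in iptables-save format (not taken from the page).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
'

# chain_policy TABLE CHAIN < rules-file
# Prints the default policy of CHAIN within TABLE (e.g. DROP), or nothing
# when that table or chain has no policy line in the file.
chain_policy() {
    awk -v t="*$1" -v c=":$2" '
        $1 == t             { in_table = 1; next }  # entered the wanted table
        /^\*/               { in_table = 0 }        # some other table starts
        in_table && $1 == c { print $2; exit }      # ":INPUT DROP [0:0]" -> DROP
    '
}

# check_default_policies RULES_FILE
# Succeeds only when filter/INPUT and filter/FORWARD default to DROP, so a
# file that accidentally leaves the host wide open is never loaded at boot.
check_default_policies() {
    rc=0
    for chain in INPUT FORWARD; do
        policy=$(chain_policy filter "$chain" < "$1")
        if [ "$policy" != "DROP" ]; then
            echo "$1: filter/$chain policy is '${policy:-unset}', expected DROP" >&2
            rc=1
        fi
    done
    return "$rc"
}

# load_rules RULES_FILE
# Validates the file, lets iptables-restore parse it without committing
# (--test), and only then commits it. Needs root and the iptables tools.
load_rules() {
    check_default_policies "$1" || return 1
    iptables-restore --test "$1" || return 1
    iptables-restore "$1"
}

# Usage: sh rules-check.sh /etc/iptables/iptables.rules
if [ $# -eq 1 ]; then
    check_default_policies "$1" || exit 1
fi
```

A systemd unit that runs load_rules instead of a bare iptables-restore fails early and leaves the previous ruleset in place, which is easier to notice in the journal than a silently permissive host.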
|
|
Remove upstreamed patches and manually package symlinks which aren't
handled by do_split_package.
Changelog:
http://git.netfilter.org/iptables/log/?qt=range&q=v1.8.3...v1.8.2
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Porting patch from
<https://git.netfilter.org/iptables/commit/iptables/xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e>
to solve CVE-2019-11360.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Enabling security flags produces a build error. To fix this,
0003-extensions-format-security-fixes-in-libipt_icmp.patch is required.
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
These were adding definitions for the second time
(see bug #10450 for why) or adding an include that is no longer
necessary for musl builds.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
1.6.0 -> 1.6.1
Refreshed the following patches:
a) 0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
b) 0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
1.4.21 -> 1.6.0
xtables_globals structure layout has changed.
* Refreshed below listed patches to work with this release:
1. 0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
2. 0001-fix-build-with-musl.patch
* Added PACKAGECONFIG for libnftnl
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Package libnetfilter-conntrack depends on package libnfnetlink. iptables
checks for package libnetfilter-conntrack whether or not its package config
libnfnetlink is enabled. When libnfnetlink is disabled but
package libnetfilter-conntrack exists, it fails randomly with:
| In file included from .../iptables/1.4.21-r0/iptables-1.4.21/extensions/libxt_connlabel.c:8:0:
| .../tmp/sysroots/qemumips/usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:14:42: fatal error: libnfnetlink/linux_nfnetlink.h: No such file or directory
| compilation terminated.
| GNUmakefile:96: recipe for target 'libxt_connlabel.oo' failed
Only check libnetfilter-conntrack when libnfnetlink is enabled to fix it.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Added needed headers and reshuffled existing ones to make it portable.
Added defines for missing TCOPTS*.
Change-Id: I74977dd052c5569b00631379d7f4bacfb86cf381
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
fix-iptables-extensions-build-error.patch no longer needed.
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
fix-link-failure-ip6t-NETMAP.patch removed;
already included in upstream.
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Detection of libnfnetlink is automatic in configure, which means
that when you have meta-networking in your cosmos, it would create
a race condition where if libnfnetlink is already staged then it
will be enabled, otherwise disabled. The issue happens quite often
with sstate and high parallelism. Since the dependency libnfnetlink
is not part of OE-Core, this patch turns it into a PACKAGECONFIG
which is disabled by default, and iptables is patched to provide
the knob.
If you want to enable libnfnetlink support then it can be done
in a bbappend where you are sure that you are also including
meta-networking in your distro.
While at it, also turned ipv6 support into a PACKAGECONFIG.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Patch added to fix cross-compilation issues.
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Remove a patch since it is already in upstream.
Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
|
|
The iptables local linux/types.h overrides the kernel/sysroot
types.h. As such, we need to provide some defines that are required
to build against 3.2+ kernel headers.
ifndef protection is provided for the defines to ensure that
configurations that already have these defines are still buildable.
This commit is temporary until a new version of iptables can be
used that contains the defines.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
|
This patch is to upgrade iptables to 1.4.12.2, and introduce a patch not to check unknown symbols.
Otherwise, when it is compiled, it will report "libxtables.so.7" from LD_PRELOAD cannot be preloaded.
Signed-off-by: Shane Wang <shane.wang@intel.com>
|