diff options
Diffstat (limited to 'meta-openembedded/meta-networking/dynamic-layers')
4 files changed, 332 insertions, 93 deletions
diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/crda/crda_3.18.bb b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/crda/crda_3.18.bb index 9abfd61cf2..a616557e7c 100644 --- a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/crda/crda_3.18.bb +++ b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/crda/crda_3.18.bb @@ -36,4 +36,4 @@ do_install() { oe_runmake SBINDIR=${sbindir}/ install } -RDEPENDS:${PN} = "udev wireless-regdb-static" +RDEPENDS:${PN} = "udev wireless-regdb" diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest new file mode 100644 index 0000000000..9d3ec79042 --- /dev/null +++ b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest @@ -0,0 +1,21 @@ +#!/bin/sh + +ret_val=0 + +# Check if all the kernel modules are available +FIREWALLD_KERNEL_MODULES="@@FIREWALLD_KERNEL_MODULES@@" +for m in $FIREWALLD_KERNEL_MODULES; do + if modprobe $m; then + echo "PASS: loading $m" + else + echo "FAIL: loading $m" + ret_val=1 + fi +done + +# Run the test suite from firewalld +# Failing testsuites: 203 226 241 250 270 280 281 282 285 286 +# Problem icmpv6 compared against ipv6-icmptype? +/usr/share/firewalld/testsuite/testsuite -C /tmp -A || ret_val=1 + +exit $ret_val diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb deleted file mode 100644 index 1dea339535..0000000000 --- a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb +++ /dev/null @@ -1,92 +0,0 @@ -SUMMARY = "Dynamic firewall daemon with a D-Bus interface" -HOMEPAGE = "https://firewalld.org/" -BUGTRACKER = "https://github.com/firewalld/firewalld/issues" -UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases" -LICENSE = "GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ - file://firewalld.init \ -" -SRC_URI[sha256sum] = "52c5e3d5b1e2efc0e86c22b2bc1f7fd80908cc2d8130157dc2a3517a59b0a760" - -# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4 -DEPENDS = "intltool-native glib-2.0-native nftables" - -inherit gettext autotools bash-completion pkgconfig python3native gsettings systemd update-rc.d - -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" -PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd" -PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native" - -PACKAGES += "${PN}-zsh-completion" - -# iptables, ip6tables, ebtables, and ipset *should* be unnecessary -# when the nftables backend is available, because nftables supersedes all of them. -# However we still need iptables and ip6tables to be available otherwise any -# application relying on "direct passthrough" rules (such as docker) will break. -# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by -# the Red Hat-specific init script which we aren't using, so we disable that. -EXTRA_OECONF = "\ - --without-ipset \ - --with-iptables=${sbindir}/iptables \ - --with-iptables-restore=${sbindir}/iptables-restore \ - --with-ip6tables=${sbindir}/ip6tables \ - --with-ip6tables-restore=${sbindir}/ip6tables-restore \ - --without-ebtables \ - --without-ebtables-restore \ - --disable-sysconfig \ -" - -INITSCRIPT_NAME = "firewalld" -SYSTEMD_SERVICE:${PN} = "firewalld.service" - -do_install:append() { - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - : - else - # firewalld ships an init script but it contains Red Hat-isms, replace it with our own - rm -rf ${D}${sysconfdir}/rc.d/ - install -d ${D}${sysconfdir}/init.d - install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld - fi - - # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE - # so now we need to fix up any references to point at the proper path in the image. - # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools. - if [ ${PN} != "${BPN}-native" ]; then - sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \ - ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml - fi - sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \ - ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml - - # This file contains Red Hat-isms. Modules get loaded without it. - rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf -} - -FILES:${PN} += "\ - ${PYTHON_SITEPACKAGES_DIR}/firewall \ - ${nonarch_libdir}/firewalld \ - ${datadir}/dbus-1 \ - ${datadir}/polkit-1 \ - ${datadir}/metainfo \ -" -FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions" - -RDEPENDS:${PN} = "\ - nftables-python \ - iptables \ - python3-core \ - python3-io \ - python3-fcntl \ - python3-shell \ - python3-syslog \ - python3-xml \ - python3-dbus \ - python3-slip-dbus \ - python3-decorator \ - python3-pygobject \ - python3-json \ - python3-ctypes \ -" diff --git a/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb new file mode 100644 index 0000000000..987cc640e1 --- /dev/null +++ b/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb @@ -0,0 +1,310 @@ +SUMMARY = "Dynamic firewall daemon with a D-Bus interface" +HOMEPAGE = "https://firewalld.org/" +BUGTRACKER = "https://github.com/firewalld/firewalld/issues" +UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +SRC_URI = "\ + https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ + file://firewalld.init \ + file://run-ptest \ +" +SRC_URI[sha256sum] = "28fd90e88bda0dfd460f370f353474811b2e295d7eb27f0d7d18ffa3d786eeb7" + +# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4 +DEPENDS = "intltool-native glib-2.0-native nftables" + +inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" +PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd" +PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native" +PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset" +PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables" + +# Default logging configuration: mixed syslog file console +FIREWALLD_DEFAULT_LOG_TARGET ??= "syslog" + +# The UIs are not yet tested and the dependencies are probably not quite correct yet. +# Splitting into separate packages is beneficial so that no dead code is transferred +# to the target device. +# Without enabling qt5, the firewalld-config package is not usable. +# Without enabling qt5 and gtk, the firewalld-applet package is not usable. +PACKAGECONFIG[qt5] = "" +PACKAGECONFIG[gtk] = "" + +PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion ${PN}-log-rotate" + +# iptables, ip6tables, ebtables, and ipset *should* be unnecessary +# when the nftables backend is available, because nftables supersedes all of them. +# However we still need iptables and ip6tables to be available otherwise any +# application relying on "direct passthrough" rules (such as docker) will break. +# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by +# the Red Hat-specific init script which we aren't using, so we disable that. +EXTRA_OECONF = "\ + --with-iptables=${sbindir}/iptables \ + --with-iptables-restore=${sbindir}/iptables-restore \ + --with-ip6tables=${sbindir}/ip6tables \ + --with-ip6tables-restore=${sbindir}/ip6tables-restore \ + --disable-sysconfig \ +" + +INITSCRIPT_NAME = "firewalld" +SYSTEMD_SERVICE:${PN} = "firewalld.service" + +# kernel modules loaded after ptest execution (linux-yocto 5.15) +FIREWALLD_KERNEL_MODULES ?= "\ + xt_tcpudp \ + xt_TCPMSS \ + xt_set \ + xt_sctp \ + xt_REDIRECT \ + xt_pkttype \ + xt_NFLOG \ + xt_nat \ + xt_MASQUERADE \ + xt_mark \ + xt_mac \ + xt_LOG \ + xt_limit \ + xt_dccp \ + xt_CT \ + xt_conntrack \ + xt_CHECKSUM \ + nft_redir \ + nft_objref \ + nft_nat \ + nft_masq \ + nft_log \ + nfnetlink_log \ + nf_nat_tftp \ + nf_nat_sip \ + nf_nat_ftp \ + nf_log_syslog \ + nf_conntrack_tftp \ + nf_conntrack_sip \ + nf_conntrack_netbios_ns \ + nf_conntrack_ftp \ + nf_conntrack_broadcast \ + ipt_REJECT \ + ip6t_rpfilter \ + ip6t_REJECT \ + ip_set_hash_netport \ + ip_set_hash_netnet \ + ip_set_hash_netiface \ + ip_set_hash_net \ + ip_set_hash_mac \ + ip_set_hash_ipportnet \ + ip_set_hash_ipport \ + ip_set_hash_ipmark \ + ip_set_hash_ip \ + ebt_ip6 \ + nft_fib_inet \ + nft_fib_ipv4 \ + nft_fib_ipv6 \ + nft_fib \ + nft_reject_inet \ + nf_reject_ipv4 \ + nf_reject_ipv6 \ + nft_reject \ + nft_ct \ + nft_chain_nat \ + ebtable_nat \ + ebtable_broute \ + ip6table_nat \ + ip6table_mangle \ + ip6table_raw \ + ip6table_security \ + iptable_nat \ + nf_nat \ + nf_conntrack \ + nf_defrag_ipv6 \ + nf_defrag_ipv4 \ + iptable_mangle \ + iptable_raw \ + iptable_security \ + ip_set \ + ebtable_filter \ + ebtables \ + ip6table_filter \ + ip6_tables \ + iptable_filter \ + ip_tables \ + x_tables \ + sch_fq_codel \ +" + +do_configure:prepend() { + export DEFAULT_LOG_TARGET=${FIREWALLD_DEFAULT_LOG_TARGET} +} + +do_install:append() { + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then + # firewalld ships an init script but it contains Red Hat-isms, replace it with our own + rm -rf ${D}${sysconfdir}/rc.d/ + install -d ${D}${sysconfdir}/init.d + install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then + # Delete polkit profiles if polkit is not available + rm -rf ${D}${datadir}/polkit-1 + fi + + # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE + # so now we need to fix up any references to point at the proper path in the image. + # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools. + if [ ${PN} != "${BPN}-native" ]; then + sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \ + ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml + fi + sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \ + ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml + + # This file contains Red Hat-isms. Modules get loaded without it. + rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf +} + +do_install_ptest:append() { + # Add kernel modules to the ptest script + if [ ${PTEST_ENABLED} = "1" ]; then + sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \ + ${D}${PTEST_PATH}/run-ptest + fi +} + +SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)" +FILES:python3-firewall = "\ + ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \ + ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \ +" +RDEPENDS:python3-firewall = "\ + python3-dbus \ + nftables-python \ + python3-pygobject \ +" + +# Do not depend on QT5 layer and GTK deps if not explicitely required. +FIREWALLD_QT5_RDEPENDS = "\ + ${PN}-config \ + hicolor-icon-theme \ + python3-pyqt5 \ + python3-pygobject \ + libnotify \ + networkmanager \ +" +FIREWALLD_GTK_RDEPENDS = "\ + gtk3 \ +" + +# A QT5 based UI +SUMMARY:${PN}-config = "${SUMMARY} (configuration application)" +FILES:${PN}-config = "\ + ${bindir}/firewall-config \ + ${datadir}/firewalld/firewall-config.glade \ + ${datadir}/firewalld/gtk3_chooserbutton.py* \ + ${datadir}/firewalld/gtk3_niceexpander.py* \ + ${datadir}/applications/firewall-config.desktop \ + ${datadir}/metainfo/firewall-config.appdata.xml \ + ${datadir}/icons/hicolor/*/apps/firewall-config*.* \ +" +RDEPENDS:${PN}-config += "\ + python3-core \ + python3-ctypes \ + ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ +" + +# A GTK3 applet depending on the QT5 firewall-config UI +SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)" +FILES:${PN}-applet += "\ + ${bindir}/firewall-applet \ + ${sysconfdir}/xdg/autostart/firewall-applet.desktop \ + ${sysconfdir}/firewall/applet.conf \ + ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \ +" +RDEPENDS:${PN}-applet += "\ + python3-core \ + python3-ctypes \ + ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \ +" + +SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)" +FILES:${PN}-offline-cmd += " \ + ${bindir}/firewall-offline-cmd \ +" +RDEPENDS:${PN}-offline-cmd += "python3-core" + +SUMMARY:${PN}-log-rotate = "${SUMMARY} (log-rotate configuration)" +FILES:${PN}-log-rotate += "${sysconfdir}/logrotate.d" + +# To get allmost all tests passing +# - Enable PACKAGECONFIG ipset, ebtable +# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests) +FILES:${PN}-ptest += "\ + ${datadir}/firewalld/testsuite \ +" +RDEPENDS:${PN}-ptest += "\ + python3-unittest \ + ${PN}-offline-cmd \ + procps-ps \ + iproute2 \ +" +RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us" + +FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions" + +FILES:${PN} += "\ + ${PYTHON_SITEPACKAGES_DIR}/firewall \ + ${nonarch_libdir}/firewalld \ + ${datadir}/dbus-1 \ + ${datadir}/polkit-1 \ + ${datadir}/metainfo \ + ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \ +" +RDEPENDS:${PN} += "\ + python3-firewall \ + iptables \ + python3-core \ + python3-io \ + python3-fcntl \ + python3-syslog \ + python3-xml \ + python3-json \ + python3-ctypes \ + python3-pprint \ +" +# If firewalld writes a log file rotation is needed +RRECOMMENDS:${PN} += "${@bb.utils.contains_any('FIREWALLD_DEFAULT_LOG_TARGET', [ 'mixed', 'file' ], '${PN}-log-rotate', '', d)}" + +# Add required kernel modules. With Yocto kernel 5.15 this currently means: +# - features/nf_tables/nf_tables.scc +# - features/netfilter/netfilter.scc +# - cgl/features/audit/audit.scc +# - cfg/net/ip6_nf.scc +# - Plus: +# - ebtables +# - ipset +# - CONFIG_IP6_NF_SECURITY=m +# - CONFIG_IP6_NF_MATCH_RPFILTER=m +# - CONFIG_IP6_NF_TARGET_REJECT=m +# - CONFIG_NFT_OBJREF=m +# - CONFIG_NFT_FIB=m +# - CONFIG_NFT_FIB_INET=m +# - CONFIG_NFT_FIB_IPV4=m +# - CONFIG_NFT_FIB_IPV6=m +# - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m +# - CONFIG_NETFILTER_XT_SET=m +def get_kernel_deps(d): + kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split() + return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ]) +RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}" |