firewalld: update to 1.1.1 fixes ptest

Update firewalld by 2 major versions, which also includes breaking and behavioral changes. Highlights from 0.9 to 1.0: - Reduced dependencies - Intra-zone forwarding by default - NAT rules moved to inet family (reduced rule set) - Default target is now similar to reject - ICMP blocks and block inversion only apply to input, not forward - tftp-client service has been removed - iptables backend is deprecated - Direct interface is deprecated - CleanupModulesOnExit defaults to no (kernel modules not unloaded) Details: - https://firewalld.org/2021/07/firewalld-1-0-0-release - https://github.com/firewalld/firewalld/compare/v0.9.0...v1.0.0 From 1.0 to 1.1 is mostly a bug fix release update. Details: - https://firewalld.org/2022/02/firewalld-1-1-0-release - https://github.com/firewalld/firewalld/compare/v0.9.0...v1.0.0 Improvements on the recipe: - Add ptest - Very helpful to get all the kernel modules - Long running, probably not suitable for any OE autobuilder - RRECOMMENS kernel modules, document configuration - Improve package splitting - firewalld-config and firewalld-applet depend on QT5, pyqt5 and GTK. The dependencies were not correctly set but the code was ending up on the target device. Now the code gets into a separate package but the dependeinces are probably still not complete. Since this is probably not used anyway it is not tested yet. It's still not perfect but much better than installing broken stuff to the target device. - The dependenices are added to variables instead of rdepends to keep the meta-qt5 and gnome layers optional also at build-time. - New packageconfigs: ebtables, ipset. This is mosly required to get the test suite running but probably also usable otherwise. Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Adrian Freihofer <adrian.freihofer@gmail.com> 2022-06-08 14:53:57 +0200
committer: Khem Raj <raj.khem@gmail.com> 2022-06-30 07:01:37 -0400
commit: 63d620555073c4fca5e70737095b7700047ad5b2 (patch)
tree: 12b52996c016468d8fd3dd0fa13922bdd2e1777e /meta-networking/dynamic-layers
parent: 11df15765c1c16572dfbbbe2831de6ad39f0ed63 (diff)
download: meta-openembedded-63d620555073c4fca5e70737095b7700047ad5b2.tar.gz
3 files changed, 318 insertions, 92 deletions
diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest
new file mode 100644
index 000000000..9d3ec7904
--- /dev/null
+++ b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest
@@ -0,0 +1,21 @@
+#!/bin/sh
+ret_val=0
+# Check if all the kernel modules are available
+FIREWALLD_KERNEL_MODULES="@@FIREWALLD_KERNEL_MODULES@@"
+for m in $FIREWALLD_KERNEL_MODULES; do
+    if modprobe $m; then
+        echo "PASS: loading $m"
+    else
+        echo "FAIL: loading $m"
+        ret_val=1
+    fi
+done
+# Run the test suite from firewalld
+# Failing testsuites: 203 226 241 250 270 280 281 282 285 286
+# Problem icmpv6 compared against ipv6-icmptype?
+/usr/share/firewalld/testsuite/testsuite -C /tmp -A || ret_val=1
+exit $ret_val
diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb
deleted file mode 100644
index 1dea33953..000000000
--- a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb
+++ /dev/null
@@ -1,92 +0,0 @@
-SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
-HOMEPAGE = "https://firewalld.org/"
-BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
-UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
-LICENSE = "GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
-           file://firewalld.init \
-"
-SRC_URI[sha256sum] = "52c5e3d5b1e2efc0e86c22b2bc1f7fd80908cc2d8130157dc2a3517a59b0a760"
-# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
-DEPENDS = "intltool-native glib-2.0-native nftables"
-inherit gettext autotools bash-completion pkgconfig python3native gsettings systemd update-rc.d
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
-PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
-PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
-PACKAGES += "${PN}-zsh-completion"
-# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
-# when the nftables backend is available, because nftables supersedes all of them.
-# However we still need iptables and ip6tables to be available otherwise any
-# application relying on "direct passthrough" rules (such as docker) will break.
-# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
-# the Red Hat-specific init script which we aren't using, so we disable that.
-EXTRA_OECONF = "\
-    --without-ipset \
-    --with-iptables=${sbindir}/iptables \
-    --with-iptables-restore=${sbindir}/iptables-restore \
-    --with-ip6tables=${sbindir}/ip6tables \
-    --with-ip6tables-restore=${sbindir}/ip6tables-restore \
-    --without-ebtables \
-    --without-ebtables-restore \
-    --disable-sysconfig \
-"
-INITSCRIPT_NAME = "firewalld"
-SYSTEMD_SERVICE:${PN} = "firewalld.service"
-do_install:append() {
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        :
-    else
-        # firewalld ships an init script but it contains Red Hat-isms, replace it with our own
-        rm -rf ${D}${sysconfdir}/rc.d/
-        install -d ${D}${sysconfdir}/init.d
-        install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
-    fi
-    # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
-    # so now we need to fix up any references to point at the proper path in the image.
-    # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
-    if [ ${PN} != "${BPN}-native" ]; then
-        sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
-            ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
-    fi
-    sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
-        ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
-    # This file contains Red Hat-isms. Modules get loaded without it.
-    rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
-}
-FILES:${PN} += "\
-    ${PYTHON_SITEPACKAGES_DIR}/firewall \
-    ${nonarch_libdir}/firewalld \
-    ${datadir}/dbus-1 \
-    ${datadir}/polkit-1 \
-    ${datadir}/metainfo \
-"
-FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
-RDEPENDS:${PN} = "\
-    nftables-python \
-    iptables \
-    python3-core \
-    python3-io \
-    python3-fcntl \
-    python3-shell \
-    python3-syslog \
-    python3-xml \
-    python3-dbus \
-    python3-slip-dbus \
-    python3-decorator \
-    python3-pygobject \
-    python3-json \
-    python3-ctypes \
-"
diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb
new file mode 100644
index 000000000..00e851f45
--- /dev/null
+++ b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb
@@ -0,0 +1,297 @@
+SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
+HOMEPAGE = "https://firewalld.org/"
+BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
+UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+SRC_URI = "\
+    https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
+    file://firewalld.init \
+    file://run-ptest \
+"
+SRC_URI[sha256sum] = "1dcd314ff836b2ce69f15f60fc7d50bd77ed359d784f9b3c07f2d394ea570e4c"
+# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
+DEPENDS = "intltool-native glib-2.0-native nftables"
+inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
+PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
+PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
+PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset"
+PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables"
+# The UIs are not yet tested and the dependencies are probably not quite correct yet.
+# Splitting into separate packages is beneficial so that no dead code is transferred
+# to the target device.
+# Without enabling qt5, the firewalld-config package is not usable.
+# Without enabling qt5 and gtk, the firewalld-applet package is not usable.
+PACKAGECONFIG[qt5] = ""
+PACKAGECONFIG[gtk] = ""
+PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion"
+# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
+# when the nftables backend is available, because nftables supersedes all of them.
+# However we still need iptables and ip6tables to be available otherwise any
+# application relying on "direct passthrough" rules (such as docker) will break.
+# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
+# the Red Hat-specific init script which we aren't using, so we disable that.
+EXTRA_OECONF = "\
+    --with-iptables=${sbindir}/iptables \
+    --with-iptables-restore=${sbindir}/iptables-restore \
+    --with-ip6tables=${sbindir}/ip6tables \
+    --with-ip6tables-restore=${sbindir}/ip6tables-restore \
+    --disable-sysconfig \
+"
+INITSCRIPT_NAME = "firewalld"
+SYSTEMD_SERVICE:${PN} = "firewalld.service"
+# kernel modules loaded after ptest execution (linux-yocto 5.15)
+FIREWALLD_KERNEL_MODULES ?= "\
+    xt_tcpudp \
+    xt_TCPMSS \
+    xt_set \
+    xt_sctp \
+    xt_REDIRECT \
+    xt_pkttype \
+    xt_NFLOG \
+    xt_nat \
+    xt_MASQUERADE \
+    xt_mark \
+    xt_mac \
+    xt_LOG \
+    xt_limit \
+    xt_dccp \
+    xt_CT \
+    xt_conntrack \
+    xt_CHECKSUM \
+    nft_redir \
+    nft_objref \
+    nft_nat \
+    nft_masq \
+    nft_log \
+    nfnetlink_log \
+    nf_nat_tftp \
+    nf_nat_sip \
+    nf_nat_ftp \
+    nf_log_syslog \
+    nf_conntrack_tftp \
+    nf_conntrack_sip \
+    nf_conntrack_netbios_ns \
+    nf_conntrack_ftp \
+    nf_conntrack_broadcast \
+    ipt_REJECT \
+    ip6t_rpfilter \
+    ip6t_REJECT \
+    ip_set_hash_netport \
+    ip_set_hash_netnet \
+    ip_set_hash_netiface \
+    ip_set_hash_net \
+    ip_set_hash_mac \
+    ip_set_hash_ipportnet \
+    ip_set_hash_ipport \
+    ip_set_hash_ipmark \
+    ip_set_hash_ip \
+    ebt_ip6 \
+    nft_fib_inet \
+    nft_fib_ipv4 \
+    nft_fib_ipv6 \
+    nft_fib \
+    nft_reject_inet \
+    nf_reject_ipv4 \
+    nf_reject_ipv6 \
+    nft_reject \
+    nft_ct \
+    nft_chain_nat \
+    ebtable_nat \
+    ebtable_broute \
+    ip6table_nat \
+    ip6table_mangle \
+    ip6table_raw \
+    ip6table_security \
+    iptable_nat \
+    nf_nat \
+    nf_conntrack \
+    nf_defrag_ipv6 \
+    nf_defrag_ipv4 \
+    iptable_mangle \
+    iptable_raw \
+    iptable_security \
+    ip_set \
+    ebtable_filter \
+    ebtables \
+    ip6table_filter \
+    ip6_tables \
+    iptable_filter \
+    ip_tables \
+    x_tables \
+    sch_fq_codel \
+"
+do_install:append() {
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
+        # firewalld ships an init script but it contains Red Hat-isms, replace it with our own
+        rm -rf ${D}${sysconfdir}/rc.d/
+        install -d ${D}${sysconfdir}/init.d
+        install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
+    fi
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then
+        # Delete polkit profiles if polkit is not available
+        rm -rf ${D}${datadir}/polkit-1
+    fi
+    # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
+    # so now we need to fix up any references to point at the proper path in the image.
+    # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
+    if [ ${PN} != "${BPN}-native" ]; then
+        sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
+            ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
+    fi
+    sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
+        ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
+    # This file contains Red Hat-isms. Modules get loaded without it.
+    rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
+}
+do_install_ptest:append() {
+    # Add kernel modules to the ptest script
+    if [ ${PTEST_ENABLED} = "1" ]; then
+        sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \
+            ${D}${PTEST_PATH}/run-ptest
+    fi
+}
+SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)"
+FILES:python3-firewall = "\
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \
+"
+RDEPENDS:python3-firewall = "\
+    python3-dbus \
+    nftables-python \
+    python3-pygobject \
+"
+# Do not depend on QT5 layer and GTK deps if not explicitely required.
+FIREWALLD_QT5_RDEPENDS = "\
+    ${PN}-config \
+    hicolor-icon-theme \
+    python3-pyqt5 \
+    python3-pygobject \
+    libnotify \
+    networkmanager \
+"
+FIREWALLD_GTK_RDEPENDS = "\
+    gtk3 \
+"
+# A QT5 based UI
+SUMMARY:${PN}-config = "${SUMMARY} (configuration application)"
+FILES:${PN}-config = "\
+    ${bindir}/firewall-config \
+    ${datadir}/firewalld/firewall-config.glade \
+    ${datadir}/firewalld/gtk3_chooserbutton.py* \
+    ${datadir}/firewalld/gtk3_niceexpander.py* \
+    ${datadir}/applications/firewall-config.desktop \
+    ${datadir}/metainfo/firewall-config.appdata.xml \
+    ${datadir}/icons/hicolor/*/apps/firewall-config*.* \
+"
+RDEPENDS:${PN}-config += "\
+    python3-core \
+    python3-ctypes \
+    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
+"
+# A GTK3 applet depending on the QT5 firewall-config UI
+SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)"
+FILES:${PN}-applet += "\
+    ${bindir}/firewall-applet \
+    ${sysconfdir}/xdg/autostart/firewall-applet.desktop \
+    ${sysconfdir}/firewall/applet.conf \
+    ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \
+"
+RDEPENDS:${PN}-applet += "\
+    python3-core \
+    python3-ctypes \
+    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \
+"
+SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)"
+FILES:${PN}-offline-cmd += " \
+    ${bindir}/firewall-offline-cmd \
+"
+RDEPENDS:${PN}-offline-cmd += "python3-core"
+# To get allmost all tests passing
+# - Enable PACKAGECONFIG ipset, ebtable
+# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests)
+FILES:${PN}-ptest += "\
+    ${datadir}/firewalld/testsuite \
+"
+RDEPENDS:${PN}-ptest += "\
+    python3-unittest \
+    ${PN}-offline-cmd \
+    procps-ps \
+    iproute2 \
+"
+RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"
+FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
+FILES:${PN} += "\
+    ${PYTHON_SITEPACKAGES_DIR}/firewall \
+    ${nonarch_libdir}/firewalld \
+    ${datadir}/dbus-1 \
+    ${datadir}/polkit-1 \
+    ${datadir}/metainfo \
+    ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \
+"
+RDEPENDS:${PN} += "\
+    python3-firewall \
+    iptables \
+    python3-core \
+    python3-io \
+    python3-fcntl \
+    python3-syslog \
+    python3-xml \
+    python3-json \
+    python3-ctypes \
+    python3-pprint \
+"
+# Add required kernel modules. With Yocto kernel 5.15 this currently means:
+# - features/nf_tables/nf_tables.scc
+# - features/netfilter/netfilter.scc
+# - cgl/features/audit/audit.scc
+# - cfg/net/ip6_nf.scc
+# - Plus:
+#   - ebtables
+#   - ipset
+#   - CONFIG_IP6_NF_SECURITY=m
+#   - CONFIG_IP6_NF_MATCH_RPFILTER=m
+#   - CONFIG_IP6_NF_TARGET_REJECT=m
+#   - CONFIG_NFT_OBJREF=m
+#   - CONFIG_NFT_FIB=m
+#   - CONFIG_NFT_FIB_INET=m
+#   - CONFIG_NFT_FIB_IPV4=m
+#   - CONFIG_NFT_FIB_IPV6=m
+#   - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
+#   - CONFIG_NETFILTER_XT_SET=m
+def get_kernel_deps(d):
+    kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split()
+    return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ])
+RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}"
author	Adrian Freihofer <adrian.freihofer@gmail.com>	2022-06-08 14:53:57 +0200
committer	Khem Raj <raj.khem@gmail.com>	2022-06-30 07:01:37 -0400
commit	63d620555073c4fca5e70737095b7700047ad5b2 (patch)
tree	12b52996c016468d8fd3dd0fa13922bdd2e1777e /meta-networking/dynamic-layers
parent	11df15765c1c16572dfbbbe2831de6ad39f0ed63 (diff)
download	meta-openembedded-63d620555073c4fca5e70737095b7700047ad5b2.tar.gz

diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest new file mode 100644 index 000000000..9d3ec7904 --- /dev/null +++ b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest
@@ -0,0 +1,21 @@
		1	#!/bin/sh
		2
		3	ret_val=0
		4
		5	# Check if all the kernel modules are available
		6	FIREWALLD_KERNEL_MODULES="@@FIREWALLD_KERNEL_MODULES@@"
		7	for m in $FIREWALLD_KERNEL_MODULES; do
		8	if modprobe $m; then
		9	echo "PASS: loading $m"
		10	else
		11	echo "FAIL: loading $m"
		12	ret_val=1
		13	fi
		14	done
		15
		16	# Run the test suite from firewalld
		17	# Failing testsuites: 203 226 241 250 270 280 281 282 285 286
		18	# Problem icmpv6 compared against ipv6-icmptype?
		19	/usr/share/firewalld/testsuite/testsuite -C /tmp -A \|\| ret_val=1
		20
		21	exit $ret_val


diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb deleted file mode 100644 index 1dea33953..000000000 --- a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb +++ /dev/null
@@ -1,92 +0,0 @@
1	SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
2	HOMEPAGE = "https://firewalld.org/"
3	BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
4	UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
5	LICENSE = "GPL-2.0-or-later"
6	LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
7
8	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
9	file://firewalld.init \
10	"
11	SRC_URI[sha256sum] = "52c5e3d5b1e2efc0e86c22b2bc1f7fd80908cc2d8130157dc2a3517a59b0a760"
12
13	# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
14	DEPENDS = "intltool-native glib-2.0-native nftables"
15
16	inherit gettext autotools bash-completion pkgconfig python3native gsettings systemd update-rc.d
17
18	PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
19	PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
20	PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
21
22	PACKAGES += "${PN}-zsh-completion"
23
24	# iptables, ip6tables, ebtables, and ipset should be unnecessary
25	# when the nftables backend is available, because nftables supersedes all of them.
26	# However we still need iptables and ip6tables to be available otherwise any
27	# application relying on "direct passthrough" rules (such as docker) will break.
28	# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
29	# the Red Hat-specific init script which we aren't using, so we disable that.
30	EXTRA_OECONF = "\
31	--without-ipset \
32	--with-iptables=${sbindir}/iptables \
33	--with-iptables-restore=${sbindir}/iptables-restore \
34	--with-ip6tables=${sbindir}/ip6tables \
35	--with-ip6tables-restore=${sbindir}/ip6tables-restore \
36	--without-ebtables \
37	--without-ebtables-restore \
38	--disable-sysconfig \
39	"
40
41	INITSCRIPT_NAME = "firewalld"
42	SYSTEMD_SERVICE:${PN} = "firewalld.service"
43
44	do_install:append() {
45	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
46	:
47	else
48	# firewalld ships an init script but it contains Red Hat-isms, replace it with our own
49	rm -rf ${D}${sysconfdir}/rc.d/
50	install -d ${D}${sysconfdir}/init.d
51	install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
52	fi
53
54	# We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
55	# so now we need to fix up any references to point at the proper path in the image.
56	# This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
57	if [ ${PN} != "${BPN}-native" ]; then
58	sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
59	${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
60	fi
61	sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
62	${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
63
64	# This file contains Red Hat-isms. Modules get loaded without it.
65	rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
66	}
67
68	FILES:${PN} += "\
69	${PYTHON_SITEPACKAGES_DIR}/firewall \
70	${nonarch_libdir}/firewalld \
71	${datadir}/dbus-1 \
72	${datadir}/polkit-1 \
73	${datadir}/metainfo \
74	"
75	FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
76
77	RDEPENDS:${PN} = "\
78	nftables-python \
79	iptables \
80	python3-core \
81	python3-io \
82	python3-fcntl \
83	python3-shell \
84	python3-syslog \
85	python3-xml \
86	python3-dbus \
87	python3-slip-dbus \
88	python3-decorator \
89	python3-pygobject \
90	python3-json \
91	python3-ctypes \
92	"


diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb new file mode 100644 index 000000000..00e851f45 --- /dev/null +++ b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb
@@ -0,0 +1,297 @@
		1	SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
		2	HOMEPAGE = "https://firewalld.org/"
		3	BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
		4	UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
		5	LICENSE = "GPL-2.0-or-later"
		6	LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
		7
		8	SRC_URI = "\
		9	https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
		10	file://firewalld.init \
		11	file://run-ptest \
		12	"
		13	SRC_URI[sha256sum] = "1dcd314ff836b2ce69f15f60fc7d50bd77ed359d784f9b3c07f2d394ea570e4c"
		14
		15	# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
		16	DEPENDS = "intltool-native glib-2.0-native nftables"
		17
		18	inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest
		19
		20	PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
		21	PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
		22	PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
		23	PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset"
		24	PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables"
		25
		26	# The UIs are not yet tested and the dependencies are probably not quite correct yet.
		27	# Splitting into separate packages is beneficial so that no dead code is transferred
		28	# to the target device.
		29	# Without enabling qt5, the firewalld-config package is not usable.
		30	# Without enabling qt5 and gtk, the firewalld-applet package is not usable.
		31	PACKAGECONFIG[qt5] = ""
		32	PACKAGECONFIG[gtk] = ""
		33
		34	PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion"
		35
		36	# iptables, ip6tables, ebtables, and ipset should be unnecessary
		37	# when the nftables backend is available, because nftables supersedes all of them.
		38	# However we still need iptables and ip6tables to be available otherwise any
		39	# application relying on "direct passthrough" rules (such as docker) will break.
		40	# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
		41	# the Red Hat-specific init script which we aren't using, so we disable that.
		42	EXTRA_OECONF = "\
		43	--with-iptables=${sbindir}/iptables \
		44	--with-iptables-restore=${sbindir}/iptables-restore \
		45	--with-ip6tables=${sbindir}/ip6tables \
		46	--with-ip6tables-restore=${sbindir}/ip6tables-restore \
		47	--disable-sysconfig \
		48	"
		49
		50	INITSCRIPT_NAME = "firewalld"
		51	SYSTEMD_SERVICE:${PN} = "firewalld.service"
		52
		53	# kernel modules loaded after ptest execution (linux-yocto 5.15)
		54	FIREWALLD_KERNEL_MODULES ?= "\
		55	xt_tcpudp \
		56	xt_TCPMSS \
		57	xt_set \
		58	xt_sctp \
		59	xt_REDIRECT \
		60	xt_pkttype \
		61	xt_NFLOG \
		62	xt_nat \
		63	xt_MASQUERADE \
		64	xt_mark \
		65	xt_mac \
		66	xt_LOG \
		67	xt_limit \
		68	xt_dccp \
		69	xt_CT \
		70	xt_conntrack \
		71	xt_CHECKSUM \
		72	nft_redir \
		73	nft_objref \
		74	nft_nat \
		75	nft_masq \
		76	nft_log \
		77	nfnetlink_log \
		78	nf_nat_tftp \
		79	nf_nat_sip \
		80	nf_nat_ftp \
		81	nf_log_syslog \
		82	nf_conntrack_tftp \
		83	nf_conntrack_sip \
		84	nf_conntrack_netbios_ns \
		85	nf_conntrack_ftp \
		86	nf_conntrack_broadcast \
		87	ipt_REJECT \
		88	ip6t_rpfilter \
		89	ip6t_REJECT \
		90	ip_set_hash_netport \
		91	ip_set_hash_netnet \
		92	ip_set_hash_netiface \
		93	ip_set_hash_net \
		94	ip_set_hash_mac \
		95	ip_set_hash_ipportnet \
		96	ip_set_hash_ipport \
		97	ip_set_hash_ipmark \
		98	ip_set_hash_ip \
		99	ebt_ip6 \
		100	nft_fib_inet \
		101	nft_fib_ipv4 \
		102	nft_fib_ipv6 \
		103	nft_fib \
		104	nft_reject_inet \
		105	nf_reject_ipv4 \
		106	nf_reject_ipv6 \
		107	nft_reject \
		108	nft_ct \
		109	nft_chain_nat \
		110	ebtable_nat \
		111	ebtable_broute \
		112	ip6table_nat \
		113	ip6table_mangle \
		114	ip6table_raw \
		115	ip6table_security \
		116	iptable_nat \
		117	nf_nat \
		118	nf_conntrack \
		119	nf_defrag_ipv6 \
		120	nf_defrag_ipv4 \
		121	iptable_mangle \
		122	iptable_raw \
		123	iptable_security \
		124	ip_set \
		125	ebtable_filter \
		126	ebtables \
		127	ip6table_filter \
		128	ip6_tables \
		129	iptable_filter \
		130	ip_tables \
		131	x_tables \
		132	sch_fq_codel \
		133	"
		134
		135	do_install:append() {
		136	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
		137	# firewalld ships an init script but it contains Red Hat-isms, replace it with our own
		138	rm -rf ${D}${sysconfdir}/rc.d/
		139	install -d ${D}${sysconfdir}/init.d
		140	install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
		141	fi
		142
		143	if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then
		144	# Delete polkit profiles if polkit is not available
		145	rm -rf ${D}${datadir}/polkit-1
		146	fi
		147
		148	# We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
		149	# so now we need to fix up any references to point at the proper path in the image.
		150	# This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
		151	if [ ${PN} != "${BPN}-native" ]; then
		152	sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
		153	${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
		154	fi
		155	sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
		156	${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
		157
		158	# This file contains Red Hat-isms. Modules get loaded without it.
		159	rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
		160	}
		161
		162	do_install_ptest:append() {
		163	# Add kernel modules to the ptest script
		164	if [ ${PTEST_ENABLED} = "1" ]; then
		165	sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \
		166	${D}${PTEST_PATH}/run-ptest
		167	fi
		168	}
		169
		170	SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)"
		171	FILES:python3-firewall = "\
		172	${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/.py \
		173	${PYTHON_SITEPACKAGES_DIR}/firewall/.py \
		174	${PYTHON_SITEPACKAGES_DIR}/firewall/config/.py \
		175	${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/.py \
		176	${PYTHON_SITEPACKAGES_DIR}/firewall/core/.py \
		177	${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/.py \
		178	${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/.py \
		179	${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/.py \
		180	${PYTHON_SITEPACKAGES_DIR}/firewall/server/.py \
		181	${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/.py \
		182	"
		183	RDEPENDS:python3-firewall = "\
		184	python3-dbus \
		185	nftables-python \
		186	python3-pygobject \
		187	"
		188
		189	# Do not depend on QT5 layer and GTK deps if not explicitely required.
		190	FIREWALLD_QT5_RDEPENDS = "\
		191	${PN}-config \
		192	hicolor-icon-theme \
		193	python3-pyqt5 \
		194	python3-pygobject \
		195	libnotify \
		196	networkmanager \
		197	"
		198	FIREWALLD_GTK_RDEPENDS = "\
		199	gtk3 \
		200	"
		201
		202	# A QT5 based UI
		203	SUMMARY:${PN}-config = "${SUMMARY} (configuration application)"
		204	FILES:${PN}-config = "\
		205	${bindir}/firewall-config \
		206	${datadir}/firewalld/firewall-config.glade \
		207	${datadir}/firewalld/gtk3_chooserbutton.py* \
		208	${datadir}/firewalld/gtk3_niceexpander.py* \
		209	${datadir}/applications/firewall-config.desktop \
		210	${datadir}/metainfo/firewall-config.appdata.xml \
		211	${datadir}/icons/hicolor//apps/firewall-config.* \
		212	"
		213	RDEPENDS:${PN}-config += "\
		214	python3-core \
		215	python3-ctypes \
		216	${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
		217	"
		218
		219	# A GTK3 applet depending on the QT5 firewall-config UI
		220	SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)"
		221	FILES:${PN}-applet += "\
		222	${bindir}/firewall-applet \
		223	${sysconfdir}/xdg/autostart/firewall-applet.desktop \
		224	${sysconfdir}/firewall/applet.conf \
		225	${datadir}/icons/hicolor//apps/firewall-applet.* \
		226	"
		227	RDEPENDS:${PN}-applet += "\
		228	python3-core \
		229	python3-ctypes \
		230	${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
		231	${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \
		232	"
		233
		234	SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)"
		235	FILES:${PN}-offline-cmd += " \
		236	${bindir}/firewall-offline-cmd \
		237	"
		238	RDEPENDS:${PN}-offline-cmd += "python3-core"
		239
		240	# To get allmost all tests passing
		241	# - Enable PACKAGECONFIG ipset, ebtable
		242	# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests)
		243	FILES:${PN}-ptest += "\
		244	${datadir}/firewalld/testsuite \
		245	"
		246	RDEPENDS:${PN}-ptest += "\
		247	python3-unittest \
		248	${PN}-offline-cmd \
		249	procps-ps \
		250	iproute2 \
		251	"
		252	RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"
		253
		254	FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
		255
		256	FILES:${PN} += "\
		257	${PYTHON_SITEPACKAGES_DIR}/firewall \
		258	${nonarch_libdir}/firewalld \
		259	${datadir}/dbus-1 \
		260	${datadir}/polkit-1 \
		261	${datadir}/metainfo \
		262	${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \
		263	"
		264	RDEPENDS:${PN} += "\
		265	python3-firewall \
		266	iptables \
		267	python3-core \
		268	python3-io \
		269	python3-fcntl \
		270	python3-syslog \
		271	python3-xml \
		272	python3-json \
		273	python3-ctypes \
		274	python3-pprint \
		275	"
		276	# Add required kernel modules. With Yocto kernel 5.15 this currently means:
		277	# - features/nf_tables/nf_tables.scc
		278	# - features/netfilter/netfilter.scc
		279	# - cgl/features/audit/audit.scc
		280	# - cfg/net/ip6_nf.scc
		281	# - Plus:
		282	# - ebtables
		283	# - ipset
		284	# - CONFIG_IP6_NF_SECURITY=m
		285	# - CONFIG_IP6_NF_MATCH_RPFILTER=m
		286	# - CONFIG_IP6_NF_TARGET_REJECT=m
		287	# - CONFIG_NFT_OBJREF=m
		288	# - CONFIG_NFT_FIB=m
		289	# - CONFIG_NFT_FIB_INET=m
		290	# - CONFIG_NFT_FIB_IPV4=m
		291	# - CONFIG_NFT_FIB_IPV6=m
		292	# - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
		293	# - CONFIG_NETFILTER_XT_SET=m
		294	def get_kernel_deps(d):
		295	kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split()
		296	return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ])
		297	RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}"