ufw: Uncomplicated Firewall recipe

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Joe MacDonald <joe_macdonald@mentor.com> 2014-11-10 21:51:46 -0500
committer: Joe MacDonald <joe_macdonald@mentor.com> 2014-12-03 16:39:50 -0500
commit: 2cc1bd9dd060f5002c2fde7aacba86fe230c12af (patch)
tree: ba89d45559013688303661d10ddb444ad9fa7cfa
parent: 9f925e52370571e1e38ad190f1a5c18473dd87da (diff)
download: meta-openembedded-2cc1bd9dd060f5002c2fde7aacba86fe230c12af.tar.gz
8 files changed, 464 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0001-optimize-boot.patch b/meta-networking/recipes-connectivity/ufw/ufw/0001-optimize-boot.patch
new file mode 100644
index 0000000000..a1e56b7cac
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw/0001-optimize-boot.patch
@@ -0,0 +1,25 @@
+Author: Jamie Strandboge <jamie@canonical.com>
+Description: to improve boot speed when disabled, don't source all of
+ ufw-init-functions (which also sources in other files).
+Upstream-Status: Inappropriate [ not author ]
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Index: ufw-0.31/src/ufw-init
+===================================================================
+--- ufw-0.31.orig/src/ufw-init  2012-03-09 17:07:11.000000000 -0600
+++ ufw-0.31/src/ufw-init       2012-03-17 09:37:51.000000000 -0500
+@@ -18,6 +18,12 @@
+ #
+ set -e
+ 
+# Debian/Ubuntu: small boot speed improvement
+. "#CONFIG_PREFIX#/ufw/ufw.conf"
+if [ "$1" = "start" ] && [ "$2" = "quiet" ] && [ "$ENABLED" = "no" ]; then
+    exit 0
+fi
+
+ if [ -s "#STATE_PREFIX#/ufw-init-functions" ]; then
+     . "#STATE_PREFIX#/ufw-init-functions"
+ else
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0002-lp1044361.patch b/meta-networking/recipes-connectivity/ufw/ufw/0002-lp1044361.patch
new file mode 100644
index 0000000000..804c18bc9e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw/0002-lp1044361.patch
@@ -0,0 +1,118 @@
+Origin: r795, r796
+Description: move netfilter capabilities checking into initcaps(), and call
+ initcaps() only when we need it.
+Bug-Ubuntu: https://launchpad.net/bugs/1044361
+Upstream-Status: Inappropriate [ not author ]
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Index: ufw-0.33/src/backend_iptables.py
+===================================================================
+--- ufw-0.33.orig/src/backend_iptables.py       2012-09-23 09:58:34.000000000 -0500
+++ ufw-0.33/src/backend_iptables.py    2012-09-23 09:58:36.000000000 -0500
+@@ -160,6 +160,9 @@
+             out += "> " + _("Checking raw ip6tables\n")
+             return out
+ 
+        # Initialize the capabilities database
+        self.initcaps()
+
+         args = ['-n', '-v', '-x', '-L']
+         items = []
+         items6 = []
+@@ -470,6 +473,9 @@
+         if self.dryrun:
+             return False
+ 
+        # Initialize the capabilities database
+        self.initcaps()
+
+         prefix = "ufw"
+         exe = self.iptables
+         if v6:
+@@ -684,6 +690,9 @@
+         except Exception:
+             raise
+ 
+        # Initialize the capabilities database
+        self.initcaps()
+
+         chain_prefix = "ufw"
+         rules = self.rules
+         if v6:
+@@ -830,6 +839,10 @@
+         * updating user rules file
+         * reloading the user rules file if rule is modified
+         '''
+
+        # Initialize the capabilities database
+        self.initcaps()
+
+         rstr = ""
+ 
+         if rule.v6:
+@@ -1073,6 +1086,9 @@
+         if self.dryrun:
+             return
+ 
+        # Initialize the capabilities database
+        self.initcaps()
+
+         rules_t = []
+         try:
+             rules_t = self._get_logging_rules(level)
+Index: ufw-0.33/src/backend.py
+===================================================================
+--- ufw-0.33.orig/src/backend.py        2012-09-23 09:58:34.000000000 -0500
+++ ufw-0.33/src/backend.py     2012-09-23 09:59:03.000000000 -0500
+@@ -21,7 +21,7 @@
+ import stat
+ import sys
+ import ufw.util
+-from ufw.util import warn, debug
+from ufw.util import error, warn, debug
+ from ufw.common import UFWError, config_dir, iptables_dir, UFWRule
+ import ufw.applications
+ 
+@@ -68,6 +68,17 @@
+             err_msg = _("Couldn't determine iptables version")
+             raise UFWError(err_msg)
+ 
+        # Initialize via initcaps only when we need it (LP: #1044361)
+        self.caps = None
+
+    def initcaps(self):
+        '''Initialize the capabilities database. This needs to be called
+           before accessing the database.'''
+
+        # Only initialize if not initialized already
+        if self.caps != None:
+            return
+
+         self.caps = {}
+         self.caps['limit'] = {}
+ 
+@@ -78,14 +89,20 @@
+         # Try to get capabilities from the running system if root
+         if self.do_checks and os.getuid() == 0 and not self.dryrun:
+             # v4
+-            nf_caps = ufw.util.get_netfilter_capabilities(self.iptables)
+            try:
+                nf_caps = ufw.util.get_netfilter_capabilities(self.iptables)
+            except OSError as e:
+                error("initcaps\n%s" % e)
+             if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
+                 self.caps['limit']['4'] = True
+             else:
+                 self.caps['limit']['4'] = False
+ 
+             # v6
+-            nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
+            try:
+                nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
+            except OSError as e:
+                error("initcaps\n%s" % e)
+             if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
+                 self.caps['limit']['6'] = True
+             else:
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0003-fix-typeerror-on-error.patch b/meta-networking/recipes-connectivity/ufw/ufw/0003-fix-typeerror-on-error.patch
new file mode 100644
index 0000000000..b259fdf781
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw/0003-fix-typeerror-on-error.patch
@@ -0,0 +1,20 @@
+Origin: r797
+Description: src/backend_iptables.py: fix misplaced parenthesis
+Upstream-Status: Inappropriate [ not author ]
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Index: ufw-0.33/src/backend_iptables.py
+===================================================================
+--- ufw-0.33.orig/src/backend_iptables.py       2012-09-24 08:51:13.000000000 -0500
+++ ufw-0.33/src/backend_iptables.py    2012-09-24 08:52:00.000000000 -0500
+@@ -1075,7 +1075,7 @@
+             exe = self.ip6tables
+         (rc, out) = cmd([exe] + args)
+         if rc != 0:
+-            err_msg = _("Could not perform '%s'") % (args)
+            err_msg = _("Could not perform '%s'" % (args))
+             if fail_ok:
+                 debug("FAILOK: " + err_msg)
+             else:
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0004-lp1039729.patch b/meta-networking/recipes-connectivity/ufw/ufw/0004-lp1039729.patch
new file mode 100644
index 0000000000..695b265671
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw/0004-lp1039729.patch
@@ -0,0 +1,40 @@
+Origin: r803, r804
+Description: Don't call get_netfilter_capabilities() with ipv6 if ipv6 is
+ disabled.
+Bug-Ubuntu: https://launchpad.net/ufw/bugs/1039729
+Upstream-Status: Inappropriate [ not author ]
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Index: ufw-0.33/src/backend.py
+===================================================================
+--- ufw-0.33.orig/src/backend.py        2012-12-04 09:21:57.000000000 -0600
+++ ufw-0.33/src/backend.py     2012-12-04 09:22:40.000000000 -0600
+@@ -98,15 +98,17 @@
+             else:
+                 self.caps['limit']['4'] = False
+ 
+-            # v6
+-            try:
+-                nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
+-            except OSError as e:
+-                error("initcaps\n%s" % e)
+-            if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
+-                self.caps['limit']['6'] = True
+-            else:
+-                self.caps['limit']['6'] = False
+            # v6 (skip capabilities check for ipv6 if ipv6 is disabled in ufw
+            # because the system may not have ipv6 support (LP: #1039729)
+            if self.use_ipv6():
+                try:
+                    nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
+                except OSError as e:
+                    error("initcaps\n%s" % e)
+                if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
+                    self.caps['limit']['6'] = True
+                else:
+                    self.caps['limit']['6'] = False
+ 
+     def is_enabled(self):
+         '''Is firewall configured as enabled'''
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0005-lp1191197.patch b/meta-networking/recipes-connectivity/ufw/ufw/0005-lp1191197.patch
new file mode 100644
index 0000000000..b760d3fd33
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw/0005-lp1191197.patch
@@ -0,0 +1,32 @@
+Origin: r816
+Description: add check for -m rt --rt-type 0
+Bug-Ubuntu: https://launchpad.net/bugs/1191197
+Forwarded: yes
+Upstream-Status: Inappropriate [ not author ]
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Index: ufw-0.33/tests/check-requirements
+===================================================================
+--- ufw-0.33.orig/tests/check-requirements      2012-08-17 16:12:49.000000000 -0500
+++ ufw-0.33/tests/check-requirements   2013-06-15 07:47:00.000000000 -0500
+@@ -3,7 +3,7 @@
+ # check-requirements: verify all the required iptables functionality is
+ # available
+ #
+-# Copyright 2008-2012 Canonical Ltd.
+# Copyright 2008-2013 Canonical Ltd.
+ #
+ #    This program is free software: you can redistribute it and/or modify
+ #    it under the terms of the GNU General Public License version 3,
+@@ -218,6 +218,9 @@
+             echo -n "icmpv6 with hl ($j): "
+             runcmd $exe -A $c -p icmpv6 --icmpv6-type $j -m hl --hl-eq 255 -j ACCEPT
+         done
+
+        echo -n "ipv6 rt: "
+        runcmd $exe -A $c -m rt --rt-type 0 -j ACCEPT
+     fi
+ 
+     echo ""
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/setup-add-an-option-to-specify-iptables-location.patch b/meta-networking/recipes-connectivity/ufw/ufw/setup-add-an-option-to-specify-iptables-location.patch
new file mode 100644
index 0000000000..5117423387
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw/setup-add-an-option-to-specify-iptables-location.patch
@@ -0,0 +1,107 @@
+From c54d36d0582a60fd281cd9287077cea205fd849d Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 27 Nov 2014 15:20:34 -0500
+Subject: [PATCH] setup: add an option to specify iptables location
+When cross-compiling it isn't certain that the location of iptables on the
+target will be the same as on the host.  It also doesn't make sense the
+test the version of the host during setup.  We provide an option to
+specify an alternate iptables directory.  This is assumed to be a
+cross-compile environment and therefore no attempt is made to verify the
+version of iptables to be used.
+Upstream-Status: Pending
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ setup.py | 69 ++++++++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 39 insertions(+), 30 deletions(-)
+diff --git a/setup.py b/setup.py
+index 6fb3751..b13d11c 100644
+--- a/setup.py
+++ b/setup.py
+@@ -225,41 +225,50 @@ shutil.copytree('src', 'staging')
+ os.unlink(os.path.join('staging', 'ufw-init'))
+ os.unlink(os.path.join('staging', 'ufw-init-functions'))
+ 
+iptables_set = 0
+ iptables_exe = ''
+ iptables_dir = ''
+ 
+-for e in ['iptables']:
+-    for dir in ['/sbin', '/bin', '/usr/sbin', '/usr/bin', '/usr/local/sbin', \
+-                '/usr/local/bin']:
+-        if e == "iptables":
+-            if os.path.exists(os.path.join(dir, e)):
+-                iptables_dir = dir
+-                iptables_exe = os.path.join(iptables_dir, "iptables")
+-                print("Found '%s'" % iptables_exe)
+-            else:
+-                continue
+-
+-        if iptables_exe != "":
+-            break
+-
+-
+-if iptables_exe == '':
+-    print("ERROR: could not find required binary 'iptables'", file=sys.stderr)
+-    sys.exit(1)
+-
+-for e in ['ip6tables', 'iptables-restore', 'ip6tables-restore']:
+-    if not os.path.exists(os.path.join(iptables_dir, e)):
+-        print("ERROR: could not find required binary '%s'" % (e), file=sys.stderr)
+if "--iptables-dir" in sys.argv:
+    iptables_dir = sys.argv[sys.argv.index("--iptables-dir") + 1]
+    iptables_exe = os.path.join(iptables_dir, "iptables")
+    iptables_set = 1
+    print("INFO: iptables manually set: '%s'" % (iptables_exe))
+    sys.argv.remove(iptables_dir)
+    sys.argv.remove("--iptables-dir")
+
+if not iptables_set:
+    for e in ['iptables']:
+        for dir in ['/sbin', '/bin', '/usr/sbin', '/usr/bin', '/usr/local/sbin', \
+                    '/usr/local/bin']:
+            if e == "iptables":
+                if os.path.exists(os.path.join(dir, e)):
+                    iptables_dir = dir
+                    iptables_exe = os.path.join(iptables_dir, "iptables")
+                    print("Found '%s'" % iptables_exe)
+                else:
+                    continue
+
+            if iptables_exe != "":
+                break
+
+    if iptables_exe == '':
+        print("ERROR: could not find required binary 'iptables'", file=sys.stderr)
+         sys.exit(1)
+ 
+-(rc, out) = cmd([iptables_exe, '-V'])
+-if rc != 0:
+-    raise OSError(errno.ENOENT, "Could not find version for '%s'" % \
+-                  (iptables_exe))
+-version = re.sub('^v', '', re.split('\s', str(out))[1])
+-print("Found '%s' version '%s'" % (iptables_exe, version))
+-if version < "1.4":
+-    print("WARN: version '%s' has limited IPv6 support. See README for details." % (version), file=sys.stderr)
+    for e in ['ip6tables', 'iptables-restore', 'ip6tables-restore']:
+        if not os.path.exists(os.path.join(iptables_dir, e)):
+            print("ERROR: could not find required binary '%s'" % (e), file=sys.stderr)
+            sys.exit(1)
+
+    (rc, out) = cmd([iptables_exe, '-V'])
+    if rc != 0:
+        raise OSError(errno.ENOENT, "Could not find version for '%s'" % \
+                      (iptables_exe))
+    version = re.sub('^v', '', re.split('\s', str(out))[1])
+    print("Found '%s' version '%s'" % (iptables_exe, version))
+    if version < "1.4":
+        print("WARN: version '%s' has limited IPv6 support. See README for details." % (version), file=sys.stderr)
+ 
+ setup (name='ufw',
+       version=ufw_version,
+-- 
+1.9.1
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch b/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch
new file mode 100644
index 0000000000..ff704b5a46
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch
@@ -0,0 +1,77 @@
+From be53eea06a5655fdc98f47a73be8277b65bb42ed Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Tue, 11 Nov 2014 21:41:14 -0500
+Subject: [PATCH] setup: only make one reference to env
+If sys.executable happens to be '/usr/bin/env python' or something
+similar, the setup script will result in 'ufw' getting /usr/bin/env
+repeated on the top line.  This causes an error at runtime.  Perform a
+quick sanity check on sys.executable before doing the substitution.
+While we're at it, change the default value of 'exe' to the one we either
+detected or specified on the build line.
+Upstream-Status: Inappropriate [ embedded specific ]
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ setup.py | 34 ++++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+diff --git a/setup.py b/setup.py
+index b13d11c..73acdef 100644
+--- a/setup.py
+++ b/setup.py
+@@ -64,7 +64,7 @@ class Install(_install, object):
+         real_sharedir = os.path.join(real_prefix, 'share', 'ufw')
+ 
+         # Update the modules' paths
+-        for file in [ 'common.py' ]:
+        for file in [ 'common.py', 'util.py' ]:
+             print("Updating " + file)
+             subprocess.call(["sed",
+                              "-i",
+@@ -91,6 +91,11 @@ class Install(_install, object):
+                              "s%#SHARE_DIR#%" + real_sharedir + "%g",
+                              os.path.join('staging', file)])
+ 
+            subprocess.call(["sed",
+                             "-i.jjm",
+                             "s%/sbin/iptables%" + iptables_exe + "%g",
+                             os.path.join('staging', file)])
+
+         # Now byte-compile everything
+         super(Install, self).run()
+ 
+@@ -107,12 +112,23 @@ class Install(_install, object):
+         for f in [ script, manpage, manpage_f ]:
+             self.mkpath(os.path.dirname(f))
+ 
+        # if sys.executable == /usr/bin/env python* the result will be the top
+        # of ufw getting:
+        #
+        #  #! /usr/bin/env /usr/bin/env python
+        #
+        # which is not ideal
+        #
+         # update the interpreter to that of the one the user specified for setup
+-        print("Updating staging/ufw to use %s" % (sys.executable))
+-        subprocess.call(["sed",
+-                         "-i",
+-                         "1s%^#.*python.*%#! /usr/bin/env " + sys.executable + "%g",
+-                         'staging/ufw'])
+        print("Updating staging/ufw to use (%s)" % (sys.executable))
+
+        if re.search("(/usr/bin/env)", sys.executable):
+            print("found 'env' in sys.executable (%s)" % (sys.executable))
+            subprocess.call(["sed",
+                             "-i.jjm",
+                             "1s%^#.*python.*%#! " + sys.executable + "%g",
+                             'staging/ufw'])
+
+         self.copy_file('staging/ufw', script)
+         self.copy_file('doc/ufw.8', manpage)
+         self.copy_file('doc/ufw-framework.8', manpage_f)
+-- 
+1.9.1
diff --git a/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb
new file mode 100644
index 0000000000..467f2a81fb
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb
@@ -0,0 +1,45 @@
+SUMMARY = "Uncomplicated Firewall"
+DESCRIPTION = "UFW stands for Uncomplicated Firewall, and is program for \
+managing a netfilter firewall. It provides a command line interface and aims \
+to be uncomplicated and easy to use."
+HOMEPAGE = "https://launchpad.net/ufw"
+LICENSE = "GPLv3"
+LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
+SRC_URI = " \
+           https://launchpad.net/ufw/0.33/0.33/+download/ufw-0.33.tar.gz \
+           file://setup-add-an-option-to-specify-iptables-location.patch \
+           file://setup-only-make-one-reference-to-env.patch \
+           file://0001-optimize-boot.patch \
+           file://0002-lp1044361.patch \
+           file://0003-fix-typeerror-on-error.patch \
+           file://0004-lp1039729.patch \
+           file://0005-lp1191197.patch \
+"
+SRC_URI[md5sum] = "3747b453d76709e5a99da209fc0bb5f5"
+SRC_URI[sha256sum] = "5f85a8084ad3539b547bec097286948233188c971f498890316dec170bdd1da8"
+inherit setuptools distro_features_check
+RDEPENDS_${PN} = " \
+                  iptables \
+                  python \
+                  python-modules \
+                 "
+RRECOMMENDS_${PN} = " \
+                     kernel-module-ipv6 \
+"
+FILES_${PN} += " \
+                ${sbindir}/* \
+                ${datadir}/ufw/* \
+                ${base_libdir}/ufw/* \
+                ${sysconfdir}/ufw/* \
+                ${sysconfdir}/default/ufw \
+"
+REQUIRED_DISTRO_FEATURES = "ipv6"
+DISTUTILS_BUILD_ARGS_append = " --iptables-dir /usr/sbin"
+DISTUTILS_INSTALL_ARGS_append = " --iptables-dir /usr/sbin"
author	Joe MacDonald <joe_macdonald@mentor.com>	2014-11-10 21:51:46 -0500
committer	Joe MacDonald <joe_macdonald@mentor.com>	2014-12-03 16:39:50 -0500
commit	2cc1bd9dd060f5002c2fde7aacba86fe230c12af (patch)
tree	ba89d45559013688303661d10ddb444ad9fa7cfa
parent	9f925e52370571e1e38ad190f1a5c18473dd87da (diff)
download	meta-openembedded-2cc1bd9dd060f5002c2fde7aacba86fe230c12af.tar.gz

diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0001-optimize-boot.patch b/meta-networking/recipes-connectivity/ufw/ufw/0001-optimize-boot.patch new file mode 100644 index 0000000000..a1e56b7cac --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0001-optimize-boot.patch
@@ -0,0 +1,25 @@
	1	Author: Jamie Strandboge <jamie@canonical.com>
	2	Description: to improve boot speed when disabled, don't source all of
	3	ufw-init-functions (which also sources in other files).
	4
	5	Upstream-Status: Inappropriate [ not author ]
	6
	7	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	8
	9	Index: ufw-0.31/src/ufw-init
	10	===================================================================
	11	--- ufw-0.31.orig/src/ufw-init 2012-03-09 17:07:11.000000000 -0600
	12	+++ ufw-0.31/src/ufw-init 2012-03-17 09:37:51.000000000 -0500
	13	@@ -18,6 +18,12 @@
	14	#
	15	set -e
	16
	17	+# Debian/Ubuntu: small boot speed improvement
	18	+. "#CONFIG_PREFIX#/ufw/ufw.conf"
	19	+if [ "$1" = "start" ] && [ "$2" = "quiet" ] && [ "$ENABLED" = "no" ]; then
	20	+ exit 0
	21	+fi
	22	+
	23	if [ -s "#STATE_PREFIX#/ufw-init-functions" ]; then
	24	. "#STATE_PREFIX#/ufw-init-functions"
	25	else


diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0002-lp1044361.patch b/meta-networking/recipes-connectivity/ufw/ufw/0002-lp1044361.patch new file mode 100644 index 0000000000..804c18bc9e --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0002-lp1044361.patch
@@ -0,0 +1,118 @@
	1	Origin: r795, r796
	2	Description: move netfilter capabilities checking into initcaps(), and call
	3	initcaps() only when we need it.
	4	Bug-Ubuntu: https://launchpad.net/bugs/1044361
	5
	6	Upstream-Status: Inappropriate [ not author ]
	7
	8	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	9
	10	Index: ufw-0.33/src/backend_iptables.py
	11	===================================================================
	12	--- ufw-0.33.orig/src/backend_iptables.py 2012-09-23 09:58:34.000000000 -0500
	13	+++ ufw-0.33/src/backend_iptables.py 2012-09-23 09:58:36.000000000 -0500
	14	@@ -160,6 +160,9 @@
	15	out += "> " + _("Checking raw ip6tables\n")
	16	return out
	17
	18	+ # Initialize the capabilities database
	19	+ self.initcaps()
	20	+
	21	args = ['-n', '-v', '-x', '-L']
	22	items = []
	23	items6 = []
	24	@@ -470,6 +473,9 @@
	25	if self.dryrun:
	26	return False
	27
	28	+ # Initialize the capabilities database
	29	+ self.initcaps()
	30	+
	31	prefix = "ufw"
	32	exe = self.iptables
	33	if v6:
	34	@@ -684,6 +690,9 @@
	35	except Exception:
	36	raise
	37
	38	+ # Initialize the capabilities database
	39	+ self.initcaps()
	40	+
	41	chain_prefix = "ufw"
	42	rules = self.rules
	43	if v6:
	44	@@ -830,6 +839,10 @@
	45	* updating user rules file
	46	* reloading the user rules file if rule is modified
	47	'''
	48	+
	49	+ # Initialize the capabilities database
	50	+ self.initcaps()
	51	+
	52	rstr = ""
	53
	54	if rule.v6:
	55	@@ -1073,6 +1086,9 @@
	56	if self.dryrun:
	57	return
	58
	59	+ # Initialize the capabilities database
	60	+ self.initcaps()
	61	+
	62	rules_t = []
	63	try:
	64	rules_t = self._get_logging_rules(level)
	65	Index: ufw-0.33/src/backend.py
	66	===================================================================
	67	--- ufw-0.33.orig/src/backend.py 2012-09-23 09:58:34.000000000 -0500
	68	+++ ufw-0.33/src/backend.py 2012-09-23 09:59:03.000000000 -0500
	69	@@ -21,7 +21,7 @@
	70	import stat
	71	import sys
	72	import ufw.util
	73	-from ufw.util import warn, debug
	74	+from ufw.util import error, warn, debug
	75	from ufw.common import UFWError, config_dir, iptables_dir, UFWRule
	76	import ufw.applications
	77
	78	@@ -68,6 +68,17 @@
	79	err_msg = _("Couldn't determine iptables version")
	80	raise UFWError(err_msg)
	81
	82	+ # Initialize via initcaps only when we need it (LP: #1044361)
	83	+ self.caps = None
	84	+
	85	+ def initcaps(self):
	86	+ '''Initialize the capabilities database. This needs to be called
	87	+ before accessing the database.'''
	88	+
	89	+ # Only initialize if not initialized already
	90	+ if self.caps != None:
	91	+ return
	92	+
	93	self.caps = {}
	94	self.caps['limit'] = {}
	95
	96	@@ -78,14 +89,20 @@
	97	# Try to get capabilities from the running system if root
	98	if self.do_checks and os.getuid() == 0 and not self.dryrun:
	99	# v4
	100	- nf_caps = ufw.util.get_netfilter_capabilities(self.iptables)
	101	+ try:
	102	+ nf_caps = ufw.util.get_netfilter_capabilities(self.iptables)
	103	+ except OSError as e:
	104	+ error("initcaps\n%s" % e)
	105	if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
	106	self.caps['limit']['4'] = True
	107	else:
	108	self.caps['limit']['4'] = False
	109
	110	# v6
	111	- nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
	112	+ try:
	113	+ nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
	114	+ except OSError as e:
	115	+ error("initcaps\n%s" % e)
	116	if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
	117	self.caps['limit']['6'] = True
	118	else:


diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0003-fix-typeerror-on-error.patch b/meta-networking/recipes-connectivity/ufw/ufw/0003-fix-typeerror-on-error.patch new file mode 100644 index 0000000000..b259fdf781 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0003-fix-typeerror-on-error.patch
@@ -0,0 +1,20 @@
	1	Origin: r797
	2	Description: src/backend_iptables.py: fix misplaced parenthesis
	3
	4	Upstream-Status: Inappropriate [ not author ]
	5
	6	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	7
	8	Index: ufw-0.33/src/backend_iptables.py
	9	===================================================================
	10	--- ufw-0.33.orig/src/backend_iptables.py 2012-09-24 08:51:13.000000000 -0500
	11	+++ ufw-0.33/src/backend_iptables.py 2012-09-24 08:52:00.000000000 -0500
	12	@@ -1075,7 +1075,7 @@
	13	exe = self.ip6tables
	14	(rc, out) = cmd([exe] + args)
	15	if rc != 0:
	16	- err_msg = _("Could not perform '%s'") % (args)
	17	+ err_msg = _("Could not perform '%s'" % (args))
	18	if fail_ok:
	19	debug("FAILOK: " + err_msg)
	20	else:


diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0004-lp1039729.patch b/meta-networking/recipes-connectivity/ufw/ufw/0004-lp1039729.patch new file mode 100644 index 0000000000..695b265671 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0004-lp1039729.patch
@@ -0,0 +1,40 @@
	1	Origin: r803, r804
	2	Description: Don't call get_netfilter_capabilities() with ipv6 if ipv6 is
	3	disabled.
	4	Bug-Ubuntu: https://launchpad.net/ufw/bugs/1039729
	5
	6	Upstream-Status: Inappropriate [ not author ]
	7
	8	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	9
	10	Index: ufw-0.33/src/backend.py
	11	===================================================================
	12	--- ufw-0.33.orig/src/backend.py 2012-12-04 09:21:57.000000000 -0600
	13	+++ ufw-0.33/src/backend.py 2012-12-04 09:22:40.000000000 -0600
	14	@@ -98,15 +98,17 @@
	15	else:
	16	self.caps['limit']['4'] = False
	17
	18	- # v6
	19	- try:
	20	- nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
	21	- except OSError as e:
	22	- error("initcaps\n%s" % e)
	23	- if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
	24	- self.caps['limit']['6'] = True
	25	- else:
	26	- self.caps['limit']['6'] = False
	27	+ # v6 (skip capabilities check for ipv6 if ipv6 is disabled in ufw
	28	+ # because the system may not have ipv6 support (LP: #1039729)
	29	+ if self.use_ipv6():
	30	+ try:
	31	+ nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
	32	+ except OSError as e:
	33	+ error("initcaps\n%s" % e)
	34	+ if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
	35	+ self.caps['limit']['6'] = True
	36	+ else:
	37	+ self.caps['limit']['6'] = False
	38
	39	def is_enabled(self):
	40	'''Is firewall configured as enabled'''


diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0005-lp1191197.patch b/meta-networking/recipes-connectivity/ufw/ufw/0005-lp1191197.patch new file mode 100644 index 0000000000..b760d3fd33 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0005-lp1191197.patch
@@ -0,0 +1,32 @@
	1	Origin: r816
	2	Description: add check for -m rt --rt-type 0
	3	Bug-Ubuntu: https://launchpad.net/bugs/1191197
	4	Forwarded: yes
	5
	6	Upstream-Status: Inappropriate [ not author ]
	7
	8	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	9
	10	Index: ufw-0.33/tests/check-requirements
	11	===================================================================
	12	--- ufw-0.33.orig/tests/check-requirements 2012-08-17 16:12:49.000000000 -0500
	13	+++ ufw-0.33/tests/check-requirements 2013-06-15 07:47:00.000000000 -0500
	14	@@ -3,7 +3,7 @@
	15	# check-requirements: verify all the required iptables functionality is
	16	# available
	17	#
	18	-# Copyright 2008-2012 Canonical Ltd.
	19	+# Copyright 2008-2013 Canonical Ltd.
	20	#
	21	# This program is free software: you can redistribute it and/or modify
	22	# it under the terms of the GNU General Public License version 3,
	23	@@ -218,6 +218,9 @@
	24	echo -n "icmpv6 with hl ($j): "
	25	runcmd $exe -A $c -p icmpv6 --icmpv6-type $j -m hl --hl-eq 255 -j ACCEPT
	26	done
	27	+
	28	+ echo -n "ipv6 rt: "
	29	+ runcmd $exe -A $c -m rt --rt-type 0 -j ACCEPT
	30	fi
	31
	32	echo ""


diff --git a/meta-networking/recipes-connectivity/ufw/ufw/setup-add-an-option-to-specify-iptables-location.patch b/meta-networking/recipes-connectivity/ufw/ufw/setup-add-an-option-to-specify-iptables-location.patch new file mode 100644 index 0000000000..5117423387 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/setup-add-an-option-to-specify-iptables-location.patch
@@ -0,0 +1,107 @@
	1	From c54d36d0582a60fd281cd9287077cea205fd849d Mon Sep 17 00:00:00 2001
	2	From: Joe MacDonald <joe_macdonald@mentor.com>
	3	Date: Thu, 27 Nov 2014 15:20:34 -0500
	4	Subject: [PATCH] setup: add an option to specify iptables location
	5
	6	When cross-compiling it isn't certain that the location of iptables on the
	7	target will be the same as on the host. It also doesn't make sense the
	8	test the version of the host during setup. We provide an option to
	9	specify an alternate iptables directory. This is assumed to be a
	10	cross-compile environment and therefore no attempt is made to verify the
	11	version of iptables to be used.
	12
	13	Upstream-Status: Pending
	14
	15	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	16	---
	17	setup.py \| 69 ++++++++++++++++++++++++++++++++++++----------------------------
	18	1 file changed, 39 insertions(+), 30 deletions(-)
	19
	20	diff --git a/setup.py b/setup.py
	21	index 6fb3751..b13d11c 100644
	22	--- a/setup.py
	23	+++ b/setup.py
	24	@@ -225,41 +225,50 @@ shutil.copytree('src', 'staging')
	25	os.unlink(os.path.join('staging', 'ufw-init'))
	26	os.unlink(os.path.join('staging', 'ufw-init-functions'))
	27
	28	+iptables_set = 0
	29	iptables_exe = ''
	30	iptables_dir = ''
	31
	32	-for e in ['iptables']:
	33	- for dir in ['/sbin', '/bin', '/usr/sbin', '/usr/bin', '/usr/local/sbin', \
	34	- '/usr/local/bin']:
	35	- if e == "iptables":
	36	- if os.path.exists(os.path.join(dir, e)):
	37	- iptables_dir = dir
	38	- iptables_exe = os.path.join(iptables_dir, "iptables")
	39	- print("Found '%s'" % iptables_exe)
	40	- else:
	41	- continue
	42	-
	43	- if iptables_exe != "":
	44	- break
	45	-
	46	-
	47	-if iptables_exe == '':
	48	- print("ERROR: could not find required binary 'iptables'", file=sys.stderr)
	49	- sys.exit(1)
	50	-
	51	-for e in ['ip6tables', 'iptables-restore', 'ip6tables-restore']:
	52	- if not os.path.exists(os.path.join(iptables_dir, e)):
	53	- print("ERROR: could not find required binary '%s'" % (e), file=sys.stderr)
	54	+if "--iptables-dir" in sys.argv:
	55	+ iptables_dir = sys.argv[sys.argv.index("--iptables-dir") + 1]
	56	+ iptables_exe = os.path.join(iptables_dir, "iptables")
	57	+ iptables_set = 1
	58	+ print("INFO: iptables manually set: '%s'" % (iptables_exe))
	59	+ sys.argv.remove(iptables_dir)
	60	+ sys.argv.remove("--iptables-dir")
	61	+
	62	+if not iptables_set:
	63	+ for e in ['iptables']:
	64	+ for dir in ['/sbin', '/bin', '/usr/sbin', '/usr/bin', '/usr/local/sbin', \
	65	+ '/usr/local/bin']:
	66	+ if e == "iptables":
	67	+ if os.path.exists(os.path.join(dir, e)):
	68	+ iptables_dir = dir
	69	+ iptables_exe = os.path.join(iptables_dir, "iptables")
	70	+ print("Found '%s'" % iptables_exe)
	71	+ else:
	72	+ continue
	73	+
	74	+ if iptables_exe != "":
	75	+ break
	76	+
	77	+ if iptables_exe == '':
	78	+ print("ERROR: could not find required binary 'iptables'", file=sys.stderr)
	79	sys.exit(1)
	80
	81	-(rc, out) = cmd([iptables_exe, '-V'])
	82	-if rc != 0:
	83	- raise OSError(errno.ENOENT, "Could not find version for '%s'" % \
	84	- (iptables_exe))
	85	-version = re.sub('^v', '', re.split('\s', str(out))[1])
	86	-print("Found '%s' version '%s'" % (iptables_exe, version))
	87	-if version < "1.4":
	88	- print("WARN: version '%s' has limited IPv6 support. See README for details." % (version), file=sys.stderr)
	89	+ for e in ['ip6tables', 'iptables-restore', 'ip6tables-restore']:
	90	+ if not os.path.exists(os.path.join(iptables_dir, e)):
	91	+ print("ERROR: could not find required binary '%s'" % (e), file=sys.stderr)
	92	+ sys.exit(1)
	93	+
	94	+ (rc, out) = cmd([iptables_exe, '-V'])
	95	+ if rc != 0:
	96	+ raise OSError(errno.ENOENT, "Could not find version for '%s'" % \
	97	+ (iptables_exe))
	98	+ version = re.sub('^v', '', re.split('\s', str(out))[1])
	99	+ print("Found '%s' version '%s'" % (iptables_exe, version))
	100	+ if version < "1.4":
	101	+ print("WARN: version '%s' has limited IPv6 support. See README for details." % (version), file=sys.stderr)
	102
	103	setup (name='ufw',
	104	version=ufw_version,
	105	--
	106	1.9.1
	107


diff --git a/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch b/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch new file mode 100644 index 0000000000..ff704b5a46 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch
@@ -0,0 +1,77 @@
	1	From be53eea06a5655fdc98f47a73be8277b65bb42ed Mon Sep 17 00:00:00 2001
	2	From: Joe MacDonald <joe_macdonald@mentor.com>
	3	Date: Tue, 11 Nov 2014 21:41:14 -0500
	4	Subject: [PATCH] setup: only make one reference to env
	5
	6	If sys.executable happens to be '/usr/bin/env python' or something
	7	similar, the setup script will result in 'ufw' getting /usr/bin/env
	8	repeated on the top line. This causes an error at runtime. Perform a
	9	quick sanity check on sys.executable before doing the substitution.
	10
	11	While we're at it, change the default value of 'exe' to the one we either
	12	detected or specified on the build line.
	13
	14	Upstream-Status: Inappropriate [ embedded specific ]
	15
	16	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	17	---
	18	setup.py \| 34 ++++++++++++++++++++++++++++------
	19	1 file changed, 28 insertions(+), 6 deletions(-)
	20
	21	diff --git a/setup.py b/setup.py
	22	index b13d11c..73acdef 100644
	23	--- a/setup.py
	24	+++ b/setup.py
	25	@@ -64,7 +64,7 @@ class Install(_install, object):
	26	real_sharedir = os.path.join(real_prefix, 'share', 'ufw')
	27
	28	# Update the modules' paths
	29	- for file in [ 'common.py' ]:
	30	+ for file in [ 'common.py', 'util.py' ]:
	31	print("Updating " + file)
	32	subprocess.call(["sed",
	33	"-i",
	34	@@ -91,6 +91,11 @@ class Install(_install, object):
	35	"s%#SHARE_DIR#%" + real_sharedir + "%g",
	36	os.path.join('staging', file)])
	37
	38	+ subprocess.call(["sed",
	39	+ "-i.jjm",
	40	+ "s%/sbin/iptables%" + iptables_exe + "%g",
	41	+ os.path.join('staging', file)])
	42	+
	43	# Now byte-compile everything
	44	super(Install, self).run()
	45
	46	@@ -107,12 +112,23 @@ class Install(_install, object):
	47	for f in [ script, manpage, manpage_f ]:
	48	self.mkpath(os.path.dirname(f))
	49
	50	+ # if sys.executable == /usr/bin/env python* the result will be the top
	51	+ # of ufw getting:
	52	+ #
	53	+ # #! /usr/bin/env /usr/bin/env python
	54	+ #
	55	+ # which is not ideal
	56	+ #
	57	# update the interpreter to that of the one the user specified for setup
	58	- print("Updating staging/ufw to use %s" % (sys.executable))
	59	- subprocess.call(["sed",
	60	- "-i",
	61	- "1s%^#.python.%#! /usr/bin/env " + sys.executable + "%g",
	62	- 'staging/ufw'])
	63	+ print("Updating staging/ufw to use (%s)" % (sys.executable))
	64	+
	65	+ if re.search("(/usr/bin/env)", sys.executable):
	66	+ print("found 'env' in sys.executable (%s)" % (sys.executable))
	67	+ subprocess.call(["sed",
	68	+ "-i.jjm",
	69	+ "1s%^#.python.%#! " + sys.executable + "%g",
	70	+ 'staging/ufw'])
	71	+
	72	self.copy_file('staging/ufw', script)
	73	self.copy_file('doc/ufw.8', manpage)
	74	self.copy_file('doc/ufw-framework.8', manpage_f)
	75	--
	76	1.9.1
	77


diff --git a/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb new file mode 100644 index 0000000000..467f2a81fb --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb
@@ -0,0 +1,45 @@
	1	SUMMARY = "Uncomplicated Firewall"
	2	DESCRIPTION = "UFW stands for Uncomplicated Firewall, and is program for \
	3	managing a netfilter firewall. It provides a command line interface and aims \
	4	to be uncomplicated and easy to use."
	5	HOMEPAGE = "https://launchpad.net/ufw"
	6	LICENSE = "GPLv3"
	7	LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
	8
	9	SRC_URI = " \
	10	https://launchpad.net/ufw/0.33/0.33/+download/ufw-0.33.tar.gz \
	11	file://setup-add-an-option-to-specify-iptables-location.patch \
	12	file://setup-only-make-one-reference-to-env.patch \
	13	file://0001-optimize-boot.patch \
	14	file://0002-lp1044361.patch \
	15	file://0003-fix-typeerror-on-error.patch \
	16	file://0004-lp1039729.patch \
	17	file://0005-lp1191197.patch \
	18	"
	19	SRC_URI[md5sum] = "3747b453d76709e5a99da209fc0bb5f5"
	20	SRC_URI[sha256sum] = "5f85a8084ad3539b547bec097286948233188c971f498890316dec170bdd1da8"
	21
	22	inherit setuptools distro_features_check
	23
	24	RDEPENDS_${PN} = " \
	25	iptables \
	26	python \
	27	python-modules \
	28	"
	29
	30	RRECOMMENDS_${PN} = " \
	31	kernel-module-ipv6 \
	32	"
	33
	34	FILES_${PN} += " \
	35	${sbindir}/* \
	36	${datadir}/ufw/* \
	37	${base_libdir}/ufw/* \
	38	${sysconfdir}/ufw/* \
	39	${sysconfdir}/default/ufw \
	40	"
	41
	42	REQUIRED_DISTRO_FEATURES = "ipv6"
	43
	44	DISTUTILS_BUILD_ARGS_append = " --iptables-dir /usr/sbin"
	45	DISTUTILS_INSTALL_ARGS_append = " --iptables-dir /usr/sbin"