3 files changed, 318 insertions, 92 deletions
diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest
new file mode 100644
index 0000000000..9d3ec79042
--- /dev/null
+++ b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest
@@ -0,0 +1,21 @@
+#!/bin/sh
+ret_val=0
+# Check if all the kernel modules are available
+FIREWALLD_KERNEL_MODULES="@@FIREWALLD_KERNEL_MODULES@@"
+for m in $FIREWALLD_KERNEL_MODULES; do
+    if modprobe $m; then
+        echo "PASS: loading $m"
+    else
+        echo "FAIL: loading $m"
+        ret_val=1
+    fi
+done
+# Run the test suite from firewalld
+# Failing testsuites: 203 226 241 250 270 280 281 282 285 286
+# Problem icmpv6 compared against ipv6-icmptype?
+/usr/share/firewalld/testsuite/testsuite -C /tmp -A || ret_val=1
+exit $ret_val
diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb
deleted file mode 100644
index 1dea339535..0000000000
--- a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb
+++ /dev/null
@@ -1,92 +0,0 @@
-SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
-HOMEPAGE = "https://firewalld.org/"
-BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
-UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
-LICENSE = "GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
-           file://firewalld.init \
-"
-SRC_URI[sha256sum] = "52c5e3d5b1e2efc0e86c22b2bc1f7fd80908cc2d8130157dc2a3517a59b0a760"
-# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
-DEPENDS = "intltool-native glib-2.0-native nftables"
-inherit gettext autotools bash-completion pkgconfig python3native gsettings systemd update-rc.d
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
-PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
-PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
-PACKAGES += "${PN}-zsh-completion"
-# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
-# when the nftables backend is available, because nftables supersedes all of them.
-# However we still need iptables and ip6tables to be available otherwise any
-# application relying on "direct passthrough" rules (such as docker) will break.
-# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
-# the Red Hat-specific init script which we aren't using, so we disable that.
-EXTRA_OECONF = "\
-    --without-ipset \
-    --with-iptables=${sbindir}/iptables \
-    --with-iptables-restore=${sbindir}/iptables-restore \
-    --with-ip6tables=${sbindir}/ip6tables \
-    --with-ip6tables-restore=${sbindir}/ip6tables-restore \
-    --without-ebtables \
-    --without-ebtables-restore \
-    --disable-sysconfig \
-"
-INITSCRIPT_NAME = "firewalld"
-SYSTEMD_SERVICE:${PN} = "firewalld.service"
-do_install:append() {
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        :
-    else
-        # firewalld ships an init script but it contains Red Hat-isms, replace it with our own
-        rm -rf ${D}${sysconfdir}/rc.d/
-        install -d ${D}${sysconfdir}/init.d
-        install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
-    fi
-    # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
-    # so now we need to fix up any references to point at the proper path in the image.
-    # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
-    if [ ${PN} != "${BPN}-native" ]; then
-        sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
-            ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
-    fi
-    sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
-        ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
-    # This file contains Red Hat-isms. Modules get loaded without it.
-    rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
-}
-FILES:${PN} += "\
-    ${PYTHON_SITEPACKAGES_DIR}/firewall \
-    ${nonarch_libdir}/firewalld \
-    ${datadir}/dbus-1 \
-    ${datadir}/polkit-1 \
-    ${datadir}/metainfo \
-"
-FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
-RDEPENDS:${PN} = "\
-    nftables-python \
-    iptables \
-    python3-core \
-    python3-io \
-    python3-fcntl \
-    python3-shell \
-    python3-syslog \
-    python3-xml \
-    python3-dbus \
-    python3-slip-dbus \
-    python3-decorator \
-    python3-pygobject \
-    python3-json \
-    python3-ctypes \
-"
diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb
new file mode 100644
index 0000000000..00e851f450
--- /dev/null
+++ b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb
@@ -0,0 +1,297 @@
+SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
+HOMEPAGE = "https://firewalld.org/"
+BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
+UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+SRC_URI = "\
+    https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
+    file://firewalld.init \
+    file://run-ptest \
+"
+SRC_URI[sha256sum] = "1dcd314ff836b2ce69f15f60fc7d50bd77ed359d784f9b3c07f2d394ea570e4c"
+# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
+DEPENDS = "intltool-native glib-2.0-native nftables"
+inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
+PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
+PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
+PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset"
+PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables"
+# The UIs are not yet tested and the dependencies are probably not quite correct yet.
+# Splitting into separate packages is beneficial so that no dead code is transferred
+# to the target device.
+# Without enabling qt5, the firewalld-config package is not usable.
+# Without enabling qt5 and gtk, the firewalld-applet package is not usable.
+PACKAGECONFIG[qt5] = ""
+PACKAGECONFIG[gtk] = ""
+PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion"
+# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
+# when the nftables backend is available, because nftables supersedes all of them.
+# However we still need iptables and ip6tables to be available otherwise any
+# application relying on "direct passthrough" rules (such as docker) will break.
+# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
+# the Red Hat-specific init script which we aren't using, so we disable that.
+EXTRA_OECONF = "\
+    --with-iptables=${sbindir}/iptables \
+    --with-iptables-restore=${sbindir}/iptables-restore \
+    --with-ip6tables=${sbindir}/ip6tables \
+    --with-ip6tables-restore=${sbindir}/ip6tables-restore \
+    --disable-sysconfig \
+"
+INITSCRIPT_NAME = "firewalld"
+SYSTEMD_SERVICE:${PN} = "firewalld.service"
+# kernel modules loaded after ptest execution (linux-yocto 5.15)
+FIREWALLD_KERNEL_MODULES ?= "\
+    xt_tcpudp \
+    xt_TCPMSS \
+    xt_set \
+    xt_sctp \
+    xt_REDIRECT \
+    xt_pkttype \
+    xt_NFLOG \
+    xt_nat \
+    xt_MASQUERADE \
+    xt_mark \
+    xt_mac \
+    xt_LOG \
+    xt_limit \
+    xt_dccp \
+    xt_CT \
+    xt_conntrack \
+    xt_CHECKSUM \
+    nft_redir \
+    nft_objref \
+    nft_nat \
+    nft_masq \
+    nft_log \
+    nfnetlink_log \
+    nf_nat_tftp \
+    nf_nat_sip \
+    nf_nat_ftp \
+    nf_log_syslog \
+    nf_conntrack_tftp \
+    nf_conntrack_sip \
+    nf_conntrack_netbios_ns \
+    nf_conntrack_ftp \
+    nf_conntrack_broadcast \
+    ipt_REJECT \
+    ip6t_rpfilter \
+    ip6t_REJECT \
+    ip_set_hash_netport \
+    ip_set_hash_netnet \
+    ip_set_hash_netiface \
+    ip_set_hash_net \
+    ip_set_hash_mac \
+    ip_set_hash_ipportnet \
+    ip_set_hash_ipport \
+    ip_set_hash_ipmark \
+    ip_set_hash_ip \
+    ebt_ip6 \
+    nft_fib_inet \
+    nft_fib_ipv4 \
+    nft_fib_ipv6 \
+    nft_fib \
+    nft_reject_inet \
+    nf_reject_ipv4 \
+    nf_reject_ipv6 \
+    nft_reject \
+    nft_ct \
+    nft_chain_nat \
+    ebtable_nat \
+    ebtable_broute \
+    ip6table_nat \
+    ip6table_mangle \
+    ip6table_raw \
+    ip6table_security \
+    iptable_nat \
+    nf_nat \
+    nf_conntrack \
+    nf_defrag_ipv6 \
+    nf_defrag_ipv4 \
+    iptable_mangle \
+    iptable_raw \
+    iptable_security \
+    ip_set \
+    ebtable_filter \
+    ebtables \
+    ip6table_filter \
+    ip6_tables \
+    iptable_filter \
+    ip_tables \
+    x_tables \
+    sch_fq_codel \
+"
+do_install:append() {
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
+        # firewalld ships an init script but it contains Red Hat-isms, replace it with our own
+        rm -rf ${D}${sysconfdir}/rc.d/
+        install -d ${D}${sysconfdir}/init.d
+        install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
+    fi
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then
+        # Delete polkit profiles if polkit is not available
+        rm -rf ${D}${datadir}/polkit-1
+    fi
+    # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
+    # so now we need to fix up any references to point at the proper path in the image.
+    # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
+    if [ ${PN} != "${BPN}-native" ]; then
+        sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
+            ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
+    fi
+    sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
+        ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
+    # This file contains Red Hat-isms. Modules get loaded without it.
+    rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
+}
+do_install_ptest:append() {
+    # Add kernel modules to the ptest script
+    if [ ${PTEST_ENABLED} = "1" ]; then
+        sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \
+            ${D}${PTEST_PATH}/run-ptest
+    fi
+}
+SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)"
+FILES:python3-firewall = "\
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \
+    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \
+"
+RDEPENDS:python3-firewall = "\
+    python3-dbus \
+    nftables-python \
+    python3-pygobject \
+"
+# Do not depend on QT5 layer and GTK deps if not explicitely required.
+FIREWALLD_QT5_RDEPENDS = "\
+    ${PN}-config \
+    hicolor-icon-theme \
+    python3-pyqt5 \
+    python3-pygobject \
+    libnotify \
+    networkmanager \
+"
+FIREWALLD_GTK_RDEPENDS = "\
+    gtk3 \
+"
+# A QT5 based UI
+SUMMARY:${PN}-config = "${SUMMARY} (configuration application)"
+FILES:${PN}-config = "\
+    ${bindir}/firewall-config \
+    ${datadir}/firewalld/firewall-config.glade \
+    ${datadir}/firewalld/gtk3_chooserbutton.py* \
+    ${datadir}/firewalld/gtk3_niceexpander.py* \
+    ${datadir}/applications/firewall-config.desktop \
+    ${datadir}/metainfo/firewall-config.appdata.xml \
+    ${datadir}/icons/hicolor/*/apps/firewall-config*.* \
+"
+RDEPENDS:${PN}-config += "\
+    python3-core \
+    python3-ctypes \
+    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
+"
+# A GTK3 applet depending on the QT5 firewall-config UI
+SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)"
+FILES:${PN}-applet += "\
+    ${bindir}/firewall-applet \
+    ${sysconfdir}/xdg/autostart/firewall-applet.desktop \
+    ${sysconfdir}/firewall/applet.conf \
+    ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \
+"
+RDEPENDS:${PN}-applet += "\
+    python3-core \
+    python3-ctypes \
+    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \
+"
+SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)"
+FILES:${PN}-offline-cmd += " \
+    ${bindir}/firewall-offline-cmd \
+"
+RDEPENDS:${PN}-offline-cmd += "python3-core"
+# To get allmost all tests passing
+# - Enable PACKAGECONFIG ipset, ebtable
+# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests)
+FILES:${PN}-ptest += "\
+    ${datadir}/firewalld/testsuite \
+"
+RDEPENDS:${PN}-ptest += "\
+    python3-unittest \
+    ${PN}-offline-cmd \
+    procps-ps \
+    iproute2 \
+"
+RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"
+FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
+FILES:${PN} += "\
+    ${PYTHON_SITEPACKAGES_DIR}/firewall \
+    ${nonarch_libdir}/firewalld \
+    ${datadir}/dbus-1 \
+    ${datadir}/polkit-1 \
+    ${datadir}/metainfo \
+    ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \
+"
+RDEPENDS:${PN} += "\
+    python3-firewall \
+    iptables \
+    python3-core \
+    python3-io \
+    python3-fcntl \
+    python3-syslog \
+    python3-xml \
+    python3-json \
+    python3-ctypes \
+    python3-pprint \
+"
+# Add required kernel modules. With Yocto kernel 5.15 this currently means:
+# - features/nf_tables/nf_tables.scc
+# - features/netfilter/netfilter.scc
+# - cgl/features/audit/audit.scc
+# - cfg/net/ip6_nf.scc
+# - Plus:
+#   - ebtables
+#   - ipset
+#   - CONFIG_IP6_NF_SECURITY=m
+#   - CONFIG_IP6_NF_MATCH_RPFILTER=m
+#   - CONFIG_IP6_NF_TARGET_REJECT=m
+#   - CONFIG_NFT_OBJREF=m
+#   - CONFIG_NFT_FIB=m
+#   - CONFIG_NFT_FIB_INET=m
+#   - CONFIG_NFT_FIB_IPV4=m
+#   - CONFIG_NFT_FIB_IPV6=m
+#   - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
+#   - CONFIG_NETFILTER_XT_SET=m
+def get_kernel_deps(d):
+    kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split()
+    return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ])
+RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}"

diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest new file mode 100644 index 0000000000..9d3ec79042 --- /dev/null +++ b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/files/run-ptest
@@ -0,0 +1,21 @@
		1	#!/bin/sh
		2
		3	ret_val=0
		4
		5	# Check if all the kernel modules are available
		6	FIREWALLD_KERNEL_MODULES="@@FIREWALLD_KERNEL_MODULES@@"
		7	for m in $FIREWALLD_KERNEL_MODULES; do
		8	if modprobe $m; then
		9	echo "PASS: loading $m"
		10	else
		11	echo "FAIL: loading $m"
		12	ret_val=1
		13	fi
		14	done
		15
		16	# Run the test suite from firewalld
		17	# Failing testsuites: 203 226 241 250 270 280 281 282 285 286
		18	# Problem icmpv6 compared against ipv6-icmptype?
		19	/usr/share/firewalld/testsuite/testsuite -C /tmp -A \|\| ret_val=1
		20
		21	exit $ret_val


diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb deleted file mode 100644 index 1dea339535..0000000000 --- a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_0.9.4.bb +++ /dev/null
@@ -1,92 +0,0 @@
1	SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
2	HOMEPAGE = "https://firewalld.org/"
3	BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
4	UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
5	LICENSE = "GPL-2.0-or-later"
6	LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
7
8	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
9	file://firewalld.init \
10	"
11	SRC_URI[sha256sum] = "52c5e3d5b1e2efc0e86c22b2bc1f7fd80908cc2d8130157dc2a3517a59b0a760"
12
13	# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
14	DEPENDS = "intltool-native glib-2.0-native nftables"
15
16	inherit gettext autotools bash-completion pkgconfig python3native gsettings systemd update-rc.d
17
18	PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
19	PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
20	PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
21
22	PACKAGES += "${PN}-zsh-completion"
23
24	# iptables, ip6tables, ebtables, and ipset should be unnecessary
25	# when the nftables backend is available, because nftables supersedes all of them.
26	# However we still need iptables and ip6tables to be available otherwise any
27	# application relying on "direct passthrough" rules (such as docker) will break.
28	# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
29	# the Red Hat-specific init script which we aren't using, so we disable that.
30	EXTRA_OECONF = "\
31	--without-ipset \
32	--with-iptables=${sbindir}/iptables \
33	--with-iptables-restore=${sbindir}/iptables-restore \
34	--with-ip6tables=${sbindir}/ip6tables \
35	--with-ip6tables-restore=${sbindir}/ip6tables-restore \
36	--without-ebtables \
37	--without-ebtables-restore \
38	--disable-sysconfig \
39	"
40
41	INITSCRIPT_NAME = "firewalld"
42	SYSTEMD_SERVICE:${PN} = "firewalld.service"
43
44	do_install:append() {
45	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
46	:
47	else
48	# firewalld ships an init script but it contains Red Hat-isms, replace it with our own
49	rm -rf ${D}${sysconfdir}/rc.d/
50	install -d ${D}${sysconfdir}/init.d
51	install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
52	fi
53
54	# We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
55	# so now we need to fix up any references to point at the proper path in the image.
56	# This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
57	if [ ${PN} != "${BPN}-native" ]; then
58	sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
59	${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
60	fi
61	sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
62	${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
63
64	# This file contains Red Hat-isms. Modules get loaded without it.
65	rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
66	}
67
68	FILES:${PN} += "\
69	${PYTHON_SITEPACKAGES_DIR}/firewall \
70	${nonarch_libdir}/firewalld \
71	${datadir}/dbus-1 \
72	${datadir}/polkit-1 \
73	${datadir}/metainfo \
74	"
75	FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
76
77	RDEPENDS:${PN} = "\
78	nftables-python \
79	iptables \
80	python3-core \
81	python3-io \
82	python3-fcntl \
83	python3-shell \
84	python3-syslog \
85	python3-xml \
86	python3-dbus \
87	python3-slip-dbus \
88	python3-decorator \
89	python3-pygobject \
90	python3-json \
91	python3-ctypes \
92	"


diff --git a/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb new file mode 100644 index 0000000000..00e851f450 --- /dev/null +++ b/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.1.1.bb
@@ -0,0 +1,297 @@
		1	SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
		2	HOMEPAGE = "https://firewalld.org/"
		3	BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
		4	UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
		5	LICENSE = "GPL-2.0-or-later"
		6	LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
		7
		8	SRC_URI = "\
		9	https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
		10	file://firewalld.init \
		11	file://run-ptest \
		12	"
		13	SRC_URI[sha256sum] = "1dcd314ff836b2ce69f15f60fc7d50bd77ed359d784f9b3c07f2d394ea570e4c"
		14
		15	# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
		16	DEPENDS = "intltool-native glib-2.0-native nftables"
		17
		18	inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest
		19
		20	PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
		21	PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
		22	PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
		23	PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset"
		24	PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables"
		25
		26	# The UIs are not yet tested and the dependencies are probably not quite correct yet.
		27	# Splitting into separate packages is beneficial so that no dead code is transferred
		28	# to the target device.
		29	# Without enabling qt5, the firewalld-config package is not usable.
		30	# Without enabling qt5 and gtk, the firewalld-applet package is not usable.
		31	PACKAGECONFIG[qt5] = ""
		32	PACKAGECONFIG[gtk] = ""
		33
		34	PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion"
		35
		36	# iptables, ip6tables, ebtables, and ipset should be unnecessary
		37	# when the nftables backend is available, because nftables supersedes all of them.
		38	# However we still need iptables and ip6tables to be available otherwise any
		39	# application relying on "direct passthrough" rules (such as docker) will break.
		40	# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
		41	# the Red Hat-specific init script which we aren't using, so we disable that.
		42	EXTRA_OECONF = "\
		43	--with-iptables=${sbindir}/iptables \
		44	--with-iptables-restore=${sbindir}/iptables-restore \
		45	--with-ip6tables=${sbindir}/ip6tables \
		46	--with-ip6tables-restore=${sbindir}/ip6tables-restore \
		47	--disable-sysconfig \
		48	"
		49
		50	INITSCRIPT_NAME = "firewalld"
		51	SYSTEMD_SERVICE:${PN} = "firewalld.service"
		52
		53	# kernel modules loaded after ptest execution (linux-yocto 5.15)
		54	FIREWALLD_KERNEL_MODULES ?= "\
		55	xt_tcpudp \
		56	xt_TCPMSS \
		57	xt_set \
		58	xt_sctp \
		59	xt_REDIRECT \
		60	xt_pkttype \
		61	xt_NFLOG \
		62	xt_nat \
		63	xt_MASQUERADE \
		64	xt_mark \
		65	xt_mac \
		66	xt_LOG \
		67	xt_limit \
		68	xt_dccp \
		69	xt_CT \
		70	xt_conntrack \
		71	xt_CHECKSUM \
		72	nft_redir \
		73	nft_objref \
		74	nft_nat \
		75	nft_masq \
		76	nft_log \
		77	nfnetlink_log \
		78	nf_nat_tftp \
		79	nf_nat_sip \
		80	nf_nat_ftp \
		81	nf_log_syslog \
		82	nf_conntrack_tftp \
		83	nf_conntrack_sip \
		84	nf_conntrack_netbios_ns \
		85	nf_conntrack_ftp \
		86	nf_conntrack_broadcast \
		87	ipt_REJECT \
		88	ip6t_rpfilter \
		89	ip6t_REJECT \
		90	ip_set_hash_netport \
		91	ip_set_hash_netnet \
		92	ip_set_hash_netiface \
		93	ip_set_hash_net \
		94	ip_set_hash_mac \
		95	ip_set_hash_ipportnet \
		96	ip_set_hash_ipport \
		97	ip_set_hash_ipmark \
		98	ip_set_hash_ip \
		99	ebt_ip6 \
		100	nft_fib_inet \
		101	nft_fib_ipv4 \
		102	nft_fib_ipv6 \
		103	nft_fib \
		104	nft_reject_inet \
		105	nf_reject_ipv4 \
		106	nf_reject_ipv6 \
		107	nft_reject \
		108	nft_ct \
		109	nft_chain_nat \
		110	ebtable_nat \
		111	ebtable_broute \
		112	ip6table_nat \
		113	ip6table_mangle \
		114	ip6table_raw \
		115	ip6table_security \
		116	iptable_nat \
		117	nf_nat \
		118	nf_conntrack \
		119	nf_defrag_ipv6 \
		120	nf_defrag_ipv4 \
		121	iptable_mangle \
		122	iptable_raw \
		123	iptable_security \
		124	ip_set \
		125	ebtable_filter \
		126	ebtables \
		127	ip6table_filter \
		128	ip6_tables \
		129	iptable_filter \
		130	ip_tables \
		131	x_tables \
		132	sch_fq_codel \
		133	"
		134
		135	do_install:append() {
		136	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
		137	# firewalld ships an init script but it contains Red Hat-isms, replace it with our own
		138	rm -rf ${D}${sysconfdir}/rc.d/
		139	install -d ${D}${sysconfdir}/init.d
		140	install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
		141	fi
		142
		143	if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then
		144	# Delete polkit profiles if polkit is not available
		145	rm -rf ${D}${datadir}/polkit-1
		146	fi
		147
		148	# We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
		149	# so now we need to fix up any references to point at the proper path in the image.
		150	# This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
		151	if [ ${PN} != "${BPN}-native" ]; then
		152	sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
		153	${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
		154	fi
		155	sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
		156	${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
		157
		158	# This file contains Red Hat-isms. Modules get loaded without it.
		159	rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
		160	}
		161
		162	do_install_ptest:append() {
		163	# Add kernel modules to the ptest script
		164	if [ ${PTEST_ENABLED} = "1" ]; then
		165	sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \
		166	${D}${PTEST_PATH}/run-ptest
		167	fi
		168	}
		169
		170	SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)"
		171	FILES:python3-firewall = "\
		172	${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/.py \
		173	${PYTHON_SITEPACKAGES_DIR}/firewall/.py \
		174	${PYTHON_SITEPACKAGES_DIR}/firewall/config/.py \
		175	${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/.py \
		176	${PYTHON_SITEPACKAGES_DIR}/firewall/core/.py \
		177	${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/.py \
		178	${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/.py \
		179	${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/.py \
		180	${PYTHON_SITEPACKAGES_DIR}/firewall/server/.py \
		181	${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/.py \
		182	"
		183	RDEPENDS:python3-firewall = "\
		184	python3-dbus \
		185	nftables-python \
		186	python3-pygobject \
		187	"
		188
		189	# Do not depend on QT5 layer and GTK deps if not explicitely required.
		190	FIREWALLD_QT5_RDEPENDS = "\
		191	${PN}-config \
		192	hicolor-icon-theme \
		193	python3-pyqt5 \
		194	python3-pygobject \
		195	libnotify \
		196	networkmanager \
		197	"
		198	FIREWALLD_GTK_RDEPENDS = "\
		199	gtk3 \
		200	"
		201
		202	# A QT5 based UI
		203	SUMMARY:${PN}-config = "${SUMMARY} (configuration application)"
		204	FILES:${PN}-config = "\
		205	${bindir}/firewall-config \
		206	${datadir}/firewalld/firewall-config.glade \
		207	${datadir}/firewalld/gtk3_chooserbutton.py* \
		208	${datadir}/firewalld/gtk3_niceexpander.py* \
		209	${datadir}/applications/firewall-config.desktop \
		210	${datadir}/metainfo/firewall-config.appdata.xml \
		211	${datadir}/icons/hicolor//apps/firewall-config.* \
		212	"
		213	RDEPENDS:${PN}-config += "\
		214	python3-core \
		215	python3-ctypes \
		216	${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
		217	"
		218
		219	# A GTK3 applet depending on the QT5 firewall-config UI
		220	SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)"
		221	FILES:${PN}-applet += "\
		222	${bindir}/firewall-applet \
		223	${sysconfdir}/xdg/autostart/firewall-applet.desktop \
		224	${sysconfdir}/firewall/applet.conf \
		225	${datadir}/icons/hicolor//apps/firewall-applet.* \
		226	"
		227	RDEPENDS:${PN}-applet += "\
		228	python3-core \
		229	python3-ctypes \
		230	${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
		231	${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \
		232	"
		233
		234	SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)"
		235	FILES:${PN}-offline-cmd += " \
		236	${bindir}/firewall-offline-cmd \
		237	"
		238	RDEPENDS:${PN}-offline-cmd += "python3-core"
		239
		240	# To get allmost all tests passing
		241	# - Enable PACKAGECONFIG ipset, ebtable
		242	# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests)
		243	FILES:${PN}-ptest += "\
		244	${datadir}/firewalld/testsuite \
		245	"
		246	RDEPENDS:${PN}-ptest += "\
		247	python3-unittest \
		248	${PN}-offline-cmd \
		249	procps-ps \
		250	iproute2 \
		251	"
		252	RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"
		253
		254	FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
		255
		256	FILES:${PN} += "\
		257	${PYTHON_SITEPACKAGES_DIR}/firewall \
		258	${nonarch_libdir}/firewalld \
		259	${datadir}/dbus-1 \
		260	${datadir}/polkit-1 \
		261	${datadir}/metainfo \
		262	${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \
		263	"
		264	RDEPENDS:${PN} += "\
		265	python3-firewall \
		266	iptables \
		267	python3-core \
		268	python3-io \
		269	python3-fcntl \
		270	python3-syslog \
		271	python3-xml \
		272	python3-json \
		273	python3-ctypes \
		274	python3-pprint \
		275	"
		276	# Add required kernel modules. With Yocto kernel 5.15 this currently means:
		277	# - features/nf_tables/nf_tables.scc
		278	# - features/netfilter/netfilter.scc
		279	# - cgl/features/audit/audit.scc
		280	# - cfg/net/ip6_nf.scc
		281	# - Plus:
		282	# - ebtables
		283	# - ipset
		284	# - CONFIG_IP6_NF_SECURITY=m
		285	# - CONFIG_IP6_NF_MATCH_RPFILTER=m
		286	# - CONFIG_IP6_NF_TARGET_REJECT=m
		287	# - CONFIG_NFT_OBJREF=m
		288	# - CONFIG_NFT_FIB=m
		289	# - CONFIG_NFT_FIB_INET=m
		290	# - CONFIG_NFT_FIB_IPV4=m
		291	# - CONFIG_NFT_FIB_IPV6=m
		292	# - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
		293	# - CONFIG_NETFILTER_XT_SET=m
		294	def get_kernel_deps(d):
		295	kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split()
		296	return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ])
		297	RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}"