MIRRORS/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2025-07-19 15:29:08 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
3cdf5b51f1
meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.3.2.bb
Khem Raj ffc64e9c6f
recipes: Start WORKDIR -> UNPACKDIR transition 
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-05-23 08:44:44 -07:00

313 lines
10 KiB
BlitzBasic
Raw Blame History

SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
HOMEPAGE = "https://firewalld.org/"
BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRC_URI = "\
https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.bz2 \
file://firewalld.init \
file://run-ptest \
"
SRC_URI[sha256sum] = "aba0d8ce9617b906ea4866bf0bdfb2c2d5312f53b8e9e8e9e4d49bf330da5b5e"
# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
DEPENDS = "intltool-native glib-2.0-native nftables"
inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest features_check
REQUIRED_DISTRO_FEATURES = "gobject-introspection-data"
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset"
PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables"
# Default logging configuration: mixed syslog file console
FIREWALLD_DEFAULT_LOG_TARGET ??= "syslog"
# The UIs are not yet tested and the dependencies are probably not quite correct yet.
# Splitting into separate packages is beneficial so that no dead code is transferred
# to the target device.
# Without enabling qt5, the firewalld-config package is not usable.
# Without enabling qt5 and gtk, the firewalld-applet package is not usable.
PACKAGECONFIG[qt5] = ""
PACKAGECONFIG[gtk] = ""
PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion ${PN}-log-rotate"
# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
# when the nftables backend is available, because nftables supersedes all of them.
# However we still need iptables and ip6tables to be available otherwise any
# application relying on "direct passthrough" rules (such as docker) will break.
# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
# the Red Hat-specific init script which we aren't using, so we disable that.
EXTRA_OECONF = "\
--with-iptables=${sbindir}/iptables \
--with-iptables-restore=${sbindir}/iptables-restore \
--with-ip6tables=${sbindir}/ip6tables \
--with-ip6tables-restore=${sbindir}/ip6tables-restore \
--disable-sysconfig \
"
INITSCRIPT_NAME = "firewalld"
SYSTEMD_SERVICE:${PN} = "firewalld.service"
# kernel modules loaded after ptest execution (linux-yocto 5.15)
FIREWALLD_KERNEL_MODULES ?= "\
xt_tcpudp \
xt_TCPMSS \
xt_set \
xt_sctp \
xt_REDIRECT \
xt_pkttype \
xt_NFLOG \
xt_nat \
xt_MASQUERADE \
xt_mark \
xt_mac \
xt_LOG \
xt_limit \
xt_dccp \
xt_CT \
xt_conntrack \
xt_CHECKSUM \
nft_redir \
nft_objref \
nft_nat \
nft_masq \
nft_log \
nfnetlink_log \
nf_nat_tftp \
nf_nat_sip \
nf_nat_ftp \
nf_log_syslog \
nf_conntrack_tftp \
nf_conntrack_sip \
nf_conntrack_netbios_ns \
nf_conntrack_ftp \
nf_conntrack_broadcast \
ipt_REJECT \
ip6t_rpfilter \
ip6t_REJECT \
ip_set_hash_netport \
ip_set_hash_netnet \
ip_set_hash_netiface \
ip_set_hash_net \
ip_set_hash_mac \
ip_set_hash_ipportnet \
ip_set_hash_ipport \
ip_set_hash_ipmark \
ip_set_hash_ip \
ebt_ip6 \
nft_fib_inet \
nft_fib_ipv4 \
nft_fib_ipv6 \
nft_fib \
nft_reject_inet \
nf_reject_ipv4 \
nf_reject_ipv6 \
nft_reject \
nft_ct \
nft_chain_nat \
ebtable_nat \
ebtable_broute \
ip6table_nat \
ip6table_mangle \
ip6table_raw \
ip6table_security \
iptable_nat \
nf_nat \
nf_conntrack \
nf_defrag_ipv6 \
nf_defrag_ipv4 \
iptable_mangle \
iptable_raw \
iptable_security \
ip_set \
ebtable_filter \
ebtables \
ip6table_filter \
ip6_tables \
iptable_filter \
ip_tables \
x_tables \
sch_fq_codel \
"
do_configure:prepend() {
export DEFAULT_LOG_TARGET=${FIREWALLD_DEFAULT_LOG_TARGET}
}
do_install:append() {
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
# firewalld ships an init script but it contains Red Hat-isms, replace it with our own
rm -rf ${D}${sysconfdir}/rc.d/
install -d ${D}${sysconfdir}/init.d
install -m0755 ${UNPACKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
fi
if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then
# Delete polkit profiles if polkit is not available
rm -rf ${D}${datadir}/polkit-1
fi
# We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
# so now we need to fix up any references to point at the proper path in the image.
# This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
if [ ${PN} != "${BPN}-native" ]; then
sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
fi
sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
# This file contains Red Hat-isms. Modules get loaded without it.
rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
}
do_install_ptest:append() {
# Add kernel modules to the ptest script
if [ ${PTEST_ENABLED} = "1" ]; then
sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \
${D}${PTEST_PATH}/run-ptest
fi
}
SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)"
FILES:python3-firewall = "\
${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \
${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \
${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \
${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \
${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \
${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \
${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \
${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \
${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \
${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \
"
RDEPENDS:python3-firewall = "\
python3-dbus \
nftables-python \
python3-pygobject \
"
# Do not depend on QT5 layer and GTK deps if not explicitely required.
FIREWALLD_QT5_RDEPENDS = "\
${PN}-config \
hicolor-icon-theme \
python3-pyqt5 \
python3-pygobject \
libnotify \
networkmanager \
"
FIREWALLD_GTK_RDEPENDS = "\
gtk3 \
"
# A QT5 based UI
SUMMARY:${PN}-config = "${SUMMARY} (configuration application)"
FILES:${PN}-config = "\
${bindir}/firewall-config \
${datadir}/firewalld/firewall-config.glade \
${datadir}/firewalld/gtk3_chooserbutton.py* \
${datadir}/firewalld/gtk3_niceexpander.py* \
${datadir}/applications/firewall-config.desktop \
${datadir}/metainfo/firewall-config.appdata.xml \
${datadir}/icons/hicolor/*/apps/firewall-config*.* \
"
RDEPENDS:${PN}-config += "\
python3-core \
python3-ctypes \
${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
"
# A GTK3 applet depending on the QT5 firewall-config UI
SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)"
FILES:${PN}-applet += "\
${bindir}/firewall-applet \
${sysconfdir}/xdg/autostart/firewall-applet.desktop \
${sysconfdir}/firewall/applet.conf \
${datadir}/icons/hicolor/*/apps/firewall-applet*.* \
"
RDEPENDS:${PN}-applet += "\
python3-core \
python3-ctypes \
${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \
"
SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)"
FILES:${PN}-offline-cmd += " \
${bindir}/firewall-offline-cmd \
"
RDEPENDS:${PN}-offline-cmd += "python3-core"
SUMMARY:${PN}-log-rotate = "${SUMMARY} (log-rotate configuration)"
FILES:${PN}-log-rotate += "${sysconfdir}/logrotate.d"
# To get allmost all tests passing
# - Enable PACKAGECONFIG ipset, ebtable
# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests)
FILES:${PN}-ptest += "\
${datadir}/firewalld/testsuite \
"
RDEPENDS:${PN}-ptest += "\
python3-unittest \
${PN}-offline-cmd \
procps-ps \
iproute2 \
"
RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"
FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
FILES:${PN} += "\
${PYTHON_SITEPACKAGES_DIR}/firewall \
${nonarch_libdir}/firewalld \
${datadir}/dbus-1 \
${datadir}/polkit-1 \
${datadir}/metainfo \
${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \
"
RDEPENDS:${PN} += "\
python3-firewall \
iptables \
python3-core \
python3-io \
python3-fcntl \
python3-syslog \
python3-xml \
python3-json \
python3-ctypes \
python3-pprint \
"
# If firewalld writes a log file rotation is needed
RRECOMMENDS:${PN} += "${@bb.utils.contains_any('FIREWALLD_DEFAULT_LOG_TARGET', [ 'mixed', 'file' ], '${PN}-log-rotate', '', d)}"
# Add required kernel modules. With Yocto kernel 5.15 this currently means:
# - features/nf_tables/nf_tables.scc
# - features/netfilter/netfilter.scc
# - cgl/features/audit/audit.scc
# - cfg/net/ip6_nf.scc
# - Plus:
# - ebtables
# - ipset
# - CONFIG_IP6_NF_SECURITY=m
# - CONFIG_IP6_NF_MATCH_RPFILTER=m
# - CONFIG_IP6_NF_TARGET_REJECT=m
# - CONFIG_NFT_OBJREF=m
# - CONFIG_NFT_FIB=m
# - CONFIG_NFT_FIB_INET=m
# - CONFIG_NFT_FIB_IPV4=m
# - CONFIG_NFT_FIB_IPV6=m
# - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
# - CONFIG_NETFILTER_XT_SET=m
def get_kernel_deps(d):
kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split()
return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ])
RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}"
Reference in New Issue View Git Blame Copy Permalink