From patchwork Thu May 7 23:14:53 2020
From: aduskett@gmail.com
To: buildroot@buildroot.org
Cc: Asaf Kahlon, Adam Duskett
Date: Thu, 7 May 2020 16:14:53 -0700
Message-Id: <20200507231457.2093052-1-aduskett@gmail.com>
Subject: [Buildroot] [PATCH/next v4 1/5] package/nftable: bear the kernel options munging

From: Adam Duskett

Signed-off-by: Adam Duskett
---
Changes v1 -> v4:
  - Add this patch to the series

package/nftables/nftables.mk | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/package/nftables/nftables.mk b/package/nftables/nftables.mk index 7f797797db..c5503e2039 100644 --- a/package/nftables/nftables.mk +++ b/package/nftables/nftables.mk 
@@ -47,4 +47,10 @@ endif NFTABLES_CONF_ENV = LIBS="$(NFTABLES_LIBS)" +define NFTABLES_LINUX_CONFIG_FIXUPS + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_INET) +endef + $(eval $(autotools-package))
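
Review bot: NFTABLES_LINUX_CONFIG_FIXUPS in package/nftables/nftables.mk has no comment, and the commit message has no body, so nothing records why CONFIG_NETFILTER, CONFIG_NF_TABLES and CONFIG_NF_TABLES_INET are the set being forced on. Please add a comment above the define saying what needs these options at run time, and confirm whether any of the three has kernel-side dependencies that also need a KCONFIG_ENABLE_OPT line here. The subject prefix reads package/nftable while the path touched is package/nftables.
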
From: aduskett@gmail.com
To: buildroot@buildroot.org
Cc: Asaf Kahlon, Adam Duskett
Date: Thu, 7 May 2020 16:14:54 -0700
Message-Id: <20200507231457.2093052-2-aduskett@gmail.com>
In-Reply-To: <20200507231457.2093052-1-aduskett@gmail.com>
References: <20200507231457.2093052-1-aduskett@gmail.com>
Subject: [Buildroot] [PATCH/next v4 2/5] package/python-slip-dbus: new package

From: Adam Duskett

This package provides a dbus.service.Object derivative that ends itself
after a certain time without being used and/or if there are no clients
anymore on the message bus. The package also provides a set of
convenience functions and decorators for integrating a dbus service
with PolicyKit.

Firewalld depends on this package.

Signed-off-by: Adam Duskett
---
Changes v1 -> v2:
  - Combine dependency comment (Yann)
  - Add a more detailed commit message. (Yann)
  - Add an explanation for the PYTHON_SLIP_DBUS_APPEND_VERSION hook. (Yann)

Changes v3 -> v4:
  - Clean up sed logic (Yann)
  - Switch to using the tar.bz2 package from github (Yann)
  - Add a missing dependency on wchar (Yann)

DEVELOPERS | 1 + package/Config.in | 1 + package/python-slip-dbus/Config.in | 28 +++++++++++++++++++ .../python-slip-dbus/python-slip-dbus.hash | 3 ++ package/python-slip-dbus/python-slip-dbus.mk | 23 +++++++++++++++ 5 files changed, 56 insertions(+) create mode 100644 package/python-slip-dbus/Config.in create mode 100644 package/python-slip-dbus/python-slip-dbus.hash create mode 100644 package/python-slip-dbus/python-slip-dbus.mk diff --git a/DEVELOPERS b/DEVELOPERS index e427ab15d4..906dfb92b3 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -75,6 +75,7 @@ F: package/python-nested-dict/ F: package/python-pbr/ F: package/python-pip/ F: package/python-psycopg2/ +F: package/python-slip-dbus/ F: package/python-smmap2/ F: package/python-sqlalchemy/ F: package/python-sqlparse/ diff --git a/package/Config.in b/package/Config.in index c12676d859..206a73f168 100644 --- a/package/Config.in +++ b/package/Config.in @@ -1151,6 +1151,7 @@ menu "External python modules" source "package/python-singledispatch/Config.in" source "package/python-sip/Config.in" source "package/python-six/Config.in" + source "package/python-slip-dbus/Config.in" source "package/python-slob/Config.in" source "package/python-smbus-cffi/Config.in" source "package/python-smmap2/Config.in" diff --git a/package/python-slip-dbus/Config.in b/package/python-slip-dbus/Config.in new file mode 100644 index 0000000000..25854f2708 --- /dev/null +++ b/package/python-slip-dbus/Config.in 
@@ -0,0 +1,28 @@ +config BR2_PACKAGE_PYTHON_SLIP_DBUS + bool "python-slip-dbus" + depends on BR2_USE_MMU # libglib2, gobject-introspection + depends on BR2_USE_WCHAR # dbus-python + depends on BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS # gobject-introspection + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # gobject-introspection + depends on BR2_TOOLCHAIN_HAS_THREADS # dbus, dbus-python, python3 + depends on BR2_TOOLCHAIN_USES_GLIBC # gobject-introspection + depends on BR2_PACKAGE_PYTHON3 # gobject-introspection, python-gobject + select BR2_PACKAGE_DBUS # runtime + select BR2_PACKAGE_DBUS_PYTHON # runtime + select BR2_PACKAGE_PYTHON_DECORATOR # runtime + select BR2_PACKAGE_PYTHON_GOBJECT # runtime + select BR2_PACKAGE_PYTHON_SIX # runtime + help + A dbus.service.Object derivative that ends + itself after a certain time without being used and/or if there + are no clients anymore on the message bus, as well as + convenience functions and decorators for integrating a dbus + service with PolicyKit. + + https://github.com/nphilipp/python-slip + +comment "python-slip-dbus needs python3, and a glibc toolchain w/ gcc >= 4.9, wchar, threads" + depends on BR2_USE_MMU + depends on BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS + depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || !BR2_TOOLCHAIN_USES_GLIBC \ + || !BR2_TOOLCHAIN_HAS_THREADS || !BR2_PACKAGE_PYTHON3 diff --git a/package/python-slip-dbus/python-slip-dbus.hash b/package/python-slip-dbus/python-slip-dbus.hash new file mode 100644 index 0000000000..2dd3658396 --- /dev/null +++ b/package/python-slip-dbus/python-slip-dbus.hash @@ -0,0 +1,3 @@ +# Locally computed +sha256 c726c086f0dd93a0ac7a0176f383a12af91b6657b78a301e3f5b25d9f8d4d10b python-slip-0.6.5.tar.bz2 +sha256 1ca3e8f71b7de618968e7ea9fe47822d9e704dc476aef8544033abedec355225 COPYING diff --git a/package/python-slip-dbus/python-slip-dbus.mk b/package/python-slip-dbus/python-slip-dbus.mk new file mode 100644 index 0000000000..a587c351aa --- /dev/null 
+++ b/package/python-slip-dbus/python-slip-dbus.mk 
@@ -0,0 +1,23 @@ +################################################################################ +# +# python-slip-dbus +# +################################################################################ + +PYTHON_SLIP_DBUS_VERSION = 0.6.5 +PYTHON_SLIP_DBUS_SOURCE = python-slip-$(PYTHON_SLIP_DBUS_VERSION).tar.bz2 +PYTHON_SLIP_DBUS_SITE = https://github.com/nphilipp/python-slip/releases/download/python-slip-$(PYTHON_SLIP_DBUS_VERSION) +PYTHON_SLIP_DBUS_LICENSE = GPL-2.0+ +PYTHON_SLIP_DBUS_LICENSE_FILES = COPYING +PYTHON_SLIP_DBUS_SETUP_TYPE = distutils +PYTHON_SLIP_DBUS_DEPENDENCIES = python-gobject + +# Python-slip-dbus only packages a setup.py.in file with a @VERSION@ variable, +# so we must create the file ourselves and sed the appropriate version number. +define PYTHON_SLIP_DBUS_APPEND_VERSION + sed -e 's/@VERSION@/$(PYTHON_SLIP_DBUS_VERSION)/g' \ + $(@D)/setup.py.in >$(@D)/setup.py +endef +PYTHON_SLIP_DBUS_PRE_CONFIGURE_HOOKS += PYTHON_SLIP_DBUS_APPEND_VERSION + +$(eval $(python-package))
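
Review bot: In package/python-slip-dbus/Config.in the comment text lists wchar, but its negated condition never tests !BR2_USE_WCHAR, so on a toolchain without wchar the option disappears and the comment that should explain why is not shown either. Add || !BR2_USE_WCHAR to the last depends on of the comment so it mirrors the depends on BR2_USE_WCHAR line of the config entry.
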
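
Review bot: PYTHON_SLIP_DBUS_DEPENDENCIES in package/python-slip-dbus/python-slip-dbus.mk makes python-gobject a build dependency, while Config.in tags select BR2_PACKAGE_PYTHON_GOBJECT as # runtime, so one of the two is misleading. If setup.py needs it at build time, fix the Config.in comment; if not, drop it from the dependencies. The hook is also named PYTHON_SLIP_DBUS_APPEND_VERSION although it generates setup.py from setup.py.in rather than appending anything; a name that says so would match the comment above it.
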
From: aduskett@gmail.com
To: buildroot@buildroot.org
Cc: Asaf Kahlon, Adam Duskett
Date: Thu, 7 May 2020 16:14:55 -0700
Message-Id: <20200507231457.2093052-3-aduskett@gmail.com>
In-Reply-To: <20200507231457.2093052-1-aduskett@gmail.com>
References: <20200507231457.2093052-1-aduskett@gmail.com>
Subject: [Buildroot] [PATCH/next v4 3/5] package/firewalld: new package

From: Adam Duskett

Firewalld provides a dynamically managed firewall with support for
network or firewall zones to define the trust level of network
connections or interfaces.

Items of note:

  - Iptables is set as a requirement because many applications such as
    Docker require direct-passthrough rules which firewalld does not
    support.

  - Setting PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)"
    prevents Firewalld from setting the shebang in the installed python
    files to the full path to the python interpreter used when building.

  - The bundled provided SYSV init file has several bashisms and
    requires /etc/init.d/functions which buildroot doesn't provide.
    So instead, a more simple init.d file is provided in the package
    directory, which does not require bash.

  - Firewalld >= 0.6.0 requires a linux kernel version of 4.18 or later.
    Because Buildroot does not have a mechanism to detect what version a
    user is compiling if the kernel is external, there is no way to
    prevent a user with an external kernel older than 4.18 to select
    this package. As such, there is a note in the Config.in help text
    that notifies users of the kernel version requirement.
    See https://firewalld.org/2018/07/firewalld-0-6-0-release for more
    details.

  - As of this writing, firewalld does indeed require nftables, even if
    a user specifies iptables, ipset, or ebtables as the firewalld
    backend. There is an issue for this limitation here:
    https://github.com/firewalld/firewalld/issues/563
    As such, until a future release resolves this issue, Firewalld must
    select nftables and requires kernel 4.18 or later. In the future, it
    may be possible to add support for different backends without
    requiring nftables, which would then support older kernel versions.

Signed-off-by: Adam Duskett
---
Changes v1 -> v2:
  - Select DBUS (Yann)
  - Add some extra comments in the Makefile (Yann)
  - Add a more detailed commit message. (Yann)
  - Move dependency lines (Yann)
  - Combine dependency message (Yann)
  - Cleanup init file (Yann)
  - Install the systemd file.
  - Bump version from 0.8.1 to 0.8.2.
  - Drop upstream patch.

Changes v2 -> v3:
  - Fix subject line.

Changes v3 -> v4:
  - Add an explanation about nftables in the commit message.
  - Add a note that firewalld requires kernel 4.18 in the Config.in
  - Add a better explanation as to why Jansson is needed in the Config.in
  - Remove selecting ebtables and ipset from the Config.in (Yann)
  - Use the release tar.gz instead of the github helper macro (Yann)
  - Remove ebtables and ipset from firewalld.mk (Yann)
  - Remove the FIREWALLD_RUN_AUTOGEN macro thanks to the above tar.gz (Yann)
  - Remove the call --with-nft=/usr/sbin/nft as the nft binary is no
    longer used, in favor of the native nft JSON interface.
  - Add a check for NLS and set --enable-nls if BR2_SYSTEM_ENABLE_NLS is set.
  - Add a call to --enable-systemd if systemd is selected (Yann)

DEVELOPERS | 1 + package/Config.in | 1 + package/firewalld/Config.in | 40 ++++++++++++++++ package/firewalld/S41firewalld | 40 ++++++++++++++++ package/firewalld/firewalld.hash | 3 ++ package/firewalld/firewalld.mk | 81 ++++++++++++++++++++++++++++++++ 6 files changed, 166 insertions(+) create mode 100644 package/firewalld/Config.in create mode 100644 package/firewalld/S41firewalld create mode 100644 package/firewalld/firewalld.hash create mode 100644 package/firewalld/firewalld.mk diff --git a/DEVELOPERS b/DEVELOPERS index 906dfb92b3..474306fc77 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -31,6 +31,7 @@ F: package/audit/ F: package/busybox/ F: package/checkpolicy/ F: package/cppdb/ +F: package/firewalld/ F: package/gobject-introspection/ F: package/gstreamer1/gstreamer1/ F: package/gstreamer1/gstreamer1-mm/ 
diff --git a/package/Config.in b/package/Config.in index 206a73f168..c9e473e231 100644 --- a/package/Config.in +++ b/package/Config.in @@ -2034,6 +2034,7 @@ menu "Networking applications" source "package/fail2ban/Config.in" source "package/fastd/Config.in" source "package/fcgiwrap/Config.in" + source "package/firewalld/Config.in" source "package/flannel/Config.in" source "package/fmc/Config.in" source "package/fping/Config.in" diff --git a/package/firewalld/Config.in b/package/firewalld/Config.in new file mode 100644 index 0000000000..b6a57c04ee --- /dev/null +++ b/package/firewalld/Config.in 
@@ -0,0 +1,40 @@ +config BR2_PACKAGE_FIREWALLD + bool "firewalld" + depends on BR2_USE_MMU # gobject-introspection + depends on BR2_USE_WCHAR # dbus-python, gettext + depends on BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS # gobject-introspection + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # gobject-introspection + depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-python + depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # nftables + depends on BR2_TOOLCHAIN_USES_GLIBC # gobject-introspection + depends on BR2_PACKAGE_PYTHON3 # gobject-introspection + select BR2_PACKAGE_DBUS # dbus-python + select BR2_PACKAGE_DBUS_PYTHON + select BR2_PACKAGE_GETTEXT + select BR2_PACKAGE_GOBJECT_INTROSPECTION + select BR2_PACKAGE_IPTABLES + select BR2_PACKAGE_JANSSON # Uses the nftables json interface + select BR2_PACKAGE_NFTABLES + select BR2_PACKAGE_PYTHON_DECORATOR + select BR2_PACKAGE_PYTHON_GOBJECT + select BR2_PACKAGE_PYTHON_SIX + select BR2_PACKAGE_PYTHON_SLIP_DBUS + help + Firewalld provides a dynamically managed firewall with + support for network or firewall zones to define the trust + level of network connections or interfaces. It has support + for IPv4, IPv6 firewall settings and for ethernet bridges and + a separation of runtime and permanent configuration options. + It also provides an interface for services or applications to + add ip*tables and ebtables rules directly. + + Note: Firewalld uses nftables as the backend as requires + kernel version >= 4.18. + + https://github.com/firewalld/firewalld + +comment "firewalld needs python3, and a glibc toolchain w/ gcc >= 4.9, threads" + depends on BR2_USE_MMU + depends on BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS + depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || !BR2_TOOLCHAIN_USES_GLIBC \ + || !BR2_TOOLCHAIN_HAS_THREADS || !BR2_PACKAGE_PYTHON3 diff --git a/package/firewalld/S41firewalld b/package/firewalld/S41firewalld new file mode 100644 index 0000000000..270435f1f8 --- /dev/null +++ b/package/firewalld/S41firewalld 
@@ -0,0 +1,40 @@ +#!/bin/sh + +firewalld=/usr/sbin/firewalld +pidfile=/var/run/firewalld.pid + +start() { + printf "Starting firewalld: " + start-stop-daemon -S -q --exec ${firewalld} + [ $? = 0 ] && echo "OK" || echo "FAIL" +} + +stop() { + printf "Stopping firewalld: " + start-stop-daemon --stop --quiet --pidfile ${pidfile} + [ $? = 0 ] && echo "OK" || echo "FAIL" +} + +reload(){ + printf "Reloading firewalld: " + firewall-cmd --reload + [ $? = 0 ] && echo "OK" || echo "FAIL" +} + +restart() { + stop + start +} + +status(){ + firewall-cmd --state +} + +case "${1}" in + start|stop|restart|reload|status) + ${1} + ;; + *) + echo "Usage: $0 {start|stop|restart|reload|status}" + exit 1 +esac diff --git a/package/firewalld/firewalld.hash b/package/firewalld/firewalld.hash new file mode 100644 index 0000000000..7ac5f08d55 --- /dev/null +++ b/package/firewalld/firewalld.hash @@ -0,0 +1,3 @@ +# Locally computed +sha256 391a750a2bfb9db1179829a136451daf256660b591d380ce504fd4e896f7d797 firewalld-0.8.2.tar.gz +sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/firewalld/firewalld.mk b/package/firewalld/firewalld.mk new file mode 100644 index 0000000000..8fcd01ec32 --- /dev/null +++ b/package/firewalld/firewalld.mk 
@@ -0,0 +1,81 @@ +################################################################################ +# +# firewalld +# +################################################################################ + +FIREWALLD_VERSION = 0.8.2 +# Use the release tarball to avoid having to use autoreconf +FIREWALLD_SITE = https://github.com/firewalld/firewalld/releases/download/v$(FIREWALLD_VERSION) +FIREWALLD_LICENSE = GPL-2.0 +FIREWALLD_LICENSE_FILES = COPYING + +FIREWALLD_DEPENDENCIES = \ + host-intltool \ + host-libglib2 \ + host-libxml2 \ + host-libxslt \ + dbus-python \ + gettext \ + gobject-introspection \ + iptables \ + jansson \ + nftables \ + python3 \ + python-decorator \ + python-gobject \ + python-six \ + python-slip-dbus + +# Firewalld hard codes the python shebangs to the full path of the +# python-interpreter. IE: #!/home/buildroot/output/host/bin/python. +# Force the proper python path. +FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)" + +# iptables, ip6tables, ebtables, and ipset *should* be unnecessary +# when the nftables backend is available, because nftables supersedes all of +# them. However we still need to build and install iptables and ip6tables +# because application relying on direct passthrough rules (IE docker) will +# break. +# /etc/sysconfig/firewalld is a RedHat-ism, only referenced by +# the RedHat specific init script which isn't used, so we set +# --disable-sysconfig. 
+FIREWALLD_CONF_OPTS += \ + --disable-nls \ + --disable-rpmmacros \ + --disable-sysconfig \ + --with-ip6tables-restore=/usr/sbin/ip6tables-restore \ + --with-ip6tables=/usr/sbin/ip6tables \ + --with-iptables-restore=/usr/sbin/iptables-restore \ + --with-iptables=/usr/sbin/iptables \ + --without-ebtables \ + --without-ebtables-restore \ + --without-ipset \ + --without-xml-catalog + +ifeq ($(BR2_SYSTEM_ENABLE_NLS),y) +FIREWALLD_CONF_OPTS += --enable-nls +endif + +ifeq ($(BR2_PACKAGE_SYSTEMD),y) +FIREWALLD_DEPENDENCIES += systemd +FIREWALLD_CONF_OPTS += \ + --enable-systemd \ + --with-systemd-unitdir=/usr/lib/systemd/system +else +FIREWALLD_CONF_OPTS += --disable-systemd +endif + +define FIREWALLD_INSTALL_INIT_SYSTEMD + $(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \ + $(TARGET_DIR)/usr/lib/systemd/system/firewalld.service +endef + +# The bundled sysvinit file requires /etc/init.d/functions which is not +# provided by buildroot. As such, we provide our own firewalld init file. +define FIREWALLD_INSTALL_INIT_SYSV + $(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S41firewalld \ + $(TARGET_DIR)/etc/init.d/S41firewalld +endef + +$(eval $(autotools-package))
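
Review bot: The comment block at the end of package/firewalld/Config.in does not cover every depends on of the config entry: BR2_USE_WCHAR and BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 are required above, but neither appears in the comment's negated condition or in its text, so a user missing either gets no explanation for the hidden option. Add both to the condition and mention wchar and headers >= 3.12 in the message. In the help text, "as the backend as requires" should read "as the backend and requires".
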
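
Review bot: In package/firewalld/S41firewalld, start(), stop() and reload() all end with [ $? = 0 ] && echo "OK" || echo "FAIL", which returns 0 on both paths, so the script exits successfully even when firewalld failed to start and the only trace is the word FAIL on the console. For a firewall service the caller should be able to see that failure: save the status before printing and return it from each function. start() also passes no --pidfile while stop() depends on /var/run/firewalld.pid, and restart() calls start right after stop with no wait for the old process to exit.
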
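
Review bot: FIREWALLD_CONF_OPTS in package/firewalld/firewalld.mk sets --disable-nls unconditionally and the ifeq ($(BR2_SYSTEM_ENABLE_NLS),y) block then appends --enable-nls, so with NLS enabled configure receives both flags and the outcome rests on argument order. Move --disable-nls into an else branch, the way the systemd block just below handles --disable-systemd. FIREWALLD_INSTALL_INIT_SYSTEMD also copies firewalld.service by hand although configure is already given --with-systemd-unitdir; please confirm the package's own install step does not place the unit there, otherwise the define is redundant.
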
From: aduskett@gmail.com
To: buildroot@buildroot.org
Date: Thu, 7 May 2020 16:14:56 -0700
Message-Id: <20200507231457.2093052-4-aduskett@gmail.com>
In-Reply-To: <20200507231457.2093052-1-aduskett@gmail.com>
References: <20200507231457.2093052-1-aduskett@gmail.com>
Subject: [Buildroot] [PATCH/next v4 4/5] package/firewalld: bear the kernel options munging
Cc: Asaf Kahlon, Adam Duskett

From: Adam Duskett

To run, Firewalld requires enabling almost every single nftables option in the kernel menuconfig. Indeed for a regular user, this task is quite a time-consuming operation, and missing even one required nftables option results in firewalld failing to start.

Through a mix of trial and error and talking to the upstream developers, attached is the minimum amount of kernel options required for runtime.

Understandably this list is daunting. However, these options have passed run-time tests with kernel 4.18 (the minimum kernel version required) and kernel 5.6.11 (the latest kernel version as of this commit log.) As such, it is safe to say these options will work for anybody wanting to use firewalld with a supported kernel version of 4.18 or higher.

Signed-off-by: Adam Duskett
---
Changes v1 -> v4:
  - Add this patch to the series

 package/firewalld/firewalld.mk | 252 +++++++++++++++++++++++++++++++++
 1 file changed, 252 insertions(+)

diff --git a/package/firewalld/firewalld.mk b/package/firewalld/firewalld.mk
index 8fcd01ec32..dd0f284a5c 100644
--- a/package/firewalld/firewalld.mk
+++ b/package/firewalld/firewalld.mk
@@ -78,4 +78,256 @@ define FIREWALLD_INSTALL_INIT_SYSV $(TARGET_DIR)/etc/init.d/S41firewalld endef +# Firewalld requires almost every single nftables rule enabled in the kernel to +# properly start. As such, if a user selects the firewalld package, it is much +# easier to select these options for them, much like we do for systemd or +# iptables. +define FIREWALLD_LINUX_CONFIG_FIXUPS + $(call KCONFIG_ENABLE_OPT,CONFIG_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT) + 
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_META) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV) 
+ $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MARK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_CONNMARK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_SET) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_CHECKSUM) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_CLASSIFY) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_CONNMARK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_CT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_DSCP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_HMARK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_IDLETIMER) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_LED) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_LOG) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_MARK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_NFLOG) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_NFQUEUE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_NOTRACK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_RATEEST) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_TEE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_TPROXY) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_TRACE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_TCPMSS) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_BPF) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CGROUP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CLUSTER) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_COMMENT) + $(call 
KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNBYTES) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNLABEL) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNMARK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNTRACK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CPU) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_DCCP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_DEVGROUP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_DSCP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_ESP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_HELPER) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_IPCOMP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_IPRANGE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_L2TP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_LENGTH) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_LIMIT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_MAC) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_MARK) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_MULTIPORT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_NFACCT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_OSF) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_OWNER) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_POLICY) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_PHYSDEV) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_PKTTYPE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_QUOTA) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_RATEEST) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_REALM) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_RECENT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_SCTP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_SOCKET) + $(call 
KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_STATE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_STATISTIC) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_STRING) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_TCPMSS) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_TIME) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_U32) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_ACCT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_QUEUE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_LOG) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4) + $(call 
KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6) + $(call 
KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE) + $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE) + $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT) + $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE) +endef + $(eval $(autotools-package)) From patchwork Thu May 7 23:14:57 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
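Review bot: FIREWALLD_LINUX_CONFIG_FIXUPS enables CONFIG_NF_TABLES_SET, CONFIG_NF_TABLES_NETDEV, CONFIG_NF_TABLES_IPV4 and the long run of CONFIG_NFT_* and CONFIG_NETFILTER_XT_* symbols, but the list never enables their parents: CONFIG_NETFILTER, CONFIG_NETFILTER_ADVANCED, CONFIG_NF_TABLES and CONFIG_NF_TABLES_INET are absent. Kconfig does not turn on "depends on" parents for you, so on a defconfig that lacks them these fixups are dropped when the configuration is regenerated and firewalld fails to start in exactly the way the commit message describes. Please add the parent symbols at the top of the define. A second point on the same list: it is described as the minimum, yet it pulls in CONFIG_NETFILTER_XT_TARGET_LED, CONFIG_IP_NF_TARGET_CLUSTERIP, the AMANDA, IRC, SANE and H323 conntrack helpers, and the whole CONFIG_IP_SET_* family even though firewalld itself is configured with --without-ipset. Each of these is extra kernel code on the packet path of what is meant to be a firewall, so the list should be trimmed to what the nftables backend needs, with a comment for any entry kept for another reason.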
X-Patchwork-Submitter: Adam Duskett
X-Patchwork-Id: 1285674
From: aduskett@gmail.com
To: buildroot@buildroot.org
Date: Thu, 7 May 2020 16:14:57 -0700
Message-Id: <20200507231457.2093052-5-aduskett@gmail.com>
In-Reply-To: <20200507231457.2093052-1-aduskett@gmail.com>
References: <20200507231457.2093052-1-aduskett@gmail.com>
Subject: [Buildroot] [PATCH/next v4 5/5] support/testing: add firewalld test case
Cc: Asaf Kahlon, Adam Duskett

From: Adam Duskett

This test case runs firewalld using both system and sysvinit. The tests perform the following tasks:
  - Start and login
  - run `firewalld-cmd --state` with the expected output of "running" and a return code of 0.

Signed-off-by: Adam Duskett
---
Changes v1 -> v4:
  - Add this patch to the series

 .gitlab-ci.yml | 2 +
 DEVELOPERS | 1 +
 .../testing/tests/package/test_firewalld.py | 98 +++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 support/testing/tests/package/test_firewalld.py

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fa8e077a07..68785f32b8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -402,6 +402,8 @@ tests.package.test_crudini.TestCrudiniPy2: { extends: .runtime_test } tests.package.test_crudini.TestCrudiniPy3: { extends: .runtime_test } tests.package.test_docker_compose.TestDockerCompose: { extends: .runtime_test } tests.package.test_dropbear.TestDropbear: { extends: .runtime_test } +tests.package.test_firewalld.TestFirewalldSystemd: { extends: .runtime_test } +tests.package.test_firewalld.TestFirewalldSysVInit: { extends: .runtime_test } tests.package.test_glxinfo.TestGlxinfo: { extends: .runtime_test } tests.package.test_gst1_python.TestGst1Python: { extends: .runtime_test } tests.package.test_ipython.TestIPythonPy3: { extends: .runtime_test } diff --git a/DEVELOPERS b/DEVELOPERS index 474306fc77..74bea58942 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -89,6 +89,7 @@ F: package/setools/ F: package/sngrep/ F: package/spidermonkey/ F: package/systemd/ +F: support/testing/tests/package/test_firewalld.py F: support/testing/tests/package/test_gst1_python.py F: support/testing/tests/package/test_python_gobject.py diff --git a/support/testing/tests/package/test_firewalld.py b/support/testing/tests/package/test_firewalld.py new file mode 100644 index 0000000000..4fbccfacfa --- /dev/null +++ b/support/testing/tests/package/test_firewalld.py 
@@ -0,0 +1,98 @@ +"""Test firewalld for both systemd and sysvinit.""" +import os +from tests.package.test_python import TestPythonPackageBase + + +class TestFirewalldSystemd(TestPythonPackageBase): + """Build the kernel as firewalld requires all of the nftable options.""" + + __test__ = True + config = \ + """ + BR2_arm=y + BR2_cortex_a9=y + BR2_ARM_ENABLE_VFP=y + BR2_TOOLCHAIN_EXTERNAL=y + BR2_LINUX_KERNEL=y + BR2_LINUX_KERNEL_CUSTOM_VERSION=y + BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.39" + BR2_LINUX_KERNEL_DEFCONFIG="vexpress" + BR2_LINUX_KERNEL_DTS_SUPPORT=y + BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca9" + BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0" + BR2_INIT_SYSTEMD=y + BR2_PACKAGE_PYTHON3=y + BR2_PACKAGE_FIREWALLD=y + BR2_TARGET_ROOTFS_CPIO=y + # BR2_TARGET_ROOTFS_TAR is not set + """ + + def wait_boot(self): + """Boot time is longer than the default multiplier.""" + self.emulator.timeout_multiplier *= 10 + self.emulator.login() + + def test_run(self): + cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio") + kernel_file = os.path.join(self.builddir, "images", "zImage") + dtb_file = os.path.join(self.builddir, "images", "vexpress-v2p-ca9.dtb") + self.emulator.boot(arch="armv7", + kernel=kernel_file, + kernel_cmdline=["console=ttyAMA0,115200"], + options=[ + "-initrd", cpio_file, + "-dtb", dtb_file, + "-M", "vexpress-a9" + ]) + self.wait_boot() + cmd = "firewall-cmd --state" + output, exit_code = self.emulator.run(cmd, timeout=10) + self.assertIn("running", output[0]) + self.assertEqual(exit_code, 0) + + +class TestFirewalldSysVInit(TestPythonPackageBase): + """Build the kernel as firewalld requires all of the nftable options.""" + + __test__ = True + config = \ + """ + BR2_arm=y + BR2_cortex_a9=y + BR2_ARM_ENABLE_VFP=y + BR2_TOOLCHAIN_EXTERNAL=y + BR2_LINUX_KERNEL=y + BR2_LINUX_KERNEL_CUSTOM_VERSION=y + BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.39" + BR2_LINUX_KERNEL_DEFCONFIG="vexpress" + BR2_LINUX_KERNEL_DTS_SUPPORT=y + 
BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca9" + BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0" + BR2_PACKAGE_PYTHON3=y + BR2_PACKAGE_FIREWALLD=y + BR2_TARGET_ROOTFS_CPIO=y + # BR2_TARGET_ROOTFS_TAR is not set + """ + + def wait_boot(self): + """Boot time is longer than the default multiplier.""" + self.emulator.timeout_multiplier *= 10 + self.emulator.login() + + def test_run(self): + cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio") + kernel_file = os.path.join(self.builddir, "images", "zImage") + dtb_file = os.path.join(self.builddir, "images", "vexpress-v2p-ca9.dtb") + self.emulator.boot(arch="armv7", + kernel=kernel_file, + kernel_cmdline=["console=ttyAMA0,115200"], + options=[ + "-initrd", cpio_file, + "-dtb", dtb_file, + "-M", "vexpress-a9" + ]) + self.wait_boot() + cmd = "firewall-cmd --state" + output, exit_code = self.emulator.run(cmd, timeout=10) + self.assertIn("running", output[0]) + self.assertEqual(exit_code, 0)
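Review bot: in both test_run methods of test_firewalld.py, self.assertIn("running", output[0]) also passes when firewall-cmd prints "not running", because that string contains "running"; only the exit-code assertion after it tells the two states apart. Compare the whole line instead, e.g. self.assertEqual(output[0].strip(), "running"), and consider asserting the exit code first so a failure reports the more useful value. TestFirewalldSystemd and TestFirewalldSysVInit are also identical apart from BR2_INIT_SYSTEMD=y, so the shared config, wait_boot and test_run belong in one common base class, and since neither class uses anything Python-package specific, deriving from infra.basetest.BRTest would be a better fit than TestPythonPackageBase. Last, the commit message names the command `firewalld-cmd` while the test runs firewall-cmd; the message should match the code.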