| SUMMARY = "Dynamic firewall daemon with a D-Bus interface" |
| HOMEPAGE = "https://firewalld.org/" |
| BUGTRACKER = "https://github.com/firewalld/firewalld/issues" |
| UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases" |
| LICENSE = "GPL-2.0-or-later" |
| LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" |
| |
| SRC_URI = "\ |
| https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ |
| file://firewalld.init \ |
| file://run-ptest \ |
| " |
| SRC_URI[sha256sum] = "28fd90e88bda0dfd460f370f353474811b2e295d7eb27f0d7d18ffa3d786eeb7" |
| |
| # glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4 |
| DEPENDS = "intltool-native glib-2.0-native nftables" |
| |
| inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest |
| |
| PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" |
| PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd" |
| PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native" |
| PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset" |
| PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables" |
| |
| # Default logging configuration: mixed syslog file console |
| FIREWALLD_DEFAULT_LOG_TARGET ??= "syslog" |
| |
| # The UIs are not yet tested and the dependencies are probably not quite correct yet. |
| # Splitting into separate packages is beneficial so that no dead code is transferred |
| # to the target device. |
| # Without enabling qt5, the firewalld-config package is not usable. |
| # Without enabling qt5 and gtk, the firewalld-applet package is not usable. |
| PACKAGECONFIG[qt5] = "" |
| PACKAGECONFIG[gtk] = "" |
| |
| PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion ${PN}-log-rotate" |
| |
| # iptables, ip6tables, ebtables, and ipset *should* be unnecessary |
| # when the nftables backend is available, because nftables supersedes all of them. |
| # However we still need iptables and ip6tables to be available otherwise any |
| # application relying on "direct passthrough" rules (such as docker) will break. |
| # /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by |
| # the Red Hat-specific init script which we aren't using, so we disable that. |
| EXTRA_OECONF = "\ |
| --with-iptables=${sbindir}/iptables \ |
| --with-iptables-restore=${sbindir}/iptables-restore \ |
| --with-ip6tables=${sbindir}/ip6tables \ |
| --with-ip6tables-restore=${sbindir}/ip6tables-restore \ |
| --disable-sysconfig \ |
| " |
| |
| INITSCRIPT_NAME = "firewalld" |
| SYSTEMD_SERVICE:${PN} = "firewalld.service" |
| |
| # kernel modules loaded after ptest execution (linux-yocto 5.15) |
| FIREWALLD_KERNEL_MODULES ?= "\ |
| xt_tcpudp \ |
| xt_TCPMSS \ |
| xt_set \ |
| xt_sctp \ |
| xt_REDIRECT \ |
| xt_pkttype \ |
| xt_NFLOG \ |
| xt_nat \ |
| xt_MASQUERADE \ |
| xt_mark \ |
| xt_mac \ |
| xt_LOG \ |
| xt_limit \ |
| xt_dccp \ |
| xt_CT \ |
| xt_conntrack \ |
| xt_CHECKSUM \ |
| nft_redir \ |
| nft_objref \ |
| nft_nat \ |
| nft_masq \ |
| nft_log \ |
| nfnetlink_log \ |
| nf_nat_tftp \ |
| nf_nat_sip \ |
| nf_nat_ftp \ |
| nf_log_syslog \ |
| nf_conntrack_tftp \ |
| nf_conntrack_sip \ |
| nf_conntrack_netbios_ns \ |
| nf_conntrack_ftp \ |
| nf_conntrack_broadcast \ |
| ipt_REJECT \ |
| ip6t_rpfilter \ |
| ip6t_REJECT \ |
| ip_set_hash_netport \ |
| ip_set_hash_netnet \ |
| ip_set_hash_netiface \ |
| ip_set_hash_net \ |
| ip_set_hash_mac \ |
| ip_set_hash_ipportnet \ |
| ip_set_hash_ipport \ |
| ip_set_hash_ipmark \ |
| ip_set_hash_ip \ |
| ebt_ip6 \ |
| nft_fib_inet \ |
| nft_fib_ipv4 \ |
| nft_fib_ipv6 \ |
| nft_fib \ |
| nft_reject_inet \ |
| nf_reject_ipv4 \ |
| nf_reject_ipv6 \ |
| nft_reject \ |
| nft_ct \ |
| nft_chain_nat \ |
| ebtable_nat \ |
| ebtable_broute \ |
| ip6table_nat \ |
| ip6table_mangle \ |
| ip6table_raw \ |
| ip6table_security \ |
| iptable_nat \ |
| nf_nat \ |
| nf_conntrack \ |
| nf_defrag_ipv6 \ |
| nf_defrag_ipv4 \ |
| iptable_mangle \ |
| iptable_raw \ |
| iptable_security \ |
| ip_set \ |
| ebtable_filter \ |
| ebtables \ |
| ip6table_filter \ |
| ip6_tables \ |
| iptable_filter \ |
| ip_tables \ |
| x_tables \ |
| sch_fq_codel \ |
| " |
| |
| do_configure:prepend() { |
| export DEFAULT_LOG_TARGET=${FIREWALLD_DEFAULT_LOG_TARGET} |
| } |
| |
| do_install:append() { |
| if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then |
| # firewalld ships an init script but it contains Red Hat-isms, replace it with our own |
| rm -rf ${D}${sysconfdir}/rc.d/ |
| install -d ${D}${sysconfdir}/init.d |
| install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld |
| fi |
| |
| if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then |
| # Delete polkit profiles if polkit is not available |
| rm -rf ${D}${datadir}/polkit-1 |
| fi |
| |
| # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE |
| # so now we need to fix up any references to point at the proper path in the image. |
| # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools. |
| if [ ${PN} != "${BPN}-native" ]; then |
| sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \ |
| ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml |
| fi |
| sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \ |
| ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml |
| |
| # This file contains Red Hat-isms. Modules get loaded without it. |
| rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf |
| } |
| |
| do_install_ptest:append() { |
| # Add kernel modules to the ptest script |
| if [ ${PTEST_ENABLED} = "1" ]; then |
| sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \ |
| ${D}${PTEST_PATH}/run-ptest |
| fi |
| } |
| |
| SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)" |
| FILES:python3-firewall = "\ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \ |
| " |
| RDEPENDS:python3-firewall = "\ |
| python3-dbus \ |
| nftables-python \ |
| python3-pygobject \ |
| " |
| |
| # Do not depend on QT5 layer and GTK deps if not explicitely required. |
| FIREWALLD_QT5_RDEPENDS = "\ |
| ${PN}-config \ |
| hicolor-icon-theme \ |
| python3-pyqt5 \ |
| python3-pygobject \ |
| libnotify \ |
| networkmanager \ |
| " |
| FIREWALLD_GTK_RDEPENDS = "\ |
| gtk3 \ |
| " |
| |
| # A QT5 based UI |
| SUMMARY:${PN}-config = "${SUMMARY} (configuration application)" |
| FILES:${PN}-config = "\ |
| ${bindir}/firewall-config \ |
| ${datadir}/firewalld/firewall-config.glade \ |
| ${datadir}/firewalld/gtk3_chooserbutton.py* \ |
| ${datadir}/firewalld/gtk3_niceexpander.py* \ |
| ${datadir}/applications/firewall-config.desktop \ |
| ${datadir}/metainfo/firewall-config.appdata.xml \ |
| ${datadir}/icons/hicolor/*/apps/firewall-config*.* \ |
| " |
| RDEPENDS:${PN}-config += "\ |
| python3-core \ |
| python3-ctypes \ |
| ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ |
| " |
| |
| # A GTK3 applet depending on the QT5 firewall-config UI |
| SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)" |
| FILES:${PN}-applet += "\ |
| ${bindir}/firewall-applet \ |
| ${sysconfdir}/xdg/autostart/firewall-applet.desktop \ |
| ${sysconfdir}/firewall/applet.conf \ |
| ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \ |
| " |
| RDEPENDS:${PN}-applet += "\ |
| python3-core \ |
| python3-ctypes \ |
| ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \ |
| ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \ |
| " |
| |
| SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)" |
| FILES:${PN}-offline-cmd += " \ |
| ${bindir}/firewall-offline-cmd \ |
| " |
| RDEPENDS:${PN}-offline-cmd += "python3-core" |
| |
| SUMMARY:${PN}-log-rotate = "${SUMMARY} (log-rotate configuration)" |
| FILES:${PN}-log-rotate += "${sysconfdir}/logrotate.d" |
| |
| # To get allmost all tests passing |
| # - Enable PACKAGECONFIG ipset, ebtable |
| # - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests) |
| FILES:${PN}-ptest += "\ |
| ${datadir}/firewalld/testsuite \ |
| " |
| RDEPENDS:${PN}-ptest += "\ |
| python3-unittest \ |
| ${PN}-offline-cmd \ |
| procps-ps \ |
| iproute2 \ |
| " |
| RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us" |
| |
| FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions" |
| |
| FILES:${PN} += "\ |
| ${PYTHON_SITEPACKAGES_DIR}/firewall \ |
| ${nonarch_libdir}/firewalld \ |
| ${datadir}/dbus-1 \ |
| ${datadir}/polkit-1 \ |
| ${datadir}/metainfo \ |
| ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \ |
| " |
| RDEPENDS:${PN} += "\ |
| python3-firewall \ |
| iptables \ |
| python3-core \ |
| python3-io \ |
| python3-fcntl \ |
| python3-syslog \ |
| python3-xml \ |
| python3-json \ |
| python3-ctypes \ |
| python3-pprint \ |
| " |
| # If firewalld writes a log file rotation is needed |
| RRECOMMENDS:${PN} += "${@bb.utils.contains_any('FIREWALLD_DEFAULT_LOG_TARGET', [ 'mixed', 'file' ], '${PN}-log-rotate', '', d)}" |
| |
| # Add required kernel modules. With Yocto kernel 5.15 this currently means: |
| # - features/nf_tables/nf_tables.scc |
| # - features/netfilter/netfilter.scc |
| # - cgl/features/audit/audit.scc |
| # - cfg/net/ip6_nf.scc |
| # - Plus: |
| # - ebtables |
| # - ipset |
| # - CONFIG_IP6_NF_SECURITY=m |
| # - CONFIG_IP6_NF_MATCH_RPFILTER=m |
| # - CONFIG_IP6_NF_TARGET_REJECT=m |
| # - CONFIG_NFT_OBJREF=m |
| # - CONFIG_NFT_FIB=m |
| # - CONFIG_NFT_FIB_INET=m |
| # - CONFIG_NFT_FIB_IPV4=m |
| # - CONFIG_NFT_FIB_IPV6=m |
| # - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m |
| # - CONFIG_NETFILTER_XT_SET=m |
| def get_kernel_deps(d): |
| kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split() |
| return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ]) |
| RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}" |