SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
HOMEPAGE = "https://firewalld.org/"
BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"

# The release tarball is fetched over HTTPS and pinned by the sha256sum below:
# on a version bump PV and the checksum must change together or the fetch fails.
# firewalld.init replaces the upstream init script in do_install:append and
# run-ptest is the local ptest driver patched in do_install_ptest:append.
SRC_URI = "\
    https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
    file://firewalld.init \
    file://run-ptest \
"
SRC_URI[sha256sum] = "28fd90e88bda0dfd460f370f353474811b2e295d7eb27f0d7d18ffa3d786eeb7"
| 14 | |
# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
DEPENDS = "intltool-native glib-2.0-native nftables"

inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest

# Only the systemd option follows DISTRO_FEATURES by default; everything else
# below (docs, ipset, ebtables, qt5, gtk) is opt-in via PACKAGECONFIG.
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
# Third field: extra build-time DEPENDS (the native XML toolchain) when docs are on.
PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
# Fourth field: runtime dependency added to RDEPENDS when the option is enabled.
# Paths point at the target ${sbindir}/${base_sbindir} rather than letting configure probe.
PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset"
PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables"
| 25 | |
# Default log target (the targets named here are mixed, syslog, file, console).
# Exported to configure by do_configure:prepend; "mixed" and "file" additionally
# pull in ${PN}-log-rotate through RRECOMMENDS:${PN} further down.
FIREWALLD_DEFAULT_LOG_TARGET ??= "syslog"

# The UIs are not yet tested and the dependencies are probably not quite correct yet.
# Splitting into separate packages is beneficial so that no dead code is transferred
# to the target device.
# Without enabling qt5, the firewalld-config package is not usable.
# Without enabling qt5 and gtk, the firewalld-applet package is not usable.
# Both flags carry no configure arguments: they only gate the RDEPENDS of the
# UI packages (FIREWALLD_QT5_RDEPENDS / FIREWALLD_GTK_RDEPENDS below).
PACKAGECONFIG[qt5] = ""
PACKAGECONFIG[gtk] = ""

# =+ prepends, so these packages are matched before ${PN} and their FILES globs
# take precedence over the broader ones in FILES:${PN}
# (e.g. ${PYTHON_SITEPACKAGES_DIR}/firewall).
PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion ${PN}-log-rotate"
| 38 | |
# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
# when the nftables backend is available, because nftables supersedes all of them.
# However we still need iptables and ip6tables to be available otherwise any
# application relying on "direct passthrough" rules (such as docker) will break.
# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
# the Red Hat-specific init script which we aren't using, so we disable that.
# Tool paths are spelled out as target ${sbindir} locations (presumably so
# configure does not probe the build host for them — confirm against configure.ac).
EXTRA_OECONF = "\
    --with-iptables=${sbindir}/iptables \
    --with-iptables-restore=${sbindir}/iptables-restore \
    --with-ip6tables=${sbindir}/ip6tables \
    --with-ip6tables-restore=${sbindir}/ip6tables-restore \
    --disable-sysconfig \
"

# Init integration: the sysvinit script is installed by do_install:append only
# when systemd is not in DISTRO_FEATURES; the unit comes with PACKAGECONFIG[systemd].
INITSCRIPT_NAME = "firewalld"
SYSTEMD_SERVICE:${PN} = "firewalld.service"
| 55 | |
# Kernel modules for the ptest run (list compiled against linux-yocto 5.15).
# The same list is substituted into run-ptest by do_install_ptest:append and
# mapped to kernel-module-* RRECOMMENDS for ${PN} by get_kernel_deps() at the
# bottom of this file, so editing it affects both.
FIREWALLD_KERNEL_MODULES ?= "\
    xt_tcpudp \
    xt_TCPMSS \
    xt_set \
    xt_sctp \
    xt_REDIRECT \
    xt_pkttype \
    xt_NFLOG \
    xt_nat \
    xt_MASQUERADE \
    xt_mark \
    xt_mac \
    xt_LOG \
    xt_limit \
    xt_dccp \
    xt_CT \
    xt_conntrack \
    xt_CHECKSUM \
    nft_redir \
    nft_objref \
    nft_nat \
    nft_masq \
    nft_log \
    nfnetlink_log \
    nf_nat_tftp \
    nf_nat_sip \
    nf_nat_ftp \
    nf_log_syslog \
    nf_conntrack_tftp \
    nf_conntrack_sip \
    nf_conntrack_netbios_ns \
    nf_conntrack_ftp \
    nf_conntrack_broadcast \
    ipt_REJECT \
    ip6t_rpfilter \
    ip6t_REJECT \
    ip_set_hash_netport \
    ip_set_hash_netnet \
    ip_set_hash_netiface \
    ip_set_hash_net \
    ip_set_hash_mac \
    ip_set_hash_ipportnet \
    ip_set_hash_ipport \
    ip_set_hash_ipmark \
    ip_set_hash_ip \
    ebt_ip6 \
    nft_fib_inet \
    nft_fib_ipv4 \
    nft_fib_ipv6 \
    nft_fib \
    nft_reject_inet \
    nf_reject_ipv4 \
    nf_reject_ipv6 \
    nft_reject \
    nft_ct \
    nft_chain_nat \
    ebtable_nat \
    ebtable_broute \
    ip6table_nat \
    ip6table_mangle \
    ip6table_raw \
    ip6table_security \
    iptable_nat \
    nf_nat \
    nf_conntrack \
    nf_defrag_ipv6 \
    nf_defrag_ipv4 \
    iptable_mangle \
    iptable_raw \
    iptable_security \
    ip_set \
    ebtable_filter \
    ebtables \
    ip6table_filter \
    ip6_tables \
    iptable_filter \
    ip_tables \
    x_tables \
    sch_fq_codel \
"
| 137 | |
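# Hand the recipe's log-target choice to configure through its environment.
# The value is quoted so an unexpected multi-word setting is passed as one
# string instead of being split by the shell.
do_configure:prepend() {
    export DEFAULT_LOG_TARGET="${FIREWALLD_DEFAULT_LOG_TARGET}"
}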
| 141 | |
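# Post-install fix-ups: choose the init integration, drop polkit policy on
# distros without polkit, and rewrite the native interpreter paths that
# configure baked into the installed scripts.
do_install:append() {
    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
        # firewalld ships an init script but it contains Red Hat-isms, replace it with our own
        rm -rf ${D}${sysconfdir}/rc.d/
        install -d ${D}${sysconfdir}/init.d
        install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
    fi

    if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then
        # Delete polkit profiles if polkit is not available.
        # NOTE(review): without them, access control for the daemon's D-Bus API
        # presumably rests on the D-Bus policy shipped in ${datadir}/dbus-1 alone;
        # worth confirming for images built this way.
        rm -rf ${D}${datadir}/polkit-1
    fi

    # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
    # so now we need to fix up any references to point at the proper path in the image.
    # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
    # The sed expressions are single-quoted, as in do_install_ptest:append, and the
    # test operands are quoted, so the shell never re-splits the expanded values.
    if [ "${PN}" != "${BPN}-native" ]; then
        sed -i -e 's:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g' \
            ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
    fi
    sed -i -e 's:${STAGING_BINDIR_NATIVE}:${bindir}:g' \
        ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml

    # This file contains Red Hat-isms. Modules get loaded without it.
    rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
}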
| 168 | |
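# Inject the kernel-module list into the installed ptest driver; the local
# run-ptest carries the @@FIREWALLD_KERNEL_MODULES@@ placeholder this replaces.
do_install_ptest:append() {
    # Add kernel modules to the ptest script.
    # PTEST_ENABLED is quoted so an empty value cannot turn the test into a
    # shell syntax error.
    if [ "${PTEST_ENABLED}" = "1" ]; then
        sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \
            ${D}${PTEST_PATH}/run-ptest
    fi
}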
| 176 | |
SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)"
# python3-firewall is prepended to PACKAGES, so these globs claim the module
# tree before the broader ${PYTHON_SITEPACKAGES_DIR}/firewall entry in FILES:${PN}.
# *.py* covers both the sources and the compiled __pycache__ files.
FILES:python3-firewall = "\
    ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \
"
RDEPENDS:python3-firewall = "\
    python3-dbus \
    nftables-python \
    python3-pygobject \
"

# Do not depend on QT5 layer and GTK deps if not explicitly required.
# These lists are only spliced into RDEPENDS of ${PN}-config / ${PN}-applet
# when the qt5 / gtk PACKAGECONFIG flags are set.
FIREWALLD_QT5_RDEPENDS = "\
    ${PN}-config \
    hicolor-icon-theme \
    python3-pyqt5 \
    python3-pygobject \
    libnotify \
    networkmanager \
"
FIREWALLD_GTK_RDEPENDS = "\
    gtk3 \
"
| 208 | |
# A QT5 based UI
# NOTE(review): the packaged files below (a .glade file and gtk3_*.py helpers)
# look GTK-based while the extra RDEPENDS are gated on the qt5 flag — confirm
# which toolkit firewall-config actually needs.
SUMMARY:${PN}-config = "${SUMMARY} (configuration application)"
FILES:${PN}-config = "\
    ${bindir}/firewall-config \
    ${datadir}/firewalld/firewall-config.glade \
    ${datadir}/firewalld/gtk3_chooserbutton.py* \
    ${datadir}/firewalld/gtk3_niceexpander.py* \
    ${datadir}/applications/firewall-config.desktop \
    ${datadir}/metainfo/firewall-config.appdata.xml \
    ${datadir}/icons/hicolor/*/apps/firewall-config*.* \
"
RDEPENDS:${PN}-config += "\
    python3-core \
    python3-ctypes \
    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
"

# A GTK3 applet depending on the QT5 firewall-config UI
SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)"
FILES:${PN}-applet += "\
    ${bindir}/firewall-applet \
    ${sysconfdir}/xdg/autostart/firewall-applet.desktop \
    ${sysconfdir}/firewall/applet.conf \
    ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \
"
# The applet needs both toolkits; each list is added only when its flag is enabled.
RDEPENDS:${PN}-applet += "\
    python3-core \
    python3-ctypes \
    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
    ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \
"

# Offline configuration tool; also used by the ptest suite (RDEPENDS:${PN}-ptest).
SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)"
FILES:${PN}-offline-cmd += " \
    ${bindir}/firewall-offline-cmd \
"
RDEPENDS:${PN}-offline-cmd += "python3-core"

# Only recommended for ${PN} when the log target actually writes a file.
SUMMARY:${PN}-log-rotate = "${SUMMARY} (log-rotate configuration)"
FILES:${PN}-log-rotate += "${sysconfdir}/logrotate.d"
| 249 | |
# To get almost all tests passing:
# - Enable PACKAGECONFIG ipset, ebtables
# - Enough RAM QB_MEM = "-m 8192" (used for fancy ipset tests)
FILES:${PN}-ptest += "\
    ${datadir}/firewalld/testsuite \
"
RDEPENDS:${PN}-ptest += "\
    python3-unittest \
    ${PN}-offline-cmd \
    procps-ps \
    iproute2 \
"
# glibc-specific test helpers and locale data; skipped on other C libraries.
RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"

FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
| 265 | |
# ${datadir}/polkit-1 is removed in do_install:append when polkit is not in
# DISTRO_FEATURES; a FILES entry that matches nothing is harmless.
# ${datadir}/dbus-1 holds the D-Bus policy/service files for the daemon.
FILES:${PN} += "\
    ${PYTHON_SITEPACKAGES_DIR}/firewall \
    ${nonarch_libdir}/firewalld \
    ${datadir}/dbus-1 \
    ${datadir}/polkit-1 \
    ${datadir}/metainfo \
    ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \
"
# iptables stays a hard runtime dependency for "direct passthrough" users
# (see the EXTRA_OECONF comment above); the rest are the Python stdlib pieces
# the daemon imports.
RDEPENDS:${PN} += "\
    python3-firewall \
    iptables \
    python3-core \
    python3-io \
    python3-fcntl \
    python3-syslog \
    python3-xml \
    python3-json \
    python3-ctypes \
    python3-pprint \
"
# If firewalld writes a log file, rotation is needed: only the "mixed" and
# "file" targets do, so only they recommend ${PN}-log-rotate.
RRECOMMENDS:${PN} += "${@bb.utils.contains_any('FIREWALLD_DEFAULT_LOG_TARGET', [ 'mixed', 'file' ], '${PN}-log-rotate', '', d)}"
# Add required kernel modules. With Yocto kernel 5.15 this currently means:
# - features/nf_tables/nf_tables.scc
# - features/netfilter/netfilter.scc
# - cgl/features/audit/audit.scc
# - cfg/net/ip6_nf.scc
# - Plus:
# - ebtables
# - ipset
# - CONFIG_IP6_NF_SECURITY=m
# - CONFIG_IP6_NF_MATCH_RPFILTER=m
# - CONFIG_IP6_NF_TARGET_REJECT=m
# - CONFIG_NFT_OBJREF=m
# - CONFIG_NFT_FIB=m
# - CONFIG_NFT_FIB_INET=m
# - CONFIG_NFT_FIB_IPV4=m
# - CONFIG_NFT_FIB_IPV6=m
# - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
# - CONFIG_NETFILTER_XT_SET=m
#
# Map FIREWALLD_KERNEL_MODULES to a space-separated list of kernel-module-*
# package names: each module name is lower-cased and '_' becomes '-'
# (xt_TCPMSS -> kernel-module-xt-tcpmss), presumably to match the package
# names the kernel recipe produces for its modules. Returns "" when the
# variable is unset or empty.
def get_kernel_deps(d):
    module_list = d.getVar('FIREWALLD_KERNEL_MODULES') or ""
    packages = []
    for module in module_list.split():
        packages.append('kernel-module-%s' % module.replace('_', '-').lower())
    return ' '.join(packages)
# Recommend (not require) the kernel-module-* packages derived from
# FIREWALLD_KERNEL_MODULES, so the daemon still installs on kernels that
# build these features in or omit them.
RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}"