meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb

SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
HOMEPAGE = "https://firewalld.org/"
BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"

SRC_URI = "\
    https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
    file://firewalld.init \
    file://run-ptest \
"
SRC_URI[sha256sum] = "28fd90e88bda0dfd460f370f353474811b2e295d7eb27f0d7d18ffa3d786eeb7"

# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
DEPENDS = "intltool-native glib-2.0-native nftables"

inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest

PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset"
PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables"

# Default logging configuration: mixed syslog file console
FIREWALLD_DEFAULT_LOG_TARGET ??= "syslog"

# The UIs are not yet tested and the dependencies are probably not quite correct yet.
# Splitting into separate packages is beneficial so that no dead code is transferred
# to the target device.
# Without enabling qt5, the firewalld-config package is not usable.
# Without enabling qt5 and gtk, the firewalld-applet package is not usable.
PACKAGECONFIG[qt5] = ""
PACKAGECONFIG[gtk] = ""

PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion ${PN}-log-rotate"

# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
# when the nftables backend is available, because nftables supersedes all of them.
# However we still need iptables and ip6tables to be available otherwise any
# application relying on "direct passthrough" rules (such as docker) will break.
# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
# the Red Hat-specific init script which we aren't using, so we disable that.
EXTRA_OECONF = "\
    --with-iptables=${sbindir}/iptables \
    --with-iptables-restore=${sbindir}/iptables-restore \
    --with-ip6tables=${sbindir}/ip6tables \
    --with-ip6tables-restore=${sbindir}/ip6tables-restore \
    --disable-sysconfig \
"

INITSCRIPT_NAME = "firewalld"
SYSTEMD_SERVICE:${PN} = "firewalld.service"

# kernel modules loaded after ptest execution (linux-yocto 5.15)
FIREWALLD_KERNEL_MODULES ?= "\
    xt_tcpudp \
    xt_TCPMSS \
    xt_set \
    xt_sctp \
    xt_REDIRECT \
    xt_pkttype \
    xt_NFLOG \
    xt_nat \
    xt_MASQUERADE \
    xt_mark \
    xt_mac \
    xt_LOG \
    xt_limit \
    xt_dccp \
    xt_CT \
    xt_conntrack \
    xt_CHECKSUM \
    nft_redir \
    nft_objref \
    nft_nat \
    nft_masq \
    nft_log \
    nfnetlink_log \
    nf_nat_tftp \
    nf_nat_sip \
    nf_nat_ftp \
    nf_log_syslog \
    nf_conntrack_tftp \
    nf_conntrack_sip \
    nf_conntrack_netbios_ns \
    nf_conntrack_ftp \
    nf_conntrack_broadcast \
    ipt_REJECT \
    ip6t_rpfilter \
    ip6t_REJECT \
    ip_set_hash_netport \
    ip_set_hash_netnet \
    ip_set_hash_netiface \
    ip_set_hash_net \
    ip_set_hash_mac \
    ip_set_hash_ipportnet \
    ip_set_hash_ipport \
    ip_set_hash_ipmark \
    ip_set_hash_ip \
    ebt_ip6 \
    nft_fib_inet \
    nft_fib_ipv4 \
    nft_fib_ipv6 \
    nft_fib \
    nft_reject_inet \
    nf_reject_ipv4 \
    nf_reject_ipv6 \
    nft_reject \
    nft_ct \
    nft_chain_nat \
    ebtable_nat \
    ebtable_broute \
    ip6table_nat \
    ip6table_mangle \
    ip6table_raw \
    ip6table_security \
    iptable_nat \
    nf_nat \
    nf_conntrack \
    nf_defrag_ipv6 \
    nf_defrag_ipv4 \
    iptable_mangle \
    iptable_raw \
    iptable_security \
    ip_set \
    ebtable_filter \
    ebtables \
    ip6table_filter \
    ip6_tables \
    iptable_filter \
    ip_tables \
    x_tables \
    sch_fq_codel \
"

do_configure:prepend() {
    export DEFAULT_LOG_TARGET=${FIREWALLD_DEFAULT_LOG_TARGET}
}

do_install:append() {
    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
        # firewalld ships an init script but it contains Red Hat-isms, replace it with our own
        rm -rf ${D}${sysconfdir}/rc.d/
        install -d ${D}${sysconfdir}/init.d
        install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
    fi

    if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then
        # Delete polkit profiles if polkit is not available
        rm -rf ${D}${datadir}/polkit-1
    fi

    # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
    # so now we need to fix up any references to point at the proper path in the image.
    # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
    if [ ${PN} != "${BPN}-native" ]; then
        sed -i -e s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g \
            ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
    fi
    sed -i -e s:${STAGING_BINDIR_NATIVE}:${bindir}:g \
        ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml

    # This file contains Red Hat-isms. Modules get loaded without it.
    rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
}

do_install_ptest:append() {
    # Add kernel modules to the ptest script
    if [ ${PTEST_ENABLED} = "1" ]; then
        sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \
            ${D}${PTEST_PATH}/run-ptest
    fi
}

SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)"
FILES:python3-firewall = "\
    ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \
"
RDEPENDS:python3-firewall = "\
    python3-dbus \
    nftables-python \
    python3-pygobject \
"

# Do not depend on QT5 layer and GTK deps if not explicitely required.
FIREWALLD_QT5_RDEPENDS = "\
    ${PN}-config \
    hicolor-icon-theme \
    python3-pyqt5 \
    python3-pygobject \
    libnotify \
    networkmanager \
"
FIREWALLD_GTK_RDEPENDS = "\
    gtk3 \
"

# A QT5 based UI
SUMMARY:${PN}-config = "${SUMMARY} (configuration application)"
FILES:${PN}-config = "\
    ${bindir}/firewall-config \
    ${datadir}/firewalld/firewall-config.glade \
    ${datadir}/firewalld/gtk3_chooserbutton.py* \
    ${datadir}/firewalld/gtk3_niceexpander.py* \
    ${datadir}/applications/firewall-config.desktop \
    ${datadir}/metainfo/firewall-config.appdata.xml \
    ${datadir}/icons/hicolor/*/apps/firewall-config*.* \
"
RDEPENDS:${PN}-config += "\
    python3-core \
    python3-ctypes \
    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
"

# A GTK3 applet depending on the QT5 firewall-config UI
SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)"
FILES:${PN}-applet += "\
    ${bindir}/firewall-applet \
    ${sysconfdir}/xdg/autostart/firewall-applet.desktop \
    ${sysconfdir}/firewall/applet.conf \
    ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \
"
RDEPENDS:${PN}-applet += "\
    python3-core \
    python3-ctypes \
    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
    ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \
"

SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)"
FILES:${PN}-offline-cmd += " \
    ${bindir}/firewall-offline-cmd \
"
RDEPENDS:${PN}-offline-cmd += "python3-core"

SUMMARY:${PN}-log-rotate = "${SUMMARY} (log-rotate configuration)"
FILES:${PN}-log-rotate += "${sysconfdir}/logrotate.d"

# To get allmost all tests passing
# - Enable PACKAGECONFIG ipset, ebtable
# - Enough RAM QB_MEM = "-m 8192" (used für fancy ipset tests)
FILES:${PN}-ptest += "\
    ${datadir}/firewalld/testsuite \
"
RDEPENDS:${PN}-ptest += "\
    python3-unittest \
    ${PN}-offline-cmd \
    procps-ps \
    iproute2 \
"
RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"

FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"

FILES:${PN} += "\
    ${PYTHON_SITEPACKAGES_DIR}/firewall \
    ${nonarch_libdir}/firewalld \
    ${datadir}/dbus-1 \
    ${datadir}/polkit-1 \
    ${datadir}/metainfo \
    ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \
"
RDEPENDS:${PN} += "\
    python3-firewall \
    iptables \
    python3-core \
    python3-io \
    python3-fcntl \
    python3-syslog \
    python3-xml \
    python3-json \
    python3-ctypes \
    python3-pprint \
"
# If firewalld writes a log file rotation is needed
RRECOMMENDS:${PN} += "${@bb.utils.contains_any('FIREWALLD_DEFAULT_LOG_TARGET', [ 'mixed', 'file' ], '${PN}-log-rotate', '', d)}"

# Add required kernel modules. With Yocto kernel 5.15 this currently means:
# - features/nf_tables/nf_tables.scc
# - features/netfilter/netfilter.scc
# - cgl/features/audit/audit.scc
# - cfg/net/ip6_nf.scc
# - Plus:
#   - ebtables
#   - ipset
#   - CONFIG_IP6_NF_SECURITY=m
#   - CONFIG_IP6_NF_MATCH_RPFILTER=m
#   - CONFIG_IP6_NF_TARGET_REJECT=m
#   - CONFIG_NFT_OBJREF=m
#   - CONFIG_NFT_FIB=m
#   - CONFIG_NFT_FIB_INET=m
#   - CONFIG_NFT_FIB_IPV4=m
#   - CONFIG_NFT_FIB_IPV6=m
#   - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
#   - CONFIG_NETFILTER_XT_SET=m
def get_kernel_deps(d):
    kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split()
    return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ])
RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}"