From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 4/5] package/firewalld: new package
Date: Tue, 7 Apr 2020 10:04:59 +0200
Message-ID: <20200407080459.GH22325@scaer>
In-Reply-To: <20200330234616.1665466-4-aduskett@gmail.com>
Adam, All,
On 2020-03-30 16:46 -0700, aduskett at gmail.com spake thusly:
> From: Adam Duskett <Aduskett@gmail.com>
>
> Firewalld provides a dynamically managed firewall with support for network or
> firewall zones to define the trust level of network connections or interfaces.
> It has support for IPv4, IPv6 firewall settings and for ethernet bridges and
> a separation of runtime and permanent configuration options.
>
> It also provides an interface for services or applications to add iptables and
> ebtables rules directly.
Again, repeating the package description in the commit log is not that
useful...
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>
> ---
[--SNIP--]
> diff --git a/package/firewalld/0001-Add-an-option-to-disable-building-documentation.patch b/package/firewalld/0001-Add-an-option-to-disable-building-documentation.patch
> new file mode 100644
> index 0000000000..150a74a4a5
> --- /dev/null
> +++ b/package/firewalld/0001-Add-an-option-to-disable-building-documentation.patch
> @@ -0,0 +1,90 @@
> +From 1627f1046515e93f7acb34fbfededecf9e1b16a7 Mon Sep 17 00:00:00 2001
> +From: Adam Duskett <Aduskett@gmail.com>
> +Date: Sun, 29 Mar 2020 16:28:06 -0700
> +Subject: [PATCH] improvement: build: add an option to disable building
> + documentation
> +
> +For embedded applications such as Buildroot or Yocto, the man pages may not be
> +desired or even capable of being built.
> +
> +On line 45 of configure.ac there is the line:
> +JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl], [DocBook XSL Stylesheets])
> +
> +There are three issues with this:
> + - It requires building the xml-catalog package.
> + - It automatically defaults to the host systems xml-catalog
> + instead of the cross environments.
> + - It isn't necessary to have a functioning firewalld.
> +
> +Create a new option: --disable-docs. By default, build the documentation, but
> +if a user passes --disable-docs documentation will no longer be built as
> +desired.
> +
> +Upstream-Status: Merged
> +See: https://github.com/firewalld/firewalld/pull/596
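Review bot: the `--disable-docs` option this patch introduces is not exercised by the package as posted: FIREWALLD_CONF_OPTS in firewalld.mk below passes `--without-xml-catalog` but never `--disable-docs`, so either add `--disable-docs` to FIREWALLD_CONF_OPTS or explain in the commit log why `--without-xml-catalog` alone is sufficient. The description's "On line 45 of configure.ac" will also go stale on the next upstream change; naming the `JH_CHECK_XML_CATALOG` call is enough to locate it.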
The usual way we identify backported patches is not from their merge
request, but by stating how it was backported, like:
Backported-from: 1627f1046515e93f7acb34fbfededecf9e1b16a7
or:
upstream commit: 1627f1046515e93f7acb34fbfededecf9e1b16a7
[--SNIP--]
> diff --git a/package/firewalld/Config.in b/package/firewalld/Config.in
> new file mode 100644
> index 0000000000..2b74655b1a
> --- /dev/null
> +++ b/package/firewalld/Config.in
> @@ -0,0 +1,42 @@
> +config BR2_PACKAGE_FIREWALLD
> + bool "firewalld"
> + depends on BR2_USE_MMU # ebtables, gobject-introspection
> + depends on BR2_USE_WCHAR # dbus-python, gettext
> + depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # nftables
> + depends on BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS # gobject-introspection
Move that one up below MMU, as it is an arch-related dependency.
> + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # gobject-introspection
> + depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-python
> + depends on BR2_TOOLCHAIN_USES_GLIBC # gobject-introspection
> + depends on BR2_PACKAGE_DBUS # dbus-python
You should select dbus (and thus inherit its dependencies).
> + depends on BR2_PACKAGE_PYTHON3 # gobject-introspection
> + select BR2_PACKAGE_DBUS_PYTHON
> + select BR2_PACKAGE_EBTABLES
> + select BR2_PACKAGE_GETTEXT
> + select BR2_PACKAGE_GOBJECT_INTROSPECTION
> + select BR2_PACKAGE_IPSET
> + select BR2_PACKAGE_IPTABLES
> + select BR2_PACKAGE_JANSSON # Runtime
> + select BR2_PACKAGE_NFTABLES
> + select BR2_PACKAGE_PYTHON_DECORATOR
> + select BR2_PACKAGE_PYTHON_GOBJECT
> + select BR2_PACKAGE_PYTHON_SIX
> + select BR2_PACKAGE_PYTHON_SLIP_DBUS
> + help
> + Firewalld provides a dynamically managed firewall with
> + support for network or firewall zones to define the trust
> + level of network connections or interfaces. It has support
> + for IPv4, IPv6 firewall settings and for ethernet bridges and
> + a separation of runtime and permanent configuration options.
> + It also provides an interface for services or applications to
> + add ip*tables and ebtables rules directly.
> +
> + https://github.com/firewalld/firewalld
> +
> +comment "firewalld needs python3"
> + depends on !BR2_PACKAGE_PYTHON3
> +
> +comment "firewalld needs a glibc toolchain w/ wchar, threads, gcc >= 4.9"
> + depends on BR2_USE_MMU || !BR2_USE_WCHAR
> + depends on BR2_PACKAGE_DBUS && BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS
> + depends on !BR2_TOOLCHAIN_USES_GLIBC || \
> + !BR2_TOOLCHAIN_HAS_THREADS || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
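Review bot: in the second comment, `depends on BR2_USE_MMU || !BR2_USE_WCHAR` folds the MMU guard into the OR chain of missing-feature conditions, which is not how Buildroot comments are written elsewhere: the MMU guard is a standalone `depends on BR2_USE_MMU` (the comment is never shown on noMMU, where no toolchain choice can help), and `!BR2_USE_WCHAR` belongs in the `||` chain with `!BR2_TOOLCHAIN_USES_GLIBC || !BR2_TOOLCHAIN_HAS_THREADS || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9`. The comment text also omits the `BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12` requirement the main symbol carries for nftables, so a user on older kernel headers gets no hint why firewalld is hidden; add "headers >= 3.12" to the text and `!BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12` to the condition.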
As for python-slip-dbus, I don't much like that we have two
comments. Can you look into making it a single one, please?
> diff --git a/package/firewalld/firewalld.hash b/package/firewalld/firewalld.hash
> new file mode 100644
> index 0000000000..ed4ac54a67
> --- /dev/null
> +++ b/package/firewalld/firewalld.hash
> @@ -0,0 +1,3 @@
> +# Locally computed
> +sha256 cfdf40890bca18892d1695bd902ede695cb2a61e1fcf809a2f8c394ca788a31e firewalld-v0.8.1.tar.gz
> +sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
Two spaces between fields in hash file, please.
> diff --git a/package/firewalld/firewalld.init b/package/firewalld/firewalld.init
> new file mode 100644
> index 0000000000..72c9f7a31a
> --- /dev/null
> +++ b/package/firewalld/firewalld.init
> @@ -0,0 +1,52 @@
> +#!/bin/sh
> +
> +firewalld=/usr/sbin/firewalld
> +pidfile=/var/run/firewalld.pid
> +
> +start() {
> + printf "Starting firewalld: "
> + start-stop-daemon -S -q --exec $firewalld
> + [ $? = 0 ] && echo "OK" || echo "FAIL"
> +}
> +stop() {
> + printf "Stopping firewalld: "
> + start-stop-daemon --stop --quiet --pidfile $pidfile
> + [ $? = 0 ] && echo "OK" || echo "FAIL"
> +}
> +
> +reload(){
> + printf "Reloading firewalld: "
> + firewall-cmd --reload
> + [ $? = 0 ] && echo "OK" || echo "FAIL"
> +}
> +
> +restart() {
> + stop
> + start
> +}
> +
> +status(){
> + firewall-cmd --state
> +}
> +
> +
> +case "$1" in
> + start)
> + start
> + ;;
> + stop)
> + stop
> + ;;
> + restart)
> + restart
> + ;;
> + reload)
> + reload
> + ;;
> + status)
> + status
> + ;;
case "${1}" in
start|stop|....)
${1}
;;
*)
echo "usage..."
;;
esac
> + *)
> + echo "Usage: $0 {start|stop|restart|reload|status}"
> + exit 1
> +esac
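Review bot: in start(), stop() and reload(), `[ $? = 0 ] && echo "OK" || echo "FAIL"` discards the daemon's exit status: whichever branch runs, the function's (and so the script's) exit status is that of `echo`, i.e. 0, so a failed start is reported as success to whatever invoked the script. Capture it first (`status=$?`), print OK/FAIL from that, `return "$status"`, and finish the script with `exit $?` after `esac`. Also, start() uses short options (`-S -q`) while stop() uses long ones (`--stop --quiet`); pick one style, and give start a `--pidfile $pidfile` to match stop, so start-stop-daemon can refuse to launch a second instance when one is already running.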
> diff --git a/package/firewalld/firewalld.mk b/package/firewalld/firewalld.mk
> new file mode 100644
> index 0000000000..e028a01c84
> --- /dev/null
> +++ b/package/firewalld/firewalld.mk
> @@ -0,0 +1,79 @@
> +################################################################################
> +#
> +# firewalld
> +#
> +################################################################################
> +
> +FIREWALLD_VERSION = v0.8.1
> +FIREWALLD_SITE = $(call github,firewalld,firewalld,$(FIREWALLD_VERSION))
> +FIREWALLD_LICENSE = GPL-2.0
> +FIREWALLD_LICENSE_FILES = COPYING
> +FIREWALLD_AUTORECONF = YES
> +FIREWALLD_DEPENDENCIES = \
> + host-intltool \
> + host-libglib2 \
> + host-libxml2 \
> + host-libxslt \
> + dbus-python \
> + dbus-python \
> + ebtables \
> + gettext \
> + gobject-introspection \
> + ipset \
> + iptables \
> + jansson \
> + nftables \
> + python3 \
> + python-decorator \
> + python-gobject \
> + python-six \
> + python-slip-dbus
> +
> +define FIREWALLD_RUN_AUTOGEN
> + cd $(@D) && $(HOST_DIR)/bin/intltoolize --force
> +endef
> +FIREWALLD_PRE_CONFIGURE_HOOKS += FIREWALLD_RUN_AUTOGEN
This warrants a bit of explanation in the commit log.
> +# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
> +# when the nftables backend is available, because nftables supersedes all of
> +# them. However we still need to build and install iptables and ip6tables
> +# because application relying on direct passthrough rules (IE docker) will
> +# break.
> +# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
> +# the Red Hat-specific init script which isn't used.
Why do you need this blurb about /etc/sysconfig/firewalld? We don't have
anything about it below, so referring to it is confusing... Unless you
are referring to the option --disable-sysconfig?
> +FIREWALLD_CONF_OPTS += \
> + --disable-rpmmacros \
> + --disable-sysconfig \
> + --with-ip6tables-restore=/usr/sbin/ip6tables-restore \
> + --with-ip6tables=/usr/sbin/ip6tables \
> + --with-iptables-restore=/usr/sbin/iptables-restore \
> + --with-iptables=/usr/sbin/iptables \
> + --with-nft=/usr/sbin/nft \
> + --without-ebtables \
> + --without-ebtables-restore \
> + --without-ipset \
> + --without-xml-catalog
> +
> +
Only one empty line.
Thanks!
Regards,
Yann E. MORIN.
> +# Firewalld hard codes the python shebangs to the full path of the
> +# python-interpreter. IE: #!/home/buildroot/output/host/bin/python.
> +# Force the proper python path.
> +FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)"
> +
> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> +FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
> +else
> +FIREWALLD_CONF_OPTS += --disable-systemd
> +endif
> +
> +define FIREWALLD_INSTALL_INIT_SYSTEMD
> + $(INSTALL) -D -m 0644 $(FIREWALLD_PKGDIR)/firewalld.service \
> + $(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
> +endef
> +
> +define FIREWALLD_INSTALL_INIT_SYSV
> + $(INSTALL) -m 0755 -D $(FIREWALLD_PKGDIR)/firewalld.init \
> + $(TARGET_DIR)/etc/init.d/S41firewalld
> +endef
> +
> +$(eval $(autotools-package))
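Review bot: `dbus-python` is listed twice in FIREWALLD_DEPENDENCIES; drop the duplicate. The configure options and the dependency list also disagree: `--without-ebtables`, `--without-ebtables-restore` and `--without-ipset` tell firewalld not to use those tools, yet `ebtables` and `ipset` are both build dependencies here and `select`ed in Config.in, and the comment block above even says they should be unnecessary with the nftables backend; either drop the two packages or state in that comment why they are still pulled in. Minor: `FIREWALLD_CONF_OPTS +=` is the first assignment of that variable, so `=` would be the usual form.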
> --
> 2.25.1
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'