From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Julien Olivain <ju.o@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>,
	Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
	buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2 1/1] package/firewalld: new package
Date: Tue, 15 Aug 2023 18:30:39 +0200	[thread overview]
Message-ID: <20230815163039.GF2603@scaer> (raw)
In-Reply-To: <c4cad771de9563a40a3205c2b837d6e9@free.fr>

Julien, All,

On 2023-08-15 17:00 +0200, Julien Olivain spake thusly:
> On 14/08/2023 00:00, Thomas Petazzoni wrote:
> >On Sat,  3 Jun 2023 19:52:04 -0700
> >Adam Duskett <aduskett@gmail.com> wrote:
> >>Firewalld provides a dynamically managed firewall with support for
> >>network or firewall zones to define the trust level of network
> >>connections or interfaces.
> >One thing that would be really nice as a follow-up patch would be a
> >test case for the runtime test infrastructure. This is especially
> >relevant as it is Python based, so it is easy to miss runtime
> >dependencies that might be needed. I've added Julien Olivain in Cc, who
> >can provide guidance on that, as he has probably written some of the
> >most complex/elaborate test cases we have in our runtime infrastructure.
> 
> I'll be happy to write such a firewalld runtime test.
> 
> When trying to do it, on branch next at commit eea0c9f, I was not able
> to run any of the simplest firewalld commands (Python nftables module
> cannot load).
> 
> With a configuration such as:
> 
>     make qemu_aarch64_virt_defconfig
>     utils/config \
>         -e BR2_PACKAGE_FIREWALLD \
>         --set-str BR2_TARGET_ROOTFS_EXT2_SIZE 200M
>     make olddefconfig
>     make
>     output/images/start-qemu.sh
> 
> Running simple commands, logged as root on qemu target, such as:
> 
>     firewall-offline-cmd --version
>     firewalld --nofork --nopid
>     python -c 'import nftables'

I did about the same, starting off with qemu_aarch64_virt_defconfig,
but manually tweaked the configuration to switch to a bootlin glibc
toolchain, and manually enabled firewalld. And it works:

    # firewalld --version
    usage: firewalld [-h] [--debug [level]] [--debug-gc] [--nofork] [--nopid]
                     [--system-config path] [--default-config path]
                     [--log-target {mixed,syslog,file,console}] [--log-file path]
    firewalld: error: unrecognized arguments: --version
    # firewall-offline-cmd --version
    1.3.2
    # firewalld --nofork --nopid
    2023-08-15 16:24:04 ipset not usable, disabling ipset usage in firewall.  Other set backends (nftables) remain usable.
    2023-08-15 16:24:04 iptables-restore and iptables are missing, IPv4 direct rules won't be usable.
    2023-08-15 16:24:04 ip6tables-restore and ip6tables are missing, IPv6 direct rules won't be usable.
    2023-08-15 16:24:04 ebtables-restore and ebtables are missing, eb direct rules won't be usable.
    ^C#
    # python -c 'import nftables'
    #

Regards,
Yann E. MORIN.

> All fail with output such as:
> 
>     Traceback (most recent call last):
>       File "<string>", line 1, in <module>
>     ModuleNotFoundError: No module named 'nftables'
> 
> I quickly tried with the updated versions of libnftnl and nftables proposed
> at [1], but it did not help.
> 
> Upstream nftables reworked Python integration in commits [2] [3], but they
> are not yet in a release.
> 
> So I believe the nftables package needs a rework, at least for its
> python support. We should first write a runtime test for it (including
> its Python support). Only then, we should be able to write a runtime
> test for firewalld.
> 
> Best regards,
> 
> Julien.
> 
> [1] https://patchwork.ozlabs.org/project/buildroot/list/?series=368887
> [2] https://git.netfilter.org/nftables/commit/?id=b3def33efecb2f7be39fc9aefc9546907202056c
> [3] https://git.netfilter.org/nftables/commit/?id=8e603e0f7eec7c0000344a004228a30fbf0ece5c
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
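The thread's practical point is that a Python-based package such as firewalld can build fine and still fail at run time because a Python module (here `nftables`) is not on the target. The probe below is an added example, not code from this thread, from Buildroot or from firewalld: run from the target's own Python, it reports the required module import that fails in Julien's log and the optional front-ends that firewalld only warns about in Yann's log (ipset, iptables, ip6tables, ebtables). The function names (`probe`, `module_available`, `binary_available`, `format_report`) and the required/optional classification are assumptions made here; only `nftables` and the binary names come from the thread.

```python
"""Runtime-dependency probe for a firewalld target image.

Added example (not from the thread, Buildroot or firewalld). It checks,
from the target's own interpreter, the pieces firewalld loads at run time:
the Python module it must import (Julien's failing `import nftables`) and
the set/table front-ends firewalld merely warns about when absent (the
"ipset not usable" / "iptables-restore and iptables are missing" lines).
"""
import importlib.util
import shutil

# Required: firewalld's nftables backend imports this Python module (the
# import that fails in the thread). Marking it "required" is an assumption.
REQUIRED_MODULES = ["nftables"]

# Optional: firewalld starts without these, logging a warning and disabling
# the matching feature (ipset, IPv4/IPv6/eb direct rules), as in Yann's log.
OPTIONAL_BINARIES = [
    "ipset",
    "iptables-restore", "iptables",
    "ip6tables-restore", "ip6tables",
    "ebtables-restore", "ebtables",
]


def module_available(name):
    """True if `name` can be found by the running interpreter's import system."""
    try:
        return importlib.util.find_spec(name) is not None
    except (ImportError, ValueError):
        # ImportError: dotted name whose parent package is missing;
        # ValueError: empty or otherwise malformed module name.
        return False


def binary_available(name):
    """True if `name` is an executable on PATH."""
    return shutil.which(name) is not None


def probe(required_modules=REQUIRED_MODULES, optional_binaries=OPTIONAL_BINARIES):
    """Return a report dict; 'ok' is False only when a required piece is missing."""
    missing_required = [m for m in required_modules if not module_available(m)]
    missing_optional = [b for b in optional_binaries if not binary_available(b)]
    return {
        "missing_required": missing_required,
        "missing_optional": missing_optional,
        "ok": not missing_required,
    }


def format_report(report):
    """Render the probe result as the lines a runtime test would log."""
    lines = []
    for m in report["missing_required"]:
        lines.append(f"MISSING (required): python module '{m}'")
    for b in report["missing_optional"]:
        lines.append(f"missing (optional): {b}; firewalld will disable the matching feature")
    lines.append("firewalld runtime deps: OK" if report["ok"]
                 else "firewalld runtime deps: FAIL")
    return lines


if __name__ == "__main__":
    import sys
    rep = probe()
    print("\n".join(format_report(rep)))
    # Non-zero exit lets a runtime test or a boot script treat a missing
    # required module as a failure instead of a warning.
    sys.exit(0 if rep["ok"] else 1)
```

Copied onto the qemu target and run with the target's `python`, the script exits non-zero on the configuration Julien describes (no `nftables` module) and zero on Yann's, while still listing the iptables/ebtables/ipset front-ends that firewalld reported as unusable. The same checks can be issued one by one from a Buildroot runtime test over the emulator's shell; the script is only a convenient way to enumerate them first.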

Thread overview: 5+ messages
2023-06-04  2:52 [Buildroot] [PATCH v2 1/1] package/firewalld: new package Adam Duskett
2023-08-13 21:59 ` Thomas Petazzoni via buildroot
2023-08-13 22:00 ` Thomas Petazzoni via buildroot
2023-08-15 15:00   ` Julien Olivain
2023-08-15 16:30     ` Yann E. MORIN [this message]