From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Julien Olivain <ju.o@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2 1/1] package/firewalld: new package
Date: Tue, 15 Aug 2023 18:30:39 +0200
Message-ID: <20230815163039.GF2603@scaer>
In-Reply-To: <c4cad771de9563a40a3205c2b837d6e9@free.fr>

Julien, All,

On 2023-08-15 17:00 +0200, Julien Olivain spake thusly:
> On 14/08/2023 00:00, Thomas Petazzoni wrote:
> >On Sat, 3 Jun 2023 19:52:04 -0700
> >Adam Duskett <aduskett@gmail.com> wrote:
> >>Firewalld provides a dynamically managed firewall with
> >>support for network or firewall zones to define the trust level of
> >>network connections or interfaces.
> >One thing that would be really nice as a follow-up patch would be a
> >test case for the runtime test infrastructure. This is especially
> >relevant as it is Python based, so it is easy to miss runtime
> >dependencies that might be needed. I've added Julien Olivain in Cc, who
> >can provide guidance on that, as he has probably written some of the
> >most complex/elaborate test cases we have in our runtime infrastructure.
>
> I'll be happy to write such a firewalld runtime test.
>
> When trying to do it, on branch next at commit eea0c9f, I was not able
> to run any of the simplest firewalld commands (Python nftables module
> cannot load).
>
> With a configuration such as:
>
>     make qemu_aarch64_virt_defconfig
>     utils/config \
>         -e BR2_PACKAGE_FIREWALLD \
>         --set-str BR2_TARGET_ROOTFS_EXT2_SIZE 200M
>     make olddefconfig
>     make
>     output/images/start-qemu.sh
>
> Running simple commands, logged as root on qemu target, such as:
>
>     firewall-offline-cmd --version
>     firewalld --nofork --nopid
>     python -c 'import nftables'

I did about the same, starting off with qemu_aarch64_virt_defconfig,
but manually tweaked the configuration to switch to a bootlin glibc
toolchain, and manually enable firewall. And it works:

    # firewalld --version
    usage: firewalld [-h] [--debug [level]] [--debug-gc] [--nofork] [--nopid]
                     [--system-config path] [--default-config path]
                     [--log-target {mixed,syslog,file,console}] [--log-file path]
    firewalld: error: unrecognized arguments: --version
    # firewall-offline-cmd --version
    1.3.2
    # firewalld --nofork --nopid
    2023-08-15 16:24:04 ipset not usable, disabling ipset usage in firewall. Other set backends (nftables) remain usable.
    2023-08-15 16:24:04 iptables-restore and iptables are missing, IPv4 direct rules won't be usable.
    2023-08-15 16:24:04 ip6tables-restore and ip6tables are missing, IPv6 direct rules won't be usable.
    2023-08-15 16:24:04 ebtables-restore and ebtables are missing, eb direct rules won't be usable.
    ^C#
    # python -c 'import nftables'
    #

Regards,
Yann E. MORIN.
> All fail with output such as:
>
>     Traceback (most recent call last):
>       File "<string>", line 1, in <module>
>     ModuleNotFoundError: No module named 'nftables'
>
> I quickly tried with updated version of libnftnl and nftables proposed
> at [1] but it did not help.
>
> Upstream nftables reworked Python integration in commits [2] [3] but
> they are not yet in a release.
>
> So I believe the nftables package needs a rework, at least for its
> python support. We should first write a runtime test for it (including
> its Python support). Only then, we should be able to write a runtime
> test for firewalld.
>
> Best regards,
>
> Julien.
>
> [1] https://patchwork.ozlabs.org/project/buildroot/list/?series=368887
> [2] https://git.netfilter.org/nftables/commit/?id=b3def33efecb2f7be39fc9aefc9546907202056c
> [3] https://git.netfilter.org/nftables/commit/?id=8e603e0f7eec7c0000344a004228a30fbf0ece5c
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
Thread overview: 5+ messages
2023-06-04 2:52 [Buildroot] [PATCH v2 1/1] package/firewalld: new package Adam Duskett
2023-08-13 21:59 ` Thomas Petazzoni via buildroot
2023-08-13 22:00 ` Thomas Petazzoni via buildroot
2023-08-15 15:00 ` Julien Olivain
2023-08-15 16:30 ` Yann E. MORIN [this message]