Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5
@ 2023-04-12 22:26 Adam Duskett
  2023-04-12 22:26 ` [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7 Adam Duskett
                   ` (3 more replies)
  0 siblings, 4 replies; 12+ messages in thread
From: Adam Duskett @ 2023-04-12 22:26 UTC (permalink / raw)
  To: buildroot; +Cc: Adam Duskett, Thomas Petazzoni

Also: Switch to tar.xz as the package is not distributed as a .bz2 any longer.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/libnftnl/libnftnl.hash | 2 +-
 package/libnftnl/libnftnl.mk   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libnftnl/libnftnl.hash b/package/libnftnl/libnftnl.hash
index 113110fc1b..0cb3917f2d 100644
--- a/package/libnftnl/libnftnl.hash
+++ b/package/libnftnl/libnftnl.hash
@@ -1,3 +1,3 @@
 # From http://www.netfilter.org/projects/libnftnl/downloads.html
-sha256  e916ea9b79f9518560b9a187251a7c042442a9ecbce7f36be7908888605d0255  libnftnl-1.2.3.tar.bz2
+sha256  966de0a8120c8a53db859889749368bfb2cba0c4f0b4c1a30d264eccc45f1226  libnftnl-1.2.5.tar.xz
 sha256  98193898c663001eff2fdcfb676e210c13042bc1a05e8d570c363efa396f8e24  COPYING
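Review bot: the provenance comment on the first line of this hunk still cites the plain-http downloads page, while libnftnl.mk fetches from https://netfilter.org/projects/libnftnl/files. Please switch the comment to the https URL and say in the commit message whether the new sha256 for libnftnl-1.2.5.tar.xz was copied from a checksum upstream publishes or computed from the downloaded tarball; a locally computed value only pins what was downloaded, so it should be checked against the checksum or signature upstream publishes before it is merged.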
diff --git a/package/libnftnl/libnftnl.mk b/package/libnftnl/libnftnl.mk
index fd87f70091..a7045337d0 100644
--- a/package/libnftnl/libnftnl.mk
+++ b/package/libnftnl/libnftnl.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-LIBNFTNL_VERSION = 1.2.3
+LIBNFTNL_VERSION = 1.2.5
 LIBNFTNL_SITE = https://netfilter.org/projects/libnftnl/files
-LIBNFTNL_SOURCE = libnftnl-$(LIBNFTNL_VERSION).tar.bz2
+LIBNFTNL_SOURCE = libnftnl-$(LIBNFTNL_VERSION).tar.xz
 LIBNFTNL_LICENSE = GPL-2.0+
 LIBNFTNL_LICENSE_FILES = COPYING
 LIBNFTNL_INSTALL_STAGING = YES
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7
  2023-04-12 22:26 [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5 Adam Duskett
@ 2023-04-12 22:26 ` Adam Duskett
  2023-05-12 19:18   ` Peter Korsgaard
  2023-06-13 12:53   ` Peter Korsgaard
  2023-04-12 22:26 ` [Buildroot] [PATCH 3/3] package/firewalld: new package Adam Duskett
                   ` (2 subsequent siblings)
  3 siblings, 2 replies; 12+ messages in thread
From: Adam Duskett @ 2023-04-12 22:26 UTC (permalink / raw)
  To: buildroot; +Cc: Adam Duskett, Thomas Petazzoni

Other changes:
  - Switch to tar.xz as the package is not distributed as a .bz2 any longer.
  - Update the sha256sum of the license file, as it has been updated to
    include the following text:
    "Original author of nftables distributed the code under the terms of the
     GPL version 2 *only*. New code though is moving to GPL version 2 or any
     later which is the preferred license for this project these days."
    The author has also changed from Patrick McHardy <kaber@trash.net> to
    Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/nftables/nftables.hash | 4 ++--
 package/nftables/nftables.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/nftables/nftables.hash b/package/nftables/nftables.hash
index 5e5134b61d..7e1e856229 100644
--- a/package/nftables/nftables.hash
+++ b/package/nftables/nftables.hash
@@ -1,3 +1,3 @@
 # From https://netfilter.org/projects/nftables/downloads.html
-sha256  8d1b4b18393af43698d10baa25d2b9b6397969beecac7816c35dd0714e4de50a  nftables-1.0.5.tar.bz2
-sha256  c17bc4fa5b2434c6f283ffcb2312e5bf3c7cdf5787b79505f094d8de734ac53e  COPYING
+sha256  c12ac941fff9adaedf17367d5ce213789b98a0d314277bc22b3d71e10891f412  nftables-1.0.7.tar.xz
+sha256  4ee1e51baf5f3166712fa0c3e01338c7257e50ddef245d28bb14ad68f6070ba5  COPYING
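Review bot: both new hashes sit under the single "From https://netfilter.org/projects/nftables/downloads.html" comment, but the COPYING value is a hash of a file inside the tarball and is unlikely to be published on that page. Put the license hash under its own "# Locally computed" comment, as firewalld.hash in this series does, so a later reviewer can tell which value is upstream-provided and which one was generated on the submitter's machine.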
diff --git a/package/nftables/nftables.mk b/package/nftables/nftables.mk
index 9d60736d7f..b0a14bd429 100644
--- a/package/nftables/nftables.mk
+++ b/package/nftables/nftables.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-NFTABLES_VERSION = 1.0.5
-NFTABLES_SOURCE = nftables-$(NFTABLES_VERSION).tar.bz2
+NFTABLES_VERSION = 1.0.7
+NFTABLES_SOURCE = nftables-$(NFTABLES_VERSION).tar.xz
 NFTABLES_SITE = https://www.netfilter.org/projects/nftables/files
 NFTABLES_DEPENDENCIES = libmnl libnftnl host-pkgconf $(TARGET_NLS_DEPENDENCIES)
 NFTABLES_LICENSE = GPL-2.0
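Review bot: NFTABLES_LICENSE stays at GPL-2.0 in the context lines of this hunk, although the commit message says the updated COPYING now states that new code is moving to GPL version 2 or any later. Either adjust the license string to reflect the mixed licensing or explain in the commit message why GPL-2.0 is still the right value, since the license hash changes in this same patch.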
-- 
2.40.0


* [Buildroot] [PATCH 3/3] package/firewalld: new package
  2023-04-12 22:26 [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5 Adam Duskett
  2023-04-12 22:26 ` [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7 Adam Duskett
@ 2023-04-12 22:26 ` Adam Duskett
  2023-04-13  9:29   ` Marcus Hoffmann via buildroot
  2023-05-12 19:17 ` [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5 Peter Korsgaard
  2023-06-13 12:53 ` Peter Korsgaard
  3 siblings, 1 reply; 12+ messages in thread
From: Adam Duskett @ 2023-04-12 22:26 UTC (permalink / raw)
  To: buildroot; +Cc: Adam Duskett, Thomas Petazzoni

Firewalld provides a dynamically managed firewall with
support for network or firewall zones to define the trust level of network
connections or interfaces.

Items of note:

 - Setting PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)" prevents
   Firewalld from setting the shebang in the installed python files to the
   full path to the python interpreter used when building.

 - The bundled provided SYSV init file has several bashisms and requires
   /etc/init.d/functions which buildroot doesn't provide. So instead, a more
   simple init.d file is provided in the package directory, which does not
   require bash.

 - Firewalld >= 1.0.0 requires a linux kernel version of 5.3 or later.
   Because Buildroot does not have a mechanism to detect what version a user
   is compiling if the kernel is external, there is no way to prevent a user
   with an external kernel older than 5.3 to select this package.

 - To run, Firewalld requires enabling almost every single nftables option in
   the kernel menuconfig. Indeed for a regular user, this task is quite a
   time-consuming operation, and missing even one required nftables option
   results in firewalld failing to start.

   Through a mix of trial and error and talking to the upstream developers,
   the package selects the minimum amount of kernel options required for
   runtime. Understandably the list is daunting. However, these options
   have passed run-time tests with kernel 5.3 (the minimum kernel version
   required) and kernel 6.2.10 (the latest kernel version as of this commit
   log.)

As such, it is safe to say these options will work for anybody wanting to
use firewalld with a supported kernel version of 4.18 or higher.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/Config.in                |   1 +
 package/firewalld/Config.in      |  43 ++++++
 package/firewalld/S46firewalld   |  66 ++++++++
 package/firewalld/firewalld.hash |   3 +
 package/firewalld/firewalld.mk   | 257 +++++++++++++++++++++++++++++++
 5 files changed, 370 insertions(+)
 create mode 100644 package/firewalld/Config.in
 create mode 100644 package/firewalld/S46firewalld
 create mode 100644 package/firewalld/firewalld.hash
 create mode 100644 package/firewalld/firewalld.mk

diff --git a/package/Config.in b/package/Config.in
index 760dda6ac1..78f3fca6ed 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2311,6 +2311,7 @@ endif
 	source "package/fail2ban/Config.in"
 	source "package/fastd/Config.in"
 	source "package/fcgiwrap/Config.in"
+	source "package/firewalld/Config.in"
 	source "package/flannel/Config.in"
 	source "package/fmc/Config.in"
 	source "package/fping/Config.in"
diff --git a/package/firewalld/Config.in b/package/firewalld/Config.in
new file mode 100644
index 0000000000..2265fe9dd4
--- /dev/null
+++ b/package/firewalld/Config.in
@@ -0,0 +1,43 @@
+config BR2_PACKAGE_FIREWALLD
+	bool "firewalld"
+	depends on BR2_USE_MMU # gobject-introspection, python-gobject
+	depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
+	depends on BR2_USE_WCHAR # glib2, dbus-python, nftables
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # gobject-introspection
+	depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-python
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
+	depends on BR2_TOOLCHAIN_USES_GLIBC # gobject-introspection
+	depends on BR2_HOST_GCC_AT_LEAST_8 # gobject-introspection -> host-qemu
+	depends on BR2_PACKAGE_PYTHON3 # dbus-python, gobject-introspection
+	select BR2_PACKAGE_DBUS # dbus-python
+	select BR2_PACKAGE_DBUS_PYTHON
+	select BR2_PACKAGE_GOBJECT_INTROSPECTION
+	select BR2_PACKAGE_JANSSON # Uses the nftables json interface
+	select BR2_PACKAGE_NFTABLES
+	select BR2_PACKAGE_PYTHON_GOBJECT
+	help
+	  Firewalld provides a dynamically managed firewall with
+	  support for network or firewall zones to define the trust
+	  level of network connections or interfaces. It has support
+	  for IPv4, IPv6 firewall settings and for ethernet bridges and
+	  a separation of runtime and permanent configuration options.
+	  It also provides an interface for services or applications to
+	  add ip*tables and ebtables rules directly.
+
+	  Note: Firewalld uses nftables as the backend as requires
+	  kernel version >= 4.18.
+
+	  https://github.com/firewalld/firewalld
+
+comment "firewalld needs python3"
+	depends on !BR2_PACKAGE_PYTHON3
+	depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
+
+comment "firewalld needs a glibc toolchain w/ wchar, dynamic library, headers >= 3.12, gcc >= 4.9, host gcc >= 8"
+	depends on BR2_USE_MMU
+	depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
+	depends on !BR2_TOOLCHAIN_USES_GLIBC || \
+		!BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \
+		!BR2_USE_WCHAR || BR2_STATIC_LIBS || \
+		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
+		!BR2_HOST_GCC_AT_LEAST_8
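Review bot: the second comment block tests BR2_STATIC_LIBS and advertises "dynamic library", but the config symbol has no "depends on !BR2_STATIC_LIBS", and it does have "depends on BR2_TOOLCHAIN_HAS_THREADS", which the comment neither mentions nor tests. The comment condition and the symbol's dependencies should be the exact negation of each other: add the missing depends line (or drop it from the comment if another dependency already implies it) and add threads to the comment text and condition. In the help text, "uses nftables as the backend as requires" should read "and requires".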
diff --git a/package/firewalld/S46firewalld b/package/firewalld/S46firewalld
new file mode 100644
index 0000000000..40f43e1f57
--- /dev/null
+++ b/package/firewalld/S46firewalld
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+DAEMON=firewalld
+PIDFILE=/var/run/$DAEMON.pid
+
+start() {
+	printf "Starting firewalld: "
+	start-stop-daemon -S -q --exec $DAEMON
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+}
+stop() {
+	printf "Stopping firewalld: "
+	start-stop-daemon --stop --quiet --pidfile $PIDFILE
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+}
+
+reload(){
+	printf "Reloading firewalld: "
+	firewall-cmd --reload
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+}
+
+restart() {
+	stop
+	start
+}
+
+status(){
+	firewall-cmd --state
+}
+
+case "$1" in
+		start)
+			start
+			;;
+		stop)
+			stop
+			;;
+		restart)
+			restart
+			;;
+		reload)
+			reload
+			;;
+		status)
+			status
+			;;
+		*)
+			echo "Usage: $0 {start|stop|restart|reload|status}"
+			exit 1
+esac
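Review bot: start(), stop() and reload() store $? in status and print FAIL, but none of them returns it, so the script exits 0 even when firewalld did not come up and nothing that calls the script can tell that the target booted without its firewall. End each of the three functions with 'return "$status"'. The final "*)" branch of the case statement also lacks its ";;", which the shell accepts but which differs from the other branches.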
diff --git a/package/firewalld/firewalld.hash b/package/firewalld/firewalld.hash
new file mode 100644
index 0000000000..462bff5b42
--- /dev/null
+++ b/package/firewalld/firewalld.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256  bf26db8937305f1641798f9bf71545fec9c0241c4b2a512a6a93225e0b2cd310  firewalld-1.3.0.tar.gz
+sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/firewalld/firewalld.mk b/package/firewalld/firewalld.mk
new file mode 100644
index 0000000000..efb0686720
--- /dev/null
+++ b/package/firewalld/firewalld.mk
@@ -0,0 +1,257 @@
+################################################################################
+#
+# firewalld
+#
+################################################################################
+
+FIREWALLD_VERSION = 1.3.0
+FIREWALLD_SITE = $(call github,firewalld,firewalld,v$(FIREWALLD_VERSION))
+FIREWALLD_LICENSE = GPL-2.0
+FIREWALLD_LICENSE_FILES = COPYING
+FIREWALLD_AUTORECONF = YES
+
+FIREWALLD_DEPENDENCIES = \
+	host-intltool \
+	host-libglib2 \
+	host-libxml2 \
+	host-libxslt \
+	dbus-python \
+	gobject-introspection \
+	jansson \
+	nftables \
+	python3 \
+	python-gobject
+
+# Firewalld hard codes the python shebangs to the full path of the
+# python-interpreter. IE: #!/home/buildroot/output/host/bin/python.
+# Force the proper python path.
+FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"
+
+# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
+# the Red Hat-specific init script which isn't used, so we set
+# --disable-sysconfig.
+FIREWALLD_CONF_OPTS += \
+	--disable-rpmmacros \
+	--disable-sysconfig \
+	--with-nft=/usr/sbin/nft \
+	--without-ebtables \
+	--without-ebtables-restore \
+	--without-ipset \
+	--without-xml-catalog
+
+ifeq ($(BR2_PACKAGE_IPTABLES),y)
+FIREWALLD_DEPENDENCIES += iptables
+FIREWALLD_CONF_OPTS += \
+	--with-ip6tables-restore=/usr/sbin/ip6tables-restore \
+	--with-ip6tables=/usr/sbin/ip6tables \
+	--with-iptables-restore=/usr/sbin/iptables-restore \
+	--with-iptables=/usr/sbin/iptables
+else
+FIREWALLD_CONF_OPTS += -without-iptables
+endif
+
+ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
+FIREWALLD_CONF_OPTS += --enable-nls
+endif
+
+ifeq ($(BR2_PACKAGE_SYSTEMD),y)
+FIREWALLD_DEPENDENCIES += systemd
+FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
+else
+FIREWALLD_CONF_OPTS += --disable-systemd
+endif
+
+define FIREWALLD_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
+endef
+
+# The bundled sysvinit file requires /etc/init.d/functions which is not
+# provided by buildroot. As such, we provide our own firewalld init file.
+define FIREWALLD_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
+		$(TARGET_DIR)/etc/init.d/S46firewalld
+endef
+
+# Firewalld requires almost every single nftable option selected.
+define FIREWALLD_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
+endef
+
+$(eval $(autotools-package))
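Review bot: in the else branch of the BR2_PACKAGE_IPTABLES conditional the option is spelled "-without-iptables" with a single dash; every other switch in this file uses the "--without-..." form, so this should be "--without-iptables". Two further points in the same file: the commit message describes PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)" whereas the code hard-codes "python3", and "--without-ipset" is passed unconditionally although FIREWALLD_LINUX_CONFIG_FIXUPS enables the whole CONFIG_IP_SET_* family, so one of the two looks unnecessary. The fixups also turn on many conntrack helpers (FTP, SIP, H323, PPTP and others); please state which of them firewalld needs at startup, so the kernel does not carry more netfilter code than the firewall uses.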
-- 
2.40.0
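
A check for the failure mode the commit message above describes (an external kernel that lacks one of the required options), as an added example that is not part of the patch or of Buildroot: it reads the symbols out of a FIREWALLD_LINUX_CONFIG_FIXUPS-style block and reports the ones a given .config leaves unset. The function names, the .mk excerpt and the sample .config are constructed for illustration, and treating "=m" as satisfied is an assumption.

```shell
#!/bin/sh
# Added example: audit a kernel .config against the symbols that a
# FIREWALLD_LINUX_CONFIG_FIXUPS-style block passes to KCONFIG_ENABLE_OPT.

# Print every CONFIG_ symbol passed to KCONFIG_ENABLE_OPT in a .mk file.
fixup_opts() {
    sed -n 's/.*KCONFIG_ENABLE_OPT,\(CONFIG_[A-Za-z0-9_]*\)).*/\1/p' "$1"
}

# Print the state of one symbol in a .config: its value (y, m, ...), or n
# when the symbol is marked "is not set" or is absent from the file.
# index() is used instead of a regex so CONFIG_NFT_MASQ never matches
# CONFIG_NFT_MASQ_IPV4.
kconfig_state() {
    awk -v opt="$2" '
        index($0, opt "=") == 1 { state = substr($0, length(opt) + 2) }
        $0 == ("# " opt " is not set") { state = "n" }
        END { print (state == "" ? "n" : state) }
    ' "$1"
}

# Print "SYMBOL=state" for each required symbol that is neither built in
# nor modular. Assumption: =m is acceptable because the module can be
# loaded at runtime.
missing_opts() {
    mk=$1
    cfg=$2
    for opt in $(fixup_opts "$mk"); do
        state=$(kconfig_state "$cfg" "$opt")
        case "$state" in
            y|m) ;;
            *) printf '%s=%s\n' "$opt" "$state" ;;
        esac
    done
}

# Run the audit on constructed sample files.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed excerpt: five of the symbols listed in the patch.
    cat > "$tmp/firewalld.mk" <<'EOF'
define FIREWALLD_LINUX_CONFIG_FIXUPS
    $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
    $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
    $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
    $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
    $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
endef
EOF
    # Constructed .config of an external kernel: one symbol modular,
    # one explicitly disabled, one not present at all.
    cat > "$tmp/config" <<'EOF'
CONFIG_NF_CONNTRACK=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_CT=m
# CONFIG_NFT_MASQ is not set
CONFIG_NFT_MASQ_IPV4=y
EOF
    missing_opts "$tmp/firewalld.mk" "$tmp/config"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo
```

Against a real tree, call missing_opts with package/firewalld/firewalld.mk and the external kernel's .config; any line it prints names an option the commit message says firewalld will not start without.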


* Re: [Buildroot] [PATCH 3/3] package/firewalld: new package
  2023-04-12 22:26 ` [Buildroot] [PATCH 3/3] package/firewalld: new package Adam Duskett
@ 2023-04-13  9:29   ` Marcus Hoffmann via buildroot
  2023-04-19 22:26     ` Adam Duskett
  0 siblings, 1 reply; 12+ messages in thread
From: Marcus Hoffmann via buildroot @ 2023-04-13  9:29 UTC (permalink / raw)
  To: Adam Duskett, buildroot; +Cc: Thomas Petazzoni

Hi Adam,

thanks for submitting this! I tried to package firewalld a while back
but eventually gave up.

I'll try to test this soon.

Marcus

On 13.04.23 00:26, Adam Duskett wrote:
> Firewalld provides a dynamically managed firewall with
> support for network or firewall zones to define the trust level of network
> connections or interfaces.
>
> Items of note:
>
>   - Setting PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)" prevents
>     Firewalld from setting the shebang in the installed python files to the
>     full path to the python interpreter used when building.
>
>   - The bundled provided SYSV init file has several bashisms and requires
>     /etc/init.d/functions which buildroot doesn't provide. So instead, a more
>     simple init.d file is provided in the package directory, which does not
>     require bash.
>
>   - Firewalld >= 1.0.0 requires a linux kernel version of 5.3 or later.
>     Because Buildroot does not have a mechanism to detect what version a user
>     is compiling if the kernel is external, there is no way to prevent a user
>     with an external kernel older than 5.3 to select this package.
>
>   - To run, Firewalld requires enabling almost every single nftables option in
>     the kernel menuconfig. Indeed for a regular user, this task is quite a
>     time-consuming operation, and missing even one required nftables option
>     results in firewalld failing to start.
>
>     Through a mix of trial and error and talking to the upstream developers,
>     the package selects the minimum amount of kernel options required for
>     runtime. Understandably the list is daunting. However, these options
>     have passed run-time tests with kernel 5.3 (the minimum kernel version
>     required) and kernel 6.2.10 (the latest kernel version as of this commit
>     log.)
>
> As such, it is safe to say these options will work for anybody wanting to
> use firewalld with a supported kernel version of 4.18 or higher.
>
> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
>   package/Config.in                |   1 +
>   package/firewalld/Config.in      |  43 ++++++
>   package/firewalld/S46firewalld   |  66 ++++++++
>   package/firewalld/firewalld.hash |   3 +
>   package/firewalld/firewalld.mk   | 257 +++++++++++++++++++++++++++++++
>   5 files changed, 370 insertions(+)
>   create mode 100644 package/firewalld/Config.in
>   create mode 100644 package/firewalld/S46firewalld
>   create mode 100644 package/firewalld/firewalld.hash
>   create mode 100644 package/firewalld/firewalld.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index 760dda6ac1..78f3fca6ed 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2311,6 +2311,7 @@ endif
>       source "package/fail2ban/Config.in"
>       source "package/fastd/Config.in"
>       source "package/fcgiwrap/Config.in"
> +     source "package/firewalld/Config.in"
>       source "package/flannel/Config.in"
>       source "package/fmc/Config.in"
>       source "package/fping/Config.in"
> diff --git a/package/firewalld/Config.in b/package/firewalld/Config.in
> new file mode 100644
> index 0000000000..2265fe9dd4
> --- /dev/null
> +++ b/package/firewalld/Config.in
> @@ -0,0 +1,43 @@
> +config BR2_PACKAGE_FIREWALLD
> +     bool "firewalld"
> +     depends on BR2_USE_MMU # gobject-introspection, python-gobject
> +     depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
> +     depends on BR2_USE_WCHAR # glib2, dbus-python, nftables
> +     depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # gobject-introspection
> +     depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-python
> +     depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
> +     depends on BR2_TOOLCHAIN_USES_GLIBC # gobject-introspection
> +     depends on BR2_HOST_GCC_AT_LEAST_8 # gobject-introspection -> host-qemu
> +     depends on BR2_PACKAGE_PYTHON3 # dbus-python, gobject-introspection
> +     select BR2_PACKAGE_DBUS # dbus-python
> +     select BR2_PACKAGE_DBUS_PYTHON
> +     select BR2_PACKAGE_GOBJECT_INTROSPECTION
> +     select BR2_PACKAGE_JANSSON # Uses the nftables json interface
> +     select BR2_PACKAGE_NFTABLES
> +     select BR2_PACKAGE_PYTHON_GOBJECT
> +     help
> +       Firewalld provides a dynamically managed firewall with
> +       support for network or firewall zones to define the trust
> +       level of network connections or interfaces. It has support
> +       for IPv4, IPv6 firewall settings and for ethernet bridges and
> +       a separation of runtime and permanent configuration options.
> +       It also provides an interface for services or applications to
> +       add ip*tables and ebtables rules directly.
> +
> +       Note: Firewalld uses nftables as the backend as requires
> +       kernel version >= 4.18.

The double *as* seems like a typo here somehow? Or at least I can't
quite parse this sentence as it stands.

> +
> +       https://github.com/firewalld/firewalld
> +
> +comment "firewalld needs python3"
> +     depends on !BR2_PACKAGE_PYTHON3
> +     depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
> +
> +comment "firewalld needs a glibc toolchain w/ wchar, dynamic library, headers >= 3.12, gcc >= 4.9, host gcc >= 8"
> +     depends on BR2_USE_MMU
> +     depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
> +     depends on !BR2_TOOLCHAIN_USES_GLIBC || \
> +             !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \
> +             !BR2_USE_WCHAR || BR2_STATIC_LIBS || \
> +             !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
> +             !BR2_HOST_GCC_AT_LEAST_8
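Review bot: the minimum kernel version is stated three different ways. This hunk has "depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12" with no trailing comment naming what needs it and a help text that says "kernel version >= 4.18", while the commit message gives 5.3 for Firewalld >= 1.0.0. Settle on one figure for the runtime requirement, use it in both the help text and the commit message, and annotate the headers line the way the neighbouring depends lines are annotated.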
> diff --git a/package/firewalld/S46firewalld b/package/firewalld/S46firewalld
> new file mode 100644
> index 0000000000..40f43e1f57
> --- /dev/null
> +++ b/package/firewalld/S46firewalld
> @@ -0,0 +1,66 @@
> +#!/bin/sh
> +
> +DAEMON=firewalld
> +PIDFILE=/var/run/$DAEMON.pid
> +
> +start() {
> +     printf "Starting firewalld: "
> +     start-stop-daemon -S -q --exec $DAEMON
> +     status=$?
> +     if [ "$status" -eq 0 ]; then
> +             echo "OK"
> +     else
> +             echo "FAIL"
> +     fi
> +}
> +stop() {
> +     printf "Stopping firewalld: "
> +     start-stop-daemon --stop --quiet --pidfile $PIDFILE
> +     status=$?
> +     if [ "$status" -eq 0 ]; then
> +             echo "OK"
> +     else
> +             echo "FAIL"
> +     fi
> +}
> +
> +reload(){
> +     printf "Reloading firewalld: "
> +     firewall-cmd --reload
> +     status=$?
> +     if [ "$status" -eq 0 ]; then
> +             echo "OK"
> +     else
> +             echo "FAIL"
> +     fi
> +}
> +
> +restart() {
> +     stop
> +     start
> +}
> +
> +status(){
> +     firewall-cmd --state
> +}
> +
> +case "$1" in
> +             start)
> +                     start
> +                     ;;
> +             stop)
> +                     stop
> +                     ;;
> +             restart)
> +                     restart
> +                     ;;
> +             reload)
> +                     reload
> +                     ;;
> +             status)
> +                     status
> +                     ;;
> +             *)
> +                     echo "Usage: $0 {start|stop|restart|reload|status}"
> +                     exit 1
> +esac
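Review bot: start() runs "start-stop-daemon -S -q --exec $DAEMON" without a --pidfile, while stop() signals whatever PID is recorded in $PIDFILE, so the two paths do not identify the daemon the same way. Pass '--pidfile "$PIDFILE"' in start() as well and quote both variables. DAEMON is also a bare name, which makes --exec depend on PATH at boot; the absolute installed path would be more robust.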
> diff --git a/package/firewalld/firewalld.hash b/package/firewalld/firewalld.hash
> new file mode 100644
> index 0000000000..462bff5b42
> --- /dev/null
> +++ b/package/firewalld/firewalld.hash
> @@ -0,0 +1,3 @@
> +# Locally computed
> +sha256  bf26db8937305f1641798f9bf71545fec9c0241c4b2a512a6a93225e0b2cd310  firewalld-1.3.0.tar.gz
> +sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
> diff --git a/package/firewalld/firewalld.mk b/package/firewalld/firewalld.mk
> new file mode 100644
> index 0000000000..efb0686720
> --- /dev/null
> +++ b/package/firewalld/firewalld.mk
> @@ -0,0 +1,257 @@
> +################################################################################
> +#
> +# firewalld
> +#
> +################################################################################
> +
> +FIREWALLD_VERSION = 1.3.0
> +FIREWALLD_SITE = $(call github,firewalld,firewalld,v$(FIREWALLD_VERSION))
> +FIREWALLD_LICENSE = GPL-2.0
> +FIREWALLD_LICENSE_FILES = COPYING
> +FIREWALLD_AUTORECONF = YES
> +
> +FIREWALLD_DEPENDENCIES = \
> +     host-intltool \
> +     host-libglib2 \
> +     host-libxml2 \
> +     host-libxslt \
> +     dbus-python \
> +     gobject-introspection \
> +     jansson \
> +     nftables \
> +     python3 \
> +     python-gobject
> +
> +# Firewalld hard codes the python shebangs to the full path of the
> +# python-interpreter. IE: #!/home/buildroot/output/host/bin/python.
> +# Force the proper python path.
> +FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"
> +
> +# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
> +# the Red Hat-specific init script which isn't used, so we set
> +# --disable-sysconfig.
> +FIREWALLD_CONF_OPTS += \
> +     --disable-rpmmacros \
> +     --disable-sysconfig \
> +     --with-nft=/usr/sbin/nft \
> +     --without-ebtables \
> +     --without-ebtables-restore \
> +     --without-ipset \
> +     --without-xml-catalog
> +
> +ifeq ($(BR2_PACKAGE_IPTABLES),y)
> +FIREWALLD_DEPENDENCIES += iptables
> +FIREWALLD_CONF_OPTS += \
> +     --with-ip6tables-restore=/usr/sbin/ip6tables-restore \
> +     --with-ip6tables=/usr/sbin/ip6tables \
> +     --with-iptables-restore=/usr/sbin/iptables-restore \
> +     --with-iptables=/usr/sbin/iptables
> +else
> +FIREWALLD_CONF_OPTS += -without-iptables
> +endif
> +
> +ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
> +FIREWALLD_CONF_OPTS += --enable-nls
> +endif
> +
> +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> +FIREWALLD_DEPENDENCIES += systemd
> +FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
> +else
> +FIREWALLD_CONF_OPTS += --disable-systemd
> +endif
> +
> +define FIREWALLD_INSTALL_INIT_SYSTEMD
> +     $(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
> +             $(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
> +endef
> +
> +# The bundled sysvinit file requires /etc/init.d/functions which is not
> +# provided by buildroot. As such, we provide our own firewalld init file.
> +define FIREWALLD_INSTALL_INIT_SYSV
> +     $(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
> +             $(TARGET_DIR)/etc/init.d/S46firewalld
> +endef
> +
> +# Firewalld requires almost every single nftable option selected.
> +define FIREWALLD_LINUX_CONFIG_FIXUPS
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
> +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
> +endef
> +
> +$(eval $(autotools-package))
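
Review bot: the comment above FIREWALLD_LINUX_CONFIG_FIXUPS says nftables, but the list also force-enables the CONFIG_IP_NF_* and CONFIG_IP6_NF_* iptables options regardless of BR2_PACKAGE_IPTABLES, the whole CONFIG_IP_SET_* family although configure is given `--without-ipset`, and a long row of conntrack and NAT helpers (AMANDA, H323, IRC, SANE, SNMP and so on). Every one of those is extra kernel code on a target whose job is filtering, so please enable the iptables and ipset options only when the matching package is selected and note why each helper is required. In the `else` branch of the BR2_PACKAGE_IPTABLES block, `-without-iptables` is spelled with a single dash, unlike every other entry in FIREWALLD_CONF_OPTS; use `--without-iptables` for consistency.
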

* Re: [Buildroot] [PATCH 3/3] package/firewalld: new package
  2023-04-13  9:29   ` Marcus Hoffmann via buildroot
@ 2023-04-19 22:26     ` Adam Duskett
  0 siblings, 0 replies; 12+ messages in thread
From: Adam Duskett @ 2023-04-19 22:26 UTC (permalink / raw)
  To: Marcus Hoffmann; +Cc: Thomas Petazzoni, buildroot



Hello Marcus! Thanks for testing!

On Thu, Apr 13, 2023 at 2:29 AM Marcus Hoffmann <marcus.hoffmann@othermo.de> wrote:

> Hi Adam,
>
> thanks for submitting this! I tried to package firewalld a while back
> but eventually gave up.
>
> I'll try to test this soon.
>
> Marcus
>
> On 13.04.23 00:26, Adam Duskett wrote:
> > Firewalld provides a dynamically managed firewall with
> > support for network or firewall zones to define the trust level of network
> > connections or interfaces.
> >
> > Items of note:
> >
> >   - Setting PYTHON="/usr/bin/env python$(PYTHON3_VERSION_MAJOR)" prevents
> >     Firewalld from setting the shebang in the installed python files to the
> >     full path to the python interpreter used when building.
> >
> >   - The bundled provided SYSV init file has several bashisms and requires
> >     /etc/init.d/functions which buildroot doesn't provide. So instead, a more
> >     simple init.d file is provided in the package directory, which does not
> >     require bash.
> >
> >   - Firewalld >= 1.0.0 requires a linux kernel version of 5.3 or later.
> >     Because Buildroot does not have a mechanism to detect what version a user
> >     is compiling if the kernel is external, there is no way to prevent a user
> >     with an external kernel older than 5.3 to select this package.
> >
> >   - To run, Firewalld requires enabling almost every single nftables option in
> >     the kernel menuconfig. Indeed for a regular user, this task is quite a
> >     time-consuming operation, and missing even one required nftables option
> >     results in firewalld failing to start.
> >
> >     Through a mix of trial and error and talking to the upstream developers,
> >     the package selects the minimum amount of kernel options required for
> >     runtime. Understandably the list is daunting. However, these options
> >     have passed run-time tests with kernel 5.3 (the minimum kernel version
> >     required) and kernel 6.2.10 (the latest kernel version as of this commit
> >     log.)
> >
> > As such, it is safe to say these options will work for anybody wanting to
> > use firewalld with a supported kernel version of 4.18 or higher.
> >
> > Signed-off-by: Adam Duskett <aduskett@gmail.com>
> > ---
> >   package/Config.in                |   1 +
> >   package/firewalld/Config.in      |  43 ++++++
> >   package/firewalld/S46firewalld   |  66 ++++++++
> >   package/firewalld/firewalld.hash |   3 +
> >   package/firewalld/firewalld.mk   | 257 +++++++++++++++++++++++++++++++
> >   5 files changed, 370 insertions(+)
> >   create mode 100644 package/firewalld/Config.in
> >   create mode 100644 package/firewalld/S46firewalld
> >   create mode 100644 package/firewalld/firewalld.hash
> >   create mode 100644 package/firewalld/firewalld.mk
> >
> > diff --git a/package/Config.in b/package/Config.in
> > index 760dda6ac1..78f3fca6ed 100644
> > --- a/package/Config.in
> > +++ b/package/Config.in
> > @@ -2311,6 +2311,7 @@ endif
> >       source "package/fail2ban/Config.in"
> >       source "package/fastd/Config.in"
> >       source "package/fcgiwrap/Config.in"
> > +     source "package/firewalld/Config.in"
> >       source "package/flannel/Config.in"
> >       source "package/fmc/Config.in"
> >       source "package/fping/Config.in"
> > diff --git a/package/firewalld/Config.in b/package/firewalld/Config.in
> > new file mode 100644
> > index 0000000000..2265fe9dd4
> > --- /dev/null
> > +++ b/package/firewalld/Config.in
> > @@ -0,0 +1,43 @@
> > +config BR2_PACKAGE_FIREWALLD
> > +     bool "firewalld"
> > +     depends on BR2_USE_MMU # gobject-introspection, python-gobject
> > +     depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
> > +     depends on BR2_USE_WCHAR # glib2, dbus-python, nftables
> > +     depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # gobject-introspection
> > +     depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-python
> > +     depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
> > +     depends on BR2_TOOLCHAIN_USES_GLIBC # gobject-introspection
> > +     depends on BR2_HOST_GCC_AT_LEAST_8 # gobject-introspection ->
> host-qemu
> > +     depends on BR2_PACKAGE_PYTHON3 # dbus-python, gobject-introspection
> > +     select BR2_PACKAGE_DBUS # dbus-python
> > +     select BR2_PACKAGE_DBUS_PYTHON
> > +     select BR2_PACKAGE_GOBJECT_INTROSPECTION
> > +     select BR2_PACKAGE_JANSSON # Uses the nftables json interface
> > +     select BR2_PACKAGE_NFTABLES
> > +     select BR2_PACKAGE_PYTHON_GOBJECT
> > +     help
> > +       Firewalld provides a dynamically managed firewall with
> > +       support for network or firewall zones to define the trust
> > +       level of network connections or interfaces. It has support
> > +       for IPv4, IPv6 firewall settings and for ethernet bridges and
> > +       a separation of runtime and permanent configuration options.
> > +       It also provides an interface for services or applications to
> > +       add ip*tables and ebtables rules directly.
> > +
> > +       Note: Firewalld uses nftables as the backend as requires
> > +       kernel version >= 4.18.
>
> The double *as* seems like a typo here somehow? Or at least I can't
> quite parse this sentence as it stands.
>

Yes, this was a mistake. Including the 4.18. It was taken from a previous
patch set of mine from over two years ago!
It should read:
 Note: Firewalld uses nftables as the backend and requires kernel version >= 5.3

>
> > +
> > +       https://github.com/firewalld/firewalld
> > +
> > +comment "firewalld needs python3"
> > +     depends on !BR2_PACKAGE_PYTHON3
> > +     depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
> > +
> > +comment "firewalld needs a glibc toolchain w/ wchar, dynamic library,
> headers >= 3.12, gcc >= 4.9, host gcc >= 8"
> > +     depends on BR2_USE_MMU
> > +     depends on BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
> > +     depends on !BR2_TOOLCHAIN_USES_GLIBC || \
> > +             !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \
> > +             !BR2_USE_WCHAR || BR2_STATIC_LIBS || \
> > +             !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
> > +             !BR2_HOST_GCC_AT_LEAST_8
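
Review bot: the second comment block does not mirror the dependencies of BR2_PACKAGE_FIREWALLD: it says "dynamic library" and tests `BR2_STATIC_LIBS`, but the option itself has no `depends on !BR2_STATIC_LIBS`, and `BR2_TOOLCHAIN_HAS_THREADS` is a dependency that the comment neither names nor tests. Add the missing `depends on` line and the `!BR2_TOOLCHAIN_HAS_THREADS` term so that the comment is shown exactly when the option is hidden. `BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12` is also the only toolchain dependency without a trailing comment naming the package that needs it.
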
> > diff --git a/package/firewalld/S46firewalld
> b/package/firewalld/S46firewalld
> > new file mode 100644
> > index 0000000000..40f43e1f57
> > --- /dev/null
> > +++ b/package/firewalld/S46firewalld
> > @@ -0,0 +1,66 @@
> > +#!/bin/sh
> > +
> > +DAEMON=firewalld
> > +PIDFILE=/var/run/$DAEMON.pid
> > +
> > +start() {
> > +     printf "Starting firewalld: "
> > +     start-stop-daemon -S -q --exec $DAEMON
> > +     status=$?
> > +     if [ "$status" -eq 0 ]; then
> > +             echo "OK"
> > +     else
> > +             echo "FAIL"
> > +     fi
> > +}
> > +stop() {
> > +     printf "Stopping firewalld: "
> > +     start-stop-daemon --stop --quiet --pidfile $PIDFILE
> > +     status=$?
> > +     if [ "$status" -eq 0 ]; then
> > +             echo "OK"
> > +     else
> > +             echo "FAIL"
> > +     fi
> > +}
> > +
> > +reload(){
> > +     printf "Reloading firewalld: "
> > +     firewall-cmd --reload
> > +     status=$?
> > +     if [ "$status" -eq 0 ]; then
> > +             echo "OK"
> > +     else
> > +             echo "FAIL"
> > +     fi
> > +}
> > +
> > +restart() {
> > +     stop
> > +     start
> > +}
> > +
> > +status(){
> > +     firewall-cmd --state
> > +}
> > +
> > +case "$1" in
> > +             start)
> > +                     start
> > +                     ;;
> > +             stop)
> > +                     stop
> > +                     ;;
> > +             restart)
> > +                     restart
> > +                     ;;
> > +             reload)
> > +                     reload
> > +                     ;;
> > +             status)
> > +                     status
> > +                     ;;
> > +             *)
> > +                     echo "Usage: $0 {start|stop|restart|reload|status}"
> > +                     exit 1
> > +esac
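
Review bot: start() launches the daemon with `--exec $DAEMON`, where DAEMON is the bare name `firewalld` rather than an absolute path, and it passes no pidfile, while stop() identifies the process only through `/var/run/$DAEMON.pid`. stop() therefore works only if firewalld itself writes that file; say so in a comment, or pass the same `--pidfile` in start() so both sides agree on how the process is identified. Set DAEMON to the installed absolute path and quote `"$DAEMON"` and `"$PIDFILE"` where they are expanded.
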
> > diff --git a/package/firewalld/firewalld.hash
> b/package/firewalld/firewalld.hash
> > new file mode 100644
> > index 0000000000..462bff5b42
> > --- /dev/null
> > +++ b/package/firewalld/firewalld.hash
> > @@ -0,0 +1,3 @@
> > +# Locally computed
> > +sha256
> bf26db8937305f1641798f9bf71545fec9c0241c4b2a512a6a93225e0b2cd310
> firewalld-1.3.0.tar.gz
> > +sha256
> 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
> > diff --git a/package/firewalld/firewalld.mk b/package/firewalld/
> firewalld.mk
> > new file mode 100644
> > index 0000000000..efb0686720
> > --- /dev/null
> > +++ b/package/firewalld/firewalld.mk
> > @@ -0,0 +1,257 @@
> >
> +################################################################################
> > +#
> > +# firewalld
> > +#
> >
> +################################################################################
> > +
> > +FIREWALLD_VERSION = 1.3.0
> > +FIREWALLD_SITE = $(call
> github,firewalld,firewalld,v$(FIREWALLD_VERSION))
> > +FIREWALLD_LICENSE = GPL-2.0
> > +FIREWALLD_LICENSE_FILES = COPYING
> > +FIREWALLD_AUTORECONF = YES
> > +
> > +FIREWALLD_DEPENDENCIES = \
> > +     host-intltool \
> > +     host-libglib2 \
> > +     host-libxml2 \
> > +     host-libxslt \
> > +     dbus-python \
> > +     gobject-introspection \
> > +     jansson \
> > +     nftables \
> > +     python3 \
> > +     python-gobject
> > +
> > +# Firewalld hard codes the python shebangs to the full path of the
> > +# python-interpreter. IE: #!/home/buildroot/output/host/bin/python.
> > +# Force the proper python path.
> > +FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"
> > +
> > +# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
> > +# the Red Hat-specific init script which isn't used, so we set
> > +# --disable-sysconfig.
> > +FIREWALLD_CONF_OPTS += \
> > +     --disable-rpmmacros \
> > +     --disable-sysconfig \
> > +     --with-nft=/usr/sbin/nft \
> > +     --without-ebtables \
> > +     --without-ebtables-restore \
> > +     --without-ipset \
> > +     --without-xml-catalog
> > +
> > +ifeq ($(BR2_PACKAGE_IPTABLES),y)
> > +FIREWALLD_DEPENDENCIES += iptables
> > +FIREWALLD_CONF_OPTS += \
> > +     --with-ip6tables-restore=/usr/sbin/ip6tables-restore \
> > +     --with-ip6tables=/usr/sbin/ip6tables \
> > +     --with-iptables-restore=/usr/sbin/iptables-restore \
> > +     --with-iptables=/usr/sbin/iptables
> > +else
> > +FIREWALLD_CONF_OPTS += -without-iptables
> > +endif
> > +
> > +ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
> > +FIREWALLD_CONF_OPTS += --enable-nls
> > +endif
> > +
> > +ifeq ($(BR2_PACKAGE_SYSTEMD),y)
> > +FIREWALLD_DEPENDENCIES += systemd
> > +FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
> > +else
> > +FIREWALLD_CONF_OPTS += --disable-systemd
> > +endif
> > +
> > +define FIREWALLD_INSTALL_INIT_SYSTEMD
> > +     $(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
> > +             $(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
> > +endef
> > +
> > +# The bundled sysvinit file requires /etc/init.d/functions which is not
> > +# provided by buildroot. As such, we provide our own firewalld init
> file.
> > +define FIREWALLD_INSTALL_INIT_SYSV
> > +     $(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
> > +             $(TARGET_DIR)/etc/init.d/S46firewalld
> > +endef
> > +
> > +# Firewalld requires almost every single nftable option selected.
> > +define FIREWALLD_LINUX_CONFIG_FIXUPS
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
> > +     $(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
> > +endef
> > +
> > +$(eval $(autotools-package))
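Review bot: The run of `KCONFIG_ENABLE_OPT` calls that ends at `endef` force-enables a very broad set of optional netfilter features in the target kernel, with no comment saying which of them firewalld actually needs. Examples are the NAT helpers (`CONFIG_NF_NAT_AMANDA`, `CONFIG_NF_NAT_H323`, `CONFIG_NF_NAT_SNMP_BASIC`) and the extra protocol trackers (`CONFIG_NF_CT_PROTO_DCCP`, `CONFIG_NF_CT_PROTO_SCTP`, `CONFIG_NF_CT_PROTO_UDPLITE`). Every one of these adds kernel code that parses untrusted network traffic and grows the image, so I would cut the list down to the options the daemon requires to start and apply a basic ruleset, and leave the rest to the user's kernel configuration. For whatever stays, a short comment per group (conntrack, NAT, nf_tables expressions) stating why it is needed would make the list reviewable and easier to maintain when kernel symbols change.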

* Re: [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5
  2023-04-12 22:26 [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5 Adam Duskett
  2023-04-12 22:26 ` [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7 Adam Duskett
  2023-04-12 22:26 ` [Buildroot] [PATCH 3/3] package/firewalld: new package Adam Duskett
@ 2023-05-12 19:17 ` Peter Korsgaard
  2023-05-13 20:13   ` Yann E. MORIN
  2023-06-13 12:53 ` Peter Korsgaard
  3 siblings, 1 reply; 12+ messages in thread
From: Peter Korsgaard @ 2023-05-12 19:17 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Thomas Petazzoni, buildroot

>>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:

 > Also: Switch to tar.xz as the package is not distributed as a .bz2 any longer.
 > Signed-off-by: Adam Duskett <aduskett@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7
  2023-04-12 22:26 ` [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7 Adam Duskett
@ 2023-05-12 19:18   ` Peter Korsgaard
  2023-05-13 20:12     ` Yann E. MORIN
  2023-06-13 12:53   ` Peter Korsgaard
  1 sibling, 1 reply; 12+ messages in thread
From: Peter Korsgaard @ 2023-05-12 19:18 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Thomas Petazzoni, buildroot

>>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:

 > Other changes:
 >   - Switch to tar.xz as the package is not distributed as a .bz2 any longer.
 >   - Update the sha256sum of the license file, as it has been updated to
 >     include the following text:
 >     "Original author of nftables distributed the code under the terms of the
 >      GPL version 2 *only*. New code though is moving to GPL version 2 or any
 >      later which is the preferred license for this project these days."
 >     The author has also changed from Patrick McHardy <kaber@trash.net> to
 >     Pablo Neira Ayuso <pablo@netfilter.org>

But the combination is presumably still GPL-v2-only for now?

 > Signed-off-by: Adam Duskett <aduskett@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7
  2023-05-12 19:18   ` Peter Korsgaard
@ 2023-05-13 20:12     ` Yann E. MORIN
  2023-05-14 18:42       ` Peter Korsgaard
  0 siblings, 1 reply; 12+ messages in thread
From: Yann E. MORIN @ 2023-05-13 20:12 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: Thomas Petazzoni, Adam Duskett, buildroot

Peter, All,

On 2023-05-12 21:18 +0200, Peter Korsgaard spake thusly:
> >>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:
>  > Other changes:
>  >   - Switch to tar.xz as the package is not distributed as a .bz2 any longer.
>  >   - Update the sha256sum of the license file, as it has been updated to
>  >     include the following text:
>  >     "Original author of nftables distributed the code under the terms of the
>  >      GPL version 2 *only*. New code though is moving to GPL version 2 or any
>  >      later which is the preferred license for this project these days."
>  >     The author has also changed from Patrick McHardy <kaber@trash.net> to
>  >     Pablo Neira Ayuso <pablo@netfilter.org>
> But the combination is presumably still GPL-v2-only for now?

I would believe so, yes.

>  > Signed-off-by: Adam Duskett <aduskett@gmail.com>
> Committed, thanks.

Since you did not push, I did. ;-)

Applied to master, thanks.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5
  2023-05-12 19:17 ` [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5 Peter Korsgaard
@ 2023-05-13 20:13   ` Yann E. MORIN
  0 siblings, 0 replies; 12+ messages in thread
From: Yann E. MORIN @ 2023-05-13 20:13 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: Thomas Petazzoni, Adam Duskett, buildroot

Adam, All,

On 2023-05-12 21:17 +0200, Peter Korsgaard spake thusly:
> >>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:
>  > Also: Switch to tar.xz as the package is not distributed as a .bz2 any longer.
>  > Signed-off-by: Adam Duskett <aduskett@gmail.com>
> Committed, thanks.

To affirm Peter's action: applied to master, thanks. ;-)

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7
  2023-05-13 20:12     ` Yann E. MORIN
@ 2023-05-14 18:42       ` Peter Korsgaard
  0 siblings, 0 replies; 12+ messages in thread
From: Peter Korsgaard @ 2023-05-14 18:42 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: Thomas Petazzoni, Adam Duskett, buildroot

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > Peter, All,
 > On 2023-05-12 21:18 +0200, Peter Korsgaard spake thusly:
 >> >>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:
 >> > Other changes:
 >> >   - Switch to tar.xz as the package is not distributed as a .bz2 any longer.
 >> >   - Update the sha256sum of the license file, as it has been updated to
 >> >     include the following text:
 >> >     "Original author of nftables distributed the code under the terms of the
 >> >      GPL version 2 *only*. New code though is moving to GPL version 2 or any
 >> >      later which is the preferred license for this project these days."
 >> >     The author has also changed from Patrick McHardy <kaber@trash.net> to
 >> >     Pablo Neira Ayuso <pablo@netfilter.org>
 >> But the combination is presumably still GPL-v2-only for now?

 > I would believe so, yes.

 >> > Signed-off-by: Adam Duskett <aduskett@gmail.com>
 >> Committed, thanks.

 > Since you did not push, I did. ;-)

Ups, indeed - Thanks!

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5
  2023-04-12 22:26 [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5 Adam Duskett
                   ` (2 preceding siblings ...)
  2023-05-12 19:17 ` [Buildroot] [PATCH 1/3] package/libnftnl: bump to version 1.2.5 Peter Korsgaard
@ 2023-06-13 12:53 ` Peter Korsgaard
  3 siblings, 0 replies; 12+ messages in thread
From: Peter Korsgaard @ 2023-06-13 12:53 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Thomas Petazzoni, buildroot

>>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:

 > Also: Switch to tar.xz as the package is not distributed as a .bz2 any longer.
 > Signed-off-by: Adam Duskett <aduskett@gmail.com>

Committed to 2023.02.x, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7
  2023-04-12 22:26 ` [Buildroot] [PATCH 2/3] package/nftables: bump to version 1.0.7 Adam Duskett
  2023-05-12 19:18   ` Peter Korsgaard
@ 2023-06-13 12:53   ` Peter Korsgaard
  1 sibling, 0 replies; 12+ messages in thread
From: Peter Korsgaard @ 2023-06-13 12:53 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Thomas Petazzoni, buildroot

>>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:

 > Other changes:
 >   - Switch to tar.xz as the package is not distributed as a .bz2 any longer.
 >   - Update the sha256sum of the license file, as it has been updated to
 >     include the following text:
 >     "Original author of nftables distributed the code under the terms of the
 >      GPL version 2 *only*. New code though is moving to GPL version 2 or any
 >      later which is the preferred license for this project these days."
 >     The author has also changed from Patrick McHardy <kaber@trash.net> to
 >     Pablo Neira Ayuso <pablo@netfilter.org>

 > Signed-off-by: Adam Duskett <aduskett@gmail.com>

Committed to 2023.02.x, thanks.

-- 
Bye, Peter Korsgaard