SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
HOMEPAGE = "https://firewalld.org/"
BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"

# Upstream release tarball, fetched over HTTPS and pinned by the sha256sum
# below. Bump the checksum together with PV; the local files are the
# sysvinit script and the ptest driver this recipe installs itself.
SRC_URI = "\
    https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.bz2 \
    file://firewalld.init \
    file://run-ptest \
"
SRC_URI[sha256sum] = "aba0d8ce9617b906ea4866bf0bdfb2c2d5312f53b8e9e8e9e4d49bf330da5b5e"

# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
DEPENDS = "intltool-native glib-2.0-native nftables"

inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest features_check

# features_check skips the recipe entirely when this feature is absent.
REQUIRED_DISTRO_FEATURES = "gobject-introspection-data"

# Only the systemd option follows DISTRO_FEATURES automatically. ipset and
# ebtables are off by default; the ptest suite expects both to be enabled
# (see the ptest notes further down), and each one adds its tool to RDEPENDS.
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset"
PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables"

# Default log target handed to ./configure (DEFAULT_LOG_TARGET, exported in
# do_configure:prepend). Accepted values: mixed, syslog, file, console.
# "mixed" and "file" write a log file on the target, which is why those two
# values pull in the log-rotate package via RRECOMMENDS. Override from a
# distro or local configuration with FIREWALLD_DEFAULT_LOG_TARGET.
FIREWALLD_DEFAULT_LOG_TARGET ??= "syslog"

# The UIs are not yet tested and the dependencies are probably not quite correct yet.
# Splitting into separate packages is beneficial so that no dead code is transferred
# to the target device.
# Without enabling qt5, the firewalld-config package is not usable.
# Without enabling qt5 and gtk, the firewalld-applet package is not usable.
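# The UI options carry no configure flags; they only switch the runtime
# dependencies of the -config and -applet packages below.
PACKAGECONFIG[qt5] = ""
PACKAGECONFIG[gtk] = ""

PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion ${PN}-log-rotate"

# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
# when the nftables backend is available, because nftables supersedes all of them.
# However we still need iptables and ip6tables to be available otherwise any
# application relying on "direct passthrough" rules (such as docker) will break.
# The tool paths are baked in at configure time, so they must match where the
# iptables package installs its binaries on the target (${sbindir}).
# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
# the Red Hat-specific init script which we aren't using, so we disable that.
EXTRA_OECONF = "\
    --with-iptables=${sbindir}/iptables \
    --with-iptables-restore=${sbindir}/iptables-restore \
    --with-ip6tables=${sbindir}/ip6tables \
    --with-ip6tables-restore=${sbindir}/ip6tables-restore \
    --disable-sysconfig \
"

INITSCRIPT_NAME = "firewalld"
SYSTEMD_SERVICE:${PN} = "firewalld.service"

# Kernel modules the firewall backends need (linux-yocto 5.15). The list is
# substituted into run-ptest at @@FIREWALLD_KERNEL_MODULES@@ and also turned
# into kernel-module-* RRECOMMENDS for the daemon package further down, so
# extend it here when a kernel provides additional matches/targets.
FIREWALLD_KERNEL_MODULES ?= "\
    xt_tcpudp \
    xt_TCPMSS \
    xt_set \
    xt_sctp \
    xt_REDIRECT \
    xt_pkttype \
    xt_NFLOG \
    xt_nat \
    xt_MASQUERADE \
    xt_mark \
    xt_mac \
    xt_LOG \
    xt_limit \
    xt_dccp \
    xt_CT \
    xt_conntrack \
    xt_CHECKSUM \
    nft_redir \
    nft_objref \
    nft_nat \
    nft_masq \
    nft_log \
    nfnetlink_log \
    nf_nat_tftp \
    nf_nat_sip \
    nf_nat_ftp \
    nf_log_syslog \
    nf_conntrack_tftp \
    nf_conntrack_sip \
    nf_conntrack_netbios_ns \
    nf_conntrack_ftp \
    nf_conntrack_broadcast \
    ipt_REJECT \
    ip6t_rpfilter \
    ip6t_REJECT \
    ip_set_hash_netport \
    ip_set_hash_netnet \
    ip_set_hash_netiface \
    ip_set_hash_net \
    ip_set_hash_mac \
    ip_set_hash_ipportnet \
    ip_set_hash_ipport \
    ip_set_hash_ipmark \
    ip_set_hash_ip \
    ebt_ip6 \
    nft_fib_inet \
    nft_fib_ipv4 \
    nft_fib_ipv6 \
    nft_fib \
    nft_reject_inet \
    nf_reject_ipv4 \
    nf_reject_ipv6 \
    nft_reject \
    nft_ct \
    nft_chain_nat \
    ebtable_nat \
    ebtable_broute \
    ip6table_nat \
    ip6table_mangle \
    ip6table_raw \
    ip6table_security \
    iptable_nat \
    nf_nat \
    nf_conntrack \
    nf_defrag_ipv6 \
    nf_defrag_ipv4 \
    iptable_mangle \
    iptable_raw \
    iptable_security \
    ip_set \
    ebtable_filter \
    ebtables \
    ip6table_filter \
    ip6_tables \
    iptable_filter \
    ip_tables \
    x_tables \
    sch_fq_codel \
"

# ./configure reads DEFAULT_LOG_TARGET from the environment; this is how the
# recipe-level FIREWALLD_DEFAULT_LOG_TARGET reaches the build.
do_configure:prepend() {
    export DEFAULT_LOG_TARGET=${FIREWALLD_DEFAULT_LOG_TARGET}
}

# Post-install fixups: swap the upstream sysvinit script for ours on non-systemd
# images, drop polkit profiles when polkit is unavailable, rewrite the native
# python interpreter path baked in by ./configure, and remove Red Hat-specific
# modprobe configuration.
do_install:append() {
    # The bb.utils.contains() expression expands to the shell builtin
    # `true` when systemd is NOT in DISTRO_FEATURES.
    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
        # firewalld ships an init script but it contains Red Hat-isms, replace it with our own
        rm -rf ${D}${sysconfdir}/rc.d/
        install -d ${D}${sysconfdir}/init.d
        install -m0755 ${WORKDIR}/firewalld.init ${D}${sysconfdir}/init.d/firewalld
    fi

    if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then
        # Delete polkit profiles if polkit is not available.
        # NOTE(review): without the polkit action definitions, access to the
        # daemon's D-Bus interfaces is governed only by the D-Bus policy shipped
        # in ${datadir}/dbus-1 — confirm that policy still restricts the
        # configuration interfaces to root on images built this way.
        rm -rf ${D}${datadir}/polkit-1
    fi

    # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
    # so now we need to fix up any references to point at the proper path in the image.
    # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
    # Variables are expanded by bitbake before the shell runs; quoting keeps the
    # test and the sed expressions intact if an expansion is empty or has spaces.
    if [ "${PN}" != "${BPN}-native" ]; then
        sed -i -e "s:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g" \
            ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
    fi
    sed -i -e "s:${STAGING_BINDIR_NATIVE}:${bindir}:g" \
        ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml

    # This file contains Red Hat-isms. Modules get loaded without it.
    # NOTE(review): check upstream's copy of this file before relying on its
    # removal — if it carries module options or post-load hooks the image
    # wants, provide an equivalent in modprobe.d/sysctl.d.
    rm -f ${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf
}

# Inject the kernel module list into the installed ptest driver so the
# harness can load the modules the test suite depends on.
do_install_ptest:append() {
    # Quoted: an empty PTEST_ENABLED would otherwise make `[` fail with a
    # syntax error instead of evaluating to false.
    if [ "${PTEST_ENABLED}" = "1" ]; then
        sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \
            ${D}${PTEST_PATH}/run-ptest
    fi
}

SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)"
FILES:python3-firewall = "\
    ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \
"
# The bindings talk to the daemon over D-Bus and drive nftables through its
# python module, so those are hard runtime dependencies of the library package.
RDEPENDS:python3-firewall = "\
    python3-dbus \
    nftables-python \
    python3-pygobject \
"

# Do not depend on QT5 layer and GTK deps if not explicitly required.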
# Runtime dependencies added only when the matching PACKAGECONFIG is enabled.
# Note that this list names ${PN}-config itself, so ${PN}-config ends up
# depending on itself when qt5 is on (harmless, but worth knowing).
FIREWALLD_QT5_RDEPENDS = "\
    ${PN}-config \
    hicolor-icon-theme \
    python3-pyqt5 \
    python3-pygobject \
    libnotify \
    networkmanager \
"
FIREWALLD_GTK_RDEPENDS = "\
    gtk3 \
"

# A QT5 based UI
# NOTE(review): the FILES list below ships a .glade file and gtk3_*.py helpers,
# which looks GTK3-based rather than Qt5 — re-check these summaries and the
# qt5/gtk dependency wiring against upstream before relying on them.
SUMMARY:${PN}-config = "${SUMMARY} (configuration application)"
FILES:${PN}-config = "\
    ${bindir}/firewall-config \
    ${datadir}/firewalld/firewall-config.glade \
    ${datadir}/firewalld/gtk3_chooserbutton.py* \
    ${datadir}/firewalld/gtk3_niceexpander.py* \
    ${datadir}/applications/firewall-config.desktop \
    ${datadir}/metainfo/firewall-config.appdata.xml \
    ${datadir}/icons/hicolor/*/apps/firewall-config*.* \
"
RDEPENDS:${PN}-config += "\
    python3-core \
    python3-ctypes \
    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
"

# A GTK3 applet depending on the QT5 firewall-config UI
# The applet autostarts for every desktop session via the xdg/autostart entry
# and reads its settings from ${sysconfdir}/firewall/applet.conf.
SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)"
FILES:${PN}-applet += "\
    ${bindir}/firewall-applet \
    ${sysconfdir}/xdg/autostart/firewall-applet.desktop \
    ${sysconfdir}/firewall/applet.conf \
    ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \
"
RDEPENDS:${PN}-applet += "\
    python3-core \
    python3-ctypes \
    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
    ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \
"

# Edits the permanent configuration without a running daemon; also used by
# the ptest suite.
SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)"
FILES:${PN}-offline-cmd += " \
    ${bindir}/firewall-offline-cmd \
"
RDEPENDS:${PN}-offline-cmd += "python3-core"

# Only recommended when FIREWALLD_DEFAULT_LOG_TARGET makes the daemon write
# a log file (see RRECOMMENDS below).
SUMMARY:${PN}-log-rotate = "${SUMMARY} (log-rotate configuration)"
FILES:${PN}-log-rotate += "${sysconfdir}/logrotate.d"

# To get almost all tests passing:
# - Enable PACKAGECONFIG ipset and ebtables
# - Provide enough RAM, QB_MEM = "-m 8192" (used for the fancy ipset tests)
FILES:${PN}-ptest += "\
    ${datadir}/firewalld/testsuite \
"
# The test suite drives the offline tool and inspects processes/interfaces.
RDEPENDS:${PN}-ptest += "\
    python3-unittest \
    ${PN}-offline-cmd \
    procps-ps \
    iproute2 \
"
# glibc images additionally need the en_US locale data for the tests.
RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"

FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"

# The daemon package owns the D-Bus service/policy files, the polkit
# profiles (when installed) and the gsettings schema. ${datadir}/metainfo is
# listed here as a catch-all; firewall-config's appdata is claimed earlier by
# ${PN}-config because that package precedes ${PN} in PACKAGES.
FILES:${PN} += "\
    ${PYTHON_SITEPACKAGES_DIR}/firewall \
    ${nonarch_libdir}/firewalld \
    ${datadir}/dbus-1 \
    ${datadir}/polkit-1 \
    ${datadir}/metainfo \
    ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \
"
# iptables stays a hard dependency for "direct passthrough" rules even though
# the nftables backend is the default (see the EXTRA_OECONF comment above).
RDEPENDS:${PN} += "\
    python3-firewall \
    iptables \
    python3-core \
    python3-io \
    python3-fcntl \
    python3-syslog \
    python3-xml \
    python3-json \
    python3-ctypes \
    python3-pprint \
"
# If firewalld writes a log file ("mixed" or "file" target), rotation is needed
RRECOMMENDS:${PN} += "${@bb.utils.contains_any('FIREWALLD_DEFAULT_LOG_TARGET', [ 'mixed', 'file' ], '${PN}-log-rotate', '', d)}"

# Add required kernel modules. With Yocto kernel 5.15 this currently means:
# - features/nf_tables/nf_tables.scc
# - features/netfilter/netfilter.scc
# - cgl/features/audit/audit.scc
# - cfg/net/ip6_nf.scc
# - Plus:
# - ebtables
# - ipset
# - CONFIG_IP6_NF_SECURITY=m
# - CONFIG_IP6_NF_MATCH_RPFILTER=m
# - CONFIG_IP6_NF_TARGET_REJECT=m
# - CONFIG_NFT_OBJREF=m
# - CONFIG_NFT_FIB=m
# - CONFIG_NFT_FIB_INET=m
# - CONFIG_NFT_FIB_IPV4=m
# - CONFIG_NFT_FIB_IPV6=m
# - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
# - CONFIG_NETFILTER_XT_SET=m
#
# NOTE(review): these are RRECOMMENDS, not RDEPENDS, so an image whose kernel
# config omits a module still builds. Verify on the target (lsmod / the ptest
# run) that the backend modules actually load; presumably a daemon that cannot
# load its backend leaves the host without the expected filtering.
#
# Map each module name in FIREWALLD_KERNEL_MODULES to the package name used by
# the kernel recipe: "kernel-module-" prefix, underscores to dashes, lowercase
# (e.g. xt_MASQUERADE -> kernel-module-xt-masquerade). Returns a
# space-separated string; empty when the variable is unset.
def get_kernel_deps(d):
    kmodules = (d.getVar('FIREWALLD_KERNEL_MODULES') or "").split()
    return ' '.join([ 'kernel-module-' + mod.replace('_', '-').lower() for mod in kmodules ])
RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}"