SUMMARY = "Dynamic firewall daemon with a D-Bus interface"
HOMEPAGE = "https://firewalld.org/"
BUGTRACKER = "https://github.com/firewalld/firewalld/issues"
UPSTREAM_CHECK_URI = "https://github.com/firewalld/firewalld/releases"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"

# Release tarball fetched over HTTPS from the upstream GitHub release page
# (BPN/BP/PV are derived from the recipe filename), plus the locally maintained
# init script and ptest driver from files/.
SRC_URI = "\
    https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.bz2 \
    file://firewalld.init \
    file://run-ptest \
"
# Pins the exact upstream tarball: the fetcher rejects a download whose digest
# differs, so this value must be refreshed together with any PV bump.
SRC_URI[sha256sum] = "aba0d8ce9617b906ea4866bf0bdfb2c2d5312f53b8e9e8e9e4d49bf330da5b5e"

# glib-2.0-native is needed for GSETTINGS_RULES autoconf macro from gsettings.m4
DEPENDS = "intltool-native glib-2.0-native nftables"

inherit gettext autotools-brokensep bash-completion pkgconfig python3native python3-dir gsettings systemd update-rc.d ptest features_check

# Enforced by features_check: the recipe is skipped on distros lacking it.
REQUIRED_DISTRO_FEATURES = "gobject-introspection-data"

# Default follows DISTRO_FEATURES (systemd on/off) unless a layer or local.conf
# sets PACKAGECONFIG explicitly (weak ??= default).
# Flag fields: <enable configure args>,<disable configure args>,<DEPENDS>,<RDEPENDS>.
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
PACKAGECONFIG[systemd] = "--with-systemd-unitdir=${systemd_system_unitdir},--disable-systemd"
# docs: XML catalog and docbook toolchain are build-time (native) only.
PACKAGECONFIG[docs] = "--with-xml-catalog=${STAGING_ETCDIR_NATIVE}/xml/catalog,--disable-docs,libxslt-native docbook-xsl-stylesheets-native"
# ipset/ebtables: configure is pointed at the target binary paths and the
# matching package becomes a runtime dependency (4th field) only when enabled.
PACKAGECONFIG[ipset] = "--with-ipset=${sbindir}/ipset,--without-ipset,,ipset"
PACKAGECONFIG[ebtables] = "--with-ebtables=${base_sbindir}/ebtables --with-ebtables-restore=${sbindir}/ebtables-legacy-restore,--without-ebtables --without-ebtables-restore,,ebtables"

# Default logging target; accepted values: mixed, syslog, file, console.
# Exported to configure as DEFAULT_LOG_TARGET in do_configure:prepend; "mixed"
# and "file" additionally pull in ${PN}-log-rotate via RRECOMMENDS below.
FIREWALLD_DEFAULT_LOG_TARGET ??= "syslog"

# The UIs are not yet tested and the dependencies are probably not quite correct yet.
# Splitting into separate packages is beneficial so that no dead code is transferred
# to the target device.
# Without enabling qt5, the firewalld-config package is not usable.
# Without enabling qt5 and gtk, the firewalld-applet package is not usable.
# Both flags carry no configure arguments; they only gate the runtime
# dependencies of ${PN}-config and ${PN}-applet (see the bb.utils.contains
# checks in their RDEPENDS).
PACKAGECONFIG[qt5] = ""
PACKAGECONFIG[gtk] = ""

# Prepended (=+) so these sub-packages claim their FILES before the ${PN}
# catch-all is evaluated.
PACKAGES =+ "python3-firewall ${PN}-applet ${PN}-config ${PN}-offline-cmd ${PN}-zsh-completion ${PN}-log-rotate"

# iptables, ip6tables, ebtables, and ipset *should* be unnecessary
# when the nftables backend is available, because nftables supersedes all of them.
# However we still need iptables and ip6tables to be available otherwise any
# application relying on "direct passthrough" rules (such as docker) will break.
# NOTE(review): direct rules are handed to iptables as written rather than
# expressed through firewalld zones, so they sit outside the zone policy —
# confirm against the firewalld direct-interface docs when auditing a target.
# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
# the Red Hat-specific init script which we aren't using, so we disable that.
EXTRA_OECONF = "\
    --with-iptables=${sbindir}/iptables \
    --with-iptables-restore=${sbindir}/iptables-restore \
    --with-ip6tables=${sbindir}/ip6tables \
    --with-ip6tables-restore=${sbindir}/ip6tables-restore \
    --disable-sysconfig \
"

# Names consumed by update-rc.d.bbclass (the init script installed by
# do_install:append) and systemd.bbclass (the unit installed by configure when
# the systemd PACKAGECONFIG flag is set).
INITSCRIPT_NAME = "firewalld"
SYSTEMD_SERVICE:${PN} = "firewalld.service"

# kernel modules loaded after ptest execution (linux-yocto 5.15)
# The list is substituted into run-ptest by do_install_ptest:append and mapped
# to kernel-module-* RRECOMMENDS by get_kernel_deps at the bottom of this file.
# Weak default (?=) so a BSP layer can replace it for a different kernel config.
FIREWALLD_KERNEL_MODULES ?= "\
    xt_tcpudp \
    xt_TCPMSS \
    xt_set \
    xt_sctp \
    xt_REDIRECT \
    xt_pkttype \
    xt_NFLOG \
    xt_nat \
    xt_MASQUERADE \
    xt_mark \
    xt_mac \
    xt_LOG \
    xt_limit \
    xt_dccp \
    xt_CT \
    xt_conntrack \
    xt_CHECKSUM \
    nft_redir \
    nft_objref \
    nft_nat \
    nft_masq \
    nft_log \
    nfnetlink_log \
    nf_nat_tftp \
    nf_nat_sip \
    nf_nat_ftp \
    nf_log_syslog \
    nf_conntrack_tftp \
    nf_conntrack_sip \
    nf_conntrack_netbios_ns \
    nf_conntrack_ftp \
    nf_conntrack_broadcast \
    ipt_REJECT \
    ip6t_rpfilter \
    ip6t_REJECT \
    ip_set_hash_netport \
    ip_set_hash_netnet \
    ip_set_hash_netiface \
    ip_set_hash_net \
    ip_set_hash_mac \
    ip_set_hash_ipportnet \
    ip_set_hash_ipport \
    ip_set_hash_ipmark \
    ip_set_hash_ip \
    ebt_ip6 \
    nft_fib_inet \
    nft_fib_ipv4 \
    nft_fib_ipv6 \
    nft_fib \
    nft_reject_inet \
    nf_reject_ipv4 \
    nf_reject_ipv6 \
    nft_reject \
    nft_ct \
    nft_chain_nat \
    ebtable_nat \
    ebtable_broute \
    ip6table_nat \
    ip6table_mangle \
    ip6table_raw \
    ip6table_security \
    iptable_nat \
    nf_nat \
    nf_conntrack \
    nf_defrag_ipv6 \
    nf_defrag_ipv4 \
    iptable_mangle \
    iptable_raw \
    iptable_security \
    ip_set \
    ebtable_filter \
    ebtables \
    ip6table_filter \
    ip6_tables \
    iptable_filter \
    ip_tables \
    x_tables \
    sch_fq_codel \
"

# Hand the chosen log target to configure through its environment
# (presumably read by firewalld's configure as DEFAULT_LOG_TARGET — confirm).
do_configure:prepend() {
    DEFAULT_LOG_TARGET="${FIREWALLD_DEFAULT_LOG_TARGET}"
    export DEFAULT_LOG_TARGET
}

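# Post-install fix-ups: install our own init script on sysvinit systems, drop
# the polkit policy when the distro has no polkit, rewrite native python paths
# to their target equivalents, and remove a Red Hat-specific modprobe fragment.
# Path arguments are quoted; the globbed arguments to sed are intentionally not.
do_install:append() {
    # Negated contains(): expands to the shell word "true" only when systemd is
    # NOT in DISTRO_FEATURES, i.e. this is the sysvinit branch.
    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
        # firewalld ships an init script but it contains Red Hat-isms, replace it with our own
        rm -rf "${D}${sysconfdir}/rc.d/"
        install -d "${D}${sysconfdir}/init.d"
        install -m0755 "${WORKDIR}/firewalld.init" "${D}${sysconfdir}/init.d/firewalld"
    fi

    if ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'false', 'true', d)}; then
        # Delete polkit profiles if polkit is not available.
        # NOTE(review): without the polkit policy, authorization for firewalld's
        # D-Bus API presumably rests on the dbus-1 policy packaged into the main
        # package alone — verify it is restrictive enough for the target.
        rm -rf "${D}${datadir}/polkit-1"
    fi

    # We ran ./configure with PYTHON pointed at the binary inside $STAGING_BINDIR_NATIVE
    # so now we need to fix up any references to point at the proper path in the image.
    # This hack is also in distutils.bbclass, but firewalld doesn't use distutils/setuptools.
    # BitBake expands the ${...} inside the sed expression before the shell sees it,
    # so single quotes only protect the ':' delimiters and '*' globs stay unquoted.
    if [ "${PN}" != "${BPN}-native" ]; then
        sed -i -e 's:${STAGING_BINDIR_NATIVE}/python3-native/python3:${bindir}/python3:g' \
            ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml
    fi
    sed -i -e 's:${STAGING_BINDIR_NATIVE}:${bindir}:g' \
        ${D}${bindir}/* ${D}${sbindir}/* ${D}${sysconfdir}/firewalld/*.xml

    # This file contains Red Hat-isms. Modules get loaded without it.
    rm -f "${D}${sysconfdir}/modprobe.d/firewalld-sysctls.conf"
}
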
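# Inject the kernel module list into the installed ptest driver, which carries
# a @@FIREWALLD_KERNEL_MODULES@@ placeholder for it.
do_install_ptest:append() {
    # Add kernel modules to the ptest script. PTEST_ENABLED is quoted so an
    # unset/empty value compares as false instead of raising a test(1) error.
    if [ "${PTEST_ENABLED}" = "1" ]; then
        sed -i -e 's:@@FIREWALLD_KERNEL_MODULES@@:${FIREWALLD_KERNEL_MODULES}:g' \
            "${D}${PTEST_PATH}/run-ptest"
    fi
}
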
# Python library split out of the daemon package. The *.py* globs cover both
# the .py sources and the compiled .pyc files in __pycache__.
SUMMARY:python3-firewall = "${SUMMARY} (Python3 bindings)"
FILES:python3-firewall = "\
    ${PYTHON_SITEPACKAGES_DIR}/firewall/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/config/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/core/io/__pycache__/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/*.py* \
    ${PYTHON_SITEPACKAGES_DIR}/firewall/server/__pycache__/*.py* \
"
# nftables-python is the nftables backend binding; dbus/pygobject serve the
# D-Bus interface.
RDEPENDS:python3-firewall = "\
    python3-dbus \
    nftables-python \
    python3-pygobject \
"

# Do not depend on QT5 layer and GTK deps if not explicitly required.
# These lists are only added to RDEPENDS:${PN}-config / RDEPENDS:${PN}-applet
# when the qt5 / gtk PACKAGECONFIG flags are set (see the checks below).
FIREWALLD_QT5_RDEPENDS = "\
    ${PN}-config \
    hicolor-icon-theme \
    python3-pyqt5 \
    python3-pygobject \
    libnotify \
    networkmanager \
"
FIREWALLD_GTK_RDEPENDS = "\
    gtk3 \
"

# A QT5 based UI
# Without the qt5 PACKAGECONFIG flag the RDEPENDS below are incomplete and the
# package installs but is not usable (see the PACKAGECONFIG[qt5] comment).
SUMMARY:${PN}-config = "${SUMMARY} (configuration application)"
FILES:${PN}-config = "\
    ${bindir}/firewall-config \
    ${datadir}/firewalld/firewall-config.glade \
    ${datadir}/firewalld/gtk3_chooserbutton.py* \
    ${datadir}/firewalld/gtk3_niceexpander.py* \
    ${datadir}/applications/firewall-config.desktop \
    ${datadir}/metainfo/firewall-config.appdata.xml \
    ${datadir}/icons/hicolor/*/apps/firewall-config*.* \
"
RDEPENDS:${PN}-config += "\
    python3-core \
    python3-ctypes \
    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
"

# A GTK3 applet depending on the QT5 firewall-config UI
# Needs both the qt5 and gtk PACKAGECONFIG flags for a complete RDEPENDS.
SUMMARY:${PN}-applet = "${SUMMARY} (panel applet)"
FILES:${PN}-applet += "\
    ${bindir}/firewall-applet \
    ${sysconfdir}/xdg/autostart/firewall-applet.desktop \
    ${sysconfdir}/firewall/applet.conf \
    ${datadir}/icons/hicolor/*/apps/firewall-applet*.* \
"
RDEPENDS:${PN}-applet += "\
    python3-core \
    python3-ctypes \
    ${@bb.utils.contains('PACKAGECONFIG', 'qt5', '${FIREWALLD_QT5_RDEPENDS}', '', d)} \
    ${@bb.utils.contains('PACKAGECONFIG', 'gtk', '${FIREWALLD_GTK_RDEPENDS}', '', d)} \
"

# Offline configuration tool; also a runtime dependency of ${PN}-ptest.
SUMMARY:${PN}-offline-cmd = "${SUMMARY} (offline configuration utility)"
FILES:${PN}-offline-cmd += " \
    ${bindir}/firewall-offline-cmd \
"
RDEPENDS:${PN}-offline-cmd += "python3-core"

# logrotate snippet; recommended by ${PN} only when the log target is a file.
SUMMARY:${PN}-log-rotate = "${SUMMARY} (log-rotate configuration)"
FILES:${PN}-log-rotate += "${sysconfdir}/logrotate.d"

# To get almost all tests passing:
# - Enable PACKAGECONFIG ipset, ebtables
# - Enough RAM: QB_MEM = "-m 8192" (used for fancy ipset tests)
FILES:${PN}-ptest += "\
    ${datadir}/firewalld/testsuite \
"
RDEPENDS:${PN}-ptest += "\
    python3-unittest \
    ${PN}-offline-cmd \
    procps-ps \
    iproute2 \
"
# glibc-only override: musl images do not get these extra packages.
RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"

FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"

# Main package: the firewall package directory itself (its .py files belong to
# python3-firewall above), the firewalld data tree, D-Bus and polkit policy,
# and the gsettings schema. ${datadir}/polkit-1 may be absent (removed in
# do_install:append when polkit is not a DISTRO_FEATURE); an unmatched FILES
# entry is harmless.
FILES:${PN} += "\
    ${PYTHON_SITEPACKAGES_DIR}/firewall \
    ${nonarch_libdir}/firewalld \
    ${datadir}/dbus-1 \
    ${datadir}/polkit-1 \
    ${datadir}/metainfo \
    ${datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml \
"
# iptables stays a hard runtime dependency for the "direct passthrough" case
# described at EXTRA_OECONF.
RDEPENDS:${PN} += "\
    python3-firewall \
    iptables \
    python3-core \
    python3-io \
    python3-fcntl \
    python3-syslog \
    python3-xml \
    python3-json \
    python3-ctypes \
    python3-pprint \
"
# If firewalld writes a log file rotation is needed
RRECOMMENDS:${PN} += "${@bb.utils.contains_any('FIREWALLD_DEFAULT_LOG_TARGET', [ 'mixed', 'file' ], '${PN}-log-rotate', '', d)}"

# Add the required kernel modules. With the linux-yocto 5.15 kernel this currently means:
# - features/nf_tables/nf_tables.scc
# - features/netfilter/netfilter.scc
# - cgl/features/audit/audit.scc
# - cfg/net/ip6_nf.scc
# - Plus:
#   - ebtables
#   - ipset
#   - CONFIG_IP6_NF_SECURITY=m
#   - CONFIG_IP6_NF_MATCH_RPFILTER=m
#   - CONFIG_IP6_NF_TARGET_REJECT=m
#   - CONFIG_NFT_OBJREF=m
#   - CONFIG_NFT_FIB=m
#   - CONFIG_NFT_FIB_INET=m
#   - CONFIG_NFT_FIB_IPV4=m
#   - CONFIG_NFT_FIB_IPV6=m
#   - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
#   - CONFIG_NETFILTER_XT_SET=m
def get_kernel_deps(d):
    """Map FIREWALLD_KERNEL_MODULES to kernel-module-* package names.

    Each module name is lowercased and its underscores become dashes, e.g.
    xt_TCPMSS -> kernel-module-xt-tcpmss. Returns a space-separated string,
    empty when the variable is unset or blank.
    """
    raw = d.getVar('FIREWALLD_KERNEL_MODULES') or ""
    pkgs = []
    for name in raw.split():
        pkgs.append('kernel-module-%s' % name.lower().replace('_', '-'))
    return ' '.join(pkgs)
# RRECOMMENDS rather than RDEPENDS: a kernel-module-* package that does not
# exist for the image's kernel configuration does not break the build.
RRECOMMENDS:${PN} += "${@get_kernel_deps(d)}"
