XCAppCollection
/
XCVMKit-OS


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263
							################################################################################
#
# firewalld
#
################################################################################

FIREWALLD_VERSION = 2.0.2
FIREWALLD_SITE = $(call github,firewalld,firewalld,v$(FIREWALLD_VERSION))
FIREWALLD_LICENSE = GPL-2.0
FIREWALLD_LICENSE_FILES = COPYING
FIREWALLD_CPE_ID_VENDOR = firewalld
FIREWALLD_AUTORECONF = YES

FIREWALLD_DEPENDENCIES = \
	host-intltool \
	host-libglib2 \
	host-libxml2 \
	host-libxslt \
	dbus-python \
	gobject-introspection \
	jansson \
	nftables \
	python3 \
	python-gobject

FIREWALLD_SELINUX_MODULES = firewalld

# Firewalld hard codes the python shebangs to the full path of the
# python-interpreter. IE: #!/home/buildroot/output/host/bin/python.
# Force the proper python path.
FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"

# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
# the Red Hat-specific init script which isn't used, so we set
# --disable-sysconfig.
FIREWALLD_CONF_OPTS += \
	--disable-rpmmacros \
	--disable-sysconfig \
	--with-nft=/usr/sbin/nft \
	--without-ebtables \
	--without-ebtables-restore \
	--without-ipset \
	--without-xml-catalog

ifeq ($(BR2_PACKAGE_IPTABLES),y)
FIREWALLD_DEPENDENCIES += iptables
FIREWALLD_CONF_OPTS += \
	--with-ip6tables-restore=/usr/sbin/ip6tables-restore \
	--with-ip6tables=/usr/sbin/ip6tables \
	--with-iptables-restore=/usr/sbin/iptables-restore \
	--with-iptables=/usr/sbin/iptables
else
FIREWALLD_CONF_OPTS += -without-iptables
endif

ifeq ($(BR2_PACKAGE_SYSTEMD),y)
FIREWALLD_DEPENDENCIES += systemd
FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
else
FIREWALLD_CONF_OPTS += --disable-systemd
endif

define FIREWALLD_INSTALL_INIT_SYSTEMD
	$(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
		$(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
endef

# The bundled sysvinit file requires /etc/init.d/functions which is not
# provided by buildroot. As such, we provide our own firewalld init file.
define FIREWALLD_INSTALL_INIT_SYSV
	$(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
		$(TARGET_DIR)/etc/init.d/S46firewalld
endef

# Firewalld needs ipv6
# Firewalld requires almost every single nftable option selected.
define FIREWALLD_LINUX_CONFIG_FIXUPS
	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_INET_DIAG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
endef

$(eval $(autotools-package))