d460845391
Firewalld requires IPV6 to function. We also should enable the other dependencies such as networking support to ensure all other options in the giant list of kernel config options are selected properly. Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
264 lines
11 KiB
Makefile
264 lines
11 KiB
Makefile
################################################################################
|
|
#
|
|
# firewalld
|
|
#
|
|
################################################################################
|
|
|
|
FIREWALLD_VERSION = 2.0.1
|
|
FIREWALLD_SITE = $(call github,firewalld,firewalld,v$(FIREWALLD_VERSION))
|
|
FIREWALLD_LICENSE = GPL-2.0
|
|
FIREWALLD_LICENSE_FILES = COPYING
|
|
FIREWALLD_CPE_ID_VENDOR = firewalld
|
|
FIREWALLD_AUTORECONF = YES
|
|
|
|
FIREWALLD_DEPENDENCIES = \
|
|
host-intltool \
|
|
host-libglib2 \
|
|
host-libxml2 \
|
|
host-libxslt \
|
|
dbus-python \
|
|
gobject-introspection \
|
|
jansson \
|
|
nftables \
|
|
python3 \
|
|
python-gobject
|
|
|
|
FIREWALLD_SELINUX_MODULES = firewalld
|
|
|
|
# Firewalld hard codes the python shebangs to the full path of the
|
|
# python-interpreter. IE: #!/home/buildroot/output/host/bin/python.
|
|
# Force the proper python path.
|
|
FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"
|
|
|
|
# /etc/sysconfig/firewalld is a Red Hat-ism, only referenced by
|
|
# the Red Hat-specific init script which isn't used, so we set
|
|
# --disable-sysconfig.
|
|
FIREWALLD_CONF_OPTS += \
|
|
--disable-rpmmacros \
|
|
--disable-sysconfig \
|
|
--with-nft=/usr/sbin/nft \
|
|
--without-ebtables \
|
|
--without-ebtables-restore \
|
|
--without-ipset \
|
|
--without-xml-catalog
|
|
|
|
ifeq ($(BR2_PACKAGE_IPTABLES),y)
|
|
FIREWALLD_DEPENDENCIES += iptables
|
|
FIREWALLD_CONF_OPTS += \
|
|
--with-ip6tables-restore=/usr/sbin/ip6tables-restore \
|
|
--with-ip6tables=/usr/sbin/ip6tables \
|
|
--with-iptables-restore=/usr/sbin/iptables-restore \
|
|
--with-iptables=/usr/sbin/iptables
|
|
else
|
|
FIREWALLD_CONF_OPTS += -without-iptables
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_SYSTEMD),y)
|
|
FIREWALLD_DEPENDENCIES += systemd
|
|
FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
|
|
else
|
|
FIREWALLD_CONF_OPTS += --disable-systemd
|
|
endif
|
|
|
|
define FIREWALLD_INSTALL_INIT_SYSTEMD
|
|
$(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
|
|
$(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
|
|
endef
|
|
|
|
# The bundled sysvinit file requires /etc/init.d/functions which is not
|
|
# provided by buildroot. As such, we provide our own firewalld init file.
|
|
define FIREWALLD_INSTALL_INIT_SYSV
|
|
$(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
|
|
$(TARGET_DIR)/etc/init.d/S46firewalld
|
|
endef
|
|
|
|
# Firewalld needs ipv6
|
|
# Firewalld requires almost every single nftable option selected.
|
|
define FIREWALLD_LINUX_CONFIG_FIXUPS
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_INET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_INET_DIAG)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
|
|
$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
|
|
endef
|
|
|
|
$(eval $(autotools-package))
|