################################################################################
#
# firewalld
#
################################################################################

# Upstream release, pinned by tag and fetched from GitHub through Buildroot's
# github helper.
# NOTE(review): download integrity rests on the package's .hash file, which is
# not part of this listing -- confirm it is refreshed on every version bump.
FIREWALLD_VERSION = 2.0.2
FIREWALLD_SITE = $(call github,firewalld,firewalld,v$(FIREWALLD_VERSION))
FIREWALLD_LICENSE = GPL-2.0
FIREWALLD_LICENSE_FILES = COPYING
# CPE vendor string; Buildroot's CVE tracking uses it to match this package
# against published advisories.
FIREWALLD_CPE_ID_VENDOR = firewalld
# Run autoreconf before configure (presumably because the tag archive carries
# no generated configure script -- confirm).
FIREWALLD_AUTORECONF = YES

# Packages that must be built before firewalld: host-side tools first, then
# the target libraries and the Python runtime. nftables is unconditional;
# iptables is appended further down only when that package is selected.
FIREWALLD_DEPENDENCIES = \
	host-intltool \
	host-libglib2 \
	host-libxml2 \
	host-libxslt \
	dbus-python \
	gobject-introspection \
	jansson \
	nftables \
	python3 \
	python-gobject

# SELinux policy module(s) Buildroot should enable in the refpolicy build when
# this package is selected.
FIREWALLD_SELINUX_MODULES = firewalld

# firewalld writes the full path of the detected Python interpreter into the
# shebang of its scripts. Left alone, that is the build host's path (e.g.
# #!/home/buildroot/output/host/bin/python), which does not exist on the
# target, so force a target-side interpreter here.
# NOTE(review): "/usr/bin/env python3" resolves python3 through PATH at run
# time. The daemon is started as a system service, so its init script or unit
# is expected to provide a trusted PATH -- confirm, or pin the interpreter path.
FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"

# Unconditional configure switches.
# --disable-sysconfig: /etc/sysconfig/firewalld is a Red Hat-ism that only the
# Red Hat-specific init script reads, and that script is not used here.
# --with-nft: path of the nft binary as installed on the target.
# The remaining switches configure firewalld without ebtables,
# ebtables-restore, ipset and the XML catalog.
# NOTE(review): userspace ipset is disabled here while
# FIREWALLD_LINUX_CONFIG_FIXUPS still enables the CONFIG_IP_SET* kernel
# options -- confirm both are intended.
FIREWALLD_CONF_OPTS += \
	--disable-rpmmacros \
	--disable-sysconfig \
	--with-nft=/usr/sbin/nft \
	--without-ebtables \
	--without-ebtables-restore \
	--without-ipset \
	--without-xml-catalog

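# Optional iptables backend. When the iptables package is selected, build it
# first and hand configure the tool paths as they exist on the target;
# otherwise tell configure to build without iptables.
ifeq ($(BR2_PACKAGE_IPTABLES),y)
FIREWALLD_DEPENDENCIES += iptables
FIREWALLD_CONF_OPTS += \
	--with-ip6tables-restore=/usr/sbin/ip6tables-restore \
	--with-ip6tables=/usr/sbin/ip6tables \
	--with-iptables-restore=/usr/sbin/iptables-restore \
	--with-iptables=/usr/sbin/iptables
else
# Written with the double-dash form used by every other option in this file
# (it was previously spelled with a single leading dash).
FIREWALLD_CONF_OPTS += --without-iptables
endif
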
# Init-system integration: with systemd selected, build against it and point
# configure at the target's unit directory; otherwise disable systemd support.
ifeq ($(BR2_PACKAGE_SYSTEMD),y)
FIREWALLD_DEPENDENCIES += systemd
FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
else
FIREWALLD_CONF_OPTS += --disable-systemd
endif

# systemd init hook: copy the unit shipped in the source tree
# (config/firewalld.service) into the target's unit directory with mode 0644,
# i.e. writable by its owner only.
define FIREWALLD_INSTALL_INIT_SYSTEMD
	$(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
		$(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
endef

# SysV init hook. The init script bundled with firewalld sources
# /etc/init.d/functions, which Buildroot does not provide, so the package
# directory carries its own S46firewalld. It is installed executable (0755),
# writable by its owner only.
define FIREWALLD_INSTALL_INIT_SYSV
	$(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
		$(TARGET_DIR)/etc/init.d/S46firewalld
endef

# Kernel options forced on when firewalld is selected. Firewalld needs IPv6
# and almost every nftables option, alongside the ip/ip6tables, arptables,
# ipset, conntrack and NAT options listed here. One KCONFIG_ENABLE_OPT call
# per line; the order is kept as-is.
# NOTE(review): the list also enables protocol-specific conntrack/NAT helpers
# (Amanda, FTP, H.323, IRC, PPTP, SANE, SIP, SNMP, TFTP, ...). Each one adds
# kernel-side parsing of untrusted traffic; products shipping a fixed rule set
# should confirm which of them are actually required.
define FIREWALLD_LINUX_CONFIG_FIXUPS
	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_INET_DIAG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
endef

# Hand every FIREWALLD_* variable defined above to Buildroot's autotools
# package infrastructure; this has to stay the last statement of the file.
$(eval $(autotools-package))