################################################################################
#
# firewalld
#
################################################################################

# Release to build. FIREWALLD_SITE is derived from it through the github
# helper (project firewalld/firewalld, tag v<version>).
# NOTE(review): the archive's integrity check is not visible in this file;
# presumably it lives in the package's hash file. Confirm that file is
# updated together with FIREWALLD_VERSION.
FIREWALLD_VERSION = 2.0.2
FIREWALLD_SITE = $(call github,firewalld,firewalld,v$(FIREWALLD_VERSION))
FIREWALLD_LICENSE = GPL-2.0
FIREWALLD_LICENSE_FILES = COPYING
# Vendor part of the package's CPE identifier, so that vulnerability tooling
# can match published CVEs against this package.
FIREWALLD_CPE_ID_VENDOR = firewalld
# Regenerate the autotools files before running configure.
FIREWALLD_AUTORECONF = YES

# Tools that run on the build host.
FIREWALLD_DEPENDENCIES = \
	host-intltool \
	host-libglib2 \
	host-libxml2 \
	host-libxslt

# Packages built for the target.
FIREWALLD_DEPENDENCIES += \
	dbus-python \
	gobject-introspection \
	jansson \
	nftables \
	python3 \
	python-gobject

# SELinux policy module requested for this package.
FIREWALLD_SELINUX_MODULES = firewalld
# firewalld writes the full path of the Python interpreter it was configured
# with into the shebang of its scripts, which would otherwise be the build
# host's interpreter (e.g. #!/home/buildroot/output/host/bin/python).
# Hand configure an interpreter that resolves on the target instead.
# NOTE(review): an env-based shebang looks python3 up through PATH each time
# a script starts; for a daemon that manages the firewall, a fixed
# interpreter path would remove that dependency. Confirm which is intended.
FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"

# /etc/sysconfig/firewalld is a Red Hat-ism, referenced only by the Red
# Hat-specific init script, which is not used here; hence --disable-sysconfig.
FIREWALLD_CONF_OPTS += \
	--disable-rpmmacros \
	--disable-sysconfig

# Backend tools: nft is given by its path on the target; ebtables,
# ebtables-restore and ipset are switched off at configure time.
FIREWALLD_CONF_OPTS += \
	--with-nft=/usr/sbin/nft \
	--without-ebtables \
	--without-ebtables-restore \
	--without-ipset

FIREWALLD_CONF_OPTS += --without-xml-catalog
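# iptables backend. When the iptables package is enabled, depend on it and
# give configure the paths of the four tools on the target; otherwise tell
# configure to do without iptables.
ifeq ($(BR2_PACKAGE_IPTABLES),y)
FIREWALLD_DEPENDENCIES += iptables
FIREWALLD_CONF_OPTS += \
	--with-ip6tables-restore=/usr/sbin/ip6tables-restore \
	--with-ip6tables=/usr/sbin/ip6tables \
	--with-iptables-restore=/usr/sbin/iptables-restore \
	--with-iptables=/usr/sbin/iptables
else
# Two leading dashes, matching every other configure option in this file.
# NOTE(review): only iptables is switched off here. ip6tables and the two
# *-restore tools get no --without-* counterpart, so configure is left to
# settle their paths by itself; confirm that it cannot record paths found
# on the build host.
FIREWALLD_CONF_OPTS += --without-iptables
endif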
# systemd support. When the systemd package is enabled, depend on it and
# tell configure where unit files go; otherwise build without systemd.
ifeq ($(BR2_PACKAGE_SYSTEMD),y)
FIREWALLD_DEPENDENCIES += systemd
FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
else
FIREWALLD_CONF_OPTS += --disable-systemd
endif
# Install step for systemd targets: copy firewalld.service from the config/
# directory of the firewalld build tree into the target's unit directory,
# creating missing directories (-D), with mode 0644 (writable by the owner
# only, not executable).
define FIREWALLD_INSTALL_INIT_SYSTEMD
	$(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
		$(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
endef
# The sysvinit script bundled with firewalld needs /etc/init.d/functions,
# which Buildroot does not provide, so the package ships its own init
# script. It is installed from the package directory as S46firewalld with
# mode 0755 (executable, writable by the owner only).
define FIREWALLD_INSTALL_INIT_SYSV
	$(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
		$(TARGET_DIR)/etc/init.d/S46firewalld
endef
# Kernel options switched on for firewalld.
# firewalld needs IPv6, and it requires almost every nftables/netfilter
# option to be selected, so the list is deliberately broad: core networking
# and bridging, the IPv6 and IPv4 iptables matches and targets, the ipset
# families, connection tracking with its helpers, NAT, logging, and the
# nf_tables expressions.
#
# NOTE(review): this also enables every connection-tracking and NAT helper
# in the list (Amanda, FTP, H.323, IRC, NetBIOS-NS, PPTP, SANE, SIP, SNMP,
# TFTP), whether or not the firewalld services in use need them. These
# helpers parse network traffic inside the kernel, so on a hardened image
# check which of them are actually required before shipping. Confirm with
# the firewalld configuration in use before trimming anything.
# NOTE(review): ipset is switched off at configure time (--without-ipset),
# yet the CONFIG_IP_SET_* options are still enabled; verify they are needed.
define FIREWALLD_LINUX_CONFIG_FIXUPS
	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_INET_DIAG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
endef
# Hand the FIREWALLD_* variables defined in this file to the autotools
# package infrastructure.
$(eval $(autotools-package))