nftables, firewalld, etc.: backport from scarthgap #69
Conversation
Signed-off-by: Wang Mingyu <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Drop backported patch, switch PACKAGECONFIG assignment to ?= (matches current practice), add in editline, linenoise CLI options and xtables option. Switch to --disable-python when building without python to avoid a configure time warning. We can drop UPSTREAM_CHECK_REGEX as the version no longer gets confused by the 0.099 version which exists. Fix buildpaths warning by switching to setuptools and add dependency on ${PN}-python to ${PN}-ptest so that the embedded paths in the compiled python files are correct. Signed-off-by: Alex Kiernan <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Drop 0001-avoid-naming-local-function-as-one-of-printf-family.patch as the issue has been fixed upstream. Signed-off-by: Yi Zhao <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Yi Zhao <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Make run-ptest use the correct libdir for multilib builds.

Log the ptest output to a date stamped file and append a test summary to the end of the log. Munge the log as it is produced to:
- insert the expected automake keywords: PASS and FAIL.
- remove escape sequences used for ANSI colours as well as movement commands

Add additional discrete tool dependencies to the nftables-ptest list since the test suite does not work with the busybox versions.

Signed-off-by: Randy MacLeod <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Wang Mingyu <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Changes are here [1], change to xz compressed archives [1] https://www.netfilter.org/projects/nftables/files/changes-nftables-1.0.6.txt Signed-off-by: Khem Raj <[email protected]>
Using a private module from setuptools is not a good idea and no longer works with latest setuptools. It's actually better to revert to official distutils even if it is going away in the next python release. Hopefully by then upstream will transition to something supported. TMPDIR in .pyc can be addressed by simply not installing the .pyc.

Signed-off-by: Alexander Kanavin <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Drop backport patches. Signed-off-by: Yi Zhao <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Signed-off-by: Yi Zhao <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Changelog: https://netfilter.org/projects/nftables/files/changes-nftables-1.0.7.txt The COPYING text changed to highlight that "New code though is moving to GPL version 2 or any later which is the preferred license for this project these days." Although the project itself stays GPLv2 only. https://netfilter.org/licensing.html#terms The upstream replaced distutils with setuptools, so the nftables-python is now built using the standard approach. The coexistence of setuptools and automake is solved in the same way as in meta-oe/recipes-support/libiio. The removal of *.pyc is no longer necessary. Signed-off-by: Petr Gotthard <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Changelog:
=========
tests: nft-rule-test: Add test cases to improve code coverage
tests: nft-table-test: fix typo shixuantong
expr: meta: introduce broute meta expression

Signed-off-by: Wang Mingyu <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
Required by libnetfilter-queue native build. Signed-off-by: Yi Zhao <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Required by daq native build. Signed-off-by: Yi Zhao <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Changelog: https://netfilter.org/projects/nftables/files/changes-nftables-1.0.8.txt Signed-off-by: Yi Zhao <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Changelog: https://www.netfilter.org/projects/nftables/files/changes-nftables-1.0.9.txt Drop configure option --disable-python as it has been removed upstream. Signed-off-by: Yi Zhao <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Add DESCRIPTION and HOMEPAGE. Signed-off-by: Randy MacLeod <[email protected]> Signed-off-by: Khem Raj <[email protected]>
Fix the following ptest output format issues:

- For "sed" command, change "-e" option to "-E" option. I believe the previous "-e" option is a typo based on the manual page of "sed":
      -e script, --expression=script
          add the script to the commands to be executed
  "-E" option, on the other hand, makes "sed" "use extended regular expressions in the script" according to the manual page.

- The test result summary line is being treated as both a passed testcase and a failed testcase due to this line containing substring "[OK]" and "[FAILED]". The following is a sample test result summary line:
      I: results: [OK] 379 [SKIPPED] 1 [FAILED] 0 [TOTAL] 380
  The fix is to change run-ptest to look for "I: [OK]" and "W: [FAILED]" when determining which lines correspond to passed/failed testcases.

- Previously, only "W: [FAILED]" out of the following testcase failure prompts is parsed:
      W: [CHK DUMP]
      W: [VALGRIND]
      W: [TAINTED]
      W: [DUMP FAIL]
      W: [FAILED]
  Adding parsing for all testcase failure prompts.

Signed-off-by: William Lyu <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
The following ShellCheck violations in "run-ptest" are fixed:

- line 4:
  SC2164: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.
- line 7:
  SC2086: Double quote to prevent globbing and word splitting.
- line 9:
  SC2006: Use $(...) notation instead of legacy backticks `...`.
  SC2086: Double quote to prevent globbing and word splitting.
  SC2126: Consider using 'grep -c' instead of 'grep|wc -l'.
- line 10:
  SC2006: Use $(...) notation instead of legacy backticks `...`.
  SC2086: Double quote to prevent globbing and word splitting.
  SC2126: Consider using 'grep -c' instead of 'grep|wc -l'.
- line 17:
  SC2086: Double quote to prevent globbing and word splitting.

Signed-off-by: William Lyu <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
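The log munging the run-ptest commits above describe (PASS/FAIL keyword insertion, ANSI stripping, matching on the "I: [OK]" / "W: [...]" prefixes so the summary line is not miscounted, sed -E instead of -e, grep -c instead of grep|wc -l), as an added example that is not the recipe's own run-ptest script. The input line shapes are assumed from the commit messages, and the sample log is constructed.

```shell
#!/bin/sh
# Added example, not the recipe's run-ptest: turn nftables run-tests.sh
# output into automake "simple test" lines (PASS:/FAIL:/SKIP: testname).
# Input line shapes are assumed from the commit messages above.

# Remove ANSI CSI sequences: colours (ESC[32m) and movement (ESC[2K, ESC[1A).
strip_ansi() {
    esc=$(printf '\033')
    sed -E "s/${esc}\[[0-9;?]*[A-Za-z]//g"
}

# Convert per-test lines. sed -E (extended regex) is what makes the groups
# and the alternation work; -e only adds a script. Anchoring on the
# "I: [OK]" / "W: [<tag>]" prefix keeps the summary line
# "I: results: [OK] N [SKIPPED] N [FAILED] N [TOTAL] N" from being counted.
nft_to_automake() {
    strip_ansi | sed -E -n \
        -e 's/^I: \[OK\][[:space:]]+([^[:space:]]+).*$/PASS: \1/p' \
        -e 's/^[IW]: \[SKIPPED\][[:space:]]+([^[:space:]]+).*$/SKIP: \1/p' \
        -e 's/^W: \[(FAILED|CHK DUMP|VALGRIND|TAINTED|DUMP FAIL)\][[:space:]]+([^:[:space:]]+).*$/FAIL: \2/p'
}

# Append a summary line; grep -c instead of grep | wc -l (ShellCheck SC2126).
summarize() {
    out=$(cat)
    pass=$(printf '%s\n' "$out" | grep -c '^PASS: ' || true)
    fail=$(printf '%s\n' "$out" | grep -c '^FAIL: ' || true)
    skip=$(printf '%s\n' "$out" | grep -c '^SKIP: ' || true)
    printf '%s\n' "$out"
    printf 'SUMMARY: pass=%s fail=%s skip=%s\n' "$pass" "$fail" "$skip"
}

# Constructed sample log: coloured OK/FAILED tags, the two failing tests named
# in the commits, a skipped test with a made-up name, and the summary line.
sample_log() {
    printf 'I: \033[32m[OK]\033[0m       tests/shell/testcases/sets/0001named_interval_0\n'
    printf 'W: \033[31m[FAILED]\033[0m   tests/shell/testcases/sets/reset_command_0: expected 0 but got 1\n'
    printf 'W: [DUMP FAIL] tests/shell/testcases/json/0005secmark_objref_0\n'
    printf 'I: [SKIPPED]  tests/shell/testcases/example/constructed_skip_0\n'
    printf 'I: results: [OK] 379 [SKIPPED] 1 [FAILED] 0 [TOTAL] 380\n'
}

sample_log | nft_to_automake | summarize
```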
There are 2 failed ptest testcases. They fail because they are broken, but the fix from the upstream is not yet available in version 1.0.9. These testcases are:

- tests/shell/testcases/sets/reset_command_0
  Fix from the upstream: https://git.netfilter.org/nftables/commit/?id=7a6089a400a573b9a4fd92f29c00a6be7b8ef269
- tests/shell/testcases/json/0005secmark_objref_0
  Fix from the upstream: https://git.netfilter.org/nftables/commit/?id=fff913c1eefbc84eb2d9c52038ef29fe881e9ee9

Signed-off-by: William Lyu <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
It gets OOMs with memory < 2G on x86_64 qemu.

Export NFT variable in run-ptest script; it's used by few tests.

Add required runtime dependencies for ptests to pass.

This also requires changes to kernel config features/nf_tables/nft_test.scc and CONFIG_VETH.

Signed-off-by: Khem Raj <[email protected]>

(cherry-picked from f6305ba; needed to remove meta-networking/recipes-core/images/meta-networking-image-ptest.bb which is only present in scarthgap)

Signed-off-by: Richard Tollerton <[email protected]>
This change adds a simple format for the skip results. The format selected is the automake "simple test" format: "result: testname" Signed-off-by: Jiaying Song <[email protected]> Signed-off-by: Armin Kuster <[email protected]>
Update firewalld by 2 major versions, which also includes breaking and behavioral changes.

Highlights from 0.9 to 1.0:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Details:
- https://firewalld.org/2021/07/firewalld-1-0-0-release
- firewalld/firewalld@v0.9.0...v1.0.0

From 1.0 to 1.1 is mostly a bug fix release update.
Details:
- https://firewalld.org/2022/02/firewalld-1-1-0-release
- firewalld/firewalld@v0.9.0...v1.0.0

Improvements on the recipe:
- Add ptest
  - Very helpful to get all the kernel modules
  - Long running, probably not suitable for any OE autobuilder
- RRECOMMENDS kernel modules, document configuration
- Improve package splitting
  - firewalld-config and firewalld-applet depend on QT5, pyqt5 and GTK. The dependencies were not correctly set but the code was ending up on the target device. Now the code gets into a separate package but the dependencies are probably still not complete. Since this is probably not used anyway it is not tested yet. It's still not perfect but much better than installing broken stuff to the target device.
  - The dependencies are added to variables instead of rdepends to keep the meta-qt5 and gnome layers optional also at build-time.
- New packageconfigs: ebtables, ipset. This is mostly required to get the test suite running but probably also usable otherwise.

Signed-off-by: Adrian Freihofer <[email protected]>
Signed-off-by: Khem Raj <[email protected]>

Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python.

Signed-off-by: Richard Tollerton <[email protected]>
Firewalld:
This is a feature release. It also includes all bug fixes since v1.1.0. Details are here: https://firewalld.org/2022/07/firewalld-1-2-0-release

Recipe:
Firewalld defaults to create a log file for debug messages. This is basically an empty file until firewalld's log level is configured to debug level. Writing log files requires something like log-rotate to prevent full disks. The default for OE is to not create files and send all log messages to syslog (journald).

Signed-off-by: Adrian Freihofer <[email protected]>
Signed-off-by: Khem Raj <[email protected]>

Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python.

Signed-off-by: Richard Tollerton <[email protected]>
This project uses gobject-introspection, so depend on the DISTRO_FEATURE. Signed-off-by: Ross Burton <[email protected]> Signed-off-by: Khem Raj <[email protected]> Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python. Signed-off-by: Richard Tollerton <[email protected]>
This fixes the commit 046ee4b. The correct DISTRO_FEATURE is gobject-introspection-data. Signed-off-by: Petr Gotthard <[email protected]> Signed-off-by: Khem Raj <[email protected]> Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python. Signed-off-by: Richard Tollerton <[email protected]>
Apart from the bugfixes, 1.3.0 introduced the following features:

feat(service): add Warpinator (6de3f18)
feat(dbus): reset to default settings (4d327c5)
feat(service): add bareos-director bareos-filedaemon bareos-storage (7552095)
feat(policy): masquerade: allow ingress zone to have interface (d8ebe1d)
feat(service): add Nebula service (3f59ce9)
feat(service): add Ceph Prometheus exporter (ef9d51f)
feat(service): add OMG DDS service definition (9ad3d37)
feat(service): add llmnr-client service (0ae765c)
feat(service): add ps2link service (6d1586c)
feat(service): add definition for syncthing-relay (cab0d43)

Signed-off-by: Petr Gotthard <[email protected]>
Signed-off-by: Khem Raj <[email protected]>

Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python.

Signed-off-by: Richard Tollerton <[email protected]>
Looks good to me.
For the future: you can use git cherry-pick -x to have git automatically add a Cherry-picked from 12341234... trailer to your commits. Having that info on each commit really helps at rebase time. But I'm not going to make you go back and add them to all of these.
Can you please add some info in the PR description on why these backports are needed in kirkstone?
Also, please mention testing done and WI# if any.
Is that short addition ok? I was going to wait on ni/meta-nilrt#742 before attempting to test this. The extent of my testing so far has been confirming that firewalld still builds. This won't be in the BSI until 742 lands... I'm not sure what else can be tested short-term.
Thanks. I assume packagefeed-ni-core, BSI builds and the BSI boots?
Well, none of this should even be hitting the images or packagegroups yet, although in full disclosure I did just try rebuilding them and I got this error — I'm guessing it's either a transient build issue on my end or is otherwise unrelated:
Cherry-picking everything related to firewalld, nftables, libnftnl, etc. firewalld needed some manual conflict resolves related to a move to dynamic-layers in scarthgap, and some ptest changes.
Justification: I'd like to have an up-to-date base for ongoing firewall development, because firewalld has been really active as of late, and a lot of commits have landed in the upstream nftables recipes.