################################################################################
#
# firewalld
#
################################################################################

# Upstream release, fetched from the firewalld/firewalld GitHub project at the
# tag "v" + FIREWALLD_VERSION.
# NOTE(review): nothing visible here pins the tarball contents; confirm the
# package's hash file is updated together with every version bump.
FIREWALLD_VERSION = 2.0.2
FIREWALLD_SITE = $(call github,firewalld,firewalld,v$(FIREWALLD_VERSION))
FIREWALLD_LICENSE = GPL-2.0
FIREWALLD_LICENSE_FILES = COPYING
# CPE vendor string, used when this package is matched against CVE data.
FIREWALLD_CPE_ID_VENDOR = firewalld
# Regenerate the autotools files before running configure.
FIREWALLD_AUTORECONF = YES

# Host-side tools needed while building.
FIREWALLD_DEPENDENCIES = \
	host-intltool \
	host-libglib2 \
	host-libxml2 \
	host-libxslt
# Target-side libraries and runtimes.
FIREWALLD_DEPENDENCIES += \
	dbus-python \
	gobject-introspection \
	jansson \
	nftables \
	python3 \
	python-gobject

# SELinux policy module associated with this package.
FIREWALLD_SELINUX_MODULES = firewalld

# configure would otherwise bake the build machine's interpreter path into
# the shebang of every installed script
# (e.g. #!/home/buildroot/output/host/bin/python), which does not exist on
# the target. Hand it a target-valid interpreter instead.
# NOTE(review): an env-based shebang picks whichever python3 comes first in
# the daemon's PATH at run time; confirm the init script / unit starts
# firewalld with a fixed PATH.
FIREWALLD_CONF_ENV += PYTHON="/usr/bin/env python3"

# /etc/sysconfig/firewalld is a Red Hat-ism that is only read by the
# Red Hat-specific init script. That script is not used here, hence
# --disable-sysconfig.
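# Baseline configure switches. nft is given as an absolute target path, so
# the installed daemon does not depend on a PATH lookup to find it. The
# ebtables and ipset userspace tools are switched off.
FIREWALLD_CONF_OPTS += \
	--disable-rpmmacros \
	--disable-sysconfig \
	--with-nft=/usr/sbin/nft \
	--without-ebtables \
	--without-ebtables-restore \
	--without-ipset \
	--without-xml-catalog

# iptables support is optional: when the iptables package is selected, point
# firewalld at the target's binaries; otherwise build without it.
# NOTE(review): without iptables only the nftables backend can work; confirm
# the shipped firewalld configuration does not select the iptables backend.
ifeq ($(BR2_PACKAGE_IPTABLES),y)
FIREWALLD_DEPENDENCIES += iptables
FIREWALLD_CONF_OPTS += \
	--with-ip6tables-restore=/usr/sbin/ip6tables-restore \
	--with-ip6tables=/usr/sbin/ip6tables \
	--with-iptables-restore=/usr/sbin/iptables-restore \
	--with-iptables=/usr/sbin/iptables
else
# Spelled with two dashes like every other option in this file (the original
# had a single leading dash).
FIREWALLD_CONF_OPTS += --without-iptables
endif

# Only reference systemd when it is part of the build.
ifeq ($(BR2_PACKAGE_SYSTEMD),y)
FIREWALLD_DEPENDENCIES += systemd
FIREWALLD_CONF_OPTS += --with-systemd-unitdir=/usr/lib/systemd/system
else
FIREWALLD_CONF_OPTS += --disable-systemd
endif

# systemd hook: copy the unit file from the firewalld build directory into
# the target's system unit directory, mode 0644.
define FIREWALLD_INSTALL_INIT_SYSTEMD
	$(INSTALL) -D -m 0644 $(@D)/config/firewalld.service \
		$(TARGET_DIR)/usr/lib/systemd/system/firewalld.service
endef

# The bundled sysvinit file requires /etc/init.d/functions which is not
# provided by buildroot. As such, we provide our own firewalld init file,
# installed executable (0755) from this package's directory.
define FIREWALLD_INSTALL_INIT_SYSV
	$(INSTALL) -D -m 0755 $(FIREWALLD_PKGDIR)/S46firewalld \
		$(TARGET_DIR)/etc/init.d/S46firewalld
endef

# Firewalld needs ipv6
# Firewalld requires almost every single nftable option selected.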
# Kernel options force-enabled whenever firewalld is part of the build:
# bridge and core networking, IPv4/IPv6 netfilter (ip_tables, ip6_tables,
# arp_tables), ip_set, conntrack with its protocol helpers, NAT, logging,
# and the nf_tables families and expression modules.
#
# NOTE(review): CONFIG_NF_TABLES and CONFIG_NF_TABLES_INET are not in this
# list although the NFT_* entries depend on them; confirm they are enabled
# elsewhere (another package's fixups or the board kernel config).
# NOTE(review): the conntrack/NAT helpers enabled here (FTP, SIP, H.323,
# PPTP, TFTP, ...) parse application payloads inside the kernel; a product
# that does not need them may prefer to drop them from its final kernel
# config to keep the attack surface small.
# NOTE(review): some symbols (e.g. CONFIG_NF_NAT_NEEDED, CONFIG_NF_NAT_IPV4)
# appear to be absent from newer kernels and are presumably ignored there;
# verify against the kernel version in use.
define FIREWALLD_LINUX_CONFIG_FIXUPS
	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_INET_DIAG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_FILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_IPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_AH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_EUI64)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_FRAG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_HL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_IPV6HEADER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_MH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_OPTS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_RT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_MATCH_SRH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_RAW)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_HL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_MASQUERADE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_NPT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP6_NF_TARGET_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARP_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_ARPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MANGLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_AH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_ECN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_RPFILTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_MATCH_TTL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_RAW)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_CLUSTERIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_ECN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_TTL)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_IPMAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_BITMAP_PORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPMARK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_IPPORTNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_MAC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETIFACE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_HASH_NETPORTNET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_SET_LIST_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_CONNCOUNT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_NETLINK_GLUE_CT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_AMANDA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_BROADCAST)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_EVENTS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_FTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_H323)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_IRC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_LABELS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_MARK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_NETBIOS_NS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PPTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_PROCFS)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SANE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_SNMP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TFTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMEOUT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_TIMESTAMP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK_ZONES)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_HELPER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_NETLINK_TIMEOUT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_DCCP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_GRE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_SCTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CT_PROTO_UDPLITE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DEFRAG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_DUP_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_FLOW_TABLE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_ARP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_COMMON)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_LOG_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_AMANDA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_FTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_H323)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_IRC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_MASQUERADE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_NEEDED)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PPTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_DCCP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_GRE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_SCTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_PROTO_UDPLITE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_REDIRECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SIP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_SNMP_BASIC)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_NAT_TFTP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_REJECT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_SOCKET_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_ARP)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_BRIDGE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_SET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_TPROXY_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_BRIDGE_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_NAT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CHAIN_ROUTE_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COMPAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CONNLIMIT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_COUNTER)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_CT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_DUP_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FIB_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FLOW_OFFLOAD)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_FWD_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_HASH)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LIMIT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_LOG)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_MASQ_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NAT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_NUMGEN)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OBJREF)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_OSF)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUEUE)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_QUOTA)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REDIR_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_INET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV4)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_IPV6)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_REJECT_NETDEV)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SOCKET)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_SYNPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TPROXY)
	$(call KCONFIG_ENABLE_OPT,CONFIG_NFT_TUNNEL)
endef

# Hand the FIREWALLD_* variables above to the autotools package
# infrastructure.
$(eval $(autotools-package))