ufw: Uncomplicated Firewall recipe

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
This commit is contained in:
Joe MacDonald
2014-11-10 21:51:46 -05:00
parent 9f925e5237
commit 2cc1bd9dd0
8 changed files with 464 additions and 0 deletions


@@ -0,0 +1,25 @@
Author: Jamie Strandboge <jamie@canonical.com>
Description: to improve boot speed when disabled, don't source all of
ufw-init-functions (which also sources in other files).
Upstream-Status: Inappropriate [ not author ]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Index: ufw-0.31/src/ufw-init
===================================================================
--- ufw-0.31.orig/src/ufw-init 2012-03-09 17:07:11.000000000 -0600
+++ ufw-0.31/src/ufw-init 2012-03-17 09:37:51.000000000 -0500
@@ -18,6 +18,12 @@
#
set -e
+# Debian/Ubuntu: small boot speed improvement
+. "#CONFIG_PREFIX#/ufw/ufw.conf"
+if [ "$1" = "start" ] && [ "$2" = "quiet" ] && [ "$ENABLED" = "no" ]; then
+ exit 0
+fi
+
if [ -s "#STATE_PREFIX#/ufw-init-functions" ]; then
. "#STATE_PREFIX#/ufw-init-functions"
else
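Review bot: The new `. "#CONFIG_PREFIX#/ufw/ufw.conf"` placed right after `set -e` is unguarded, so a missing or unreadable ufw.conf aborts ufw-init with a non-zero status before it ever reaches the existing `if [ -s "#STATE_PREFIX#/ufw-init-functions" ]` check, where the original code (which presumably read ufw.conf via ufw-init-functions) was guarded. Mirroring the guard style already used two lines below keeps the fast path best-effort: `if [ -s "#CONFIG_PREFIX#/ufw/ufw.conf" ]; then . "#CONFIG_PREFIX#/ufw/ufw.conf"; fi`. Since the file is executed as shell rather than parsed, a comment such as `# ufw.conf is sourced as shell: it must stay root-owned and not group/world-writable` would document the trust boundary this early exit now depends on. The script continues past the end of this hunk.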


@@ -0,0 +1,118 @@
Origin: r795, r796
Description: move netfilter capabilities checking into initcaps(), and call
initcaps() only when we need it.
Bug-Ubuntu: https://launchpad.net/bugs/1044361
Upstream-Status: Inappropriate [ not author ]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Index: ufw-0.33/src/backend_iptables.py
===================================================================
--- ufw-0.33.orig/src/backend_iptables.py 2012-09-23 09:58:34.000000000 -0500
+++ ufw-0.33/src/backend_iptables.py 2012-09-23 09:58:36.000000000 -0500
@@ -160,6 +160,9 @@
out += "> " + _("Checking raw ip6tables\n")
return out
+ # Initialize the capabilities database
+ self.initcaps()
+
args = ['-n', '-v', '-x', '-L']
items = []
items6 = []
@@ -470,6 +473,9 @@
if self.dryrun:
return False
+ # Initialize the capabilities database
+ self.initcaps()
+
prefix = "ufw"
exe = self.iptables
if v6:
@@ -684,6 +690,9 @@
except Exception:
raise
+ # Initialize the capabilities database
+ self.initcaps()
+
chain_prefix = "ufw"
rules = self.rules
if v6:
@@ -830,6 +839,10 @@
* updating user rules file
* reloading the user rules file if rule is modified
'''
+
+ # Initialize the capabilities database
+ self.initcaps()
+
rstr = ""
if rule.v6:
@@ -1073,6 +1086,9 @@
if self.dryrun:
return
+ # Initialize the capabilities database
+ self.initcaps()
+
rules_t = []
try:
rules_t = self._get_logging_rules(level)
Index: ufw-0.33/src/backend.py
===================================================================
--- ufw-0.33.orig/src/backend.py 2012-09-23 09:58:34.000000000 -0500
+++ ufw-0.33/src/backend.py 2012-09-23 09:59:03.000000000 -0500
@@ -21,7 +21,7 @@
import stat
import sys
import ufw.util
-from ufw.util import warn, debug
+from ufw.util import error, warn, debug
from ufw.common import UFWError, config_dir, iptables_dir, UFWRule
import ufw.applications
@@ -68,6 +68,17 @@
err_msg = _("Couldn't determine iptables version")
raise UFWError(err_msg)
+ # Initialize via initcaps only when we need it (LP: #1044361)
+ self.caps = None
+
+ def initcaps(self):
+ '''Initialize the capabilities database. This needs to be called
+ before accessing the database.'''
+
+ # Only initialize if not initialized already
+ if self.caps != None:
+ return
+
self.caps = {}
self.caps['limit'] = {}
@@ -78,14 +89,20 @@
# Try to get capabilities from the running system if root
if self.do_checks and os.getuid() == 0 and not self.dryrun:
# v4
- nf_caps = ufw.util.get_netfilter_capabilities(self.iptables)
+ try:
+ nf_caps = ufw.util.get_netfilter_capabilities(self.iptables)
+ except OSError as e:
+ error("initcaps\n%s" % e)
if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
self.caps['limit']['4'] = True
else:
self.caps['limit']['4'] = False
# v6
- nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
+ try:
+ nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
+ except OSError as e:
+ error("initcaps\n%s" % e)
if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
self.caps['limit']['6'] = True
else:
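Review bot: In both `except OSError as e:` branches added to initcaps(), `error("initcaps\n%s" % e)` is the only statement and control falls straight through to `if 'recent-set' in nf_caps ...` with `nf_caps` unbound; that is only safe if `error()` from ufw.util always terminates the process, which nothing in this hunk shows. Making the failure explicit avoids a NameError hiding the real cause and stops the firewall from continuing with an unknown capability set: `raise UFWError("initcaps\n%s" % e)` (UFWError is already imported on the line following the changed import). The `if self.caps != None:` guard in the earlier hunk should be `if self.caps is not None:`. initcaps() continues past the end of this hunk.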


@@ -0,0 +1,20 @@
Origin: r797
Description: src/backend_iptables.py: fix misplaced parenthesis
Upstream-Status: Inappropriate [ not author ]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Index: ufw-0.33/src/backend_iptables.py
===================================================================
--- ufw-0.33.orig/src/backend_iptables.py 2012-09-24 08:51:13.000000000 -0500
+++ ufw-0.33/src/backend_iptables.py 2012-09-24 08:52:00.000000000 -0500
@@ -1075,7 +1075,7 @@
exe = self.ip6tables
(rc, out) = cmd([exe] + args)
if rc != 0:
- err_msg = _("Could not perform '%s'") % (args)
+ err_msg = _("Could not perform '%s'" % (args))
if fail_ok:
debug("FAILOK: " + err_msg)
else:
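Review bot: Moving the `%` interpolation inside the `_()` call on the changed line hands the already-formatted message to the translation lookup, which (if `_` is gettext, as the `_("...")` usage suggests) will no longer match the catalog msgid, so the message silently loses its translation while the surrounding code keeps the `_("...") % value` form. If the TypeError the patch name refers to comes from `args` being a multi-element sequence, wrapping it in a one-element tuple formats it as a single value without touching the msgid: `err_msg = _("Could not perform '%s'") % (args,)`. The enclosing function starts and ends outside this hunk.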


@@ -0,0 +1,40 @@
Origin: r803, r804
Description: Don't call get_netfilter_capabilities() with ipv6 if ipv6 is
disabled.
Bug-Ubuntu: https://launchpad.net/ufw/bugs/1039729
Upstream-Status: Inappropriate [ not author ]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Index: ufw-0.33/src/backend.py
===================================================================
--- ufw-0.33.orig/src/backend.py 2012-12-04 09:21:57.000000000 -0600
+++ ufw-0.33/src/backend.py 2012-12-04 09:22:40.000000000 -0600
@@ -98,15 +98,17 @@
else:
self.caps['limit']['4'] = False
- # v6
- try:
- nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
- except OSError as e:
- error("initcaps\n%s" % e)
- if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
- self.caps['limit']['6'] = True
- else:
- self.caps['limit']['6'] = False
+ # v6 (skip capabilities check for ipv6 if ipv6 is disabled in ufw
+ # because the system may not have ipv6 support (LP: #1039729)
+ if self.use_ipv6():
+ try:
+ nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
+ except OSError as e:
+ error("initcaps\n%s" % e)
+ if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
+ self.caps['limit']['6'] = True
+ else:
+ self.caps['limit']['6'] = False
def is_enabled(self):
'''Is firewall configured as enabled'''
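Review bot: When `self.use_ipv6()` is false the whole v6 branch is skipped, so `self.caps['limit']['6']` is never assigned on this path, whereas the removed code always set it to True or False; any later reader of `self.caps['limit']['6']` would get a KeyError instead of False. Unless the non-root fallback (outside this hunk) already populates both keys, adding `else: self.caps['limit']['6'] = False` after the `if self.use_ipv6():` block keeps the capability database shape stable. initcaps() begins before this hunk.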


@@ -0,0 +1,32 @@
Origin: r816
Description: add check for -m rt --rt-type 0
Bug-Ubuntu: https://launchpad.net/bugs/1191197
Forwarded: yes
Upstream-Status: Inappropriate [ not author ]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Index: ufw-0.33/tests/check-requirements
===================================================================
--- ufw-0.33.orig/tests/check-requirements 2012-08-17 16:12:49.000000000 -0500
+++ ufw-0.33/tests/check-requirements 2013-06-15 07:47:00.000000000 -0500
@@ -3,7 +3,7 @@
# check-requirements: verify all the required iptables functionality is
# available
#
-# Copyright 2008-2012 Canonical Ltd.
+# Copyright 2008-2013 Canonical Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 3,
@@ -218,6 +218,9 @@
echo -n "icmpv6 with hl ($j): "
runcmd $exe -A $c -p icmpv6 --icmpv6-type $j -m hl --hl-eq 255 -j ACCEPT
done
+
+ echo -n "ipv6 rt: "
+ runcmd $exe -A $c -m rt --rt-type 0 -j ACCEPT
fi
echo ""


@@ -0,0 +1,107 @@
From c54d36d0582a60fd281cd9287077cea205fd849d Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 27 Nov 2014 15:20:34 -0500
Subject: [PATCH] setup: add an option to specify iptables location
When cross-compiling it isn't certain that the location of iptables on the
target will be the same as on the host. It also doesn't make sense the
test the version of the host during setup. We provide an option to
specify an alternate iptables directory. This is assumed to be a
cross-compile environment and therefore no attempt is made to verify the
version of iptables to be used.
Upstream-Status: Pending
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
setup.py | 69 ++++++++++++++++++++++++++++++++++++----------------------------
1 file changed, 39 insertions(+), 30 deletions(-)
diff --git a/setup.py b/setup.py
index 6fb3751..b13d11c 100644
--- a/setup.py
+++ b/setup.py
@@ -225,41 +225,50 @@ shutil.copytree('src', 'staging')
os.unlink(os.path.join('staging', 'ufw-init'))
os.unlink(os.path.join('staging', 'ufw-init-functions'))
+iptables_set = 0
iptables_exe = ''
iptables_dir = ''
-for e in ['iptables']:
- for dir in ['/sbin', '/bin', '/usr/sbin', '/usr/bin', '/usr/local/sbin', \
- '/usr/local/bin']:
- if e == "iptables":
- if os.path.exists(os.path.join(dir, e)):
- iptables_dir = dir
- iptables_exe = os.path.join(iptables_dir, "iptables")
- print("Found '%s'" % iptables_exe)
- else:
- continue
-
- if iptables_exe != "":
- break
-
-
-if iptables_exe == '':
- print("ERROR: could not find required binary 'iptables'", file=sys.stderr)
- sys.exit(1)
-
-for e in ['ip6tables', 'iptables-restore', 'ip6tables-restore']:
- if not os.path.exists(os.path.join(iptables_dir, e)):
- print("ERROR: could not find required binary '%s'" % (e), file=sys.stderr)
+if "--iptables-dir" in sys.argv:
+ iptables_dir = sys.argv[sys.argv.index("--iptables-dir") + 1]
+ iptables_exe = os.path.join(iptables_dir, "iptables")
+ iptables_set = 1
+ print("INFO: iptables manually set: '%s'" % (iptables_exe))
+ sys.argv.remove(iptables_dir)
+ sys.argv.remove("--iptables-dir")
+
+if not iptables_set:
+ for e in ['iptables']:
+ for dir in ['/sbin', '/bin', '/usr/sbin', '/usr/bin', '/usr/local/sbin', \
+ '/usr/local/bin']:
+ if e == "iptables":
+ if os.path.exists(os.path.join(dir, e)):
+ iptables_dir = dir
+ iptables_exe = os.path.join(iptables_dir, "iptables")
+ print("Found '%s'" % iptables_exe)
+ else:
+ continue
+
+ if iptables_exe != "":
+ break
+
+ if iptables_exe == '':
+ print("ERROR: could not find required binary 'iptables'", file=sys.stderr)
sys.exit(1)
-(rc, out) = cmd([iptables_exe, '-V'])
-if rc != 0:
- raise OSError(errno.ENOENT, "Could not find version for '%s'" % \
- (iptables_exe))
-version = re.sub('^v', '', re.split('\s', str(out))[1])
-print("Found '%s' version '%s'" % (iptables_exe, version))
-if version < "1.4":
- print("WARN: version '%s' has limited IPv6 support. See README for details." % (version), file=sys.stderr)
+ for e in ['ip6tables', 'iptables-restore', 'ip6tables-restore']:
+ if not os.path.exists(os.path.join(iptables_dir, e)):
+ print("ERROR: could not find required binary '%s'" % (e), file=sys.stderr)
+ sys.exit(1)
+
+ (rc, out) = cmd([iptables_exe, '-V'])
+ if rc != 0:
+ raise OSError(errno.ENOENT, "Could not find version for '%s'" % \
+ (iptables_exe))
+ version = re.sub('^v', '', re.split('\s', str(out))[1])
+ print("Found '%s' version '%s'" % (iptables_exe, version))
+ if version < "1.4":
+ print("WARN: version '%s' has limited IPv6 support. See README for details." % (version), file=sys.stderr)
setup (name='ufw',
version=ufw_version,
--
1.9.1
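Review bot: `sys.argv[sys.argv.index("--iptables-dir") + 1]` raises IndexError when the option is the last argument, and the following `sys.argv.remove(iptables_dir)` removes the first argv entry equal to that string rather than the one after the option, so `--prefix /usr/sbin --iptables-dir /usr/sbin` would strip the wrong argument; popping by index closes both gaps. The explicitly given directory is then baked into the installed tools with no check at all, which the description says is deliberate for cross-compilation, but `os.path.isabs()` is cheap and a relative path would otherwise be resolved against the working directory whenever ufw runs iptables. The pre-existing `version < "1.4"` is a lexical string comparison that misclassifies versions such as `1.10`, but it is carried over rather than introduced here.
```python
if "--iptables-dir" in sys.argv:
    idx = sys.argv.index("--iptables-dir")
    if idx + 1 >= len(sys.argv):
        print("ERROR: --iptables-dir requires a directory argument", file=sys.stderr)
        sys.exit(1)
    iptables_dir = sys.argv.pop(idx + 1)
    sys.argv.pop(idx)
    if not os.path.isabs(iptables_dir):
        print("ERROR: --iptables-dir must be an absolute path", file=sys.stderr)
        sys.exit(1)
    iptables_exe = os.path.join(iptables_dir, "iptables")
    iptables_set = 1
    print("INFO: iptables manually set: '%s'" % (iptables_exe))
# ... unchanged: autodetection when iptables_set is 0 ...
```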


@@ -0,0 +1,77 @@
From be53eea06a5655fdc98f47a73be8277b65bb42ed Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Tue, 11 Nov 2014 21:41:14 -0500
Subject: [PATCH] setup: only make one reference to env
If sys.executable happens to be '/usr/bin/env python' or something
similar, the setup script will result in 'ufw' getting /usr/bin/env
repeated on the top line. This causes an error at runtime. Perform a
quick sanity check on sys.executable before doing the substitution.
While we're at it, change the default value of 'exe' to the one we either
detected or specified on the build line.
Upstream-Status: Inappropriate [ embedded specific ]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
setup.py | 34 ++++++++++++++++++++++++++++------
1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/setup.py b/setup.py
index b13d11c..73acdef 100644
--- a/setup.py
+++ b/setup.py
@@ -64,7 +64,7 @@ class Install(_install, object):
real_sharedir = os.path.join(real_prefix, 'share', 'ufw')
# Update the modules' paths
- for file in [ 'common.py' ]:
+ for file in [ 'common.py', 'util.py' ]:
print("Updating " + file)
subprocess.call(["sed",
"-i",
@@ -91,6 +91,11 @@ class Install(_install, object):
"s%#SHARE_DIR#%" + real_sharedir + "%g",
os.path.join('staging', file)])
+ subprocess.call(["sed",
+ "-i.jjm",
+ "s%/sbin/iptables%" + iptables_exe + "%g",
+ os.path.join('staging', file)])
+
# Now byte-compile everything
super(Install, self).run()
@@ -107,12 +112,23 @@ class Install(_install, object):
for f in [ script, manpage, manpage_f ]:
self.mkpath(os.path.dirname(f))
+ # if sys.executable == /usr/bin/env python* the result will be the top
+ # of ufw getting:
+ #
+ # #! /usr/bin/env /usr/bin/env python
+ #
+ # which is not ideal
+ #
# update the interpreter to that of the one the user specified for setup
- print("Updating staging/ufw to use %s" % (sys.executable))
- subprocess.call(["sed",
- "-i",
- "1s%^#.*python.*%#! /usr/bin/env " + sys.executable + "%g",
- 'staging/ufw'])
+ print("Updating staging/ufw to use (%s)" % (sys.executable))
+
+ if re.search("(/usr/bin/env)", sys.executable):
+ print("found 'env' in sys.executable (%s)" % (sys.executable))
+ subprocess.call(["sed",
+ "-i.jjm",
+ "1s%^#.*python.*%#! " + sys.executable + "%g",
+ 'staging/ufw'])
+
self.copy_file('staging/ufw', script)
self.copy_file('doc/ufw.8', manpage)
self.copy_file('doc/ufw-framework.8', manpage_f)
--
1.9.1
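Review bot: The shebang rewrite of `staging/ufw` now runs only inside `if re.search("(/usr/bin/env)", sys.executable):`, so in the common case where sys.executable is a plain interpreter path such as `/usr/bin/python3` the script keeps whatever interpreter line it shipped with, whereas the removed code always rewrote it and the comment above still says the interpreter is updated to the one the user specified. If the intent is only to avoid the doubled `/usr/bin/env`, an `else:` branch restoring the previous substitution `"1s%^#.*python.*%#! /usr/bin/env " + sys.executable + "%g"` covers both cases. `-i.jjm` leaves `common.py.jjm`, `util.py.jjm` and `ufw.jjm` backups in `staging/`, which read as debugging leftovers and may be picked up by the install step; plain `-i`, as the neighbouring sed calls use, avoids that. The `"s%/sbin/iptables%" + iptables_exe + "%g"` expression also breaks if `iptables_exe` contains `%`, unlikely for a build-line directory but worth a comment.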


@@ -0,0 +1,45 @@
SUMMARY = "Uncomplicated Firewall"
DESCRIPTION = "UFW stands for Uncomplicated Firewall, and is program for \
managing a netfilter firewall. It provides a command line interface and aims \
to be uncomplicated and easy to use."
HOMEPAGE = "https://launchpad.net/ufw"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
SRC_URI = " \
https://launchpad.net/ufw/0.33/0.33/+download/ufw-0.33.tar.gz \
file://setup-add-an-option-to-specify-iptables-location.patch \
file://setup-only-make-one-reference-to-env.patch \
file://0001-optimize-boot.patch \
file://0002-lp1044361.patch \
file://0003-fix-typeerror-on-error.patch \
file://0004-lp1039729.patch \
file://0005-lp1191197.patch \
"
SRC_URI[md5sum] = "3747b453d76709e5a99da209fc0bb5f5"
SRC_URI[sha256sum] = "5f85a8084ad3539b547bec097286948233188c971f498890316dec170bdd1da8"
inherit setuptools distro_features_check
RDEPENDS_${PN} = " \
iptables \
python \
python-modules \
"
RRECOMMENDS_${PN} = " \
kernel-module-ipv6 \
"
FILES_${PN} += " \
${sbindir}/* \
${datadir}/ufw/* \
${base_libdir}/ufw/* \
${sysconfdir}/ufw/* \
${sysconfdir}/default/ufw \
"
REQUIRED_DISTRO_FEATURES = "ipv6"
DISTUTILS_BUILD_ARGS_append = " --iptables-dir /usr/sbin"
DISTUTILS_INSTALL_ARGS_append = " --iptables-dir /usr/sbin"
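Review bot: `--iptables-dir /usr/sbin` is hard-coded in both DISTUTILS_*_ARGS lines while the rest of the recipe uses `${sbindir}` and `${base_libdir}` variables; because the patched setup.py skips every existence and version check when this option is given, a distro that installs iptables elsewhere gets a ufw whose embedded iptables path is wrong and only finds out at the first `ufw enable`. `--iptables-dir ${sbindir}` ties it to the same variable the iptables package presumably installs into (verify against the iptables recipe). A short comment next to these lines, such as `# iptables location is baked into ufw at build time; no runtime PATH lookup`, would make the coupling visible to whoever next changes the iptables recipe.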