ufw: backport patches, update RRECOMMENDS, python3 support, tests

Backport patches:
  using conntrack instead of state eliminating warning
  support setup.py build (python 3)
  adjust runtime tests to use daytime port (netbase changes)
  empty out IPT_MODULES (nf conntrack warning)
  check-requirements patch for python 3.8
Update and add patches for the python 3 interpreter
Add ufw-test package. Backport fixes for check-requirements script
Update kernel RRECOMMENDS for linux-yocto 5.4 in dunfell

For dunfell

Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Jate Sujjavanich
2021-07-23 04:17:24 +00:00
committed by Armin Kuster
parent 5eff5262e3
commit da09c4c743
9 changed files with 18155 additions and 7 deletions
@@ -0,0 +1,36 @@
* check-requirements now gives iptables output on failure. Patch thanks to
S. Nizio.
Written by Jamie Strandboge <jamie@canonical.com>
The patch was imported from git://git.launchpad.net/ufw
commit id 9a6d8beb4cb1d1646c7d2a19e4aea9898f4571bb
Removed ChangeLog patch due to backport status of this patch.
Upstream-Status: Backport
Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
--- check-requirements.orig 2012-12-03 16:37:20.214274095 +0100
+++ ufw-0.33/tests/check-requirements 2012-12-03 16:40:16.298728133 +0100
@@ -29,14 +29,19 @@
runtime="yes"
shift 1
fi
- if $@ >/dev/null 2>&1 ; then
+ local output ret=0
+ # make sure to always return success below because of set -e
+ output=$( "$@" 2>&1 ) || ret=$?
+ if [ $ret -eq 0 ]; then
echo pass
else
if [ "$runtime" = "yes" ]; then
echo "FAIL (no runtime support)"
+ echo "error was: $output"
error_runtime="yes"
else
echo FAIL
+ echo "error was: $output"
error="yes"
fi
fi
@@ -0,0 +1,93 @@
support ./setup.py build (LP: #819600)
Written by Jamie Strandboge <jamie@canonical.com>
The patch was imported from git://git.launchpad.net/ufw
commit id 10dc74cdc0948e4038d2921e7428cbf2896df98c
Removed ChangeLog patch due to backport status of this patch.
Modified for statement to match the one in 0.33 setup.py
Upstream-Status: Backport
Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
diff --git a/setup.py b/setup.py
index 730c568..4e1ec9a 100644
--- a/setup.py
+++ b/setup.py
@@ -64,37 +64,44 @@ class Install(_install, object):
real_sharedir = os.path.join(real_prefix, 'share', 'ufw')
# Update the modules' paths
- for file in [ 'common.py', 'util.py' ]:
- print("Updating " + file)
- subprocess.call(["sed",
- "-i",
- "s%#CONFIG_PREFIX#%" + real_confdir + "%g",
- os.path.join('staging', file)])
-
- subprocess.call(["sed",
- "-i",
- "s%#STATE_PREFIX#%" + real_statedir + "%g",
- os.path.join('staging', file)])
-
- subprocess.call(["sed",
- "-i",
- "s%#PREFIX#%" + real_prefix + "%g",
- os.path.join('staging', file)])
-
- subprocess.call(["sed",
- "-i",
- "s%#IPTABLES_DIR#%" + iptables_dir + "%g",
- os.path.join('staging', file)])
-
- subprocess.call(["sed",
- "-i",
- "s%#SHARE_DIR#%" + real_sharedir + "%g",
- os.path.join('staging', file)])
-
- subprocess.call(["sed",
- "-i.jjm",
- "s%/sbin/iptables%" + iptables_exe + "%g",
- os.path.join('staging', file)])
+ for fn in [ 'common.py', 'util.py' ]:
+ # 'staging' is used with just 'install' but build_lib is used when
+ # using 'build'. We could probably override 'def build()' but this
+ # at least works
+ for d in [os.path.join(self.build_lib, "ufw"), 'staging']:
+ f = os.path.join(d, fn)
+ if not os.path.exists(f):
+ continue
+ print("Updating " + f)
+ subprocess.call(["sed",
+ "-i",
+ "s%#CONFIG_PREFIX#%" + real_confdir + "%g",
+ f])
+
+ subprocess.call(["sed",
+ "-i",
+ "s%#STATE_PREFIX#%" + real_statedir + "%g",
+ f])
+
+ subprocess.call(["sed",
+ "-i",
+ "s%#PREFIX#%" + real_prefix + "%g",
+ f])
+
+ subprocess.call(["sed",
+ "-i",
+ "s%#IPTABLES_DIR#%" + iptables_dir + "%g",
+ f])
+
+ subprocess.call(["sed",
+ "-i",
+ "s%#SHARE_DIR#%" + real_sharedir + "%g",
+ f])
+
+ subprocess.call(["sed",
+ "-i.jjm",
+ "s%/sbin/iptables%" + iptables_exe + "%g",
+ f])
# Now byte-compile everything
super(Install, self).run()
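Review bot: Each `subprocess.call(["sed", ...])` in the new inner loop discards sed's exit status, so a failing substitution (sed missing, file unwritable, or a `%` in `real_confdir`/`real_statedir`/`iptables_dir` breaking the `s%...%g` expression) leaves `#CONFIG_PREFIX#`-style placeholders in the installed `common.py`/`util.py` while the install still reports success. `subprocess.check_call` on each invocation, or one sed script with all six expressions checked once, would make that failure visible at build time. This file is a verbatim upstream backport, so the fix belongs in a follow-up local patch or upstream rather than edited into this one. The enclosing `run` method starts and ends outside the hunk.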
@@ -0,0 +1,106 @@
empty our IPT_MODULES and update documentation
empty out IPT_MODULES and update documentation regarding modern use of
connection tracking modules.
Patch from git://git.launchpad.net/ufw
Commit aefb842b73726c245157096fb8992c3e82833147
Written by Jamie Strandboge <jamie@ubuntu.com>
Merged patch so they applied to 0.33 with missing code. Unit tests are not
in this version.
Upstream-Status: Backport
Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
diff --git a/conf/ufw.defaults b/conf/ufw.defaults
index 330ad88..b3eba8f 100644
--- a/conf/ufw.defaults
+++ b/conf/ufw.defaults
@@ -34,12 +34,13 @@ MANAGE_BUILTINS=no
# only enable if using iptables backend
IPT_SYSCTL=#CONFIG_PREFIX#/ufw/sysctl.conf
-# Extra connection tracking modules to load. Complete list can be found in
-# net/netfilter/Kconfig of your kernel source. Some common modules:
+# Extra connection tracking modules to load. IPT_MODULES should typically be
+# empty for new installations and modules added only as needed. See
+# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
+# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
-IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
-
+IPT_MODULES=""
diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8
index eef28e1..97dc8c5 100644
--- a/doc/ufw-framework.8
+++ b/doc/ufw-framework.8
@@ -115,5 +115,10 @@ IPT_MODULES in #CONFIG_PREFIX#/default/ufw. Some popular modules to load are:
nf_conntrack_tftp
nf_nat_tftp
+.PP
+Unconditional loading of connection tracking modules (nf_conntrack_*) in this
+manner is deprecated. \fBufw\fR continues to support the functionality but new
+configuration should only contain the specific modules required for the site.
+For more information, see CONNECTION HELPERS.
.SH "KERNEL PARAMETERS"
.PP
@@ 240,5 +245,50 @@ Add the necessary \fBufw\fR rules:
# ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp
+.SH "CONNECTION HELPERS"
+.PP
+Various protocols require the use of netfilter connection tracking helpers to
+group related packets into RELATED flows to make rulesets clearer and more
+precise. For example, with a couple of kernel modules and a couple of rules, a
+ruleset could simply allow a connection to FTP port 21, then the kernel would
+examine the traffic and mark the other FTP data packets as RELATED to the
+initial connection.
+.PP
+When the helpers were first introduced, one could only configure the modules as
+part of module load (eg, if your FTP server listened on a different port than
+21, you'd have to load the nf_conntrack_ftp module specifying the correct
+port). Over time it was understood that unconditionally using connection
+helpers could lead to abuse, in part because some protocols allow user
+specified data that would allow traversing the firewall in undesired ways. As
+of kernel 4.7, automatic conntrack helper assignment (ie, handling packets for
+a given port and all IP addresses) is disabled (the old behavior can be
+restored by setting net/netfilter/nf_conntrack_helper=1 in
+#CONFIG_PREFIX#/ufw/sysctl.conf). Firewalls should now instead use the CT
+target to associate traffic with a particular helper and then set RELATED rules
+to use the helper. This allows sites to tailor the use of helpers and help
+avoid abuse.
+.PP
+In general, to use helpers securely, the following needs to happen:
+.IP 1.
+net/netfilter/nf_conntrack_helper should be set to 0 (default)
+.IP 2.
+create a rule for the start of a connection (eg for FTP, port 21)
+.IP 3.
+create a helper rule to associate the helper with this connection
+.IP 4.
+create a helper rule to associate a RELATED flow with this connection
+.IP 5.
+if needed, add the corresponding nf_conntrack_* module to IPT_MODULES
+.IP 6.
+optionally add the corresponding nf_nat_* module to IPT_MODULES
+.PP
+In general it is desirable to make connection helper rules as specific as
+possible and ensure anti\-spoofing is correctly setup for your site to avoid
+security issues in your ruleset. For more information, see ANTI\-SPOOFING,
+above, and <https://home.regit.org/netfilter-en/secure-use-of-helpers/>.
+.PP
+Currently helper rules must be managed in via the RULES FILES. A future version
+of \fBufw\fR will introduce syntax for working with helper rules.
+
.SH SEE ALSO
.PP
\fBufw\fR(8), \fBiptables\fR(8), \fBip6tables\fR(8), \fBiptables\-restore\fR(8), \fBip6tables\-restore\fR(8), \fBsysctl\fR(8), \fBsysctl.conf\fR(5)
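Review bot: The second hunk header for doc/ufw-framework.8 reads `@@ 240,5 +245,50 @@` with no `-` before the old-side range; if the file really lacks it and this is not a rendering artefact, the hunk is malformed and the patch stops applying there, so it should read `@@ -240,5 +245,50 @@`. A `git apply --check` of the backport against the 0.33 tree (or simply a do_patch run) would confirm either way. Separately, the added CONNECTION HELPERS text says helper rules `must be managed in via the RULES FILES`, which reads as a typo for `must be managed via the RULES FILES`.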
@@ -0,0 +1,33 @@
tests/check-requirements: simplify and support python 3.8
Written by: Jamie Strandboge <jamie@ubuntu.com>
The patch was imported from git://git.launchpad.net/ufw
commit id e30f8bc2aeb317d152e74a270a8e1336de06cee6
Upstream-Status: Backport
Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
diff --git a/tests/check-requirements b/tests/check-requirements
index e873703..82fab08 100755
--- a/tests/check-requirements
+++ b/tests/check-requirements
@@ -45,7 +45,7 @@ runcmd() {
# check python
found_python="no"
echo -n "Has python: "
-for exe in python2.7 python2.6 python2.5 python3.2 python; do
+for exe in python3 python2 python; do
if ! which $exe >/dev/null 2>&1; then
continue
fi
@@ -54,7 +54,7 @@ for exe in python2.7 python2.6 python2.5 python3.2 python; do
echo "pass (binary: $exe, version: $v, py2)"
found_python="yes"
break
- elif echo "$v" | grep -q "^3.[2]"; then
+ elif echo "$v" | grep -q "^3.[2-8]"; then
echo "pass (binary: $exe, version: $v, py3)"
found_python="yes"
break
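Review bot: The widened version test `grep -q "^3.[2-8]"` still hard-codes the upper bound, so the script reports FAIL for Python 3.9 and later, and the unescaped `.` matches any character rather than a literal dot. For dunfell's python3 (3.8) the range is sufficient, but since the 2.x case is already matched by its own branch above, `elif echo "$v" | grep -q "^3\."; then` would accept every 3.x release without needing another backport. The enclosing for loop is cut at both ends of the hunk.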
@@ -0,0 +1,33 @@
Add code to detect openembedded python interpreter
OE does not use /usr/bin/env as part of the interpreter, so it does not
update ufw with the interpreter name.
Upstream-Status: Inappropriate (Embedded)
Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
---
setup.py | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/setup.py b/setup.py
index 75c1105..3f9a5e0 100644
--- a/setup.py
+++ b/setup.py
@@ -128,6 +128,14 @@ class Install(_install, object):
"-i.jjm",
"1s%^#.*python.*%#! " + sys.executable + "%g",
'staging/ufw'])
+ elif '-native/python' in sys.executable and \
+ os.path.basename(sys.executable) in ['python', 'python3']:
+ print("Detected oe native python " + os.path.basename(sys.executable))
+ subprocess.call(["sed",
+ "-i.jjm",
+ "1s%python$%"
+ + os.path.basename(sys.executable) + "%g",
+ 'staging/ufw'])
self.copy_file('staging/ufw', script)
self.copy_file('doc/ufw.8', manpage)
--
2.7.4
@@ -14,6 +14,10 @@ detected or specified on the build line.
Upstream-Status: Inappropriate [ embedded specific ]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Added conditional to handle sys.executable without env on python3
Signed-off-by Jate Sujjavanich <jatedev@gmail.com>
---
setup.py | 34 ++++++++++++++++++++++++++++------
1 file changed, 28 insertions(+), 6 deletions(-)
@@ -43,7 +47,7 @@ index b13d11c..73acdef 100644
# Now byte-compile everything
super(Install, self).run()
@@ -107,12 +112,23 @@ class Install(_install, object):
@@ -107,12 +112,29 @@ class Install(_install, object):
for f in [ script, manpage, manpage_f ]:
self.mkpath(os.path.dirname(f))
@@ -62,7 +66,13 @@ index b13d11c..73acdef 100644
- 'staging/ufw'])
+ print("Updating staging/ufw to use (%s)" % (sys.executable))
+
+ if re.search("(/usr/bin/env)", sys.executable):
+ if not re.search("(/usr/bin/env)", sys.executable):
+ print("Did not find 'env' in sys.executable (%s)" % (sys.executable))
+ subprocess.call(["sed",
+ "-i",
+ "1s%^#.*python.*%#! /usr/bin/env " + sys.executable + "%g",
+ 'staging/ufw'])
+ elif re.search("(/usr/bin/env)", sys.executable):
+ print("found 'env' in sys.executable (%s)" % (sys.executable))
+ subprocess.call(["sed",
+ "-i.jjm",
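Review bot: The new `if not re.search("(/usr/bin/env)", sys.executable)` branch rewrites line 1 of staging/ufw to `#! /usr/bin/env ` followed by `sys.executable`, i.e. the absolute path of the interpreter running setup.py; under OE that is the python3-native binary inside the recipe sysroot, so the installed script would carry a build-host path in its shebang unless something outside this hunk rewrites it again. Because `if not X … elif X …` is exhaustive, the `elif '-native/python' in sys.executable` branch that Add-code-to-detect-openembedded-python-interpreter.patch appends after the second sed call looks unreachable, and that is the branch meant to turn `python` into `python3` for OE. Worth checking the shebang of the packaged ufw in a dunfell build and, if it is wrong, handling the native-python case first, e.g. substituting `#! /usr/bin/env ` + `os.path.basename(sys.executable)` when `'-native/python' in sys.executable`. The enclosing method and the inner hunk both continue outside what this hunk shows.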
@@ -16,6 +16,13 @@ SRC_URI = " \
file://0003-fix-typeerror-on-error.patch \
file://0004-lp1039729.patch \
file://0005-lp1191197.patch \
file://0006-check-requirements-get-error.patch \
file://0007-use-conntrack-instead-of-state-module.patch \
file://0008-support-.-setup.py-build-LP-819600.patch \
file://0009-adjust-runtime-tests-to-use-daytime-port.patch \
file://0010-empty-out-IPT_MODULES-and-update-documentation.patch \
file://0011-tests-check-requirements--simplify-and-support-python-3.8.patch \
file://Add-code-to-detect-openembedded-python-interpreter.patch \
"
UPSTREAM_CHECK_URI = "https://launchpad.net/ufw"
@@ -25,6 +32,17 @@ SRC_URI[sha256sum] = "5f85a8084ad3539b547bec097286948233188c971f498890316dec170b
inherit setuptools3 features_check
do_install_append() {
install -d ${D}${datadir}/${PN}/test
cp -R --no-dereference --preserve=mode,links -v ${S}/* ${D}${datadir}/${PN}/test
}
PACKAGES =+ "${PN}-test"
RDEPENDS_${PN}-test += "bash"
FILES_${PN}-test += "${datadir}/${PN}/test"
# To test, install ufw-test package. You can enter /usr/share/ufw/test and run as root:
# PYTHONPATH=tests/testarea/lib/python ./run_tests.sh -s -i python3 root
RDEPENDS_${PN} = " \
iptables \
python3 \
@@ -33,14 +51,35 @@ RDEPENDS_${PN} = " \
RRECOMMENDS_${PN} = " \
kernel-module-ipv6 \
kernel-module-nf-conntrack-ipv6 \
kernel-module-ipt-reject \
kernel-module-iptable-mangle \
kernel-module-iptable-raw \
kernel-module-ip6table-raw \
kernel-module-ip6t-reject \
kernel-module-ip6t-rt \
kernel-module-ip6table-mangle \
kernel-module-nf-conntrack \
kernel-module-nf-log-common \
kernel-module-nf-conntrack-broadcast \
kernel-module-nf-conntrack-ftp \
kernel-module-nf-conntrack-netbios-ns \
kernel-module-nf-log-ipv4 \
kernel-module-nf-log-ipv6 \
kernel-module-nf-addrtype \
kernel-module-nf-limit \
kernel-module-nf-log \
kernel-module-nf-recent \
kernel-module-nf-log-ipv4 \
kernel-module-nf-log-ipv6 \
kernel-module-nf-nat-ftp \
kernel-module-xt-addrtype \
kernel-module-xt-comment \
kernel-module-xt-conntrack \
kernel-module-xt-hashlimit \
kernel-module-xt-hl \
kernel-module-xt-multiport \
kernel-module-xt-ratetest \
kernel-module-xt-socket \
kernel-module-xt-tcpudp \
kernel-module-xt-limit \
kernel-module-xt-log \
kernel-module-xt-recent \
"
# Certain items are explicitly put under /lib, not base_libdir when installed.
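Review bot: `cp -R --no-dereference --preserve=mode,links -v ${S}/* ${D}${datadir}/${PN}/test` in do_install_append ships the whole unpacked and patched source tree — setup.py, the staging/ directory and likely the `.jjm` backups left by the `sed -i.jjm` calls, docs, everything — into the ufw-test package, not just the test suite. Limiting the copy to what run_tests.sh needs (`${S}/tests` and `${S}/run_tests.sh`, assuming the runner lives at the top level — worth checking) keeps the footprint of a package whose documented use is running as root small and avoids installing build-time artefacts on the target. In the RRECOMMENDS list, `kernel-module-xt-ratetest` does not match any xtables module name I know of; if `kernel-module-xt-rateest` was intended, the typo is silent because RRECOMMENDS never fails a build. `kernel-module-nf-log-ipv4`/`-ipv6` also appear twice as rendered here, though this view does not make clear whether both pairs are on the new side.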