| Age | Commit message (Collapse) | Author |
|---|
|
Take inspiration from the ebtables recipe in meta-networking and omit
installation of etc/ethertypes, since it is provided by netbase. If we
don't do this, the following error occurs during build:
Error: Transaction test error:
file /etc/ethertypes conflicts between attempted installs of
iptables-1.8.7-r0.core2_64 and netbase-1:6.3-r0.noarch
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
license identifiers
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We do not want iptables to depend on bash. So move
iptables-apply/ip6tables-apply to a separate package.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The iptables-apply is not installed which makes ip6tables-apply as an
invalid symbolic link:
$ ls -l /usr/sbin/ip6tables-apply
lrwxrwxrwx 1 root root 14 Jun 11 08:27 /usr/sbin/ip6tables-apply -> iptables-apply
$ ls -l /usr/sbin/iptables-apply
ls: cannot access '/usr/sbin/iptables-apply': No such file or directory
Backport a patch to fix the issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This release contains the following fixes and enhancements:
xtables-save/xtables-restore:
- Fix parser in `--noflush' mode incorrectly rejecting chain definitions
and empty lines.
- Fix crash when restoring or dumping while other ruleset changes happen
in parallel.
iptables-apply:
- Install the script along with `make install'.
- Introduce parameters `-c' (run command) and `-w' (save successfully
applied rules to file).
- Use `mktemp' instead of `tempfile' for temporary files.
iptables-translate:
- Support `time' match and `NOTRACK' target.
- Fix for special interface names `*', `+' and `eth++'.
ebtables-nft:
- Full among match support, including sets with mixed MAC and MAC+IP
entries.
extensions:
- connlabel: Numeric labels were rejected if a connlabel.conf existed in
the system.
- IDLETIMER: Introduce `--alarm' option.
libxtables:
- Introduce xtables_fini() to properly deinit the library and close any
loaded shared objects.
nfnl_osf:
- Fix lockup after loading the first line from fingerprints file.
- Improve error handling, don't silently exit when deleting a
non-existing fingerprint.
General:
- Fixes for undefined behaviour.
- Replace a few unsafe calls to strcpy().
- Fix some warnings when compiling with clang.
- Various fixes for valgrind-detected problems such as memory leaks and
reachable memory at program exit.
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Commit bc66b2f45ade2c63cfd14d5388f6ca0905a23bb0 added systemd helper
unit for automatic IPv4 rule loading. Complement the effort by adding
systemd helper unit also for automatic IPv6 rule loading.
Signed-off-by: Niko Mauno <niko.mauno@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In some cases a distribution may want to install rules file into a
location other than /etc/iptables/ so introduce custom recipe-level
IPTABLES_RULES_DIR parameter which allows conveniently overriding
the rules directory location.
Signed-off-by: Niko Mauno <niko.mauno@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Introduce cosmetic changes to recipe content, most notably
- Change indentation style to four spaces in task statements
- Reorder several entries according to oe-stylize.py suggestions
Signed-off-by: Niko Mauno <niko.mauno@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
There is currently no way to automatically load iptables rules in OE.
Add a systemd unit file to automatically load rules on network
connection. This is cribbed from the way ArchLinux handles iptables with
some minor modifications for OE.
New rules can be generated directly on the target using:
# iptables-save -f /etc/iptables/iptables.rules
Good documentation for writing rules offline is lacking, but the basics
are explained here:
https://unix.stackexchange.com/q/400163/49405
Signed-off-by: Jack Mitchell <jack@embed.me.uk>
Signed-off-by: Diego Rondini <diego.rondini@kynetics.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Remove upstreamed patches and manually package symlinks which aren't
handled by do_split_package.
Changelog:
http://git.netfilter.org/iptables/log/?qt=range&q=v1.8.3...v1.8.2
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Porting patch from <https://git.netfilter.org/iptables/commit/iptables/
xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e> to solve
CVE-2019-11360.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
To enable security flash, get the build error. To fix this,
0003-extensions-format-security-fixes-in-libipt_icmp.patch is required.
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fix handling of escape characters in regexs and hence fix python
Deprecation warnings which will be problematic in python 3.8.
Note that some show up as:
"""
meta/classes/package.bbclass:1293: DeprecationWarning: invalid escape sequence \.
"""
where the problem isn't on 1293 in package.bbclass but in some _prepend to a
package.bbclass function in a different file like mesa.inc, often from
do_package_split() calls.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
By splitting the iptables modules into separate packages it is
possible to pick and choose the modules to install and thereby reduce
the total size of the installed modules.
Backwards compatibility is maintained by adding a recommendation of
iptables-modules, which is a meta package that depends on all the
generated packages.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
These were adding definitions for the second time
(see bug #10450 for why) or adding an include that isn't anymore
necessary for musl builds.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Upgrade iptables from 1.6.1 to 1.6.2.
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This patch is generic enough, That it can be applied universally
and makes maintainence easier
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
1.6.0 -> 1.6.1
Refreshed the following patches:
a) 0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
b) 0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
1.4.21 -> 1.6.0
xtables_globals structure layout has changed.
* Refreshed below listed patches to work with this release:
1. 0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
2. 0001-fix-build-with-musl.patch
* Added PACKAGECONFIG for libnftnl
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
In some recipes overly-split -dbg packages were merged into PN-dbg. Unless
there's a very good reason, recipes should have a single -dev and -dbg package.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Package libnetfilter-conntrack depends on package libnfnetlink. iptables
checks package libnetfilter-conntrack whatever its package config
libnfnetlink is enabled or not. When libnfnetlink is disabled but
package libnetfilter-conntrack exists, it fails randomly with:
| In file included from .../iptables/1.4.21-r0/iptables-1.4.21/extensions/libxt_connlabel.c:8:0:
| .../tmp/sysroots/qemumips/usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:14:42: fatal error: libnfnetlink/linux_nfnetlink.h: No such file or directory
| compilation terminated.
| GNUmakefile:96: recipe for target 'libxt_connlabel.oo' failed
Only check libnetfilter-conntrack when libnfnetlink is enabled to fix it.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Added needed headers and resuffled existing ones to get it portable
Added defined for missing TCOPTS*
Change-Id: I74977dd052c5569b00631379d7f4bacfb86cf381
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
These recipes all use pkg-config in some way but were missing
dependencies on the tool, this patch adds them.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The base_contains is kept as a compatibility method and we ought to
not use it in OE-Core so we can remove it from base metadata in
future.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
fix-iptables-extensions-build-error.patch no longer needed.
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
fix-link-failure-ip6t-NETMAP.patch removed;
already included in upstream.
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Detection of libnfnetlink is automatic in configure which means
that when you have meta-networking in your cosmos, it would create
a race condition where if libnfnetlink is already staged then it
will be enabled otherwise disabled. The issue happens quite often
with sstate and high parallelism. Since the dependency libnfnetlink
is not part of OE-Core, this patch turns it into a PACKAGECONFIG
which is diabled by default and iptables is patched to provide
the knob.
If you want to enable libnfnetlink support then it can be done
in a bbappend where you are sure that you are also including
meta-networking in your distro.
While at it also turned ipv6 support into packageconfig
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
patch added to fix cross-compilation issues
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Replaced incorrect "firstline" with correct "beginline" for telling
where license segment in file begins. Old md5sum was calculated from
the beginning of the file, not from beginning of the license segment.
Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
* when libnfnetlink is available (provided by
meta-networking/recipes-filter/libnfnetlink/libnfnetlink_1.0.1.bb
it's autodetected and utils subdirectory with pf.os is used.
* unfortunately there isn't configure switch to explicitly disable
libnfnetlink and it's also in different layer so we cannot add it to
DEPENDS
* it's undeterminitic, but pf.os is the only difference AFAIK, so not
worth patching configure switch
* fixes:
iptables-1.4.15: iptables: Files/directories were installed but not
shipped
/usr/share/xtables
/usr/share/xtables/pf.os
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Signed-off-by: Constantin Musca <constantinx.musca@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Remove a patch since it is already in upstream.
Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
|
|
The iptables local linux/types.h overrides the kernel/sysroot
types.h. As such, we need to provide some defines that are required
to build against 3.2+ kernel headers.
ifndef protection is provided for the defines to ensure that
configuration that already have these defines are still buildable.
This commit is temporary until a new version of iptables can be
used that contains the defines.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
|
This patch is to upgrade iptables to 1.4.12.2, and introduce a patch not to check unknown symbols.
Otherwise, when it is compiled, it will report "libxtables.so.7" from LD_PRELOAD cannot be preloaded.
Signed-off-by: Shane Wang <shane.wang@intel.com>
|
|
Change do_configure_prepend() since some m4 file is needed when
doing configuration.
Define correct FILE for iptables and iptables-dbg packages.
License checksum changed (not essential part), and the license is
still GPLv2.
Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
|
|
Add Summary information and update descriptions as necessary.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
from 1.4.8
Signed-off-by: Qing He <qing.he@intel.com>
|
|
Having one monolithic packages directory makes it hard to find things
and is generally overwhelming. This commit splits it into several
logical sections roughly based on function, recipes.txt gives more
information about the classifications used.
The opportunity is also used to switch from "packages" to "recipes"
as used in OpenEmbedded as the term "packages" can be confusing to
people and has many different meanings.
Not all recipes have been classified yet, this is just a first pass
at separating things out. Some packages are moved to meta-extras as
they're no longer actively used or maintained.
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
|
Trevor Gamblin
Richard Purdie
Wang Mingyu
Alexander Kanavin
Yi Zhao
Pierre-Jean Texier
Changhyeok Bae
Niko Mauno
Jack Mitchell
Anuj Mittal
Li Zhou
Peter Kjellerstedt
Alexander Kanavin
Huang Qiyu
Khem Raj
Maxin B. John
Ross Burton
Kai Kang
Otavio Salvador
Cristian Iorga
Marko Lindqvist
Martin Jansa
Constantin Musca
Dongxiao Xu
Bruce Ashfield
Shane Wang
Mark Hatle
Saul Wold
Qing He
Richard Purdie