diff options
Diffstat (limited to 'meta-networking/recipes-filter/nftables')
6 files changed, 222 insertions, 93 deletions
diff --git a/meta-networking/recipes-filter/nftables/nftables/0001-examples-compile-with-make-check-and-add-AM_CPPFLAGS.patch b/meta-networking/recipes-filter/nftables/nftables/0001-examples-compile-with-make-check-and-add-AM_CPPFLAGS.patch deleted file mode 100644 index 65ab2dfd8c..0000000000 --- a/meta-networking/recipes-filter/nftables/nftables/0001-examples-compile-with-make-check-and-add-AM_CPPFLAGS.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 18a08fb7f0443f8bde83393bd6f69e23a04246b3 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso <pablo@netfilter.org> -Date: Tue, 22 Feb 2022 00:56:36 +0100 -Subject: [PATCH] examples: compile with `make check' and add AM_CPPFLAGS - -Compile examples via `make check' like libnftnl does. Use AM_CPPFLAGS to -specify local headers via -I. - -Unfortunately, `make distcheck' did not catch this compile time error in -my system, since it was using the nftables/libnftables.h file of the -previous nftables release. - -Fixes: 5b364657a35f ("build: missing SUBIRS update") -Fixes: caf2a6ad2d22 ("examples: add libnftables example program") -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> - -Upstream-Status: Backport -[http://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - examples/Makefile.am | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/examples/Makefile.am b/examples/Makefile.am -index c972170d..3b8b0b67 100644 ---- a/examples/Makefile.am -+++ b/examples/Makefile.am -@@ -1,4 +1,6 @@ --noinst_PROGRAMS = nft-buffer \ -+check_PROGRAMS = nft-buffer \ - nft-json-file - -+AM_CPPFLAGS = -I$(top_srcdir)/include -+ - LDADD = $(top_builddir)/src/libnftables.la --- -2.25.1 - diff --git a/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch new file mode 100644 index 0000000000..164182bb1e --- /dev/null +++ b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch @@ -0,0 +1,53 @@ +From 7a6089a400a573b9a4fd92f29c00a6be7b8ef269 Mon Sep 17 00:00:00 2001 +From: Phil Sutter <phil@nwl.cc> +Date: Thu, 2 Nov 2023 16:02:14 +0100 +Subject: [PATCH] tests: shell: Fix sets/reset_command_0 for current kernels + +Since kernel commit 4c90bba60c26 ("netfilter: nf_tables: do not refresh +timeout when resetting element"), element reset won't touch expiry +anymore. Invert the one check to make sure it remains unaltered, drop +the other testing behaviour for per-element timeouts. + +Signed-off-by: Phil Sutter <phil@nwl.cc> + +Upstream-Status: Backport +[https://git.netfilter.org/nftables/commit/?id=7a6089a400a573b9a4fd92f29c00a6be7b8ef269] + +Signed-off-by: William Lyu <William.Lyu@windriver.com> +--- + tests/shell/testcases/sets/reset_command_0 | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0 +index e663dac8..d38ddb3f 100755 +--- a/tests/shell/testcases/sets/reset_command_0 ++++ b/tests/shell/testcases/sets/reset_command_0 +@@ -44,10 +44,10 @@ elem='element t s { 1.0.0.1 . udp . 53 }' + grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]] + echo OK + +-echo -n "counters and expiry are reset: " ++echo -n "counters are reset, expiry left alone: " + NEW=$($NFT "get $elem") + grep -q 'counter packets 0 bytes 0' <<< "$NEW" +-[[ $(expires_minutes <<< "$NEW") -gt 20 ]] ++[[ $(expires_minutes <<< "$NEW") -lt 20 ]] + echo OK + + echo -n "get map elem matches reset map elem: " +@@ -80,12 +80,6 @@ OUT=$($NFT reset map t m) + $DIFF -u <(echo "$EXP") <(echo "$OUT") + echo OK + +-echo -n "reset command respects per-element timeout: " +-VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_minutes) +-[[ $VAL -lt 15 ]] # custom timeout applies +-[[ $VAL -gt 10 ]] # expires was reset +-echo OK +- + echo -n "remaining elements are reset: " + OUT=$($NFT list ruleset) + grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT" +-- +2.43.0 + diff --git a/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch new file mode 100644 index 0000000000..2a966ab443 --- /dev/null +++ b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch @@ -0,0 +1,46 @@ +From fff913c1eefbc84eb2d9c52038ef29fe881e9ee9 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Tue, 21 Nov 2023 21:16:38 +0100 +Subject: [PATCH] tests: shell: skip secmark tests if kernel does not support + it + +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> + +Upstream-Status: Backport +[https://git.netfilter.org/nftables/commit/?id=fff913c1eefbc84eb2d9c52038ef29fe881e9ee9] + +Signed-off-by: William Lyu <William.Lyu@windriver.com> +--- + tests/shell/features/secmark.nft | 7 +++++++ + tests/shell/testcases/json/0005secmark_objref_0 | 1 + + 2 files changed, 8 insertions(+) + create mode 100644 tests/shell/features/secmark.nft + +diff --git a/tests/shell/features/secmark.nft b/tests/shell/features/secmark.nft +new file mode 100644 +index 00000000..ccbb572f +--- /dev/null ++++ b/tests/shell/features/secmark.nft +@@ -0,0 +1,7 @@ ++# fb961945457f ("netfilter: nf_tables: add SECMARK support") ++# v4.20-rc1~14^2~125^2~5 ++table inet x { ++ secmark ssh_server { ++ "system_u:object_r:ssh_server_packet_t:s0" ++ } ++} +diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0 +index 992d1b00..5c44f093 100755 +--- a/tests/shell/testcases/json/0005secmark_objref_0 ++++ b/tests/shell/testcases/json/0005secmark_objref_0 +@@ -1,6 +1,7 @@ + #!/bin/bash + + # NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) ++# NFT_TEST_REQUIRES(NFT_TEST_HAVE_secmark) + + set -e + +-- +2.43.0 + diff --git a/meta-networking/recipes-filter/nftables/nftables/run-ptest b/meta-networking/recipes-filter/nftables/nftables/run-ptest index 611b844853..32ddf9f455 100644 --- a/meta-networking/recipes-filter/nftables/nftables/run-ptest +++ b/meta-networking/recipes-filter/nftables/nftables/run-ptest @@ -1,2 +1,18 @@ #!/bin/sh -tests/shell/run-tests.sh -v + +NFTABLESLIB=@libdir@/nftables +cd ${NFTABLESLIB}/ptest || exit 1 + +LOG="${NFTABLESLIB}/ptest/nftables_ptest_$(date +%Y%m%d-%H%M%S).log" +NFT=nft +tests/shell/run-tests.sh -v | sed -E '/I: \[OK\]/ s/^/PASS: / ; /W: \[(CHK DUMP|VALGRIND|TAINTED|DUMP FAIL|FAILED)\]/ s/^/FAIL: /' | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g" | tee -a "${LOG}" + +passed=$(grep -c PASS: "${LOG}") +failed=$(grep -c FAIL: "${LOG}") +all=$((passed + failed)) + +( echo "=== Test Summary ===" + echo "TOTAL: ${all}" + echo "PASSED: ${passed}" + echo "FAILED: ${failed}" +) | tee -a "${LOG}" diff --git a/meta-networking/recipes-filter/nftables/nftables_1.0.2.bb b/meta-networking/recipes-filter/nftables/nftables_1.0.2.bb deleted file mode 100644 index e078be79a1..0000000000 --- a/meta-networking/recipes-filter/nftables/nftables_1.0.2.bb +++ /dev/null @@ -1,53 +0,0 @@ -SUMMARY = "Netfilter Tables userspace utillites" -SECTION = "net" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=d1a78fdd879a263a5e0b42d1fc565e79" - -DEPENDS = "libmnl libnftnl bison-native \ - ${@bb.utils.contains('PACKAGECONFIG', 'mini-gmp', '', 'gmp', d)}" - -# Ensure we reject the 0.099 version by matching at least two dots -UPSTREAM_CHECK_REGEX = "nftables-(?P<pver>\d+(\.\d+){2,}).tar.bz2" - -SRC_URI = "http://www.netfilter.org/projects/nftables/files/${BP}.tar.bz2 \ - file://0001-examples-compile-with-make-check-and-add-AM_CPPFLAGS.patch \ - file://run-ptest \ - " - -SRC_URI[sha256sum] = "0b28a36ffcf4567b841de7bd3f37918b1fed27859eb48bdec51e1f7a83954c02" - -inherit autotools manpages pkgconfig ptest - -PACKAGECONFIG ??= "python readline json" -PACKAGECONFIG[json] = "--with-json, --without-json, jansson" -PACKAGECONFIG[manpages] = "--enable-man-doc, --disable-man-doc, asciidoc-native" -PACKAGECONFIG[mini-gmp] = "--with-mini-gmp, --without-mini-gmp" -PACKAGECONFIG[python] = "--enable-python --with-python-bin=${PYTHON}, --with-python-bin="", python3" -PACKAGECONFIG[readline] = "--with-cli=readline, --without-cli, readline" -PACKAGECONFIG[xtables] = "--with-xtables, --without-xtables, iptables" - -inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3native', '', d)} - -RRECOMMENDS:${PN} += "kernel-module-nf-tables" - -PACKAGES =+ "${PN}-python" -FILES:${PN}-python = "${nonarch_libdir}/${PYTHON_DIR}" -RDEPENDS:${PN}-python = "python3-core python3-json ${PN}" - -RDEPENDS:${PN}-ptest += " make bash python3-core python3-ctypes python3-json python3-misc util-linux" - -TESTDIR = "tests" - -PRIVATE_LIBS:${PN}-ptest:append = "libnftables.so.1" - -do_install_ptest() { - cp -rf ${S}/build-aux ${D}${PTEST_PATH} - cp -rf ${S}/src ${D}${PTEST_PATH} - mkdir -p ${D}${PTEST_PATH}/src/.libs - cp -rf ${B}/src/.libs/* ${D}${PTEST_PATH}/src/.libs - cp -rf ${B}/src/.libs/nft ${D}${PTEST_PATH}/src/ - cp -rf ${S}/py ${D}${PTEST_PATH} - cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH}/${TESTDIR} - sed -i 's#/usr/bin/python#/usr/bin/python3#' ${D}${PTEST_PATH}/${TESTDIR}/json_echo/run-test.py - sed -i 's#/usr/bin/env python#/usr/bin/env python3#' ${D}${PTEST_PATH}/${TESTDIR}/py/nft-test.py -} diff --git a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb new file mode 100644 index 0000000000..7718922742 --- /dev/null +++ b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb @@ -0,0 +1,106 @@ +SUMMARY = "Netfilter Tables userspace utillites" +DESCRIPTION = "nftables replaces the popular {ip,ip6,arp,eb}tables. \ + This software provides an in-kernel packet classification framework \ + that is based on a network-specific Virtual Machine (VM), \ + nft, a userspace command line tool and libnftables, a high-level userspace library." +HOMEPAGE = "https://netfilter.org/projects/nftables" +SECTION = "net" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=81ec33bb3e47b460fc993ac768c74b62" + +DEPENDS = "libmnl libnftnl bison-native \ + ${@bb.utils.contains('PACKAGECONFIG', 'mini-gmp', '', 'gmp', d)}" + +SRC_URI = "http://www.netfilter.org/projects/nftables/files/${BP}.tar.xz \ + file://0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch \ + file://0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch \ + file://run-ptest \ + " +SRC_URI[sha256sum] = "a3c304cd9ba061239ee0474f9afb938a9bb99d89b960246f66f0c3a0a85e14cd" + +inherit autotools manpages pkgconfig ptest + +PACKAGECONFIG ?= "python readline json" +PACKAGECONFIG[editline] = "--with-cli=editline, , libedit, , , linenoise readline" +PACKAGECONFIG[json] = "--with-json, --without-json, jansson" +PACKAGECONFIG[linenoise] = "--with-cli=linenoise, , linenoise, , , editline readline" +PACKAGECONFIG[manpages] = "--enable-man-doc, --disable-man-doc, asciidoc-native" +PACKAGECONFIG[mini-gmp] = "--with-mini-gmp, --without-mini-gmp" +PACKAGECONFIG[python] = ",, python3-setuptools-native" +PACKAGECONFIG[readline] = "--with-cli=readline, , readline, , , editline linenoise" +PACKAGECONFIG[xtables] = "--with-xtables, --without-xtables, iptables" + +EXTRA_OECONF = " \ + ${@bb.utils.contains_any('PACKAGECONFIG', 'editline linenoise readline', '', '--without-cli', d)}" + +SETUPTOOLS_SETUP_PATH = "${S}/py" + +inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'setuptools3', '', d)} + +PACKAGES =+ "${PN}-python" +FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}" +RDEPENDS:${PN}-python = "python3-core python3-json ${PN}" + +# Explicitly define do_configure, do_compile and do_install because both autotools and setuptools3 +# have EXPORT_FUNCTIONS do_configure do_compile do_install +do_configure() { + autotools_do_configure + if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then + setuptools3_do_configure + fi +} + +do_compile() { + autotools_do_compile + if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then + setuptools3_do_compile + fi +} + +do_install() { + autotools_do_install + if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then + setuptools3_do_install + fi +} + +RDEPENDS:${PN}-ptest += " ${PN}-python bash coreutils make iproute2 iputils-ping procps python3-core python3-ctypes python3-json python3-misc sed util-linux" + +RRECOMMENDS:${PN}-ptest += "\ +kernel-module-nft-chain-nat kernel-module-nft-queue \ +kernel-module-nft-compat kernel-module-nft-quota \ +kernel-module-nft-connlimit kernel-module-nft-redir \ +kernel-module-nft-ct kernel-module-nft-reject \ +kernel-module-nft-flow-offload kernel-module-nft-reject-inet \ +kernel-module-nft-hash kernel-module-nft-reject-ipv4 \ +kernel-module-nft-limit kernel-module-nft-reject-ipv6 \ +kernel-module-nft-log kernel-module-nft-socket \ +kernel-module-nft-masq kernel-module-nft-synproxy \ +kernel-module-nft-nat kernel-module-nft-tunnel \ +kernel-module-nft-numgen kernel-module-nft-xfrm \ +kernel-module-nft-osf \ +kernel-module-nf-flow-table \ +kernel-module-nf-flow-table-inet \ +kernel-module-nf-nat \ +kernel-module-nf-log-syslog \ +kernel-module-nf-nat-ftp \ +kernel-module-nf-nat-sip \ +kernel-module-8021q \ +kernel-module-dummy" + +TESTDIR = "tests" + +PRIVATE_LIBS:${PN}-ptest:append = " libnftables.so.1" + +do_install_ptest() { + cp -rf ${S}/build-aux ${D}${PTEST_PATH} + cp -rf ${S}/src ${D}${PTEST_PATH} + mkdir -p ${D}${PTEST_PATH}/src/.libs + cp -rf ${B}/src/.libs/* ${D}${PTEST_PATH}/src/.libs + cp -rf ${B}/src/.libs/nft ${D}${PTEST_PATH}/src/ + cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH}/${TESTDIR} + sed -i 's#/usr/bin/python#/usr/bin/python3#' ${D}${PTEST_PATH}/${TESTDIR}/json_echo/run-test.py + sed -i 's#/usr/bin/env python#/usr/bin/env python3#' ${D}${PTEST_PATH}/${TESTDIR}/py/nft-test.py + # handle multilib + sed -i s:@libdir@:${libdir}:g ${D}${PTEST_PATH}/run-ptest +} |