nftables, firewalld, etc.: backport from scarthgap #69
chaitu236 merged 27 commits into ni:nilrt/master/kirkstone from
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop backported patch, switch PACKAGECONFIG assignment to ?= (matches
current practice), add in editline, linenoise CLI options and xtables
option. Switch to --disable-python when building without python to avoid
a configure time warning.
We can drop UPSTREAM_CHECK_REGEX as the version no longer gets confused
by the 0.099 version which exists.
Fix buildpaths warning by switching to setuptools and add dependency on
${PN}-python to ${PN}-ptest so that the embedded paths in the compiled
python files are correct.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop 0001-avoid-naming-local-function-as-one-of-printf-family.patch as the issue has been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Make run-ptest use the correct libdir for multilib builds.
Log the ptest output to a date stamped file and append a test summary to the end of the log.
Munge the log as it is produced to:
- insert the expected automake keywords: PASS and FAIL.
- remove escape sequences used for ANSI colours as well as movement commands
Add additional discrete tool dependencies to the nftables-ptest list since the test suite does not work with the busybox versions.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changes are here [1], change to xz compressed archives
[1] https://www.netfilter.org/projects/nftables/files/changes-nftables-1.0.6.txt
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Using a private module from setuptools is not a good idea and no longer works with latest setuptools. It's actually better to revert to official distutils even if it is going away in the next python release. Hopefully by then upstream will transition to something supported.
TMPDIR in .pyc can be addressed by simply not installing the .pyc.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop backport patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog: https://netfilter.org/projects/nftables/files/changes-nftables-1.0.7.txt
The COPYING text changed to highlight that "New code though is moving to GPL version 2 or any later which is the preferred license for this project these days." Although the project itself stays GPLv2 only. https://netfilter.org/licensing.html#terms
The upstream replaced distutils with setuptools, so the nftables-python is now built using the standard approach. The coexistence of setuptools and automake is solved in the same way as in meta-oe/recipes-support/libiio. The removal of *.pyc is no longer necessary.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
tests: nft-rule-test: Add test cases to improve code coverage
tests: nft-table-test: fix typo shixuantong
expr: meta: introduce broute meta expression
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Required by libnetfilter-queue native build.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Required by daq native build.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog: https://netfilter.org/projects/nftables/files/changes-nftables-1.0.8.txt
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog: https://www.netfilter.org/projects/nftables/files/changes-nftables-1.0.9.txt
Drop configure option --disable-python as it has been removed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add DESCRIPTION and HOMEPAGE.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix the following ptest output format issues:
- For "sed" command, change "-e" option to "-E" option. I believe the
previous "-e" option is a typo based on the manual page of "sed":
-e script, --expression=script
add the script to the commands to be executed
"-E" option, on the other hand, makes "sed" "use extended regular
expressions in the script" according to the manual page.
- The test result summary line is being treated as both a passed
testcase and a failed testcase due to this line containing substring
"[OK]" and "[FAILED]". The following is a sample test result summary
line:
I: results: [OK] 379 [SKIPPED] 1 [FAILED] 0 [TOTAL] 380
The fix is to change run-ptest to look for "I: [OK]" and
"W: [FAILED]" when determining which lines correspond to
passed/failed testcases.
- Previously, only "W: [FAILED]" out of the following testcase failure
prompts is parsed:
W: [CHK DUMP]
W: [VALGRIND]
W: [TAINTED]
W: [DUMP FAIL]
W: [FAILED]
Adding parsing for all testcase failure prompts.
Signed-off-by: William Lyu <William.Lyu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
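The miscount described in the commit message above can be reproduced with a small script. This is an added example, not the run-ptest script from the recipe; the log lines, testcase names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: substring matching vs. anchored matching of nftables
# shell-test output. All testcase names below are made up.

sample_log() {
cat <<'EOF'
I: [OK]         ./testcases/example/a_0
I: [OK]         ./testcases/example/b_0
W: [FAILED]     ./testcases/example/c_0
W: [DUMP FAIL]  ./testcases/example/d_0
W: [VALGRIND]   ./testcases/example/e_0
I: results: [OK] 2 [SKIPPED] 0 [FAILED] 3 [TOTAL] 5
EOF
}

# Naive counting: a substring match anywhere on the line. The summary line
# contains both "[OK]" and "[FAILED]", so it is counted as a pass and as a
# failure, while [DUMP FAIL] and [VALGRIND] failures are not counted at all.
naive_pass() { grep -c -F '[OK]'; }
naive_fail() { grep -c -F '[FAILED]'; }

# Anchored rewriting: only lines that start with a per-testcase prefix are
# turned into automake-style "PASS:" / "FAIL:" lines. The alternation and
# the "+" quantifier need extended regular expressions, hence sed -E.
to_automake() {
    sed -E \
        -e 's/^I: \[OK\][[:space:]]+/PASS: /' \
        -e 's/^W: \[(CHK DUMP|VALGRIND|TAINTED|DUMP FAIL|FAILED)\][[:space:]]+/FAIL: /'
}

count_pass() { to_automake | grep -c '^PASS: '; }
count_fail() { to_automake | grep -c '^FAIL: '; }

# Show the rewritten log; the summary line passes through unchanged.
sample_log | to_automake
```

On this sample the naive counts are 3 passed and 2 failed, while the anchored counts match the summary line: 2 passed and 3 failed.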
The following ShellCheck violations in "run-ptest" are fixed:
- line 4:
SC2164: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.
- line 7:
SC2086: Double quote to prevent globbing and word splitting.
- line 9:
SC2006: Use $(...) notation instead of legacy backticks `...`.
SC2086: Double quote to prevent globbing and word splitting.
SC2126: Consider using 'grep -c' instead of 'grep|wc -l'.
- line 10:
SC2006: Use $(...) notation instead of legacy backticks `...`.
SC2086: Double quote to prevent globbing and word splitting.
SC2126: Consider using 'grep -c' instead of 'grep|wc -l'.
- line 17:
SC2086: Double quote to prevent globbing and word splitting.
Signed-off-by: William Lyu <William.Lyu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There are 2 failed ptest testcases. They fail because they are broken,
but the fix from the upstream is not yet available in version 1.0.9.
These testcases are:
- tests/shell/testcases/sets/reset_command_0
Fix from the upstream:
https://git.netfilter.org/nftables/commit/?id=7a6089a400a573b9a4fd92f29c00a6be7b8ef269
- tests/shell/testcases/json/0005secmark_objref_0
Fix from the upstream:
https://git.netfilter.org/nftables/commit/?id=fff913c1eefbc84eb2d9c52038ef29fe881e9ee9
Signed-off-by: William Lyu <William.Lyu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It gets OOMs with memory < 2G on x86_64 qemu
Export NFT variable in run-ptest script it's used by few tests
Add required runtime dependencies for ptests to pass
This also requires changes to kernel config features/nf_tables/nft_test.scc and CONFIG_VETH
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry-picked from f6305ba; needed to remove meta-networking/recipes-core/images/meta-networking-image-ptest.bb which is only present in scarthgap)
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
This change adds a simple format for the skip results. The format selected is the automake "simple test" format: "result: testname"
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Update firewalld by 2 major versions, which also includes breaking and behavioral changes.
Highlights from 0.9 to 1.0:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
Details:
- https://firewalld.org/2021/07/firewalld-1-0-0-release
- firewalld/firewalld@v0.9.0...v1.0.0
From 1.0 to 1.1 is mostly a bug fix release update.
Details:
- https://firewalld.org/2022/02/firewalld-1-1-0-release
- firewalld/firewalld@v0.9.0...v1.0.0
Improvements on the recipe:
- Add ptest
- Very helpful to get all the kernel modules
- Long running, probably not suitable for any OE autobuilder
- RRECOMMENDS kernel modules, document configuration
- Improve package splitting
- firewalld-config and firewalld-applet depend on QT5, pyqt5 and GTK. The dependencies were not correctly set but the code was ending up on the target device. Now the code gets into a separate package but the dependencies are probably still not complete. Since this is probably not used anyway it is not tested yet. It's still not perfect but much better than installing broken stuff to the target device.
- The dependencies are added to variables instead of rdepends to keep the meta-qt5 and gnome layers optional also at build-time.
- New packageconfigs: ebtables, ipset. This is mostly required to get the test suite running but probably also usable otherwise.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python.
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
Firewalld:
This is a feature release. It also includes all bug fixes since v1.1.0.
Details are here: https://firewalld.org/2022/07/firewalld-1-2-0-release
Recipe:
Firewalld defaults to create a log file for debug messages. This is basically an empty file until firewalld's log level is configured to debug level. Writing log files requires something like log-rotate to prevent full disks. The default for OE is to not create files and send all log messages to syslog (journald).
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python.
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
This project uses gobject-introspection, so depend on the DISTRO_FEATURE.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python.
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
This fixes the commit 046ee4b. The correct DISTRO_FEATURE is gobject-introspection-data.
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python.
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
Apart from the bugfixes, the 1.3.0 introduced the following features:
feat(service): add Warpinator (6de3f18)
feat(dbus): reset to default settings (4d327c5)
feat(service): add bareos-director bareos-filedaemon bareos-storage (7552095)
feat(policy): masquerade: allow ingress zone to have interface (d8ebe1d)
feat(service): add Nebula service (3f59ce9)
feat(service): add Ceph Prometheus exporter (ef9d51f)
feat(service): add OMG DDS service definition (9ad3d37)
feat(service): add llmnr-client service (0ae765c)
feat(service): add ps2link service (6d1586c)
feat(service): add definition for syncthing-relay (cab0d43)
Signed-off-by: Petr Gotthard <petr.gotthard@advantech.cz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cherry-picked from scarthgap; undid move to dynamic-layers/meta/python.
Signed-off-by: Richard Tollerton <rich.tollerton@ni.com>
amstewart
left a comment
Looks good to me.
For the future: you can use git cherry-pick -x to have git automatically add a Cherry-picked from 12341234... trailer to your commits. Having that info on each commit really helps at rebase time. But I'm not going to make you go back and add them to all of these.
chaitu236
left a comment
Can you please add some info in the PR description on why these backports are needed in kirkstone?
Also, please mention testing done and WI# if any.
Is that short addition ok? I was going to wait on ni/meta-nilrt#742 before attempting to test this. The extent of my testing so far has been confirming that firewalld still builds. This won't be in the BSI until 742 lands... I'm not sure what else can be tested short-term.
Thanks. I assume packagefeed-ni-core, BSI builds and the BSI boots?
Well, none of this should even be hitting the images or packagegroups yet, although in full disclosure I did just try rebuilding them and I got this error — I'm guessing it's either a transient build issue on my end or is otherwise unrelated:
Remove patches that have been integrated upstream:
- Serial setup handling respecting user intent
- POSIX-compliant termios baud rate configuration
- Type safety and error handling improvements
$ git --no-pager log --oneline 1a81f3c7be08..e3461097252e
e3461097252e Merge pull request ni#61 from MaxKrummenacher/master
988deaad893b Merge pull request ni#69 from ivitro/fix/termios-use-cfset-speed
03aae5517cda Merge pull request ni#68 from ivitro/fix-serial-setup-handling
e124c19e97e9 Fix -Wstringop-overflow warning in process_write_data
363f569a531f Use cfsetispeed/cfsetospeed for baud configuration
9012c3366433 Fix serial setup handling to respect user intent
8a8aba302529 linux-serial-test.c: fix potential hang in while loop
8a5709984363 linux-serial-test.c: fix returned error code
Signed-off-by: Vitor Soares <vitor.soares@toradex.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cherry-picking everything related to firewalld, nftables, libnftnl, etc. firewalld needed some manual conflict resolves related to a move to dynamic-layers in scarthgap, and some ptest changes.
Justification: I'd like to have an up-to-date base for ongoing firewall development, because firewalld has been really active as of late, and a lot of commits have landed in the upstream nftables recipes.