From patchwork Tue Jul 23 10:28:26 2024
X-Patchwork-Id: 1963726
From: Fiona Klute
To: buildroot@buildroot.org
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski
Date: Tue, 23 Jul 2024 12:28:26 +0200
Message-ID: <20240723102832.2522307-2-fiona.klute@gmx.de>
In-Reply-To: <20240723102832.2522307-1-fiona.klute@gmx.de>
Subject: [Buildroot] [PATCH v2 1/6] package/nftables: add init script

From: "Fiona Klute (WIWA)"

The init script handles an nftables ruleset file with support for
atomic reloading. By default the ruleset is expected in
/etc/nftables.conf, the location can be changed in
/etc/default/nftables. If the ruleset file does not exist on start,
the script does nothing and shows a warning about that fact.

Signed-off-by: Fiona Klute (WIWA)
---
Changes v1 -> v2:
* clarify comments & commit message
* nftables init script: Warning about missing flush in ruleset on reload
* nftables init script: check for rules file only on start
* nftables init script: return nft return code from start/stop functions

 package/nftables/S35nftables | 66 ++++++++++++++++++++++++++++++++++++
 package/nftables/nftables.mk |  5 +++
 2 files changed, 71 insertions(+)
 create mode 100644 package/nftables/S35nftables

--
2.45.2

diff --git a/package/nftables/S35nftables b/package/nftables/S35nftables new file mode 100644 index 0000000000..8605ff7e76 --- /dev/null +++ b/package/nftables/S35nftables
@@ -0,0 +1,66 @@ +#!/bin/sh + +DAEMON="nftables" + +# Main ruleset file, override in /etc/default/nftables if you want a +# different location. The file should include a "flush ruleset" +# command to atomically replace any previous rules on reload (instead +# of adding to them). +NFTABLES_CONFIG="/etc/nftables.conf" + +# shellcheck source=/dev/null +[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON" + +start() { + printf "Loading nftables rules: " + # Run only if the ruleset file exists. + if [ ! -f "${NFTABLES_CONFIG}" ]; then + echo "${NFTABLES_CONFIG} does not exist, nothing to do." + return 0 + fi + /usr/sbin/nft --file "${NFTABLES_CONFIG}" + status=$? + if [ "$status" -eq 0 ]; then + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +stop() { + printf "Clearing nftables rules: " + /usr/sbin/nft flush ruleset + status=$? + if [ "$status" -eq 0 ]; then + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +restart() { + stop + start +} + +reload() { + FLUSH='flush ruleset' + if ! grep -q -x "$FLUSH" "${NFTABLES_CONFIG}"; then + printf 'WARNING: no "%s" in %s, duplicated rules likely\n' \ + "$FLUSH" "${NFTABLES_CONFIG}" + fi + start +} + +case "$1" in + start|stop|restart|reload) + "$1" + ;; + *) + echo "Usage: $0 {start|stop|restart|reload}" + exit 1 +esac + +exit $? diff --git a/package/nftables/nftables.mk b/package/nftables/nftables.mk index 9cba243372..d74ca2da64 100644 --- a/package/nftables/nftables.mk +++ b/package/nftables/nftables.mk 
@@ -57,6 +57,11 @@ define NFTABLES_LINUX_CONFIG_FIXUPS $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_INET) endef +define NFTABLES_INSTALL_INIT_SYSV + $(INSTALL) -m 0755 -D package/nftables/S35nftables \ + $(TARGET_DIR)/etc/init.d/S35nftables +endef + $(eval $(autotools-package)) # Legacy: we used to handle it in this .mk
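
Review bot: restart() in S35nftables runs stop and then start, so the kernel ruleset is flushed before the new one is loaded; if "nft --file" then fails on a syntax error, or start() takes the "does not exist, nothing to do" branch and returns 0, the system is left with an empty ruleset. The header comment already asks for a "flush ruleset" line in the file so that loading replaces the rules atomically, so restart() could call start directly and keep the previous rules in place when the load fails. Two smaller points in reload(): grep runs on "${NFTABLES_CONFIG}" without the -f check that start() has, so a missing file produces a grep error followed by the misleading "duplicated rules likely" warning, and "grep -q -x" only matches a line that is exactly "flush ruleset", so an indented line or one ending in a semicolon triggers the warning even though the flush is present.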
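
Review bot: the nftables.mk hunk defines only NFTABLES_INSTALL_INIT_SYSV, so an image built with systemd as init gets no unit that loads /etc/nftables.conf at boot. If that is intentional, say so in the commit message; otherwise add an NFTABLES_INSTALL_INIT_SYSTEMD counterpart.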

X-Patchwork-Id: 1963725
From: Fiona Klute
To: buildroot@buildroot.org
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski
Date: Tue, 23 Jul 2024 12:28:27 +0200
Message-ID: <20240723102832.2522307-3-fiona.klute@gmx.de>
In-Reply-To: <20240723102832.2522307-1-fiona.klute@gmx.de>
Subject: [Buildroot] [PATCH v2 2/6] package/iptables: optionally default to nftables compat

From: "Fiona Klute (WIWA)"

For an nftables-based firewall setup it may be desirable to use
iptables-nft as the "iptables" binary, in particular to better
integrate legacy applications that do not support nftables directly
and call iptables.

If the BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT option introduced by this
patch is enabled, iptables, iptables-restore, and iptables-save are
symlinked to the -nft version of iptables. The -legacy options can
still be called directly if desired.

Signed-off-by: Fiona Klute (WIWA)
---
Changes v1 -> v2:
* clarify commit message

 package/iptables/Config.in   | 12 ++++++++++++
 package/iptables/iptables.mk |  9 +++++++++
 2 files changed, 21 insertions(+)

--
2.45.2

diff --git a/package/iptables/Config.in b/package/iptables/Config.in index e6b12603e0..ef02c26242 100644 --- a/package/iptables/Config.in +++ b/package/iptables/Config.in @@ -24,6 +24,18 @@ config BR2_PACKAGE_IPTABLES_NFTABLES help Build nftables compat utilities. +if BR2_PACKAGE_IPTABLES_NFTABLES + +config BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT + bool "use nftables compat by default" + help + Make the nftables compat variant of iptables, iptables-save, + and iptables-restore the default. This only adjusts symlinks + in /usr/sbin, the legacy variants can still be called + directly. + +endif + comment "nftables compat needs a toolchain w/ wchar, dynamic library, headers >= 3.12" depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \ !BR2_USE_WCHAR || BR2_STATIC_LIBS diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk index 6712136962..257834b8cd 100644 --- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk 
@@ -62,4 +62,13 @@ define IPTABLES_INSTALL_INIT_SYSV touch $(TARGET_DIR)/etc/iptables.conf endef +ifeq ($(BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT),y) +define IPTABLES_MAKE_NFTABLES_DEFAULT + ln -sf xtables-nft-multi $(TARGET_DIR)/usr/sbin/iptables + ln -sf xtables-nft-multi $(TARGET_DIR)/usr/sbin/iptables-restore + ln -sf xtables-nft-multi $(TARGET_DIR)/usr/sbin/iptables-save +endef +IPTABLES_POST_INSTALL_TARGET_HOOKS += IPTABLES_MAKE_NFTABLES_DEFAULT +endif + $(eval $(autotools-package))
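
Review bot: IPTABLES_MAKE_NFTABLES_DEFAULT in the iptables.mk hunk relinks only iptables, iptables-restore and iptables-save; the ip6tables names are not touched, so with the option enabled IPv4 rules added through "iptables" go to the nftables backend while anything calling ip6tables keeps whatever backend it had before. Either link ip6tables, ip6tables-restore and ip6tables-save to xtables-nft-multi as well, or state in the Config.in help text that the option covers the IPv4 tools only.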

X-Patchwork-Id: 1963723
From: Fiona Klute
To: buildroot@buildroot.org
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski
Date: Tue, 23 Jul 2024 12:28:28 +0200
Message-ID: <20240723102832.2522307-4-fiona.klute@gmx.de>
In-Reply-To: <20240723102832.2522307-1-fiona.klute@gmx.de>
Subject: [Buildroot] [PATCH v2 3/6] package/iptables: check for rules in init script

From: "Fiona Klute (WIWA)"

Instead of installing an empty rules file, the init script now checks
if the rules file exists and does nothing on start if it doesn't. Stop
remains unchanged so users can still delete the rules file and then
use the stop command to flush rules from the kernel.

Also fix the shellcheck warning about the unused IPTABLES_ARGS
variable, and use long form option for iptables-save.

Signed-off-by: Fiona Klute (WIWA)
---
 .checkpackageignore          |  1 -
 package/iptables/S35iptables | 12 ++++++++----
 package/iptables/iptables.mk |  1 -
 3 files changed, 8 insertions(+), 6 deletions(-)

--
2.45.2

diff --git a/.checkpackageignore b/.checkpackageignore index 760ae29cfb..4152a5c74e 100644 --- a/.checkpackageignore +++ b/.checkpackageignore @@ -676,7 +676,6 @@ package/ipmitool/0002-Fix-enterprise-numbers-URL.patch lib_patch.Upstream package/ipmitool/0003-Do-not-require-the-IANA-PEN-registry-file.patch lib_patch.Upstream package/ipmitool/0004-configure.ac-allow-disabling-registry-downloads.patch lib_patch.Upstream package/iprutils/0001-configure.ac-add-AC_USE_SYSTEM_EXTENSIONS.patch lib_patch.Upstream -package/iptables/S35iptables Shellcheck package/irda-utils/0001-daemon.patch lib_patch.Sob lib_patch.Upstream package/irda-utils/0002-nommu.patch lib_patch.Sob lib_patch.Upstream package/irda-utils/0003-subdir.patch lib_patch.Sob lib_patch.Upstream diff --git a/package/iptables/S35iptables b/package/iptables/S35iptables index a2de29d222..a67d0886a9 100644 --- a/package/iptables/S35iptables
+++ b/package/iptables/S35iptables @@ -2,11 +2,16 @@ DAEMON="iptables" -IPTABLES_ARGS="" +IPTABLES_CONF="/etc/iptables.conf" start() { printf 'Starting %s: ' "$DAEMON" - iptables-restore /etc/iptables.conf + # Run only if IPTABLES_CONF exists. + if [ ! -f "${IPTABLES_CONF}" ]; then + echo "${IPTABLES_CONF} does not exist, nothing to do." + return 0 + fi + iptables-restore "$IPTABLES_CONF" status=$? if [ "$status" -eq 0 ]; then echo "OK" @@ -30,13 +35,12 @@ stop() { restart() { stop - sleep 1 start } save() { printf 'Saving %s: ' "$DAEMON" - iptables-save -f /etc/iptables.conf + iptables-save --file "$IPTABLES_CONF" status=$? if [ "$status" -eq 0 ]; then echo "OK" diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk index 257834b8cd..13e80a6966 100644 --- a/package/iptables/iptables.mk +++ b/package/iptables/iptables.mk 
@@ -59,7 +59,6 @@ endef define IPTABLES_INSTALL_INIT_SYSV $(INSTALL) -m 0755 -D package/iptables/S35iptables \ $(TARGET_DIR)/etc/init.d/S35iptables - touch $(TARGET_DIR)/etc/iptables.conf endef ifeq ($(BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT),y)
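
Review bot: in start() of S35iptables the new missing-file branch prints its message on stdout right after "Starting iptables: " and returns 0, so a caller or a boot log cannot tell "no firewall configured" from "rules loaded"; with the touch removed from iptables.mk a fresh image now takes this branch. Consider sending the message to stderr so it stands out. The visible context also shows no /etc/default/$DAEMON being sourced, so IPTABLES_CONF cannot be overridden the way NFTABLES_CONFIG can in patch 1/6, and the variable is written "${IPTABLES_CONF}" in the test but "$IPTABLES_CONF" in the iptables-restore call; pick one form.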
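
Review bot: the restart() hunk of S35iptables drops "sleep 1" between stop and start, but the commit message only mentions the rules-file check, the IPTABLES_ARGS shellcheck fix and the long-form iptables-save option. Mention the removal and why the delay is not needed, or move it to its own patch.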

X-Patchwork-Id: 1963724
From: Fiona Klute
To: buildroot@buildroot.org
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski
Date: Tue, 23 Jul 2024 12:28:29 +0200
Message-ID: <20240723102832.2522307-5-fiona.klute@gmx.de>
In-Reply-To: <20240723102832.2522307-1-fiona.klute@gmx.de>
Subject: [Buildroot] [PATCH v2 4/6] support/testing: test for nftables init script

From: "Fiona Klute (WIWA)"

The new test checks that a pre-defined rules file can be loaded and
works as expected, and that after flushing the blocked IP responds to
ping again.

Signed-off-by: Fiona Klute (WIWA)
---
 DEVELOPERS                                    |  1 +
 .../testing/tests/package/test_nftables.py    | 37 ++++++++++++++++++-
 .../rootfs-overlay/etc/nftables.conf          |  8 ++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf

--
2.45.2

diff --git a/DEVELOPERS b/DEVELOPERS index 3650321d6f..36418f9d6f 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -1108,6 +1108,7 @@ F: package/python-pymodbus/ N: Fiona Klute F: package/python-pyasynchat/ F: package/python-pyasyncore/ +F: support/testing/tests/package/test_nftables.py N: Flávio Tapajós F: configs/asus_tinker-s_rk3288_defconfig diff --git a/support/testing/tests/package/test_nftables.py b/support/testing/tests/package/test_nftables.py index 142e7d0352..2622c7e822 100644 --- a/support/testing/tests/package/test_nftables.py +++ b/support/testing/tests/package/test_nftables.py @@ -85,7 +85,7 @@ class TestNftables(infra.basetest.BRTest): # supposed to fail earlier is now supposed to succeed. self.assertRunOk(ping_test_cmd) - def test_run(self): + def boot_vm(self): img = os.path.join(self.builddir, "images", "rootfs.cpio.gz") kern = os.path.join(self.builddir, "images", "Image") self.emulator.boot(arch="aarch64", @@ -97,6 +97,9 @@ class TestNftables(infra.basetest.BRTest): "-initrd", img]) self.emulator.login() + def test_run(self): + self.boot_vm() + # We check the program can execute. self.assertRunOk("nft --version")
@@ -107,3 +110,35 @@ class TestNftables(infra.basetest.BRTest): # We run again the same test sequence using our simple nft # python implementation, to check the language bindings. self.nftables_test(prog="/root/nft.py") + + +class TestNftablesInit(TestNftables): + config = TestNftables.config + \ + """ + BR2_INIT_BUSYBOX=y + """ + + def test_run(self): + self.boot_vm() + + # start with known state (rules from /etc/nftables.conf) + self.assertRunOk("/etc/init.d/S35nftables reload") + + # Same concept as in TestNftables.nftables_test: The rules + # should allow ping to 127.0.0.1, but not 127.0.0.2. + ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 " + self.assertRunOk(ping_cmd_prefix + "127.0.0.1") + _, exit_code = self.emulator.run(ping_cmd_prefix + "127.0.0.2") + self.assertNotEqual(exit_code, 0) + + # Stop should flush the rules, ping to both addresses should + # work now. + self.assertRunOk("/etc/init.d/S35nftables stop") + self.assertRunOk(ping_cmd_prefix + "127.0.0.1") + self.assertRunOk(ping_cmd_prefix + "127.0.0.2") + + # Start is essentially the same as reload, check that + # 127.0.0.2 gets blocked again. + self.assertRunOk("/etc/init.d/S35nftables start") + _, exit_code = self.emulator.run(ping_cmd_prefix + "127.0.0.2") + self.assertNotEqual(exit_code, 0) diff --git a/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf b/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf new file mode 100644 index 0000000000..a04af1d634 --- /dev/null +++ b/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf 
@@ -0,0 +1,8 @@ +flush ruleset + +table inet filter { + chain input { + type filter hook input priority filter; policy accept; + ip daddr 127.0.0.2 icmp type echo-request drop + } +} From patchwork Tue Jul 23 10:28:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fiona Klute X-Patchwork-Id: 1963727 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WStgB0kDGz1yXp for ; Tue, 23 Jul 2024 20:29:26 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 7AC58812B7; Tue, 23 Jul 2024 10:29:24 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id j2shF2OyE4R3; Tue, 23 Jul 2024 10:29:22 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=140.211.166.34; helo=ash.osuosl.org; envelope-from=buildroot-bounces@buildroot.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 62EFA81295 Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp1.osuosl.org (Postfix) with ESMTP id 62EFA81295; Tue, 23 Jul 2024 10:29:22 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by 
ash.osuosl.org (Postfix) with ESMTP id A615B1BF20F for ; Tue, 23 Jul 2024 10:29:06 +0000 (UTC)
To: buildroot@buildroot.org
Date: Tue, 23 Jul 2024 12:28:30 +0200
Message-ID: <20240723102832.2522307-6-fiona.klute@gmx.de>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240723102832.2522307-1-fiona.klute@gmx.de>
References: <20240723102832.2522307-1-fiona.klute@gmx.de>
Subject: [Buildroot] [PATCH v2 5/6] support/testing: include init script in iptables test
X-Patchwork-Original-From: Fiona Klute via buildroot From: Fiona Klute Reply-To: Fiona Klute Cc: Julien Olivain , Fiona Klute , Ricardo Martincoski Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" From: "Fiona Klute (WIWA)" Check a save/start/stop cycle based on the rules created by direct commands in the pre-existing test. Signed-off-by: Fiona Klute (WIWA) --- package/iptables/S35iptables | 2 +- support/testing/tests/package/test_iptables.py | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) -- 2.45.2 diff --git a/package/iptables/S35iptables b/package/iptables/S35iptables index a67d0886a9..d6ff4a4762 100644 --- a/package/iptables/S35iptables +++ b/package/iptables/S35iptables @@ -23,7 +23,7 @@ start() { stop() { printf 'Stopping %s: ' "$DAEMON" - iptables -F + iptables --flush status=$? if [ "$status" -eq 0 ]; then echo "OK" diff --git a/support/testing/tests/package/test_iptables.py b/support/testing/tests/package/test_iptables.py index ee57b31558..e807fc9e83 100644 --- a/support/testing/tests/package/test_iptables.py +++ b/support/testing/tests/package/test_iptables.py @@ -11,6 +11,7 @@ class TestIptables(infra.basetest.BRTest): """ BR2_aarch64=y BR2_TOOLCHAIN_EXTERNAL=y + BR2_INIT_BUSYBOX=y BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0" BR2_LINUX_KERNEL=y BR2_LINUX_KERNEL_CUSTOM_VERSION=y 
@@ -70,9 +71,26 @@ class TestIptables(infra.basetest.BRTest): _, exit_code = self.emulator.run(ping_test_cmd) self.assertNotEqual(exit_code, 0) + # Save the current rules to test the init script later. + self.assertRunOk("/etc/init.d/S35iptables save") + # We delete our only rule #1 in the INPUT chain. self.assertRunOk("iptables --delete INPUT 1") # Since we deleted the rule, the ping test command which was # supposed to fail earlier is now supposed to succeed. self.assertRunOk(ping_test_cmd) + + # Load the rules as saved before. + self.assertRunOk("/etc/init.d/S35iptables start") + + # Ping to 127.0.0.2 is expected to fail again. + _, exit_code = self.emulator.run(ping_test_cmd) + self.assertNotEqual(exit_code, 0) + + # And flush the rules again. + self.assertRunOk("/etc/init.d/S35iptables stop") + + # Since we deleted the rule, the ping test command which was + # supposed to fail earlier is now supposed to succeed. + self.assertRunOk(ping_test_cmd) From patchwork Tue Jul 23 10:28:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fiona Klute X-Patchwork-Id: 1963722 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WStfr1sByz1yXp for ; Tue, 23 Jul 2024 20:29:08 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id AA8F681255; Tue, 23 
Jul 2024 10:29:06 +0000 (UTC)
To: buildroot@buildroot.org
Date: Tue, 23 Jul 2024 12:28:31 +0200
Message-ID: <20240723102832.2522307-7-fiona.klute@gmx.de>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240723102832.2522307-1-fiona.klute@gmx.de>
References: <20240723102832.2522307-1-fiona.klute@gmx.de>
Subject: [Buildroot] [PATCH v2 6/6] support/testing: fix MyPy warnings about BRConfigTest
X-Patchwork-Original-From: Fiona Klute via buildroot From: Fiona Klute Reply-To: Fiona Klute Cc: Julien Olivain , Fiona Klute , Ricardo Martincoski Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" From: "Fiona Klute (WIWA)" This removes warnings in editors/IDEs with MyPy typechecking integration. Test classes override "config" with strings (different type than None). Signed-off-by: Fiona Klute (WIWA) --- I haven't seen any other type annotations in the testing code, if they're not welcome please just drop this patch from the series. Personally I think they're good to avoid bugs. support/testing/infra/basetest.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.45.2 diff --git a/support/testing/infra/basetest.py b/support/testing/infra/basetest.py index 12d96415da..9fb9dffc53 100644 --- a/support/testing/infra/basetest.py +++ b/support/testing/infra/basetest.py @@ -24,8 +24,8 @@ MINIMAL_CONFIG = \ class BRConfigTest(unittest.TestCase): """Test up to the configure stage.""" - config = None - br2_external = list() + config: str + br2_external: list[str] = list() downloaddir = None outputdir = None logtofile = True
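Review bot: In patch 4/6, the DEVELOPERS hunk lists only support/testing/tests/package/test_nftables.py, while the same patch creates support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf. Unless that directory already has an F: entry elsewhere in the file, add `F: support/testing/tests/package/test_nftables/` so that changes to the rules fixture reach the same person as changes to the test.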
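Review bot: In patch 4/6, TestNftablesInit.test_run calls `/etc/init.d/S35nftables reload` as its first step after boot_vm(), so the test never observes what the script did during boot. If the purpose of the init script is that the rules from /etc/nftables.conf are active once the system is up, ping 127.0.0.2 and assert a non-zero exit code before the reload. As written, a script that fails to load the rules at boot but works when invoked by hand still passes.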
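Review bot: In patch 5/6, the S35iptables hunk changes `iptables -F` to `iptables --flush` in stop(), which the commit message (about a save/start/stop test cycle) does not mention, and which touches package/ under a support/testing subject. Either state in the commit message why the long option is wanted or move the change to its own patch. Without a -t argument the flush covers only the filter table and leaves chain policies as they are, so the final ping check in the test confirms that the INPUT rule is gone, not that stop returns the firewall to a fully open state.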
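Review bot: In patch 5/6, the last comment added to test_iptables.py ("Since we deleted the rule, ...") is copied from the earlier `iptables --delete INPUT 1` step, but at that point in the test the rule was removed by `/etc/init.d/S35iptables stop`. Reword it to say the rules were flushed by the stop action, so a later reader does not go looking for a delete.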
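Review bot: In patch 6/6, `config: str` is a bare annotation, so BRConfigTest no longer has a `config` class attribute at all; code that reads `self.config` on a class that does not override it would raise AttributeError where it used to get None. If any such read exists, keep a default, for example `config: Optional[str] = None`. In addition, `list[str]` in a class-level annotation is evaluated when the class is defined, which needs Python 3.9 or newer unless the module uses `from __future__ import annotations`; either state the minimum Python version for the test infrastructure or use `typing.List`.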