From patchwork Fri Jul 26 16:20:06 2024
X-Patchwork-Submitter: Fiona Klute
X-Patchwork-Id: 1965348
To: buildroot@buildroot.org
Date: Fri, 26 Jul 2024 18:20:06 +0200
Subject: [Buildroot] [PATCH v4 1/6] package/nftables: add init script
From: Fiona Klute
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski
From: "Fiona Klute (WIWA)"

The init script handles an nftables ruleset file with support for atomic reloading. By default the ruleset is expected in /etc/nftables.conf, the location can be changed in /etc/default/nftables. If the ruleset file does not exist on start, the script does nothing and shows a warning about that fact.

Signed-off-by: Fiona Klute (WIWA)
---
Changes v1 -> v2:
* clarify comments & commit message
* nftables init script: Warning about missing flush in ruleset on reload
* nftables init script: check for rules file only on start
* nftables init script: return nft return code from start/stop functions

 package/nftables/S35nftables | 66 ++++++++++++++++++++++++++++++++++++
 package/nftables/nftables.mk | 5 +++
 2 files changed, 71 insertions(+)
 create mode 100644 package/nftables/S35nftables

-- 2.45.2

diff --git a/package/nftables/S35nftables b/package/nftables/S35nftables new file mode 100644 index 0000000000..8605ff7e76 --- /dev/null +++ b/package/nftables/S35nftables
@@ -0,0 +1,66 @@ +#!/bin/sh + +DAEMON="nftables" + +# Main ruleset file, override in /etc/default/nftables if you want a +# different location. The file should include a "flush ruleset" +# command to atomically replace any previous rules on reload (instead +# of adding to them). +NFTABLES_CONFIG="/etc/nftables.conf" + +# shellcheck source=/dev/null +[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON" + +start() { + printf "Loading nftables rules: " + # Run only if the ruleset file exists. + if [ ! -f "${NFTABLES_CONFIG}" ]; then + echo "${NFTABLES_CONFIG} does not exist, nothing to do." + return 0 + fi + /usr/sbin/nft --file "${NFTABLES_CONFIG}" + status=$? + if [ "$status" -eq 0 ]; then + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +stop() { + printf "Clearing nftables rules: " + /usr/sbin/nft flush ruleset + status=$? + if [ "$status" -eq 0 ]; then + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +restart() { + stop + start +} + +reload() { + FLUSH='flush ruleset' + if ! grep -q -x "$FLUSH" "${NFTABLES_CONFIG}"; then + printf 'WARNING: no "%s" in %s, duplicated rules likely\n' \ + "$FLUSH" "${NFTABLES_CONFIG}" + fi + start +} + +case "$1" in + start|stop|restart|reload) + "$1" + ;; + *) + echo "Usage: $0 {start|stop|restart|reload}" + exit 1 +esac + +exit $? diff --git a/package/nftables/nftables.mk b/package/nftables/nftables.mk index 9cba243372..d74ca2da64 100644 --- a/package/nftables/nftables.mk +++ b/package/nftables/nftables.mk 
@@ -57,6 +57,11 @@ define NFTABLES_LINUX_CONFIG_FIXUPS $(call KCONFIG_ENABLE_OPT,CONFIG_NF_TABLES_INET) endef +define NFTABLES_INSTALL_INIT_SYSV + $(INSTALL) -m 0755 -D package/nftables/S35nftables \ + $(TARGET_DIR)/etc/init.d/S35nftables +endef + $(eval $(autotools-package)) # Legacy: we used to handle it in this .mk
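Review bot: restart() in S35nftables calls stop and then start, so `nft flush ruleset` runs first and the host has no rules at all until `nft --file` completes; if the ruleset file is missing or fails to parse it stays that way, and for a missing file restart even returns 0. A ruleset file that begins with "flush ruleset" is already swapped in as one transaction by start(), so restart could simply call reload, or validate with `nft --check --file "${NFTABLES_CONFIG}"` before touching the live ruleset. Separately, `grep -q -x "$FLUSH"` in reload() only matches a line that is exactly "flush ruleset", so an indented line or one with a trailing semicolon or comment triggers the duplicated-rules warning although the flush is present.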
From patchwork Fri Jul 26 16:20:07 2024
X-Patchwork-Submitter: Fiona Klute
X-Patchwork-Id: 1965349
To: buildroot@buildroot.org
Date: Fri, 26 Jul 2024 18:20:07 +0200
Subject: [Buildroot] [PATCH v4 2/6] package/iptables: optionally default to nftables compat
From: Fiona Klute
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski

From: "Fiona Klute (WIWA)"

For an nftables-based firewall setup it may be desirable to use iptables-nft as the "iptables" binary, in particular to better integrate legacy applications that do not support nftables directly and call iptables. If the BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT option introduced by this patch is enabled, iptables, iptables-restore, and iptables-save are symlinked to the -nft version of iptables. The -legacy options can still be called directly if desired.

Signed-off-by: Fiona Klute (WIWA)
---
Changes v3 -> v4:
* set ip6tables symlinks when selecting nftables compat

Changes v1 -> v2:
* clarify commit message

 package/iptables/Config.in | 12 ++++++++++++
 package/iptables/iptables.mk | 12 ++++++++++++
 2 files changed, 24 insertions(+)

-- 2.45.2

diff --git a/package/iptables/Config.in b/package/iptables/Config.in index e6b12603e0..ef02c26242 100644 --- a/package/iptables/Config.in +++ b/package/iptables/Config.in @@ -24,6 +24,18 @@ config BR2_PACKAGE_IPTABLES_NFTABLES help Build nftables compat utilities. +if BR2_PACKAGE_IPTABLES_NFTABLES + +config BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT + bool "use nftables compat by default" + help + Make the nftables compat variant of iptables, iptables-save, + and iptables-restore the default. This only adjusts symlinks + in /usr/sbin, the legacy variants can still be called + directly. + +endif + comment "nftables compat needs a toolchain w/ wchar, dynamic library, headers >= 3.12" depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 || \ !BR2_USE_WCHAR || BR2_STATIC_LIBS diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk index 6712136962..dbf7fbf5e1 100644
--- a/package/iptables/iptables.mk +++ b/package/iptables/iptables.mk 
@@ -62,4 +62,16 @@ define IPTABLES_INSTALL_INIT_SYSV touch $(TARGET_DIR)/etc/iptables.conf endef +ifeq ($(BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT),y) +define IPTABLES_MAKE_NFTABLES_DEFAULT + ln -sf xtables-nft-multi $(TARGET_DIR)/usr/sbin/iptables + ln -sf xtables-nft-multi $(TARGET_DIR)/usr/sbin/iptables-restore + ln -sf xtables-nft-multi $(TARGET_DIR)/usr/sbin/iptables-save + ln -sf xtables-nft-multi $(TARGET_DIR)/usr/sbin/ip6tables + ln -sf xtables-nft-multi $(TARGET_DIR)/usr/sbin/ip6tables-restore + ln -sf xtables-nft-multi $(TARGET_DIR)/usr/sbin/ip6tables-save +endef +IPTABLES_POST_INSTALL_TARGET_HOOKS += IPTABLES_MAKE_NFTABLES_DEFAULT +endif + $(eval $(autotools-package))
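Review bot: the help text of BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT in Config.in names only iptables, iptables-save and iptables-restore, while IPTABLES_MAKE_NFTABLES_DEFAULT in iptables.mk also repoints ip6tables, ip6tables-restore and ip6tables-save; please list the IPv6 tools in the help (and the commit message) so the option documents everything it changes. Since the help says the legacy variants "can still be called directly", it would also be worth stating there that rules loaded through the -legacy and the -nft binaries live in different kernel backends and are both evaluated, so mixing the two on one target gives a combined policy that neither `iptables-save` output shows in full.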
From patchwork Fri Jul 26 16:20:08 2024
X-Patchwork-Submitter: Fiona Klute
X-Patchwork-Id: 1965351
To: buildroot@buildroot.org
Date: Fri, 26 Jul 2024 18:20:08 +0200
Subject: [Buildroot] [PATCH v4 3/6] package/iptables: check for rules in init script
From: Fiona Klute
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski

From: "Fiona Klute (WIWA)"

Instead of installing an empty rules file, the init script now checks if the rules file exists and does nothing on start if it doesn't. Stop remains unchanged so users can still delete the rules file and then use the stop command to flush rules from the kernel. Also fix the shellcheck warning about the unused IPTABLES_ARGS variable, and use long form options for iptables commands.

Signed-off-by: Fiona Klute (WIWA)
---
Changes v2 -> v3:
* replace "iptables -F" with "iptables --flush"

 .checkpackageignore | 1 -
 package/iptables/S35iptables | 14 +++++++++-----
 package/iptables/iptables.mk | 1 -
 3 files changed, 9 insertions(+), 7 deletions(-)

-- 2.45.2

diff --git a/.checkpackageignore b/.checkpackageignore index 5e45edf765..fd08e0f5f8 100644 --- a/.checkpackageignore +++ b/.checkpackageignore
@@ -667,7 +667,6 @@ package/ipmitool/0002-Fix-enterprise-numbers-URL.patch lib_patch.Upstream package/ipmitool/0003-Do-not-require-the-IANA-PEN-registry-file.patch lib_patch.Upstream package/ipmitool/0004-configure.ac-allow-disabling-registry-downloads.patch lib_patch.Upstream package/iprutils/0001-configure.ac-add-AC_USE_SYSTEM_EXTENSIONS.patch lib_patch.Upstream -package/iptables/S35iptables Shellcheck package/irda-utils/0001-daemon.patch lib_patch.Sob lib_patch.Upstream package/irda-utils/0002-nommu.patch lib_patch.Sob lib_patch.Upstream package/irda-utils/0003-subdir.patch lib_patch.Sob lib_patch.Upstream diff --git a/package/iptables/S35iptables b/package/iptables/S35iptables index a2de29d222..d6ff4a4762 100644 --- a/package/iptables/S35iptables +++ b/package/iptables/S35iptables @@ -2,11 +2,16 @@ DAEMON="iptables" -IPTABLES_ARGS="" +IPTABLES_CONF="/etc/iptables.conf" start() { printf 'Starting %s: ' "$DAEMON" - iptables-restore /etc/iptables.conf + # Run only if IPTABLES_CONF exists. + if [ ! -f "${IPTABLES_CONF}" ]; then + echo "${IPTABLES_CONF} does not exist, nothing to do." + return 0 + fi + iptables-restore "$IPTABLES_CONF" status=$? if [ "$status" -eq 0 ]; then echo "OK" @@ -18,7 +23,7 @@ start() { stop() { printf 'Stopping %s: ' "$DAEMON" - iptables -F + iptables --flush status=$? if [ "$status" -eq 0 ]; then echo "OK" @@ -30,13 +35,12 @@ stop() { restart() { stop - sleep 1 start } save() { printf 'Saving %s: ' "$DAEMON" - iptables-save -f /etc/iptables.conf + iptables-save --file "$IPTABLES_CONF" status=$? if [ "$status" -eq 0 ]; then echo "OK" diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk index dbf7fbf5e1..e7495c1085 100644 --- a/package/iptables/iptables.mk +++ b/package/iptables/iptables.mk 
@@ -59,7 +59,6 @@ endef define IPTABLES_INSTALL_INIT_SYSV $(INSTALL) -m 0755 -D package/iptables/S35iptables \ $(TARGET_DIR)/etc/init.d/S35iptables - touch $(TARGET_DIR)/etc/iptables.conf endef ifeq ($(BR2_PACKAGE_IPTABLES_NFTABLES_DEFAULT),y)
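Review bot: IPTABLES_CONF at the top of S35iptables is fixed to /etc/iptables.conf and nothing between the assignment and start() sources /etc/default/iptables, whereas S35nftables from patch 1/6 reads /etc/default/$DAEMON so the ruleset location can be overridden. Adding the same `[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"` line after the assignment would keep the two scripts consistent and make the new variable configurable in practice.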
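Review bot: stop() in S35iptables still runs a bare `iptables --flush`, which empties only the chains of the filter table and leaves chain policies and the nat, mangle and raw tables untouched, yet the commit message presents stop as the way to flush rules from the kernel. Either extend stop to the other tables and reset the policies to ACCEPT, or state in the message that only filter rules are removed; with a DROP policy loaded from the rules file, the current stop leaves the target dropping all traffic on that chain instead of opening it.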
From patchwork Fri Jul 26 16:20:09 2024
X-Patchwork-Submitter: Fiona Klute
X-Patchwork-Id: 1965350
To: buildroot@buildroot.org
Date: Fri, 26 Jul 2024 18:20:09 +0200
Subject: [Buildroot] [PATCH v4 4/6] support/testing: test for nftables init script
From: Fiona Klute
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski

From: "Fiona Klute (WIWA)"

The new test checks that a pre-defined rules file can be loaded and works as expected, and that after flushing the blocked IP responds to ping again.

Signed-off-by: Fiona Klute (WIWA)
---
 DEVELOPERS | 1 +
 .../testing/tests/package/test_nftables.py | 37 ++++++++++++++++++-
 .../rootfs-overlay/etc/nftables.conf | 8 ++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf

-- 2.45.2

diff --git a/DEVELOPERS b/DEVELOPERS index 9a8c92f122..c358954645 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -1108,6 +1108,7 @@ F: package/python-pymodbus/ N: Fiona Klute F: package/python-pyasynchat/ F: package/python-pyasyncore/ +F: support/testing/tests/package/test_nftables.py N: Flávio Tapajós F: configs/asus_tinker-s_rk3288_defconfig diff --git a/support/testing/tests/package/test_nftables.py b/support/testing/tests/package/test_nftables.py index 142e7d0352..2622c7e822 100644 --- a/support/testing/tests/package/test_nftables.py +++ b/support/testing/tests/package/test_nftables.py @@ -85,7 +85,7 @@ class TestNftables(infra.basetest.BRTest): # supposed to fail earlier is now supposed to succeed. self.assertRunOk(ping_test_cmd) - def test_run(self): + def boot_vm(self): img = os.path.join(self.builddir, "images", "rootfs.cpio.gz") kern = os.path.join(self.builddir, "images", "Image") self.emulator.boot(arch="aarch64", @@ -97,6 +97,9 @@ class TestNftables(infra.basetest.BRTest): "-initrd", img]) self.emulator.login() + def test_run(self): + self.boot_vm() + # We check the program can execute. self.assertRunOk("nft --version")
@@ -107,3 +110,35 @@ class TestNftables(infra.basetest.BRTest): # We run again the same test sequence using our simple nft # python implementation, to check the language bindings. self.nftables_test(prog="/root/nft.py") + + +class TestNftablesInit(TestNftables): + config = TestNftables.config + \ + """ + BR2_INIT_BUSYBOX=y + """ + + def test_run(self): + self.boot_vm() + + # start with known state (rules from /etc/nftables.conf) + self.assertRunOk("/etc/init.d/S35nftables reload") + + # Same concept as in TestNftables.nftables_test: The rules + # should allow ping to 127.0.0.1, but not 127.0.0.2. + ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 " + self.assertRunOk(ping_cmd_prefix + "127.0.0.1") + _, exit_code = self.emulator.run(ping_cmd_prefix + "127.0.0.2") + self.assertNotEqual(exit_code, 0) + + # Stop should flush the rules, ping to both addresses should + # work now. + self.assertRunOk("/etc/init.d/S35nftables stop") + self.assertRunOk(ping_cmd_prefix + "127.0.0.1") + self.assertRunOk(ping_cmd_prefix + "127.0.0.2") + + # Start is essentially the same as reload, check that + # 127.0.0.2 gets blocked again. + self.assertRunOk("/etc/init.d/S35nftables start") + _, exit_code = self.emulator.run(ping_cmd_prefix + "127.0.0.2") + self.assertNotEqual(exit_code, 0) diff --git a/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf b/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf new file mode 100644 index 0000000000..a04af1d634 --- /dev/null +++ b/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf 
@@ -0,0 +1,8 @@ +flush ruleset + +table inet filter { + chain input { + type filter hook input priority filter; policy accept; + ip daddr 127.0.0.2 icmp type echo-request drop + } +}
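Review bot: In TestNftablesInit.test_run (test_nftables.py, hunk @@ -107,3 +110,35 @@) the first action after boot_vm() is "/etc/init.d/S35nftables reload", so the test never checks whether the rules from /etc/nftables.conf were already loaded at boot; a script that fails on the boot-time start would still pass. Consider asserting that ping to 127.0.0.2 fails once before the reload. The final start step also re-checks only 127.0.0.2; repeating the 127.0.0.1 ping there would show that start did not block more than the one address.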
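Review bot: The new rootfs-overlay/etc/nftables.conf (hunk @@ -0,0 +1,8 @@) has no comment saying that it is a test fixture or that TestNftablesInit asserts on the 127.0.0.2 echo-request drop rule, so the rule and the ping assertions in test_nftables.py can drift apart unnoticed. A one-line header comment naming the test would document the dependency. The only config change visible for TestNftablesInit is BR2_INIT_BUSYBOX=y, so please also confirm that the inherited TestNftables.config already points BR2_ROOTFS_OVERLAY at this directory.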
To: buildroot@buildroot.org
Date: Fri, 26 Jul 2024 18:20:10 +0200
Message-ID: <20240726162013.2183792-6-fiona.klute@gmx.de>
Subject: [Buildroot] [PATCH v4 5/6] support/testing: include init script in iptables test
From: Fiona Klute
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski

From: "Fiona Klute (WIWA)"

Check a save/start/stop cycle based on the rules created by direct commands in the pre-existing test.

Signed-off-by: Fiona Klute (WIWA)
---
Changes v2 -> v3:
* remove change to init script that belongs in patch 3

 support/testing/tests/package/test_iptables.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
--
2.45.2

diff --git a/support/testing/tests/package/test_iptables.py b/support/testing/tests/package/test_iptables.py index ee57b31558..e807fc9e83 100644 --- a/support/testing/tests/package/test_iptables.py +++ b/support/testing/tests/package/test_iptables.py @@ -11,6 +11,7 @@ class TestIptables(infra.basetest.BRTest): """ BR2_aarch64=y BR2_TOOLCHAIN_EXTERNAL=y + BR2_INIT_BUSYBOX=y BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0" BR2_LINUX_KERNEL=y BR2_LINUX_KERNEL_CUSTOM_VERSION=y
@@ -70,9 +71,26 @@ class TestIptables(infra.basetest.BRTest): _, exit_code = self.emulator.run(ping_test_cmd) self.assertNotEqual(exit_code, 0) + # Save the current rules to test the init script later. + self.assertRunOk("/etc/init.d/S35iptables save") + # We delete our only rule #1 in the INPUT chain. self.assertRunOk("iptables --delete INPUT 1") # Since we deleted the rule, the ping test command which was # supposed to fail earlier is now supposed to succeed. self.assertRunOk(ping_test_cmd) + + # Load the rules as saved before. + self.assertRunOk("/etc/init.d/S35iptables start") + + # Ping to 127.0.0.2 is expected to fail again. + _, exit_code = self.emulator.run(ping_test_cmd) + self.assertNotEqual(exit_code, 0) + + # And flush the rules again. + self.assertRunOk("/etc/init.d/S35iptables stop") + + # Since we deleted the rule, the ping test command which was + # supposed to fail earlier is now supposed to succeed. + self.assertRunOk(ping_test_cmd)
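Review bot: The last comment added in test_iptables.py (hunk @@ -70,9 +71,26 @@), "Since we deleted the rule, the ping test command ...", is copied from the earlier "iptables --delete INPUT 1" step, but at this point the rule is gone because "/etc/init.d/S35iptables stop" flushed it. Please reword it to say that stop is expected to flush the saved rules, so the comment matches what the final assertRunOk(ping_test_cmd) is actually verifying.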
To: buildroot@buildroot.org
Date: Fri, 26 Jul 2024 18:20:11 +0200
Message-ID: <20240726162013.2183792-7-fiona.klute@gmx.de>
Subject: [Buildroot] [PATCH v4 6/6] support/testing: fix MyPy warnings about BRConfigTest
From: Fiona Klute
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski

From: "Fiona Klute (WIWA)"

This removes warnings in editors/IDEs with MyPy typechecking integration. Test classes override "config" with strings (different type than None).

Signed-off-by: Fiona Klute (WIWA)
---
I haven't seen any other type annotations in the testing code, if they're not welcome please just drop this patch from the series. Personally I think they're good to avoid bugs.

 support/testing/infra/basetest.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--
2.45.2

diff --git a/support/testing/infra/basetest.py b/support/testing/infra/basetest.py index 12d96415da..9fb9dffc53 100644 --- a/support/testing/infra/basetest.py +++ b/support/testing/infra/basetest.py @@ -24,8 +24,8 @@ MINIMAL_CONFIG = \ class BRConfigTest(unittest.TestCase): """Test up to the configure stage.""" - config = None - br2_external = list() + config: str + br2_external: list[str] = list() downloaddir = None outputdir = None logtofile = True
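Review bot: In BRConfigTest (basetest.py, hunk @@ -24,8 +24,8 @@), "config: str" is a bare annotation with no value, so the class no longer has a config attribute at runtime: code that reads config on a class that does not override it used to get None and will now raise AttributeError. "config: Optional[str] = None" keeps the old default while still accepting the string overrides in subclasses. Separately, "list[str]" in a class-body annotation is evaluated when the class is defined and needs Python 3.9 or newer unless the module has "from __future__ import annotations"; typing.List[str] avoids that if older interpreters still have to run the test suite.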