path: root/meta/recipes-extended/iptables
Age | Commit message | Author
2021-01-23 | iptables: upgrade 1.8.6 -> 1.8.7 | Wang Mingyu
(From OE-Core rev: 7d5c46abf904de5c9770e466baef38705f46695e) Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-11-03 | iptables: upgrade 1.8.5 -> 1.8.6 | Alexander Kanavin
(From OE-Core rev: d81f9f3ed497241d6ac93d3c756eb55747eb07a0) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-17 | iptables: split iptables-apply to its own package | Yi Zhao
We do not want iptables to depend on bash. So move iptables-apply/ip6tables-apply to a separate package. (From OE-Core rev: 9a2386443af23d4b713b9635a0275165565ef8f4) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-17 | iptables: fix invalid symbolic link for ip6tables-apply | Yi Zhao
The iptables-apply is not installed, which makes ip6tables-apply an invalid symbolic link:

$ ls -l /usr/sbin/ip6tables-apply
lrwxrwxrwx 1 root root 14 Jun 11 08:27 /usr/sbin/ip6tables-apply -> iptables-apply
$ ls -l /usr/sbin/iptables-apply
ls: cannot access '/usr/sbin/iptables-apply': No such file or directory

Backport a patch to fix the issue.
(From OE-Core rev: c3070d3b2e31a31fc32294972e7a3fae46b6e70f) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-09 | iptables: upgrade 1.8.4 -> 1.8.5 | Pierre-Jean Texier
This release contains the following fixes and enhancements:

xtables-save/xtables-restore:
- Fix parser in `--noflush' mode incorrectly rejecting chain definitions and empty lines.
- Fix crash when restoring or dumping while other ruleset changes happen in parallel.

iptables-apply:
- Install the script along with `make install'.
- Introduce parameters `-c' (run command) and `-w' (save successfully applied rules to file).
- Use `mktemp' instead of `tempfile' for temporary files.

iptables-translate:
- Support `time' match and `NOTRACK' target.
- Fix for special interface names `*', `+' and `eth++'.

ebtables-nft:
- Full among match support, including sets with mixed MAC and MAC+IP entries.

extensions:
- connlabel: Numeric labels were rejected if a connlabel.conf existed in the system.
- IDLETIMER: Introduce `--alarm' option.

libxtables:
- Introduce xtables_fini() to properly deinit the library and close any loaded shared objects.

nfnl_osf:
- Fix lockup after loading the first line from fingerprints file.
- Improve error handling, don't silently exit when deleting a non-existing fingerprint.

General:
- Fixes for undefined behaviour.
- Replace a few unsafe calls to strcpy().
- Fix some warnings when compiling with clang.
- Various fixes for valgrind-detected problems such as memory leaks and reachable memory at program exit.

(From OE-Core rev: 0d28b963d91503c557adf87e096eb7a98dff6c76) Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-02 | iptables: upgrade 1.8.3 -> 1.8.4 | Changhyeok Bae
(From OE-Core rev: 490dd755899a149a36cbb2e60a08a37e0c93d225) Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-04 | iptables: Add systemd helper unit for IPv6 too | Niko Mauno
Commit bc66b2f45ade2c63cfd14d5388f6ca0905a23bb0 added systemd helper unit for automatic IPv4 rule loading. Complement the effort by adding systemd helper unit also for automatic IPv6 rule loading. (From OE-Core rev: 3b8df6b6aba3632de7c3c01c8468fbcedb032493) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-04 | iptables: Allow overriding rules file location | Niko Mauno
In some cases a distribution may want to install rules file into a location other than /etc/iptables/ so introduce custom recipe-level IPTABLES_RULES_DIR parameter which allows conveniently overriding the rules directory location. (From OE-Core rev: 64eeedcdc586c221e3684861ba85e8e4bc9c5dd1) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-04 | iptables: Cosmetic fixes to recipe | Niko Mauno
Introduce cosmetic changes to recipe content, most notably
- Change indentation style to four spaces in task statements
- Reorder several entries according to oe-stylize.py suggestions
(From OE-Core rev: c1d162b6165f11b7b5ae5c6066e7683d5e1379fc) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-09-16 | iptables: add systemd helper unit to load/restore rules | Jack Mitchell
There is currently no way to automatically load iptables rules in OE. Add a systemd unit file to automatically load rules on network connection. This is cribbed from the way ArchLinux handles iptables with some minor modifications for OE.

New rules can be generated directly on the target using:

# iptables-save -f /etc/iptables/iptables.rules

Good documentation for writing rules offline is lacking, but the basics are explained here: https://unix.stackexchange.com/q/400163/49405
(From OE-Core rev: 76d3574d17c38d93ba4660bdae5730ac222994d4) Signed-off-by: Jack Mitchell <jack@embed.me.uk> Signed-off-by: Diego Rondini <diego.rondini@kynetics.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-23 | iptables: upgrade 1.8.2 -> 1.8.3 | Anuj Mittal
Remove upstreamed patches and manually package symlinks which aren't handled by do_split_package. Changelog: http://git.netfilter.org/iptables/log/?qt=range&q=v1.8.3...v1.8.2 (From OE-Core rev: 845af88f86f143ca0b119f0489397cd505571cae) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-19 | iptables: Security Advisory - iptables - CVE-2019-11360 | Li Zhou
Porting patch from <https://git.netfilter.org/iptables/commit/iptables/xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e> to solve CVE-2019-11360. (From OE-Core rev: 5a38ef7eef9ecef2d27ae89f01691072bb94a25e) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-04-16 | iptables: upgrade 1.6.2 -> 1.8.2 | Changhyeok Bae
To enable security flash, get the build error. To fix this, 0003-extensions-format-security-fixes-in-libipt_icmp.patch is required. (From OE-Core rev: 2e135cea41c1276566a7390320468d1925481558) Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-01-16 | meta: Fix Deprecated warnings from regexs | Richard Purdie
Fix handling of escape characters in regexs and hence fix python Deprecation warnings which will be problematic in python 3.8. Note that some show up as: """ meta/classes/package.bbclass:1293: DeprecationWarning: invalid escape sequence \.   """ where the problem isn't on 1293 in package.bbclass but in some _prepend to a package.bbclass function in a different file like mesa.inc, often from do_package_split() calls. (From OE-Core rev: 4b1c0c7d5525fc4cea9e0f02ec54e92a6fbc6199) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-07-30 | iptables: Split the iptables modules into separate packages | Peter Kjellerstedt
By splitting the iptables modules into separate packages it is possible to pick and choose the modules to install and thereby reduce the total size of the installed modules. Backwards compatibility is maintained by adding a recommendation of iptables-modules, which is a meta package that depends on all the generated packages. (From OE-Core rev: 2e99caca64704d1ec51f4f65048d945e5ff1384f) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-09 | iptables: drop unnecessary patches | Alexander Kanavin
These were adding definitions for the second time (see bug #10450 for why) or adding an include that isn't anymore necessary for musl builds. (From OE-Core rev: bed5ea53c74c4b444b2145e7a83ca9fd44ea30ec) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-08 | iptables: 1.6.1 -> 1.6.2 | Huang Qiyu
Upgrade iptables from 1.6.1 to 1.6.2. (From OE-Core rev: 1bca3f22d48d138086752e61569ddc9cf8e9cf79) Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-28 | iptables: Apply 0001-fix-build-with-musl.patch unconditionally | Khem Raj
This patch is generic enough that it can be applied universally and makes maintenance easier (From OE-Core rev: f769b8389091b4ffaff8f6f8fc7e53462ce176a5) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-01 | recipes: Make use of the new bb.utils.filter() function | Peter Kjellerstedt
(From OE-Core rev: 0a1427bf9aeeda6bee2cc0af8da4ea5fd90aef6f) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-23 | iptables: upgrade to 1.6.1 | Maxin B. John
1.6.0 -> 1.6.1

Refreshed the following patches:
a) 0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
b) 0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch
(From OE-Core rev: 0148bb131b2ac68f168562e9eaedce8aa4e4a875) Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-07 | iptables: upgrade to 1.6.0 | Maxin B. John
1.4.21 -> 1.6.0

xtables_globals structure layout has changed.

* Refreshed below listed patches to work with this release:
  1. 0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
  2. 0001-fix-build-with-musl.patch
* Added PACKAGECONFIG for libnftnl
(From OE-Core rev: 8609c4e5eadfdd60664640c4ae07e250c98dd86b) Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-12-16 | meta: more removals of redundant FILES_${PN}-dbg | Ross Burton
In some recipes overly-split -dbg packages were merged into PN-dbg. Unless there's a very good reason, recipes should have a single -dev and -dbg package. (From OE-Core rev: a3b000643898d7402b9e57c02e8d10e677cc9722) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-10-12 | iptables: only check libnetfilter-conntrack when libnfnetlink is enabled | Kai Kang
Package libnetfilter-conntrack depends on package libnfnetlink. iptables checks package libnetfilter-conntrack whether its package config libnfnetlink is enabled or not. When libnfnetlink is disabled but package libnetfilter-conntrack exists, it fails randomly with:

| In file included from .../iptables/1.4.21-r0/iptables-1.4.21/extensions/libxt_connlabel.c:8:0:
| .../tmp/sysroots/qemumips/usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:14:42: fatal error: libnfnetlink/linux_nfnetlink.h: No such file or directory
| compilation terminated.
| GNUmakefile:96: recipe for target 'libxt_connlabel.oo' failed

Only check libnetfilter-conntrack when libnfnetlink is enabled to fix it.
(From OE-Core rev: 31f34494b842d6c49b040db70ba5da428594f32c) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-04-13 | iptables: Fix build on musl | Khem Raj
Added needed headers and reshuffled existing ones to get it portable. Added defines for missing TCOPTS* Change-Id: I74977dd052c5569b00631379d7f4bacfb86cf381 (From OE-Core rev: d30fba63286dc8f5ac72ac65fae6af6001e58ec2) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-03 | recipes: Add missing pkgconfig class inherits | Richard Purdie
These recipes all use pkg-config in some way but were missing dependencies on the tool, this patch adds them. (From OE-Core rev: 2543b14dd0ca13005be0df027543431fc8e882ae) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-25 | Globally replace 'base_contains' calls with 'bb.utils.contains' | Otavio Salvador
The base_contains is kept as a compatibility method and we ought to not use it in OE-Core so we can remove it from base metadata in future. (From OE-Core rev: d83b16dbf0862be387f84228710cb165c6d2b03b) Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-12-14 | iptables: upgrade to 1.4.21 | Cristian Iorga
(From OE-Core rev: 0be4c3e22e164ee56b658cbcfae748b302b4b531) Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-06-07 | iptables: upgrade to 1.4.19.1 | Cristian Iorga
fix-iptables-extensions-build-error.patch no longer needed. (From OE-Core rev: 02971543527e993b60132ddb101a9093efa3f324) Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-05-12 | iptables: upgrade to 1.4.18 | Cristian Iorga
fix-link-failure-ip6t-NETMAP.patch removed; already included in upstream. (From OE-Core rev: f5f2959391721a98d4259421650d90ccf475b025) Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-18 | iptables: Turn ipv6 and libnfnetlink support into PACKAGECONFIG | Khem Raj
Detection of libnfnetlink is automatic in configure which means that when you have meta-networking in your cosmos, it would create a race condition where if libnfnetlink is already staged then it will be enabled otherwise disabled. The issue happens quite often with sstate and high parallelism. Since the dependency libnfnetlink is not part of OE-Core, this patch turns it into a PACKAGECONFIG which is disabled by default and iptables is patched to provide the knob. If you want to enable libnfnetlink support then it can be done in a bbappend where you are sure that you are also including meta-networking in your distro. While at it also turned ipv6 support into packageconfig (From OE-Core rev: 0332551d90c866c5874529e81819b81b534e14be) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-01-18 | iptables: upgrade to 1.4.17 | Cristian Iorga
patch added to fix cross-compilation issues (From OE-Core rev: f6c7d5e0590e3e70fb435e747ffdb9fe586e7bfc) Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-01-16 | iptables: fix license segment md5sum boundary | Marko Lindqvist
Replaced incorrect "firstline" with correct "beginline" for telling where license segment in file begins. Old md5sum was calculated from the beginning of the file, not from beginning of the license segment. (From OE-Core rev: bc36eadd5dee7390977629358cab3f13d6ddcf5c) Signed-off-by: Marko Lindqvist <cazfi74@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-12-26 | iptables: upgrade to v1.4.16.3 | Cristian Iorga
(From OE-Core rev: 88869fc442c9387f70a408b64f874a947909f0d5) Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-12-19 | iptables: include /usr/share/xtables/pf.os in PN if it's built | Martin Jansa
* when libnfnetlink is available (provided by meta-networking/recipes-filter/libnfnetlink/libnfnetlink_1.0.1.bb) it's autodetected and utils subdirectory with pf.os is used.
* unfortunately there isn't configure switch to explicitly disable libnfnetlink and it's also in different layer so we cannot add it to DEPENDS
* it's nondeterministic, but pf.os is the only difference AFAIK, so not worth patching configure switch
* fixes: iptables-1.4.15: iptables: Files/directories were installed but not shipped /usr/share/xtables /usr/share/xtables/pf.os
(From OE-Core rev: b789152b56ddbd6761989327cae558558401fd46) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-08-17 | iptables: upgrade to 1.4.15 | Constantin Musca
(From OE-Core rev: e69976e4938e9a5a30a0876052521dd62e97bbac) Signed-off-by: Constantin Musca <constantinx.musca@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-07-26 | iptables: upgrade to ver. 1.4.14 | Cristian Iorga
(From OE-Core rev: 2afc6203baec508043d5ad672756b527f9d81111) Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-05-01 | iptables: upgrade to version 1.4.13 | Dongxiao Xu
Remove a patch since it is already in upstream. (From OE-Core rev: 90f32e0fffaef55415088f523e282ca3c08fa7ee) Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-03-24 | iptables: fix build error against 3.2+ kernel headers | Bruce Ashfield
The iptables local linux/types.h overrides the kernel/sysroot types.h. As such, we need to provide some defines that are required to build against 3.2+ kernel headers. ifndef protection is provided for the defines to ensure that configuration that already have these defines are still buildable. This commit is temporary until a new version of iptables can be used that contains the defines. (From OE-Core rev: 1642f519bb30b3ebcfb6170cdbbc0e327d057012) Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-01-24 | iptables: upgrade to 1.4.12.2 | Shane Wang
This patch is to upgrade iptables to 1.4.12.2, and introduce a patch not to check unknown symbols. Otherwise, when it is compiled, it will report "libxtables.so.7" from LD_PRELOAD cannot be preloaded. (From OE-Core rev: 27ed7024cf2ee9c9f84246fd931bc390cb638851) Signed-off-by: Shane Wang <shane.wang@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2011-11-01 | iptables: upgrade to version 1.4.12.1 | Dongxiao Xu
Change do_configure_prepend() since some m4 file is needed when doing configuration. Define correct FILE for iptables and iptables-dbg packages. License checksum changed (not essential part), and the license is still GPLv2. (From OE-Core rev: de034bf830bec1b64260ac8516dd584163716ef4) Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2010-12-16 | recipes-extended: Add Summary information | Mark Hatle
Add Summary information and update descriptions as necessary. Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
2010-12-09 | SRC_URI Checksums Additionals | Saul Wold
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2010-11-14 | iptables: upgrade to version 1.4.9 | Qing He
from 1.4.8 Signed-off-by: Qing He <qing.he@intel.com>
2010-08-27 | Major layout change to the packages directory | Richard Purdie
Having one monolithic packages directory makes it hard to find things and is generally overwhelming. This commit splits it into several logical sections roughly based on function, recipes.txt gives more information about the classifications used. The opportunity is also used to switch from "packages" to "recipes" as used in OpenEmbedded as the term "packages" can be confusing to people and has many different meanings. Not all recipes have been classified yet, this is just a first pass at separating things out. Some packages are moved to meta-extras as they're no longer actively used or maintained. Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>