[Buildroot] [PATCH v2 1/1] package/firewalld: new package

Julien Olivain ju.o at free.fr
Tue Aug 15 15:00:29 UTC 2023


Hi Thomas, Adam, all,

I'm adding Yegor Yefremov in CC, since he is registered as a
nftables developer.

On 14/08/2023 00:00, Thomas Petazzoni wrote:
> On Sat,  3 Jun 2023 19:52:04 -0700
> Adam Duskett <aduskett at gmail.com> wrote:
> 
>> Firewalld provides a dynamically managed firewall with
>> support for network or firewall zones to define the trust level of
>> network connections or interfaces.
> 
> One thing that would be really nice as a follow-up patch would be a
> test case for the runtime test infrastructure. This is especially
> relevant as it is Python based, so it is easy to miss runtime
> dependencies that might be needed. I've added Julien Olivain in Cc, who
> can provide guidance on that, as he has probably written some of the
> most complex/elaborate test cases we have in our runtime
> infrastructure.

I'll be happy to write such a firewalld runtime test.

When trying to do it, on branch next at commit eea0c9f, I was not able
to run any of the simplest firewalld commands (Python nftables module
cannot load).

With a configuration such as:

     make qemu_aarch64_virt_defconfig
     utils/config \
         -e BR2_PACKAGE_FIREWALLD \
         --set-str BR2_TARGET_ROOTFS_EXT2_SIZE 200M
     make olddefconfig
     make
     output/images/start-qemu.sh

Running simple commands, logged as root on qemu target, such as:

     firewall-offline-cmd --version
     firewalld --nofork --nopid
     python -c 'import nftables'

All fail with output such as:

     Traceback (most recent call last):
       File "<string>", line 1, in <module>
     ModuleNotFoundError: No module named 'nftables'

I quickly tried with the updated versions of libnftnl and nftables proposed
at [1] but it did not help.

Upstream nftables reworked Python integration in commits [2] [3] but
they are not yet in a release.

So I believe the nftables package needs a rework, at least for its
python support. We should first write a runtime test for it (including
its Python support). Only then, we should be able to write a runtime
test for firewalld.

Best regards,

Julien.

[1] https://patchwork.ozlabs.org/project/buildroot/list/?series=368887
[2] https://git.netfilter.org/nftables/commit/?id=b3def33efecb2f7be39fc9aefc9546907202056c
[3] https://git.netfilter.org/nftables/commit/?id=8e603e0f7eec7c0000344a004228a30fbf0ece5c



