
Author Topic: firewalld Update  (Read 436 times)

Offline Sashank999

  • Sr. Member
  • ****
  • Posts: 407
firewalld Update
« on: January 18, 2025, 06:50:25 AM »
Hello.

Can the team please update firewalld for TCL v15.x x86_64 ?

Thank you.

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14904
Re: firewalld Update
« Reply #1 on: January 18, 2025, 06:55:30 AM »
I’ll take a look in 4-5 days' time.

Offline CentralWare

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 808
Re: firewalld Update
« Reply #2 on: January 23, 2025, 02:08:17 AM »
@juanito: Here's your 12.x build updated to current
I've never played with firewall(d) so I was curious of what lies beneath.
It can probably be reduced further (I don't know what's essential vs. extra) so I leave it for your capable hands!
You'll probably want to update .info as well; I don't have the environment to test at this moment.

$EXTS tested under 14.x64
Code: [Select]
#!/bin/sh

APPNAME="firewalld"
VERSION="2.3.0"

EXTS="wget compiletc iptables-dev nftables-dev ebtables ipset-dev intltool python3.9 glib2-dev autoconf automake"

CUR=$(pwd); clear
. /etc/init.d/tc-functions
echo "${CYAN}Loading Support Extensions${NORMAL}"
tce-load -w ${EXTS} >/dev/null 2>&1 || exit 1
tce-load -i ${EXTS} >/dev/null 2>&1 || exit 1

cat /proc/cpuinfo | grep "processor" | awk -F ":" '{print $2}' > /tmp/nproc
while read ninfo
do
    [ ! "${ninfo}" == "" ] && nproc=$ninfo
done < /tmp/nproc
#echo "$(expr $nproc + 1)"

[ ! -f ${APPNAME}-${VERSION}.tar.bz2 ] && \
    echo "${CYAN}Downloading Source Code${NORMAL}" && \
    wget -q --no-check-certificate https://github.com/${APPNAME}/${APPNAME}/releases/download/v${VERSION}/${APPNAME}-${VERSION}.tar.bz2
[ ! -d ${APPNAME}-${VERSION} ] && \
    echo "${CYAN}Extracting Source Code${NORMAL}" && \
    tar -jxf ${APPNAME}-${VERSION}.tar.bz2

[ ! -d ${APPNAME}-${VERSION} ] && echo "${RED}SOURCE DIRECTORY NOT FOUND${NORMAL}" && exit 1

cd ${APPNAME}-${VERSION}
if [ ! -f ./.configured ]; then
    echo "${CYAN}Configuring Source Code${NORMAL}"
    CC="gcc -flto -fuse-linker-plugin -mtune=generic -Os -pipe" \
    CXX="g++ -flto -fuse-linker-plugin -mtune=generic -Os -pipe -fno-exceptions -fno-rtti" \
    ./configure --prefix=/usr/local --localstatedir=/var --disable-docs > $CUR/_config.log 2>&1 || exit
    touch ./.configured
fi

mkdir -p /tmp/build /tmp/builder
sudo rm /tmp/build -fR
sudo rm /tmp/builder -fR

echo "${CYAN}Compiling Source Code${NORMAL}"
make -j${nproc} >$CUR/_compile.log 2>&1 || exit 1

echo "${CYAN}Installing Compiled Package${NORMAL}"
make DESTDIR=/tmp/build/${APPNAME} install >$CUR/_install.log 2>&1 || exit 1

cd /tmp/build/${APPNAME}
find . -type f > $CUR/${APPNAME}.tcz.list
sed -i 's/.\/usr/\/usr/g' $CUR/${APPNAME}.tcz.list

echo "${CYAN}Preparing Package${NORMAL}"
sed -i 's/datadir = None/datadir=\/usr\/local\/share\/firewalld/g' /tmp/build/${APPNAME}/usr/local/bin/firewall-config

cd /tmp/build/${APPNAME}/usr/local
find . -type f -exec strip -s {} \; >/dev/null 2>&1

cd /tmp/build
mksquashfs ${APPNAME} $CUR/${APPNAME}.tcz >$CUR/_squash.log 2>&1 || exit 1
sudo rm ${APPNAME} -fR

cd $CUR
md5sum ${APPNAME}.tcz > ${APPNAME}.tcz.md5.txt

SIZE=$(ls -la ${APPNAME}.tcz | awk '{print $5}')
[ $SIZE -gt 1023 ] && SIZE=$(expr $SIZE / 1024) && SFX="KB"
[ $SIZE -gt 1023 ] && SIZE=$(expr $SIZE / 1024) && SFX="MB"
[ $SIZE -gt 1023 ] && SIZE=$(expr $SIZE / 1024) && SFX="GB"

echo "Title:          ${APPNAME}.tcz" > $CUR/${APPNAME}.tcz.info
echo "Description:    dynamically managed firewall" >> $CUR/${APPNAME}.tcz.info
echo "Version:        ${VERSION}" >> $CUR/${APPNAME}.tcz.info
echo "Author:         see list of sites below" >> $CUR/${APPNAME}.tcz.info
echo "Original-site:  see list of sites below" >> $CUR/${APPNAME}.tcz.info
echo "Copying-policy: see list of sites below" >> $CUR/${APPNAME}.tcz.info
echo "Size:           ${SIZE}${SFX}" >> $CUR/${APPNAME}.tcz.info
echo "Extension_by:   juanito" >> $CUR/${APPNAME}.tcz.info
echo "Tags:           firewall python python3.9" >> $CUR/${APPNAME}.tcz.info
echo "Comments:       dynamically managed firewall with support for network or firewall" >> $CUR/${APPNAME}.tcz.info
echo "                zones to define the trust level of network connections or interfaces" >> $CUR/${APPNAME}.tcz.info
echo "                ----------" >> $CUR/${APPNAME}.tcz.info
echo "                requires dbus daemon to be running" >> $CUR/${APPNAME}.tcz.info
echo "                \$ sudo firewalld" >> $CUR/${APPNAME}.tcz.info
echo "                ----------" >> $CUR/${APPNAME}.tcz.info
echo "                This extension contains:" >> $CUR/${APPNAME}.tcz.info
echo "                ${APPNAME}-${VERSION} - https://github.com/firewalld/firewalld/releases/download/v${VERSION}/${APPNAME}-${VERSION}.tar.bz2" >> $CUR/${APPNAME}.tcz.info
echo "                ----------" >> $CUR/${APPNAME}.tcz.info
echo "Change-log:     first version" >> $CUR/${APPNAME}.tcz.info
echo "Current:        2025/01/23" >> $CUR/${APPNAME}.tcz.info
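Added example, not part of the script posted above: the script downloads the source with wget --no-check-certificate, so nothing authenticates the tarball before it is extracted and built. One way to close that gap is to compare the file against a pinned SHA-256 digest first; verify_sha256 and PINNED_SHA256 are hypothetical names, and the demo file is constructed.

```shell
#!/bin/sh
# Added example, not part of the posted build script.
# verify_sha256 FILE PIN: return 0 only if FILE's SHA-256 equals PIN.
verify_sha256() {
    file=$1
    pin=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_sha256: no such file: $file" >&2; return 2; }
    # A pin must be exactly 64 hex digits; an empty or truncated value is an
    # error, never a match.
    case "$pin" in
        ''|*[!0-9a-f]*) echo "verify_sha256: malformed pin" >&2; return 2 ;;
    esac
    [ "${#pin}" -eq 64 ] || { echo "verify_sha256: malformed pin" >&2; return 2; }
    got=$(sha256sum "$file" | awk '{print $1}')
    [ "$got" = "$pin" ] && return 0
    echo "verify_sha256: digest mismatch for $file" >&2
    return 1
}

# Where it would sit in the build script (PINNED_SHA256 is a placeholder for a
# digest obtained out of band; the thread does not give one):
#   verify_sha256 "${APPNAME}-${VERSION}.tar.bz2" "$PINNED_SHA256" || exit 1
#   tar -jxf "${APPNAME}-${VERSION}.tar.bz2"

# Constructed self-check: the file holds the three bytes "abc".
ABC_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
demo=$(mktemp)
printf 'abc' > "$demo"
verify_sha256 "$demo" "$ABC_SHA256" && echo "pin matches"
rm -f "$demo"
```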

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11789
Re: firewalld Update
« Reply #3 on: January 23, 2025, 10:02:13 AM »
Hi CentralWare
Just an observation, because I'm not clear on what the exact intent was:
Code: [Select]
cat /proc/cpuinfo | grep "processor" | awk -F ":" '{print $2}' > /tmp/nproc
while read ninfo
do
    [ ! "${ninfo}" == "" ] && nproc=$ninfo
done < /tmp/nproc
#echo "$(expr $nproc + 1)"

On my system, the first command produces this:
Code: [Select]
tc@E310:~/editor$ cat /proc/cpuinfo | grep "processor" | awk -F ":" '{print $2}'
 0
 1

If you just wanted the last result from grep:
Code: [Select]
tc@E310:~/editor$ cat /proc/cpuinfo | grep "processor" | awk -F ":" '{print $2}' | tail -n1
 1

If you just wanted the number of results from grep:
Code: [Select]
tc@E310:~/editor$ cat /proc/cpuinfo | grep "processor" | awk -F ":" '{print $2}' | wc -l
2

Just my 2 cents.

Offline CentralWare

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 808
Re: firewalld Update
« Reply #4 on: January 23, 2025, 07:10:59 PM »
Sorry, that's a cut/paste/patch from a larger function.
There's a problem using cpuinfo for determining the number of processors.

Imagine the following:
Code: [Select]
processor          : 0
...
model name         : AMD Ryzen 7 3800X 8-core processor
...
model name makes tail return invalid information.

If there were such a thing as a "proper" way, I'd suspect awk'ing the second field of -F: and grep'ing numeric only - which is not "fool proof" but may serve most instances
Code: [Select]
cat /proc/cpuinfo | grep processor | awk -F: '{print $2}' | grep -Eo '[0-9]{0,9}' | tail -n 1
# and then value+1
...but the next guy will say they can do it better, so, se-lä-vē!
Or is it Say La Vee!?  Everyone's got their own! (C'est la vie)

Intention: To manually count "Processor : #" to get the largest value, add one and use that count for make -j${VALUE} when nproc() is unavailable (and not having to install an extension just to have nproc() basically do the same thing in the end.)

Additionally: I don't own "every" processor ever made, thus I cannot ensure grep -Eo wouldn't fail under certain conditions, too.
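The intent described above (take the largest "processor : N" index, add one, and not be misled by a model name that contains the word "processor"), as an added example that is not from any poster in this thread. cpu_jobs and the sample text are made up for illustration; the function falls back to 1 when the file is unreadable or has no matching lines.

```shell
#!/bin/sh
# Added example: derive a `make -j` value from cpuinfo-style text without nproc.
# cpu_jobs FILE -> prints (largest "processor : N" index) + 1, or 1 as fallback
cpu_jobs() {
    [ -r "$1" ] || { echo 1; return 0; }
    # Match on the key itself ($1 is everything before the first colon), so a
    # "model name : ... 8-core processor" line is never considered, and accept
    # only a purely numeric value.
    awk -F: '
        $1 ~ /^processor[ \t]*$/ && $2 ~ /^[ \t]*[0-9]+[ \t]*$/ {
            n = $2 + 0
            if (!seen || n > max) max = n
            seen = 1
        }
        END { print (seen ? max + 1 : 1) }
    ' "$1"
}

# Constructed sample: two logical CPUs whose model name ends in "processor".
sample_cpuinfo() {
    cat <<'EOF'
processor          : 0
model name         : AMD Ryzen 7 3800X 8-core processor
processor          : 1
model name         : AMD Ryzen 7 3800X 8-core processor
EOF
}

tmp=$(mktemp)
sample_cpuinfo > "$tmp"
echo "sample input: make -j$(cpu_jobs "$tmp")"
rm -f "$tmp"
```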

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14904
Re: firewalld Update
« Reply #5 on: January 24, 2025, 06:34:47 AM »
Before I can update firewalld, nftables needs to be rebuilt with the missing python modules as compared to the previous version in tc-14.x

@gnuser could you add the python(3.9) modules please and resubmit?

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11789
Re: firewalld Update
« Reply #6 on: January 24, 2025, 11:01:05 AM »
Hi Juanito
... @gnuser could you add the python(3.9) modules please and resubmit?
You might want to PM him. He hasn't been online in about 3 weeks.

Offline GNUser

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 1538
Re: firewalld Update
« Reply #7 on: January 24, 2025, 11:32:52 AM »
Hello Rich and Juanito. I just happened to stop by today and saw this thread.

nftables is being resistant to being compiled with python support:

Code: [Select]
$ CC="gcc -flto -fuse-linker-plugin -mtune=generic -Os -pipe" CXX="g++ -flto -fuse-linker-plugin -mtune=generic -Os -pipe -fno-exceptions -fno-rtti" ./configure --prefix=/usr/local --localstatedir=/var --disable-static --disable-man-doc --with-python-bin=/usr/local/bin/python3 --with-json --with-cli=readline
...
configure: WARNING: unrecognized options: --with-python-bin

$ CC="gcc -flto -fuse-linker-plugin -mtune=generic -Os -pipe" CXX="g++ -flto -fuse-linker-plugin -mtune=generic -Os -pipe -fno-exceptions -fno-rtti" ./configure --prefix=/usr/local --localstatedir=/var --disable-static --disable-man-doc --enable-python --with-json --with-cli=readline
...
configure: WARNING: unrecognized options: --enable-python
I get the same result regardless of whether python3.6 or python3.9 is loaded.

It seems the relevant flag to achieve this has changed and I can't figure out what the new flag is supposed to be. If Juanito or someone else can drop me a hint, I'll be happy to recompile nftables today and resubmit it.


Offline GNUser

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 1538
Re: firewalld Update
« Reply #8 on: January 24, 2025, 12:01:15 PM »
One option is to downgrade nftables to the version we were using in 14.x x86_64, which is version 1.0.6. I'm not against it. Please advise.

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11789
Re: firewalld Update
« Reply #9 on: January 24, 2025, 02:52:53 PM »
Hi GNUser
Don't know if it helps, but I found this in the INSTALL file
for version 1.1.1.1:
Code: [Select]
Python support
 ==============
 
 CPython bindings are available for nftables under the py/ folder.  They can be
 installed using pip:

        python -m pip install py/

 A legacy setup.py script can also be used:

        ( cd py && python setup.py install )

 However, this method is deprecated.
 
 Source code
 ===========

 Netfilter's Linux kernel tree can be found at:

 git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/
 https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
       
 The latest version of this code can be found at:
       
 git://git.netfilter.org/nftables.git

Offline GNUser

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 1538
Re: firewalld Update
« Reply #10 on: January 24, 2025, 03:15:41 PM »
Hi Rich. I had tried both of the approaches listed.

I think what Juanito needs is for the configure step to show the last line you see here (I copy-pasted this from http://repo.tinycorelinux.net/14.x/x86_64/tcz/src/nftables/compile_nftables.txt):

Code: [Select]
nft configuration:
  cli support: readline
  enable debugging symbols: yes
  use mini-gmp: no
  enable man page:              no
  libxtables support: no
  json output support:          yes
  enable Python: yes (with /usr/local/bin/python3)

No matter what I try with the source code for nftables v1.1.1, I cannot get that "enable Python" line to appear. Maybe the line is no longer shown, regardless of whether python is enabled or not?

Something obviously changed in how nftables should be built with python support and the developers' notes are not terribly helpful in this regard.

Offline GNUser

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 1538
Re: firewalld Update
« Reply #11 on: January 24, 2025, 10:03:58 PM »
It seems now it's necessary to compile the python module as a separate step after compiling nftables.

So if nftables is installed to /tmp/dest the usual way (configure, make, make install), the module would then be built and installed like so:

Code: [Select]
cd nftables-1.1.1
mkdir -p /tmp/dest/usr/local/lib/python3.9/site-packages
python3 -m pip install --target /tmp/dest/usr/local/lib/python3.9/site-packages py/

I submitted a new extension with the python module. Caveat: I do not use firewalld, python, or this module, so the module is not tested. Hopefully it works as expected.
« Last Edit: January 24, 2025, 10:14:47 PM by GNUser »

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11789
Re: firewalld Update
« Reply #12 on: January 24, 2025, 10:17:04 PM »
Hi GNUser
I see you already submitted an extension, but I'll post this anyway:

It looks like running make might automatically be doing
something with the py directory.

Looking for "EXTRA_DIST" in Makefile.am and Makefile.in
turned up this.
Makefile.am:
Code: [Select]
EXTRA_DIST += \
        py/pyproject.toml \
        py/setup.cfg \
        py/setup.py \
        py/src/__init__.py \
        py/src/nftables.py \
        py/src/schema.json \
        $(NULL)

Makefile.in:
Code: [Select]
EXTRA_DIST = $(am__append_13) py/pyproject.toml py/setup.cfg \
        py/setup.py py/src/__init__.py py/src/nftables.py \
        py/src/schema.json $(NULL) files tests $(NULL)

Maybe you tried this already, but I think it looks like you
first need to run make, and then:
Code: [Select]
python3.9 -m pip install py/
I don't know anything about python or pip, but I found this:
Quote
By default, Python packages installed through pip using the '--user' flag will be stored in your home directory depending on the specific version of Python they were installed with. Your home directory location, also equivalent to $HOME, will be noted by a ~.
~/.local/lib/python[VERSION]/site-packages

Alternatively, some packages may already be installed globally onto the system. All of the packages that are currently installed on the system are located at the following location, depending on the specific version of Python they were installed with.
/usr/lib/python[VERSION]/site-packages

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14904
Re: firewalld Update
« Reply #13 on: January 25, 2025, 06:23:07 AM »
nftables and firewalld updated

I checked that firewalld and firewall-config started (both run as root), but nothing more than that.

Offline CentralWare

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 808
Re: firewalld Update
« Reply #14 on: January 25, 2025, 12:04:02 PM »
@Everyone_Here: This is a prime example of why TCL works.

Everyone pulling together.

Kudos!