Implement velia-firewall

Change-Id: I228f15fca7ed784bf1043e4074cf8e76fcd6a842
diff --git a/board/czechlight/common/linux.fragment b/board/czechlight/common/linux.fragment
index 2181c3b..2f478df 100644
--- a/board/czechlight/common/linux.fragment
+++ b/board/czechlight/common/linux.fragment
@@ -101,3 +101,7 @@
 CONFIG_IKCONFIG_PROC=y
 CONFIG_SCHEDSTATS=y
 CONFIG_AUDIT=y
+CONFIG_NETFILTER=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_TABLES=y
+CONFIG_NFT_CT=y
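Review bot: The fragment turns on nf_tables and the ct expression but no address-family support; on kernel versions where `CONFIG_NF_TABLES_INET`, `CONFIG_NF_TABLES_IPV4` and `CONFIG_NF_TABLES_IPV6` are separate options, an `inet`/`ip`/`ip6` table cannot be created and the daemon's ruleset load fails at runtime instead of at build time. The same applies to any other expression the generated ruleset uses (`nft_reject`, `nft_limit`, `nft_log`, ...), which I cannot see from here, so the ruleset veliad-firewall emits should be checked against this list — the YANG features enabled later in this change cover eth, IPv4 and IPv6 matches. I would add at least `CONFIG_NF_TABLES_INET=y`, `CONFIG_NF_TABLES_IPV4=y` and `CONFIG_NF_TABLES_IPV6=y` (or whatever the target kernel version calls them) next to `CONFIG_NFT_CT=y`.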
diff --git a/configs/czechlight_clearfog_defconfig b/configs/czechlight_clearfog_defconfig
index e894eac..316a7ab 100644
--- a/configs/czechlight_clearfog_defconfig
+++ b/configs/czechlight_clearfog_defconfig
@@ -60,6 +60,7 @@
 BR2_PACKAGE_ETHTOOL=y
 BR2_PACKAGE_IPROUTE2=y
 BR2_PACKAGE_NETCONF_CLI=y
+BR2_PACKAGE_NFTABLES=y
 BR2_PACKAGE_OPENSSH=y
 BR2_PACKAGE_TCPDUMP=y
 BR2_PACKAGE_BASH=y
diff --git a/package/cla-sysrepo/czechlight-install-yang.sh b/package/cla-sysrepo/czechlight-install-yang.sh
index f0d26fa..b4484d6 100755
--- a/package/cla-sysrepo/czechlight-install-yang.sh
+++ b/package/cla-sysrepo/czechlight-install-yang.sh
@@ -117,5 +117,11 @@
     sysrepoctl --change czechlight-system --permissions 0664 --apply
 fi
 
+if [[ ! -f ${REPO}/czechlight-firewall@2021-01-25.yang ]]; then
+    sysrepoctl --search-dirs /usr/share/velia/yang --install /usr/share/velia/yang/czechlight-firewall@2021-01-25.yang
+    sysrepoctl --change czechlight-firewall --permissions 0600 --apply
+    sysrepoctl --change ietf-access-control-list --enable-feature eth --enable-feature match-on-eth --enable-feature match-on-ipv4 --enable-feature ipv4 --enable-feature match-on-ipv6 --enable-feature ipv6 --enable-feature mixed-eth-ipv4-ipv6
+fi
+
 # If not do not copy here from startup -> running, running might be stale.
 sysrepocfg -C startup
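Review bot: The feature-enable call on ietf-access-control-list omits `--apply`, while both permission changes in this script (`czechlight-system` above and the new `czechlight-firewall` line) pass it; if that flag is what makes sysrepoctl apply the change immediately rather than schedule it, the ACL features may not be active when veliad-firewall first connects, and the unit ordering would not catch that. I would end the line with `--enable-feature mixed-eth-ipv4-ipv6 --apply`. The whole block is also guarded only on the czechlight-firewall YANG file existing, so a device that already has the module installed but not these features would never get them enabled; an idempotent feature check outside the guard would be safer. The `0600` permission (versus `0664` for czechlight-system) looks deliberate for a module that controls the packet filter — a one-line comment stating that intent would stop someone "fixing" it later.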
diff --git a/package/reset-sysrepo/reset-sysrepo.mk b/package/reset-sysrepo/reset-sysrepo.mk
index 1fba992..f52a8cd 100644
--- a/package/reset-sysrepo/reset-sysrepo.mk
+++ b/package/reset-sysrepo/reset-sysrepo.mk
@@ -23,6 +23,7 @@
 		netopeer2.service \
 		sysrepo-persistent-cfg.service \
 		nacm-restore.service \
+		velia-firewall.service \
 		velia-system.service \
 		velia-hardware-g1.service \
 		velia-hardware-g2.service \
diff --git a/package/velia/velia-firewall.service b/package/velia/velia-firewall.service
new file mode 100644
index 0000000..2f4a2f9
--- /dev/null
+++ b/package/velia/velia-firewall.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Firewall management via sysrepo
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
+Before=rauc-mark-good.service
+PartOf=netopeer2.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
+ConditionKernelCommandLine=czechlight
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/veliad-firewall
+PrivateTmp=yes
+PrivateDevices=no
+ProtectSystem=yes
+ProtectHome=yes
+Restart=always
+RestartSec=10s
+LogRateLimitIntervalSec=10
+LogRateLimitBurst=30000
+SyslogLevel=alert
+
+[Install]
+WantedBy=multi-user.target
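Review bot: The unit runs as root with only `ProtectSystem=yes`, `ProtectHome=yes` and `PrivateTmp=yes`, which leaves /etc writable and the full capability set available to a daemon whose job is to program the kernel packet filter. Since nftables needs CAP_NET_ADMIN over netlink, I would tighten this with `ProtectSystem=full`, `ProtectKernelTunables=yes` and `CapabilityBoundingSet=CAP_NET_ADMIN`, verifying against the daemon first since sysrepo's shared-memory and 0600 module files may need more than that. There is also a window between `network.target` and the ruleset being loaded, because this unit is ordered `After=network.target`; if the intended policy is default-deny, a static bootstrap ruleset loaded `Before=network-pre.target` would close it. `After=syslog.target` is an obsolete target and can be dropped, and `PrivateDevices=no` is the default, so spelling it out reads as intentional — a comment saying why would help.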
diff --git a/package/velia/velia.mk b/package/velia/velia.mk
index eda5efb..0a60715 100644
--- a/package/velia/velia.mk
+++ b/package/velia/velia.mk
@@ -33,6 +33,7 @@
         $(call VELIA_PREPARE_SERVICE,velia-hardware-g1)
         $(call VELIA_PREPARE_SERVICE,velia-hardware-g2)
         $(call VELIA_PREPARE_SERVICE,velia-system)
+        $(call VELIA_PREPARE_SERVICE,velia-firewall)
 endef
 
 $(eval $(cmake-package))
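Review bot: The firewall service is prepared and installed for every build of the velia package, but nothing in the package ties it to the nftables userspace or kernel options, which this change adds only in czechlight_clearfog_defconfig and the shared board/czechlight/common/linux.fragment. If another defconfig builds velia without `BR2_PACKAGE_NFTABLES`, the unit would still be enabled and, with `Restart=always`/`RestartSec=10s`, restart every 10 s on a missing nft — assuming veliad-firewall drives nftables through the nft binary or libnftables, which I cannot confirm from here. A `select BR2_PACKAGE_NFTABLES` (or `depends on`) in the velia Config.in would make the dependency explicit. The `define` this `$(call VELIA_PREPARE_SERVICE,...)` line belongs to starts outside the hunk.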