git: 286b8544474d - main - security/crowdsec-firewall-bouncer: Update to 0.0.23.r2

From: Florian Smeets <flo_at_FreeBSD.org>
Date: Mon, 21 Feb 2022 20:29:11 UTC
The branch main has been updated by flo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=286b8544474d3cf3d457cf42e0e70183f12c8850

commit 286b8544474d3cf3d457cf42e0e70183f12c8850
Author:     Marco Mariani <marco@crowdsec.net>
AuthorDate: 2022-02-21 20:25:17 +0000
Commit:     Florian Smeets <flo@FreeBSD.org>
CommitDate: 2022-02-21 20:27:44 +0000

    security/crowdsec-firewall-bouncer: Update to 0.0.23.r2
    
    - updated executable to upstream v0.0.23-rc2
    - reverted configuration to manual editing of pf.conf (optionally
      with an anchor)
    - removed log rotation with newsyslog (implemented natively in the
      executable)
    - removed dependency on crowdsec package (can be on an external host)
---
 security/crowdsec-firewall-bouncer/Makefile        | 20 ++++------------
 security/crowdsec-firewall-bouncer/distinfo        |  6 ++---
 .../files/crowdsec-firewall-bouncer.conf-newsyslog |  2 --
 .../files/crowdsec_firewall.in                     | 21 ++++++++--------
 .../crowdsec-firewall-bouncer/files/patch-Makefile | 24 +++++++++++--------
 .../files/pkg-deinstall.in                         |  0
 .../crowdsec-firewall-bouncer/files/pkg-install.in |  0
 .../crowdsec-firewall-bouncer/files/pkg-message.in | 28 ++++++++++++----------
 security/crowdsec-firewall-bouncer/pkg-plist       |  3 ---
 9 files changed, 47 insertions(+), 57 deletions(-)

diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile
index a52441bcfc53..db4d992dcf88 100644
--- a/security/crowdsec-firewall-bouncer/Makefile
+++ b/security/crowdsec-firewall-bouncer/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	crowdsec-firewall-bouncer
-PORTVERSION=	0.0.20  # NOTE: change BUILD_VERSION and BUILD_TAG as well
+PORTVERSION=	0.0.23.r2  # NOTE: change BUILD_VERSION and BUILD_TAG as well
 DISTVERSIONPREFIX=	v
 CATEGORIES=	security
 
@@ -14,24 +14,20 @@ BUILD_DEPENDS=	git:devel/git@lite \
 
 USES=		gmake
 
-RUN_DEPENDS=	crowdsec>0:security/crowdsec
-
 USE_GITHUB=	yes
 GH_ACCOUNT=	crowdsecurity
 GH_PROJECT=	cs-firewall-bouncer
-GH_TAGNAME=	v0.0.20-freebsd
+GH_TAGNAME=	v0.0.23.r2-freebsd
 #GH_TAGNAME is automatically set from DISTVERSION
 
 USE_RC_SUBR=	crowdsec_firewall
 
-SUB_FILES=	pkg-message \
-		pkg-install \
-		pkg-deinstall
+SUB_FILES=	pkg-deinstall pkg-install pkg-message
 
 # BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))
 # BUILD_TAG=$(git rev-parse HEAD)
-MAKE_ENV=	BUILD_VERSION="v0.0.20" \
-		BUILD_TAG="a456a4debdf3d3551c89b8490bb942f626027310"
+MAKE_ENV=	BUILD_TAG="bc4bb1d531d47ad94ead2dce3a11f6391b1e8619" \
+		BUILD_VERSION="v0.0.23-rc2"
 
 ETCDIR=		${PREFIX}/etc/crowdsec/bouncers
 
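Review bot: The context comment `#GH_TAGNAME is automatically set from DISTVERSION` sits directly under the `GH_TAGNAME=	v0.0.23.r2-freebsd` line this commit had to bump by hand, and it is wrong for this port: the tag carries a `-freebsd` suffix the default value cannot produce, so a release now requires editing PORTVERSION, GH_TAGNAME, BUILD_TAG and BUILD_VERSION in step. Replacing the explicit GH_TAGNAME with `DISTVERSIONSUFFIX=	-freebsd` would let the tag derive from DISTVERSION and make the comment true; the generated DISTNAME, and therefore the distinfo entry, would presumably change, so the checksum has to be regenerated together with that. BUILD_VERSION (`v0.0.23-rc2`) does not follow the tag spelling (`0.0.23.r2`), so it cannot be derived the same way and the NOTE on the PORTVERSION line still applies to it. A comment such as `# BUILD_TAG is the upstream commit of the tag above; it is only baked into the version string, the tarball itself is pinned by distinfo` would tell the next updater why a bare hash lives here.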
@@ -55,10 +51,4 @@ do-install:
 	${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \
 		${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample
 
-	#
-	# Log rotation
-	#
-
-	${INSTALL_DATA} ${FILESDIR}/crowdsec-firewall-bouncer.conf-newsyslog ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample
-
 .include <bsd.port.mk>
diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo
index 1548b93d6c60..0cdb9bb30d8c 100644
--- a/security/crowdsec-firewall-bouncer/distinfo
+++ b/security/crowdsec-firewall-bouncer/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1640213523
-SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 95f8abf5f44e700e7f0a41edf5367715ce06918cb0de7a5d084bdca277563171
-SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 3018717
+TIMESTAMP = 1645218461
+SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.23.r2-v0.0.23.r2-freebsd_GH0.tar.gz) = efb34044e8a648c1ec505fef64de3e4901ac760e732b647650f8e46547c7fe87
+SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.23.r2-v0.0.23.r2-freebsd_GH0.tar.gz) = 3053462
diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog b/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog
deleted file mode 100644
index b26fae25b5ce..000000000000
--- a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog
+++ /dev/null
@@ -1,2 +0,0 @@
-# logfilename				[owner:group]	mode	count	size(kb)	when	flags	[/pid_file]			[sig_num]
-/var/log/crowdsec-firewall-bouncer.log	root:wheel	644  	10	5120		*	JC	/var/run/crowdsec_firewall.pid
diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
index 6a0f96f26f8f..9ae41cef717b 100755
--- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
+++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # PROVIDE: crowdsec_firewall
-# REQUIRE: LOGIN DAEMON NETWORKING crowdsec
+# REQUIRE: LOGIN DAEMON NETWORKING
 # KEYWORD: shutdown
 #
 # Add the following lines to /etc/rc.conf.local or /etc/rc.conf
@@ -9,6 +9,10 @@
 #
 # crowdsec_firewall_enable (bool):	Set it to YES to enable crowdsec firewall.
 #					Default is "NO"
+# crowdsec_firewall_config (str):	Set the bouncer config path.
+#					Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml"
+# crowdsec_firewall_flags (str):	extra flags to run bouncer.
+#					Default is ""
 
 . /etc/rc.subr
 
@@ -20,6 +24,7 @@ load_rc_config $name
 
 : "${crowdsec_firewall_enable:=NO}"
 : "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}"
+: "${crowdsec_firewall_flags:=}"
 
 pidfile=/var/run/${name}.pid
 required_files="$crowdsec_firewall_config"
@@ -30,10 +35,13 @@ start_precmd="${name}_precmd"
 crowdsec_firewall_precmd() {
     CSCLI=%%PREFIX%%/bin/cscli
     orig_line="api_key: \${API_KEY}"
+    # IF the bouncer is not configured
     if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then
         SUFFIX=$(LC_CTYPE=C tr -dc A-Za-z0-9 </dev/urandom | head -c 8)
         BOUNCER="cs-firewall-bouncer-${SUFFIX}"
+        # AND crowdsec is installed..
         if command -v "$CSCLI" >/dev/null; then
+            # THEN, register it to the local API
             API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw)
             if [ -n "$API_KEY" ]; then
                 sed -i "" "s/^${orig_line}/api_key: ${API_KEY}     # ${BOUNCER}/" "${crowdsec_firewall_config}"
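Review bot: Now that the crowdsec run-dependency is gone, the `command -v "$CSCLI"` test has a real false branch but it is silent: when cscli is absent the `api_key: ${API_KEY}` placeholder stays in the config and the daemon is started against the Local API with an unusable key, so it would presumably be unable to fetch decisions and the host ends up with empty tables and no hint from the rc script. Add an else branch that refuses to start with a clear message, e.g. `else` / `warn "${CSCLI} not found: set api_key in ${crowdsec_firewall_config} from the remote crowdsec LAPI"` / `return 1`, so `service crowdsec_firewall start` fails until the key is provided. The empty-`API_KEY` case from `cscli bouncers add` deserves the same treatment, but its closing `fi` lines and the end of crowdsec_firewall_precmd are in the following hunk, outside this one.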
@@ -41,20 +49,11 @@ crowdsec_firewall_precmd() {
             fi
         fi
     fi
-
-    # needs real tabs
-    cat <<-EOT | /sbin/pfctl -f /dev/fd/0
-	table <crowdsec-blacklists> persist
-	table <crowdsec6-blacklists> persist
-	block drop in quick from <crowdsec-blacklists> to any
-	block drop in quick from <crowdsec6-blacklists> to any
-	EOT
-
 }
 
 crowdsec_firewall_start() {
     /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
-        ${command} -c "${crowdsec_firewall_config}"
+        ${command} -c "${crowdsec_firewall_config}" ${crowdsec_firewall_flags}
 }
 
 run_rc_command "$1"
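Review bot: With the `pfctl -f` heredoc removed from crowdsec_firewall_precmd, nothing checks that the `crowdsec-blacklists` and `crowdsec6-blacklists` tables the bouncer is expected to populate exist before the daemon is launched; previously they were always created, now a forgotten pf.conf edit leaves the service running with no effect, visible only in the bouncer's own log. A cheap guard in the precmd, `pfctl -t crowdsec-blacklists -T show >/dev/null 2>&1 || { warn "pf table <crowdsec-blacklists> not defined, see pkg-message"; return 1; }` (and the same for the v6 table), should make `service crowdsec_firewall start` fail with a pointer to the setup steps, assuming pfctl exits non-zero for an undefined table as I believe it does. The function this was removed from begins in the previous hunk. The unquoted `${crowdsec_firewall_flags}` in crowdsec_firewall_start is intentional word splitting and matches rc.d conventions.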
diff --git a/security/crowdsec-firewall-bouncer/files/patch-Makefile b/security/crowdsec-firewall-bouncer/files/patch-Makefile
index df450e5e1b27..d8f1e8f79f4e 100644
--- a/security/crowdsec-firewall-bouncer/files/patch-Makefile
+++ b/security/crowdsec-firewall-bouncer/files/patch-Makefile
@@ -1,11 +1,15 @@
---- Makefile.orig	2021-12-22 22:57:23 UTC
+--- Makefile.orig	2022-02-11 13:22:37 UTC
 +++ Makefile
-@@ -11,7 +11,7 @@ BUILD_VERSION?="$(shell git describe --tags `git rev-l
- BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -r 's/[go]+//g')"
- BUILD_TIMESTAMP=$(shell date +%F"_"%T)
- BUILD_TAG?="$(shell git rev-parse HEAD)"
--export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
-+export LD_OPTS=-mod vendor -modcacherw --ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
- -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=$(BUILD_TIMESTAMP) \
- -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=$(BUILD_TAG) \
- -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.GoVersion=$(BUILD_GOVERSION)"
+@@ -54,10 +54,10 @@ lint:
+ 	golangci-lint run
+ 
+ static: goversion clean
+-	$(GOBUILD) -ldflags "$(LDFLAGS_STATIC)" -o $(BINARY_NAME) -v -a -tags netgo
++	$(GOBUILD) -mod vendor -modcacherw -ldflags "$(LDFLAGS_STATIC)" -o $(BINARY_NAME) -v -a -tags netgo
+ 
+ build: goversion clean
+-	$(GOBUILD) -ldflags "$(LDFLAGS_DYNAMIC)" -o $(BINARY_NAME) -v
++	$(GOBUILD) -mod vendor -modcacherw -ldflags "$(LDFLAGS_DYNAMIC)" -o $(BINARY_NAME) -v
+ 
+ test:
+ 	@$(GOTEST) -ldflags "$(LDFLAGS_DYNAMIC)" -v ./...
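Review bot: The `test:` recipe at the bottom of the new hunk still invokes `$(GOTEST)` without the `-mod vendor -modcacherw` flags the patch adds to `static:` and `build:`, so a future `do-test` in the port would resolve modules outside the vendored tree and fail in the offline build sandbox. If that target is ever wired up it needs the same treatment: `@$(GOTEST) -mod vendor -modcacherw -ldflags "$(LDFLAGS_DYNAMIC)" -v ./...`; until then this is only a consistency nit. The upstream Makefile the patch applies to is not on this page, so its other targets were not checked.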
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in
old mode 100644
new mode 100755
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-install.in b/security/crowdsec-firewall-bouncer/files/pkg-install.in
old mode 100644
new mode 100755
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in
index 8bcdc8d1d9d6..489267594020 100644
--- a/security/crowdsec-firewall-bouncer/files/pkg-message.in
+++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in
@@ -4,8 +4,8 @@
 
 crowdsec-firewall-bouncer is installed.
 
-The bouncer should register itself but you may want to check the
-configuration file, which is now in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml
+The bouncer should register itself with the Local API but you may want to check the
+configuration file, which has been moved to %%ETCDIR%%/crowdsec-firewall-bouncer.yaml
 (for consistency with the other platforms).
 
 In previous versions, the configuration was in /usr/local/etc/crowdsec-firewall-bouncer, you may need
@@ -21,23 +21,25 @@ pf_enable: NO -> YES
 Enabling pf.
 ----------
 
-Then activate the bouncer via sysrc:
+Add the following in /etc/pf.conf to create the firewall tables and rules:
 
 ----------
-# sysrc crowdsec_firewall_enable="YES"
-crowdsec_firewall_enable: NO -> YES
-# service crowdsec_firewall start
+table <crowdsec-blacklists> persist
+table <crowdsec6-blacklists> persist
+block drop in quick from <crowdsec-blacklists> to any
+block drop in quick from <crowdsec6-blacklists> to any
 ----------
 
-After a few seconds, the bouncer should have created the tables and rules:
+To apply the file:
+
+# pfctl -f /etc/pf.conf
+
+Then activate the bouncer via sysrc and run it:
 
 ----------
-# pfctl -s Tables
-crowdsec-blacklists
-crowdsec6-blacklists
-# pfctl -s Tables -s rules
-block drop in quick from <crowdsec-blacklists> to any
-block drop in quick from <crowdsec6-blacklists> to any
+# sysrc crowdsec_firewall_enable="YES"
+crowdsec_firewall_enable: NO -> YES
+# service crowdsec_firewall start
 ----------
 
 EOM
diff --git a/security/crowdsec-firewall-bouncer/pkg-plist b/security/crowdsec-firewall-bouncer/pkg-plist
index ecbf8e901981..6a41287c1e57 100644
--- a/security/crowdsec-firewall-bouncer/pkg-plist
+++ b/security/crowdsec-firewall-bouncer/pkg-plist
@@ -1,7 +1,4 @@
 @mode 0755
 bin/crowdsec-firewall-bouncer
-@dir etc/newsyslog.conf.d
 @mode 0600
 @sample %%ETCDIR%%/crowdsec-firewall-bouncer.yaml.sample
-@mode 0644
-@sample etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample