From nobody Mon Feb 21 20:29:11 2022
Date: Mon, 21 Feb 2022 20:29:11 GMT
Message-Id: <202202212029.21LKTBLF032000@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Florian Smeets
Subject: git: 286b8544474d - main - security/crowdsec-firewall-bouncer: Update to 0.0.23.r2
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-Git-Committer: flo
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 286b8544474d3cf3d457cf42e0e70183f12c8850
Auto-Submitted: auto-generated

The branch main has been updated by flo:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=286b8544474d3cf3d457cf42e0e70183f12c8850 commit 286b8544474d3cf3d457cf42e0e70183f12c8850 Author: Marco Mariani AuthorDate: 2022-02-21 20:25:17 +0000 Commit: Florian Smeets CommitDate: 2022-02-21 20:27:44 +0000 security/crowdsec-firewall-bouncer: Update to 0.0.23.r2 - updated executable to upstream v0.0.23-rc2 - reverted configuration to manual editing of pf.conf (optionally with an anchor) - removed log rotation with newsyslog (implemented natively in the executable) - removed dependency on crowdsec package (can be on an external host) --- security/crowdsec-firewall-bouncer/Makefile | 20 ++++------------ security/crowdsec-firewall-bouncer/distinfo | 6 ++--- .../files/crowdsec-firewall-bouncer.conf-newsyslog | 2 -- .../files/crowdsec_firewall.in | 21 ++++++++-------- .../crowdsec-firewall-bouncer/files/patch-Makefile | 24 +++++++++++-------- .../files/pkg-deinstall.in | 0 .../crowdsec-firewall-bouncer/files/pkg-install.in | 0 .../crowdsec-firewall-bouncer/files/pkg-message.in | 28 ++++++++++++---------- security/crowdsec-firewall-bouncer/pkg-plist | 3 --- 9 files changed, 47 insertions(+), 57 deletions(-) diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile index a52441bcfc53..db4d992dcf88 100644 --- a/security/crowdsec-firewall-bouncer/Makefile +++ b/security/crowdsec-firewall-bouncer/Makefile @@ -1,5 +1,5 @@ PORTNAME= crowdsec-firewall-bouncer -PORTVERSION= 0.0.20 # NOTE: change BUILD_VERSION and BUILD_TAG as well +PORTVERSION= 0.0.23.r2 # NOTE: change BUILD_VERSION and BUILD_TAG as well DISTVERSIONPREFIX= v CATEGORIES= security 
@@ -14,24 +14,20 @@ BUILD_DEPENDS= git:devel/git@lite \ USES= gmake -RUN_DEPENDS= crowdsec>0:security/crowdsec - USE_GITHUB= yes GH_ACCOUNT= crowdsecurity GH_PROJECT= cs-firewall-bouncer -GH_TAGNAME= v0.0.20-freebsd +GH_TAGNAME= v0.0.23.r2-freebsd #GH_TAGNAME is automatically set from DISTVERSION USE_RC_SUBR= crowdsec_firewall -SUB_FILES= pkg-message \ - pkg-install \ - pkg-deinstall +SUB_FILES= pkg-deinstall pkg-install pkg-message # BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1)) # BUILD_TAG=$(git rev-parse HEAD) -MAKE_ENV= BUILD_VERSION="v0.0.20" \ - BUILD_TAG="a456a4debdf3d3551c89b8490bb942f626027310" +MAKE_ENV= BUILD_TAG="bc4bb1d531d47ad94ead2dce3a11f6391b1e8619" \ + BUILD_VERSION="v0.0.23-rc2" ETCDIR= ${PREFIX}/etc/crowdsec/bouncers @@ -55,10 +51,4 @@ do-install: ${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \ ${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample - # - # Log rotation - # - - ${INSTALL_DATA} ${FILESDIR}/crowdsec-firewall-bouncer.conf-newsyslog ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample - .include diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo index 1548b93d6c60..0cdb9bb30d8c 100644 --- a/security/crowdsec-firewall-bouncer/distinfo +++ b/security/crowdsec-firewall-bouncer/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1640213523 -SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 95f8abf5f44e700e7f0a41edf5367715ce06918cb0de7a5d084bdca277563171 -SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 3018717 +TIMESTAMP = 1645218461 +SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.23.r2-v0.0.23.r2-freebsd_GH0.tar.gz) = efb34044e8a648c1ec505fef64de3e4901ac760e732b647650f8e46547c7fe87 +SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.23.r2-v0.0.23.r2-freebsd_GH0.tar.gz) = 3053462 
diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog b/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog deleted file mode 100644 index b26fae25b5ce..000000000000 --- a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog +++ /dev/null @@ -1,2 +0,0 @@ -# logfilename [owner:group] mode count size(kb) when flags [/pid_file] [sig_num] -/var/log/crowdsec-firewall-bouncer.log root:wheel 644 10 5120 * JC /var/run/crowdsec_firewall.pid diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in index 6a0f96f26f8f..9ae41cef717b 100755 --- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in +++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in @@ -1,7 +1,7 @@ #!/bin/sh # # PROVIDE: crowdsec_firewall -# REQUIRE: LOGIN DAEMON NETWORKING crowdsec +# REQUIRE: LOGIN DAEMON NETWORKING # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf.local or /etc/rc.conf @@ -9,6 +9,10 @@ # # crowdsec_firewall_enable (bool): Set it to YES to enable crowdsec firewall. # Default is "NO" +# crowdsec_firewall_config (str): Set the bouncer config path. +# Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml" +# crowdsec_firewall_flags (str): extra flags to run bouncer. +# Default is "" . /etc/rc.subr @@ -20,6 +24,7 @@ load_rc_config $name : "${crowdsec_firewall_enable:=NO}" : "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}" +: "${crowdsec_firewall_flags:=}" pidfile=/var/run/${name}.pid required_files="$crowdsec_firewall_config" 
@@ -30,10 +35,13 @@ start_precmd="${name}_precmd" crowdsec_firewall_precmd() { CSCLI=%%PREFIX%%/bin/cscli orig_line="api_key: \${API_KEY}" + # IF the bouncer is not configured if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then SUFFIX=$(LC_CTYPE=C tr -dc A-Za-z0-9 /dev/null; then + # THEN, register it to the local API API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw) if [ -n "$API_KEY" ]; then sed -i "" "s/^${orig_line}/api_key: ${API_KEY} # ${BOUNCER}/" "${crowdsec_firewall_config}" @@ -41,20 +49,11 @@ crowdsec_firewall_precmd() { fi fi fi - - # needs real tabs - cat <<-EOT | /sbin/pfctl -f /dev/fd/0 - table persist - table persist - block drop in quick from to any - block drop in quick from to any - EOT - } crowdsec_firewall_start() { /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \ - ${command} -c "${crowdsec_firewall_config}" + ${command} -c "${crowdsec_firewall_config}" ${crowdsec_firewall_flags} } run_rc_command "$1" diff --git a/security/crowdsec-firewall-bouncer/files/patch-Makefile b/security/crowdsec-firewall-bouncer/files/patch-Makefile index df450e5e1b27..d8f1e8f79f4e 100644 --- a/security/crowdsec-firewall-bouncer/files/patch-Makefile +++ b/security/crowdsec-firewall-bouncer/files/patch-Makefile 
@@ -1,11 +1,15 @@ ---- Makefile.orig 2021-12-22 22:57:23 UTC +--- Makefile.orig 2022-02-11 13:22:37 UTC +++ Makefile -@@ -11,7 +11,7 @@ BUILD_VERSION?="$(shell git describe --tags `git rev-l - BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -r 's/[go]+//g')" - BUILD_TIMESTAMP=$(shell date +%F"_"%T) - BUILD_TAG?="$(shell git rev-parse HEAD)" --export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \ -+export LD_OPTS=-mod vendor -modcacherw --ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \ - -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=$(BUILD_TIMESTAMP) \ - -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=$(BUILD_TAG) \ - -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.GoVersion=$(BUILD_GOVERSION)" +@@ -54,10 +54,10 @@ lint: + golangci-lint run + + static: goversion clean +- $(GOBUILD) -ldflags "$(LDFLAGS_STATIC)" -o $(BINARY_NAME) -v -a -tags netgo ++ $(GOBUILD) -mod vendor -modcacherw -ldflags "$(LDFLAGS_STATIC)" -o $(BINARY_NAME) -v -a -tags netgo + + build: goversion clean +- $(GOBUILD) -ldflags "$(LDFLAGS_DYNAMIC)" -o $(BINARY_NAME) -v ++ $(GOBUILD) -mod vendor -modcacherw -ldflags "$(LDFLAGS_DYNAMIC)" -o $(BINARY_NAME) -v + + test: + @$(GOTEST) -ldflags "$(LDFLAGS_DYNAMIC)" -v ./... diff --git a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in old mode 100644 new mode 100755 diff --git a/security/crowdsec-firewall-bouncer/files/pkg-install.in b/security/crowdsec-firewall-bouncer/files/pkg-install.in old mode 100644 new mode 100755 diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in index 8bcdc8d1d9d6..489267594020 100644 --- a/security/crowdsec-firewall-bouncer/files/pkg-message.in +++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in 
@@ -4,8 +4,8 @@ crowdsec-firewall-bouncer is installed. -The bouncer should register itself but you may want to check the -configuration file, which is now in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml +The bouncer should register itself with the Local API but you may want to check the +configuration file, which has been moved to %%ETCDIR%%/crowdsec-firewall-bouncer.yaml (for consistency with the other platforms). In previous versions, the configuration was in /usr/local/etc/crowdsec-firewall-bouncer, you may need @@ -21,23 +21,25 @@ pf_enable: NO -> YES Enabling pf. ---------- -Then activate the bouncer via sysrc: +Add the following in /etc/pf.conf to create the firewall tables and rules: ---------- -# sysrc crowdsec_firewall_enable="YES" -crowdsec_firewall_enable: NO -> YES -# service crowdsec_firewall start +table persist +table persist +block drop in quick from to any +block drop in quick from to any ---------- -After a few seconds, the bouncer should have created the tables and rules: +To apply the file: + +# pfctl -f /etc/pf.conf + +Then activate the bouncer via sysrc and run it: ---------- -# pfctl -s Tables -crowdsec-blacklists -crowdsec6-blacklists -# pfctl -s Tables -s rules -block drop in quick from to any -block drop in quick from to any +# sysrc crowdsec_firewall_enable="YES" +crowdsec_firewall_enable: NO -> YES +# service crowdsec_firewall start ---------- EOM diff --git a/security/crowdsec-firewall-bouncer/pkg-plist b/security/crowdsec-firewall-bouncer/pkg-plist index ecbf8e901981..6a41287c1e57 100644 --- a/security/crowdsec-firewall-bouncer/pkg-plist +++ b/security/crowdsec-firewall-bouncer/pkg-plist @@ -1,7 +1,4 @@ @mode 0755 bin/crowdsec-firewall-bouncer -@dir etc/newsyslog.conf.d @mode 0600 @sample %%ETCDIR%%/crowdsec-firewall-bouncer.yaml.sample -@mode 0644 -@sample etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample
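Review bot: In the Makefile hunk at -14,24 the new line `GH_TAGNAME= v0.0.23.r2-freebsd` is immediately followed by the comment `#GH_TAGNAME is automatically set from DISTVERSION`, which no longer describes what the port does: the tag carries a `-freebsd` suffix that DISTVERSION cannot produce, and it differs from the upstream `v0.0.23-rc2` named in BUILD_VERSION. Either drop the comment or replace it with one sentence explaining that the port builds from a FreeBSD-specific tag of the fork. Related: now that both BUILD_VERSION and BUILD_TAG are passed in via MAKE_ENV, check whether the `BUILD_DEPENDS= git:devel/git@lite` visible in the hunk context is still needed at build time.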
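Review bot: Deleting files/crowdsec-firewall-bouncer.conf-newsyslog together with the `@dir etc/newsyslog.conf.d` and `@sample etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample` entries in pkg-plist is consistent, but on upgrade the @sample removal only deletes the installed copy when it still matches the sample, so a locally edited newsyslog entry keeps rotating a log the executable now rotates itself. The "In previous versions" paragraph of pkg-message already covers the configuration path move and is the natural place to add one line asking upgraders to remove that newsyslog.conf.d file by hand.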
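Review bot: With the heredoc that loaded the crowdsec tables through `/sbin/pfctl -f /dev/fd/0` removed from crowdsec_firewall_precmd (files/crowdsec_firewall.in, hunk at -41,20), a start on a host whose pf.conf has not yet been edited no longer fails in the rc script but only later, when the bouncer tries to populate a table that does not exist. Consider having precmd verify that the expected tables are loaded (for example by checking the output of `pfctl -s Tables` for the names the bouncer writes to) and printing a pointer to the pf.conf snippet in pkg-message when they are missing. Leaving `${crowdsec_firewall_flags}` unquoted in crowdsec_firewall_start is fine here, since word splitting is what lets a multi-flag value work.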
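Review bot: files/patch-Makefile now adds `-mod vendor -modcacherw` to the `static:` and `build:` targets but leaves `test:` calling `$(GOTEST) -ldflags "$(LDFLAGS_DYNAMIC)" -v ./...` without them, so running that target inside the port tree would still try to resolve modules outside the vendored sources. Either add the same flags to `test:` for consistency or note in the patch that the port never invokes it.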
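Review bot: The rewritten pkg-message (hunk at -21,23) still opens with "The bouncer should register itself with the Local API", yet this commit drops the run dependency on security/crowdsec, so the Local API may live on another host where the `%%PREFIX%%/bin/cscli` used by crowdsec_firewall_precmd is not present; add a sentence telling such users to run `cscli bouncers add` on the crowdsec host and set `api_key:` in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml themselves. The commit message also advertises "optionally with an anchor", but the pf.conf snippet only shows the plain `table ... persist` and `block drop in quick` lines; either describe the anchor variant or drop the claim. Since the added rules are `quick`, a short note on where they belong relative to the user's existing pass rules would save a debugging session.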