Date: Wed, 4 Oct 2023 20:02:54 GMT
Message-Id: <202310042002.394K2sEC056093@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Robert Clausecker Subject: git: 714e7fb44f51 - main - security/crowdsec-firewall-bouncer: update to v0.0.28 List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fuz X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 714e7fb44f516d31f08b657b2eb9a66ae1fbf9c7 Auto-Submitted: auto-generated The branch main has been updated by fuz: URL: https://cgit.FreeBSD.org/ports/commit/?id=714e7fb44f516d31f08b657b2eb9a66ae1fbf9c7 commit 714e7fb44f516d31f08b657b2eb9a66ae1fbf9c7 Author: Marco Mariani AuthorDate: 2023-10-02 12:51:29 +0000 Commit: Robert Clausecker CommitDate: 2023-10-04 19:59:57 +0000 security/crowdsec-firewall-bouncer: update to v0.0.28 Changelog: https://github.com/crowdsecurity/cs-firewall-bouncer/releases/tag/v0.0.28 PR: 274213 --- security/crowdsec-firewall-bouncer/Makefile | 44 ++++++++--------- security/crowdsec-firewall-bouncer/distinfo | 8 ++-- .../files/crowdsec_firewall.in | 56 ++++++++++++++++++---- .../files/pkg-deinstall.in | 0 .../crowdsec-firewall-bouncer/files/pkg-install.in | 0 .../crowdsec-firewall-bouncer/files/pkg-message.in | 7 ++- 6 files changed, 80 insertions(+), 35 deletions(-) diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile index d308b5c8d4d7..f4488f4953aa 100644 --- a/security/crowdsec-firewall-bouncer/Makefile +++ b/security/crowdsec-firewall-bouncer/Makefile @@ -1,8 +1,6 @@ PORTNAME= crowdsec-firewall-bouncer DISTVERSIONPREFIX= v -DISTVERSION= 0.0.27 -PORTREVISION= 2 -DISTVERSIONSUFFIX= -freebsd +DISTVERSION= 0.0.28 CATEGORIES= security MAINTAINER= marco@crowdsec.net 
@@ -12,42 +10,42 @@ WWW= https://github.com/crowdsecurity/cs-firewall-bouncer LICENSE= MIT LICENSE_FILE= ${WRKSRC}/LICENSE -BUILD_DEPENDS= git:devel/git@lite - -USES= gmake go:no_targets - -USE_GITHUB= yes -GH_ACCOUNT= crowdsecurity -GH_PROJECT= cs-firewall-bouncer -_BUILD_TAG= f1f8b379 +USES= go:modules +_COMMIT= af6e7e2 +_BUILD_DATE= $$(date -u "+%F_%T") USE_RC_SUBR= crowdsec_firewall -MAKE_ARGS= BUILD_VERSION="${DISTVERSIONFULL}" \ - BUILD_TAG="${_BUILD_TAG}" \ - BUILD_VENDOR_FLAGS="-mod=vendor -modcacherw" +GO_MODULE= github.com/crowdsecurity/cs-firewall-bouncer +GO_TARGET= ${PORTNAME}:./${PORTNAME} +GO_BUILDFLAGS= -trimpath -tags netgo \ + -ldflags="\ + -a -s -w -extldflags '-static' \ + -X github.com/crowdsecurity/go-cs-lib/version.Version=${DISTVERSIONPREFIX}${DISTVERSION}-freebsd \ + -X github.com/crowdsecurity/go-cs-lib/version.BuildDate=${_BUILD_DATE} \ + -X github.com/crowdsecurity/go-cs-lib/version.Tag=${_COMMIT}" -SUB_FILES= pkg-deinstall pkg-install pkg-message +CGO_ENABLED= 0 -ETCDIR= ${PREFIX}/etc/crowdsec/bouncers +SUB_FILES= pkg-deinstall \ + pkg-install \ + pkg-message -post-patch: - ${REINPLACE_CMD} 's,$${BACKEND},pf,g' \ - ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml +ETCDIR= ${PREFIX}/etc/crowdsec/bouncers do-install: # # Binaries # - ${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-firewall-bouncer \ - ${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer + ${INSTALL_PROGRAM} ${WRKDIR}/bin/${PORTNAME} \ + ${STAGEDIR}${PREFIX}/bin/${PORTNAME} # # Configuration # @${MKDIR} ${STAGEDIR}${ETCDIR} - ${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \ - ${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample + ${INSTALL_DATA} ${WRKSRC}/config/${PORTNAME}.yaml \ + ${STAGEDIR}${ETCDIR}/${PORTNAME}.yaml.sample .include diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo index a43c4d5e59c7..4a349fd2bda7 100644 --- a/security/crowdsec-firewall-bouncer/distinfo 
+++ b/security/crowdsec-firewall-bouncer/distinfo @@ -1,3 +1,5 @@ -TIMESTAMP = 1684281311 -SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.27-freebsd_GH0.tar.gz) = 1dba0604d0ff7d9035e2e2adcff42cddf7d0b63f23dd973ce692b6e18ee65126 -SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.27-freebsd_GH0.tar.gz) = 2600838 +TIMESTAMP = 1696243362 +SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.mod) = 8da878a2e78081ce7fd2b81f210eb146f87fa77f4c0b5b3857d1e6a4551dd048 +SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.mod) = 2632 +SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.zip) = 6aeaa00beee415f68b2f7a4d98e6b3c83c239f3fe8b1e8be93f34b13e77c940e +SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.zip) = 181050 diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in old mode 100755 new mode 100644 index 475bb4ae0e53..dd2e10d6f918 --- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in +++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in @@ -11,6 +11,8 @@ # Default is "NO" # crowdsec_firewall_config (str): Set the bouncer config path. # Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml" +# crowdsec_firewall_name (str): Name of the bouncer to register. +# Default is dynamically generated. # crowdsec_firewall_flags (str): extra flags to run bouncer. # Default is "" 
@@ -20,39 +22,77 @@ name=crowdsec_firewall desc="Crowdsec Firewall" rcvar=crowdsec_firewall_enable -load_rc_config $name +load_rc_config "$name" : "${crowdsec_firewall_enable:=NO}" : "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}" +: "${crowdsec_firewall_name:=cs-firewall-bouncer-$(date +%s)}" : "${crowdsec_firewall_flags:=}" pidfile=/var/run/${name}.pid required_files="$crowdsec_firewall_config" command="%%PREFIX%%/bin/crowdsec-firewall-bouncer" start_cmd="${name}_start" +stop_cmd="${name}_stop" start_precmd="${name}_precmd" +configtest_cmd="${name}_configtest" +extra_commands="configtest" crowdsec_firewall_precmd() { CSCLI=%%PREFIX%%/bin/cscli - orig_line="api_key: \${API_KEY}" + # there might be quotes + orig_line="api_key: .*\${API_KEY}.*" # IF the bouncer is not configured if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then - BOUNCER="cs-firewall-bouncer-$(date +%s)" # AND crowdsec is installed.. if command -v "$CSCLI" >/dev/null; then # THEN, register it to the local API - API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw) + API_KEY=$($CSCLI bouncers add "${crowdsec_firewall_name}" -o raw) if [ -n "$API_KEY" ]; then - sed -i "" "s/^${orig_line}/api_key: ${API_KEY} # ${BOUNCER}/" "${crowdsec_firewall_config}" - echo "Registered: ${BOUNCER}" + sed -i "" "s|^${orig_line}|api_key: ${API_KEY} # ${crowdsec_firewall_name}|" "${crowdsec_firewall_config}" + echo "Registered: ${crowdsec_firewall_name}" fi fi fi } +crowdsec_firewall_stop() +{ + if [ ! -f "$pidfile" ]; then + echo "${name} is not running." + return + fi + pid=$(cat "$pidfile") + if kill -0 "$pid" >/dev/null 2>&1; then + echo "Stopping ${name}." + kill -s TERM "$pid" >/dev/null 2>&1 + # shellcheck disable=SC2034 + for i in $(seq 1 20); do + sleep 1 + if ! kill -0 "$pid" >/dev/null 2>&1; then + rm -f "$pidfile" + return + fi + done + echo "Timeout, terminating ${name} with SIGKILL." 
+ kill -s KILL "$pid" >/dev/null 2>&1 + rm -f "$pidfile" + else + echo "${name} is not running." + fi +} + crowdsec_firewall_start() { - /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \ - ${command} -c "${crowdsec_firewall_config}" ${crowdsec_firewall_flags} + /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \ + "$command" -c "$crowdsec_firewall_config" ${crowdsec_firewall_flags} +} + +crowdsec_firewall_configtest() +{ + echo "Performing sanity check on ${name} configuration." + if "$command" -c "$crowdsec_firewall_config" -t; then + echo "Configuration test OK" + fi } run_rc_command "$1" diff --git a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in old mode 100755 new mode 100644 diff --git a/security/crowdsec-firewall-bouncer/files/pkg-install.in b/security/crowdsec-firewall-bouncer/files/pkg-install.in old mode 100755 new mode 100644 diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in index 85b8a16382d5..336b3e4fd4dd 100644 --- a/security/crowdsec-firewall-bouncer/files/pkg-message.in +++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in @@ -4,10 +4,15 @@ crowdsec-firewall-bouncer is installed. +Note: If you are using OPNsense or pfSense, ignore the following instructions and use the settings page of the +CrowdSec plugin. + +----- + If you are running crowdsec on this machine, the bouncer will register itself with the Local API when it's started the first time. -If the LAPI is on another machine, you need to manually register the bouncer +If the LAPI is on a different machine, you need to manually register the bouncer and fill api_key and api_url in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml before starting the service.
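Review bot: in the second Makefile hunk (`@@ -12,42 +10,42 @@`), `_BUILD_DATE= $$(date -u "+%F_%T")` is evaluated at build time and linked in through `-X github.com/crowdsecurity/go-cs-lib/version.BuildDate=${_BUILD_DATE}`, so two builds of the same distfiles produce different binaries and the package cannot be verified by rebuilding it, even though `-trimpath` is set. Consider deriving the value from a fixed input, such as the TIMESTAMP already recorded in distinfo. `_COMMIT= af6e7e2` is also a hand-maintained constant with nothing in the visible lines tying it to the v0.0.28 tag; a comment stating that it must be bumped together with DISTVERSION would help the next update.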
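Review bot: in the `files/crowdsec_firewall.in` hunk at `@@ -20,39 +22,77 @@`, the new `crowdsec_firewall_stop` sends TERM and then KILL to whatever PID is stored in `$pidfile` after only a `kill -0` liveness test, so a stale pidfile whose PID has been reused would get an unrelated process signalled as root. Confirm that the PID still belongs to the bouncer before signalling, for example with rc.subr's `check_pidfile "$pidfile" "$command"`. In the same hunk, `crowdsec_firewall_configtest` has no else branch, so it returns 0 when `"$command" -c "$crowdsec_firewall_config" -t` fails; return a non-zero status on failure so that callers can gate a restart on the result. Finally, `crowdsec_firewall_name` now comes from rc.conf and is interpolated unescaped into the `sed` replacement in `crowdsec_firewall_precmd`, where a `|`, `&` or backslash in the name would corrupt the rewritten `api_key` line; validate the name against a fixed character set before passing it to `cscli` and `sed`.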