diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile
index 60925f445797..36a868801a50 100644
--- a/security/crowdsec-firewall-bouncer/Makefile
+++ b/security/crowdsec-firewall-bouncer/Makefile
@@ -1,40 +1,59 @@ PORTNAME= crowdsec-firewall-bouncer -PORTVERSION= 0.0.13 +PORTVERSION= 0.0.17 # NOTE: change BUILD_VERSION and BUILD_TAG as well DISTVERSIONPREFIX= v CATEGORIES= security -MAINTAINER= sbz@FreeBSD.org -COMMENT= Crowdsec bouncer written in golang for firewalls +MAINTAINER= marco@crowdsec.net +COMMENT= CrowdSec bouncer written in golang for firewalls LICENSE= MIT LICENSE_FILE= ${WRKSRC}/LICENSE +BUILD_DEPENDS= git:devel/git@lite \ + go:lang/go + +USES= gmake + RUN_DEPENDS= crowdsec>0:security/crowdsec -USES= go:modules +USE_GITHUB= yes +GH_ACCOUNT= crowdsecurity +GH_PROJECT= cs-firewall-bouncer +#GH_TAGNAME is automatically set from DISTVERSION USE_RC_SUBR= crowdsec_firewall -GO_MODULE= github.com/crowdsecurity/cs-firewall-bouncer +SUB_FILES= pkg-message \ + pkg-deinstall + +# BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1)) +# BUILD_TAG=$(git rev-parse HEAD) +MAKE_ENV= BUILD_VERSION="v0.0.17" \ + BUILD_TAG="b330209afcdefd0046fd6790999bbb342c02f1b3" -GO_BUILDFLAGS= -ldflags "-s -w \ - -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=v${PORTVERSION} \ - -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=freebsd \ - -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=`date -u '+%Y-%m-%d_%I:%M:%S%p'`" +ETCDIR= ${PREFIX}/etc/crowdsec/bouncers -SUB_FILES= pkg-message +do-patch: + cd ${WRKSRC} && go mod download github.com/mattn/go-sqlite3 post-patch: ${REINPLACE_CMD} 's,$${BACKEND},pf,g' \ ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml do-install: - @${MKDIR} ${STAGEDIR}${ETCDIR} + # + # Binaries + # + + ${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-firewall-bouncer \ + ${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer + + # + # Configuration + # + @${MKDIR} ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \ ${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample - ${INSTALL_PROGRAM} ${WRKDIR}/bin/crowdsec-firewall-bouncer \ - 
${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer - .include diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo index cf74c8b81d95..001ca177529b 100644 --- a/security/crowdsec-firewall-bouncer/distinfo +++ b/security/crowdsec-firewall-bouncer/distinfo @@ -1,5 +1,3 @@ -TIMESTAMP = 1625834541 -SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.mod) = c4ee3539ac5bd53f013e0798add577d5daef4480ad6910a3c35c381e74b26f63 -SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.mod) = 935 -SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.zip) = 0817452582e7ff9f92ae7c51751c6de86a277d7b772e5ac1b35dc7a3ea35aba7 -SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.zip) = 148490 +TIMESTAMP = 1637702397 +SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 53af239b86c6b554da3711e3686d7d3036d33b2e561bfb00e195b6c8a06918c8 +SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 143037 diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in index 1bc55e6ca263..ee3dcc9f7325 100755 --- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in +++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in 
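Review bot: In security/crowdsec-firewall-bouncer/Makefile the new `do-patch` target runs `go mod download github.com/mattn/go-sqlite3`, which pulls code from the network outside the fetch stage, so that module is not covered by the checksums in distinfo and the build will fail in a network-isolated builder. With `USES= go:modules` dropped, distinfo now pins only the GitHub tarball; unless that tarball vendors its dependencies (not visible here), the remaining Go modules are also resolved at build time by the upstream gmake build. Defining `do-patch` also replaces the framework's default target of that name, which, as far as I know, is the one that applies files/patch-*, so the new files/patch-Makefile (the `BUILD_TAG?=` change that lets `MAKE_ENV` take effect) may never be applied. I would keep module fetching in the fetch stage, e.g. retain `USES= go:modules` with `GO_MODULE= github.com/crowdsecurity/cs-firewall-bouncer`, or list the modules as distfiles via `GH_TUPLE`, and drop the `do-patch` override.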
@@ -1,30 +1,51 @@ #!/bin/sh # # PROVIDE: crowdsec_firewall # REQUIRE: LOGIN DAEMON NETWORKING # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf.local or /etc/rc.conf # to enable this service: # # crowdsec_firewall_enable (bool): Set it to YES to enable crowdsec firewall. # Default is "NO" . /etc/rc.subr name=crowdsec_firewall desc="Crowdsec Firewall" rcvar=crowdsec_firewall_enable load_rc_config $name -: ${crowdsec_firewall_enable:="NO"} -: ${crowdsec_firewall_config:="%%PREFIX%%/etc/crowdsec-firewall-bouncer/crowdsec-firewall-bouncer.yaml"} +: "${crowdsec_firewall_enable:=NO}" +: "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}" -pidfile=/var/run/$name.pid +pidfile=/var/run/${name}.pid required_files="$crowdsec_firewall_config" -procname="%%PREFIX%%/bin/crowdsec-firewall-bouncer" -command=/usr/sbin/daemon -command_args="-fp $pidfile -t '$desc' -- '$procname' -c '$crowdsec_firewall_config'" +command="%%PREFIX%%/bin/crowdsec-firewall-bouncer" +start_cmd="${name}_start" +start_precmd="${name}_precmd" + +crowdsec_firewall_precmd() { + CSCLI=%%PREFIX%%/bin/cscli + orig_line="api_key: \${API_KEY}" + if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then + SUFFIX=$(LC_CTYPE=C tr -dc A-Za-z0-9 /dev/null; then + API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw) + if [ -n "$API_KEY" ]; then + sed -i "" "s/^${orig_line}/api_key: ${API_KEY} # ${BOUNCER}/" "${crowdsec_firewall_config}" + echo "Registered: ${BOUNCER}" + fi + fi + fi +} + +crowdsec_firewall_start() { + /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \ + ${command} -c "${crowdsec_firewall_config}" +} run_rc_command "$1" diff --git a/security/crowdsec-firewall-bouncer/files/patch-Makefile b/security/crowdsec-firewall-bouncer/files/patch-Makefile new file mode 100644 index 000000000000..6d9e9a2e2f42 --- /dev/null +++ b/security/crowdsec-firewall-bouncer/files/patch-Makefile 
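Review bot: In files/crowdsec_firewall.in, `crowdsec_firewall_precmd` splices `${API_KEY}` straight into the replacement side of `sed -i "" "s/^${orig_line}/api_key: ${API_KEY} # ${BOUNCER}/"`, so a key containing `/`, `&` or `\` would either break the expression or write a wrong key, and "Registered" is echoed without checking sed's exit status. The key also appears in sed's argument list, where other local users can read it from the process table while the command runs. I would escape it first, `esc_key=$(printf '%s' "$API_KEY" | sed 's/[\/&]/\\&/g')`, and only report success when the sed call succeeds; feeding the edit through a script on stdin rather than argv would keep the key out of `ps`. Part of this function is truncated on the page, so this covers only the visible lines.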
@@ -0,0 +1,11 @@ +--- Makefile.orig 2021-12-07 09:00:17 UTC ++++ Makefile +@@ -11,7 +11,7 @@ GOGET=$(GOCMD) get + BUILD_VERSION?="$(shell git describe --tags `git rev-list --tags --max-count=1`)" + BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -r 's/[go]+//g')" + BUILD_TIMESTAMP=$(shell date +%F"_"%T) +-BUILD_TAG="$(shell git rev-parse HEAD)" ++BUILD_TAG?="$(shell git rev-parse HEAD)" + export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \ + -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=$(BUILD_TIMESTAMP) \ + -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=$(BUILD_TAG) \ diff --git a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in new file mode 100644 index 000000000000..0324401c6e19 --- /dev/null +++ b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in @@ -0,0 +1,8 @@ +#!/bin/sh + +case $2 in + DEINSTALL) + service crowdsec_firewall stop || : + ;; +esac + diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in index 46710f5d090a..3929d468efd0 100644 --- a/security/crowdsec-firewall-bouncer/files/pkg-message.in +++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in @@ -1,21 +1,37 @@ [ { type: install message: < persist # create crowdsec ipv6 table table persist +block drop in quick from to any +block drop in quick from to any +---------- + +To apply the file: + +# pfctl -f /etc/pf.conf + +Then activate the bouncer via sysrc: + # sysrc crowdsec_firewall_enable="YES" EOM } ] diff --git a/security/crowdsec-firewall-bouncer/pkg-plist b/security/crowdsec-firewall-bouncer/pkg-plist index d47d3e2429aa..6a41287c1e57 100644 --- a/security/crowdsec-firewall-bouncer/pkg-plist +++ b/security/crowdsec-firewall-bouncer/pkg-plist 
@@ -1,2 +1,4 @@
-@sample etc/crowdsec-firewall-bouncer/crowdsec-firewall-bouncer.yaml.sample
+@mode 0755
 bin/crowdsec-firewall-bouncer
+@mode 0600
+@sample %%ETCDIR%%/crowdsec-firewall-bouncer.yaml.sample
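Review bot: The `@mode 0600` set for the sample configuration is never reset, and `@mode` applies to every entry that follows it, so anything appended to the packing list after this line (presumably the rc script added through `USE_RC_SUBR`) would inherit 0600 as well. Adding a bare `@mode` line after the `@sample` entry restores the default and keeps the restriction scoped to the file that holds the API key.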