diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile
index d308b5c8d4d7..f4488f4953aa 100644
--- a/security/crowdsec-firewall-bouncer/Makefile
+++ b/security/crowdsec-firewall-bouncer/Makefile
@@ -1,53 +1,51 @@ PORTNAME= crowdsec-firewall-bouncer DISTVERSIONPREFIX= v -DISTVERSION= 0.0.27 -PORTREVISION= 2 -DISTVERSIONSUFFIX= -freebsd +DISTVERSION= 0.0.28 CATEGORIES= security MAINTAINER= marco@crowdsec.net COMMENT= CrowdSec bouncer written in golang for firewalls WWW= https://github.com/crowdsecurity/cs-firewall-bouncer LICENSE= MIT LICENSE_FILE= ${WRKSRC}/LICENSE -BUILD_DEPENDS= git:devel/git@lite - -USES= gmake go:no_targets - -USE_GITHUB= yes -GH_ACCOUNT= crowdsecurity -GH_PROJECT= cs-firewall-bouncer -_BUILD_TAG= f1f8b379 +USES= go:modules +_COMMIT= af6e7e2 +_BUILD_DATE= $$(date -u "+%F_%T") USE_RC_SUBR= crowdsec_firewall -MAKE_ARGS= BUILD_VERSION="${DISTVERSIONFULL}" \ - BUILD_TAG="${_BUILD_TAG}" \ - BUILD_VENDOR_FLAGS="-mod=vendor -modcacherw" +GO_MODULE= github.com/crowdsecurity/cs-firewall-bouncer +GO_TARGET= ${PORTNAME}:./${PORTNAME} +GO_BUILDFLAGS= -trimpath -tags netgo \ + -ldflags="\ + -a -s -w -extldflags '-static' \ + -X github.com/crowdsecurity/go-cs-lib/version.Version=${DISTVERSIONPREFIX}${DISTVERSION}-freebsd \ + -X github.com/crowdsecurity/go-cs-lib/version.BuildDate=${_BUILD_DATE} \ + -X github.com/crowdsecurity/go-cs-lib/version.Tag=${_COMMIT}" -SUB_FILES= pkg-deinstall pkg-install pkg-message +CGO_ENABLED= 0 -ETCDIR= ${PREFIX}/etc/crowdsec/bouncers +SUB_FILES= pkg-deinstall \ + pkg-install \ + pkg-message -post-patch: - ${REINPLACE_CMD} 's,$${BACKEND},pf,g' \ - ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml +ETCDIR= ${PREFIX}/etc/crowdsec/bouncers do-install: # # Binaries # - ${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-firewall-bouncer \ - ${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer + ${INSTALL_PROGRAM} ${WRKDIR}/bin/${PORTNAME} \ + ${STAGEDIR}${PREFIX}/bin/${PORTNAME} # # Configuration # @${MKDIR} ${STAGEDIR}${ETCDIR} - ${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \ - ${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample + ${INSTALL_DATA} ${WRKSRC}/config/${PORTNAME}.yaml \ + 
${STAGEDIR}${ETCDIR}/${PORTNAME}.yaml.sample .include
diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo
index a43c4d5e59c7..4a349fd2bda7 100644
--- a/security/crowdsec-firewall-bouncer/distinfo
+++ b/security/crowdsec-firewall-bouncer/distinfo
@@ -1,3 +1,5 @@
-TIMESTAMP = 1684281311
-SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.27-freebsd_GH0.tar.gz) = 1dba0604d0ff7d9035e2e2adcff42cddf7d0b63f23dd973ce692b6e18ee65126
-SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.27-freebsd_GH0.tar.gz) = 2600838
+TIMESTAMP = 1696243362
+SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.mod) = 8da878a2e78081ce7fd2b81f210eb146f87fa77f4c0b5b3857d1e6a4551dd048
+SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.mod) = 2632
+SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.zip) = 6aeaa00beee415f68b2f7a4d98e6b3c83c239f3fe8b1e8be93f34b13e77c940e
+SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.zip) = 181050
diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
old mode 100755
new mode 100644
index 475bb4ae0e53..dd2e10d6f918
--- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
+++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
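Review bot: `_BUILD_DATE= $$(date -u "+%F_%T")` bakes the wall-clock build time into the binary through the `version.BuildDate` ldflag, so rebuilding the same port revision yields a different binary every time and the build is not reproducible, which undercuts the `-trimpath` added to GO_BUILDFLAGS for exactly that purpose. If the ports framework exports `SOURCE_DATE_EPOCH` to the build (the hunk does not show whether it does), derive the stamp from it, e.g. `_BUILD_DATE= $$(date -u -r "$${SOURCE_DATE_EPOCH:-0}" "+%F_%T")`; otherwise drop the BuildDate ldflag rather than stamp a non-deterministic value. `_COMMIT= af6e7e2` is a hand-maintained pin with no automatic tie to DISTVERSION, so a comment such as `# abbreviated commit of the v0.0.28 tag; bump together with DISTVERSION` would keep the two from drifting silently. The `-a` placed inside `-ldflags` also looks like the `go build -a` flag rather than a linker option; if a forced rebuild was intended it belongs in GO_BUILDFLAGS itself, otherwise it can go.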
@@ -1,58 +1,98 @@ #!/bin/sh # # PROVIDE: crowdsec_firewall # REQUIRE: LOGIN DAEMON NETWORKING # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf.local or /etc/rc.conf # to enable this service: # # crowdsec_firewall_enable (bool): Set it to YES to enable crowdsec firewall. # Default is "NO" # crowdsec_firewall_config (str): Set the bouncer config path. # Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml" +# crowdsec_firewall_name (str): Name of the bouncer to register. +# Default is dynamically generated. # crowdsec_firewall_flags (str): extra flags to run bouncer. # Default is "" . /etc/rc.subr name=crowdsec_firewall desc="Crowdsec Firewall" rcvar=crowdsec_firewall_enable -load_rc_config $name +load_rc_config "$name" : "${crowdsec_firewall_enable:=NO}" : "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}" +: "${crowdsec_firewall_name:=cs-firewall-bouncer-$(date +%s)}" : "${crowdsec_firewall_flags:=}" pidfile=/var/run/${name}.pid required_files="$crowdsec_firewall_config" command="%%PREFIX%%/bin/crowdsec-firewall-bouncer" start_cmd="${name}_start" +stop_cmd="${name}_stop" start_precmd="${name}_precmd" +configtest_cmd="${name}_configtest" +extra_commands="configtest" crowdsec_firewall_precmd() { CSCLI=%%PREFIX%%/bin/cscli - orig_line="api_key: \${API_KEY}" + # there might be quotes + orig_line="api_key: .*\${API_KEY}.*" # IF the bouncer is not configured if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then - BOUNCER="cs-firewall-bouncer-$(date +%s)" # AND crowdsec is installed.. 
if command -v "$CSCLI" >/dev/null; then # THEN, register it to the local API - API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw) + API_KEY=$($CSCLI bouncers add "${crowdsec_firewall_name}" -o raw) if [ -n "$API_KEY" ]; then - sed -i "" "s/^${orig_line}/api_key: ${API_KEY} # ${BOUNCER}/" "${crowdsec_firewall_config}" - echo "Registered: ${BOUNCER}" + sed -i "" "s|^${orig_line}|api_key: ${API_KEY} # ${crowdsec_firewall_name}|" "${crowdsec_firewall_config}" + echo "Registered: ${crowdsec_firewall_name}" fi fi fi } +crowdsec_firewall_stop() +{ + if [ ! -f "$pidfile" ]; then + echo "${name} is not running." + return + fi + pid=$(cat "$pidfile") + if kill -0 "$pid" >/dev/null 2>&1; then + echo "Stopping ${name}." + kill -s TERM "$pid" >/dev/null 2>&1 + # shellcheck disable=SC2034 + for i in $(seq 1 20); do + sleep 1 + if ! kill -0 "$pid" >/dev/null 2>&1; then + rm -f "$pidfile" + return + fi + done + echo "Timeout, terminating ${name} with SIGKILL." + kill -s KILL "$pid" >/dev/null 2>&1 + rm -f "$pidfile" + else + echo "${name} is not running." + fi +} + crowdsec_firewall_start() { - /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \ - ${command} -c "${crowdsec_firewall_config}" ${crowdsec_firewall_flags} + /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \ + "$command" -c "$crowdsec_firewall_config" ${crowdsec_firewall_flags} +} + +crowdsec_firewall_configtest() +{ + echo "Performing sanity check on ${name} configuration." + if "$command" -c "$crowdsec_firewall_config" -t; then + echo "Configuration test OK" + fi } run_rc_command "$1" diff --git a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in old mode 100755 new mode 100644 diff --git a/security/crowdsec-firewall-bouncer/files/pkg-install.in b/security/crowdsec-firewall-bouncer/files/pkg-install.in old mode 100755 new mode 100644 
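Review bot: The new `sed -i "" "s|^${orig_line}|api_key: ${API_KEY} # ${crowdsec_firewall_name}|"` in crowdsec_firewall_precmd splices the now rc.conf-settable `crowdsec_firewall_name` (and the key returned by cscli) into the sed replacement unescaped, so a name containing `|`, `&` or `\` either breaks the expression or re-inserts the matched line in place of the name, and the same unvalidated string is what `cscli bouncers add` registers. Rejecting anything outside a safe character set right after the defaults are set would close that, e.g. `case "$crowdsec_firewall_name" in ""|*[!A-Za-z0-9._-]*) err 1 "crowdsec_firewall_name must be non-empty and use only [A-Za-z0-9._-]";; esac`. Since the edited file then holds the LAPI key and nothing in this script restricts its mode, it is worth confirming the config is not world-readable after the substitution (a `chmod 0600 "${crowdsec_firewall_config}"` after the sed, unless the mode is already handled at install time). The hunk also assumes the 0.0.28 binary accepts `-t` for the new configtest command; that cannot be checked from here.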
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in
index 85b8a16382d5..336b3e4fd4dd 100644
--- a/security/crowdsec-firewall-bouncer/files/pkg-message.in
+++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in
@@ -1,47 +1,52 @@
[ { type: install message: < YES # service pf start Enabling pf. ---------- Add the following in /etc/pf.conf to create the firewall tables and rules: ---------- table persist table persist block drop in quick from to any block drop in quick from to any ---------- To apply the file: # pfctl -f /etc/pf.conf Then activate the bouncer via sysrc and run it: ---------- # sysrc crowdsec_firewall_enable="YES" crowdsec_firewall_enable: NO -> YES # service crowdsec_firewall start ---------- EOM } ]