
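--- a/security/crowdsec-firewall-bouncer/Makefile
+++ b/security/crowdsec-firewall-bouncer/Makefile
@@ -1,40 +1,59 @@
 PORTNAME=	crowdsec-firewall-bouncer
-PORTVERSION=	0.0.13
+PORTVERSION=	0.0.17	# NOTE: change BUILD_VERSION and BUILD_TAG as well
 DISTVERSIONPREFIX=	v
 CATEGORIES=	security
 
-MAINTAINER=	sbz@FreeBSD.org
+MAINTAINER=	marco@crowdsec.net
-COMMENT=	Crowdsec bouncer written in golang for firewalls
+COMMENT=	CrowdSec bouncer written in golang for firewalls
 
 LICENSE=	MIT
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
+BUILD_DEPENDS=	git:devel/git@lite \
+		go:lang/go
+
+USES=		gmake
+
 RUN_DEPENDS=	crowdsec>0:security/crowdsec
 
-USES=		go:modules
+USE_GITHUB=	yes
+GH_ACCOUNT=	crowdsecurity
+GH_PROJECT=	cs-firewall-bouncer
+#GH_TAGNAME is automatically set from DISTVERSION
 
 USE_RC_SUBR=	crowdsec_firewall
 
-GO_MODULE=	github.com/crowdsecurity/cs-firewall-bouncer
+SUB_FILES=	pkg-message \
+		pkg-deinstall
+
+# BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))
+# BUILD_TAG=$(git rev-parse HEAD)
+MAKE_ENV=	BUILD_VERSION="v0.0.17" \
+		BUILD_TAG="b330209afcdefd0046fd6790999bbb342c02f1b3"
 
-GO_BUILDFLAGS=	-ldflags "-s -w \
+ETCDIR=		${PREFIX}/etc/crowdsec/bouncers
-		-X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=v${PORTVERSION} \
-		-X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=freebsd \
-		-X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=`date -u '+%Y-%m-%d_%I:%M:%S%p'`"
 
-SUB_FILES=	pkg-message
+do-patch:
+	cd ${WRKSRC} && go mod download github.com/mattn/go-sqlite3
 
 post-patch:
 	${REINPLACE_CMD} 's,$${BACKEND},pf,g' \
 		${WRKSRC}/config/crowdsec-firewall-bouncer.yaml
 
 do-install:
-	@${MKDIR} ${STAGEDIR}${ETCDIR}
+	#
+	# Binaries
+	#
+
+	${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-firewall-bouncer \
+		${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer
+
+	#
+	# Configuration
+	#
 
+	@${MKDIR} ${STAGEDIR}${ETCDIR}
 	${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \
 		${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample
 
-	${INSTALL_PROGRAM} ${WRKDIR}/bin/crowdsec-firewall-bouncer \
-		${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer
-
 .include <bsd.port.mk>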
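Review bot: The new `do-patch` target runs `go mod download github.com/mattn/go-sqlite3` during the build, so that module is pulled over the network outside the fetch phase and is not pinned by any checksum in distinfo, which this change reduces to the single GitHub tarball. Defining `do-patch` in the port also appears to replace the framework's default patch step, in which case the newly added files/patch-Makefile (`BUILD_TAG?=`) would never be applied and the `BUILD_TAG` passed through `MAKE_ENV` would be overridden by the upstream assignment; this is worth confirming with a clean build. Letting the ports machinery fetch the dependencies would address both, for example keeping `USES=		go:modules` with `GO_MODULE=	github.com/crowdsecurity/cs-firewall-bouncer` as on the old side and dropping the `do-patch` override.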
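--- a/security/crowdsec-firewall-bouncer/distinfo
+++ b/security/crowdsec-firewall-bouncer/distinfo
@@ -1,5 +1,3 @@
-TIMESTAMP = 1625834541
+TIMESTAMP = 1637702397
-SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.mod) = c4ee3539ac5bd53f013e0798add577d5daef4480ad6910a3c35c381e74b26f63
+SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 53af239b86c6b554da3711e3686d7d3036d33b2e561bfb00e195b6c8a06918c8
-SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.mod) = 935
+SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 143037
-SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.zip) = 0817452582e7ff9f92ae7c51751c6de86a277d7b772e5ac1b35dc7a3ea35aba7
-SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.zip) = 148490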
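--- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
+++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
@@ -18,13 +18,34 @@ rcvar=crowdsec_firewall_enable
 
 load_rc_config $name
 
-: ${crowdsec_firewall_enable:="NO"}
+: "${crowdsec_firewall_enable:=NO}"
-: ${crowdsec_firewall_config:="%%PREFIX%%/etc/crowdsec-firewall-bouncer/crowdsec-firewall-bouncer.yaml"}
+: "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}"
 
-pidfile=/var/run/$name.pid
+pidfile=/var/run/${name}.pid
 required_files="$crowdsec_firewall_config"
-procname="%%PREFIX%%/bin/crowdsec-firewall-bouncer"
+command="%%PREFIX%%/bin/crowdsec-firewall-bouncer"
-command=/usr/sbin/daemon
+start_cmd="${name}_start"
-command_args="-fp $pidfile -t '$desc' -- '$procname' -c '$crowdsec_firewall_config'"
+start_precmd="${name}_precmd"
+
+crowdsec_firewall_precmd() {
+    CSCLI=%%PREFIX%%/bin/cscli
+    orig_line="api_key: \${API_KEY}"
+    if grep "^${orig_line}" "${crowdsec_firewall_config}"; then
+        SUFFIX=$(LC_CTYPE=C tr -dc A-Za-z0-9 </dev/urandom | head -c 8)
+        BOUNCER="cs-firewall-bouncer-${SUFFIX}"
+        if command -v $CSCLI; then
+            API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw)
+            if [ -n "$API_KEY" ]; then
+                sed -i "" "s/^${orig_line}/api_key: ${API_KEY}     # ${BOUNCER}/" "${crowdsec_firewall_config}"
+                echo "Registered: ${BOUNCER}"
+            fi
+        fi
+    fi
+}
+
+crowdsec_firewall_start() {
+    /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
+        ${command} -c "${crowdsec_firewall_config}"
+}
 
 run_rc_command "$1"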
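Review bot: A failed registration in `crowdsec_firewall_precmd` is silent: when `cscli` is missing or `bouncers add` returns nothing, the function still exits 0 and the daemon is started with the literal `${API_KEY}` placeholder in its config. Returning non-zero from those branches, e.g. `else echo "cannot register bouncer: cscli returned no key" >&2; return 1`, would surface the failure at `service crowdsec_firewall start`. The key is also spliced unescaped into the `sed` replacement, so a key containing `/` or `&` would break or corrupt the substitution; escaping it first, or using a delimiter that cannot occur in the key, avoids that. The `grep` and `command -v` calls also print to the console on every start; `grep -q` and `>/dev/null` would keep the output to the "Registered" line.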
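--- a/security/crowdsec-firewall-bouncer/files/patch-Makefile
+++ b/security/crowdsec-firewall-bouncer/files/patch-Makefile
@@ -0,0 +1,11 @@
+--- Makefile.orig	2021-12-07 09:00:17 UTC
++++ Makefile
+@@ -11,7 +11,7 @@ GOGET=$(GOCMD) get
+ BUILD_VERSION?="$(shell git describe --tags `git rev-list --tags --max-count=1`)"
+ BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -r 's/[go]+//g')"
+ BUILD_TIMESTAMP=$(shell date +%F"_"%T)
+-BUILD_TAG="$(shell git rev-parse HEAD)"
++BUILD_TAG?="$(shell git rev-parse HEAD)"
+ export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
+ -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=$(BUILD_TIMESTAMP) \
+ -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=$(BUILD_TAG) \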
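--- a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in
+++ b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+case $2 in
+       DEINSTALL)
+               service crowdsec_firewall stop || :
+               ;;
+esac
+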
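--- a/security/crowdsec-firewall-bouncer/files/pkg-message.in
+++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in
@@ -4,17 +4,33 @@
 
 crowdsec-firewall-bouncer is installed.
 
-You need to edit the config file %%ETCDIR%%/crowdsec-firewall-bouncer.yaml, your pf
+The bouncer should register itself but you may want to check the
-config and enable rc via sysrc.
+configuration file, which is now in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml
+(for consistency with the other platforms).
 
-Add the following in pf.conf to create the tables
+In previous versions, the configuration was in /usr/local/etc/crowdsec-firewall-bouncer, you may need
+to check if you made any changes there.
 
+If it's the first time, you need to edit your Packet Filter configuration.
+Add the following in /etc/pf.conf to create the tables:
+
+----------
 # create crowdsec ipv4 table
 table <crowdsec-blacklists> persist
 
 # create crowdsec ipv6 table
 table <crowdsec6-blacklists> persist
 
+block drop in quick from <crowdsec-blacklists> to any
+block drop in quick from <crowdsec6-blacklists> to any
+----------
+
+To apply the file:
+
+# pfctl -f /etc/pf.conf
+
+Then activate the bouncer via sysrc:
+
 # sysrc crowdsec_firewall_enable="YES"
 EOM
 }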
(-)b/security/crowdsec-firewall-bouncer/pkg-plist (-2 / +3 lines)
Lines 1-2 Link Here
1
@sample etc/crowdsec-firewall-bouncer/crowdsec-firewall-bouncer.yaml.sample
1
@mode 0755
2
bin/crowdsec-firewall-bouncer
2
bin/crowdsec-firewall-bouncer
3
- 
3
@mode 0600
4
@sample %%ETCDIR%%/crowdsec-firewall-bouncer.yaml.sample
