FreeBSD Bugzilla – Attachment 231126 Details for
Bug 261304
security/crowdsec: upgrade to 1.2.3_1; crowdsec-firewall-bouncer: update to 0.0.22_1
[patch]
patch for crowdsec-firewall-bouncer 0.0.22
0001-security-crowdsec-firewall-bouncer-v0.0.22.patch (text/plain), 8.15 KB, created by
marco
on 2022-01-18 13:12:38 UTC
Description:
patch for crowdsec-firewall-bouncer 0.0.22
Filename:
MIME Type:
Creator:
marco
Created:
2022-01-18 13:12:38 UTC
Size:
8.15 KB
patch
obsolete
>From 18540156c151f273645474ee7d0c600dad804fe8 Mon Sep 17 00:00:00 2001
>From: Marco Mariani <marco@crowdsec.net>
>Date: Tue, 18 Jan 2022 14:06:28 +0100
>Subject: [PATCH] security/crowdsec-firewall-bouncer v0.0.22
>
>---
> security/crowdsec-firewall-bouncer/Makefile | 9 +++--
> security/crowdsec-firewall-bouncer/distinfo | 6 +--
> .../crowdsec-firewall-bouncer.conf-newsyslog | 2 +-
> .../files/crowdsec_firewall.in | 9 ++++-
> .../files/patch-pf.go | 38 +++++++++++++++++++
> .../files/pkg-message.in | 21 +++++-----
> 6 files changed, 64 insertions(+), 21 deletions(-)
> create mode 100644 security/crowdsec-firewall-bouncer/files/patch-pf.go
>
>diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile
>index 6f9b4c3b9649..e6e8a0cfa707 100644
>--- a/security/crowdsec-firewall-bouncer/Makefile
>+++ b/security/crowdsec-firewall-bouncer/Makefile
>@@ -1,5 +1,6 @@
> PORTNAME= crowdsec-firewall-bouncer
>-PORTVERSION= 0.0.20 # NOTE: change BUILD_VERSION and BUILD_TAG as well
>+PORTVERSION= 0.0.22 # NOTE: change BUILD_VERSION and BUILD_TAG as well
>+#PORTREVISION=
> DISTVERSIONPREFIX= v
> CATEGORIES= security
>
>@@ -19,7 +20,7 @@ RUN_DEPENDS= crowdsec>0:security/crowdsec
> USE_GITHUB= yes
> GH_ACCOUNT= crowdsecurity
> GH_PROJECT= cs-firewall-bouncer
>-GH_TAGNAME= v0.0.20-freebsd
>+GH_TAGNAME= v0.0.22-freebsd
> #GH_TAGNAME is automatically set from DISTVERSION
>
> USE_RC_SUBR= crowdsec_firewall
>@@ -29,8 +30,8 @@ SUB_FILES= pkg-message \
>
> # BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))
> # BUILD_TAG=$(git rev-parse HEAD)
>-MAKE_ENV= BUILD_VERSION="v0.0.20" \
>- BUILD_TAG="a456a4debdf3d3551c89b8490bb942f626027310"
>+MAKE_ENV= BUILD_VERSION="v0.0.22" \
>+ BUILD_TAG="50336d1ecdd97b296c3d9d4f1604afd4d59c4c3f"
>
> ETCDIR= ${PREFIX}/etc/crowdsec/bouncers
>
>diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo
>index 1548b93d6c60..2996074a2575 100644
>--- a/security/crowdsec-firewall-bouncer/distinfo
>+++ b/security/crowdsec-firewall-bouncer/distinfo
>@@ -1,3 +1,3 @@
>-TIMESTAMP = 1640213523
>-SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 95f8abf5f44e700e7f0a41edf5367715ce06918cb0de7a5d084bdca277563171
>-SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 3018717
>+TIMESTAMP = 1642465397
>+SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.22-v0.0.22-freebsd_GH0.tar.gz) = c2c9eddeb52db34216fcbc540e001f7d0742c5363b78307f30de24e19cf6e57a
>+SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.22-v0.0.22-freebsd_GH0.tar.gz) = 3018814
>diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog b/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog
>index b26fae25b5ce..0f73ab227501 100644
>--- a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog
>+++ b/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog
>@@ -1,2 +1,2 @@
> # logfilename [owner:group] mode count size(kb) when flags [/pid_file] [sig_num]
>-/var/log/crowdsec-firewall-bouncer.log root:wheel 644 10 5120 * JC /var/run/crowdsec_firewall.pid
>+/var/log/crowdsec-firewall-bouncer.log root:wheel 644 10 20480 * JC /var/run/crowdsec_firewall.pid
>diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
>index 6a0f96f26f8f..e166aa063f8f 100755
>--- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
>+++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
>@@ -9,6 +9,10 @@
> #
> # crowdsec_firewall_enable (bool): Set it to YES to enable crowdsec firewall.
> # Default is "NO"
>+# crowdsec_firewall_config (str): Set the bouncer config path.
>+# Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml"
>+# crowdsec_firewall_flags (str): extra flags to run bouncer.
>+# Default is ""
>
> . /etc/rc.subr
>
>@@ -20,6 +24,7 @@ load_rc_config $name
>
> : "${crowdsec_firewall_enable:=NO}"
> : "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}"
>+: "${crowdsec_firewall_flags:=}"
>
> pidfile=/var/run/${name}.pid
> required_files="$crowdsec_firewall_config"
>@@ -43,7 +48,7 @@ crowdsec_firewall_precmd() {
> fi
>
> # needs real tabs
>- cat <<-EOT | /sbin/pfctl -f /dev/fd/0
>+ cat <<-EOT | /sbin/pfctl -a crowdsec -f -
> table <crowdsec-blacklists> persist
> table <crowdsec6-blacklists> persist
> block drop in quick from <crowdsec-blacklists> to any
>@@ -54,7 +59,7 @@ crowdsec_firewall_precmd() {
>
> crowdsec_firewall_start() {
> /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
>- ${command} -c "${crowdsec_firewall_config}"
>+ ${command} -c "${crowdsec_firewall_config}" ${crowdsec_firewall_flags}
> }
>
> run_rc_command "$1"
>diff --git a/security/crowdsec-firewall-bouncer/files/patch-pf.go b/security/crowdsec-firewall-bouncer/files/patch-pf.go
>new file mode 100644
>index 000000000000..c281f5b46d94
>--- /dev/null
>+++ b/security/crowdsec-firewall-bouncer/files/patch-pf.go
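Review bot: The precmd now loads the tables and block rules into the `crowdsec` anchor (`/sbin/pfctl -a crowdsec -f -`), but nothing verifies that the active main ruleset references that anchor, and as far as I know a ruleset loaded into an unreferenced anchor is never evaluated — the bouncer would then start, populate the tables, log success and block nothing, which is a silent fail-open for the whole port. Consider warning (or failing) before the heredoc, e.g. `if ! /sbin/pfctl -sr 2>/dev/null | grep -q '^anchor "crowdsec"'; then` / `warn "anchor crowdsec is not referenced by the loaded pf ruleset; bouncer rules will not take effect"` / `fi`. The anchor name is also hard-coded here, in files/patch-pf.go and in pkg-message.in, so a single `pf_anchor=crowdsec` variable in this script would at least keep the rc side in one place. crowdsec_firewall_precmd() starts outside the hunk.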
>@@ -0,0 +1,38 @@
>+--- pf.go.orig 2022-01-18 11:38:14 UTC
>++++ pf.go
>+@@ -66,7 +66,7 @@ func newPF(config *bouncerConfig) (interface{}, error)
>+ func (ctx *pfContext) checkTable() error {
>+ log.Infof("Checking pf table: %s", ctx.table)
>+
>+- cmd := exec.Command(pfctlCmd, "-s", "Tables")
>++ cmd := exec.Command(pfctlCmd, "-a", "crowdsec", "-s", "Tables")
>+ out, err := cmd.CombinedOutput()
>+
>+ if err != nil {
>+@@ -79,7 +79,7 @@ func (ctx *pfContext) checkTable() error {
>+ }
>+
>+ func (ctx *pfContext) shutDown() error {
>+- cmd := exec.Command(pfctlCmd, "-t", ctx.table, "-T", "flush")
>++ cmd := exec.Command(pfctlCmd, "-a", "crowdsec", "-t", ctx.table, "-T", "flush")
>+ log.Infof("pf table clean-up : %s", cmd.String())
>+ if out, err := cmd.CombinedOutput(); err != nil {
>+ log.Errorf("Error while flushing table (%s): %v --> %s", cmd.String(), err, string(out))
>+@@ -94,7 +94,7 @@ func (ctx *pfContext) Add(decision *models.Decision) e
>+ return err
>+ }
>+ log.Debugf(addBanFormat, backendName, *decision.Value, strconv.Itoa(int(banDuration.Seconds())), *decision.Scenario)
>+- cmd := exec.Command(pfctlCmd, "-t", ctx.table, "-T", "add", *decision.Value)
>++ cmd := exec.Command(pfctlCmd, "-a", "crowdsec", "-t", ctx.table, "-T", "add", *decision.Value)
>+ log.Debugf("pfctl add : %s", cmd.String())
>+ if out, err := cmd.CombinedOutput(); err != nil {
>+ log.Infof("Error while adding to table (%s): %v --> %s", cmd.String(), err, string(out))
>+@@ -109,7 +109,7 @@ func (ctx *pfContext) Delete(decision *models.Decision
>+ return err
>+ }
>+ log.Debugf(delBanFormat, backendName, *decision.Value, strconv.Itoa(int(banDuration.Seconds())), *decision.Scenario)
>+- cmd := exec.Command(pfctlCmd, "-t", ctx.table, "-T", "delete", *decision.Value)
>++ cmd := exec.Command(pfctlCmd, "-a", "crowdsec", "-t", ctx.table, "-T", "delete", *decision.Value)
>+ log.Debugf("pfctl del : %s", cmd.String())
>+ if out, err := cmd.CombinedOutput(); err != nil {
>+ log.Infof("Error while deleting from table (%s): %v --> %s", cmd.String(), err, string(out))
>diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in
>index 8bcdc8d1d9d6..9bf373936f83 100644
>--- a/security/crowdsec-firewall-bouncer/files/pkg-message.in
>+++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in
>@@ -21,23 +21,22 @@ pf_enable: NO -> YES
> Enabling pf.
> ----------
>
>-Then activate the bouncer via sysrc:
>+Add the following in /etc/pf.conf to create the firewall tables and rules:
>
> ----------
>-# sysrc crowdsec_firewall_enable="YES"
>-crowdsec_firewall_enable: NO -> YES
>-# service crowdsec_firewall start
>+anchor crowdsec
> ----------
>
>-After a few seconds, the bouncer should have created the tables and rules:
>+To apply the file:
>+
>+# pfctl -f /etc/pf.conf
>+
>+Then activate the bouncer via sysrc and run it:
>
> ----------
>-# pfctl -s Tables
>-crowdsec-blacklists
>-crowdsec6-blacklists
>-# pfctl -s Tables -s rules
>-block drop in quick from <crowdsec-blacklists> to any
>-block drop in quick from <crowdsec6-blacklists> to any
>+# sysrc crowdsec_firewall_enable="YES"
>+crowdsec_firewall_enable: NO -> YES
>+# service crowdsec_firewall start
> ----------
>
> EOM
>--
>2.32.0
>
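Review bot: The new files/patch-pf.go repeats the anchor name as the literal `"crowdsec"` in four separate exec.Command calls (checkTable, shutDown, Add, Delete), and that same name must agree with the rc script's `pfctl -a crowdsec` and the `anchor crowdsec` line in pkg-message.in; a single `const pfAnchor = "crowdsec"` in pf.go, used as `exec.Command(pfctlCmd, "-a", pfAnchor, "-t", ctx.table, ...)`, would make any future rename a one-line change rather than a hunt across three files. The patch file also has no explanatory header; FreeBSD port patches conventionally carry a comment above the `---` line, so something like `Run every pfctl call against the dedicated "crowdsec" anchor, matching the anchor set up by the rc script and documented in pkg-message.in.` would tell the next maintainer why this port diverges from upstream. On the positive side the anchor flag and table name are passed as separate argv entries, so no shell is involved. Each of the four modified functions starts or ends outside its inner hunk.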