From: Sofian Brabez
Date: Fri, 17 Dec 2021 12:39:42 GMT
Message-Id: <202112171239.1BHCdgJV053776@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 04d93cdfdfe4 - main - security/crowdsec-firewall-bouncer: update to 0.0.17
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: sbz
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Commit: 04d93cdfdfe4a4aab87b84021f0c486f8980feb7

The branch main has been updated by sbz:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=04d93cdfdfe4a4aab87b84021f0c486f8980feb7

commit 04d93cdfdfe4a4aab87b84021f0c486f8980feb7
Author:     Sofian Brabez
AuthorDate: 2021-12-16 19:37:18 +0000
Commit:     Sofian Brabez
CommitDate: 2021-12-17 12:32:57 +0000

    security/crowdsec-firewall-bouncer: update to 0.0.17

    Update to 0.0.17 release and pass the maintainership to the submitter.

    PR:     260264
---
 security/crowdsec-firewall-bouncer/Makefile | 47 +++++++++++++++-------
 security/crowdsec-firewall-bouncer/distinfo | 8 ++--
 .../files/crowdsec_firewall.in | 33 ++++++++++++---
 .../crowdsec-firewall-bouncer/files/patch-Makefile | 11 +++++
 .../files/pkg-deinstall.in | 8 ++++
 .../crowdsec-firewall-bouncer/files/pkg-message.in | 22 ++++++++--
 security/crowdsec-firewall-bouncer/pkg-plist | 4 +-
 7 files changed, 104 insertions(+), 29 deletions(-)

diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile index 60925f445797..36a868801a50 100644 --- a/security/crowdsec-firewall-bouncer/Makefile +++ b/security/crowdsec-firewall-bouncer/Makefile 
@@ -1,40 +1,59 @@ PORTNAME= crowdsec-firewall-bouncer -PORTVERSION= 0.0.13 +PORTVERSION= 0.0.17 # NOTE: change BUILD_VERSION and BUILD_TAG as well DISTVERSIONPREFIX= v CATEGORIES= security -MAINTAINER= sbz@FreeBSD.org -COMMENT= Crowdsec bouncer written in golang for firewalls +MAINTAINER= marco@crowdsec.net +COMMENT= CrowdSec bouncer written in golang for firewalls LICENSE= MIT LICENSE_FILE= ${WRKSRC}/LICENSE +BUILD_DEPENDS= git:devel/git@lite \ + go:lang/go + +USES= gmake + RUN_DEPENDS= crowdsec>0:security/crowdsec -USES= go:modules +USE_GITHUB= yes +GH_ACCOUNT= crowdsecurity +GH_PROJECT= cs-firewall-bouncer +#GH_TAGNAME is automatically set from DISTVERSION USE_RC_SUBR= crowdsec_firewall -GO_MODULE= github.com/crowdsecurity/cs-firewall-bouncer +SUB_FILES= pkg-message \ + pkg-deinstall + +# BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1)) +# BUILD_TAG=$(git rev-parse HEAD) +MAKE_ENV= BUILD_VERSION="v0.0.17" \ + BUILD_TAG="b330209afcdefd0046fd6790999bbb342c02f1b3" -GO_BUILDFLAGS= -ldflags "-s -w \ - -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=v${PORTVERSION} \ - -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=freebsd \ - -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=`date -u '+%Y-%m-%d_%I:%M:%S%p'`" +ETCDIR= ${PREFIX}/etc/crowdsec/bouncers -SUB_FILES= pkg-message +do-patch: + cd ${WRKSRC} && go mod download github.com/mattn/go-sqlite3 post-patch: ${REINPLACE_CMD} 's,$${BACKEND},pf,g' \ ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml do-install: - @${MKDIR} ${STAGEDIR}${ETCDIR} + # + # Binaries + # + + ${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-firewall-bouncer \ + ${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer + + # + # Configuration + # + @${MKDIR} ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \ ${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample - ${INSTALL_PROGRAM} ${WRKDIR}/bin/crowdsec-firewall-bouncer \ - 
${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer - .include diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo index cf74c8b81d95..001ca177529b 100644 --- a/security/crowdsec-firewall-bouncer/distinfo +++ b/security/crowdsec-firewall-bouncer/distinfo @@ -1,5 +1,3 @@ -TIMESTAMP = 1625834541 -SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.mod) = c4ee3539ac5bd53f013e0798add577d5daef4480ad6910a3c35c381e74b26f63 -SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.mod) = 935 -SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.zip) = 0817452582e7ff9f92ae7c51751c6de86a277d7b772e5ac1b35dc7a3ea35aba7 -SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.13/v0.0.13.zip) = 148490 +TIMESTAMP = 1637702397 +SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 53af239b86c6b554da3711e3686d7d3036d33b2e561bfb00e195b6c8a06918c8 +SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 143037 diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in index 1bc55e6ca263..ee3dcc9f7325 100755 --- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in +++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in 
@@ -18,13 +18,34 @@ rcvar=crowdsec_firewall_enable load_rc_config $name -: ${crowdsec_firewall_enable:="NO"} -: ${crowdsec_firewall_config:="%%PREFIX%%/etc/crowdsec-firewall-bouncer/crowdsec-firewall-bouncer.yaml"} +: "${crowdsec_firewall_enable:=NO}" +: "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}" -pidfile=/var/run/$name.pid +pidfile=/var/run/${name}.pid required_files="$crowdsec_firewall_config" -procname="%%PREFIX%%/bin/crowdsec-firewall-bouncer" -command=/usr/sbin/daemon -command_args="-fp $pidfile -t '$desc' -- '$procname' -c '$crowdsec_firewall_config'" +command="%%PREFIX%%/bin/crowdsec-firewall-bouncer" +start_cmd="${name}_start" +start_precmd="${name}_precmd" + +crowdsec_firewall_precmd() { + CSCLI=%%PREFIX%%/bin/cscli + orig_line="api_key: \${API_KEY}" + if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then + SUFFIX=$(LC_CTYPE=C tr -dc A-Za-z0-9 /dev/null; then + API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw) + if [ -n "$API_KEY" ]; then + sed -i "" "s/^${orig_line}/api_key: ${API_KEY} # ${BOUNCER}/" "${crowdsec_firewall_config}" + echo "Registered: ${BOUNCER}" + fi + fi + fi +} + +crowdsec_firewall_start() { + /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \ + ${command} -c "${crowdsec_firewall_config}" +} run_rc_command "$1" diff --git a/security/crowdsec-firewall-bouncer/files/patch-Makefile b/security/crowdsec-firewall-bouncer/files/patch-Makefile new file mode 100644 index 000000000000..6d9e9a2e2f42 --- /dev/null +++ b/security/crowdsec-firewall-bouncer/files/patch-Makefile 
@@ -0,0 +1,11 @@ +--- Makefile.orig 2021-12-07 09:00:17 UTC ++++ Makefile +@@ -11,7 +11,7 @@ GOGET=$(GOCMD) get + BUILD_VERSION?="$(shell git describe --tags `git rev-list --tags --max-count=1`)" + BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -r 's/[go]+//g')" + BUILD_TIMESTAMP=$(shell date +%F"_"%T) +-BUILD_TAG="$(shell git rev-parse HEAD)" ++BUILD_TAG?="$(shell git rev-parse HEAD)" + export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \ + -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=$(BUILD_TIMESTAMP) \ + -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=$(BUILD_TAG) \ diff --git a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in new file mode 100644 index 000000000000..0324401c6e19 --- /dev/null +++ b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in @@ -0,0 +1,8 @@ +#!/bin/sh + +case $2 in + DEINSTALL) + service crowdsec_firewall stop || : + ;; +esac + diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in index 46710f5d090a..3929d468efd0 100644 --- a/security/crowdsec-firewall-bouncer/files/pkg-message.in +++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in 
@@ -4,17 +4,33 @@ crowdsec-firewall-bouncer is installed. -You need to edit the config file %%ETCDIR%%/crowdsec-firewall-bouncer.yaml, your pf -config and enable rc via sysrc. +The bouncer should register itself but you may want to check the +configuration file, which is now in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml +(for consistency with the other platforms). -Add the following in pf.conf to create the tables +In previous versions, the configuration was in /usr/local/etc/crowdsec-firewall-bouncer, you may need +to check if you made any changes there. +If it's the first time, you need to edit your Packet Filter configuration. +Add the following in /etc/pf.conf to create the tables: + +---------- # create crowdsec ipv4 table table persist # create crowdsec ipv6 table table persist +block drop in quick from to any +block drop in quick from to any +---------- + +To apply the file: + +# pfctl -f /etc/pf.conf + +Then activate the bouncer via sysrc: + # sysrc crowdsec_firewall_enable="YES" EOM } diff --git a/security/crowdsec-firewall-bouncer/pkg-plist b/security/crowdsec-firewall-bouncer/pkg-plist index d47d3e2429aa..6a41287c1e57 100644 --- a/security/crowdsec-firewall-bouncer/pkg-plist +++ b/security/crowdsec-firewall-bouncer/pkg-plist @@ -1,2 +1,4 @@ -@sample etc/crowdsec-firewall-bouncer/crowdsec-firewall-bouncer.yaml.sample +@mode 0755 bin/crowdsec-firewall-bouncer +@mode 0600 +@sample %%ETCDIR%%/crowdsec-firewall-bouncer.yaml.sample
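
Review bot: In security/crowdsec-firewall-bouncer/Makefile, the new `do-patch:` target runs `go mod download github.com/mattn/go-sqlite3`, which needs network access after the fetch phase and will fail in a build environment that only allows network during fetch. Defining `do-patch` in the port also takes the place of the framework's own patch target, so please confirm that files/patch-Makefile is still applied; if it is not, the `BUILD_TAG` value passed through `MAKE_ENV` is overridden by the upstream assignment. Moving the download to a distfile and using `post-patch` or `pre-build` for any remaining step would address both. Separately, `BUILD_VERSION="v0.0.17"` repeats `PORTVERSION` by hand; `v${PORTVERSION}` removes one of the two places the NOTE comment asks maintainers to remember.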
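
Review bot: In security/crowdsec-firewall-bouncer/distinfo, the only checksum left is for crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz, so the go-sqlite3 module that the Makefile's `do-patch` downloads has no SHA256/SIZE entry and is not verified by the ports framework. Add it as a distfile so it is fetched and checked with the tarball. The commit hash hardcoded in `BUILD_TAG` is likewise not tied to this tarball checksum; a short comment stating that it is the commit behind tag v0.0.17 would help the next update keep the two in step.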
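
Review bot: In files/crowdsec_firewall.in, `crowdsec_firewall_precmd` places `${API_KEY}` unescaped into the sed replacement `s/^${orig_line}/api_key: ${API_KEY} # ${BOUNCER}/`, so a key containing `/` or `&` breaks or corrupts the substitution, and the key is readable in sed's argument list while the command runs. Check the key against the expected character set before substituting, or write the line with a tool that reads the value from a file or stdin. The `if [ -n "$API_KEY" ]` test has no else branch: when `cscli bouncers add` returns nothing, the precmd ends quietly and the daemon starts with the `${API_KEY}` placeholder still in the config, so print a warning and return non-zero in that case. In `crowdsec_firewall_start`, `${pidfile}` and `${command}` should be quoted like the other expansions.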
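
Review bot: In files/patch-Makefile, the unchanged context line `BUILD_TIMESTAMP=$(shell date +%F"_"%T)` still stamps the wall-clock build time into the binary through `LD_OPTS`, so two builds of the same source produce different binaries. While changing `BUILD_TAG` to `?=`, do the same for `BUILD_TIMESTAMP` and set it from the port's `MAKE_ENV`. With `BUILD_VERSION` and `BUILD_TAG` both supplied by the port, neither `$(shell git ...)` default shown here should be evaluated, so check whether the `git:devel/git@lite` build dependency is still needed.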
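
Review bot: In files/pkg-deinstall.in, the DEINSTALL branch stops the service but leaves the bouncer registration created by the rc script's precmd in place, so the API key stays valid in CrowdSec after the package is removed. Either delete the registration here (the rc script records the bouncer name as a comment on the `api_key:` line) or tell the administrator in pkg-message to remove it with cscli. Minor: quote the selector as `case "$2" in`.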
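
Review bot: In files/pkg-message.in, the old location is written as `/usr/local/etc/crowdsec-firewall-bouncer` instead of `%%PREFIX%%/etc/crowdsec-firewall-bouncer`, which is wrong for a non-default PREFIX, and that line runs well past the wrap width used in the rest of the message. Nothing in this patch migrates the old file, so the message should say plainly that settings and the API key from the old path are not carried over and that the service registers a new bouncer the first time it starts.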