Tested on mvebu espressobin board ultra and espressobin board v7 eMMC, in OpenWrt 21.02-RC3 et OpenWrt 19.07.7…
… ENJOY !
Note : feedback welcome ! 
1 Like
1 Like
packages available now for testing also for mipsel_24kc ( like Device: Xiaomi R3P (mt7621)… )
→ crowdsec-openwrt/package/custom at master · erdoukki/crowdsec-openwrt · GitHub
1 Like
PR to OpenWrt Package still in progress…
May need some more work on upgrade mode !
and
I get some tweaks from the Debian packages, but it may still be enhanced…
Fill free to give feedback !
root@ULTRA-5G:~# cscli version
2021/08/25 13:46:04 version: v1.1.1-v1.1.1
2021/08/25 13:46:04 Codename: alphaga
2021/08/25 13:46:04 BuildDate: 2021-08-25_13:09:10
2021/08/25 13:46:04 GoVersion: 1.16.2
2021/08/25 13:46:04 Constraint_parser: >= 1.0, <= 2.0
2021/08/25 13:46:04 Constraint_scenario: >= 1.0, < 3.0
2021/08/25 13:46:04 Constraint_api: v1
2021/08/25 13:46:04 Constraint_acquis: >= 1.0, < 2.0
root@ULTRA-5G:~# cscli metrics
INFO[25-08-2021 01:45:37 PM] Local Api Metrics:
+----------------------+--------+------+
| ROUTE | METHOD | HITS |
+----------------------+--------+------+
| /v1/decisions/stream | GET | 34 |
| /v1/watchers/login | POST | 2 |
+----------------------+--------+------+
INFO[25-08-2021 01:45:37 PM] Local Api Bouncers Metrics:
+------------------------------+----------------------+--------+------+
| BOUNCER | ROUTE | METHOD | HITS |
+------------------------------+----------------------+--------+------+
| cs-firewall-bouncer-EJfPpO7s | /v1/decisions/stream | GET | 34 |
+------------------------------+----------------------+--------+------+
root@ULTRA-5G:~# cs-firewall-bouncer -V
version: v0.0.13-v0.0.13
BuildDate: 2021-08-25_13:37:07
GoVersion: 1.16.2
root@ULTRA-5G:~# uname -ar
Linux ULTRA-5G 5.4.137 #0 SMP Sat Jul 31 17:21:01 2021 aarch64 GNU/Linux
root@ULTRA-5G:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='21.02.0-rc4'
DISTRIB_REVISION='r16256-2d5ee43dc6'
DISTRIB_TARGET='mvebu/cortexa53'
DISTRIB_ARCH='aarch64_cortex-a53'
DISTRIB_DESCRIPTION='OpenWrt 21.02.0-rc4 r16256-2d5ee43dc6'
DISTRIB_TAINTS=''
I get some questions on the OpenWrt package reviews, that I am not sure to answer correctly :
Actually I want to ask, is there a reason why the user would want crowdsec-firewall-bouncer to use iptables if they have both iptables and nftables installed? If there is no functional difference then there is no need to make it user-selectable.
Is it necessary to let the user choose between iptables/nftables, when the two are installed ?
Or is it better to get something like the wizard.sh script, and detect with a preference to nftables ?
Are all of these *.yaml files (perhaps all files in
/etc/crowdsec) configuration files?
Is it necessary to save all the files between package upgrade ?
Or, like I am suggesting;
the essentials only are
/etc/crowdsec/config.yamland/etc/crowdsec/local_api_credentials.yaml
others may be modified, as far as I now.
More can be seen in the PR, but it is mainly the ones where I need advanced users feedback !
I will get more fix to the PR, depends of your feedback…
I still have to better manage API keys and cscli register between upgrade or reinstall !
I do not use cscli backup/restore and had preferred an external OpenWrt specific config file.
Anyway, all feedback is welcome.
Thanks in advance.
Hello @Gandalf 
imho it sounds rather dangerous to attempt to do this, I’m afraid that we might end up breaking stuff 
The plan here is to not trash any “custom” parsers and scenarios created and/or patched by the users.
Thank you very much for your work. For the latest point, hopefully we are going to improve this in the not-so-distant future to clearly split “user” configs and the ones from the hub.
Regards,
I do not understand, the wizard.sh do the detection…
Choice #1. What I mean is to do it at firewall-bouncer service restart.
- If nftables is here, use it
- if nftables is not here, use iptables and check ipset (wrote a message if it is missing)
Choice #2. Do a default mode detect at install (same as upper) and then use a user config mode setting.
This second choice will get more user error possibility (IMHO)
Will it be here for next release ?
If so, I can wait for it for packaging to OpenWrt ?
Regards,
Crowdsec: Initial package v1.1.1 by erdoukki · Pull Request #16244 · openwrt/packages · GitHub package approved… soon to me merged !? 
1 Like
Updating the OpenWrt Package to Crowdsec v1.2.0 and Crowdsec-Firewall-Bouncer v0.15.0…
1 Like
This is a long time process…
Some good news about it;
The PR is now in two parts, the main Crowdsec component crowdsec: initial package v1.2.0 by erdoukki · Pull Request #16244 · openwrt/packages · GitHub and the Firewall Bouncer crowdsec-firewall-bouncer: initial package v0.0.15 by erdoukki · Pull Request #16844 · openwrt/packages · GitHub …
They both have been reviewed, both approved twice, and may be merged in few days in snapshot !
Merged today ! 
Will try to make it available also in 21.02.x
great work on this Gandalf, many years ago I dream’t of simple, open, and seamless distributed security for SOHO… having a build a few people use, and having this package in the OpenWrt repo’s takes this one step closer…
I’m new to crowdsec, but I will definitely be having a crack at it over the next month or two…
cheers
1 Like
It’s the dream that shapes the world
(Aboriginal concept)
1 Like
The PR was merged this morning and packages will be available in few days for 21.02 !
Actually discussed here at OpenWrt Forum : Crowdsec: initial packages v1.2.0 for OpenWrt - For Developers - OpenWrt Forum
Welcome to the new users from the OpenWrt community…
More to come, soon !
OpenWrt packages updated to version 1.2.1 of crowdsec.
Same, pushed also in 21.02
2 Likes