CrowdSec package for OpenWrt

Tested on mvebu espressobin board ultra and espressobin board v7 eMMC, in OpenWrt 21.02-RC3 and OpenWrt 19.07.7…

… ENJOY!
Note: feedback welcome! :wink:


Packages available now for testing, also for mipsel_24kc (like Device: Xiaomi R3P (mt7621)…)
crowdsec-openwrt/package/custom at master · erdoukki/crowdsec-openwrt · GitHub


PR to OpenWrt Package still in progress…

May need some more work on upgrade mode!

and

I took some tweaks from the Debian packages, but it may still be enhanced…
Feel free to give feedback!

root@ULTRA-5G:~# cscli version
2021/08/25 13:46:04 version: v1.1.1-v1.1.1
2021/08/25 13:46:04 Codename: alphaga
2021/08/25 13:46:04 BuildDate: 2021-08-25_13:09:10
2021/08/25 13:46:04 GoVersion: 1.16.2
2021/08/25 13:46:04 Constraint_parser: >= 1.0, <= 2.0
2021/08/25 13:46:04 Constraint_scenario: >= 1.0, < 3.0
2021/08/25 13:46:04 Constraint_api: v1
2021/08/25 13:46:04 Constraint_acquis: >= 1.0, < 2.0
root@ULTRA-5G:~# cscli metrics
INFO[25-08-2021 01:45:37 PM] Local Api Metrics:                           
+----------------------+--------+------+
|        ROUTE         | METHOD | HITS |
+----------------------+--------+------+
| /v1/decisions/stream | GET    |   34 |
| /v1/watchers/login   | POST   |    2 |
+----------------------+--------+------+
INFO[25-08-2021 01:45:37 PM] Local Api Bouncers Metrics:                  
+------------------------------+----------------------+--------+------+
|           BOUNCER            |        ROUTE         | METHOD | HITS |
+------------------------------+----------------------+--------+------+
| cs-firewall-bouncer-EJfPpO7s | /v1/decisions/stream | GET    |   34 |
+------------------------------+----------------------+--------+------+
root@ULTRA-5G:~# cs-firewall-bouncer -V
version: v0.0.13-v0.0.13
BuildDate: 2021-08-25_13:37:07
GoVersion: 1.16.2
root@ULTRA-5G:~# uname -ar
Linux ULTRA-5G 5.4.137 #0 SMP Sat Jul 31 17:21:01 2021 aarch64 GNU/Linux
root@ULTRA-5G:~# cat /etc/openwrt_release 
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='21.02.0-rc4'
DISTRIB_REVISION='r16256-2d5ee43dc6'
DISTRIB_TARGET='mvebu/cortexa53'
DISTRIB_ARCH='aarch64_cortex-a53'
DISTRIB_DESCRIPTION='OpenWrt 21.02.0-rc4 r16256-2d5ee43dc6'
DISTRIB_TAINTS=''

I got some questions in the OpenWrt package review that I am not sure I can answer correctly:

Actually I want to ask, is there a reason why the user would want crowdsec-firewall-bouncer to use iptables if they have both iptables and nftables installed? If there is no functional difference then there is no need to make it user-selectable.

Is it necessary to let the user choose between iptables/nftables when both are installed?
Or is it better to do something like the wizard.sh script, and detect with a preference for nftables?

Are all of these *.yaml files (perhaps all files in /etc/crowdsec ) configuration files?

Is it necessary to save all the files between package upgrades?
Or, as I am suggesting:

the essentials only are /etc/crowdsec/config.yaml and /etc/crowdsec/local_api_credentials.yaml;
others may be modified, as far as I know.

More can be seen in the PR, but these are mainly the ones where I need advanced users' feedback!

I will push more fixes to the PR, depending on your feedback…

I still have to better manage API keys and cscli register between upgrade or reinstall!
I do not use cscli backup/restore and preferred an external OpenWrt-specific config file.

Anyway, all feedback is welcome.

Thanks in advance.

Hello @Gandalf :slight_smile:

imho it sounds rather dangerous to attempt to do this, I’m afraid that we might end up breaking stuff :sweat:

The plan here is to not trash any “custom” parsers and scenarios created and/or patched by the users.

Thank you very much for your work. For the latest point, hopefully we are going to improve this in the not-so-distant future to clearly split “user” configs and the ones from the hub.

Regards,

I do not understand; wizard.sh does the detection…

Choice #1. What I mean is to do it at firewall-bouncer service restart.

  • If nftables is here, use it
  • If nftables is not here, use iptables and check ipset (write a message if it is missing)

Choice #2. Do a default mode detection at install (same as above) and then use a user config mode setting.
This second choice leaves more room for user error (IMHO).

Will it be there for the next release?
If so, I can wait for it before packaging for OpenWrt?

Regards,
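The "Choice #1" detection described above, written out as a POSIX shell snippet for an init script's restart step. This is an added example, not code from the OpenWrt package or from the CrowdSec project; the bouncer config path /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml and the FW_TOOLDIR test hook are assumptions.

```shell
#!/bin/sh
# Added example (not the package's own code): pick the cs-firewall-bouncer
# backend at service (re)start. Prefer nftables; otherwise fall back to
# iptables and warn when ipset, which iptables mode needs, is missing.

# Probe for a tool. FW_TOOLDIR is an assumed hook: when set, look only in
# that directory (lets the logic be tested offline); otherwise search PATH.
have_tool() {
    if [ -n "${FW_TOOLDIR:-}" ]; then
        [ -x "$FW_TOOLDIR/$1" ]
    else
        command -v "$1" >/dev/null 2>&1
    fi
}

# Print "nftables" or "iptables" on stdout; exit 1 when neither is usable.
detect_fw_backend() {
    if have_tool nft; then
        echo nftables
        return 0
    fi
    if have_tool iptables; then
        if ! have_tool ipset; then
            echo "cs-firewall-bouncer: iptables found but ipset is missing, install the ipset package" >&2
        fi
        echo iptables
        return 0
    fi
    echo "cs-firewall-bouncer: neither nft nor iptables found, cannot start" >&2
    return 1
}

# Write the chosen backend into the bouncer config's "mode:" key.
# $1 = config path (assumed default when empty), $2 = backend name.
# An existing "mode:" line is replaced, otherwise the key is appended.
set_bouncer_mode() {
    cfg="${1:-/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml}"
    mode="$2"
    if grep -q '^mode:' "$cfg" 2>/dev/null; then
        tmp="$cfg.tmp.$$"
        sed "s/^mode:.*/mode: $mode/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    else
        printf 'mode: %s\n' "$mode" >> "$cfg"
    fi
}

# Typical use from the init script's start/restart step:
#   mode=$(detect_fw_backend) && set_bouncer_mode "" "$mode"
```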

Crowdsec: Initial package v1.1.1 by erdoukki · Pull Request #16244 · openwrt/packages · GitHub package approved… soon to be merged!? :grinning:


Updating the OpenWrt Package to Crowdsec v1.2.0 and Crowdsec-Firewall-Bouncer v0.15.0…