# SPDX-License-Identifier: MIT
#
# Copyright (C) 2021-2022 Gerald Kerma
# Copyright (C) 2024-2025 CyberMind.fr (SecuBox adaptation)
#
# SecuBox CrowdSec Firewall Bouncer - nftables integration
#
# OpenWrt package recipe: fetches the upstream cs-firewall-bouncer release
# tarball, builds it through the Go package helpers, and installs the binary
# together with a UCI config, an init script, an iface hotplug script and a
# uci-defaults script.
#
# The PKG_* and GO_PKG* assignments are made before the package.mk and
# golang-package.mk includes; keep that order when editing.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=secubox-app-cs-firewall-bouncer
PKG_VERSION:=0.0.31
PKG_RELEASE:=4

# Source from upstream CrowdSec
# Note: v0.0.31 is the last version compatible with Go 1.23 (OpenWrt 24.10 SDK)
# NOTE(review): the version is held back for toolchain reasons, so anything
# fixed upstream after v0.0.31 is not picked up here; re-check this pin
# whenever the SDK's Go version changes.
PKG_SOURCE:=crowdsec-firewall-bouncer-$(PKG_VERSION).tar.gz
# The trailing "?" is the usual OpenWrt idiom for codeload URLs: the download
# helper appends the file name, and the "?" turns it into a query string.
PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v$(PKG_VERSION)?
# Expected digest of PKG_SOURCE (64 hex characters; OpenWrt's download step
# checks PKG_HASH as SHA-256). This is what binds the build to one specific
# tarball: regenerate it from a verified download on every PKG_VERSION bump
# and do not replace it with "skip" in a released package.
PKG_HASH:=c34963f0680ae296ae974d8f6444a2d1e2dd7617e7b05d4ad85c320529eec5f5
# The tarball unpacks under the upstream project name, not PKG_NAME, hence
# the explicit build directory.
PKG_BUILD_DIR:=$(BUILD_DIR)/cs-firewall-bouncer-$(PKG_VERSION)

PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=CyberMind

PKG_BUILD_DEPENDS:=golang/host
PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=no-mips16

GO_PKG:=github.com/crowdsecurity/cs-firewall-bouncer

# Build version information
# Values stamped into go-cs-lib/version via the linker's -X option:
#   Tag        v$(PKG_VERSION) with a "-secubox" suffix, so the binary reports
#              itself as this downstream build rather than the upstream one
#   Timestamp  taken from SOURCE_DATE_EPOCH instead of the wall clock
#   GoVersion  third field of the `go version` output
# NOTE(review): this is a ":=" assignment, so the $(shell ...) call runs while
# the Makefile is parsed, before golang-package.mk is included below. Confirm
# GO_STAGING_DIR is already set at that point; if it is not, GoVersion ends up
# empty.
GO_PKG_LDFLAGS_X:= \
	github.com/crowdsecurity/go-cs-lib/version.Tag=v$(PKG_VERSION)-secubox \
	github.com/crowdsecurity/go-cs-lib/version.Timestamp=$(SOURCE_DATE_EPOCH) \
	github.com/crowdsecurity/go-cs-lib/version.GoVersion=$(shell $(GO_STAGING_DIR)/bin/go version | cut -d" " -f3)

include $(INCLUDE_DIR)/package.mk
include $(TOPDIR)/feeds/packages/lang/golang/golang-package.mk

# Menu placement, title and upstream URL shared by the package definition below.
define Package/secubox-app-cs-firewall-bouncer/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=SecuBox
  TITLE:=SecuBox CrowdSec Firewall Bouncer
  URL:=https://github.com/crowdsecurity/cs-firewall-bouncer
endef

# Adds the runtime dependency on nftables. PROVIDES and CONFLICTS both name
# crowdsec-firewall-bouncer, so this build stands in for that package and the
# two cannot be installed side by side.
define Package/secubox-app-cs-firewall-bouncer
  $(call Package/secubox-app-cs-firewall-bouncer/Default)
  DEPENDS:=$(GO_ARCH_DEPENDS) +nftables
  PROVIDES:=crowdsec-firewall-bouncer
  CONFLICTS:=crowdsec-firewall-bouncer
endef

define Package/secubox-app-cs-firewall-bouncer/description
  SecuBox CrowdSec Firewall Bouncer for OpenWrt.

  Fetches decisions from CrowdSec Local API and enforces them using nftables.
  Supports both IPv4 and IPv6 blocking with timeout-based set entries
  for automatic expiration.

  Features:
  - Native nftables integration
  - IPv4 and IPv6 support
  - Input and forward chain filtering
  - Interface-based filtering
  - Automatic restart on firewall reload
  - procd service management
endef

# /etc/config/crowdsec is declared as a conffile, so local edits are kept on
# package upgrade.
# NOTE(review): if the auto-registration step stores the bouncer's LAPI
# credential in this file, that credential also persists across upgrades and
# travels with config backups. Confirm where the key is written.
define Package/secubox-app-cs-firewall-bouncer/conffiles
/etc/config/crowdsec
endef

# Install layout (the first argument is the package root):
#   bouncer binary                            GoPackage/Package/Install/Bin
#   /etc/config/crowdsec                      INSTALL_CONF (0600 in stock
#                                             rules.mk, confirm for this tree)
#   /etc/init.d/crowdsec-firewall-bouncer     INSTALL_BIN
#   /etc/hotplug.d/iface/99-crowdsec-bouncer  INSTALL_DATA
#   /etc/uci-defaults/99_crowdsec-bouncer     INSTALL_BIN
# NOTE(review): the hotplug script lands in hotplug.d/iface, which is driven
# by interface events, while the inline comment speaks of firewall reloads.
# The script is not visible here; check that the bouncer's nftables sets are
# actually restored after a firewall reload, since a gap there could leave
# decisions unenforced until the next restart.
# NOTE(review): uci-defaults scripts run as root at first boot or right after
# install. The registration script is not visible here; confirm it is
# idempotent and does not write the generated API key to logs.
define Package/secubox-app-cs-firewall-bouncer/install
	$(call GoPackage/Package/Install/Bin,$(1))

	$(INSTALL_DIR) $(1)/etc/config
	$(INSTALL_CONF) ./files/crowdsec.config $(1)/etc/config/crowdsec

	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_BIN) ./files/crowdsec-firewall-bouncer.initd $(1)/etc/init.d/crowdsec-firewall-bouncer

	# Hotplug script to restart bouncer when firewall reloads
	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
	$(INSTALL_DATA) ./files/hotplug.d/99-crowdsec-bouncer $(1)/etc/hotplug.d/iface/99-crowdsec-bouncer

	# UCI defaults script for auto-registration with CrowdSec LAPI
	$(INSTALL_DIR) $(1)/etc/uci-defaults
	$(INSTALL_BIN) ./files/crowdsec-bouncer.defaults $(1)/etc/uci-defaults/99_crowdsec-bouncer
endef

# Register the Go binary build and the package itself with the build system.
$(eval $(call GoBinPackage,secubox-app-cs-firewall-bouncer))
$(eval $(call BuildPackage,secubox-app-cs-firewall-bouncer))