From: S. Brusch
Date: Sat, 12 Oct 2024 11:22:01 +0000 (+0000)
Subject: crowdsec-firewall-bouncer: updated nftables rules
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=280a66ecb319fc9e3fa3cd2bbd9330846771750b;p=feed%2Fpackages.git

crowdsec-firewall-bouncer: updated nftables rules

Signed-off-by: S. Brusch
Maintainer: Kerma Gérald
Run tested: mediatek/filogic, BPI-R3, Openwrt 23.05.5
Description: updated the initd script creating the nftables rules for the bouncer to adapt and support the crowdsec-firewall-bouncer's (from 0.0.30) new internal rule creation mechanism.
---
diff --git a/net/crowdsec-firewall-bouncer/Makefile b/net/crowdsec-firewall-bouncer/Makefile
index fa95de965b..152449d264 100644
--- a/net/crowdsec-firewall-bouncer/Makefile
+++ b/net/crowdsec-firewall-bouncer/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=crowdsec-firewall-bouncer
 PKG_VERSION:=0.0.31
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v$(PKG_VERSION)?
diff --git a/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.initd b/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.initd
index 23c4b55022..33ebbb0eae 100755
--- a/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.initd
+++ b/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.initd
@@ -41,7 +41,6 @@ init_yaml() {
 local chain6_name
 local retry_initial_connect
- config_get set_only $section set_only '1'
 config_get hook_priority $section priority "4"
 config_get update_frequency $section update_frequency '10s'
 config_get log_level $section log_level 'info'
@@ -101,13 +100,13 @@ init_yaml() {
 nftables:
 ipv4:
 enabled: bool($ipv4)
- set-only: bool($set_only)
+ set-only: false
 table: $TABLE
 chain: $chain_name
 priority: $hook_priority
 ipv6:
 enabled: bool($ipv6)
- set-only: bool($set_only)
+ set-only: false
 table: $TABLE6
 chain: $chain6_name
 priority: $hook_priority
@@ -178,11 +177,13 @@ init_nftables() {
 if [ "$filter_input" -eq "1" ] ; then
 nft add chain ip "$TABLE" $chain_name-input "{ type filter hook input priority $hook_priority; policy accept; }"
- nft add rule ip "$TABLE" $chain_name-input iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action
+ nft add rule ip "$TABLE" $chain_name-input ct state established,related accept
+ nft add rule ip "$TABLE" $chain_name-input iifname != { $interface } accept
 fi
 if [ "$filter_forward" -eq "1" ] ; then
 nft add chain ip "$TABLE" $chain_name-forward "{ type filter hook forward priority $hook_priority; policy accept; }"
- nft add rule ip "$TABLE" $chain_name-forward iifname { $interface } ct state new ip daddr != 224.0.0.0/4 ip saddr @crowdsec-blacklists ${log_term} counter $deny_action
+ nft add rule ip "$TABLE" $chain_name-forward ct state established,related accept
+ nft add rule ip "$TABLE" $chain_name-forward iifname != { $interface } accept
 fi
 fi
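Review bot: `set-only: false` is hard-coded for both address families while the UCI option `set_only` is no longer read (the preceding hunk drops its `config_get`), so an existing `option set_only` in the config is now silently ignored and nothing in the template says why the value is fixed. A YAML comment above the first occurrence, e.g. `# set-only fixed to false: from 0.0.30 the bouncer is expected to install its own deny rules into the chains prepared by init_nftables`, would record the version dependency, which the package's PKG_VERSION 0.0.31 already satisfies. A one-line notice in run_bouncer, `config_get set_only $section set_only; [ -n "$set_only" ] && logger -t crowdsec-firewall-bouncer "option set_only is deprecated and ignored"`, would make the change visible on upgraded installations. The heredoc this hunk edits starts and ends outside the hunk.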
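Review bot: The two accept rules added to `$chain_name-input` and `$chain_name-forward` only limit blocking to new connections on the monitored interfaces if the bouncer later appends its deny rule to these same chains, and nothing in the hunk records that ordering dependency; the new forward rule also drops the previous `ip daddr != 224.0.0.0/4` exemption, so multicast destinations now fall under the bouncer's deny rule. A comment above the first `nft add rule`, e.g. `# Early accepts: established/related flows and traffic from non-monitored interfaces bypass the deny rule the bouncer appends to this chain (set-only: false)`, would make the intent explicit, and if the multicast exemption is still wanted it can be kept as `nft add rule ip "$TABLE" $chain_name-forward ip daddr 224.0.0.0/4 accept`. The `nft` calls remain unchecked, so if an accept rule fails to load (for instance with an empty `$interface`, which would likely make `iifname != { }` invalid) the chain is left with only the bouncer's deny rule and blocking would apply to every interface without any log line; that was already the case before this change. The same applies to the ip6 block in the following hunk, which never had a multicast exemption. init_nftables opens before this hunk and closes in the next.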
@@ -193,11 +194,13 @@ init_nftables() {
 if [ "$filter_input" -eq "1" ] ; then
 nft add chain ip6 "$TABLE6" $chain6_name-input "{ type filter hook input priority $hook_priority; policy accept; }"
- nft add rule ip6 "$TABLE6" $chain6_name-input iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action
+ nft add rule ip6 "$TABLE6" $chain6_name-input ct state established,related accept
+ nft add rule ip6 "$TABLE6" $chain6_name-input iifname != { $interface } accept
 fi
 if [ "$filter_forward" -eq "1" ] ; then
 nft add chain ip6 "$TABLE6" $chain6_name-forward "{ type filter hook forward priority $hook_priority; policy accept; }"
- nft add rule ip6 "$TABLE6" $chain6_name-forward iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action
+ nft add rule ip6 "$TABLE6" $chain6_name-forward ct state established,related accept
+ nft add rule ip6 "$TABLE6" $chain6_name-forward iifname != { $interface } accept
 fi
 fi
 }
@@ -208,14 +211,11 @@ run_bouncer() {
 local enabled
 config_get_bool enabled $section enabled 0
- config_get_bool set_only $section set_only 1
 if [ "$enabled" -eq "1" ] ; then
 init_yaml "$section"
- if [ "$set_only" -eq "1" ] ; then
- init_nftables "$section"
- fi
+ init_nftables "$section"
 procd_open_instance
 procd_set_param command "$PROG" -c "$VARCONFIG"