* Re: sshguard: support dynamic firewall config and remove iptables dependency
2020-01-22 21:41 [PR PATCH] sshguard: support dynamic firewall config and remove iptables dependency voidlinux-github
@ 2020-01-22 21:49 ` voidlinux-github
2020-01-23 0:54 ` [PR PATCH] [Updated] " voidlinux-github
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: voidlinux-github @ 2020-01-22 21:49 UTC (permalink / raw)
To: ml
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/pull/18477#issuecomment-577402230
Comment:
Not sure what to think about the rename; this will kill sshguard from users' systems the moment the package is updated.
Maybe it's better to clean this one up and add a second new service.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PR PATCH] [Updated] sshguard: support dynamic firewall config and remove iptables dependency
From: voidlinux-github @ 2020-01-23 0:54 UTC (permalink / raw)
To: ml
There is an updated pull request by ahesford against master on the void-packages repository
https://github.com/ahesford/void-packages sshguard
https://github.com/void-linux/void-packages/pull/18477
sshguard: support dynamic firewall config and remove iptables dependency
sshguard uses iptables as an optional firewall backend, but also natively supports the nftables firewall. I removed the explicit iptables dependency from this package and added support for a "conf" file in the service (renamed to "sshguard" from "sshguard-socklog" because it is not inextricably linked to socklog) to allow the firewall and logger service dependencies to be dynamically changed. By default, the service still expects socklog-unix and iptables.
The rename will break /var/service links to the existing "sshguard-socklog", but the post-change behavior seems to make more sense.
A patch file from https://github.com/void-linux/void-packages/pull/18477.patch is attached
From 08359d1be970fbab3a9dc0938a7d2173527cdfed Mon Sep 17 00:00:00 2001
From: "Andrew J. Hesford" <ajh@sideband.org>
Date: Wed, 22 Jan 2020 16:35:49 -0500
Subject: [PATCH] sshguard: support dynamic firewall config and remove iptables
dependency
---
srcpkgs/sshguard/files/sshguard-socklog/run | 15 ++++++++++++---
srcpkgs/sshguard/template | 3 +--
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/srcpkgs/sshguard/files/sshguard-socklog/run b/srcpkgs/sshguard/files/sshguard-socklog/run
index 720e4676785..746df4822ce 100755
--- a/srcpkgs/sshguard/files/sshguard-socklog/run
+++ b/srcpkgs/sshguard/files/sshguard-socklog/run
@@ -1,5 +1,14 @@
#!/bin/sh
-sv check iptables >/dev/null || exit 1
-sv check socklog-unix >/dev/null || exit 1
-exec sshguard -l /var/log/socklog/secure/current -b 200:/var/db/sshguard/blacklist.db 2>&1
+# Defaults that mabe be overridden (or erased entirely) by configuration
+LOGFILE="${LOGFILE:-/var/log/socklog/secure/current}"
+BLACKLIST_SPEC="${BLACKLIST_SPEC:-200:/var/db/sshguard/blacklist.db}"
+
+# Allow the firewall and logger backends to be specified
+[ -f ./conf ] && . ./conf
+
+# If specified, add blacklist spec and log source to OPTS
+[ -n "$BLACKLIST_SPEC" ] && OPTS="-b $BLACKLIST_SPEC"
+[ -n "$LOGFILE" ] && OPTS="-l $LOGFILE $OPTS"
+
+exec sshguard $OPTS 2>&1
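Review bot: the `-b` line (`[ -n "$BLACKLIST_SPEC" ] && OPTS="-b $BLACKLIST_SPEC"`) assigns OPTS rather than appending to it, so any `OPTS` a user sets in `./conf` is silently discarded; prepend as the following `-l` line does (`OPTS="-b $BLACKLIST_SPEC $OPTS"`). Related: the `${VAR:-default}` form re-substitutes the default when conf sets the variable to an empty string, so a user cannot actually clear the log source or blacklist through conf; `${VAR-default}` fills only an unset variable. Since `. ./conf` executes the file as shell code, the comment should also say it must be root-owned and not writable by anyone else, because it fully controls the daemon's arguments. Finally, the comment "mabe be" is a typo, the comment "Allow the firewall and logger backends to be specified" does not match the hunk (nothing here selects a backend, and the `sv check` lines for iptables and socklog-unix are simply dropped, which contradicts "the service still expects socklog-unix and iptables" in the description), and the hunk still edits files/sshguard-socklog/run, so the rename to "sshguard" the description announces is not part of this patch.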
diff --git a/srcpkgs/sshguard/template b/srcpkgs/sshguard/template
index 8c08d1f1120..235a6129393 100644
--- a/srcpkgs/sshguard/template
+++ b/srcpkgs/sshguard/template
@@ -1,10 +1,9 @@
# Template file for 'sshguard'
pkgname=sshguard
version=2.4.0
-revision=1
+revision=2
build_style=gnu-configure
hostmakedepends="flex"
-depends="iptables"
short_desc="Protects networked hosts from brute force attacks"
maintainer="Lodvær <lodvaer@gmail.com>"
license="BSD-3-Clause"
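Review bot: with `depends="iptables"` removed and the run script no longer checking that a firewall service is up, nothing in the package now guarantees that a backend is installed at all; sshguard selects its firewall backend in its own configuration file, so a fresh install with neither iptables nor nftables present will start a service that cannot block anything. The template should carry that information to the user (a post-install message or README noting that iptables or nftables must be installed and the backend configured), and the revision bump alone does not convey it.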
* Re: sshguard: support dynamic firewall config and remove iptables dependency
From: voidlinux-github @ 2020-01-23 1:03 UTC (permalink / raw)
To: ml
New comment by ahesford on void-packages repository
https://github.com/void-linux/void-packages/pull/18477#issuecomment-577458415
Comment:
> Not sure what to think about the rename; this will kill sshguard from users' systems the moment the package is updated.
> Maybe it's better to clean this one up and add a second new service.
If we're going to keep the old service around to avoid breakage, I see no compelling reason to create a duplicate service just to have a different name. Maybe long-term we can find a better solution, but for now, I advocate sticking with the original sshguard-socklog name.
The latest push restores the name, drops the gratuitous service checks and improves the configuration logic. It is now possible to define empty variables for the log source and blacklist databases and, if they are explicitly cleared by the user, defaults will not be substituted by the run script. However, if the variables are defined by the user or not explicitly cleared, the proper command arguments will be passed. The new behavior allows total customization of the sshguard invocation while still making common configuration alterations straightforward.
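The "explicitly cleared versus unset" rule described in that comment, as an added example rather than the PR's actual run script; it contrasts the `${VAR-default}` form with the `${VAR:-default}` form of the first patch revision, and the conf file contents and the extra `-p 120` option are constructed for the demo:

```shell
#!/bin/sh
# Added example, not the PR's run script: "${VAR-default}" substitutes only when
# VAR is unset, while "${VAR:-default}" also re-fills an empty value. Only the
# first lets a conf file clear the log source or the blacklist entirely.

DEFAULT_LOG=/var/log/socklog/secure/current
DEFAULT_BL=200:/var/db/sshguard/blacklist.db

# build_opts CONF [old]: print the argument string sshguard would receive.
# With "old", apply the ":-" form from the first patch revision for comparison.
build_opts() {
    conf="$1" style="${2:-new}"
    # Start from a clean slate so only the conf file decides the outcome.
    unset LOGFILE BLACKLIST_SPEC OPTS
    # The conf file is executed as shell code: it must be root-owned and not
    # writable by anyone else, since it fully controls the daemon's arguments.
    if [ -f "$conf" ]; then
        . "$conf"
    fi
    if [ "$style" = old ]; then
        LOGFILE="${LOGFILE:-$DEFAULT_LOG}"            # re-fills an empty value too
        BLACKLIST_SPEC="${BLACKLIST_SPEC:-$DEFAULT_BL}"
    else
        LOGFILE="${LOGFILE-$DEFAULT_LOG}"             # fills only an unset value
        BLACKLIST_SPEC="${BLACKLIST_SPEC-$DEFAULT_BL}"
    fi
    # Prepend to OPTS instead of overwriting it, so extra options from conf survive.
    if [ -n "$BLACKLIST_SPEC" ]; then OPTS="-b $BLACKLIST_SPEC $OPTS"; fi
    if [ -n "$LOGFILE" ]; then OPTS="-l $LOGFILE $OPTS"; fi
    # Split exactly as an unquoted "exec sshguard $OPTS" would, then rejoin.
    set -- $OPTS
    printf '%s\n' "$*"
}

# Demo with constructed conf files in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'BLACKLIST_SPEC=\n' > "$d/cleared"             # user turns blacklisting off
    printf 'LOGFILE=/var/log/auth.log\nOPTS="-p 120"\n' > "$d/custom"
    echo "no conf : $(build_opts "$d/none")"
    echo "cleared : $(build_opts "$d/cleared")"
    echo "old form: $(build_opts "$d/cleared" old)"
    echo "custom  : $(build_opts "$d/custom")"
    rm -rf "$d"
}

demo
```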
* Re: [PR PATCH] [Merged]: sshguard: support dynamic firewall config and remove iptables dependency
From: voidlinux-github @ 2020-01-23 10:53 UTC (permalink / raw)
To: ml
There's a merged pull request on the void-packages repository
sshguard: support dynamic firewall config and remove iptables dependency
https://github.com/void-linux/void-packages/pull/18477
Description:
sshguard uses iptables as an optional firewall backend, but also natively supports the nftables firewall. I removed the explicit iptables dependency from this package and added support for a "conf" file in the service (renamed to "sshguard" from "sshguard-socklog" because it is not inextricably linked to socklog) to allow the firewall and logger service dependencies to be dynamically changed. By default, the service still expects socklog-unix and iptables.
The rename will break /var/service links to the existing "sshguard-socklog", but the post-change behavior seems to make more sense.
* Re: sshguard: support dynamic firewall config and remove iptables dependency
From: voidlinux-github @ 2020-01-23 10:53 UTC (permalink / raw)
To: ml
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/pull/18477#issuecomment-577629922
Comment:
Thanks, this is good now.
> Maybe long-term we can find a better solution, but for now, I advocate sticking with the original sshguard-socklog name.
Maybe a symlink like `/etc/sv/sshguard-socklog -> /etc/sv/sshguard/` would work, but that would need to be tested; I can't remember a prior case of renaming a service.
Another solution might be an `INSTALL` script that changes the symlink in `/var/service` if it exists already, but that seems a bit hacky. It's an interesting issue, and finding a clean solution might help in the future.
* Re: sshguard: support dynamic firewall config and remove iptables dependency
From: voidlinux-github @ 2020-01-23 14:31 UTC (permalink / raw)
To: ml
New comment by ahesford on void-packages repository
https://github.com/void-linux/void-packages/pull/18477#issuecomment-577706121
Comment:
> Maybe a symlink like `/etc/sv/sshguard-socklog -> /etc/sv/sshguard/` would work, but that would need to be tested; I can't remember a prior case of renaming a service.
I thought about a symlink but thought it was too problematic. There is some precedent: xbps-alternatives creates a symlink from /etc/sv/crond to the chosen alternative service. In this case, however, I think there is a high probability of a collision when users create an sshguard service to avoid the iptables dependency.
> Another solution might be an `INSTALL` script that changes the symlink in `/var/service` if it exists already, but that seems a bit hacky. It's an interesting issue, and finding a clean solution might help in the future.
If the INSTALL script finds an existing link, and the target of that link is also a link to the new service name, the user could be prompted with a yes/no question about migrating the link. This will alert all affected users to the change and provide a one-key option to resolve the issue. Maybe some helper functions in common/ could encapsulate a procedure like this for all packages.