[PR PATCH] sshguard: support dynamic firewall config and remove iptables dependency

[PR PATCH] sshguard: support dynamic firewall config and remove iptables dependency

[voidlinux-github]

[-- Attachment #1: Type: text/plain, Size: 955 bytes --]

There is a new pull request by ahesford against master on the void-packages repository

https://github.com/ahesford/void-packages sshguard
https://github.com/void-linux/void-packages/pull/18477

sshguard: support dynamic firewall config and remove iptables dependency
sshguard uses iptables as an optional firewall backend, but also natively supports the nftables firewall. I removed the explicit iptables dependency from this package and added support for a "conf" file in the service (renamed to "sshguard" from "sshguard-socklog" because it is not inextricably linked to socklog) to allow the firewall and logger service dependencies to be dynamically changed. By default, the service still expects socklog-unix and iptables.

The rename will break /var/service links to the existing "sshguard-socklog", but the post-change behavior seems to make more sense.

A patch file from https://github.com/void-linux/void-packages/pull/18477.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sshguard-18477.patch --]
[-- Type: text/x-diff, Size: 2347 bytes --]

From 88c16f4d19b32f12e1086063f94ef6814cef0568 Mon Sep 17 00:00:00 2001
From: "Andrew J. Hesford" <ajh@sideband.org>
Date: Wed, 22 Jan 2020 16:35:49 -0500
Subject: [PATCH] sshguard: support dynamic firewall config and remove iptables
 dependency

---
 srcpkgs/sshguard/files/sshguard-socklog/run |  5 -----
 srcpkgs/sshguard/files/sshguard/run         | 11 +++++++++++
 srcpkgs/sshguard/template                   |  5 ++---
 3 files changed, 13 insertions(+), 8 deletions(-)
 delete mode 100755 srcpkgs/sshguard/files/sshguard-socklog/run
 create mode 100755 srcpkgs/sshguard/files/sshguard/run

diff --git a/srcpkgs/sshguard/files/sshguard-socklog/run b/srcpkgs/sshguard/files/sshguard-socklog/run
deleted file mode 100755
index 720e4676785..00000000000
--- a/srcpkgs/sshguard/files/sshguard-socklog/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-sv check iptables >/dev/null || exit 1
-sv check socklog-unix >/dev/null || exit 1
-
-exec sshguard -l /var/log/socklog/secure/current -b 200:/var/db/sshguard/blacklist.db 2>&1
diff --git a/srcpkgs/sshguard/files/sshguard/run b/srcpkgs/sshguard/files/sshguard/run
new file mode 100755
index 00000000000..a63f90834fb
--- /dev/null
+++ b/srcpkgs/sshguard/files/sshguard/run
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Allow the firewall and logger backends to be specified
+[ -f ./conf ] && . ./conf
+
+sv check "${FIREWALL:-iptables}" >/dev/null || exit 1
+
+sv check "${LOGGER:-socklog-unix}" >/dev/null || exit 1
+LOGFILE="${LOGFILE:-/var/log/socklog/secure/current}"
+
+exec sshguard -l "$LOGFILE" -b 200:/var/db/sshguard/blacklist.db $OPTS 2>&1
diff --git a/srcpkgs/sshguard/template b/srcpkgs/sshguard/template
index 8c08d1f1120..0d3a5506373 100644
--- a/srcpkgs/sshguard/template
+++ b/srcpkgs/sshguard/template
@@ -1,10 +1,9 @@
 # Template file for 'sshguard'
 pkgname=sshguard
 version=2.4.0
-revision=1
+revision=2
 build_style=gnu-configure
 hostmakedepends="flex"
-depends="iptables"
 short_desc="Protects networked hosts from brute force attacks"
 maintainer="Lodvær <lodvaer@gmail.com>"
 license="BSD-3-Clause"
@@ -16,7 +15,7 @@ make_dirs="/var/db/sshguard 0755 root root"
 conf_files="/etc/sshguard.conf"
 
 post_install() {
-	vsv sshguard-socklog
+	vsv sshguard
 	vconf examples/sshguard.conf.sample sshguard.conf
 	vsed -i 's@/usr/local/@/usr/@g' ${DESTDIR}/etc/sshguard.conf
 	vlicense COPYING

Re: sshguard: support dynamic firewall config and remove iptables dependency

[voidlinux-github]

[-- Attachment #1: Type: text/plain, Size: 329 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/18477#issuecomment-577402230

Comment:
Not sure what to think about the rename, this will kill sshguard from users system, the moment the package is updated.
Maybe its better to clean this one up, and add a second new service.

Re: [PR PATCH] [Updated] sshguard: support dynamic firewall config and remove iptables dependency

[voidlinux-github]

[-- Attachment #1: Type: text/plain, Size: 960 bytes --]

There is an updated pull request by ahesford against master on the void-packages repository

https://github.com/ahesford/void-packages sshguard
https://github.com/void-linux/void-packages/pull/18477

sshguard: support dynamic firewall config and remove iptables dependency
sshguard uses iptables as an optional firewall backend, but also natively supports the nftables firewall. I removed the explicit iptables dependency from this package and added support for a "conf" file in the service (renamed to "sshguard" from "sshguard-socklog" because it is not inextricably linked to socklog) to allow the firewall and logger service dependencies to be dynamically changed. By default, the service still expects socklog-unix and iptables.

The rename will break /var/service links to the existing "sshguard-socklog", but the post-change behavior seems to make more sense.

A patch file from https://github.com/void-linux/void-packages/pull/18477.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sshguard-18477.patch --]
[-- Type: text/x-diff, Size: 1823 bytes --]

From 08359d1be970fbab3a9dc0938a7d2173527cdfed Mon Sep 17 00:00:00 2001
From: "Andrew J. Hesford" <ajh@sideband.org>
Date: Wed, 22 Jan 2020 16:35:49 -0500
Subject: [PATCH] sshguard: support dynamic firewall config and remove iptables
 dependency

---
 srcpkgs/sshguard/files/sshguard-socklog/run | 15 ++++++++++++---
 srcpkgs/sshguard/template                   |  3 +--
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/srcpkgs/sshguard/files/sshguard-socklog/run b/srcpkgs/sshguard/files/sshguard-socklog/run
index 720e4676785..746df4822ce 100755
--- a/srcpkgs/sshguard/files/sshguard-socklog/run
+++ b/srcpkgs/sshguard/files/sshguard-socklog/run
@@ -1,5 +1,14 @@
 #!/bin/sh
-sv check iptables >/dev/null || exit 1
-sv check socklog-unix >/dev/null || exit 1
 
-exec sshguard -l /var/log/socklog/secure/current -b 200:/var/db/sshguard/blacklist.db 2>&1
+# Defaults that mabe be overridden (or erased entirely) by configuration
+LOGFILE="${LOGFILE:-/var/log/socklog/secure/current}"
+BLACKLIST_SPEC="${BLACKLIST_SPEC:-200:/var/db/sshguard/blacklist.db}"
+
+# Allow the firewall and logger backends to be specified
+[ -f ./conf ] && . ./conf
+
+# If specified, add blacklist spec and log source to OPTS
+[ -n "$BLACKLIST_SPEC" ] && OPTS="-b $BLACKLIST_SPEC"
+[ -n "$LOGFILE" ] && OPTS="-l $LOGFILE $OPTS"
+
+exec sshguard $OPTS 2>&1
diff --git a/srcpkgs/sshguard/template b/srcpkgs/sshguard/template
index 8c08d1f1120..235a6129393 100644
--- a/srcpkgs/sshguard/template
+++ b/srcpkgs/sshguard/template
@@ -1,10 +1,9 @@
 # Template file for 'sshguard'
 pkgname=sshguard
 version=2.4.0
-revision=1
+revision=2
 build_style=gnu-configure
 hostmakedepends="flex"
-depends="iptables"
 short_desc="Protects networked hosts from brute force attacks"
 maintainer="Lodvær <lodvaer@gmail.com>"
 license="BSD-3-Clause"

Re: sshguard: support dynamic firewall config and remove iptables dependency

[voidlinux-github]

[-- Attachment #1: Type: text/plain, Size: 1173 bytes --]

New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/pull/18477#issuecomment-577458415

Comment:
> Not sure what to think about the rename, this will kill sshguard from users system, the moment the package is updated.
> Maybe its better to clean this one up, and add a second new service.

If we're going to keep the old service around to avoid breakage, I see no compelling reason to create a duplicate service just to have a different name. Maybe long-term we can find a better solution, but for now, I advocate sticking with the original sshguard-socklog name.

The latest push restores the name, drops the gratuitous service checks and improves the configuration logic. It is now possible to define empty variables for the log source and blacklist databases and, if they are explicitly cleared by the user, defaults will not be subsituted by the run script. However, if the variables are defined by the user or not explicitly cleared, the proper command arguments will be passed. The new behavior allows total customization of the sshguard invocation while still making common configuration alterations straightforward.

Re: [PR PATCH] [Merged]: sshguard: support dynamic firewall config and remove iptables dependency

[voidlinux-github]

[-- Attachment #1: Type: text/plain, Size: 801 bytes --]

There's a merged pull request on the void-packages repository

sshguard: support dynamic firewall config and remove iptables dependency
https://github.com/void-linux/void-packages/pull/18477

Description:
sshguard uses iptables as an optional firewall backend, but also natively supports the nftables firewall. I removed the explicit iptables dependency from this package and added support for a "conf" file in the service (renamed to "sshguard" from "sshguard-socklog" because it is not inextricably linked to socklog) to allow the firewall and logger service dependencies to be dynamically changed. By default, the service still expects socklog-unix and iptables.

The rename will break /var/service links to the existing "sshguard-socklog", but the post-change behavior seems to make more sense.

Re: sshguard: support dynamic firewall config and remove iptables dependency

[voidlinux-github]

[-- Attachment #1: Type: text/plain, Size: 682 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/18477#issuecomment-577629922

Comment:
Thanks, this is good now.

> Maybe long-term we can find a better solution, but for now, I advocate sticking with the original sshguard-socklog name.

Maybe a symlink like `/etc/sv/sshguard-socklog -> /etc/sv/sshhuard/` would work but that would need to be tested, I can't remember a prior case of renaming a service.
Another solution might be an `INSTALL` script that changes the symlink in `/var/service` if it exists already, but that seems a bit hacky. Its an interesting issue and finding a clean solution might help in the future.

Re: sshguard: support dynamic firewall config and remove iptables dependency

[voidlinux-github]

[-- Attachment #1: Type: text/plain, Size: 1247 bytes --]

New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/pull/18477#issuecomment-577706121

Comment:
> Maybe a symlink like `/etc/sv/sshguard-socklog -> /etc/sv/sshhuard/` would work but that would need to be tested, I can't remember a prior case of renaming a service.

I thought about a symlink but thought it was too problematic. There is some precedent: xbps-alternatives creates a symlink from /etc/sv/crond to the chosen alternative service. In this case, however, I think there is a high probability of a collision when users create an sshguard service to avoid the iptables dependency.

> Another solution might be an `INSTALL` script that changes the symlink in `/var/service` if it exists already, but that seems a bit hacky. Its an interesting issue and finding a clean solution might help in the future.

If the INSTALL script finds an existing link, and the target of that link is also a link to the new service name, the user could be prompted with a yes/no question about migrating the link. This will alert all affected users to the change and provide a one-key option to resolve the issue. Maybe some helper functions common/ could encapsulate a procedure like this for all packages.