feat(ipfw): add FreeBSD ipfw backend support

README.md

@@ -22,6 +22,7 @@ Supported firewalls:
  - nftables (IPv4 :heavy_check_mark: / IPv6 :heavy_check_mark: )
  - ipset only (IPv4 :heavy_check_mark: / IPv6 :heavy_check_mark: )
  - pf (IPV4 :heavy_check_mark: / IPV6 :heavy_check_mark: )
+ - ipfw (IPV4 :heavy_check_mark: / IPV6 :heavy_check_mark: )
 
 # Installation
 

config/crowdsec-firewall-bouncer.yaml

@@ -57,6 +57,10 @@ pf:
   # an empty string disables the anchor
   anchor_name: ""
 
+# ipfw (FreeBSD): the bouncer only manages the "blacklists_ipv4"/"blacklists_ipv6"
+# named tables above, you must create them and the rule(s) referencing them
+# (e.g. "ipfw add deny ip from table(crowdsec-blacklists) to any") beforehand.
+
 prometheus:
   enabled: false
   listen_addr: 127.0.0.1

pkg/backend/backend.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/crowdsecurity/cs-firewall-bouncer/pkg/cfg"
 	"github.com/crowdsecurity/cs-firewall-bouncer/pkg/dryrun"
+	"github.com/crowdsecurity/cs-firewall-bouncer/pkg/ipfw"
 	"github.com/crowdsecurity/cs-firewall-bouncer/pkg/iptables"
 	"github.com/crowdsecurity/cs-firewall-bouncer/pkg/nftables"
 	"github.com/crowdsecurity/cs-firewall-bouncer/pkg/pf"
@@ -59,6 +60,10 @@ func isPFSupported(runtimeOS string) bool {
 	return supported
 }
 
+func isIPFWSupported(runtimeOS string) bool {
+	return runtimeOS == "freebsd"
+}
+
 func NewBackend(config *cfg.BouncerConfig) (*BackendCTX, error) {
 	var err error
 
@@ -102,6 +107,15 @@ func NewBackend(config *cfg.BouncerConfig) (*BackendCTX, error) {
 		if err != nil {
 			return nil, err
 		}
+	case cfg.IpfwMode:
+		if !isIPFWSupported(runtime.GOOS) {
+			log.Warning("ipfw mode can only work with freebsd. It is available on other platforms only for testing purposes")
+		}
+
+		b.firewall, err = ipfw.NewIPFW(config)
+		if err != nil {
+			return nil, err
+		}
 	case "dry-run":
 		b.firewall, err = dryrun.NewDryRun(config)
 		if err != nil {

pkg/cfg/config.go

@@ -31,6 +31,7 @@ const (
 	IptablesMode = "iptables"
 	NftablesMode = "nftables"
 	PfMode       = "pf"
+	IpfwMode     = "ipfw"
 	DryRunMode   = "dry-run"
 )
 
@@ -146,7 +147,7 @@ func NewConfig(reader io.Reader) (*BouncerConfig, error) {
 		if err != nil {
 			return nil, err
 		}
-	case IpsetMode, IptablesMode:
+	case IpsetMode, IptablesMode, IpfwMode:
 		// nothing specific to do
 	case PfMode:
 		err := pfConfig(config)

pkg/ipfw/ipfw.go

@@ -0,0 +1,178 @@
+package ipfw
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/crowdsecurity/crowdsec/pkg/models"
+
+	"github.com/crowdsecurity/cs-firewall-bouncer/pkg/cfg"
+	"github.com/crowdsecurity/cs-firewall-bouncer/pkg/types"
+)
+
+type ipfw struct {
+	inet              *ipfwContext
+	inet6             *ipfwContext
+	decisionsToAdd    []*models.Decision
+	decisionsToDelete []*models.Decision
+}
+
+const ipfwCmd = "/sbin/ipfw"
+
+func NewIPFW(config *cfg.BouncerConfig) (types.Backend, error) {
+	ret := &ipfw{}
+
+	inetCtx := &ipfwContext{
+		table:   config.BlacklistsIpv4,
+		version: "ipv4",
+	}
+
+	inet6Ctx := &ipfwContext{
+		table:   config.BlacklistsIpv6,
+		version: "ipv6",
+	}
+
+	if !config.DisableIPV4 {
+		ret.inet = inetCtx
+	}
+
+	if !config.DisableIPV6 {
+		ret.inet6 = inet6Ctx
+	}
+
+	return ret, nil
+}
+
+func execIpfw(arg ...string) *exec.Cmd {
+	log.Debugf("Running: %s %s", ipfwCmd, arg)
+
+	return exec.Command(ipfwCmd, arg...)
+}
+
+func (fw *ipfw) Init() error {
+	if _, err := exec.LookPath(ipfwCmd); err != nil {
+		return fmt.Errorf("%s command not found: %w", ipfwCmd, err)
+	}
+
+	if fw.inet != nil {
+		if err := fw.inet.init(); err != nil {
+			return err
+		}
+	}
+
+	if fw.inet6 != nil {
+		if err := fw.inet6.init(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (fw *ipfw) Commit() error {
+	defer fw.reset()
+
+	if err := fw.commitDeletedDecisions(); err != nil {
+		return err
+	}
+
+	return fw.commitAddedDecisions()
+}
+
+func (fw *ipfw) Add(decision *models.Decision) error {
+	fw.decisionsToAdd = append(fw.decisionsToAdd, decision)
+	return nil
+}
+
+func (fw *ipfw) reset() {
+	fw.decisionsToAdd = make([]*models.Decision, 0)
+	fw.decisionsToDelete = make([]*models.Decision, 0)
+}
+
+func (fw *ipfw) commitDeletedDecisions() error {
+	ipv4decisions := make([]*models.Decision, 0)
+	ipv6decisions := make([]*models.Decision, 0)
+
+	for _, d := range fw.decisionsToDelete {
+		if strings.Contains(*d.Value, ":") && fw.inet6 != nil {
+			ipv6decisions = append(ipv6decisions, d)
+		} else if fw.inet != nil {
+			ipv4decisions = append(ipv4decisions, d)
+		}
+	}
+
+	if len(ipv6decisions) > 0 {
+		if fw.inet6 == nil {
+			log.Debugf("not removing '%d' decisions because ipv6 is disabled", len(ipv6decisions))
+		} else if err := fw.inet6.delete(ipv6decisions); err != nil {
+			return err
+		}
+	}
+
+	if len(ipv4decisions) > 0 {
+		if fw.inet == nil {
+			log.Debugf("not removing '%d' decisions because ipv4 is disabled", len(ipv4decisions))
+		} else if err := fw.inet.delete(ipv4decisions); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (fw *ipfw) commitAddedDecisions() error {
+	ipv4decisions := make([]*models.Decision, 0)
+	ipv6decisions := make([]*models.Decision, 0)
+
+	for _, d := range fw.decisionsToAdd {
+		if strings.Contains(*d.Value, ":") && fw.inet6 != nil {
+			ipv6decisions = append(ipv6decisions, d)
+		} else if fw.inet != nil {
+			ipv4decisions = append(ipv4decisions, d)
+		}
+	}
+
+	if len(ipv6decisions) > 0 {
+		if fw.inet6 == nil {
+			log.Debugf("not adding '%d' decisions because ipv6 is disabled", len(ipv6decisions))
+		} else if err := fw.inet6.add(ipv6decisions); err != nil {
+			return err
+		}
+	}
+
+	if len(ipv4decisions) > 0 {
+		if fw.inet == nil {
+			log.Debugf("not adding '%d' decisions because ipv4 is disabled", len(ipv4decisions))
+		} else if err := fw.inet.add(ipv4decisions); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (fw *ipfw) Delete(decision *models.Decision) error {
+	fw.decisionsToDelete = append(fw.decisionsToDelete, decision)
+	return nil
+}
+
+func (fw *ipfw) ShutDown() error {
+	log.Infof("flushing 'crowdsec' table(s)")
+
+	if fw.inet != nil {
+		if err := fw.inet.shutDown(); err != nil {
+			return fmt.Errorf("unable to flush %s table (%s): ", fw.inet.version, fw.inet.table)
+		}
+	}
+
+	if fw.inet6 != nil {
+		if err := fw.inet6.shutDown(); err != nil {
+			return fmt.Errorf("unable to flush %s table (%s): ", fw.inet6.version, fw.inet6.table)
+		}
+	}
+
+	return nil
+}

pkg/ipfw/ipfw_context.go

@@ -0,0 +1,148 @@
+package ipfw
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/crowdsecurity/crowdsec/pkg/models"
+)
+
+type ipfwContext struct {
+	table   string
+	version string
+}
+
+const backendName = "ipfw"
+
+func decisionsToIPs(decisions []*models.Decision) []string {
+	ips := make([]string, 0, len(decisions))
+
+	for _, d := range decisions {
+		if d == nil || d.Value == nil {
+			continue
+		}
+
+		ips = append(ips, *d.Value)
+	}
+
+	return ips
+}
+
+// writeScript writes a sequence of "table <name> <action> <ip>" commands to a
+// temp file, to be run in a single batch with "ipfw -q <file>".
+func writeScript(table, action string, ips []string) (string, error) {
+	f, err := os.CreateTemp("", "crowdsec-ipfw-*.txt")
+	if err != nil {
+		return "", err
+	}
+
+	name := f.Name()
+	done := false
+
+	defer func() {
+		if !done {
+			_ = f.Close()
+			_ = os.Remove(name)
+		}
+	}()
+
+	w := bufio.NewWriter(f)
+	for _, ip := range ips {
+		if _, err = fmt.Fprintf(w, "table %s %s %s\n", table, action, ip); err != nil {
+			return "", err
+		}
+	}
+
+	if err = w.Flush(); err != nil {
+		return "", err
+	}
+
+	if err = f.Close(); err != nil {
+		return "", err
+	}
+
+	done = true
+
+	return name, nil
+}
+
+// checkTable makes sure the table already exists, it must be created
+// beforehand along with the rule(s) referencing it (e.g. "deny ip from
+// table(<name>) to any"), the bouncer only manages table membership.
+func (ctx *ipfwContext) checkTable() error {
+	log.Infof("Checking ipfw table: %s", ctx.table)
+
+	cmd := execIpfw("table", ctx.table, "info")
+
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("table %s doesn't exist: %s - %w", ctx.table, out, err)
+	}
+
+	return nil
+}
+
+func (ctx *ipfwContext) shutDown() error {
+	cmd := execIpfw("table", ctx.table, "flush")
+	log.Infof("ipfw table clean-up: %s", cmd)
+
+	if out, err := cmd.CombinedOutput(); err != nil {
+		log.Errorf("Error while flushing table (%s): %v --> %s", cmd, err, out)
+	}
+
+	return nil
+}
+
+func (ctx *ipfwContext) add(decisions []*models.Decision) error {
+	log.Debugf("Adding %d decisions", len(decisions))
+
+	ips := decisionsToIPs(decisions)
+
+	file, err := writeScript(ctx.table, "add", ips)
+	if err != nil {
+		return fmt.Errorf("writing decisions to temp file: %w", err)
+	}
+	defer os.Remove(file)
+
+	cmd := execIpfw("-q", file)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("error while adding to table (%s): %w --> %s", cmd, err, out)
+	}
+
+	return nil
+}
+
+func (ctx *ipfwContext) delete(decisions []*models.Decision) error {
+	log.Debugf("Removing %d decisions", len(decisions))
+
+	ips := decisionsToIPs(decisions)
+
+	file, err := writeScript(ctx.table, "delete", ips)
+	if err != nil {
+		return fmt.Errorf("writing decisions to temp file: %w", err)
+	}
+	defer os.Remove(file)
+
+	cmd := execIpfw("-q", file)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		log.Infof("Error while deleting from table (%s): %v --> %s", cmd, err, out)
+	}
+
+	return nil
+}
+
+func (ctx *ipfwContext) init() error {
+	if err := ctx.shutDown(); err != nil {
+		return fmt.Errorf("ipfw table flush failed: %w", err)
+	}
+
+	if err := ctx.checkTable(); err != nil {
+		return fmt.Errorf("ipfw init failed: %w", err)
+	}
+
+	log.Infof("%s initiated for %s", backendName, ctx.version)
+
+	return nil
+}