Hello!
In my crowdsec plugin, still unpublished, I create my stuff in plugins.inc.d/crowdsec.inc, then I call "configctl filter reload" at the time of installation. Not sure it's the best way, but it seems to work as I want.
My question is: can I remove the Alias objects when my plugin is uninstalled? I see some +POST_DEINSTALL.post scripts but should I call my php code from there? It's fine if the Alias is removed and recreated when the plugin is upgraded.
Is there a plugin that does a similar clean up?
Thanks
[...]
function add_alias_if_not_exist($name, $description, $proto) {
    $model = new OPNsense\Firewall\Alias();
    foreach ($model->aliases->alias->iterateItems() as $alias) {
        if ((string)$alias->name == $name) {
            return;
        }
    }
    $new_alias = $model->aliases->alias->Add();
    $new_alias->name = $name;
    $new_alias->description = $description;
    $new_alias->proto = $proto;
    $new_alias->type = 'external';
    $model->serializeToConfig();
    Config::getInstance()->save();
}

function crowdsec_firewall(\OPNsense\Firewall\Plugin $fw)
{
    if (!bouncer_enabled()) {
        return;
    }
    add_alias_if_not_exist('crowdsec_blacklists', 'CrowdSec (IPv4)', 'IPv4');
    $fw->registerFilterRule(
        1, /* priority */
        array(
            'ipprotocol' => 'inet',
            'descr' => 'CrowdSec (IPv4)',
            'from' => '$crowdsec_blacklists', # $ to reference an alias
            'type' => 'block',
            'quick' => true
        ),
        null
    );
    add_alias_if_not_exist('crowdsec6_blacklists', 'CrowdSec (IPv6)', 'IPv6');
    $fw->registerFilterRule(
        1, /* priority */
        array(
            'ipprotocol' => 'inet6',
            'descr' => 'CrowdSec (IPv6)',
            'from' => '$crowdsec6_blacklists', # $ to reference an alias
            'type' => 'block',
            'quick' => true
        ),
        null
    );
}
[...]
Hi mmetc,
At the moment there is no facility for this. If you can create a GitHub ticket in core we can discuss options although we are not in a rush on this.
The deinstall-hook is problematic because it is also called during upgrades as far as pkg utility mechanics go.
Cheers,
Franco
Thank you for your response, I'll create a ticket for this issue.
I can certainly tell the users to remove the aliases by hand.
As a temporary measure, I was playing with this script in +PRE_DEINSTALL.pre (or POST) but it doesn't work.
#!/bin/sh
/usr/local/bin/php << 'EOT'
<?php
@include_once("config.inc");
@include_once("certs.inc");
@include_once("util.inc");

use OPNsense\Firewall\Alias;
use OPNsense\Core\Config;

function removeAlias($name)
{
    $model = new Alias();
    foreach ($model->aliases->alias->iterateItems() as $index => $alias) {
        if (strval($alias->name) == $name) {
            if ($model->aliases->alias->del($index)) {
                $model->serializeToConfig();
            }
        }
    }
}

removeAlias('crowdsec_blacklists');
removeAlias('crowdsec6_blacklists');
EOT
I think you missed this at the end ;)
Config::getInstance()->save();
Cheers,
Franco
Thank you, I somehow lost the notification of your reply and was coming back here to say the same thing.
Now I have a "configctl crowdsec remove-alias" event that I call from +PRE_DEINSTALL.pre and it works well.
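
The removal script from this thread with Franco's fix applied, as an added example that is not the plugin's own code. It uses only the model calls shown in the posts above; the function name removeAliases and the single save at the end are choices made here, and it assumes it is run on an OPNsense host.

```php
<?php
// Added example, not the plugin's code. Assumes an OPNsense host where
// config.inc is on the include path, as in the script posted above.
require_once("config.inc");

use OPNsense\Core\Config;
use OPNsense\Firewall\Alias;

/**
 * Remove the named aliases and persist the change.
 * Returns the number of aliases deleted.
 */
function removeAliases(array $names)
{
    $model = new Alias();

    // Collect matching keys first so nothing is deleted while iterating.
    $keys = array();
    foreach ($model->aliases->alias->iterateItems() as $key => $alias) {
        if (in_array((string)$alias->name, $names, true)) {
            $keys[] = $key;
        }
    }

    $removed = 0;
    foreach ($keys as $key) {
        if ($model->aliases->alias->del($key)) {
            $removed++;
        }
    }

    // serializeToConfig() only updates the in-memory configuration;
    // without save() the deletion is lost when the script exits.
    if ($removed > 0) {
        $model->serializeToConfig();
        Config::getInstance()->save();
    }
    return $removed;
}

$count = removeAliases(array('crowdsec_blacklists', 'crowdsec6_blacklists'));
echo "removed {$count} alias(es)\n";
```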