Removing Alias, deinstall hook?

[mmetc]

Hello!

In my crowdsec plugin, still unpublished, I create my stuff in plugins.inc.d/crowdsec.inc, then I call "configctl filter reload" at the time of installation. Not sure it's the best way, but it seems to work as I want.

My question is: can I remove the Alias objects when my plugin is uninstalled? I see some

+POST_DEINSTALL.post

scripts but should I call my php code from there? It's fine if the Alias is removed and recreated when the plugin is upgraded.

Is there a plugin that does a similar clean up?

Thanks

[...]
function add_alias_if_not_exist($name, $description, $proto) {
    $model = new OPNsense\Firewall\Alias();
    foreach ($model->aliases->alias->iterateItems() as $alias) {
        if ((string)$alias->name == $name) {
            return;
        }
    }

    $new_alias = $model->aliases->alias->Add();
    $new_alias->name = $name;
    $new_alias->description = $description;
    $new_alias->proto = $proto;
    $new_alias->type = 'external';
    $model->serializeToConfig();
    Config::getInstance()->save();
}

function crowdsec_firewall(\OPNsense\Firewall\Plugin $fw)
{
    if (!bouncer_enabled()) {
        return;
    }

    add_alias_if_not_exist('crowdsec_blacklists', 'CrowdSec (IPv4)', 'IPv4');

    $fw->registerFilterRule(
        1, /* priority */
        array(
            'ipprotocol'     => 'inet',
            'descr'          => 'CrowdSec (IPv4)',
            'from'           => '$crowdsec_blacklists',     # $ to reference an alias
            'type'           => 'block',
            'quick'          => true
        ),
        null
    );

    add_alias_if_not_exist('crowdsec6_blacklists', 'CrowdSec (IPv6)', 'IPv6');

    $fw->registerFilterRule(
        1, /* priority */
        array(
            'ipprotocol'     => 'inet6',
            'descr'          => 'CrowdSec (IPv6)',
            'from'           => '$crowdsec6_blacklists',    # $ to reference an alias
            'type'           => 'block',
            'quick'          => true
        ),
        null
    );
}
[...]

[franco]

Hi mmetc,

At the moment there is no facility for this. If you can create a GitHub ticket in core we can discuss options although we are not in a rush on this.

The deinstall-hook is problematic because it is also called during upgrades as far as pkg utility mechanics go.


Cheers,
Franco

[mmetc]

Thank you for your response, I'll create a ticket for this issue.

I can certainly tell the users to remove the aliases by hand.

As a temporary measure, I was playing with this script in +PRE_DEINSTALL.pre (or POST) but it doesn't work.

#!/bin/sh

/usr/local/bin/php << 'EOT'
<?php

@include_once("config.inc");
@include_once("certs.inc");
@include_once("util.inc");

use OPNsense\Firewall\Alias;
use OPNsense\Core\Config;

function removeAlias($name)
{
    $model = new Alias();
    foreach ($model->aliases->alias->iterateItems() as $index => $alias) {
        if (strval($alias->name) == $name) {
            if ($model->aliases->alias->del($index)) {
                $model->serializeToConfig();
            }
        }
    }
}

removeAlias('crowdsec_blacklists');
removeAlias('crowdsec6_blacklists');
EOT

[franco]

I think you missed this at the end

Config::getInstance()->save();


Cheers,
Franco

[mmetc]

Thank you, I somehow lost the notification of your reply and was coming back here to say the same thing.

Now I have a "configctl crowdsec remove-alias" event that I call from +PRE_DEINSTALL.pre and it works well.