fix: Remove duplicate packages and disable sheeva64 device

- Remove secubox-app-crowdsec (conflicts with feeds/packages/crowdsec)
- Remove secubox-app-netifyd (conflicts with feeds/packages/netifyd)
- Fix Makefile dependencies: crowdsec-firewall-bouncer, syslog-ng
- Fix luci-app-secubox-portal Makefile (correct luci.mk path)
- Fix luci-app-secubox-security-threats (add BuildPackage)
- Disable sheeva64 device in GitHub Actions and local-build.sh
- Update documentation with correct package names

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-01-09 20:02:45 +01:00
parent 7975b22ca3
commit a6a306b021
33 changed files with 14 additions and 3236 deletions


@ -11,8 +11,6 @@ on:
options:
- espressobin-v7
- espressobin-ultra
- sheeva64
- sheeva64-wifi
- mochabin
- all
openwrt_version:
@ -79,20 +77,6 @@ jobs:
"profile": "globalscale_espressobin-ultra",
"description": "ESPRESSObin Ultra (PoE, WiFi)"
},
{
"device": "sheeva64",
"target": "mvebu",
"subtarget": "cortexa53",
"profile": "globalscale_sheeva64",
"description": "Sheeva64 (Plug computer)"
},
{
"device": "sheeva64-wifi",
"target": "mvebu",
"subtarget": "cortexa53",
"profile": "globalscale_sheeva64",
"description": "Sheeva64 WiFi (802.11ac + BT)"
},
{
"device": "mochabin",
"target": "mvebu",
@ -370,19 +354,11 @@ jobs:
EOF
;;
espressobin-ultra|sheeva64-wifi)
espressobin-ultra)
# WiFi support
cat >> .config << EOF
CONFIG_PACKAGE_kmod-mt76=y
CONFIG_PACKAGE_kmod-mac80211=y
EOF
;;
sheeva64*)
# Minimal for plug computer
cat >> .config << EOF
# Optimized for plug form factor
CONFIG_PACKAGE_kmod-ledtrig-heartbeat=y
EOF
;;
esac


@ -39,7 +39,7 @@ secubox-crowdsec-setup --install
opkg update
# Install required packages
opkg install crowdsec crowdsec-firewall-bouncer-nftables syslog-ng4
opkg install crowdsec crowdsec-firewall-bouncer syslog-ng
# Install LuCI dashboard (optional)
opkg install luci-app-secubox-crowdsec
@ -55,7 +55,7 @@ opkg install luci-app-secubox-crowdsec
+--------------+--------------+
| |
+-------v-------+ +---------v---------+
| syslog-ng4 | | logread -f |
| syslog-ng | | logread -f |
| (UDP 5140) | | (fallback) |
+-------+-------+ +---------+---------+
| |
@ -88,7 +88,7 @@ opkg install luci-app-secubox-crowdsec
## Components
### 1. syslog-ng4 Configuration
### 1. syslog-ng Configuration
Located at `/etc/syslog-ng/syslog-ng.conf`, this configuration:
- Captures all system logs via Unix socket
@ -306,9 +306,9 @@ secubox-crowdsec-setup --uninstall
/etc/init.d/syslog-ng stop
opkg remove luci-app-secubox-crowdsec
opkg remove crowdsec-firewall-bouncer-nftables
opkg remove crowdsec-firewall-bouncer
opkg remove crowdsec
opkg remove syslog-ng4
opkg remove syslog-ng
# Clean nftables
nft delete table ip crowdsec


@ -11,7 +11,7 @@ PKG_VERSION:=1.0.0
PKG_RELEASE:=1
LUCI_TITLE:=LuCI SecuBox CrowdSec Dashboard
LUCI_DEPENDS:=+luci-base +crowdsec +crowdsec-firewall-bouncer-nftables
LUCI_DEPENDS:=+luci-base +crowdsec +crowdsec-firewall-bouncer
LUCI_PKGARCH:=all
PKG_MAINTAINER:=Gerald Kerma <gandalf@gk2.net>
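Review bot: The `+crowdsec` entry on the new `LUCI_DEPENDS` line now has to be satisfied by the feeds/packages build, since this commit deletes the local package that installed the `acquis.d/openwrt-*.yaml` templates and the `99_crowdsec` uci-defaults script. If the feed package does not ship equivalent acquisition files, the engine may come up with no log source configured and the dashboard would have nothing to report; that is worth confirming on a clean image. A comment above the line would record where the dependencies come from, e.g. `# crowdsec and crowdsec-firewall-bouncer are provided by feeds/packages, not by this repo`. The rest of the Makefile lies outside the hunk.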


@ -15,7 +15,6 @@ PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=SecuBox Team <secubox@example.com>
include ../../luci.mk
include $(TOPDIR)/feeds/luci/luci.mk
# call BuildPackage - OpenWrt buildance!
$(eval $(call BuildPackage,luci-app-secubox-portal))
# call BuildPackage - OpenWrt buildroot signature


@ -25,3 +25,4 @@ PKG_FILE_MODES:=/usr/libexec/rpcd/luci.secubox-security-threats:root:root:755
include $(TOPDIR)/feeds/luci/luci.mk
# call BuildPackage - OpenWrt buildroot signature
$(eval $(call BuildPackage,luci-app-secubox-security-threats))
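Review bot: The added `$(eval $(call BuildPackage,luci-app-secubox-security-threats))` follows `include $(TOPDIR)/feeds/luci/luci.mk`, and luci.mk, as far as I know, already evaluates BuildPackage for `$(PKG_NAME)`; the `# call BuildPackage - OpenWrt buildroot signature` comment is normally all a LuCI app Makefile needs, so this line may define the package a second time. The luci-app-secubox-portal section of this same commit appears to treat its explicit call differently (the lost +/- markers make it unclear whether it is kept), so the two Makefiles should at least agree. If the explicit call is really required, `$(eval $(call BuildPackage,$(PKG_NAME)))` keeps the name from drifting away from `PKG_NAME`; otherwise drop the line and keep only the comment. The top of the Makefile is outside the hunk, so the `PKG_NAME` assignment is not visible here.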


@ -1,250 +0,0 @@
# SPDX-License-Identifier: MIT
#
# Copyright (C) 2021-2022 Gerald Kerma <gandalf@gk2.net>
#
include $(TOPDIR)/rules.mk
PKG_NAME:=crowdsec
PKG_VERSION:=1.7.4
PKG_RELEASE:=3
PKG_ARCH:=all
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/crowdsec/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=755b5c2c1a8cef24b56fd2fbc7d2942f6fc525c625a78f9c65229e5b3b305327
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Gerald Kerma <gandalf@gk2.net>
PKG_BUILD_DEPENDS:=golang/host
PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=no-mips16
CWD_SYSTEM:=openwrt
CWD_BUILD_VERSION?=v$(PKG_VERSION)
CWD_BUILD_GOVERSION:=$(shell go version 2>/dev/null | cut -d " " -f3 | sed -E 's/[go]+//g' || echo "1.23")
CWD_BUILD_CODENAME:=alphaga
CWD_BUILD_TIMESTAMP:=$(shell date +%F"_"%T)
CWD_BUILD_TAG:=openwrt-$(PKG_VERSION)-$(PKG_RELEASE)
CWD_VERSION_PKG:=github.com/crowdsecurity/go-cs-lib/version
GO_PKG:=github.com/crowdsecurity/crowdsec
GO_PKG_INSTALL_ALL:=1
GO_PKG_LDFLAGS_X:=$(CWD_VERSION_PKG).Version=$(CWD_BUILD_VERSION) \
$(CWD_VERSION_PKG).System=$(CWD_SYSTEM) \
$(CWD_VERSION_PKG).BuildDate=$(CWD_BUILD_TIMESTAMP) \
$(CWD_VERSION_PKG).Codename=$(CWD_BUILD_CODENAME) \
$(CWD_VERSION_PKG).Tag=$(CWD_BUILD_TAG) \
$(CWD_VERSION_PKG).GoVersion=$(CWD_BUILD_GOVERSION)
include $(INCLUDE_DIR)/package.mk
include $(TOPDIR)/feeds/packages/lang/golang/golang-package.mk
# Keep Go in module mode so it honors our local replacements.
GO_MOD_ARGS+=-mod=mod
CWD_GO_CSLIB_VERSION:=v0.0.24
CWD_GO_VENDOR_ROOT:=secubox-vendor
CWD_GO_VENDOR_MODULES:= \
github.com/crowdsecurity/go-cs-lib@$(CWD_GO_CSLIB_VERSION) \
github.com/crowdsecurity/time@v0.13.0-crowdsec.20250912 \
github.com/moby/moby/api@v1.52.1-0.20251116162601-e9ff10bf365a \
github.com/moby/moby/client@v0.1.1-0.20251116162601-e9ff10bf365a \
golang.org/x/crypto@v0.42.0 \
golang.org/x/mod@v0.28.0 \
golang.org/x/net@v0.44.0 \
golang.org/x/sync@v0.17.0 \
golang.org/x/sys@v0.37.0 \
golang.org/x/term@v0.35.0 \
golang.org/x/text@v0.29.0 \
golang.org/x/tools@v0.37.0 \
golang.org/x/telemetry@v0.0.0-20250908211612-aef8a434d053
define CWD/EnsureModuleSource
if [ ! -d "$(DL_DIR)/go-mod-cache/$(1)@$(2)" ]; then \
$(INSTALL_DIR) "$(DL_DIR)/go-mod-cache/cache/download/$(1)/@v"; \
wget -q -O "$(DL_DIR)/go-mod-cache/cache/download/$(1)/@v/$(2).zip" \
"https://proxy.golang.org/$(1)/@v/$(2).zip"; \
unzip -q -d "$(DL_DIR)/go-mod-cache" \
"$(DL_DIR)/go-mod-cache/cache/download/$(1)/@v/$(2).zip"; \
fi
endef
define CWD/StageVendorModule
$(call CWD/EnsureModuleSource,$(1),$(2))
rm -rf $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)
$(INSTALL_DIR) $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)
$(CP) \
$(DL_DIR)/go-mod-cache/$(1)@$(2)/. \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)/
if [ -f $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)/go.mod ]; then \
$(SED) 's,^go 1\.[2-9][0-9]*.*,go 1.23,' \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)/go.mod; \
fi
endef
define Build/Prepare
$(call Build/Prepare/Default)
# CrowdSec upstream requires Go 1.25+, but our SDK ships 1.23.x.
# Force the go.mod directive down so the stock toolchain can build it.
$(SED) 's,go 1\.[2-9][0-9]*.*,go 1.23,' $(PKG_BUILD_DIR)/go.mod
# Stage Go modules that require newer compilers so we can pin them locally and drop their go directive.
$(call CWD/StageVendorModule,github.com/crowdsecurity/go-cs-lib,$(CWD_GO_CSLIB_VERSION))
$(call CWD/StageVendorModule,github.com/crowdsecurity/time,v0.13.0-crowdsec.20250912)
$(call CWD/StageVendorModule,github.com/moby/moby/api,v1.52.1-0.20251116162601-e9ff10bf365a)
$(call CWD/StageVendorModule,github.com/moby/moby/client,v0.1.1-0.20251116162601-e9ff10bf365a)
$(call CWD/StageVendorModule,golang.org/x/crypto,v0.42.0)
$(call CWD/StageVendorModule,golang.org/x/mod,v0.28.0)
$(call CWD/StageVendorModule,golang.org/x/net,v0.44.0)
$(call CWD/StageVendorModule,golang.org/x/sync,v0.17.0)
$(call CWD/StageVendorModule,golang.org/x/sys,v0.37.0)
$(call CWD/StageVendorModule,golang.org/x/term,v0.35.0)
$(call CWD/StageVendorModule,golang.org/x/text,v0.29.0)
$(call CWD/StageVendorModule,golang.org/x/tools,v0.37.0)
$(call CWD/StageVendorModule,golang.org/x/telemetry,v0.0.0-20250908211612-aef8a434d053)
$(SED) 's@for line := range strings.SplitSeq@for _, line := range strings.SplitSeq@g' \
$(PKG_BUILD_DIR)/pkg/appsec/appsec_rules_collection.go
$(SED) 's@for f := range strings.SplitSeq@for _, f := range strings.SplitSeq@g' \
$(PKG_BUILD_DIR)/pkg/parser/runtime.go
$(SED) 's,strings.SplitSeq,strings.Split,g' \
$(PKG_BUILD_DIR)/pkg/appsec/appsec_rules_collection.go
$(SED) 's,strings.SplitSeq,strings.Split,g' \
$(PKG_BUILD_DIR)/pkg/parser/runtime.go
$(SED) 's@for line := range strings.SplitSeq(description, "\\n") {@for _, line := range strings.Split(description, "\\n") {@g' \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/golang.org/x/tools/internal/mcp/generate.go
$(SED) 's@for field := range strings.FieldsSeq(line) {@for _, field := range strings.Fields(line) {@g' \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/golang.org/x/tools/internal/mcp/generate.go
$(SED) 's@for line := range strings.SplitSeq(stdout.String(), "\\n") {@for _, line := range strings.Split(stdout.String(), "\\n") {@g' \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/golang.org/x/tools/internal/stdlib/generate.go
endef
define Package/crowdsec/Default
SECTION:=net
CATEGORY:=Network
TITLE:=Crowdsec detection engine
URL:=https://crowdsec.net/
endef
define Package/crowdsec
$(call Package/crowdsec/Default)
DEPENDS:=$(GO_ARCH_DEPENDS) +libc
endef
define Package/golang-crowdsec-dev
$(call Package/crowdsec/Default)
$(call GoPackage/GoSubMenu)
TITLE+= (source files)
DEPENDS:=$(GO_ARCH_DEPENDS)
PKGARCH:=all
endef
define Package/crowdsec/Default/description
Crowdsec - An open-source, lightweight agent to detect
and respond to bad behaviours.
It also automatically benefits from a global
community-wide IP reputation database.
endef
define Package/crowdsec/description
$(call Package/crowdsec/Default/description)
This package contains the main program.
endef
define Package/golang-crowdsec-dev/description
$(call Package/crowdsec/Default/description)
This package provides the source files for the program.
endef
ifneq ($(CONFIG_USE_MUSL),)
TARGET_CFLAGS += -D_LARGEFILE64_SOURCE
endif
define Package/crowdsec/install
$(call GoPackage/Package/Install/Bin,$(1))
$(INSTALL_DIR) $(1)/etc/crowdsec
$(INSTALL_DIR) $(1)/etc/crowdsec/scenarios
$(INSTALL_DIR) $(1)/etc/crowdsec/postoverflows
$(INSTALL_DIR) $(1)/etc/crowdsec/collections
$(INSTALL_DIR) $(1)/etc/crowdsec/patterns
$(INSTALL_DIR) $(1)/etc/crowdsec/hub
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/config.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/dev.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/user.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/acquis.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/profiles.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/simulation.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/local_api_credentials.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/online_api_credentials.yaml \
$(1)/etc/crowdsec/
$(CP) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/patterns/* \
$(1)/etc/crowdsec/patterns
# Install acquisition configuration directory and templates
$(INSTALL_DIR) $(1)/etc/crowdsec/acquis.d
$(INSTALL_DATA) \
./files/acquis.d/openwrt-syslog.yaml \
$(1)/etc/crowdsec/acquis.d/
$(INSTALL_DATA) \
./files/acquis.d/openwrt-dropbear.yaml \
$(1)/etc/crowdsec/acquis.d/
$(INSTALL_DATA) \
./files/acquis.d/openwrt-firewall.yaml \
$(1)/etc/crowdsec/acquis.d/
$(INSTALL_DATA) \
./files/acquis.d/openwrt-uhttpd.yaml \
$(1)/etc/crowdsec/acquis.d/
$(INSTALL_DIR) $(1)/srv/crowdsec/data/
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) \
./files/crowdsec.initd \
$(1)/etc/init.d/crowdsec
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) \
./files/crowdsec.config \
$(1)/etc/config/crowdsec
$(LN) /usr/bin/crowdsec-cli $(1)/usr/bin/cscli
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_BIN) \
./files/crowdsec.defaults \
$(1)/etc/uci-defaults/99_crowdsec
endef
define Package/crowdsec/conffiles
/etc/crowdsec/
/etc/crowdsec/acquis.d/
/etc/config/crowdsec
endef
$(eval $(call GoBinPackage,crowdsec))
$(eval $(call BuildPackage,crowdsec))


@ -1,236 +0,0 @@
# SecuBox App - CrowdSec
## Version
- **Package**: secubox-app-crowdsec
- **CrowdSec Core**: v1.7.4
- **Release**: 3
- **Last Updated**: January 2025
## Description
CrowdSec is an open-source, lightweight security engine that detects and responds to malicious behaviors. This SecuBox package provides CrowdSec for OpenWrt routers with automatic log acquisition configuration.
## Key Features (v1.7.4)
- WAF capability with DropRequest helper for request blocking
- Refactored syslog acquisition using RestartableStreamer
- Optional pure-go SQLite driver for better compatibility
- Enhanced logging configuration with syslog media support
- Configurable usage metrics export (api.server.disable_usage_metrics_export)
- Fixed LAPI metrics cardinality issues with Prometheus
- Data race prevention in Docker acquisition
- Database query optimization for decision streams
- **Automatic OpenWrt log acquisition configuration**
- **UCI-based acquisition management**
## Package Contents
- **Makefile**: OpenWrt package definition for CrowdSec v1.7.4
- **files/**: Configuration and init scripts
- `crowdsec.initd`: Init script for service management
- `crowdsec.config`: UCI configuration (with acquisition settings)
- `crowdsec.defaults`: Default configuration with auto-detection
- `acquis.d/`: Acquisition configuration templates
- `openwrt-syslog.yaml`: System syslog logs
- `openwrt-dropbear.yaml`: SSH/Dropbear logs
- `openwrt-firewall.yaml`: iptables/nftables firewall logs
- `openwrt-uhttpd.yaml`: uHTTPd web server logs
## Installation
```bash
# From SecuBox build environment
cd /home/reepost/CyberMindStudio/_files/secubox-openwrt
make package/secubox/secubox-app-crowdsec/compile V=s
# Install on router
opkg install crowdsec_1.7.4-3_*.ipk
```
## Configuration
### UCI Configuration
CrowdSec uses UCI for configuration in `/etc/config/crowdsec`:
```bash
# View current configuration
uci show crowdsec
# Main settings
uci set crowdsec.crowdsec.data_dir='/srv/crowdsec/data'
uci set crowdsec.crowdsec.db_path='/srv/crowdsec/data/crowdsec.db'
# Acquisition settings
uci set crowdsec.acquisition.syslog_enabled='1'
uci set crowdsec.acquisition.firewall_enabled='1'
uci set crowdsec.acquisition.ssh_enabled='1'
uci set crowdsec.acquisition.http_enabled='0'
uci set crowdsec.acquisition.syslog_path='/var/log/messages'
# Hub settings
uci set crowdsec.hub.auto_install='1'
uci set crowdsec.hub.collections='crowdsecurity/linux crowdsecurity/iptables'
uci set crowdsec.hub.update_interval='7'
uci commit crowdsec
```
### File Locations
- Main config: `/etc/crowdsec/config.yaml`
- Acquisition directory: `/etc/crowdsec/acquis.d/`
- Legacy acquisition: `/etc/crowdsec/acquis.yaml`
- Profiles: `/etc/crowdsec/profiles.yaml`
- Local API: `/etc/crowdsec/local_api_credentials.yaml`
- Data directory: `/srv/crowdsec/data/`
## Log Acquisition Configuration
### Automatic Detection
On first boot, the defaults script automatically:
1. Detects OpenWrt log file configuration
2. Identifies installed services (Dropbear, firewall)
3. Generates appropriate acquisition configs
4. Installs recommended Hub collections
### Supported Log Sources
| Log Source | Default | Collection Required |
|------------|---------|---------------------|
| System Syslog | Enabled | crowdsecurity/linux |
| SSH/Dropbear | Enabled | crowdsecurity/linux |
| Firewall (iptables/nftables) | Enabled | crowdsecurity/iptables |
| HTTP (uHTTPd/nginx) | Disabled | crowdsecurity/http-cve |
### Custom Acquisition
Add custom acquisition configs to `/etc/crowdsec/acquis.d/`:
```yaml
# /etc/crowdsec/acquis.d/custom.yaml
filenames:
- /var/log/custom-app/*.log
labels:
type: syslog
```
### Syslog Service Mode
To run CrowdSec as a syslog server (receive logs from other devices):
```bash
uci set crowdsec.acquisition.syslog_listen_addr='0.0.0.0'
uci set crowdsec.acquisition.syslog_listen_port='514'
uci commit crowdsec
/etc/init.d/crowdsec restart
```
## Service Management
```bash
# Start CrowdSec
/etc/init.d/crowdsec start
# Stop CrowdSec
/etc/init.d/crowdsec stop
# Restart CrowdSec
/etc/init.d/crowdsec restart
# Check status
/etc/init.d/crowdsec status
```
## CLI Usage
CrowdSec CLI is available via `cscli`:
```bash
# Check version
cscli version
# Check acquisition status
cscli metrics show acquisition
# List decisions
cscli decisions list
# View alerts
cscli alerts list
# Manage collections
cscli collections list
cscli collections install crowdsecurity/nginx
# Manage Hub
cscli hub update
cscli hub upgrade
# Manage bouncers
cscli bouncers list
cscli bouncers add firewall-bouncer
```
## Hub Collections for OpenWrt
### Recommended Collections
```bash
# Core Linux detection (SSH brute-force, etc.)
cscli collections install crowdsecurity/linux
# Firewall log analysis (port scan detection)
cscli collections install crowdsecurity/iptables
# Syslog parsing
cscli parsers install crowdsecurity/syslog-logs
# Whitelists for reducing false positives
cscli parsers install crowdsecurity/whitelists
```
### Optional Collections
```bash
# HTTP attack detection
cscli collections install crowdsecurity/http-cve
# nginx logs
cscli collections install crowdsecurity/nginx
# Smb/Samba
cscli collections install crowdsecurity/smb
```
## Integration with SecuBox
This package integrates with:
- **luci-app-crowdsec-dashboard** v0.5.0+
- **secubox-app-crowdsec-bouncer** - Firewall bouncer
- **SecuBox Theme System**
- **SecuBox Logging** (`secubox-log`)
## Dependencies
- Go compiler (build-time)
- SQLite3
- OpenWrt base system
## References
- Upstream: https://github.com/crowdsecurity/crowdsec
- Documentation: https://docs.crowdsec.net/
- Hub: https://hub.crowdsec.net/
- Acquisition Docs: https://docs.crowdsec.net/docs/next/log_processor/data_sources/intro/
- SecuBox Project: https://cybermind.fr
## Changelog
### v1.7.4-3 (2025-01)
- Added automatic log acquisition configuration
- Added UCI-based acquisition management
- Added acquis.d directory with OpenWrt-specific templates
- Improved Hub collection auto-installation
- Added acquisition for syslog, SSH/Dropbear, firewall, HTTP
- Enhanced defaults script with detection logic
### v1.7.4-2 (2024-12)
- Updated from v1.6.2 to v1.7.4
- Added WAF/AppSec support
- Improved syslog acquisition
- Enhanced metrics export configuration
- Fixed Prometheus cardinality issues
### v1.6.2-1 (Previous)
- Initial SecuBox integration
- Basic OpenWrt compatibility patches
## License
MIT License
## Maintainer
CyberMind.fr - Gandalf <gandalf@gk2.net>


@ -1,29 +0,0 @@
# OpenWrt Dropbear SSH Acquisition
# This configuration monitors SSH authentication logs from Dropbear
#
# Dropbear logs are typically sent to syslog and can be found in:
# - /var/log/messages (if syslog is configured to write to file)
# - Via logread command (OpenWrt default)
#
# Required collections:
# cscli collections install crowdsecurity/linux
# cscli parsers install crowdsecurity/syslog-logs
#
# The crowdsecurity/linux collection includes SSH brute-force detection
# scenarios that work with Dropbear authentication logs.
#
# Example Dropbear log entries that will be parsed:
# dropbear[1234]: Bad password attempt for 'root' from 192.168.1.100:54321
# dropbear[1234]: Login attempt for nonexistent user 'admin' from 192.168.1.100:54321
# dropbear[1234]: Pubkey auth succeeded for 'root' with ssh-ed25519 key
# dropbear[1234]: Exit (root) from <192.168.1.100:54321>: Disconnect received
#
# Note: Since Dropbear logs go to syslog, the openwrt-syslog.yaml
# acquisition config will capture these logs. This file serves as
# documentation for Dropbear-specific detection.
# If using a dedicated auth log file:
# filenames:
# - /var/log/auth.log
# labels:
# type: syslog


@ -1,40 +0,0 @@
# OpenWrt Firewall Logs Acquisition
# This configuration monitors iptables/nftables firewall logs
#
# Required collections:
# cscli collections install crowdsecurity/iptables
#
# The crowdsecurity/iptables collection provides:
# - crowdsecurity/iptables-logs parser (for -j LOG entries)
# - crowdsecurity/iptables-scan-multi_ports scenario (port scan detection)
#
# To enable firewall logging in OpenWrt, add LOG rules to your firewall config:
#
# For nftables (OpenWrt 22.03+):
# nft add rule inet fw4 input counter log prefix "fw4-INPUT: " drop
#
# For iptables (legacy):
# iptables -A INPUT -j LOG --log-prefix "iptables-INPUT: "
#
# Or via /etc/config/firewall:
# config rule
# option name 'Log-Dropped'
# option src 'wan'
# option dest '*'
# option proto 'all'
# option target 'LOG'
# option log_prefix 'fw-DROP: '
#
# Firewall logs are typically written to kernel log (kern.log)
# or syslog depending on system configuration.
# Kernel/firewall log file acquisition
filenames:
- /var/log/kern.log
- /var/log/firewall.log
labels:
type: syslog
---
# Alternative: If firewall logs go to main syslog
# The openwrt-syslog.yaml acquisition will capture them
# as long as the iptables collection parser is installed


@ -1,28 +0,0 @@
# OpenWrt System Syslog Acquisition
# This configuration monitors OpenWrt system logs via syslog
# For local log files or syslog forwarding scenarios
#
# Note: OpenWrt uses logd by default which doesn't write to files.
# Enable syslog-ng or configure log_file in /etc/config/system
# to enable file-based log acquisition.
#
# Required collections:
# cscli collections install crowdsecurity/linux
# cscli parsers install crowdsecurity/syslog-logs
# File-based acquisition for syslog (if log_file is configured)
filenames:
- /var/log/messages
- /var/log/syslog
labels:
type: syslog
---
# Alternative: Syslog service acquisition
# Uncomment this section if using remote syslog forwarding
# or if CrowdSec should act as a syslog server
#
# source: syslog
# listen_addr: 127.0.0.1
# listen_port: 10514
# labels:
# type: syslog


@ -1,29 +0,0 @@
# OpenWrt uHTTPd Web Server Acquisition
# This configuration monitors uHTTPd access/error logs
#
# By default, uHTTPd logs to syslog. To enable file-based logging,
# configure uHTTPd in /etc/config/uhttpd:
#
# config uhttpd 'main'
# option access_log '/var/log/uhttpd/access.log'
# option error_log '/var/log/uhttpd/error.log'
#
# Required parsers:
# cscli parsers install crowdsecurity/syslog-logs
#
# For HTTP-based attacks, consider installing:
# cscli collections install crowdsecurity/http-cve
# cscli scenarios install crowdsecurity/http-probing
# cscli scenarios install crowdsecurity/http-bad-user-agent
# uHTTPd access logs
# filenames:
# - /var/log/uhttpd/access.log
# labels:
# type: syslog
---
# uHTTPd error logs
# filenames:
# - /var/log/uhttpd/error.log
# labels:
# type: syslog


@ -1,30 +0,0 @@
config crowdsec 'crowdsec'
option data_dir '/srv/crowdsec/data'
option db_path '/srv/crowdsec/data/crowdsec.db'
# Acquisition configuration
config acquisition 'acquisition'
# Enable/disable specific log sources
option syslog_enabled '1'
option firewall_enabled '1'
option ssh_enabled '1'
option http_enabled '0'
# Syslog service settings (if using CrowdSec as syslog server)
option syslog_listen_addr '127.0.0.1'
option syslog_listen_port '10514'
# Log file paths (OpenWrt-specific)
option syslog_path '/var/log/messages'
option auth_log_path '/var/log/auth.log'
option kernel_log_path '/var/log/kern.log'
# Hub configuration
config hub 'hub'
# Auto-install recommended collections on first boot
option auto_install '1'
# Collections to install (space-separated)
option collections 'crowdsecurity/linux crowdsecurity/iptables'
# Additional parsers
option parsers 'crowdsecurity/syslog-logs crowdsecurity/whitelists'
# Hub update interval in days (0 to disable auto-update)
option update_interval '7'


@ -1,317 +0,0 @@
#!/bin/sh
#
# CrowdSec UCI Defaults Script
# Configures CrowdSec on first install with automatic acquisition setup
#
CONFIG=/etc/crowdsec/config.yaml
ACQUIS_DIR=/etc/crowdsec/acquis.d
UCI_CONFIG=/etc/config/crowdsec
# Load UCI functions
. /lib/functions.sh
# Get UCI values with defaults
get_uci_value() {
local section="$1"
local option="$2"
local default="$3"
local value
value=$(uci -q get "crowdsec.${section}.${option}")
echo "${value:-$default}"
}
# Configure data paths
setup_paths() {
local data_dir
local db_path
data_dir=$(get_uci_value "crowdsec" "data_dir" "/srv/crowdsec/data")
db_path=$(get_uci_value "crowdsec" "db_path" "/srv/crowdsec/data/crowdsec.db")
sed -i "s,^\(\s*data_dir\s*:\s*\).*\$,\1$data_dir," $CONFIG
sed -i "s,^\(\s*db_path\s*:\s*\).*\$,\1$db_path," $CONFIG
# Create data dir & permissions if needed
if [ ! -d "${data_dir}" ]; then
mkdir -m 0755 -p "${data_dir}"
fi
}
# Create machine-id if not exists
setup_machine_id() {
if [ ! -f /etc/machine-id ]; then
cat /proc/sys/kernel/random/uuid | tr -d "-" > /etc/machine-id
echo "Created machine-id"
fi
}
# Register local API machine
register_lapi() {
if grep -q "login:" /etc/crowdsec/local_api_credentials.yaml 2>/dev/null; then
echo "Local API already registered"
else
echo "Registering local API machine..."
cscli -c /etc/crowdsec/config.yaml machines add -a -f /etc/crowdsec/local_api_credentials.yaml
fi
}
# Register with Central API (CAPI) for threat intelligence sharing
register_capi() {
if ! grep -q "login:" /etc/crowdsec/online_api_credentials.yaml 2>/dev/null; then
echo "Registering with Central API (CAPI)..."
if cscli capi register 2>/dev/null; then
echo "Successfully registered with Central API"
else
echo "WARNING: CAPI registration failed - will run in local-only mode"
# Create minimal credentials file to prevent errors
echo "url: https://api.crowdsec.net/" > /etc/crowdsec/online_api_credentials.yaml
fi
else
echo "Central API already registered"
fi
}
# Update hub index
update_hub() {
local update_interval
update_interval=$(get_uci_value "hub" "update_interval" "7")
if [ "$update_interval" = "0" ]; then
echo "Hub auto-update disabled"
return 0
fi
if [ ! -f /etc/crowdsec/hub/.index.json ] || \
[ $(find /etc/crowdsec/hub/.index.json -mtime +${update_interval} 2>/dev/null | wc -l) -gt 0 ]; then
echo "Updating hub index..."
cscli hub update 2>/dev/null || true
fi
}
# Install collections and parsers from Hub
install_hub_items() {
local auto_install
local collections
local parsers
auto_install=$(get_uci_value "hub" "auto_install" "1")
if [ "$auto_install" != "1" ]; then
echo "Hub auto-install disabled"
return 0
fi
# Install collections
collections=$(get_uci_value "hub" "collections" "crowdsecurity/linux crowdsecurity/iptables")
for collection in $collections; do
echo "Installing collection: $collection"
cscli collections install "$collection" 2>/dev/null || true
done
# Install additional parsers
parsers=$(get_uci_value "hub" "parsers" "crowdsecurity/syslog-logs crowdsecurity/whitelists")
for parser in $parsers; do
echo "Installing parser: $parser"
cscli parsers install "$parser" 2>/dev/null || true
done
# Upgrade all hub items
cscli hub upgrade 2>/dev/null || true
}
# Generate dynamic acquisition configuration
generate_acquisition_config() {
local syslog_enabled
local firewall_enabled
local ssh_enabled
local http_enabled
local syslog_path
local kernel_log_path
local auth_log_path
# Ensure acquis.d directory exists
mkdir -p "$ACQUIS_DIR"
# Get acquisition settings from UCI
syslog_enabled=$(get_uci_value "acquisition" "syslog_enabled" "1")
firewall_enabled=$(get_uci_value "acquisition" "firewall_enabled" "1")
ssh_enabled=$(get_uci_value "acquisition" "ssh_enabled" "1")
http_enabled=$(get_uci_value "acquisition" "http_enabled" "0")
syslog_path=$(get_uci_value "acquisition" "syslog_path" "/var/log/messages")
kernel_log_path=$(get_uci_value "acquisition" "kernel_log_path" "/var/log/kern.log")
auth_log_path=$(get_uci_value "acquisition" "auth_log_path" "/var/log/auth.log")
# Generate syslog acquisition config
if [ "$syslog_enabled" = "1" ]; then
echo "Configuring syslog acquisition..."
cat > "$ACQUIS_DIR/openwrt-syslog.yaml" << EOF
# OpenWrt System Syslog Acquisition
# Auto-generated by crowdsec.defaults
# Monitors system logs for security events
filenames:
- ${syslog_path}
- /var/log/syslog
labels:
type: syslog
EOF
else
rm -f "$ACQUIS_DIR/openwrt-syslog.yaml"
fi
# Generate firewall acquisition config
if [ "$firewall_enabled" = "1" ]; then
echo "Configuring firewall log acquisition..."
cat > "$ACQUIS_DIR/openwrt-firewall.yaml" << EOF
# OpenWrt Firewall Logs Acquisition
# Auto-generated by crowdsec.defaults
# Monitors iptables/nftables firewall logs for port scans
filenames:
- ${kernel_log_path}
- /var/log/firewall.log
labels:
type: syslog
EOF
# Ensure iptables collection is installed
cscli collections install crowdsecurity/iptables 2>/dev/null || true
else
rm -f "$ACQUIS_DIR/openwrt-firewall.yaml"
fi
# Generate SSH/auth acquisition config
if [ "$ssh_enabled" = "1" ]; then
echo "Configuring SSH/auth log acquisition..."
# SSH logs typically go to syslog on OpenWrt
# The syslog acquisition will capture them
# Just ensure the linux collection is installed for SSH scenarios
cscli collections install crowdsecurity/linux 2>/dev/null || true
fi
# Generate HTTP acquisition config (disabled by default)
if [ "$http_enabled" = "1" ]; then
echo "Configuring HTTP log acquisition..."
cat > "$ACQUIS_DIR/openwrt-http.yaml" << EOF
# OpenWrt HTTP Server Logs Acquisition
# Auto-generated by crowdsec.defaults
filenames:
- /var/log/uhttpd/access.log
- /var/log/nginx/access.log
labels:
type: syslog
EOF
else
rm -f "$ACQUIS_DIR/openwrt-http.yaml"
fi
}
# Configure syslog service acquisition (if CrowdSec acts as syslog server)
configure_syslog_service() {
local listen_addr
local listen_port
listen_addr=$(get_uci_value "acquisition" "syslog_listen_addr" "127.0.0.1")
listen_port=$(get_uci_value "acquisition" "syslog_listen_port" "10514")
# Only create syslog service config if non-default port is configured
if [ "$listen_port" != "10514" ] || [ "$listen_addr" != "127.0.0.1" ]; then
echo "Configuring syslog service acquisition..."
cat > "$ACQUIS_DIR/syslog-service.yaml" << EOF
# Syslog Service Acquisition
# Auto-generated by crowdsec.defaults
# CrowdSec acts as a syslog server to receive logs
source: syslog
listen_addr: ${listen_addr}
listen_port: ${listen_port}
labels:
type: syslog
EOF
fi
}
# Detect and configure OpenWrt-specific log sources
detect_openwrt_logs() {
echo "Detecting OpenWrt log sources..."
# Check if syslog-ng is installed and configured
if [ -f /etc/syslog-ng.conf ]; then
echo "syslog-ng detected"
fi
# Check if rsyslog is configured
if [ -f /etc/rsyslog.conf ]; then
echo "rsyslog detected"
fi
# Check if log_file is configured in OpenWrt system config
local log_file
log_file=$(uci -q get system.@system[0].log_file)
if [ -n "$log_file" ]; then
echo "OpenWrt log_file configured: $log_file"
# Update syslog path in UCI
uci set crowdsec.acquisition.syslog_path="$log_file"
uci commit crowdsec
fi
# Check for Dropbear (SSH server)
if [ -f /etc/init.d/dropbear ]; then
echo "Dropbear SSH server detected"
fi
# Check for firewall (fw3 or fw4)
if [ -f /etc/init.d/firewall ]; then
echo "OpenWrt firewall detected"
fi
}
# Main execution
main() {
echo "=========================================="
echo "CrowdSec Configuration - First Boot Setup"
echo "=========================================="
# Setup paths and directories
setup_paths
# Create machine-id
setup_machine_id
# Register with LAPI
register_lapi
# Register with CAPI
register_capi
# Update Hub index
update_hub
# Install Hub collections and parsers
install_hub_items
# Detect OpenWrt log sources
detect_openwrt_logs
# Generate acquisition configuration
generate_acquisition_config
# Configure syslog service if needed
configure_syslog_service
echo "=========================================="
echo "CrowdSec configuration complete!"
echo "=========================================="
echo ""
echo "Next steps:"
echo " 1. Enable and start CrowdSec: /etc/init.d/crowdsec enable && /etc/init.d/crowdsec start"
echo " 2. Check acquisition status: cscli metrics show acquisition"
echo " 3. View decisions: cscli decisions list"
echo ""
}
# Run main function
main
exit 0


@ -1,44 +0,0 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2021-2022 Gerald Kerma <gandalf@gk2.net>
START=99
USE_PROCD=1
NAME=crowdsec
PROG=/usr/bin/crowdsec
CONFIG=/etc/crowdsec/config.yaml
RUNCONFDIR=/srv/crowdsec/data
VARCONFIGDIR=/var/etc/crowdsec
VARCONFIG=/var/etc/crowdsec/config.yaml
service_triggers() {
procd_add_reload_trigger crowdsec
}
init_config() {
config_load crowdsec
config_get data_dir crowdsec data_dir "${RUNCONFDIR}"
config_get db_path crowdsec db_path "${RUNCONFDIR}/crowdsec.db"
# Create tmp dir & permissions if needed
if [ ! -d "${VARCONFIGDIR}" ]; then
mkdir -m 0755 -p "${VARCONFIGDIR}"
fi;
cp $CONFIG $VARCONFIG
sed -i "s,^\(\s*data_dir\s*:\s*\).*\$,\1$data_dir," $VARCONFIG
sed -i "s,^\(\s*db_path\s*:\s*\).*\$,\1$db_path," $VARCONFIG
# Create data dir & permissions if needed
if [ ! -d "${RUNCONFDIR}" ]; then
mkdir -m 0755 -p "${RUNCONFDIR}"
fi;
}
start_service() {
init_config
procd_open_instance
procd_set_param command "$PROG" -c "$VARCONFIG"
procd_close_instance
}


@ -1,20 +0,0 @@
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -8,7 +8,7 @@ common:
log_max_files: 10
config_paths:
config_dir: /etc/crowdsec/
- data_dir: /var/lib/crowdsec/data/
+ data_dir: /srv/crowdsec/data/
simulation_path: /etc/crowdsec/simulation.yaml
hub_dir: /etc/crowdsec/hub/
index_path: /etc/crowdsec/hub/.index.json
@@ -25,7 +25,7 @@ cscli:
db_config:
log_level: info
type: sqlite
- db_path: /var/lib/crowdsec/data/crowdsec.db
+ db_path: /srv/crowdsec/data/crowdsec.db
#max_open_conns: 100
#user:
#password:


@ -1,19 +0,0 @@
--- a/go.mod
+++ b/go.mod
@@ -257,3 +257,13 @@ replace golang.org/x/time => github.com/crowdsecurity/time v0.13.0-crowdsec.2025
-replace golang.org/x/time => github.com/crowdsecurity/time v0.13.0-crowdsec.20250912
-
-replace github.com/corazawaf/coraza/v3 => github.com/crowdsecurity/coraza/v3 v3.3.3-crowdsec.20251113
+replace golang.org/x/time => ./secubox-vendor/github.com/crowdsecurity/time
+
+replace github.com/corazawaf/coraza/v3 => github.com/crowdsecurity/coraza/v3 v3.3.3-crowdsec.20251113
+replace github.com/crowdsecurity/go-cs-lib => ./secubox-vendor/github.com/crowdsecurity/go-cs-lib
+replace github.com/moby/moby/api => ./secubox-vendor/github.com/moby/moby/api
+replace github.com/moby/moby/client => ./secubox-vendor/github.com/moby/moby/client
+replace golang.org/x/crypto => ./secubox-vendor/golang.org/x/crypto
+replace golang.org/x/mod => ./secubox-vendor/golang.org/x/mod
+replace golang.org/x/net => ./secubox-vendor/golang.org/x/net
+replace golang.org/x/sync => ./secubox-vendor/golang.org/x/sync
+replace golang.org/x/sys => ./secubox-vendor/golang.org/x/sys
+replace golang.org/x/term => ./secubox-vendor/golang.org/x/term
+replace golang.org/x/text => ./secubox-vendor/golang.org/x/text


@ -1,6 +0,0 @@
--- a/go.mod
+++ b/go.mod
@@ -269,1 +269,3 @@
replace golang.org/x/text => ./secubox-vendor/golang.org/x/text
+replace golang.org/x/tools => ./secubox-vendor/golang.org/x/tools
+replace golang.org/x/telemetry => ./secubox-vendor/golang.org/x/telemetry


@ -1,439 +0,0 @@
# Netifyd 5.2.1 Build Instructions for SecuBox OpenWrt
## Overview
Complete build instructions for integrating official Netifyd 5.2.1 into SecuBox OpenWrt solution.
## Package Structure
```
package/secubox/secubox-app-netifyd/
├── Makefile # OpenWrt package Makefile
├── Config.in # Package configuration options
├── README.md # Package documentation
├── INTEGRATION.md # Integration guide
├── BUILD-INSTRUCTIONS.md # This file
├── test-build.sh # Automated build test script
├── files/
│ ├── netifyd.init # Init script (procd)
│ ├── netifyd.config # UCI configuration
│ └── functions.sh # Helper functions
└── patches/ # Patches (if needed)
```
## Prerequisites
### System Requirements
- **Build System:** x86_64 Linux (Ubuntu 20.04+ or Debian 11+ recommended)
- **Disk Space:** ~10 GB free
- **RAM:** 4 GB minimum, 8 GB recommended
- **Time:** ~30-60 minutes for full build
### Required Build Tools
```bash
# Ubuntu/Debian
sudo apt-get update
sudo apt-get install -y \
build-essential \
clang \
flex \
bison \
g++ \
gawk \
gcc-multilib \
gettext \
git \
libncurses5-dev \
libssl-dev \
python3-distutils \
rsync \
unzip \
zlib1g-dev \
file \
wget \
curl \
subversion \
time \
libelf-dev
```
## Quick Start
### Option 1: Automated Build Test
```bash
cd /path/to/secubox-openwrt/package/secubox/secubox-app-netifyd
./test-build.sh
```
This script will:
1. Check dependencies
2. Update feeds
3. Download source
4. Build package
5. Verify package contents
### Option 2: Manual Build
```bash
# 1. Navigate to OpenWrt root
cd /path/to/secubox-openwrt
# 2. Update feeds
./scripts/feeds update -a
./scripts/feeds install -a
# 3. Configure build
make menuconfig
# Navigate to: Network > netifyd
# Select: <*> netifyd
# Also select SecuBox components:
# SecuBox > <*> luci-app-secubox-netifyd
# 4. Download source
make package/secubox/secubox-app-netifyd/download V=s
# 5. Build package
make package/secubox/secubox-app-netifyd/compile V=s
# 6. Build LuCI app
make package/secubox/luci-app-secubox-netifyd/compile V=s
```
## Detailed Build Process
### Step 1: Prepare Build Environment
```bash
# Clone SecuBox OpenWrt (if not already done)
git clone https://github.com/your-repo/secubox-openwrt.git
cd secubox-openwrt
# Initialize and update feeds
./scripts/feeds update -a
./scripts/feeds install -a
```
### Step 2: Configure Package
```bash
# Run menuconfig
make menuconfig
# Navigate through menus:
# 1. Target System: (select your hardware)
# 2. Subtarget: (select your hardware variant)
# 3. Target Profile: (select your device)
#
# 4. Network >
# <*> netifyd
# [ ] Enable local flow export (optional)
# [ ] Enable plugin support (optional)
# [*] Auto-start on boot (recommended)
#
# 5. SecuBox >
# <*> secubox-core
# <*> luci-app-secubox-netifyd
#
# 6. Save and exit
```
### Step 3: Build
```bash
# Download all sources
make download V=s
# Build toolchain (first time only, takes ~30 minutes)
make toolchain/compile V=s
# Build netifyd package
make package/secubox/secubox-app-netifyd/compile V=s
# Build LuCI app
make package/secubox/luci-app-secubox-netifyd/compile V=s
# Or build everything at once
make V=s j=$(nproc)
```
### Step 4: Locate Built Packages
```bash
# Packages will be in:
find bin/packages -name "netifyd*.ipk"
find bin/packages -name "luci-app-secubox-netifyd*.ipk"
# Example output:
# bin/packages/aarch64_cortex-a53/secubox/netifyd_5.2.1-1_aarch64_cortex-a53.ipk
# bin/packages/aarch64_cortex-a53/secubox/luci-app-secubox-netifyd_1.0.1-1_all.ipk
```
## Installation on Device
### Transfer Packages
```bash
# Find device IP (usually 192.168.1.1 or 192.168.8.1)
DEVICE_IP="192.168.1.1"
# Copy packages
scp bin/packages/*/secubox/netifyd_*.ipk root@$DEVICE_IP:/tmp/
scp bin/packages/*/secubox/luci-app-secubox-netifyd_*.ipk root@$DEVICE_IP:/tmp/
```
### Install on Device
```bash
# SSH to device
ssh root@$DEVICE_IP
# On device:
# Update package list
opkg update
# Install netifyd (will install dependencies automatically)
opkg install /tmp/netifyd_*.ipk
# Install LuCI app
opkg install /tmp/luci-app-secubox-netifyd_*.ipk
# Start services
/etc/init.d/netifyd start
/etc/init.d/netifyd enable
/etc/init.d/rpcd reload
# Verify
netifyd -s
```
## Verification
### 1. Check Service Status
```bash
# On device:
/etc/init.d/netifyd status
ps | grep netifyd
netifyd -s
```
Expected output:
```
Netify Agent/5.2.1 (openwrt; aarch64; conntrack; netlink; ...)
✓ agent is running.
• agent timestamp: [current date/time]
• agent uptime: 0d 00:XX:XX
✓ active flows: XX
...
```
### 2. Check Data Files
```bash
# Status file should exist
cat /var/run/netifyd/status.json | jq .
# Socket should exist
ls -la /var/run/netifyd/netifyd.sock
# Should show: srwxr-xr-x 1 root root 0 ... netifyd.sock
```
### 3. Test RPCD Backend
```bash
# List available methods
ubus list | grep netifyd
# Test a call
ubus call luci.secubox-netifyd get_service_status
# Should return JSON with status information
```
### 4. Access Web Interface
```bash
# Open browser to:
http://[device-ip]/cgi-bin/luci/admin/secubox/netifyd/dashboard
# Navigate to: Services > Netifyd Dashboard
# Should see:
# - Service status (running/stopped)
# - Active flows count
# - Detected devices
# - Network statistics
```
## Troubleshooting Build Issues
### Issue: Download Fails
```bash
# Check download URL
curl -I https://download.netify.ai/source/netifyd-5.2.1.tar.gz
# If fails, update PKG_SOURCE_URL in Makefile
# Or download manually:
cd dl/
wget https://download.netify.ai/source/netifyd-5.2.1.tar.gz
cd ..
```
### Issue: Compilation Errors
```bash
# Clean and retry
make package/secubox/secubox-app-netifyd/clean
make package/secubox/secubox-app-netifyd/compile V=s 2>&1 | tee build.log
# Check build.log for errors
# Common fixes:
# 1. Missing dependencies - install via package manager
# 2. Toolchain issues - rebuild toolchain
# 3. Patch failures - check patches/ directory
```
### Issue: Missing Dependencies on Device
```bash
# On device, check what's missing:
opkg install /tmp/netifyd_*.ipk
# If dependencies missing, install them:
opkg update
opkg install libcurl libmnl libnetfilter-conntrack libpcap zlib libpthread
# Then retry netifyd install
```
## Build Customization
### Minimal Build (Smallest Size)
Edit `Makefile` CONFIGURE_ARGS:
```makefile
CONFIGURE_ARGS += \
--enable-lean-and-mean \
--disable-plugins \
--disable-sink-plugins \
--disable-libtcmalloc \
--disable-jemalloc
```
### Debug Build
Edit `Makefile` CONFIGURE_ARGS:
```makefile
CONFIGURE_ARGS += \
--enable-debug \
--enable-debug-ether-type \
--enable-debug-ndpi
TARGET_CFLAGS += -g -O0
```
### Custom Features
In `make menuconfig`:
```
Network > netifyd >
[*] Enable local flow export
[*] Enable plugin support
[*] Enable sink plugins
[ ] Enable debug output
```
## Build for Multiple Architectures
```bash
# Build for different targets
TARGET_ARCHS="aarch64_cortex-a53 arm_cortex-a9 x86_64"
for arch in $TARGET_ARCHS; do
echo "Building for $arch..."
make clean
# Set target in menuconfig first
make package/secubox/secubox-app-netifyd/compile V=s
mkdir -p releases/$arch
cp bin/packages/*/secubox/netifyd_*.ipk releases/$arch/
done
```
## Creating Release Packages
```bash
# Build all packages
make package/secubox/secubox-app-netifyd/compile V=s
make package/secubox/luci-app-secubox-netifyd/compile V=s
# Create release directory
mkdir -p releases/v5.2.1/
# Copy packages
cp bin/packages/*/secubox/netifyd_*.ipk releases/v5.2.1/
cp bin/packages/*/secubox/luci-app-secubox-netifyd_*.ipk releases/v5.2.1/
# Create checksums
cd releases/v5.2.1/
sha256sum *.ipk > SHA256SUMS
cd ../..
# Create tarball
tar czf secubox-netifyd-5.2.1-release.tar.gz releases/v5.2.1/
```
## Continuous Integration
Example GitHub Actions workflow:
```yaml
name: Build Netifyd Package
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y build-essential ...
- name: Build package
run: |
cd package/secubox/secubox-app-netifyd
./test-build.sh
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
name: netifyd-packages
path: bin/packages/*/secubox/*.ipk
```
## Next Steps
After successful build and installation:
1. **Configuration:** Follow [README.md](README.md) for configuration options
2. **Integration:** See [INTEGRATION.md](INTEGRATION.md) for SecuBox integration
3. **Testing:** Run tests from [test-build.sh](test-build.sh)
4. **Documentation:** Read [README-FLOW-DATA.md](../luci-app-secubox-netifyd/README-FLOW-DATA.md) for flow data setup
## Support
- **Build Issues:** Check `build.log` and OpenWrt forums
- **Package Issues:** https://github.com/your-repo/issues
- **Netifyd Issues:** https://github.com/eglooca/netifyd/issues
- **OpenWrt Docs:** https://openwrt.org/docs/
## License
GPL-3.0-or-later (same as upstream netifyd)


@ -1,114 +0,0 @@
# Building Netifyd with OpenWrt Buildroot
## Overview
Netifyd **requires full OpenWrt buildroot** for building because it needs system libraries that are not available in the SDK.
## Automatic Build (Recommended)
The local-build.sh script automatically detects netifyd and uses OpenWrt buildroot:
```bash
./secubox-tools/local-build.sh build netifyd
```
This will:
1. Download OpenWrt 24.10.5 source (~500 MB)
2. Setup feeds
3. Copy SecuBox packages
4. Install netifyd from SecuBox feed
5. Configure and build netifyd
**Build time:**
- First build: 15-30 minutes (downloads toolchain, builds dependencies)
- Subsequent builds: 2-5 minutes (incremental)
## What Gets Built
The buildroot provides all required dependencies:
- `libmnl` - Minimal Netlink library
- `libnetfilter-conntrack` - Connection tracking
- `libpcap` - Packet capture
- `libjson-c` - JSON parsing
- `libcurl` - HTTP client
- Kernel modules: nf_conntrack, nfnetlink, etc.
## Output
After successful build:
```bash
# Package location
./build/x86-64/netifyd_5.2.1-1_x86_64.ipk
# Also findable at
./openwrt/bin/packages/x86_64/secubox/netifyd_5.2.1-1_x86_64.ipk
```
## Manual Build
If you prefer manual control:
```bash
cd openwrt/
# Configure
make menuconfig
# Select: Network > netifyd
# Build
make package/netifyd/compile V=s
```
## Why Not SDK?
The SDK cannot build netifyd because:
- SDK only includes application-level library stubs
- Netifyd needs kernel-level libraries (libmnl, libnetfilter-conntrack)
- These libraries must be compiled against the target system
- Only full buildroot provides the complete dependency chain
## Troubleshooting
### Issue: Build fails with "libmnl not found"
**Cause:** Using SDK instead of buildroot
**Fix:** The script should auto-detect and use buildroot. If not:
```bash
# Ensure you're using the build command, not compiling directly in SDK
./secubox-tools/local-build.sh build netifyd
```
### Issue: Build takes too long
**Normal:** First build downloads toolchain and compiles base libraries (15-30 min)
**Speed up:** Use faster machine or pre-compiled SDK for dependencies
### Issue: Out of disk space
**Cause:** OpenWrt buildroot needs ~10 GB
**Fix:** Free up space or use different build directory:
```bash
OPENWRT_DIR=/path/to/large/disk/openwrt ./secubox-tools/local-build.sh build netifyd
```
## Comparison: SDK vs Buildroot
| Feature | SDK | Buildroot |
|---------|-----|-----------|
| Size | ~300 MB | ~2 GB |
| Build time | Fast (2-5 min) | Slow first time (15-30 min) |
| Can build apps | ✅ Yes | ✅ Yes |
| Can build system daemons | ❌ No | ✅ Yes |
| Kernel libraries | ❌ No | ✅ Yes |
| Full dependency tree | ❌ No | ✅ Yes |
Netifyd needs: **Buildroot**
## See Also
- [BUILD-INSTRUCTIONS.md](BUILD-INSTRUCTIONS.md) - Detailed build instructions
- [SDK-LIMITATION.md](SDK-LIMITATION.md) - Why SDK doesn't work
- [INTEGRATION.md](INTEGRATION.md) - Integration with SecuBox


@ -1,42 +0,0 @@
menu "Configuration"
depends on PACKAGE_netifyd
config NETIFYD_WITH_LOCAL_EXPORT
bool "Enable local flow export"
default n
help
Enable local JSON export of flow data.
This allows the Netify Agent to write flow data to a local file
for consumption by other applications like luci-app-secubox-netifyd.
config NETIFYD_WITH_PLUGINS
bool "Enable plugin support"
default n
help
Enable plugin support for extending Netify Agent functionality.
Plugins allow custom processing of flow data and integration
with external systems.
config NETIFYD_SINK_PLUGINS
bool "Enable sink plugins"
depends on NETIFYD_WITH_PLUGINS
default n
help
Enable sink plugin support for custom data export backends.
Allows writing flow data to databases, message queues, etc.
config NETIFYD_WITH_DEBUG
bool "Enable debug output"
default n
help
Enable verbose debug logging. Useful for troubleshooting
but increases log verbosity significantly.
config NETIFYD_AUTOSTART
bool "Auto-start on boot"
default y
help
Automatically start Netify Agent when the system boots.
Can be disabled if you want manual control.
endmenu


@ -1,342 +0,0 @@
# Netifyd 5.2.1 SecuBox Integration Guide
## Quick Integration Steps
### 1. Build Both Packages
```bash
# From SecuBox OpenWrt root
cd /path/to/secubox-openwrt
# Build netifyd
make package/secubox/secubox-app-netifyd/compile V=s
# Build LuCI app
make package/secubox/luci-app-secubox-netifyd/compile V=s
```
### 2. Install on Device
```bash
# Copy packages to device
scp bin/packages/*/secubox/netifyd_5.2.1-*.ipk root@192.168.1.1:/tmp/
scp bin/packages/*/secubox/luci-app-secubox-netifyd_*.ipk root@192.168.1.1:/tmp/
# On device
opkg update
opkg install /tmp/netifyd_5.2.1-*.ipk
opkg install /tmp/luci-app-secubox-netifyd_*.ipk
```
### 3. Configure and Start
```bash
# On device
# Start netifyd
/etc/init.d/netifyd start
/etc/init.d/netifyd enable
# Reload LuCI RPCD
/etc/init.d/rpcd reload
# Clear browser cache and access web interface
# Navigate to: Services > Netifyd Dashboard
```
## Integration Points
### 1. LuCI App Integration
The `luci-app-secubox-netifyd` package integrates with netifyd through:
- **RPCD Backend:** `/usr/libexec/rpcd/luci.secubox-netifyd`
- Reads from `/var/run/netifyd/status.json`
- Provides API for dashboard data
- **Web Interface:** `/usr/share/luci/menu.d/`
- Dashboard, flows, devices, applications views
- Real-time statistics
- Service control
### 2. Data Flow
```
netifyd service
/var/run/netifyd/status.json (status data)
/var/run/netifyd/netifyd.sock (Unix socket)
RPCD Backend (luci.secubox-netifyd)
LuCI Web Interface
User Browser
```
### 3. Configuration Files
**Netifyd:**
- `/etc/config/netifyd` - UCI configuration
- `/etc/netifyd.conf` - Netifyd native config
- `/etc/netify.d/` - Persistent data directory
**LuCI App:**
- `/etc/config/secubox-netifyd` - Dashboard settings
- Socket configuration (TCP/Unix)
- Analytics settings
## Dependencies
### Required by netifyd
```
+libcurl +libmnl +libnetfilter-conntrack +libpcap
+zlib +libpthread +libstdcpp +libjson-c +ca-bundle
```
### Required by luci-app-secubox-netifyd
```
+luci-base +rpcd +netifyd +jq +secubox-core
```
## Testing Integration
### 1. Verify Netifyd is Running
```bash
# Check service status
/etc/init.d/netifyd status
# Check netifyd process
ps | grep netifyd
# View netifyd status
netifyd -s
```
### 2. Verify Data Files
```bash
# Check status file
cat /var/run/netifyd/status.json | jq .
# Check socket
ls -la /var/run/netifyd/netifyd.sock
# Check PID file
cat /var/run/netifyd/netifyd.pid
```
### 3. Test RPCD Backend
```bash
# Test RPC calls
ubus list | grep netifyd
# Get service status
ubus call luci.secubox-netifyd get_service_status
# Get dashboard data
ubus call luci.secubox-netifyd get_dashboard
# Get detected devices
ubus call luci.secubox-netifyd get_detected_devices
```
### 4. Test Web Interface
```bash
# Access LuCI
http://192.168.1.1/cgi-bin/luci/admin/secubox/netifyd/dashboard
# Check for JavaScript errors in browser console
# Verify data is loading
```
## Troubleshooting Integration
### Issue: LuCI Dashboard Shows No Data
**Cause:** Netifyd not running or no status file
**Solution:**
```bash
# Start netifyd
/etc/init.d/netifyd start
# Wait a few seconds
sleep 5
# Check status file
cat /var/run/netifyd/status.json
# Reload page
```
### Issue: RPCD Calls Fail
**Cause:** ACL permissions not set
**Solution:**
```bash
# Reload RPCD
/etc/init.d/rpcd reload
# Check ACL file
cat /usr/share/rpcd/acl.d/luci-app-secubox-netifyd.json
# Clear browser cache
```
### Issue: Service Won't Start
**Cause:** Interface configuration issues
**Solution:**
```bash
# Enable auto-detection
uci set netifyd.default.autoconfig='1'
uci commit netifyd
# Or configure manually
uci add_list netifyd.default.internal_if='br-lan'
uci add_list netifyd.default.external_if='br-wan'
uci commit netifyd
# Restart
/etc/init.d/netifyd restart
```
## Advanced Integration
### Custom Data Export
To export flow data for custom processing:
```bash
# Enable local JSON export in netifyd
uci add_list netifyd.default.options='-j /tmp/netifyd-flows.json'
uci commit netifyd
/etc/init.d/netifyd restart
# Configure LuCI app to read from file
uci set secubox-netifyd.settings.flow_export='/tmp/netifyd-flows.json'
uci commit secubox-netifyd
```
### Cloud Integration
```bash
# Enable cloud sink
netifyd --enable-sink
# Check sink status
netifyd -s | grep sink
# Agent UUID (for cloud dashboard)
netifyd -p
```
### API Integration
Example: Read data from RPCD backend in custom script:
```bash
#!/bin/sh
# Get dashboard data
DATA=$(ubus call luci.secubox-netifyd get_dashboard)
# Parse with jq
FLOWS=$(echo "$DATA" | jq -r '.stats.active_flows')
DEVICES=$(echo "$DATA" | jq -r '.stats.unique_devices')
echo "Active Flows: $FLOWS"
echo "Devices: $DEVICES"
```
## Upgrade Path
### Upgrading Netifyd
```bash
# Build new version
make package/secubox/secubox-app-netifyd/clean
make package/secubox/secubox-app-netifyd/compile V=s
# Install on device
opkg remove netifyd
opkg install /tmp/netifyd_*.ipk
# Configuration is preserved
/etc/init.d/netifyd start
```
### Upgrading LuCI App
```bash
# Build new version
make package/secubox/luci-app-secubox-netifyd/clean
make package/secubox/luci-app-secubox-netifyd/compile V=s
# Install on device
opkg upgrade /tmp/luci-app-secubox-netifyd_*.ipk
# Reload services
/etc/init.d/rpcd reload
/etc/init.d/uhttpd reload
```
## Performance Considerations
### Resource Usage
Typical resource usage on embedded device:
- **CPU:** 0.5-2% (idle), 5-10% (active traffic)
- **Memory:** 20-40 MB RSS
- **Disk:** < 1 MB for package, ~2-5 MB for runtime data
### Tuning for Low-End Devices
```bash
# Reduce threads
uci add_list netifyd.default.options='--thread-detection-cores=1'
uci add_list netifyd.default.options='-t'
# Lower limits in /etc/netifyd.conf:
# flow-max = 5000
# flow-expiry = 60
```
### Tuning for High-Traffic Networks
```bash
# Increase threads
uci add_list netifyd.default.options='--thread-detection-cores=4'
# Higher limits in /etc/netifyd.conf:
# flow-max = 65536
# flow-expiry = 300
```
## Security Considerations
1. **Packet Capture:** Netifyd requires root privileges for packet capture
2. **Data Privacy:** Flow metadata includes IP addresses, ports, protocols
3. **Cloud Sync:** Optional - can be disabled if data privacy is a concern
4. **Local Access:** Unix socket is accessible by root only
5. **Web Interface:** Protected by LuCI authentication
## Support and Documentation
- **Package Issues:** https://github.com/your-repo/issues
- **Netifyd Upstream:** https://github.com/eglooca/netifyd
- **Netify.ai Docs:** https://www.netify.ai/resources
- **OpenWrt Wiki:** https://openwrt.org/
## License
- Netifyd: GPL-3.0-or-later
- LuCI App: MIT
- Integration Code: MIT


@ -1,143 +0,0 @@
#
# Copyright (C) 2016-2025 eGloo Incorporated
# Copyright (C) 2025 CyberMind.fr (SecuBox Integration)
#
# This is free software, licensed under the GNU General Public License v2.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=netifyd
PKG_VERSION:=5.2.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://download.netify.ai/source/
PKG_HASH:=a353e957be5ef2bd18a2e65b7b3a4d9d8c1728db5d78d4dae69ec8fea486a0a7
PKG_MAINTAINER:=CyberMind <contact@cybermind.fr>
PKG_LICENSE:=GPL-3.0-or-later
PKG_LICENSE_FILES:=LICENSE
PKG_CPE_ID:=cpe:/a:netify:netifyd
PKG_FIXUP:=autoreconf
PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1
PKG_BUILD_DEPENDS:=libpcap
include $(INCLUDE_DIR)/package.mk
define Package/netifyd
SECTION:=net
CATEGORY:=Network
TITLE:=Netify Agent - Deep Packet Inspection
URL:=https://www.netify.ai/
DEPENDS:=+ca-bundle +libcurl +libmnl +libnetfilter-conntrack +libnetfilter-queue +libpcap +zlib +libpthread +libstdcpp +libjson-c +libatomic
# Optional: +ipt-conntrack-extra +libnl-tiny
endef
define Package/netifyd/description
The Netify Agent is a deep-packet inspection server which detects network
protocols and applications. These detections can be saved locally, served over
a UNIX or TCP socket, and/or "pushed" (via HTTP POSTs) to a remote third-party
server. Flow metadata, network statistics, and detection classifications are
JSON encoded for easy consumption by third-party applications.
endef
define Package/netifyd/conffiles
/etc/netifyd.conf
/etc/config/netifyd
endef
TARGET_CFLAGS += -ffunction-sections -fdata-sections -fno-caller-saves
TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
CONFIGURE_ARGS += \
--enable-lean-and-mean \
--disable-libtcmalloc \
--disable-jemalloc \
--without-systemdsystemunitdir \
--without-tmpfilesdir \
--with-persistentstatedir=/etc/netify.d \
--with-volatilestatedir=/var/run/netifyd
# Netifyd feature configuration
CONFIGURE_ARGS += \
--enable-conntrack \
--enable-netlink \
--enable-inotify \
$(if $(CONFIG_LIBCURL_ZLIB),--with-libcurl-zlib) \
$(if $(CONFIG_LIBCURL_MBEDTLS),--with-libcurl-mbedtls) \
$(if $(CONFIG_LIBCURL_OPENSSL),--with-libcurl-openssl) \
$(if $(CONFIG_LIBCURL_WOLFSSL),--with-libcurl-wolfssl)
# Optional features (disable for minimal build)
CONFIGURE_ARGS += \
--disable-plugins \
--disable-sink-plugins
# Enable for debugging
# CONFIGURE_ARGS += --enable-debug --enable-debug-ether-type --enable-debug-ndpi
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include/netifyd
$(CP) $(PKG_INSTALL_DIR)/usr/include/netifyd/*.h $(1)/usr/include/netifyd/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnetifyd.{a,so*} $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libnetifyd.pc $(1)/usr/lib/pkgconfig/
endef
define Package/netifyd/install
$(INSTALL_DIR) $(1)/etc
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/netifyd.conf $(1)/etc
$(INSTALL_DIR) $(1)/etc/netifyd.d
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/netifyd.d/*.json $(1)/etc/netifyd.d/ 2>/dev/null || true
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/netifyd.config $(1)/etc/config/netifyd
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/netifyd.init $(1)/etc/init.d/netifyd
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/netifyd $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnetifyd.so.* $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/share/netifyd
$(INSTALL_BIN) ./files/functions.sh $(1)/usr/share/netifyd/
$(INSTALL_DIR) $(1)/etc/netify.d
# Install plugins if they exist
if [ -d "$(PKG_INSTALL_DIR)/usr/lib/netifyd" ]; then \
$(INSTALL_DIR) $(1)/usr/lib/netifyd; \
$(CP) $(PKG_INSTALL_DIR)/usr/lib/netifyd/*.so* $(1)/usr/lib/netifyd/ 2>/dev/null || true; \
fi
endef
define Package/netifyd/postinst
#!/bin/sh
[ -n "$${IPKG_INSTROOT}" ] || {
/etc/init.d/netifyd enable
mkdir -p /var/run/netifyd
# Don't auto-start, let user configure first
echo "Netifyd installed. Configure /etc/config/netifyd and start with: /etc/init.d/netifyd start"
}
exit 0
endef
define Package/netifyd/prerm
#!/bin/sh
[ -n "$${IPKG_INSTROOT}" ] || {
/etc/init.d/netifyd stop
/etc/init.d/netifyd disable
}
exit 0
endef
$(eval $(call BuildPackage,netifyd))


@ -1,435 +0,0 @@
# Netifyd 5.2.1 for OpenWrt / SecuBox
Complete OpenWrt package for Netify Agent (netifyd) version 5.2.1 - Deep Packet Inspection engine.
## Overview
This package provides the latest official Netify Agent compiled for OpenWrt/SecuBox with full integration support.
### Features
- **Deep Packet Inspection (DPI)** - Detects 300+ protocols and applications
- **Flow Classification** - Real-time network flow analysis
- **Protocol Detection** - Identifies HTTP, HTTPS, SSH, DNS, BitTorrent, etc.
- **Application Detection** - Recognizes specific applications (YouTube, Netflix, WhatsApp, etc.)
- **Device Tracking** - Monitors all devices on the network
- **Cloud Integration** - Optional upload to Netify.ai cloud for analytics
- **Local Export** - Can export data locally for custom processing
- **Low Resource Usage** - Optimized "lean and mean" build for embedded systems
### Version Information
- **Netifyd Version:** 5.2.1 (Latest Official Release)
- **Source:** https://download.netify.ai/source/netifyd-5.2.1.tar.gz
- **License:** GPL-3.0-or-later
- **Maintainer:** CyberMind <contact@cybermind.fr>
## Installation
### Prerequisites
Required dependencies are automatically installed:
- libcurl
- libmnl
- libnetfilter-conntrack
- libpcap
- zlib
- libpthread
- libstdcpp
- libjson-c
- ca-bundle
### Building from Source
```bash
# From OpenWrt buildroot
cd /path/to/secubox-openwrt
# Select package
make menuconfig
# Navigate to: Network > netifyd
# Select: <M> or <*>
# Build package
make package/secubox/secubox-app-netifyd/compile V=s
# Package will be in: bin/packages/*/secubox/netifyd_5.2.1-1_*.ipk
```
### Installing on Device
```bash
# Copy package to device
scp netifyd_5.2.1-1_*.ipk root@192.168.1.1:/tmp/
# On device
opkg install /tmp/netifyd_5.2.1-1_*.ipk
```
## Configuration
### Quick Start
```bash
# Edit configuration
vi /etc/config/netifyd
# Enable auto-configuration (recommended)
uci set netifyd.default.enabled='1'
uci set netifyd.default.autoconfig='1'
uci commit netifyd
# Start service
/etc/init.d/netifyd start
/etc/init.d/netifyd enable
# Check status
netifyd -s
```
### Manual Interface Configuration
If auto-detection doesn't work, configure interfaces manually:
```bash
# Configure internal (LAN) interface
uci add_list netifyd.default.internal_if='br-lan'
# Configure external (WAN) interface
uci add_list netifyd.default.external_if='br-wan'
# Commit and restart
uci commit netifyd
/etc/init.d/netifyd restart
```
### Advanced Configuration
Edit `/etc/netifyd.conf` for advanced settings:
```ini
[netifyd]
# Enable/disable features
enable-conntrack = yes
enable-netlink = yes
# Socket configuration
socket-host = 127.0.0.1
socket-port = 7150
# Flow settings
flow-expiry = 180
flow-max = 65536
# Sink configuration (cloud upload)
sink-url = https://sink.netify.ai/
```
### Configuration Options
In `/etc/config/netifyd`:
```
config netifyd 'default'
option enabled '1'
option autoconfig '1'
# Additional options:
list options '-t' # Disable conntrack thread
list options '--thread-detection-cores=2' # Set DPI cores
list options '-j /tmp/netifyd-flows.json' # Local JSON export
list options '-v' # Verbose logging
# Manual interfaces:
list internal_if 'br-lan'
list external_if 'br-wan'
```
## Usage
### Command Line
```bash
# Show version and features
netifyd -V
# Show running status
netifyd -s
# Show agent UUID
netifyd -p
# Test configuration
netifyd -t
# Enable cloud sink
netifyd --enable-sink
# Disable cloud sink
netifyd --disable-sink
```
### Service Control
```bash
# Start service
/etc/init.d/netifyd start
# Stop service
/etc/init.d/netifyd stop
# Restart service
/etc/init.d/netifyd restart
# Check status
/etc/init.d/netifyd status
# Enable auto-start
/etc/init.d/netifyd enable
# Disable auto-start
/etc/init.d/netifyd disable
```
### Monitoring
```bash
# View status JSON
cat /var/run/netifyd/status.json | jq .
# Check running process
ps | grep netifyd
# View logs
logread | grep netifyd
# Check socket
ls -la /var/run/netifyd/
```
## Integration with SecuBox
This package integrates seamlessly with `luci-app-secubox-netifyd`:
```bash
# Install both packages
opkg install netifyd luci-app-secubox-netifyd
# Access web interface
# Navigate to: Services > Netifyd Dashboard
```
## Data Export
### Cloud Export (Netify.ai)
```bash
# Enable cloud sink
netifyd --enable-sink
# Check sink status
netifyd -s | grep sink
# View data at: https://dashboard.netify.ai
```
### Local Export
```bash
# Configure local JSON export
uci add_list netifyd.default.options='-j /tmp/netifyd-flows.json'
uci commit netifyd
/etc/init.d/netifyd restart
# View local data
cat /tmp/netifyd-flows.json | jq .
```
### Socket Export
```bash
# Connect to Unix socket
socat - UNIX-CONNECT:/var/run/netifyd/netifyd.sock
# Or TCP socket (if enabled)
nc localhost 7150
```
## Troubleshooting
### Service Won't Start
```bash
# Check configuration
netifyd -t
# Check interfaces
ip link show
# Check kernel modules
lsmod | grep nf_conntrack
# View detailed logs
logread -f | grep netifyd &
/etc/init.d/netifyd start
```
### No Flow Data
```bash
# Verify netifyd is running
ps | grep netifyd
# Check status
netifyd -s
# Verify interfaces are up
ifconfig
# Check conntrack
cat /proc/net/nf_conntrack | wc -l
```
### High CPU/Memory Usage
```bash
# Reduce detection threads
uci add_list netifyd.default.options='--thread-detection-cores=1'
# Disable conntrack thread
uci add_list netifyd.default.options='-t'
# Limit max flows
# Edit /etc/netifyd.conf:
# flow-max = 10000
# Restart service
uci commit netifyd
/etc/init.d/netifyd restart
```
### Permission Issues
```bash
# Check directories
ls -la /var/run/netifyd/
ls -la /etc/netify.d/
# Fix permissions
chmod 755 /var/run/netifyd
chmod 755 /etc/netify.d
# Recreate directories if needed
rm -rf /var/run/netifyd
/etc/init.d/netifyd start
```
## Performance Tuning
### For Low-End Devices (< 256MB RAM)
```bash
# Minimal configuration
uci set netifyd.default.options='-t'
uci add_list netifyd.default.options='--thread-detection-cores=1'
# Edit /etc/netifyd.conf:
flow-max = 5000
flow-expiry = 60
```
### For High-End Devices (> 512MB RAM)
```bash
# Maximum performance
uci add_list netifyd.default.options='--thread-detection-cores=4'
# Edit /etc/netifyd.conf:
flow-max = 65536
flow-expiry = 300
```
## File Locations
- **Binary:** `/usr/sbin/netifyd`
- **Configuration:** `/etc/netifyd.conf`
- **UCI Config:** `/etc/config/netifyd`
- **Init Script:** `/etc/init.d/netifyd`
- **Runtime Data:** `/var/run/netifyd/`
- **Persistent Data:** `/etc/netify.d/`
- **Status File:** `/var/run/netifyd/status.json`
- **Socket:** `/var/run/netifyd/netifyd.sock`
## Build Options
### Compile-Time Options
In `make menuconfig`, configure:
```
Network > netifyd
[*] Enable local flow export
[ ] Enable plugin support
[ ] Enable sink plugins
[ ] Enable debug output
[*] Auto-start on boot
```
### Minimal Build
For smallest size, disable optional features:
```bash
# Edit Makefile CONFIGURE_ARGS:
--disable-plugins
--disable-sink-plugins
--enable-lean-and-mean
```
## Security Considerations
- Netifyd requires raw packet capture capabilities
- Runs as root by default (required for packet capture)
- Cloud sink transmits flow metadata to Netify.ai
- Local Unix socket has 755 permissions by default
- Consider firewall rules if exposing TCP socket
## Updates
To update to a newer version:
```bash
# Edit Makefile
PKG_VERSION:=5.x.x
PKG_HASH:=<new-hash>
# Rebuild
make package/secubox/secubox-app-netifyd/{clean,compile}
```
## Support
- **Netify.ai:** https://www.netify.ai/
- **Documentation:** https://www.netify.ai/resources
- **GitHub:** https://github.com/eglooca/netifyd
- **SecuBox Issues:** [Your repository]
## License
This package is licensed under GPL-3.0-or-later, same as upstream netifyd.
## Credits
- **Upstream:** eGloo Incorporated (Netify.ai)
- **OpenWrt Package:** CyberMind.fr (SecuBox Integration)
- **Original OpenWrt Package:** OpenWrt Packages Team
## Changelog
### 5.2.1-1 (2025-01-05)
- Updated to official netifyd 5.2.1
- Complete repackage for SecuBox integration
- Enhanced init script with auto-detection
- Improved configuration helpers
- Added comprehensive documentation
- Optimized for embedded systems


@ -1,78 +0,0 @@
# SDK Build Limitation for Netifyd
## Issue
Netifyd **cannot be built using the OpenWrt SDK** because it requires base system libraries that are not available in the SDK environment:
- `libmnl` (Minimal Netlink library)
- `libnetfilter-conntrack`
- `libpcap`
- `libjson-c`
- Various kernel modules
## Why This Happens
The OpenWrt SDK is designed for building **application packages** that depend on already-compiled system libraries. Net
ifyd is a **system-level daemon** with deep integration into the kernel networking stack, requiring libraries that must be compiled as part of the base system.
## Solution
### Build netifyd as part of firmware
```bash
# Build full SecuBox firmware with netifyd included
./secubox-tools/local-build.sh build-firmware mochabin
```
Netifyd will be automatically included in firmware builds as it's configured in the firmware package list.
### Alternative: Use Pre-Built Packages
If you need standalone `.ipk` files, build them from a full firmware build:
```bash
# After firmware build completes
find openwrt/bin/packages -name "netifyd*.ipk"
find openwrt/bin/packages -name "luci-app-secubox-netifyd*.ipk"
```
## Why SDK Builds Fail
When you try `./secubox-tools/local-build.sh build netifyd`, it fails with:
```
configure: error: Package requirements (libmnl >= 1.0.3) were not met
```
This is because:
1. SDK doesn't include kernel-level libraries
2. SDK can't compile these libraries (they require full buildroot)
3. Netifyd's configure script can't find the required dependencies
## Recommended Workflow
**For Development:**
- Build firmware with netifyd: `./secubox-tools/local-build.sh build-firmware x86-64`
- Extract netifyd IPK from `openwrt/bin/packages`
- Install on device for testing
**For Production:**
- Always include netifyd in firmware images
- Distributed as part of complete SecuBox firmware
## Technical Details
Netifyd requires these system components:
- **Kernel modules:** nf_conntrack, nfnetlink, etc.
- **System libraries:** Built against specific libc (musl/glibc)
- **Headers:** Kernel headers for netlink/conntrack
- **Build tools:** Full autotools, pkg-config with system library paths
The SDK provides none of these - it only provides a cross-compilation toolchain and application-level library stubs.
## See Also
- [BUILD-INSTRUCTIONS.md](BUILD-INSTRUCTIONS.md) - Full build instructions
- [INTEGRATION.md](INTEGRATION.md) - Integration with SecuBox
- OpenWrt docs on SDK limitations: https://openwrt.org/docs/guide-developer/toolchain/using_the_sdk


@ -1,150 +0,0 @@
#!/bin/sh
#
# Netifyd Helper Functions
# Copyright (C) 2016-2025 eGloo Incorporated
# Copyright (C) 2025 CyberMind.fr (SecuBox Integration)
#
# Load required kernel modules
load_modules() {
# Netfilter connection tracking
[ -d /sys/module/nf_conntrack ] || {
modprobe nf_conntrack 2>/dev/null || {
# Try older module name
modprobe ip_conntrack 2>/dev/null
}
}
# IPv6 connection tracking
[ -d /sys/module/nf_conntrack_ipv6 ] || {
modprobe nf_conntrack_ipv6 2>/dev/null
}
# Netfilter netlink
[ -d /sys/module/nfnetlink ] || {
modprobe nfnetlink 2>/dev/null
}
# Connection tracking netlink
[ -d /sys/module/nf_conntrack_netlink ] || {
modprobe nf_conntrack_netlink 2>/dev/null
}
return 0
}
# Check if netifyd is running
is_running() {
pidof netifyd >/dev/null 2>&1
return $?
}
# Get netifyd PID
get_pid() {
pidof netifyd
}
# Get netifyd version
get_version() {
netifyd -V 2>/dev/null | head -n1 | awk '{print $NF}'
}
# Get netifyd UUID
get_uuid() {
netifyd -p 2>/dev/null | tr -d '\n'
}
# Test network interface
test_interface() {
local iface="$1"
[ -z "$iface" ] && return 1
[ -d "/sys/class/net/$iface" ] && return 0
return 1
}
# Get interface list
get_interfaces() {
ls -1 /sys/class/net/ 2>/dev/null | grep -v "^lo$"
}
# Detect LAN interfaces
detect_lan_interfaces() {
local ifaces=""
# Common LAN interface names
for iface in br-lan eth0 lan0 eth0.1; do
test_interface "$iface" && {
ifaces="$ifaces $iface"
break
}
done
echo "$ifaces"
}
# Detect WAN interfaces
detect_wan_interfaces() {
local ifaces=""
# Common WAN interface names
for iface in br-wan eth1 wan eth0.2 ppp0 pppoe-wan; do
test_interface "$iface" && {
ifaces="$ifaces $iface"
break
}
done
echo "$ifaces"
}
# Auto-detect interfaces and build command line options
auto_detect_options() {
local options=""
# Detect LAN
local lan_ifaces=$(detect_lan_interfaces)
for iface in $lan_ifaces; do
options="$options -I $iface"
done
# Detect WAN
local wan_ifaces=$(detect_wan_interfaces)
for iface in $wan_ifaces; do
options="$options -E $iface"
done
echo "$options"
}
# Check if netifyd configuration is valid
check_config() {
local config_file="/etc/netifyd.conf"
[ ! -f "$config_file" ] && {
echo "Error: Configuration file not found: $config_file"
return 1
}
# Basic syntax check
grep -q "^\[" "$config_file" && return 0
echo "Warning: Configuration file may be invalid"
return 1
}
# Get interface statistics
get_interface_stats() {
local iface="$1"
[ -z "$iface" ] && return 1
[ ! -d "/sys/class/net/$iface" ] && return 1
local rx_bytes=$(cat "/sys/class/net/$iface/statistics/rx_bytes" 2>/dev/null || echo 0)
local tx_bytes=$(cat "/sys/class/net/$iface/statistics/tx_bytes" 2>/dev/null || echo 0)
local rx_packets=$(cat "/sys/class/net/$iface/statistics/rx_packets" 2>/dev/null || echo 0)
local tx_packets=$(cat "/sys/class/net/$iface/statistics/tx_packets" 2>/dev/null || echo 0)
echo "Interface: $iface"
echo " RX: $rx_bytes bytes ($rx_packets packets)"
echo " TX: $tx_bytes bytes ($tx_packets packets)"
}


@ -1,28 +0,0 @@
config netifyd 'default'
option enabled '1'
# Enable auto-configuration for interfaces (internal/external)
# Disable this if you want manual control
option autoconfig '1'
# Supplementary options (examples):
# Disable connection tracking thread: -t
# Set detection cores: --thread-detection-cores=2
# Enable verbose logging: -v
# Export to local JSON: -j /tmp/netifyd-flows.json
#list options '-t'
#list options '--thread-detection-cores=2'
#list options '-j /tmp/netifyd-flows.json'
# Manual configuration of internal interfaces (LAN)
# Format: interface_name [options]
# Example: Filter out SSDP traffic
#list internal_if 'br-lan -F "not (udp and dst 239.255.255.250 and dst port 1900)"'
#list internal_if 'eth0 -A 192.168.1.0/24'
# Manual configuration of external interfaces (WAN)
# Format: interface_name [options]
#list external_if 'br-wan'
#list external_if 'eth1'
#list external_if 'ppp0 -N eth2'


@ -1,152 +0,0 @@
#!/bin/sh /etc/rc.common
#
# Copyright (C) 2016-2025 eGloo Incorporated
# Copyright (C) 2025 CyberMind.fr (SecuBox Integration)
#
# This is free software, licensed under the GNU General Public License v2.
START=50
STOP=50
USE_PROCD=1
PROG=/usr/sbin/netifyd
function append_params() {
procd_append_param command "$@"
}
function append_ifopts() {
local filter=0
local filter_expr=
for a in $1; do
case $a in
-F|--device-filter)
filter=1
procd_append_param command "$a"
;;
-*)
if [ $filter -gt 0 ]; then
procd_append_param command "${filter_expr#\ }"
filter=0; filter_expr=
fi
procd_append_param command "$a"
;;
*)
if [ $filter -gt 0 ]; then
a=${a#\"}; a=${a%\"}; a=${a#\'}; a=${a%\'}
filter_expr="$filter_expr $a"
else
procd_append_param command "$a"
fi
esac
done
if [ $filter -gt 0 ]; then
procd_append_param command "${filter_expr#\ }"
fi
}
function append_internal_if() {
append_ifopts "-I $@"
}
function append_external_if() {
append_ifopts "-E $@"
}
start_netifyd() {
local autoconfig enabled instance options
instance="$1"
config_get_bool enabled "$instance" enabled 0
[ "$enabled" -eq 0 ] && return 0
# Load kernel modules if needed
[ -f /usr/share/netifyd/functions.sh ] && {
. /usr/share/netifyd/functions.sh
load_modules
}
procd_open_instance
procd_set_param file /etc/netifyd.conf
procd_set_param term_timeout 30
procd_set_param respawn 3600 15 0
procd_set_param command $PROG -R
procd_set_param stdout 1
procd_set_param stderr 1
# Add custom options
config_list_foreach "$instance" options append_params
# Auto-detect interfaces if enabled
config_get_bool autoconfig "$instance" autoconfig 1
if [ "$autoconfig" -gt 0 ]; then
NETIFYD_AUTODETECT=yes
options="$(auto_detect_options)"
[ -n "$options" ] && procd_append_param command $options
fi
# Manual interface configuration
config_list_foreach "$instance" internal_if append_internal_if
config_list_foreach "$instance" external_if append_external_if
procd_close_instance
}
start_service() {
# Ensure directories exist
[ ! -d /var/run/netifyd ] && mkdir -p /var/run/netifyd
[ ! -d /etc/netify.d ] && mkdir -p /etc/netify.d
# Set permissions
chmod 755 /var/run/netifyd
chmod 755 /etc/netify.d
# Load configuration
config_load netifyd
config_foreach start_netifyd netifyd
}
stop_service() {
# Cleanup
rm -f /var/run/netifyd/*.pid 2>/dev/null
}
reload_service() {
procd_send_signal netifyd
}
service_triggers() {
procd_add_reload_trigger "netifyd"
}
# Auto-detect internal/external interfaces
auto_detect_options() {
local options=""
local internal=""
local external=""
# Try to detect LAN interface (br-lan or eth0)
if [ -d "/sys/class/net/br-lan" ]; then
internal="br-lan"
elif [ -d "/sys/class/net/eth0" ]; then
internal="eth0"
fi
# Try to detect WAN interface
if [ -d "/sys/class/net/br-wan" ]; then
external="br-wan"
elif [ -d "/sys/class/net/eth1" ]; then
external="eth1"
elif [ -d "/sys/class/net/wan" ]; then
external="wan"
fi
# Build options
[ -n "$internal" ] && options="$options -I $internal"
[ -n "$external" ] && options="$options -E $external"
echo "$options"
}


@ -1,49 +0,0 @@
--- a/include/nd-risks.hpp
+++ b/include/nd-risks.hpp
@@ -97,7 +97,7 @@ enum class Id : uint32_t {
TODO = 0xffffffff
};
-const std::unordered_map<Id, const char *, ndEnumHasher> Tags = {
+inline const std::unordered_map<Id, const char *, ndEnumHasher> Tags = {
{ Id::NONE, "None" },
{ Id::ANONYMOUS_SUBSCRIBER, "Anonymous Subscriber" },
@@ -174,7 +174,7 @@ inline Id GetId(const std::string &name
namespace nDPI {
-const std::unordered_map<uint16_t, Id> Risks = {
+inline const std::unordered_map<uint16_t, Id> Risks = {
{ NDPI_ANONYMOUS_SUBSCRIBER, Id::ANONYMOUS_SUBSCRIBER },
{ NDPI_BINARY_APPLICATION_TRANSFER, Id::BINARY_APPLICATION_TRANSFER },
{ NDPI_BINARY_DATA_TRANSFER, Id::BINARY_DATA_TRANSFER },
--- a/include/nd-protos.hpp
+++ b/include/nd-protos.hpp
@@ -469,7 +469,7 @@ enum class Id : uint16_t {
CUSTOM_1024 = 1024,
};
-const std::unordered_map<Id, const char *, ndEnumHasher> Tags = {
+inline const std::unordered_map<Id, const char *, ndEnumHasher> Tags = {
{ Id::AFP, "AFP" },
{ Id::AJP, "AJP" },
{ Id::ALICLOUD, "Alibaba/Cloud" },
@@ -773,7 +773,7 @@ const std::unordered_map<Id, const char
{ Id::ZOOM, "Zoom" },
};
-const std::unordered_map<Id, const char *, ndEnumHasher> Twins = {
+inline const std::unordered_map<Id, const char *, ndEnumHasher> Twins = {
{ Id::APPLE_PUSH, "netify.apple-push" },
{ Id::AVAST, "netify.avast" },
{ Id::BITCOIN, "netify.bitcoin" },
@@ -819,7 +819,7 @@ const std::unordered_map<Id, const char
{ Id::ZOOM, "netify.zoom" },
}
-const std::unordered_map<Id, std::vector<std::pair<uint16_t, Id>>, ndEnumHasher> PortMap = {
+inline const std::unordered_map<Id, std::vector<std::pair<uint16_t, Id>>, ndEnumHasher> PortMap = {
{ Id::TLS,
{
{ 53, Id::DOT },


@ -1,20 +0,0 @@
--- a/libs/ndpi/example/Makefile.in
+++ b/libs/ndpi/example/Makefile.in
@@ -48,6 +48,8 @@
CFLAGS+=-pthread
+LIBS_NO_NDPI := $(filter-out $(LIBNDPI),$(LIBS))
+
all: ndpiReader$(EXE_SUFFIX) @DPDK_TARGET@
EXECUTABLE_SOURCES := ndpiReader.c ndpiSimpleIntegration.c
@@ -57,7 +59,7 @@
$(AR) rsv libndpiReader.a $(COMMON_SOURCES:%.c=%.o)
ndpiReader$(EXE_SUFFIX): libndpiReader.a $(LIBNDPI) ndpiReader.o
- $(CC) $(CFLAGS) $(LDFLAGS) ndpiReader.o libndpiReader.a $(LIBS) -o $@
+ $(CC) $(CFLAGS) $(LDFLAGS) ndpiReader.o -Wl,--start-group libndpiReader.a $(LIBNDPI) -Wl,--end-group $(LIBS_NO_NDPI) -o $@
ndpiSimpleIntegration$(EXE_SUFFIX): ndpiSimpleIntegration.o
$(CC) $(CFLAGS) $(LDFLAGS) $< $(LIBS) -o $@


@ -1,157 +0,0 @@
#!/bin/bash
#
# Netifyd Build Test Script
# Tests the netifyd package build process
#
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
OPENWRT_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
echo "================================"
echo "Netifyd 5.2.1 Build Test"
echo "================================"
echo ""
echo "OpenWrt Root: $OPENWRT_ROOT"
echo "Package Dir: $SCRIPT_DIR"
echo ""
# Check if we're in OpenWrt buildroot
if [ ! -f "$OPENWRT_ROOT/rules.mk" ]; then
echo "ERROR: Not in OpenWrt buildroot"
echo "Please run this script from the OpenWrt tree"
exit 1
fi
cd "$OPENWRT_ROOT"
echo "Step 1: Checking dependencies..."
echo "================================"
# Check for required tools
for tool in make gcc g++ wget tar patch; do
if ! command -v $tool &> /dev/null; then
echo "ERROR: Required tool not found: $tool"
exit 1
fi
echo "$tool"
done
echo ""
echo "Step 2: Updating feeds..."
echo "================================"
./scripts/feeds update -a || true
./scripts/feeds install -a || true
echo ""
echo "Step 3: Checking package configuration..."
echo "================================"
if [ ! -f "$SCRIPT_DIR/Makefile" ]; then
echo "ERROR: Makefile not found"
exit 1
fi
echo " ✓ Makefile exists"
if [ ! -f "$SCRIPT_DIR/files/netifyd.init" ]; then
echo "ERROR: Init script not found"
exit 1
fi
echo " ✓ Init script exists"
if [ ! -f "$SCRIPT_DIR/files/netifyd.config" ]; then
echo "ERROR: Config file not found"
exit 1
fi
echo " ✓ Config file exists"
echo ""
echo "Step 4: Preparing build..."
echo "================================"
# Ensure menuconfig has been run
if [ ! -f ".config" ]; then
echo "WARNING: .config not found, running defconfig..."
make defconfig
fi
echo ""
echo "Step 5: Downloading source..."
echo "================================"
make package/secubox/secubox-app-netifyd/download V=s
echo ""
echo "Step 6: Checking source..."
echo "================================"
if [ -f "dl/netifyd-5.2.1.tar.gz" ]; then
echo " ✓ Source downloaded successfully"
ls -lh dl/netifyd-5.2.1.tar.gz
else
echo "ERROR: Source not downloaded"
exit 1
fi
echo ""
echo "Step 7: Cleaning previous build..."
echo "================================"
make package/secubox/secubox-app-netifyd/clean V=s
echo ""
echo "Step 8: Building package..."
echo "================================"
echo "This may take several minutes..."
echo ""
if make package/secubox/secubox-app-netifyd/compile V=s; then
echo ""
echo "================================"
echo "BUILD SUCCESSFUL!"
echo "================================"
echo ""
# Find built package
PKG_FILE=$(find bin/packages -name "netifyd_5.2.1-*.ipk" 2>/dev/null | head -1)
if [ -n "$PKG_FILE" ]; then
echo "Package built successfully:"
ls -lh "$PKG_FILE"
echo ""
echo "Install with:"
echo " scp $PKG_FILE root@router:/tmp/"
echo " ssh root@router 'opkg install /tmp/$(basename $PKG_FILE)'"
else
echo "WARNING: Package file not found in bin/packages"
fi
else
echo ""
echo "================================"
echo "BUILD FAILED!"
echo "================================"
echo ""
echo "Check the build log above for errors"
exit 1
fi
echo ""
echo "Step 9: Verifying package contents..."
echo "================================"
if [ -n "$PKG_FILE" ]; then
echo "Package contents:"
tar -tzf "$PKG_FILE" 2>/dev/null | head -20
echo " ... (showing first 20 files)"
fi
echo ""
echo "================================"
echo "Build test completed successfully!"
echo "================================"
echo ""
echo "Next steps:"
echo "1. Install package on target device"
echo "2. Run: /etc/init.d/netifyd start"
echo "3. Check status: netifyd -s"
echo "4. View dashboard: luci-app-secubox-netifyd"
echo ""


@ -20,13 +20,13 @@ define Package/secubox-crowdsec-setup
CATEGORY:=SecuBox
SUBMENU:=Security
TITLE:=SecuBox CrowdSec Setup Utility
DEPENDS:=+crowdsec +crowdsec-firewall-bouncer-nftables +syslog-ng4
DEPENDS:=+crowdsec +crowdsec-firewall-bouncer +syslog-ng
PKGARCH:=all
endef
define Package/secubox-crowdsec-setup/description
Script d'installation automatisee de CrowdSec pour SecuBox.
Configure syslog-ng4 pour le forwarding des logs vers CrowdSec,
Configure syslog-ng pour le forwarding des logs vers CrowdSec,
installe les collections de securite, et configure le bouncer
nftables pour fw4.
endef
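Review bot: The new `DEPENDS` line pulls in `crowdsec-firewall-bouncer`, a name that no longer says which firewall backend it drives, while the description just below still promises an nftables bouncer for fw4. If the feed package can run in more than one mode (not visible from this hunk), a setup run that leaves it in the wrong mode would install CrowdSec with decisions that are never enforced at the firewall. I would record the assumption next to the dependency, for example `# crowdsec-firewall-bouncer (feed package): setup script must select nftables mode for fw4` above the `define` line, and have the setup script fail when the bouncer's nftables rules are absent after install. The `define Package/secubox-crowdsec-setup` block starts outside this hunk.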


@ -44,7 +44,7 @@ SDK_PATH="mvebu/cortexa72"
declare -A DEVICE_PROFILES=(
["espressobin-v7"]="mvebu:cortexa53:globalscale_espressobin:ESPRESSObin V7 (1-2GB DDR4)"
["espressobin-ultra"]="mvebu:cortexa53:globalscale_espressobin-ultra:ESPRESSObin Ultra (PoE, WiFi)"
["sheeva64"]="mvebu:cortexa53:globalscale_sheeva64:Sheeva64 (Plug computer)"
# ["sheeva64"]="mvebu:cortexa53:globalscale_sheeva64:Sheeva64 (Plug computer)" # Disabled
["mochabin"]="mvebu:cortexa72:globalscale_mochabin:MOCHAbin (Quad-core A72, 10G)"
["x86-64"]="x86:64:generic:x86_64 Generic PC"
)
@ -1468,7 +1468,7 @@ CONFIG_PACKAGE_kmod-sfp=y
CONFIG_PACKAGE_kmod-phy-marvell-10g=y
EOF
;;
espressobin-ultra|sheeva64)
espressobin-ultra)
cat >> .config << EOF
# WiFi support
@ -1862,7 +1862,6 @@ ARCHITECTURES (for package building):
DEVICES (for firmware building):
espressobin-v7 ESPRESSObin V7 (1-2GB DDR4)
espressobin-ultra ESPRESSObin Ultra (PoE, WiFi)
sheeva64 Sheeva64 (Plug computer)
mochabin MOCHAbin (Quad-core A72, 10G)
x86-64 x86_64 Generic PC