fix: Remove duplicate packages and disable sheeva64 device

- Remove secubox-app-crowdsec (conflicts with feeds/packages/crowdsec)
- Remove secubox-app-netifyd (conflicts with feeds/packages/netifyd)
- Fix Makefile dependencies: crowdsec-firewall-bouncer, syslog-ng
- Fix luci-app-secubox-portal Makefile (correct luci.mk path)
- Fix luci-app-secubox-security-threats (add BuildPackage)
- Disable sheeva64 device in GitHub Actions and local-build.sh
- Update documentation with correct package names

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-01-09 20:02:45 +01:00
parent 7975b22ca3
commit a6a306b021
33 changed files with 14 additions and 3236 deletions


@ -11,8 +11,6 @@ on:
options: options:
- espressobin-v7 - espressobin-v7
- espressobin-ultra - espressobin-ultra
- sheeva64
- sheeva64-wifi
- mochabin - mochabin
- all - all
openwrt_version: openwrt_version:
@ -79,20 +77,6 @@ jobs:
"profile": "globalscale_espressobin-ultra", "profile": "globalscale_espressobin-ultra",
"description": "ESPRESSObin Ultra (PoE, WiFi)" "description": "ESPRESSObin Ultra (PoE, WiFi)"
}, },
{
"device": "sheeva64",
"target": "mvebu",
"subtarget": "cortexa53",
"profile": "globalscale_sheeva64",
"description": "Sheeva64 (Plug computer)"
},
{
"device": "sheeva64-wifi",
"target": "mvebu",
"subtarget": "cortexa53",
"profile": "globalscale_sheeva64",
"description": "Sheeva64 WiFi (802.11ac + BT)"
},
{ {
"device": "mochabin", "device": "mochabin",
"target": "mvebu", "target": "mvebu",
@ -370,19 +354,11 @@ jobs:
EOF EOF
;; ;;
espressobin-ultra|sheeva64-wifi) espressobin-ultra)
# WiFi support # WiFi support
cat >> .config << EOF cat >> .config << EOF
CONFIG_PACKAGE_kmod-mt76=y CONFIG_PACKAGE_kmod-mt76=y
CONFIG_PACKAGE_kmod-mac80211=y CONFIG_PACKAGE_kmod-mac80211=y
EOF
;;
sheeva64*)
# Minimal for plug computer
cat >> .config << EOF
# Optimized for plug form factor
CONFIG_PACKAGE_kmod-ledtrig-heartbeat=y
EOF EOF
;; ;;
esac esac


@ -39,7 +39,7 @@ secubox-crowdsec-setup --install
opkg update opkg update
# Install required packages # Install required packages
opkg install crowdsec crowdsec-firewall-bouncer-nftables syslog-ng4 opkg install crowdsec crowdsec-firewall-bouncer syslog-ng
# Install LuCI dashboard (optional) # Install LuCI dashboard (optional)
opkg install luci-app-secubox-crowdsec opkg install luci-app-secubox-crowdsec
@ -55,7 +55,7 @@ opkg install luci-app-secubox-crowdsec
+--------------+--------------+ +--------------+--------------+
| | | |
+-------v-------+ +---------v---------+ +-------v-------+ +---------v---------+
| syslog-ng4 | | logread -f | | syslog-ng | | logread -f |
| (UDP 5140) | | (fallback) | | (UDP 5140) | | (fallback) |
+-------+-------+ +---------+---------+ +-------+-------+ +---------+---------+
| | | |
@ -88,7 +88,7 @@ opkg install luci-app-secubox-crowdsec
## Components ## Components
### 1. syslog-ng4 Configuration ### 1. syslog-ng Configuration
Located at `/etc/syslog-ng/syslog-ng.conf`, this configuration: Located at `/etc/syslog-ng/syslog-ng.conf`, this configuration:
- Captures all system logs via Unix socket - Captures all system logs via Unix socket
@ -306,9 +306,9 @@ secubox-crowdsec-setup --uninstall
/etc/init.d/syslog-ng stop /etc/init.d/syslog-ng stop
opkg remove luci-app-secubox-crowdsec opkg remove luci-app-secubox-crowdsec
opkg remove crowdsec-firewall-bouncer-nftables opkg remove crowdsec-firewall-bouncer
opkg remove crowdsec opkg remove crowdsec
opkg remove syslog-ng4 opkg remove syslog-ng
# Clean nftables # Clean nftables
nft delete table ip crowdsec nft delete table ip crowdsec


@ -11,7 +11,7 @@ PKG_VERSION:=1.0.0
PKG_RELEASE:=1 PKG_RELEASE:=1
LUCI_TITLE:=LuCI SecuBox CrowdSec Dashboard LUCI_TITLE:=LuCI SecuBox CrowdSec Dashboard
LUCI_DEPENDS:=+luci-base +crowdsec +crowdsec-firewall-bouncer-nftables LUCI_DEPENDS:=+luci-base +crowdsec +crowdsec-firewall-bouncer
LUCI_PKGARCH:=all LUCI_PKGARCH:=all
PKG_MAINTAINER:=Gerald Kerma <gandalf@gk2.net> PKG_MAINTAINER:=Gerald Kerma <gandalf@gk2.net>
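Review bot: The new `+crowdsec +crowdsec-firewall-bouncer` entries in LUCI_DEPENDS now resolve to the feeds/packages builds, and nothing in this Makefile records that. The in-tree crowdsec package deleted by this same commit installed the `acquis.d/openwrt-*.yaml` templates and a `99_crowdsec` uci-defaults script. If the feed package ships no equivalents, the dashboard can install cleanly while the engine has no log sources to read, so please confirm that `secubox-crowdsec-setup` or another package now provides them. I would add a comment above the line, `# crowdsec, crowdsec-firewall-bouncer: from feeds/packages (in-tree secubox-app-crowdsec removed)`. The commit message also lists syslog-ng under the Makefile dependency fixes, but this hunk changes no syslog-ng dependency; presumably that change is in a file outside this view.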


@ -15,7 +15,6 @@ PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=SecuBox Team <secubox@example.com> PKG_MAINTAINER:=SecuBox Team <secubox@example.com>
include ../../luci.mk include $(TOPDIR)/feeds/luci/luci.mk
# call BuildPackage - OpenWrt buildance! # call BuildPackage - OpenWrt buildroot signature
$(eval $(call BuildPackage,luci-app-secubox-portal))


@ -25,3 +25,4 @@ PKG_FILE_MODES:=/usr/libexec/rpcd/luci.secubox-security-threats:root:root:755
include $(TOPDIR)/feeds/luci/luci.mk include $(TOPDIR)/feeds/luci/luci.mk
# call BuildPackage - OpenWrt buildroot signature # call BuildPackage - OpenWrt buildroot signature
$(eval $(call BuildPackage,luci-app-secubox-security-threats))
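Review bot: The added `$(eval $(call BuildPackage,luci-app-secubox-security-threats))` follows `include $(TOPDIR)/feeds/luci/luci.mk`, and luci.mk, as far as I know, already evaluates BuildPackage for the package. The retained `# call BuildPackage - OpenWrt buildroot signature` comment is the conventional marker, not a placeholder for a missing call. A second evaluation would define the package twice, which may surface as overridden-recipe warnings or duplicate package metadata. Please check the luci.mk in the feed; if it does register the package, drop this line and look for the real reason the package was not built. The luci-app-secubox-portal section of this commit keeps the same comment but seems to treat the explicit call differently (the rendering is ambiguous), so the two Makefiles should end up consistent.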


@ -1,250 +0,0 @@
# SPDX-License-Identifier: MIT
#
# Copyright (C) 2021-2022 Gerald Kerma <gandalf@gk2.net>
#
include $(TOPDIR)/rules.mk
PKG_NAME:=crowdsec
PKG_VERSION:=1.7.4
PKG_RELEASE:=3
PKG_ARCH:=all
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/crowdsec/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=755b5c2c1a8cef24b56fd2fbc7d2942f6fc525c625a78f9c65229e5b3b305327
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Gerald Kerma <gandalf@gk2.net>
PKG_BUILD_DEPENDS:=golang/host
PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=no-mips16
CWD_SYSTEM:=openwrt
CWD_BUILD_VERSION?=v$(PKG_VERSION)
CWD_BUILD_GOVERSION:=$(shell go version 2>/dev/null | cut -d " " -f3 | sed -E 's/[go]+//g' || echo "1.23")
CWD_BUILD_CODENAME:=alphaga
CWD_BUILD_TIMESTAMP:=$(shell date +%F"_"%T)
CWD_BUILD_TAG:=openwrt-$(PKG_VERSION)-$(PKG_RELEASE)
CWD_VERSION_PKG:=github.com/crowdsecurity/go-cs-lib/version
GO_PKG:=github.com/crowdsecurity/crowdsec
GO_PKG_INSTALL_ALL:=1
GO_PKG_LDFLAGS_X:=$(CWD_VERSION_PKG).Version=$(CWD_BUILD_VERSION) \
$(CWD_VERSION_PKG).System=$(CWD_SYSTEM) \
$(CWD_VERSION_PKG).BuildDate=$(CWD_BUILD_TIMESTAMP) \
$(CWD_VERSION_PKG).Codename=$(CWD_BUILD_CODENAME) \
$(CWD_VERSION_PKG).Tag=$(CWD_BUILD_TAG) \
$(CWD_VERSION_PKG).GoVersion=$(CWD_BUILD_GOVERSION)
include $(INCLUDE_DIR)/package.mk
include $(TOPDIR)/feeds/packages/lang/golang/golang-package.mk
# Keep Go in module mode so it honors our local replacements.
GO_MOD_ARGS+=-mod=mod
CWD_GO_CSLIB_VERSION:=v0.0.24
CWD_GO_VENDOR_ROOT:=secubox-vendor
CWD_GO_VENDOR_MODULES:= \
github.com/crowdsecurity/go-cs-lib@$(CWD_GO_CSLIB_VERSION) \
github.com/crowdsecurity/time@v0.13.0-crowdsec.20250912 \
github.com/moby/moby/api@v1.52.1-0.20251116162601-e9ff10bf365a \
github.com/moby/moby/client@v0.1.1-0.20251116162601-e9ff10bf365a \
golang.org/x/crypto@v0.42.0 \
golang.org/x/mod@v0.28.0 \
golang.org/x/net@v0.44.0 \
golang.org/x/sync@v0.17.0 \
golang.org/x/sys@v0.37.0 \
golang.org/x/term@v0.35.0 \
golang.org/x/text@v0.29.0 \
golang.org/x/tools@v0.37.0 \
golang.org/x/telemetry@v0.0.0-20250908211612-aef8a434d053
define CWD/EnsureModuleSource
if [ ! -d "$(DL_DIR)/go-mod-cache/$(1)@$(2)" ]; then \
$(INSTALL_DIR) "$(DL_DIR)/go-mod-cache/cache/download/$(1)/@v"; \
wget -q -O "$(DL_DIR)/go-mod-cache/cache/download/$(1)/@v/$(2).zip" \
"https://proxy.golang.org/$(1)/@v/$(2).zip"; \
unzip -q -d "$(DL_DIR)/go-mod-cache" \
"$(DL_DIR)/go-mod-cache/cache/download/$(1)/@v/$(2).zip"; \
fi
endef
define CWD/StageVendorModule
$(call CWD/EnsureModuleSource,$(1),$(2))
rm -rf $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)
$(INSTALL_DIR) $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)
$(CP) \
$(DL_DIR)/go-mod-cache/$(1)@$(2)/. \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)/
if [ -f $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)/go.mod ]; then \
$(SED) 's,^go 1\.[2-9][0-9]*.*,go 1.23,' \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)/go.mod; \
fi
endef
define Build/Prepare
$(call Build/Prepare/Default)
# CrowdSec upstream requires Go 1.25+, but our SDK ships 1.23.x.
# Force the go.mod directive down so the stock toolchain can build it.
$(SED) 's,go 1\.[2-9][0-9]*.*,go 1.23,' $(PKG_BUILD_DIR)/go.mod
# Stage Go modules that require newer compilers so we can pin them locally and drop their go directive.
$(call CWD/StageVendorModule,github.com/crowdsecurity/go-cs-lib,$(CWD_GO_CSLIB_VERSION))
$(call CWD/StageVendorModule,github.com/crowdsecurity/time,v0.13.0-crowdsec.20250912)
$(call CWD/StageVendorModule,github.com/moby/moby/api,v1.52.1-0.20251116162601-e9ff10bf365a)
$(call CWD/StageVendorModule,github.com/moby/moby/client,v0.1.1-0.20251116162601-e9ff10bf365a)
$(call CWD/StageVendorModule,golang.org/x/crypto,v0.42.0)
$(call CWD/StageVendorModule,golang.org/x/mod,v0.28.0)
$(call CWD/StageVendorModule,golang.org/x/net,v0.44.0)
$(call CWD/StageVendorModule,golang.org/x/sync,v0.17.0)
$(call CWD/StageVendorModule,golang.org/x/sys,v0.37.0)
$(call CWD/StageVendorModule,golang.org/x/term,v0.35.0)
$(call CWD/StageVendorModule,golang.org/x/text,v0.29.0)
$(call CWD/StageVendorModule,golang.org/x/tools,v0.37.0)
$(call CWD/StageVendorModule,golang.org/x/telemetry,v0.0.0-20250908211612-aef8a434d053)
$(SED) 's@for line := range strings.SplitSeq@for _, line := range strings.SplitSeq@g' \
$(PKG_BUILD_DIR)/pkg/appsec/appsec_rules_collection.go
$(SED) 's@for f := range strings.SplitSeq@for _, f := range strings.SplitSeq@g' \
$(PKG_BUILD_DIR)/pkg/parser/runtime.go
$(SED) 's,strings.SplitSeq,strings.Split,g' \
$(PKG_BUILD_DIR)/pkg/appsec/appsec_rules_collection.go
$(SED) 's,strings.SplitSeq,strings.Split,g' \
$(PKG_BUILD_DIR)/pkg/parser/runtime.go
$(SED) 's@for line := range strings.SplitSeq(description, "\\n") {@for _, line := range strings.Split(description, "\\n") {@g' \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/golang.org/x/tools/internal/mcp/generate.go
$(SED) 's@for field := range strings.FieldsSeq(line) {@for _, field := range strings.Fields(line) {@g' \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/golang.org/x/tools/internal/mcp/generate.go
$(SED) 's@for line := range strings.SplitSeq(stdout.String(), "\\n") {@for _, line := range strings.Split(stdout.String(), "\\n") {@g' \
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/golang.org/x/tools/internal/stdlib/generate.go
endef
define Package/crowdsec/Default
SECTION:=net
CATEGORY:=Network
TITLE:=Crowdsec detection engine
URL:=https://crowdsec.net/
endef
define Package/crowdsec
$(call Package/crowdsec/Default)
DEPENDS:=$(GO_ARCH_DEPENDS) +libc
endef
define Package/golang-crowdsec-dev
$(call Package/crowdsec/Default)
$(call GoPackage/GoSubMenu)
TITLE+= (source files)
DEPENDS:=$(GO_ARCH_DEPENDS)
PKGARCH:=all
endef
define Package/crowdsec/Default/description
Crowdsec - An open-source, lightweight agent to detect
and respond to bad behaviours.
It also automatically benefits from a global
community-wide IP reputation database.
endef
define Package/crowdsec/description
$(call Package/crowdsec/Default/description)
This package contains the main program.
endef
define Package/golang-crowdsec-dev/description
$(call Package/crowdsec/Default/description)
This package provides the source files for the program.
endef
ifneq ($(CONFIG_USE_MUSL),)
TARGET_CFLAGS += -D_LARGEFILE64_SOURCE
endif
define Package/crowdsec/install
$(call GoPackage/Package/Install/Bin,$(1))
$(INSTALL_DIR) $(1)/etc/crowdsec
$(INSTALL_DIR) $(1)/etc/crowdsec/scenarios
$(INSTALL_DIR) $(1)/etc/crowdsec/postoverflows
$(INSTALL_DIR) $(1)/etc/crowdsec/collections
$(INSTALL_DIR) $(1)/etc/crowdsec/patterns
$(INSTALL_DIR) $(1)/etc/crowdsec/hub
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/config.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/dev.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/user.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/acquis.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/profiles.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/simulation.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/local_api_credentials.yaml \
$(1)/etc/crowdsec/
$(INSTALL_DATA) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/online_api_credentials.yaml \
$(1)/etc/crowdsec/
$(CP) \
$(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/patterns/* \
$(1)/etc/crowdsec/patterns
# Install acquisition configuration directory and templates
$(INSTALL_DIR) $(1)/etc/crowdsec/acquis.d
$(INSTALL_DATA) \
./files/acquis.d/openwrt-syslog.yaml \
$(1)/etc/crowdsec/acquis.d/
$(INSTALL_DATA) \
./files/acquis.d/openwrt-dropbear.yaml \
$(1)/etc/crowdsec/acquis.d/
$(INSTALL_DATA) \
./files/acquis.d/openwrt-firewall.yaml \
$(1)/etc/crowdsec/acquis.d/
$(INSTALL_DATA) \
./files/acquis.d/openwrt-uhttpd.yaml \
$(1)/etc/crowdsec/acquis.d/
$(INSTALL_DIR) $(1)/srv/crowdsec/data/
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) \
./files/crowdsec.initd \
$(1)/etc/init.d/crowdsec
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) \
./files/crowdsec.config \
$(1)/etc/config/crowdsec
$(LN) /usr/bin/crowdsec-cli $(1)/usr/bin/cscli
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_BIN) \
./files/crowdsec.defaults \
$(1)/etc/uci-defaults/99_crowdsec
endef
define Package/crowdsec/conffiles
/etc/crowdsec/
/etc/crowdsec/acquis.d/
/etc/config/crowdsec
endef
$(eval $(call GoBinPackage,crowdsec))
$(eval $(call BuildPackage,crowdsec))


@ -1,236 +0,0 @@
# SecuBox App - CrowdSec
## Version
- **Package**: secubox-app-crowdsec
- **CrowdSec Core**: v1.7.4
- **Release**: 3
- **Last Updated**: January 2025
## Description
CrowdSec is an open-source, lightweight security engine that detects and responds to malicious behaviors. This SecuBox package provides CrowdSec for OpenWrt routers with automatic log acquisition configuration.
## Key Features (v1.7.4)
- WAF capability with DropRequest helper for request blocking
- Refactored syslog acquisition using RestartableStreamer
- Optional pure-go SQLite driver for better compatibility
- Enhanced logging configuration with syslog media support
- Configurable usage metrics export (api.server.disable_usage_metrics_export)
- Fixed LAPI metrics cardinality issues with Prometheus
- Data race prevention in Docker acquisition
- Database query optimization for decision streams
- **Automatic OpenWrt log acquisition configuration**
- **UCI-based acquisition management**
## Package Contents
- **Makefile**: OpenWrt package definition for CrowdSec v1.7.4
- **files/**: Configuration and init scripts
- `crowdsec.initd`: Init script for service management
- `crowdsec.config`: UCI configuration (with acquisition settings)
- `crowdsec.defaults`: Default configuration with auto-detection
- `acquis.d/`: Acquisition configuration templates
- `openwrt-syslog.yaml`: System syslog logs
- `openwrt-dropbear.yaml`: SSH/Dropbear logs
- `openwrt-firewall.yaml`: iptables/nftables firewall logs
- `openwrt-uhttpd.yaml`: uHTTPd web server logs
## Installation
```bash
# From SecuBox build environment
cd /home/reepost/CyberMindStudio/_files/secubox-openwrt
make package/secubox/secubox-app-crowdsec/compile V=s
# Install on router
opkg install crowdsec_1.7.4-3_*.ipk
```
## Configuration
### UCI Configuration
CrowdSec uses UCI for configuration in `/etc/config/crowdsec`:
```bash
# View current configuration
uci show crowdsec
# Main settings
uci set crowdsec.crowdsec.data_dir='/srv/crowdsec/data'
uci set crowdsec.crowdsec.db_path='/srv/crowdsec/data/crowdsec.db'
# Acquisition settings
uci set crowdsec.acquisition.syslog_enabled='1'
uci set crowdsec.acquisition.firewall_enabled='1'
uci set crowdsec.acquisition.ssh_enabled='1'
uci set crowdsec.acquisition.http_enabled='0'
uci set crowdsec.acquisition.syslog_path='/var/log/messages'
# Hub settings
uci set crowdsec.hub.auto_install='1'
uci set crowdsec.hub.collections='crowdsecurity/linux crowdsecurity/iptables'
uci set crowdsec.hub.update_interval='7'
uci commit crowdsec
```
### File Locations
- Main config: `/etc/crowdsec/config.yaml`
- Acquisition directory: `/etc/crowdsec/acquis.d/`
- Legacy acquisition: `/etc/crowdsec/acquis.yaml`
- Profiles: `/etc/crowdsec/profiles.yaml`
- Local API: `/etc/crowdsec/local_api_credentials.yaml`
- Data directory: `/srv/crowdsec/data/`
## Log Acquisition Configuration
### Automatic Detection
On first boot, the defaults script automatically:
1. Detects OpenWrt log file configuration
2. Identifies installed services (Dropbear, firewall)
3. Generates appropriate acquisition configs
4. Installs recommended Hub collections
### Supported Log Sources
| Log Source | Default | Collection Required |
|------------|---------|---------------------|
| System Syslog | Enabled | crowdsecurity/linux |
| SSH/Dropbear | Enabled | crowdsecurity/linux |
| Firewall (iptables/nftables) | Enabled | crowdsecurity/iptables |
| HTTP (uHTTPd/nginx) | Disabled | crowdsecurity/http-cve |
### Custom Acquisition
Add custom acquisition configs to `/etc/crowdsec/acquis.d/`:
```yaml
# /etc/crowdsec/acquis.d/custom.yaml
filenames:
- /var/log/custom-app/*.log
labels:
type: syslog
```
### Syslog Service Mode
To run CrowdSec as a syslog server (receive logs from other devices):
```bash
uci set crowdsec.acquisition.syslog_listen_addr='0.0.0.0'
uci set crowdsec.acquisition.syslog_listen_port='514'
uci commit crowdsec
/etc/init.d/crowdsec restart
```
## Service Management
```bash
# Start CrowdSec
/etc/init.d/crowdsec start
# Stop CrowdSec
/etc/init.d/crowdsec stop
# Restart CrowdSec
/etc/init.d/crowdsec restart
# Check status
/etc/init.d/crowdsec status
```
## CLI Usage
CrowdSec CLI is available via `cscli`:
```bash
# Check version
cscli version
# Check acquisition status
cscli metrics show acquisition
# List decisions
cscli decisions list
# View alerts
cscli alerts list
# Manage collections
cscli collections list
cscli collections install crowdsecurity/nginx
# Manage Hub
cscli hub update
cscli hub upgrade
# Manage bouncers
cscli bouncers list
cscli bouncers add firewall-bouncer
```
## Hub Collections for OpenWrt
### Recommended Collections
```bash
# Core Linux detection (SSH brute-force, etc.)
cscli collections install crowdsecurity/linux
# Firewall log analysis (port scan detection)
cscli collections install crowdsecurity/iptables
# Syslog parsing
cscli parsers install crowdsecurity/syslog-logs
# Whitelists for reducing false positives
cscli parsers install crowdsecurity/whitelists
```
### Optional Collections
```bash
# HTTP attack detection
cscli collections install crowdsecurity/http-cve
# nginx logs
cscli collections install crowdsecurity/nginx
# Smb/Samba
cscli collections install crowdsecurity/smb
```
## Integration with SecuBox
This package integrates with:
- **luci-app-crowdsec-dashboard** v0.5.0+
- **secubox-app-crowdsec-bouncer** - Firewall bouncer
- **SecuBox Theme System**
- **SecuBox Logging** (`secubox-log`)
## Dependencies
- Go compiler (build-time)
- SQLite3
- OpenWrt base system
## References
- Upstream: https://github.com/crowdsecurity/crowdsec
- Documentation: https://docs.crowdsec.net/
- Hub: https://hub.crowdsec.net/
- Acquisition Docs: https://docs.crowdsec.net/docs/next/log_processor/data_sources/intro/
- SecuBox Project: https://cybermind.fr
## Changelog
### v1.7.4-3 (2025-01)
- Added automatic log acquisition configuration
- Added UCI-based acquisition management
- Added acquis.d directory with OpenWrt-specific templates
- Improved Hub collection auto-installation
- Added acquisition for syslog, SSH/Dropbear, firewall, HTTP
- Enhanced defaults script with detection logic
### v1.7.4-2 (2024-12)
- Updated from v1.6.2 to v1.7.4
- Added WAF/AppSec support
- Improved syslog acquisition
- Enhanced metrics export configuration
- Fixed Prometheus cardinality issues
### v1.6.2-1 (Previous)
- Initial SecuBox integration
- Basic OpenWrt compatibility patches
## License
MIT License
## Maintainer
CyberMind.fr - Gandalf <gandalf@gk2.net>


@ -1,29 +0,0 @@
# OpenWrt Dropbear SSH Acquisition
# This configuration monitors SSH authentication logs from Dropbear
#
# Dropbear logs are typically sent to syslog and can be found in:
# - /var/log/messages (if syslog is configured to write to file)
# - Via logread command (OpenWrt default)
#
# Required collections:
# cscli collections install crowdsecurity/linux
# cscli parsers install crowdsecurity/syslog-logs
#
# The crowdsecurity/linux collection includes SSH brute-force detection
# scenarios that work with Dropbear authentication logs.
#
# Example Dropbear log entries that will be parsed:
# dropbear[1234]: Bad password attempt for 'root' from 192.168.1.100:54321
# dropbear[1234]: Login attempt for nonexistent user 'admin' from 192.168.1.100:54321
# dropbear[1234]: Pubkey auth succeeded for 'root' with ssh-ed25519 key
# dropbear[1234]: Exit (root) from <192.168.1.100:54321>: Disconnect received
#
# Note: Since Dropbear logs go to syslog, the openwrt-syslog.yaml
# acquisition config will capture these logs. This file serves as
# documentation for Dropbear-specific detection.
# If using a dedicated auth log file:
# filenames:
# - /var/log/auth.log
# labels:
# type: syslog


@ -1,40 +0,0 @@
# OpenWrt Firewall Logs Acquisition
# This configuration monitors iptables/nftables firewall logs
#
# Required collections:
# cscli collections install crowdsecurity/iptables
#
# The crowdsecurity/iptables collection provides:
# - crowdsecurity/iptables-logs parser (for -j LOG entries)
# - crowdsecurity/iptables-scan-multi_ports scenario (port scan detection)
#
# To enable firewall logging in OpenWrt, add LOG rules to your firewall config:
#
# For nftables (OpenWrt 22.03+):
# nft add rule inet fw4 input counter log prefix "fw4-INPUT: " drop
#
# For iptables (legacy):
# iptables -A INPUT -j LOG --log-prefix "iptables-INPUT: "
#
# Or via /etc/config/firewall:
# config rule
# option name 'Log-Dropped'
# option src 'wan'
# option dest '*'
# option proto 'all'
# option target 'LOG'
# option log_prefix 'fw-DROP: '
#
# Firewall logs are typically written to kernel log (kern.log)
# or syslog depending on system configuration.
# Kernel/firewall log file acquisition
filenames:
- /var/log/kern.log
- /var/log/firewall.log
labels:
type: syslog
---
# Alternative: If firewall logs go to main syslog
# The openwrt-syslog.yaml acquisition will capture them
# as long as the iptables collection parser is installed


@ -1,28 +0,0 @@
# OpenWrt System Syslog Acquisition
# This configuration monitors OpenWrt system logs via syslog
# For local log files or syslog forwarding scenarios
#
# Note: OpenWrt uses logd by default which doesn't write to files.
# Enable syslog-ng or configure log_file in /etc/config/system
# to enable file-based log acquisition.
#
# Required collections:
# cscli collections install crowdsecurity/linux
# cscli parsers install crowdsecurity/syslog-logs
# File-based acquisition for syslog (if log_file is configured)
filenames:
- /var/log/messages
- /var/log/syslog
labels:
type: syslog
---
# Alternative: Syslog service acquisition
# Uncomment this section if using remote syslog forwarding
# or if CrowdSec should act as a syslog server
#
# source: syslog
# listen_addr: 127.0.0.1
# listen_port: 10514
# labels:
# type: syslog


@ -1,29 +0,0 @@
# OpenWrt uHTTPd Web Server Acquisition
# This configuration monitors uHTTPd access/error logs
#
# By default, uHTTPd logs to syslog. To enable file-based logging,
# configure uHTTPd in /etc/config/uhttpd:
#
# config uhttpd 'main'
# option access_log '/var/log/uhttpd/access.log'
# option error_log '/var/log/uhttpd/error.log'
#
# Required parsers:
# cscli parsers install crowdsecurity/syslog-logs
#
# For HTTP-based attacks, consider installing:
# cscli collections install crowdsecurity/http-cve
# cscli scenarios install crowdsecurity/http-probing
# cscli scenarios install crowdsecurity/http-bad-user-agent
# uHTTPd access logs
# filenames:
# - /var/log/uhttpd/access.log
# labels:
# type: syslog
---
# uHTTPd error logs
# filenames:
# - /var/log/uhttpd/error.log
# labels:
# type: syslog


@ -1,30 +0,0 @@
config crowdsec 'crowdsec'
option data_dir '/srv/crowdsec/data'
option db_path '/srv/crowdsec/data/crowdsec.db'
# Acquisition configuration
config acquisition 'acquisition'
# Enable/disable specific log sources
option syslog_enabled '1'
option firewall_enabled '1'
option ssh_enabled '1'
option http_enabled '0'
# Syslog service settings (if using CrowdSec as syslog server)
option syslog_listen_addr '127.0.0.1'
option syslog_listen_port '10514'
# Log file paths (OpenWrt-specific)
option syslog_path '/var/log/messages'
option auth_log_path '/var/log/auth.log'
option kernel_log_path '/var/log/kern.log'
# Hub configuration
config hub 'hub'
# Auto-install recommended collections on first boot
option auto_install '1'
# Collections to install (space-separated)
option collections 'crowdsecurity/linux crowdsecurity/iptables'
# Additional parsers
option parsers 'crowdsecurity/syslog-logs crowdsecurity/whitelists'
# Hub update interval in days (0 to disable auto-update)
option update_interval '7'


@ -1,317 +0,0 @@
#!/bin/sh
#
# CrowdSec UCI Defaults Script
# Configures CrowdSec on first install with automatic acquisition setup
#
CONFIG=/etc/crowdsec/config.yaml
ACQUIS_DIR=/etc/crowdsec/acquis.d
UCI_CONFIG=/etc/config/crowdsec
# Load UCI functions
. /lib/functions.sh
# Get UCI values with defaults
get_uci_value() {
local section="$1"
local option="$2"
local default="$3"
local value
value=$(uci -q get "crowdsec.${section}.${option}")
echo "${value:-$default}"
}
# Configure data paths
setup_paths() {
local data_dir
local db_path
data_dir=$(get_uci_value "crowdsec" "data_dir" "/srv/crowdsec/data")
db_path=$(get_uci_value "crowdsec" "db_path" "/srv/crowdsec/data/crowdsec.db")
sed -i "s,^\(\s*data_dir\s*:\s*\).*\$,\1$data_dir," $CONFIG
sed -i "s,^\(\s*db_path\s*:\s*\).*\$,\1$db_path," $CONFIG
# Create data dir & permissions if needed
if [ ! -d "${data_dir}" ]; then
mkdir -m 0755 -p "${data_dir}"
fi
}
# Create machine-id if not exists
setup_machine_id() {
if [ ! -f /etc/machine-id ]; then
cat /proc/sys/kernel/random/uuid | tr -d "-" > /etc/machine-id
echo "Created machine-id"
fi
}
# Register local API machine
register_lapi() {
if grep -q "login:" /etc/crowdsec/local_api_credentials.yaml 2>/dev/null; then
echo "Local API already registered"
else
echo "Registering local API machine..."
cscli -c /etc/crowdsec/config.yaml machines add -a -f /etc/crowdsec/local_api_credentials.yaml
fi
}
# Register with Central API (CAPI) for threat intelligence sharing
register_capi() {
if ! grep -q "login:" /etc/crowdsec/online_api_credentials.yaml 2>/dev/null; then
echo "Registering with Central API (CAPI)..."
if cscli capi register 2>/dev/null; then
echo "Successfully registered with Central API"
else
echo "WARNING: CAPI registration failed - will run in local-only mode"
# Create minimal credentials file to prevent errors
echo "url: https://api.crowdsec.net/" > /etc/crowdsec/online_api_credentials.yaml
fi
else
echo "Central API already registered"
fi
}
# Update hub index
update_hub() {
local update_interval
update_interval=$(get_uci_value "hub" "update_interval" "7")
if [ "$update_interval" = "0" ]; then
echo "Hub auto-update disabled"
return 0
fi
if [ ! -f /etc/crowdsec/hub/.index.json ] || \
[ $(find /etc/crowdsec/hub/.index.json -mtime +${update_interval} 2>/dev/null | wc -l) -gt 0 ]; then
echo "Updating hub index..."
cscli hub update 2>/dev/null || true
fi
}
# Install collections and parsers from Hub
install_hub_items() {
local auto_install
local collections
local parsers
auto_install=$(get_uci_value "hub" "auto_install" "1")
if [ "$auto_install" != "1" ]; then
echo "Hub auto-install disabled"
return 0
fi
# Install collections
collections=$(get_uci_value "hub" "collections" "crowdsecurity/linux crowdsecurity/iptables")
for collection in $collections; do
echo "Installing collection: $collection"
cscli collections install "$collection" 2>/dev/null || true
done
# Install additional parsers
parsers=$(get_uci_value "hub" "parsers" "crowdsecurity/syslog-logs crowdsecurity/whitelists")
for parser in $parsers; do
echo "Installing parser: $parser"
cscli parsers install "$parser" 2>/dev/null || true
done
# Upgrade all hub items
cscli hub upgrade 2>/dev/null || true
}
# Generate dynamic acquisition configuration
generate_acquisition_config() {
local syslog_enabled
local firewall_enabled
local ssh_enabled
local http_enabled
local syslog_path
local kernel_log_path
local auth_log_path
# Ensure acquis.d directory exists
mkdir -p "$ACQUIS_DIR"
# Get acquisition settings from UCI
syslog_enabled=$(get_uci_value "acquisition" "syslog_enabled" "1")
firewall_enabled=$(get_uci_value "acquisition" "firewall_enabled" "1")
ssh_enabled=$(get_uci_value "acquisition" "ssh_enabled" "1")
http_enabled=$(get_uci_value "acquisition" "http_enabled" "0")
syslog_path=$(get_uci_value "acquisition" "syslog_path" "/var/log/messages")
kernel_log_path=$(get_uci_value "acquisition" "kernel_log_path" "/var/log/kern.log")
auth_log_path=$(get_uci_value "acquisition" "auth_log_path" "/var/log/auth.log")
# Generate syslog acquisition config
if [ "$syslog_enabled" = "1" ]; then
echo "Configuring syslog acquisition..."
cat > "$ACQUIS_DIR/openwrt-syslog.yaml" << EOF
# OpenWrt System Syslog Acquisition
# Auto-generated by crowdsec.defaults
# Monitors system logs for security events
filenames:
- ${syslog_path}
- /var/log/syslog
labels:
type: syslog
EOF
else
rm -f "$ACQUIS_DIR/openwrt-syslog.yaml"
fi
# Generate firewall acquisition config
if [ "$firewall_enabled" = "1" ]; then
echo "Configuring firewall log acquisition..."
cat > "$ACQUIS_DIR/openwrt-firewall.yaml" << EOF
# OpenWrt Firewall Logs Acquisition
# Auto-generated by crowdsec.defaults
# Monitors iptables/nftables firewall logs for port scans
filenames:
- ${kernel_log_path}
- /var/log/firewall.log
labels:
type: syslog
EOF
# Ensure iptables collection is installed
cscli collections install crowdsecurity/iptables 2>/dev/null || true
else
rm -f "$ACQUIS_DIR/openwrt-firewall.yaml"
fi
# Generate SSH/auth acquisition config
if [ "$ssh_enabled" = "1" ]; then
echo "Configuring SSH/auth log acquisition..."
# SSH logs typically go to syslog on OpenWrt
# The syslog acquisition will capture them
# Just ensure the linux collection is installed for SSH scenarios
cscli collections install crowdsecurity/linux 2>/dev/null || true
fi
# Generate HTTP acquisition config (disabled by default)
if [ "$http_enabled" = "1" ]; then
echo "Configuring HTTP log acquisition..."
cat > "$ACQUIS_DIR/openwrt-http.yaml" << EOF
# OpenWrt HTTP Server Logs Acquisition
# Auto-generated by crowdsec.defaults
filenames:
- /var/log/uhttpd/access.log
- /var/log/nginx/access.log
labels:
type: syslog
EOF
else
rm -f "$ACQUIS_DIR/openwrt-http.yaml"
fi
}
# Configure syslog service acquisition (if CrowdSec acts as syslog server)
configure_syslog_service() {
local listen_addr
local listen_port
listen_addr=$(get_uci_value "acquisition" "syslog_listen_addr" "127.0.0.1")
listen_port=$(get_uci_value "acquisition" "syslog_listen_port" "10514")
# Only create syslog service config if non-default port is configured
if [ "$listen_port" != "10514" ] || [ "$listen_addr" != "127.0.0.1" ]; then
echo "Configuring syslog service acquisition..."
cat > "$ACQUIS_DIR/syslog-service.yaml" << EOF
# Syslog Service Acquisition
# Auto-generated by crowdsec.defaults
# CrowdSec acts as a syslog server to receive logs
source: syslog
listen_addr: ${listen_addr}
listen_port: ${listen_port}
labels:
type: syslog
EOF
fi
}
# Detect and configure OpenWrt-specific log sources
detect_openwrt_logs() {
echo "Detecting OpenWrt log sources..."
# Check if syslog-ng is installed and configured
if [ -f /etc/syslog-ng.conf ]; then
echo "syslog-ng detected"
fi
# Check if rsyslog is configured
if [ -f /etc/rsyslog.conf ]; then
echo "rsyslog detected"
fi
# Check if log_file is configured in OpenWrt system config
local log_file
log_file=$(uci -q get system.@system[0].log_file)
if [ -n "$log_file" ]; then
echo "OpenWrt log_file configured: $log_file"
# Update syslog path in UCI
uci set crowdsec.acquisition.syslog_path="$log_file"
uci commit crowdsec
fi
# Check for Dropbear (SSH server)
if [ -f /etc/init.d/dropbear ]; then
echo "Dropbear SSH server detected"
fi
# Check for firewall (fw3 or fw4)
if [ -f /etc/init.d/firewall ]; then
echo "OpenWrt firewall detected"
fi
}
# Main execution
main() {
echo "=========================================="
echo "CrowdSec Configuration - First Boot Setup"
echo "=========================================="
# Setup paths and directories
setup_paths
# Create machine-id
setup_machine_id
# Register with LAPI
register_lapi
# Register with CAPI
register_capi
# Update Hub index
update_hub
# Install Hub collections and parsers
install_hub_items
# Detect OpenWrt log sources
detect_openwrt_logs
# Generate acquisition configuration
generate_acquisition_config
# Configure syslog service if needed
configure_syslog_service
echo "=========================================="
echo "CrowdSec configuration complete!"
echo "=========================================="
echo ""
echo "Next steps:"
echo " 1. Enable and start CrowdSec: /etc/init.d/crowdsec enable && /etc/init.d/crowdsec start"
echo " 2. Check acquisition status: cscli metrics show acquisition"
echo " 3. View decisions: cscli decisions list"
echo ""
}
# Run main function
main
exit 0


@ -1,44 +0,0 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2021-2022 Gerald Kerma <gandalf@gk2.net>
START=99
USE_PROCD=1
NAME=crowdsec
PROG=/usr/bin/crowdsec
CONFIG=/etc/crowdsec/config.yaml
RUNCONFDIR=/srv/crowdsec/data
VARCONFIGDIR=/var/etc/crowdsec
VARCONFIG=/var/etc/crowdsec/config.yaml
service_triggers() {
procd_add_reload_trigger crowdsec
}
init_config() {
config_load crowdsec
config_get data_dir crowdsec data_dir "${RUNCONFDIR}"
config_get db_path crowdsec db_path "${RUNCONFDIR}/crowdsec.db"
# Create tmp dir & permissions if needed
if [ ! -d "${VARCONFIGDIR}" ]; then
mkdir -m 0755 -p "${VARCONFIGDIR}"
fi;
cp $CONFIG $VARCONFIG
sed -i "s,^\(\s*data_dir\s*:\s*\).*\$,\1$data_dir," $VARCONFIG
sed -i "s,^\(\s*db_path\s*:\s*\).*\$,\1$db_path," $VARCONFIG
# Create data dir & permissions if needed
if [ ! -d "${RUNCONFDIR}" ]; then
mkdir -m 0755 -p "${RUNCONFDIR}"
fi;
}
start_service() {
init_config
procd_open_instance
procd_set_param command "$PROG" -c "$VARCONFIG"
procd_close_instance
}


@ -1,20 +0,0 @@
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -8,7 +8,7 @@ common:
log_max_files: 10
config_paths:
config_dir: /etc/crowdsec/
- data_dir: /var/lib/crowdsec/data/
+ data_dir: /srv/crowdsec/data/
simulation_path: /etc/crowdsec/simulation.yaml
hub_dir: /etc/crowdsec/hub/
index_path: /etc/crowdsec/hub/.index.json
@@ -25,7 +25,7 @@ cscli:
db_config:
log_level: info
type: sqlite
- db_path: /var/lib/crowdsec/data/crowdsec.db
+ db_path: /srv/crowdsec/data/crowdsec.db
#max_open_conns: 100
#user:
#password:


@ -1,19 +0,0 @@
--- a/go.mod
+++ b/go.mod
@@ -257,3 +257,13 @@ replace golang.org/x/time => github.com/crowdsecurity/time v0.13.0-crowdsec.2025
-replace golang.org/x/time => github.com/crowdsecurity/time v0.13.0-crowdsec.20250912
-
-replace github.com/corazawaf/coraza/v3 => github.com/crowdsecurity/coraza/v3 v3.3.3-crowdsec.20251113
+replace golang.org/x/time => ./secubox-vendor/github.com/crowdsecurity/time
+
+replace github.com/corazawaf/coraza/v3 => github.com/crowdsecurity/coraza/v3 v3.3.3-crowdsec.20251113
+replace github.com/crowdsecurity/go-cs-lib => ./secubox-vendor/github.com/crowdsecurity/go-cs-lib
+replace github.com/moby/moby/api => ./secubox-vendor/github.com/moby/moby/api
+replace github.com/moby/moby/client => ./secubox-vendor/github.com/moby/moby/client
+replace golang.org/x/crypto => ./secubox-vendor/golang.org/x/crypto
+replace golang.org/x/mod => ./secubox-vendor/golang.org/x/mod
+replace golang.org/x/net => ./secubox-vendor/golang.org/x/net
+replace golang.org/x/sync => ./secubox-vendor/golang.org/x/sync
+replace golang.org/x/sys => ./secubox-vendor/golang.org/x/sys
+replace golang.org/x/term => ./secubox-vendor/golang.org/x/term
+replace golang.org/x/text => ./secubox-vendor/golang.org/x/text


@ -1,6 +0,0 @@
--- a/go.mod
+++ b/go.mod
@@ -269,1 +269,3 @@
replace golang.org/x/text => ./secubox-vendor/golang.org/x/text
+replace golang.org/x/tools => ./secubox-vendor/golang.org/x/tools
+replace golang.org/x/telemetry => ./secubox-vendor/golang.org/x/telemetry


@ -1,439 +0,0 @@
# Netifyd 5.2.1 Build Instructions for SecuBox OpenWrt
## Overview
Complete build instructions for integrating official Netifyd 5.2.1 into SecuBox OpenWrt solution.
## Package Structure
```
package/secubox/secubox-app-netifyd/
├── Makefile # OpenWrt package Makefile
├── Config.in # Package configuration options
├── README.md # Package documentation
├── INTEGRATION.md # Integration guide
├── BUILD-INSTRUCTIONS.md # This file
├── test-build.sh # Automated build test script
├── files/
│ ├── netifyd.init # Init script (procd)
│ ├── netifyd.config # UCI configuration
│ └── functions.sh # Helper functions
└── patches/ # Patches (if needed)
```
## Prerequisites
### System Requirements
- **Build System:** x86_64 Linux (Ubuntu 20.04+ or Debian 11+ recommended)
- **Disk Space:** ~10 GB free
- **RAM:** 4 GB minimum, 8 GB recommended
- **Time:** ~30-60 minutes for full build
### Required Build Tools
```bash
# Ubuntu/Debian
sudo apt-get update
sudo apt-get install -y \
build-essential \
clang \
flex \
bison \
g++ \
gawk \
gcc-multilib \
gettext \
git \
libncurses5-dev \
libssl-dev \
python3-distutils \
rsync \
unzip \
zlib1g-dev \
file \
wget \
curl \
subversion \
time \
libelf-dev
```
## Quick Start
### Option 1: Automated Build Test
```bash
cd /path/to/secubox-openwrt/package/secubox/secubox-app-netifyd
./test-build.sh
```
This script will:
1. Check dependencies
2. Update feeds
3. Download source
4. Build package
5. Verify package contents
### Option 2: Manual Build
```bash
# 1. Navigate to OpenWrt root
cd /path/to/secubox-openwrt
# 2. Update feeds
./scripts/feeds update -a
./scripts/feeds install -a
# 3. Configure build
make menuconfig
# Navigate to: Network > netifyd
# Select: <*> netifyd
# Also select SecuBox components:
# SecuBox > <*> luci-app-secubox-netifyd
# 4. Download source
make package/secubox/secubox-app-netifyd/download V=s
# 5. Build package
make package/secubox/secubox-app-netifyd/compile V=s
# 6. Build LuCI app
make package/secubox/luci-app-secubox-netifyd/compile V=s
```
## Detailed Build Process
### Step 1: Prepare Build Environment
```bash
# Clone SecuBox OpenWrt (if not already done)
git clone https://github.com/your-repo/secubox-openwrt.git
cd secubox-openwrt
# Initialize and update feeds
./scripts/feeds update -a
./scripts/feeds install -a
```
### Step 2: Configure Package
```bash
# Run menuconfig
make menuconfig
# Navigate through menus:
# 1. Target System: (select your hardware)
# 2. Subtarget: (select your hardware variant)
# 3. Target Profile: (select your device)
#
# 4. Network >
# <*> netifyd
# [ ] Enable local flow export (optional)
# [ ] Enable plugin support (optional)
# [*] Auto-start on boot (recommended)
#
# 5. SecuBox >
# <*> secubox-core
# <*> luci-app-secubox-netifyd
#
# 6. Save and exit
```
### Step 3: Build
```bash
# Download all sources
make download V=s
# Build toolchain (first time only, takes ~30 minutes)
make toolchain/compile V=s
# Build netifyd package
make package/secubox/secubox-app-netifyd/compile V=s
# Build LuCI app
make package/secubox/luci-app-secubox-netifyd/compile V=s
# Or build everything at once
make V=s j=$(nproc)
```
### Step 4: Locate Built Packages
```bash
# Packages will be in:
find bin/packages -name "netifyd*.ipk"
find bin/packages -name "luci-app-secubox-netifyd*.ipk"
# Example output:
# bin/packages/aarch64_cortex-a53/secubox/netifyd_5.2.1-1_aarch64_cortex-a53.ipk
# bin/packages/aarch64_cortex-a53/secubox/luci-app-secubox-netifyd_1.0.1-1_all.ipk
```
## Installation on Device
### Transfer Packages
```bash
# Find device IP (usually 192.168.1.1 or 192.168.8.1)
DEVICE_IP="192.168.1.1"
# Copy packages
scp bin/packages/*/secubox/netifyd_*.ipk root@$DEVICE_IP:/tmp/
scp bin/packages/*/secubox/luci-app-secubox-netifyd_*.ipk root@$DEVICE_IP:/tmp/
```
### Install on Device
```bash
# SSH to device
ssh root@$DEVICE_IP
# On device:
# Update package list
opkg update
# Install netifyd (will install dependencies automatically)
opkg install /tmp/netifyd_*.ipk
# Install LuCI app
opkg install /tmp/luci-app-secubox-netifyd_*.ipk
# Start services
/etc/init.d/netifyd start
/etc/init.d/netifyd enable
/etc/init.d/rpcd reload
# Verify
netifyd -s
```
## Verification
### 1. Check Service Status
```bash
# On device:
/etc/init.d/netifyd status
ps | grep netifyd
netifyd -s
```
Expected output:
```
Netify Agent/5.2.1 (openwrt; aarch64; conntrack; netlink; ...)
✓ agent is running.
• agent timestamp: [current date/time]
• agent uptime: 0d 00:XX:XX
✓ active flows: XX
...
```
### 2. Check Data Files
```bash
# Status file should exist
cat /var/run/netifyd/status.json | jq .
# Socket should exist
ls -la /var/run/netifyd/netifyd.sock
# Should show: srwxr-xr-x 1 root root 0 ... netifyd.sock
```
### 3. Test RPCD Backend
```bash
# List available methods
ubus list | grep netifyd
# Test a call
ubus call luci.secubox-netifyd get_service_status
# Should return JSON with status information
```
### 4. Access Web Interface
```bash
# Open browser to:
http://[device-ip]/cgi-bin/luci/admin/secubox/netifyd/dashboard
# Navigate to: Services > Netifyd Dashboard
# Should see:
# - Service status (running/stopped)
# - Active flows count
# - Detected devices
# - Network statistics
```
## Troubleshooting Build Issues
### Issue: Download Fails
```bash
# Check download URL
curl -I https://download.netify.ai/source/netifyd-5.2.1.tar.gz
# If fails, update PKG_SOURCE_URL in Makefile
# Or download manually:
cd dl/
wget https://download.netify.ai/source/netifyd-5.2.1.tar.gz
cd ..
```
### Issue: Compilation Errors
```bash
# Clean and retry
make package/secubox/secubox-app-netifyd/clean
make package/secubox/secubox-app-netifyd/compile V=s 2>&1 | tee build.log
# Check build.log for errors
# Common fixes:
# 1. Missing dependencies - install via package manager
# 2. Toolchain issues - rebuild toolchain
# 3. Patch failures - check patches/ directory
```
### Issue: Missing Dependencies on Device
```bash
# On device, check what's missing:
opkg install /tmp/netifyd_*.ipk
# If dependencies missing, install them:
opkg update
opkg install libcurl libmnl libnetfilter-conntrack libpcap zlib libpthread
# Then retry netifyd install
```
## Build Customization
### Minimal Build (Smallest Size)
Edit `Makefile` CONFIGURE_ARGS:
```makefile
CONFIGURE_ARGS += \
--enable-lean-and-mean \
--disable-plugins \
--disable-sink-plugins \
--disable-libtcmalloc \
--disable-jemalloc
```
### Debug Build
Edit `Makefile` CONFIGURE_ARGS:
```makefile
CONFIGURE_ARGS += \
--enable-debug \
--enable-debug-ether-type \
--enable-debug-ndpi
TARGET_CFLAGS += -g -O0
```
### Custom Features
In `make menuconfig`:
```
Network > netifyd >
[*] Enable local flow export
[*] Enable plugin support
[*] Enable sink plugins
[ ] Enable debug output
```
## Build for Multiple Architectures
```bash
# Build for different targets
TARGET_ARCHS="aarch64_cortex-a53 arm_cortex-a9 x86_64"
for arch in $TARGET_ARCHS; do
echo "Building for $arch..."
make clean
# Set target in menuconfig first
make package/secubox/secubox-app-netifyd/compile V=s
mkdir -p releases/$arch
cp bin/packages/*/secubox/netifyd_*.ipk releases/$arch/
done
```
## Creating Release Packages
```bash
# Build all packages
make package/secubox/secubox-app-netifyd/compile V=s
make package/secubox/luci-app-secubox-netifyd/compile V=s
# Create release directory
mkdir -p releases/v5.2.1/
# Copy packages
cp bin/packages/*/secubox/netifyd_*.ipk releases/v5.2.1/
cp bin/packages/*/secubox/luci-app-secubox-netifyd_*.ipk releases/v5.2.1/
# Create checksums
cd releases/v5.2.1/
sha256sum *.ipk > SHA256SUMS
cd ../..
# Create tarball
tar czf secubox-netifyd-5.2.1-release.tar.gz releases/v5.2.1/
```
## Continuous Integration
Example GitHub Actions workflow:
```yaml
name: Build Netifyd Package
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y build-essential ...
- name: Build package
run: |
cd package/secubox/secubox-app-netifyd
./test-build.sh
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
name: netifyd-packages
path: bin/packages/*/secubox/*.ipk
```
## Next Steps
After successful build and installation:
1. **Configuration:** Follow [README.md](README.md) for configuration options
2. **Integration:** See [INTEGRATION.md](INTEGRATION.md) for SecuBox integration
3. **Testing:** Run tests from [test-build.sh](test-build.sh)
4. **Documentation:** Read [README-FLOW-DATA.md](../luci-app-secubox-netifyd/README-FLOW-DATA.md) for flow data setup
## Support
- **Build Issues:** Check `build.log` and OpenWrt forums
- **Package Issues:** https://github.com/your-repo/issues
- **Netifyd Issues:** https://github.com/eglooca/netifyd/issues
- **OpenWrt Docs:** https://openwrt.org/docs/
## License
GPL-3.0-or-later (same as upstream netifyd)


@ -1,114 +0,0 @@
# Building Netifyd with OpenWrt Buildroot
## Overview
Netifyd **requires full OpenWrt buildroot** for building because it needs system libraries that are not available in the SDK.
## Automatic Build (Recommended)
The local-build.sh script automatically detects netifyd and uses OpenWrt buildroot:
```bash
./secubox-tools/local-build.sh build netifyd
```
This will:
1. Download OpenWrt 24.10.5 source (~500 MB)
2. Setup feeds
3. Copy SecuBox packages
4. Install netifyd from SecuBox feed
5. Configure and build netifyd
**Build time:**
- First build: 15-30 minutes (downloads toolchain, builds dependencies)
- Subsequent builds: 2-5 minutes (incremental)
## What Gets Built
The buildroot provides all required dependencies:
- `libmnl` - Minimal Netlink library
- `libnetfilter-conntrack` - Connection tracking
- `libpcap` - Packet capture
- `libjson-c` - JSON parsing
- `libcurl` - HTTP client
- Kernel modules: nf_conntrack, nfnetlink, etc.
## Output
After successful build:
```bash
# Package location
./build/x86-64/netifyd_5.2.1-1_x86_64.ipk
# Also findable at
./openwrt/bin/packages/x86_64/secubox/netifyd_5.2.1-1_x86_64.ipk
```
## Manual Build
If you prefer manual control:
```bash
cd openwrt/
# Configure
make menuconfig
# Select: Network > netifyd
# Build
make package/netifyd/compile V=s
```
## Why Not SDK?
The SDK cannot build netifyd because:
- SDK only includes application-level library stubs
- Netifyd needs kernel-level libraries (libmnl, libnetfilter-conntrack)
- These libraries must be compiled against the target system
- Only full buildroot provides the complete dependency chain
## Troubleshooting
### Issue: Build fails with "libmnl not found"
**Cause:** Using SDK instead of buildroot
**Fix:** The script should auto-detect and use buildroot. If not:
```bash
# Ensure you're using the build command, not compiling directly in SDK
./secubox-tools/local-build.sh build netifyd
```
### Issue: Build takes too long
**Normal:** First build downloads toolchain and compiles base libraries (15-30 min)
**Speed up:** Use faster machine or pre-compiled SDK for dependencies
### Issue: Out of disk space
**Cause:** OpenWrt buildroot needs ~10 GB
**Fix:** Free up space or use different build directory:
```bash
OPENWRT_DIR=/path/to/large/disk/openwrt ./secubox-tools/local-build.sh build netifyd
```
## Comparison: SDK vs Buildroot
| Feature | SDK | Buildroot |
|---------|-----|-----------|
| Size | ~300 MB | ~2 GB |
| Build time | Fast (2-5 min) | Slow first time (15-30 min) |
| Can build apps | ✅ Yes | ✅ Yes |
| Can build system daemons | ❌ No | ✅ Yes |
| Kernel libraries | ❌ No | ✅ Yes |
| Full dependency tree | ❌ No | ✅ Yes |
Netifyd needs: **Buildroot**
## See Also
- [BUILD-INSTRUCTIONS.md](BUILD-INSTRUCTIONS.md) - Detailed build instructions
- [SDK-LIMITATION.md](SDK-LIMITATION.md) - Why SDK doesn't work
- [INTEGRATION.md](INTEGRATION.md) - Integration with SecuBox


@ -1,42 +0,0 @@
menu "Configuration"
depends on PACKAGE_netifyd
config NETIFYD_WITH_LOCAL_EXPORT
bool "Enable local flow export"
default n
help
Enable local JSON export of flow data.
This allows the Netify Agent to write flow data to a local file
for consumption by other applications like luci-app-secubox-netifyd.
config NETIFYD_WITH_PLUGINS
bool "Enable plugin support"
default n
help
Enable plugin support for extending Netify Agent functionality.
Plugins allow custom processing of flow data and integration
with external systems.
config NETIFYD_SINK_PLUGINS
bool "Enable sink plugins"
depends on NETIFYD_WITH_PLUGINS
default n
help
Enable sink plugin support for custom data export backends.
Allows writing flow data to databases, message queues, etc.
config NETIFYD_WITH_DEBUG
bool "Enable debug output"
default n
help
Enable verbose debug logging. Useful for troubleshooting
but increases log verbosity significantly.
config NETIFYD_AUTOSTART
bool "Auto-start on boot"
default y
help
Automatically start Netify Agent when the system boots.
Can be disabled if you want manual control.
endmenu


@ -1,342 +0,0 @@
# Netifyd 5.2.1 SecuBox Integration Guide
## Quick Integration Steps
### 1. Build Both Packages
```bash
# From SecuBox OpenWrt root
cd /path/to/secubox-openwrt
# Build netifyd
make package/secubox/secubox-app-netifyd/compile V=s
# Build LuCI app
make package/secubox/luci-app-secubox-netifyd/compile V=s
```
### 2. Install on Device
```bash
# Copy packages to device
scp bin/packages/*/secubox/netifyd_5.2.1-*.ipk root@192.168.1.1:/tmp/
scp bin/packages/*/secubox/luci-app-secubox-netifyd_*.ipk root@192.168.1.1:/tmp/
# On device
opkg update
opkg install /tmp/netifyd_5.2.1-*.ipk
opkg install /tmp/luci-app-secubox-netifyd_*.ipk
```
### 3. Configure and Start
```bash
# On device
# Start netifyd
/etc/init.d/netifyd start
/etc/init.d/netifyd enable
# Reload LuCI RPCD
/etc/init.d/rpcd reload
# Clear browser cache and access web interface
# Navigate to: Services > Netifyd Dashboard
```
## Integration Points
### 1. LuCI App Integration
The `luci-app-secubox-netifyd` package integrates with netifyd through:
- **RPCD Backend:** `/usr/libexec/rpcd/luci.secubox-netifyd`
- Reads from `/var/run/netifyd/status.json`
- Provides API for dashboard data
- **Web Interface:** `/usr/share/luci/menu.d/`
- Dashboard, flows, devices, applications views
- Real-time statistics
- Service control
### 2. Data Flow
```
netifyd service
/var/run/netifyd/status.json (status data)
/var/run/netifyd/netifyd.sock (Unix socket)
RPCD Backend (luci.secubox-netifyd)
LuCI Web Interface
User Browser
```
### 3. Configuration Files
**Netifyd:**
- `/etc/config/netifyd` - UCI configuration
- `/etc/netifyd.conf` - Netifyd native config
- `/etc/netify.d/` - Persistent data directory
**LuCI App:**
- `/etc/config/secubox-netifyd` - Dashboard settings
- Socket configuration (TCP/Unix)
- Analytics settings
## Dependencies
### Required by netifyd
```
+libcurl +libmnl +libnetfilter-conntrack +libpcap
+zlib +libpthread +libstdcpp +libjson-c +ca-bundle
```
### Required by luci-app-secubox-netifyd
```
+luci-base +rpcd +netifyd +jq +secubox-core
```
## Testing Integration
### 1. Verify Netifyd is Running
```bash
# Check service status
/etc/init.d/netifyd status
# Check netifyd process
ps | grep netifyd
# View netifyd status
netifyd -s
```
### 2. Verify Data Files
```bash
# Check status file
cat /var/run/netifyd/status.json | jq .
# Check socket
ls -la /var/run/netifyd/netifyd.sock
# Check PID file
cat /var/run/netifyd/netifyd.pid
```
### 3. Test RPCD Backend
```bash
# Test RPC calls
ubus list | grep netifyd
# Get service status
ubus call luci.secubox-netifyd get_service_status
# Get dashboard data
ubus call luci.secubox-netifyd get_dashboard
# Get detected devices
ubus call luci.secubox-netifyd get_detected_devices
```
### 4. Test Web Interface
```bash
# Access LuCI
http://192.168.1.1/cgi-bin/luci/admin/secubox/netifyd/dashboard
# Check for JavaScript errors in browser console
# Verify data is loading
```
## Troubleshooting Integration
### Issue: LuCI Dashboard Shows No Data
**Cause:** Netifyd not running or no status file
**Solution:**
```bash
# Start netifyd
/etc/init.d/netifyd start
# Wait a few seconds
sleep 5
# Check status file
cat /var/run/netifyd/status.json
# Reload page
```
### Issue: RPCD Calls Fail
**Cause:** ACL permissions not set
**Solution:**
```bash
# Reload RPCD
/etc/init.d/rpcd reload
# Check ACL file
cat /usr/share/rpcd/acl.d/luci-app-secubox-netifyd.json
# Clear browser cache
```
### Issue: Service Won't Start
**Cause:** Interface configuration issues
**Solution:**
```bash
# Enable auto-detection
uci set netifyd.default.autoconfig='1'
uci commit netifyd
# Or configure manually
uci add_list netifyd.default.internal_if='br-lan'
uci add_list netifyd.default.external_if='br-wan'
uci commit netifyd
# Restart
/etc/init.d/netifyd restart
```
## Advanced Integration
### Custom Data Export
To export flow data for custom processing:
```bash
# Enable local JSON export in netifyd
uci add_list netifyd.default.options='-j /tmp/netifyd-flows.json'
uci commit netifyd
/etc/init.d/netifyd restart
# Configure LuCI app to read from file
uci set secubox-netifyd.settings.flow_export='/tmp/netifyd-flows.json'
uci commit secubox-netifyd
```
### Cloud Integration
```bash
# Enable cloud sink
netifyd --enable-sink
# Check sink status
netifyd -s | grep sink
# Agent UUID (for cloud dashboard)
netifyd -p
```
### API Integration
Example: Read data from RPCD backend in custom script:
```bash
#!/bin/sh
# Get dashboard data
DATA=$(ubus call luci.secubox-netifyd get_dashboard)
# Parse with jq
FLOWS=$(echo "$DATA" | jq -r '.stats.active_flows')
DEVICES=$(echo "$DATA" | jq -r '.stats.unique_devices')
echo "Active Flows: $FLOWS"
echo "Devices: $DEVICES"
```
## Upgrade Path
### Upgrading Netifyd
```bash
# Build new version
make package/secubox/secubox-app-netifyd/clean
make package/secubox/secubox-app-netifyd/compile V=s
# Install on device
opkg remove netifyd
opkg install /tmp/netifyd_*.ipk
# Configuration is preserved
/etc/init.d/netifyd start
```
### Upgrading LuCI App
```bash
# Build new version
make package/secubox/luci-app-secubox-netifyd/clean
make package/secubox/luci-app-secubox-netifyd/compile V=s
# Install on device
opkg upgrade /tmp/luci-app-secubox-netifyd_*.ipk
# Reload services
/etc/init.d/rpcd reload
/etc/init.d/uhttpd reload
```
## Performance Considerations
### Resource Usage
Typical resource usage on embedded device:
- **CPU:** 0.5-2% (idle), 5-10% (active traffic)
- **Memory:** 20-40 MB RSS
- **Disk:** < 1 MB for package, ~2-5 MB for runtime data
### Tuning for Low-End Devices
```bash
# Reduce threads
uci add_list netifyd.default.options='--thread-detection-cores=1'
uci add_list netifyd.default.options='-t'
# Lower limits in /etc/netifyd.conf:
# flow-max = 5000
# flow-expiry = 60
```
### Tuning for High-Traffic Networks
```bash
# Increase threads
uci add_list netifyd.default.options='--thread-detection-cores=4'
# Higher limits in /etc/netifyd.conf:
# flow-max = 65536
# flow-expiry = 300
```
## Security Considerations
1. **Packet Capture:** Netifyd requires root privileges for packet capture
2. **Data Privacy:** Flow metadata includes IP addresses, ports, protocols
3. **Cloud Sync:** Optional - can be disabled if data privacy is a concern
4. **Local Access:** Unix socket is accessible by root only
5. **Web Interface:** Protected by LuCI authentication
## Support and Documentation
- **Package Issues:** https://github.com/your-repo/issues
- **Netifyd Upstream:** https://github.com/eglooca/netifyd
- **Netify.ai Docs:** https://www.netify.ai/resources
- **OpenWrt Wiki:** https://openwrt.org/
## License
- Netifyd: GPL-3.0-or-later
- LuCI App: MIT
- Integration Code: MIT


@ -1,143 +0,0 @@
#
# Copyright (C) 2016-2025 eGloo Incorporated
# Copyright (C) 2025 CyberMind.fr (SecuBox Integration)
#
# This is free software, licensed under the GNU General Public License v2.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=netifyd
PKG_VERSION:=5.2.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://download.netify.ai/source/
PKG_HASH:=a353e957be5ef2bd18a2e65b7b3a4d9d8c1728db5d78d4dae69ec8fea486a0a7
PKG_MAINTAINER:=CyberMind <contact@cybermind.fr>
PKG_LICENSE:=GPL-3.0-or-later
PKG_LICENSE_FILES:=LICENSE
PKG_CPE_ID:=cpe:/a:netify:netifyd
PKG_FIXUP:=autoreconf
PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1
PKG_BUILD_DEPENDS:=libpcap
include $(INCLUDE_DIR)/package.mk
define Package/netifyd
SECTION:=net
CATEGORY:=Network
TITLE:=Netify Agent - Deep Packet Inspection
URL:=https://www.netify.ai/
DEPENDS:=+ca-bundle +libcurl +libmnl +libnetfilter-conntrack +libnetfilter-queue +libpcap +zlib +libpthread +libstdcpp +libjson-c +libatomic
# Optional: +ipt-conntrack-extra +libnl-tiny
endef
define Package/netifyd/description
The Netify Agent is a deep-packet inspection server which detects network
protocols and applications. These detections can be saved locally, served over
a UNIX or TCP socket, and/or "pushed" (via HTTP POSTs) to a remote third-party
server. Flow metadata, network statistics, and detection classifications are
JSON encoded for easy consumption by third-party applications.
endef
define Package/netifyd/conffiles
/etc/netifyd.conf
/etc/config/netifyd
endef
TARGET_CFLAGS += -ffunction-sections -fdata-sections -fno-caller-saves
TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
CONFIGURE_ARGS += \
--enable-lean-and-mean \
--disable-libtcmalloc \
--disable-jemalloc \
--without-systemdsystemunitdir \
--without-tmpfilesdir \
--with-persistentstatedir=/etc/netify.d \
--with-volatilestatedir=/var/run/netifyd
# Netifyd feature configuration
CONFIGURE_ARGS += \
--enable-conntrack \
--enable-netlink \
--enable-inotify \
$(if $(CONFIG_LIBCURL_ZLIB),--with-libcurl-zlib) \
$(if $(CONFIG_LIBCURL_MBEDTLS),--with-libcurl-mbedtls) \
$(if $(CONFIG_LIBCURL_OPENSSL),--with-libcurl-openssl) \
$(if $(CONFIG_LIBCURL_WOLFSSL),--with-libcurl-wolfssl)
# Optional features (disable for minimal build)
CONFIGURE_ARGS += \
--disable-plugins \
--disable-sink-plugins
# Enable for debugging
# CONFIGURE_ARGS += --enable-debug --enable-debug-ether-type --enable-debug-ndpi
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include/netifyd
$(CP) $(PKG_INSTALL_DIR)/usr/include/netifyd/*.h $(1)/usr/include/netifyd/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnetifyd.{a,so*} $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libnetifyd.pc $(1)/usr/lib/pkgconfig/
endef
define Package/netifyd/install
$(INSTALL_DIR) $(1)/etc
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/netifyd.conf $(1)/etc
$(INSTALL_DIR) $(1)/etc/netifyd.d
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/netifyd.d/*.json $(1)/etc/netifyd.d/ 2>/dev/null || true
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/netifyd.config $(1)/etc/config/netifyd
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/netifyd.init $(1)/etc/init.d/netifyd
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/netifyd $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnetifyd.so.* $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/share/netifyd
$(INSTALL_BIN) ./files/functions.sh $(1)/usr/share/netifyd/
$(INSTALL_DIR) $(1)/etc/netify.d
# Install plugins if they exist
if [ -d "$(PKG_INSTALL_DIR)/usr/lib/netifyd" ]; then \
$(INSTALL_DIR) $(1)/usr/lib/netifyd; \
$(CP) $(PKG_INSTALL_DIR)/usr/lib/netifyd/*.so* $(1)/usr/lib/netifyd/ 2>/dev/null || true; \
fi
endef
define Package/netifyd/postinst
#!/bin/sh
[ -n "$${IPKG_INSTROOT}" ] || {
/etc/init.d/netifyd enable
mkdir -p /var/run/netifyd
# Don't auto-start, let user configure first
echo "Netifyd installed. Configure /etc/config/netifyd and start with: /etc/init.d/netifyd start"
}
exit 0
endef
define Package/netifyd/prerm
#!/bin/sh
[ -n "$${IPKG_INSTROOT}" ] || {
/etc/init.d/netifyd stop
/etc/init.d/netifyd disable
}
exit 0
endef
$(eval $(call BuildPackage,netifyd))


@ -1,435 +0,0 @@
# Netifyd 5.2.1 for OpenWrt / SecuBox
Complete OpenWrt package for Netify Agent (netifyd) version 5.2.1 - Deep Packet Inspection engine.
## Overview
This package provides the latest official Netify Agent compiled for OpenWrt/SecuBox with full integration support.
### Features
- **Deep Packet Inspection (DPI)** - Detects 300+ protocols and applications
- **Flow Classification** - Real-time network flow analysis
- **Protocol Detection** - Identifies HTTP, HTTPS, SSH, DNS, BitTorrent, etc.
- **Application Detection** - Recognizes specific applications (YouTube, Netflix, WhatsApp, etc.)
- **Device Tracking** - Monitors all devices on the network
- **Cloud Integration** - Optional upload to Netify.ai cloud for analytics
- **Local Export** - Can export data locally for custom processing
- **Low Resource Usage** - Optimized "lean and mean" build for embedded systems
### Version Information
- **Netifyd Version:** 5.2.1 (Latest Official Release)
- **Source:** https://download.netify.ai/source/netifyd-5.2.1.tar.gz
- **License:** GPL-3.0-or-later
- **Maintainer:** CyberMind <contact@cybermind.fr>
## Installation
### Prerequisites
Required dependencies are automatically installed:
- libcurl
- libmnl
- libnetfilter-conntrack
- libpcap
- zlib
- libpthread
- libstdcpp
- libjson-c
- ca-bundle
### Building from Source
```bash
# From OpenWrt buildroot
cd /path/to/secubox-openwrt
# Select package
make menuconfig
# Navigate to: Network > netifyd
# Select: <M> or <*>
# Build package
make package/secubox/secubox-app-netifyd/compile V=s
# Package will be in: bin/packages/*/secubox/netifyd_5.2.1-1_*.ipk
```
### Installing on Device
```bash
# Copy package to device
scp netifyd_5.2.1-1_*.ipk root@192.168.1.1:/tmp/
# On device
opkg install /tmp/netifyd_5.2.1-1_*.ipk
```
## Configuration
### Quick Start
```bash
# Edit configuration
vi /etc/config/netifyd
# Enable auto-configuration (recommended)
uci set netifyd.default.enabled='1'
uci set netifyd.default.autoconfig='1'
uci commit netifyd
# Start service
/etc/init.d/netifyd start
/etc/init.d/netifyd enable
# Check status
netifyd -s
```
### Manual Interface Configuration
If auto-detection doesn't work, configure interfaces manually:
```bash
# Configure internal (LAN) interface
uci add_list netifyd.default.internal_if='br-lan'
# Configure external (WAN) interface
uci add_list netifyd.default.external_if='br-wan'
# Commit and restart
uci commit netifyd
/etc/init.d/netifyd restart
```
### Advanced Configuration
Edit `/etc/netifyd.conf` for advanced settings:
```ini
[netifyd]
# Enable/disable features
enable-conntrack = yes
enable-netlink = yes
# Socket configuration
socket-host = 127.0.0.1
socket-port = 7150
# Flow settings
flow-expiry = 180
flow-max = 65536
# Sink configuration (cloud upload)
sink-url = https://sink.netify.ai/
```
### Configuration Options
In `/etc/config/netifyd`:
```
config netifyd 'default'
option enabled '1'
option autoconfig '1'
# Additional options:
list options '-t' # Disable conntrack thread
list options '--thread-detection-cores=2' # Set DPI cores
list options '-j /tmp/netifyd-flows.json' # Local JSON export
list options '-v' # Verbose logging
# Manual interfaces:
list internal_if 'br-lan'
list external_if 'br-wan'
```
## Usage
### Command Line
```bash
# Show version and features
netifyd -V
# Show running status
netifyd -s
# Show agent UUID
netifyd -p
# Test configuration
netifyd -t
# Enable cloud sink
netifyd --enable-sink
# Disable cloud sink
netifyd --disable-sink
```
### Service Control
```bash
# Start service
/etc/init.d/netifyd start
# Stop service
/etc/init.d/netifyd stop
# Restart service
/etc/init.d/netifyd restart
# Check status
/etc/init.d/netifyd status
# Enable auto-start
/etc/init.d/netifyd enable
# Disable auto-start
/etc/init.d/netifyd disable
```
### Monitoring
```bash
# View status JSON
cat /var/run/netifyd/status.json | jq .
# Check running process
ps | grep netifyd
# View logs
logread | grep netifyd
# Check socket
ls -la /var/run/netifyd/
```
## Integration with SecuBox
This package integrates seamlessly with `luci-app-secubox-netifyd`:
```bash
# Install both packages
opkg install netifyd luci-app-secubox-netifyd
# Access web interface
# Navigate to: Services > Netifyd Dashboard
```
## Data Export
### Cloud Export (Netify.ai)
```bash
# Enable cloud sink
netifyd --enable-sink
# Check sink status
netifyd -s | grep sink
# View data at: https://dashboard.netify.ai
```
### Local Export
```bash
# Configure local JSON export
uci add_list netifyd.default.options='-j /tmp/netifyd-flows.json'
uci commit netifyd
/etc/init.d/netifyd restart
# View local data
cat /tmp/netifyd-flows.json | jq .
```
### Socket Export
```bash
# Connect to Unix socket
socat - UNIX-CONNECT:/var/run/netifyd/netifyd.sock
# Or TCP socket (if enabled)
nc localhost 7150
```
## Troubleshooting
### Service Won't Start
```bash
# Check configuration
netifyd -t
# Check interfaces
ip link show
# Check kernel modules
lsmod | grep nf_conntrack
# View detailed logs
logread -f | grep netifyd &
/etc/init.d/netifyd start
```
### No Flow Data
```bash
# Verify netifyd is running
ps | grep netifyd
# Check status
netifyd -s
# Verify interfaces are up
ifconfig
# Check conntrack
cat /proc/net/nf_conntrack | wc -l
```
### High CPU/Memory Usage
```bash
# Reduce detection threads
uci add_list netifyd.default.options='--thread-detection-cores=1'
# Disable conntrack thread
uci add_list netifyd.default.options='-t'
# Limit max flows
# Edit /etc/netifyd.conf:
# flow-max = 10000
# Restart service
uci commit netifyd
/etc/init.d/netifyd restart
```
### Permission Issues
```bash
# Check directories
ls -la /var/run/netifyd/
ls -la /etc/netify.d/
# Fix permissions
chmod 755 /var/run/netifyd
chmod 755 /etc/netify.d
# Recreate directories if needed
rm -rf /var/run/netifyd
/etc/init.d/netifyd start
```
## Performance Tuning
### For Low-End Devices (< 256MB RAM)
```bash
# Minimal configuration
uci set netifyd.default.options='-t'
uci add_list netifyd.default.options='--thread-detection-cores=1'
# Edit /etc/netifyd.conf:
flow-max = 5000
flow-expiry = 60
```
### For High-End Devices (> 512MB RAM)
```bash
# Maximum performance
uci add_list netifyd.default.options='--thread-detection-cores=4'
# Edit /etc/netifyd.conf:
flow-max = 65536
flow-expiry = 300
```
## File Locations
- **Binary:** `/usr/sbin/netifyd`
- **Configuration:** `/etc/netifyd.conf`
- **UCI Config:** `/etc/config/netifyd`
- **Init Script:** `/etc/init.d/netifyd`
- **Runtime Data:** `/var/run/netifyd/`
- **Persistent Data:** `/etc/netify.d/`
- **Status File:** `/var/run/netifyd/status.json`
- **Socket:** `/var/run/netifyd/netifyd.sock`
## Build Options
### Compile-Time Options
In `make menuconfig`, configure:
```
Network > netifyd
[*] Enable local flow export
[ ] Enable plugin support
[ ] Enable sink plugins
[ ] Enable debug output
[*] Auto-start on boot
```
### Minimal Build
For smallest size, disable optional features:
```bash
# Edit Makefile CONFIGURE_ARGS:
--disable-plugins
--disable-sink-plugins
--enable-lean-and-mean
```
## Security Considerations
- Netifyd requires raw packet capture capabilities
- Runs as root by default (required for packet capture)
- Cloud sink transmits flow metadata to Netify.ai
- Local Unix socket has 755 permissions by default
- Consider firewall rules if exposing TCP socket
## Updates
To update to a newer version:
```bash
# Edit Makefile
PKG_VERSION:=5.x.x
PKG_HASH:=<new-hash>
# Rebuild
make package/secubox/secubox-app-netifyd/{clean,compile}
```
## Support
- **Netify.ai:** https://www.netify.ai/
- **Documentation:** https://www.netify.ai/resources
- **GitHub:** https://github.com/eglooca/netifyd
- **SecuBox Issues:** [Your repository]
## License
This package is licensed under GPL-3.0-or-later, same as upstream netifyd.
## Credits
- **Upstream:** eGloo Incorporated (Netify.ai)
- **OpenWrt Package:** CyberMind.fr (SecuBox Integration)
- **Original OpenWrt Package:** OpenWrt Packages Team
## Changelog
### 5.2.1-1 (2025-01-05)
- Updated to official netifyd 5.2.1
- Complete repackage for SecuBox integration
- Enhanced init script with auto-detection
- Improved configuration helpers
- Added comprehensive documentation
- Optimized for embedded systems


@ -1,78 +0,0 @@
# SDK Build Limitation for Netifyd
## Issue
Netifyd **cannot be built using the OpenWrt SDK** because it requires base system libraries that are not available in the SDK environment:
- `libmnl` (Minimal Netlink library)
- `libnetfilter-conntrack`
- `libpcap`
- `libjson-c`
- Various kernel modules
## Why This Happens
The OpenWrt SDK is designed for building **application packages** that depend on already-compiled system libraries. Net
ifyd is a **system-level daemon** with deep integration into the kernel networking stack, requiring libraries that must be compiled as part of the base system.
## Solution
### Build netifyd as part of firmware
```bash
# Build full SecuBox firmware with netifyd included
./secubox-tools/local-build.sh build-firmware mochabin
```
Netifyd will be automatically included in firmware builds as it's configured in the firmware package list.
### Alternative: Use Pre-Built Packages
If you need standalone `.ipk` files, build them from a full firmware build:
```bash
# After firmware build completes
find openwrt/bin/packages -name "netifyd*.ipk"
find openwrt/bin/packages -name "luci-app-secubox-netifyd*.ipk"
```
## Why SDK Builds Fail
When you try `./secubox-tools/local-build.sh build netifyd`, it fails with:
```
configure: error: Package requirements (libmnl >= 1.0.3) were not met
```
This is because:
1. SDK doesn't include kernel-level libraries
2. SDK can't compile these libraries (they require full buildroot)
3. Netifyd's configure script can't find the required dependencies
## Recommended Workflow
**For Development:**
- Build firmware with netifyd: `./secubox-tools/local-build.sh build-firmware x86-64`
- Extract netifyd IPK from `openwrt/bin/packages`
- Install on device for testing
**For Production:**
- Always include netifyd in firmware images
- Distributed as part of complete SecuBox firmware
## Technical Details
Netifyd requires these system components:
- **Kernel modules:** nf_conntrack, nfnetlink, etc.
- **System libraries:** Built against specific libc (musl/glibc)
- **Headers:** Kernel headers for netlink/conntrack
- **Build tools:** Full autotools, pkg-config with system library paths
The SDK provides none of these - it only provides a cross-compilation toolchain and application-level library stubs.
## See Also
- [BUILD-INSTRUCTIONS.md](BUILD-INSTRUCTIONS.md) - Full build instructions
- [INTEGRATION.md](INTEGRATION.md) - Integration with SecuBox
- OpenWrt docs on SDK limitations: https://openwrt.org/docs/guide-developer/toolchain/using_the_sdk


@ -1,150 +0,0 @@
#!/bin/sh
#
# Netifyd Helper Functions
# Copyright (C) 2016-2025 eGloo Incorporated
# Copyright (C) 2025 CyberMind.fr (SecuBox Integration)
#
# Load required kernel modules
load_modules() {
# Netfilter connection tracking
[ -d /sys/module/nf_conntrack ] || {
modprobe nf_conntrack 2>/dev/null || {
# Try older module name
modprobe ip_conntrack 2>/dev/null
}
}
# IPv6 connection tracking
[ -d /sys/module/nf_conntrack_ipv6 ] || {
modprobe nf_conntrack_ipv6 2>/dev/null
}
# Netfilter netlink
[ -d /sys/module/nfnetlink ] || {
modprobe nfnetlink 2>/dev/null
}
# Connection tracking netlink
[ -d /sys/module/nf_conntrack_netlink ] || {
modprobe nf_conntrack_netlink 2>/dev/null
}
return 0
}
# Check if netifyd is running
is_running() {
pidof netifyd >/dev/null 2>&1
return $?
}
# Get netifyd PID
get_pid() {
pidof netifyd
}
# Get netifyd version
get_version() {
netifyd -V 2>/dev/null | head -n1 | awk '{print $NF}'
}
# Get netifyd UUID
get_uuid() {
netifyd -p 2>/dev/null | tr -d '\n'
}
# Test network interface
test_interface() {
local iface="$1"
[ -z "$iface" ] && return 1
[ -d "/sys/class/net/$iface" ] && return 0
return 1
}
# Get interface list
get_interfaces() {
ls -1 /sys/class/net/ 2>/dev/null | grep -v "^lo$"
}
# Detect LAN interfaces
detect_lan_interfaces() {
local ifaces=""
# Common LAN interface names
for iface in br-lan eth0 lan0 eth0.1; do
test_interface "$iface" && {
ifaces="$ifaces $iface"
break
}
done
echo "$ifaces"
}
# Detect WAN interfaces
detect_wan_interfaces() {
local ifaces=""
# Common WAN interface names
for iface in br-wan eth1 wan eth0.2 ppp0 pppoe-wan; do
test_interface "$iface" && {
ifaces="$ifaces $iface"
break
}
done
echo "$ifaces"
}
# Auto-detect interfaces and build command line options
auto_detect_options() {
local options=""
# Detect LAN
local lan_ifaces=$(detect_lan_interfaces)
for iface in $lan_ifaces; do
options="$options -I $iface"
done
# Detect WAN
local wan_ifaces=$(detect_wan_interfaces)
for iface in $wan_ifaces; do
options="$options -E $iface"
done
echo "$options"
}
# Check if netifyd configuration is valid
check_config() {
local config_file="/etc/netifyd.conf"
[ ! -f "$config_file" ] && {
echo "Error: Configuration file not found: $config_file"
return 1
}
# Basic syntax check
grep -q "^\[" "$config_file" && return 0
echo "Warning: Configuration file may be invalid"
return 1
}
# Get interface statistics
get_interface_stats() {
local iface="$1"
[ -z "$iface" ] && return 1
[ ! -d "/sys/class/net/$iface" ] && return 1
local rx_bytes=$(cat "/sys/class/net/$iface/statistics/rx_bytes" 2>/dev/null || echo 0)
local tx_bytes=$(cat "/sys/class/net/$iface/statistics/tx_bytes" 2>/dev/null || echo 0)
local rx_packets=$(cat "/sys/class/net/$iface/statistics/rx_packets" 2>/dev/null || echo 0)
local tx_packets=$(cat "/sys/class/net/$iface/statistics/tx_packets" 2>/dev/null || echo 0)
echo "Interface: $iface"
echo " RX: $rx_bytes bytes ($rx_packets packets)"
echo " TX: $tx_bytes bytes ($tx_packets packets)"
}


@ -1,28 +0,0 @@
config netifyd 'default'
option enabled '1'
# Enable auto-configuration for interfaces (internal/external)
# Disable this if you want manual control
option autoconfig '1'
# Supplementary options (examples):
# Disable connection tracking thread: -t
# Set detection cores: --thread-detection-cores=2
# Enable verbose logging: -v
# Export to local JSON: -j /tmp/netifyd-flows.json
#list options '-t'
#list options '--thread-detection-cores=2'
#list options '-j /tmp/netifyd-flows.json'
# Manual configuration of internal interfaces (LAN)
# Format: interface_name [options]
# Example: Filter out SSDP traffic
#list internal_if 'br-lan -F "not (udp and dst 239.255.255.250 and dst port 1900)"'
#list internal_if 'eth0 -A 192.168.1.0/24'
# Manual configuration of external interfaces (WAN)
# Format: interface_name [options]
#list external_if 'br-wan'
#list external_if 'eth1'
#list external_if 'ppp0 -N eth2'


@ -1,152 +0,0 @@
#!/bin/sh /etc/rc.common
#
# Copyright (C) 2016-2025 eGloo Incorporated
# Copyright (C) 2025 CyberMind.fr (SecuBox Integration)
#
# This is free software, licensed under the GNU General Public License v2.
START=50
STOP=50
USE_PROCD=1
PROG=/usr/sbin/netifyd
function append_params() {
procd_append_param command "$@"
}
function append_ifopts() {
local filter=0
local filter_expr=
for a in $1; do
case $a in
-F|--device-filter)
filter=1
procd_append_param command "$a"
;;
-*)
if [ $filter -gt 0 ]; then
procd_append_param command "${filter_expr#\ }"
filter=0; filter_expr=
fi
procd_append_param command "$a"
;;
*)
if [ $filter -gt 0 ]; then
a=${a#\"}; a=${a%\"}; a=${a#\'}; a=${a%\'}
filter_expr="$filter_expr $a"
else
procd_append_param command "$a"
fi
esac
done
if [ $filter -gt 0 ]; then
procd_append_param command "${filter_expr#\ }"
fi
}
function append_internal_if() {
append_ifopts "-I $@"
}
function append_external_if() {
append_ifopts "-E $@"
}
start_netifyd() {
local autoconfig enabled instance options
instance="$1"
config_get_bool enabled "$instance" enabled 0
[ "$enabled" -eq 0 ] && return 0
# Load kernel modules if needed
[ -f /usr/share/netifyd/functions.sh ] && {
. /usr/share/netifyd/functions.sh
load_modules
}
procd_open_instance
procd_set_param file /etc/netifyd.conf
procd_set_param term_timeout 30
procd_set_param respawn 3600 15 0
procd_set_param command $PROG -R
procd_set_param stdout 1
procd_set_param stderr 1
# Add custom options
config_list_foreach "$instance" options append_params
# Auto-detect interfaces if enabled
config_get_bool autoconfig "$instance" autoconfig 1
if [ "$autoconfig" -gt 0 ]; then
NETIFYD_AUTODETECT=yes
options="$(auto_detect_options)"
[ -n "$options" ] && procd_append_param command $options
fi
# Manual interface configuration
config_list_foreach "$instance" internal_if append_internal_if
config_list_foreach "$instance" external_if append_external_if
procd_close_instance
}
start_service() {
# Ensure directories exist
[ ! -d /var/run/netifyd ] && mkdir -p /var/run/netifyd
[ ! -d /etc/netify.d ] && mkdir -p /etc/netify.d
# Set permissions
chmod 755 /var/run/netifyd
chmod 755 /etc/netify.d
# Load configuration
config_load netifyd
config_foreach start_netifyd netifyd
}
stop_service() {
# Cleanup
rm -f /var/run/netifyd/*.pid 2>/dev/null
}
reload_service() {
procd_send_signal netifyd
}
service_triggers() {
procd_add_reload_trigger "netifyd"
}
# Auto-detect internal/external interfaces
auto_detect_options() {
local options=""
local internal=""
local external=""
# Try to detect LAN interface (br-lan or eth0)
if [ -d "/sys/class/net/br-lan" ]; then
internal="br-lan"
elif [ -d "/sys/class/net/eth0" ]; then
internal="eth0"
fi
# Try to detect WAN interface
if [ -d "/sys/class/net/br-wan" ]; then
external="br-wan"
elif [ -d "/sys/class/net/eth1" ]; then
external="eth1"
elif [ -d "/sys/class/net/wan" ]; then
external="wan"
fi
# Build options
[ -n "$internal" ] && options="$options -I $internal"
[ -n "$external" ] && options="$options -E $external"
echo "$options"
}


@ -1,49 +0,0 @@
--- a/include/nd-risks.hpp
+++ b/include/nd-risks.hpp
@@ -97,7 +97,7 @@ enum class Id : uint32_t {
TODO = 0xffffffff
};
-const std::unordered_map<Id, const char *, ndEnumHasher> Tags = {
+inline const std::unordered_map<Id, const char *, ndEnumHasher> Tags = {
{ Id::NONE, "None" },
{ Id::ANONYMOUS_SUBSCRIBER, "Anonymous Subscriber" },
@@ -174,7 +174,7 @@ inline Id GetId(const std::string &name
namespace nDPI {
-const std::unordered_map<uint16_t, Id> Risks = {
+inline const std::unordered_map<uint16_t, Id> Risks = {
{ NDPI_ANONYMOUS_SUBSCRIBER, Id::ANONYMOUS_SUBSCRIBER },
{ NDPI_BINARY_APPLICATION_TRANSFER, Id::BINARY_APPLICATION_TRANSFER },
{ NDPI_BINARY_DATA_TRANSFER, Id::BINARY_DATA_TRANSFER },
--- a/include/nd-protos.hpp
+++ b/include/nd-protos.hpp
@@ -469,7 +469,7 @@ enum class Id : uint16_t {
CUSTOM_1024 = 1024,
};
-const std::unordered_map<Id, const char *, ndEnumHasher> Tags = {
+inline const std::unordered_map<Id, const char *, ndEnumHasher> Tags = {
{ Id::AFP, "AFP" },
{ Id::AJP, "AJP" },
{ Id::ALICLOUD, "Alibaba/Cloud" },
@@ -773,7 +773,7 @@ const std::unordered_map<Id, const char
{ Id::ZOOM, "Zoom" },
};
-const std::unordered_map<Id, const char *, ndEnumHasher> Twins = {
+inline const std::unordered_map<Id, const char *, ndEnumHasher> Twins = {
{ Id::APPLE_PUSH, "netify.apple-push" },
{ Id::AVAST, "netify.avast" },
{ Id::BITCOIN, "netify.bitcoin" },
@@ -819,7 +819,7 @@ const std::unordered_map<Id, const char
{ Id::ZOOM, "netify.zoom" },
}
-const std::unordered_map<Id, std::vector<std::pair<uint16_t, Id>>, ndEnumHasher> PortMap = {
+inline const std::unordered_map<Id, std::vector<std::pair<uint16_t, Id>>, ndEnumHasher> PortMap = {
{ Id::TLS,
{
{ 53, Id::DOT },


@ -1,20 +0,0 @@
--- a/libs/ndpi/example/Makefile.in
+++ b/libs/ndpi/example/Makefile.in
@@ -48,6 +48,8 @@
CFLAGS+=-pthread
+LIBS_NO_NDPI := $(filter-out $(LIBNDPI),$(LIBS))
+
all: ndpiReader$(EXE_SUFFIX) @DPDK_TARGET@
EXECUTABLE_SOURCES := ndpiReader.c ndpiSimpleIntegration.c
@@ -57,7 +59,7 @@
$(AR) rsv libndpiReader.a $(COMMON_SOURCES:%.c=%.o)
ndpiReader$(EXE_SUFFIX): libndpiReader.a $(LIBNDPI) ndpiReader.o
- $(CC) $(CFLAGS) $(LDFLAGS) ndpiReader.o libndpiReader.a $(LIBS) -o $@
+ $(CC) $(CFLAGS) $(LDFLAGS) ndpiReader.o -Wl,--start-group libndpiReader.a $(LIBNDPI) -Wl,--end-group $(LIBS_NO_NDPI) -o $@
ndpiSimpleIntegration$(EXE_SUFFIX): ndpiSimpleIntegration.o
$(CC) $(CFLAGS) $(LDFLAGS) $< $(LIBS) -o $@


@ -1,157 +0,0 @@
#!/bin/bash
#
# Netifyd Build Test Script
# Tests the netifyd package build process
#
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
OPENWRT_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
echo "================================"
echo "Netifyd 5.2.1 Build Test"
echo "================================"
echo ""
echo "OpenWrt Root: $OPENWRT_ROOT"
echo "Package Dir: $SCRIPT_DIR"
echo ""
# Check if we're in OpenWrt buildroot
if [ ! -f "$OPENWRT_ROOT/rules.mk" ]; then
echo "ERROR: Not in OpenWrt buildroot"
echo "Please run this script from the OpenWrt tree"
exit 1
fi
cd "$OPENWRT_ROOT"
echo "Step 1: Checking dependencies..."
echo "================================"
# Check for required tools
for tool in make gcc g++ wget tar patch; do
if ! command -v $tool &> /dev/null; then
echo "ERROR: Required tool not found: $tool"
exit 1
fi
echo "$tool"
done
echo ""
echo "Step 2: Updating feeds..."
echo "================================"
./scripts/feeds update -a || true
./scripts/feeds install -a || true
echo ""
echo "Step 3: Checking package configuration..."
echo "================================"
if [ ! -f "$SCRIPT_DIR/Makefile" ]; then
echo "ERROR: Makefile not found"
exit 1
fi
echo " ✓ Makefile exists"
if [ ! -f "$SCRIPT_DIR/files/netifyd.init" ]; then
echo "ERROR: Init script not found"
exit 1
fi
echo " ✓ Init script exists"
if [ ! -f "$SCRIPT_DIR/files/netifyd.config" ]; then
echo "ERROR: Config file not found"
exit 1
fi
echo " ✓ Config file exists"
echo ""
echo "Step 4: Preparing build..."
echo "================================"
# Ensure menuconfig has been run
if [ ! -f ".config" ]; then
echo "WARNING: .config not found, running defconfig..."
make defconfig
fi
echo ""
echo "Step 5: Downloading source..."
echo "================================"
make package/secubox/secubox-app-netifyd/download V=s
echo ""
echo "Step 6: Checking source..."
echo "================================"
if [ -f "dl/netifyd-5.2.1.tar.gz" ]; then
echo " ✓ Source downloaded successfully"
ls -lh dl/netifyd-5.2.1.tar.gz
else
echo "ERROR: Source not downloaded"
exit 1
fi
echo ""
echo "Step 7: Cleaning previous build..."
echo "================================"
make package/secubox/secubox-app-netifyd/clean V=s
echo ""
echo "Step 8: Building package..."
echo "================================"
echo "This may take several minutes..."
echo ""
if make package/secubox/secubox-app-netifyd/compile V=s; then
echo ""
echo "================================"
echo "BUILD SUCCESSFUL!"
echo "================================"
echo ""
# Find built package
PKG_FILE=$(find bin/packages -name "netifyd_5.2.1-*.ipk" 2>/dev/null | head -1)
if [ -n "$PKG_FILE" ]; then
echo "Package built successfully:"
ls -lh "$PKG_FILE"
echo ""
echo "Install with:"
echo " scp $PKG_FILE root@router:/tmp/"
echo " ssh root@router 'opkg install /tmp/$(basename $PKG_FILE)'"
else
echo "WARNING: Package file not found in bin/packages"
fi
else
echo ""
echo "================================"
echo "BUILD FAILED!"
echo "================================"
echo ""
echo "Check the build log above for errors"
exit 1
fi
echo ""
echo "Step 9: Verifying package contents..."
echo "================================"
if [ -n "$PKG_FILE" ]; then
echo "Package contents:"
tar -tzf "$PKG_FILE" 2>/dev/null | head -20
echo " ... (showing first 20 files)"
fi
echo ""
echo "================================"
echo "Build test completed successfully!"
echo "================================"
echo ""
echo "Next steps:"
echo "1. Install package on target device"
echo "2. Run: /etc/init.d/netifyd start"
echo "3. Check status: netifyd -s"
echo "4. View dashboard: luci-app-secubox-netifyd"
echo ""


@ -20,13 +20,13 @@ define Package/secubox-crowdsec-setup
CATEGORY:=SecuBox CATEGORY:=SecuBox
SUBMENU:=Security SUBMENU:=Security
TITLE:=SecuBox CrowdSec Setup Utility TITLE:=SecuBox CrowdSec Setup Utility
DEPENDS:=+crowdsec +crowdsec-firewall-bouncer-nftables +syslog-ng4 DEPENDS:=+crowdsec +crowdsec-firewall-bouncer +syslog-ng
PKGARCH:=all PKGARCH:=all
endef endef
define Package/secubox-crowdsec-setup/description define Package/secubox-crowdsec-setup/description
Script d'installation automatisee de CrowdSec pour SecuBox. Script d'installation automatisee de CrowdSec pour SecuBox.
Configure syslog-ng4 pour le forwarding des logs vers CrowdSec, Configure syslog-ng pour le forwarding des logs vers CrowdSec,
installe les collections de securite, et configure le bouncer installe les collections de securite, et configure le bouncer
nftables pour fw4. nftables pour fw4.
endef endef
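Review bot: The new `DEPENDS` line drops the `-nftables` suffix from the bouncer package, yet the description just below still promises an nftables bouncer for fw4, and nothing visible in this section ties the package to that backend. Presumably the feed's `crowdsec-firewall-bouncer` pulls in nftables itself, but that cannot be confirmed from this hunk. I would record the intent in a comment above the `define Package/secubox-crowdsec-setup` line, which starts outside the hunk: `# Dependency names follow feeds/packages (crowdsec-firewall-bouncer, syslog-ng); the nftables/fw4 backend is configured by the setup script, not selected by package name.` It is also worth checking on a built image that the bouncer really creates its nft tables after install, because a bouncer that installs without enforcing leaves CrowdSec decisions unapplied.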


@ -44,7 +44,7 @@ SDK_PATH="mvebu/cortexa72"
declare -A DEVICE_PROFILES=( declare -A DEVICE_PROFILES=(
["espressobin-v7"]="mvebu:cortexa53:globalscale_espressobin:ESPRESSObin V7 (1-2GB DDR4)" ["espressobin-v7"]="mvebu:cortexa53:globalscale_espressobin:ESPRESSObin V7 (1-2GB DDR4)"
["espressobin-ultra"]="mvebu:cortexa53:globalscale_espressobin-ultra:ESPRESSObin Ultra (PoE, WiFi)" ["espressobin-ultra"]="mvebu:cortexa53:globalscale_espressobin-ultra:ESPRESSObin Ultra (PoE, WiFi)"
["sheeva64"]="mvebu:cortexa53:globalscale_sheeva64:Sheeva64 (Plug computer)" # ["sheeva64"]="mvebu:cortexa53:globalscale_sheeva64:Sheeva64 (Plug computer)" # Disabled
["mochabin"]="mvebu:cortexa72:globalscale_mochabin:MOCHAbin (Quad-core A72, 10G)" ["mochabin"]="mvebu:cortexa72:globalscale_mochabin:MOCHAbin (Quad-core A72, 10G)"
["x86-64"]="x86:64:generic:x86_64 Generic PC" ["x86-64"]="x86:64:generic:x86_64 Generic PC"
) )
@ -1468,7 +1468,7 @@ CONFIG_PACKAGE_kmod-sfp=y
CONFIG_PACKAGE_kmod-phy-marvell-10g=y CONFIG_PACKAGE_kmod-phy-marvell-10g=y
EOF EOF
;; ;;
espressobin-ultra|sheeva64) espressobin-ultra)
cat >> .config << EOF cat >> .config << EOF
# WiFi support # WiFi support
@ -1862,7 +1862,6 @@ ARCHITECTURES (for package building):
DEVICES (for firmware building): DEVICES (for firmware building):
espressobin-v7 ESPRESSObin V7 (1-2GB DDR4) espressobin-v7 ESPRESSObin V7 (1-2GB DDR4)
espressobin-ultra ESPRESSObin Ultra (PoE, WiFi) espressobin-ultra ESPRESSObin Ultra (PoE, WiFi)
sheeva64 Sheeva64 (Plug computer)
mochabin MOCHAbin (Quad-core A72, 10G) mochabin MOCHAbin (Quad-core A72, 10G)
x86-64 x86_64 Generic PC x86-64 x86_64 Generic PC