From 05473865dc8b7bc5d39e386a219694245e9d1114 Mon Sep 17 00:00:00 2001 From: "S. Brusch" Date: Mon, 30 Jan 2023 20:40:13 +0100 Subject: [PATCH] crowdsec-firewall-bouncer: add app Signed-off-by: S. Brusch Maintainer: S. Brusch Compile tested: no compile, script Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.3 Description: this is the luci app for crowdsec-firewall-bouncer package --- .../Makefile | 16 +++++ .../model/cbi/crowdsec-firewall-bouncer.lua | 64 +++++++++++++++++++ .../luci-app-crowdsec-firewall-bouncer.json | 14 ++++ .../luci-app-crowdsec-firewall-bouncer.json | 11 ++++ 4 files changed, 105 insertions(+) create mode 100644 applications/luci-app-crowdsec-firewall-bouncer/Makefile create mode 100644 applications/luci-app-crowdsec-firewall-bouncer/luasrc/model/cbi/crowdsec-firewall-bouncer.lua create mode 100644 applications/luci-app-crowdsec-firewall-bouncer/root/usr/share/luci/menu.d/luci-app-crowdsec-firewall-bouncer.json create mode 100644 applications/luci-app-crowdsec-firewall-bouncer/root/usr/share/rpcd/acl.d/luci-app-crowdsec-firewall-bouncer.json
diff --git a/applications/luci-app-crowdsec-firewall-bouncer/Makefile b/applications/luci-app-crowdsec-firewall-bouncer/Makefile
new file mode 100644
index 000000000000..682928ad901d
--- /dev/null
+++ b/applications/luci-app-crowdsec-firewall-bouncer/Makefile
@@ -0,0 +1,16 @@
+#
+# Copyright (C) 2010 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=CrowdSec firewall bouncer LuCI interface
+LUCI_DEPENDS:=+luci-compat +luci-mod-admin-full +crowdsec-firewall-bouncer
+
+PKG_MAINTAINER:=S. Brusch
+PKG_LICENSE:=Apache-2.0
+
+include ../../luci.mk
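Review bot: The licence metadata in this new Makefile contradicts itself: the header comment carries a 2010 OpenWrt.org copyright and says the file is under the GNU General Public License v2, while `PKG_LICENSE:=Apache-2.0` and the Lua model in the same commit declare Apache 2.0 with a 2023 copyright. Tooling that builds licence or SBOM data from `PKG_LICENSE` will report something different from what the file header states. The header looks copied from another package; it should either be replaced with one that matches `PKG_LICENSE`, or `PKG_LICENSE` should be corrected if GPL-2.0 is what is meant.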
diff --git a/applications/luci-app-crowdsec-firewall-bouncer/luasrc/model/cbi/crowdsec-firewall-bouncer.lua b/applications/luci-app-crowdsec-firewall-bouncer/luasrc/model/cbi/crowdsec-firewall-bouncer.lua
new file mode 100644
index 000000000000..b336e29fc5e7
--- /dev/null
+++ b/applications/luci-app-crowdsec-firewall-bouncer/luasrc/model/cbi/crowdsec-firewall-bouncer.lua
@@ -0,0 +1,64 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2023 S. Brusch
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+
+local wa = require "luci.tools.webadmin"
+local net = require "luci.model.network".init()
+local sys = require "luci.sys"
+local ifaces = sys.net:devices()
+
+m = Map("crowdsec", translate("CrowdSec"),
+ translate("Gain crowd-sourced protection against malicious IPs. " ..
+ " Benefit from the most accurate CTI in the world. "))
+
+s = m:section(TypedSection, "bouncer", translate("Bouncer"))
+s.anonymous = true
+-- BASIC
+e = s:option(Flag, "enabled", translate("Enable"))
+e.rmempty = false
+
+o = s:option(Value, "api_url", translate("URL of local API"),
+ translate("The URL of your local CrowdSec API instance. "))
+o.optional = false
+
+o = s:option(Value, "api_key", translate("API key"),
+ translate("The key of your bouncer as registered on the local CrowdSec API. "))
+o.password = true
+o.optional = false
+
+o = s:option(Value, "interface", translate("Filtered interfaces"),
+ translate("List of interfaces with traffic to be filtered. "))
+ o.template = "cbi/network_ifacelist"
+ o.widget = "checkbox"
+ o.cast = "table"
+ o.noinactive = true
+ o.nocreate = true
+
+o = s:option(Flag, "ipv6", translate("Enable support for IPv6"),
+ translate("If unchecked IPv6 will not be filtered. "))
+o.rmempty = false
+
+o = s:option(Flag, "filter_input", translate("Filter input chain"),
+ translate("Block packets from filtered interfaces addressed to the router itself. "))
+o.rmempty = false
+
+o = s:option(Flag, "filter_forward", translate("Filter forward chain"),
+ translate("Block packets from filtered interfaces addressed to devices in your network. 
"))
+o.rmempty = false
+
+o = s:option(Flag, "deny_log", translate("Log filtered ip addresses"),
+ translate("If checked, a log statement will be added to the firewall rule and blocked " ..
+ "ip addresses will be logged to System Log. "))
+o.rmempty = false
+
+return m
diff --git a/applications/luci-app-crowdsec-firewall-bouncer/root/usr/share/luci/menu.d/luci-app-crowdsec-firewall-bouncer.json b/applications/luci-app-crowdsec-firewall-bouncer/root/usr/share/luci/menu.d/luci-app-crowdsec-firewall-bouncer.json
new file mode 100644
index 000000000000..297373cc8dff
--- /dev/null
+++ b/applications/luci-app-crowdsec-firewall-bouncer/root/usr/share/luci/menu.d/luci-app-crowdsec-firewall-bouncer.json
@@ -0,0 +1,14 @@
+{
+ "admin/network/firewall/crowdsec-firewall-bouncer": {
+ "title": "CrowdSec Bouncer",
+ "order": 60,
+ "action": {
+ "type": "cbi",
+ "path": "crowdsec-firewall-bouncer",
+ "post": { "cbi.submit": true }
+ },
+ "depends": {
+ "acl": [ "luci-app-crowdsec-firewall-bouncer" ]
+ }
+ }
+}
diff --git a/applications/luci-app-crowdsec-firewall-bouncer/root/usr/share/rpcd/acl.d/luci-app-crowdsec-firewall-bouncer.json b/applications/luci-app-crowdsec-firewall-bouncer/root/usr/share/rpcd/acl.d/luci-app-crowdsec-firewall-bouncer.json
new file mode 100644
index 000000000000..f0b0ae330e9a
--- /dev/null
+++ b/applications/luci-app-crowdsec-firewall-bouncer/root/usr/share/rpcd/acl.d/luci-app-crowdsec-firewall-bouncer.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-crowdsec-firewall-bouncer": {
+ "description": "Grant UCI access for luci-app-crowdsec-firewall-bouncer",
+ "read": {
+ "uci": [ "crowdsec" ]
+ },
+ "write": {
+ "uci": [ "crowdsec" ]
+ }
+ }
+}
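Review bot: The `api_url` and `api_key` options are not actually required, and `api_url` is not validated. `o.optional = false` is already the CBI default as far as I can tell, and with `rmempty` left at its default an empty submission simply removes the option, so the form can be saved with `enabled` set and no URL or key. What the daemon does in that state is not visible in this patch, but a bouncer that cannot authenticate to the local API would presumably apply no decisions while the page still shows it as enabled. Setting `o.rmempty = false` on both options in place of `o.optional = false`, and adding a `validate` callback on `api_url` that accepts only an http:// or https:// URL, rejects these cases at save time. Separately, the locals `wa`, `net` and `ifaces` at the top of the file are never used.

```lua
o = s:option(Value, "api_url", translate("URL of local API"),
-- … unchanged: description string …
o.rmempty = false
function o.validate(self, value)
	if value and value:match("^https?://%S+$") then
		return value
	end
	return nil, translate("Expected an http:// or https:// URL")
end

o = s:option(Value, "api_key", translate("API key"),
-- … unchanged: description string, o.password = true …
o.rmempty = false
```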
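Review bot: The `read` grant on the whole `crowdsec` UCI config also covers `api_key`, because the CBI model in this commit stores that option in the same config; `o.password = true` there only masks the form field. Any LuCI account assigned this ACL group can therefore read the bouncer key through UCI. If that is intended, the description should say so for whoever assigns the group, for example `"description": "Grant UCI access for luci-app-crowdsec-firewall-bouncer (includes the bouncer API key)"`.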