readd net/fastnetmon, requested and tested by Tom Smyth

2026-06-17 23:13:55 +02:00 · 2026-05-26 09:26:35 +00:00
parent 02ed60f50a
commit 58ba22972f
13 changed files with 267 additions and 3 deletions
@@ -3,7 +3,7 @@ CATEGORIES =	devel databases
 DISTFILES =

 # API.rev
-PKGNAME =	quirks-7.199
+PKGNAME =	quirks-7.200
 PKG_ARCH =	*
 MAINTAINER =	Marc Espie <espie@openbsd.org>

@@ -1,7 +1,7 @@
 #! /usr/bin/perl

 # ex:ts=8 sw=4:
-# $OpenBSD: Quirks.pm,v 1.1805 2026/05/24 08:23:35 matthieu Exp $
+# $OpenBSD: Quirks.pm,v 1.1806 2026/05/26 09:26:35 sthen Exp $
 #
 # Copyright (c) 2009 Marc Espie <espie@openbsd.org>
 #
@@ -1001,7 +1001,6 @@ setup_obsolete_reason(
 	5 => 'pycha',
 	10 => 'gotosocial',
 	5 => 'xsd',
-	4 => 'fastnetmon',
 	3 => 'kross-interpreters-kf5',
 	3 => 'py3-notmuch',
 	3 => 'pop3d',
@@ -1130,6 +1129,7 @@ my $obsolete_message = {
 	15 => "use rspamd's internal milter support instead",
 	16 => "dependencies for recent versions can't be met",
 	17 => "outdated port, security problems in the last ported version",
+	18 => "renamed upstream",
 	46 => "setuid-root software with a track record of security issues",
 	47 => "DNS network daemon running as root and not using random source ports. use DNS64 support in unbound or isc-bind",
 	48 => "1.x does not support current PHP, 2.x is tricky to package, see https://github.com/leenooks/phpLDAPadmin/wiki/Installation-Instructions#install-from-the-source-code",
@@ -104,6 +104,7 @@
     SUBDIR += ettercap,no_x11
     SUBDIR += exabgp
     SUBDIR += ezstream
+     SUBDIR += fastnetmon
     SUBDIR += filezilla
     SUBDIR += flare-messenger
     SUBDIR += flickcurl
@@ -0,0 +1,89 @@
+COMMENT=	DDoS detector with multiple packet capture engines
+
+GH_ACCOUNT=	pavel-odintsov
+GH_PROJECT=	fastnetmon
+GH_COMMIT=	78ae82822ad6188ccacbe6cfe5e8274c5b3a3689
+#GH_TAGNAME=	v1.2.8
+DISTNAME=	fastnetmon-1.2.9pre20260425
+WRKSRC=		${WRKDIST}/src
+
+HOMEPAGE=	https://fastnetmon.com/guides/
+
+CATEGORIES=	net security
+
+# GPLv2
+PERMIT_PACKAGE=	Yes
+
+MODULES=	devel/cmake
+
+WANTLIB += ${COMPILER_LIBCXX} absl_base absl_borrowed_fixup_buffer
+WANTLIB += absl_city absl_civil_time absl_cord absl_cord_internal
+WANTLIB += absl_cordz_functions absl_cordz_handle absl_cordz_info
+WANTLIB += absl_crc32c absl_crc_cord_state absl_crc_cpu_detect
+WANTLIB += absl_crc_internal absl_debugging_internal absl_decode_rust_punycode
+WANTLIB += absl_demangle_internal absl_demangle_rust absl_die_if_null
+WANTLIB += absl_examine_stack absl_exponential_biased absl_flags_commandlineflag
+WANTLIB += absl_flags_commandlineflag_internal absl_flags_config
+WANTLIB += absl_flags_internal absl_flags_marshalling absl_flags_private_handle_accessor
+WANTLIB += absl_flags_program_name absl_flags_reflection absl_graphcycles_internal
+WANTLIB += absl_hash absl_hashtablez_sampler absl_int128 absl_kernel_timeout_internal
+WANTLIB += absl_leak_check absl_log_entry absl_log_globals absl_log_initialize
+WANTLIB += absl_log_internal_check_op absl_log_internal_conditions
+WANTLIB += absl_log_internal_fnmatch absl_log_internal_format
+WANTLIB += absl_log_internal_globals absl_log_internal_log_sink_set
+WANTLIB += absl_log_internal_message absl_log_internal_nullguard
+WANTLIB += absl_log_internal_proto absl_log_internal_structured_proto
+WANTLIB += absl_log_severity absl_log_sink absl_malloc_internal
+WANTLIB += absl_random_distributions absl_random_internal_entropy_pool
+WANTLIB += absl_random_internal_platform absl_random_internal_randen
+WANTLIB += absl_random_internal_randen_hwaes absl_random_internal_randen_hwaes_impl
+WANTLIB += absl_random_internal_randen_slow absl_random_internal_seed_material
+WANTLIB += absl_random_seed_gen_exception absl_random_seed_sequences
+WANTLIB += absl_raw_hash_set absl_raw_logging_internal absl_spinlock_wait
+WANTLIB += absl_stacktrace absl_status absl_statusor absl_str_format_internal
+WANTLIB += absl_strerror absl_strings absl_strings_internal absl_symbolize
+WANTLIB += absl_synchronization absl_throw_delegate absl_time
+WANTLIB += absl_time_zone absl_tracing_internal absl_utf8_for_code_point
+WANTLIB += absl_vlog_config_internal boost_atomic-mt boost_chrono-mt
+WANTLIB += boost_container-mt boost_date_time-mt boost_program_options-mt
+WANTLIB += boost_regex-mt boost_serialization-mt boost_thread-mt
+WANTLIB += c crypto curses form gpr grpc grpc++ hiredis log4cpp
+WANTLIB += m pcap protobuf ssl utf8_validity
+
+COMPILER=	base-clang
+
+BUILD_DEPENDS=	devel/capnproto # static
+LIB_DEPENDS=	devel/abseil-cpp \
+		devel/boost \
+		devel/log4cpp \
+		devel/protobuf \
+		databases/libhiredis \
+		net/grpc
+
+# mongodb support requires mongo-c-driver, which needs fiddling for libbind
+CONFIGURE_ARGS=	-DENABLE_DPI_SUPPORT=Off \
+		-DENABLE_MONGODB_SUPPORT=Off \
+		-DENABLE_NETMAP_SUPPORT=Off \
+		-DSET_ABSOLUTE_INSTALL_PATH=Off
+DEBUG_PACKAGES=	${BUILD_PACKAGES}
+CXXFLAGS +=	-DBOOST_STACKTRACE_GNU_SOURCE_NOT_REQUIRED
+
+pre-configure:
+	${SUBST_CMD} ${WRKSRC}/CMakeLists.txt
+	sed -i -e 's,/var/log,&/fastnetmon,g;' \
+		-e 's,/var/run,&/fastnetmon,g;' \
+		-e 's,/etc,${SYSCONFDIR}/fastnetmon,g' \
+		-e 's,/usr/local,${PREFIX},g' \
+		${WRKSRC}/fast_platform.h.template \
+		${WRKSRC}/fastnetmon.conf ${WRKSRC}/scripts/*pl \
+		${WRKSRC}/scripts/*py ${WRKSRC}/scripts/*sh
+
+post-install:
+	${INSTALL_DATA_DIR} ${PREFIX}/share/examples/fastnetmon/
+	${INSTALL_DATA} ${WRKSRC}/notify_about_attack.sh \
+		${WRKSRC}/scripts/!(perllib) \
+		${PREFIX}/share/examples/fastnetmon/
+	cd ${PREFIX}/share/examples/fastnetmon/; \
+	rm *build*.pl install*.pl reformat_code_with_clang_format.sh
+
+.include <bsd.port.mk>
@@ -0,0 +1,2 @@
+SHA256 (fastnetmon-1.2.9pre20260425-78ae8282.tar.gz) = 6wfxb+xA2kd/Z6OjfChlc2nata4vRDNR7D1BfPl67EM=
+SIZE (fastnetmon-1.2.9pre20260425-78ae8282.tar.gz) = 1495368
@@ -0,0 +1,38 @@
+Index: src/CMakeLists.txt
+--- src/CMakeLists.txt.orig
+++ src/CMakeLists.txt
+@@ -185,15 +185,15 @@ message(STATUS "Commit hash: ${GIT_LAST_COMMIT_HASH_SH
+ set(FASTNETMON_APPLICATION_VERSION "${FASTNETMON_VERSION_MAJOR}.${FASTNETMON_VERSION_MINOR}.${FASTNETMON_VERSION_PATCH} ${GIT_LAST_COMMIT_HASH_SHORT}")
+ 
+ # Set standard values which work for majority of platforms
+-set(FASTNETMON_PID_PATH "/var/run/fastnetmon.pid")
+-set(FASTNETMON_CONFIGURATION_PATH "/etc/fastnetmon.conf")
+-set(FASTNETMON_LOG_FILE_PATH "/var/log/fastnetmon.log")
+set(FASTNETMON_PID_PATH "/var/run/fastnetmon/fastnetmon.pid")
+set(FASTNETMON_CONFIGURATION_PATH "${SYSCONFDIR}/fastnetmon/fastnetmon.conf")
+set(FASTNETMON_LOG_FILE_PATH "/var/log/fastnetmon/fastnetmon.log")
+ set(FASTNETMON_ATTACK_DETAILS_FOLDER "/var/log/fastnetmon_attacks")
+-set(FASTNETMON_NOTIFY_SCRIPT_PATH_DEFAULT "/usr/local/bin/notify_about_attack.sh")
+-set(FASTNETMON_NETWORK_WHITELIST_PATH "/etc/networks_whitelist")
+-set(FASTNETMON_NETWORKS_LIST_PATH "/etc/networks_list")
+-set(FASTNETMON_BACKTRACE_PATH "/var/log/fastnetmon_backtrace.dump")
+-set(FASTNETMON_WHITELIST_RULES_PATH "/etc/whitelist_rules")
+set(FASTNETMON_NOTIFY_SCRIPT_PATH_DEFAULT "${SYSCONFDIR}/fastnetmon/notify_about_attack.sh")
+set(FASTNETMON_NETWORK_WHITELIST_PATH "${SYSCONFDIR}/fastnetmon/networks_whitelist")
+set(FASTNETMON_NETWORKS_LIST_PATH "${SYSCONFDIR}/fastnetmon/networks_list")
+set(FASTNETMON_BACKTRACE_PATH "/var/log/fastnetmon/fastnetmon_backtrace.dump")
+set(FASTNETMON_WHITELIST_RULES_PATH "${SYSCONFDIR}/fastnetmon/whitelist_rules")
+ 
+ # For FreeBSD based platforms we need to adjust them
+ if (${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD" OR ${CMAKE_SYSTEM_NAME} STREQUAL "DragonFly")
+@@ -1167,6 +1167,10 @@ elseif (${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
+     endif()
+ elseif (${CMAKE_SYSTEM_NAME} STREQUAL "Darwin")
+     message(STATUS "We run on Apple platform")
+elseif(${CMAKE_SYSTEM_NAME} STREQUAL "OpenBSD")
+    set(CMAKE_INSTALL_BINDIR "${PREFIX}/bin")
+    set(CMAKE_INSTALL_SBINDIR "${PREFIX}/sbin")
+    set(CMAKE_INSTALL_SYSCONFDIR "${PREFIX}/share/examples/fastnetmon")
+ else()
+     message(STATUS "We run on platform ${CMAKE_SYSTEM_NAME} and we do not touch install paths")
+     # Do not touch these variables and use default values
@@ -0,0 +1,12 @@
+Index: src/fast_endianless.hpp
+--- src/fast_endianless.hpp.orig
+++ src/fast_endianless.hpp
+@@ -5,6 +5,8 @@
+ #ifdef _WIN32
+ #include <winsock2.h>
+ #else
+// For int32_t
+#include <sys/types.h>
+ #include <arpa/inet.h>
+ #endif 
+ 
@@ -0,0 +1,34 @@
+from https://github.com/freebsd/freebsd-ports/blob/f009564d752e90a9070d32d97b901964044134c4/net-mgmt/fastnetmon/files/patch-fast__library.cpp
+
+Index: src/fast_library.cpp
+--- src/fast_library.cpp.orig
+++ src/fast_library.cpp
+@@ -36,6 +36,11 @@
+ 
+ #include "iana_ip_protocols.hpp"
+ 
+// For pthread_set_name_np
+#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__OpenBSD__)
+#include <pthread_np.h>
+#endif
+
+ boost::regex regular_expression_cidr_pattern("^\\d+\\.\\d+\\.\\d+\\.\\d+\\/\\d+$");
+ boost::regex regular_expression_host_pattern("^\\d+\\.\\d+\\.\\d+\\.\\d+$");
+ 
+@@ -1202,12 +1207,16 @@ bool set_boost_process_name(boost::thread* thread, con
+     char new_process_name[16];
+     strcpy(new_process_name, process_name.c_str());
+ 
+#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__OpenBSD__)
+    pthread_set_name_np(thread->native_handle(), new_process_name);
+#else
+     int result = pthread_setname_np(thread->native_handle(), new_process_name);
+ 
+     if (result != 0) {
+         logger << log4cpp::Priority::ERROR << "pthread_setname_np failed with code: " << result;
+         logger << log4cpp::Priority::ERROR << "Failed to set process name for " << process_name;
+     }
+#endif
+ 
+     return true;
+ }
@@ -0,0 +1,12 @@
+Index: src/notify_about_attack.sh
+--- src/notify_about_attack.sh.orig
+++ src/notify_about_attack.sh
+@@ -9,7 +9,7 @@
+ #  $4 Attack action: ban or unban
+ #
+ 
+-email_notify="please_fix_this_email@domain.com"
+email_notify="please_fix_this_email@example.com"
+ 
+ # For ban action we will receive attack details to stdin
+ # Please do not remove "cat" command because
@@ -0,0 +1,8 @@
+FastNetMon is a very high performance DDoS detector built on top of
+multiple packet capture engines: NetFlow, IPFIX, sFLOW.
+
+It could detect malicious traffic in your network and immediately block
+it with BGP blackhole or BGP flow spec rules.
+
+It has solid support for all top network vendors and has unlimited
+scalability due to flexible design.
@@ -0,0 +1,29 @@
+@newgroup _fastnetmon:814
+@newuser _fastnetmon:814:_fastnetmon::FastNetMon User:/nonexistent:/sbin/nologin
+@extraunexec rm -rf /var/log/fastnetmon/*
+@extraunexec rm -rf /var/log/fastnetmon_attacks/*
+@rcscript ${RCDIR}/fastnetmon
+@bin bin/fastnetmon_api_client
+@bin bin/fastnetmon_client
+@man man/man1/fastnetmon_client.1
+@man man/man8/fastnetmon.8
+@bin sbin/fastnetmon
+share/doc/pkg-readmes/${PKGSTEM}
+share/examples/fastnetmon/
+@sample ${SYSCONFDIR}/fastnetmon/
+share/examples/fastnetmon/fastnetmon.conf
+@sample ${SYSCONFDIR}/fastnetmon/fastnetmon.conf
+share/examples/fastnetmon/fastnetmon_notify.py
+share/examples/fastnetmon/ipfix_csv_processor.pl
+share/examples/fastnetmon/networks_list
+@sample ${SYSCONFDIR}/fastnetmon/networks_list
+share/examples/fastnetmon/networks_whitelist
+@sample ${SYSCONFDIR}/fastnetmon/networks_whitelist
+share/examples/fastnetmon/notify_about_attack.sh
+@sample ${SYSCONFDIR}/fastnetmon/notify_about_attack.sh
+share/examples/fastnetmon/notify_with_discord.sh
+share/examples/fastnetmon/notify_with_slack.sh
+@owner _fastnetmon
+@group _fastnetmon
+@sample /var/log/fastnetmon/
+@sample /var/log/fastnetmon_attacks/
@@ -0,0 +1,27 @@
+-----------------------------------------------------------------------
+| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------
+
+NetFlow input from pf
+---------------------
+By default FastNetMon listens on port 2055 for incoming NetFlow data. This can
+be obtained from pflow(4). Minimal pf.conf addition to export all states through
+pflow(4):
+
+	set state-defaults pflow
+
+And create a pflow0 with:
+
+	# ifconfig pflow0 flowsrc 127.0.0.1 flowdst 127.0.0.1:2055
+
+The default protocol version (5) works fine with FastNetMon.
+
+Configuration
+-------------
+At the very minimum the known networks need to be recorded in
+${SYSCONFDIR}/fastnetmon/networks_list in CIDR notation, otherwise all traffic
+is classified as "other traffic".
+
+Also a notification script needs to be configured and installed to actually
+perform a ban. A stub is provided in
+${PREFIX}/share/examples/fastnetmon/notify_about_attack.sh
@@ -0,0 +1,12 @@
+#!/bin/ksh
+
+daemon="${TRUEPREFIX}/sbin/fastnetmon --daemonize"
+daemon_user="_fastnetmon"
+
+. /etc/rc.d/rc.subr
+
+rc_pre() {
+	install -d -m 750 -o ${daemon_user} /var/run/fastnetmon
+}
+
+rc_cmd $1