Enhancement: basic and full featured versions
ne20002 opened this issue · 7 comments
Making the packages of crowdsec and crowdsec-firewall-bouncer for OpenWrt I realized that the package size is quite big and may be problematic for many OpenWrt devices with limited space.
As OpenWrt's fw4 is based on nftables and as other features of CrowdSec's firewall bouncer are not needed, I wonder if it would be possible to create a full version and a smaller basic one with minimal features.
Just thinking: if it is just a specific need, could you use something like https://docs.crowdsec.net/docs/next/bouncers/custom ? Then write a custom script to add and remove from an nftables list? Because under the hood that's all the firewall bouncer is doing.
Custom bouncer current build size is 12MB
Firewall bouncer current build size is 13MB
So there's not much saving really. I can make the assumption that even removing everything down to base would still be 10+MB.
I gained 200k by removing pf and iptables. So still 12MB.
You could implement this in pure shell script. That would be the only way I could see you getting a smaller package size.
I believe that building on the original CrowdSec code and repository would be the way to go instead of creating a new bouncer based on shell script or Python.
But, as for OpenWrt the creation of nftable rules is done in the package, the bouncer would only need to receive data from LAPI and push them into the given nftable sets (and also remove IPs if those are unbanned).
It does not need iptables (shouldn't be used anymore in general), metrics (caused too much CPU load on the router) or stuff to create the tables/rules. Simply retrieving lists of IPs and pushing them to nftables sets would be sufficient.
Yeah, but we tested it, and you only saved 200kb by removing the other code parts. So there isn't a lot of code saving.
I personally have no experience with Go, but looking at the size of the package and looking at what the bouncer does compared to other packages' functionality, I just find the package huge ...
Then I will close this issue, as we have stated the results, and if it is still too big then the only other recommendation is writing a shell script, as the binary is just a wrapper to execute cmd commands, so it is doable without this package.
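A sketch of the shell-script approach discussed in this thread, added here as an example and not code from the CrowdSec project or the OpenWrt package: it pulls decisions from LAPI and adds or removes them in existing nftables sets. The table and set names, the `LAPI_URL` and `CROWDSEC_API_KEY` variables, and the availability of `curl` and `jq` are assumptions; only single-IP decisions are handled.

```shell
#!/bin/sh
# Assumed names, not taken from the thread: adjust to the sets the package creates.
LAPI_URL="${LAPI_URL:-http://127.0.0.1:8080}"
TABLE4="crowdsec";  SET4="crowdsec-blacklists"
TABLE6="crowdsec6"; SET6="crowdsec6-blacklists"

# Strict character allowlist: a value from LAPI never reaches nft unless it
# can only be an address, so it cannot carry extra nft syntax.
classify() {
    case "$1" in
        ''|*[!0-9a-fA-F:.]*) echo invalid ;;  # anything outside the allowlist
        *:*)                 echo v6 ;;
        *[!0-9.]*)           echo invalid ;;  # hex letters but no colon
        *.*)                 echo v4 ;;
        *)                   echo invalid ;;
    esac
}

# stdin: "new <ip>" / "deleted <ip>" lines; stdout: one nft command per line.
to_nft() {
    while read -r action value; do
        case "$action" in
            new)     verb=add ;;
            deleted) verb=delete ;;
            *)       continue ;;
        esac
        case "$(classify "$value")" in
            v4) echo "$verb element ip $TABLE4 $SET4 { $value }" ;;
            v6) echo "$verb element ip6 $TABLE6 $SET6 { $value }" ;;
            *)  echo "skipped untrusted value from LAPI" >&2 ;;
        esac
    done
}

# Pull Ip-scope decisions from the LAPI stream endpoint (needs curl and jq).
# $1 = true for the full list on first run, false for deltas afterwards.
fetch_decisions() {
    curl -sf -H "X-Api-Key: $CROWDSEC_API_KEY" \
        "$LAPI_URL/v1/decisions/stream?startup=$1" |
    jq -r '((.new // [])[] | select(.scope == "Ip") | "new \(.value)"),
           ((.deleted // [])[] | select(.scope == "Ip") | "deleted \(.value)")'
}

# Adds go in as one batch; deletes run one by one because deleting an
# element that is already gone is an error and would abort a batch.
sync_once() {
    cmds=$(fetch_decisions "$1" | to_nft)
    printf '%s\n' "$cmds" | grep '^add ' | nft -f -
    printf '%s\n' "$cmds" | grep '^delete ' | while read -r cmd; do
        nft "$cmd" 2>/dev/null || true
    done
}
```

Call `sync_once true` once at start and `sync_once false` on a timer afterwards; the allowlist only keeps nft syntax out of the command, and nft itself still rejects malformed addresses.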