# SPDX-License-Identifier: GPL-2.0-only

include $(TOPDIR)/rules.mk

# Package identity. NOTE(review): PKG_VERSION is the value that version and
# vulnerability tracking will see, while the code actually built comes from
# the git ref configured below; PKG_SOURCE_DATE suggests a development
# snapshot rather than a tagged release - confirm the two really correspond.
PKG_NAME:=suricata
PKG_VERSION:=8.0.0
PKG_RELEASE:=1

# suricata-8.0.0-mine_version
# NOTE(review): supply-chain integrity of this source definition is weak:
#  - the tree is fetched from a third-party fork, not the OISF repository
#    kept (commented out) in the block below;
#  - PKG_SOURCE_VERSION looks like a branch name, i.e. a mutable ref, not a
#    full commit id;
#  - PKG_MIRROR_HASH:=skip turns off the hash check of the fetched tree.
# Taken together, two builds of this same Makefile can package different,
# unverified code. For an IDS/IPS that sits on the traffic path, pin a full
# commit id and record the real mirror hash before shipping an image.
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/guca11/SuricataIDS-onlyCode.git
PKG_MIRROR_HASH:=skip
PKG_SOURCE_DATE:=2024-12-04
PKG_SOURCE_VERSION:=aarch64-musl

# suricata-8.0.0 original
# (upstream source definition, pinned to a commit id but also with the hash
# check skipped; kept for reference)
#PKG_SOURCE_PROTO:=git
#PKG_SOURCE_URL:=https://github.com/OISF/suricata.git
#PKG_MIRROR_HASH:=skip
#PKG_SOURCE_DATE:=2024-11-04
#PKG_SOURCE_VERSION:=b1e7917d4fc1f5bcb56c7b31461514a62dfb6042

# Rebuild the package when this kernel config symbol changes.
PKG_CONFIG_DEPENDS:=CONFIG_KERNEL_XDP_SOCKETS

# autoreconf fixup is disabled; only the libtool patch fixup is applied.
# The configure script is regenerated by hand in Build/Configure instead.
#PKG_FIXUP:=autoreconf
#PKG_REMOVE_FILES:=autogen.sh
PKG_FIXUP:=patch-libtool

# Host-side tools needed at build time (Rust toolchain and Python 3).
PKG_BUILD_DEPENDS:=rust/host python3/host

include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/bpf.mk
include $(INCLUDE_DIR)/nls.mk
include ../../lang/rust/rust-values.mk

# Menuconfig entry and run-time dependencies of the suricata package.
# "+SYMBOL:pkg" entries are pulled in only when SYMBOL is selected; plain
# "+pkg" entries are always installed together with the package.
# NOTE(review): libhiredis is listed both unconditionally and under
# SURICATA_ENABLE_HIREDIS, and luajit is unconditional although
# --enable-luajit is optional further down - confirm which is intended, since
# every always-on library adds to the code loaded by a privileged,
# traffic-facing process.
define Package/suricata
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=Firewall
  TITLE:=OISF Suricata IDS
  URL:=https://www.openinfosecfoundation.org/
  MENU:=1
  DEPENDS:=@!SMALL_FLASH @!LOW_MEMORY_FOOTPRINT \
    +libexpat +jansson +libelf +libbpf +libbsd +libpcre2 +libyaml +libpcap +libcap-ng \
    $(ICONV_DEPENDS) $(INTL_DEPENDS) \
    +nspr +libnss +liblz4 +libatomic +libnet-1.2.x +libxdp +libnfnetlink +libunwind +libhiredis +luajit \
    +(TARGET_x86||TARGET_x86_64):hyperscan-runtime \
    +SURICATA_ENABLE_PFRING:libpfring \
    +zlib \
    +SURICATA_ENABLE_NFLOG:libnetfilter-log \
    +SURICATA_ENABLE_NFQUEUE:libnetfilter-queue \
    +SURICATA_ENABLE_NFQUEUE:iptables-mod-nfqueue \
    +SURICATA_ENABLE_HIREDIS:libhiredis \
    +SURICATA_ENABLE_HIREDIS:libevent2 \
    +SURICATA_ENABLE_HIREDIS:libevent2-pthreads \
    +SURICATA_ENABLE_LIBMAGIC:libmagic \
    +SURICATA_ENABLE_GEOIP:libmaxminddb \
    +SURICATA_ENABLE_PYTHON:python3 \
    +SURICATA_ENABLE_PYTHON:python3-yaml
endef

# Long description text attached to the package metadata.
define Package/suricata/description
	Suricata is an open source-based intrusion detection system (IDS), intrusion
	prevention system (IPS), and Network Monitoring System (NMS)
endef

# Pull the package's own Config.in fragment into menuconfig.
# presumably this is where the SURICATA_ENABLE_* symbols tested further down
# (and their defaults) are declared - verify against Config.in
define Package/suricata/config
  source "$(SOURCE)/Config.in"
endef

# Extra include paths (Hyperscan headers from staging, the Suricata source
# tree and the Rust-generated headers) plus _GNU_SOURCE.
# NOTE(review): -w suppresses every compiler warning for this build. That also
# hides format-string, truncation and similar diagnostics that a hardened
# toolchain configuration would otherwise surface, in a C code base that
# parses untrusted network traffic. Prefer silencing specific warnings.
TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/hs -w -I$(PKG_BUILD_DIR)/src -I$(PKG_BUILD_DIR)/rust/gen -D_GNU_SOURCE

# Values passed to configure through the environment.
# NOTE(review): these look like preset PF_RING results, yet --enable-pfring is
# commented out further down - confirm they still have any effect.
CONFIGURE_VARS += \
  HAVE_PF_RING_FLOW_OFFLOAD=1 \
  pfring_recv_chunk=yes

# Arguments passed to ./configure. --target/--host/--build are taken from the
# Rust target/host triples; the sysroot is the OpenWrt staging directory.
# NOTE(review): the --enable-mail ... --disable-chdlc switches are not
# explained on this page; presumably the fork's configure script uses them to
# compile individual decoders and protocol parsers in or out. If so, traffic
# carried in a disabled encapsulation or protocol (vlan, gre, vxlan, mpls,
# ppp, ...) would not be decoded, and rules written for it cannot match -
# a detection blind spot that should be checked against the networks this
# image is meant to monitor. TODO confirm against the fork's configure.ac.
# NOTE(review): the last live argument ends in a backslash and the
# continuation runs into the commented-out lines below it; keep any new
# argument above those comment lines.
CONFIGURE_ARGS += \
  --target=$(RUSTC_TARGET_ARCH) \
  --host=$(RUSTC_TARGET_ARCH) \
  --build=$(RUSTC_HOST_ARCH) \
  --enable-shared \
  --disable-gccmarch-native \
  --disable-gccprofile \
  --with-gnu-ld \
  --with-sysroot=$(STAGING_DIR) \
  --enable-mail \
  --enable-raw \
  --enable-ntp \
  --enable-telnet \
  --disable-esp \
  --disable-vxlan \
  --disable-vntag \
  --disable-vlan \
  --disable-sll \
  --disable-sip \
  --disable-sctp \
  --disable-ppp \
  --disable-nsh \
  --disable-nfs \
  --disable-mpls \
  --disable-gre \
  --disable-geneve \
  --disable-erspan \
  --disable-enip \
  --disable-dnp3 \
  --disable-chdlc \
#	--enable-non-bundled-htp \
#	--with-libhtp-includes=$(STAGING_DIR_HOSTPKG)/include \
#	--with-libhtp-libraries=$(STAGING_DIR_HOSTPKG)/lib
#	--with-sysroot=$(TOOLCHAIN_DIR)

# Optional features: each block appends a configure switch when the matching
# CONFIG_SURICATA_ENABLE_* symbol has the value tested.
ifeq ($(CONFIG_SURICATA_ENABLE_PYTHON),y)
CONFIGURE_ARGS += --enable-python
endif
# NOTE(review): this block does nothing because its only line is commented
# out, while DEPENDS still pulls in libpfring when the option is selected.
ifeq ($(CONFIG_SURICATA_ENABLE_PFRING),y)
#CONFIGURE_ARGS += --enable-pfring
endif
ifeq ($(CONFIG_SURICATA_ENABLE_LUAJIT),y)
CONFIGURE_ARGS += --enable-luajit
endif
# NOTE(review): upstream Suricata describes --enable-gccprotect as turning on
# compiler hardening options; here it is opt-in, so check what Config.in uses
# as the default for a traffic-facing daemon.
ifeq ($(CONFIG_SURICATA_ENABLE_GCCPROTECT),y)
CONFIGURE_ARGS += --enable-gccprotect
endif
# NOTE(review): this comparison is against "n", unlike every sibling block.
# OpenWrt leaves deselected symbols unset rather than setting them to "n", so
# this branch probably never fires and the --disable-gccprofile from the base
# argument list stays in effect - confirm the intent before "fixing" it.
ifeq ($(CONFIG_SURICATA_ENABLE_GCCPROFILE),n)
CONFIGURE_ARGS += --enable-gccprofile
endif

# Ask configure for a position-independent executable when the build-wide
# ASLR/PIE setting is either "all" or "regular". The whole block is skipped
# whenever CONFIG_TARGET_x86 is set, so images for that target are configured
# without --enable-pie even if PIE was requested globally.
ifneq ($(CONFIG_TARGET_x86),y)
  ifneq ($(filter y,$(CONFIG_PKG_ASLR_PIE_ALL) $(CONFIG_PKG_ASLR_PIE_REGULAR)),)
    CONFIGURE_ARGS += --enable-pie
  endif
endif

# Remaining optional features. Each line contributes its configure switch only
# when the corresponding CONFIG_SURICATA_ENABLE_* symbol is "y"; otherwise it
# expands to nothing.
CONFIGURE_ARGS += $(if $(filter y,$(CONFIG_SURICATA_ENABLE_NFQUEUE)),--enable-nfqueue)
CONFIGURE_ARGS += $(if $(filter y,$(CONFIG_SURICATA_ENABLE_GEOIP)),--enable-geoip)
CONFIGURE_ARGS += $(if $(filter y,$(CONFIG_SURICATA_ENABLE_LIBMAGIC)),--enable-libmagic)

# Debug builds: extra debug information is added to the C++ flags only, and
# configure is told to enable its debug mode.
TARGET_CXXFLAGS += $(if $(filter y,$(CONFIG_SURICATA_ENABLE_DEBUG)),-ggdb3)
CONFIGURE_ARGS += $(if $(filter y,$(CONFIG_SURICATA_ENABLE_DEBUG)),--enable-debug)

CONFIGURE_ARGS += $(if $(filter y,$(CONFIG_SURICATA_ENABLE_HIREDIS)),--enable-hiredis)

# eBPF support and the build of the eBPF programs are switched on together.
CONFIGURE_ARGS += $(if $(filter y,$(CONFIG_SURICATA_ENABLE_EBPF)),--enable-ebpf --enable-ebpf-build)

CONFIGURE_ARGS += $(if $(filter y,$(CONFIG_SURICATA_ENABLE_NFLOG)),--enable-nflog)

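# Prepare and configure the source tree:
#   1. install cbindgen into the host staging root with cargo,
#   2. run the tree's scripts/bundle.sh,
#   3. regenerate the configure script with autogen.sh and run configure,
#   4. hand over to the default OpenWrt configure step.
#
# The steps are chained with && so that a failed download or a failed
# generation step stops the build, rather than being ignored and leaving a
# half-prepared tree to be configured and packaged.
#
# cargo install runs with --locked so cbindgen is built against the dependency
# versions recorded in its own lock file, not whatever resolves on the day
# of the build.
# NOTE(review): the cbindgen version itself is still unpinned, and both cargo
# and (presumably) bundle.sh fetch code from the network during the configure
# step, outside OpenWrt's hashed download mechanism. Pin the version and
# vendor or hash those inputs for a reproducible, auditable build.
# NOTE(review): configure is run here and presumably again by
# Build/Configure/Default - confirm the explicit run is still needed.
define Build/Configure
	( \
		$(CONFIGURE_VARS) cargo install --locked --force --root $(STAGING_DIR)/host cbindgen && \
		cd $(PKG_BUILD_DIR) && \
		$(CONFIGURE_VARS) ./scripts/bundle.sh && \
		$(CONFIGURE_VARS) ./autogen.sh && \
		$(CONFIGURE_VARS) ./configure $(CONFIGURE_ARGS) \
	)
	$(call Build/Configure/Default)
endef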

# Run the default install step twice, once for the "install" target and once
# for the "install-conf" target of the package's own build system.
define Build/Install
	$(call Build/Install/Default,install)
	$(call Build/Install/Default,install-conf)
endef

# Paths registered as configuration files of the package: the UCI config and
# the whole /etc/suricata/ directory.
# NOTE(review): because the entire directory is treated as user configuration,
# an upgraded package presumably keeps the existing suricata.yaml and related
# files - review them after upgrades so new defaults are not silently missed.
define Package/suricata/conffiles
/etc/config/suricata
/etc/suricata/
endef

# Populate the package root ($(1)) from the staged install tree and ./files:
#   - rewrite the first line of suricatactl, suricatasc and suricata-update to
#     a /usr/bin/python3 shebang (the {a,b,c} list relies on brace expansion
#     in the recipe shell), then install them and the suricata binary;
#   - copy everything under usr/lib and usr/include;
#   - copy suricata.yaml, classification.config, threshold.config and
#     reference.config into /etc/suricata;
#   - copy the bundled rules, the init script and the UCI config.
# NOTE(review): the Python helpers are installed unconditionally, while
# python3 is only a dependency when SURICATA_ENABLE_PYTHON is selected -
# confirm they are usable (or wanted) on images built without it.
# NOTE(review): development headers and the full usr/lib tree end up on the
# target image; ship only what the daemon needs at run time.
# NOTE(review): the /etc/suricata files are copied with $(CP), so their
# permissions come from the build tree rather than from an explicit install
# mode as used for /etc/config/suricata - confirm the resulting modes.
define Package/suricata/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(SED) '1c\#!/usr/bin/python3\' -i $(PKG_INSTALL_DIR)/usr/bin/{suricatactl,suricatasc,suricata-update}
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricata $(1)/usr/bin/suricata
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricatactl $(1)/usr/bin/suricatactl
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricatasc $(1)/usr/bin/suricatasc
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricata-update $(1)/usr/bin/suricata-update
	
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) -r $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/

	$(INSTALL_DIR) $(1)/usr/include
	$(CP) -r $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/

	$(INSTALL_DIR) $(1)/etc/suricata
	$(CP) $(PKG_BUILD_DIR)/suricata.yaml \
	$(PKG_BUILD_DIR)/etc/classification.config \
	$(PKG_BUILD_DIR)/threshold.config \
	$(PKG_BUILD_DIR)/etc/reference.config \
	$(1)/etc/suricata/

	$(INSTALL_DIR) $(1)/usr/share/suricata/rules
	$(CP) $(PKG_INSTALL_DIR)/usr/share/suricata/rules/* $(1)/usr/share/suricata/rules/

	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_DIR) $(1)/etc/config

	$(INSTALL_BIN) ./files/etc/init.d/suricata $(1)/etc/init.d/suricata
	$(INSTALL_CONF) ./files/etc/config/suricata $(1)/etc/config/suricata
endef

# Instantiate the package rules for "suricata" from the definitions above.
$(eval $(call BuildPackage,suricata))
