author:    lidl <lidl@FreeBSD.org>  2017-02-27 04:05:34 +0000
committer: lidl <lidl@FreeBSD.org>  2017-02-27 04:05:34 +0000
commit:    5cdffc8ecb36bea64b489ec38e7b7a1d98499da1
tree:      8bf9cd0e1b38c3e5e99a214ed7c130ef382c2135
parent:    eaff1b373b4fe4b2edab8cf843303ed4ce5bcfe6
MFC r314111: Improve ipfw rule creation for blacklist-helper script
When blocking an address, the blacklist-helper script needs to do the
following things for the ipfw packet filter:

- create a table to hold the addresses to be blocked, so lookups can be
  done quickly, and place the address to be blocked in that table
- create a rule that does the lookup in the table and blocks the packet

The ipfw system allows multiple rules to be inserted for a given rule
number. There only needs to be one rule to do the lookup per port.
Modify the script to probe for the existence of the rule before
attempting to create it, so only one rule is inserted, rather than one
rule per blocked address.

PR:                     214980
Reported by:            azhegalov (at) gmail.com
Reviewed by:            emaste
Sponsored by:           The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D9681
-rw-r--r--  contrib/blacklist/libexec/blacklistd-helper  7
1 file changed, 5 insertions, 2 deletions
diff --git a/contrib/blacklist/libexec/blacklistd-helper b/contrib/blacklist/libexec/blacklistd-helper
index b5932f6..37f94a6 100644
--- a/contrib/blacklist/libexec/blacklistd-helper
+++ b/contrib/blacklist/libexec/blacklistd-helper
@@ -63,8 +63,11 @@ add)
tname="port$6"
/sbin/ipfw table $tname create type addr 2>/dev/null
/sbin/ipfw -q table $tname add "$addr/$mask"
- /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
- any dst-port $6 && echo OK
+ # if rule number $rule does not already exist, create it
+ /sbin/ipfw show $rule >/dev/null 2>&1 || \
+ /sbin/ipfw add $rule drop $3 from \
+ table"("$tname")" to any dst-port $6 >/dev/null && \
+ echo OK
;;
npf)
/sbin/npfctl rule "$2" add block in final $proto from \
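Review bot: the existence probe on the `/sbin/ipfw show $rule` line keys only on the rule number, while the table it is meant to guard is per-port (`tname="port$6"`), so this hunk is correct only if $rule is distinct for every port; if one $rule value is shared across ports, the `add` for the second port is silently skipped and the script still prints OK, because `A || B && C` is parsed as `(A || B) && C` and `show` succeeding is enough to reach `echo OK`. Consider either documenting that $rule must be unique per port, or probing for the specific rule text (e.g. checking the `show` output for `table(port$6)`) so the check cannot be satisfied by an unrelated rule with the same number. The probe also relies on `ipfw show` exiting non-zero when the rule is absent, which is worth stating in the comment above it. Minor: the `add` now drops `-q` and redirects only stdout, so errors from a failed `add` remain visible, which seems intentional and is fine; and the requoting from `"table("$tname")"` to `table"("$tname")"` yields the same word, so it is cosmetic.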