Revert attempted MFC. It included unwanted changes.

3 files changed, 42 insertions, 145 deletions

diff --git a/contrib/blacklist/bin/blacklistd.8 b/contrib/blacklist/bin/blacklistd.8
index 9ec52d5..8349c78 100644
--- a/contrib/blacklist/bin/blacklistd.8
+++ b/contrib/blacklist/bin/blacklistd.8
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd Dec 6, 2017
+.Dd June 7, 2016
 .Dt BLACKLISTD 8
 .Os
 .Sh NAME
@@ -35,7 +35,7 @@
 .Nd block and release ports on demand to avoid DoS abuse
 .Sh SYNOPSIS
 .Nm
-.Op Fl Bdfrv
+.Op Fl dfrv
 .Op Fl C Ar controlprog
 .Op Fl c Ar configfile
 .Op Fl D Ar dbfile
@@ -154,8 +154,6 @@ The Berkeley DB file where
 .Nm
 stores its state, usually
 .Pa /var/run/blacklistd.db .
-.It Fl B
-Disable processing of bad-usernames.
 .It Fl d
 Normally,
 .Nm
diff --git a/contrib/blacklist/bin/blacklistd.c b/contrib/blacklist/bin/blacklistd.c
index 48e5130..632d1d0 100644
--- a/contrib/blacklist/bin/blacklistd.c
+++ b/contrib/blacklist/bin/blacklistd.c
@@ -76,7 +76,6 @@ static DB *state;
 static const char *dbfile = _PATH_BLSTATE;
 static sig_atomic_t readconf;
 static sig_atomic_t done;
-static int Bflag;
 static int vflag;
 
 static void
@@ -165,85 +164,12 @@ getremoteaddress(bl_info_t *bi, struct sockaddr_storage *rss, socklen_t *rsl)
 	return 0;
 }
 
-static const char *badnames_email[] = {
-	"info",
-	"root",
-	"admin",
-	"support",
-	"webmaster",
-	"sales",
-	"postmaster",
-	"marketing",
-	"administrator",
-	"default",
-	"noreply",
-	"ftpuser",
-	"backup",
-	"webadmin",
-	"security",
-	NULL
-};
-
-static const char *badnames_ssh[] = {
-	"admin",
-	"support",
-	"pi",
-	"info",
-	"root",
-	"guest",
-	"webmaster",
-	"ubnt",
-	"abuse",
-	"default",
-	"apache",
-	"nginx",
-	"cisco",
-	"administrator",
-	"ftpuser",
-	"supervisor",
-	"mysql",
-	"postgres",
-	"oracle",
-	"security",
-	"nagios",
-	"webadmin",
-	"usuario",
-	"uucp",
-	"PlcmSpIp",
-	" 0101",
-	NULL
-};
-
-static int
-lookup_username(int proto, int port, const char *username)
-{
-	int i;
-	const char **names;
-
-	if (proto != IPPROTO_TCP)
-		return 0;
-
-	if (port == 22)
-		names = badnames_ssh;
-	else if (port == 25 || port == 587)
-		names = badnames_email;
-	else
-		return 0;
-
-	for (i = 0; names[i] != NULL; i++) {
-		if (strcmp(username, names[i]) == 0)
-			return 1;
-	}
-	return 0;
-}
-
 static void
 process(bl_t bl)
 {
 	struct sockaddr_storage rss;
 	socklen_t rsl;
 	char rbuf[BUFSIZ];
-	int runadd, rundelete;
 	bl_info_t *bi;
 	struct conf c;
 	struct dbinfo dbi;
@@ -287,74 +213,59 @@ process(bl_t bl)
 		    fmttime(b2, sizeof(b2), ts.tv_sec));
 	}
 
-	runadd = rundelete = 0;
-
 	switch (bi->bi_type) {
 	case BL_ABUSE:
 		/*
 		 * If the application has signaled abusive behavior,
-		 * set the number of fails to be the configured limit.
+		 * set the number of fails to be one less than the
+		 * configured limit.  Fallthrough to the normal BL_ADD
+		 * processing, which will increment the failure count
+		 * to the threshhold, and block the abusive address.
 		 */
 		if (c.c_nfail != -1)
-			dbi.count = c.c_nfail;
-		rundelete = 1;
-		runadd = 1;
+			dbi.count = c.c_nfail - 1;
+		/*FALLTHROUGH*/
+	case BL_ADD:
+		dbi.count++;
+		dbi.last = ts.tv_sec;
+		if (dbi.id[0]) {
+			/*
+			 * We should not be getting this since the rule
+			 * should have blocked the address. A possible
+			 * explanation is that someone removed that rule,
+			 * and another would be that we got another attempt
+			 * before we added the rule. In anycase, we remove
+			 * and re-add the rule because we don't want to add
+			 * it twice, because then we'd lose track of it.
+			 */
+			(*lfun)(LOG_DEBUG, "rule exists %s", dbi.id);
+			(void)run_change("rem", &c, dbi.id, 0);
+			dbi.id[0] = '\0';
+		}
+		if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
+			int res = run_change("add", &c, dbi.id, sizeof(dbi.id));
+			if (res == -1)
+				goto out;
+			sockaddr_snprintf(rbuf, sizeof(rbuf), "%a",
+			    (void *)&rss);
+			(*lfun)(LOG_INFO,
+			    "blocked %s/%d:%d for %d seconds",
+			    rbuf, c.c_lmask, c.c_port, c.c_duration);
+				
+		}
 		break;
 	case BL_DELETE:
 		if (dbi.last == 0)
 			goto out;
 		dbi.count = 0;
 		dbi.last = 0;
-		rundelete = 1;
 		break;
 	case BL_BADUSER:
-		(*lfun)(LOG_DEBUG, "BL_BADUSER: username %s", bi->bi_msg);
-		dbi.count--;
-		if (Bflag == 0 && lookup_username(c.c_proto, c.c_port, bi->bi_msg) == 1) {
-			dbi.count = c.c_nfail - 1;
-			(*lfun)(LOG_DEBUG, "BL_BADUSER: found %s on list (port: %d)", bi->bi_msg, c.c_port);
-		}
-		/* FALLTHROUGH */
-	case BL_ADD:
-		dbi.count++;
-		dbi.last = ts.tv_sec;
-		if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
-			rundelete = 1;
-			runadd = 1;
-		}
+		/* ignore for now */
 		break;
 	default:
 		(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
 	}
-
-	if (rundelete && c.c_duration != -1) {
-		/*
-		 * We should not be getting this since the rule
-		 * should have blocked the address. A possible
-		 * explanation is that someone removed that rule,
-		 * and another would be that we got another attempt
-		 * before we added the rule. In anycase, we remove
-		 * and re-add the rule because we don't want to add
-		 * it twice, because then we'd lose track of it.
-		 */
-		if (dbi.id[0]) {
-			(*lfun)(LOG_INFO, "rule exists %s", dbi.id);
-			(void)run_change("rem", &c, dbi.id, 0);
-			dbi.id[0] = '\0';
-		}
-	}
-	if (runadd) {
-		int res = run_change("add", &c, dbi.id, sizeof(dbi.id));
-		if (res == -1)
-			goto out;
-		sockaddr_snprintf(rbuf, sizeof(rbuf), "%a",
-		    (void *)&rss);
-		(*lfun)(LOG_INFO,
-		    "blocked %s/%d:%d for %d seconds",
-		    rbuf, c.c_lmask, c.c_port, c.c_duration);
-	}
-
-	/* persist the data */
 	state_put(state, &c, &dbi);
 
 out:
@@ -493,16 +404,13 @@ rules_restore(void)
 	struct conf c;
 	struct dbinfo dbi;
 	unsigned int f;
-	static int addremove;
 
 	for (f = 1; state_iterate(state, &c, &dbi, f) == 1; f = 0) {
 		if (dbi.id[0] == '\0')
 			continue;
 		(void)run_change("rem", &c, dbi.id, 0);
 		(void)run_change("add", &c, dbi.id, sizeof(dbi.id));
-		addremove++;
 	}
-	(*lfun)(LOG_INFO, "removed and re-added %d addresses", addremove);
 }
 
 int
@@ -521,11 +429,8 @@ main(int argc, char *argv[])
 	restore = 0;
 	tout = 0;
 	flags = O_RDWR|O_EXCL|O_CLOEXEC;
-	while ((c = getopt(argc, argv, "BC:c:D:dfP:rR:s:t:v")) != -1) {
+	while ((c = getopt(argc, argv, "C:c:D:dfP:rR:s:t:v")) != -1) {
 		switch (c) {
-		case 'B':
-			Bflag++;
-			break;
 		case 'C':
 			controlprog = optarg;
 			break;
diff --git a/contrib/blacklist/libexec/blacklistd-helper b/contrib/blacklist/libexec/blacklistd-helper
index 1af320d..2d0a89e 100644
--- a/contrib/blacklist/libexec/blacklistd-helper
+++ b/contrib/blacklist/libexec/blacklistd-helper
@@ -80,8 +80,8 @@ add)
 		    echo "block in quick $proto from <port$6> to any $port" | \
 		    /sbin/pfctl -a "$2/$6" -f -
 		# insert $ip/$mask into per-protocol/port anchored table
-		/sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
-		    /sbin/pfctl -q -k $addr && echo OK
+		/sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+		    echo OK
 		;;
 	esac
 	;;
@@ -101,7 +101,7 @@ rem)
 		/sbin/npfctl rule "$2" rem-id "$7"
 		;;
 	pf)
-		/sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+		/sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
 		    echo OK
 		;;
 	esac
@@ -118,13 +118,7 @@ flush)
 		/sbin/npfctl rule "$2" flush
 		;;
 	pf)
-		# dynamically determine which anchors exist
-		anchors=$(/sbin/pfctl -a $2 -s Anchors)
-		for anchor in $anchors; do
-			/sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush
-			/sbin/pfctl -a $anchor -F rules
-		done
-		echo OK
+		/sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK
 		;;
 	esac
 	;;