author | Renato Botelho <renato@netgate.com> | 2016-06-14 14:40:19 -0500 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2016-06-14 14:40:19 -0500 |
commit | 20a32898b6944f9ebcdbb846253d812943036066 (patch) | |
tree | 2d3bb1c4acf6d65a66c132d4c59643a3e99dfe34 /contrib/blacklist | |
parent | 4fdb7654ef71cc3e4f0353cc46f28f652cd35605 (diff) | |
parent | a048478c507785f68e86db1a32431aa36773ee06 (diff) | |
Merge remote-tracking branch 'origin/master' into devel-11
Diffstat (limited to 'contrib/blacklist')
-rw-r--r-- | contrib/blacklist/bin/blacklistctl.8 | 8 | ||||
-rw-r--r-- | contrib/blacklist/bin/blacklistctl.c | 2 | ||||
-rw-r--r-- | contrib/blacklist/bin/blacklistd.8 | 8 | ||||
-rw-r--r-- | contrib/blacklist/bin/blacklistd.conf.5 | 8 | ||||
-rw-r--r-- | contrib/blacklist/libexec/blacklistd-helper | 52 |
5 files changed, 64 insertions, 14 deletions
diff --git a/contrib/blacklist/bin/blacklistctl.8 b/contrib/blacklist/bin/blacklistctl.8
index d8ed1f0..f28ab28 100644
--- a/contrib/blacklist/bin/blacklistctl.8
+++ b/contrib/blacklist/bin/blacklistctl.8
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 29, 2015
+.Dd June 7, 2016
 .Dt BLACKLISTCTL 8
 .Os
 .Sh NAME
@@ -75,7 +75,11 @@ will first attempt to remove the existing rule, and then it will re-add it
 to make sure that there is only one rule active.
 .Sh HISTORY
 .Nm
-appeared in
+first appeared in
 .Nx 7 .
+.Fx support for
+.Nm
+was implemented in
+.Fx 11 .
 .Sh AUTHORS
 .An Christos Zoulas
diff --git a/contrib/blacklist/bin/blacklistctl.c b/contrib/blacklist/bin/blacklistctl.c
index d202fb1..3ac65a5 100644
--- a/contrib/blacklist/bin/blacklistctl.c
+++ b/contrib/blacklist/bin/blacklistctl.c
@@ -96,10 +96,10 @@ main(int argc, char *argv[])
 			break;
 		case 'b':
 			blocked = 1;
+			break;
 		case 'D':
 			dbname = optarg;
 			break;
-			break;
 		case 'd':
 			debug++;
 			break;
diff --git a/contrib/blacklist/bin/blacklistd.8 b/contrib/blacklist/bin/blacklistd.8
index 80a53da..0d34d1e 100644
--- a/contrib/blacklist/bin/blacklistd.8
+++ b/contrib/blacklist/bin/blacklistd.8
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 4, 2015
+.Dd June 7, 2016
 .Dt BLACKLISTD 8
 .Os
 .Sh NAME
@@ -216,7 +216,11 @@ Socket to receive connection notifications.
 .Xr syslogd 8
 .Sh HISTORY
 .Nm
-appeared in
+first appeared in
 .Nx 7 .
+.Fx support for
+.Nm
+was implemented in
+.Fx 11 .
 .Sh AUTHORS
 .An Christos Zoulas
diff --git a/contrib/blacklist/bin/blacklistd.conf.5 b/contrib/blacklist/bin/blacklistd.conf.5
index 40d507b..aa10e34 100644
--- a/contrib/blacklist/bin/blacklistd.conf.5
+++ b/contrib/blacklist/bin/blacklistd.conf.5
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 29, 2015
+.Dd June 7, 2016
 .Dt BLACKLISTD.CONF 5
 .Os
 .Sh NAME
@@ -216,7 +216,11 @@ bnx0:ssh * * * * 3 6h
 .Xr blacklistd 8
 .Sh HISTORY
 .Nm
-appeared in
+first appeared in
 .Nx 7 .
+.Fx support for
+.Nm
+was implemented in
+.Fx 11 .
 .Sh AUTHORS
 .An Christos Zoulas
diff --git a/contrib/blacklist/libexec/blacklistd-helper b/contrib/blacklist/libexec/blacklistd-helper
index 743ccf5..be63a9c 100644
--- a/contrib/blacklist/libexec/blacklistd-helper
+++ b/contrib/blacklist/libexec/blacklistd-helper
@@ -10,12 +10,20 @@
 # $7 id
 
 pf=
-for f in npf pf; do
-	if [ -f "/etc/$f.conf" ]; then
-		pf="$f"
-		break
-	fi
-done
+if [ -f "/etc/ipfw-blacklist.rc" ]; then
+	pf="ipfw"
+	. /etc/ipfw-blacklist.rc
+	ipfw_offset=${ipfw_offset:-2000}
+fi
+
+if [ -z "$pf" ]; then
+	for f in npf pf ipf; do
+		if [ -f "/etc/$f.conf" ]; then
+			pf="$f"
+			break
+		fi
+	done
+fi
 
 if [ -z "$pf" ]; then
 	echo "$0: Unsupported packet filter" 1>&2
@@ -43,6 +51,21 @@ esac
 case "$1" in
 add)
 	case "$pf" in
+	ipf)
+		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+		echo block in quick $proto from $addr/$mask to \
+		    any port=$6 head port$6 | \
+		    /sbin/ipf -I -f - -s >/dev/null 2>&1
+		;;
+	ipfw)
+		# use $ipfw_offset+$port for rule number
+		rule=$(($ipfw_offset + $6))
+		tname="port$6"
+		/sbin/ipfw table $tname create type addr 2>/dev/null
+		/sbin/ipfw -q table $tname add "$addr/$mask"
+		/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
+		    any dst-port $6
+		;;
 	npf)
 		/sbin/npfctl rule "$2" add block in final $proto from \
 		    "$addr/$mask" to any $port
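Review bot: `ipfw_offset=${ipfw_offset:-2000}` only supplies a default; whatever value the sourced `/etc/ipfw-blacklist.rc` set is accepted unchecked, and the later `rule=$(($ipfw_offset + $6))` in the `add` hunk (@@ -43) aborts the helper on a non-numeric value — leaving the offending address unblocked — or, in shells that expand names inside `$((...))`, evaluates it as a variable. A one-line guard right after the default keeps a bad rc file from silently disabling blocking: `case "$ipfw_offset" in ''|*[!0-9]*) echo "$0: invalid ipfw_offset" 1>&2; exit 1;; esac`. The same check applies to `$6` before it is used in arithmetic and in the `port$6` table name. Since the rc file is executed with the helper's privileges, a comment noting that it must be root-owned and not group/world-writable would also help operators.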
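Review bot: In the new `ipfw)` branch, `/sbin/ipfw -q add $rule drop $3 ...` runs on every add, so each additional address blocked on the same port appends another rule with the same number (ipfw accepts duplicate rule numbers), and the `rem` and `flush` hunks (@@ -57, @@ -66) only touch the `port$6` table and never delete the rule, so they accumulate for the life of the ruleset. Only the first add per port needs the rule; guarding it with `/sbin/ipfw list $rule >/dev/null 2>&1 || /sbin/ipfw -q add $rule drop $3 from "table($tname)" to any dst-port $6` (if `ipfw list` exits non-zero for a missing rule, which I believe it does) avoids that. Note also that ipfw rule numbers top out at 65535, so with the default offset of 2000 any port above 63535 yields an invalid rule number; a bounds check or a smaller default would be safer. Style: the ipf `echo` line leaves `$addr/$mask` and `$proto` unquoted while the `npf)` line just below quotes `"$addr/$mask"`; keeping the quoting consistent avoids word-splitting surprises. The enclosing `case "$1" in` runs past the end of this hunk.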
@@ -57,6 +80,15 @@ add)
 	;;
 rem)
 	case "$pf" in
+	ipf)
+		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+		echo block in quick $proto from $addr/$mask to \
+		    any port=$6 head port$6 | \
+		    /sbin/ipf -I -r -f - -s >/dev/null 2>&1
+		;;
+	ipfw)
+		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
+		;;
 	npf)
 		/sbin/npfctl rule "$2" rem-id "$7"
 		;;
@@ -66,7 +98,13 @@ rem)
 	esac
 	;;
 flush)
-	case "$pf" in
+	case "$pf" in
+	ipf)
+		/sbin/ipf -Z -I -Fi -s > /dev/null
+		;;
+	ipfw)
+		/sbin/ipfw table "port$6" flush 2>/dev/null
+		;;
 	npf)
 		/sbin/npfctl rule "$2" flush
 		;;
|
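Review bot: The ipf `flush` branch, `/sbin/ipf -Z -I -Fi -s > /dev/null`, flushes the whole inbound rule list of the inactive set and then swaps it active, without first copying the live ruleset in the way the `add` and `rem` branches do with `/sbin/ipfstat -io | /sbin/ipf -I -f -`. If I read ipf's `-F`/`-s` semantics correctly, that leaves the host with no inbound ipf rules at all — including any the administrator configured — rather than removing only blacklistd's `port$6` rules, which is a fail-open on a host that runs this helper as root. The ipfw branch by contrast flushes just the `port$6` table, so the two filters behave very differently on the same command. A safer shape is to mirror `rem`: copy the active rules into the inactive set, remove only the blacklistd-generated `head port$6` rules (for example by filtering them out of the `ipfstat -io` output before feeding `ipf -I -f -`), then swap; failing that, a comment on this line stating that ipf flush discards all inbound rules would at least make the behaviour visible. The `flush)` case continues past the end of the hunk.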