CVS commit: src/external/bsd/blacklist/bin

2020-05-18 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Tue May 19 00:56:25 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.conf.5

Log Message:
Typo fixes from FreeBSD via Ed Maste


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/bin/blacklistd.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.conf.5
diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.9 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.10
--- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.9	Wed Nov  6 15:33:30 2019
+++ src/external/bsd/blacklist/bin/blacklistd.conf.5	Mon May 18 20:56:25 2020
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.conf.5,v 1.9 2019/11/06 20:33:30 para Exp $
+.\" $NetBSD: blacklistd.conf.5,v 1.10 2020/05/19 00:56:25 christos Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 5, 2017
+.Dd May 18, 2020
 .Dt BLACKLISTD.CONF 5
 .Os
 .Sh NAME
@@ -125,18 +125,18 @@ The second field is the socket
 .Dv dgram ,
 or numeric.
 The third field is the
-.Va prococol :
+.Va protocol :
 .Dv tcp ,
 .Dv udp ,
 .Dv tcp6 ,
 .Dv udp6 ,
 or numeric.
-The fourth file is the effective user
+The fourth field is the effective user
 .Va ( owner )
 of the daemon process reporting the event,
 either as a username or a userid.
 .Pp
-The rest of the fields are controlling the behavior of the filter.
+The rest of the fields control the behavior of the filter.
 .Pp
 The
 .Va name



CVS commit: src/external/bsd/blacklist/bin

2020-05-06 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Wed May  6 14:59:51 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.8

Log Message:
The name of the action used with blacklistd's control script is rem,
not remove.  From Jose Luis Duran in PR bin/55195.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/external/bsd/blacklist/bin/blacklistd.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.8
diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.23 src/external/bsd/blacklist/bin/blacklistd.8:1.24
--- src/external/bsd/blacklist/bin/blacklistd.8:1.23	Tue Apr 21 13:57:12 2020
+++ src/external/bsd/blacklist/bin/blacklistd.8	Wed May  6 14:59:51 2020
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.23 2020/04/21 13:57:12 christos Exp $
+.\" $NetBSD: blacklistd.8,v 1.24 2020/05/06 14:59:51 snj Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -123,10 +123,10 @@ that is not required as all information 
 kept.
 .Pp
 If the action is
-.Dq remove
+.Dq rem
 Then the same control script is invoked as:
 .Bd -literal -offset indent
-control remove  
+control rem  
 .Ed
 .Pp
 where
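Review bot: The context line directly after the changed `.Dq rem` still reads "Then the same control script is invoked as:", which renders as a capitalised "Then" in mid-sentence with no comma after the quoted action. Since this sentence is being edited anyway, consider `.Dq rem ,` followed by a lower-case "then the same control script is invoked as:".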



CVS commit: src/external/bsd/blacklist/bin

2020-04-21 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Tue Apr 21 13:57:12 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.8

Log Message:
PR/55193: Jose Luis Duran: Fix wrong location for the db file.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/external/bsd/blacklist/bin/blacklistd.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.8
diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.22 src/external/bsd/blacklist/bin/blacklistd.8:1.23
--- src/external/bsd/blacklist/bin/blacklistd.8:1.22	Mon Mar 30 04:45:09 2020
+++ src/external/bsd/blacklist/bin/blacklistd.8	Tue Apr 21 09:57:12 2020
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.22 2020/03/30 08:45:09 wiz Exp $
+.\" $NetBSD: blacklistd.8,v 1.23 2020/04/21 13:57:12 christos Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd March 29, 2020
+.Dd April 21, 2020
 .Dt BLACKLISTD 8
 .Os
 .Sh NAME
@@ -189,7 +189,7 @@ The name of the configuration file to re
 The Berkeley DB file where
 .Nm
 stores its state, usually
-.Pa /var/run/blacklistd.db .
+.Pa /var/db/blacklistd.db .
 .It Fl d
 Normally,
 .Nm
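Review bot: The corrected `.Pa /var/db/blacklistd.db .` is still introduced with "usually", which leaves it unclear whether this is the compiled-in default or only a convention. Stating it as the default used when this option is not given would help anyone who has to locate or protect the state file, and it is worth checking that no other part of the page still names the old /var/run path.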



CVS commit: src/external/bsd/blacklist/lib

2020-03-30 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Mon Mar 30 17:32:22 UTC 2020

Modified Files:
src/external/bsd/blacklist/lib: libblacklist.3

Log Message:
New sentence, new line.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/external/bsd/blacklist/lib/libblacklist.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/lib/libblacklist.3
diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.10 src/external/bsd/blacklist/lib/libblacklist.3:1.11
--- src/external/bsd/blacklist/lib/libblacklist.3:1.10	Mon Mar 30 15:47:15 2020
+++ src/external/bsd/blacklist/lib/libblacklist.3	Mon Mar 30 17:32:22 2020
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.10 2020/03/30 15:47:15 christos Exp $
+.\" $NetBSD: libblacklist.3,v 1.11 2020/03/30 17:32:22 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -96,11 +96,13 @@ There was an unsuccessful authentication
 A user successfully authenticated.
 .It Va BLACKLIST_ABUSIVE_BEHAVIOR
 The sending daemon has detected abusive behavior
-from the remote system.  The remote address should
+from the remote system.
+The remote address should
 be blocked as soon as possible.
 .It Va BLACKLIST_BAD_USER
 The sending daemon has determined the username
-presented for authentication is invalid.  The
+presented for authentication is invalid.
+The
 .Xr blacklistd 8
 daemon compares the username to a configured list of forbidden
 usernames and



CVS commit: src/external/bsd/blacklist/lib

2020-03-30 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Mon Mar 30 15:47:15 UTC 2020

Modified Files:
src/external/bsd/blacklist/lib: libblacklist.3

Log Message:
Clarify that we always need a valid socket


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/lib/libblacklist.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/lib/libblacklist.3
diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.9 src/external/bsd/blacklist/lib/libblacklist.3:1.10
--- src/external/bsd/blacklist/lib/libblacklist.3:1.9	Wed Nov  6 15:50:01 2019
+++ src/external/bsd/blacklist/lib/libblacklist.3	Mon Mar 30 11:47:15 2020
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.9 2019/11/06 20:50:01 christos Exp $
+.\" $NetBSD: libblacklist.3,v 1.10 2020/03/30 15:47:15 christos Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 5, 2017
+.Dd March 30, 2020
 .Dt LIBBLACKLIST 3
 .Os
 .Sh NAME
@@ -122,6 +122,14 @@ functions can be used with unconnected s
 .Xr getpeername 2
 will not work, the server will pass the peer name in the message.
 .Pp
+In all cases the file descriptor passed in the
+.Fa fd
+argument must be pointing to a valid socket so that
+.Xr blacklistd 8
+can establish ownership of the local endpoint
+using
+.Xr getsockname 2 .
+.Pp
 By default,
 .Xr syslogd 8
 is used for message logging.
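Review bot: The added paragraph says the `fd` argument "must be pointing to a valid socket" but not what a caller sees when it is not. Please document the failure mode (return value, or the report being dropped) next to this requirement, and consider "must refer to a valid socket" for the wording.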



CVS commit: src/external/bsd/blacklist/bin

2020-03-30 Thread Thomas Klausner
Module Name:    src
Committed By:   wiz
Date:   Mon Mar 30 08:45:09 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.8

Log Message:
Fix typos.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/external/bsd/blacklist/bin/blacklistd.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.8
diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.21 src/external/bsd/blacklist/bin/blacklistd.8:1.22
--- src/external/bsd/blacklist/bin/blacklistd.8:1.21	Mon Mar 30 03:02:41 2020
+++ src/external/bsd/blacklist/bin/blacklistd.8	Mon Mar 30 08:45:09 2020
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.21 2020/03/30 03:02:41 christos Exp $
+.\" $NetBSD: blacklistd.8,v 1.22 2020/03/30 08:45:09 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -68,7 +68,7 @@ Each entry contains a number of tries li
 The way
 .Nm
 does configuration entry matching is by having the client side pass the
-file dscriptor associated with the connection the client wants to blacklist
+file descriptor associated with the connection the client wants to blacklist
 as well as passing socket credentials.
 .Pp
 The file descriptor is used to retrieve information (address and port)
@@ -85,17 +85,17 @@ the port.
 By examining the optional address portion on the local side, it can match
 interfaces.
 By examining the remote address, it can match specific allow or deny rules.
-.Pp 
+.Pp
 Finally
 .Nm
 can examine the socket credentials to match the user in the configuration file.
 .Pp
 While this works well for TCP sockets, it cannot be relied on for unbound
-UDP sockets. 
+UDP sockets.
 It is also less meaningful when it comes to connections using non-privileged
 ports.
-On the other hand, if we receive a request that has a local endpoind indicating
-UDP privileged port, we can presume that the client was privileged to be
+On the other hand, if we receive a request that has a local endpoint indicating
+a UDP privileged port, we can presume that the client was privileged to be
 able to acquire that port.
 .Pp
 Once an entry is matched
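Review bot: In the last changed sentence, "a UDP privileged port" would read more naturally as "a privileged UDP port", and "Finally" a few lines above it is still missing its comma. Both could be folded into this typo pass.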



CVS commit: src/external/bsd/blacklist/bin

2020-03-29 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Mon Mar 30 03:02:41 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.8

Log Message:
Explain how configuration matching is done.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/external/bsd/blacklist/bin/blacklistd.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.8
diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.20 src/external/bsd/blacklist/bin/blacklistd.8:1.21
--- src/external/bsd/blacklist/bin/blacklistd.8:1.20	Wed Nov  6 18:17:37 2019
+++ src/external/bsd/blacklist/bin/blacklistd.8	Sun Mar 29 23:02:41 2020
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.20 2019/11/06 23:17:37 wiz Exp $
+.\" $NetBSD: blacklistd.8,v 1.21 2020/03/30 03:02:41 christos Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 6, 2019
+.Dd March 29, 2020
 .Dt BLACKLISTD 8
 .Os
 .Sh NAME
@@ -65,6 +65,42 @@ with syntax specified in
 If an entry is matched, a state entry is created for that tuple.
 Each entry contains a number of tries limit and a duration.
 .Pp
+The way
+.Nm
+does configuration entry matching is by having the client side pass the
+file dscriptor associated with the connection the client wants to blacklist
+as well as passing socket credentials.
+.Pp
+The file descriptor is used to retrieve information (address and port)
+about the remote side with
+.Xr getpeername 2
+and the local side with
+.Xr getsockname 2 .
+.Pp
+By examining the port of the local side,
+.Nm
+can determine if the client program
+.Dq owns
+the port.
+By examining the optional address portion on the local side, it can match
+interfaces.
+By examining the remote address, it can match specific allow or deny rules.
+.Pp 
+Finally
+.Nm
+can examine the socket credentials to match the user in the configuration file.
+.Pp
+While this works well for TCP sockets, it cannot be relied on for unbound
+UDP sockets. 
+It is also less meaningful when it comes to connections using non-privileged
+ports.
+On the other hand, if we receive a request that has a local endpoind indicating
+UDP privileged port, we can presume that the client was privileged to be
+able to acquire that port.
+.Pp
+Once an entry is matched
+.Nm
+can perform various actions.
 If the action is
 .Dq add
 and the number of tries limit is reached, then a
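Review bot: The paragraph on unbound UDP sockets says the lookup "cannot be relied on" there but never says what the daemon does with such a report, so a reader cannot tell whether it is matched, matched partially or rejected. Please state the behaviour. Also in this hunk: "dscriptor" and "endpoind" are misspelled, "indicating UDP privileged port" is missing an article, and the `.Pp` before "Finally" and the line ending "UDP sockets." carry trailing whitespace.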



CVS commit: src/external/bsd/blacklist/bin

2020-03-13 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Fri Mar 13 16:38:45 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: conf.c

Log Message:
Re-enable the routing perm check now that the kernel has been fixed to return
valid information.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/external/bsd/blacklist/bin/conf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/conf.c
diff -u src/external/bsd/blacklist/bin/conf.c:1.30 src/external/bsd/blacklist/bin/conf.c:1.31
--- src/external/bsd/blacklist/bin/conf.c:1.30	Thu Mar 12 15:47:32 2020
+++ src/external/bsd/blacklist/bin/conf.c	Fri Mar 13 12:38:45 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $	*/
+/*	$NetBSD: conf.c,v 1.31 2020/03/13 16:38:45 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $");
+__RCSID("$NetBSD: conf.c,v 1.31 2020/03/13 16:38:45 christos Exp $");
 
 #include 
 #ifdef HAVE_LIBUTIL_H
@@ -1006,7 +1006,7 @@ confset_match(const struct confset *cs, 
 static int
 conf_route_perm(int fd) {
 /* Disable for now, the access check in the routing socket uses curlwp */
-#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP) && 0
+#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP)
 	/*
 	 * Send a routing message that is not supported to check for access
 	 * We expect EOPNOTSUPP for having access, since we are sending a
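Review bot: The context line `/* Disable for now, the access check in the routing socket uses curlwp */` directly above the `#if` is left in place although the `&& 0` is removed, so the comment now contradicts the code. Drop it, or replace it with a note on which kernel behaviour the check depends on.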



CVS commit: src/external/bsd/blacklist/bin

2020-03-12 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Thu Mar 12 19:47:32 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: conf.c

Log Message:
Disable routing perms check for now.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/external/bsd/blacklist/bin/conf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/external/bsd/blacklist/bin/conf.c
diff -u src/external/bsd/blacklist/bin/conf.c:1.29 src/external/bsd/blacklist/bin/conf.c:1.30
--- src/external/bsd/blacklist/bin/conf.c:1.29	Thu Mar 12 15:35:11 2020
+++ src/external/bsd/blacklist/bin/conf.c	Thu Mar 12 15:47:32 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: conf.c,v 1.29 2020/03/12 19:35:11 christos Exp $	*/
+/*	$NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: conf.c,v 1.29 2020/03/12 19:35:11 christos Exp $");
+__RCSID("$NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $");
 
 #include 
 #ifdef HAVE_LIBUTIL_H
@@ -1005,7 +1005,8 @@ confset_match(const struct confset *cs, 
 #ifdef AF_ROUTE
 static int
 conf_route_perm(int fd) {
-#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP)
+/* Disable for now, the access check in the routing socket uses curlwp */
+#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP) && 0
 	/*
 	 * Send a routing message that is not supported to check for access
 	 * We expect EOPNOTSUPP for having access, since we are sending a
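Review bot: Appending `&& 0` to the `#if` compiles out the whole routing-socket access check, and the new comment gives the reason but not what conf_route_perm() returns while it is disabled. Because this function decides permission, the comment should say whether the disabled path grants or denies, and a named macro would be easier to find and re-enable than a bare `&& 0`.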



CVS commit: src/external/bsd/blacklist/bin

2020-03-12 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Thu Mar 12 19:35:11 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: conf.c

Log Message:
Handle fds that are pointing to routing sockets. If the fd has access to
make changes via the routing socket, grant full permission to make filter
changes.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/external/bsd/blacklist/bin/conf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/external/bsd/blacklist/bin/conf.c
diff -u src/external/bsd/blacklist/bin/conf.c:1.28 src/external/bsd/blacklist/bin/conf.c:1.29
--- src/external/bsd/blacklist/bin/conf.c:1.28	Thu Mar 12 07:31:23 2020
+++ src/external/bsd/blacklist/bin/conf.c	Thu Mar 12 15:35:11 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: conf.c,v 1.28 2020/03/12 11:31:23 roy Exp $	*/
+/*	$NetBSD: conf.c,v 1.29 2020/03/12 19:35:11 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: conf.c,v 1.28 2020/03/12 11:31:23 roy Exp $");
+__RCSID("$NetBSD: conf.c,v 1.29 2020/03/12 19:35:11 christos Exp $");
 
 #include 
 #ifdef HAVE_LIBUTIL_H
@@ -46,6 +46,7 @@ __RCSID("$NetBSD: conf.c,v 1.28 2020/03/
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -55,6 +56,7 @@ __RCSID("$NetBSD: conf.c,v 1.28 2020/03/
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #include "bl.h"
@@ -90,7 +92,7 @@ advance(char **p)
 }
 
 static int
-getnum(const char *f, size_t l, bool local, void *rp, const char *name,
+conf_getnum(const char *f, size_t l, bool local, void *rp, const char *name,
 const char *p)
 {
 	int e;
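Review bot: From this hunk on, the patch renames the static get* parsers to conf_get*, which is mechanical and unrelated to the routing-socket handling described in the log message. Committing the rename separately would leave the permission change as a small diff that can be reviewed on its own.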
@@ -127,13 +129,14 @@ out:
 }
 
 static int
-getnfail(const char *f, size_t l, bool local, struct conf *c, const char *p)
+conf_getnfail(const char *f, size_t l, bool local, struct conf *c,
+const char *p)
 {
-	return getnum(f, l, local, >c_nfail, "nfail", p);
+	return conf_getnum(f, l, local, >c_nfail, "nfail", p);
 }
 
 static int
-getsecs(const char *f, size_t l, bool local, struct conf *c, const char *p)
+conf_getsecs(const char *f, size_t l, bool local, struct conf *c, const char *p)
 {
 	int e;
 	char *ep;
@@ -193,7 +196,7 @@ out:
 }
 
 static int
-getport(const char *f, size_t l, bool local, void *r, const char *p)
+conf_getport(const char *f, size_t l, bool local, void *r, const char *p)
 {
 	struct servent *sv;
 
@@ -207,11 +210,11 @@ getport(const char *f, size_t l, bool lo
 		return 0;
 	}
 
-	return getnum(f, l, local, r, "service", p);
+	return conf_getnum(f, l, local, r, "service", p);
 }
 
 static int
-getmask(const char *f, size_t l, bool local, const char **p, int *mask)
+conf_getmask(const char *f, size_t l, bool local, const char **p, int *mask)
 {
 	char *d;
 	const char *s = *p;
@@ -226,11 +229,12 @@ getmask(const char *f, size_t l, bool lo
 	}
 
 	*d++ = '\0';
-	return getnum(f, l, local, mask, "mask", d);
+	return conf_getnum(f, l, local, mask, "mask", d);
 }
 
 static int
-gethostport(const char *f, size_t l, bool local, struct conf *c, const char *p)
+conf_gethostport(const char *f, size_t l, bool local, struct conf *c,
+const char *p)
 {
 	char *d;	// XXX: Ok to write to string.
 	in_port_t *port = NULL;
@@ -249,7 +253,7 @@ gethostport(const char *f, size_t l, boo
 	} else
 		pstr = p;
 
-	if (getmask(f, l, local, , >c_lmask) == -1)
+	if (conf_getmask(f, l, local, , >c_lmask) == -1)
 		goto out;
 
 	if (d) {
@@ -300,7 +304,7 @@ gethostport(const char *f, size_t l, boo
 		}
 	}
 
-	if (getport(f, l, local, >c_port, pstr) == -1)
+	if (conf_getport(f, l, local, >c_port, pstr) == -1)
 		return -1;
 
 	if (port && c->c_port != FSTAR && c->c_port != FEQUAL)
@@ -320,7 +324,7 @@ out2:
 }
 
 static int
-getproto(const char *f, size_t l, bool local __unused, struct conf *c,
+conf_getproto(const char *f, size_t l, bool local __unused, struct conf *c,
 const char *p)
 {
 	if (strcmp(p, "stream") == 0) {
@@ -331,22 +335,22 @@ getproto(const char *f, size_t l, bool l
 		c->c_proto = IPPROTO_UDP;
 		return 0;
 	}
-	return getnum(f, l, local, >c_proto, "protocol", p);
+	return conf_getnum(f, l, local, >c_proto, "protocol", p);
 }
 
 static int
-getfamily(const char *f, size_t l, bool local __unused, struct conf *c,
+conf_getfamily(const char *f, size_t l, bool local __unused, struct conf *c,
 const char *p)
 {
 	if (strncmp(p, "tcp", 3) == 0 || strncmp(p, "udp", 3) == 0) {
 		c->c_family = p[3] == '6' ? AF_INET6 : AF_INET;
 		return 0;
 	}
-	return getnum(f, l, local, >c_family, "family", p);
+	return conf_getnum(f, l, local, >c_family, "family", p);
 }
 
 static int
-getuid(const char *f, size_t l, bool local __unused, struct conf *c,
+conf_getuid(const char *f, size_t l, bool local __unused, struct conf *c,
 const char *p)
 {
 	struct passwd *pw;
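Review bot: In conf_getfamily(), carried as context here, `strncmp(p, "tcp", 3) == 0 || strncmp(p, "udp", 3) == 0` followed by `p[3] == '6'` accepts any string that merely starts with tcp or udp, so a mistyped value such as "tcp4" or "udpx" is silently taken as AF_INET. While these functions are being touched, consider comparing against the exact keywords and letting everything else fall through to conf_getnum() so that typos in the configuration are reported.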
@@ -356,15 +360,15 @@ getuid(const char *f, size_t l, bool loc
 		return 0;
 	}
 
-	return getnum(f, l, local, 

Re: CVS commit: src/external/bsd/blacklist

2020-03-12 Thread Christos Zoulas

> 
> I'll revert this for the time being.

Thanks, I am working on fixing the routing socket to have a perms check.

christos




Re: CVS commit: src/external/bsd/blacklist/bin

2020-03-12 Thread Christos Zoulas

> If we just re-add the rule, we should either get an error that it already 
> exists which we should gracefully handle or it just overwrites the existing 
> rule.
> I don't see the point in deleting something which by your logic is already 
> deleted.

Yes, we could re-add unconditionally. Is that what the code does now?

christos





CVS commit: src/external/bsd/blacklist

2020-03-12 Thread Roy Marples
Module Name:    src
Committed By:   roy
Date:   Thu Mar 12 11:31:23 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c conf.c
src/external/bsd/blacklist/lib: bl.c

Log Message:
Revert allowing fd == -1 at the request of Christos.


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/external/bsd/blacklist/bin/blacklistd.c
cvs rdiff -u -r1.27 -r1.28 src/external/bsd/blacklist/bin/conf.c
cvs rdiff -u -r1.30 -r1.31 src/external/bsd/blacklist/lib/bl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.42 src/external/bsd/blacklist/bin/blacklistd.c:1.43
--- src/external/bsd/blacklist/bin/blacklistd.c:1.42	Wed Mar 11 02:33:18 2020
+++ src/external/bsd/blacklist/bin/blacklistd.c	Thu Mar 12 11:31:23 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.43 2020/03/12 11:31:23 roy Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.43 2020/03/12 11:31:23 roy Exp $");
 
 #include 
 #include 
@@ -119,14 +119,12 @@ getremoteaddress(bl_info_t *bi, struct s
 	*rsl = sizeof(*rss);
 	memset(rss, 0, *rsl);
 
-	if (bi->bi_fd != -1) {
-		if (getpeername(bi->bi_fd, (void *)rss, rsl) != -1)
-			return 0;
-
-		if (errno != ENOTCONN) {
-			(*lfun)(LOG_ERR, "getpeername failed (%m)");
-			return -1;
-		}
+	if (getpeername(bi->bi_fd, (void *)rss, rsl) != -1)
+		return 0;
+
+	if (errno != ENOTCONN) {
+		(*lfun)(LOG_ERR, "getpeername failed (%m)");
+		return -1;
 	}
 
 	if (bi->bi_slen == 0) {

Index: src/external/bsd/blacklist/bin/conf.c
diff -u src/external/bsd/blacklist/bin/conf.c:1.27 src/external/bsd/blacklist/bin/conf.c:1.28
--- src/external/bsd/blacklist/bin/conf.c:1.27	Wed Mar 11 02:12:08 2020
+++ src/external/bsd/blacklist/bin/conf.c	Thu Mar 12 11:31:23 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: conf.c,v 1.27 2020/03/11 02:12:08 roy Exp $	*/
+/*	$NetBSD: conf.c,v 1.28 2020/03/12 11:31:23 roy Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: conf.c,v 1.27 2020/03/11 02:12:08 roy Exp $");
+__RCSID("$NetBSD: conf.c,v 1.28 2020/03/12 11:31:23 roy Exp $");
 
 #include 
 #ifdef HAVE_LIBUTIL_H
@@ -1009,14 +1009,6 @@ conf_find(int fd, uid_t uid, const struc
 	char buf[BUFSIZ];
 
 	memset(cr, 0, sizeof(*cr));
-
-	if (fd == -1) {
-		cr->c_proto = FSTAR;
-		cr->c_port = FSTAR;
-		memcpy(, rss, sizeof(lss));
-		goto done_fd;
-	}
-
 	slen = sizeof(lss);
 	memset(, 0, slen);
 	if (getsockname(fd, (void *), ) == -1) {
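Review bot: With the `fd == -1` branch gone, conf_find() again relies on getsockname() for every lookup, but nothing at the top of the function records that requirement. A short comment that fd must be a valid socket, because the local endpoint is what establishes ownership, would make it less likely that a wildcard shortcut (`cr->c_proto = FSTAR`, `cr->c_port = FSTAR`) is reintroduced later.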
@@ -1059,7 +1051,6 @@ conf_find(int fd, uid_t uid, const struc
 		return NULL;
 	}
 
-done_fd:
 	cr->c_ss = lss;
 	cr->c_lmask = FSTAR;
 	cr->c_uid = (int)uid;

Index: src/external/bsd/blacklist/lib/bl.c
diff -u src/external/bsd/blacklist/lib/bl.c:1.30 src/external/bsd/blacklist/lib/bl.c:1.31
--- src/external/bsd/blacklist/lib/bl.c:1.30	Wed Mar 11 02:12:08 2020
+++ src/external/bsd/blacklist/lib/bl.c	Thu Mar 12 11:31:23 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: bl.c,v 1.30 2020/03/11 02:12:08 roy Exp $	*/
+/*	$NetBSD: bl.c,v 1.31 2020/03/12 11:31:23 roy Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: bl.c,v 1.30 2020/03/11 02:12:08 roy Exp $");
+__RCSID("$NetBSD: bl.c,v 1.31 2020/03/12 11:31:23 roy Exp $");
 
 #include 
 #include 
@@ -384,6 +384,7 @@ bl_send(bl_t b, bl_type_t e, int pfd, co
 	if (bl_getsock(b, _ss, sa, slen, ctx) == -1)
 		return -1;
 
+
 	ub.bl.bl_salen = slen;
 	memcpy(ub.bl.bl_data, ctx, ctxlen);
 
@@ -393,17 +394,15 @@ bl_send(bl_t b, bl_type_t e, int pfd, co
 	msg.msg_iovlen = 1;
 	msg.msg_flags = 0;
 
-	if (pfd != -1) {
-		msg.msg_control = ua.ctrl;
-		msg.msg_controllen = sizeof(ua.ctrl);
-
-		cmsg = CMSG_FIRSTHDR();
-		cmsg->cmsg_len = CMSG_LEN(sizeof(int));
-		cmsg->cmsg_level = SOL_SOCKET;
-		cmsg->cmsg_type = SCM_RIGHTS;
+	msg.msg_control = ua.ctrl;
+	msg.msg_controllen = sizeof(ua.ctrl);
+
+	cmsg = CMSG_FIRSTHDR();
+	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+	cmsg->cmsg_level = SOL_SOCKET;
+	cmsg->cmsg_type = SCM_RIGHTS;
 
-		memcpy(CMSG_DATA(cmsg), , sizeof(pfd));
-	}
+	memcpy(CMSG_DATA(cmsg), , sizeof(pfd));
 
 	tried = 0;
 again:
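Review bot: With the `if (pfd != -1)` guard removed, a caller that passes pfd == -1 gets an invalid descriptor copied into the SCM_RIGHTS payload, and the problem surfaces only from the send path. An explicit check in bl_send() that rejects a negative pfd with a clear log message, before the control message is built, would make the requirement visible to callers.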
@@ -495,15 +494,14 @@ bl_recv(bl_t b)
 
 	}
 
-	if (!(got & GOT_FD))
-		bi->bi_fd = -1;
-
+	if (got != (GOT_CRED|GOT_FD)) {
+		bl_log(b->b_fun, LOG_ERR, "message missing %s %s",
 #if GOT_CRED != 0
-	if (!(got & GOT_CRED)) {
-		bl_log(b->b_fun, LOG_ERR, "message missing cred");
+		(got & GOT_CRED) == 0 ? "cred" :
+#endif
+		"", (got & GOT_FD) == 0 ? "fd" : "");
 		return NULL;
 	}
-#endif
 
 	if ((size_t)rlen <= sizeof(ub.bl)) {
 		bl_log(b->b_fun, 
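
Review bot: The restored `got != (GOT_CRED|GOT_FD)` test in bl_recv() is where a message without a descriptor is refused, but nothing next to it says why both items are mandatory. A short comment above the test stating that the passed fd and the credentials are what the daemon relies on for access control would make it harder to relax the check by accident. Minor: `"message missing %s %s"` leaves a stray space in the log line when only one of the two is absent.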

CVS commit: src/external/bsd/blacklist

2020-03-12 Thread Roy Marples
Module Name:    src
Committed By:   roy
Date:   Thu Mar 12 11:31:23 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c conf.c
src/external/bsd/blacklist/lib: bl.c

Log Message:
Revert allowing fd == -1 at the request of Christos.


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/external/bsd/blacklist/bin/blacklistd.c
cvs rdiff -u -r1.27 -r1.28 src/external/bsd/blacklist/bin/conf.c
cvs rdiff -u -r1.30 -r1.31 src/external/bsd/blacklist/lib/bl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Re: CVS commit: src/external/bsd/blacklist

2020-03-12 Thread Roy Marples

On 11/03/2020 15:02, Christos Zoulas wrote:
> In article <20200311021208.bfb5cf...@cvs.netbsd.org>,
> Roy Marples  wrote:
>> -=-=-=-=-=-
>>
>> Module Name:    src
>> Committed By:   roy
>> Date:   Wed Mar 11 02:12:08 UTC 2020
>>
>> Modified Files:
>> src/external/bsd/blacklist/bin: blacklistd.c conf.c
>> src/external/bsd/blacklist/lib: bl.c
>>
>> Log Message:
>> blacklist: Allow blacklist_sa to work with an invalid fd
>>
>> fd -1 is invalid, so don't query it for protocol, port or address.
>>
>> fd is supposed to represent how the client is connected, but if we are
>> parsing route(4) messages or log files then there is no client connection
>> to interrogate.
>
> Yes, but this (with the cmsg passed in the fd) is how we do access
> control. If you can't figure out if the remote owns the socket,
> then anyone can DoS the system by writing messages to the daemon?

I'll revert this for the time being.

Roy


Re: CVS commit: src/external/bsd/blacklist/bin

2020-03-12 Thread Roy Marples

On 11/03/2020 15:12, Christos Zoulas wrote:
> In article <20200311023318.c6a7ff...@cvs.netbsd.org>,
> Roy Marples  wrote:
>> -=-=-=-=-=-
>>
>> Module Name:    src
>> Committed By:   roy
>> Date:   Wed Mar 11 02:33:18 UTC 2020
>>
>> Modified Files:
>> src/external/bsd/blacklist/bin: blacklistd.c
>>
>> Log Message:
>> blacklist: Don't remove a ruleset if we have already added it
>>
>> The noted argument is wrong - if it's already been deleted then the id we
>> have for it is invalid.
>> Because we don't track deletions to the ruleset, working it out is
>> problematic at best.
>>
>> Instead, if we have already added the rule treat it as a non-op.
>>
>> This is a valid use case because we might receive a burst of messages
>> in the downstream application for the same address and process them
>> one by one. It's not the job of the downstream application to track
>> blacklistd state.
>
> The comment was correct. You need to consider the case where someone
> manually deleted the rule directly from the packet filter. The
> database will think it is there, but now you'll never add it again.

If we just re-add the rule, we should either get an error that it already
exists which we should gracefully handle or it just overwrites the existing
rule.

I don't see the point in deleting something which by your logic is already
deleted.

Roy


Re: CVS commit: src/external/bsd/blacklist/bin

2020-03-11 Thread Christos Zoulas
In article <20200311023318.c6a7ff...@cvs.netbsd.org>,
Roy Marples  wrote:
>-=-=-=-=-=-
>
>Module Name:   src
>Committed By:  roy
>Date:  Wed Mar 11 02:33:18 UTC 2020
>
>Modified Files:
>   src/external/bsd/blacklist/bin: blacklistd.c
>
>Log Message:
>blacklist: Don't remove a ruleset if we have already added it
>
>The noted argument is wrong - if it's already been deleted then the id we
>have for it is invalid.
>Because we don't track deletions to the ruleset, working it out is
>problematic at best.
>
>Instead, if we have already added the rule treat it as a non-op.
>
>This is a valid use case because we might receive a burst of messages
>in the downstream application for the same address and process them
>one by one. It's not the job of the downstream application to track
>blacklistd state.

The comment was correct. You need to consider the case where someone
manually deleted the rule directly from the packet filter. The
database will think it is there, but now you'll never add it again.

christos



Re: CVS commit: src/external/bsd/blacklist

2020-03-11 Thread Christos Zoulas
In article <20200311021208.bfb5cf...@cvs.netbsd.org>,
Roy Marples  wrote:
>-=-=-=-=-=-
>
>Module Name:   src
>Committed By:  roy
>Date:  Wed Mar 11 02:12:08 UTC 2020
>
>Modified Files:
>   src/external/bsd/blacklist/bin: blacklistd.c conf.c
>   src/external/bsd/blacklist/lib: bl.c
>
>Log Message:
>blacklist: Allow blacklist_sa to work with an invalid fd
>
>fd -1 is invalid, so don't query it for protocol, port or address.
>
>fd is supposed to represent how the client is connected, but if we are
>parsing route(4) messages or log files then there is no client connection
>to interrogate.

Yes, but this (with the cmsg passed in the fd) is how we do access
control. If you can't figure out if the remote owns the socket,
then anyone can DoS the system by writing messages to the daemon?

christos
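
The access-control argument in the reply above, as an added example that is not part of the thread or of blacklistd's source: a receiver that refuses any report arriving without an SCM_RIGHTS descriptor and takes the peer address from the kernel via getpeername() instead of from the payload. `struct report`, `send_report()` and `recv_report()` are hypothetical names, the 192.0.2.7 value is constructed, and the credential (GOT_CRED) side and blacklistd's ENOTCONN handling are left out.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical report layout for this example; not blacklistd's wire format. */
struct report {
	char claimed[64];		/* address text chosen by the sender */
	int fd;				/* descriptor from SCM_RIGHTS, or -1 */
	struct sockaddr_storage peer;	/* peer address as the kernel reports it */
	socklen_t peerlen;
};

union ctlbuf {				/* aligned room for one descriptor */
	struct cmsghdr hdr;
	char buf[CMSG_SPACE(sizeof(int))];
};

/* Send one report; pfd == -1 sends the payload with no control message. */
static int send_report(int chan, int pfd, const char *claimed)
{
	union ctlbuf ctl;
	char payload[64] = { 0 };
	struct iovec iov = { payload, sizeof(payload) };
	struct msghdr msg;

	strncpy(payload, claimed, sizeof(payload) - 1);
	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	if (pfd != -1) {
		struct cmsghdr *cmsg;
		memset(&ctl, 0, sizeof(ctl));
		msg.msg_control = ctl.buf;
		msg.msg_controllen = sizeof(ctl.buf);
		cmsg = CMSG_FIRSTHDR(&msg);
		cmsg->cmsg_len = CMSG_LEN(sizeof(int));
		cmsg->cmsg_level = SOL_SOCKET;
		cmsg->cmsg_type = SCM_RIGHTS;
		memcpy(CMSG_DATA(cmsg), &pfd, sizeof(pfd));
	}
	return sendmsg(chan, &msg, 0) == -1 ? -1 : 0;
}

/*
 * Receive one report. Returns 0 only if a descriptor arrived and the kernel
 * can name its peer. On -1 only the sender-chosen text in r->claimed exists,
 * and it must not be used as the address to act on.
 */
static int recv_report(int chan, struct report *r)
{
	union ctlbuf ctl;
	struct iovec iov = { r->claimed, sizeof(r->claimed) };
	struct msghdr msg;
	struct cmsghdr *cmsg;

	memset(r, 0, sizeof(*r));
	r->fd = -1;
	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = ctl.buf;
	msg.msg_controllen = sizeof(ctl.buf);
	if (recvmsg(chan, &msg, 0) == -1)
		return -1;
	r->claimed[sizeof(r->claimed) - 1] = '\0';
	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL;
	    cmsg = CMSG_NXTHDR(&msg, cmsg)) {
		if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS &&
		    cmsg->cmsg_len == CMSG_LEN(sizeof(int)))
			memcpy(&r->fd, CMSG_DATA(cmsg), sizeof(int));
	}
	if (r->fd == -1)
		return -1;		/* no descriptor: nothing to verify against */
	r->peerlen = sizeof(r->peer);
	if (getpeername(r->fd, (struct sockaddr *)&r->peer, &r->peerlen) == -1) {
		close(r->fd);		/* not a connected socket: reject */
		r->fd = -1;
		return -1;
	}
	return 0;
}

int main(void)
{
	int chan[2], conn[2];
	struct report r;

	/* chan stands in for the daemon socket, conn for the client connection. */
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, chan) == -1 ||
	    socketpair(AF_UNIX, SOCK_STREAM, 0, conn) == -1)
		return 1;
	send_report(chan[0], conn[0], "192.0.2.7");	/* constructed value */
	printf("with fd: %d\n", recv_report(chan[1], &r));
	send_report(chan[0], -1, "192.0.2.7");
	printf("without fd: %d\n", recv_report(chan[1], &r));
	return 0;
}
```

The socket pairs keep the example offline; with a real TCP client connection in place of `conn`, `r.peer` would hold the remote IP address and port as the kernel knows them.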



CVS commit: src/external/bsd/blacklist/bin

2020-03-10 Thread Roy Marples
Module Name:    src
Committed By:   roy
Date:   Wed Mar 11 02:33:18 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c

Log Message:
blacklist: Don't remove a ruleset if we have already added it

The noted argument is wrong - if it's already been deleted then the id we
have for it is invalid.
Because we don't track deletions to the ruleset, working it out is
problematic at best.

Instead, if we have already added the rule treat it as a non-op.

This is a valid use case because we might receive a burst of messages
in the downstream application for the same address and process them
one by one. It's not the job of the downstream application to track
blacklistd state.


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/external/bsd/blacklist/bin/blacklistd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.41 src/external/bsd/blacklist/bin/blacklistd.c:1.42
--- src/external/bsd/blacklist/bin/blacklistd.c:1.41	Wed Mar 11 02:12:08 2020
+++ src/external/bsd/blacklist/bin/blacklistd.c	Wed Mar 11 02:33:18 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.41 2020/03/11 02:12:08 roy Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.41 2020/03/11 02:12:08 roy Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $");
 
 #include 
 #include 
@@ -230,24 +230,19 @@ process(bl_t bl)
 	case BL_ADD:
 		dbi.count++;
 		dbi.last = ts.tv_sec;
-		if (dbi.id[0]) {
+		if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
 			/*
-			 * We should not be getting this since the rule
-			 * should have blocked the address. A possible
-			 * explanation is that someone removed that rule,
-			 * and another would be that we got another attempt
-			 * before we added the rule. In anycase, we remove
-			 * and re-add the rule because we don't want to add
-			 * it twice, because then we'd lose track of it.
+			 * No point in re-adding the rule.
+			 * It might exist already due to latency in processing
+			 * and removing the rule is the wrong thing to do as
+			 * it allows a window to attack again.
 			 */
-			(*lfun)(LOG_DEBUG, "rule exists %s", dbi.id);
-			(void)run_change("rem", , dbi.id, 0);
-			dbi.id[0] = '\0';
-		}
-		if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
-			int res = run_change("add", , dbi.id, sizeof(dbi.id));
-			if (res == -1)
-goto out;
+			if (dbi.id[0] == '\0') {
+int res = run_change("add", ,
+dbi.id, sizeof(dbi.id));
+if (res == -1)
+	goto out;
+			}
 			sockaddr_snprintf(rbuf, sizeof(rbuf), "%a",
 			(void *));
 			(*lfun)(LOG_INFO,
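
Review bot: In the BL_ADD branch, once `dbi.id[0]` is non-empty `run_change("add", ...)` is never called again, yet the `sockaddr_snprintf()` and `LOG_INFO` lines after the inner `if` still run, so the daemon keeps logging the address as blocked even if the rule has since been deleted from the packet filter by hand. Either confirm the rule still exists before skipping the add, or re-add it and treat an already-exists result as success, which is the alternative raised in the replies to this commit.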



CVS commit: src/external/bsd/blacklist

2020-03-10 Thread Roy Marples
Module Name:    src
Committed By:   roy
Date:   Wed Mar 11 02:12:08 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c conf.c
src/external/bsd/blacklist/lib: bl.c

Log Message:
blacklist: Allow blacklist_sa to work with an invalid fd

fd -1 is invalid, so don't query it for protocol, port or address.

fd is supposed to represent how the client is connected, but if we are
parsing route(4) messages or log files then there is no client connection
to interrogate.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/external/bsd/blacklist/bin/blacklistd.c
cvs rdiff -u -r1.26 -r1.27 src/external/bsd/blacklist/bin/conf.c
cvs rdiff -u -r1.29 -r1.30 src/external/bsd/blacklist/lib/bl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.40 src/external/bsd/blacklist/bin/blacklistd.c:1.41
--- src/external/bsd/blacklist/bin/blacklistd.c:1.40	Tue Mar 10 13:36:07 2020
+++ src/external/bsd/blacklist/bin/blacklistd.c	Wed Mar 11 02:12:08 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.40 2020/03/10 13:36:07 roy Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.41 2020/03/11 02:12:08 roy Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.40 2020/03/10 13:36:07 roy Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.41 2020/03/11 02:12:08 roy Exp $");
 
 #include 
 #include 
@@ -119,12 +119,14 @@ getremoteaddress(bl_info_t *bi, struct s
 	*rsl = sizeof(*rss);
 	memset(rss, 0, *rsl);
 
-	if (getpeername(bi->bi_fd, (void *)rss, rsl) != -1)
-		return 0;
-
-	if (errno != ENOTCONN) {
-		(*lfun)(LOG_ERR, "getpeername failed (%m)");
-		return -1;
+	if (bi->bi_fd != -1) {
+		if (getpeername(bi->bi_fd, (void *)rss, rsl) != -1)
+			return 0;
+
+		if (errno != ENOTCONN) {
+			(*lfun)(LOG_ERR, "getpeername failed (%m)");
+			return -1;
+		}
 	}
 
 	if (bi->bi_slen == 0) {
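
Review bot: When `bi->bi_fd == -1` the `getpeername()` call in getremoteaddress() is skipped and control falls into the `bi->bi_slen` path, so the address comes only from what the sender wrote into the message. If the fd-less case is kept it needs its own authorization check (for example on the sender's credentials) and a comment saying so, since the descriptor is otherwise what ties a report to a real connection.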

Index: src/external/bsd/blacklist/bin/conf.c
diff -u src/external/bsd/blacklist/bin/conf.c:1.26 src/external/bsd/blacklist/bin/conf.c:1.27
--- src/external/bsd/blacklist/bin/conf.c:1.26	Tue Mar 10 13:36:07 2020
+++ src/external/bsd/blacklist/bin/conf.c	Wed Mar 11 02:12:08 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: conf.c,v 1.26 2020/03/10 13:36:07 roy Exp $	*/
+/*	$NetBSD: conf.c,v 1.27 2020/03/11 02:12:08 roy Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: conf.c,v 1.26 2020/03/10 13:36:07 roy Exp $");
+__RCSID("$NetBSD: conf.c,v 1.27 2020/03/11 02:12:08 roy Exp $");
 
 #include 
 #ifdef HAVE_LIBUTIL_H
@@ -1009,6 +1009,14 @@ conf_find(int fd, uid_t uid, const struc
 	char buf[BUFSIZ];
 
 	memset(cr, 0, sizeof(*cr));
+
+	if (fd == -1) {
+		cr->c_proto = FSTAR;
+		cr->c_port = FSTAR;
+		memcpy(, rss, sizeof(lss));
+		goto done_fd;
+	}
+
 	slen = sizeof(lss);
 	memset(, 0, slen);
 	if (getsockname(fd, (void *), ) == -1) {
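
Review bot: The new `if (fd == -1)` block in conf_find() sets `c_proto` and `c_port` to `FSTAR` and copies `rss` with `sizeof(lss)`, after which `done_fd` assigns `cr->c_ss = lss`, but there is no comment explaining why `rss` stands in for the address that `getsockname()` would otherwise supply. Please document that, and what a wildcard protocol and port mean for which configuration entry ends up matching.
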
@@ -1051,6 +1059,7 @@ conf_find(int fd, uid_t uid, const struc
 		return NULL;
 	}
 
+done_fd:
 	cr->c_ss = lss;
 	cr->c_lmask = FSTAR;
 	cr->c_uid = (int)uid;

Index: src/external/bsd/blacklist/lib/bl.c
diff -u src/external/bsd/blacklist/lib/bl.c:1.29 src/external/bsd/blacklist/lib/bl.c:1.30
--- src/external/bsd/blacklist/lib/bl.c:1.29	Tue Mar 10 13:36:08 2020
+++ src/external/bsd/blacklist/lib/bl.c	Wed Mar 11 02:12:08 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: bl.c,v 1.29 2020/03/10 13:36:08 roy Exp $	*/
+/*	$NetBSD: bl.c,v 1.30 2020/03/11 02:12:08 roy Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: bl.c,v 1.29 2020/03/10 13:36:08 roy Exp $");
+__RCSID("$NetBSD: bl.c,v 1.30 2020/03/11 02:12:08 roy Exp $");
 
 #include 
 #include 
@@ -384,7 +384,6 @@ bl_send(bl_t b, bl_type_t e, int pfd, co
 	if (bl_getsock(b, _ss, sa, slen, ctx) == -1)
 		return -1;
 
-
 	ub.bl.bl_salen = slen;
 	memcpy(ub.bl.bl_data, ctx, ctxlen);
 
@@ -394,15 +393,17 @@ bl_send(bl_t b, bl_type_t e, int pfd, co
 	msg.msg_iovlen = 1;
 	msg.msg_flags = 0;
 
-	msg.msg_control = ua.ctrl;
-	msg.msg_controllen = sizeof(ua.ctrl);
-
-	cmsg = CMSG_FIRSTHDR();
-	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
-	cmsg->cmsg_level = SOL_SOCKET;
-	cmsg->cmsg_type = SCM_RIGHTS;
+	if (pfd != -1) {
+		msg.msg_control = ua.ctrl;
+		msg.msg_controllen = sizeof(ua.ctrl);
+
+		cmsg = CMSG_FIRSTHDR();
+		cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+		cmsg->cmsg_level = SOL_SOCKET;
+		cmsg->cmsg_type = SCM_RIGHTS;
 
-	memcpy(CMSG_DATA(cmsg), , sizeof(pfd));
+		memcpy(CMSG_DATA(cmsg), , sizeof(pfd));
+	}
 
 	tried = 0;
 again:
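
Review bot: With the control-message setup now inside `if (pfd != -1)`, `msg.msg_control` and `msg.msg_controllen` are assigned only on that path, while the surrounding lines set `msg_iovlen` and `msg_flags` one field at a time. Unless `msg` is zeroed earlier in bl_send(), add an `else` that sets `msg.msg_control = NULL` and `msg.msg_controllen = 0` so the send never sees stale values.
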
@@ -494,14 +495,15 @@ bl_recv(bl_t b)
 
 	}
 
-	if (got != (GOT_CRED|GOT_FD)) {
-		bl_log(b->b_fun, LOG_ERR, "message missing %s %s",
+	if (!(got & GOT_FD))
+		bi->bi_fd = -1;
+
 #if GOT_CRED != 0
-		(got & GOT_CRED) == 0 ? 

CVS commit: src/external/bsd/blacklist

2020-03-10 Thread Roy Marples
Module Name:    src
Committed By:   roy
Date:   Tue Mar 10 13:36:08 UTC 2020

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c conf.c run.c support.c
src/external/bsd/blacklist/lib: bl.c

Log Message:
Whitespace police.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/external/bsd/blacklist/bin/blacklistd.c
cvs rdiff -u -r1.25 -r1.26 src/external/bsd/blacklist/bin/conf.c
cvs rdiff -u -r1.14 -r1.15 src/external/bsd/blacklist/bin/run.c
cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/bin/support.c
cvs rdiff -u -r1.28 -r1.29 src/external/bsd/blacklist/lib/bl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.39 src/external/bsd/blacklist/bin/blacklistd.c:1.40
--- src/external/bsd/blacklist/bin/blacklistd.c:1.39	Wed Nov  6 20:50:01 2019
+++ src/external/bsd/blacklist/bin/blacklistd.c	Tue Mar 10 13:36:07 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.40 2020/03/10 13:36:07 roy Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.40 2020/03/10 13:36:07 roy Exp $");
 
 #include 
 #include 
@@ -123,7 +123,7 @@ getremoteaddress(bl_info_t *bi, struct s
 		return 0;
 
 	if (errno != ENOTCONN) {
-		(*lfun)(LOG_ERR, "getpeername failed (%m)"); 
+		(*lfun)(LOG_ERR, "getpeername failed (%m)");
 		return -1;
 	}
 
@@ -141,13 +141,13 @@ getremoteaddress(bl_info_t *bi, struct s
 		break;
 	default:
 		(*lfun)(LOG_ERR, "bad client passed socket family %u",
-		(unsigned)bi->bi_ss.ss_family); 
+		(unsigned)bi->bi_ss.ss_family);
 		return -1;
 	}
 
 	if (*rsl != bi->bi_slen) {
 		(*lfun)(LOG_ERR, "bad client passed socket length %u != %u",
-		(unsigned)*rsl, (unsigned)bi->bi_slen); 
+		(unsigned)*rsl, (unsigned)bi->bi_slen);
 		return -1;
 	}
 
@@ -157,7 +157,7 @@ getremoteaddress(bl_info_t *bi, struct s
 	if (*rsl != rss->ss_len) {
 		(*lfun)(LOG_ERR,
 		"bad client passed socket internal length %u != %u",
-		(unsigned)*rsl, (unsigned)rss->ss_len); 
+		(unsigned)*rsl, (unsigned)rss->ss_len);
 		return -1;
 	}
 #endif
@@ -176,12 +176,12 @@ process(bl_t bl)
 	struct timespec ts;
 
 	if (clock_gettime(CLOCK_REALTIME, ) == -1) {
-		(*lfun)(LOG_ERR, "clock_gettime failed (%m)"); 
+		(*lfun)(LOG_ERR, "clock_gettime failed (%m)");
 		return;
 	}
 
 	if ((bi = bl_recv(bl)) == NULL) {
-		(*lfun)(LOG_ERR, "no message (%m)"); 
+		(*lfun)(LOG_ERR, "no message (%m)");
 		return;
 	}
 
@@ -251,7 +251,6 @@ process(bl_t bl)
 			(*lfun)(LOG_INFO,
 			"blocked %s/%d:%d for %d seconds",
 			rbuf, c.c_lmask, c.c_port, c.c_duration);
-
 		}
 		break;
 	case BL_DELETE:
@@ -264,7 +263,7 @@ process(bl_t bl)
 		/* ignore for now */
 		break;
 	default:
-		(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
+		(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
 	}
 	state_put(state, , );
 
@@ -306,7 +305,7 @@ update(void)
 	void *ss = _ss;
 
 	if (clock_gettime(CLOCK_REALTIME, ) == -1) {
-		(*lfun)(LOG_ERR, "clock_gettime failed (%m)"); 
+		(*lfun)(LOG_ERR, "clock_gettime failed (%m)");
 		return;
 	}
 

Index: src/external/bsd/blacklist/bin/conf.c
diff -u src/external/bsd/blacklist/bin/conf.c:1.25 src/external/bsd/blacklist/bin/conf.c:1.26
--- src/external/bsd/blacklist/bin/conf.c:1.25	Wed Nov  6 21:01:17 2019
+++ src/external/bsd/blacklist/bin/conf.c	Tue Mar 10 13:36:07 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: conf.c,v 1.25 2019/11/06 21:01:17 christos Exp $	*/
+/*	$NetBSD: conf.c,v 1.26 2020/03/10 13:36:07 roy Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: conf.c,v 1.25 2019/11/06 21:01:17 christos Exp $");
+__RCSID("$NetBSD: conf.c,v 1.26 2020/03/10 13:36:07 roy Exp $");
 
 #include 
 #ifdef HAVE_LIBUTIL_H
@@ -173,9 +173,9 @@ again:
 			}
 			break;
 		}
-	} else	
+	} else
 		tot = im;
-			
+
 	if (e == 0) {
 		c->c_duration = (int)tot;
 		return 0;
@@ -214,7 +214,7 @@ static int
 getmask(const char *f, size_t l, bool local, const char **p, int *mask)
 {
 	char *d;
-	const char *s = *p; 
+	const char *s = *p;
 
 	if ((d = strchr(s, ':')) != NULL) {
 		*d++ = '\0';
@@ -264,7 +264,7 @@ gethostport(const char *f, size_t l, boo
 			sin6->sin6_len = sizeof(*sin6);
 #endif
 			port = >sin6_port;
-		} 
+		}
 	} else if (pstr != p || strchr(p, '.') || conf_is_interface(p)) {
 		if (pstr == p)
 			pstr = "*";
@@ -366,11 +366,12 @@ getname(const char *f, size_t l, bool lo
 {
 	if (getmask(f, l, local, , >c_rmask) == -1)
 		return -1;
-		
+
 	if (strcmp(p, "*") == 0) {
 		strlcpy(c->c_name, rulename, CONFNAMESZ);
 		return 0;
 	}
+
 	if (strcmp(p, 

CVS commit: src/external/bsd/blacklist/lib

2019-11-11 Thread Tobias Nygren
Module Name:    src
Committed By:   tnn
Date:   Mon Nov 11 09:24:56 UTC 2019

Modified Files:
src/external/bsd/blacklist/lib: blacklist.c

Log Message:
silence sign-conversion warning from clang


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/lib/blacklist.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/lib/blacklist.c
diff -u src/external/bsd/blacklist/lib/blacklist.c:1.6 src/external/bsd/blacklist/lib/blacklist.c:1.7
--- src/external/bsd/blacklist/lib/blacklist.c:1.6	Wed Nov  6 20:50:01 2019
+++ src/external/bsd/blacklist/lib/blacklist.c	Mon Nov 11 09:24:56 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $	*/
+/*	$NetBSD: blacklist.c,v 1.7 2019/11/11 09:24:56 tnn Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $");
+__RCSID("$NetBSD: blacklist.c,v 1.7 2019/11/11 09:24:56 tnn Exp $");
 
 #include 
 #include 
@@ -61,7 +61,7 @@ int
 blacklist_sa_r(struct blacklist *bl, int action, int rfd,
 	const struct sockaddr *sa, socklen_t slen, const char *msg)
 {
-	int internal_action;
+	bl_type_t internal_action;
 
 	/* internal values are not the same as user application values */
 	switch (action) {



CVS commit: src/external/bsd/blacklist/bin

2019-11-06 Thread Thomas Klausner
Module Name:    src
Committed By:   wiz
Date:   Wed Nov  6 23:17:37 UTC 2019

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.8

Log Message:
Add missing El. Use more markup.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/external/bsd/blacklist/bin/blacklistd.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.8
diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.19 src/external/bsd/blacklist/bin/blacklistd.8:1.20
--- src/external/bsd/blacklist/bin/blacklistd.8:1.19	Wed Nov  6 20:29:46 2019
+++ src/external/bsd/blacklist/bin/blacklistd.8	Wed Nov  6 23:17:37 2019
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.19 2019/11/06 20:29:46 christos Exp $
+.\" $NetBSD: blacklistd.8,v 1.20 2019/11/06 23:17:37 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -197,23 +197,24 @@ diagnostic messages to
 .Dv stdout
 instead of
 .Xr syslogd 8 .
+.El
 .Sh SIGNAL HANDLING
 .Nm
 deals with the following signals:
 .Bl -tag -width "USR2"
-.It HUP
+.It Dv HUP
 Receipt of this signal causes
 .Nm
 to re-read the configuration file.
-.It INT, TERM & QUIT
+.It Dv INT , Dv TERM & Dv QUIT
 These signals tell
 .Nm
 to exit in an orderly fashion.
-.It USR1
+.It Dv USR1
 This signal tells
 .Nm
 to increase the internal debugging level by 1.
-.It USR2
+.It Dv USR2
 This signal tells
 .Nm
 to decrease the internal debugging level by 1.



CVS commit: src/external/bsd/blacklist/bin

2019-11-06 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Wed Nov  6 21:01:18 UTC 2019

Modified Files:
src/external/bsd/blacklist/bin: conf.c

Log Message:
Ordinarily, the continue clause of the for-loop would free 'line.'  In this
case we instead return early, missing the free.  Add an explicit free to
avoid the leak. Found via coverity.

From Conrad Meyer @ FreeBSD r331230


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/external/bsd/blacklist/bin/conf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/conf.c
diff -u src/external/bsd/blacklist/bin/conf.c:1.24 src/external/bsd/blacklist/bin/conf.c:1.25
--- src/external/bsd/blacklist/bin/conf.c:1.24	Mon Apr  4 11:52:56 2016
+++ src/external/bsd/blacklist/bin/conf.c	Wed Nov  6 16:01:17 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $	*/
+/*	$NetBSD: conf.c,v 1.25 2019/11/06 21:01:17 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: conf.c,v 1.25 2019/11/06 21:01:17 christos Exp $");
 
 #include 
 #ifdef HAVE_LIBUTIL_H
@@ -1119,6 +1119,7 @@ conf_parse(const char *f)
 confset_free();
 confset_free();
 fclose(fp);
+free(line);
 return;
 			}
 		}



CVS commit: src/external/bsd/blacklist

2019-11-06 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Wed Nov  6 20:50:01 UTC 2019

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c
src/external/bsd/blacklist/include: bl.h blacklist.h
src/external/bsd/blacklist/lib: blacklist.c libblacklist.3

Log Message:
The original blacklist library supported two operations - a
notification of a failed auth attempt, and a notification of a
successful auth attempt.

Implements a third option - notification of abusive behavior, and
accepts, but does not act on a fourth type - "bad username". It is
envisioned that a system administrator will configure a small list
of "known bad usernames" that should be blocked immediately.

From Kurt Lidl @ FreeBSD


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/external/bsd/blacklist/bin/blacklistd.c
cvs rdiff -u -r1.13 -r1.14 src/external/bsd/blacklist/include/bl.h
cvs rdiff -u -r1.3 -r1.4 src/external/bsd/blacklist/include/blacklist.h
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/lib/blacklist.c
cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/lib/libblacklist.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.38 src/external/bsd/blacklist/bin/blacklistd.c:1.39
--- src/external/bsd/blacklist/bin/blacklistd.c:1.38	Tue Feb 26 21:20:18 2019
+++ src/external/bsd/blacklist/bin/blacklistd.c	Wed Nov  6 15:50:01 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $");
 
 #include 
 #include 
@@ -214,6 +214,17 @@ process(bl_t bl)
 	}
 
 	switch (bi->bi_type) {
+	case BL_ABUSE:
+		/*
+		 * If the application has signaled abusive behavior,
+		 * set the number of fails to be one less than the
+		 * configured limit.  Fallthrough to the normal BL_ADD
+		 * processing, which will increment the failure count
+		 * to the threshhold, and block the abusive address.
+		 */
+		if (c.c_nfail != -1)
+			dbi.count = c.c_nfail - 1;
+		/*FALLTHROUGH*/
 	case BL_ADD:
 		dbi.count++;
 		dbi.last = ts.tv_sec;
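
Review bot: The new comment in `case BL_ABUSE` spells "threshhold"; it should read "threshold". The comment should also say that `dbi.count = c.c_nfail - 1` overwrites whatever count was already recorded for the address, since that is not obvious from the fallthrough alone.
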
@@ -249,6 +260,9 @@ process(bl_t bl)
 		dbi.count = 0;
 		dbi.last = 0;
 		break;
+	case BL_BADUSER:
+		/* ignore for now */
+		break;
 	default:
 		(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
 	}
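
Review bot: `case BL_BADUSER` drops the event silently, so an application sending the new type cannot tell from the daemon's output that nothing was done with it. A `LOG_DEBUG` line in this case, next to the `/* ignore for now */` comment, would make that visible until the type is implemented.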

Index: src/external/bsd/blacklist/include/bl.h
diff -u src/external/bsd/blacklist/include/bl.h:1.13 src/external/bsd/blacklist/include/bl.h:1.14
--- src/external/bsd/blacklist/include/bl.h:1.13	Fri Mar 11 12:16:40 2016
+++ src/external/bsd/blacklist/include/bl.h	Wed Nov  6 15:50:01 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: bl.h,v 1.13 2016/03/11 17:16:40 christos Exp $	*/
+/*	$NetBSD: bl.h,v 1.14 2019/11/06 20:50:01 christos Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -40,7 +40,9 @@
 typedef enum {
 	BL_INVALID,
 	BL_ADD,
-	BL_DELETE
+	BL_DELETE,
+	BL_ABUSE,
+	BL_BADUSER
 } bl_type_t;
 
 typedef struct {

Index: src/external/bsd/blacklist/include/blacklist.h
diff -u src/external/bsd/blacklist/include/blacklist.h:1.3 src/external/bsd/blacklist/include/blacklist.h:1.4
--- src/external/bsd/blacklist/include/blacklist.h:1.3	Fri Jan 23 13:48:56 2015
+++ src/external/bsd/blacklist/include/blacklist.h	Wed Nov  6 15:50:01 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklist.h,v 1.3 2015/01/23 18:48:56 christos Exp $	*/
+/*	$NetBSD: blacklist.h,v 1.4 2019/11/06 20:50:01 christos Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -43,4 +43,13 @@ int blacklist_sa_r(struct blacklist *, i
 const struct sockaddr *, socklen_t, const char *);
 __END_DECLS
 
+/* action values for user applications */
+#define BLACKLIST_API_ENUM	1
+enum {
+BLACKLIST_AUTH_OK = 0,
+BLACKLIST_AUTH_FAIL,
+BLACKLIST_ABUSIVE_BEHAVIOR,
+BLACKLIST_BAD_USER
+};
+
 #endif /* _BLACKLIST_H */
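
Review bot: the new action enum is numbered differently from bl_type_t in bl.h (BLACKLIST_ABUSIVE_BEHAVIOR is 2 and BLACKLIST_BAD_USER is 3, while BL_ABUSE is 3 and BL_BADUSER is 4), and nothing here says the two are not interchangeable. A comment stating that these values are translated by the library rather than passed through, plus a line on what BLACKLIST_API_ENUM is for (callers testing for the enum at compile time), would prevent someone passing one set where the other is expected. The enum also sits after __END_DECLS; moving it above the prototypes would read better.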

Index: src/external/bsd/blacklist/lib/blacklist.c
diff -u src/external/bsd/blacklist/lib/blacklist.c:1.5 src/external/bsd/blacklist/lib/blacklist.c:1.6
--- src/external/bsd/blacklist/lib/blacklist.c:1.5	Thu Jan 22 11:19:53 2015
+++ src/external/bsd/blacklist/lib/blacklist.c	Wed Nov  6 15:50:01 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $	*/
+/*	$NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $");
+__RCSID("$NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $");
 
 #include 
 #include 
@@ 

CVS commit: src/external/bsd/blacklist/bin

2019-11-06 Thread Lars Reichardt
Module Name:src
Committed By:   para
Date:   Wed Nov  6 20:33:30 UTC 2019

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.conf.5

Log Message:
fix stupid typo...


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/bin/blacklistd.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.conf.5
diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.8 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.9
--- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.8	Wed Nov  6 20:29:41 2019
+++ src/external/bsd/blacklist/bin/blacklistd.conf.5	Wed Nov  6 20:33:30 2019
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.conf.5,v 1.8 2019/11/06 20:29:41 para Exp $
+.\" $NetBSD: blacklistd.conf.5,v 1.9 2019/11/06 20:33:30 para Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -36,7 +36,7 @@
 .Sh DESCRIPTION
 The
 .Nm
-files contain configuration entries for
+file contains configuration entries for
 .Xr blacklistd 8
 in a fashion similar to
 .Xr inetd.conf 5 .



CVS commit: src/external/bsd/blacklist/bin

2019-11-06 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Nov  6 20:29:46 UTC 2019

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.8

Log Message:
Add signal documentation from Kurt Lidl @ FreeBSD
s/don't/do not/


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/external/bsd/blacklist/bin/blacklistd.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.8
diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.18 src/external/bsd/blacklist/bin/blacklistd.8:1.19
--- src/external/bsd/blacklist/bin/blacklistd.8:1.18	Sat Jul 30 02:09:29 2016
+++ src/external/bsd/blacklist/bin/blacklistd.8	Wed Nov  6 15:29:46 2019
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.18 2016/07/30 06:09:29 dholland Exp $
+.\" $NetBSD: blacklistd.8,v 1.19 2019/11/06 20:29:46 christos Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 7, 2016
+.Dd November 6, 2019
 .Dt BLACKLISTD 8
 .Os
 .Sh NAME
@@ -178,7 +178,7 @@ Specify the default rule name for the pa
 .It Fl r
 Re-read the firewall rules from the internal database, then
 remove and re-add them.
-This helps for packet filters that don't retain state across reboots.
+This helps for packet filters that do not retain state across reboots.
 .It Fl s Ar sockpath
 Add
 .Ar sockpath
@@ -197,6 +197,26 @@ diagnostic messages to
 .Dv stdout
 instead of
 .Xr syslogd 8 .
+.Sh SIGNAL HANDLING
+.Nm
+deals with the following signals:
+.Bl -tag -width "USR2"
+.It HUP
+Receipt of this signal causes
+.Nm
+to re-read the configuration file.
+.It INT, TERM & QUIT
+These signals tell
+.Nm
+to exit in an orderly fashion.
+.It USR1
+This signal tells
+.Nm
+to increase the internal debugging level by 1.
+.It USR2
+This signal tells
+.Nm
+to decrease the internal debugging level by 1.
 .El
 .Sh FILES
 .Bl -tag -width /libexec/blacklistd-helper -compact
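
Review bot: the new SIGNAL HANDLING list uses bare tags (`.It HUP`, `.It INT, TERM & QUIT`) with `-width "USR2"`, which is narrower than the longest tag and leaves the signal names without markup. Using `.It Dv SIGHUP` and so on, with a width that fits the widest tag, would match the `.Dv` usage in the surrounding context. The HUP entry should also say whether addresses that are already blocked are re-evaluated against the re-read configuration or left as they are.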



CVS commit: src/external/bsd/blacklist/bin

2019-11-06 Thread Lars Reichardt
Module Name:src
Committed By:   para
Date:   Wed Nov  6 20:29:42 UTC 2019

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.conf.5

Log Message:
blacklistd.conf.5: pluralization fix

(as currently committed in FreeBSD)


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/bin/blacklistd.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.conf.5
diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.7 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.8
--- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.7	Wed Jun  7 13:50:57 2017
+++ src/external/bsd/blacklist/bin/blacklistd.conf.5	Wed Nov  6 20:29:41 2019
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.conf.5,v 1.7 2017/06/07 13:50:57 wiz Exp $
+.\" $NetBSD: blacklistd.conf.5,v 1.8 2019/11/06 20:29:41 para Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -36,7 +36,7 @@
 .Sh DESCRIPTION
 The
 .Nm
-files contains configuration entries for
+files contain configuration entries for
 .Xr blacklistd 8
 in a fashion similar to
 .Xr inetd.conf 5 .



CVS commit: src/external/bsd/blacklist/lib

2019-03-08 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Mar  8 20:40:05 UTC 2019

Modified Files:
src/external/bsd/blacklist/lib: Makefile

Log Message:
We don't need to depend on pthreads.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/lib/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/lib/Makefile
diff -u src/external/bsd/blacklist/lib/Makefile:1.6 src/external/bsd/blacklist/lib/Makefile:1.7
--- src/external/bsd/blacklist/lib/Makefile:1.6	Tue Jan  5 08:07:46 2016
+++ src/external/bsd/blacklist/lib/Makefile	Fri Mar  8 15:40:05 2019
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.6 2016/01/05 13:07:46 christos Exp $
+# $NetBSD: Makefile,v 1.7 2019/03/08 20:40:05 christos Exp $
 
 .include 
 
 USE_SHLIBDIR=   yes
 
 CPPFLAGS+=-D_REENTRANT
-LIBDPLIBS+=pthread ${NETBSDSRCDIR}/lib/libpthread
+#LIBDPLIBS+=pthread ${NETBSDSRCDIR}/lib/libpthread
 LIB=blacklist
 SRCS=bl.c blacklist.c
 MAN=libblacklist.3
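
Review bot: the LIBDPLIBS line is commented out rather than deleted, and `CPPFLAGS+=-D_REENTRANT` is left in place with no explanation now that the library no longer links against pthread. Either remove the dead line, or add a one-line comment saying why -D_REENTRANT is still wanted without the pthread dependency.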



CVS commit: src/external/bsd/blacklist/bin

2019-02-26 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb 27 02:20:19 UTC 2019

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c

Log Message:
Instead of deleting the rules individually use flush to kill them all at
once for efficiency. Also when restoring, don't nuke the database
(Phil Rulon).


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/external/bsd/blacklist/bin/blacklistd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.37 src/external/bsd/blacklist/bin/blacklistd.c:1.38
--- src/external/bsd/blacklist/bin/blacklistd.c:1.37	Fri Feb 17 19:26:16 2017
+++ src/external/bsd/blacklist/bin/blacklistd.c	Tue Feb 26 21:20:18 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $");
 
 #include 
 #include 
@@ -394,7 +394,6 @@ rules_restore(void)
 	for (f = 1; state_iterate(state, , , f) == 1; f = 0) {
 		if (dbi.id[0] == '\0')
 			continue;
-		(void)run_change("rem", , dbi.id, 0);
 		(void)run_change("add", , dbi.id, sizeof(dbi.id));
 	}
 }
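
Review bot: with the `run_change("rem", ...)` call removed, rules_restore() now only works if the packet filter was flushed beforehand, and nothing in the function states that precondition. A comment above rules_restore() saying the caller must have run rules_flush() would stop a later caller from re-adding rules that are still installed.
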
@@ -491,7 +490,8 @@ main(int argc, char *argv[])
 	conf_parse(configfile);
 	if (flush) {
 		rules_flush();
-		flags |= O_TRUNC;
+		if (!restore)
+			flags |= O_TRUNC;
 	}
 
 	struct pollfd *pfd = NULL;
@@ -522,8 +522,11 @@ main(int argc, char *argv[])
 	if (state == NULL)
 		return EXIT_FAILURE;
 
-	if (restore)
+	if (restore) {
+		if (!flush)
+			rules_flush();
 		rules_restore();
+	}
 
 	if (!debug) {
 		if (daemon(0, 0) == -1)
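
Review bot: in the restore path, rules_flush() followed by rules_restore() removes every block before the first one is re-added, so all previously blocked addresses are unfiltered until the loop in rules_restore() finishes. The old per-address rem/add kept that gap to one address at a time. If the trade-off is intended for speed, say so in a comment here and in the description of the restore option in blacklistd.8, which still reads "remove and re-add them".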



CVS commit: src/external/bsd/blacklist/bin

2018-09-18 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Sep 18 22:12:19 UTC 2018

Modified Files:
src/external/bsd/blacklist/bin: support.c

Log Message:
fix ymdhms calculation


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/bin/support.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/support.c
diff -u src/external/bsd/blacklist/bin/support.c:1.8 src/external/bsd/blacklist/bin/support.c:1.9
--- src/external/bsd/blacklist/bin/support.c:1.8	Mon Apr  4 11:52:56 2016
+++ src/external/bsd/blacklist/bin/support.c	Tue Sep 18 18:12:19 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: support.c,v 1.8 2016/04/04 15:52:56 christos Exp $	*/
+/*	$NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: support.c,v 1.8 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $");
 
 #include 
 #include 
@@ -105,12 +105,16 @@ fmtydhms(char *b, size_t l, time_t t)
 
 	s = t % 60;
 	t /= 60;
+
 	m = t % 60;
 	t /= 60;
-	h = t % 60;
+
+	h = t % 24;
 	t /= 24;
-	d = t % 24;
-	t /= 356;
+
+	d = t % 365;
+	t /= 365;
+
 	y = t;
 
 	z = 0;
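
Review bot: fmtydhms() still takes no account of a negative t, and blacklistctl.c calls it with `c.c_duration - (ts.tv_sec - dbi.last)`, which goes below zero once a block has outlived its duration. In C the `%` results are then negative, so the formatted fields come out negative as well. Clamping at the top with `if (t < 0) t = 0;` would fix that, and a one-line comment that a year is counted as 365 days would document the divisor that was wrong before this change.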



CVS commit: src/external/bsd/blacklist/bin

2018-05-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu May 24 19:21:01 UTC 2018

Modified Files:
src/external/bsd/blacklist/bin: blacklistctl.c

Log Message:
One more possible star.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/external/bsd/blacklist/bin/blacklistctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistctl.c
diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.22 src/external/bsd/blacklist/bin/blacklistctl.c:1.23
--- src/external/bsd/blacklist/bin/blacklistctl.c:1.22	Thu May 24 15:19:37 2018
+++ src/external/bsd/blacklist/bin/blacklistctl.c	Thu May 24 15:21:01 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $	*/
+/*	$NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: blacklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $");
 
 #include 
 #include 
@@ -160,7 +160,8 @@ main(int argc, char *argv[])
 			else
 fmttime(buf, sizeof(buf), dbi.last);
 		}
-		printf("%s\t%d/%d\t%-s\n", dbi.id, dbi.count, c.c_nfail, buf);
+		printf("%s\t%d/%s\t%-s\n", dbi.id, dbi.count,
+		star(mbuf, sizeof(mbuf), c.c_nfail), buf);
 	}
 	state_close(db);
 	return EXIT_SUCCESS;



CVS commit: src/external/bsd/blacklist/bin

2018-05-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu May 24 19:19:37 UTC 2018

Modified Files:
src/external/bsd/blacklist/bin: blacklistctl.c

Log Message:
handle '*' entries in rules.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/external/bsd/blacklist/bin/blacklistctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistctl.c
diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.21 src/external/bsd/blacklist/bin/blacklistctl.c:1.22
--- src/external/bsd/blacklist/bin/blacklistctl.c:1.21	Tue Nov  1 23:15:07 2016
+++ src/external/bsd/blacklist/bin/blacklistctl.c	Thu May 24 15:19:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $	*/
+/*	$NetBSD: blacklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $");
 
 #include 
 #include 
@@ -67,6 +67,15 @@ usage(int c)
 	exit(EXIT_FAILURE);
 }
 
+static const char *
+star(char *buf, size_t len, int val)
+{
+	if (val == -1)
+		return "*";
+	snprintf(buf, len, "%d", val);
+	return buf;
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -128,9 +137,10 @@ main(int argc, char *argv[])
 		"address", remain ? "remaining time" : "last access");
 	for (i = 1; state_iterate(db, , , i) != 0; i = 0) {
 		char buf[BUFSIZ];
+		char mbuf[64], pbuf[64];
 		if (!all) {
 			if (blocked) {
-if (dbi.count < c.c_nfail)
+if (c.c_nfail == -1 || dbi.count < c.c_nfail)
 	continue;
 			} else {
 if (dbi.count >= c.c_nfail)
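
Review bot: only the `blocked` branch was taught about the -1 wildcard; the else branch still tests `dbi.count >= c.c_nfail`, which is true for any non-negative count when c_nfail is -1. Entries matched by a '*' nfail rule are therefore skipped in both the blocked and the not-blocked listing and appear only with `all`. Changing the else test to `if (c.c_nfail != -1 && dbi.count >= c.c_nfail)` makes the two branches complementary.
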
@@ -138,12 +148,18 @@ main(int argc, char *argv[])
 			}
 		}
 		sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)_ss);
-		printf("%*.*s/%d:%d\t", wide, wide, buf, c.c_lmask, c.c_port);
-		if (remain)
-			fmtydhms(buf, sizeof(buf),
-			c.c_duration - (ts.tv_sec - dbi.last));
-		else
-			fmttime(buf, sizeof(buf), dbi.last);
+		printf("%*.*s/%s:%s\t", wide, wide, buf,
+		star(mbuf, sizeof(mbuf), c.c_lmask),
+		star(pbuf, sizeof(pbuf), c.c_port));
+		if (c.c_duration == -1) {
+			strlcpy(buf, "never", sizeof(buf));
+		} else {
+			if (remain)
+fmtydhms(buf, sizeof(buf),
+c.c_duration - (ts.tv_sec - dbi.last));
+			else
+fmttime(buf, sizeof(buf), dbi.last);
+		}
 		printf("%s\t%d/%d\t%-s\n", dbi.id, dbi.count, c.c_nfail, buf);
 	}
 	state_close(db);
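
Review bot: the `c.c_duration == -1` test wraps both the `remain` and the last-access branch, so when the remaining time was not requested the column headed "last access" prints "never" instead of the time in dbi.last. Moving the test inside `if (remain)` keeps "never" for the remaining-time view only. The unchanged printf below still formats c_nfail with `%d` and will show -1 for a '*' rule; it should go through star() like c_lmask and c_port.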



CVS commit: src/external/bsd/blacklist/diff

2018-05-23 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed May 23 16:03:07 UTC 2018

Modified Files:
src/external/bsd/blacklist/diff: ssh.diff

Log Message:
refresh the diffs to the latest portable


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/diff/ssh.diff

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/diff/ssh.diff
diff -u src/external/bsd/blacklist/diff/ssh.diff:1.9 src/external/bsd/blacklist/diff/ssh.diff:1.10
--- src/external/bsd/blacklist/diff/ssh.diff:1.9	Mon Jun 26 13:12:05 2017
+++ src/external/bsd/blacklist/diff/ssh.diff	Wed May 23 12:03:07 2018
@@ -62,174 +62,89 @@ diff -u -u -r1.10 Makefile
 +
 +LDADD+=	-lblacklist
 +DPADD+=	${LIBBLACKLIST}
-Index: dist/auth.c
-===
-RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
-retrieving revision 1.10
-diff -u -u -r1.10 auth.c
 dist/auth.c	19 Oct 2014 16:30:58 -	1.10
-+++ dist/auth.c	22 Jan 2015 21:39:22 -
-@@ -62,6 +62,7 @@
- #include "monitor_wrap.h"
- #include "krl.h"
- #include "compat.h"
-+#include "pfilter.h"
- 
- #ifdef HAVE_LOGIN_CAP
- #include 
-@@ -362,6 +363,8 @@
- 	compat20 ? "ssh2" : "ssh1",
- 	authctxt->info != NULL ? ": " : "",
- 	authctxt->info != NULL ? authctxt->info : "");
-+	if (!authctxt->postponed)
-+		pfilter_notify(!authenticated);
- 	free(authctxt->info);
- 	authctxt->info = NULL;
- }
-Index: dist/sshd.c
-===
-RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
-retrieving revision 1.15
-diff -u -u -r1.15 sshd.c
 dist/sshd.c	28 Oct 2014 21:36:16 -	1.15
-+++ dist/sshd.c	22 Jan 2015 21:39:22 -
-@@ -109,6 +109,7 @@
- #include "roaming.h"
- #include "ssh-sandbox.h"
- #include "version.h"
-+#include "pfilter.h"
- 
- #ifdef LIBWRAP
- #include 
-@@ -364,6 +365,7 @@
- 		killpg(0, SIGTERM);
- 	}
- 
-+	pfilter_notify(1);
- 	/* Log error and exit. */
- 	sigdie("Timeout before authentication for %s", get_remote_ipaddr());
- }
-@@ -1160,6 +1162,7 @@
- 	for (i = 0; i < options.max_startups; i++)
- 		startup_pipes[i] = -1;
- 
-+	pfilter_init();
- 	/*
- 	 * Stay listening for connections until the system crashes or
- 	 * the daemon is killed with a signal.
-Index: auth1.c
-===
-RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
-retrieving revision 1.9
-diff -u -u -r1.9 auth1.c
 auth1.c	19 Oct 2014 16:30:58 -	1.9
-+++ auth1.c	14 Feb 2015 15:40:51 -
-@@ -41,6 +41,7 @@
+diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c
+--- openssh-7.7p1/auth-pam.c	2018-04-02 01:38:28.0 -0400
 dist/auth-pam.c	2018-05-23 11:56:22.206661484 -0400
+@@ -103,6 +103,7 @@
+ #include "ssh-gss.h"
  #endif
  #include "monitor_wrap.h"
- #include "buffer.h"
 +#include "pfilter.h"
  
- /* import */
  extern ServerOptions options;
-@@ -445,6 +446,7 @@
- 	else {
- 		debug("do_authentication: invalid user %s", user);
- 		authctxt->pw = fakepw();
-+		pfilter_notify(1);
- 	}
+ extern Buffer loginmsg;
+@@ -526,6 +527,7 @@
+ 		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, );
+ 	else
+ 		ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, );
++	pfilter_notify(1);
+ 	buffer_free();
+ 	pthread_exit(NULL);
  
- 	/* Configuration may have changed as a result of Match */
-Index: auth2.c
-===
-RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
-retrieving revision 1.9
-diff -u -u -r1.9 auth2.c
 auth2.c	19 Oct 2014 16:30:58 -	1.9
-+++ auth2.c	14 Feb 2015 15:40:51 -
-@@ -52,6 +52,7 @@
+@@ -804,6 +806,7 @@
+ free(msg);
+ return (0);
+ 			}
++			pfilter_notify(1);
+ 			error("PAM: %s for %s%.100s from %.100s", msg,
+ 			sshpam_authctxt->valid ? "" : "illegal user ",
+ 			sshpam_authctxt->user,
+diff -ru openssh-7.7p1/auth2.c dist/auth2.c
+--- openssh-7.7p1/auth2.c	2018-04-02 01:38:28.0 -0400
 dist/auth2.c	2018-05-23 11:57:31.022197317 -0400
+@@ -51,6 +51,7 @@
+ #include "dispatch.h"
  #include "pathnames.h"
  #include "buffer.h"
- #include "canohost.h"
 +#include "pfilter.h"
  
  #ifdef GSSAPI
  #include "ssh-gss.h"
-@@ -256,6 +257,7 @@
+@@ -242,6 +243,7 @@
  		} else {
- 			logit("input_userauth_request: invalid user %s", user);
+ 			/* Invalid user, fake password information */
  			authctxt->pw = fakepw();
 +			pfilter_notify(1);
- 		}
- #ifdef USE_PAM
- 		if (options.use_pam)
-Index: sshd.c
-===
-RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
-retrieving revision 1.16
-diff -u -r1.16 sshd.c
 sshd.c	25 Jan 2015 15:52:44 -	1.16
-+++ sshd.c	14 Feb 2015 09:55:06 -
-@@ -628,6 +628,8 @@
- 	explicit_bzero(pw->pw_passwd, 

CVS commit: src/external/bsd/blacklist/diff

2018-01-31 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Feb  1 03:32:31 UTC 2018

Added Files:
src/external/bsd/blacklist/diff: postfix.diff

Log Message:
add a diff for smtpd


To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 src/external/bsd/blacklist/diff/postfix.diff

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Added files:

Index: src/external/bsd/blacklist/diff/postfix.diff
diff -u /dev/null src/external/bsd/blacklist/diff/postfix.diff:1.1
--- /dev/null	Wed Jan 31 22:32:31 2018
+++ src/external/bsd/blacklist/diff/postfix.diff	Wed Jan 31 22:32:31 2018
@@ -0,0 +1,82 @@
+Index: dist/src/smtpd/pfilter.c
+===
+RCS file: dist/src/smtpd/pfilter.c
+diff -N dist/src/smtpd/pfilter.c
+--- /dev/null	1 Jan 1970 00:00:00 -
 dist/src/smtpd/pfilter.c	1 Feb 2018 03:29:09 -
+@@ -0,0 +1,19 @@
++#include "pfilter.h"
++#include 	/* for NULL */
++#include 
++
++static struct blacklist *blstate;
++
++void
++pfilter_notify(int a, int fd)
++{
++	if (blstate == NULL)
++		blstate = blacklist_open();
++	if (blstate == NULL)
++		return;
++	(void)blacklist_r(blstate, a, fd, "smtpd");
++	if (a == 0) {
++		blacklist_close(blstate);
++		blstate = NULL;
++	}
++}
+Index: dist/src/smtpd/pfilter.h
+===
+RCS file: dist/src/smtpd/pfilter.h
+diff -N dist/src/smtpd/pfilter.h
+--- /dev/null	1 Jan 1970 00:00:00 -
 dist/src/smtpd/pfilter.h	1 Feb 2018 03:29:09 -
+@@ -0,0 +1,2 @@
++
++void pfilter_notify(int, int);
+Index: dist/src/smtpd/smtpd.c
+===
+RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v
+retrieving revision 1.14
+diff -u -r1.14 smtpd.c
+--- dist/src/smtpd/smtpd.c	14 Feb 2017 01:16:48 -	1.14
 dist/src/smtpd/smtpd.c	1 Feb 2018 03:29:09 -
+@@ -1197,6 +1197,8 @@
+ #include 
+ #include 
+ 
++#include "pfilter.h"
++
+  /*
+   * Tunable parameters. Make sure that there is some bound on the length of
+   * an SMTP command, so that the mail system stays in control even when a
+@@ -5048,6 +5050,7 @@
+ 	if (state->error_count >= var_smtpd_hard_erlim) {
+ 		state->reason = REASON_ERROR_LIMIT;
+ 		state->error_mask |= MAIL_ERROR_PROTOCOL;
++		pfilter_notify(1, vstream_fileno(state->client));
+ 		smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors",
+  var_myhostname);
+ 		break;
+Index: libexec/smtpd/Makefile
+===
+RCS file: /cvsroot/src/external/ibm-public/postfix/libexec/smtpd/Makefile,v
+retrieving revision 1.6
+diff -u -r1.6 Makefile
+--- libexec/smtpd/Makefile	21 May 2017 15:28:40 -	1.6
 libexec/smtpd/Makefile	1 Feb 2018 03:29:09 -
+@@ -13,11 +13,14 @@
+ SRCS=	smtpd.c smtpd_token.c smtpd_check.c smtpd_chat.c smtpd_state.c \
+ 	smtpd_peer.c smtpd_sasl_proto.c smtpd_sasl_glue.c smtpd_proxy.c \
+ 	smtpd_xforward.c smtpd_dsn_fix.c smtpd_milter.c smtpd_resolve.c \
+-	smtpd_expand.c smtpd_haproxy.c
++	smtpd_expand.c smtpd_haproxy.c pfilter.c
+ 
+ DPADD+= ${LIBPMASTER} ${LIBPMILTER} ${LIBPGLOBAL} ${LIBPDNS} ${LIBPXSASL}
+ LDADD+= ${LIBPMASTER} ${LIBPMILTER} ${LIBPGLOBAL} ${LIBPDNS} ${LIBPXSASL}
+ 
++DPADD+=	${LIBBLACKLIST}
++LDADD+=	-lblacklist
++
+ DPADD+=	${LIBPTLS} ${LIBSSL} ${LIBCRYPTO}
+ LDADD+=	${LIBPTLS} -lssl -lcrypto
+ 
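
Review bot: in the new pfilter.c the `if (a == 0)` close path is never reached, because the only caller added to smtpd.c passes 1; the handle from blacklist_open() then stays open for the life of the process and the branch is dead code. Either add a call that reports success or drop the branch and document the lifetime. The return value of blacklist_r() is cast away, so a failed notification is invisible; a debug log would help. pfilter.h has no include guard, and the hook fires only at the `var_smtpd_hard_erlim` limit, which deserves a comment so nobody assumes authentication failures are reported too.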



CVS commit: src/external/bsd/blacklist/lib

2017-10-22 Thread Abhinav Upadhyay
Module Name:src
Committed By:   abhinav
Date:   Sun Oct 22 10:31:57 UTC 2017

Modified Files:
src/external/bsd/blacklist/lib: libblacklist.3

Log Message:
Add comma between Nm entries


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/lib/libblacklist.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/lib/libblacklist.3
diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.7 src/external/bsd/blacklist/lib/libblacklist.3:1.8
--- src/external/bsd/blacklist/lib/libblacklist.3:1.7	Sat Feb  4 23:33:56 2017
+++ src/external/bsd/blacklist/lib/libblacklist.3	Sun Oct 22 10:31:57 2017
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.7 2017/02/04 23:33:56 wiz Exp $
+.\" $NetBSD: libblacklist.3,v 1.8 2017/10/22 10:31:57 abhinav Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -35,7 +35,7 @@
 .Nm blacklist_close ,
 .Nm blacklist_r ,
 .Nm blacklist ,
-.Nm blacklist_sa
+.Nm blacklist_sa ,
 .Nm blacklist_sa_r
 .Nd Blacklistd notification library
 .Sh LIBRARY



CVS commit: src/external/bsd/blacklist/diff

2017-06-26 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Jun 26 17:12:05 UTC 2017

Modified Files:
src/external/bsd/blacklist/diff: ssh.diff

Log Message:
amend the patch to close.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/diff/ssh.diff

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/diff/ssh.diff
diff -u src/external/bsd/blacklist/diff/ssh.diff:1.8 src/external/bsd/blacklist/diff/ssh.diff:1.9
--- src/external/bsd/blacklist/diff/ssh.diff:1.8	Fri Jan 22 19:05:38 2016
+++ src/external/bsd/blacklist/diff/ssh.diff	Mon Jun 26 13:12:05 2017
@@ -1,6 +1,6 @@
 --- /dev/null	2015-01-22 23:10:33.0 -0500
 +++ dist/pfilter.c	2015-01-22 23:46:03.0 -0500
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,32 @@
 +#include "namespace.h"
 +#include "includes.h"
 +#include "ssh.h"
@@ -28,6 +28,10 @@
 +	// XXX: 3?
 + 	fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
 +	(void)blacklist_r(blstate, a, fd, "ssh");
++	if (a == 0) {
++		blacklist_close(blstate);
++		blstate = NULL;
++	}
 +}
 --- /dev/null	2015-01-20 21:14:44.0 -0500
 +++ dist/pfilter.h	2015-01-20 20:16:20.0 -0500
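
Review bot: the added close runs only when `a == 0`, and nothing in pfilter_notify() says why a success report is the point at which the handle is released; a one-line comment would settle that. The context just above still falls back to descriptor 3 under an `XXX: 3?` marker when the connection is not on a socket, so blacklist_r() can be handed a descriptor that is not the peer socket. Returning early in that case would be safer than guessing.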



CVS commit: src/external/bsd/blacklist/bin

2017-06-07 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Wed Jun  7 13:50:57 UTC 2017

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.conf.5

Log Message:
Add missing argument to macro.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/bin/blacklistd.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.conf.5
diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.6 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.7
--- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.6	Mon Jun  5 21:34:58 2017
+++ src/external/bsd/blacklist/bin/blacklistd.conf.5	Wed Jun  7 13:50:57 2017
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.conf.5,v 1.6 2017/06/05 21:34:58 sevan Exp $
+.\" $NetBSD: blacklistd.conf.5,v 1.7 2017/06/07 13:50:57 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -201,7 +201,7 @@ or the block duration.
 Configuration file.
 .El
 .Sh EXAMPLES
-.Bd -literal -offset
+.Bd -literal -offset 8n
 # Block ssh, after 3 attempts for 6 hours on the bnx0 interface
 [local]
 # location	type	proto	owner	name	nfail	duration
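
Review bot: style point on the changed '.Bd' line: '-offset 8n' hard-codes a width, while mdoc's '-offset indent' gives the standard display indentation and is the usual spelling in manual pages. Prefer '.Bd -literal -offset indent' unless 8n is needed to line the example up with the tab-separated columns below it.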



CVS commit: src/external/bsd/blacklist/bin

2017-06-05 Thread Sevan Janiyan
Module Name:src
Committed By:   sevan
Date:   Mon Jun  5 21:34:58 UTC 2017

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.conf.5

Log Message:
Improve wording.
Bump date.

ok christos


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/bin/blacklistd.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.conf.5
diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.5 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.6
--- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.5	Wed Jun  8 12:48:37 2016
+++ src/external/bsd/blacklist/bin/blacklistd.conf.5	Mon Jun  5 21:34:58 2017
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.conf.5,v 1.5 2016/06/08 12:48:37 wiz Exp $
+.\" $NetBSD: blacklistd.conf.5,v 1.6 2017/06/05 21:34:58 sevan Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 7, 2016
+.Dd June 5, 2017
 .Dt BLACKLISTD.CONF 5
 .Os
 .Sh NAME
@@ -36,12 +36,13 @@
 .Sh DESCRIPTION
 The
 .Nm
-files contains configuration lines for
-.Xr blacklistd 8 .
-It contains one entry per line, and is similar to
+files contains configuration entries for
+.Xr blacklistd 8
+in a fashion similar to
 .Xr inetd.conf 5 .
-There must be an entry for each field of the configuration file, with
-entries for each field separated by a tab or a space.
+Only one entry per line is permitted.
+Every entry must have all fields populated.
+Each field can be separated by a tab or a space.
 Comments are denoted by a
 .Dq #
 at the beginning of a line.
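
Review bot: the rewritten opening sentence still reads "files contains configuration entries", a subject-verb mismatch carried over from the old text; a single file is being described, so make it "file contains". "Each field can be separated by a tab or a space" also reads as if separation were optional; "Fields are separated by a tab or a space" states the rule.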
@@ -109,7 +110,7 @@ The
 can be an IPv4 address in numeric format, an IPv6 address
 in numeric format and enclosed by square brackets, or an interface name.
 Mask modifiers are not allowed on interfaces because interfaces
-have multiple address in different protocols where the mask has a different
+can have multiple addresses in different protocols where the mask has a different
 size.
 .Pp
 The
@@ -150,8 +151,8 @@ If the
 contains a
 .Dq / ,
 the remaining portion of the name is interpreted as the mask to be
-applied to the address specified in the rule, so one can block whole
-subnets for a single rule violation.
+applied to the address specified in the rule, causing a single rule violation to
+block the entire subnet for the configured prefix.
 .Pp
 The
 .Va nfail
@@ -176,10 +177,11 @@ for days.
 .Pp
 Matching is done first by checking the
 .Va local
-rules one by one, from the most specific to the least specific.
+rules individually, in the order of the most specific to the least specific.
 If a match is found, then the
 .Va remote
-rules are applied, and if a match is found the
+rules are applied.
+The
 .Va name ,
 .Va nfail ,
 and
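
Review bot: splitting the sentence after "rules are applied." drops the old condition "and if a match is found", so the sentence that now starts with "The" and lists name, nfail and the following field reads as unconditional. The sentence ends with "rule that matched", so the override only applies when a remote rule matches, and that distinction matters to anyone relying on remote rules for whitelisting. Keep the condition, for example by starting the new sentence with "If a remote rule matches, the".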
@@ -191,8 +193,8 @@ rule that matched.
 The
 .Va remote
 rules can be used for whitelisting specific addresses, changing the mask
-size, or the rule that the packet filter uses, the number of failed attempts,
-or the blocked duration.
+size, the rule that the packet filter uses, the number of failed attempts,
+or the block duration.
 .Sh FILES
 .Bl -tag -width /etc/blacklistd.conf -compact
 .It Pa /etc/blacklistd.conf



CVS commit: src/external/bsd/blacklist

2017-04-13 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Apr 13 17:59:34 UTC 2017

Modified Files:
src/external/bsd/blacklist: README

Log Message:
Explain a bit more how to examine the blacklist state.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/README

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/README
diff -u src/external/bsd/blacklist/README:1.7 src/external/bsd/blacklist/README:1.8
--- src/external/bsd/blacklist/README:1.7	Sun Jan 25 19:34:50 2015
+++ src/external/bsd/blacklist/README	Thu Apr 13 13:59:34 2017
@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.7 2015/01/26 00:34:50 christos Exp $
+# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $
 
 This package contains library that can be used by network daemons to
 communicate with a packet filter via a daemon to enforce opening and
@@ -98,6 +98,16 @@ group "internal" on $int_if {
 	...
 }
 
+You can use 'blacklistctl dump -a' to list all the current entries
+in the database; the ones that have nfail / where urrent
+>= otal, should have an id assosiated with them; this means that
+there is a packet filter rule added for that entry. For npf, you
+can examine the packet filter dynamic rule entries using 'npfctl
+rule  list'.  The number of current entries can exceed
+the total. This happens because entering packet filter rules is
+asynchronous; there could be other connection before the rule
+becomes activated.
+
 Enjoy,
 
 christos
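
Review bot: two typos in the added paragraph: "assosiated" should be "associated", and "there could be other connection" should be "other connections". As shown here, the "nfail" notation and the 'npfctl rule  list' command have lost their placeholder text (the ruleset name between "rule" and "list" is missing), so check that the committed README still carries them. The last two sentences are the operationally important part: because rule insertion is asynchronous, nfail is not a hard cap on attempts, and that is worth stating next to the nfail description in blacklistd.conf(5) as well.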



CVS commit: src/external/bsd/blacklist/libexec

2017-03-17 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Mar 17 20:42:43 UTC 2017

Modified Files:
src/external/bsd/blacklist/libexec: blacklistd-helper

Log Message:
fixes from FreeBSD via Kurt Lidl


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 \
src/external/bsd/blacklist/libexec/blacklistd-helper

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/libexec/blacklistd-helper
diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.11 src/external/bsd/blacklist/libexec/blacklistd-helper:1.12
--- src/external/bsd/blacklist/libexec/blacklistd-helper:1.11	Thu Jun  9 16:02:52 2016
+++ src/external/bsd/blacklist/libexec/blacklistd-helper	Fri Mar 17 16:42:42 2017
@@ -10,10 +10,10 @@
 # $7 id
 
 pf=
-if [ -z "$pf" -a -f "/etc/ipfw-blacklist.rc" ]; then
-	  pf="ipfw"
-	  . /etc/ipfw-blacklist.rc
-	  ipfw_offset=${ipfw_offset:-2000}
+if [ -f "/etc/ipfw-blacklist.rc" ]; then
+	pf="ipfw"
+	. /etc/ipfw-blacklist.rc
+	ipfw_offset=${ipfw_offset:-2000}
 fi
 
 if [ -z "$pf" ]; then
@@ -52,9 +52,10 @@ case "$1" in
 add)
 	case "$pf" in
 	ipf)
-		/sbin/ipfstat -io | /sbin/ipf -I -f -
-		echo block in quick proto $proto from $addr/$mask to \
-		any port=$port head $port$6 | /sbin/ipf -I -f - -s
+		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+		echo block in quick $proto from $addr/$mask to \
+		any port=$6 head port$6 | \
+		/sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK
 		;;
 	ipfw)
 		# use $ipfw_offset+$port for rule number
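
Review bot: in the ipf add branch both ipf invocations now send stdout and stderr to /dev/null, so a rejected rule leaves no trace other than the missing OK; keep stderr, or log it, so that a failed block can be diagnosed. The exit status of the first 'ipfstat -io | ipf -I -f -' pipeline is still ignored, and $proto, $addr/$mask and $6 are expanded unquoted in the echo that builds the rule text; quote the string, as the ipfw and pf branches already do for "$addr/$mask".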
@@ -62,52 +63,62 @@ add)
 		tname="port$6"
 		/sbin/ipfw table $tname create type addr 2>/dev/null
 		/sbin/ipfw -q table $tname add "$addr/$mask"
-		/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
-		any dst-port $6
+		# if rule number $rule does not already exist, create it
+		/sbin/ipfw show $rule >/dev/null 2>&1 || \
+			/sbin/ipfw add $rule drop $3 from \
+			table"("$tname")" to any dst-port $6 >/dev/null && \
+			echo OK
 		;;
 	npf)
 		/sbin/npfctl rule "$2" add block in final $proto from \
 		"$addr/$mask" to any $port
 		;;
 	pf)
-		# insert $ip/$mask into per-protocol anchored table
-		/sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask"
-		echo "block in quick $proto from  to any $port" | \
-		/sbin/pfctl -a "$2" -f -
+		# if the filtering rule does not exist, create it
+		/sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
+		grep -q "" || \
+		echo "block in quick $proto from  to any $port" | \
+		/sbin/pfctl -a "$2/$6" -f -
+		# insert $ip/$mask into per-protocol/port anchored table
+		/sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+		echo OK
 		;;
 	esac
 	;;
 rem)
 	case "$pf" in
 	ipf)
-		/sbin/ipfstat -io | /sbin/ipf -I -f -
-		echo block in quick proto $proto from $addr/$mask to any \
-		port =$port head port$6 | /sbin/ipf -r -f - -s
+		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+		echo block in quick $proto from $addr/$mask to \
+		any port=$6 head port$6 | \
+		/sbin/ipf -I -r -f - -s >/dev/null 2>&1 && echo OK
 		;;
 	ipfw)
-		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
+		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
+		echo OK
 		;;
 	npf)
 		/sbin/npfctl rule "$2" rem-id "$7"
 		;;
 	pf)
-		/sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask"
+		/sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+		echo OK
 		;;
 	esac
 	;;
 flush)
-	case "$pf" in 
+	case "$pf" in
 	ipf)
-		/sbin/ipf -Z -I -Fa -s
+		/sbin/ipf -Z -I -Fi -s > /dev/null && echo OK
 		;;
 	ipfw)
-		/sbin/ipfw table "port$6" flush 2>/dev/null
+		/sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
 		;;
 	npf)
 		/sbin/npfctl rule "$2" flush
 		;;
 	pf)
-		/sbin/pfctl -a "$2" -t "port$6" -T flush
+		/sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK
 		;;
 	esac
 	;;
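
Review bot: in the ipfw add branch the new OK only reflects the 'ipfw show $rule || ipfw add ...' chain; the preceding '/sbin/ipfw -q table $tname add "$addr/$mask"' is not part of it, so the helper reports OK even when the address never made it into the table. Chain the table add into the same && list, as the pf branch does with its '-T add ... && echo OK'. Two further points: the npf branches of add, rem and flush are untouched and print no OK, so whatever consumes this output has to accept npfctl's own output; and the ipf flush changes from -Fa to -Fi, a behaviour change that the log message ("fixes from FreeBSD via Kurt Lidl") does not mention.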



CVS commit: src/external/bsd/blacklist/bin

2017-02-17 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Feb 18 00:26:16 UTC 2017

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c

Log Message:
more debugging from Kurt Lidl


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/external/bsd/blacklist/bin/blacklistd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.36 src/external/bsd/blacklist/bin/blacklistd.c:1.37
--- src/external/bsd/blacklist/bin/blacklistd.c:1.36	Sun Jan  8 22:05:48 2017
+++ src/external/bsd/blacklist/bin/blacklistd.c	Fri Feb 17 19:26:16 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.36 2017/01/09 03:05:48 christos Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.36 2017/01/09 03:05:48 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $");
 
 #include 
 #include 
@@ -207,7 +207,7 @@ process(bl_t bl)
 
 	if (debug) {
 		char b1[128], b2[128];
-		(*lfun)(LOG_DEBUG, "%s: db state info for %s: count=%d/%d "
+		(*lfun)(LOG_DEBUG, "%s: initial db state for %s: count=%d/%d "
 		"last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail,
 		fmttime(b1, sizeof(b1), dbi.last),
 		fmttime(b2, sizeof(b2), ts.tv_sec));
@@ -246,15 +246,24 @@ process(bl_t bl)
 	case BL_DELETE:
 		if (dbi.last == 0)
 			goto out;
+		dbi.count = 0;
 		dbi.last = 0;
 		break;
 	default:
 		(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
 	}
-	if (state_put(state, , ) == -1)
-		goto out;
+	state_put(state, , );
+
 out:
 	close(bi->bi_fd);
+
+	if (debug) {
+		char b1[128], b2[128];
+		(*lfun)(LOG_DEBUG, "%s: final db state for %s: count=%d/%d "
+		"last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail,
+		fmttime(b1, sizeof(b1), dbi.last),
+		fmttime(b2, sizeof(b2), ts.tv_sec));
+	}
 }
 
 static void
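
Review bot: the return value of state_put is now dropped entirely. The old '== -1' check was a no-op because it jumped to the label directly below it, but removing it instead of logging means a failed database write is silent, and the new "final db state" debug line then prints dbi.count and dbi.last as if they had been stored. Log the failure at LOG_ERR before falling through to out. The debug block is also a copy of the "initial db state" one; a small helper that takes the label would keep the two format strings in step.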
@@ -393,7 +402,7 @@ rules_restore(void)
 int
 main(int argc, char *argv[])
 {
-	int c, tout, flags, flush, restore;
+	int c, tout, flags, flush, restore, ret;
 	const char *spath, **blsock;
 	size_t nblsock, maxblsock;
 
@@ -528,7 +537,10 @@ main(int argc, char *argv[])
 			readconf = 0;
 			conf_parse(configfile);
 		}
-		switch (poll(pfd, (nfds_t)nfd, tout)) {
+		ret = poll(pfd, (nfds_t)nfd, tout);
+		if (debug)
+			(*lfun)(LOG_DEBUG, "received %d from poll()", ret);
+		switch (ret) {
 		case -1:
 			if (errno == EINTR)
 continue;
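
Review bot: the debug call now sits between poll() and the 'case -1:' test of 'errno == EINTR'. The logging function can change errno, so with debugging enabled an interrupted poll() may no longer be recognised as EINTR and will not take the continue. Save errno immediately after poll() and test the saved value, or restore it after logging.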



CVS commit: src/external/bsd/blacklist/lib

2017-02-04 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Sat Feb  4 23:33:56 UTC 2017

Modified Files:
src/external/bsd/blacklist/lib: libblacklist.3

Log Message:
Quote - to make it a minus.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/lib/libblacklist.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/lib/libblacklist.3
diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.6 src/external/bsd/blacklist/lib/libblacklist.3:1.7
--- src/external/bsd/blacklist/lib/libblacklist.3:1.6	Tue Jan 31 16:55:04 2017
+++ src/external/bsd/blacklist/lib/libblacklist.3	Sat Feb  4 23:33:56 2017
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.6 2017/01/31 16:55:04 abhinav Exp $
+.\" $NetBSD: libblacklist.3,v 1.7 2017/02/04 23:33:56 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -121,7 +121,7 @@ and
 return
 .Dv 0
 on success and
-.Dv -1
+.Dv \-1
 on failure setting
 .Dv errno
 to an appropriate value.



CVS commit: src/external/bsd/blacklist/lib

2017-01-31 Thread Abhinav Upadhyay
Module Name:src
Committed By:   abhinav
Date:   Tue Jan 31 16:55:04 UTC 2017

Modified Files:
src/external/bsd/blacklist/lib: libblacklist.3

Log Message:
Correct the function names in the RETURN VALUES section
and use markup for errno.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/lib/libblacklist.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/lib/libblacklist.3
diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.5 src/external/bsd/blacklist/lib/libblacklist.3:1.6
--- src/external/bsd/blacklist/lib/libblacklist.3:1.5	Tue Jan 31 16:31:21 2017
+++ src/external/bsd/blacklist/lib/libblacklist.3	Tue Jan 31 16:55:04 2017
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.5 2017/01/31 16:31:21 abhinav Exp $
+.\" $NetBSD: libblacklist.3,v 1.6 2017/01/31 16:55:04 abhinav Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -106,18 +106,25 @@ All functions log errors to
 .Xr syslogd 8 .
 .Sh RETURN VALUES
 The function
-.Fn bl_open
+.Fn blacklist_open
 returns a cookie on success and
 .Dv NULL
-on failure setting errno to an appropriate value.
-.Pp
-The
-.Fn bl_send
-function returns
+on failure setting
+.Dv errno
+to an appropriate value.
+.Pp
+The functions
+.Fn blacklist ,
+.Fn blacklist_sa ,
+and
+.Fn blacklist_sa_r
+return
 .Dv 0
 on success and
 .Dv -1
-on failure setting errno to an appropriate value.
+on failure setting
+.Dv errno
+to an appropriate value.
 .Sh SEE ALSO
 .Xr blacklistd.conf 5 ,
 .Xr blacklistd 8
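
Review bot: the new list of functions returning 0 or -1 names blacklist, blacklist_sa and blacklist_sa_r but not blacklist_r, which the NAME section of the same manual also lists; add it if it follows the same convention. On the markup, errno is a variable, so '.Va errno' is the conventional macro; '.Dv' is meant for defined constants such as NULL.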



CVS commit: src/external/bsd/blacklist/lib

2017-01-31 Thread Abhinav Upadhyay
Module Name:src
Committed By:   abhinav
Date:   Tue Jan 31 16:31:21 UTC 2017

Modified Files:
src/external/bsd/blacklist/lib: libblacklist.3

Log Message:
Fix a sentence.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/lib/libblacklist.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/lib/libblacklist.3
diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.4 src/external/bsd/blacklist/lib/libblacklist.3:1.5
--- src/external/bsd/blacklist/lib/libblacklist.3:1.4	Tue Jan 31 16:23:18 2017
+++ src/external/bsd/blacklist/lib/libblacklist.3	Tue Jan 31 16:31:21 2017
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.4 2017/01/31 16:23:18 abhinav Exp $
+.\" $NetBSD: libblacklist.3,v 1.5 2017/01/31 16:31:21 abhinav Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -62,7 +62,7 @@ block or release port access to prevent 
 .Pp
 The function
 .Fn blacklist_open
-creates a the necessary state to communicate with
+creates the necessary state to communicate with
 .Xr blacklistd 8
 and returns a pointer to it, or
 .Dv NULL



CVS commit: src/external/bsd/blacklist/lib

2017-01-31 Thread Abhinav Upadhyay
Module Name:src
Committed By:   abhinav
Date:   Tue Jan 31 16:23:19 UTC 2017

Modified Files:
src/external/bsd/blacklist/lib: libblacklist.3

Log Message:
Remove comma after the last Nm entry.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/external/bsd/blacklist/lib/libblacklist.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/lib/libblacklist.3
diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.3 src/external/bsd/blacklist/lib/libblacklist.3:1.4
--- src/external/bsd/blacklist/lib/libblacklist.3:1.3	Sun Jan 25 23:09:28 2015
+++ src/external/bsd/blacklist/lib/libblacklist.3	Tue Jan 31 16:23:18 2017
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.3 2015/01/25 23:09:28 wiz Exp $
+.\" $NetBSD: libblacklist.3,v 1.4 2017/01/31 16:23:18 abhinav Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -36,7 +36,7 @@
 .Nm blacklist_r ,
 .Nm blacklist ,
 .Nm blacklist_sa
-.Nm blacklist_sa_r ,
+.Nm blacklist_sa_r
 .Nd Blacklistd notification library
 .Sh LIBRARY
 .Lb libblacklist
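
Review bot: removing the trailing comma from the last '.Nm' is right, but the context line above it, '.Nm blacklist_sa', has no comma at all, so the rendered NAME line still runs blacklist_sa and blacklist_sa_r together without a separator. Add ' ,' to the blacklist_sa line in the same change.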



CVS commit: src/external/bsd/blacklist/bin

2017-01-08 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Jan  9 03:05:48 UTC 2017

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c

Log Message:
PR/51801: Matthew Mondor: Support multiple -s options and -P and -s at the
same time.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/external/bsd/blacklist/bin/blacklistd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.35 src/external/bsd/blacklist/bin/blacklistd.c:1.36
--- src/external/bsd/blacklist/bin/blacklistd.c:1.35	Mon Sep 26 15:43:43 2016
+++ src/external/bsd/blacklist/bin/blacklistd.c	Sun Jan  8 22:05:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.36 2017/01/09 03:05:48 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.36 2017/01/09 03:05:48 christos Exp $");
 
 #include 
 #include 
@@ -394,12 +394,14 @@ int
 main(int argc, char *argv[])
 {
 	int c, tout, flags, flush, restore;
-	const char *spath, *blsock;
+	const char *spath, **blsock;
+	size_t nblsock, maxblsock;
 
 	setprogname(argv[0]);
 
 	spath = NULL;
-	blsock = _PATH_BLSOCK;
+	blsock = NULL;
+	maxblsock = nblsock = 0;
 	flush = 0;
 	restore = 0;
 	tout = 0;
@@ -431,7 +433,17 @@ main(int argc, char *argv[])
 			restore++;
 			break;
 		case 's':
-			blsock = optarg;
+			if (nblsock >= maxblsock) {
+maxblsock += 10;
+void *p = realloc(blsock,
+sizeof(*blsock) * maxblsock);
+if (p == NULL)
+err(EXIT_FAILURE,
+	"Can't allocate memory for %zu sockets",
+	maxblsock);
+blsock = p;
+			}
+			blsock[nblsock++] = optarg;
 			break;
 		case 't':
 			tout = atoi(optarg) * 1000;
@@ -478,9 +490,11 @@ main(int argc, char *argv[])
 	size_t nfd = 0;
 	size_t maxfd = 0;
 
-	if (spath == NULL)
-		addfd(, , , , blsock);
-	else {
+	for (size_t i = 0; i < nblsock; i++)
+		addfd(, , , , blsock[i]);
+	free(blsock);
+
+	if (spath) {
 		FILE *fp = fopen(spath, "r");
 		char *line;
 		if (fp == NULL)
@@ -490,6 +504,8 @@ main(int argc, char *argv[])
 			addfd(, , , , line);
 		fclose(fp);
 	}
+	if (nfd == 0)
+		addfd(, , , , _PATH_BLSOCK);
 
 	state = state_open(dbfile, flags, 0600);
 	if (state == NULL)
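
Review bot: with 'if (nfd == 0)' the default _PATH_BLSOCK is opened only when neither -s nor the spath file contributed a socket, so a single -s silently stops the daemon listening on the default path, and an spath file with no entries silently falls back to it. Daemons that report on a socket that is no longer opened are not heard, so this needs to be spelled out in blacklistd(8), which this commit does not touch, together with the fact that -s may now be repeated.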



CVS commit: src/external/bsd/blacklist/port

2016-11-25 Thread John Nemeth
Module Name:src
Committed By:   jnemeth
Date:   Sat Nov 26 02:12:18 UTC 2016

Modified Files:
src/external/bsd/blacklist/port: Makefile.am

Log Message:
Set path for includes_HEADERS.  Change suggested by christos@.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/port/Makefile.am

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/port/Makefile.am
diff -u src/external/bsd/blacklist/port/Makefile.am:1.5 src/external/bsd/blacklist/port/Makefile.am:1.6
--- src/external/bsd/blacklist/port/Makefile.am:1.5	Sun Nov 13 22:37:39 2016
+++ src/external/bsd/blacklist/port/Makefile.am	Sat Nov 26 02:12:18 2016
@@ -1,7 +1,7 @@
 #
 ACLOCAL_AMFLAGS = -I m4
 lib_LTLIBRARIES = libblacklist.la
-include_HEADERS = blacklist.h
+include_HEADERS = ../include/blacklist.h
 
 bin_PROGRAMS = blacklistd blacklistctl srvtest cltest
 



CVS commit: src/external/bsd/blacklist/port

2016-11-13 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Nov 13 22:38:22 UTC 2016

Removed Files:
src/external/bsd/blacklist/port: config.h

Log Message:
no need for config.h; it should be auto-gened.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r0 src/external/bsd/blacklist/port/config.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/external/bsd/blacklist/port

2016-11-13 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Nov 13 22:37:39 UTC 2016

Modified Files:
src/external/bsd/blacklist/port: Makefile.am config.h

Log Message:
add include in the vpath.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/port/Makefile.am
cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/port/config.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/port/Makefile.am
diff -u src/external/bsd/blacklist/port/Makefile.am:1.4 src/external/bsd/blacklist/port/Makefile.am:1.5
--- src/external/bsd/blacklist/port/Makefile.am:1.4	Wed Jan 21 22:48:07 2015
+++ src/external/bsd/blacklist/port/Makefile.am	Sun Nov 13 17:37:39 2016
@@ -5,7 +5,7 @@ include_HEADERS = blacklist.h
 
 bin_PROGRAMS = blacklistd blacklistctl srvtest cltest
 
-VPATH = ../bin:../lib:../test
+VPATH = ../bin:../lib:../test:../include
 
 AM_CPPFLAGS = -I../include  -DDOT="."
 AM_CFLAGS = @WARNINGS@

Index: src/external/bsd/blacklist/port/config.h
diff -u src/external/bsd/blacklist/port/config.h:1.2 src/external/bsd/blacklist/port/config.h:1.3
--- src/external/bsd/blacklist/port/config.h:1.2	Fri Apr  8 07:56:43 2016
+++ src/external/bsd/blacklist/port/config.h	Sun Nov 13 17:37:39 2016
@@ -1,3 +1,294 @@
-#if defined(__FreeBSD__)
+/* config.h.  Generated from config.h.in by configure.  */
+/* config.h.in.  Generated from configure.ac by autoheader.  */
+
+/* Define if building universal (internal helper macro) */
+/* #undef AC_APPLE_UNIVERSAL_BUILD */
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_ARPA_INET_H 1
+
+/* Define to 1 if you have the `clock_gettime' function. */
+#define HAVE_CLOCK_GETTIME 1
+
+/* Define to 1 if you have the  header file. */
+/* #undef HAVE_DB_185_H */
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_DB_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_DLFCN_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_ERR_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_FCNTL_H 1
+
+/* Define to 1 if you have the `fgetln' function. */
+#define HAVE_FGETLN 1
+
+/* Define to 1 if you have the `fparseln' function. */
+#define HAVE_FPARSELN 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_GETOPT_H 1
+
+/* Define to 1 if you have the `getprogname' function. */
+#define HAVE_GETPROGNAME 1
+
+/* Define to 1 if the system has the type `intptr_t'. */
+#define HAVE_INTPTR_T 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_INTTYPES_H 1
+
+/* Define to 1 if you have the `db' library (-ldb). */
+/* #undef HAVE_LIBDB */
+
+/* Define to 1 if you have the `rt' library (-lrt). */
+#define HAVE_LIBRT 1
+
+/* Define to 1 if you have the `util' library (-lutil). */
+#define HAVE_LIBUTIL 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_LIMITS_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_MEMORY_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_NETATALK_AT_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_NET_IF_DL_H 1
+
+/* Define to 1 if you have the `pidfile' function. */
+#define HAVE_PIDFILE 1
+
+/* Define to 1 if you have the `popenve' function. */
+#define HAVE_POPENVE 1
+
+/* Define to 1 if you have the `sockaddr_snprintf' function. */
+#define HAVE_SOCKADDR_SNPRINTF 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the `strerror' function. */
+#define HAVE_STRERROR 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the `strlcat' function. */
+#define HAVE_STRLCAT 1
+
+/* Define to 1 if you have the `strlcpy' function. */
+#define HAVE_STRLCPY 1
+
+/* Define to 1 if you have the `strtoi' function. */
+#define HAVE_STRTOI 1
+
+/* Define to 1 if `sa_len' is a member of `struct sockaddr'. */
+#define HAVE_STRUCT_SOCKADDR_SA_LEN 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_SYS_SOCKET_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_SYS_STAT_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_SYS_TIME_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_SYS_UN_H 1
+
+/* Define to 1 if you have  that is POSIX.1 compatible. */
+#define HAVE_SYS_WAIT_H 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_TIME_H 1
+
+/* Define to 1 if the system has the type `uintptr_t'. */
+#define HAVE_UINTPTR_T 1
+
+/* Define to 1 if you have the  header file. */
+#define HAVE_UNISTD_H 1
+
+/* Define to 1 if you have the  header file. */
+#define 
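
Review bot: this header reads as autoheader output from a single configure run (see the commented-out `/* #undef HAVE_LIBDB */`), so committing it pins HAVE_POPENVE, HAVE_SOCKADDR_SNPRINTF, HAVE_STRTOI and the other feature macros to 1 for every host that builds the port, whether or not that host has them. Leave the file out of the repository and let configure generate it, so the values reflect the build host.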

CVS commit: src/external/bsd/blacklist/port

2016-11-13 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Nov 13 22:38:22 UTC 2016

Removed Files:
src/external/bsd/blacklist/port: config.h

Log Message:
no need for config.h; it should be auto-gened.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r0 src/external/bsd/blacklist/port/config.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/external/bsd/blacklist/port

2016-11-13 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Nov 13 22:37:39 UTC 2016

Modified Files:
src/external/bsd/blacklist/port: Makefile.am config.h

Log Message:
add include in the vpath.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/port/Makefile.am
cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/port/config.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/external/bsd/blacklist/bin

2016-11-01 Thread John Nemeth
Module Name:src
Committed By:   jnemeth
Date:   Wed Nov  2 03:15:07 UTC 2016

Modified Files:
src/external/bsd/blacklist/bin: blacklistctl.c

Log Message:
Correct misplaced break; from FreeBSD.

Approved By: christos


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/external/bsd/blacklist/bin/blacklistctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistctl.c
diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.20 src/external/bsd/blacklist/bin/blacklistctl.c:1.21
--- src/external/bsd/blacklist/bin/blacklistctl.c:1.20	Mon Apr  4 15:52:56 2016
+++ src/external/bsd/blacklist/bin/blacklistctl.c	Wed Nov  2 03:15:07 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $	*/
+/*	$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $");
 
 #include 
 #include 
@@ -96,10 +96,10 @@ main(int argc, char *argv[])
 			break;
 		case 'b':
 			blocked = 1;
+			break;
 		case 'D':
 			dbname = optarg;
 			break;
-			break;
 		case 'd':
 			debug++;
 			break;
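
Review bot: the `break;` added under `case 'b':` is the right fix, but nothing in this change stops the same fall-through from recurring; before it, `-b` ran on into `case 'D':` and set `dbname = optarg` from whatever optarg held at that point. Consider building this file with an implicit-fallthrough warning enabled and adding a test that `-b` on its own leaves the database name at its default.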



CVS commit: src/external/bsd/blacklist/etc/rc.d

2016-10-17 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Oct 17 22:47:16 UTC 2016

Modified Files:
src/external/bsd/blacklist/etc/rc.d: blacklistd

Log Message:
account for socket name change.


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/external/bsd/blacklist/etc/rc.d/blacklistd

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/etc/rc.d/blacklistd
diff -u src/external/bsd/blacklist/etc/rc.d/blacklistd:1.1 src/external/bsd/blacklist/etc/rc.d/blacklistd:1.2
--- src/external/bsd/blacklist/etc/rc.d/blacklistd:1.1	Thu Jan 22 12:49:41 2015
+++ src/external/bsd/blacklist/etc/rc.d/blacklistd	Mon Oct 17 18:47:16 2016
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: blacklistd,v 1.1 2015/01/22 17:49:41 christos Exp $
+# $NetBSD: blacklistd,v 1.2 2016/10/17 22:47:16 christos Exp $
 #
 
 # PROVIDE: blacklistd
@@ -18,7 +18,7 @@ start_precmd="${name}_precmd"
 extra_commands="reload"
 
 _sockfile="/var/run/${name}.sockets"
-_sockname="blsock"
+_sockname="blacklistd.sock"
 
 blacklistd_precmd()
 {
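
Review bot: `_sockname="blacklistd.sock"` repeats the daemon's socket name as a second literal, which is why the script needed this follow-up after the rename. The line above already builds `_sockfile` from `${name}`; writing `_sockname="${name}.sock"` would keep the two in step, and a comment should say that the value has to match the name the daemon and its clients use.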



CVS commit: src/external/bsd/blacklist/bin

2016-09-26 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Sep 26 19:43:43 UTC 2016

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c state.c

Log Message:
restore rules after the database is open, add error message to prevent
silent failure in the future. (Kurt Lidl)


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/external/bsd/blacklist/bin/blacklistd.c
cvs rdiff -u -r1.18 -r1.19 src/external/bsd/blacklist/bin/state.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.34 src/external/bsd/blacklist/bin/blacklistd.c:1.35
--- src/external/bsd/blacklist/bin/blacklistd.c:1.34	Mon Apr  4 11:52:56 2016
+++ src/external/bsd/blacklist/bin/blacklistd.c	Mon Sep 26 15:43:43 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $");
 
 #include 
 #include 
@@ -473,9 +473,6 @@ main(int argc, char *argv[])
 		flags |= O_TRUNC;
 	}
 
-	if (restore)
-		rules_restore();
-
 	struct pollfd *pfd = NULL;
 	bl_t *bl = NULL;
 	size_t nfd = 0;
@@ -500,6 +497,9 @@ main(int argc, char *argv[])
 	if (state == NULL)
 		return EXIT_FAILURE;
 
+	if (restore)
+		rules_restore();
+
 	if (!debug) {
 		if (daemon(0, 0) == -1)
 			err(EXIT_FAILURE, "daemon failed");
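
Review bot: the relocated `if (restore) rules_restore();` now depends on running after the `state == NULL` check, but nothing at the call site records that ordering, so a later cleanup could move it back above the database open. Add a short comment stating that the restore needs the open state database, and, if rules_restore can report failure, check it here before `daemon(0, 0)` so the error still reaches the terminal.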

Index: src/external/bsd/blacklist/bin/state.c
diff -u src/external/bsd/blacklist/bin/state.c:1.18 src/external/bsd/blacklist/bin/state.c:1.19
--- src/external/bsd/blacklist/bin/state.c:1.18	Mon Apr  4 11:52:56 2016
+++ src/external/bsd/blacklist/bin/state.c	Mon Sep 26 15:43:43 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $	*/
+/*	$NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $");
 
 #include 
 #include 
@@ -200,8 +200,10 @@ state_iterate(DB *db, struct conf *c, st
 	int rv;
 	DBT k, v;
 
-	if (db == NULL)
+	if (db == NULL) {
+		(*lfun)(LOG_ERR, "%s: called with no database file", __func__);
 		return -1;
+	}
 
 	first = first ? R_FIRST : R_NEXT;
 
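
Review bot: the new LOG_ERR in the `db == NULL` branch covers state_iterate only. If the other state_* entry points take the same early return on a NULL database, give them the same message, otherwise the silent failure described in the log message can still happen through a different call path.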



CVS commit: src/external/bsd/blacklist/bin

2016-07-30 Thread David A. Holland
Module Name:src
Committed By:   dholland
Date:   Sat Jul 30 06:09:29 UTC 2016

Modified Files:
src/external/bsd/blacklist/bin: blacklistd.8

Log Message:
typo


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/external/bsd/blacklist/bin/blacklistd.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistd.8
diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.17 src/external/bsd/blacklist/bin/blacklistd.8:1.18
--- src/external/bsd/blacklist/bin/blacklistd.8:1.17	Wed Jun  8 12:48:37 2016
+++ src/external/bsd/blacklist/bin/blacklistd.8	Sat Jul 30 06:09:29 2016
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.17 2016/06/08 12:48:37 wiz Exp $
+.\" $NetBSD: blacklistd.8,v 1.18 2016/07/30 06:09:29 dholland Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -47,7 +47,7 @@
 .Nm
 is a daemon similar to
 .Xr syslogd 8
-that listens to a sockets at paths specified in the
+that listens to sockets at paths specified in the
 .Ar sockpathsfile
 for notifications from other daemons about successful or failed connection
 attempts.


