CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Tue May 19 00:56:25 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: blacklistd.conf.5 Log Message: Typo fixes from FreeBSD via Ed Maste To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/bin/blacklistd.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.conf.5 diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.9 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.10 --- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.9 Wed Nov 6 15:33:30 2019 +++ src/external/bsd/blacklist/bin/blacklistd.conf.5 Mon May 18 20:56:25 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.conf.5,v 1.9 2019/11/06 20:33:30 para Exp $ +.\" $NetBSD: blacklistd.conf.5,v 1.10 2020/05/19 00:56:25 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 5, 2017 +.Dd May 18, 2020 .Dt BLACKLISTD.CONF 5 .Os .Sh NAME @@ -125,18 +125,18 @@ The second field is the socket .Dv dgram , or numeric. The third field is the -.Va prococol : +.Va protocol : .Dv tcp , .Dv udp , .Dv tcp6 , .Dv udp6 , or numeric. -The fourth file is the effective user +The fourth field is the effective user .Va ( owner ) of the daemon process reporting the event, either as a username or a userid. .Pp -The rest of the fields are controlling the behavior of the filter. +The rest of the fields control the behavior of the filter. .Pp The .Va name
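Review bot: in the @@ -125,18 hunk the sentence "The third field is the protocol: tcp, udp, tcp6, udp6, or numeric" leaves "numeric" ambiguous, and the parser visible further down this page (conf_getfamily in the conf.c hunks of Mar 12) treats a value in that field that is not tcp/udp as an address family number, while the "6" suffix is what selects AF_INET6; suggest "or a numeric address family" so an operator writing "17" does not expect UDP. The "prococol", "fourth file" and "fields are controlling" fixes themselves are fine.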
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: snj Date: Wed May 6 14:59:51 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 Log Message: The name of the action used with blacklistd's control script is rem, not remove. From Jose Luis Duran in PR bin/55195. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.23 src/external/bsd/blacklist/bin/blacklistd.8:1.24 --- src/external/bsd/blacklist/bin/blacklistd.8:1.23 Tue Apr 21 13:57:12 2020 +++ src/external/bsd/blacklist/bin/blacklistd.8 Wed May 6 14:59:51 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.8,v 1.23 2020/04/21 13:57:12 christos Exp $ +.\" $NetBSD: blacklistd.8,v 1.24 2020/05/06 14:59:51 snj Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -123,10 +123,10 @@ that is not required as all information kept. .Pp If the action is -.Dq remove +.Dq rem Then the same control script is invoked as: .Bd -literal -offset indent -control remove +control rem .Ed .Pp where
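Review bot: in the @@ -123,10 hunk the unchanged line after `.Dq rem` reads "Then the same control script is invoked as:", so the sentence "If the action is rem Then ..." carries a capital in mid-sentence; while touching this paragraph, lower-case it to "then". The literal now matches the code: the blacklistd.c hunk of Mar 11 on this page shows run_change("rem", ...), so the manpage and the control script are in agreement.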
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Tue Apr 21 13:57:12 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 Log Message: PR/55193: Jose Luis Duran: Fix wrong location for the db file. To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.22 src/external/bsd/blacklist/bin/blacklistd.8:1.23 --- src/external/bsd/blacklist/bin/blacklistd.8:1.22 Mon Mar 30 04:45:09 2020 +++ src/external/bsd/blacklist/bin/blacklistd.8 Tue Apr 21 09:57:12 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.8,v 1.22 2020/03/30 08:45:09 wiz Exp $ +.\" $NetBSD: blacklistd.8,v 1.23 2020/04/21 13:57:12 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd March 29, 2020 +.Dd April 21, 2020 .Dt BLACKLISTD 8 .Os .Sh NAME @@ -189,7 +189,7 @@ The name of the configuration file to re The Berkeley DB file where .Nm stores its state, usually -.Pa /var/run/blacklistd.db . +.Pa /var/db/blacklistd.db . .It Fl d Normally, .Nm
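Review bot: the @@ -189,7 hunk moves the documented default from /var/run/blacklistd.db to /var/db/blacklistd.db, and /var/db, unlike /var/run, is not cleaned at boot, so the state file now outlives a reboot while the packet filter rules it describes do not; the paragraph on state should say whether .Nm re-applies rules from the database on startup or whether the entries simply expire. The log should also say where the default is actually defined in the source, so the next reader can check the manpage against the code rather than against the PR.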
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: wiz Date: Mon Mar 30 17:32:22 UTC 2020 Modified Files: src/external/bsd/blacklist/lib: libblacklist.3 Log Message: New sentence, new line. To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/external/bsd/blacklist/lib/libblacklist.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/libblacklist.3 diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.10 src/external/bsd/blacklist/lib/libblacklist.3:1.11 --- src/external/bsd/blacklist/lib/libblacklist.3:1.10 Mon Mar 30 15:47:15 2020 +++ src/external/bsd/blacklist/lib/libblacklist.3 Mon Mar 30 17:32:22 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: libblacklist.3,v 1.10 2020/03/30 15:47:15 christos Exp $ +.\" $NetBSD: libblacklist.3,v 1.11 2020/03/30 17:32:22 wiz Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -96,11 +96,13 @@ There was an unsuccessful authentication A user successfully authenticated. .It Va BLACKLIST_ABUSIVE_BEHAVIOR The sending daemon has detected abusive behavior -from the remote system. The remote address should +from the remote system. +The remote address should be blocked as soon as possible. .It Va BLACKLIST_BAD_USER The sending daemon has determined the username -presented for authentication is invalid. The +presented for authentication is invalid. +The .Xr blacklistd 8 daemon compares the username to a configured list of forbidden usernames and
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: christos Date: Mon Mar 30 15:47:15 UTC 2020 Modified Files: src/external/bsd/blacklist/lib: libblacklist.3 Log Message: Clarify that we always need a valid socket To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/lib/libblacklist.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/libblacklist.3 diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.9 src/external/bsd/blacklist/lib/libblacklist.3:1.10 --- src/external/bsd/blacklist/lib/libblacklist.3:1.9 Wed Nov 6 15:50:01 2019 +++ src/external/bsd/blacklist/lib/libblacklist.3 Mon Mar 30 11:47:15 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: libblacklist.3,v 1.9 2019/11/06 20:50:01 christos Exp $ +.\" $NetBSD: libblacklist.3,v 1.10 2020/03/30 15:47:15 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd May 5, 2017 +.Dd March 30, 2020 .Dt LIBBLACKLIST 3 .Os .Sh NAME @@ -122,6 +122,14 @@ functions can be used with unconnected s .Xr getpeername 2 will not work, the server will pass the peer name in the message. .Pp +In all cases the file descriptor passed in the +.Fa fd +argument must be pointing to a valid socket so that +.Xr blacklistd 8 +can establish ownership of the local endpoint +using +.Xr getsockname 2 . +.Pp By default, .Xr syslogd 8 is used for message logging.
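Review bot: the new paragraph in the @@ -122,6 hunk says the fd "must be pointing to a valid socket" but not what happens otherwise: state whether the library call returns -1 (and with which errno) or whether blacklistd drops the message, since callers that used to pass -1 for route(4) or log-file sources (see the reverted commit of Mar 12 on this page) need to know which. Wording: "must refer to a valid socket". For the unconnected-socket case described just above, getsockname only establishes ownership when the socket is bound, so "valid, bound socket" is the accurate requirement; the blacklistd.8 text on this page makes the same point about unbound UDP sockets.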
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: wiz Date: Mon Mar 30 08:45:09 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 Log Message: Fix typos. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.21 src/external/bsd/blacklist/bin/blacklistd.8:1.22 --- src/external/bsd/blacklist/bin/blacklistd.8:1.21 Mon Mar 30 03:02:41 2020 +++ src/external/bsd/blacklist/bin/blacklistd.8 Mon Mar 30 08:45:09 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.8,v 1.21 2020/03/30 03:02:41 christos Exp $ +.\" $NetBSD: blacklistd.8,v 1.22 2020/03/30 08:45:09 wiz Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -68,7 +68,7 @@ Each entry contains a number of tries li The way .Nm does configuration entry matching is by having the client side pass the -file dscriptor associated with the connection the client wants to blacklist +file descriptor associated with the connection the client wants to blacklist as well as passing socket credentials. .Pp The file descriptor is used to retrieve information (address and port) 
@@ -85,17 +85,17 @@ the port. By examining the optional address portion on the local side, it can match interfaces. By examining the remote address, it can match specific allow or deny rules. -.Pp +.Pp Finally .Nm can examine the socket credentials to match the user in the configuration file. .Pp While this works well for TCP sockets, it cannot be relied on for unbound -UDP sockets. +UDP sockets. It is also less meaningful when it comes to connections using non-privileged ports. -On the other hand, if we receive a request that has a local endpoind indicating -UDP privileged port, we can presume that the client was privileged to be +On the other hand, if we receive a request that has a local endpoint indicating +a UDP privileged port, we can presume that the client was privileged to be able to acquire that port. .Pp Once an entry is matched
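Review bot: in the @@ -85,17 hunk the sentence "if we receive a request that has a local endpoint indicating a UDP privileged port, we can presume that the client was privileged" is first-person and reads like a code comment; suggest "If a request's local endpoint is a privileged UDP port, .Nm presumes the client was privileged to acquire it." The preceding "less meaningful ... non-privileged ports" line would also benefit from its one-clause reason: any unprivileged process can bind a non-privileged port, so matching on it proves nothing about who reported the event.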
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Mon Mar 30 03:02:41 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 Log Message: Explain how configuration matching is done. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.20 src/external/bsd/blacklist/bin/blacklistd.8:1.21 --- src/external/bsd/blacklist/bin/blacklistd.8:1.20 Wed Nov 6 18:17:37 2019 +++ src/external/bsd/blacklist/bin/blacklistd.8 Sun Mar 29 23:02:41 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.8,v 1.20 2019/11/06 23:17:37 wiz Exp $ +.\" $NetBSD: blacklistd.8,v 1.21 2020/03/30 03:02:41 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 6, 2019 +.Dd March 29, 2020 .Dt BLACKLISTD 8 .Os .Sh NAME 
@@ -65,6 +65,42 @@ with syntax specified in If an entry is matched, a state entry is created for that tuple. Each entry contains a number of tries limit and a duration. .Pp +The way +.Nm +does configuration entry matching is by having the client side pass the +file dscriptor associated with the connection the client wants to blacklist +as well as passing socket credentials. +.Pp +The file descriptor is used to retrieve information (address and port) +about the remote side with +.Xr getpeername 2 +and the local side with +.Xr getsockname 2 . +.Pp +By examining the port of the local side, +.Nm +can determine if the client program +.Dq owns +the port. +By examining the optional address portion on the local side, it can match +interfaces. +By examining the remote address, it can match specific allow or deny rules. +.Pp +Finally +.Nm +can examine the socket credentials to match the user in the configuration file. +.Pp +While this works well for TCP sockets, it cannot be relied on for unbound +UDP sockets. +It is also less meaningful when it comes to connections using non-privileged +ports. +On the other hand, if we receive a request that has a local endpoind indicating +UDP privileged port, we can presume that the client was privileged to be +able to acquire that port. +.Pp +Once an entry is matched +.Nm +can perform various actions. If the action is .Dq add and the number of tries limit is reached, then a
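Review bot: the @@ -65,6 hunk introduces "file dscriptor" and "local endpoind" (both fixed later on this page, but they should not land in the first place), and "Once an entry is matched .Nm can perform various actions. If the action is" runs the new sentence into the existing one on the same line; mdoc convention is one sentence per line, so put "If the action is" on its own line and add a comma after "matched". Content-wise, the paragraph says the getpeername/getsockname method "cannot be relied on for unbound UDP sockets" but not what .Nm does instead; the getremoteaddress hunks in blacklistd.c further down this page show it falling back to the address carried in the message when getpeername fails with ENOTCONN, and that fallback (a client-supplied address, not one verified by the kernel) is worth stating here.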
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Fri Mar 13 16:38:45 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: conf.c Log Message: Re-enable the routing perm check now that the kernel has been fixed to return valid information. To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.31 src/external/bsd/blacklist/bin/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.30 src/external/bsd/blacklist/bin/conf.c:1.31 --- src/external/bsd/blacklist/bin/conf.c:1.30 Thu Mar 12 15:47:32 2020 +++ src/external/bsd/blacklist/bin/conf.c Fri Mar 13 12:38:45 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $ */ +/* $NetBSD: conf.c,v 1.31 2020/03/13 16:38:45 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $"); +__RCSID("$NetBSD: conf.c,v 1.31 2020/03/13 16:38:45 christos Exp $"); #include #ifdef HAVE_LIBUTIL_H @@ -1006,7 +1006,7 @@ confset_match(const struct confset *cs, static int conf_route_perm(int fd) { /* Disable for now, the access check in the routing socket uses curlwp */ -#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP) && 0 +#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP) /* * Send a routing message that is not supported to check for access * We expect EOPNOTSUPP for having access, since we are sending a
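Review bot: the @@ -1006,7 hunk drops the `&& 0` but leaves "Disable for now, the access check in the routing socket uses curlwp" directly above the `#if`, so the comment is now stale and contradicts the code; remove it, or replace it with the real constraint (the check is only meaningful on a kernel that carries the routing-socket fix named in the log, so an older kernel paired with this userland would misreport access).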
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Thu Mar 12 19:47:32 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: conf.c Log Message: Disable routing perms check for now. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.30 src/external/bsd/blacklist/bin/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.29 src/external/bsd/blacklist/bin/conf.c:1.30 --- src/external/bsd/blacklist/bin/conf.c:1.29 Thu Mar 12 15:35:11 2020 +++ src/external/bsd/blacklist/bin/conf.c Thu Mar 12 15:47:32 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.29 2020/03/12 19:35:11 christos Exp $ */ +/* $NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: conf.c,v 1.29 2020/03/12 19:35:11 christos Exp $"); +__RCSID("$NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $"); #include #ifdef HAVE_LIBUTIL_H @@ -1005,7 +1005,8 @@ confset_match(const struct confset *cs, #ifdef AF_ROUTE static int conf_route_perm(int fd) { -#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP) +/* Disable for now, the access check in the routing socket uses curlwp */ +#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP) && 0 /* * Send a routing message that is not supported to check for access * We expect EOPNOTSUPP for having access, since we are sending a
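Review bot: `#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP) && 0` in the @@ -1005,7 hunk is easy to miss when reading the file and hard to grep for; prefer `#if 0` with the comment, or a named macro. More importantly, neither the hunk nor the log says which way conf_route_perm answers when the check is compiled out, and the previous commit on this page grants "full permission to make filter changes" to an fd that passes it, so the disabled path must fail closed (deny) and the log should say that it does.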
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Thu Mar 12 19:35:11 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: conf.c Log Message: Handle fds that are pointing to routing sockets. If the fd has access to make changes via the routing socket, grant full permission to make filter changes. To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.29 src/external/bsd/blacklist/bin/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.28 src/external/bsd/blacklist/bin/conf.c:1.29 --- src/external/bsd/blacklist/bin/conf.c:1.28 Thu Mar 12 07:31:23 2020 +++ src/external/bsd/blacklist/bin/conf.c Thu Mar 12 15:35:11 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.28 2020/03/12 11:31:23 roy Exp $ */ +/* $NetBSD: conf.c,v 1.29 2020/03/12 19:35:11 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: conf.c,v 1.28 2020/03/12 11:31:23 roy Exp $"); +__RCSID("$NetBSD: conf.c,v 1.29 2020/03/12 19:35:11 christos Exp $"); #include #ifdef HAVE_LIBUTIL_H @@ -46,6 +46,7 @@ __RCSID("$NetBSD: conf.c,v 1.28 2020/03/ #include #include #include +#include #include #include #include @@ -55,6 +56,7 @@ __RCSID("$NetBSD: conf.c,v 1.28 2020/03/ #include #include #include +#include #include #include "bl.h" @@ -90,7 +92,7 @@ advance(char **p) } static int -getnum(const char *f, size_t l, bool local, void *rp, const char *name, +conf_getnum(const char *f, size_t l, bool local, void *rp, const char *name, const char *p) { int e; 
@@ -127,13 +129,14 @@ out: } static int -getnfail(const char *f, size_t l, bool local, struct conf *c, const char *p) +conf_getnfail(const char *f, size_t l, bool local, struct conf *c, +const char *p) { - return getnum(f, l, local, >c_nfail, "nfail", p); + return conf_getnum(f, l, local, >c_nfail, "nfail", p); } static int -getsecs(const char *f, size_t l, bool local, struct conf *c, const char *p) +conf_getsecs(const char *f, size_t l, bool local, struct conf *c, const char *p) { int e; char *ep; @@ -193,7 +196,7 @@ out: } static int -getport(const char *f, size_t l, bool local, void *r, const char *p) +conf_getport(const char *f, size_t l, bool local, void *r, const char *p) { struct servent *sv; @@ -207,11 +210,11 @@ getport(const char *f, size_t l, bool lo return 0; } - return getnum(f, l, local, r, "service", p); + return conf_getnum(f, l, local, r, "service", p); } static int -getmask(const char *f, size_t l, bool local, const char **p, int *mask) +conf_getmask(const char *f, size_t l, bool local, const char **p, int *mask) { char *d; const char *s = *p; @@ -226,11 +229,12 @@ getmask(const char *f, size_t l, bool lo } *d++ = '\0'; - return getnum(f, l, local, mask, "mask", d); + return conf_getnum(f, l, local, mask, "mask", d); } static int -gethostport(const char *f, size_t l, bool local, struct conf *c, const char *p) +conf_gethostport(const char *f, size_t l, bool local, struct conf *c, +const char *p) { char *d; // XXX: Ok to write to string. in_port_t *port = NULL; @@ -249,7 +253,7 @@ gethostport(const char *f, size_t l, boo } else pstr = p; - if (getmask(f, l, local, , >c_lmask) == -1) + if (conf_getmask(f, l, local, , >c_lmask) == -1) goto out; if (d) { @@ -300,7 +304,7 @@ gethostport(const char *f, size_t l, boo } } - if (getport(f, l, local, >c_port, pstr) == -1) + if (conf_getport(f, l, local, >c_port, pstr) == -1) return -1; if (port && c->c_port != FSTAR && c->c_port != FEQUAL) 
@@ -320,7 +324,7 @@ out2: } static int -getproto(const char *f, size_t l, bool local __unused, struct conf *c, +conf_getproto(const char *f, size_t l, bool local __unused, struct conf *c, const char *p) { if (strcmp(p, "stream") == 0) { @@ -331,22 +335,22 @@ getproto(const char *f, size_t l, bool l c->c_proto = IPPROTO_UDP; return 0; } - return getnum(f, l, local, >c_proto, "protocol", p); + return conf_getnum(f, l, local, >c_proto, "protocol", p); } static int -getfamily(const char *f, size_t l, bool local __unused, struct conf *c, +conf_getfamily(const char *f, size_t l, bool local __unused, struct conf *c, const char *p) { if (strncmp(p, "tcp", 3) == 0 || strncmp(p, "udp", 3) == 0) { c->c_family = p[3] == '6' ? AF_INET6 : AF_INET; return 0; } - return getnum(f, l, local, >c_family, "family", p); + return conf_getnum(f, l, local, >c_family, "family", p); } static int -getuid(const char *f, size_t l, bool local __unused, struct conf *c, +conf_getuid(const char *f, size_t l, bool local __unused, struct conf *c, const char *p) { struct passwd *pw; @@ -356,15 +360,15 @@ getuid(const char *f, size_t l, bool loc return 0; } - return getnum(f, l, local,
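Review bot: the bulk of the visible hunks is a mechanical rename of the static helpers getnum, getnfail, getsecs, getport, getmask, gethostport, getproto, getfamily and getuid to conf_*, which is unrelated to the routing-socket handling the log describes; splitting the rename into its own commit would let the permission logic itself (conf_route_perm and its use in conf_find, not shown in the hunks visible here) be reviewed on its own. The log should also state the trust argument: write access to a routing socket is a privilege normally reserved to root, so treating it as authority to add or remove filter rules is defensible, but blacklistd.8 should document that such a client is exempt from the per-entry owner and port matching.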
CVS commit: src/external/bsd/blacklist
Module Name:src Committed By: roy Date: Thu Mar 12 11:31:23 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c conf.c src/external/bsd/blacklist/lib: bl.c Log Message: Revert allowing fd == -1 at the request of Christos. To generate a diff of this commit: cvs rdiff -u -r1.42 -r1.43 src/external/bsd/blacklist/bin/blacklistd.c cvs rdiff -u -r1.27 -r1.28 src/external/bsd/blacklist/bin/conf.c cvs rdiff -u -r1.30 -r1.31 src/external/bsd/blacklist/lib/bl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.42 src/external/bsd/blacklist/bin/blacklistd.c:1.43 --- src/external/bsd/blacklist/bin/blacklistd.c:1.42 Wed Mar 11 02:33:18 2020 +++ src/external/bsd/blacklist/bin/blacklistd.c Thu Mar 12 11:31:23 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $ */ +/* $NetBSD: blacklistd.c,v 1.43 2020/03/12 11:31:23 roy Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "config.h" #endif #include -__RCSID("$NetBSD: blacklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.43 2020/03/12 11:31:23 roy Exp $"); #include #include 
@@ -119,14 +119,12 @@ getremoteaddress(bl_info_t *bi, struct s *rsl = sizeof(*rss); memset(rss, 0, *rsl); - if (bi->bi_fd != -1) { - if (getpeername(bi->bi_fd, (void *)rss, rsl) != -1) - return 0; - - if (errno != ENOTCONN) { - (*lfun)(LOG_ERR, "getpeername failed (%m)"); - return -1; - } + if (getpeername(bi->bi_fd, (void *)rss, rsl) != -1) + return 0; + + if (errno != ENOTCONN) { + (*lfun)(LOG_ERR, "getpeername failed (%m)"); + return -1; } if (bi->bi_slen == 0) { Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.27 src/external/bsd/blacklist/bin/conf.c:1.28 --- src/external/bsd/blacklist/bin/conf.c:1.27 Wed Mar 11 02:12:08 2020 +++ src/external/bsd/blacklist/bin/conf.c Thu Mar 12 11:31:23 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.27 2020/03/11 02:12:08 roy Exp $ */ +/* $NetBSD: conf.c,v 1.28 2020/03/12 11:31:23 roy Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: conf.c,v 1.27 2020/03/11 02:12:08 roy Exp $"); +__RCSID("$NetBSD: conf.c,v 1.28 2020/03/12 11:31:23 roy Exp $"); #include #ifdef HAVE_LIBUTIL_H @@ -1009,14 +1009,6 @@ conf_find(int fd, uid_t uid, const struc char buf[BUFSIZ]; memset(cr, 0, sizeof(*cr)); - - if (fd == -1) { - cr->c_proto = FSTAR; - cr->c_port = FSTAR; - memcpy(, rss, sizeof(lss)); - goto done_fd; - } - slen = sizeof(lss); memset(, 0, slen); if (getsockname(fd, (void *), ) == -1) { @@ -1059,7 +1051,6 @@ conf_find(int fd, uid_t uid, const struc return NULL; } -done_fd: cr->c_ss = lss; cr->c_lmask = FSTAR; cr->c_uid = (int)uid; Index: src/external/bsd/blacklist/lib/bl.c diff -u src/external/bsd/blacklist/lib/bl.c:1.30 src/external/bsd/blacklist/lib/bl.c:1.31 --- src/external/bsd/blacklist/lib/bl.c:1.30 Wed Mar 11 02:12:08 2020 +++ src/external/bsd/blacklist/lib/bl.c Thu Mar 12 11:31:23 2020 
@@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.30 2020/03/11 02:12:08 roy Exp $ */ +/* $NetBSD: bl.c,v 1.31 2020/03/12 11:31:23 roy Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: bl.c,v 1.30 2020/03/11 02:12:08 roy Exp $"); +__RCSID("$NetBSD: bl.c,v 1.31 2020/03/12 11:31:23 roy Exp $"); #include #include @@ -384,6 +384,7 @@ bl_send(bl_t b, bl_type_t e, int pfd, co if (bl_getsock(b, _ss, sa, slen, ctx) == -1) return -1; + ub.bl.bl_salen = slen; memcpy(ub.bl.bl_data, ctx, ctxlen); @@ -393,17 +394,15 @@ bl_send(bl_t b, bl_type_t e, int pfd, co msg.msg_iovlen = 1; msg.msg_flags = 0; - if (pfd != -1) { - msg.msg_control = ua.ctrl; - msg.msg_controllen = sizeof(ua.ctrl); - - cmsg = CMSG_FIRSTHDR(); - cmsg->cmsg_len = CMSG_LEN(sizeof(int)); - cmsg->cmsg_level = SOL_SOCKET; - cmsg->cmsg_type = SCM_RIGHTS; + msg.msg_control = ua.ctrl; + msg.msg_controllen = sizeof(ua.ctrl); + + cmsg = CMSG_FIRSTHDR(); + cmsg->cmsg_len = CMSG_LEN(sizeof(int)); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; - memcpy(CMSG_DATA(cmsg), , sizeof(pfd)); - } + memcpy(CMSG_DATA(cmsg), , sizeof(pfd)); tried = 0; again: @@ -495,15 +494,14 @@ bl_recv(bl_t b) } - if (!(got & GOT_FD)) - bi->bi_fd = -1; - + if (got != (GOT_CRED|GOT_FD)) { + bl_log(b->b_fun, LOG_ERR, "message missing %s %s", #if GOT_CRED != 0 - if (!(got & GOT_CRED)) { - bl_log(b->b_fun, LOG_ERR, "message missing cred"); + (got & GOT_CRED) == 0 ? "cred" : +#endif + "", (got & GOT_FD) == 0 ? "fd" : ""); return NULL; } -#endif if ((size_t)rlen <= sizeof(ub.bl)) { bl_log(b->b_fun,
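Review bot: in the bl.c bl_send hunk, pfd is again copied into the SCM_RIGHTS cmsg unconditionally, so a caller that still passes -1 (the route(4) and log-file cases named in the log of the commit being reverted) only finds out when sendmsg fails; check `pfd < 0` at the top of bl_send and return -1 with errno set to EBADF, so the failure is explicit and does not depend on how the kernel treats a bogus descriptor in a cmsg.

Review bot: in the bl_recv hunk the restored "message missing %s %s" call prints an empty first word and a double space whenever only one of cred/fd is missing, and with GOT_CRED == 0 the preprocessor leaves `"", (got & GOT_FD) == 0 ? "fd" : ""`, which is always that case; an `#if` inside an argument list is also hard to read. Two plain log calls, one per missing item, would be clearer.

Review bot: the conf_find hunk restores getsockname on the client's fd as the only source of the local endpoint, which is the right trust boundary (the reverted code copied the client-supplied remote address into lss and wildcarded proto and port, so the owner-of-the-port check was skipped); the log says only "at the request of Christos", and that reason belongs in it.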
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: roy Date: Wed Mar 11 02:33:18 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c Log Message: blacklist: Don't remove a ruleset if we have already added it The noted argument is wrong - if it's already been deleted then the id we have for it is invalid. Because we don't track deletions to the ruleset, working it out is problematic at best. Instead, if we have already added the rule treat it as a non-op. This is a valid use case because we might receive a burst of messages in the downstream application for the same address and process them one by one. It's not the job of the downstream application to track blacklistd state. To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 src/external/bsd/blacklist/bin/blacklistd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.41 src/external/bsd/blacklist/bin/blacklistd.c:1.42 --- src/external/bsd/blacklist/bin/blacklistd.c:1.41 Wed Mar 11 02:12:08 2020 +++ src/external/bsd/blacklist/bin/blacklistd.c Wed Mar 11 02:33:18 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.41 2020/03/11 02:12:08 roy Exp $ */ +/* $NetBSD: blacklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "config.h" #endif #include -__RCSID("$NetBSD: blacklistd.c,v 1.41 2020/03/11 02:12:08 roy Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $"); #include #include 
@@ -230,24 +230,19 @@ process(bl_t bl) case BL_ADD: dbi.count++; dbi.last = ts.tv_sec; - if (dbi.id[0]) { + if (c.c_nfail != -1 && dbi.count >= c.c_nfail) { /* - * We should not be getting this since the rule - * should have blocked the address. A possible - * explanation is that someone removed that rule, - * and another would be that we got another attempt - * before we added the rule. In anycase, we remove - * and re-add the rule because we don't want to add - * it twice, because then we'd lose track of it. + * No point in re-adding the rule. + * It might exist already due to latency in processing + * and removing the rule is the wrong thing to do as + * it allows a window to attack again. */ - (*lfun)(LOG_DEBUG, "rule exists %s", dbi.id); - (void)run_change("rem", , dbi.id, 0); - dbi.id[0] = '\0'; - } - if (c.c_nfail != -1 && dbi.count >= c.c_nfail) { - int res = run_change("add", , dbi.id, sizeof(dbi.id)); - if (res == -1) -goto out; + if (dbi.id[0] == '\0') { +int res = run_change("add", , +dbi.id, sizeof(dbi.id)); +if (res == -1) + goto out; + } sockaddr_snprintf(rbuf, sizeof(rbuf), "%a", (void *)); (*lfun)(LOG_INFO,
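Review bot: in the @@ -230,24 hunk the sockaddr_snprintf and the LOG_INFO "blocked %s/%d:%d for %d seconds" line stay outside the new `if (dbi.id[0] == '\0')`, so every attempt past nfail from an already blocked address logs "blocked ..." again although nothing was added; move the log inside the if, or emit a LOG_DEBUG "already blocked" in an else branch so log consumers do not count repeated blocks. Two more things the log should spell out: dbi.last is still updated on every attempt, so if expiry is computed from last plus duration each further attempt extends the block (fine if intended, surprising otherwise); and since deletions are not tracked, an operator who flushes the filter by hand is left with a database entry holding a rule id that no longer exists, and nothing re-adds the rule until the entry expires.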
CVS commit: src/external/bsd/blacklist
Module Name:src Committed By: roy Date: Wed Mar 11 02:12:08 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c conf.c src/external/bsd/blacklist/lib: bl.c Log Message: blacklist: Allow blacklist_sa to work with an invalid fd fd -1 is invalid, so don't query it for protocol, port or address. fd is supposed to represent how the client is connected, but if we are parsing route(4) messages or log files then there is no client connection to interrogate. To generate a diff of this commit: cvs rdiff -u -r1.40 -r1.41 src/external/bsd/blacklist/bin/blacklistd.c cvs rdiff -u -r1.26 -r1.27 src/external/bsd/blacklist/bin/conf.c cvs rdiff -u -r1.29 -r1.30 src/external/bsd/blacklist/lib/bl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.40 src/external/bsd/blacklist/bin/blacklistd.c:1.41 --- src/external/bsd/blacklist/bin/blacklistd.c:1.40 Tue Mar 10 13:36:07 2020 +++ src/external/bsd/blacklist/bin/blacklistd.c Wed Mar 11 02:12:08 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.40 2020/03/10 13:36:07 roy Exp $ */ +/* $NetBSD: blacklistd.c,v 1.41 2020/03/11 02:12:08 roy Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "config.h" #endif #include -__RCSID("$NetBSD: blacklistd.c,v 1.40 2020/03/10 13:36:07 roy Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.41 2020/03/11 02:12:08 roy Exp $"); #include #include 
@@ -119,12 +119,14 @@ getremoteaddress(bl_info_t *bi, struct s *rsl = sizeof(*rss); memset(rss, 0, *rsl); - if (getpeername(bi->bi_fd, (void *)rss, rsl) != -1) - return 0; - - if (errno != ENOTCONN) { - (*lfun)(LOG_ERR, "getpeername failed (%m)"); - return -1; + if (bi->bi_fd != -1) { + if (getpeername(bi->bi_fd, (void *)rss, rsl) != -1) + return 0; + + if (errno != ENOTCONN) { + (*lfun)(LOG_ERR, "getpeername failed (%m)"); + return -1; + } } if (bi->bi_slen == 0) { Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.26 src/external/bsd/blacklist/bin/conf.c:1.27 --- src/external/bsd/blacklist/bin/conf.c:1.26 Tue Mar 10 13:36:07 2020 +++ src/external/bsd/blacklist/bin/conf.c Wed Mar 11 02:12:08 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.26 2020/03/10 13:36:07 roy Exp $ */ +/* $NetBSD: conf.c,v 1.27 2020/03/11 02:12:08 roy Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: conf.c,v 1.26 2020/03/10 13:36:07 roy Exp $"); +__RCSID("$NetBSD: conf.c,v 1.27 2020/03/11 02:12:08 roy Exp $"); #include #ifdef HAVE_LIBUTIL_H @@ -1009,6 +1009,14 @@ conf_find(int fd, uid_t uid, const struc char buf[BUFSIZ]; memset(cr, 0, sizeof(*cr)); + + if (fd == -1) { + cr->c_proto = FSTAR; + cr->c_port = FSTAR; + memcpy(, rss, sizeof(lss)); + goto done_fd; + } + slen = sizeof(lss); memset(, 0, slen); if (getsockname(fd, (void *), ) == -1) { @@ -1051,6 +1059,7 @@ conf_find(int fd, uid_t uid, const struc return NULL; } +done_fd: cr->c_ss = lss; cr->c_lmask = FSTAR; cr->c_uid = (int)uid; Index: src/external/bsd/blacklist/lib/bl.c diff -u src/external/bsd/blacklist/lib/bl.c:1.29 src/external/bsd/blacklist/lib/bl.c:1.30 --- src/external/bsd/blacklist/lib/bl.c:1.29 Tue Mar 10 13:36:08 2020 +++ src/external/bsd/blacklist/lib/bl.c Wed Mar 11 02:12:08 2020 
@@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.29 2020/03/10 13:36:08 roy Exp $ */ +/* $NetBSD: bl.c,v 1.30 2020/03/11 02:12:08 roy Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: bl.c,v 1.29 2020/03/10 13:36:08 roy Exp $"); +__RCSID("$NetBSD: bl.c,v 1.30 2020/03/11 02:12:08 roy Exp $"); #include #include @@ -384,7 +384,6 @@ bl_send(bl_t b, bl_type_t e, int pfd, co if (bl_getsock(b, _ss, sa, slen, ctx) == -1) return -1; - ub.bl.bl_salen = slen; memcpy(ub.bl.bl_data, ctx, ctxlen); @@ -394,15 +393,17 @@ bl_send(bl_t b, bl_type_t e, int pfd, co msg.msg_iovlen = 1; msg.msg_flags = 0; - msg.msg_control = ua.ctrl; - msg.msg_controllen = sizeof(ua.ctrl); - - cmsg = CMSG_FIRSTHDR(); - cmsg->cmsg_len = CMSG_LEN(sizeof(int)); - cmsg->cmsg_level = SOL_SOCKET; - cmsg->cmsg_type = SCM_RIGHTS; + if (pfd != -1) { + msg.msg_control = ua.ctrl; + msg.msg_controllen = sizeof(ua.ctrl); + + cmsg = CMSG_FIRSTHDR(); + cmsg->cmsg_len = CMSG_LEN(sizeof(int)); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; - memcpy(CMSG_DATA(cmsg), , sizeof(pfd)); + memcpy(CMSG_DATA(cmsg), , sizeof(pfd)); + } tried = 0; again: @@ -494,14 +495,15 @@ bl_recv(bl_t b) } - if (got != (GOT_CRED|GOT_FD)) { - bl_log(b->b_fun, LOG_ERR, "message missing %s %s", + if (!(got & GOT_FD)) + bi->bi_fd = -1; + #if GOT_CRED != 0 - (got & GOT_CRED) == 0 ?
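Review bot: in the conf_find hunk, `fd == -1` fills lss from rss (the local endpoint becomes the client-supplied remote address) and wildcards c_proto and c_port, so the getsockname-based check of whether the client owns the local port (described in blacklistd.8 on this page) is skipped for such messages, and the uid from the passed credentials is the only remaining bar; with a permissive configuration entry, any local process able to reach the blacklistd socket could then request blocks for arbitrary addresses. The bl_recv hunk is the receiving side of the same concern, since `if (!(got & GOT_FD)) bi->bi_fd = -1;` accepts descriptor-less messages from any sender. If fd-less reporting is kept, gate it on uid 0 or on entries that explicitly allow it, and say in the log that it is meant only for privileged producers such as a route(4) listener.

Review bot: in the bl_send hunk msg.msg_control and msg.msg_controllen are now assigned only when pfd != -1, while the surrounding code initialises msg field by field (msg_iovlen, msg_flags) rather than with a memset; add an else branch that sets msg_control = NULL and msg_controllen = 0, or confirm msg is zeroed earlier, otherwise sendmsg reads uninitialised control fields.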
CVS commit: src/external/bsd/blacklist
Module Name:src Committed By: roy Date: Tue Mar 10 13:36:08 UTC 2020 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c conf.c run.c support.c src/external/bsd/blacklist/lib: bl.c Log Message: Whitespace police. To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.40 src/external/bsd/blacklist/bin/blacklistd.c cvs rdiff -u -r1.25 -r1.26 src/external/bsd/blacklist/bin/conf.c cvs rdiff -u -r1.14 -r1.15 src/external/bsd/blacklist/bin/run.c cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/bin/support.c cvs rdiff -u -r1.28 -r1.29 src/external/bsd/blacklist/lib/bl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.39 src/external/bsd/blacklist/bin/blacklistd.c:1.40 --- src/external/bsd/blacklist/bin/blacklistd.c:1.39 Wed Nov 6 20:50:01 2019 +++ src/external/bsd/blacklist/bin/blacklistd.c Tue Mar 10 13:36:07 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.40 2020/03/10 13:36:07 roy Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "config.h" #endif #include -__RCSID("$NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.40 2020/03/10 13:36:07 roy Exp $"); #include #include @@ -123,7 +123,7 @@ getremoteaddress(bl_info_t *bi, struct s return 0; if (errno != ENOTCONN) { - (*lfun)(LOG_ERR, "getpeername failed (%m)"); + (*lfun)(LOG_ERR, "getpeername failed (%m)"); return -1; } 
@@ -141,13 +141,13 @@ getremoteaddress(bl_info_t *bi, struct s break; default: (*lfun)(LOG_ERR, "bad client passed socket family %u", - (unsigned)bi->bi_ss.ss_family); + (unsigned)bi->bi_ss.ss_family); return -1; } if (*rsl != bi->bi_slen) { (*lfun)(LOG_ERR, "bad client passed socket length %u != %u", - (unsigned)*rsl, (unsigned)bi->bi_slen); + (unsigned)*rsl, (unsigned)bi->bi_slen); return -1; } @@ -157,7 +157,7 @@ getremoteaddress(bl_info_t *bi, struct s if (*rsl != rss->ss_len) { (*lfun)(LOG_ERR, "bad client passed socket internal length %u != %u", - (unsigned)*rsl, (unsigned)rss->ss_len); + (unsigned)*rsl, (unsigned)rss->ss_len); return -1; } #endif @@ -176,12 +176,12 @@ process(bl_t bl) struct timespec ts; if (clock_gettime(CLOCK_REALTIME, ) == -1) { - (*lfun)(LOG_ERR, "clock_gettime failed (%m)"); + (*lfun)(LOG_ERR, "clock_gettime failed (%m)"); return; } if ((bi = bl_recv(bl)) == NULL) { - (*lfun)(LOG_ERR, "no message (%m)"); + (*lfun)(LOG_ERR, "no message (%m)"); return; } @@ -251,7 +251,6 @@ process(bl_t bl) (*lfun)(LOG_INFO, "blocked %s/%d:%d for %d seconds", rbuf, c.c_lmask, c.c_port, c.c_duration); - } break; case BL_DELETE: @@ -264,7 +263,7 @@ process(bl_t bl) /* ignore for now */ break; default: - (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); + (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); } state_put(state, , ); @@ -306,7 +305,7 @@ update(void) void *ss = _ss; if (clock_gettime(CLOCK_REALTIME, ) == -1) { - (*lfun)(LOG_ERR, "clock_gettime failed (%m)"); + (*lfun)(LOG_ERR, "clock_gettime failed (%m)"); return; } Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.25 src/external/bsd/blacklist/bin/conf.c:1.26 --- src/external/bsd/blacklist/bin/conf.c:1.25 Wed Nov 6 21:01:17 2019 +++ src/external/bsd/blacklist/bin/conf.c Tue Mar 10 13:36:07 2020 
@@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.25 2019/11/06 21:01:17 christos Exp $ */ +/* $NetBSD: conf.c,v 1.26 2020/03/10 13:36:07 roy Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: conf.c,v 1.25 2019/11/06 21:01:17 christos Exp $"); +__RCSID("$NetBSD: conf.c,v 1.26 2020/03/10 13:36:07 roy Exp $"); #include #ifdef HAVE_LIBUTIL_H @@ -173,9 +173,9 @@ again: } break; } - } else + } else tot = im; - + if (e == 0) { c->c_duration = (int)tot; return 0; @@ -214,7 +214,7 @@ static int getmask(const char *f, size_t l, bool local, const char **p, int *mask) { char *d; - const char *s = *p; + const char *s = *p; if ((d = strchr(s, ':')) != NULL) { *d++ = '\0'; @@ -264,7 +264,7 @@ gethostport(const char *f, size_t l, boo sin6->sin6_len = sizeof(*sin6); #endif port = >sin6_port; - } + } } else if (pstr != p || strchr(p, '.') || conf_is_interface(p)) { if (pstr == p) pstr = "*"; @@ -366,11 +366,12 @@ getname(const char *f, size_t l, bool lo { if (getmask(f, l, local, , >c_rmask) == -1) return -1; - + if (strcmp(p, "*") == 0) { strlcpy(c->c_name, rulename, CONFNAMESZ); return 0; } + if (strcmp(p,
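Review bot: the trailing `+ if (strcmp(p,` in the getname() hunk of conf.c is cut off here, but an added `if` line in a commit whose message is only "Whitespace police." suggests a logic change riding along with the tab/space cleanup. Functional changes belong in their own commit so reviewers and `cvs annotate` users can separate them from formatting.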
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: christos Date: Fri Mar 8 20:40:05 UTC 2019 Modified Files: src/external/bsd/blacklist/lib: Makefile Log Message: We don't need to depend on pthreads. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/lib/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/Makefile diff -u src/external/bsd/blacklist/lib/Makefile:1.6 src/external/bsd/blacklist/lib/Makefile:1.7 --- src/external/bsd/blacklist/lib/Makefile:1.6 Tue Jan 5 08:07:46 2016 +++ src/external/bsd/blacklist/lib/Makefile Fri Mar 8 15:40:05 2019 @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.6 2016/01/05 13:07:46 christos Exp $ +# $NetBSD: Makefile,v 1.7 2019/03/08 20:40:05 christos Exp $ .include USE_SHLIBDIR= yes CPPFLAGS+=-D_REENTRANT -LIBDPLIBS+=pthread ${NETBSDSRCDIR}/lib/libpthread +#LIBDPLIBS+=pthread ${NETBSDSRCDIR}/lib/libpthread LIB=blacklist SRCS=bl.c blacklist.c MAN=libblacklist.3
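Review bot: in the lib/Makefile hunk, the pthread LIBDPLIBS line is commented out rather than deleted, and `CPPFLAGS+=-D_REENTRANT` stays, which no longer matches the log message. Remove the dead line (CVS history keeps it) and either drop -D_REENTRANT or add a comment saying why the reentrant libc paths are still wanted without a pthread dependency.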
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed Feb 27 02:20:19 UTC 2019 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c Log Message: Instead of deleting the rules individually use flush to kill them all at once for efficiency. Also when restoring, don't nuke the database (Phil Rulon). To generate a diff of this commit: cvs rdiff -u -r1.37 -r1.38 src/external/bsd/blacklist/bin/blacklistd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.37 src/external/bsd/blacklist/bin/blacklistd.c:1.38 --- src/external/bsd/blacklist/bin/blacklistd.c:1.37 Fri Feb 17 19:26:16 2017 +++ src/external/bsd/blacklist/bin/blacklistd.c Tue Feb 26 21:20:18 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "config.h" #endif #include -__RCSID("$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $"); #include #include @@ -394,7 +394,6 @@ rules_restore(void) for (f = 1; state_iterate(state, , , f) == 1; f = 0) { if (dbi.id[0] == '\0') continue; - (void)run_change("rem", , dbi.id, 0); (void)run_change("add", , dbi.id, sizeof(dbi.id)); } } @@ -491,7 +490,8 @@ main(int argc, char *argv[]) conf_parse(configfile); if (flush) { rules_flush(); - flags |= O_TRUNC; + if (!restore) + flags |= O_TRUNC; } struct pollfd *pfd = NULL; @@ -522,8 +522,11 @@ main(int argc, char *argv[]) if (state == NULL) return EXIT_FAILURE; - if (restore) + if (restore) { + if (!flush) + rules_flush(); rules_restore(); + } if (!debug) { if (daemon(0, 0) == -1)
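Review bot: the rules_restore() hunk drops the per-entry `run_change("rem", ...)`, so the function now relies on the caller having flushed the packet filter first; without that, database entries are re-added on top of rules that still exist. Add a comment above the loop stating this precondition, since the function itself no longer guarantees it.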
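Review bot: the two main() hunks both end up calling rules_flush() whenever -r is given (directly when -f is also set, otherwise inside the `if (restore)` block), only at different points relative to state_open(). A single `if (flush || restore) rules_flush();` before the state is opened would say that more directly, and blacklistd.8 should state that restore now implies a flush of the filter rules. The `if (!restore) flags |= O_TRUNC;` change correctly preserves the database when both flags are given.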
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Tue Sep 18 22:12:19 UTC 2018 Modified Files: src/external/bsd/blacklist/bin: support.c Log Message: fix ymdhms calculation To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/bin/support.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/support.c diff -u src/external/bsd/blacklist/bin/support.c:1.8 src/external/bsd/blacklist/bin/support.c:1.9 --- src/external/bsd/blacklist/bin/support.c:1.8 Mon Apr 4 11:52:56 2016 +++ src/external/bsd/blacklist/bin/support.c Tue Sep 18 18:12:19 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: support.c,v 1.8 2016/04/04 15:52:56 christos Exp $ */ +/* $NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: support.c,v 1.8 2016/04/04 15:52:56 christos Exp $"); +__RCSID("$NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $"); #include #include @@ -105,12 +105,16 @@ fmtydhms(char *b, size_t l, time_t t) s = t % 60; t /= 60; + m = t % 60; t /= 60; - h = t % 60; + + h = t % 24; t /= 24; - d = t % 24; - t /= 356; + + d = t % 365; + t /= 365; + y = t; z = 0;
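Review bot: the fmtydhms() hunk in support.c fixes three separate errors in the old arithmetic (`h = t % 60` instead of `% 24`, `d = t % 24` instead of `% 365`, and `t /= 356`), all of which surfaced only as wrong `blacklistctl dump -r` output. A small test of fmtydhms() against known inputs (60, 3600, 86400 and 365*86400 seconds) would have caught them and would protect the corrected version; consider adding one with the fix. The log message says ymdhms while the function is fmtydhms.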
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Thu May 24 19:21:01 UTC 2018 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.c Log Message: One more possible star. To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/external/bsd/blacklist/bin/blacklistctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.c diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.22 src/external/bsd/blacklist/bin/blacklistctl.c:1.23 --- src/external/bsd/blacklist/bin/blacklistctl.c:1.22 Thu May 24 15:19:37 2018 +++ src/external/bsd/blacklist/bin/blacklistctl.c Thu May 24 15:21:01 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $ */ +/* $NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: blacklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $"); +__RCSID("$NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $"); #include #include @@ -160,7 +160,8 @@ main(int argc, char *argv[]) else fmttime(buf, sizeof(buf), dbi.last); } - printf("%s\t%d/%d\t%-s\n", dbi.id, dbi.count, c.c_nfail, buf); + printf("%s\t%d/%s\t%-s\n", dbi.id, dbi.count, + star(mbuf, sizeof(mbuf), c.c_nfail), buf); } state_close(db); return EXIT_SUCCESS;
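Review bot: the printf hunk in blacklistctl.c reuses mbuf for c_nfail; that is safe only because the earlier printf in the same loop iteration, which formats c_lmask into mbuf, has already completed at this point. A one-line comment, or a third buffer, keeps a later edit from reordering the two calls. The `%-s` conversion is pre-existing, but the `-` flag does nothing without a field width.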
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Thu May 24 19:19:37 UTC 2018 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.c Log Message: handle '*' entries in rules. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/external/bsd/blacklist/bin/blacklistctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.c diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.21 src/external/bsd/blacklist/bin/blacklistctl.c:1.22 --- src/external/bsd/blacklist/bin/blacklistctl.c:1.21 Tue Nov 1 23:15:07 2016 +++ src/external/bsd/blacklist/bin/blacklistctl.c Thu May 24 15:19:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $ */ +/* $NetBSD: blacklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $"); +__RCSID("$NetBSD: blacklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $"); #include #include @@ -67,6 +67,15 @@ usage(int c) exit(EXIT_FAILURE); } +static const char * +star(char *buf, size_t len, int val) +{ + if (val == -1) + return "*"; + snprintf(buf, len, "%d", val); + return buf; +} + int main(int argc, char *argv[]) { @@ -128,9 +137,10 @@ main(int argc, char *argv[]) "address", remain ? "remaining time" : "last access"); for (i = 1; state_iterate(db, , , i) != 0; i = 0) { char buf[BUFSIZ]; + char mbuf[64], pbuf[64]; if (!all) { if (blocked) { -if (dbi.count < c.c_nfail) +if (c.c_nfail == -1 || dbi.count < c.c_nfail) continue; } else { if (dbi.count >= c.c_nfail) 
@@ -138,12 +148,18 @@ main(int argc, char *argv[]) } } sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)_ss); - printf("%*.*s/%d:%d\t", wide, wide, buf, c.c_lmask, c.c_port); - if (remain) - fmtydhms(buf, sizeof(buf), - c.c_duration - (ts.tv_sec - dbi.last)); - else - fmttime(buf, sizeof(buf), dbi.last); + printf("%*.*s/%s:%s\t", wide, wide, buf, + star(mbuf, sizeof(mbuf), c.c_lmask), + star(pbuf, sizeof(pbuf), c.c_port)); + if (c.c_duration == -1) { + strlcpy(buf, "never", sizeof(buf)); + } else { + if (remain) +fmtydhms(buf, sizeof(buf), +c.c_duration - (ts.tv_sec - dbi.last)); + else +fmttime(buf, sizeof(buf), dbi.last); + } printf("%s\t%d/%d\t%-s\n", dbi.id, dbi.count, c.c_nfail, buf); } state_close(db);
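Review bot: in the filtering hunk of main(), the blocked case now skips entries whose rule has nfail '*' (`c.c_nfail == -1`), but the non-blocked `else` branch still tests `dbi.count >= c.c_nfail`, which is always true for -1, so such entries are hidden from both listings and appear only with -a. If a '*' rule means the address is never blocked, the else branch should treat its entries as not blocked: `if (c.c_nfail != -1 && dbi.count >= c.c_nfail) continue;`.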
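Review bot: in the duration hunk, `if (c.c_duration == -1)` prints "never" in both display modes, but when `remain` is false the column header printed above is "last access", and dbi.last is still meaningful for a permanent rule. Only the remaining-time path should be replaced: `if (remain) { if (c.c_duration == -1) strlcpy(buf, "never", sizeof(buf)); else fmtydhms(buf, sizeof(buf), c.c_duration - (ts.tv_sec - dbi.last)); } else fmttime(buf, sizeof(buf), dbi.last);`.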
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Wed May 23 16:03:07 UTC 2018 Modified Files: src/external/bsd/blacklist/diff: ssh.diff Log Message: refresh the diffs to the latest portable To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/diff/ssh.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/diff/ssh.diff diff -u src/external/bsd/blacklist/diff/ssh.diff:1.9 src/external/bsd/blacklist/diff/ssh.diff:1.10 --- src/external/bsd/blacklist/diff/ssh.diff:1.9 Mon Jun 26 13:12:05 2017 +++ src/external/bsd/blacklist/diff/ssh.diff Wed May 23 12:03:07 2018 
@@ -62,174 +62,89 @@ diff -u -u -r1.10 Makefile + +LDADD+= -lblacklist +DPADD+= ${LIBBLACKLIST} -Index: dist/auth.c -=== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v -retrieving revision 1.10 -diff -u -u -r1.10 auth.c dist/auth.c 19 Oct 2014 16:30:58 - 1.10 -+++ dist/auth.c 22 Jan 2015 21:39:22 - -@@ -62,6 +62,7 @@ - #include "monitor_wrap.h" - #include "krl.h" - #include "compat.h" -+#include "pfilter.h" - - #ifdef HAVE_LOGIN_CAP - #include -@@ -362,6 +363,8 @@ - compat20 ? "ssh2" : "ssh1", - authctxt->info != NULL ? ": " : "", - authctxt->info != NULL ? authctxt->info : ""); -+ if (!authctxt->postponed) -+ pfilter_notify(!authenticated); - free(authctxt->info); - authctxt->info = NULL; - } -Index: dist/sshd.c -=== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v -retrieving revision 1.15 -diff -u -u -r1.15 sshd.c dist/sshd.c 28 Oct 2014 21:36:16 - 1.15 -+++ dist/sshd.c 22 Jan 2015 21:39:22 - -@@ -109,6 +109,7 @@ - #include "roaming.h" - #include "ssh-sandbox.h" - #include "version.h" -+#include "pfilter.h" - - #ifdef LIBWRAP - #include -@@ -364,6 +365,7 @@ - killpg(0, SIGTERM); - } - -+ pfilter_notify(1); - /* Log error and exit. */ - sigdie("Timeout before authentication for %s", get_remote_ipaddr()); - } -@@ -1160,6 +1162,7 @@ - for (i = 0; i < options.max_startups; i++) - startup_pipes[i] = -1; - -+ pfilter_init(); - /* - * Stay listening for connections until the system crashes or - * the daemon is killed with a signal. 
-Index: auth1.c -=== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v -retrieving revision 1.9 -diff -u -u -r1.9 auth1.c auth1.c 19 Oct 2014 16:30:58 - 1.9 -+++ auth1.c 14 Feb 2015 15:40:51 - -@@ -41,6 +41,7 @@ +diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c +--- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.0 -0400 dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400 +@@ -103,6 +103,7 @@ + #include "ssh-gss.h" #endif #include "monitor_wrap.h" - #include "buffer.h" +#include "pfilter.h" - /* import */ extern ServerOptions options; -@@ -445,6 +446,7 @@ - else { - debug("do_authentication: invalid user %s", user); - authctxt->pw = fakepw(); -+ pfilter_notify(1); - } + extern Buffer loginmsg; +@@ -526,6 +527,7 @@ + ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, ); + else + ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, ); ++ pfilter_notify(1); + buffer_free(); + pthread_exit(NULL); - /* Configuration may have changed as a result of Match */ -Index: auth2.c -=== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v -retrieving revision 1.9 -diff -u -u -r1.9 auth2.c auth2.c 19 Oct 2014 16:30:58 - 1.9 -+++ auth2.c 14 Feb 2015 15:40:51 - -@@ -52,6 +52,7 @@ +@@ -804,6 +806,7 @@ + free(msg); + return (0); + } ++ pfilter_notify(1); + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? 
"" : "illegal user ", + sshpam_authctxt->user, +diff -ru openssh-7.7p1/auth2.c dist/auth2.c +--- openssh-7.7p1/auth2.c 2018-04-02 01:38:28.0 -0400 dist/auth2.c 2018-05-23 11:57:31.022197317 -0400 +@@ -51,6 +51,7 @@ + #include "dispatch.h" #include "pathnames.h" #include "buffer.h" - #include "canohost.h" +#include "pfilter.h" #ifdef GSSAPI #include "ssh-gss.h" -@@ -256,6 +257,7 @@ +@@ -242,6 +243,7 @@ } else { - logit("input_userauth_request: invalid user %s", user); + /* Invalid user, fake password information */ authctxt->pw = fakepw(); + pfilter_notify(1); - } - #ifdef USE_PAM - if (options.use_pam) -Index: sshd.c -=== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v -retrieving revision 1.16 -diff -u -r1.16 sshd.c sshd.c 25 Jan 2015 15:52:44 - 1.16 -+++ sshd.c 14 Feb 2015 09:55:06 - -@@ -628,6 +628,8 @@ - explicit_bzero(pw->pw_passwd,
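Review bot: in the first auth-pam.c hunk, `pfilter_notify(1)` is placed in the PAM conversation thread immediately before `pthread_exit(NULL)`. pfilter_notify() keeps its handle in a static `blstate` (see the dist/pfilter.c hunk of the 2017 ssh.diff commit further down this page), so notifications from the PAM thread and from the main sshd thread can race on opening and closing that handle. Either defer the notification to the main thread once the PAM result has been read, or guard blstate.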
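Review bot: the refreshed diff removes the auth.c hook `pfilter_notify(!authenticated)`, which fired on every completed authentication attempt with the outcome, and every notification visible in the new hunks is `pfilter_notify(1)` (a failure). Unless a success notification survives in a part of ssh.diff outside this hunk, `blacklist_r(..., 0, ...)` is never sent, so the daemon cannot reset an address's failure count after a successful login and the `a == 0` close path in pfilter.c is unreachable. Please confirm where the success call now lives.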
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Thu Feb 1 03:32:31 UTC 2018 Added Files: src/external/bsd/blacklist/diff: postfix.diff Log Message: add a diff for smtpd To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/external/bsd/blacklist/diff/postfix.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Added files: Index: src/external/bsd/blacklist/diff/postfix.diff diff -u /dev/null src/external/bsd/blacklist/diff/postfix.diff:1.1 --- /dev/null Wed Jan 31 22:32:31 2018 +++ src/external/bsd/blacklist/diff/postfix.diff Wed Jan 31 22:32:31 2018 
@@ -0,0 +1,82 @@ +Index: dist/src/smtpd/pfilter.c +=== +RCS file: dist/src/smtpd/pfilter.c +diff -N dist/src/smtpd/pfilter.c +--- /dev/null 1 Jan 1970 00:00:00 - dist/src/smtpd/pfilter.c 1 Feb 2018 03:29:09 - +@@ -0,0 +1,19 @@ ++#include "pfilter.h" ++#include /* for NULL */ ++#include ++ ++static struct blacklist *blstate; ++ ++void ++pfilter_notify(int a, int fd) ++{ ++ if (blstate == NULL) ++ blstate = blacklist_open(); ++ if (blstate == NULL) ++ return; ++ (void)blacklist_r(blstate, a, fd, "smtpd"); ++ if (a == 0) { ++ blacklist_close(blstate); ++ blstate = NULL; ++ } ++} +Index: dist/src/smtpd/pfilter.h +=== +RCS file: dist/src/smtpd/pfilter.h +diff -N dist/src/smtpd/pfilter.h +--- /dev/null 1 Jan 1970 00:00:00 - dist/src/smtpd/pfilter.h 1 Feb 2018 03:29:09 - +@@ -0,0 +1,2 @@ ++ ++void pfilter_notify(int, int); +Index: dist/src/smtpd/smtpd.c +=== +RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v +retrieving revision 1.14 +diff -u -r1.14 smtpd.c +--- dist/src/smtpd/smtpd.c 14 Feb 2017 01:16:48 - 1.14 dist/src/smtpd/smtpd.c 1 Feb 2018 03:29:09 - +@@ -1197,6 +1197,8 @@ + #include + #include + ++#include "pfilter.h" ++ + /* + * Tunable parameters. 
Make sure that there is some bound on the length of + * an SMTP command, so that the mail system stays in control even when a +@@ -5048,6 +5050,7 @@ + if (state->error_count >= var_smtpd_hard_erlim) { + state->reason = REASON_ERROR_LIMIT; + state->error_mask |= MAIL_ERROR_PROTOCOL; ++ pfilter_notify(1, vstream_fileno(state->client)); + smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors", + var_myhostname); + break; +Index: libexec/smtpd/Makefile +=== +RCS file: /cvsroot/src/external/ibm-public/postfix/libexec/smtpd/Makefile,v +retrieving revision 1.6 +diff -u -r1.6 Makefile +--- libexec/smtpd/Makefile 21 May 2017 15:28:40 - 1.6 libexec/smtpd/Makefile 1 Feb 2018 03:29:09 - +@@ -13,11 +13,14 @@ + SRCS= smtpd.c smtpd_token.c smtpd_check.c smtpd_chat.c smtpd_state.c \ + smtpd_peer.c smtpd_sasl_proto.c smtpd_sasl_glue.c smtpd_proxy.c \ + smtpd_xforward.c smtpd_dsn_fix.c smtpd_milter.c smtpd_resolve.c \ +- smtpd_expand.c smtpd_haproxy.c ++ smtpd_expand.c smtpd_haproxy.c pfilter.c + + DPADD+= ${LIBPMASTER} ${LIBPMILTER} ${LIBPGLOBAL} ${LIBPDNS} ${LIBPXSASL} + LDADD+= ${LIBPMASTER} ${LIBPMILTER} ${LIBPGLOBAL} ${LIBPDNS} ${LIBPXSASL} + ++DPADD+= ${LIBBLACKLIST} ++LDADD+= -lblacklist ++ + DPADD+= ${LIBPTLS} ${LIBSSL} ${LIBCRYPTO} + LDADD+= ${LIBPTLS} -lssl -lcrypto +
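Review bot: pfilter_notify() in the new dist/src/smtpd/pfilter.c opens the blacklist handle lazily and closes it only when `a == 0`, but smtpd.c in this patch only ever calls `pfilter_notify(1, ...)`, so the handle stays open for the life of the smtpd process. That is acceptable for a long-running server, but say so in a comment. The two-line pfilter.h should also carry an include guard like the other smtpd headers.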
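Review bot: the smtpd.c hunk reports a failure only when `state->error_count >= var_smtpd_hard_erlim`, i.e. once the hard error limit is reached and the 421 is sent. That is a conservative trigger (one report per abusive session, no penalty for isolated typos), but it means SASL authentication failures are not reported; if the goal includes brute-force SMTP AUTH, a second hook in the SASL path is needed. Passing `vstream_fileno(state->client)` lets blacklistd recover the peer address itself with getpeername(), which matches how the daemon validates reports.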
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: abhinav Date: Sun Oct 22 10:31:57 UTC 2017 Modified Files: src/external/bsd/blacklist/lib: libblacklist.3 Log Message: Add comma between Nm entries To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/lib/libblacklist.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/libblacklist.3 diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.7 src/external/bsd/blacklist/lib/libblacklist.3:1.8 --- src/external/bsd/blacklist/lib/libblacklist.3:1.7 Sat Feb 4 23:33:56 2017 +++ src/external/bsd/blacklist/lib/libblacklist.3 Sun Oct 22 10:31:57 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: libblacklist.3,v 1.7 2017/02/04 23:33:56 wiz Exp $ +.\" $NetBSD: libblacklist.3,v 1.8 2017/10/22 10:31:57 abhinav Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -35,7 +35,7 @@ .Nm blacklist_close , .Nm blacklist_r , .Nm blacklist , -.Nm blacklist_sa +.Nm blacklist_sa , .Nm blacklist_sa_r .Nd Blacklistd notification library .Sh LIBRARY
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Mon Jun 26 17:12:05 UTC 2017 Modified Files: src/external/bsd/blacklist/diff: ssh.diff Log Message: amend the patch to close. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/diff/ssh.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/diff/ssh.diff diff -u src/external/bsd/blacklist/diff/ssh.diff:1.8 src/external/bsd/blacklist/diff/ssh.diff:1.9 --- src/external/bsd/blacklist/diff/ssh.diff:1.8 Fri Jan 22 19:05:38 2016 +++ src/external/bsd/blacklist/diff/ssh.diff Mon Jun 26 13:12:05 2017 @@ -1,6 +1,6 @@ --- /dev/null 2015-01-22 23:10:33.0 -0500 +++ dist/pfilter.c 2015-01-22 23:46:03.0 -0500 -@@ -0,0 +1,28 @@ +@@ -0,0 +1,32 @@ +#include "namespace.h" +#include "includes.h" +#include "ssh.h" @@ -28,6 +28,10 @@ + // XXX: 3? + fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3; + (void)blacklist_r(blstate, a, fd, "ssh"); ++ if (a == 0) { ++ blacklist_close(blstate); ++ blstate = NULL; ++ } +} --- /dev/null 2015-01-20 21:14:44.0 -0500 +++ dist/pfilter.h 2015-01-20 20:16:20.0 -0500
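Review bot: the added `if (a == 0) { blacklist_close(blstate); blstate = NULL; }` in dist/pfilter.c correctly releases the socket after a successful authentication, and the hunk header change from 28 to 32 lines matches the four added lines. The `// XXX: 3?` fallback just above, which passes descriptor 3 when the connection is not on a socket, remains unresolved; the daemon validates that descriptor with getpeername(), so a wrong guess produces a logged error rather than a report. Resolve or document the XXX.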
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: wiz Date: Wed Jun 7 13:50:57 UTC 2017 Modified Files: src/external/bsd/blacklist/bin: blacklistd.conf.5 Log Message: Add missing argument to macro. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/bin/blacklistd.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.conf.5 diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.6 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.7 --- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.6 Mon Jun 5 21:34:58 2017 +++ src/external/bsd/blacklist/bin/blacklistd.conf.5 Wed Jun 7 13:50:57 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.conf.5,v 1.6 2017/06/05 21:34:58 sevan Exp $ +.\" $NetBSD: blacklistd.conf.5,v 1.7 2017/06/07 13:50:57 wiz Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -201,7 +201,7 @@ or the block duration. Configuration file. .El .Sh EXAMPLES -.Bd -literal -offset +.Bd -literal -offset 8n # Block ssh, after 3 attempts for 6 hours on the bnx0 interface [local] # location type proto owner name nfail duration
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: sevan Date: Mon Jun 5 21:34:58 UTC 2017 Modified Files: src/external/bsd/blacklist/bin: blacklistd.conf.5 Log Message: Improve wording. Bump date. ok christos To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/bin/blacklistd.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.conf.5 diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.5 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.6 --- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.5 Wed Jun 8 12:48:37 2016 +++ src/external/bsd/blacklist/bin/blacklistd.conf.5 Mon Jun 5 21:34:58 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.conf.5,v 1.5 2016/06/08 12:48:37 wiz Exp $ +.\" $NetBSD: blacklistd.conf.5,v 1.6 2017/06/05 21:34:58 sevan Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 7, 2016 +.Dd June 5, 2017 .Dt BLACKLISTD.CONF 5 .Os .Sh NAME @@ -36,12 +36,13 @@ .Sh DESCRIPTION The .Nm -files contains configuration lines for -.Xr blacklistd 8 . -It contains one entry per line, and is similar to +files contains configuration entries for +.Xr blacklistd 8 +in a fashion similar to .Xr inetd.conf 5 . -There must be an entry for each field of the configuration file, with -entries for each field separated by a tab or a space. +Only one entry per line is permitted. +Every entry must have all fields populated. +Each field can be separated by a tab or a space. Comments are denoted by a .Dq # at the beginning of a line. 
@@ -109,7 +110,7 @@ The can be an IPv4 address in numeric format, an IPv6 address in numeric format and enclosed by square brackets, or an interface name. Mask modifiers are not allowed on interfaces because interfaces -have multiple address in different protocols where the mask has a different +can have multiple addresses in different protocols where the mask has a different size. .Pp The @@ -150,8 +151,8 @@ If the contains a .Dq / , the remaining portion of the name is interpreted as the mask to be -applied to the address specified in the rule, so one can block whole -subnets for a single rule violation. +applied to the address specified in the rule, causing a single rule violation to +block the entire subnet for the configured prefix. .Pp The .Va nfail @@ -176,10 +177,11 @@ for days. .Pp Matching is done first by checking the .Va local -rules one by one, from the most specific to the least specific. +rules individually, in the order of the most specific to the least specific. If a match is found, then the .Va remote -rules are applied, and if a match is found the +rules are applied. +The .Va name , .Va nfail , and @@ -191,8 +193,8 @@ rule that matched. The .Va remote rules can be used for whitelisting specific addresses, changing the mask -size, or the rule that the packet filter uses, the number of failed attempts, -or the blocked duration. +size, the rule that the packet filter uses, the number of failed attempts, +or the block duration. .Sh FILES .Bl -tag -width /etc/blacklistd.conf -compact .It Pa /etc/blacklistd.conf
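Review bot: in the DESCRIPTION hunk, `files contains configuration entries for` has a number disagreement; `.Nm` names a single file, so it should read `file contains`. The rest of the rewording reads well.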
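Review bot: in the Matching hunk of blacklistd.conf.5, splitting `rules are applied, and if a match is found the` into `rules are applied. The .Va name , .Va nfail , and ...` drops the condition: the remote rule's name, nfail and duration replace the local rule's values only when a remote rule actually matched. Keep the qualifier, for example `If a remote rule matches, its .Va name , .Va nfail , and ... are taken from that rule.`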
CVS commit: src/external/bsd/blacklist
Module Name:src Committed By: christos Date: Thu Apr 13 17:59:34 UTC 2017 Modified Files: src/external/bsd/blacklist: README Log Message: Explain a bit more how to examine the blacklist state. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/README Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/README diff -u src/external/bsd/blacklist/README:1.7 src/external/bsd/blacklist/README:1.8 --- src/external/bsd/blacklist/README:1.7 Sun Jan 25 19:34:50 2015 +++ src/external/bsd/blacklist/README Thu Apr 13 13:59:34 2017 @@ -1,4 +1,4 @@ -# $NetBSD: README,v 1.7 2015/01/26 00:34:50 christos Exp $ +# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $ This package contains library that can be used by network daemons to communicate with a packet filter via a daemon to enforce opening and @@ -98,6 +98,16 @@ group "internal" on $int_if { ... } +You can use 'blacklistctl dump -a' to list all the current entries +in the database; the ones that have nfail / where urrent +>= otal, should have an id assosiated with them; this means that +there is a packet filter rule added for that entry. For npf, you +can examine the packet filter dynamic rule entries using 'npfctl +rule list'. The number of current entries can exceed +the total. This happens because entering packet filter rules is +asynchronous; there could be other connection before the rule +becomes activated. + Enjoy, christos
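Review bot: the README hunk has spelling errors in the added paragraph: `assosiated` should be `associated` and `other connection` should be `other connections`. The fragment `nfail / where urrent >= otal` is also garbled and should be a plain sentence (entries whose current count is greater than or equal to the total). The observation that the count can exceed nfail because rule insertion is asynchronous is a useful operational detail and worth keeping.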
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Fri Mar 17 20:42:43 UTC 2017 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: fixes from FreeBSD via Kurt Lidl To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 \ src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.11 src/external/bsd/blacklist/libexec/blacklistd-helper:1.12 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.11 Thu Jun 9 16:02:52 2016 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Fri Mar 17 16:42:42 2017 @@ -10,10 +10,10 @@ # $7 id pf= -if [ -z "$pf" -a -f "/etc/ipfw-blacklist.rc" ]; then - pf="ipfw" - . /etc/ipfw-blacklist.rc - ipfw_offset=${ipfw_offset:-2000} +if [ -f "/etc/ipfw-blacklist.rc" ]; then + pf="ipfw" + . /etc/ipfw-blacklist.rc + ipfw_offset=${ipfw_offset:-2000} fi if [ -z "$pf" ]; then @@ -52,9 +52,10 @@ case "$1" in add) case "$pf" in ipf) - /sbin/ipfstat -io | /sbin/ipf -I -f - - echo block in quick proto $proto from $addr/$mask to \ - any port=$port head $port$6 | /sbin/ipf -I -f - -s + /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 + echo block in quick $proto from $addr/$mask to \ + any port=$6 head port$6 | \ + /sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK ;; ipfw) # use $ipfw_offset+$port for rule number 
@@ -62,52 +63,62 @@ add) tname="port$6" /sbin/ipfw table $tname create type addr 2>/dev/null /sbin/ipfw -q table $tname add "$addr/$mask" - /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \ - any dst-port $6 + # if rule number $rule does not already exist, create it + /sbin/ipfw show $rule >/dev/null 2>&1 || \ + /sbin/ipfw add $rule drop $3 from \ + table"("$tname")" to any dst-port $6 >/dev/null && \ + echo OK ;; npf) /sbin/npfctl rule "$2" add block in final $proto from \ "$addr/$mask" to any $port ;; pf) - # insert $ip/$mask into per-protocol anchored table - /sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask" - echo "block in quick $proto fromto any $port" | \ - /sbin/pfctl -a "$2" -f - + # if the filtering rule does not exist, create it + /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \ + grep -q " " || \ + echo "block in quick $proto from to any $port" | \ + /sbin/pfctl -a "$2/$6" -f - + # insert $ip/$mask into per-protocol/port anchored table + /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \ + echo OK ;; esac ;; rem) case "$pf" in ipf) - /sbin/ipfstat -io | /sbin/ipf -I -f - - echo block in quick proto $proto from $addr/$mask to any \ - port =$port head port$6 | /sbin/ipf -r -f - -s + /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 + echo block in quick $proto from $addr/$mask to \ + any port=$6 head port$6 | \ + /sbin/ipf -I -r -f - -s >/dev/null 2>&1 && echo OK ;; ipfw) - /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null + /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \ + echo OK ;; npf) /sbin/npfctl rule "$2" rem-id "$7" ;; pf) - /sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask" + /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ + echo OK ;; esac ;; flush) - case "$pf" in + case "$pf" in ipf) - /sbin/ipf -Z -I -Fa -s + /sbin/ipf -Z -I -Fi -s > /dev/null && echo OK ;; ipfw) - /sbin/ipfw table "port$6" flush 2>/dev/null + /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK ;; npf) 
/sbin/npfctl rule "$2" flush ;; pf) - /sbin/pfctl -a "$2" -t "port$6" -T flush + /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK ;; esac ;;
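Review bot: in the ipf add hunk, `/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1` now hides both the exit status and the diagnostics of the step that copies the active ruleset into the inactive set, and the following `/sbin/ipf -I -f - -s` swaps regardless; if that copy fails the swap activates an inactive set that need not match what was running, and the script still prints OK because only the last command is tested. Check the pipeline's status (at least keep its stderr) before swapping; the rem branch in the next hunk has the same shape.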
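Review bot: three points in the large hunk. In the ipfw add branch `/sbin/ipfw -q table $tname add "$addr/$mask"` still has its exit status ignored, so OK is printed whenever `ipfw show $rule` succeeds even if the table insert failed and the address is not actually blocked; chain it into the `&& echo OK` condition the way the pf branch now chains `pfctl ... -T add`. In the pf add branch the existence check `pfctl -a "$2/$6" -sr 2>/dev/null | grep -q " "` matches any rule containing a space rather than the block rule, and the rule text reads `block in quick $proto from to any $port` with nothing between `from` and `to`; grep for the `port$6` table name and make sure the table reference is present in the installed rule. In the ipf flush branch `/sbin/ipf -Z -I -Fi -s` flushes every inbound rule in the inactive set and swaps it in without the `ipfstat -io | ipf -I -f -` copy that add and rem perform, so a flush appears to drop all inbound ipf rules, not only the `port$6` head groups blacklistd created.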
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Sat Feb 18 00:26:16 UTC 2017 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c Log Message: more debugging from Kurt Lidl To generate a diff of this commit: cvs rdiff -u -r1.36 -r1.37 src/external/bsd/blacklist/bin/blacklistd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.36 src/external/bsd/blacklist/bin/blacklistd.c:1.37 --- src/external/bsd/blacklist/bin/blacklistd.c:1.36 Sun Jan 8 22:05:48 2017 +++ src/external/bsd/blacklist/bin/blacklistd.c Fri Feb 17 19:26:16 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.36 2017/01/09 03:05:48 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "config.h" #endif #include -__RCSID("$NetBSD: blacklistd.c,v 1.36 2017/01/09 03:05:48 christos Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $"); #include #include @@ -207,7 +207,7 @@ process(bl_t bl) if (debug) { char b1[128], b2[128]; - (*lfun)(LOG_DEBUG, "%s: db state info for %s: count=%d/%d " + (*lfun)(LOG_DEBUG, "%s: initial db state for %s: count=%d/%d " "last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail, fmttime(b1, sizeof(b1), dbi.last), fmttime(b2, sizeof(b2), ts.tv_sec)); 
@@ -246,15 +246,24 @@ process(bl_t bl) case BL_DELETE: if (dbi.last == 0) goto out; + dbi.count = 0; dbi.last = 0; break; default: (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); } - if (state_put(state, , ) == -1) - goto out; + state_put(state, , ); + out: close(bi->bi_fd); + + if (debug) { + char b1[128], b2[128]; + (*lfun)(LOG_DEBUG, "%s: final db state for %s: count=%d/%d " + "last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail, + fmttime(b1, sizeof(b1), dbi.last), + fmttime(b2, sizeof(b2), ts.tv_sec)); + } } static void @@ -393,7 +402,7 @@ rules_restore(void) int main(int argc, char *argv[]) { - int c, tout, flags, flush, restore; + int c, tout, flags, flush, restore, ret; const char *spath, **blsock; size_t nblsock, maxblsock; @@ -528,7 +537,10 @@ main(int argc, char *argv[]) readconf = 0; conf_parse(configfile); } - switch (poll(pfd, (nfds_t)nfd, tout)) { + ret = poll(pfd, (nfds_t)nfd, tout); + if (debug) + (*lfun)(LOG_DEBUG, "received %d from poll()", ret); + switch (ret) { case -1: if (errno == EINTR) continue;
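Review bot: in the BL_DELETE hunk, dropping the `== -1` test on `state_put()` makes a failed database write silent; both branches reach `out:` anyway, so nothing was gained by removing it, but the error path was lost. Log at LOG_ERR there (or inside state_put) so a daemon that can no longer persist counts is noticed. Also, the new "final db state" message sits after `out:` and so is emitted on the `goto out` paths where no state was written; label it so it is not read as a committed update.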
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: wiz Date: Sat Feb 4 23:33:56 UTC 2017 Modified Files: src/external/bsd/blacklist/lib: libblacklist.3 Log Message: Quote - to make it a minus. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/lib/libblacklist.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/libblacklist.3 diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.6 src/external/bsd/blacklist/lib/libblacklist.3:1.7 --- src/external/bsd/blacklist/lib/libblacklist.3:1.6 Tue Jan 31 16:55:04 2017 +++ src/external/bsd/blacklist/lib/libblacklist.3 Sat Feb 4 23:33:56 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: libblacklist.3,v 1.6 2017/01/31 16:55:04 abhinav Exp $ +.\" $NetBSD: libblacklist.3,v 1.7 2017/02/04 23:33:56 wiz Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -121,7 +121,7 @@ and return .Dv 0 on success and -.Dv -1 +.Dv \-1 on failure setting .Dv errno to an appropriate value.
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: abhinav Date: Tue Jan 31 16:55:04 UTC 2017 Modified Files: src/external/bsd/blacklist/lib: libblacklist.3 Log Message: Correct the function names in the RETURN VALUES section and use markup for errno. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/lib/libblacklist.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/libblacklist.3 diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.5 src/external/bsd/blacklist/lib/libblacklist.3:1.6 --- src/external/bsd/blacklist/lib/libblacklist.3:1.5 Tue Jan 31 16:31:21 2017 +++ src/external/bsd/blacklist/lib/libblacklist.3 Tue Jan 31 16:55:04 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: libblacklist.3,v 1.5 2017/01/31 16:31:21 abhinav Exp $ +.\" $NetBSD: libblacklist.3,v 1.6 2017/01/31 16:55:04 abhinav Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -106,18 +106,25 @@ All functions log errors to .Xr syslogd 8 . .Sh RETURN VALUES The function -.Fn bl_open +.Fn blacklist_open returns a cookie on success and .Dv NULL -on failure setting errno to an appropriate value. -.Pp -The -.Fn bl_send -function returns +on failure setting +.Dv errno +to an appropriate value. +.Pp +The functions +.Fn blacklist , +.Fn blacklist_sa , +and +.Fn blacklist_sa_r +return .Dv 0 on success and .Dv -1 -on failure setting errno to an appropriate value. +on failure setting +.Dv errno +to an appropriate value. .Sh SEE ALSO .Xr blacklistd.conf 5 , .Xr blacklistd 8
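Review bot: the RETURN VALUES hunk names `blacklist`, `blacklist_sa` and `blacklist_sa_r` but not `blacklist_r`, which the NAME section also documents (its `.Nm blacklist_r` entry is visible in the libblacklist.3 1.4 commit further down this page); add it to the same sentence so all the int-returning entry points are covered.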
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: abhinav Date: Tue Jan 31 16:31:21 UTC 2017 Modified Files: src/external/bsd/blacklist/lib: libblacklist.3 Log Message: Fix a sentence. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/lib/libblacklist.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/libblacklist.3 diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.4 src/external/bsd/blacklist/lib/libblacklist.3:1.5 --- src/external/bsd/blacklist/lib/libblacklist.3:1.4 Tue Jan 31 16:23:18 2017 +++ src/external/bsd/blacklist/lib/libblacklist.3 Tue Jan 31 16:31:21 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: libblacklist.3,v 1.4 2017/01/31 16:23:18 abhinav Exp $ +.\" $NetBSD: libblacklist.3,v 1.5 2017/01/31 16:31:21 abhinav Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -62,7 +62,7 @@ block or release port access to prevent .Pp The function .Fn blacklist_open -creates a the necessary state to communicate with +creates the necessary state to communicate with .Xr blacklistd 8 and returns a pointer to it, or .Dv NULL
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: abhinav Date: Tue Jan 31 16:23:19 UTC 2017 Modified Files: src/external/bsd/blacklist/lib: libblacklist.3 Log Message: Remove comma after the last Nm entry. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/external/bsd/blacklist/lib/libblacklist.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/libblacklist.3 diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.3 src/external/bsd/blacklist/lib/libblacklist.3:1.4 --- src/external/bsd/blacklist/lib/libblacklist.3:1.3 Sun Jan 25 23:09:28 2015 +++ src/external/bsd/blacklist/lib/libblacklist.3 Tue Jan 31 16:23:18 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: libblacklist.3,v 1.3 2015/01/25 23:09:28 wiz Exp $ +.\" $NetBSD: libblacklist.3,v 1.4 2017/01/31 16:23:18 abhinav Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -36,7 +36,7 @@ .Nm blacklist_r , .Nm blacklist , .Nm blacklist_sa -.Nm blacklist_sa_r , +.Nm blacklist_sa_r .Nd Blacklistd notification library .Sh LIBRARY .Lb libblacklist
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Mon Jan 9 03:05:48 UTC 2017 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c Log Message: PR/51801: Matthew Mondor: Support multiple -s options and -P and -s at the same time. To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.36 src/external/bsd/blacklist/bin/blacklistd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.35 src/external/bsd/blacklist/bin/blacklistd.c:1.36 --- src/external/bsd/blacklist/bin/blacklistd.c:1.35 Mon Sep 26 15:43:43 2016 +++ src/external/bsd/blacklist/bin/blacklistd.c Sun Jan 8 22:05:48 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.36 2017/01/09 03:05:48 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "config.h" #endif #include -__RCSID("$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.36 2017/01/09 03:05:48 christos Exp $"); #include #include @@ -394,12 +394,14 @@ int main(int argc, char *argv[]) { int c, tout, flags, flush, restore; - const char *spath, *blsock; + const char *spath, **blsock; + size_t nblsock, maxblsock; setprogname(argv[0]); spath = NULL; - blsock = _PATH_BLSOCK; + blsock = NULL; + maxblsock = nblsock = 0; flush = 0; restore = 0; tout = 0; @@ -431,7 +433,17 @@ main(int argc, char *argv[]) restore++; break; case 's': - blsock = optarg; + if (nblsock >= maxblsock) { +maxblsock += 10; +void *p = realloc(blsock, +sizeof(*blsock) * maxblsock); +if (p == NULL) +err(EXIT_FAILURE, + "Can't allocate memory for %zu sockets", + maxblsock); +blsock = p; + } + blsock[nblsock++] = optarg; break; case 't': tout = atoi(optarg) * 1000; 
@@ -478,9 +490,11 @@ main(int argc, char *argv[]) size_t nfd = 0; size_t maxfd = 0; - if (spath == NULL) - addfd(, , , , blsock); - else { + for (size_t i = 0; i < nblsock; i++) + addfd(, , , , blsock[i]); + free(blsock); + + if (spath) { FILE *fp = fopen(spath, "r"); char *line; if (fp == NULL) @@ -490,6 +504,8 @@ main(int argc, char *argv[]) addfd(, , , , line); fclose(fp); } + if (nfd == 0) + addfd(, , , , _PATH_BLSOCK); state = state_open(dbfile, flags, 0600); if (state == NULL)
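Review bot: in the last hunk the fallback `if (nfd == 0) addfd(..., _PATH_BLSOCK)` changes the behaviour of `-P`: a sockpaths file that yields no entries used to leave the daemon with no sockets, and now silently opens the default socket instead. That is a reasonable default, but blacklistd.8 should state that the default socket is opened only when neither `-s` nor `-P` produced one. The `free(blsock)` after the loop is fine since only the array was allocated and the strings belong to argv.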
CVS commit: src/external/bsd/blacklist/port
Module Name:src Committed By: jnemeth Date: Sat Nov 26 02:12:18 UTC 2016 Modified Files: src/external/bsd/blacklist/port: Makefile.am Log Message: Set path for includes_HEADERS. Change suggested by christos@. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/port/Makefile.am Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/port/Makefile.am diff -u src/external/bsd/blacklist/port/Makefile.am:1.5 src/external/bsd/blacklist/port/Makefile.am:1.6 --- src/external/bsd/blacklist/port/Makefile.am:1.5 Sun Nov 13 22:37:39 2016 +++ src/external/bsd/blacklist/port/Makefile.am Sat Nov 26 02:12:18 2016 @@ -1,7 +1,7 @@ # ACLOCAL_AMFLAGS = -I m4 lib_LTLIBRARIES = libblacklist.la -include_HEADERS = blacklist.h +include_HEADERS = ../include/blacklist.h bin_PROGRAMS = blacklistd blacklistctl srvtest cltest
CVS commit: src/external/bsd/blacklist/port
Module Name:src Committed By: christos Date: Sun Nov 13 22:38:22 UTC 2016 Removed Files: src/external/bsd/blacklist/port: config.h Log Message: no need for config.h; it should be auto-gened. To generate a diff of this commit: cvs rdiff -u -r1.3 -r0 src/external/bsd/blacklist/port/config.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/blacklist/port
Module Name:src Committed By: christos Date: Sun Nov 13 22:37:39 UTC 2016 Modified Files: src/external/bsd/blacklist/port: Makefile.am config.h Log Message: add include in the vpath. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/port/Makefile.am cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/port/config.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/port/Makefile.am diff -u src/external/bsd/blacklist/port/Makefile.am:1.4 src/external/bsd/blacklist/port/Makefile.am:1.5 --- src/external/bsd/blacklist/port/Makefile.am:1.4 Wed Jan 21 22:48:07 2015 +++ src/external/bsd/blacklist/port/Makefile.am Sun Nov 13 17:37:39 2016 @@ -5,7 +5,7 @@ include_HEADERS = blacklist.h bin_PROGRAMS = blacklistd blacklistctl srvtest cltest -VPATH = ../bin:../lib:../test +VPATH = ../bin:../lib:../test:../include AM_CPPFLAGS = -I../include -DDOT="." AM_CFLAGS = @WARNINGS@ Index: src/external/bsd/blacklist/port/config.h diff -u src/external/bsd/blacklist/port/config.h:1.2 src/external/bsd/blacklist/port/config.h:1.3 --- src/external/bsd/blacklist/port/config.h:1.2 Fri Apr 8 07:56:43 2016 +++ src/external/bsd/blacklist/port/config.h Sun Nov 13 17:37:39 2016 
@@ -1,3 +1,294 @@ -#if defined(__FreeBSD__) +/* config.h. Generated from config.h.in by configure. */ +/* config.h.in. Generated from configure.ac by autoheader. */ + +/* Define if building universal (internal helper macro) */ +/* #undef AC_APPLE_UNIVERSAL_BUILD */ + +/* Define to 1 if you have the header file. */ +#define HAVE_ARPA_INET_H 1 + +/* Define to 1 if you have the `clock_gettime' function. */ +#define HAVE_CLOCK_GETTIME 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_DB_185_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_DB_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_DLFCN_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_ERR_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_FCNTL_H 1 + +/* Define to 1 if you have the `fgetln' function. */ +#define HAVE_FGETLN 1 + +/* Define to 1 if you have the `fparseln' function. */ +#define HAVE_FPARSELN 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_GETOPT_H 1 + +/* Define to 1 if you have the `getprogname' function. */ +#define HAVE_GETPROGNAME 1 + +/* Define to 1 if the system has the type `intptr_t'. */ +#define HAVE_INTPTR_T 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_INTTYPES_H 1 + +/* Define to 1 if you have the `db' library (-ldb). */ +/* #undef HAVE_LIBDB */ + +/* Define to 1 if you have the `rt' library (-lrt). */ +#define HAVE_LIBRT 1 + +/* Define to 1 if you have the `util' library (-lutil). */ +#define HAVE_LIBUTIL 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_LIMITS_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_MEMORY_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_NETATALK_AT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_NET_IF_DL_H 1 + +/* Define to 1 if you have the `pidfile' function. */ +#define HAVE_PIDFILE 1 + +/* Define to 1 if you have the `popenve' function. 
*/ +#define HAVE_POPENVE 1 + +/* Define to 1 if you have the `sockaddr_snprintf' function. */ +#define HAVE_SOCKADDR_SNPRINTF 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STDINT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STDLIB_H 1 + +/* Define to 1 if you have the `strerror' function. */ +#define HAVE_STRERROR 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRINGS_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRING_H 1 + +/* Define to 1 if you have the `strlcat' function. */ +#define HAVE_STRLCAT 1 + +/* Define to 1 if you have the `strlcpy' function. */ +#define HAVE_STRLCPY 1 + +/* Define to 1 if you have the `strtoi' function. */ +#define HAVE_STRTOI 1 + +/* Define to 1 if `sa_len' is a member of `struct sockaddr'. */ +#define HAVE_STRUCT_SOCKADDR_SA_LEN 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_SOCKET_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_STAT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_TIME_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_TYPES_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_UN_H 1 + +/* Define to 1 if you have that is POSIX.1 compatible. */ +#define HAVE_SYS_WAIT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_TIME_H 1 + +/* Define to 1 if the system has the type `uintptr_t'. */ +#define HAVE_UINTPTR_T 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_UNISTD_H 1 + +/* Define to 1 if you have the header file. */ +#define
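Review bot: the config.h hunk checks in a configure-generated header whose answers are those of one NetBSD host (HAVE_FPARSELN, HAVE_STRTOI, HAVE_POPENVE, HAVE_PIDFILE, HAVE_NETATALK_AT_H, HAVE_LIBUTIL all set to 1), so a build of the portable tree on any other system would compile against the wrong feature set instead of probing it. Leave config.h to configure and keep only config.h.in under version control, which the later removal of the file in this log does.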
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: jnemeth Date: Wed Nov 2 03:15:07 UTC 2016 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.c Log Message: Correct misplaced break; from FreeBSD. Approved By: christos To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/external/bsd/blacklist/bin/blacklistctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.c diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.20 src/external/bsd/blacklist/bin/blacklistctl.c:1.21 --- src/external/bsd/blacklist/bin/blacklistctl.c:1.20 Mon Apr 4 15:52:56 2016 +++ src/external/bsd/blacklist/bin/blacklistctl.c Wed Nov 2 03:15:07 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $ */ +/* $NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $"); +__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $"); #include #include @@ -96,10 +96,10 @@ main(int argc, char *argv[]) break; case 'b': blocked = 1; + break; case 'D': dbname = optarg; break; - break; case 'd': debug++; break;
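Review bot: before this hunk `case 'b'` fell through into `case 'D'`, so `-b` also assigned `dbname = optarg` (NULL for an option that takes no argument) and the result depended on option order: `-b -D file` worked while `-D file -b` cleared the database name. The fix is right; building with implicit-fallthrough warnings enabled would catch the rest of the switches the same way.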
CVS commit: src/external/bsd/blacklist/etc/rc.d
Module Name:src Committed By: christos Date: Mon Oct 17 22:47:16 UTC 2016 Modified Files: src/external/bsd/blacklist/etc/rc.d: blacklistd Log Message: account for socket name change. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/external/bsd/blacklist/etc/rc.d/blacklistd Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/etc/rc.d/blacklistd diff -u src/external/bsd/blacklist/etc/rc.d/blacklistd:1.1 src/external/bsd/blacklist/etc/rc.d/blacklistd:1.2 --- src/external/bsd/blacklist/etc/rc.d/blacklistd:1.1 Thu Jan 22 12:49:41 2015 +++ src/external/bsd/blacklist/etc/rc.d/blacklistd Mon Oct 17 18:47:16 2016 @@ -1,6 +1,6 @@ #!/bin/sh # -# $NetBSD: blacklistd,v 1.1 2015/01/22 17:49:41 christos Exp $ +# $NetBSD: blacklistd,v 1.2 2016/10/17 22:47:16 christos Exp $ # # PROVIDE: blacklistd @@ -18,7 +18,7 @@ start_precmd="${name}_precmd" extra_commands="reload" _sockfile="/var/run/${name}.sockets" -_sockname="blsock" +_sockname="blacklistd.sock" blacklistd_precmd() {
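Review bot: renaming `_sockname` to `blacklistd.sock` in the rc script only works if the default the clients compile in (`_PATH_BLSOCK`, used in the blacklistd.c commits above) was renamed in the same step. A client built against the old name gets a connect failure that bl.c logs only at LOG_DEBUG (see the `connect failed for` hunk in the bl.c 1.28 commit below), so a mismatch shows up as attackers never being blocked rather than as an error; worth a note in the commit or the man page.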
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Mon Sep 26 19:43:43 UTC 2016 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c state.c Log Message: restore rules after the database is open, add error message to prevent silent failure in the future. (Kurt Lidl) To generate a diff of this commit: cvs rdiff -u -r1.34 -r1.35 src/external/bsd/blacklist/bin/blacklistd.c cvs rdiff -u -r1.18 -r1.19 src/external/bsd/blacklist/bin/state.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.34 src/external/bsd/blacklist/bin/blacklistd.c:1.35 --- src/external/bsd/blacklist/bin/blacklistd.c:1.34 Mon Apr 4 11:52:56 2016 +++ src/external/bsd/blacklist/bin/blacklistd.c Mon Sep 26 15:43:43 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "config.h" #endif #include -__RCSID("$NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $"); #include #include @@ -473,9 +473,6 @@ main(int argc, char *argv[]) flags |= O_TRUNC; } - if (restore) - rules_restore(); - struct pollfd *pfd = NULL; bl_t *bl = NULL; size_t nfd = 0; @@ -500,6 +497,9 @@ main(int argc, char *argv[]) if (state == NULL) return EXIT_FAILURE; + if (restore) + rules_restore(); + if (!debug) { if (daemon(0, 0) == -1) err(EXIT_FAILURE, "daemon failed"); Index: src/external/bsd/blacklist/bin/state.c diff -u src/external/bsd/blacklist/bin/state.c:1.18 src/external/bsd/blacklist/bin/state.c:1.19 --- src/external/bsd/blacklist/bin/state.c:1.18 Mon Apr 4 11:52:56 2016 +++ src/external/bsd/blacklist/bin/state.c Mon Sep 26 15:43:43 2016 
@@ -1,4 +1,4 @@ -/* $NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $ */ +/* $NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $"); +__RCSID("$NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $"); #include #include @@ -200,8 +200,10 @@ state_iterate(DB *db, struct conf *c, st int rv; DBT k, v; - if (db == NULL) + if (db == NULL) { + (*lfun)(LOG_ERR, "%s: called with no database file", __func__); return -1; + } first = first ? R_FIRST : R_NEXT;
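Review bot: moving `rules_restore()` after `state_open()` fixes the silent no-op (with `state == NULL` the iterator returned -1 and nothing was restored), and the new LOG_ERR in `state_iterate()` makes that failure mode visible. One interaction remains: the hunk sits right after the `flags |= O_TRUNC` path, so in that mode combined with `-r` the restore now reads a freshly truncated database and restores nothing, without any message; either reject that combination or document which option wins.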
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: dholland Date: Sat Jul 30 06:09:29 UTC 2016 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 Log Message: typo To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.17 src/external/bsd/blacklist/bin/blacklistd.8:1.18 --- src/external/bsd/blacklist/bin/blacklistd.8:1.17 Wed Jun 8 12:48:37 2016 +++ src/external/bsd/blacklist/bin/blacklistd.8 Sat Jul 30 06:09:29 2016 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.8,v 1.17 2016/06/08 12:48:37 wiz Exp $ +.\" $NetBSD: blacklistd.8,v 1.18 2016/07/30 06:09:29 dholland Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -47,7 +47,7 @@ .Nm is a daemon similar to .Xr syslogd 8 -that listens to a sockets at paths specified in the +that listens to sockets at paths specified in the .Ar sockpathsfile for notifications from other daemons about successful or failed connection attempts.
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: christos Date: Fri Jul 29 17:13:09 UTC 2016 Modified Files: src/external/bsd/blacklist/lib: bl.c Log Message: Use %s+strerror(errno) instead of %m (From Kurt Lidl) To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/external/bsd/blacklist/lib/bl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/bl.c diff -u src/external/bsd/blacklist/lib/bl.c:1.27 src/external/bsd/blacklist/lib/bl.c:1.28 --- src/external/bsd/blacklist/lib/bl.c:1.27 Wed Dec 30 11:42:48 2015 +++ src/external/bsd/blacklist/lib/bl.c Fri Jul 29 13:13:09 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.27 2015/12/30 16:42:48 christos Exp $ */ +/* $NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: bl.c,v 1.27 2015/12/30 16:42:48 christos Exp $"); +__RCSID("$NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $"); #include #include @@ -152,8 +152,8 @@ bl_init(bl_t b, bool srv) b->b_fd = socket(PF_LOCAL, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK|SOCK_NOSIGPIPE, 0); if (b->b_fd == -1) { - bl_log(b->b_fun, LOG_ERR, "%s: socket failed (%m)", - __func__); + bl_log(b->b_fun, LOG_ERR, "%s: socket failed (%s)", + __func__, strerror(errno)); BL_UNLOCK(b); return -1; } @@ -200,8 +200,8 @@ bl_init(bl_t b, bool srv) */ if (b->b_connected != 1) { bl_log(b->b_fun, LOG_DEBUG, -"%s: connect failed for `%s' (%m)", -__func__, sun->sun_path); +"%s: connect failed for `%s' (%s)", +__func__, sun->sun_path, strerror(errno)); b->b_connected = 1; } BL_UNLOCK(b); @@ -220,8 +220,8 @@ bl_init(bl_t b, bool srv) errno = serrno; if (rv == -1) { bl_log(b->b_fun, LOG_ERR, - "%s: bind failed for `%s' (%m)", - __func__, sun->sun_path); + "%s: bind failed for `%s' (%s)", + __func__, sun->sun_path, strerror(errno)); goto out; } } 
@@ -260,7 +260,8 @@ bl_init(bl_t b, bool srv) if (setsockopt(b->b_fd, CRED_LEVEL, CRED_NAME, , (socklen_t)sizeof(one)) == -1) { bl_log(b->b_fun, LOG_ERR, "%s: setsockopt %s " - "failed (%m)", __func__, __STRING(CRED_NAME)); + "failed (%s)", __func__, __STRING(CRED_NAME), + strerror(errno)); goto out; } #endif @@ -296,7 +297,8 @@ bl_create(bool srv, const char *path, vo return b; out: free(b); - bl_log(fun, LOG_ERR, "%s: malloc failed (%m)", __func__); + bl_log(fun, LOG_ERR, "%s: malloc failed (%s)", __func__, + strerror(errno)); return NULL; } @@ -451,7 +453,8 @@ bl_recv(bl_t b) rlen = recvmsg(b->b_fd, , 0); if (rlen == -1) { - bl_log(b->b_fun, LOG_ERR, "%s: recvmsg failed (%m)", __func__); + bl_log(b->b_fun, LOG_ERR, "%s: recvmsg failed (%s)", __func__, + strerror(errno)); return NULL; }
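Review bot: in the bl_create hunk `free(b)` runs before `strerror(errno)` is evaluated, and free() may modify errno on some libcs, so the "malloc failed" message can name the wrong error; save errno (or log) before the free. The other replacements are straightforward, but note that strerror(3) is not guaranteed reentrant while this code is lock-aware (BL_UNLOCK); strerror_r would keep the logging thread-safe.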
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Thu Jun 9 20:02:52 UTC 2016 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: improve on ipfilter rules by Cy Schubert To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 \ src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.10 src/external/bsd/blacklist/libexec/blacklistd-helper:1.11 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.10 Thu Jun 9 14:59:31 2016 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Thu Jun 9 16:02:52 2016 @@ -52,8 +52,9 @@ case "$1" in add) case "$pf" in ipf) + /sbin/ipfstat -io | /sbin/ipf -I -f - echo block in quick proto $proto from $addr/$mask to \ - any port=$port | /sbin/ipf -f - + any port=$port head $port$6 | /sbin/ipf -I -f - -s ;; ipfw) # use $ipfw_offset+$port for rule number @@ -79,8 +80,9 @@ add) rem) case "$pf" in ipf) - echo "$0: $1 is unsupported by ipfilter" 1>&2 - exit 1 + /sbin/ipfstat -io | /sbin/ipf -I -f - + echo block in quick proto $proto from $addr/$mask to any \ + port =$port head port$6 | /sbin/ipf -r -f - -s ;; ipfw) /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
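Review bot: in the rem hunk the rule text must match the add rule exactly for `ipf -r` to find it, and it does not: add installs `any port=$port head $port$6` while rem looks for `any port =$port head port$6`, so the group names differ (in add, `$port` is expanded into the head name) and the spacing around `=` differs too. Removals will therefore not match, and timed unblocking stays broken for ipf. Use one literal in both places; the 1.12 commit above changes both to `port=$6 head port$6`.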
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Thu Jun 9 18:59:32 UTC 2016 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: Support ipfw and ipf from FreeBSD To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 \ src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.9 src/external/bsd/blacklist/libexec/blacklistd-helper:1.10 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.9 Fri Mar 11 17:40:04 2016 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Thu Jun 9 14:59:31 2016 @@ -10,12 +10,20 @@ # $7 id pf= -for f in npf pf; do - if [ -f "/etc/$f.conf" ]; then - pf="$f" - break - fi -done +if [ -z "$pf" -a -f "/etc/ipfw-blacklist.rc" ]; then + pf="ipfw" + . /etc/ipfw-blacklist.rc + ipfw_offset=${ipfw_offset:-2000} +fi + +if [ -z "$pf" ]; then + for f in npf pf ipf; do + if [ -f "/etc/$f.conf" ]; then + pf="$f" + break + fi + done +fi if [ -z "$pf" ]; then echo "$0: Unsupported packet filter" 1>&2 @@ -43,6 +51,19 @@ esac case "$1" in add) case "$pf" in + ipf) + echo block in quick proto $proto from $addr/$mask to \ + any port=$port | /sbin/ipf -f - + ;; + ipfw) + # use $ipfw_offset+$port for rule number + rule=$(($ipfw_offset + $6)) + tname="port$6" + /sbin/ipfw table $tname create type addr 2>/dev/null + /sbin/ipfw -q table $tname add "$addr/$mask" + /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \ + any dst-port $6 + ;; npf) /sbin/npfctl rule "$2" add block in final $proto from \ "$addr/$mask" to any $port @@ -57,6 +78,13 @@ add) ;; rem) case "$pf" in + ipf) + echo "$0: $1 is unsupported by ipfilter" 1>&2 + exit 1 + ;; + ipfw) + /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null + ;; npf) /sbin/npfctl rule "$2" rem-id "$7" ;; 
@@ -67,6 +95,12 @@ rem) ;; flush) case "$pf" in + ipf) + /sbin/ipf -Z -I -Fa -s + ;; + ipfw) + /sbin/ipfw table "port$6" flush 2>/dev/null + ;; npf) /sbin/npfctl rule "$2" flush ;;
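Review bot: in the detection hunk `[ -z "$pf" -a -f "/etc/ipfw-blacklist.rc" ]` tests a variable that was assigned empty on the line above, so the `-z` part is always true and can go (as 1.12 does). More importantly `. /etc/ipfw-blacklist.rc` sources that file as shell in a helper that runs with the privileges needed to change firewall rules, so its ownership and mode matter; a comment or a permission check before sourcing would make that explicit.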
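Review bot: in the add hunk the ipfw branch runs `/sbin/ipfw -q add $rule drop ...` on every add with no existence check, so each blocked address appends another copy of the same rule under number `$rule` (ipfw allows several rules per number), and these duplicates are never removed by rem or flush, which only touch the table. Also `rule=$(($ipfw_offset + $6))` with the default offset of 2000 exceeds the highest ipfw rule number (65535) for ports above 63535; clamp or reject such ports.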
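Review bot: in the rem hunk `echo "$0: $1 is unsupported by ipfilter"; exit 1` means blacklistd can never release an address on an ipf host, so every block becomes permanent until a flush, and the daemon's expiry timers silently fail; if ipf is to be offered at all, rem needs an implementation or the ipf case should be rejected at detection time rather than at remove time.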
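Review bot: in the flush hunk `/sbin/ipf -Z -I -Fa -s` flushes all rules in the inactive set (in and out) and swaps it in, which wipes the administrator's whole ipf ruleset rather than only the rules this helper added; restrict the flush to the rules blacklistd created.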
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: wiz Date: Wed Jun 8 12:48:38 UTC 2016 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.8 blacklistd.8 blacklistd.conf.5 Log Message: .Fx should only have version numbers as argument. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/bin/blacklistctl.8 cvs rdiff -u -r1.16 -r1.17 src/external/bsd/blacklist/bin/blacklistd.8 cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/bin/blacklistd.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.8 diff -u src/external/bsd/blacklist/bin/blacklistctl.8:1.8 src/external/bsd/blacklist/bin/blacklistctl.8:1.9 --- src/external/bsd/blacklist/bin/blacklistctl.8:1.8 Tue Jun 7 17:31:02 2016 +++ src/external/bsd/blacklist/bin/blacklistctl.8 Wed Jun 8 12:48:37 2016 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistctl.8,v 1.8 2016/06/07 17:31:02 christos Exp $ +.\" $NetBSD: blacklistctl.8,v 1.9 2016/06/08 12:48:37 wiz Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -77,7 +77,8 @@ it to make sure that there is only one r .Nm first appeared in .Nx 7 . -.Fx support for +.Fx +support for .Nm was implemented in .Fx 11 . Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.16 src/external/bsd/blacklist/bin/blacklistd.8:1.17 --- src/external/bsd/blacklist/bin/blacklistd.8:1.16 Tue Jun 7 17:31:02 2016 +++ src/external/bsd/blacklist/bin/blacklistd.8 Wed Jun 8 12:48:37 2016 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.8,v 1.16 2016/06/07 17:31:02 christos Exp $ +.\" $NetBSD: blacklistd.8,v 1.17 2016/06/08 12:48:37 wiz Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. 
@@ -218,7 +218,8 @@ Socket to receive connection notificatio .Nm first appeared in .Nx 7 . -.Fx support for +.Fx +support for .Nm was implemented in .Fx 11 . Index: src/external/bsd/blacklist/bin/blacklistd.conf.5 diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.4 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.5 --- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.4 Tue Jun 7 17:31:02 2016 +++ src/external/bsd/blacklist/bin/blacklistd.conf.5 Wed Jun 8 12:48:37 2016 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.conf.5,v 1.4 2016/06/07 17:31:02 christos Exp $ +.\" $NetBSD: blacklistd.conf.5,v 1.5 2016/06/08 12:48:37 wiz Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -218,7 +218,8 @@ bnx0:ssh * * * * 3 6h .Nm first appeared in .Nx 7 . -.Fx support for +.Fx +support for .Nm was implemented in .Fx 11 .
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Tue Jun 7 17:31:02 UTC 2016 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.8 blacklistd.8 blacklistd.conf.5 Log Message: Add FreeBSD release notes (Kurt Lidl) To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/bin/blacklistctl.8 cvs rdiff -u -r1.15 -r1.16 src/external/bsd/blacklist/bin/blacklistd.8 cvs rdiff -u -r1.3 -r1.4 src/external/bsd/blacklist/bin/blacklistd.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.8 diff -u src/external/bsd/blacklist/bin/blacklistctl.8:1.7 src/external/bsd/blacklist/bin/blacklistctl.8:1.8 --- src/external/bsd/blacklist/bin/blacklistctl.8:1.7 Thu Apr 30 02:20:43 2015 +++ src/external/bsd/blacklist/bin/blacklistctl.8 Tue Jun 7 13:31:02 2016 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistctl.8,v 1.7 2015/04/30 06:20:43 riz Exp $ +.\" $NetBSD: blacklistctl.8,v 1.8 2016/06/07 17:31:02 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd April 29, 2015 +.Dd June 7, 2016 .Dt BLACKLISTCTL 8 .Os .Sh NAME @@ -75,7 +75,11 @@ will first attempt to remove the existin it to make sure that there is only one rule active. .Sh HISTORY .Nm -appeared in +first appeared in .Nx 7 . +.Fx support for +.Nm +was implemented in +.Fx 11 . .Sh AUTHORS .An Christos Zoulas Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.15 src/external/bsd/blacklist/bin/blacklistd.8:1.16 --- src/external/bsd/blacklist/bin/blacklistd.8:1.15 Fri Mar 11 12:16:40 2016 +++ src/external/bsd/blacklist/bin/blacklistd.8 Tue Jun 7 13:31:02 2016 
@@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.8,v 1.15 2016/03/11 17:16:40 christos Exp $ +.\" $NetBSD: blacklistd.8,v 1.16 2016/06/07 17:31:02 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 4, 2015 +.Dd June 7, 2016 .Dt BLACKLISTD 8 .Os .Sh NAME @@ -216,7 +216,11 @@ Socket to receive connection notificatio .Xr syslogd 8 .Sh HISTORY .Nm -appeared in +first appeared in .Nx 7 . +.Fx support for +.Nm +was implemented in +.Fx 11 . .Sh AUTHORS .An Christos Zoulas Index: src/external/bsd/blacklist/bin/blacklistd.conf.5 diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.3 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.4 --- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.3 Thu Apr 30 02:20:43 2015 +++ src/external/bsd/blacklist/bin/blacklistd.conf.5 Tue Jun 7 13:31:02 2016 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.conf.5,v 1.3 2015/04/30 06:20:43 riz Exp $ +.\" $NetBSD: blacklistd.conf.5,v 1.4 2016/06/07 17:31:02 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd April 29, 2015 +.Dd June 7, 2016 .Dt BLACKLISTD.CONF 5 .Os .Sh NAME @@ -216,7 +216,11 @@ bnx0:ssh * * * * 3 6h .Xr blacklistd 8 .Sh HISTORY .Nm -appeared in +first appeared in .Nx 7 . +.Fx support for +.Nm +was implemented in +.Fx 11 . .Sh AUTHORS .An Christos Zoulas
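Review bot: in all three HISTORY hunks the new line `.Fx support for` hands "support for" to the `.Fx` macro as arguments, but `.Fx` only takes a release number; put `.Fx` on its own line and "support for" on the next, which is exactly what the follow-up commit from wiz at the top of this page does. The `.Dd` bumps and the "appeared in" to "first appeared in" wording are applied consistently across the three pages.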
CVS commit: src/external/bsd/blacklist/port
Module Name:src Committed By: christos Date: Wed Jun 1 22:57:51 UTC 2016 Modified Files: src/external/bsd/blacklist/port: sockaddr_snprintf.c Log Message: Use NULL instead of 0 (Pedro Giffuni) To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 \ src/external/bsd/blacklist/port/sockaddr_snprintf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/port/sockaddr_snprintf.c diff -u src/external/bsd/blacklist/port/sockaddr_snprintf.c:1.10 src/external/bsd/blacklist/port/sockaddr_snprintf.c:1.11 --- src/external/bsd/blacklist/port/sockaddr_snprintf.c:1.10 Tue Apr 5 08:28:57 2016 +++ src/external/bsd/blacklist/port/sockaddr_snprintf.c Wed Jun 1 18:57:51 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: sockaddr_snprintf.c,v 1.10 2016/04/05 12:28:57 christos Exp $ */ +/* $NetBSD: sockaddr_snprintf.c,v 1.11 2016/06/01 22:57:51 christos Exp $ */ /*- * Copyright (c) 2004 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ #include #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.10 2016/04/05 12:28:57 christos Exp $"); +__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.11 2016/06/01 22:57:51 christos Exp $"); #endif /* LIBC_SCCS and not lint */ #include @@ -219,7 +219,7 @@ sockaddr_snprintf(char * const sbuf, con case AF_LINK: sdl = ((const struct sockaddr_dl *)(const void *)sa); (void)strlcpy(addr = abuf, link_ntoa(sdl), sizeof(abuf)); - if ((w = strchr(addr, ':')) != 0) { + if ((w = strchr(addr, ':')) != NULL) { *w++ = '\0'; addr = w; }
CVS commit: src/external/bsd/blacklist/port
Module Name:src Committed By: christos Date: Fri Apr 8 11:56:43 UTC 2016 Modified Files: src/external/bsd/blacklist/port: config.h Log Message: remove HAVE_FPARSELN To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/external/bsd/blacklist/port/config.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/port/config.h diff -u src/external/bsd/blacklist/port/config.h:1.1 src/external/bsd/blacklist/port/config.h:1.2 --- src/external/bsd/blacklist/port/config.h:1.1 Tue Apr 5 08:28:57 2016 +++ src/external/bsd/blacklist/port/config.h Fri Apr 8 07:56:43 2016 @@ -1,4 +1,3 @@ #if defined(__FreeBSD__) -#define HAVE_FPARSELN #include "port.h" #endif
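Review bot: the log message gives no reason for dropping `#define HAVE_FPARSELN` from the FreeBSD branch of config.h, which the commit below added only three days earlier; one sentence saying whether the define was wrong, redundant, or now supplied elsewhere would save the next reader a search through both revisions.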
CVS commit: src/external/bsd/blacklist/port
Module Name:src Committed By: christos Date: Tue Apr 5 12:28:57 UTC 2016 Modified Files: src/external/bsd/blacklist/port: pidfile.c port.h sockaddr_snprintf.c Added Files: src/external/bsd/blacklist/port: config.h Log Message: more FreeBSD changes from Kurt Lidl. To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/external/bsd/blacklist/port/config.h cvs rdiff -u -r1.1 -r1.2 src/external/bsd/blacklist/port/pidfile.c cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/port/port.h cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/port/sockaddr_snprintf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/port/pidfile.c diff -u src/external/bsd/blacklist/port/pidfile.c:1.1 src/external/bsd/blacklist/port/pidfile.c:1.2 --- src/external/bsd/blacklist/port/pidfile.c:1.1 Thu Jan 22 11:19:53 2015 +++ src/external/bsd/blacklist/port/pidfile.c Tue Apr 5 08:28:57 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: pidfile.c,v 1.1 2015/01/22 16:19:53 christos Exp $ */ +/* $NetBSD: pidfile.c,v 1.2 2016/04/05 12:28:57 christos Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ #include #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: pidfile.c,v 1.1 2015/01/22 16:19:53 christos Exp $"); +__RCSID("$NetBSD: pidfile.c,v 1.2 2016/04/05 12:28:57 christos Exp $"); #endif #include @@ -45,6 +45,9 @@ __RCSID("$NetBSD: pidfile.c,v 1.1 2015/0 #include #include #include +#ifdef HAVE_LIBUTIL_H +#include +#endif #ifdef HAVE_UTIL_H #include #endif Index: src/external/bsd/blacklist/port/port.h diff -u src/external/bsd/blacklist/port/port.h:1.7 src/external/bsd/blacklist/port/port.h:1.8 --- src/external/bsd/blacklist/port/port.h:1.7 Fri Mar 11 12:17:35 2016 +++ src/external/bsd/blacklist/port/port.h Tue Apr 5 08:28:57 2016 
@@ -78,7 +78,9 @@ int clock_gettime(int, struct timespec * #define CLOCK_REALTIME 0 #endif +#if !defined(__FreeBSD__) #define _PATH_BLCONF "conf" #define _PATH_BLCONTROL "control" #define _PATH_BLSOCK "blacklistd.sock" #define _PATH_BLSTATE "blacklistd.db" +#endif Index: src/external/bsd/blacklist/port/sockaddr_snprintf.c diff -u src/external/bsd/blacklist/port/sockaddr_snprintf.c:1.9 src/external/bsd/blacklist/port/sockaddr_snprintf.c:1.10 --- src/external/bsd/blacklist/port/sockaddr_snprintf.c:1.9 Thu Jan 22 22:29:18 2015 +++ src/external/bsd/blacklist/port/sockaddr_snprintf.c Tue Apr 5 08:28:57 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: sockaddr_snprintf.c,v 1.9 2015/01/23 03:29:18 christos Exp $ */ +/* $NetBSD: sockaddr_snprintf.c,v 1.10 2016/04/05 12:28:57 christos Exp $ */ /*- * Copyright (c) 2004 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ #include #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.9 2015/01/23 03:29:18 christos Exp $"); +__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.10 2016/04/05 12:28:57 christos Exp $"); #endif /* LIBC_SCCS and not lint */ #include @@ -57,6 +57,9 @@ __RCSID("$NetBSD: sockaddr_snprintf.c,v #include #include #include +#ifdef HAVE_LIBUTIL_H +#include +#endif #ifdef HAVE_UTIL_H #include #endif Added files: Index: src/external/bsd/blacklist/port/config.h diff -u /dev/null src/external/bsd/blacklist/port/config.h:1.1 --- /dev/null Tue Apr 5 08:28:57 2016 +++ src/external/bsd/blacklist/port/config.h Tue Apr 5 08:28:57 2016 @@ -0,0 +1,4 @@ +#if defined(__FreeBSD__) +#define HAVE_FPARSELN +#include "port.h" +#endif
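Review bot: the port.h hunk wraps all four `_PATH_BL*` defaults in `#if !defined(__FreeBSD__)`, so on FreeBSD this file no longer defines _PATH_BLCONF, _PATH_BLCONTROL or _PATH_BLSTATE; bl.h (see the socket-rename commit further down this page) supplies an `#ifndef` fallback only for _PATH_BLSOCK. The log message should state where the FreeBSD build obtains the other three, otherwise anyone building without the FreeBSD-side definitions hits undefined macros.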
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Mon Apr 4 15:52:56 UTC 2016 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.c blacklistd.c conf.c internal.h run.c state.c support.c support.h Log Message: FreeBSD patches from Kurt Lidl. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/external/bsd/blacklist/bin/blacklistctl.c cvs rdiff -u -r1.33 -r1.34 src/external/bsd/blacklist/bin/blacklistd.c cvs rdiff -u -r1.23 -r1.24 src/external/bsd/blacklist/bin/conf.c cvs rdiff -u -r1.13 -r1.14 src/external/bsd/blacklist/bin/internal.h \ src/external/bsd/blacklist/bin/run.c cvs rdiff -u -r1.17 -r1.18 src/external/bsd/blacklist/bin/state.c cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/bin/support.c cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/bin/support.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.c diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.19 src/external/bsd/blacklist/bin/blacklistctl.c:1.20 --- src/external/bsd/blacklist/bin/blacklistctl.c:1.19 Wed Nov 4 11:21:52 2015 +++ src/external/bsd/blacklist/bin/blacklistctl.c Mon Apr 4 11:52:56 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistctl.c,v 1.19 2015/11/04 16:21:52 christos Exp $ */ +/* $NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. 
@@ -33,10 +33,13 @@ #endif #include -__RCSID("$NetBSD: blacklistctl.c,v 1.19 2015/11/04 16:21:52 christos Exp $"); +__RCSID("$NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $"); #include #include +#ifdef HAVE_LIBUTIL_H +#include +#endif #ifdef HAVE_UTIL_H #include #endif Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.33 src/external/bsd/blacklist/bin/blacklistd.c:1.34 --- src/external/bsd/blacklist/bin/blacklistd.c:1.33 Sat Jun 20 21:13:21 2015 +++ src/external/bsd/blacklist/bin/blacklistd.c Mon Apr 4 11:52:56 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.33 2015/06/21 01:13:21 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,12 +32,15 @@ #include "config.h" #endif #include -__RCSID("$NetBSD: blacklistd.c,v 1.33 2015/06/21 01:13:21 christos Exp $"); +__RCSID("$NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $"); #include #include #include +#ifdef HAVE_LIBUTIL_H +#include +#endif #ifdef HAVE_UTIL_H #include #endif Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.23 src/external/bsd/blacklist/bin/conf.c:1.24 --- src/external/bsd/blacklist/bin/conf.c:1.23 Wed Jun 3 11:11:40 2015 +++ src/external/bsd/blacklist/bin/conf.c Mon Apr 4 11:52:56 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.23 2015/06/03 15:11:40 christos Exp $ */ +/* $NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,9 +33,15 @@ #endif #include -__RCSID("$NetBSD: conf.c,v 1.23 2015/06/03 15:11:40 christos Exp $"); +__RCSID("$NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $"); #include +#ifdef HAVE_LIBUTIL_H +#include +#endif +#ifdef HAVE_UTIL_H +#include +#endif #include #include #include 
@@ -43,9 +49,6 @@ __RCSID("$NetBSD: conf.c,v 1.23 2015/06/ #include #include #include -#ifdef HAVE_UTIL_H -#include -#endif #include #include #include @@ -495,8 +498,8 @@ out: if (debug > 1) { char b1[256], b2[256]; len <<= 2; - hexdump(b1, sizeof(b1), "a1", v1, len); - hexdump(b2, sizeof(b2), "a2", v2, len); + blhexdump(b1, sizeof(b1), "a1", v1, len); + blhexdump(b2, sizeof(b2), "a2", v2, len); (*lfun)(LOG_DEBUG, "%s: %s != %s [0x%x]", __func__, b1, b2, omask); } Index: src/external/bsd/blacklist/bin/internal.h diff -u src/external/bsd/blacklist/bin/internal.h:1.13 src/external/bsd/blacklist/bin/internal.h:1.14 --- src/external/bsd/blacklist/bin/internal.h:1.13 Wed Oct 14 12:01:29 2015 +++ src/external/bsd/blacklist/bin/internal.h Mon Apr 4 11:52:56 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: internal.h,v 1.13 2015/10/14 16:01:29 christos Exp $ */ +/* $NetBSD: internal.h,v 1.14 2016/04/04 15:52:56 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -51,7 +51,7 @@ extern struct ifaddrs *ifas; #define __syslog__ __printf__ #endif -void (*lfun)(int, const char *, ...) +extern void (*lfun)(int, const char *, ...) __attribute__((__format__(__syslog__, 2, 3))); #endif /* _INTERNAL_H */ Index: src/external/bsd/blacklist/bin/run.c diff -u src/external/bsd/blacklist/bin/run.c:1.13 src/external/bsd/blacklist/bin/run.c:1.14 --- src/external/bsd/blacklist/bin/run.c:1.13 Tue Jun 2 10:02:10 2015 +++ src/external/bsd/blacklist/bin/run.c Mon Apr 4 11:52:56
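Review bot: the internal.h change from `void (*lfun)(int, const char *, ...)` to `extern void (*lfun)(int, const char *, ...)` deserves its own sentence in the log instead of being lumped under "FreeBSD patches": without `extern`, every translation unit including the header carries its own tentative definition of lfun, which only links where the toolchain merges common symbols. Confirm that exactly one .c file now defines `lfun`.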
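Review bot: the conf.c hunk renames hexdump() to blhexdump() in both debug calls, but the matching declaration and definition changes in support.h and support.c, while listed among the modified files, are not shown here. The rename is needed because the libutil header pulled in by the new `#ifdef HAVE_LIBUTIL_H` block declares FreeBSD's own hexdump(3); the log message should say so explicitly.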
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Fri Mar 11 22:40:04 UTC 2016 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: Add missing ;; (Kurt Lidl) To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.8 src/external/bsd/blacklist/libexec/blacklistd-helper:1.9 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.8 Fri Mar 11 12:01:59 2016 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Fri Mar 11 17:40:04 2016 @@ -69,8 +69,10 @@ flush) case "$pf" in npf) /sbin/npfctl rule "$2" flush + ;; pf) /sbin/pfctl -a "$2" -t "port$6" -T flush + ;; esac ;; *)
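Review bot: the log message undersells this: without `;;` the shell rejects the following `pf)` as a syntax error at parse time, so blacklistd-helper as committed in the "Sort filters" revision did not run at all, for add and rem as well as flush. Wording it as "fix syntax error in flush case" would make that clear in the history. The `;;` added after the last arm before `esac` is optional but harmless.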
CVS commit: src/external/bsd/blacklist/port
Module Name:src Committed By: christos Date: Fri Mar 11 17:17:35 UTC 2016 Modified Files: src/external/bsd/blacklist/port: port.h Log Message: missed one blsock To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/port/port.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/port/port.h diff -u src/external/bsd/blacklist/port/port.h:1.6 src/external/bsd/blacklist/port/port.h:1.7 --- src/external/bsd/blacklist/port/port.h:1.6 Thu Jan 22 11:19:53 2015 +++ src/external/bsd/blacklist/port/port.h Fri Mar 11 12:17:35 2016 @@ -80,5 +80,5 @@ int clock_gettime(int, struct timespec * #define _PATH_BLCONF "conf" #define _PATH_BLCONTROL "control" -#define _PATH_BLSOCK "blsock" +#define _PATH_BLSOCK "blacklistd.sock" #define _PATH_BLSTATE "blacklistd.db"
CVS commit: src/external/bsd/blacklist
Module Name:src Committed By: christos Date: Fri Mar 11 17:16:40 UTC 2016 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 src/external/bsd/blacklist/include: bl.h Log Message: Give the blacklistd socket a more meaningful name. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/external/bsd/blacklist/bin/blacklistd.8 cvs rdiff -u -r1.12 -r1.13 src/external/bsd/blacklist/include/bl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.14 src/external/bsd/blacklist/bin/blacklistd.8:1.15 --- src/external/bsd/blacklist/bin/blacklistd.8:1.14 Thu Jun 4 12:11:48 2015 +++ src/external/bsd/blacklist/bin/blacklistd.8 Fri Mar 11 12:16:40 2016 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.8,v 1.14 2015/06/04 16:11:48 wiz Exp $ +.\" $NetBSD: blacklistd.8,v 1.15 2016/03/11 17:16:40 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -55,7 +55,7 @@ If no such file is specified, then it on specified by .Ar sockspath or if that is not specified to -.Pa /var/run/blsock . +.Pa /var/run/blacklistd.sock . Each notification contains an (action, port, protocol, address, owner) tuple that identifies the remote connection and the action. This tuple is consulted against entries in @@ -206,7 +206,7 @@ Shell script invoked to interface with t Configuration file. .It Pa /var/db/blacklistd.db Database of current connection entries. -.It Pa /var/run/blsock +.It Pa /var/run/blacklistd.sock Socket to receive connection notifications. .El .Sh SEE ALSO Index: src/external/bsd/blacklist/include/bl.h diff -u src/external/bsd/blacklist/include/bl.h:1.12 src/external/bsd/blacklist/include/bl.h:1.13 --- src/external/bsd/blacklist/include/bl.h:1.12 Thu Jan 22 11:19:53 2015 +++ src/external/bsd/blacklist/include/bl.h Fri Mar 11 12:16:40 2016 
@@ -1,4 +1,4 @@ -/* $NetBSD: bl.h,v 1.12 2015/01/22 16:19:53 christos Exp $ */ +/* $NetBSD: bl.h,v 1.13 2016/03/11 17:16:40 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -56,7 +56,7 @@ typedef struct { #define bi_cred bi_u._bi_cred #ifndef _PATH_BLSOCK -#define _PATH_BLSOCK "/var/run/blsock" +#define _PATH_BLSOCK "/var/run/blacklistd.sock" #endif __BEGIN_DECLS
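Review bot: changing the default from `/var/run/blsock` to `/var/run/blacklistd.sock` in both bl.h and blacklistd.8 is consistent, but the log message should flag the compatibility consequence: any client built against bl.h:1.12 still connects to /var/run/blsock and will no longer find a daemon started from this revision, so libblacklist consumers and blacklistd must be rebuilt together, or the old path kept as a symlink during the transition.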
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Fri Mar 11 17:01:59 UTC 2016 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: Sort filters alphabetically; make it easier to add ipf. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.7 src/external/bsd/blacklist/libexec/blacklistd-helper:1.8 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.7 Fri Mar 11 10:35:28 2016 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Fri Mar 11 12:01:59 2016 @@ -9,11 +9,15 @@ # $6 port # $7 id -if [ -f /etc/pf.conf ]; then - pf="pf" -elif [ -f /etc/npf.conf ]; then - pf="npf" -else +pf= +for f in npf pf; do + if [ -f "/etc/$f.conf" ]; then + pf="$f" + break + fi +done + +if [ -z "$pf" ]; then echo "$0: Unsupported packet filter" 1>&2 exit 1 fi @@ -26,8 +30,8 @@ if [ -n "$6" ]; then port="port $6" fi -addr=$4 -mask=$5 +addr="$4" +mask="$5" case "$4" in :::*.*.*.*) if [ "$5" = 128 ]; then 
@@ -39,34 +43,34 @@ esac case "$1" in add) case "$pf" in + npf) + /sbin/npfctl rule "$2" add block in final $proto from \ + "$addr/$mask" to any $port + ;; pf) # insert $ip/$mask into per-protocol anchored table /sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask" echo "block in quick $proto fromto any $port" | \ /sbin/pfctl -a "$2" -f - ;; - npf) - /sbin/npfctl rule $2 add block in final $proto from \ - $addr/$mask to any $port - ;; esac ;; rem) case "$pf" in - pf) - /sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask" - ;; npf) /sbin/npfctl rule "$2" rem-id "$7" ;; + pf) + /sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask" + ;; esac ;; flush) case "$pf" in - pf) - /sbin/pfctl -a "$2" -t "port$6" -T flush npf) /sbin/npfctl rule "$2" flush + pf) + /sbin/pfctl -a "$2" -t "port$6" -T flush esac ;; *)
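Review bot: the detection loop `for f in npf pf; do` tests /etc/npf.conf before /etc/pf.conf, whereas the replaced if/elif chain tested pf.conf first, so on a host that has both configuration files the helper now selects npf instead of pf. That is a behaviour change, not merely alphabetical sorting, and should be stated in the log message.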
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Fri Mar 11 15:35:29 UTC 2016 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: Add support for pf, thanks Kurt Lidl... To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.6 src/external/bsd/blacklist/libexec/blacklistd-helper:1.7 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.6 Fri Jan 22 17:31:11 2016 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Fri Mar 11 10:35:28 2016 
@@ -9,30 +9,65 @@ # $6 port # $7 id +if [ -f /etc/pf.conf ]; then + pf="pf" +elif [ -f /etc/npf.conf ]; then + pf="npf" +else + echo "$0: Unsupported packet filter" 1>&2 + exit 1 +fi + +if [ -n "$3" ]; then + proto="proto $3" +fi + +if [ -n "$6" ]; then + port="port $6" +fi + +addr=$4 +mask=$5 +case "$4" in +:::*.*.*.*) + if [ "$5" = 128 ]; then + mask=32 + addr=${4#:::} + fi;; +esac + case "$1" in add) - if [ -n "$3" ]; then - proto="proto $3" - fi - if [ -n "$6" ]; then - port="port $6" - fi - addr=$4 - mask=$5 - case "$4" in - :::*.*.*.*) - if [ "$5" = 128 ]; then - mask=32 - addr=${4#:::} - fi;; + case "$pf" in + pf) + # insert $ip/$mask into per-protocol anchored table + /sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask" + echo "block in quick $proto fromto any $port" | \ + /sbin/pfctl -a "$2" -f - + ;; + npf) + /sbin/npfctl rule $2 add block in final $proto from \ + $addr/$mask to any $port + ;; esac - exec /sbin/npfctl rule $2 add block in final $proto from $addr/$mask to any $port ;; rem) - exec /sbin/npfctl rule $2 rem-id $7 + case "$pf" in + pf) + /sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask" + ;; + npf) + /sbin/npfctl rule "$2" rem-id "$7" + ;; + esac ;; flush) - exec /sbin/npfctl rule $2 flush + case "$pf" in + pf) + /sbin/pfctl -a "$2" -t "port$6" -T flush + npf) + /sbin/npfctl rule "$2" flush + esac ;; *) echo "$0: Unknown command '$1'" 1>&2
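Review bot: the flush arm has no `;;` between `/sbin/pfctl -a "$2" -t "port$6" -T flush` and `npf)`, so the shell rejects the whole script with a syntax error and none of the commands work; add `;;` after each arm (the "Add missing ;;" commit above does this). Also worth a comment: when `$6` is empty the pf table name degenerates to `port`, which is fine but surprising to read.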
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Tue Jan 26 02:54:25 UTC 2016 Modified Files: src/external/bsd/blacklist/diff: proftpd.diff Log Message: fix fd leak To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/diff/proftpd.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/diff/proftpd.diff diff -u src/external/bsd/blacklist/diff/proftpd.diff:1.2 src/external/bsd/blacklist/diff/proftpd.diff:1.3 --- src/external/bsd/blacklist/diff/proftpd.diff:1.2 Fri Jan 22 22:11:14 2016 +++ src/external/bsd/blacklist/diff/proftpd.diff Mon Jan 25 21:54:25 2016 @@ -1,15 +1,14 @@ Make.rules.in.orig 2016-01-22 17:33:49.0 -0500 -+++ Make.rules.in 2016-01-22 17:33:41.0 -0500 +--- Make.rules.in.orig 2015-05-27 20:25:54.0 -0400 Make.rules.in 2016-01-25 21:48:47.0 -0500 @@ -110,3 +110,8 @@ + FTPWHO_OBJS=ftpwho.o scoreboard.o misc.o BUILD_FTPWHO_OBJS=utils/ftpwho.o utils/scoreboard.o utils/misc.o - ++ +CPPFLAGS+=-DHAVE_BLACKLIST +LIBS+=-lblacklist +OBJS+= pfilter.o +BUILD_OBJS+= src/pfilter.o -+ - --- /dev/null 2016-01-22 17:30:55.0 -0500 +++ include/pfilter.h 2016-01-22 16:18:33.0 -0500 @@ -0,0 +1,3 @@ @@ -81,7 +80,7 @@ /* Child is running here */ --- /dev/null 2016-01-22 17:30:55.0 -0500 +++ src/pfilter.c 2016-01-22 16:37:55.0 -0500 -@@ -0,0 +1,40 @@ +@@ -0,0 +1,41 @@ +#include "pfilter.h" +#include "conf.h" +#include "privs.h" @@ -95,7 +94,8 @@ +pfilter_init(void) +{ +#ifdef HAVE_BLACKLIST -+ blstate = blacklist_open(); ++ if (blstate == NULL) ++ blstate = blacklist_open(); +#endif +} +
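Review bot: the `if (blstate == NULL)` guard in pfilter_init() is the right place for the fix: src/main.c calls pfilter_init() once before the fork and again in the child (see the main.c hunks in the proftpd.diff added further down this page), and each unguarded blacklist_open() opened a fresh socket while the earlier one was leaked. The hunk count update from +1,40 to +1,41 matches the one added line.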
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Fri Jan 22 22:31:11 UTC 2016 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: turned mapped v4 addresses to real v4 addresses so that they work. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.5 src/external/bsd/blacklist/libexec/blacklistd-helper:1.6 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.5 Tue Jun 2 10:02:39 2015 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Fri Jan 22 17:31:11 2016 @@ -17,7 +17,16 @@ add) if [ -n "$6" ]; then port="port $6" fi - exec /sbin/npfctl rule $2 add block in final $proto from $4/$5 to any $port + addr=$4 + mask=$5 + case "$4" in + :::*.*.*.*) + if [ "$5" = 128 ]; then + mask=32 + addr=${4#:::} + fi;; + esac + exec /sbin/npfctl rule $2 add block in final $proto from $addr/$mask to any $port ;; rem) exec /sbin/npfctl rule $2 rem-id $7
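Review bot: the `:::*.*.*.*` case only rewrites the address when `$5` is exactly 128; for any other prefix length the mapped form is passed unchanged to npfctl, which will then interpret it as an IPv6 prefix. If the daemon can report a mapped v4 address with a shorter mask, the mask needs translating as well (subtracting 96 from the v6 prefix length) rather than being left as is.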
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Sat Jan 23 00:05:54 UTC 2016 Added Files: src/external/bsd/blacklist/diff: proftpd.diff Log Message: add proftpd diffs. To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/external/bsd/blacklist/diff/proftpd.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Added files: Index: src/external/bsd/blacklist/diff/proftpd.diff diff -u /dev/null src/external/bsd/blacklist/diff/proftpd.diff:1.1 --- /dev/null Fri Jan 22 19:05:54 2016 +++ src/external/bsd/blacklist/diff/proftpd.diff Fri Jan 22 19:05:54 2016 
@@ -0,0 +1,130 @@ +--- Make.rules.in.orig 2016-01-22 17:33:49.0 -0500 Make.rules.in 2016-01-22 17:33:41.0 -0500 +@@ -110,3 +110,8 @@ + FTPWHO_OBJS=ftpwho.o scoreboard.o misc.o + BUILD_FTPWHO_OBJS=utils/ftpwho.o utils/scoreboard.o utils/misc.o + ++CPPFLAGS+=-DHAVE_BLACKLIST ++LIBS+=-lblacklist ++OBJS+= pfilter.o ++BUILD_OBJS+= src/pfilter.o ++ +$NetBSD: proftpd.diff,v 1.1 2016/01/23 00:05:54 christos Exp $ + +Make this pkgsrc friendly. + +Linking ftpdctl does not (seem to) require all the libraries needed for +various proftpd modules. It definitely cannot include -lwrap. + +--- /dev/null 2016-01-22 17:30:55.0 -0500 include/pfilter.h 2016-01-22 16:18:33.0 -0500 +@@ -0,0 +1,3 @@ ++ ++void pfilter_notify(int); ++void pfilter_init(void); +--- modules/mod_auth.c.orig 2015-05-27 20:25:54.0 -0400 modules/mod_auth.c 2016-01-22 16:21:06.0 -0500 +@@ -30,6 +30,7 @@ + + #include "conf.h" + #include "privs.h" ++#include "pfilter.h" + + extern pid_t mpid; + +@@ -84,6 +85,8 @@ + _("Login timeout (%d %s): closing control connection"), TimeoutLogin, + TimeoutLogin != 1 ? "seconds" : "second"); + ++ pfilter_notify(1); ++ + /* It's possible that any listeners of this event might terminate the +* session process themselves (e.g. mod_ban). 
So write out that the +* TimeoutLogin has been exceeded to the log here, in addition to the +@@ -913,6 +916,7 @@ + pr_memscrub(pass, strlen(pass)); + } + ++ pfilter_notify(1); + pr_log_auth(PR_LOG_NOTICE, "SECURITY VIOLATION: Root login attempted"); + return 0; + } +@@ -1726,6 +1730,7 @@ + return 1; + + auth_failure: ++ pfilter_notify(1); + if (pass) + pr_memscrub(pass, strlen(pass)); + session.user = session.group = NULL; +--- src/main.c.orig 2016-01-22 17:36:43.0 -0500 src/main.c 2016-01-22 17:37:58.0 -0500 +@@ -49,6 +49,7 @@ + #endif + + #include "privs.h" ++#include "pfilter.h" + + int (*cmd_auth_chk)(cmd_rec *); + void (*cmd_handler)(server_rec *, conn_t *); +@@ -1050,6 +1051,7 @@ + pid_t pid; + sigset_t sig_set; + ++ pfilter_init(); + if (!nofork) { + + /* A race condition exists on heavily loaded servers where the parent +@@ -1169,7 +1171,8 @@ + + /* Reseed pseudo-randoms */ + srand((unsigned int) (time(NULL) * getpid())); +- ++#else ++ pfilter_init(); + #endif /* PR_DEVEL_NO_FORK */ + + /* Child is running here */ +--- /dev/null 2016-01-22 17:30:55.0 -0500 src/pfilter.c 2016-01-22 16:37:55.0 -0500 +@@ -0,0 +1,40 @@ ++#include "pfilter.h" ++#include "conf.h" ++#include "privs.h" ++#ifdef HAVE_BLACKLIST ++#include ++#endif ++ ++static struct blacklist *blstate; ++ ++void ++pfilter_init(void) ++{ ++#ifdef HAVE_BLACKLIST ++ blstate = blacklist_open(); ++#endif ++} ++ ++void ++pfilter_notify(int a) ++{ ++#ifdef HAVE_BLACKLIST ++ conn_t *c = session.c; ++ int fd; ++ ++ if (c == NULL) ++ return; ++ if (c->rfd != -1) ++ fd = c->rfd; ++ else if (c->wfd != -1) ++ fd = c->wfd; ++ else ++ return; ++ ++ if (blstate == NULL) ++ pfilter_init(); ++ if (blstate == NULL) ++ return; ++ (void)blacklist_r(blstate, a, fd, "proftpd"); ++#endif ++}
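Review bot: the text between the Make.rules.in hunk and the include/pfilter.h hunk (`+$NetBSD: proftpd.diff,v 1.1 ...`, `+Make this pkgsrc friendly.` and the two sentences about ftpdctl and -lwrap) is not part of the patch; patch(1) tolerates it as garbage, but it has nothing to do with blacklist and the RCS id will be rewritten on every commit. It should be dropped, which the "cleanup pkgsrc junk" commit below does.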
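Review bot: pfilter_init() calls blacklist_open() unconditionally, and the src/main.c hunks call pfilter_init() both before the fork and again under `#else` in the child, so the child ends up holding two open blacklist sockets, one inherited and one new. Guard the open with `if (blstate == NULL)`, as the later "fix fd leak" commit on this page does; pfilter_notify() already has that guard, so the one in pfilter_init() is the only missing piece.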
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Sat Jan 23 00:05:38 UTC 2016 Modified Files: src/external/bsd/blacklist/diff: ssh.diff Log Message: add more points. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/diff/ssh.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/diff/ssh.diff diff -u src/external/bsd/blacklist/diff/ssh.diff:1.7 src/external/bsd/blacklist/diff/ssh.diff:1.8 --- src/external/bsd/blacklist/diff/ssh.diff:1.7 Sat May 30 17:05:18 2015 +++ src/external/bsd/blacklist/diff/ssh.diff Fri Jan 22 19:05:38 2016 @@ -1,7 +1,8 @@ --- /dev/null 2015-01-22 23:10:33.0 -0500 +++ dist/pfilter.c 2015-01-22 23:46:03.0 -0500 -@@ -0,0 +1,27 @@ +@@ -0,0 +1,28 @@ +#include "namespace.h" ++#include "includes.h" +#include "ssh.h" +#include "packet.h" +#include "log.h" 
@@ -175,3 +176,56 @@ diff -u -r1.16 sshd.c if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, +Index: auth-pam.c +=== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v +retrieving revision 1.7 +diff -u -u -r1.7 auth-pam.c +--- auth-pam.c 3 Jul 2015 00:59:59 - 1.7 auth-pam.c 23 Jan 2016 00:01:16 - +@@ -114,6 +114,7 @@ + #include "ssh-gss.h" + #endif + #include "monitor_wrap.h" ++#include "pfilter.h" + + extern ServerOptions options; + extern Buffer loginmsg; +@@ -809,6 +810,7 @@ + free(msg); + return (0); + } ++ pfilter_notify(1); + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? "" : "illegal user ", + sshpam_authctxt->user, +Index: auth.c +=== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v +retrieving revision 1.15 +diff -u -u -r1.15 auth.c +--- auth.c 21 Aug 2015 08:20:59 - 1.15 auth.c 23 Jan 2016 00:01:16 - +@@ -656,6 +656,7 @@ + + pw = getpwnam(user); + if (pw == NULL) { ++ pfilter_notify(1); + logit("Invalid user %.100s from %.100s", + user, get_remote_ipaddr()); + return (NULL); +Index: auth1.c +=== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v +retrieving revision 1.12 +diff -u -u -r1.12 auth1.c +--- auth1.c 3 Jul 2015 00:59:59 - 1.12 auth1.c 23 Jan 2016 00:01:16 - +@@ -376,6 +376,7 @@ + char *msg; + size_t len; + ++ pfilter_notify(1); + error("Access denied for user %s by PAM account " + "configuration", authctxt->user); + len = buffer_len();
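Review bot: the new hook in auth.c fires whenever getpwnam() returns NULL, before the "Invalid user" logit(); confirm that this lookup is reached once per authentication attempt rather than once per method probe, otherwise a single failed login could count several times against the blacklistd threshold. The +1,27 to +1,28 count update in the pfilter.c hunk matches the added `#include "includes.h"` line.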
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Sat Jan 23 03:11:14 UTC 2016 Modified Files: src/external/bsd/blacklist/diff: proftpd.diff Log Message: cleanup pkgsrc junk To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/external/bsd/blacklist/diff/proftpd.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/diff/proftpd.diff diff -u src/external/bsd/blacklist/diff/proftpd.diff:1.1 src/external/bsd/blacklist/diff/proftpd.diff:1.2 --- src/external/bsd/blacklist/diff/proftpd.diff:1.1 Fri Jan 22 19:05:54 2016 +++ src/external/bsd/blacklist/diff/proftpd.diff Fri Jan 22 22:11:14 2016 @@ -9,12 +9,6 @@ +OBJS+= pfilter.o +BUILD_OBJS+= src/pfilter.o + -$NetBSD: proftpd.diff,v 1.1 2016/01/23 00:05:54 christos Exp $ - -Make this pkgsrc friendly. - -Linking ftpdctl does not (seem to) require all the libraries needed for -various proftpd modules. It definitely cannot include -lwrap. --- /dev/null 2016-01-22 17:30:55.0 -0500 +++ include/pfilter.h 2016-01-22 16:18:33.0 -0500
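Review bot: the block removed at `@@ -9,12 +9,6 @@` drops, together with the pkgsrc `$NetBSD` tag, the only explanation of why ftpdctl is linked without the module libraries and without -lwrap; since the `OBJS+= pfilter.o` / `BUILD_OBJS+= src/pfilter.o` additions above it stay in the diff, keep that rationale as a one-line comment in the diff header rather than deleting it with the tag.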
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: christos Date: Wed Dec 30 16:42:48 UTC 2015 Modified Files: src/external/bsd/blacklist/lib: Makefile bl.c Log Message: Add a mutex to prevent races during initialization code from multiple threads. Found in named. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/external/bsd/blacklist/lib/Makefile cvs rdiff -u -r1.26 -r1.27 src/external/bsd/blacklist/lib/bl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/Makefile diff -u src/external/bsd/blacklist/lib/Makefile:1.3 src/external/bsd/blacklist/lib/Makefile:1.4 --- src/external/bsd/blacklist/lib/Makefile:1.3 Thu Jan 22 13:46:15 2015 +++ src/external/bsd/blacklist/lib/Makefile Wed Dec 30 11:42:48 2015 @@ -1,7 +1,10 @@ -# $NetBSD: Makefile,v 1.3 2015/01/22 18:46:15 christos Exp $ +# $NetBSD: Makefile,v 1.4 2015/12/30 16:42:48 christos Exp $ USE_SHLIBDIR= yes +CPPFLAGS+=-D_REENTRANT +DPADD+=${LIBPTHREAD} +LPADD+=-lpthread LIB=blacklist SRCS=bl.c blacklist.c MAN=libblacklist.3 Index: src/external/bsd/blacklist/lib/bl.c diff -u src/external/bsd/blacklist/lib/bl.c:1.26 src/external/bsd/blacklist/lib/bl.c:1.27 --- src/external/bsd/blacklist/lib/bl.c:1.26 Wed May 27 21:01:37 2015 +++ src/external/bsd/blacklist/lib/bl.c Wed Dec 30 11:42:48 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.26 2015/05/28 01:01:37 christos Exp $ */ +/* $NetBSD: bl.c,v 1.27 2015/12/30 16:42:48 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: bl.c,v 1.26 2015/05/28 01:01:37 christos Exp $"); +__RCSID("$NetBSD: bl.c,v 1.27 2015/12/30 16:42:48 christos Exp $"); #include #include @@ -53,6 +53,9 @@ __RCSID("$NetBSD: bl.c,v 1.26 2015/05/28 #include #include #include +#ifdef _REENTRANT +#include +#endif #include "bl.h" 
@@ -66,6 +69,16 @@ typedef struct { } bl_message_t; struct blacklist { +#ifdef _REENTRANT + pthread_mutex_t b_mutex; +# define BL_INIT(b) pthread_mutex_init(>b_mutex, NULL) +# define BL_LOCK(b) pthread_mutex_lock(>b_mutex) +# define BL_UNLOCK(b) pthread_mutex_unlock(>b_mutex) +#else +# define BL_INIT(b) do {} while(/*CONSTCOND*/0) +# define BL_LOCK(b) BL_INIT(b) +# define BL_UNLOCK(b) BL_INIT(b) +#endif int b_fd; int b_connected; struct sockaddr_un b_sun; @@ -88,13 +101,17 @@ bl_getfd(bl_t b) } static void -bl_reset(bl_t b) +bl_reset(bl_t b, bool locked) { int serrno = errno; + if (!locked) + BL_LOCK(b); close(b->b_fd); errno = serrno; b->b_fd = -1; b->b_connected = -1; + if (!locked) + BL_UNLOCK(b); } static void @@ -129,12 +146,15 @@ bl_init(bl_t b, bool srv) #define SOCK_NOSIGPIPE 0 #endif + BL_LOCK(b); + if (b->b_fd == -1) { b->b_fd = socket(PF_LOCAL, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK|SOCK_NOSIGPIPE, 0); if (b->b_fd == -1) { bl_log(b->b_fun, LOG_ERR, "%s: socket failed (%m)", __func__); + BL_UNLOCK(b); return -1; } #if SOCK_CLOEXEC == 0 @@ -153,9 +173,16 @@ bl_init(bl_t b, bool srv) #endif } - if (bl_isconnected(b)) + if (bl_isconnected(b)) { + BL_UNLOCK(b); return 0; + } + /* + * We try to connect anyway even when we are a server to verify + * that no other server is listening to the socket. If we succeed + * to connect and we are a server, someone else owns it. + */ rv = connect(b->b_fd, (const void *)sun, (socklen_t)sizeof(*sun)); if (rv == 0) { if (srv) { @@ -177,6 +204,7 @@ bl_init(bl_t b, bool srv) __func__, sun->sun_path); b->b_connected = 1; } + BL_UNLOCK(b); return -1; } bl_log(b->b_fun, LOG_DEBUG, "Connected to blacklist server", @@ -237,9 +265,11 @@ bl_init(bl_t b, bool srv) } #endif + BL_UNLOCK(b); return 0; out: - bl_reset(b); + bl_reset(b, true); + BL_UNLOCK(b); return -1; } 
@@ -252,6 +282,7 @@ bl_create(bool srv, const char *path, vo b->b_fun = fun == NULL ? vsyslog : fun; b->b_fd = -1; b->b_connected = -1; + BL_INIT(b); memset(>b_sun, 0, sizeof(b->b_sun)); b->b_sun.sun_family = AF_LOCAL; @@ -272,7 +303,7 @@ out: void bl_destroy(bl_t b) { - bl_reset(b); + bl_reset(b, false); free(b); } @@ -377,7 +408,7 @@ again: return -1; if ((sendmsg(b->b_fd, , 0) == -1) && tried++ < NTRIES) { - bl_reset(b); + bl_reset(b, false); goto again; } return tried >= NTRIES ? -1 : 0;
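Review bot: `LPADD+=-lpthread` in the Makefile hunk is not a variable the BSD make infrastructure consumes (DPADD and LDADD are the pair), so -lpthread never reaches the linker and the pthread_mutex_* references introduced in bl.c will not resolve for the shared libblacklist; change it to `LDADD+=-lpthread`.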
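Review bot: bl_create now runs `BL_INIT(b)` (pthread_mutex_init), but the `bl_destroy` hunk at `@@ -272,7 +303,7 @@` only does `bl_reset(b, false); free(b);`, so the mutex is freed without ever being destroyed; add a `BL_DESTROY(b)` macro next to BL_INIT/BL_LOCK/BL_UNLOCK (a no-op in the `#else` branch) and call it before `free(b)`.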
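Review bot: in the `@@ -377,7 +408,7 @@ again:` hunk, `sendmsg(b->b_fd, ...)` reads b_fd outside the lock while `bl_reset(b, false)` closes and resets it under the lock, so two threads sending concurrently can reset each other's descriptor mid-call (and one can end up calling sendmsg() on a descriptor number that has since been reused). Either hold BL_LOCK across the sendmsg/reset/retry sequence or copy b_fd under the lock and compare before resetting.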
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: christos Date: Wed Dec 30 17:57:20 UTC 2015 Modified Files: src/external/bsd/blacklist/lib: Makefile Log Message: typo To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/lib/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/Makefile diff -u src/external/bsd/blacklist/lib/Makefile:1.4 src/external/bsd/blacklist/lib/Makefile:1.5 --- src/external/bsd/blacklist/lib/Makefile:1.4 Wed Dec 30 11:42:48 2015 +++ src/external/bsd/blacklist/lib/Makefile Wed Dec 30 12:57:20 2015 @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.4 2015/12/30 16:42:48 christos Exp $ +# $NetBSD: Makefile,v 1.5 2015/12/30 17:57:20 christos Exp $ USE_SHLIBDIR= yes CPPFLAGS+=-D_REENTRANT DPADD+=${LIBPTHREAD} -LPADD+=-lpthread +LDADD+=-lpthread LIB=blacklist SRCS=bl.c blacklist.c MAN=libblacklist.3
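Review bot: the log message "typo" hides that this one-character change (`LPADD` to `LDADD`) is what makes -lpthread actually reach the linker for the mutex added in bl.c 1.27; a log line naming the variable would help anyone bisecting link failures in libblacklist.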
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed Nov 4 16:21:52 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.c Log Message: add 'n' to getopt To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/external/bsd/blacklist/bin/blacklistctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.c diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.18 src/external/bsd/blacklist/bin/blacklistctl.c:1.19 --- src/external/bsd/blacklist/bin/blacklistctl.c:1.18 Tue Jun 2 10:02:10 2015 +++ src/external/bsd/blacklist/bin/blacklistctl.c Wed Nov 4 11:21:52 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistctl.c,v 1.18 2015/06/02 14:02:10 christos Exp $ */ +/* $NetBSD: blacklistctl.c,v 1.19 2015/11/04 16:21:52 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include -__RCSID("$NetBSD: blacklistctl.c,v 1.18 2015/06/02 14:02:10 christos Exp $"); +__RCSID("$NetBSD: blacklistctl.c,v 1.19 2015/11/04 16:21:52 christos Exp $"); #include #include @@ -85,7 +85,7 @@ main(int argc, char *argv[]) argc--; argv++; - while ((o = getopt(argc, argv, "abD:drw")) != -1) + while ((o = getopt(argc, argv, "abD:dnrw")) != -1) switch (o) { case 'a': all = 1;
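Review bot: the `@@ -85,7 +85,7 @@` hunk adds `n` to the optstring but no `case 'n':` is visible in the switch, so check that a handler exists in the unshown context; otherwise `-n` is accepted by getopt and silently falls through to the default branch. The log message should also say what -n does.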
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed Oct 14 16:01:29 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: internal.h Log Message: syslog attribute. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/external/bsd/blacklist/bin/internal.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/internal.h diff -u src/external/bsd/blacklist/bin/internal.h:1.12 src/external/bsd/blacklist/bin/internal.h:1.13 --- src/external/bsd/blacklist/bin/internal.h:1.12 Tue Jan 27 14:40:37 2015 +++ src/external/bsd/blacklist/bin/internal.h Wed Oct 14 12:01:29 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: internal.h,v 1.12 2015/01/27 19:40:37 christos Exp $ */ +/* $NetBSD: internal.h,v 1.13 2015/10/14 16:01:29 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -47,7 +47,11 @@ extern const char *rulename; extern const char *controlprog; extern struct ifaddrs *ifas; +#if !defined(__syslog_attribute__) && !defined(__syslog__) +#define __syslog__ __printf__ +#endif + void (*lfun)(int, const char *, ...) -__attribute__((__format__(__printf__, 2, 3))); +__attribute__((__format__(__syslog__, 2, 3))); #endif /* _INTERNAL_H */
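Review bot: the `void (*lfun)(int, const char *, ...)` declaration in the context of the `@@ -47,7 +47,11 @@` hunk lacks `extern`, while the neighbouring `rulename`, `controlprog` and `ifas` declarations have it, so every translation unit that includes internal.h gets a tentative definition of lfun (a common symbol, which fails to link under -fno-common); add `extern` while the attribute is being touched.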
CVS commit: src/external/bsd/blacklist/etc
Module Name:src Committed By: christos Date: Sun Jul 12 11:27:53 UTC 2015 Modified Files: src/external/bsd/blacklist/etc: blacklistd.conf Log Message: simplify, comment out testing entries To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/etc/blacklistd.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/etc/blacklistd.conf diff -u src/external/bsd/blacklist/etc/blacklistd.conf:1.5 src/external/bsd/blacklist/etc/blacklistd.conf:1.6 --- src/external/bsd/blacklist/etc/blacklistd.conf:1.5 Wed Jun 3 11:13:15 2015 +++ src/external/bsd/blacklist/etc/blacklistd.conf Sun Jul 12 07:27:52 2015 @@ -1,19 +1,14 @@ # Blacklist rule # adr/mask:port type proto owner name nfail disable [local] -ssh stream tcp * * 3 6h -ssh stream tcp6 * * 3 6h -ftp stream tcp * * 3 6h -ftp stream tcp6 * * 3 6h -domain stream tcp named * 3 12h -domain dgram udp named * 3 12h -domain stream tcp6 named * 3 12h -domain dgram udp6 named * 3 12h -6161 stream tcp6 christos * 2 10m +ssh stream * * * 3 6h +ftp stream * * * 3 6h +domain * * named * 3 12h +#6161 stream tcp6 christos * 2 10m * * * * * 3 60 # adr/mask:port type proto owner name nfail disable [remote] -129.168.0.0/16 * * * = * * -6161 = = = =/24 = = -* stream tcp * = = = +#129.168.0.0/16 * * * = * * +#6161 = = = =/24 = = +#* stream tcp * = = =
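Review bot: the commented-out remote example `#129.168.0.0/16 * * * = * *` looks like a transposition of the private range 192.168.0.0/16; 129.168.0.0/16 is public address space, so anyone uncommenting it as a template would match the wrong network. The remaining active line `* * * * * 3 60` in the [local] section is now the only catch-all rule and deserves a comment saying it blocks any reporting service after 3 failures for 60 seconds.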
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Sun Jun 21 01:13:21 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c Log Message: Restart the loop each time we delete an entry because the hash code does not handle it well. Is that a db bug? To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.33 src/external/bsd/blacklist/bin/blacklistd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.32 src/external/bsd/blacklist/bin/blacklistd.c:1.33 --- src/external/bsd/blacklist/bin/blacklistd.c:1.32 Wed Jan 28 17:30:42 2015 +++ src/external/bsd/blacklist/bin/blacklistd.c Sat Jun 20 21:13:21 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.32 2015/01/28 22:30:42 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.33 2015/06/21 01:13:21 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include config.h #endif #include sys/cdefs.h -__RCSID($NetBSD: blacklistd.c,v 1.32 2015/01/28 22:30:42 christos Exp $); +__RCSID($NetBSD: blacklistd.c,v 1.33 2015/06/21 01:13:21 christos Exp $); #include sys/types.h #include sys/socket.h @@ -284,6 +284,7 @@ update(void) return; } +again: for (n = 0, f = 1; state_iterate(state, c, dbi, f) == 1; f = 0, n++) { @@ -305,6 +306,7 @@ update(void) buf, c.c_lmask, c.c_port, c.c_duration); } state_del(state, c); + goto again; } }
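Review bot: `goto again;` after the `state_del` in the `@@ -305,6 +306,7 @@` hunk restarts the cursor from the first record on every deletion, which makes update() quadratic when many entries expire at once, and the reason (the hash cursor being unreliable after a delete, per the log message) is not recorded in the code. Add a comment at the `again:` label so the restart is not removed later, and consider collecting expired keys in one pass and deleting them in a second.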
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: wiz Date: Thu Jun 4 16:11:48 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 Log Message: Whitespace and macro fixes. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.13 src/external/bsd/blacklist/bin/blacklistd.8:1.14 --- src/external/bsd/blacklist/bin/blacklistd.8:1.13 Thu Jun 4 16:01:09 2015 +++ src/external/bsd/blacklist/bin/blacklistd.8 Thu Jun 4 16:11:48 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistd.8,v 1.13 2015/06/04 16:01:09 christos Exp $ +.\ $NetBSD: blacklistd.8,v 1.14 2015/06/04 16:11:48 wiz Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -111,7 +111,6 @@ seconds (default .Dv 15 ) and removes entries and block rules using the control program as necessary. .Pp -.Pp The following options are available: .Bl -tag -width indent .It Fl C Ar controlprog @@ -120,13 +119,13 @@ Use to communicate with the packet filter, usually .Pa /libexec/blacklistd-helper . The following arguments are passed to the control program: -.Bl -tag -width protocol indent +.Bl -tag -width protocol .It action -The action to perform: +The action to perform: .Dv add , .Dv rem , or -.Dv flush +.Dv flush to add, remove or flush a firewall rule. .It name The rule name.
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Thu Jun 4 16:01:09 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 Log Message: Document the options as a list instead of embedded text. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.12 src/external/bsd/blacklist/bin/blacklistd.8:1.13 --- src/external/bsd/blacklist/bin/blacklistd.8:1.12 Tue Jun 2 17:03:46 2015 +++ src/external/bsd/blacklist/bin/blacklistd.8 Thu Jun 4 12:01:09 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistd.8,v 1.12 2015/06/02 21:03:46 snj Exp $ +.\ $NetBSD: blacklistd.8,v 1.13 2015/06/04 16:01:09 christos Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -27,7 +27,7 @@ .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\ POSSIBILITY OF SUCH DAMAGE. .\ -.Dd April 29, 2015 +.Dd June 4, 2015 .Dt BLACKLISTD 8 .Os .Sh NAME @@ -90,7 +90,7 @@ If the action is .Dq remove Then the same control script is invoked as: .Bd -literal -offset indent -control add rulename proto address mask port +control remove rulename proto address mask port id .Ed .Pp where 
@@ -103,19 +103,6 @@ action. maintains a database of known connections in .Ar dbfile . On startup it reads entries from that file, and updates its internal state. -If the -.Fl f -flag is specified, then the database is truncated an all the rules named -.Ar rulename -are deleted by invoking the control script as: -.Bd -literal -offset indent -control flush rulename -.Ed -If the -.Fl r -flag is specified, the firewall rules are re-read from the internal database -and are removed and re-added. -This helps for packet filters that don't retain state across reboots. .Pp .Nm checks the list of active entries every 
@@ -124,22 +111,94 @@ seconds (default .Dv 15 ) and removes entries and block rules using the control program as necessary. .Pp +.Pp +The following options are available: +.Bl -tag -width indent +.It Fl C Ar controlprog +Use +.Ar controlprog +to communicate with the packet filter, usually +.Pa /libexec/blacklistd-helper . +The following arguments are passed to the control program: +.Bl -tag -width protocol indent +.It action +The action to perform: +.Dv add , +.Dv rem , +or +.Dv flush +to add, remove or flush a firewall rule. +.It name +The rule name. +.It protocol +The optional protocol name (can be empty): +.Dv tcp , +.Dv tcp6 , +.Dv udp , +.Dv udp6 . +.It address +The IPv4 or IPv6 numeric address to be blocked or released. +.It mask +The numeric mask to be applied to the blocked or released address +.It port +The optional numeric port to be blocked (can be empty). +.It id +For packet filters that support removal of rules by rule identifier, the +identifier of the rule to be removed. +The add command is expected to return the rule identifier string to stdout. +.El +.It Fl c Ar configuration +The name of the configuration file to read, usually +.Pa /etc/blacklistd.conf . +.It Fl D Ar dbfile +The Berkeley DB file where +.Nm +stores its state, usually +.Pa /var/run/blacklistd.db . +.It Fl d Normally, .Nm -disassociates itself from the terminal and writes messages to -.Xr syslogd 8 , -unless the +disassociates itself from the terminal unless the .Fl d flag is specified, in which case it stays in the foreground. -The -.Fl v -cases +.It Fl f +Truncate the state database and flush all the rules named +.Ar rulename +are deleted by invoking the control script as: +.Bd -literal -offset indent +control flush rulename +.Ed +.It Fl P Ar sockspathsfile +A file containing a list of pathnames, one per line that +.Nm +will create sockets to listen to. +This is useful for chrooted environments. 
+.It Fl R Ar rulename +Specify the default rule name for the packet filter rules, usually +.Dv blacklistd . +.It Fl r +Re-read the firewall rules from the internal database, then +remove and re-add them. +This helps for packet filters that don't retain state across reboots. +.It Fl s Ar sockpath +Add +.Ar sockpath +to the list of Unix sockets +.Nm +listens to. +.It Fl t Ar timeout +The interval in seconds +.Nm +polls the state file to update the rules. +.It Fl v +Cause .Nm to print diagnostic messages to .Dv stdout instead of .Xr syslogd 8 . +.El .Sh FILES .Bl -tag -width /libexec/blacklistd-helper -compact .It Pa /libexec/blacklistd-helper
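Review bot: the example at `@@ -90,7 +90,7 @@` is changed to `control remove rulename proto address mask port id`, but the new option list documents the action as `.Dv rem` and the blacklistd-helper script in this tree matches on `rem)`; the example should use `rem` so the two agree.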
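Review bot: in the `@@ -124,22 +111,94 @@` hunk the `.It Fl f` text reads "Truncate the state database and flush all the rules named rulename are deleted by invoking the control script as:", a leftover from the sentence it replaced; rewrite as "Truncate the state database and delete all the rules named rulename by invoking the control script as:". The same hunk adds a second `.Pp` directly after an existing one (an empty paragraph), and `.Bl -tag -width protocol indent` passes two width arguments where one is expected.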
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed Jun 3 15:11:40 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: conf.c Log Message: disallow interface spec in remote config (since we check against the remote address, it does not make sense). To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/external/bsd/blacklist/bin/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.22 src/external/bsd/blacklist/bin/conf.c:1.23 --- src/external/bsd/blacklist/bin/conf.c:1.22 Tue Jun 2 16:52:00 2015 +++ src/external/bsd/blacklist/bin/conf.c Wed Jun 3 11:11:40 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.22 2015/06/02 20:52:00 christos Exp $ */ +/* $NetBSD: conf.c,v 1.23 2015/06/03 15:11:40 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: conf.c,v 1.22 2015/06/02 20:52:00 christos Exp $); +__RCSID($NetBSD: conf.c,v 1.23 2015/06/03 15:11:40 christos Exp $); #include stdio.h #include string.h @@ -271,6 +271,8 @@ gethostport(const char *f, size_t l, boo (*lfun)(LOG_DEBUG, %s: host4 %s, __func__, p); if (strcmp(p, *) != 0) { if (conf_is_interface(p)) { +if (!local) + goto out2; if (debug) (*lfun)(LOG_DEBUG, %s: interface %s, __func__, p); @@ -308,6 +310,10 @@ out1: (*lfun)(LOG_ERR, %s: %s, %zu: Can't specify mask %d with interface [%s], __func__, f, l, c-c_lmask, p); return -1; +out2: + (*lfun)(LOG_ERR, %s: %s, %zu: Interface spec does not make sense + with remote config [%s], __func__, f, l, p); + return -1; } static int @@ -490,7 +496,7 @@ out: char b1[256], b2[256]; len = 2; hexdump(b1, sizeof(b1), a1, v1, len); - hexdump(b2, sizeof(b2), a1, v2, len); + hexdump(b2, sizeof(b2), a2, v2, len); (*lfun)(LOG_DEBUG, %s: %s != %s [0x%x], __func__, b1, b2, omask); }
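Review bot: the `@@ -490,7 +496,7 @@` hunk changes the second hexdump's `a1` to `a2`, a fix to the debug output that has nothing to do with the interface-spec check and is not mentioned in the log message; either split it into its own commit or name it in the log so the change is findable.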
CVS commit: src/external/bsd/blacklist/etc
Module Name:src Committed By: christos Date: Wed Jun 3 15:13:15 UTC 2015 Modified Files: src/external/bsd/blacklist/etc: blacklistd.conf Log Message: remove interface example from remote config. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/etc/blacklistd.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/etc/blacklistd.conf diff -u src/external/bsd/blacklist/etc/blacklistd.conf:1.4 src/external/bsd/blacklist/etc/blacklistd.conf:1.5 --- src/external/bsd/blacklist/etc/blacklistd.conf:1.4 Sat May 30 18:40:17 2015 +++ src/external/bsd/blacklist/etc/blacklistd.conf Wed Jun 3 11:13:15 2015 @@ -14,7 +14,6 @@ domain dgram udp6 named * 3 12h # adr/mask:port type proto owner name nfail disable [remote] -bge0 stream tcp * =/24 = = 129.168.0.0/16 * * * = * * 6161 = = = =/24 = = * stream tcp * = = =
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Tue Jun 2 20:52:00 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: conf.c Log Message: restore address length before printing. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/external/bsd/blacklist/bin/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.21 src/external/bsd/blacklist/bin/conf.c:1.22 --- src/external/bsd/blacklist/bin/conf.c:1.21 Tue Jun 2 10:02:10 2015 +++ src/external/bsd/blacklist/bin/conf.c Tue Jun 2 16:52:00 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.21 2015/06/02 14:02:10 christos Exp $ */ +/* $NetBSD: conf.c,v 1.22 2015/06/02 20:52:00 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: conf.c,v 1.21 2015/06/02 14:02:10 christos Exp $); +__RCSID($NetBSD: conf.c,v 1.22 2015/06/02 20:52:00 christos Exp $); #include stdio.h #include string.h @@ -488,6 +488,7 @@ conf_amask_eq(const void *v1, const void out: if (debug 1) { char b1[256], b2[256]; + len = 2; hexdump(b1, sizeof(b1), a1, v1, len); hexdump(b2, sizeof(b2), a1, v2, len); (*lfun)(LOG_DEBUG, %s: %s != %s [0x%x], __func__,
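Review bot: in the `@@ -488,6 +488,7 @@` hunk the context line `hexdump(b2, sizeof(b2), a1, v2, len);` still pairs `a1` with `v2`, mirroring the first call's a1/v1 pairing, so the two dumps in the "%s != %s" debug line are not distinguishable; it should be `a2`, and this is the place to fix it since the block is being touched.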
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: snj Date: Tue Jun 2 21:03:46 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 Log Message: prune bogus comma from Nm args To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.11 src/external/bsd/blacklist/bin/blacklistd.8:1.12 --- src/external/bsd/blacklist/bin/blacklistd.8:1.11 Thu Apr 30 06:20:43 2015 +++ src/external/bsd/blacklist/bin/blacklistd.8 Tue Jun 2 21:03:46 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistd.8,v 1.11 2015/04/30 06:20:43 riz Exp $ +.\ $NetBSD: blacklistd.8,v 1.12 2015/06/02 21:03:46 snj Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -31,7 +31,7 @@ .Dt BLACKLISTD 8 .Os .Sh NAME -.Nm blacklistd , +.Nm blacklistd .Nd block and release ports on demand to avoid DoS abuse .Sh SYNOPSIS .Nm
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Tue Jun 2 14:02:10 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.c conf.c run.c state.c support.c support.h Log Message: Add more debugging, simplify. Use symbolic constants: -2=FEQUALS, -1=FSTAR To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/external/bsd/blacklist/bin/blacklistctl.c cvs rdiff -u -r1.20 -r1.21 src/external/bsd/blacklist/bin/conf.c cvs rdiff -u -r1.12 -r1.13 src/external/bsd/blacklist/bin/run.c cvs rdiff -u -r1.16 -r1.17 src/external/bsd/blacklist/bin/state.c cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/bin/support.c cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/bin/support.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.c diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.17 src/external/bsd/blacklist/bin/blacklistctl.c:1.18 --- src/external/bsd/blacklist/bin/blacklistctl.c:1.17 Mon Feb 2 17:01:55 2015 +++ src/external/bsd/blacklist/bin/blacklistctl.c Tue Jun 2 10:02:10 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistctl.c,v 1.17 2015/02/02 22:01:55 christos Exp $ */ +/* $NetBSD: blacklistctl.c,v 1.18 2015/06/02 14:02:10 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: blacklistctl.c,v 1.17 2015/02/02 22:01:55 christos Exp $); +__RCSID($NetBSD: blacklistctl.c,v 1.18 2015/06/02 14:02:10 christos Exp $); #include stdio.h #include time.h @@ -85,7 +85,7 @@ main(int argc, char *argv[]) argc--; argv++; - while ((o = getopt(argc, argv, abdrw)) != -1) + while ((o = getopt(argc, argv, abD:drw)) != -1) switch (o) { case 'a': all = 1; 
@@ -93,6 +93,9 @@ main(int argc, char *argv[]) break; case 'b': blocked = 1; + case 'D': + dbname = optarg; + break; break; case 'd': debug++; Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.20 src/external/bsd/blacklist/bin/conf.c:1.21 --- src/external/bsd/blacklist/bin/conf.c:1.20 Sat May 30 18:39:14 2015 +++ src/external/bsd/blacklist/bin/conf.c Tue Jun 2 10:02:10 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.20 2015/05/30 22:39:14 christos Exp $ */ +/* $NetBSD: conf.c,v 1.21 2015/06/02 14:02:10 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: conf.c,v 1.20 2015/05/30 22:39:14 christos Exp $); +__RCSID($NetBSD: conf.c,v 1.21 2015/06/02 14:02:10 christos Exp $); #include stdio.h #include string.h @@ -56,6 +56,7 @@ __RCSID($NetBSD: conf.c,v 1.20 2015/05/ #include bl.h #include internal.h +#include support.h #include conf.h @@ -71,6 +72,9 @@ struct sockaddr_if { static int conf_is_interface(const char *); +#define FSTAR -1 +#define FEQUAL -2 + static void advance(char **p) { @@ -91,13 +95,13 @@ getnum(const char *f, size_t l, bool loc int *r = rp; if (strcmp(p, *) == 0) { - *r = -1; + *r = FSTAR; return 0; } if (strcmp(p, =) == 0) { if (local) goto out; - *r = -2; + *r = FEQUAL; return 0; } @@ -134,13 +138,13 @@ getsecs(const char *f, size_t l, bool lo tot = 0; if (strcmp(p, *) == 0) { - c-c_duration = -1; + c-c_duration = FSTAR; return 0; } if (strcmp(p, =) == 0) { if (local) goto out; - c-c_duration = -2; + c-c_duration = FEQUAL; return 0; } again: 
@@ -204,39 +208,22 @@ getport(const char *f, size_t l, bool lo } static int -getmask(const char *f, size_t l, bool local __unused, const char **p, int def) +getmask(const char *f, size_t l, bool local, const char **p, int *mask) { char *d; - int e; - intmax_t im; const char *s = *p; if ((d = strchr(s, ':')) != NULL) { *d++ = '\0'; *p = d; } - if ((d = strchr(s, '/')) == NULL) - return def; - - *d++ = '\0'; - if (strcmp(d, =) == 0) { - if (local) - goto out; - return -2; + if ((d = strchr(s, '/')) == NULL) { + *mask = FSTAR; + return 0; } - if (strcmp(d, *) == 0) - return def; - - im = strtoi(d, NULL, 0, 0, def, e); - if (e == 0) - return (int)im; - (*lfun)(LOG_ERR, %s: %s, %zu: Bad mask [%s], __func__, f, l, d); - return -1; -out: - (*lfun)(LOG_ERR, %s: %s, %zu: `=' name not allowed in local - config, __func__, f, l); - return -1; + *d++ = '\0'; + return getnum(f, l, local, mask, mask, d); } static int @@ -247,8 +234,8 @@ gethostport(const char *f, size_t l, boo const char *pstr; if (strcmp(p, *) == 0) { - c-c_port = -1; - c-c_lmask = -1; + c-c_port = FSTAR; + c-c_lmask = FSTAR; return 0; } @@ -259,12 +246,9 @@ gethostport(const char *f, size_t l, boo } else pstr = p; - if ((c-c_lmask = getmask(f, l, local, pstr, 256)) == -1) + if (getmask(f, l, local, pstr, c-c_lmask) == -1) goto out; - if (c-c_lmask == 256) -
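Review bot: in the blacklistctl.c hunk at `@@ -93,6 +93,9 @@` the new `case 'D':` is inserted between `blocked = 1;` and the `break;` that belonged to `case 'b'`, so `-b` now falls through and sets `dbname = optarg` (NULL for an option that takes no argument), and the original `break;` left after the new one is unreachable. Move the `case 'D'` block below the existing `break;`.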
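Review bot: the conf.c hunk at `@@ -71,6 +72,9 @@` defines the constant as `FEQUAL` while the log message calls it `FEQUALS`; pick one name so grep against the log works. In the getmask hunk (`@@ -204,39 +208,22 @@`) a missing `/` now yields `FSTAR` where the old code returned the caller's `def` (256 from gethostport), and the `c->c_lmask == 256` check is removed; confirm every other consumer of c_lmask treats FSTAR the way it treated 256.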
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Tue Jun 2 14:02:39 UTC 2015 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: make proto and port optional To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.4 src/external/bsd/blacklist/libexec/blacklistd-helper:1.5 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.4 Wed Jan 28 20:05:25 2015 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Tue Jun 2 10:02:39 2015 @@ -11,7 +11,13 @@ case $1 in add) - exec /sbin/npfctl rule $2 add block in final proto $3 from $4/$5 to any port $6 + if [ -n $3 ]; then + proto=proto $3 + fi + if [ -n $6 ]; then + port=port $6 + fi + exec /sbin/npfctl rule $2 add block in final $proto from $4/$5 to any $port ;; rem) exec /sbin/npfctl rule $2 rem-id $7
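Review bot: `proto` and `port` are never initialised to empty before the `[ -n $3 ]` and `[ -n $6 ]` tests in the `add)` branch, so a `proto` or `port` variable inherited from the environment of the daemon that exec'd the helper would be spliced into the npfctl rule when the corresponding argument is empty; set `proto=` and `port=` at the top of the branch.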
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Sat May 30 21:05:18 UTC 2015 Modified Files: src/external/bsd/blacklist/diff: ssh.diff Log Message: add prototype To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/diff/ssh.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/diff/ssh.diff diff -u src/external/bsd/blacklist/diff/ssh.diff:1.6 src/external/bsd/blacklist/diff/ssh.diff:1.7 --- src/external/bsd/blacklist/diff/ssh.diff:1.6 Sat Feb 14 14:05:59 2015 +++ src/external/bsd/blacklist/diff/ssh.diff Sat May 30 17:05:18 2015 @@ -11,7 +11,7 @@ +static struct blacklist *blstate; + +void -+pfilter_init() ++pfilter_init(void) +{ + blstate = blacklist_open(); +}
CVS commit: src/external/bsd/blacklist/test
Module Name:src Committed By: christos Date: Sat May 30 22:40:38 UTC 2015 Modified Files: src/external/bsd/blacklist/test: Makefile srvtest.c Log Message: Add ability to test using a local socket. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/test/Makefile cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/test/srvtest.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/test/Makefile diff -u src/external/bsd/blacklist/test/Makefile:1.2 src/external/bsd/blacklist/test/Makefile:1.3 --- src/external/bsd/blacklist/test/Makefile:1.2 Thu Jan 22 00:03:52 2015 +++ src/external/bsd/blacklist/test/Makefile Sat May 30 18:40:38 2015 @@ -1,10 +1,11 @@ -# $NetBSD: Makefile,v 1.2 2015/01/22 05:03:52 christos Exp $ +# $NetBSD: Makefile,v 1.3 2015/05/30 22:40:38 christos Exp $ MKMAN=no PROGS=srvtest cltest SRCS.srvtest = srvtest.c SRCS.cltest = cltest.c +CPPFLAGS+=-DBLDEBUG LDADD+=-lutil DPADD+=${LIBUTIL} Index: src/external/bsd/blacklist/test/srvtest.c diff -u src/external/bsd/blacklist/test/srvtest.c:1.9 src/external/bsd/blacklist/test/srvtest.c:1.10 --- src/external/bsd/blacklist/test/srvtest.c:1.9 Thu Jan 22 00:35:55 2015 +++ src/external/bsd/blacklist/test/srvtest.c Sat May 30 18:40:38 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: srvtest.c,v 1.9 2015/01/22 05:35:55 christos Exp $ */ +/* $NetBSD: srvtest.c,v 1.10 2015/05/30 22:40:38 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: srvtest.c,v 1.9 2015/01/22 05:35:55 christos Exp $); +__RCSID($NetBSD: srvtest.c,v 1.10 2015/05/30 22:40:38 christos Exp $); #include sys/types.h #include sys/socket.h @@ -49,6 +49,10 @@ __RCSID($NetBSD: srvtest.c,v 1.9 2015/0 #include err.h #include blacklist.h +#ifdef BLDEBUG +#include bl.h +static void *b; +#endif #ifndef INFTIM #define INFTIM -1 
@@ -66,7 +70,11 @@ process_tcp(int afd) err(1, read); buffer[sizeof(buffer) - 1] = '\0'; printf(%s: sending %d %s\n, getprogname(), afd, buffer); +#ifdef BLDEBUG + blacklist_r(b, 1, afd, buffer); +#else blacklist(1, afd, buffer); +#endif exit(0); } @@ -177,6 +185,10 @@ main(int argc, char *argv[]) signal(SIGCHLD, SIG_IGN); +#ifdef BLDEBUG + b = bl_create(false, blsock, vsyslog); +#endif + while ((c = getopt(argc, argv, up:)) != -1) switch (c) { case 'u':
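Review bot: in the main() hunk, the return value of `b = bl_create(false, blsock, vsyslog)` is never checked, and the call sits before the getopt() loop, so if the `p:` option below is what sets `blsock`, the debug handle is created with the pre-option value. Move the call after option parsing and fail with err() when it returns NULL; otherwise the BLDEBUG path in process_tcp() calls `blacklist_r(b, 1, afd, buffer)` with a NULL handle.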
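Review bot: in the Makefile hunk, `CPPFLAGS+=-DBLDEBUG` switches the test programs to the debug build unconditionally, which also pulls the private `bl.h` header into srvtest.c; consider making it opt-in (e.g. only when the user sets a variable on the make command line) so the default build still exercises the public blacklist() entry point that real daemons use.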
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Sat May 30 22:39:14 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: conf.c Log Message: Centralize and fix =/* parsing, now =/24 works again. XXX: pullup-7 To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/external/bsd/blacklist/bin/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.19 src/external/bsd/blacklist/bin/conf.c:1.20 --- src/external/bsd/blacklist/bin/conf.c:1.19 Wed May 27 18:39:01 2015 +++ src/external/bsd/blacklist/bin/conf.c Sat May 30 18:39:14 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.19 2015/05/27 22:39:01 christos Exp $ */ +/* $NetBSD: conf.c,v 1.20 2015/05/30 22:39:14 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: conf.c,v 1.19 2015/05/27 22:39:01 christos Exp $); +__RCSID($NetBSD: conf.c,v 1.20 2015/05/30 22:39:14 christos Exp $); #include stdio.h #include string.h @@ -83,20 +83,38 @@ advance(char **p) } static int -getnum(const char *f, size_t l, void *r, const char *p) +getnum(const char *f, size_t l, bool local, void *rp, const char *name, +const char *p) { int e; intmax_t im; + int *r = rp; + + if (strcmp(p, *) == 0) { + *r = -1; + return 0; + } + if (strcmp(p, =) == 0) { + if (local) + goto out; + *r = -2; + return 0; + } im = strtoi(p, NULL, 0, 0, INT_MAX, e); if (e == 0) { - *(int *)r = (int)im; + *r = (int)im; return 0; } if (f == NULL) return -1; - (*lfun)(LOG_ERR, %s: %s, %zu: Bad number [%s], __func__, f, l, p); + (*lfun)(LOG_ERR, %s: %s, %zu: Bad number for %s [%s], __func__, f, l, + name, p); + return -1; +out: + (*lfun)(LOG_ERR, %s: %s, %zu: `=' for %s not allowed in local config, + __func__, f, l, name); return -1; } 
@@ -104,25 +122,7 @@ getnum(const char *f, size_t l, void *r, static int getnfail(const char *f, size_t l, bool local, struct conf *c, const char *p) { - if (strcmp(p, *) == 0) { - c-c_nfail = -1; - return 0; - } - if (strcmp(p, =) == 0) { - if (local) - goto out; - c-c_nfail = -2; - return 0; - } - if (getnum(NULL, 0, c-c_nfail, p) == 0) - return 0; - - (*lfun)(LOG_ERR, %s: %s, %zu: Bad nfail [%s], __func__, f, l, p); - return -1; -out: - (*lfun)(LOG_ERR, %s: %s, %zu: `=' nfail not allowed in local config, - __func__, f, l); - return -1; + return getnum(f, l, local, c-c_nfail, nfail, p); } static int @@ -186,7 +186,7 @@ out: } static int -getport(const char *f, size_t l, void *r, const char *p) +getport(const char *f, size_t l, bool local, void *r, const char *p) { struct servent *sv; @@ -200,11 +200,7 @@ getport(const char *f, size_t l, void *r return 0; } - if (getnum(NULL, 0, r, p) == 0) - return 0; - - (*lfun)(LOG_ERR, %s: %s, %zu: Bad service [%s], __func__, f, l, p); - return -1; + return getnum(f, l, local, r, service, p); } static int @@ -317,7 +313,7 @@ gethostport(const char *f, size_t l, boo if (strcmp(pstr, *) == 0) c-c_port = -1; - else if (getport(f, l, c-c_port, pstr) == -1) + else if (getport(f, l, local, c-c_port, pstr) == -1) return -1; if (port c-c_port != -1) @@ -336,10 +332,6 @@ static int getproto(const char *f, size_t l, bool local __unused, struct conf *c, const char *p) { - if (strcmp(p, *) == 0) { - c-c_proto = -1; - return 0; - } if (strcmp(p, stream) == 0) { c-c_proto = IPPROTO_TCP; return 0; 
@@ -348,31 +340,18 @@ getproto(const char *f, size_t l, bool l c-c_proto = IPPROTO_UDP; return 0; } - if (getnum(NULL, 0, c-c_proto, p) == 0) - return 0; - - (*lfun)(LOG_ERR, %s: %s, %zu: Bad protocol [%s], __func__, f, l, p); - return -1; + return getnum(f, l, local, c-c_proto, protocol, p); } static int getfamily(const char *f, size_t l, bool local __unused, struct conf *c, const char *p) { - if (strcmp(p, *) == 0) { - c-c_family = -1; - return 0; - } - if (strncmp(p, tcp, 3) == 0 || strncmp(p, udp, 3) == 0) { c-c_family = p[3] == '6' ? AF_INET6 : AF_INET; return 0; } - if (getnum(NULL, 0, c-c_family, p) == 0) - return 0; - - (*lfun)(LOG_ERR, %s: %s, %zu: Bad family [%s], __func__, f, l, p); - return -1; + return getnum(f, l, local, c-c_family, family, p); } static int @@ -381,21 +360,12 @@ getuid(const char *f, size_t l, bool loc { struct passwd *pw; - if (strcmp(p, *) == 0) { - c-c_uid = -1; - return 0; - } - if ((pw = getpwnam(p)) != NULL) { c-c_uid = (int)pw-pw_uid; return 0; } - if (getnum(NULL, 0, c-c_uid, p) == 0) - return 0; - - (*lfun)(LOG_ERR, %s: %s, %zu: Bad user [%s], __func__, f, l, p); - return -1; + return getnum(f, l, local, c-c_uid, user, p); } @@ -720,7 +690,7 @@ conf_eq(const struct conf *c1, const str return 0; #define CMP(a, b, f) \ - if ((a)-f != (b)-f
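Review bot: in the getproto() and getfamily() hunks the `local` parameter is still annotated `__unused`, although both functions now pass it to getnum(), which consults it for the `=` case; drop the annotation. Since the `*`/`=` handling moved into getnum(), the port, proto, family and user fields now accept `=` (stored as -2) in a non-local config where they previously rejected it, so confirm conf_merge() treats -2 as "inherit" for every one of those fields, not only nfail.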
CVS commit: src/external/bsd/blacklist/etc
Module Name:src Committed By: christos Date: Sat May 30 22:40:17 UTC 2015 Modified Files: src/external/bsd/blacklist/etc: blacklistd.conf Log Message: fix example. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/external/bsd/blacklist/etc/blacklistd.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/etc/blacklistd.conf diff -u src/external/bsd/blacklist/etc/blacklistd.conf:1.3 src/external/bsd/blacklist/etc/blacklistd.conf:1.4 --- src/external/bsd/blacklist/etc/blacklistd.conf:1.3 Tue Jan 27 14:40:37 2015 +++ src/external/bsd/blacklist/etc/blacklistd.conf Sat May 30 18:40:17 2015 @@ -13,6 +13,8 @@ domain dgram udp6 named * 3 12h * * * * * 3 60 # adr/mask:port type proto owner name nfail disable +[remote] bge0 stream tcp * =/24 = = 129.168.0.0/16 * * * = * * -default stream tcp * = = = +6161 = = = =/24 = = +* stream tcp * = = =
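Review bot: in the `[remote]` example, the context line `129.168.0.0/16 * * * = * *` looks like a typo for the RFC 1918 block 192.168.0.0/16; as written it names a publicly routable range, so a user who copies the example would apply the whitelist-style entry to someone else's network instead of their own LAN.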
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: christos Date: Thu May 28 01:01:37 UTC 2015 Modified Files: src/external/bsd/blacklist/lib: bl.c Log Message: put back setting uid and gid to -1 if they are not available. To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/external/bsd/blacklist/lib/bl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/bl.c diff -u src/external/bsd/blacklist/lib/bl.c:1.25 src/external/bsd/blacklist/lib/bl.c:1.26 --- src/external/bsd/blacklist/lib/bl.c:1.25 Wed May 27 18:37:13 2015 +++ src/external/bsd/blacklist/lib/bl.c Wed May 27 21:01:37 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.25 2015/05/27 22:37:13 christos Exp $ */ +/* $NetBSD: bl.c,v 1.26 2015/05/28 01:01:37 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: bl.c,v 1.25 2015/05/27 22:37:13 christos Exp $); +__RCSID($NetBSD: bl.c,v 1.26 2015/05/28 01:01:37 christos Exp $); #include sys/param.h #include sys/types.h @@ -483,6 +483,10 @@ bl_recv(bl_t b) bi-bi_type = ub.bl.bl_type; bi-bi_slen = ub.bl.bl_salen; bi-bi_ss = ub.bl.bl_ss; +#ifndef CRED_MESSAGE + bi-bi_uid = -1; + bi-bi_gid = -1; +#endif strlcpy(bi-bi_msg, ub.bl.bl_data, MIN(sizeof(bi-bi_msg), ((size_t)rlen - sizeof(ub.bl) + 1))); return bi;
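Review bot: the `#ifndef CRED_MESSAGE` hunk restores `bi_uid = -1` / `bi_gid = -1` after bl_recv() was changed to memset() the info struct to zero; without it a build with no credential passing reports uid 0 and gid 0, i.e. root, for every message. Add a comment at the assignment saying why -1 has to be explicit (the memset earlier in the function zeroes the fields) so the next cleanup does not remove it again.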
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed May 27 22:37:37 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: state.c Log Message: print the key in human readable form when debugging. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/external/bsd/blacklist/bin/state.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/state.c diff -u src/external/bsd/blacklist/bin/state.c:1.15 src/external/bsd/blacklist/bin/state.c:1.16 --- src/external/bsd/blacklist/bin/state.c:1.15 Tue Jan 27 14:40:37 2015 +++ src/external/bsd/blacklist/bin/state.c Wed May 27 18:37:37 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: state.c,v 1.15 2015/01/27 19:40:37 christos Exp $ */ +/* $NetBSD: state.c,v 1.16 2015/05/27 22:37:37 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: state.c,v 1.15 2015/01/27 19:40:37 christos Exp $); +__RCSID($NetBSD: state.c,v 1.16 2015/05/27 22:37:37 christos Exp $); #include sys/types.h #include sys/socket.h @@ -115,6 +115,9 @@ dumpkey(const struct conf *k) z = sizeof(buf); } (*lfun)(LOG_DEBUG, %s, buf); + (*lfun)(LOG_DEBUG, %s: %s, __func__, + conf_print(buf, sizeof(buf), , , k)); + } int
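Review bot: the dumpkey() hunk leaves a stray blank line before the closing brace and now logs the key twice at LOG_DEBUG, once as the raw buffer and once via conf_print(); if the raw dump is no longer useful, drop the first call rather than emitting both.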
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: christos Date: Wed May 27 22:37:13 UTC 2015 Modified Files: src/external/bsd/blacklist/lib: bl.c Log Message: Make sure that we get the socket messages we expect, otherwise return NULL. To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.25 src/external/bsd/blacklist/lib/bl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/bl.c diff -u src/external/bsd/blacklist/lib/bl.c:1.24 src/external/bsd/blacklist/lib/bl.c:1.25 --- src/external/bsd/blacklist/lib/bl.c:1.24 Mon Feb 2 20:22:08 2015 +++ src/external/bsd/blacklist/lib/bl.c Wed May 27 18:37:13 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.24 2015/02/03 01:22:08 christos Exp $ */ +/* $NetBSD: bl.c,v 1.25 2015/05/27 22:37:13 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: bl.c,v 1.24 2015/02/03 01:22:08 christos Exp $); +__RCSID($NetBSD: bl.c,v 1.25 2015/05/27 22:37:13 christos Exp $); #include sys/param.h #include sys/types.h @@ -199,6 +199,7 @@ bl_init(bl_t b, bool srv) } b-b_connected = 0; +#define GOT_FD 1 #if defined(LOCAL_CREDS) #define CRED_LEVEL 0 #define CRED_NAME LOCAL_CREDS @@ -207,6 +208,7 @@ bl_init(bl_t b, bool srv) #define CRED_MESSAGE SCM_CREDS #define CRED_SIZE SOCKCREDSIZE(NGROUPS_MAX) #define CRED_TYPE struct sockcred +#define GOT_CRED 2 #elif defined(SO_PASSCRED) #define CRED_LEVEL SOL_SOCKET #define CRED_NAME SO_PASSCRED @@ -215,7 +217,9 @@ bl_init(bl_t b, bool srv) #define CRED_MESSAGE SCM_CREDENTIALS #define CRED_SIZE sizeof(struct ucred) #define CRED_TYPE struct ucred +#define GOT_CRED 2 #else +#define GOT_CRED 0 /* * getpeereid() and LOCAL_PEERCRED don't help here * because we are not a stream socket! 
@@ -395,9 +399,13 @@ bl_recv(bl_t b) bl_message_t bl; char buf[512]; } ub; + int got; ssize_t rlen; bl_info_t *bi = b-b_info; + got = 0; + memset(bi, 0, sizeof(*bi)); + iov.iov_base = ub.buf; iov.iov_len = sizeof(ub); @@ -433,12 +441,14 @@ bl_recv(bl_t b) continue; } memcpy(bi-bi_fd, CMSG_DATA(cmsg), sizeof(bi-bi_fd)); + got |= GOT_FD; break; #ifdef CRED_MESSAGE case CRED_MESSAGE: sc = (void *)CMSG_DATA(cmsg); bi-bi_uid = sc-CRED_SC_UID; bi-bi_gid = sc-CRED_SC_GID; + got |= GOT_CRED; break; #endif default: @@ -450,6 +460,16 @@ bl_recv(bl_t b) } + if (got != (GOT_CRED|GOT_FD)) { + bl_log(b-b_fun, LOG_ERR, message missing %s %s, +#if GOT_CRED != 0 + (got GOT_CRED) == 0 ? cred : +#endif + , (got GOT_FD) == 0 ? fd : ); + + return NULL; + } + if ((size_t)rlen = sizeof(ub.bl)) { bl_log(b-b_fun, LOG_ERR, message too short %zd, rlen); return NULL; @@ -463,10 +483,6 @@ bl_recv(bl_t b) bi-bi_type = ub.bl.bl_type; bi-bi_slen = ub.bl.bl_salen; bi-bi_ss = ub.bl.bl_ss; -#ifndef CRED_MESSAGE - bi-bi_uid = -1; - bi-bi_gid = -1; -#endif strlcpy(bi-bi_msg, ub.bl.bl_data, MIN(sizeof(bi-bi_msg), ((size_t)rlen - sizeof(ub.bl) + 1))); return bi;
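Review bot: removing the `#ifndef CRED_MESSAGE` defaults in the last hunk while the first hunk adds `memset(bi, 0, sizeof(*bi))` leaves bi_uid and bi_gid at 0 on platforms without SCM_CREDS/SCM_CREDENTIALS, so a peer whose credentials were never received is reported as uid 0; keep the -1 assignments, or set them right after the memset.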
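Review bot: in the `@@ -450,6 +460,16` hunk, the new `got != (GOT_CRED|GOT_FD)` check returns NULL after the SCM_RIGHTS descriptor may already have been copied into bi->bi_fd (the `got |= GOT_FD` branch), and the existing "message too short" return has the same problem, so the received descriptor is leaked in the daemon on every rejected message; close bi->bi_fd on these error paths whenever GOT_FD is set. The `#if GOT_CRED != 0` inside the bl_log() argument list is legal but hard to read; compute the two strings into locals before the call.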
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed May 27 22:39:01 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: conf.c Log Message: Merge the uid data too, so that we don't end up with multiple entries when we don't care about the uid in the config file. In this case sshd returns either uid=root|sshd depending on how we failed, so we used to get two entries. To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/external/bsd/blacklist/bin/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.18 src/external/bsd/blacklist/bin/conf.c:1.19 --- src/external/bsd/blacklist/bin/conf.c:1.18 Tue Jan 27 19:42:15 2015 +++ src/external/bsd/blacklist/bin/conf.c Wed May 27 18:39:01 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.18 2015/01/28 00:42:15 christos Exp $ */ +/* $NetBSD: conf.c,v 1.19 2015/05/27 22:39:01 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: conf.c,v 1.18 2015/01/28 00:42:15 christos Exp $); +__RCSID($NetBSD: conf.c,v 1.19 2015/05/27 22:39:01 christos Exp $); #include stdio.h #include string.h @@ -882,6 +882,7 @@ conf_apply(struct conf *c, const struct conf_print(buf, sizeof(buf), to:\t, , c)); } memcpy(c-c_name, sc-c_name, CONFNAMESZ); + c-c_uid = sc-c_uid; c-c_rmask = sc-c_rmask; c-c_nfail = sc-c_nfail; c-c_duration = sc-c_duration; @@ -908,6 +909,8 @@ conf_merge(struct conf *c, const struct if (sc-c_name[0]) memcpy(c-c_name, sc-c_name, CONFNAMESZ); + if (sc-c_uid != -2) + c-c_uid = sc-c_uid; if (sc-c_rmask != -2) c-c_lmask = c-c_rmask = sc-c_rmask; if (sc-c_nfail != -2)
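Review bot: in the conf_merge() hunk the `sc->c_uid != -2` test mirrors the rmask and nfail handling, while the conf_apply() hunk copies c_uid unconditionally; that is consistent with how the other fields are applied, but a comment in conf.h stating that -2 means "inherit from the matched entry" for every int field would make the sentinel easier to keep consistent as fields are added.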
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: riz Date: Thu Apr 30 06:20:43 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.8 blacklistd.8 blacklistd.conf.5 Log Message: blacklistd and friends will actually be in NetBSD 7. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/bin/blacklistctl.8 cvs rdiff -u -r1.10 -r1.11 src/external/bsd/blacklist/bin/blacklistd.8 cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/bin/blacklistd.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.8 diff -u src/external/bsd/blacklist/bin/blacklistctl.8:1.6 src/external/bsd/blacklist/bin/blacklistctl.8:1.7 --- src/external/bsd/blacklist/bin/blacklistctl.8:1.6 Wed Jan 28 16:47:00 2015 +++ src/external/bsd/blacklist/bin/blacklistctl.8 Thu Apr 30 06:20:43 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistctl.8,v 1.6 2015/01/28 16:47:00 christos Exp $ +.\ $NetBSD: blacklistctl.8,v 1.7 2015/04/30 06:20:43 riz Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -27,7 +27,7 @@ .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\ POSSIBILITY OF SUCH DAMAGE. .\ -.Dd January 28, 2015 +.Dd April 29, 2015 .Dt BLACKLISTCTL 8 .Os .Sh NAME @@ -76,6 +76,6 @@ it to make sure that there is only one r .Sh HISTORY .Nm appeared in -.Nx 8 . +.Nx 7 . .Sh AUTHORS .An Christos Zoulas Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.10 src/external/bsd/blacklist/bin/blacklistd.8:1.11 --- src/external/bsd/blacklist/bin/blacklistd.8:1.10 Wed Jan 28 22:30:42 2015 +++ src/external/bsd/blacklist/bin/blacklistd.8 Thu Apr 30 06:20:43 2015 
@@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistd.8,v 1.10 2015/01/28 22:30:42 christos Exp $ +.\ $NetBSD: blacklistd.8,v 1.11 2015/04/30 06:20:43 riz Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -27,7 +27,7 @@ .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\ POSSIBILITY OF SUCH DAMAGE. .\ -.Dd January 25, 2015 +.Dd April 29, 2015 .Dt BLACKLISTD 8 .Os .Sh NAME @@ -159,6 +159,6 @@ Socket to receive connection notificatio .Sh HISTORY .Nm appeared in -.Nx 8 . +.Nx 7 . .Sh AUTHORS .An Christos Zoulas Index: src/external/bsd/blacklist/bin/blacklistd.conf.5 diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.2 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.3 --- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.2 Wed Jan 28 07:32:28 2015 +++ src/external/bsd/blacklist/bin/blacklistd.conf.5 Thu Apr 30 06:20:43 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistd.conf.5,v 1.2 2015/01/28 07:32:28 wiz Exp $ +.\ $NetBSD: blacklistd.conf.5,v 1.3 2015/04/30 06:20:43 riz Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -27,7 +27,7 @@ .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\ POSSIBILITY OF SUCH DAMAGE. .\ -.Dd January 25, 2015 +.Dd April 29, 2015 .Dt BLACKLISTD.CONF 5 .Os .Sh NAME @@ -217,6 +217,6 @@ bnx0:ssh * * * * 3 6h .Sh HISTORY .Nm appeared in -.Nx 8 . +.Nx 7 . .Sh AUTHORS .An Christos Zoulas
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Sat Feb 14 15:42:17 UTC 2015 Modified Files: src/external/bsd/blacklist/diff: ssh.diff Log Message: Add the bad user diff. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/diff/ssh.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/diff/ssh.diff diff -u src/external/bsd/blacklist/diff/ssh.diff:1.4 src/external/bsd/blacklist/diff/ssh.diff:1.5 --- src/external/bsd/blacklist/diff/ssh.diff:1.4 Fri Jan 23 18:28:45 2015 +++ src/external/bsd/blacklist/diff/ssh.diff Sat Feb 14 10:42:17 2015 @@ -112,3 +112,49 @@ diff -u -u -r1.15 sshd.c /* * Stay listening for connections until the system crashes or * the daemon is killed with a signal. +Index: auth1.c +=== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v +retrieving revision 1.9 +diff -u -u -r1.9 auth1.c +--- auth1.c 19 Oct 2014 16:30:58 - 1.9 auth1.c 14 Feb 2015 15:40:51 - +@@ -41,6 +41,7 @@ + #endif + #include monitor_wrap.h + #include buffer.h ++#include pfilter.h + + /* import */ + extern ServerOptions options; +@@ -445,6 +446,7 @@ + else { + debug(do_authentication: invalid user %s, user); + authctxt-pw = fakepw(); ++ pfilter_notify(1); + } + + /* Configuration may have changed as a result of Match */ +Index: auth2.c +=== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v +retrieving revision 1.9 +diff -u -u -r1.9 auth2.c +--- auth2.c 19 Oct 2014 16:30:58 - 1.9 auth2.c 14 Feb 2015 15:40:51 - +@@ -52,6 +52,7 @@ + #include pathnames.h + #include buffer.h + #include canohost.h ++#include pfilter.h + + #ifdef GSSAPI + #include ssh-gss.h +@@ -256,6 +257,7 @@ + } else { + logit(input_userauth_request: invalid user %s, user); + authctxt-pw = fakepw(); ++ pfilter_notify(1); + } + #ifdef USE_PAM + if (options.use_pam)
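Review bot: the nested auth1.c and auth2.c hunks call pfilter_notify(1) in the fakepw() branch, before any password is checked, so a nonexistent username counts as a failed attempt just like a wrong password; that is the intent of the commit, but it means the nfail threshold in blacklistd.conf also governs username-guessing traffic, which is worth a sentence in the ssh example of blacklistd.conf.5.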
CVS commit: src/external/bsd/blacklist/diff
Module Name:src Committed By: christos Date: Sat Feb 14 19:05:59 UTC 2015 Modified Files: src/external/bsd/blacklist/diff: ssh.diff Log Message: one more pfilter_init() To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/diff/ssh.diff Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/diff/ssh.diff diff -u src/external/bsd/blacklist/diff/ssh.diff:1.5 src/external/bsd/blacklist/diff/ssh.diff:1.6 --- src/external/bsd/blacklist/diff/ssh.diff:1.5 Sat Feb 14 10:42:17 2015 +++ src/external/bsd/blacklist/diff/ssh.diff Sat Feb 14 14:05:59 2015 @@ -158,3 +158,20 @@ diff -u -u -r1.9 auth2.c } #ifdef USE_PAM if (options.use_pam) +Index: sshd.c +=== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v +retrieving revision 1.16 +diff -u -r1.16 sshd.c +--- sshd.c 25 Jan 2015 15:52:44 - 1.16 sshd.c 14 Feb 2015 09:55:06 - +@@ -628,6 +628,8 @@ + explicit_bzero(pw-pw_passwd, strlen(pw-pw_passwd)); + endpwent(); + ++ pfilter_init(); ++ + /* Change our root directory */ + if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) + fatal(chroot(\%s\): %s, _PATH_PRIVSEP_CHROOT_DIR, +
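Review bot: in the sshd.c hunk, pfilter_init() is inserted immediately before `chroot(_PATH_PRIVSEP_CHROOT_DIR)`; the ordering matters because the blacklistd socket presumably lives outside the privsep chroot, so add a comment stating that the socket must be opened before the chroot, otherwise a later reorder would quietly disable notifications from the unprivileged child.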
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Mon Feb 2 22:01:55 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.c Log Message: CID/1267866: Missing break in switch To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/external/bsd/blacklist/bin/blacklistctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.c diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.16 src/external/bsd/blacklist/bin/blacklistctl.c:1.17 --- src/external/bsd/blacklist/bin/blacklistctl.c:1.16 Tue Jan 27 14:40:36 2015 +++ src/external/bsd/blacklist/bin/blacklistctl.c Mon Feb 2 17:01:55 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistctl.c,v 1.16 2015/01/27 19:40:36 christos Exp $ */ +/* $NetBSD: blacklistctl.c,v 1.17 2015/02/02 22:01:55 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: blacklistctl.c,v 1.16 2015/01/27 19:40:36 christos Exp $); +__RCSID($NetBSD: blacklistctl.c,v 1.17 2015/02/02 22:01:55 christos Exp $); #include stdio.h #include time.h @@ -99,6 +99,7 @@ main(int argc, char *argv[]) break; case 'n': noheader = 1; + break; case 'r': remain = 1; break;
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: christos Date: Mon Feb 2 22:03:45 UTC 2015 Modified Files: src/external/bsd/blacklist/lib: bl.c Log Message: CID/126787{0,1}: Uninitialized msg_flags To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/external/bsd/blacklist/lib/bl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/bl.c diff -u src/external/bsd/blacklist/lib/bl.c:1.22 src/external/bsd/blacklist/lib/bl.c:1.23 --- src/external/bsd/blacklist/lib/bl.c:1.22 Thu Jan 22 15:11:33 2015 +++ src/external/bsd/blacklist/lib/bl.c Mon Feb 2 17:03:45 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.22 2015/01/22 20:11:33 christos Exp $ */ +/* $NetBSD: bl.c,v 1.23 2015/02/02 22:03:45 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: bl.c,v 1.22 2015/01/22 20:11:33 christos Exp $); +__RCSID($NetBSD: bl.c,v 1.23 2015/02/02 22:03:45 christos Exp $); #include sys/param.h #include sys/types.h @@ -355,6 +355,7 @@ bl_send(bl_t b, bl_type_t e, int pfd, co msg.msg_namelen = 0; msg.msg_iov = iov; msg.msg_iovlen = 1; + msg.msg_flags = 0; msg.msg_control = ua.ctrl; msg.msg_controllen = sizeof(ua.ctrl); @@ -404,6 +405,7 @@ bl_recv(bl_t b) msg.msg_namelen = 0; msg.msg_iov = iov; msg.msg_iovlen = 1; + msg.msc_flags = 0; msg.msg_control = ua.ctrl; msg.msg_controllen = sizeof(ua.ctrl) + 100;
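Review bot: the bl_recv() hunk writes `msg.msc_flags = 0;`, but `struct msghdr` has no member named `msc_flags` (the field is `msg_flags`, as the bl_send() hunk spells it), so this revision does not compile.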
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: christos Date: Tue Feb 3 01:22:08 UTC 2015 Modified Files: src/external/bsd/blacklist/lib: bl.c Log Message: fix typo. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/external/bsd/blacklist/lib/bl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/bl.c diff -u src/external/bsd/blacklist/lib/bl.c:1.23 src/external/bsd/blacklist/lib/bl.c:1.24 --- src/external/bsd/blacklist/lib/bl.c:1.23 Mon Feb 2 17:03:45 2015 +++ src/external/bsd/blacklist/lib/bl.c Mon Feb 2 20:22:08 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.23 2015/02/02 22:03:45 christos Exp $ */ +/* $NetBSD: bl.c,v 1.24 2015/02/03 01:22:08 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: bl.c,v 1.23 2015/02/02 22:03:45 christos Exp $); +__RCSID($NetBSD: bl.c,v 1.24 2015/02/03 01:22:08 christos Exp $); #include sys/param.h #include sys/types.h @@ -405,7 +405,7 @@ bl_recv(bl_t b) msg.msg_namelen = 0; msg.msg_iov = iov; msg.msg_iovlen = 1; - msg.msc_flags = 0; + msg.msg_flags = 0; msg.msg_control = ua.ctrl; msg.msg_controllen = sizeof(ua.ctrl) + 100;
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Thu Jan 29 01:05:25 UTC 2015 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: fix comment To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.3 src/external/bsd/blacklist/libexec/blacklistd-helper:1.4 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.3 Tue Jan 27 14:49:37 2015 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Wed Jan 28 20:05:25 2015 @@ -6,7 +6,7 @@ # $3 protocol # $4 address # $5 mask -# $6 proto +# $6 port # $7 id case $1 in
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed Jan 28 22:30:42 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 blacklistd.c Log Message: add an option to restore rules, and run the flush command only once per rule name. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/external/bsd/blacklist/bin/blacklistd.8 cvs rdiff -u -r1.31 -r1.32 src/external/bsd/blacklist/bin/blacklistd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.9 src/external/bsd/blacklist/bin/blacklistd.8:1.10 --- src/external/bsd/blacklist/bin/blacklistd.8:1.9 Tue Jan 27 14:40:36 2015 +++ src/external/bsd/blacklist/bin/blacklistd.8 Wed Jan 28 17:30:42 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistd.8,v 1.9 2015/01/27 19:40:36 christos Exp $ +.\ $NetBSD: blacklistd.8,v 1.10 2015/01/28 22:30:42 christos Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -35,12 +35,12 @@ .Nd block and release ports on demand to avoid DoS abuse .Sh SYNOPSIS .Nm -.Op Fl dvf +.Op Fl dfrv .Op Fl C Ar controlprog .Op Fl c Ar configfile .Op Fl D Ar dbfile .Op Fl P Ar sockpathsfile -.Op Fl r Ar rulename +.Op Fl R Ar rulename .Op Fl s Ar sockpath .Op Fl t Ar timeout .Sh DESCRIPTION 
@@ -111,6 +111,11 @@ are deleted by invoking the control scri .Bd -literal -offset indent control flush rulename .Ed +If the +.Fl r +flag is specified, the firewall rules are re-read from the internal database +and are removed and re-added. +This helps for packet filters that don't retain state across reboots. .Pp .Nm checks the list of active entries every Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.31 src/external/bsd/blacklist/bin/blacklistd.c:1.32 --- src/external/bsd/blacklist/bin/blacklistd.c:1.31 Wed Jan 28 00:08:55 2015 +++ src/external/bsd/blacklist/bin/blacklistd.c Wed Jan 28 17:30:42 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.31 2015/01/28 05:08:55 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.32 2015/01/28 22:30:42 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include config.h #endif #include sys/cdefs.h -__RCSID($NetBSD: blacklistd.c,v 1.31 2015/01/28 05:08:55 christos Exp $); +__RCSID($NetBSD: blacklistd.c,v 1.32 2015/01/28 22:30:42 christos Exp $); #include sys/types.h #include sys/socket.h @@ -104,7 +104,7 @@ usage(int c) { if (c) warnx(Unknown option `%c', (char)c); - fprintf(stderr, Usage: %s [-vdf] [-c config] [-r rulename] + fprintf(stderr, Usage: %s [-vdfr] [-c config] [-R rulename] [-P sockpathsfile] [-C controlprog] [-D dbfile] [-s sockpath] [-t timeout]\n, getprogname()); exit(EXIT_FAILURE); @@ -273,11 +273,11 @@ static void update(void) { struct timespec ts; - struct sockaddr_storage ss; struct conf c; struct dbinfo dbi; unsigned int f, n; char buf[128]; + void *ss = c.c_ss; if (clock_gettime(CLOCK_REALTIME, ts) == -1) { (*lfun)(LOG_ERR, clock_gettime failed (%m)); 
@@ -290,21 +290,18 @@ update(void) time_t when = c.c_duration + dbi.last; if (debug 1) { char b1[64], b2[64]; - sockaddr_snprintf(buf, sizeof(buf), %a:%p, - (void *)ss); - (*lfun)(LOG_DEBUG, - %s:[%u] %s count=%d duration=%d last=%s - now=%s, __func__, n, buf, dbi.count, - c.c_duration, fmttime(b1, sizeof(b1), dbi.last), - fmttime(b2, sizeof(b2), ts.tv_sec)); + sockaddr_snprintf(buf, sizeof(buf), %a:%p, ss); + (*lfun)(LOG_DEBUG, %s:[%u] %s count=%d duration=%d + last=%s now=%s, __func__, n, buf, dbi.count, + c.c_duration, fmttime(b1, sizeof(b1), dbi.last), + fmttime(b2, sizeof(b2), ts.tv_sec)); } if (c.c_duration == -1 || when = ts.tv_sec) continue; if (dbi.id[0]) { run_change(rem, c, dbi.id, 0); - sockaddr_snprintf(buf, sizeof(buf), %a, (void *)ss); - syslog(LOG_INFO, - released %s/%d:%d after %d seconds, + sockaddr_snprintf(buf, sizeof(buf), %a, ss); + syslog(LOG_INFO, released %s/%d:%d after %d seconds, buf, c.c_lmask, c.c_port, c.c_duration); } state_del(state, c); @@ -334,20 +331,75 @@ addfd(struct pollfd **pfdp, bl_t **blp, *nfd += 1; } +static void +uniqueadd(struct conf ***listp, size_t *nlist, size_t *mlist, struct conf *c) +{ + struct conf **list = *listp; + + if (c-c_name[0] == '\0') + return; + for (size_t i = 0; i *nlist; i++) { + if (strcmp(list[i]-c_name, c-c_name) == 0) + return; + } + if (*nlist == *mlist) { + *mlist += 10; + void *p = realloc(*listp, *mlist * sizeof(*list)); + if (p == NULL) + err(EXIT_FAILURE, Can't allocate for rule list); + list = *listp = p; + } + list[(*nlist)++] = c; +} + +static void +rules_flush(void) +{ + struct conf **list; + size_t nlist, mlist; + + list = NULL; +
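Review bot: in the blacklistd.8 hunk, the new paragraph starting `If the` / `.Fl r` follows `.Ed` directly with no `.Pp`, so it runs straight into the literal block in the rendered page; insert `.Pp` before `If the`.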
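Review bot: in the uniqueadd() hunk, entries with an empty c_name are silently skipped, so a rule with no name is never flushed by rules_flush(); if that is intended, say so in a comment. The linear strcmp() scan makes the flush quadratic in the number of active entries, which is acceptable for a short rule-name list but also deserves a comment so nobody reuses the helper for the full state table.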
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed Jan 28 16:47:00 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.8 Log Message: explain why nfail maxfail in the report. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/bin/blacklistctl.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.8 diff -u src/external/bsd/blacklist/bin/blacklistctl.8:1.5 src/external/bsd/blacklist/bin/blacklistctl.8:1.6 --- src/external/bsd/blacklist/bin/blacklistctl.8:1.5 Sun Jan 25 23:12:46 2015 +++ src/external/bsd/blacklist/bin/blacklistctl.8 Wed Jan 28 11:47:00 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistctl.8,v 1.5 2015/01/26 04:12:46 christos Exp $ +.\ $NetBSD: blacklistctl.8,v 1.6 2015/01/28 16:47:00 christos Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -27,7 +27,7 @@ .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\ POSSIBILITY OF SUCH DAMAGE. .\ -.Dd January 25, 2015 +.Dd January 28, 2015 .Dt BLACKLISTCTL 8 .Os .Sh NAME @@ -61,6 +61,18 @@ flag, makes the display wide enough for .El .Sh SEE ALSO .Xr blacklistd 8 +.Sh NOTES +Sometimes the reported number of failed attempts can exceed the number +of attempts that +.Xr blacklistd 8 +is configured to block. +This can happen either because the rule has been removed manually, or +because there were more attempts in flight while the rule block was being +added. +This condition is normal; in that case +.Xr blacklistd 8 +will first attempt to remove the existing rule, and then it will re-add +it to make sure that there is only one rule active. .Sh HISTORY .Nm appeared in
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Tue Jan 27 20:16:11 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: conf.c Log Message: apply the mask to the resulting address correctly. To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/external/bsd/blacklist/bin/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.16 src/external/bsd/blacklist/bin/conf.c:1.17 --- src/external/bsd/blacklist/bin/conf.c:1.16 Tue Jan 27 14:40:36 2015 +++ src/external/bsd/blacklist/bin/conf.c Tue Jan 27 15:16:11 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.16 2015/01/27 19:40:36 christos Exp $ */ +/* $NetBSD: conf.c,v 1.17 2015/01/27 20:16:11 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: conf.c,v 1.16 2015/01/27 19:40:36 christos Exp $); +__RCSID($NetBSD: conf.c,v 1.17 2015/01/27 20:16:11 christos Exp $); #include stdio.h #include string.h @@ -521,10 +521,10 @@ conf_amask_eq(const void *v1, const void for (size_t i = 0; i len; i++) { if (mask 32) { - m = (uint32_t)~0; + m = htonl((uint32_t)~0); mask -= 32; } else if (mask) { - m = MASK(mask); + m = htonl(MASK(mask)); mask = 0; } else return 1; @@ -557,12 +557,13 @@ conf_apply_mask(void *v, size_t len, int for (size_t i = 0; i len; i++) { if (mask 32) { - m = (uint32_t)~0; + m = htonl((uint32_t)~0); mask -= 32; } else if (mask) { - m = MASK(mask); + m = htonl(MASK(mask)); mask = 0; - } + } else + m = 0; a[i] = m; } } @@ -1099,6 +1100,8 @@ conf_find(int fd, uid_t uid, const struc conf_addr_set(cr, rss); /* match the remote config */ confset_match(rconf, cr, conf_merge); + /* to apply the mask */ + conf_addr_set(cr, cr-c_ss); return cr; }
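Review bot: in the conf_amask_eq() hunk, wrapping the all-ones word in htonl() is a no-op (0xffffffff is the same in either byte order), so only the MASK(mask) conversion changes behaviour; that is the right fix, since the address words being compared are in network byte order while MASK() builds a host-order prefix mask, but a one-line comment saying the words are network order would stop the next reader from removing the apparently redundant htonl().

Review bot: the `else m = 0;` added to conf_apply_mask() fixes a real bug beyond the byte-order change: once `mask` reached 0, `m` kept the value from the previous iteration (the partial MASK(mask) word), so the remaining words of a 128-bit address were ANDed with a stale mask instead of being cleared, and host bits past the prefix survived into the stored key. A test with a /64 IPv6 address would have caught it; the same pattern in conf_amask_eq() returns 1 in that branch instead, which is correct there.

Review bot: in conf_find() the new conf_addr_set(cr, &cr->c_ss) call re-applies the mask after confset_match() may have merged a c_lmask from the matched configuration into cr; the comment "to apply the mask" should say so, because calling a setter with the struct's own address as the source reads like a mistake otherwise. A small helper that only masks the stored address would make the intent explicit and avoid re-running the port and address-family handling in conf_addr_set().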
CVS commit: src/external/bsd/blacklist
Module Name: src
Committed By: christos
Date: Tue Jan 27 19:40:37 UTC 2015

Modified Files:
src/external/bsd/blacklist/bin: Makefile blacklistctl.c blacklistd.8 blacklistd.c conf.c conf.h internal.c internal.h run.c run.h state.c state.h support.c
src/external/bsd/blacklist/etc: blacklistd.conf
src/external/bsd/blacklist/libexec: blacklistd-helper

Added Files:
src/external/bsd/blacklist/bin: blacklistd.conf.5

Log Message:
- separate man page for blacklistd and blacklistd.conf, requested by wiz@
- allow separate configurations for local and remote addresses, implementing effectively whitelists, requested by dh@
- allow the mask of the filter to be specified, requested by dh@
- the db file format has been changed to accommodate these changes, and needs to be removed.

To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/external/bsd/blacklist/bin/Makefile
cvs rdiff -u -r1.15 -r1.16 src/external/bsd/blacklist/bin/blacklistctl.c \
    src/external/bsd/blacklist/bin/conf.c
cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/bin/blacklistd.8
cvs rdiff -u -r1.29 -r1.30 src/external/bsd/blacklist/bin/blacklistd.c
cvs rdiff -u -r0 -r1.1 src/external/bsd/blacklist/bin/blacklistd.conf.5
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/bin/conf.h \
    src/external/bsd/blacklist/bin/support.c
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/blacklist/bin/internal.c \
    src/external/bsd/blacklist/bin/run.h \
    src/external/bsd/blacklist/bin/state.h
cvs rdiff -u -r1.11 -r1.12 src/external/bsd/blacklist/bin/internal.h \
    src/external/bsd/blacklist/bin/run.c
cvs rdiff -u -r1.14 -r1.15 src/external/bsd/blacklist/bin/state.c
cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/etc/blacklistd.conf
cvs rdiff -u -r1.1 -r1.2 src/external/bsd/blacklist/libexec/blacklistd-helper

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/blacklist/bin/Makefile diff -u src/external/bsd/blacklist/bin/Makefile:1.10 src/external/bsd/blacklist/bin/Makefile:1.11 --- src/external/bsd/blacklist/bin/Makefile:1.10 Thu Jan 22 12:49:41 2015 +++ src/external/bsd/blacklist/bin/Makefile Tue Jan 27 14:40:36 2015 @@ -1,11 +1,10 @@ -# $NetBSD: Makefile,v 1.10 2015/01/22 17:49:41 christos Exp $ +# $NetBSD: Makefile,v 1.11 2015/01/27 19:40:36 christos Exp $ BINDIR=/sbin PROGS=blacklistd blacklistctl -MAN.blacklistd=blacklistd.8 +MAN.blacklistd=blacklistd.8 blacklistd.conf.5 MAN.blacklistctl=blacklistctl.8 -MLINKS=blacklistd.8 blacklistd.conf.5 SRCS.blacklistd = blacklistd.c conf.c run.c state.c support.c internal.c SRCS.blacklistctl = blacklistctl.c conf.c state.c support.c internal.c DBG=-g Index: src/external/bsd/blacklist/bin/blacklistctl.c diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.15 src/external/bsd/blacklist/bin/blacklistctl.c:1.16 --- src/external/bsd/blacklist/bin/blacklistctl.c:1.15 Sun Jan 25 21:31:52 2015 +++ src/external/bsd/blacklist/bin/blacklistctl.c Tue Jan 27 14:40:36 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistctl.c,v 1.15 2015/01/26 02:31:52 christos Exp $ */ +/* $NetBSD: blacklistctl.c,v 1.16 2015/01/27 19:40:36 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: blacklistctl.c,v 1.15 2015/01/26 02:31:52 christos Exp $); +__RCSID($NetBSD: blacklistctl.c,v 1.16 2015/01/27 19:40:36 christos Exp $); #include stdio.h #include time.h @@ -70,7 +70,6 @@ main(int argc, char *argv[]) const char *dbname = _PATH_BLSTATE; DB *db; struct conf c; - struct sockaddr_storage ss; struct dbinfo dbi; unsigned int i; struct timespec ts; 
@@ -118,9 +117,9 @@ main(int argc, char *argv[]) clock_gettime(CLOCK_REALTIME, ts); wide = wide ? 8 * 4 + 7 : 4 * 3 + 3; if (!noheader) - printf(%*.*s:port\tid\tnfail\t%s\n, wide, wide, + printf(%*.*s/ma:port\tid\tnfail\t%s\n, wide, wide, address, remain ? remaining time : last access); - for (i = 1; state_iterate(db, ss, c, dbi, i) != 0; i = 0) { + for (i = 1; state_iterate(db, c, dbi, i) != 0; i = 0) { char buf[BUFSIZ]; if (!all) { if (blocked) { @@ -131,8 +130,8 @@ main(int argc, char *argv[]) continue; } } - sockaddr_snprintf(buf, sizeof(buf), %a, (void *)ss); - printf(%*.*s:%d\t, wide, wide, buf, c.c_port); + sockaddr_snprintf(buf, sizeof(buf), %a, (void *)c.c_ss); + printf(%*.*s/%d:%d\t, wide, wide, buf, c.c_lmask, c.c_port); if (remain) fmtydhms(buf, sizeof(buf), c.c_duration - (ts.tv_sec - dbi.last)); Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.15 src/external/bsd/blacklist/bin/conf.c:1.16 --- src/external/bsd/blacklist/bin/conf.c:1.15 Sun Jan 25 16:06:04 2015 +++ src/external/bsd/blacklist/bin/conf.c Tue Jan 27 14:40:36 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.15 2015/01/25 21:06:04
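Review bot: in the blacklistctl.c hunks the header now prints "%*.*s/ma:port" while the rows print "%*.*s/%d:%d", so the label "/ma" has to line up over a mask of one to three digits; spelling it "/mask" would be clearer but breaks alignment for two-digit masks, so either widen the address column to make room or add a comment explaining the abbreviation. Dropping the local `ss` in favour of c.c_ss is consistent with the new state_iterate() signature.

Review bot: the log message says the state db format changed and the old file needs to be removed; the blacklistctl.c hunk reads each record straight into struct conf and struct dbinfo with no format version, so a stale state file is parsed as garbage rather than rejected. A version or magic field in the record, or a header checked when the db is opened, would let blacklistd refuse or migrate an old state file instead of relying on the operator to delete it.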
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed Jan 28 00:42:15 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: conf.c Log Message: one would think that I'd learn to cast htons() by now... To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/external/bsd/blacklist/bin/conf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/conf.c diff -u src/external/bsd/blacklist/bin/conf.c:1.17 src/external/bsd/blacklist/bin/conf.c:1.18 --- src/external/bsd/blacklist/bin/conf.c:1.17 Tue Jan 27 15:16:11 2015 +++ src/external/bsd/blacklist/bin/conf.c Tue Jan 27 19:42:15 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.17 2015/01/27 20:16:11 christos Exp $ */ +/* $NetBSD: conf.c,v 1.18 2015/01/28 00:42:15 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -33,7 +33,7 @@ #endif #include sys/cdefs.h -__RCSID($NetBSD: conf.c,v 1.17 2015/01/27 20:16:11 christos Exp $); +__RCSID($NetBSD: conf.c,v 1.18 2015/01/28 00:42:15 christos Exp $); #include stdio.h #include string.h @@ -608,7 +608,7 @@ conf_addr_set(struct conf *c, const stru abort(); } - *port = htons(c-c_port); + *port = htons((in_port_t)c-c_port); conf_apply_mask(addr, alen, c-c_lmask); if (c-c_lmask == -1) c-c_lmask = (int)(alen * 8);
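Review bot: the cast to in_port_t in conf_addr_set() silences the conversion warning but also truncates silently: c_port is wide enough to hold -1 (the same function uses -1 as the wildcard for c_lmask two lines below), and htons((in_port_t)-1) yields 0xffff, so if a wildcard port can reach this path the stored key gets port 65535 rather than a wildcard. Check that c_port is in 0..65535 before the cast, or handle the -1 case explicitly as the mask code does.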
CVS commit: src/external/bsd/blacklist/libexec
Module Name:src Committed By: christos Date: Tue Jan 27 19:49:38 UTC 2015 Modified Files: src/external/bsd/blacklist/libexec: blacklistd-helper Log Message: we are passing the port now To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/libexec/blacklistd-helper Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/libexec/blacklistd-helper diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.2 src/external/bsd/blacklist/libexec/blacklistd-helper:1.3 --- src/external/bsd/blacklist/libexec/blacklistd-helper:1.2 Tue Jan 27 14:40:37 2015 +++ src/external/bsd/blacklist/libexec/blacklistd-helper Tue Jan 27 14:49:37 2015 @@ -1,6 +1,6 @@ #!/bin/sh -echo run $@ 12 -set -x +#echo run $@ 12 +#set -x # $1 command # $2 rulename # $3 protocol @@ -11,19 +11,6 @@ set -x case $1 in add) - # GRR! -# case $4 in -# *:*) -# case $5 in -# 128) addr=$4;; -# *) addr=$4/$5;; -# esac;; -# *) -# case $5 in -# 32) addr=$4;; -# *) addr=$4/$5;; -# esac;; -# esac exec /sbin/npfctl rule $2 add block in final proto $3 from $4/$5 to any port $6 ;; rem)
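Review bot: the add case passes `$2`, `$3`, `$4/$5` and `$6` to npfctl unquoted; they come from blacklistd rather than from a user, but quoting them ("$4/$5", "$6") costs nothing and keeps an empty or unexpected argument from shifting the npfctl word list. Commenting out the `echo run $@` and `set -x` lines rather than deleting them leaves dead debug code in a shipped helper; if tracing is wanted, gate `set -x` behind an environment variable instead, and quote it as "$@" when it comes back. Removing the dead GRR block is the right call, since the `$4/$5` form is now always used.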
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: wiz Date: Wed Jan 28 07:32:28 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistd.conf.5 Log Message: Sort SEE ALSO. Nit fixes. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/external/bsd/blacklist/bin/blacklistd.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.conf.5 diff -u src/external/bsd/blacklist/bin/blacklistd.conf.5:1.1 src/external/bsd/blacklist/bin/blacklistd.conf.5:1.2 --- src/external/bsd/blacklist/bin/blacklistd.conf.5:1.1 Tue Jan 27 19:40:36 2015 +++ src/external/bsd/blacklist/bin/blacklistd.conf.5 Wed Jan 28 07:32:28 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistd.conf.5,v 1.1 2015/01/27 19:40:36 christos Exp $ +.\ $NetBSD: blacklistd.conf.5,v 1.2 2015/01/28 07:32:28 wiz Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -87,7 +87,7 @@ are used to match the .Va local or .Va remote -addresses whereas, the last 3 fields +addresses, whereas the last 3 fields .Va name , .Va nfail , and @@ -100,7 +100,7 @@ as an address, mask, and port. The syntax for the .Va location is: -.Bd -literal -offset indent: +.Bd -literal -offset indent [address|interface][/mask][:port] .Ed .Pp @@ -130,8 +130,8 @@ The third field is the .Dv tcp6 , .Dv udp6 , or numeric. -The fourth file is the effective user ( -.Va owner ) +The fourth file is the effective user +.Va ( owner ) of the daemon process reporting the event, either as a username or a userid. .Pp @@ -140,7 +140,7 @@ The rest of the fields are controlling t The .Va name field, is the name of the packet filter rule to be used. -If the +If the .Va name starts with a .Dq - , @@ -212,8 +212,8 @@ bnx0:ssh * * * * 3 6h 8.8.0.0/16:ssh * * * /24 = = .Ed .Sh SEE ALSO -.Xr blacklistd 8 , -.Xr blacklistctl 8 +.Xr blacklistctl 8 , +.Xr blacklistd 8 .Sh HISTORY .Nm appeared in
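Review bot: the hunk at line 130 reflows the `.Va ( owner )` punctuation but keeps "The fourth file is the effective user"; the three preceding entries all say "field", so this should read "The fourth field is the effective user" while the line is being touched. The other changes (moving the comma after "addresses", dropping the stray colon after `-offset indent`, trailing whitespace, sorting SEE ALSO) are correct.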
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Wed Jan 28 05:08:55 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistd.c Log Message: Don't add a rule twice, but attempt to replace it. To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.31 src/external/bsd/blacklist/bin/blacklistd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.c diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.30 src/external/bsd/blacklist/bin/blacklistd.c:1.31 --- src/external/bsd/blacklist/bin/blacklistd.c:1.30 Tue Jan 27 14:40:36 2015 +++ src/external/bsd/blacklist/bin/blacklistd.c Wed Jan 28 00:08:55 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.30 2015/01/27 19:40:36 christos Exp $ */ +/* $NetBSD: blacklistd.c,v 1.31 2015/01/28 05:08:55 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include config.h #endif #include sys/cdefs.h -__RCSID($NetBSD: blacklistd.c,v 1.30 2015/01/27 19:40:36 christos Exp $); +__RCSID($NetBSD: blacklistd.c,v 1.31 2015/01/28 05:08:55 christos Exp $); #include sys/types.h #include sys/socket.h @@ -217,11 +217,16 @@ process(bl_t bl) if (dbi.id[0]) { /* * We should not be getting this since the rule - * should have blocked the address. Since a possible + * should have blocked the address. A possible * explanation is that someone removed that rule, - * we attempt to add it again, but we log an error. + * and another would be that we got another attempt + * before we added the rule. In anycase, we remove + * and re-add the rule because we don't want to add + * it twice, because then we'd lose track of it. */ - (*lfun)(LOG_ERR, rule exists %s, dbi.id); + (*lfun)(LOG_DEBUG, rule exists %s, dbi.id); + (void)run_change(rem, c, dbi.id, 0); + dbi.id[0] = '\0'; } if (c.c_nfail != -1 dbi.count = c.c_nfail) { int res = run_change(add, c, dbi.id, sizeof(dbi.id));
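Review bot: in the process() hunk the return value of run_change("rem", ...) is discarded and dbi.id is cleared regardless; if the remove fails, the following run_change("add", ...) creates exactly the duplicate rule the new comment says we are avoiding, and the state no longer records the first rule's id. Check the result and log at LOG_WARNING when the remove fails before re-adding. Also "In anycase" in the comment should be "In any case", and consider LOG_INFO rather than LOG_DEBUG for "rule exists": the comment itself names a manually removed rule as one cause, which an operator would want to see without enabling debug output.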
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: christos Date: Sun Jan 25 22:59:40 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistd.8 Log Message: sync rem control script api To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.6 src/external/bsd/blacklist/bin/blacklistd.8:1.7 --- src/external/bsd/blacklist/bin/blacklistd.8:1.6 Sun Jan 25 15:59:39 2015 +++ src/external/bsd/blacklist/bin/blacklistd.8 Sun Jan 25 17:59:40 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: blacklistd.8,v 1.6 2015/01/25 20:59:39 christos Exp $ +.\ $NetBSD: blacklistd.8,v 1.7 2015/01/25 22:59:40 christos Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -27,7 +27,7 @@ .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\ POSSIBILITY OF SUCH DAMAGE. .\ -.Dd January 24, 2015 +.Dd January 25, 2015 .Dt BLACKLISTD 8 .Os .Sh NAME @@ -78,14 +78,16 @@ The .Ar rulename argument can be set from the command line (default .Dv blacklistd ). -The script should print a numerical id to stdout as a handle for -the rule that can be used later to remove that connection. +The script could print a numerical id to stdout as a handle for +the rule that can be used later to remove that connection, but +that is not required as all information to remove the rule is +kept. .Pp If the action is .Dq remove Then the same control script is invoked as: .Bd -literal -offset indent -control rem rulename id +control rem rulename proto port address id .Ed .Pp where
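Review bot: the hunk documents the action as `.Dq remove` but the invocation it shows is `control rem rulename proto port address id`, and the log message calls this the rem control script api; the two should agree, since the script receives "rem". "Then the same control script" continues the previous sentence, so "then" should be lower case. "The script could print a numerical id" reads as uncertain; "may print" states the optional behaviour more clearly.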
CVS commit: src/external/bsd/blacklist/bin
Module Name:src Committed By: wiz Date: Sun Jan 25 23:07:16 UTC 2015 Modified Files: src/external/bsd/blacklist/bin: blacklistctl.8 blacklistd.8 Log Message: Minor cleanups. XXX: blacklistd.conf.5 should be a separate man page, or the Xr to it in blacklistd(8) should be removed. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/bin/blacklistctl.8 cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/bin/blacklistd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/bin/blacklistctl.8 diff -u src/external/bsd/blacklist/bin/blacklistctl.8:1.2 src/external/bsd/blacklist/bin/blacklistctl.8:1.3 --- src/external/bsd/blacklist/bin/blacklistctl.8:1.2 Sat Jan 24 18:34:05 2015 +++ src/external/bsd/blacklist/bin/blacklistctl.8 Sun Jan 25 23:07:16 2015 @@ -1,5 +1,5 @@ -.\ $NetBSD: blacklistctl.8,v 1.2 2015/01/24 18:34:05 christos Exp $ -.\ +.\ $NetBSD: blacklistctl.8,v 1.3 2015/01/25 23:07:16 wiz Exp $ +.\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. .\ @@ -26,7 +26,7 @@ .\ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\ POSSIBILITY OF SUCH DAMAGE. -.\ +.\ .Dd January 24, 2015 .Dt BLACKLISTCTL 8 .Os @@ -35,8 +35,8 @@ .Nd display and change the state of blacklistd .Sh SYNOPSIS .Nm -dump -.Op Fl abdr +.Cm dump +.Op Fl abdr .Sh DESCRIPTION .Nm is a program used to display the state of 
@@ -58,6 +58,6 @@ Show the remaining blocked time instead .Sh HISTORY .Nm appeared in -.Nx 8 +.Nx 8 . .Sh AUTHORS .An Christos Zoulas Index: src/external/bsd/blacklist/bin/blacklistd.8 diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.7 src/external/bsd/blacklist/bin/blacklistd.8:1.8 --- src/external/bsd/blacklist/bin/blacklistd.8:1.7 Sun Jan 25 22:59:40 2015 +++ src/external/bsd/blacklist/bin/blacklistd.8 Sun Jan 25 23:07:16 2015 @@ -1,5 +1,5 @@ -.\ $NetBSD: blacklistd.8,v 1.7 2015/01/25 22:59:40 christos Exp $ -.\ +.\ $NetBSD: blacklistd.8,v 1.8 2015/01/25 23:07:16 wiz Exp $ +.\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. .\ @@ -26,7 +26,7 @@ .\ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\ POSSIBILITY OF SUCH DAMAGE. -.\ +.\ .Dd January 25, 2015 .Dt BLACKLISTD 8 .Os @@ -37,8 +37,8 @@ .Sh SYNOPSIS .Nm .Op Fl dvf -.Op Fl c Ar configfile .Op Fl C Ar controlprog +.Op Fl c Ar configfile .Op Fl D Ar dbfile .Op Fl r Ar rulename .Op Fl P Ar sockpathsfile @@ -47,13 +47,13 @@ .Nm is a daemon similar to .Xr syslogd 8 -that listens to a sockets at paths specified in the +that listens to a sockets at paths specified in the .Ar sockpathsfile for notifications from other daemons about successful or failed connection attempts. If no such file is specified, then it only listens to the default socket .Pa /var/run/blsock . -Each notification contains a (action, port, protocol, address, owner) tuple +Each notification contains an (action, port, protocol, address, owner) tuple that identifies the remote connection and the action. This tuple is consulted against entries in .Ar configfile 
@@ -76,8 +76,8 @@ and should invoke a packet filter comman specified by the arguments. The .Ar rulename -argument can be set from the command line (default -.Dv blacklistd ). +argument can be set from the command line (default +.Dv blacklistd ) . The script could print a numerical id to stdout as a handle for the rule that can be used later to remove that connection, but that is not required as all information to remove the rule is @@ -90,7 +90,7 @@ Then the same control script is invoked control rem rulename proto port address id .Ed .Pp -where +where .Ar id is the number returned from the .Dq add @@ -117,15 +117,15 @@ seconds (default and removes entries and block rules using the control program as necessary. .Pp The configuration file contains one tuple per line, and is similar to -.Xr inetd.conf . +.Xr inetd.conf 5 . There must be an entry for each field of the configuration file, with entries for each field separated by a tab or a space. Comments are denoted by a .Dq # at the beginning of a line. There must be an entry for each field; entries can be numeric or symbolic, -where appropriate ( -.Dv service , +where appropriate +.Dv ( service , .Dv user ) and can be .Dq * @@ -148,13 +148,13 @@ disassociates itself from the terminal a unless the .Fl d flag is specified, in which case it stays in the foreground. -The +The .Fl v cases .Nm to print diagnostic messages to -.Dv stdout +.Dv stdout instead of .Xr syslogd 8 . .Sh FILES @@ -170,11 +170,12 @@ Socket to receive connection notificatio .El .Sh SEE ALSO .Xr blacklistd.conf 5 ,
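Review bot: the blacklistd.8 DESCRIPTION hunk only strips trailing whitespace from "that listens to a sockets at paths specified in the"; "a sockets" should become "sockets" while the line is touched. Likewise the hunk around the `.Fl v` flag fixes trailing whitespace but keeps "cases .Nm to print", which should be "causes". Both survive a commit whose message is "Minor cleanups", so they are worth a follow-up.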
CVS commit: src/external/bsd/blacklist/lib
Module Name:src Committed By: wiz Date: Sun Jan 25 23:09:28 UTC 2015 Modified Files: src/external/bsd/blacklist/lib: libblacklist.3 Log Message: Minor fixes. XXX: libblacklist needs to be defined. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blacklist/lib/libblacklist.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/blacklist/lib/libblacklist.3 diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.2 src/external/bsd/blacklist/lib/libblacklist.3:1.3 --- src/external/bsd/blacklist/lib/libblacklist.3:1.2 Thu Jan 22 05:40:34 2015 +++ src/external/bsd/blacklist/lib/libblacklist.3 Sun Jan 25 23:09:28 2015 @@ -1,4 +1,4 @@ -.\ $NetBSD: libblacklist.3,v 1.2 2015/01/22 05:40:34 christos Exp $ +.\ $NetBSD: libblacklist.3,v 1.3 2015/01/25 23:09:28 wiz Exp $ .\ .\ Copyright (c) 2015 The NetBSD Foundation, Inc. .\ All rights reserved. @@ -26,17 +26,17 @@ .\ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\ POSSIBILITY OF SUCH DAMAGE. -.\ -.Dd January 22, 2016 +.\ +.Dd January 22, 2015 .Dt LIBBLACKLIST 3 .Os .Sh NAME .Nm blacklist_open , .Nm blacklist_close , -.Nm blacklist_r , +.Nm blacklist_r , .Nm blacklist , .Nm blacklist_sa -.Nm blacklist_sa_r , +.Nm blacklist_sa_r , .Nd Blacklistd notification library .Sh LIBRARY .Lb libblacklist @@ -98,7 +98,7 @@ The .Fn blacklist_sa and .Fn blacklist_sa_r -can be used with unconnected sockets, where +functions can be used with unconnected sockets, where .Xr getpeername 2 will not work, the server will pass the peer name in the message. .Pp 
@@ -112,14 +112,14 @@ returns a cookie on success and on failure setting errno to an appropriate value. .Pp The -.Fn bl_send , +.Fn bl_send function returns .Dv 0 on success and .Dv -1 on failure setting errno to an appropriate value. .Sh SEE ALSO -.Xr blacklistd 8 , -.Xr blacklistd.conf 5 +.Xr blacklistd.conf 5 , +.Xr blacklistd 8 .Sh AUTHORS .An Christos Zoulas
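Review bot: in the NAME hunk the trailing commas are still misplaced: `.Nm blacklist_sa` has none while `.Nm blacklist_sa_r ,`, the last name before `.Nd`, keeps one, so the rendered list reads "blacklist_sa blacklist_sa_r,"; the comma belongs after blacklist_sa and not after blacklist_sa_r. The RETURN VALUES hunk describes `.Fn bl_send`, which does not appear in the NAME list (blacklist_open, blacklist_close, blacklist_r, blacklist, blacklist_sa, blacklist_sa_r); either it is an internal name and the paragraph should name the public function whose return value it documents, or it belongs in NAME and SYNOPSIS. The .Dd year fix and the added "functions" after `.Fn blacklist_sa_r` are correct.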
CVS commit: src/external/bsd/blacklist/bin
Module Name: src
Committed By: christos
Date: Sun Jan 25 23:15:56 UTC 2015

Removed Files:
src/external/bsd/blacklist/bin: blacklist.h

Log Message:
this has been moved.

To generate a diff of this commit:
cvs rdiff -u -r1.3 -r0 src/external/bsd/blacklist/bin/blacklist.h

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.