Author: lidl
Date: Sun Jun 12 23:34:48 2016
New Revision: 301843
URL: https://svnweb.freebsd.org/changeset/base/301843

Log:
  Add ipfilter support to blacklistd-helper
  
  In addition to adding initial support for the ipfilter
  packet filtering system, wrap a few long lines, perform
  whitespace cleanup and sync with upstream changes made
  in NetBSD.
  
  Submitted by: cy
  Reviewed by:  cy
  Approved by:  re (hrs)
  Relnotes:     YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision:        https://reviews.freebsd.org/D6823

Modified:
  head/contrib/blacklist/libexec/blacklistd-helper

Modified: head/contrib/blacklist/libexec/blacklistd-helper
==============================================================================
--- head/contrib/blacklist/libexec/blacklistd-helper    Sun Jun 12 23:26:38 
2016        (r301842)
+++ head/contrib/blacklist/libexec/blacklistd-helper    Sun Jun 12 23:34:48 
2016        (r301843)
@@ -10,12 +10,6 @@
 # $7 id
 
 pf=
-for f in npf pf; do
-       if [ -f "/etc/$f.conf" ]; then
-               pf="$f"
-               break
-       fi
-done
 if [ -f "/etc/ipfw-blacklist.rc" ]; then
        pf="ipfw"
        . /etc/ipfw-blacklist.rc
@@ -23,6 +17,15 @@ if [ -f "/etc/ipfw-blacklist.rc" ]; then
 fi
 
 if [ -z "$pf" ]; then
+       for f in npf pf ipf; do
+               if [ -f "/etc/$f.conf" ]; then
+                       pf="$f"
+                       break
+               fi
+       done
+fi
+
+if [ -z "$pf" ]; then
        echo "$0: Unsupported packet filter" 1>&2
        exit 1
 fi
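Review bot: The new detection loop carries no comment on its precedence, which is now three-way: `/etc/ipfw-blacklist.rc` wins outright (checked above the hunk), then the first of `/etc/npf.conf`, `/etc/pf.conf`, `/etc/ipf.conf` that exists, so a host that carries more than one config file silently gets whichever comes first in the list rather than the filter actually loaded. A one-line comment would make that explicit, `# first match wins; an ipfw rc file was already checked above and takes precedence`. Note that file existence is the only test here; nothing confirms the chosen filter is loaded, so a stale `/etc/ipf.conf` is enough to route every add/rem through `ipf` and fail.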
@@ -48,12 +51,20 @@ esac
 case "$1" in
 add)
        case "$pf" in
+       ipf)
+               /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+               echo block in quick $proto from $addr/$mask to \
+                       any port=$6 head port$6 | \
+                       /sbin/ipf -I -f - -s >/dev/null 2>&1
+               ;;
        ipfw)
-               rule=$(( $ipfw_offset + $6 )) # use $ipfw_offset+$port for rule 
number
+               # use $ipfw_offset+$port for rule number
+               rule=$(($ipfw_offset + $6))
                tname="port$6"
                /sbin/ipfw table $tname create type addr 2>/dev/null
                /sbin/ipfw -q table $tname add "$addr/$mask"
-               /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to any 
dst-port $6
+               /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
+                       any dst-port $6
                ;;
        npf)
                /sbin/npfctl rule "$2" add block in final $proto from \
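Review bot: Both pipelines in the new `ipf)` add branch send stdout and stderr to /dev/null and ignore the exit status, so a rejected rule or an `ipf -I -f - -s` that fails because IPFilter is not loaded leaves the helper exiting 0 and the caller, if it looks at the helper's status, believing the address is blocked; by contrast the ipfw branch silences only the `table create`. The swap step is the one whose failure matters, so I would keep its stderr and propagate the status: `/sbin/ipf -I -f - -s >/dev/null || exit 1` in place of `/sbin/ipf -I -f - -s >/dev/null 2>&1`. The rule text is assembled by unquoted expansion of `$proto`, `$addr`, `$mask` and `$6` before being fed to `ipf -f -`; those values are derived outside this hunk, so I could not confirm from here that they are validated before reaching the parser.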
@@ -69,6 +80,12 @@ add)
        ;;
 rem)
        case "$pf" in
+       ipf)
+               /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+               echo block in quick $proto from $addr/$mask to \
+                       any port=$6 head port$6 | \
+                       /sbin/ipf -I -r -f - -s >/dev/null 2>&1
+               ;;
        ipfw)
                /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
                ;;
@@ -81,7 +98,10 @@ rem)
        esac
        ;;
 flush)
-       case "$pf" in 
+       case "$pf" in
+       ipf)
+               /sbin/ipf -Z -I -Fi -s > /dev/null
+               ;;
        ipfw)
                /sbin/ipfw table "port$6" flush 2>/dev/null
                ;;