Module Name:    src
Committed By:   snj
Date:           Fri Aug  7 04:10:23 UTC 2015

Modified Files:
        src/external/bsd/blacklist/bin [netbsd-7]: blacklistctl.c blacklistd.c
            conf.c run.c state.c support.c support.h
        src/external/bsd/blacklist/etc [netbsd-7]: blacklistd.conf
        src/external/bsd/blacklist/libexec [netbsd-7]: blacklistd-helper

Log Message:
Pull up following revision(s) (requested by christos in ticket #922):
        external/bsd/blacklist/bin/blacklistctl.c: revision 1.18
        external/bsd/blacklist/bin/blacklistd.c: revision 1.33
        external/bsd/blacklist/bin/run.c: revision 1.13
        external/bsd/blacklist/bin/conf.c: revisions 1.21-1.23
        external/bsd/blacklist/bin/state.c: revisions 1.16, 1.17
        external/bsd/blacklist/bin/support.c: revision 1.7
        external/bsd/blacklist/bin/support.h: revision 1.6
        external/bsd/blacklist/etc/blacklistd.conf: revisions 1.5, 1.6
        external/bsd/blacklist/libexec/blacklistd-helper: revision 1.5
print the key in human readable form when debugging.
--
Add more debugging, simplify.
Use symbolic constants: -2=FEQUALS, -1=FSTAR
--
make proto and port optional
--
restore address length before printing.
--
disallow interface spec in remote config (since we check against the remote
address, it does not make sense).
--
remove interface example from remote config.
--
simplify, comment out testing entries
--
Restart the loop each time we delete an entry because the hash code does
not handle it well. Is that a db bug?


To generate a diff of this commit:
cvs rdiff -u -r1.17.2.2 -r1.17.2.3 \
    src/external/bsd/blacklist/bin/blacklistctl.c
cvs rdiff -u -r1.32.2.2 -r1.32.2.3 \
    src/external/bsd/blacklist/bin/blacklistd.c
cvs rdiff -u -r1.18.2.3 -r1.18.2.4 src/external/bsd/blacklist/bin/conf.c
cvs rdiff -u -r1.12.2.2 -r1.12.2.3 src/external/bsd/blacklist/bin/run.c
cvs rdiff -u -r1.15.2.2 -r1.15.2.3 src/external/bsd/blacklist/bin/state.c
cvs rdiff -u -r1.6.2.2 -r1.6.2.3 src/external/bsd/blacklist/bin/support.c
cvs rdiff -u -r1.5.2.2 -r1.5.2.3 src/external/bsd/blacklist/bin/support.h
cvs rdiff -u -r1.3.2.3 -r1.3.2.4 \
    src/external/bsd/blacklist/etc/blacklistd.conf
cvs rdiff -u -r1.4.2.2 -r1.4.2.3 \
    src/external/bsd/blacklist/libexec/blacklistd-helper

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/blacklist/bin/blacklistctl.c
diff -u src/external/bsd/blacklist/bin/blacklistctl.c:1.17.2.2 src/external/bsd/blacklist/bin/blacklistctl.c:1.17.2.3
--- src/external/bsd/blacklist/bin/blacklistctl.c:1.17.2.2	Thu Apr 30 06:07:33 2015
+++ src/external/bsd/blacklist/bin/blacklistctl.c	Fri Aug  7 04:10:23 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistctl.c,v 1.17.2.2 2015/04/30 06:07:33 riz Exp $	*/
+/*	$NetBSD: blacklistctl.c,v 1.17.2.3 2015/08/07 04:10:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistctl.c,v 1.17.2.2 2015/04/30 06:07:33 riz Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.17.2.3 2015/08/07 04:10:23 snj Exp $");
 
 #include <stdio.h>
 #include <time.h>
@@ -85,7 +85,7 @@ main(int argc, char *argv[])
 	argc--;
 	argv++;
 
-	while ((o = getopt(argc, argv, "abdrw")) != -1)
+	while ((o = getopt(argc, argv, "abD:drw")) != -1)
 		switch (o) {
 		case 'a':
 			all = 1;
@@ -93,6 +93,9 @@ main(int argc, char *argv[])
 			break;
 		case 'b':
 			blocked = 1;
+		case 'D':
+			dbname = optarg;
+			break;
 			break;
 		case 'd':
 			debug++;
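Review bot: The new `case 'D':` label is inserted between `blocked = 1;` and its `break;`, so `-b` now falls through and also executes `dbname = optarg;`, and the original `break;` is left as dead code after the new one. `-b` takes no argument, so `optarg` is not meaningful there and the database path can end up as a stale or null pointer. Move the added lines below the existing break so the sequence reads `blocked = 1; break;` followed by `case 'D': dbname = optarg; break;`. The switch continues outside the hunk.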

Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.32.2.2 src/external/bsd/blacklist/bin/blacklistd.c:1.32.2.3
--- src/external/bsd/blacklist/bin/blacklistd.c:1.32.2.2	Thu Apr 30 06:07:33 2015
+++ src/external/bsd/blacklist/bin/blacklistd.c	Fri Aug  7 04:10:23 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.32.2.2 2015/04/30 06:07:33 riz Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.32.2.3 2015/08/07 04:10:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.32.2.2 2015/04/30 06:07:33 riz Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.32.2.3 2015/08/07 04:10:23 snj Exp $");
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -284,6 +284,7 @@ update(void)
 		return;
 	}
 
+again:
 	for (n = 0, f = 1; state_iterate(state, &c, &dbi, f) == 1;
 	    f = 0, n++)
 	{
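Review bot: The `again:` label added here pairs with the `goto again` placed after `state_del(state, &c)` in the next hunk, and the result of state_del is still ignored, so if a delete fails the same entry will presumably be returned again and the loop will not terminate. Test the result before restarting, for example `if (state_del(state, &c) == -1) break;` (state_del's failure value is not visible in this diff, so adjust to match). Every restart also resets `n` to 0 and rescans from the first key, which makes purging many expired entries quadratic in the table size. A comment at the label, such as `/* restart: the hash iterator is not safe across a delete */`, would record why the restart exists. The loop body lies partly outside both hunks.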
@@ -305,6 +306,7 @@ update(void)
 			    buf, c.c_lmask, c.c_port, c.c_duration);
 		}
 		state_del(state, &c);
+		goto again;
 	}
 }
 

Index: src/external/bsd/blacklist/bin/conf.c
diff -u src/external/bsd/blacklist/bin/conf.c:1.18.2.3 src/external/bsd/blacklist/bin/conf.c:1.18.2.4
--- src/external/bsd/blacklist/bin/conf.c:1.18.2.3	Tue Jun  2 20:32:44 2015
+++ src/external/bsd/blacklist/bin/conf.c	Fri Aug  7 04:10:23 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: conf.c,v 1.18.2.3 2015/06/02 20:32:44 snj Exp $	*/
+/*	$NetBSD: conf.c,v 1.18.2.4 2015/08/07 04:10:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: conf.c,v 1.18.2.3 2015/06/02 20:32:44 snj Exp $");
+__RCSID("$NetBSD: conf.c,v 1.18.2.4 2015/08/07 04:10:23 snj Exp $");
 
 #include <stdio.h>
 #include <string.h>
@@ -56,6 +56,7 @@ __RCSID("$NetBSD: conf.c,v 1.18.2.3 2015
 
 #include "bl.h"
 #include "internal.h"
+#include "support.h"
 #include "conf.h"
 
 
@@ -71,6 +72,9 @@ struct sockaddr_if {
 
 static int conf_is_interface(const char *);
 
+#define FSTAR	-1
+#define FEQUAL	-2
+
 static void
 advance(char **p)
 {
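Review bot: `FSTAR` and `FEQUAL` expand to bare negative literals and have no comment saying what they stand for. Writing them as `#define FSTAR (-1)` and `#define FEQUAL (-2)` keeps the expansion safe inside larger expressions, and trailing comments such as `/* field was "*" */` and `/* field was "=" (rejected in local config) */` would record what getnum in the next hunk already implies. The macros are local to conf.c, so run.c in this same commit still tests `-1` directly; defining them in a header both files include would let run.c use the names as well.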
@@ -91,13 +95,13 @@ getnum(const char *f, size_t l, bool loc
 	int *r = rp;
 
 	if (strcmp(p, "*") == 0) {
-		*r = -1;
+		*r = FSTAR;
 		return 0;
 	}
 	if (strcmp(p, "=") == 0) {
 		if (local)
 			goto out;
-		*r = -2;
+		*r = FEQUAL;
 		return 0;
 	}
 
@@ -134,13 +138,13 @@ getsecs(const char *f, size_t l, bool lo
 
 	tot = 0;
 	if (strcmp(p, "*") == 0) {
-		c->c_duration = -1;
+		c->c_duration = FSTAR;
 		return 0;
 	}
 	if (strcmp(p, "=") == 0) {
 		if (local)
 			goto out;
-		c->c_duration = -2;
+		c->c_duration = FEQUAL;
 		return 0;
 	}
 again:
@@ -204,39 +208,22 @@ getport(const char *f, size_t l, bool lo
 }
 
 static int
-getmask(const char *f, size_t l, bool local __unused, const char **p, int def)
+getmask(const char *f, size_t l, bool local, const char **p, int *mask)
 {
 	char *d;
-	int e;
-	intmax_t im;
 	const char *s = *p; 
 
 	if ((d = strchr(s, ':')) != NULL) {
 		*d++ = '\0';
 		*p = d;
 	}
-	if ((d = strchr(s, '/')) == NULL)
-		return def;
-
-	*d++ = '\0';
-	if (strcmp(d, "=") == 0) {
-		if (local)
-			goto out;
-		return -2;
+	if ((d = strchr(s, '/')) == NULL) {
+		*mask = FSTAR;
+		return 0;
 	}
-	if (strcmp(d, "*") == 0)
-		return def;
-
-	im = strtoi(d, NULL, 0, 0, def, &e);
-	if (e == 0)
-		return (int)im;
 
-	(*lfun)(LOG_ERR, "%s: %s, %zu: Bad mask [%s]", __func__, f, l, d);
-	return -1;
-out:
-	(*lfun)(LOG_ERR, "%s: %s, %zu: `=' name not allowed in local"
-	    " config", __func__, f, l);
-	return -1;
+	*d++ = '\0';
+	return getnum(f, l, local, mask, "mask", d);
 }
 
 static int
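Review bot: The mask text is now handed to `getnum`, whereas the removed code bounded it with `strtoi(d, NULL, 0, 0, def, &e)` and both callers passed 256 as the limit; whether getnum applies any upper bound is not visible in this diff. If it does not, a mask wider than the address would be accepted from the configuration file and later reach conf_apply_mask and conf_amask_eq. Consider keeping the result of the call and rejecting values above the old limit before returning, e.g. `if (*mask > 256) { (*lfun)(LOG_ERR, "%s: %s, %zu: Bad mask [%s]", __func__, f, l, d); return -1; }`, or state in a comment that getnum enforces the range.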
@@ -247,8 +234,8 @@ gethostport(const char *f, size_t l, boo
 	const char *pstr;
 
 	if (strcmp(p, "*") == 0) {
-		c->c_port = -1;
-		c->c_lmask = -1;
+		c->c_port = FSTAR;
+		c->c_lmask = FSTAR;
 		return 0;
 	}
 
@@ -259,12 +246,9 @@ gethostport(const char *f, size_t l, boo
 	} else
 		pstr = p;
 
-	if ((c->c_lmask = getmask(f, l, local, &pstr, 256)) == -1)
+	if (getmask(f, l, local, &pstr, &c->c_lmask) == -1)
 		goto out;
 
-	if (c->c_lmask == 256)
-		c->c_lmask = -1;
-
 	if (d) {
 		struct sockaddr_in6 *sin6 = (void *)&c->c_ss;
 		if (debug)
@@ -287,10 +271,12 @@ gethostport(const char *f, size_t l, boo
 			(*lfun)(LOG_DEBUG, "%s: host4 %s", __func__, p);
 		if (strcmp(p, "*") != 0) {
 			if (conf_is_interface(p)) {
+				if (!local)
+					goto out2;
 				if (debug)
 					(*lfun)(LOG_DEBUG, "%s: interface %s",
 					    __func__, p);
-				if (c->c_lmask != -1)
+				if (c->c_lmask != FSTAR)
 					goto out1;
 				sif->sif_family = AF_MAX;
 				strlcpy(sif->sif_name, p,
@@ -311,12 +297,10 @@ gethostport(const char *f, size_t l, boo
 		}
 	}
 
-	if (strcmp(pstr, "*") == 0)
-		c->c_port = -1;
-	else if (getport(f, l, local, &c->c_port, pstr) == -1)
+	if (getport(f, l, local, &c->c_port, pstr) == -1)
 		return -1;
 
-	if (port && c->c_port != -1)
+	if (port && c->c_port != FSTAR && c->c_port != FEQUAL)
 		*port = htons((in_port_t)c->c_port);
 	return 0;
 out:
@@ -326,6 +310,10 @@ out1:
 	(*lfun)(LOG_ERR, "%s: %s, %zu: Can't specify mask %d with "
 	    "interface [%s]", __func__, f, l, c->c_lmask, p);
 	return -1;
+out2:
+	(*lfun)(LOG_ERR, "%s: %s, %zu: Interface spec does not make sense "
+	    "with remote config [%s]", __func__, f, l, p);
+	return -1;
 }
 
 static int
@@ -373,10 +361,8 @@ static int
 getname(const char *f, size_t l, bool local, struct conf *c,
     const char *p)
 {
-	if ((c->c_rmask = getmask(f, l, local, &p, 256)) == -1)
+	if (getmask(f, l, local, &p, &c->c_rmask) == -1)
 		return -1;
-	if (c->c_rmask == 256)
-		c->c_rmask = local ? -1 : -2;
 		
 	if (strcmp(p, "*") == 0) {
 		strlcpy(c->c_name, rulename, CONFNAMESZ);
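Review bot: Removing the `c->c_rmask = local ? -1 : -2` fallback changes what a name without a `/mask` suffix means in the remote section: getmask now stores FSTAR in that case, where the old code stored -2 (now FEQUAL). conf_merge, shown later in this diff, copies `sc->c_rmask` over both `c_lmask` and `c_rmask` whenever it is not FEQUAL, so such a remote entry would now replace the local mask with the wildcard instead of leaving it alone. If that is intended, a comment here should say so; otherwise keep the fallback after the call with `if (!local && c->c_rmask == FSTAR) c->c_rmask = FEQUAL;`, which also maps an explicit `/*` to `=` as the old code did. getname continues outside the hunk.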
@@ -475,12 +461,15 @@ conf_amask_eq(const void *v1, const void
 	const uint32_t *a1 = v1;
 	const uint32_t *a2 = v2;
 	uint32_t m;
+	int omask = mask;
 
 	len >>= 2;
 	switch (mask) {
-	case -1:
-		return memcmp(v1, v2, len) == 0;
-	case -2:
+	case FSTAR:
+		if (memcmp(v1, v2, len) == 0)
+			return 1;
+		goto out;
+	case FEQUAL:
 		
 		(*lfun)(LOG_CRIT, "%s: Internal error: bad mask %d", __func__,
 		    mask);
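Review bot: In the FSTAR case `memcmp(v1, v2, len)` runs after `len >>= 2`, so it compares only a quarter of the address bytes, and two different addresses sharing that prefix are reported as equal. Assuming len arrives as the address length in bytes, that is one byte of an IPv4 address. The `len <<= 2` added at the `out:` label in the next hunk confirms that len holds a word count at this point. Compare the whole address instead, for example `if (memcmp(v1, v2, len << 2) == 0)`, or leave len in bytes and shift only in the loop bound. The rest of the function lies outside this hunk.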
@@ -499,9 +488,19 @@ conf_amask_eq(const void *v1, const void
 		} else
 			return 1;
 		if ((a1[i] & m) != (a2[i] & m))
-			return 0;
+			goto out;
 	}
 	return 1;
+out:
+	if (debug > 1) {
+		char b1[256], b2[256];
+		len <<= 2;
+		hexdump(b1, sizeof(b1), "a1", v1, len);
+		hexdump(b2, sizeof(b2), "a2", v2, len);
+		(*lfun)(LOG_DEBUG, "%s: %s != %s [0x%x]", __func__,
+		    b1, b2, omask);
+	}
+	return 0;
 }
 
 /*
@@ -514,9 +513,9 @@ conf_apply_mask(void *v, size_t len, int
 	uint32_t m;
 
 	switch (mask) {
-	case -1:
+	case FSTAR:
 		return;
-	case -2:
+	case FEQUAL:
 		(*lfun)(LOG_CRIT, "%s: Internal error: bad mask %d", __func__,
 		    mask);
 		abort();
@@ -580,7 +579,7 @@ conf_addr_set(struct conf *c, const stru
 
 	*port = htons((in_port_t)c->c_port);
 	conf_apply_mask(addr, alen, c->c_lmask);
-	if (c->c_lmask == -1)
+	if (c->c_lmask == FSTAR)
 		c->c_lmask = (int)(alen * 8);
 	if (debug) {
 		char buf[128];
@@ -690,7 +689,7 @@ conf_eq(const struct conf *c1, const str
 		return 0;
 
 #define CMP(a, b, f) \
-	if ((a)->f != (b)->f && (b)->f != -1 && (b)->f != -2) { \
+	if ((a)->f != (b)->f && (b)->f != FSTAR && (b)->f != FEQUAL) { \
 		if (debug > 1) \
 			(*lfun)(LOG_DEBUG, "%s: %s fail %d != %d", __func__, \
 			    __STRING(f), (a)->f, (b)->f); \
@@ -708,9 +707,9 @@ static const char *
 conf_num(char *b, size_t l, int n)
 {
 	switch (n) {
-	case -1:
+	case FSTAR:
 		return "*";
-	case -2:
+	case FEQUAL:
 		return "=";
 	default:
 		snprintf(b, l, "%d", n);
@@ -739,7 +738,7 @@ fmtport(char *b, size_t l, int port)
 {
 	char buf[128];
 
-	if (port == -1)
+	if (port == FSTAR)
 		return;
 
 	if (b[0] == '\0' || strcmp(b, "*") == 0) 
@@ -756,9 +755,9 @@ fmtmask(char *b, size_t l, int fam, int 
 	char buf[128];
 
 	switch (mask) {
-	case -1:
+	case FSTAR:
 		return "";
-	case -2:
+	case FEQUAL:
 		if (strcmp(b, "=") == 0)
 			return "";
 		else {
@@ -829,8 +828,8 @@ conf_print(char *buf, size_t len, const 
 		    conf_namemask(hb, sizeof(hb), c), delim,
 		    N(3, c->c_nfail), delim, N(4, c->c_duration));
 	else
-		snprintf(buf, len, "%starget=%s, proto=%s, family=%s, "
-		    "uid=%s, name=%s, nfail=%s, duration=%s", pref,
+		snprintf(buf, len, "%starget:%s, proto:%s, family:%s, "
+		    "uid:%s, name:%s, nfail:%s, duration:%s", pref,
 		    ha, N(0, c->c_proto), N(1, c->c_family), N(2, c->c_uid),
 		    conf_namemask(hb, sizeof(hb), c),
 		    N(3, c->c_nfail), N(4, c->c_duration));
@@ -879,13 +878,13 @@ conf_merge(struct conf *c, const struct 
 	
 	if (sc->c_name[0])
 		memcpy(c->c_name, sc->c_name, CONFNAMESZ);
-	if (sc->c_uid != -2)
+	if (sc->c_uid != FEQUAL)
 		c->c_uid = sc->c_uid;
-	if (sc->c_rmask != -2)
+	if (sc->c_rmask != FEQUAL)
 		c->c_lmask = c->c_rmask = sc->c_rmask;
-	if (sc->c_nfail != -2)
+	if (sc->c_nfail != FEQUAL)
 		c->c_nfail = sc->c_nfail;
-	if (sc->c_duration != -2)
+	if (sc->c_duration != FEQUAL)
 		c->c_duration = sc->c_duration;
 	if (debug)
 		(*lfun)(LOG_DEBUG, "%s: %s", __func__,
@@ -1050,13 +1049,13 @@ conf_find(int fd, uid_t uid, const struc
 	}
 
 	cr->c_ss = lss;
-	cr->c_lmask = -1;
+	cr->c_lmask = FSTAR;
 	cr->c_uid = (int)uid;
 	cr->c_family = lss.ss_family;
 	cr->c_name[0] = '\0';
-	cr->c_rmask = -1;
-	cr->c_nfail = -1;
-	cr->c_duration = -1;
+	cr->c_rmask = FSTAR;
+	cr->c_nfail = FSTAR;
+	cr->c_duration = FSTAR;
 
 	if (debug)
 		(*lfun)(LOG_DEBUG, "%s", conf_print(buf, sizeof(buf),

Index: src/external/bsd/blacklist/bin/run.c
diff -u src/external/bsd/blacklist/bin/run.c:1.12.2.2 src/external/bsd/blacklist/bin/run.c:1.12.2.3
--- src/external/bsd/blacklist/bin/run.c:1.12.2.2	Thu Apr 30 06:07:33 2015
+++ src/external/bsd/blacklist/bin/run.c	Fri Aug  7 04:10:23 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: run.c,v 1.12.2.2 2015/04/30 06:07:33 riz Exp $	*/
+/*	$NetBSD: run.c,v 1.12.2.3 2015/08/07 04:10:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: run.c,v 1.12.2.2 2015/04/30 06:07:33 riz Exp $");
+__RCSID("$NetBSD: run.c,v 1.12.2.3 2015/08/07 04:10:23 snj Exp $");
 
 #include <stdio.h>
 #ifdef HAVE_UTIL_H
@@ -116,6 +116,9 @@ run_change(const char *how, const struct
 	size_t off;
 
 	switch (c->c_proto) {
+	case -1:
+		prname = "";
+		break;
 	case IPPROTO_TCP:
 		prname = "tcp";
 		break;
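Review bot: `case -1:` here and `c->c_port != -1` in the next hunk test the wildcard with a bare literal, while conf.c in this same commit replaces that literal with FSTAR. The macro is defined only inside conf.c, so moving it to a header that run.c already includes would let these read `case FSTAR:` and `if (c->c_port != FSTAR)`. The next hunk also still formats `maskname` from `c->c_lmask` with `%d` unconditionally, so it is worth confirming that the mask can no longer be negative by the time run_change is called. The switch and the function continue outside the hunk.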
@@ -127,7 +130,11 @@ run_change(const char *how, const struct
 		return -1;
 	}
 
-	snprintf(poname, sizeof(poname), "%d", c->c_port);
+	if (c->c_port != -1)
+		snprintf(poname, sizeof(poname), "%d", c->c_port);
+	else
+		poname[0] = '\0';
+
 	snprintf(maskname, sizeof(maskname), "%d", c->c_lmask);
 	sockaddr_snprintf(adname, sizeof(adname), "%a", (const void *)&c->c_ss);
 

Index: src/external/bsd/blacklist/bin/state.c
diff -u src/external/bsd/blacklist/bin/state.c:1.15.2.2 src/external/bsd/blacklist/bin/state.c:1.15.2.3
--- src/external/bsd/blacklist/bin/state.c:1.15.2.2	Thu Apr 30 06:07:33 2015
+++ src/external/bsd/blacklist/bin/state.c	Fri Aug  7 04:10:23 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: state.c,v 1.15.2.2 2015/04/30 06:07:33 riz Exp $	*/
+/*	$NetBSD: state.c,v 1.15.2.3 2015/08/07 04:10:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: state.c,v 1.15.2.2 2015/04/30 06:07:33 riz Exp $");
+__RCSID("$NetBSD: state.c,v 1.15.2.3 2015/08/07 04:10:23 snj Exp $");
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -47,6 +47,7 @@ __RCSID("$NetBSD: state.c,v 1.15.2.2 201
 #include "bl.h"
 #include "internal.h"
 #include "conf.h"
+#include "support.h"
 #include "state.h"
 
 static HASHINFO openinfo = {
@@ -102,19 +103,11 @@ static void
 dumpkey(const struct conf *k)
 {
 	char buf[10240];
-	size_t z;
-	int r;
-	const unsigned char *p = (const void *)k;
-	const unsigned char *e = p + sizeof(*k);
-	r = snprintf(buf, sizeof(buf), "%s: ", __func__);
-	if (r == -1 || (z = (size_t)r) >= sizeof(buf))
-		z = sizeof(buf);
-	while (p < e) {
-		r = snprintf(buf + z, sizeof(buf) - z, "%.2x", *p++);
-		if (r == -1 || (z += (size_t)r) >= sizeof(buf))
-			z = sizeof(buf);
-	}
+	hexdump(buf, sizeof(buf), __func__, k, sizeof(*k));
 	(*lfun)(LOG_DEBUG, "%s", buf);
+	(*lfun)(LOG_DEBUG, "%s: %s", __func__,
+	    conf_print(buf, sizeof(buf), "", "", k));
+
 }
 
 int

Index: src/external/bsd/blacklist/bin/support.c
diff -u src/external/bsd/blacklist/bin/support.c:1.6.2.2 src/external/bsd/blacklist/bin/support.c:1.6.2.3
--- src/external/bsd/blacklist/bin/support.c:1.6.2.2	Thu Apr 30 06:07:33 2015
+++ src/external/bsd/blacklist/bin/support.c	Fri Aug  7 04:10:23 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: support.c,v 1.6.2.2 2015/04/30 06:07:33 riz Exp $	*/
+/*	$NetBSD: support.c,v 1.6.2.3 2015/08/07 04:10:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: support.c,v 1.6.2.2 2015/04/30 06:07:33 riz Exp $");
+__RCSID("$NetBSD: support.c,v 1.6.2.3 2015/08/07 04:10:23 snj Exp $");
 
 #include <time.h>
 #include <string.h>
@@ -131,3 +131,27 @@ fmtydhms(char *b, size_t l, time_t t)
 	APPEND(s)
 	return b;
 }
+
+ssize_t
+hexdump(char *buf, size_t len, const char *str, const void *b, size_t l)
+{
+	size_t z, cz;
+	int r;
+	const unsigned char *p = b;
+	const unsigned char *e = p + l;
+
+	r = snprintf(buf, len, "%s: ", str);
+	if (r == -1)
+		return -1;
+	if ((cz = z = (size_t)r) >= len)
+		cz = len;
+
+	while (p < e) {
+		r = snprintf(buf + cz, len - cz, "%.2x", *p++);
+		if (r == -1)
+			return -1;
+		if ((cz = (z += (size_t)r)) >= len)
+			cz = len;
+	}
+	return (ssize_t)z;
+}
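Review bot: hexdump is exported through support.h but has no comment describing its contract, and the return value is easy to misread. It writes `str: ` followed by two hex digits per byte into buf, keeps counting after the buffer is full, and returns the length the complete output would have had (as snprintf does), or -1 if snprintf fails. A caller therefore has to compare the result with len to detect truncation, and both callers added in this commit ignore it. A short block comment above the definition stating this, and that buf is NUL-terminated only when len is non-zero, would be enough.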

Index: src/external/bsd/blacklist/bin/support.h
diff -u src/external/bsd/blacklist/bin/support.h:1.5.2.2 src/external/bsd/blacklist/bin/support.h:1.5.2.3
--- src/external/bsd/blacklist/bin/support.h:1.5.2.2	Thu Apr 30 06:07:33 2015
+++ src/external/bsd/blacklist/bin/support.h	Fri Aug  7 04:10:23 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: support.h,v 1.5.2.2 2015/04/30 06:07:33 riz Exp $	*/
+/*	$NetBSD: support.h,v 1.5.2.3 2015/08/07 04:10:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -38,6 +38,7 @@ void vdlog(int, const char *, va_list)
     __attribute__((__format__(__printf__, 2, 0)));
 void dlog(int, const char *, ...)
     __attribute__((__format__(__printf__, 2, 3)));
+ssize_t hexdump(char *, size_t, const char *, const void *, size_t);
 __END_DECLS
 
 #endif /* _SUPPORT_H */

Index: src/external/bsd/blacklist/etc/blacklistd.conf
diff -u src/external/bsd/blacklist/etc/blacklistd.conf:1.3.2.3 src/external/bsd/blacklist/etc/blacklistd.conf:1.3.2.4
--- src/external/bsd/blacklist/etc/blacklistd.conf:1.3.2.3	Tue Jun  2 20:32:44 2015
+++ src/external/bsd/blacklist/etc/blacklistd.conf	Fri Aug  7 04:10:23 2015
@@ -1,20 +1,14 @@
 # Blacklist rule
 # adr/mask:port	type	proto	owner		name	nfail	disable
 [local]
-ssh		stream	tcp	*		*	3	6h
-ssh		stream	tcp6	*		*	3	6h
-ftp		stream	tcp	*		*	3	6h
-ftp		stream	tcp6	*		*	3	6h
-domain		stream	tcp	named		*	3	12h
-domain		dgram	udp	named		*	3	12h
-domain		stream	tcp6	named		*	3	12h
-domain		dgram	udp6	named		*	3	12h
-6161		stream	tcp6	christos	*	2	10m
+ssh		stream	*	*		*	3	6h
+ftp		stream	*	*		*	3	6h
+domain		*	*	named		*	3	12h
+#6161		stream	tcp6	christos	*	2	10m
 *		*	*	*		*	3	60
 
 # adr/mask:port	type	proto	owner		name	nfail	disable
 [remote]
-bge0		stream	tcp	*		=/24	=	=
-129.168.0.0/16	*	*	*		=	*	*
-6161		=	=	=		=/24	=	=
-*		stream	tcp	*		=	=	=
+#129.168.0.0/16	*	*	*		=	*	*
+#6161		=	=	=		=/24	=	=
+#*		stream	tcp	*		=	=	=

Index: src/external/bsd/blacklist/libexec/blacklistd-helper
diff -u src/external/bsd/blacklist/libexec/blacklistd-helper:1.4.2.2 src/external/bsd/blacklist/libexec/blacklistd-helper:1.4.2.3
--- src/external/bsd/blacklist/libexec/blacklistd-helper:1.4.2.2	Thu Apr 30 06:07:34 2015
+++ src/external/bsd/blacklist/libexec/blacklistd-helper	Fri Aug  7 04:10:23 2015
@@ -11,7 +11,13 @@
 
 case "$1" in
 add)
-	exec /sbin/npfctl rule $2 add block in final proto $3 from $4/$5 to any port $6
+	if [ -n "$3" ]; then
+		proto="proto $3"
+	fi
+	if [ -n "$6" ]; then
+		port="port $6"
+	fi
+	exec /sbin/npfctl rule $2 add block in final $proto from $4/$5 to any $port
 	;;
 rem)
 	exec /sbin/npfctl rule $2 rem-id $7
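Review bot: `proto` and `port` are assigned only when `$3` or `$6` is non-empty, so when either argument is empty the unquoted `$proto` or `$port` in the npfctl command expands to whatever value the script inherited from its environment. Initialise both before the tests, with `proto=` and `port=` on their own lines above the first `if`, so that an empty argument always yields an empty expansion. The case statement continues outside the hunk.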
