[src/trunk]: src/external/bsd/blacklist - separate man page for blacklistd an...
details: https://anonhg.NetBSD.org/src/rev/4a482429ec72
branches: trunk
changeset: 335871:4a482429ec72
user: christos <christos%NetBSD.org@localhost>
date: Tue Jan 27 19:40:36 2015 +0000
description:
- separate man page for blacklistd and blacklistd.conf, requested by wiz@
- allow separate configurations for local and remote addresses, implementing
effectively whitelists, requested by dh@
- allow the mask of the filter to be specified, requested by dh@
- the db file format has been changed to accommodate these changes, and
needs to be removed.
diffstat:
external/bsd/blacklist/bin/Makefile | 5 +-
external/bsd/blacklist/bin/blacklistctl.c | 13 +-
external/bsd/blacklist/bin/blacklistd.8 | 40 +-
external/bsd/blacklist/bin/blacklistd.c | 57 +-
external/bsd/blacklist/bin/blacklistd.conf.5 | 222 ++++++
external/bsd/blacklist/bin/conf.c | 821 ++++++++++++++++++----
external/bsd/blacklist/bin/conf.h | 15 +-
external/bsd/blacklist/bin/internal.c | 8 +-
external/bsd/blacklist/bin/internal.h | 8 +-
external/bsd/blacklist/bin/run.c | 14 +-
external/bsd/blacklist/bin/run.h | 5 +-
external/bsd/blacklist/bin/state.c | 88 +-
external/bsd/blacklist/bin/state.h | 13 +-
external/bsd/blacklist/bin/support.c | 6 +-
external/bsd/blacklist/etc/blacklistd.conf | 28 +-
external/bsd/blacklist/libexec/blacklistd-helper | 26 +-
16 files changed, 1031 insertions(+), 338 deletions(-)
diffs (truncated from 2199 to 300 lines):
diff -r f928b7285e0c -r 4a482429ec72 external/bsd/blacklist/bin/Makefile
--- a/external/bsd/blacklist/bin/Makefile Tue Jan 27 18:20:56 2015 +0000
+++ b/external/bsd/blacklist/bin/Makefile Tue Jan 27 19:40:36 2015 +0000
@@ -1,11 +1,10 @@
-# $NetBSD: Makefile,v 1.10 2015/01/22 17:49:41 christos Exp $
+# $NetBSD: Makefile,v 1.11 2015/01/27 19:40:36 christos Exp $
BINDIR=/sbin
PROGS=blacklistd blacklistctl
-MAN.blacklistd=blacklistd.8
+MAN.blacklistd=blacklistd.8 blacklistd.conf.5
MAN.blacklistctl=blacklistctl.8
-MLINKS=blacklistd.8 blacklistd.conf.5
SRCS.blacklistd = blacklistd.c conf.c run.c state.c support.c internal.c
SRCS.blacklistctl = blacklistctl.c conf.c state.c support.c internal.c
DBG=-g
diff -r f928b7285e0c -r 4a482429ec72 external/bsd/blacklist/bin/blacklistctl.c
--- a/external/bsd/blacklist/bin/blacklistctl.c Tue Jan 27 18:20:56 2015 +0000
+++ b/external/bsd/blacklist/bin/blacklistctl.c Tue Jan 27 19:40:36 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistctl.c,v 1.15 2015/01/26 02:31:52 christos Exp $ */
+/* $NetBSD: blacklistctl.c,v 1.16 2015/01/27 19:40:36 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistctl.c,v 1.15 2015/01/26 02:31:52 christos Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.16 2015/01/27 19:40:36 christos Exp $");
#include <stdio.h>
#include <time.h>
@@ -70,7 +70,6 @@
const char *dbname = _PATH_BLSTATE;
DB *db;
struct conf c;
- struct sockaddr_storage ss;
struct dbinfo dbi;
unsigned int i;
struct timespec ts;
@@ -118,9 +117,9 @@
clock_gettime(CLOCK_REALTIME, &ts);
wide = wide ? 8 * 4 + 7 : 4 * 3 + 3;
if (!noheader)
- printf("%*.*s:port\tid\tnfail\t%s\n", wide, wide,
+ printf("%*.*s/ma:port\tid\tnfail\t%s\n", wide, wide,
"address", remain ? "remaining time" : "last access");
- for (i = 1; state_iterate(db, &ss, &c, &dbi, i) != 0; i = 0) {
+ for (i = 1; state_iterate(db, &c, &dbi, i) != 0; i = 0) {
char buf[BUFSIZ];
if (!all) {
if (blocked) {
@@ -131,8 +130,8 @@
continue;
}
}
- sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&ss);
- printf("%*.*s:%d\t", wide, wide, buf, c.c_port);
+ sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&c.c_ss);
+ printf("%*.*s/%d:%d\t", wide, wide, buf, c.c_lmask, c.c_port);
if (remain)
fmtydhms(buf, sizeof(buf),
c.c_duration - (ts.tv_sec - dbi.last));
diff -r f928b7285e0c -r 4a482429ec72 external/bsd/blacklist/bin/blacklistd.8
--- a/external/bsd/blacklist/bin/blacklistd.8 Tue Jan 27 18:20:56 2015 +0000
+++ b/external/bsd/blacklist/bin/blacklistd.8 Tue Jan 27 19:40:36 2015 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.8 2015/01/25 23:07:16 wiz Exp $
+.\" $NetBSD: blacklistd.8,v 1.9 2015/01/27 19:40:36 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -32,7 +32,6 @@
.Os
.Sh NAME
.Nm blacklistd ,
-.Nm blacklistd.conf
.Nd block and release ports on demand to avoid DoS abuse
.Sh SYNOPSIS
.Nm
@@ -40,8 +39,9 @@
.Op Fl C Ar controlprog
.Op Fl c Ar configfile
.Op Fl D Ar dbfile
+.Op Fl P Ar sockpathsfile
.Op Fl r Ar rulename
-.Op Fl P Ar sockpathsfile
+.Op Fl s Ar sockpath
.Op Fl t Ar timeout
.Sh DESCRIPTION
.Nm
@@ -51,7 +51,10 @@
.Ar sockpathsfile
for notifications from other daemons about successful or failed connection
attempts.
-If no such file is specified, then it only listens to the default socket
+If no such file is specified, then it only listens to the socket path
+specified by
+.Ar sockspath
+or if that is not specified to
.Pa /var/run/blsock .
Each notification contains an (action, port, protocol, address, owner) tuple
that identifies the remote connection and the action.
@@ -69,7 +72,7 @@
.Ar controlprog
is invoked with arguments:
.Bd -literal -offset indent
-control add <rulename> <proto> <port> <address>
+control add <rulename> <proto> <address> <mask> <port>
.Ed
.Pp
and should invoke a packet filter command to block the connection
@@ -87,7 +90,7 @@
.Dq remove
Then the same control script is invoked as:
.Bd -literal -offset indent
-control rem <rulename> <proto> <port> <address> <id>
+control add <rulename> <proto> <address> <mask> <port>
.Ed
.Pp
where
@@ -116,31 +119,6 @@
.Dv 15 )
and removes entries and block rules using the control program as necessary.
.Pp
-The configuration file contains one tuple per line, and is similar to
-.Xr inetd.conf 5 .
-There must be an entry for each field of the configuration file, with
-entries for each field separated by a tab or a space.
-Comments are denoted by a
-.Dq #
-at the beginning of a line.
-There must be an entry for each field; entries can be numeric or symbolic,
-where appropriate
-.Dv ( service ,
-.Dv user )
-and can be
-.Dq *
-for all fields.
-The fields of the configuration file are as follows:
-.Bd -literal -offset indent
-[address|interface:]service
-socket-type
-protocol
-user
-rulename
-nfail
-duration
-.Ed
-.Pp
Normally,
.Nm
disassociates itself from the terminal and writes messages to
diff -r f928b7285e0c -r 4a482429ec72 external/bsd/blacklist/bin/blacklistd.c
--- a/external/bsd/blacklist/bin/blacklistd.c Tue Jan 27 18:20:56 2015 +0000
+++ b/external/bsd/blacklist/bin/blacklistd.c Tue Jan 27 19:40:36 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.29 2015/01/25 20:59:39 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.30 2015/01/27 19:40:36 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
#include "config.h"
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.29 2015/01/25 20:59:39 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.30 2015/01/27 19:40:36 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -71,7 +71,7 @@
static const char *configfile = _PATH_BLCONF;
static DB *state;
static const char *dbfile = _PATH_BLSTATE;
-static sig_atomic_t rconf;
+static sig_atomic_t readconf;
static sig_atomic_t done;
static int vflag;
@@ -90,7 +90,7 @@
static void
sighup(int n __unused)
{
- rconf++;
+ readconf++;
}
static void
@@ -106,7 +106,7 @@
warnx("Unknown option `%c'", (char)c);
fprintf(stderr, "Usage: %s [-vdf] [-c <config>] [-r <rulename>] "
"[-P <sockpathsfile>] [-C <controlprog>] [-D <dbfile>] "
- "[-t <timeout>]\n", getprogname());
+ "[-s <sockpath>] [-t <timeout>]\n", getprogname());
exit(EXIT_FAILURE);
}
@@ -193,13 +193,13 @@
(unsigned long)bi->bi_gid);
}
- if (conf_find(bi->bi_fd, bi->bi_uid, &c) == NULL) {
+ if (conf_find(bi->bi_fd, bi->bi_uid, &rss, &c) == NULL) {
(*lfun)(LOG_DEBUG, "no rule matched");
goto out;
}
- if (state_get(state, &rss, &c, &dbi) == -1)
+ if (state_get(state, &c, &dbi) == -1)
goto out;
if (debug) {
@@ -224,15 +224,14 @@
(*lfun)(LOG_ERR, "rule exists %s", dbi.id);
}
if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
- int res = run_change("add", &c, &rss,
- dbi.id, sizeof(dbi.id));
+ int res = run_change("add", &c, dbi.id, sizeof(dbi.id));
if (res == -1)
goto out;
sockaddr_snprintf(rbuf, sizeof(rbuf), "%a",
(void *)&rss);
(*lfun)(LOG_INFO,
- "blocked %s at port %d for %d seconds",
- rbuf, c.c_port, c.c_duration);
+ "blocked %s/%d:%d for %d seconds",
+ rbuf, c.c_lmask, c.c_port, c.c_duration);
}
break;
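Review bot: The new "blocked %s/%d:%d" message pairs `rbuf`, which is formatted from `rss` (the raw remote address carried by the notification), with `c.c_lmask`, so whenever the configured mask is narrower than a full address the log names a single host while the filter rule covers a prefix. If conf_find now stores the masked address in `c.c_ss`, as the blacklistctl.c hunk above suggests by printing `c.c_ss` next to `c.c_lmask`, formatting `(void *)&c.c_ss` on the `sockaddr_snprintf(rbuf, ...)` line would keep the daemon's log and blacklistctl's listing in step; conf_find is not in this diff, so please confirm which field holds the address used for the rule. The enclosing function starts and ends outside this hunk.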
@@ -244,7 +243,7 @@
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}
- if (state_put(state, &rss, &c, &dbi) == -1)
+ if (state_put(state, &c, &dbi) == -1)
goto out;
out:
close(bi->bi_fd);
@@ -280,7 +279,7 @@
return;
}
- for (n = 0, f = 1; state_iterate(state, &ss, &c, &dbi, f) == 1;
+ for (n = 0, f = 1; state_iterate(state, &c, &dbi, f) == 1;
f = 0, n++)
{
time_t when = c.c_duration + dbi.last;
@@ -297,13 +296,13 @@
if (c.c_duration == -1 || when >= ts.tv_sec)
continue;
if (dbi.id[0]) {
- run_change("rem", &c, &ss, dbi.id, 0);
+ run_change("rem", &c, dbi.id, 0);
sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&ss);
syslog(LOG_INFO,
- "released %s at port %d after %d seconds",
- buf, c.c_port, c.c_duration);
+ "released %s/%d:%d after %d seconds",
+ buf, c.c_lmask, c.c_port, c.c_duration);
}
- state_del(state, &ss, &c);
+ state_del(state, &c);
}
}
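Review bot: The release-path log on the `sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&ss);` line still formats `ss`, but the loop header in the previous hunk now calls `state_iterate(state, &c, &dbi, f)` and no longer passes `&ss`, so unless `ss` is assigned somewhere outside these hunks the "released" message prints a stale or uninitialized address. The record's address now travels in the conf struct, as the blacklistctl.c hunk reads it via `c.c_ss`; the matching change here is `sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&c.c_ss);`, after which the `ss` local can probably go the way of the one removed from blacklistctl.c. The enclosing function starts before these hunks. Separately, the blacklistd.8 hunk documents the removal invocation as `control add <rulename> <proto> <address> <mask> <port>` with no `<id>`, which does not match the `run_change("rem", &c, dbi.id, 0)` call on this path and looks like a copy of the add line.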
@@ -334,15 +333,16 @@
main(int argc, char *argv[])
{
int c, tout, flags, reset;
- const char *spath;
+ const char *spath, *blsock;
setprogname(argv[0]);
spath = NULL;
+ blsock = _PATH_BLSOCK;
reset = 0;
tout = 0;
flags = O_RDWR|O_EXCL|O_CLOEXEC;
- while ((c = getopt(argc, argv, "C:c:D:dfr:P:t:v")) != -1) {
+ while ((c = getopt(argc, argv, "C:c:D:dfr:P:s:t:v")) != -1) {
switch (c) {
case 'C':
controlprog = optarg;
@@ -359,11 +359,14 @@
case 'f':
reset++;
break;
+ case 'P':
+ spath = optarg;
+ break;
case 'r':
rulename = optarg;