Source-Changes-HG archive


[src/trunk]: src/external/bsd/blacklist/libexec improve on ipfilter rules by ...



details:   https://anonhg.NetBSD.org/src/rev/b943d85b6b88
branches:  trunk
changeset: 345817:b943d85b6b88
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Jun 09 20:02:52 2016 +0000

description:
improve on ipfilter rules by Cy Schubert

diffstat:

 external/bsd/blacklist/libexec/blacklistd-helper |  8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diffs (26 lines):

diff -r eb3bb7bf19dc -r b943d85b6b88 external/bsd/blacklist/libexec/blacklistd-helper
--- a/external/bsd/blacklist/libexec/blacklistd-helper  Thu Jun 09 19:04:43 2016 +0000
+++ b/external/bsd/blacklist/libexec/blacklistd-helper  Thu Jun 09 20:02:52 2016 +0000
@@ -52,8 +52,9 @@
 add)
        case "$pf" in
        ipf)
+               /sbin/ipfstat -io | /sbin/ipf -I -f -
                echo block in quick proto $proto from $addr/$mask to \
-                   any port=$port | /sbin/ipf -f -
+                   any port=$port head $port$6 | /sbin/ipf -I -f - -s
                ;;
        ipfw)
                # use $ipfw_offset+$port for rule number
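Review bot: The rule text built in this `add)` arm does not match the one the `rem)` arm builds in the second hunk, so the later `ipf -r` is unlikely to find the rule it is meant to delete. Here the group is `head $port$6` (with `$port` expanded) and the match is `port=$port`; there it is `head port$6` and `port =$port`. Use one spelling in both arms, for example `any port = $port head port$6`, ideally built once in a variable so the two cannot drift apart. The expansions of `$proto`, `$addr`, `$mask`, `$port` and `$6` are also unquoted; they presumably come from the helper's arguments, so quoting the whole rule string passed to `echo` would prevent word splitting and globbing. The `add)` case continues outside the hunk.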
@@ -79,8 +80,9 @@
 rem)
        case "$pf" in
        ipf)
-               echo "$0: $1 is unsupported by ipfilter" 1>&2
-               exit 1
+               /sbin/ipfstat -io | /sbin/ipf -I -f -
+               echo block in quick proto $proto from $addr/$mask to any \
+                   port =$port head port$6 | /sbin/ipf -r -f - -s
                ;;
        ipfw)
                /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
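Review bot: The removal at the end of the `ipf)` arm runs `ipf -r -f - -s` without `-I`, so it appears to delete the rule from the active set and then swap to the inactive set, which the preceding `ipfstat -io | ipf -I -f -` line has just filled with a copy that still contains the block rule. If ipf applies its options in command-line order, as assumed here, the address stays blocked after `rem`; the line should probably end `| /sbin/ipf -I -r -f - -s`, mirroring the `add)` arm. Neither pipeline's exit status is checked, so a failed copy into the inactive set followed by `-s` could activate an incomplete ruleset; test the first command before swapping. The `rem)` case continues outside the hunk.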


