NetBSD-Bugs archive
bin/59779: ip addresses exceeding blocklistd max tries are not added to npf ruleset
>Number: 59779
>Category: bin
>Synopsis: due to unknown circumstances, IP addresses that exceed the blocklistd max tries limit by multiple times are not being added to the npf ruleset
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Nov 20 17:30:01 +0000 2025
>Originator: ocb
>Release: NetBSD 10.1
>Environment:
System: NetBSD mail 10.0 NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
# uname -a
NetBSD server 10.0 NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
# vmstat
procs memory page disks faults cpu
r b avm fre flt re pi po fr sr w0 d1 in sy cs us sy id
0 0 20332 755484 31 0 0 0 3 3 3 3 11 85 20 0 0 100
# cpuctl list
Num HwId Unbound LWPs Interrupts Last change #Intr
---- ---- ------------ ---------- ------------------------ -----
0 0 online intr Tue Oct 7 13:22:48 2025 13
# cat /etc/blocklistd.conf
[local]
smtp stream tcp postfix * 5 24h
submission stream tcp postfix * 5 24h
imaps stream tcp * * 5 24h
ssh stream tcp root * 9 720h
# npfctl show
# filtering: active
# config: loaded
table <blocklistd> type ipset
table <suspicious> type lpm
procedure "normalize"
procedure "log"
group default { # id="1"
pass final on lo0 all # id="2"
block in final family inet6 all # id="3"
block out final family inet6 all # id="4"
ruleset "blocklistd" # id="5"
block in final from <blocklistd> # id="6"
block in final from <suspicious> # id="7"
pass stateful out final all # id="8"
pass stateful in final proto tcp flags S/FSRA to ifaddrs(wm0) port 22 # id="9"
pass stateful in final proto tcp flags S/FSRA to ifaddrs(wm0) port { 25 } # id="a"
block in final all # id="b"
}
# cat check.sh
blocklistctl dump -a | awk 'NR == 1 { next }    # skip the header line
{
	# the id column is empty for entries that are not blocked yet, so the
	# nfail/max counter is either field 2 or field 3
	nfail = ($2 ~ /\//) ? $2 : $3
	split(nfail, p, "/")
	max_tries = p[2]
	if (p[1] + 0 > max_tries + 0) {
		ip = $1
		sub(/\/[0-9]+:.*/, "", ip)    # strip the /mask:port suffix
		# fixed-string, whole-word match so 1.2.3.4 is not "found" via 1.2.3.40
		check = "npfctl rule blocklistd list | grep -qwF -- " ip
		if (system(check) == 0) { print "found: " $0 } else { print "missing: " $0 }
	}
}'
# ksh check.sh
found: 27.79.5.231/32:22 79 10/9 2025/10/28 03:10:41
found: 142.93.78.93/32:22 fd 10/9 2025/11/14 22:34:48
found: 165.227.39.168/32:22 a0 10/9 2025/11/01 18:39:09
missing: 80.94.95.115/32:22 1f19 1413/9 2025/11/16 17:55:06
missing: 80.94.95.116/32:22 1f13 1575/9 2025/11/16 16:29:58
found: 27.79.41.80/32:22 5a 10/9 2025/10/25 01:06:13
found: 27.79.3.60/32:22 84 13/9 2025/10/29 01:57:02
found: 112.164.20.69/32:22 51 10/9 2025/10/23 05:50:37
found: 107.170.38.86/32:22 ae 10/9 2025/11/03 23:58:05
found: 107.170.72.244/32:22 e0 10/9 2025/11/10 17:22:00
missing: 35.240.174.82/32:22 400 19/9 2025/10/28 00:02:00
missing: 92.118.39.34/32:22 3cf 36/9 2025/10/27 00:32:24
missing: 92.118.39.36/32:22 3cb 36/9 2025/10/28 03:51:12
missing: 92.118.39.37/32:22 3dc 37/9 2025/10/27 04:55:49
missing: 185.156.73.233/32:22 1f34 2849/9 2025/11/16 18:27:09
missing: 194.0.234.93/32:22 1f37 440/9 2025/10/22 11:25:27
found: 107.170.48.43/32:22 ce 10/9 2025/11/08 14:38:08
missing: 139.19.117.130/32:22 1f3e 690/9 2025/11/20 16:37:05
found: 134.199.150.131/32:22 4e 10/9 2025/10/23 05:37:30
missing: 92.118.39.83/32:22 3c6 37/9 2025/10/28 02:07:48
missing: 92.118.39.84/32:22 3de 25/9 2025/10/26 03:28:37
found: 64.226.125.110/32:22 b8 10/9 2025/11/06 04:30:25
missing: 92.118.39.92/32:22 3bf 121/9 2025/11/16 17:38:39
missing: 92.118.39.95/32:22 3ef 141/9 2025/11/20 03:18:55
missing: 62.60.131.157/32:22 373 245/9 2025/11/20 16:34:55
missing: 92.118.39.100/32:22 3c7 33/9 2025/10/27 21:32:48
missing: 196.251.71.24/32:22 42c 156/9 2025/10/22 18:44:46
missing: 92.118.39.101/32:22 3da 32/9 2025/10/27 23:03:00
found: 159.65.23.136/32:22 ef 10/9 2025/11/12 20:35:31
found: 171.231.181.124/32:22 56 10/9 2025/10/24 07:38:59
missing: 78.128.112.74/32:22 33f 405/9 2025/11/13 17:37:06
missing: 92.118.39.115/32:22 3c0 30/9 2025/10/28 01:12:49
found: 157.245.233.19/32:22 77 10/9 2025/10/27 17:21:55
missing: 150.241.246.148/32:22 40a 12/9 2025/10/28 07:04:06
found: 27.79.7.34/32:22 64 12/9 2025/10/25 18:15:09
found: 116.110.3.15/32:22 a5 10/9 2025/11/02 08:43:36
found: 116.110.215.187/32:22 bc 11/9 2025/11/06 12:25:28
missing: 45.156.185.224/32:22 424 24/9 2025/11/05 12:19:13
found: 64.227.171.121/32:22 12c 10/9 2025/11/19 16:33:35
missing: 216.10.247.49/32:22 432 34/9 2025/11/09 16:21:47
missing: 92.118.39.152/32:22 3dd 27/9 2025/10/27 12:45:40
found: 23.94.27.110/32:22 10b 48/9 2025/11/16 12:42:25
found: 116.110.210.141/32:22 8e 12/9 2025/10/30 12:25:01
found: 134.199.167.173/32:22 113 10/9 2025/11/17 06:59:06
found: 116.99.172.63/32:22 59 12/9 2025/10/25 01:06:04
missing: 35.234.34.126/32:22 436 19/9 2025/10/25 02:35:06
missing: 92.118.39.180/32:22 3cc 28/9 2025/10/26 20:03:31
found: 171.243.149.221/32:22 8a 11/9 2025/10/29 19:45:31
found: 146.190.18.176/32:22 90 10/9 2025/10/30 20:13:13
found: 27.79.7.118/32:22 63 11/9 2025/10/25 18:15:04
found: 171.231.176.133/32:22 9e 13/9 2025/11/01 15:51:41
found: 27.79.40.59/32:22 b6 10/9 2025/11/05 09:09:43
missing: 147.182.205.88/32:22 3f1 10/9 2025/10/27 19:36:40
missing: 45.148.10.196/32:22 3ab 45/9 2025/11/01 15:07:58
found: 116.110.149.156/32:22 8d 10/9 2025/10/30 12:24:52
missing: 193.32.162.146/32:22 1f4c 361/9 2025/11/17 04:48:15
found: 116.110.3.115/32:22 46 11/9 2025/10/22 03:34:01
missing: 185.246.128.171/32:22 393 1281/9 2025/11/13 07:30:03
missing: 193.32.162.151/32:22 446 204/9 2025/11/18 21:02:16
missing: 196.251.88.103/32:22 1fe0 16370/9 2025/11/11 01:20:20
missing: 194.0.234.19/32:22 1efd 1257/9 2025/10/22 12:56:47
found: 157.230.131.249/32:22 62 10/9 2025/10/25 15:34:52
missing: 193.32.162.157/32:22 1efc 4427/9 2025/11/19 00:37:45
missing: 122.165.60.231/32:22 437 70/9 2025/11/19 16:06:57
This is the blocklistd database IP address dump, which is then compared against the npf blocklistd ruleset. IP addresses that exceed the limit by a number of times are missing from the npf ruleset, even though they have received the npf identifier. Only entries that exceed the max tries limit are taken into consideration in the script.
# blocklistctl dump -a | wc -l
535
# npfctl rule "blocklistd" list | wc -l
239
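As an added example (not code from this PR, from blocklistd or from npf), the same comparison check.sh performs, done offline on constructed sample data, and additionally reporting how many times over max tries each entry is, which is the pattern the dump above shows. The rule wording in NPF_LIST is an assumption; addresses are extracted by regex, so any listing that prints the address works.

```python
import re

# Constructed sample of `blocklistctl dump -a` output (RFC 5737 addresses, not
# real hosts). Columns: address/mask:port, npf rule id (empty until the entry
# is actually blocked), nfail/max, last access.
DUMP = """\
        address/ma:port id      nfail   last access
192.0.2.10/32:22        79      10/9    2025/10/28 03:10:41
192.0.2.11/32:22        1f19    1413/9  2025/11/16 17:55:06
192.0.2.12/32:22                4/9     2025/11/16 18:00:00
198.51.100.7/32:25      2b      17/5    2025/11/09 03:35:31
"""
# Constructed stand-in for `npfctl rule blocklistd list`; the rule wording is
# an assumption, only the addresses in it are used.
NPF_LIST = """\
block in final proto tcp from 192.0.2.10/32 to any port 22
block in final proto tcp from 198.51.100.7/32 to any port 25
"""
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def parse_dump(text):
    """Yield (addr, port, rule_id, nfail, maxfail) per dump line, skipping the
    header. The id column may be empty, so the counter is whichever of field 2
    or field 3 contains a '/'."""
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 4:
            continue
        addr, port = f[0].rsplit(":", 1)
        rule_id, counter = (None, f[1]) if "/" in f[1] else (f[1], f[2])
        nfail, maxfail = (int(x) for x in counter.split("/"))
        yield addr.split("/")[0], int(port), rule_id, nfail, maxfail

def blocked_addrs(npf_list):
    """Addresses present in the ruleset, matched as whole tokens so that
    192.0.2.1 is not reported as found just because 192.0.2.10 is listed."""
    return {a for line in npf_list.splitlines() for a in IPV4.findall(line)}

def audit(dump, npf_list):
    """Return (found, missing): over-limit entries that are / are not in the
    ruleset, each tagged with how many times over max tries it is."""
    present = blocked_addrs(npf_list)
    found, missing = [], []
    for addr, _port, _rid, nfail, maxfail in parse_dump(dump):
        if nfail <= maxfail:
            continue
        (found if addr in present else missing).append((addr, round(nfail / maxfail, 1)))
    return found, missing
```

On a real host, replace DUMP and NPF_LIST with the captured output of the two commands; a non-empty missing list with large factors reproduces the observation in this PR.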
We have another virtual machine with a few differences: it runs NetBSD 10.1 with the virtio network driver and has 2 vCPU cores.
# uname -a
NetBSD server 10.1 NetBSD 10.1 (GENERIC) #0: Mon Dec 16 13:08:11 UTC 2024 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
# vmstat
procs memory page disk faults cpu
r b avm fre flt re pi po fr sr l0 in sy cs us sy id
0 0 1102752 111216 89 0 0 0 6 6 2 273 106 19 0 0 100
# cpuctl list
Num HwId Unbound LWPs Interrupts Last change #Intr
---- ---- ------------ ---------- ------------------------ -----
0 0 online intr Tue Oct 28 13:14:02 2025 13
1 1 online intr Tue Oct 28 13:14:02 2025 0
# cat /etc/blocklistd.conf
[local]
smtp stream tcp postfix * 5 24h
submission stream tcp postfix * 5 24h
imaps stream tcp * * 5 24h
ssh stream tcp root * 10 720h
# npfctl show
# filtering: active
# config: loaded
table <blocklistd> type ipset
table <suspicious> type lpm
procedure "normalize"
procedure "log"
group default { # id="1"
pass final on lo0 all # id="2"
block in final family inet6 all # id="3"
block out final family inet6 all # id="4"
ruleset "blocklistd" # id="5"
block in final from <blocklistd> # id="6"
block in final from <suspicious> # id="7"
pass stateful out final all # id="8"
pass stateful in final proto tcp flags S/FSRA to ifaddrs(vioif0) port 22 # id="9"
pass stateful in final proto tcp flags S/FSRA to ifaddrs(vioif0) port { 80, 443 } # id="a"
block in final all # id="b"
}
# ksh check.sh
found: 47.236.83.35/32:22 3c 18/10 2025/11/11 06:35:28
found: 116.99.171.117/32:22 2c 11/10 2025/11/09 06:57:48
found: 27.79.4.203/32:22 6f 11/10 2025/11/18 09:24:58
found: 142.59.21.159/32:22 66 17/10 2025/11/17 04:54:59
found: 101.47.48.205/32:22 67 34/10 2025/11/17 05:09:20
found: 8.217.77.179/32:22 2b 17/10 2025/11/09 03:35:31
found: 171.243.150.249/32:22 68 11/10 2025/11/17 16:23:10
found: 185.243.5.131/32:22 6a 59/10 2025/11/17 16:37:46
# blocklistctl dump -a | wc -l
1342
# npfctl rule "blocklistd" list | wc -l
86
Here, we conclude that this machine has more entries in the blocklistd database, fewer IP addresses that exceed the max tries limit, and no missing IP addresses in the npf blocklistd ruleset.
I haven't got much time to investigate this further at this moment.
>Fix:
Unknown