Port-arm archive


Re: No ipf in RPI2 evbarm 7.0.2 kernel?



BTW, npfctl always complains about bpfjit:

npfctl: error loading the bpfjit module; performance will be degraded:
Operation not permitted
npfctl: To disable this warning `set bpf.jit off' in /etc/npf.conf

I suspect bpfjit does not exist for ARM.

I only see on disk the kernel module
/stand/evbarm/7.0/modules/bpf/bpf.kmod and modstat tells me that bpf
is a builtin module.

--emi


On Sat, Jul 7, 2018 at 12:52 AM, Emilian Bold <emilian.bold%gmail.com@localhost> wrote:
>>  I now suspect one could tweak fail2ban to use a npf table file and just call `npf reload` when blocking / unblocking IPs.
>
> Ha! Such a thing exists:
> https://github.com/fail2ban/fail2ban/blob/0.11/config/action.d/npf.conf
>
> The fail2ban NetBSD arm package is just too old to include it.
>
> --emi
>
>
> On Fri, Jul 6, 2018 at 11:59 PM, Emilian Bold <emilian.bold%gmail.com@localhost> wrote:
>> npf seems to function. Feedback:
>>
>> * the npf.conf(5) man page example is too long so I just created a
>> shorter .conf file with only the blocklist. This is how I managed to
>> lock myself out as I guess the default group just blocks everything by
>> default.
>>
>> * I needed to add npf to /etc/modules.conf which is not documented
>>
>> * I cannot use log: npflog0. ifconfig fails although I'm also loading
>> the npf_ext_log and npf_ext_normalize modules in /etc/modules.conf
>> (this is luckily mentioned in the example)
>>
>>  # ifconfig npflog0 create
>> ifconfig: clone_command: Invalid argument
>> ifconfig: exec_matches: Invalid argument
>>
>> * the example has a `table <blacklist> type hash file` which doesn't
>> work with CIDRs for some reason; it needs a 'type tree' file, whatever
>> that is.
>>
>> * `npfctl reload` is opaque and fails although `validate` doesn't
>> complain. The error:
>>
>> npfctl: npfctl_config_send: Invalid argument
>>
>> is not telling you anything. Turns out my /etc/npf_blacklist file
>> (which gets loaded in the table) is too long! 500 lines seems to be
>> the max. Why?
>>
>> * npfctl table add is cool but it would be nice to actually write to the file.
>>
>> Anyhow, npf is looking much better! I now suspect one could tweak
>> fail2ban to use a npf table file and just call `npf reload` when
>> blocking / unblocking IPs.
>>
>> --emi
>>
>>
>> On Fri, Jul 6, 2018 at 1:00 PM, Robert Swindells <rjs%fdy2.co.uk@localhost> wrote:
>>>
>>> Emilian Bold <emilian.bold%gmail.com@localhost> wrote:
>>>>Wow! So... I just want to block an IP based on the nginx log.
>>>
>>> Ok.
>>>
>>> You already have the IP addresses in a file so don't need to have
>>> extra application support to detect and respond to new ones.
>>>
>>> Maybe run a script at regular intervals to extract the addresses
>>> and do something with them.
>>>
>>>>Honestly I would love to have just an /etc/blockips.conf file which
>>>>has IPs or CIDR addresses and maps to whatever underlying firewall
>>>>there is on the system. I just want something simple, not do the
>>>>routing for a small intranet, don't give me all these grammars to
>>>>learn. (Not criticising the support I got so far, which is awesome,
>>>>just the tooling status quo).
>>>
>>> The npf examples in /usr/share/examples/npf show how to set up a
>>> table of addresses to block.
>>>
>>> This table can be initialized from a list of addresses in a file
>>> and/or you can add addresses individually using 'npfctl table ...'.
>>>
>>>
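Robert's suggestion of a periodic script and emi's table-file setup, combined into one added example (not code from anyone in the thread). It assumes nginx's default "combined" log format, the /etc/npf_blacklist path from the thread, and a 4xx-count selection rule of my own; the `run_once` function is only meant for a NetBSD host with npfctl installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns nginx access-log entries into
# the one-address-per-line file that an npf table declared as
#   table <blacklist> type tree file "/etc/npf_blacklist"
# reads (the thread notes "type tree" is needed when the file holds CIDRs),
# after which `npfctl reload` re-reads it. The selection rule used here
# (at least THRESHOLD responses with a 4xx status) is an assumption.

# Constructed sample lines in nginx's default "combined" format, not real traffic.
SAMPLE_LOG='192.0.2.10 - - [06/Jul/2018:23:59:01 +0300] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.60"
192.0.2.10 - - [06/Jul/2018:23:59:02 +0300] "GET /admin HTTP/1.1" 403 162 "-" "curl/7.60"
192.0.2.10 - - [06/Jul/2018:23:59:03 +0300] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "curl/7.60"
198.51.100.7 - - [06/Jul/2018:23:59:04 +0300] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2018:23:59:05 +0300] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jul/2018:23:59:06 +0300] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.19"
203.0.113.5 - - [06/Jul/2018:23:59:07 +0300] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.19"
203.0.113.5 - - [06/Jul/2018:23:59:08 +0300] "GET /phpinfo.php HTTP/1.1" 404 162 "-" "python-requests/2.19"'

# offenders THRESHOLD: read combined-format log lines on stdin and print each
# client address ($1) that produced at least THRESHOLD 4xx responses ($9).
offenders() {
    awk -v limit="$1" '
        $9 ~ /^4[0-9][0-9]$/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print ip }
    ' | sort
}

# merge_table FILE: add the addresses on stdin to the table file FILE,
# de-duplicated, so repeated runs do not grow it (the thread reports
# `npfctl reload` failing once the file passed roughly 500 lines).
merge_table() {
    { [ -f "$1" ] && cat "$1"; cat; } | sort -u > "$1.tmp" && mv "$1.tmp" "$1"
}

# Typical cron invocation (assumed paths): new offenders from the current log
# are merged into the table file, then the ruleset is reloaded.
run_once() {
    table="${1:-/etc/npf_blacklist}"
    offenders 3 < "${2:-/var/log/nginx/access.log}" | merge_table "$table"
    npfctl reload
}
```

Run `printf '%s\n' "$SAMPLE_LOG" | offenders 3` to see which of the constructed clients would be listed before pointing the script at a real log.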

