Source-Changes-HG archive


[src/CHRISTOS]: src/external/bsd/blocklist Import blocklist from https://gith...



details:   https://anonhg.NetBSD.org/src/rev/f780c3d57a2d
branches:  CHRISTOS
changeset: 934638:f780c3d57a2d
user:      christos <christos%NetBSD.org@localhost>
date:      Mon Jun 15 01:52:52 2020 +0000

description:
Import blocklist from https://github.com/zoulasc/blocklist.
This is the same code as blacklist from the HEAD of the NetBSD tree.

diffstat:

 external/bsd/blocklist/Makefile                  |     5 +
 external/bsd/blocklist/Makefile.inc              |    10 +
 external/bsd/blocklist/README                    |   113 ++
 external/bsd/blocklist/TODO                      |    21 +
 external/bsd/blocklist/bin/Makefile              |    15 +
 external/bsd/blocklist/bin/blocklistctl.8        |    86 +
 external/bsd/blocklist/bin/blocklistctl.c        |   168 +++
 external/bsd/blocklist/bin/blocklistd.8          |   284 +++++
 external/bsd/blocklist/bin/blocklistd.c          |   576 ++++++++++
 external/bsd/blocklist/bin/blocklistd.conf.5     |   229 ++++
 external/bsd/blocklist/bin/conf.c                |  1223 ++++++++++++++++++++++
 external/bsd/blocklist/bin/conf.h                |    65 +
 external/bsd/blocklist/bin/internal.c            |    48 +
 external/bsd/blocklist/bin/internal.h            |    57 +
 external/bsd/blocklist/bin/run.c                 |   156 ++
 external/bsd/blocklist/bin/run.h                 |    41 +
 external/bsd/blocklist/bin/state.c               |   235 ++++
 external/bsd/blocklist/bin/state.h               |    62 +
 external/bsd/blocklist/bin/support.c             |   161 ++
 external/bsd/blocklist/bin/support.h             |    44 +
 external/bsd/blocklist/diff/ftpd.diff            |    91 +
 external/bsd/blocklist/diff/named.diff           |   216 +++
 external/bsd/blocklist/diff/postfix.diff         |    82 +
 external/bsd/blocklist/diff/proftpd.diff         |   124 ++
 external/bsd/blocklist/diff/ssh.diff             |   150 ++
 external/bsd/blocklist/etc/Makefile              |    10 +
 external/bsd/blocklist/etc/blocklistd.conf       |    14 +
 external/bsd/blocklist/etc/npf.conf              |    15 +
 external/bsd/blocklist/etc/rc.d/Makefile         |     6 +
 external/bsd/blocklist/etc/rc.d/blocklistd       |    57 +
 external/bsd/blocklist/include/Makefile          |    10 +
 external/bsd/blocklist/include/bl.h              |    78 +
 external/bsd/blocklist/include/blocklist.h       |    55 +
 external/bsd/blocklist/lib/Makefile              |    19 +
 external/bsd/blocklist/lib/bl.c                  |   526 +++++++++
 external/bsd/blocklist/lib/blocklist.c           |   108 +
 external/bsd/blocklist/lib/libblocklist.3        |   167 +++
 external/bsd/blocklist/lib/shlib_version         |     2 +
 external/bsd/blocklist/libexec/Makefile          |     6 +
 external/bsd/blocklist/libexec/blocklistd-helper |   129 ++
 external/bsd/blocklist/port/Makefile.am          |    25 +
 external/bsd/blocklist/port/_strtoi.h            |    93 +
 external/bsd/blocklist/port/clock_gettime.c      |    17 +
 external/bsd/blocklist/port/configure.ac         |    91 +
 external/bsd/blocklist/port/fgetln.c             |   106 +
 external/bsd/blocklist/port/fparseln.c           |   236 ++++
 external/bsd/blocklist/port/getprogname.c        |    24 +
 external/bsd/blocklist/port/m4/.cvsignore        |     1 +
 external/bsd/blocklist/port/pidfile.c            |   183 +++
 external/bsd/blocklist/port/popenve.c            |   274 ++++
 external/bsd/blocklist/port/port.h               |    86 +
 external/bsd/blocklist/port/sockaddr_snprintf.c  |   383 ++++++
 external/bsd/blocklist/port/strlcat.c            |    96 +
 external/bsd/blocklist/port/strlcpy.c            |    78 +
 external/bsd/blocklist/port/strtoi.c             |    61 +
 external/bsd/blocklist/test/Makefile             |    12 +
 external/bsd/blocklist/test/cltest.c             |   136 ++
 external/bsd/blocklist/test/srvtest.c            |   220 +++
 58 files changed, 7586 insertions(+), 0 deletions(-)

diffs (truncated from 7818 to 300 lines):

diff -r c29d41e08c28 -r f780c3d57a2d external/bsd/blocklist/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/Makefile   Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,5 @@
+# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+SUBDIR = lib .WAIT include bin etc libexec
+
+.include <bsd.subdir.mk>
diff -r c29d41e08c28 -r f780c3d57a2d external/bsd/blocklist/Makefile.inc
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/Makefile.inc       Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,10 @@
+#      $NetBSD: Makefile.inc,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+WARNS=6
+.if !defined(LIB)
+LDADD+=        -lblocklist
+DPADD+= ${LIBBLACKLIST}
+.endif
+CPPFLAGS+= -I${.CURDIR}/../include
+CPPFLAGS+=-DHAVE_STRUCT_SOCKADDR_SA_LEN -DHAVE_UTIL_H -DHAVE_DB_H
+
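Review bot: the `DPADD+= ${LIBBLACKLIST}` line in this hunk still refers to the old library name while the line above it links `-lblocklist`; unless bsd.prog.mk keeps defining the old alias, the dependency expands to nothing and the programs will not relink when the library changes. Suggest `DPADD+= ${LIBBLOCKLIST}` so the two lines name the same library.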
diff -r c29d41e08c28 -r f780c3d57a2d external/bsd/blocklist/README
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/README     Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,113 @@
+# $NetBSD: README,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+This package contains library that can be used by network daemons to
+communicate with a packet filter via a daemon to enforce opening and
+closing ports dynamically based on policy.
+
+The interface to the packet filter is in libexec/blocklistd-helper
+(this is currently designed for npf) and the configuration file
+(inspired from inetd.conf) is in etc/blocklistd.conf.
+
+On NetBSD you can find an example npf.conf and blocklistd.conf in
+/usr/share/examples/blocklistd; you need to adjust the interface
+in npf.conf and copy both files to /etc; then you just enable
+blocklistd=YES in /etc/rc.conf, start it up, and you are all set.
+
+There is also a startup file in etc/rc.d/blocklistd
+
+Patches to various daemons to add blocklisting capabilitiers are in the
+"diff" directory:
+    - OpenSSH: diff/ssh.diff [tcp socket example]
+    - Bind: diff/named.diff [both tcp and udp]
+    - ftpd: diff/ftpd.diff [tcp]
+
+These patches have been applied to NetBSD-current.
+
+The network daemon (for example sshd) communicates to blocklistd, via
+a unix socket like syslog. The library calls are simple and everything
+is handled by the library. In the simplest form the only thing the
+daemon needs to do is to call:
+
+       blocklist(action, acceptedfd, message);
+
+Where:
+       action = 0 -> successful login clear blocklist state
+                1 -> failed login, add to the failed count
+       acceptedfd -> the file descriptor where the server is
+                     connected to the remote client. It is used
+                     to determine the listening socket, and the
+                     remote address. This allows any program to
+                     contact the blocklist daemon, since the verification
+                     if the program has access to the listening
+                     socket is done by virtue that the port
+                     number is retrieved from the kernel.
+       message    -> an optional string that is used in debugging logs.
+
+Unfortunately there is no way to get information about the "peer"
+from a udp socket, because there is no connection and that information
+is kept with the server. In that case the daemon can provide the
+peer information to blocklistd via:
+
+       blocklist_sa(action, acceptedfd, sockaddr, sockaddr_len, message);
+
+The configuration file contains entries of the form:
+
+# Blacklist rule
+# host/Port    type    protocol        owner   name    nfail   disable
+192.168.1.1:ssh        stream  tcp             *       -int    10      1m
+8.8.8.8:ssh    stream  tcp             *       -ext    6       60m
+ssh            stream  tcp6            *       *       6       60m
+http           stream  tcp             *       *       6       60m
+
+Here note that owner is * because the connection is done from the
+child ssh socket which runs with user privs. We treat ipv4 connections
+differently by maintaining two different rules one for the external
+interface and one from the internal We also register for both tcp
+and tcp6 since those are different listening sockets and addresses;
+we don't bother with ipv6 and separate rules. We use nfail = 6,
+because ssh allows 3 password attempts per connection, and this
+will let us have 2 connections before blocking. Finally we block
+for an hour; we could block forever too by specifying * in the
+duration column.
+
+blocklistd and the library use syslog(3) to report errors. The
+blocklist filter state is persisted automatically in /var/db/blocklistd.db
+so that if the daemon is restarted, it remembers what connections
+is currently handling. To start from a fresh state (if you restart
+npf too for example), you can use -f. To watch the daemon at work,
+you can use -d.
+
+The current control file is designed for npf, and it uses the
+dynamic rule feature. You need to create a dynamic rule in your
+/etc/npf.conf on the group referring to the interface you want to block
+called blocklistd as follows:
+
+ext_if=bge0
+int_if=sk0
+       
+group "external" on $ext_if {
+       ...
+        ruleset "blocklistd-ext" 
+        ruleset "blocklistd" 
+       ...
+}
+
+group "internal" on $int_if {
+       ...
+        ruleset "blocklistd-int" 
+       ...
+}
+
+You can use 'blocklistctl dump -a' to list all the current entries
+in the database; the ones that have nfail <c>/<t> where <c>urrent
+>= <t>otal, should have an id assosiated with them; this means that
+there is a packet filter rule added for that entry. For npf, you
+can examine the packet filter dynamic rule entries using 'npfctl
+rule <rulename> list'.  The number of current entries can exceed
+the total. This happens because entering packet filter rules is
+asynchronous; there could be other connection before the rule
+becomes activated.
+
+Enjoy,
+
+christos
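Review bot: the sample configuration block in this README still carries the old name in its comment (`# Blacklist rule`) and should say `# Blocklist rule`; the README also does not say how the `name` column of that block (`-int`, `-ext`, `*`) maps onto the `blocklistd`, `blocklistd-ext` and `blocklistd-int` rulesets in the npf.conf excerpt further down, which is the one piece a reader setting this up needs. Typos to fix while here: "contains library" (a library), "capabilitiers", "from the internal We also" (missing full stop), "what connections is currently handling" (it is currently handling), "assosiated", and "there could be other connection" (connections).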
diff -r c29d41e08c28 -r f780c3d57a2d external/bsd/blocklist/TODO
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/TODO       Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,21 @@
+# $NetBSD: TODO,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+- don't poll periodically, find the next timeout
+- use the socket also for commands? Or separate socket?
+- add functionality to the control program. Should it change the database
+  directly, or talk to the daemon to have it do it?
+- perhaps handle interfaces too instead of addresses for dynamic ip?
+  <bge0/4>? What to do with multiple addresses?
+- perhaps rate limit against DoS
+- perhaps instead of scanning the list have a sparse map by port?
+- do we want to use libnpf directly for efficiency?
+- add more daemons ftpd?
+- do we care about the db state becoming too large? 
+- instead of a yes = bump one, no = return to 0 interface, do we want
+  to have something more flexible like?
+       +n
+       -n
+       block
+       unblock
+- do we need an api in blocklistctl to perform maintenance
+- fix the blocklistctl output to be more user friendly
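Review bot: of the items in this TODO, "perhaps rate limit against DoS" is the one with a direct security consequence and deserves more than a "perhaps": the README imported alongside it states that any local program can contact the daemon over the unix socket, so an unthrottled client can drive the failure counters and the resulting packet-filter rule churn. Worth tracking as a concrete item rather than a question.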
diff -r c29d41e08c28 -r f780c3d57a2d external/bsd/blocklist/bin/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/bin/Makefile       Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,15 @@
+# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+BINDIR=/sbin
+
+PROGS=blocklistd blocklistctl
+MAN.blocklistd=blocklistd.8 blocklistd.conf.5
+MAN.blocklistctl=blocklistctl.8
+SRCS.blocklistd = blocklistd.c conf.c run.c state.c support.c internal.c
+SRCS.blocklistctl = blocklistctl.c conf.c state.c support.c internal.c
+DBG=-g
+
+LDADD+=-lutil
+DPADD+=${LIBUTIL}
+
+.include <bsd.prog.mk>
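Review bot: `DBG=-g` in this Makefile overrides the tree-wide default debug/optimisation setting for blocklistd and blocklistctl, so the binaries installed to /sbin are built without the usual optimisation. This reads like a leftover from development; drop the line (or make it conditional) so the imported programs build with the same flags as the rest of the tree.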
diff -r c29d41e08c28 -r f780c3d57a2d external/bsd/blocklist/bin/blocklistctl.8
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/bin/blocklistctl.8 Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,86 @@
+.\" $NetBSD: blocklistctl.8,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+.\"
+.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Christos Zoulas.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd June 7, 2016
+.Dt BLACKLISTCTL 8
+.Os
+.Sh NAME
+.Nm blocklistctl
+.Nd display and change the state of blocklistd
+.Sh SYNOPSIS
+.Nm
+.Cm dump
+.Op Fl abdnrw
+.Sh DESCRIPTION
+.Nm
+is a program used to display the state of
+.Xr blocklistd 8
+.Pp
+The following options are available:
+.Bl -tag -width indent
+.It Fl a
+Show all database entries, by default it shows only the embryonic ones.
+.It Fl b
+Show only the blocked entries.
+.It Fl d
+Increase debugging level.
+.It Fl n
+Don't display a header.
+.It Fl r
+Show the remaining blocked time instead of the last activity time.
+.It Fl w
+Normally the width of addresses is good for IPv4, the
+.Fl w
+flag, makes the display wide enough for IPv6 addresses.
+.El
+.Sh SEE ALSO
+.Xr blocklistd 8
+.Sh NOTES
+Sometimes the reported number of failed attempts can exceed the number
+of attempts that
+.Xr blocklistd 8
+is configured to block.
+This can happen either because the rule has been removed manually, or
+because there were more attempts in flight while the rule block was being
+added.
+This condition is normal; in that case
+.Xr blocklistd 8
+will first attempt to remove the existing rule, and then it will re-add
+it to make sure that there is only one rule active.
+.Sh HISTORY
+.Nm
+first appeared in
+.Nx 7 .
+.Fx
+support for
+.Nm
+was implemented in
+.Fx 11 .
+.Sh AUTHORS
+.An Christos Zoulas
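Review bot: `.Dt BLACKLISTCTL 8` in this manual page still uses the old name and should be `.Dt BLOCKLISTCTL 8` to match `.Nm blocklistctl`; as written, the rendered header and the whatis/apropos index show the wrong name. The `.Dd June 7, 2016` date should be bumped for the rename too. Minor: the DESCRIPTION sentence ending in `.Xr blocklistd 8` has no terminating period, and the `-a` text would read better as "Show all database entries; by default only the embryonic ones are shown."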
diff -r c29d41e08c28 -r f780c3d57a2d external/bsd/blocklist/bin/blocklistctl.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/bin/blocklistctl.c Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,168 @@
+/*     $NetBSD: blocklistctl.c,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $    */
+
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
