Source-Changes-HG archive
[src/trunk]: src/external/bsd/blocklist Import blocklist from https://github....
details: https://anonhg.NetBSD.org/src/rev/3647b18de944
branches: trunk
changeset: 934647:3647b18de944
user: christos <christos%NetBSD.org@localhost>
date: Mon Jun 15 01:52:52 2020 +0000
description:
Import blocklist from https://github.com/zoulasc/blocklist.
This is the same code as blacklist from the HEAD of the NetBSD tree.
diffstat:
external/bsd/blocklist/Makefile | 5 +
external/bsd/blocklist/Makefile.inc | 10 +
external/bsd/blocklist/README | 113 ++
external/bsd/blocklist/TODO | 21 +
external/bsd/blocklist/bin/Makefile | 15 +
external/bsd/blocklist/bin/blocklistctl.8 | 86 +
external/bsd/blocklist/bin/blocklistctl.c | 168 +++
external/bsd/blocklist/bin/blocklistd.8 | 284 +++++
external/bsd/blocklist/bin/blocklistd.c | 576 ++++++++++
external/bsd/blocklist/bin/blocklistd.conf.5 | 229 ++++
external/bsd/blocklist/bin/conf.c | 1223 ++++++++++++++++++++++
external/bsd/blocklist/bin/conf.h | 65 +
external/bsd/blocklist/bin/internal.c | 48 +
external/bsd/blocklist/bin/internal.h | 57 +
external/bsd/blocklist/bin/run.c | 156 ++
external/bsd/blocklist/bin/run.h | 41 +
external/bsd/blocklist/bin/state.c | 235 ++++
external/bsd/blocklist/bin/state.h | 62 +
external/bsd/blocklist/bin/support.c | 161 ++
external/bsd/blocklist/bin/support.h | 44 +
external/bsd/blocklist/diff/ftpd.diff | 91 +
external/bsd/blocklist/diff/named.diff | 216 +++
external/bsd/blocklist/diff/postfix.diff | 82 +
external/bsd/blocklist/diff/proftpd.diff | 124 ++
external/bsd/blocklist/diff/ssh.diff | 150 ++
external/bsd/blocklist/etc/Makefile | 10 +
external/bsd/blocklist/etc/blocklistd.conf | 14 +
external/bsd/blocklist/etc/npf.conf | 15 +
external/bsd/blocklist/etc/rc.d/Makefile | 6 +
external/bsd/blocklist/etc/rc.d/blocklistd | 57 +
external/bsd/blocklist/include/Makefile | 10 +
external/bsd/blocklist/include/bl.h | 78 +
external/bsd/blocklist/include/blocklist.h | 55 +
external/bsd/blocklist/lib/Makefile | 19 +
external/bsd/blocklist/lib/bl.c | 526 +++++++++
external/bsd/blocklist/lib/blocklist.c | 108 +
external/bsd/blocklist/lib/libblocklist.3 | 167 +++
external/bsd/blocklist/lib/shlib_version | 2 +
external/bsd/blocklist/libexec/Makefile | 6 +
external/bsd/blocklist/libexec/blocklistd-helper | 129 ++
external/bsd/blocklist/port/Makefile.am | 25 +
external/bsd/blocklist/port/_strtoi.h | 93 +
external/bsd/blocklist/port/clock_gettime.c | 17 +
external/bsd/blocklist/port/configure.ac | 91 +
external/bsd/blocklist/port/fgetln.c | 106 +
external/bsd/blocklist/port/fparseln.c | 236 ++++
external/bsd/blocklist/port/getprogname.c | 24 +
external/bsd/blocklist/port/m4/.cvsignore | 1 +
external/bsd/blocklist/port/pidfile.c | 183 +++
external/bsd/blocklist/port/popenve.c | 274 ++++
external/bsd/blocklist/port/port.h | 86 +
external/bsd/blocklist/port/sockaddr_snprintf.c | 383 ++++++
external/bsd/blocklist/port/strlcat.c | 96 +
external/bsd/blocklist/port/strlcpy.c | 78 +
external/bsd/blocklist/port/strtoi.c | 61 +
external/bsd/blocklist/test/Makefile | 12 +
external/bsd/blocklist/test/cltest.c | 136 ++
external/bsd/blocklist/test/srvtest.c | 220 +++
58 files changed, 7586 insertions(+), 0 deletions(-)
diffs (truncated from 7818 to 300 lines):
diff -r 9d717769d8e9 -r 3647b18de944 external/bsd/blocklist/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/Makefile Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,5 @@
+# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+SUBDIR = lib .WAIT include bin etc libexec
+
+.include <bsd.subdir.mk>
diff -r 9d717769d8e9 -r 3647b18de944 external/bsd/blocklist/Makefile.inc
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/Makefile.inc Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,10 @@
+# $NetBSD: Makefile.inc,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+WARNS=6
+.if !defined(LIB)
+LDADD+= -lblocklist
+DPADD+= ${LIBBLACKLIST}
+.endif
+CPPFLAGS+= -I${.CURDIR}/../include
+CPPFLAGS+=-DHAVE_STRUCT_SOCKADDR_SA_LEN -DHAVE_UTIL_H -DHAVE_DB_H
+
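Review bot: the dependency line `DPADD+= ${LIBBLACKLIST}` still uses the pre-rename variable while the link line two above it is `LDADD+= -lblocklist`; if LIBBLACKLIST is no longer defined by the build system after the rename, the expansion is empty and programs linking the library will not be rebuilt when it changes. Change it to `DPADD+= ${LIBBLOCKLIST}` so the two lines refer to the same library.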
diff -r 9d717769d8e9 -r 3647b18de944 external/bsd/blocklist/README
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/README Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,113 @@
+# $NetBSD: README,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+This package contains library that can be used by network daemons to
+communicate with a packet filter via a daemon to enforce opening and
+closing ports dynamically based on policy.
+
+The interface to the packet filter is in libexec/blocklistd-helper
+(this is currently designed for npf) and the configuration file
+(inspired from inetd.conf) is in etc/blocklistd.conf.
+
+On NetBSD you can find an example npf.conf and blocklistd.conf in
+/usr/share/examples/blocklistd; you need to adjust the interface
+in npf.conf and copy both files to /etc; then you just enable
+blocklistd=YES in /etc/rc.conf, start it up, and you are all set.
+
+There is also a startup file in etc/rc.d/blocklistd
+
+Patches to various daemons to add blocklisting capabilitiers are in the
+"diff" directory:
+ - OpenSSH: diff/ssh.diff [tcp socket example]
+ - Bind: diff/named.diff [both tcp and udp]
+ - ftpd: diff/ftpd.diff [tcp]
+
+These patches have been applied to NetBSD-current.
+
+The network daemon (for example sshd) communicates to blocklistd, via
+a unix socket like syslog. The library calls are simple and everything
+is handled by the library. In the simplest form the only thing the
+daemon needs to do is to call:
+
+ blocklist(action, acceptedfd, message);
+
+Where:
+ action = 0 -> successful login clear blocklist state
+ 1 -> failed login, add to the failed count
+ acceptedfd -> the file descriptor where the server is
+ connected to the remote client. It is used
+ to determine the listening socket, and the
+ remote address. This allows any program to
+ contact the blocklist daemon, since the verification
+ if the program has access to the listening
+ socket is done by virtue that the port
+ number is retrieved from the kernel.
+ message -> an optional string that is used in debugging logs.
+
+Unfortunately there is no way to get information about the "peer"
+from a udp socket, because there is no connection and that information
+is kept with the server. In that case the daemon can provide the
+peer information to blocklistd via:
+
+ blocklist_sa(action, acceptedfd, sockaddr, sockaddr_len, message);
+
+The configuration file contains entries of the form:
+
+# Blacklist rule
+# host/Port type protocol owner name nfail disable
+192.168.1.1:ssh stream tcp * -int 10 1m
+8.8.8.8:ssh stream tcp * -ext 6 60m
+ssh stream tcp6 * * 6 60m
+http stream tcp * * 6 60m
+
+Here note that owner is * because the connection is done from the
+child ssh socket which runs with user privs. We treat ipv4 connections
+differently by maintaining two different rules one for the external
+interface and one from the internal We also register for both tcp
+and tcp6 since those are different listening sockets and addresses;
+we don't bother with ipv6 and separate rules. We use nfail = 6,
+because ssh allows 3 password attempts per connection, and this
+will let us have 2 connections before blocking. Finally we block
+for an hour; we could block forever too by specifying * in the
+duration column.
+
+blocklistd and the library use syslog(3) to report errors. The
+blocklist filter state is persisted automatically in /var/db/blocklistd.db
+so that if the daemon is restarted, it remembers what connections
+is currently handling. To start from a fresh state (if you restart
+npf too for example), you can use -f. To watch the daemon at work,
+you can use -d.
+
+The current control file is designed for npf, and it uses the
+dynamic rule feature. You need to create a dynamic rule in your
+/etc/npf.conf on the group referring to the interface you want to block
+called blocklistd as follows:
+
+ext_if=bge0
+int_if=sk0
+
+group "external" on $ext_if {
+ ...
+ ruleset "blocklistd-ext"
+ ruleset "blocklistd"
+ ...
+}
+
+group "internal" on $int_if {
+ ...
+ ruleset "blocklistd-int"
+ ...
+}
+
+You can use 'blocklistctl dump -a' to list all the current entries
+in the database; the ones that have nfail <c>/<t> where <c>urrent
+>= <t>otal, should have an id assosiated with them; this means that
+there is a packet filter rule added for that entry. For npf, you
+can examine the packet filter dynamic rule entries using 'npfctl
+rule <rulename> list'. The number of current entries can exceed
+the total. This happens because entering packet filter rules is
+asynchronous; there could be other connection before the rule
+becomes activated.
+
+Enjoy,
+
+christos
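Review bot: the README still carries leftovers from the blacklist-to-blocklist rename and a few typos that should be fixed before import: the sample configuration is headed `# Blacklist rule` although the file it documents is etc/blocklistd.conf; `capabilitiers` should read `capabilities`, `assosiated` should read `associated`, and `connections is currently handling` should read `connections it is currently handling`; the sentence `interface and one from the internal We also register` is missing a period after `internal`. One documentation point worth stating explicitly in the blocklist()/acceptedfd paragraph: the daemon trusts the port number recovered from the kernel rather than anything the client sends, which is the property that lets unprivileged children (owner `*`) report without being able to block arbitrary ports; the text implies this but a reader configuring owners will want it spelled out.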
diff -r 9d717769d8e9 -r 3647b18de944 external/bsd/blocklist/TODO
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/TODO Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,21 @@
+# $NetBSD: TODO,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+- don't poll periodically, find the next timeout
+- use the socket also for commands? Or separate socket?
+- add functionality to the control program. Should it change the database
+ directly, or talk to the daemon to have it do it?
+- perhaps handle interfaces too instead of addresses for dynamic ip?
+ <bge0/4>? What to do with multiple addresses?
+- perhaps rate limit against DoS
+- perhaps instead of scanning the list have a sparse map by port?
+- do we want to use libnpf directly for efficiency?
+- add more daemons ftpd?
+- do we care about the db state becoming too large?
+- instead of a yes = bump one, no = return to 0 interface, do we want
+ to have something more flexible like?
+ +n
+ -n
+ block
+ unblock
+- do we need an api in blocklistctl to perform maintenance
+- fix the blocklistctl output to be more user friendly
diff -r 9d717769d8e9 -r 3647b18de944 external/bsd/blocklist/bin/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/bin/Makefile Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,15 @@
+# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+
+BINDIR=/sbin
+
+PROGS=blocklistd blocklistctl
+MAN.blocklistd=blocklistd.8 blocklistd.conf.5
+MAN.blocklistctl=blocklistctl.8
+SRCS.blocklistd = blocklistd.c conf.c run.c state.c support.c internal.c
+SRCS.blocklistctl = blocklistctl.c conf.c state.c support.c internal.c
+DBG=-g
+
+LDADD+=-lutil
+DPADD+=${LIBUTIL}
+
+.include <bsd.prog.mk>
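Review bot: `DBG=-g` overrides the build's own DBG setting for both blocklistd and blocklistctl, so the installed binaries are built with debug info and without the tree's default optimisation flags. Unless that is intentional for the import, drop the line and let the caller set DBG on the make command line when debugging.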
diff -r 9d717769d8e9 -r 3647b18de944 external/bsd/blocklist/bin/blocklistctl.8
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/bin/blocklistctl.8 Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,86 @@
+.\" $NetBSD: blocklistctl.8,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $
+.\"
+.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Christos Zoulas.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd June 7, 2016
+.Dt BLACKLISTCTL 8
+.Os
+.Sh NAME
+.Nm blocklistctl
+.Nd display and change the state of blocklistd
+.Sh SYNOPSIS
+.Nm
+.Cm dump
+.Op Fl abdnrw
+.Sh DESCRIPTION
+.Nm
+is a program used to display the state of
+.Xr blocklistd 8
+.Pp
+The following options are available:
+.Bl -tag -width indent
+.It Fl a
+Show all database entries, by default it shows only the embryonic ones.
+.It Fl b
+Show only the blocked entries.
+.It Fl d
+Increase debugging level.
+.It Fl n
+Don't display a header.
+.It Fl r
+Show the remaining blocked time instead of the last activity time.
+.It Fl w
+Normally the width of addresses is good for IPv4, the
+.Fl w
+flag, makes the display wide enough for IPv6 addresses.
+.El
+.Sh SEE ALSO
+.Xr blocklistd 8
+.Sh NOTES
+Sometimes the reported number of failed attempts can exceed the number
+of attempts that
+.Xr blocklistd 8
+is configured to block.
+This can happen either because the rule has been removed manually, or
+because there were more attempts in flight while the rule block was being
+added.
+This condition is normal; in that case
+.Xr blocklistd 8
+will first attempt to remove the existing rule, and then it will re-add
+it to make sure that there is only one rule active.
+.Sh HISTORY
+.Nm
+first appeared in
+.Nx 7 .
+.Fx
+support for
+.Nm
+was implemented in
+.Fx 11 .
+.Sh AUTHORS
+.An Christos Zoulas
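Review bot: `.Dt BLACKLISTCTL 8` still carries the old name while the file and `.Nm blocklistctl` use the new one, so the rendered page header and the whatis/apropos index will disagree with the command name; change it to `.Dt BLOCKLISTCTL 8`. Two smaller points in the same file: the DESCRIPTION sentence ending in `.Xr blocklistd 8` lacks a terminating period (mdoc would want `.Xr blocklistd 8 .`), and `.Dd June 7, 2016` predates this rename, so bump it if the page is considered modified.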
diff -r 9d717769d8e9 -r 3647b18de944 external/bsd/blocklist/bin/blocklistctl.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blocklist/bin/blocklistctl.c Mon Jun 15 01:52:52 2020 +0000
@@ -0,0 +1,168 @@
+/* $NetBSD: blocklistctl.c,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ */
+
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS