From: Jose Luis Duran
Reply-To: jlduran@freebsd.org
Date: Sun, 12 Oct 2025 21:27:12 -0300
To: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 7238317403b9 - main - blocklist: Rename blacklist to blocklist
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
In-Reply-To: <202510121718.59CHIkWb030841@gitrepo.freebsd.org>

I just broke the metalog_reader.lua -c check with the rename of blocklist. As blacklist man pages are just a symlink from blocklist, it ends up installing blocklist man pages twice and reporting a duplicate error.
$ /usr/libexec/flua tools/pkgbase/metalog_reader.lua -c /usr/obj/usr/src/arm64.aarch64/worldstage/METALOG
error: ./usr/share/man/man3/libblocklist.3.gz file repeated with same meta: line 11229,11242
error: ./usr/share/man/man5/blocklistd.conf.5.gz file repeated with same meta: line 37809,37819
error: ./usr/share/man/man8/blocklistctl.8.gz file repeated with same meta: line 37803,37814
error: ./usr/share/man/man8/blocklistd.8.gz file repeated with same meta: line 37808,37818

The trivial fix is yet again: duplication. In this case, the man pages for blacklist (not symlinked to blocklist). To be submitted shortly. Sorry!

On Sun, Oct 12, 2025 at 2:18 PM Jose Luis Duran wrote:
>
> The branch main has been updated by jlduran:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=7238317403b95a8e35cf0bc7cd66fbd78ecbe521
>
> commit 7238317403b95a8e35cf0bc7cd66fbd78ecbe521
> Author:     Jose Luis Duran
> AuthorDate: 2025-10-12 17:14:27 +0000
> Commit:     Jose Luis Duran
> CommitDate: 2025-10-12 17:14:27 +0000
>
>     blocklist: Rename blacklist to blocklist
>
>     Follow up upstream rename from blacklist to blocklist.
>
>     - Old names and rc scripts are still valid, but emitting an ugly warning
>     - Old firewall rules and anchor names should work, but emitting an ugly
>       warning
>     - Old MK_BLACKLIST* knobs are wired to the new ones
>
>     Although care has been taken not to break current configurations, this
>     is a large patch containing mostly duplicated code. If issues arise, it
>     will be swiftly reverted.
>
>     Reviewed by:    ivy (pkgbase)
>     Approved by:    emaste (mentor)
>     MFC after:      2 days
>     Relnotes:       yes
> ---
>  contrib/blocklist/bin/blacklistctl.c | 170 ++++
>  contrib/blocklist/bin/blacklistd.c | 592 +++++++++++++++++++
>  contrib/blocklist/bin/old_internal.c | 50 ++
>  contrib/blocklist/bin/old_internal.h | 58 ++
>  contrib/blocklist/include/blacklist.h | 65 +++
>  contrib/blocklist/include/old_bl.h | 80 +++
>  contrib/blocklist/lib/blacklist.c | 117 ++++
>  contrib/blocklist/lib/old_bl.c | 554 +++++++++++++++++++
>  crypto/openssh/auth-pam.c | 4 +-
>  crypto/openssh/auth.c | 8 +-
>  crypto/openssh/{blacklist.c => blocklist.c} | 16 +-
>  .../{blacklist_client.h => blocklist_client.h} | 30 +-
>  crypto/openssh/monitor.c | 8 +-
>  crypto/openssh/servconf.c | 18 +-
>  crypto/openssh/servconf.h | 2 +-
>  crypto/openssh/sshd-session.c | 10 +-
>  crypto/openssh/sshd_config | 2 +-
>  crypto/openssh/sshd_config.5 | 14 +-
>  lib/Makefile | 1 +
>  lib/libblacklist/Makefile | 24 +-
>  lib/libblocklist/Makefile | 30 ++
>  lib/libblocklist/Makefile.depend | 16 +
>  lib/libsysdecode/Makefile.depend | 2 +-
>  libexec/Makefile | 6 +-
>  libexec/blacklistd-helper/Makefile | 7 -
>  libexec/blocklistd-helper/Makefile | 10 +
>  .../Makefile.depend | 0
>  libexec/blocklistd-helper/blacklistd-helper | 293 ++++++++++
>  libexec/fingerd/Makefile | 8 +-
>  libexec/fingerd/Makefile.depend.options | 2 +-
>  libexec/fingerd/fingerd.c | 16 +-
>  libexec/rc/rc.conf | 6 +-
>  libexec/rc/rc.d/Makefile | 5 +-
>  libexec/rc/rc.d/blacklistd | 10 +-
>  libexec/rc/rc.d/blocklistd | 46 ++
>  release/packages/ucl/blocklist-all.ucl | 8 +-
>  secure/libexec/sshd-auth/Makefile | 10 +-
>  secure/libexec/sshd-session/Makefile | 10 +-
>  secure/usr.sbin/sshd/Makefile.depend.options | 2 +-
>  share/man/man5/periodic.conf.5 | 2 +-
>  share/man/man5/src.conf.5 | 43 +-
>  share/mk/bsd.libnames.mk | 1 +
>  share/mk/local.dirdeps-options.mk | 1 +
>  share/mk/src.libnames.mk | 10 +-
>  share/mk/src.opts.mk | 10 +
>  targets/pseudo/userland/Makefile.depend | 6 +
>  targets/pseudo/userland/lib/Makefile.depend | 4 +
>  targets/pseudo/userland/libexec/Makefile.depend | 4 +-
>  tools/build/mk/OptionalObsoleteFiles.inc | 21 +-
>  tools/build/options/WITHOUT_BLACKLIST | 6 +-
>  tools/build/options/WITHOUT_BLACKLIST_SUPPORT | 8 +-
>  tools/build/options/WITHOUT_BLOCKLIST | 4 +
>  tools/build/options/WITHOUT_BLOCKLIST_SUPPORT | 6 +
>  usr.sbin/Makefile | 2 +
>  usr.sbin/blacklistctl/Makefile | 10 +-
>  usr.sbin/blacklistd/Makefile | 13 +-
>  usr.sbin/blacklistd/blacklistd.conf | 10 +-
>  usr.sbin/blocklistctl/Makefile | 22 +
>  usr.sbin/blocklistctl/Makefile.depend | 18 +
>  usr.sbin/blocklistd/Makefile | 23 +
>  usr.sbin/blocklistd/Makefile.depend | 18 +
>  usr.sbin/blocklistd/blocklistd.conf | 16 +
>  usr.sbin/periodic/etc/security/520.pfdenied | 2 +-
>  63 files changed, 2426 insertions(+), 144 deletions(-)
>
> diff --git a/contrib/blocklist/bin/blacklistctl.c b/contrib/blocklist/bin/blacklistctl.c
> new file mode 100644
> index 000000000000..6298a08b10b4
> --- /dev/null
> +++ b/contrib/blocklist/bin/blacklistctl.c
> @@ -0,0 +1,170 @@ > +/* $NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp $ = */ > + > +/*- > + * Copyright (c) 2015 The NetBSD Foundation, Inc. > + * All rights reserved. > + * > + * This code is derived from software contributed to The NetBSD Foundati= on > + * by Christos Zoulas. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * 1. Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in th= e > + * documentation and/or other materials provided with the distributio= n. > + * > + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBU= TORS > + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT L= IMITED > + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTI= CULAR > + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBU= TORS > + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, O= R > + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSIN= ESS > + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER = IN > + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS= E) > + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED O= F THE > + * POSSIBILITY OF SUCH DAMAGE. 
> + */ > +#ifdef HAVE_CONFIG_H > +#include "config.h" > +#endif > + > +#ifdef HAVE_SYS_CDEFS_H > +#include > +#endif > +__RCSID("$NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp = $"); > + > +#include > +#include > +#ifdef HAVE_LIBUTIL_H > +#include > +#endif > +#ifdef HAVE_UTIL_H > +#include > +#endif > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "conf.h" > +#include "state.h" > +#include "old_internal.h" > +#include "support.h" > + > +static __dead void > +usage(int c) > +{ > + if (c =3D=3D 0) > + warnx("Missing/unknown command"); > + else if (c !=3D '?') > + warnx("Unknown option `%c'", (char)c); > + fprintf(stderr, > + "Usage: %s dump [-abdnrw] [-D dbname]\n", getprogname()); > + exit(EXIT_FAILURE); > +} > + > +static const char * > +star(char *buf, size_t len, int val) > +{ > + if (val =3D=3D -1) > + return "*"; > + snprintf(buf, len, "%d", val); > + return buf; > +} > + > +int > +main(int argc, char *argv[]) > +{ > + const char *dbname =3D _PATH_BLSTATE; > + DB *db; > + struct conf c; > + struct dbinfo dbi; > + unsigned int i; > + struct timespec ts; > + int all, blocked, remain, wide, noheader; > + int o; > + > + noheader =3D wide =3D blocked =3D all =3D remain =3D 0; > + lfun =3D dlog; > + > + if (argc =3D=3D 1 || strcmp(argv[1], "dump") !=3D 0) > + usage(0); > + > + argc--; > + argv++; > + > + while ((o =3D getopt(argc, argv, "abD:dnrw")) !=3D -1) > + switch (o) { > + case 'a': > + all =3D 1; > + blocked =3D 0; > + break; > + case 'b': > + blocked =3D 1; > + break; > + case 'D': > + dbname =3D optarg; > + break; > + case 'd': > + debug++; > + break; > + case 'n': > + noheader =3D 1; > + break; > + case 'r': > + remain =3D 1; > + break; > + case 'w': > + wide =3D 1; > + break; > + default: > + usage(o); > + } > + > + db =3D state_open(dbname, O_RDONLY, 0); > + if (db =3D=3D NULL) > + err(EXIT_FAILURE, "Can't open `%s'", dbname); > + > + clock_gettime(CLOCK_REALTIME, &ts); > + wide =3D wide 
? 8 * 4 + 7 : 4 * 3 + 3; > + if (!noheader) > + printf("%*.*s/ma:port\tid\tnfail\t%s\n", wide, wide, > + "address", remain ? "remaining time" : "last access")= ; > + for (i =3D 1; state_iterate(db, &c, &dbi, i) !=3D 0; i =3D 0) { > + char buf[BUFSIZ]; > + char mbuf[64], pbuf[64]; > + if (!all) { > + if (blocked) { > + if (c.c_nfail =3D=3D -1 || dbi.count < c.= c_nfail) > + continue; > + } else { > + if (dbi.count >=3D c.c_nfail) > + continue; > + } > + } > + sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&c.c_ss= ); > + printf("%*.*s/%s:%s\t", wide, wide, buf, > + star(mbuf, sizeof(mbuf), c.c_lmask), > + star(pbuf, sizeof(pbuf), c.c_port)); > + if (c.c_duration =3D=3D -1) { > + strlcpy(buf, "never", sizeof(buf)); > + } else { > + if (remain) > + fmtydhms(buf, sizeof(buf), > + c.c_duration - (ts.tv_sec - dbi.last)= ); > + else > + fmttime(buf, sizeof(buf), dbi.last); > + } > + printf("%s\t%d/%s\t%-s\n", dbi.id, dbi.count, > + star(mbuf, sizeof(mbuf), c.c_nfail), buf); > + } > + state_close(db); > + return EXIT_SUCCESS; > +} > diff --git a/contrib/blocklist/bin/blacklistd.c b/contrib/blocklist/bin/b= lacklistd.c > new file mode 100644 > index 000000000000..ded3075ed707 > --- /dev/null > +++ b/contrib/blocklist/bin/blacklistd.c 
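Review bot: in the blacklistctl.c hunk above, `clock_gettime(CLOCK_REALTIME, &ts);` in main() ignores its return value, while the same call in blacklistd.c's process() and update() is checked and logged; since `ts.tv_sec` feeds the `-r` remaining-time computation `c.c_duration - (ts.tv_sec - dbi.last)`, make it `if (clock_gettime(CLOCK_REALTIME, &ts) == -1) err(EXIT_FAILURE, "clock_gettime");`. A second point: with neither `-a` nor `-b` given, the filter `if (dbi.count >= c.c_nfail) continue;` is always true for a rule whose `nfail` is `*` (c_nfail == -1, the case star() prints) and a non-negative count, and the `-b` branch skips those entries explicitly, so such entries are listed only under `-a`; if that is intended, the usage string or the man page should say so.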
> @@ -0,0 +1,592 @@ > +/* $NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $ *= / > + > +/*- > + * Copyright (c) 2015 The NetBSD Foundation, Inc. > + * All rights reserved. > + * > + * This code is derived from software contributed to The NetBSD Foundati= on > + * by Christos Zoulas. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * 1. Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in th= e > + * documentation and/or other materials provided with the distributio= n. > + * > + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBU= TORS > + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT L= IMITED > + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTI= CULAR > + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBU= TORS > + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, O= R > + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSIN= ESS > + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER = IN > + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS= E) > + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED O= F THE > + * POSSIBILITY OF SUCH DAMAGE. 
> + */ > +#ifdef HAVE_CONFIG_H > +#include "config.h" > +#endif > + > +#ifdef HAVE_SYS_CDEFS_H > +#include > +#endif > +__RCSID("$NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $= "); > + > +#include > +#include > +#include > + > +#ifdef HAVE_LIBUTIL_H > +#include > +#endif > +#ifdef HAVE_UTIL_H > +#include > +#endif > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "old_bl.h" > +#include "old_internal.h" > +#include "conf.h" > +#include "run.h" > +#include "state.h" > +#include "support.h" > + > +static const char *configfile =3D _PATH_BLCONF; > +static DB *state; > +static const char *dbfile =3D _PATH_BLSTATE; > +static sig_atomic_t readconf; > +static sig_atomic_t done; > +static int vflag; > + > +static void > +sigusr1(int n __unused) > +{ > + debug++; > +} > + > +static void > +sigusr2(int n __unused) > +{ > + debug--; > +} > + > +static void > +sighup(int n __unused) > +{ > + readconf++; > +} > + > +static void > +sigdone(int n __unused) > +{ > + done++; > +} > + > +static __dead void > +usage(int c) > +{ > + if (c !=3D '?') > + warnx("Unknown option `%c'", (char)c); > + fprintf(stderr, "Usage: %s [-vdfr] [-c ] [-R ] = " > + "[-P ] [-C ] [-D ] " > + "[-s ] [-t ]\n", getprogname()); > + exit(EXIT_FAILURE); > +} > + > +static int > +getremoteaddress(bl_info_t *bi, struct sockaddr_storage *rss, socklen_t = *rsl) > +{ > + *rsl =3D sizeof(*rss); > + memset(rss, 0, *rsl); > + > + if (getpeername(bi->bi_fd, (void *)rss, rsl) !=3D -1) > + return 0; > + > + if (errno !=3D ENOTCONN) { > + (*lfun)(LOG_ERR, "getpeername failed (%m)"); > + return -1; > + } > + > + if (bi->bi_slen =3D=3D 0) { > + (*lfun)(LOG_ERR, "unconnected socket with no peer in mess= age"); > + return -1; > + } > + > + switch (bi->bi_ss.ss_family) { > + case AF_INET: > + *rsl =3D sizeof(struct 
sockaddr_in); > + break; > + case AF_INET6: > + *rsl =3D sizeof(struct sockaddr_in6); > + break; > + default: > + (*lfun)(LOG_ERR, "bad client passed socket family %u", > + (unsigned)bi->bi_ss.ss_family); > + return -1; > + } > + > + if (*rsl !=3D bi->bi_slen) { > + (*lfun)(LOG_ERR, "bad client passed socket length %u !=3D= %u", > + (unsigned)*rsl, (unsigned)bi->bi_slen); > + return -1; > + } > + > + memcpy(rss, &bi->bi_ss, *rsl); > + > +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN > + if (*rsl !=3D rss->ss_len) { > + (*lfun)(LOG_ERR, > + "bad client passed socket internal length %u !=3D %u"= , > + (unsigned)*rsl, (unsigned)rss->ss_len); > + return -1; > + } > +#endif > + return 0; > +} > + > +static void > +process(bl_t bl) > +{ > + struct sockaddr_storage rss; > + socklen_t rsl; > + char rbuf[BUFSIZ]; > + bl_info_t *bi; > + struct conf c; > + struct dbinfo dbi; > + struct timespec ts; > + > + memset(&dbi, 0, sizeof(dbi)); > + memset(&c, 0, sizeof(c)); > + if (clock_gettime(CLOCK_REALTIME, &ts) =3D=3D -1) { > + (*lfun)(LOG_ERR, "clock_gettime failed (%m)"); > + return; > + } > + > + if ((bi =3D bl_recv(bl)) =3D=3D NULL) { > + (*lfun)(LOG_ERR, "no message (%m)"); > + return; > + } > + > + if (getremoteaddress(bi, &rss, &rsl) =3D=3D -1) > + goto out; > + > + if (debug || bi->bi_msg[0]) { > + sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&r= ss); > + (*lfun)(bi->bi_msg[0] ? 
LOG_INFO : LOG_DEBUG, > + "processing type=3D%d fd=3D%d remote=3D%s msg=3D%s ui= d=3D%lu gid=3D%lu", > + bi->bi_type, bi->bi_fd, rbuf, > + bi->bi_msg, (unsigned long)bi->bi_uid, > + (unsigned long)bi->bi_gid); > + } > + > + if (conf_find(bi->bi_fd, bi->bi_uid, &rss, &c) =3D=3D NULL) { > + (*lfun)(LOG_DEBUG, "no rule matched"); > + goto out; > + } > + > + > + if (state_get(state, &c, &dbi) =3D=3D -1) > + goto out; > + > + if (debug) { > + char b1[128], b2[128]; > + (*lfun)(LOG_DEBUG, "%s: initial db state for %s: count=3D= %d/%d " > + "last=3D%s now=3D%s", __func__, rbuf, dbi.count, c.c_= nfail, > + fmttime(b1, sizeof(b1), dbi.last), > + fmttime(b2, sizeof(b2), ts.tv_sec)); > + } > + > + switch (bi->bi_type) { > + case BL_ABUSE: > + /* > + * If the application has signaled abusive behavior, > + * set the number of fails to be one less than the > + * configured limit. Fallthrough to the normal BL_ADD > + * processing, which will increment the failure count > + * to the threshhold, and block the abusive address. > + */ > + if (c.c_nfail !=3D -1) > + dbi.count =3D c.c_nfail - 1; > + /*FALLTHROUGH*/ > + case BL_ADD: > + dbi.count++; > + dbi.last =3D ts.tv_sec; > + if (c.c_nfail !=3D -1 && dbi.count >=3D c.c_nfail) { > + /* > + * No point in re-adding the rule. > + * It might exist already due to latency in proce= ssing > + * and removing the rule is the wrong thing to do= as > + * it allows a window to attack again. 
> + */ > + if (dbi.id[0] =3D=3D '\0') { > + int res =3D run_change("add", &c, > + dbi.id, sizeof(dbi.id)); > + if (res =3D=3D -1) > + goto out; > + } > + sockaddr_snprintf(rbuf, sizeof(rbuf), "%a", > + (void *)&rss); > + (*lfun)(LOG_INFO, > + "blocked %s/%d:%d for %d seconds", > + rbuf, c.c_lmask, c.c_port, c.c_duration); > + } > + break; > + case BL_DELETE: > + if (dbi.last =3D=3D 0) > + goto out; > + dbi.count =3D 0; > + dbi.last =3D 0; > + break; > + case BL_BADUSER: > + /* ignore for now */ > + break; > + default: > + (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); > + } > + state_put(state, &c, &dbi); > + > +out: > + close(bi->bi_fd); > + > + if (debug) { > + char b1[128], b2[128]; > + (*lfun)(LOG_DEBUG, "%s: final db state for %s: count=3D%d= /%d " > + "last=3D%s now=3D%s", __func__, rbuf, dbi.count, c.c_= nfail, > + fmttime(b1, sizeof(b1), dbi.last), > + fmttime(b2, sizeof(b2), ts.tv_sec)); > + } > +} > + > +static void > +update_interfaces(void) > +{ > + struct ifaddrs *oifas, *nifas; > + > + if (getifaddrs(&nifas) =3D=3D -1) > + return; > + > + oifas =3D ifas; > + ifas =3D nifas; > + > + if (oifas) > + freeifaddrs(oifas); > +} > + > +static void > +update(void) > +{ > + struct timespec ts; > + struct conf c; > + struct dbinfo dbi; > + unsigned int f, n; > + char buf[128]; > + void *ss =3D &c.c_ss; > + > + if (clock_gettime(CLOCK_REALTIME, &ts) =3D=3D -1) { > + (*lfun)(LOG_ERR, "clock_gettime failed (%m)"); > + return; > + } > + > +again: > + for (n =3D 0, f =3D 1; state_iterate(state, &c, &dbi, f) =3D=3D 1= ; > + f =3D 0, n++) > + { > + time_t when =3D c.c_duration + dbi.last; > + if (debug > 1) { > + char b1[64], b2[64]; > + sockaddr_snprintf(buf, sizeof(buf), "%a:%p", ss); > + (*lfun)(LOG_DEBUG, "%s:[%u] %s count=3D%d duratio= n=3D%d " > + "last=3D%s " "now=3D%s", __func__, n, buf, db= i.count, > + c.c_duration, fmttime(b1, sizeof(b1), dbi.las= t), > + fmttime(b2, sizeof(b2), ts.tv_sec)); > + } > + if (c.c_duration =3D=3D -1 || when >=3D ts.tv_sec) 
> + continue; > + if (dbi.id[0]) { > + run_change("rem", &c, dbi.id, 0); > + sockaddr_snprintf(buf, sizeof(buf), "%a", ss); > + (*lfun)(LOG_INFO, "released %s/%d:%d after %d sec= onds", > + buf, c.c_lmask, c.c_port, c.c_duration); > + } > + state_del(state, &c); > + goto again; > + } > +} > + > +static void > +addfd(struct pollfd **pfdp, bl_t **blp, size_t *nfd, size_t *maxfd, > + const char *path) > +{ > + bl_t bl =3D bl_create(true, path, vflag ? vdlog : vsyslog_r); > + if (bl =3D=3D NULL || !bl_isconnected(bl)) > + exit(EXIT_FAILURE); > + if (*nfd >=3D *maxfd) { > + *maxfd +=3D 10; > + *blp =3D realloc(*blp, sizeof(**blp) * *maxfd); > + if (*blp =3D=3D NULL) > + err(EXIT_FAILURE, "malloc"); > + *pfdp =3D realloc(*pfdp, sizeof(**pfdp) * *maxfd); > + if (*pfdp =3D=3D NULL) > + err(EXIT_FAILURE, "malloc"); > + } > + > + (*pfdp)[*nfd].fd =3D bl_getfd(bl); > + (*pfdp)[*nfd].events =3D POLLIN; > + (*blp)[*nfd] =3D bl; > + *nfd +=3D 1; > +} > + > +static void > +uniqueadd(struct conf ***listp, size_t *nlist, size_t *mlist, struct con= f *c) > +{ > + struct conf **list =3D *listp; > + > + if (c->c_name[0] =3D=3D '\0') > + return; > + for (size_t i =3D 0; i < *nlist; i++) { > + if (strcmp(list[i]->c_name, c->c_name) =3D=3D 0) > + return; > + } > + if (*nlist =3D=3D *mlist) { > + *mlist +=3D 10; > + void *p =3D realloc(*listp, *mlist * sizeof(*list)); > + if (p =3D=3D NULL) > + err(EXIT_FAILURE, "Can't allocate for rule list")= ; > + list =3D *listp =3D p; > + } > + list[(*nlist)++] =3D c; > +} > + > +static void > +rules_flush(void) > +{ > + struct conf **list; > + size_t nlist, mlist; > + > + list =3D NULL; > + mlist =3D nlist =3D 0; > + for (size_t i =3D 0; i < rconf.cs_n; i++) > + uniqueadd(&list, &nlist, &mlist, &rconf.cs_c[i]); > + for (size_t i =3D 0; i < lconf.cs_n; i++) > + uniqueadd(&list, &nlist, &mlist, &lconf.cs_c[i]); > + > + for (size_t i =3D 0; i < nlist; i++) > + run_flush(list[i]); > + free(list); > +} > + > +static void > +rules_restore(void) > +{ > + 
DB *db; > + struct conf c; > + struct dbinfo dbi; > + unsigned int f; > + > + db =3D state_open(dbfile, O_RDONLY, 0); > + if (db =3D=3D NULL) { > + (*lfun)(LOG_ERR, "Can't open `%s' to restore state (%m)", > + dbfile); > + return; > + } > + for (f =3D 1; state_iterate(db, &c, &dbi, f) =3D=3D 1; f =3D 0) { > + if (dbi.id[0] =3D=3D '\0') > + continue; > + (void)run_change("add", &c, dbi.id, sizeof(dbi.id)); > + state_put(state, &c, &dbi); > + } > + state_close(db); > + state_sync(state); > +} > + > +int > +main(int argc, char *argv[]) > +{ > + int c, tout, flags, flush, restore, ret; > + const char *spath, **blsock; > + size_t nblsock, maxblsock; > + > + setprogname(argv[0]); > + > + spath =3D NULL; > + blsock =3D NULL; > + maxblsock =3D nblsock =3D 0; > + flush =3D 0; > + restore =3D 0; > + tout =3D 0; > + flags =3D O_RDWR|O_EXCL|O_CLOEXEC; > + while ((c =3D getopt(argc, argv, "C:c:D:dfP:rR:s:t:v")) !=3D -1) = { > + switch (c) { > + case 'C': > + controlprog =3D optarg; > + break; > + case 'c': > + configfile =3D optarg; > + break; > + case 'D': > + dbfile =3D optarg; > + break; > + case 'd': > + debug++; > + break; > + case 'f': > + flush++; > + break; > + case 'P': > + spath =3D optarg; > + break; > + case 'R': > + rulename =3D optarg; > + break; > + case 'r': > + restore++; > + break; > + case 's': > + if (nblsock >=3D maxblsock) { > + maxblsock +=3D 10; > + void *p =3D realloc(blsock, > + sizeof(*blsock) * maxblsock); > + if (p =3D=3D NULL) > + err(EXIT_FAILURE, > + "Can't allocate memory for %zu so= ckets", > + maxblsock); > + blsock =3D p; > + } > + blsock[nblsock++] =3D optarg; > + break; > + case 't': > + tout =3D atoi(optarg) * 1000; > + break; > + case 'v': > + vflag++; > + break; > + default: > + usage(c); > + } > + } > + > + argc -=3D optind; > + if (argc) > + usage('?'); > + > + signal(SIGHUP, sighup); > + signal(SIGINT, sigdone); > + signal(SIGQUIT, sigdone); > + signal(SIGTERM, sigdone); > + signal(SIGUSR1, sigusr1); > + signal(SIGUSR2, sigusr2); > + 
> + openlog(getprogname(), LOG_PID, LOG_DAEMON); > + > + if (debug) { > + lfun =3D dlog; > + if (tout =3D=3D 0) > + tout =3D 5000; > + } else { > + if (tout =3D=3D 0) > + tout =3D 15000; > + } > + > + update_interfaces(); > + conf_parse(configfile); > + if (flush) { > + rules_flush(); > + if (!restore) > + flags |=3D O_TRUNC; > + } > + > + struct pollfd *pfd =3D NULL; > + bl_t *bl =3D NULL; > + size_t nfd =3D 0; > + size_t maxfd =3D 0; > + > + for (size_t i =3D 0; i < nblsock; i++) > + addfd(&pfd, &bl, &nfd, &maxfd, blsock[i]); > + free(blsock); > + > + if (spath) { > + FILE *fp =3D fopen(spath, "r"); > + char *line; > + if (fp =3D=3D NULL) > + err(EXIT_FAILURE, "Can't open `%s'", spath); > + for (; (line =3D fparseln(fp, NULL, NULL, NULL, 0)) !=3D = NULL; > + free(line)) > + addfd(&pfd, &bl, &nfd, &maxfd, line); > + fclose(fp); > + } > + if (nfd =3D=3D 0) > + addfd(&pfd, &bl, &nfd, &maxfd, _PATH_BLSOCK); > + > + state =3D state_open(dbfile, flags, 0600); > + if (state =3D=3D NULL) > + state =3D state_open(dbfile, flags | O_CREAT, 0600); > + if (state =3D=3D NULL) > + return EXIT_FAILURE; > + > + if (restore) { > + if (!flush) > + rules_flush(); > + rules_restore(); > + } > + > + if (!debug) { > + if (daemon(0, 0) =3D=3D -1) > + err(EXIT_FAILURE, "daemon failed"); > + if (pidfile(NULL) =3D=3D -1) > + err(EXIT_FAILURE, "Can't create pidfile"); > + } > + > + for (size_t t =3D 0; !done; t++) { > + if (readconf) { > + readconf =3D 0; > + conf_parse(configfile); > + } > + ret =3D poll(pfd, (nfds_t)nfd, tout); > + if (debug) > + (*lfun)(LOG_DEBUG, "received %d from poll()", ret= ); > + switch (ret) { > + case -1: > + if (errno =3D=3D EINTR) > + continue; > + (*lfun)(LOG_ERR, "poll (%m)"); > + return EXIT_FAILURE; > + case 0: > + state_sync(state); > + break; > + default: > + for (size_t i =3D 0; i < nfd; i++) > + if (pfd[i].revents & POLLIN) > + process(bl[i]); > + } > + if (t % 100 =3D=3D 0) > + state_sync(state); > + if (t % 10000 =3D=3D 0) > + update_interfaces(); > + 
update(); > + } > + state_close(state); > + return 0; > +} > diff --git a/contrib/blocklist/bin/old_internal.c b/contrib/blocklist/bin= /old_internal.c > new file mode 100644 > index 000000000000..79093cc8b8ab > --- /dev/null > +++ b/contrib/blocklist/bin/old_internal.c 
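Review bot: in the blacklistd.c hunk above, process() can log uninitialized memory: `rbuf` is filled only inside `if (debug || bi->bi_msg[0])`, but when getremoteaddress() fails the code jumps to `out:` and, with `debug` set, prints `rbuf` in the "final db state for %s" message; set `rbuf[0] = '\0';` at declaration or format it before the getremoteaddress() call. Two smaller points in main(): `tout = atoi(optarg) * 1000;` accepts garbage and negative values, and a negative timeout makes poll() block until a client speaks, so the `case 0: state_sync(state);` path and the per-iteration update() that releases expired blocks never run on an idle daemon; parse with strtol and reject values outside a sane range. And addfd() calls `exit(EXIT_FAILURE)` with no diagnostic when bl_create() returns NULL or the socket is not connected, which makes a mistyped `-s` path or a missing socket directory hard to diagnose; log `path` before exiting.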
> @@ -0,0 +1,50 @@ > +/* $NetBSD: internal.c,v 1.2 2025/02/11 17:48:30 christos Exp $ *= / > + > +/*- > + * Copyright (c) 2015 The NetBSD Foundation, Inc. > + * All rights reserved. > + * > + * This code is derived from software contributed to The NetBSD Foundati= on > + * by Christos Zoulas. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * 1. Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in th= e > + * documentation and/or other materials provided with the distributio= n. > + * > + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBU= TORS > + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT L= IMITED > + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTI= CULAR > + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBU= TORS > + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, O= R > + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSIN= ESS > + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER = IN > + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS= E) > + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED O= F THE > + * POSSIBILITY OF SUCH DAMAGE. 
> + */ > +#ifdef HAVE_CONFIG_H > +#include "config.h" > +#endif > + > +#ifdef HAVE_SYS_CDEFS_H > +#include > +#endif > +__RCSID("$NetBSD: internal.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); > + > +#include > +#include > +#include "conf.h" > +#include "old_internal.h" > + > +int debug; > +const char *rulename =3D "blacklistd"; > +const char *controlprog =3D _PATH_BLCONTROL; > +struct confset lconf, rconf; > +struct ifaddrs *ifas; > +void (*lfun)(int, const char *, ...) =3D syslog; > diff --git a/contrib/blocklist/bin/old_internal.h b/contrib/blocklist/bin= /old_internal.h > new file mode 100644 > index 000000000000..becee563e81d > --- /dev/null > +++ b/contrib/blocklist/bin/old_internal.h 
> @@ -0,0 +1,58 @@ > +/* $NetBSD: internal.h,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ = */ > + > +/*- > + * Copyright (c) 2015 The NetBSD Foundation, Inc. > + * All rights reserved. > + * > + * This code is derived from software contributed to The NetBSD Foundati= on > + * by Christos Zoulas. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * 1. Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in th= e > + * documentation and/or other materials provided with the distributio= n. > + * > + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBU= TORS > + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT L= IMITED > + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTI= CULAR > + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBU= TORS > + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, O= R > + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSIN= ESS > + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER = IN > + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS= E) > + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED O= F THE > + * POSSIBILITY OF SUCH DAMAGE. 
> + */ > +#ifndef _OLD_INTERNAL_H > +#define _OLD_INTERNAL_H > + > +#ifndef _PATH_BLCONF > +#define _PATH_BLCONF "/etc/blacklistd.conf" > +#endif > +#ifndef _PATH_BLCONTROL > +#define _PATH_BLCONTROL "/usr/libexec/blacklistd-helper" > +#endif > +#ifndef _PATH_BLSTATE > +/* We want the new name, the old one would be incompatible after 24932b6= */ > +#define _PATH_BLSTATE "/var/db/blocklistd.db" > +#endif > + > +extern struct confset rconf, lconf; > +extern int debug; > +extern const char *rulename; > +extern const char *controlprog; > +extern struct ifaddrs *ifas; > + > +#if !defined(__syslog_attribute__) && !defined(__syslog__) > +#define __syslog__ __printf__ > +#endif > + > +extern void (*lfun)(int, const char *, ...) > + __attribute__((__format__(__syslog__, 2, 3))); > + > *** 2507 LINES SKIPPED *** --=20 Jose Luis Duran
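Review bot: in the old_internal.h hunk above, `_PATH_BLSTATE` is pointed at the new `/var/db/blocklistd.db` while `_PATH_BLCONF` and `_PATH_BLCONTROL` keep the old `blacklistd` names, so the compat blacklistd and the new blocklistd share one state database; blacklistd.c opens it with `O_RDWR|O_EXCL|O_CLOEXEC` and no locking is visible in the hunk, so the commit message or blacklistd(8) should state that the two daemons must not run concurrently, and the rc script should probably refuse to start one while the other is up. The comment `the old one would be incompatible after 24932b6` cites a bare short hash; say which repository it belongs to and what changed in the record format, since a reader of this header cannot resolve it.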
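The check that broke, as an added illustration: the block below is a simplified, stand-alone reimplementation of the kind of duplicate-entry scan that `metalog_reader.lua -c` reports on, written for this page and not taken from the FreeBSD tool or from the blocklist project. It assumes the METALOG layout of one entry per line, a path followed by `key=value` words with the owning package recorded as `tags=package=NAME`; the sample lines and the package names in them are constructed for the example. It also goes one step past the message and distinguishes the case where two packages list the same file with different metadata, which is the more dangerous variant because the last package installed silently decides the file's mode and owner.

```python
"""Duplicate-entry check over METALOG (mtree) lines.

Added example: a simplified, stand-alone reimplementation of the kind of
check that tools/pkgbase/metalog_reader.lua -c performs. It is not the
tool's code. Assumed: one entry per line, a path followed by key=value
words, and packages recorded as tags=package=NAME.
"""
from collections import defaultdict

# Constructed sample METALOG (not a real build artifact). Lines 2 and 4 list
# blocklistd.8.gz twice with identical metadata, which is the breakage the
# message describes; line 3 is the blacklistd.8.gz symlink, a distinct path
# that must not be flagged; lines 5 and 6 show two (assumed) packages
# disagreeing about the same file's mode.
SAMPLE_METALOG = """\
./usr/share/man/man8 type=dir uname=root gname=wheel mode=0755 tags=package=runtime
./usr/share/man/man8/blocklistd.8.gz type=file uname=root gname=wheel mode=0444 size=1908 tags=package=blocklist
./usr/share/man/man8/blacklistd.8.gz type=link uname=root gname=wheel mode=0444 link=blocklistd.8.gz tags=package=blocklist
./usr/share/man/man8/blocklistd.8.gz type=file uname=root gname=wheel mode=0444 size=1908 tags=package=blocklist
./usr/share/man/man8/blocklistctl.8.gz type=file uname=root gname=wheel mode=0444 size=1204 tags=package=blocklist
./usr/share/man/man8/blocklistctl.8.gz type=file uname=root gname=wheel mode=0555 size=1204 tags=package=blocklist-compat
"""


def parse_metalog(text):
    """Yield (lineno, path, attrs) for every non-blank, non-comment line.

    METALOG does not quote fields (spaces in names are octal-escaped), so a
    plain whitespace split is enough; each word after the path is key=value.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        attrs = {}
        for word in words[1:]:
            key, _, value = word.partition("=")
            attrs[key] = value
        yield lineno, words[0], attrs


def find_duplicates(text):
    """Return [(path, kind, [linenos])] for every non-directory path listed twice.

    kind is "same meta" when all repeats carry identical attributes (the
    case from the message) and "different meta" when the entries disagree
    (worse: whichever package installs last decides mode and owner of a
    file the other package also believes it owns).
    """
    seen = defaultdict(list)
    for lineno, path, attrs in parse_metalog(text):
        if attrs.get("type") == "dir":
            continue  # directories legitimately recur across packages
        seen[path].append((lineno, tuple(sorted(attrs.items()))))
    problems = []
    for path, entries in seen.items():
        if len(entries) < 2:
            continue
        distinct = {meta for _, meta in entries}
        kind = "same meta" if len(distinct) == 1 else "different meta"
        problems.append((path, kind, [ln for ln, _ in entries]))
    return problems


def format_report(problems):
    """Render findings in the same shape as the errors quoted in the thread."""
    return [
        f"error: {path} file repeated with {kind}: line {','.join(map(str, lines))}"
        for path, kind, lines in problems
    ]


if __name__ == "__main__":
    for line in format_report(find_duplicates(SAMPLE_METALOG)):
        print(line)
```

Run against a real METALOG by reading the file into `find_duplicates()`; the symlink entry passes because the check keys on the path, not the link target, which is exactly why symlinked man pages are fine and a second real copy is not.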