From owner-svn-src-all@freebsd.org Sun Feb 4 19:43:52 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 97E67EEC570; Sun, 4 Feb 2018 19:43:52 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 491486F19D; Sun, 4 Feb 2018 19:43:52 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 435591E862; Sun, 4 Feb 2018 19:43:52 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w14JhqME012465; Sun, 4 Feb 2018 19:43:52 GMT (envelope-from lidl@FreeBSD.org) Received: (from lidl@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w14JhqR4012464; Sun, 4 Feb 2018 19:43:52 GMT (envelope-from lidl@FreeBSD.org) Message-Id: <201802041943.w14JhqR4012464@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: lidl set sender to lidl@FreeBSD.org using -f From: Kurt Lidl Date: Sun, 4 Feb 2018 19:43:52 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r328861 - head/contrib/blacklist/libexec X-SVN-Group: head X-SVN-Commit-Author: lidl X-SVN-Commit-Paths: head/contrib/blacklist/libexec X-SVN-Commit-Revision: 328861 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Feb 2018 19:43:52 -0000 Author: lidl Date: Sun Feb 4 19:43:51 2018 New Revision: 328861 URL: https://svnweb.freebsd.org/changeset/base/328861 Log: Update blacklist-helper to not emit messages from pf during operation. Use 'pfctl -k' when blocking a site to kill active tcp connections from the blocked address. Fix 'purge' operation for pf, which must dynamically determine which filters have been created, so the filters can be flushed by name. MFC after: 2 weeks Modified: head/contrib/blacklist/libexec/blacklistd-helper Modified: head/contrib/blacklist/libexec/blacklistd-helper ============================================================================== --- head/contrib/blacklist/libexec/blacklistd-helper Sun Feb 4 19:14:09 2018 (r328860) +++ head/contrib/blacklist/libexec/blacklistd-helper Sun Feb 4 19:43:51 2018 (r328861) @@ -80,8 +80,8 @@ add) echo "block in quick $proto from to any $port" | \ /sbin/pfctl -a "$2/$6" -f - # insert $ip/$mask into per-protocol/port anchored table - /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \ - echo OK + /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \ + /sbin/pfctl -q -k $addr && echo OK ;; esac ;; @@ -101,7 +101,7 @@ rem) /sbin/npfctl rule "$2" rem-id "$7" ;; pf) - /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ + /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ echo OK ;; esac @@ -118,7 +118,13 @@ flush) /sbin/npfctl rule "$2" flush ;; pf) - /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK + # dynamically determine which anchors exist + anchors=$(/sbin/pfctl -a $2 -s Anchors) + for anchor in $anchors; do + /sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush + /sbin/pfctl -a $anchor -F rules + done + echo OK ;; esac ;;