Date:      Thu, 9 Jun 2016 15:19:48 +0000 (UTC)
From:      Kurt Lidl <lidl@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r301736 - head/contrib/blacklist/libexec
Message-ID:  <201606091519.u59FJm84017293@repo.freebsd.org>

Author: lidl
Date: Thu Jun  9 15:19:48 2016
New Revision: 301736
URL: https://svnweb.freebsd.org/changeset/base/301736

Log:
  Add IPFW support to blacklistd-helper
  
  Relnotes:	YES
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D6753

Modified:
  head/contrib/blacklist/libexec/blacklistd-helper

Modified: head/contrib/blacklist/libexec/blacklistd-helper
==============================================================================
--- head/contrib/blacklist/libexec/blacklistd-helper	Thu Jun  9 14:44:05 2016	(r301735)
+++ head/contrib/blacklist/libexec/blacklistd-helper	Thu Jun  9 15:19:48 2016	(r301736)
@@ -16,6 +16,11 @@ for f in npf pf; do
 		break
 	fi
 done
+if [ -f "/etc/ipfw-blacklist.rc" ]; then
+	pf="ipfw"
+	. /etc/ipfw-blacklist.rc
+	ipfw_offset=${ipfw_offset:-2000}
+fi
 
 if [ -z "$pf" ]; then
 	echo "$0: Unsupported packet filter" 1>&2
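Review bot: `ipfw_offset` comes from the sourced `/etc/ipfw-blacklist.rc` and is only defaulted, never validated, yet the `add` arm later feeds it to `$(( ... ))` to compute a rule number. A digits-only check right after the default would fail closed on a bad value: `case "$ipfw_offset" in *[!0-9]*) echo "$0: invalid ipfw_offset" 1>&2; exit 1;; esac`. Because the file is executed with `.` in the helper's own shell (presumably as root, since it drives `/sbin/ipfw`), a comment such as `# /etc/ipfw-blacklist.rc is executed as shell code; keep it root-owned and not group/world-writable` is worth adding. The file's mere presence also overrides an npf/pf backend that the loop above already detected, which deserves a comment of its own. The `if [ -z "$pf" ]` block at the end of the hunk continues outside it.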
@@ -43,6 +48,13 @@ esac
 case "$1" in
 add)
 	case "$pf" in
+	ipfw)
+		rule=$(( $ipfw_offset + $6 )) # use $ipfw_offset+$port for rule number
+		tname="port$6"
+		/sbin/ipfw table $tname create type addr 2>/dev/null
+		/sbin/ipfw -q table $tname add "$addr/$mask"
+		/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to any dst-port $6
+		;;
 	npf)
 		/sbin/npfctl rule "$2" add block in final $proto from \
 		    "$addr/$mask" to any $port
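Review bot: The `ipfw -q add $rule drop ...` line runs on every `add`, so each newly blocked address appends another identical rule under the same number; ipfw accepts duplicate rule numbers, so the rules pile up even though only the table needs to change. Guard it so the rule is created once: `/sbin/ipfw show $rule >/dev/null 2>&1 || /sbin/ipfw -q add $rule drop $3 from "table($tname)" to any dst-port $6`. With the default offset of 2000, ports above 63535 give a rule number past ipfw's 65535 limit, and since no exit status is checked the address lands in the table with no rule dropping its traffic; a range check on `$rule` would make that failure visible. The table and rule number are keyed on the port alone while the rule matches protocol `$3`, so tcp and udp blocks on one port appear to share a table, which is worth confirming as intended. The enclosing `case "$1"` starts before this hunk and continues past it.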
@@ -57,6 +69,9 @@ add)
 	;;
 rem)
 	case "$pf" in
+	ipfw)
+		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
+		;;
 	npf)
 		/sbin/npfctl rule "$2" rem-id "$7"
 		;;
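Review bot: The ipfw `rem` arm discards stderr and ignores the exit status of `ipfw table ... delete`, so a failed unblock leaves the address dropped with nothing logged. Consider reporting the failure instead, e.g. `/sbin/ipfw table "port$6" delete "$addr/$mask" || echo "$0: failed to remove $addr/$mask from port$6" 1>&2`. The drop rule created by `add` is never removed here; if that is deliberate, a comment would help: `# rule stays in place; an empty table matches no traffic`. The same stderr suppression appears in the `flush` arm of the next hunk.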
@@ -67,6 +82,9 @@ rem)
 	;;
 flush)
 	case "$pf" in 
+	ipfw)
+		/sbin/ipfw table "port$6" flush 2>/dev/null
+		;;
 	npf)
 		/sbin/npfctl rule "$2" flush
 		;;
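Review bot: The ipfw `flush` arm addresses the table as `port$6`, while the neighbouring npf arm uses only `$2`. If blacklistd invokes `flush` without a port in the sixth argument, this expands to table `port`, and the `2>/dev/null` hides the resulting error so nothing is flushed. It is worth confirming the argument list for `flush` and, if `$6` can be empty, failing loudly: `[ -n "$6" ] || { echo "$0: flush needs a port" 1>&2; exit 1; }`. The `case "$pf"` block continues beyond the hunk.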


