From: Kurt Lidl <lidl@FreeBSD.org>
Date: Mon, 27 Feb 2017 04:05:35 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r314324 - stable/11/contrib/blacklist/libexec
Message-Id: <201702270405.v1R45ZsB066479@repo.freebsd.org>

Author: lidl
Date: Mon Feb 27 04:05:34 2017
New Revision: 314324

URL: https://svnweb.freebsd.org/changeset/base/314324

Log:
  MFC r314111: Improve ipfw rule creation for blacklist-helper script

  When blocking an address, the blacklist-helper script needs to do the
  following things for the ipfw packet filter:

  - create a table to hold the addresses to be blocked, so lookups can be
    done quickly, and place the address to be blocked in that table
  - create a rule that does the lookup in the table and blocks the packet

  The ipfw system allows multiple rules to be inserted for a given rule
  number. There only needs to be one rule to do the lookup per port.
  Modify the script to probe for the existence of the rule before
  attempting to create it, so only one rule is inserted, rather than one
  rule per blocked address.
PR: 214980 Reported by: azhegalov (at) gmail.com Reviewed by: emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D9681 Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper ============================================================================== --- stable/11/contrib/blacklist/libexec/blacklistd-helper Mon Feb 27 03:52:32 2017 (r314323) +++ stable/11/contrib/blacklist/libexec/blacklistd-helper Mon Feb 27 04:05:34 2017 (r314324) @@ -63,8 +63,11 @@ add) tname="port$6" /sbin/ipfw table $tname create type addr 2>/dev/null /sbin/ipfw -q table $tname add "$addr/$mask" - /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \ - any dst-port $6 && echo OK + # if rule number $rule does not already exist, create it + /sbin/ipfw show $rule >/dev/null 2>&1 || \ + /sbin/ipfw add $rule drop $3 from \ + table"("$tname")" to any dst-port $6 >/dev/null && \ + echo OK ;; npf) /sbin/npfctl rule "$2" add block in final $proto from \
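Review bot: the existence probe `/sbin/ipfw show $rule >/dev/null 2>&1` keys only on the rule number, while the table and the drop rule it guards are per port (`tname="port$6"`, `dst-port $6`); if `$rule` is not unique per port, the first port's rule satisfies the probe and later ports never get their lookup rule, so an address is added to its table but nothing drops the packets. Either document that `$rule` must differ per port or also match the table name in the `ipfw show` output before deciding to skip the add. Two smaller points: `-q` was dropped from `ipfw add` and only stdout is redirected, so a failed add now reports on stderr (reasonable, since a silent failure would otherwise be reported as OK), and the `show || add && echo OK` chain prints OK both when the rule pre-existed and when it was just created, which matches the intent of the commit message.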