From owner-svn-src-stable-11@freebsd.org Thu Oct 13 03:06:25 2016 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 27155C0E415; Thu, 13 Oct 2016 03:06:25 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 019111578; Thu, 13 Oct 2016 03:06:24 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u9D36OOZ016142; Thu, 13 Oct 2016 03:06:24 GMT (envelope-from lidl@FreeBSD.org) Received: (from lidl@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u9D36OoK016141; Thu, 13 Oct 2016 03:06:24 GMT (envelope-from lidl@FreeBSD.org) Message-Id: <201610130306.u9D36OoK016141@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: lidl set sender to lidl@FreeBSD.org using -f From: Kurt Lidl Date: Thu, 13 Oct 2016 03:06:24 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r307171 - stable/11/contrib/blacklist/libexec X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Oct 2016 03:06:25 -0000 Author: lidl Date: Thu Oct 13 03:06:23 2016 New Revision: 307171 URL: https://svnweb.freebsd.org/changeset/base/307171 Log: MFC r306695: Make blacklist-helper commands emit a message when successful The blacklistd daemon expects to see a message on stdout, instead of just relying on the exit value from any invoked programs. Change the pf filtering to create multiple filters, attached under a the "blacklist/*" anchor point. This prevents the filtering for each port's filtering rule from overwriting the previously installed filtering rule. Check for an existing filtering rule for each port, so the installation of a given filtering rule only happens once. Reinstalling the same rule resets the counters for the pf rule, and we don't want that. Sponsored by: The FreeBSD Foundation Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper Directory Properties: stable/11/ (props changed) Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper ============================================================================== --- stable/11/contrib/blacklist/libexec/blacklistd-helper Thu Oct 13 03:00:56 2016 (r307170) +++ stable/11/contrib/blacklist/libexec/blacklistd-helper Thu Oct 13 03:06:23 2016 (r307171) @@ -19,8 +19,8 @@ fi if [ -z "$pf" ]; then for f in npf pf ipf; do if [ -f "/etc/$f.conf" ]; then - pf="$f" - break + pf="$f" + break fi done fi @@ -54,8 +54,8 @@ add) ipf) /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 echo block in quick $proto from $addr/$mask to \ - any port=$6 head port$6 | \ - /sbin/ipf -I -f - -s >/dev/null 2>&1 + any port=$6 head port$6 | \ + /sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK ;; ipfw) # use $ipfw_offset+$port for rule number @@ -64,17 +64,21 @@ add) /sbin/ipfw table $tname create type addr 2>/dev/null /sbin/ipfw -q table $tname add "$addr/$mask" /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \ - any dst-port $6 + any dst-port $6 && echo OK ;; npf) /sbin/npfctl rule "$2" add block in final $proto from \ "$addr/$mask" to any $port ;; pf) - # insert $ip/$mask into per-protocol anchored table - /sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask" - echo "block in quick $proto from to any $port" | \ - /sbin/pfctl -a "$2" -f - + # if the filtering rule does not exist, create it + /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \ + grep -q "" || \ + echo "block in quick $proto from to any $port" | \ + /sbin/pfctl -a "$2/$6" -f - + # insert $ip/$mask into per-protocol/port anchored table + /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \ + echo OK ;; esac ;; @@ -83,33 +87,35 @@ rem) ipf) /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 echo block in quick $proto from $addr/$mask to \ - any port=$6 head port$6 | \ - /sbin/ipf -I -r -f - -s >/dev/null 2>&1 + any port=$6 head port$6 | \ + /sbin/ipf -I -r -f - -s >/dev/null 2>&1 && echo OK ;; ipfw) - /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null + /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \ + echo OK ;; npf) /sbin/npfctl rule "$2" rem-id "$7" ;; pf) - /sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask" + /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ + echo OK ;; esac ;; flush) case "$pf" in ipf) - /sbin/ipf -Z -I -Fi -s > /dev/null + /sbin/ipf -Z -I -Fi -s > /dev/null && echo OK ;; ipfw) - /sbin/ipfw table "port$6" flush 2>/dev/null + /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK ;; npf) /sbin/npfctl rule "$2" flush ;; pf) - /sbin/pfctl -a "$2" -t "port$6" -T flush + /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK ;; esac ;;