Date: Mon, 16 Apr 2018 14:46:02 +0000 (UTC) From: Kurt Lidl <lidl@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r332571 - stable/11/contrib/blacklist/libexec Message-ID: <201804161446.w3GEk2cv047176@repo.freebsd.org>
Author: lidl Date: Mon Apr 16 14:46:02 2018 New Revision: 332571 URL: https://svnweb.freebsd.org/changeset/base/332571 Log: MFC r328861: Update blacklist-helper to not emit messages from pf during operation. Use 'pfctl -k' when blocking a site to kill active tcp connections from the blocked address. Fix 'purge' operation for pf, which must dynamically determine which filters have been created, so the filters can be flushed by name. Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper Directory Properties: stable/11/ (props changed) Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper ============================================================================== --- stable/11/contrib/blacklist/libexec/blacklistd-helper Mon Apr 16 14:43:01 2018 (r332570) +++ stable/11/contrib/blacklist/libexec/blacklistd-helper Mon Apr 16 14:46:02 2018 (r332571) @@ -80,8 +80,8 @@ add) echo "block in quick $proto from <port$6> to any $port" | \ /sbin/pfctl -a "$2/$6" -f - # insert $ip/$mask into per-protocol/port anchored table - /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \ - echo OK + /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \ + /sbin/pfctl -q -k $addr && echo OK ;; esac ;; @@ -101,7 +101,7 @@ rem) /sbin/npfctl rule "$2" rem-id "$7" ;; pf) - /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ + /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ echo OK ;; esac @@ -118,7 +118,13 @@ flush) /sbin/npfctl rule "$2" flush ;; pf) - /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK + # dynamically determine which anchors exist + anchors=$(/sbin/pfctl -a $2 -s Anchors) + for anchor in $anchors; do + /sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush + /sbin/pfctl -a $anchor -F rules + done + echo OK ;; esac ;;
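Review bot: in the `add` hunk, `/sbin/pfctl -q -k $addr` passes only the unquoted host while the table entry two lines above is `"$addr/$mask"`, so when the helper is invoked with a network mask the states from the rest of the blocked range survive the block. Suggest `/sbin/pfctl -q -k "$addr/$mask" && echo OK`, since `pfctl -k` accepts a network as well as a host. Chaining the kill with `&&` also means a failing `-k` suppresses `OK` even though the table entry was already inserted, so blacklistd will record the block as failed while it is in fact in place; consider keying `OK` on the `-T add` alone and running the kill unconditionally afterwards. Note too that a single `-k` kills every state originating from that source regardless of protocol or destination port, which is wider than the `block in quick $proto ... $port` rule the anchor installs; if that is intended, the log message ("kill active tcp connections") should say so.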
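Review bot: in the `flush` hunk, `echo OK` is unconditional and neither `pfctl` call inside the loop carries `-q`, so a failed `-T flush` or `-F rules` still reports success to blacklistd and, contrary to the stated aim of the change, pf keeps printing its "addresses deleted" / "rules cleared" messages. Suggest `-q` on both calls and accumulating the exit status, e.g. `rc=0` before the loop, `/sbin/pfctl -qa "$anchor" -t "port${anchor##*/}" -T flush || rc=1` and `/sbin/pfctl -qa "$anchor" -F rules || rc=1` inside it, then `[ "$rc" = 0 ] && echo OK`. `$2` and `$anchor` should also be quoted, as `"$2/$6"` is in the `add` and `rem` cases. Finally, `-T flush` empties each table and `-F rules` drops the block rule, but the anchor and the now-empty table remain listed under `$2`; that is acceptable if `add` is expected to recreate them, and a comment saying so would spare the next reader from wondering whether `-T kill` was forgotten.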