From owner-svn-src-stable-11@freebsd.org Mon Apr 16 14:46:03 2018 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9BB9EF88F07; Mon, 16 Apr 2018 14:46:03 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4AF59774FB; Mon, 16 Apr 2018 14:46:03 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3F02A1EBAD; Mon, 16 Apr 2018 14:46:03 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w3GEk2pn047177; Mon, 16 Apr 2018 14:46:02 GMT (envelope-from lidl@FreeBSD.org) Received: (from lidl@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w3GEk2cv047176; Mon, 16 Apr 2018 14:46:02 GMT (envelope-from lidl@FreeBSD.org) Message-Id: <201804161446.w3GEk2cv047176@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: lidl set sender to lidl@FreeBSD.org using -f From: Kurt Lidl Date: Mon, 16 Apr 2018 14:46:02 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r332571 - stable/11/contrib/blacklist/libexec X-SVN-Group: stable-11 X-SVN-Commit-Author: lidl X-SVN-Commit-Paths: stable/11/contrib/blacklist/libexec X-SVN-Commit-Revision: 332571 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Apr 2018 14:46:03 -0000 Author: lidl Date: Mon Apr 16 14:46:02 2018 New Revision: 332571 URL: https://svnweb.freebsd.org/changeset/base/332571 Log: MFC r328861: Update blacklist-helper to not emit messages from pf during operation. Use 'pfctl -k' when blocking a site to kill active tcp connections from the blocked address. Fix 'purge' operation for pf, which must dynamically determine which filters have been created, so the filters can be flushed by name. Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper Directory Properties: stable/11/ (props changed) Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper ============================================================================== --- stable/11/contrib/blacklist/libexec/blacklistd-helper Mon Apr 16 14:43:01 2018 (r332570) +++ stable/11/contrib/blacklist/libexec/blacklistd-helper Mon Apr 16 14:46:02 2018 (r332571) @@ -80,8 +80,8 @@ add) echo "block in quick $proto from to any $port" | \ /sbin/pfctl -a "$2/$6" -f - # insert $ip/$mask into per-protocol/port anchored table - /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \ - echo OK + /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \ + /sbin/pfctl -q -k $addr && echo OK ;; esac ;; @@ -101,7 +101,7 @@ rem) /sbin/npfctl rule "$2" rem-id "$7" ;; pf) - /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ + /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ echo OK ;; esac @@ -118,7 +118,13 @@ flush) /sbin/npfctl rule "$2" flush ;; pf) - /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK + # dynamically determine which anchors exist + anchors=$(/sbin/pfctl -a $2 -s Anchors) + for anchor in $anchors; do + /sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush + /sbin/pfctl -a $anchor -F rules + done + echo OK ;; esac ;;