From owner-svn-src-all@freebsd.org Sun Jun 12 23:34:50 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4B4C3AF0B17; Sun, 12 Jun 2016 23:34:50 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E14942F47; Sun, 12 Jun 2016 23:34:49 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u5CNYnUA010446; Sun, 12 Jun 2016 23:34:49 GMT (envelope-from lidl@FreeBSD.org) Received: (from lidl@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u5CNYn1w010445; Sun, 12 Jun 2016 23:34:49 GMT (envelope-from lidl@FreeBSD.org) Message-Id: <201606122334.u5CNYn1w010445@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: lidl set sender to lidl@FreeBSD.org using -f From: Kurt Lidl Date: Sun, 12 Jun 2016 23:34:49 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r301843 - head/contrib/blacklist/libexec X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 12 Jun 2016 23:34:50 -0000 Author: lidl Date: Sun Jun 12 23:34:48 2016 New Revision: 301843 URL: https://svnweb.freebsd.org/changeset/base/301843 Log: Add ipfilter support to blacklistd-helper In addition to adding initial support for the ipfilter packet filtering system, wrap a few long lines, perform whitespace cleanup and sync with upstream changes made in NetBSD. Submitted by: cy Reviewed by: cy Approved by: re (hrs) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D6823 Modified: head/contrib/blacklist/libexec/blacklistd-helper Modified: head/contrib/blacklist/libexec/blacklistd-helper ============================================================================== --- head/contrib/blacklist/libexec/blacklistd-helper Sun Jun 12 23:26:38 2016 (r301842) +++ head/contrib/blacklist/libexec/blacklistd-helper Sun Jun 12 23:34:48 2016 (r301843) @@ -10,12 +10,6 @@ # $7 id pf= -for f in npf pf; do - if [ -f "/etc/$f.conf" ]; then - pf="$f" - break - fi -done if [ -f "/etc/ipfw-blacklist.rc" ]; then pf="ipfw" . /etc/ipfw-blacklist.rc @@ -23,6 +17,15 @@ if [ -f "/etc/ipfw-blacklist.rc" ]; then fi if [ -z "$pf" ]; then + for f in npf pf ipf; do + if [ -f "/etc/$f.conf" ]; then + pf="$f" + break + fi + done +fi + +if [ -z "$pf" ]; then echo "$0: Unsupported packet filter" 1>&2 exit 1 fi @@ -48,12 +51,20 @@ esac case "$1" in add) case "$pf" in + ipf) + /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 + echo block in quick $proto from $addr/$mask to \ + any port=$6 head port$6 | \ + /sbin/ipf -I -f - -s >/dev/null 2>&1 + ;; ipfw) - rule=$(( $ipfw_offset + $6 )) # use $ipfw_offset+$port for rule number + # use $ipfw_offset+$port for rule number + rule=$(($ipfw_offset + $6)) tname="port$6" /sbin/ipfw table $tname create type addr 2>/dev/null /sbin/ipfw -q table $tname add "$addr/$mask" - /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to any dst-port $6 + /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \ + any dst-port $6 ;; npf) /sbin/npfctl rule "$2" add block in final $proto from \ @@ -69,6 +80,12 @@ add) ;; rem) case "$pf" in + ipf) + /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 + echo block in quick $proto from $addr/$mask to \ + any port=$6 head port$6 | \ + /sbin/ipf -I -r -f - -s >/dev/null 2>&1 + ;; ipfw) /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null ;; @@ -81,7 +98,10 @@ rem) esac ;; flush) - case "$pf" in + case "$pf" in + ipf) + /sbin/ipf -Z -I -Fi -s > /dev/null + ;; ipfw) /sbin/ipfw table "port$6" flush 2>/dev/null ;;