M8fzdT7Mo2qctvuWVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1760403452; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=avv082mq+TMVcgd90z4b7ULaO4CHaccqui1zyKSKpBY=; b=g9Az4Rt+fx5We1S+0HFd/+yFOURQBB4AnLwbSQ9BO9hHMvwNiODer/wHMLEdCEQUv54j+P Zy9VLIhkkfmj21UeG+0UnSxR6mM6QJSuQV71KPo/Bamr1+0FVMZdJpolnCgLrjcITQnGf0 QPW8gMG5ZdSu0ynpjIDCI9KeVvK9RJ7j3lXZF+hziB9xVPA9uC0Y3qccAg8bh4TOmopSmU qT14a+gLsnFfHmAfShWGCHdtuKBCM5zqL41dL3fesCnvnmhbx5syrXC09h7fkHnKgD22tl DcDnf7WOEmT80I5cVswoMe4b7/fd54Axq8PhhZl8UrE0Y4J+25UuE5hzLXE8WA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1760403452; a=rsa-sha256; cv=none; b=vrh+M7JjnQ8hpWyUamOoo9+LT8MkKbeL7LQFF6XxOvZq0Mk3Z0ME9/FnxpOwXMXq251CoY GKqkZXM1drQhiwVyJepknmOGdB3u1YnSGPV8mSG8+Tg+Gl7hfuMsUEdWs1h5NGLGOe5GcN sLv2FcvQ3ydhOBhl/bLLaywYB0RScYXSaitQxeSlrI0urZ7XDM3W565LdvC8bBb0ZeDzPd /g5nSz5qHuxyutWmARwNC8gEl4QWcbIwBvwkkyxCY0fon+pFJ/iqnAk2EfODPNiXGBItAX 2AXpGyDTVwVdupb6jdSkpPr9k7iLzbRonBqV1Q63fyXH23KRVPHNNbiEGa9pXA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4clwmX3r19zVVB; Tue, 14 Oct 2025 00:57:32 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 59E0vW5a021562; Tue, 14 Oct 2025 00:57:32 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 59E0vWb1021559; Tue, 14 Oct 2025 00:57:32 GMT (envelope-from git) Date: Tue, 14 Oct 2025 00:57:32 GMT Message-Id: <202510140057.59E0vWb1021559@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Jose Luis Duran Subject: git: a719ef67e8ed - stable/15 - blocklist: Revert upstream commit ddf6d71 List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jlduran X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: a719ef67e8ed2cbae5f397d2a4680a02495b79ab Auto-Submitted: auto-generated The branch stable/15 has been updated by jlduran: URL: https://cgit.FreeBSD.org/src/commit/?id=a719ef67e8ed2cbae5f397d2a4680a02495b79ab commit a719ef67e8ed2cbae5f397d2a4680a02495b79ab Author: Jose Luis Duran AuthorDate: 2025-10-11 14:15:03 +0000 Commit: Jose Luis Duran CommitDate: 2025-10-14 00:52:47 +0000 blocklist: Revert upstream commit ddf6d71 Upstream commit ddf6d71 ("implement BLOCKLIST_BAD_USER as a "one-count" failure") introduced BLOCKLIST_BAD_USER with a one-count failure mechanism. BLOCKLIST_AUTH_FAIL was implemented with a two-count failure mechanism. Since we have been utilizing BLOCKLIST_AUTH_FAIL, the number of failed attempts now doubles towards the maximum limit (nfails), giving system administrators the impression that the number of failed authentication attempts is inaccurate. Revert this commit until a consensus has been reached. We do not want to introduce yet another breaking change with the renaming of the library. Approved by: emaste (mentor) MFC after: 2 days (cherry picked from commit 4d56eb007b18881becb2107f87bd2a7edca3e6bf) --- contrib/blocklist/bin/blocklistd.c | 18 +++++++++--------- contrib/blocklist/lib/libblocklist.3 | 32 +++++++++++++++++++------------- 2 files changed, 28 insertions(+), 22 deletions(-) diff --git a/contrib/blocklist/bin/blocklistd.c b/contrib/blocklist/bin/blocklistd.c index 4846b507c8d1..03a1dbbf056c 100644 --- a/contrib/blocklist/bin/blocklistd.c +++ b/contrib/blocklist/bin/blocklistd.c @@ -222,19 +222,16 @@ process(bl_t bl) switch (bi->bi_type) { case BL_ABUSE: /* - * If the application has signaled abusive behavior, set the - * number of fails to be two less than the configured limit. - * Fall through to the normal BL_ADD and BL_BADUSER processing, - * which will increment the failure count to the threshhold, and - * block the abusive address. + * If the application has signaled abusive behavior, + * set the number of fails to be one less than the + * configured limit. Fallthrough to the normal BL_ADD + * processing, which will increment the failure count + * to the threshhold, and block the abusive address. */ if (c.c_nfail != -1) - dbi.count = c.c_nfail - 2; + dbi.count = c.c_nfail - 1; /*FALLTHROUGH*/ case BL_ADD: - dbi.count++; /* will become += 2 */ - /*FALLTHROUGH*/ - case BL_BADUSER: dbi.count++; dbi.last = ts.tv_sec; if (c.c_nfail != -1 && dbi.count >= c.c_nfail) { @@ -263,6 +260,9 @@ process(bl_t bl) dbi.count = 0; dbi.last = 0; break; + case BL_BADUSER: + /* ignore for now */ + break; default: (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); } diff --git a/contrib/blocklist/lib/libblocklist.3 b/contrib/blocklist/lib/libblocklist.3 index 7a016625a047..fd6eb93eb756 100644 --- a/contrib/blocklist/lib/libblocklist.3 +++ b/contrib/blocklist/lib/libblocklist.3 @@ -106,20 +106,26 @@ The .Ar action parameter can take these values: .Bl -tag -width ".Dv BLOCKLIST_ABUSIVE_BEHAVIOR" -.It Va BLOCKLIST_BAD_USER -The sending daemon has determined the username presented for -authentication is invalid. -This is considered as one failure count. -.It Va BLOCKLIST_AUTH_FAIL +.It Dv BLOCKLIST_AUTH_FAIL There was an unsuccessful authentication attempt. -This is considered as two failure counts together. -.It Va BLOCKLIST_ABUSIVE_BEHAVIOR -The sending daemon has detected abusive behavior from the remote system. -This is considered as a total immediate failure. -The remote address will be blocked as soon as possible. -.It Va BLOCKLIST_AUTH_OK -A valid user successfully authenticated. -Any entry for the remote address will be removed as soon as possible. +.It Dv BLOCKLIST_AUTH_OK +A user successfully authenticated. +.It Dv BLOCKLIST_ABUSIVE_BEHAVIOR +The sending daemon has detected abusive behavior +from the remote system. +The remote address should +be blocked as soon as possible. +.It Dv BLOCKLIST_BAD_USER +The sending daemon has determined the username +presented for authentication is invalid. +The +.Xr blocklistd 8 +daemon compares the username to a configured list of forbidden +usernames and +blocks the address immediately if a forbidden username matches. +(The +.Dv BLOCKLIST_BAD_USER +support is not currently available.) .El .Pp The