From: bugzilla-noreply@freebsd.org
To: freebsd-amd64@FreeBSD.org
Subject: [Bug 214980] blacklistd and sshd incorrect counting of failed login attempts
Date: Thu, 01 Dec 2016 15:58:35 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 11.0-STABLE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: lidl@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: lidl@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Porting FreeBSD to the AMD64 platform
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214980

--- Comment #1 from Kurt Lidl ---

The relevant bit of the current blacklist-helper script:

    ipfw)
        # use $ipfw_offset+$port for rule number
        rule=$(($ipfw_offset + $6))
        tname="port$6"
        /sbin/ipfw table $tname create type addr 2>/dev/null
        /sbin/ipfw -q table $tname add "$addr/$mask"
        /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
            any dst-port $6 && echo OK
        ;;

I think that the problem is the '-q' on the last line is forcing "quiet"
behaviour, and (I missed this when adapting the code from 'pf'), it no
longer errors out on duplicate rules with the same number.

There are two different ways to address this that come to mind immediately:

1) Check to see if the rule exists before attempting to add it, and if it
   already exists, don't add it a second time.

2) Attempt to add the rule without -q, but with stderr redirected to
   /dev/null. I don't particularly like this, as it means that otherwise
   legitimate errors cannot be handled.

I'll take a stab at implementing #1 in the next few days. (My dev machines
run 'pf'.)
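The following is an added illustration of approach #1 from the comment above; it is not code from the FreeBSD blacklist-helper script or from the bug's author. It restructures the ipfw branch so that the drop rule is only added when no rule with that number is installed yet, and it drops '-q' from the 'ipfw add' so that a genuine failure is reported. It assumes that 'ipfw list N' prints the installed rule as "NNNNN action ..." and prints nothing for N otherwise, and it takes the values the helper reads from $addr, $mask, $3, $6 and $ipfw_offset as explicit function arguments. The ipfw command comes from $IPFW so a stand-in can be substituted on a machine without ipfw. The existence check, not ipfw's own error reporting, is what prevents a second rule with the same number here.

```shell
#!/bin/sh
# Added example, not the blacklist-helper script's own code: the ipfw branch
# restructured so that a rule number is only added when it is not already
# installed (approach #1 from the comment). Assumes 'ipfw list N' prints the
# installed rule as "NNNNN action ..." and prints nothing for N otherwise.
# IPFW names the ipfw binary; it can be pointed at a stand-in for testing.
IPFW=${IPFW:-/sbin/ipfw}

# rule_exists RULE -> exit 0 when ipfw already has a rule with that number.
# stderr is discarded because "rule does not exist" is an expected answer
# here, not an error worth reporting.
rule_exists() {
    "$IPFW" list "$1" 2>/dev/null | grep -q "^0*$1[[:space:]]"
}

# blacklist_add ADDR MASK PROTO PORT OFFSET
# Same steps as the helper's ipfw branch, taking the values the helper
# reads from $addr, $mask, $3, $6 and $ipfw_offset as explicit arguments.
# Prints OK on success, as the helper does, so blacklistd can parse it.
blacklist_add() {
    addr=$1; mask=$2; proto=$3; port=$4; offset=$5
    rule=$((offset + port))
    tname="port$port"

    # Table creation is kept quiet, as in the original: the table usually
    # already exists from an earlier block on the same port.
    "$IPFW" table "$tname" create type addr 2>/dev/null
    # Put the offending address into the per-port table.
    "$IPFW" -q table "$tname" add "$addr/$mask"

    if rule_exists "$rule"; then
        # The drop rule from an earlier block is still installed; the new
        # table entry is all that was needed, so do not add a second rule.
        echo OK
        return 0
    fi

    # No -q here: if installing the rule genuinely fails, let ipfw say so
    # and let the non-zero status reach the caller.
    "$IPFW" add "$rule" drop "$proto" from "table($tname)" to any dst-port "$port" \
        && echo OK
}

# Usage (with the real ipfw, as root):
#   blacklist_add 192.0.2.10 32 tcp 22 22000   # first block on port 22: adds rule 22022
#   blacklist_add 198.51.100.7 32 tcp 22 22000 # later block: table entry only, no second rule
```

Because each port maps to one rule number, the second call for the same port only extends the table and prints OK, which is the behaviour the single 'ipfw add' with '-q' silently failed to guarantee.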