Source-Changes-HG archive
[src/trunk]: src/external/bsd/blacklist update for udp
details: https://anonhg.NetBSD.org/src/rev/3a670737a3f4
branches: trunk
changeset: 335745:3a670737a3f4
user: christos <christos%NetBSD.org@localhost>
date: Thu Jan 22 19:08:43 2015 +0000
description:
update for udp
diffstat:
external/bsd/blacklist/README | 20 ++++++++++++++++----
1 files changed, 16 insertions(+), 4 deletions(-)
diffs (49 lines):
diff -r 587da0c36246 -r 3a670737a3f4 external/bsd/blacklist/README
--- a/external/bsd/blacklist/README Thu Jan 22 19:04:28 2015 +0000
+++ b/external/bsd/blacklist/README Thu Jan 22 19:08:43 2015 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.5 2015/01/22 17:49:41 christos Exp $
+# $NetBSD: README,v 1.6 2015/01/22 19:08:43 christos Exp $
This package contains library that can be used by network daemons to
communicate with a packet filter via a daemon to enforce opening and
@@ -8,10 +8,14 @@
(this is currently designed for npf) and the configuration file
(inspired from inetd.conf) is in etc/blacklistd.conf.
+There is also a startup file in etc/rc.d/blacklistd
+
Patches to various daemons to add blacklisting capabilitiers are in the
-diff directory:
- - OpenSSH: diff/ssh.diff
- - Bind: diff/named.diff
+"diff" directory:
+ - OpenSSH: diff/ssh.diff [tcp socket example]
+ - Bind: diff/named.diff [both tcp and udp]
+
+These patches don't include the Makefile changes, but should be obvious.
The network daemon (for example sshd) communicates to blacklistd, via
a unix socket like syslog. The library calls are simple and everything
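Review bot: "These patches don't include the Makefile changes, but should be obvious" leaves the integrator guessing; since the rest of this section is precise about file locations, replace it with the concrete build changes a daemon needs (the library it must link against and where its header lives). The unchanged context line two lines above the "diff" directory line still reads "add blacklisting capabilitiers"; as this hunk rewrites the neighbouring lines, fix the typo to "capabilities" here as well.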
@@ -33,6 +37,13 @@
number is retrieved from the kernel.
message -> an optional string that is used in debugging logs.
+Unfortunately there is no way to get information about the "peer"
+from a udp socket, because there is no connection and that information
+is kept with the server. In that case the daemon can provide the
+peer information to blacklistd via:
+
+ blacklist_sa(action, acceptedfd, sockaddr, sockaddr_len, message);
+
The configuration file contains entries of the form:
# Blacklist rule
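Review bot: the blacklist_sa() description does not say what acceptedfd should be for a UDP server, where nothing was accept(2)ed; state whether the daemon passes the bound datagram socket itself (which would keep the earlier statement that the port "number is retrieved from the kernel" true) and give the parameter types for sockaddr and sockaddr_len, for instance const struct sockaddr * and socklen_t, matching how the other arguments are documented above. The justification in the new paragraph is also imprecise: "that information is kept with the server" should say that getpeername(2) cannot return a peer for an unconnected datagram socket, so the daemon only knows the sender from the recvfrom(2)/recvmsg(2) call that delivered the packet and must hand that sockaddr to blacklistd explicitly.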
@@ -80,6 +91,7 @@
ruleset "blacklistd-int"
...
}
+
Enjoy,
christos