[src/trunk]: src/external/bsd/blacklist/bin add an option to restore rules, a...
details: https://anonhg.NetBSD.org/src/rev/c3c1ae928c5e
branches: trunk
changeset: 335887:c3c1ae928c5e
user: christos <christos%NetBSD.org@localhost>
date: Wed Jan 28 22:30:42 2015 +0000
description:
add an option to restore rules, and run the flush command only once per
rule name.
diffstat:
external/bsd/blacklist/bin/blacklistd.8 | 11 ++-
external/bsd/blacklist/bin/blacklistd.c | 103 ++++++++++++++++++++++++-------
2 files changed, 87 insertions(+), 27 deletions(-)
diffs (223 lines):
diff -r 303f52599aef -r c3c1ae928c5e external/bsd/blacklist/bin/blacklistd.8
--- a/external/bsd/blacklist/bin/blacklistd.8 Wed Jan 28 16:47:00 2015 +0000
+++ b/external/bsd/blacklist/bin/blacklistd.8 Wed Jan 28 22:30:42 2015 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.9 2015/01/27 19:40:36 christos Exp $
+.\" $NetBSD: blacklistd.8,v 1.10 2015/01/28 22:30:42 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -35,12 +35,12 @@
.Nd block and release ports on demand to avoid DoS abuse
.Sh SYNOPSIS
.Nm
-.Op Fl dvf
+.Op Fl dfrv
.Op Fl C Ar controlprog
.Op Fl c Ar configfile
.Op Fl D Ar dbfile
.Op Fl P Ar sockpathsfile
-.Op Fl r Ar rulename
+.Op Fl R Ar rulename
.Op Fl s Ar sockpath
.Op Fl t Ar timeout
.Sh DESCRIPTION
@@ -111,6 +111,11 @@
.Bd -literal -offset indent
control flush <rulename>
.Ed
+If the
+.Fl r
+flag is specified, the firewall rules are re-read from the internal database
+and are removed and re-added.
+This helps for packet filters that don't retain state across reboots.
.Pp
.Nm
checks the list of active entries every
diff -r 303f52599aef -r c3c1ae928c5e external/bsd/blacklist/bin/blacklistd.c
--- a/external/bsd/blacklist/bin/blacklistd.c Wed Jan 28 16:47:00 2015 +0000
+++ b/external/bsd/blacklist/bin/blacklistd.c Wed Jan 28 22:30:42 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.31 2015/01/28 05:08:55 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.32 2015/01/28 22:30:42 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
#include "config.h"
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.31 2015/01/28 05:08:55 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.32 2015/01/28 22:30:42 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -104,7 +104,7 @@
{
if (c)
warnx("Unknown option `%c'", (char)c);
- fprintf(stderr, "Usage: %s [-vdf] [-c <config>] [-r <rulename>] "
+ fprintf(stderr, "Usage: %s [-vdfr] [-c <config>] [-R <rulename>] "
"[-P <sockpathsfile>] [-C <controlprog>] [-D <dbfile>] "
"[-s <sockpath>] [-t <timeout>]\n", getprogname());
exit(EXIT_FAILURE);
@@ -273,11 +273,11 @@
update(void)
{
struct timespec ts;
- struct sockaddr_storage ss;
struct conf c;
struct dbinfo dbi;
unsigned int f, n;
char buf[128];
+ void *ss = &c.c_ss;
if (clock_gettime(CLOCK_REALTIME, &ts) == -1) {
(*lfun)(LOG_ERR, "clock_gettime failed (%m)");
@@ -290,21 +290,18 @@
time_t when = c.c_duration + dbi.last;
if (debug > 1) {
char b1[64], b2[64];
- sockaddr_snprintf(buf, sizeof(buf), "%a:%p",
- (void *)&ss);
- (*lfun)(LOG_DEBUG,
- "%s:[%u] %s count=%d duration=%d last=%s "
- "now=%s", __func__, n, buf, dbi.count,
- c.c_duration, fmttime(b1, sizeof(b1), dbi.last),
- fmttime(b2, sizeof(b2), ts.tv_sec));
+ sockaddr_snprintf(buf, sizeof(buf), "%a:%p", ss);
+ (*lfun)(LOG_DEBUG, "%s:[%u] %s count=%d duration=%d "
+ "last=%s " "now=%s", __func__, n, buf, dbi.count,
+ c.c_duration, fmttime(b1, sizeof(b1), dbi.last),
+ fmttime(b2, sizeof(b2), ts.tv_sec));
}
if (c.c_duration == -1 || when >= ts.tv_sec)
continue;
if (dbi.id[0]) {
run_change("rem", &c, dbi.id, 0);
- sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&ss);
- syslog(LOG_INFO,
- "released %s/%d:%d after %d seconds",
+ sockaddr_snprintf(buf, sizeof(buf), "%a", ss);
+ syslog(LOG_INFO, "released %s/%d:%d after %d seconds",
buf, c.c_lmask, c.c_port, c.c_duration);
}
state_del(state, &c);
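Review bot: The result of `run_change("rem", &c, dbi.id, 0)` is discarded, yet the `syslog(LOG_INFO, "released ...")` and `state_del(state, &c)` that follow run unconditionally, so a removal that fails is still reported as a release and the entry is dropped from the database while the block may remain in the packet filter. Assuming run_change signals failure through its return value (the `(void)` casts added elsewhere in this commit suggest it returns one), check it and emit an `(*lfun)(LOG_ERR, ...)` line for the failed address before deleting the state, so that the database and the filter cannot silently diverge. As a point of style, the debug format is split into adjacent literals `"last=%s " "now=%s"`; a single `"last=%s now=%s"` reads more easily. The enclosing update() starts outside this hunk.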
@@ -334,20 +331,75 @@
*nfd += 1;
}
+static void
+uniqueadd(struct conf ***listp, size_t *nlist, size_t *mlist, struct conf *c)
+{
+ struct conf **list = *listp;
+
+ if (c->c_name[0] == '\0')
+ return;
+ for (size_t i = 0; i < *nlist; i++) {
+ if (strcmp(list[i]->c_name, c->c_name) == 0)
+ return;
+ }
+ if (*nlist == *mlist) {
+ *mlist += 10;
+ void *p = realloc(*listp, *mlist * sizeof(*list));
+ if (p == NULL)
+ err(EXIT_FAILURE, "Can't allocate for rule list");
+ list = *listp = p;
+ }
+ list[(*nlist)++] = c;
+}
+
+static void
+rules_flush(void)
+{
+ struct conf **list;
+ size_t nlist, mlist;
+
+ list = NULL;
+ mlist = nlist = 0;
+ for (size_t i = 0; i < rconf.cs_n; i++)
+ uniqueadd(&list, &nlist, &mlist, &rconf.cs_c[i]);
+ for (size_t i = 0; i < lconf.cs_n; i++)
+ uniqueadd(&list, &nlist, &mlist, &lconf.cs_c[i]);
+
+ for (size_t i = 0; i < nlist; i++)
+ run_flush(list[i]);
+ free(list);
+}
+
+static void
+rules_restore(void)
+{
+ struct conf c;
+ struct dbinfo dbi;
+ unsigned int f;
+
+ for (f = 1; state_iterate(state, &c, &dbi, f) == 1; f = 0) {
+ if (dbi.id[0] == '\0')
+ continue;
+ (void)run_change("rem", &c, dbi.id, 0);
+ (void)run_change("add", &c, dbi.id, sizeof(dbi.id));
+ }
+}
+
int
main(int argc, char *argv[])
{
- int c, tout, flags, reset;
+ int c, tout, flags, flush, restore;
const char *spath, *blsock;
setprogname(argv[0]);
spath = NULL;
blsock = _PATH_BLSOCK;
- reset = 0;
+ flush = 0;
+ restore = 0;
tout = 0;
flags = O_RDWR|O_EXCL|O_CLOEXEC;
- while ((c = getopt(argc, argv, "C:c:D:dfr:P:s:t:v")) != -1) {
+ while ((c = getopt(argc, argv, "C:c:D:dfP:rR:s:t:v")) != -1) {
switch (c) {
case 'C':
controlprog = optarg;
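Review bot: `uniqueadd` returns early when `c->c_name[0] == '\0'`, so `rules_flush` never calls `run_flush` for an entry with an empty rule name, whereas the loops it replaces (removed in the last hunk) flushed every entry of rconf and lconf. If run_flush substitutes a default rule name for an empty c_name, that default is no longer flushed; if the skip is intended, a comment such as `/* entries without a rule name have nothing to flush */` would make it explicit. In `rules_restore`, both `run_change` results are cast to `(void)`, so a rule that fails to be re-added leaves a database entry with no matching packet-filter rule and no log line; logging such failures at LOG_ERR through `(*lfun)` would keep the two observably in sync. main() continues past the end of this hunk.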
@@ -362,13 +414,16 @@
debug++;
break;
case 'f':
- reset++;
+ flush++;
break;
case 'P':
spath = optarg;
break;
+ case 'R':
+ rulename = optarg;
+ break;
case 'r':
- rulename = optarg;
+ restore++;
break;
case 's':
blsock = optarg;
@@ -408,14 +463,14 @@
update_interfaces();
conf_parse(configfile);
- if (reset) {
- for (size_t i = 0; i < rconf.cs_n; i++)
- run_flush(&rconf.cs_c[i]);
- for (size_t i = 0; i < lconf.cs_n; i++)
- run_flush(&lconf.cs_c[i]);
+ if (flush) {
+ rules_flush();
flags |= O_TRUNC;
}
+ if (restore)
+ rules_restore();
+
struct pollfd *pfd = NULL;
bl_t *bl = NULL;
size_t nfd = 0;
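Review bot: `rules_restore()` is called here before the state database appears to be opened: `flags` is still being assembled on the line above (`flags |= O_TRUNC`), which implies the open call that consumes it runs later in main, so the `state_iterate(state, ...)` loop inside rules_restore would operate on a `state` that has not been opened yet. The call should move to after the database is opened. Independently, with `-f` and `-r` given together the flush truncates the database, leaving nothing to restore; either reject the combination in option parsing or skip truncation when restoring, e.g. `if (!restore) flags |= O_TRUNC;`. main() starts outside this hunk.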