Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/external/bsd/blacklist/bin Explain how configuration matchin...
details: https://anonhg.NetBSD.org/src/rev/16444a64e369
branches: trunk
changeset: 1008656:16444a64e369
user: christos <christos%NetBSD.org@localhost>
date: Mon Mar 30 03:02:41 2020 +0000
description:
Explain how configuration matching is done.
diffstat:
external/bsd/blacklist/bin/blacklistd.8 | 40 +++++++++++++++++++++++++++++++-
1 files changed, 38 insertions(+), 2 deletions(-)
diffs (61 lines):
diff -r abbaa5322fdf -r 16444a64e369 external/bsd/blacklist/bin/blacklistd.8
--- a/external/bsd/blacklist/bin/blacklistd.8 Mon Mar 30 02:41:06 2020 +0000
+++ b/external/bsd/blacklist/bin/blacklistd.8 Mon Mar 30 03:02:41 2020 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.20 2019/11/06 23:17:37 wiz Exp $
+.\" $NetBSD: blacklistd.8,v 1.21 2020/03/30 03:02:41 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd November 6, 2019
+.Dd March 29, 2020
.Dt BLACKLISTD 8
.Os
.Sh NAME
@@ -65,6 +65,42 @@
If an entry is matched, a state entry is created for that tuple.
Each entry contains a number of tries limit and a duration.
.Pp
+The way
+.Nm
+does configuration entry matching is by having the client side pass the
+file dscriptor associated with the connection the client wants to blacklist
+as well as passing socket credentials.
+.Pp
+The file descriptor is used to retrieve information (address and port)
+about the remote side with
+.Xr getpeername 2
+and the local side with
+.Xr getsockname 2 .
+.Pp
+By examining the port of the local side,
+.Nm
+can determine if the client program
+.Dq owns
+the port.
+By examining the optional address portion on the local side, it can match
+interfaces.
+By examining the remote address, it can match specific allow or deny rules.
+.Pp
+Finally
+.Nm
+can examine the socket credentials to match the user in the configuration file.
+.Pp
+While this works well for TCP sockets, it cannot be relied on for unbound
+UDP sockets.
+It is also less meaningful when it comes to connections using non-privileged
+ports.
+On the other hand, if we receive a request that has a local endpoind indicating
+UDP privileged port, we can presume that the client was privileged to be
+able to acquire that port.
+.Pp
+Once an entry is matched
+.Nm
+can perform various actions.
If the action is
.Dq add
and the number of tries limit is reached, then a
Home |
Main Index |
Thread Index |
Old Index