authorEd Maste <emaste@FreeBSD.org>2020-06-15 13:44:37 +0000
committerEd Maste <emaste@FreeBSD.org>2020-06-15 13:44:37 +0000
commite6a066ac3e8fdf1fcd4f3f2ca1b82bd55eb2da2a (patch)
treed6a99e0065ab5d39b716a0d5272ef21055745e0c
parent6fa63e1816f543db1c68320f442e30f95d8f9f78 (diff)
blocklist: update to 2020-06-15 snapshotvendor/blocklist/20200615vendor/blocklist
Upstream hash 7093cd90cc9eae6bf9fa6b66f679ea6b15451c1e Obtained from: https://github.com/zoulasc/blocklist Sponsored by: The FreeBSD Foundation
Notes
Notes: svn path=/vendor/blocklist/dist/; revision=362197 svn path=/vendor/blocklist/20200615/; revision=362198; tag=vendor/blocklist/20200615
-rw-r--r--Makefile2
-rw-r--r--Makefile.inc6
-rw-r--r--README42
-rw-r--r--TODO6
-rw-r--r--bin/Makefile12
-rw-r--r--bin/blocklistctl.816
-rw-r--r--bin/blocklistctl.c4
-rw-r--r--bin/blocklistd.899
-rw-r--r--bin/blocklistd.c62
-rw-r--r--bin/blocklistd.conf.530
-rw-r--r--bin/conf.c201
-rw-r--r--bin/conf.h2
-rw-r--r--bin/internal.c6
-rw-r--r--bin/internal.h8
-rw-r--r--bin/run.c2
-rw-r--r--bin/run.h2
-rw-r--r--bin/state.c4
-rw-r--r--bin/state.h2
-rw-r--r--bin/support.c2
-rw-r--r--bin/support.h2
-rw-r--r--diff/ftpd.diff12
-rw-r--r--diff/named.diff12
-rw-r--r--diff/postfix.diff82
-rw-r--r--diff/proftpd.diff18
-rw-r--r--diff/ssh.diff14
-rw-r--r--etc/Makefile6
-rw-r--r--etc/npf.conf4
-rw-r--r--etc/rc.d/Makefile4
-rw-r--r--etc/rc.d/blocklistd18
-rw-r--r--include/Makefile4
-rw-r--r--include/bl.h10
-rw-r--r--include/blocklist.h29
-rw-r--r--lib/Makefile20
-rw-r--r--lib/bl.c11
-rw-r--r--lib/blocklist.c52
-rw-r--r--lib/libblocklist.3121
-rw-r--r--libexec/Makefile4
-rw-r--r--libexec/blocklistd-helper4
-rw-r--r--port/Makefile.am24
-rw-r--r--port/_strtoi.h2
-rw-r--r--port/configure.ac2
-rw-r--r--port/fgetln.c2
-rw-r--r--port/fparseln.c4
-rw-r--r--port/pidfile.c4
-rw-r--r--port/popenve.c4
-rw-r--r--port/port.h4
-rw-r--r--port/sockaddr_snprintf.c4
-rw-r--r--port/strlcat.c4
-rw-r--r--port/strlcpy.c4
-rw-r--r--port/strtoi.c4
-rw-r--r--test/Makefile2
-rw-r--r--test/cltest.c4
-rw-r--r--test/srvtest.c12
53 files changed, 654 insertions, 361 deletions
diff --git a/Makefile b/Makefile
index da4411d0ca759..5ad82e43319e4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.2 2015/01/22 17:49:41 christos Exp $
+# $NetBSD: Makefile,v 1.1 2015/01/21 16:16:00 christos Exp $
SUBDIR = lib .WAIT include bin etc libexec
diff --git a/Makefile.inc b/Makefile.inc
index 85c82783cd353..60c9aaf0bf29f 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile.inc,v 1.3 2015/01/23 03:57:22 christos Exp $
+# $NetBSD: Makefile.inc,v 1.2 2015/01/22 04:20:50 christos Exp $
WARNS=6
.if !defined(LIB)
-LDADD+= -lblacklist
-DPADD+= ${LIBBLACKLIST}
+LDADD+= -lblocklist
+DPADD+= ${LIBBLOCKLIST}
.endif
CPPFLAGS+= -I${.CURDIR}/../include
CPPFLAGS+=-DHAVE_STRUCT_SOCKADDR_SA_LEN -DHAVE_UTIL_H -DHAVE_DB_H
diff --git a/README b/README
index 7da3317a77fed..b750cfbb2e742 100644
--- a/README
+++ b/README
@@ -1,21 +1,21 @@
-# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $
+# $NetBSD: README,v 1.7 2015/01/26 00:34:50 christos Exp $
This package contains library that can be used by network daemons to
communicate with a packet filter via a daemon to enforce opening and
closing ports dynamically based on policy.
-The interface to the packet filter is in libexec/blacklistd-helper
+The interface to the packet filter is in libexec/blocklistd-helper
(this is currently designed for npf) and the configuration file
-(inspired from inetd.conf) is in etc/blacklistd.conf.
+(inspired from inetd.conf) is in etc/blocklistd.conf.
-On NetBSD you can find an example npf.conf and blacklistd.conf in
-/usr/share/examples/blacklistd; you need to adjust the interface
+On NetBSD you can find an example npf.conf and blocklistd.conf in
+/usr/share/examples/blocklistd; you need to adjust the interface
in npf.conf and copy both files to /etc; then you just enable
-blacklistd=YES in /etc/rc.conf, start it up, and you are all set.
+blocklistd=YES in /etc/rc.conf, start it up, and you are all set.
-There is also a startup file in etc/rc.d/blacklistd
+There is also a startup file in etc/rc.d/blocklistd
-Patches to various daemons to add blacklisting capabilitiers are in the
+Patches to various daemons to add blocklisting capabilitiers are in the
"diff" directory:
- OpenSSH: diff/ssh.diff [tcp socket example]
- Bind: diff/named.diff [both tcp and udp]
@@ -23,21 +23,21 @@ Patches to various daemons to add blacklisting capabilitiers are in the
These patches have been applied to NetBSD-current.
-The network daemon (for example sshd) communicates to blacklistd, via
+The network daemon (for example sshd) communicates to blocklistd, via
a unix socket like syslog. The library calls are simple and everything
is handled by the library. In the simplest form the only thing the
daemon needs to do is to call:
- blacklist(action, acceptedfd, message);
+ blocklist(action, acceptedfd, message);
Where:
- action = 0 -> successful login clear blacklist state
+ action = 0 -> successful login clear blocklist state
1 -> failed login, add to the failed count
acceptedfd -> the file descriptor where the server is
connected to the remote client. It is used
to determine the listening socket, and the
remote address. This allows any program to
- contact the blacklist daemon, since the verification
+ contact the blocklist daemon, since the verification
if the program has access to the listening
socket is done by virtue that the port
number is retrieved from the kernel.
@@ -46,9 +46,9 @@ Where:
Unfortunately there is no way to get information about the "peer"
from a udp socket, because there is no connection and that information
is kept with the server. In that case the daemon can provide the
-peer information to blacklistd via:
+peer information to blocklistd via:
- blacklist_sa(action, acceptedfd, sockaddr, sockaddr_len, message);
+ blocklist_sa(action, acceptedfd, sockaddr, sockaddr_len, message);
The configuration file contains entries of the form:
@@ -70,8 +70,8 @@ will let us have 2 connections before blocking. Finally we block
for an hour; we could block forever too by specifying * in the
duration column.
-blacklistd and the library use syslog(3) to report errors. The
-blacklist filter state is persisted automatically in /var/db/blacklistd.db
+blocklistd and the library use syslog(3) to report errors. The
+blocklist filter state is persisted automatically in /var/db/blocklistd.db
so that if the daemon is restarted, it remembers what connections
is currently handling. To start from a fresh state (if you restart
npf too for example), you can use -f. To watch the daemon at work,
@@ -80,25 +80,25 @@ you can use -d.
The current control file is designed for npf, and it uses the
dynamic rule feature. You need to create a dynamic rule in your
/etc/npf.conf on the group referring to the interface you want to block
-called blacklistd as follows:
+called blocklistd as follows:
ext_if=bge0
int_if=sk0
group "external" on $ext_if {
...
- ruleset "blacklistd-ext"
- ruleset "blacklistd"
+ ruleset "blocklistd-ext"
+ ruleset "blocklistd"
...
}
group "internal" on $int_if {
...
- ruleset "blacklistd-int"
+ ruleset "blocklistd-int"
...
}
-You can use 'blacklistctl dump -a' to list all the current entries
+You can use 'blocklistctl dump -a' to list all the current entries
in the database; the ones that have nfail <c>/<t> where <c>urrent
>= <t>otal, should have an id assosiated with them; this means that
there is a packet filter rule added for that entry. For npf, you
diff --git a/TODO b/TODO
index 9925020d54bbc..c375ae5fe3d7b 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,4 @@
-# $NetBSD: TODO,v 1.7 2015/01/23 21:34:01 christos Exp $
+# $NetBSD: TODO,v 1.6 2015/01/22 18:15:56 christos Exp $
- don't poll periodically, find the next timeout
- use the socket also for commands? Or separate socket?
@@ -17,5 +17,5 @@
-n
block
unblock
-- do we need an api in blacklistctl to perform maintenance
-- fix the blacklistctl output to be more user friendly
+- do we need an api in blocklistctl to perform maintenance
+- fix the blocklistctl output to be more user friendly
diff --git a/bin/Makefile b/bin/Makefile
index 280c72fd3af16..d935e10e7ea93 100644
--- a/bin/Makefile
+++ b/bin/Makefile
@@ -1,12 +1,12 @@
-# $NetBSD: Makefile,v 1.11 2015/01/27 19:40:36 christos Exp $
+# $NetBSD: Makefile,v 1.10 2015/01/22 17:49:41 christos Exp $
BINDIR=/sbin
-PROGS=blacklistd blacklistctl
-MAN.blacklistd=blacklistd.8 blacklistd.conf.5
-MAN.blacklistctl=blacklistctl.8
-SRCS.blacklistd = blacklistd.c conf.c run.c state.c support.c internal.c
-SRCS.blacklistctl = blacklistctl.c conf.c state.c support.c internal.c
+PROGS=blocklistd blocklistctl
+MAN.blocklistd=blocklistd.8 blocklistd.conf.5
+MAN.blocklistctl=blocklistctl.8
+SRCS.blocklistd = blocklistd.c conf.c run.c state.c support.c internal.c
+SRCS.blocklistctl = blocklistctl.c conf.c state.c support.c internal.c
DBG=-g
LDADD+=-lutil
diff --git a/bin/blocklistctl.8 b/bin/blocklistctl.8
index 7c65211177452..f3de48a6a9bda 100644
--- a/bin/blocklistctl.8
+++ b/bin/blocklistctl.8
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistctl.8,v 1.9 2016/06/08 12:48:37 wiz Exp $
+.\" $NetBSD: blocklistctl.8,v 1.8 2016/06/07 17:31:02 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -28,11 +28,11 @@
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd June 7, 2016
-.Dt BLACKLISTCTL 8
+.Dt BLOCKLISTCTL 8
.Os
.Sh NAME
-.Nm blacklistctl
-.Nd display and change the state of blacklistd
+.Nm blocklistctl
+.Nd display and change the state of blocklistd
.Sh SYNOPSIS
.Nm
.Cm dump
@@ -40,7 +40,7 @@
.Sh DESCRIPTION
.Nm
is a program used to display the state of
-.Xr blacklistd 8
+.Xr blocklistd 8
.Pp
The following options are available:
.Bl -tag -width indent
@@ -60,17 +60,17 @@ Normally the width of addresses is good for IPv4, the
flag, makes the display wide enough for IPv6 addresses.
.El
.Sh SEE ALSO
-.Xr blacklistd 8
+.Xr blocklistd 8
.Sh NOTES
Sometimes the reported number of failed attempts can exceed the number
of attempts that
-.Xr blacklistd 8
+.Xr blocklistd 8
is configured to block.
This can happen either because the rule has been removed manually, or
because there were more attempts in flight while the rule block was being
added.
This condition is normal; in that case
-.Xr blacklistd 8
+.Xr blocklistd 8
will first attempt to remove the existing rule, and then it will re-add
it to make sure that there is only one rule active.
.Sh HISTORY
diff --git a/bin/blocklistctl.c b/bin/blocklistctl.c
index aebbf72acc5e6..a11ae8739ccaf 100644
--- a/bin/blocklistctl.c
+++ b/bin/blocklistctl.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $ */
+/* $NetBSD: blocklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $");
+__RCSID("$NetBSD: blocklistctl.c,v 1.22 2018/05/24 19:19:37 christos Exp $");
#include <stdio.h>
#include <time.h>
diff --git a/bin/blocklistd.8 b/bin/blocklistd.8
index 5846047304dce..c28e8ac08e909 100644
--- a/bin/blocklistd.8
+++ b/bin/blocklistd.8
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.18 2016/07/30 06:09:29 dholland Exp $
+.\" $NetBSD: blocklistd.8,v 1.23 2020/04/21 13:57:12 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,11 +27,11 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd June 7, 2016
-.Dt BLACKLISTD 8
+.Dd April 21, 2020
+.Dt BLOCKLISTD 8
.Os
.Sh NAME
-.Nm blacklistd
+.Nm blocklistd
.Nd block and release ports on demand to avoid DoS abuse
.Sh SYNOPSIS
.Nm
@@ -55,16 +55,52 @@ If no such file is specified, then it only listens to the socket path
specified by
.Ar sockspath
or if that is not specified to
-.Pa /var/run/blacklistd.sock .
+.Pa /var/run/blocklistd.sock .
Each notification contains an (action, port, protocol, address, owner) tuple
that identifies the remote connection and the action.
This tuple is consulted against entries in
.Ar configfile
with syntax specified in
-.Xr blacklistd.conf 5 .
+.Xr blocklistd.conf 5 .
If an entry is matched, a state entry is created for that tuple.
Each entry contains a number of tries limit and a duration.
.Pp
+The way
+.Nm
+does configuration entry matching is by having the client side pass the
+file descriptor associated with the connection the client wants to blocklist
+as well as passing socket credentials.
+.Pp
+The file descriptor is used to retrieve information (address and port)
+about the remote side with
+.Xr getpeername 2
+and the local side with
+.Xr getsockname 2 .
+.Pp
+By examining the port of the local side,
+.Nm
+can determine if the client program
+.Dq owns
+the port.
+By examining the optional address portion on the local side, it can match
+interfaces.
+By examining the remote address, it can match specific allow or deny rules.
+.Pp
+Finally
+.Nm
+can examine the socket credentials to match the user in the configuration file.
+.Pp
+While this works well for TCP sockets, it cannot be relied on for unbound
+UDP sockets.
+It is also less meaningful when it comes to connections using non-privileged
+ports.
+On the other hand, if we receive a request that has a local endpoint indicating
+a UDP privileged port, we can presume that the client was privileged to be
+able to acquire that port.
+.Pp
+Once an entry is matched
+.Nm
+can perform various actions.
If the action is
.Dq add
and the number of tries limit is reached, then a
@@ -80,17 +116,17 @@ specified by the arguments.
The
.Ar rulename
argument can be set from the command line (default
-.Dv blacklistd ) .
+.Dv blocklistd ) .
The script could print a numerical id to stdout as a handle for
the rule that can be used later to remove that connection, but
that is not required as all information to remove the rule is
kept.
.Pp
If the action is
-.Dq remove
+.Dq rem
Then the same control script is invoked as:
.Bd -literal -offset indent
-control remove <rulename> <proto> <address> <mask> <port> <id>
+control rem <rulename> <proto> <address> <mask> <port> <id>
.Ed
.Pp
where
@@ -117,7 +153,7 @@ The following options are available:
Use
.Ar controlprog
to communicate with the packet filter, usually
-.Pa /libexec/blacklistd-helper .
+.Pa /libexec/blocklistd-helper .
The following arguments are passed to the control program:
.Bl -tag -width protocol
.It action
@@ -148,12 +184,12 @@ The add command is expected to return the rule identifier string to stdout.
.El
.It Fl c Ar configuration
The name of the configuration file to read, usually
-.Pa /etc/blacklistd.conf .
+.Pa /etc/blocklistd.conf .
.It Fl D Ar dbfile
The Berkeley DB file where
.Nm
stores its state, usually
-.Pa /var/run/blacklistd.db .
+.Pa /var/db/blocklistd.db .
.It Fl d
Normally,
.Nm
@@ -174,11 +210,11 @@ will create sockets to listen to.
This is useful for chrooted environments.
.It Fl R Ar rulename
Specify the default rule name for the packet filter rules, usually
-.Dv blacklistd .
+.Dv blocklistd .
.It Fl r
Re-read the firewall rules from the internal database, then
remove and re-add them.
-This helps for packet filters that don't retain state across reboots.
+This helps for packet filters that do not retain state across reboots.
.It Fl s Ar sockpath
Add
.Ar sockpath
@@ -198,20 +234,41 @@ diagnostic messages to
instead of
.Xr syslogd 8 .
.El
+.Sh SIGNAL HANDLING
+.Nm
+deals with the following signals:
+.Bl -tag -width "USR2"
+.It Dv HUP
+Receipt of this signal causes
+.Nm
+to re-read the configuration file.
+.It Dv INT , Dv TERM & Dv QUIT
+These signals tell
+.Nm
+to exit in an orderly fashion.
+.It Dv USR1
+This signal tells
+.Nm
+to increase the internal debugging level by 1.
+.It Dv USR2
+This signal tells
+.Nm
+to decrease the internal debugging level by 1.
+.El
.Sh FILES
-.Bl -tag -width /libexec/blacklistd-helper -compact
-.It Pa /libexec/blacklistd-helper
+.Bl -tag -width /libexec/blocklistd-helper -compact
+.It Pa /libexec/blocklistd-helper
Shell script invoked to interface with the packet filter.
-.It Pa /etc/blacklistd.conf
+.It Pa /etc/blocklistd.conf
Configuration file.
-.It Pa /var/db/blacklistd.db
+.It Pa /var/db/blocklistd.db
Database of current connection entries.
-.It Pa /var/run/blacklistd.sock
+.It Pa /var/run/blocklistd.sock
Socket to receive connection notifications.
.El
.Sh SEE ALSO
-.Xr blacklistd.conf 5 ,
-.Xr blacklistctl 8 ,
+.Xr blocklistd.conf 5 ,
+.Xr blocklistctl 8 ,
.Xr npfctl 8 ,
.Xr syslogd 8
.Sh HISTORY
diff --git a/bin/blocklistd.c b/bin/blocklistd.c
index ac92bbf2ffbf9..01dd629aecd0e 100644
--- a/bin/blocklistd.c
+++ b/bin/blocklistd.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $ */
+/* $NetBSD: blocklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
#include "config.h"
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $");
+__RCSID("$NetBSD: blocklistd.c,v 1.42 2020/03/11 02:33:18 roy Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -123,7 +123,7 @@ getremoteaddress(bl_info_t *bi, struct sockaddr_storage *rss, socklen_t *rsl)
return 0;
if (errno != ENOTCONN) {
- (*lfun)(LOG_ERR, "getpeername failed (%m)");
+ (*lfun)(LOG_ERR, "getpeername failed (%m)");
return -1;
}
@@ -141,13 +141,13 @@ getremoteaddress(bl_info_t *bi, struct sockaddr_storage *rss, socklen_t *rsl)
break;
default:
(*lfun)(LOG_ERR, "bad client passed socket family %u",
- (unsigned)bi->bi_ss.ss_family);
+ (unsigned)bi->bi_ss.ss_family);
return -1;
}
if (*rsl != bi->bi_slen) {
(*lfun)(LOG_ERR, "bad client passed socket length %u != %u",
- (unsigned)*rsl, (unsigned)bi->bi_slen);
+ (unsigned)*rsl, (unsigned)bi->bi_slen);
return -1;
}
@@ -157,7 +157,7 @@ getremoteaddress(bl_info_t *bi, struct sockaddr_storage *rss, socklen_t *rsl)
if (*rsl != rss->ss_len) {
(*lfun)(LOG_ERR,
"bad client passed socket internal length %u != %u",
- (unsigned)*rsl, (unsigned)rss->ss_len);
+ (unsigned)*rsl, (unsigned)rss->ss_len);
return -1;
}
#endif
@@ -176,12 +176,12 @@ process(bl_t bl)
struct timespec ts;
if (clock_gettime(CLOCK_REALTIME, &ts) == -1) {
- (*lfun)(LOG_ERR, "clock_gettime failed (%m)");
+ (*lfun)(LOG_ERR, "clock_gettime failed (%m)");
return;
}
if ((bi = bl_recv(bl)) == NULL) {
- (*lfun)(LOG_ERR, "no message (%m)");
+ (*lfun)(LOG_ERR, "no message (%m)");
return;
}
@@ -214,33 +214,38 @@ process(bl_t bl)
}
switch (bi->bi_type) {
+ case BL_ABUSE:
+ /*
+ * If the application has signaled abusive behavior,
+ * set the number of fails to be one less than the
+ * configured limit. Fallthrough to the normal BL_ADD
+ * processing, which will increment the failure count
+ * to the threshhold, and block the abusive address.
+ */
+ if (c.c_nfail != -1)
+ dbi.count = c.c_nfail - 1;
+ /*FALLTHROUGH*/
case BL_ADD:
dbi.count++;
dbi.last = ts.tv_sec;
- if (dbi.id[0]) {
+ if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
/*
- * We should not be getting this since the rule
- * should have blocked the address. A possible
- * explanation is that someone removed that rule,
- * and another would be that we got another attempt
- * before we added the rule. In anycase, we remove
- * and re-add the rule because we don't want to add
- * it twice, because then we'd lose track of it.
+ * No point in re-adding the rule.
+ * It might exist already due to latency in processing
+ * and removing the rule is the wrong thing to do as
+ * it allows a window to attack again.
*/
- (*lfun)(LOG_DEBUG, "rule exists %s", dbi.id);
- (void)run_change("rem", &c, dbi.id, 0);
- dbi.id[0] = '\0';
- }
- if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
- int res = run_change("add", &c, dbi.id, sizeof(dbi.id));
- if (res == -1)
- goto out;
+ if (dbi.id[0] == '\0') {
+ int res = run_change("add", &c,
+ dbi.id, sizeof(dbi.id));
+ if (res == -1)
+ goto out;
+ }
sockaddr_snprintf(rbuf, sizeof(rbuf), "%a",
(void *)&rss);
(*lfun)(LOG_INFO,
"blocked %s/%d:%d for %d seconds",
rbuf, c.c_lmask, c.c_port, c.c_duration);
-
}
break;
case BL_DELETE:
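Review bot: The new BL_ADD path no longer removes and re-adds a rule that is already present (the old `if (dbi.id[0])` remove-then-add branch is replaced by the `if (dbi.id[0] == '\0')` guard), but the NOTES section of bin/blocklistctl.8 in this same commit still states that blocklistd "will first attempt to remove the existing rule, and then it will re-add it"; that paragraph should be updated to say an existing rule is left in place and only the attempt count and timestamp are refreshed. The `"blocked %s/%d:%d for %d seconds"` LOG_INFO line now fires on every attempt past the threshold even when no rule was added this time, which may be noisy for a host under sustained attack; if that is not intended, move it inside the `if (dbi.id[0] == '\0')` block or log the repeat at LOG_DEBUG. The new BL_ABUSE comment has a typo, `threshhold` should read `threshold`. process() begins and ends outside this hunk.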
@@ -249,8 +254,11 @@ process(bl_t bl)
dbi.count = 0;
dbi.last = 0;
break;
+ case BL_BADUSER:
+ /* ignore for now */
+ break;
default:
- (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
+ (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}
state_put(state, &c, &dbi);
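Review bot: The `/* ignore for now */` comment on the new BL_BADUSER case gives no reason, and since the case neither touches dbi.count nor logs anything, a reader cannot tell whether dropping these events is policy or a placeholder. I would expand it to `/* BL_BADUSER is currently not counted toward c_nfail and does not change any rule; clients that want blocking must send BL_ADD/BL_ABUSE */`, and consider a `(*lfun)(LOG_DEBUG, "ignoring BL_BADUSER message");` so an operator running with -d can see that the events arrive. process() begins and ends outside this hunk.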
@@ -292,7 +300,7 @@ update(void)
void *ss = &c.c_ss;
if (clock_gettime(CLOCK_REALTIME, &ts) == -1) {
- (*lfun)(LOG_ERR, "clock_gettime failed (%m)");
+ (*lfun)(LOG_ERR, "clock_gettime failed (%m)");
return;
}
diff --git a/bin/blocklistd.conf.5 b/bin/blocklistd.conf.5
index 3b85fb889e32f..6d1eb36e098e1 100644
--- a/bin/blocklistd.conf.5
+++ b/bin/blocklistd.conf.5
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.conf.5,v 1.7 2017/06/07 13:50:57 wiz Exp $
+.\" $NetBSD: blocklistd.conf.5,v 1.9 2019/11/06 20:33:30 para Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,17 +27,17 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd June 5, 2017
-.Dt BLACKLISTD.CONF 5
+.Dd May 18, 2020
+.Dt BLOCKLISTD.CONF 5
.Os
.Sh NAME
-.Nm blacklistd.conf
-.Nd configuration file format for blacklistd
+.Nm blocklistd.conf
+.Nd configuration file format for blocklistd
.Sh DESCRIPTION
The
.Nm
-files contains configuration entries for
-.Xr blacklistd 8
+file contains configuration entries for
+.Xr blocklistd 8
in a fashion similar to
.Xr inetd.conf 5 .
Only one entry per line is permitted.
@@ -125,18 +125,18 @@ The second field is the socket
.Dv dgram ,
or numeric.
The third field is the
-.Va prococol :
+.Va protocol :
.Dv tcp ,
.Dv udp ,
.Dv tcp6 ,
.Dv udp6 ,
or numeric.
-The fourth file is the effective user
+The fourth field is the effective user
.Va ( owner )
of the daemon process reporting the event,
either as a username or a userid.
.Pp
-The rest of the fields are controlling the behavior of the filter.
+The rest of the fields control the behavior of the filter.
.Pp
The
.Va name
@@ -192,12 +192,12 @@ rule that matched.
.Pp
The
.Va remote
-rules can be used for whitelisting specific addresses, changing the mask
+rules can be used for allowing specific addresses, changing the mask
size, the rule that the packet filter uses, the number of failed attempts,
or the block duration.
.Sh FILES
-.Bl -tag -width /etc/blacklistd.conf -compact
-.It Pa /etc/blacklistd.conf
+.Bl -tag -width /etc/blocklistd.conf -compact
+.It Pa /etc/blocklistd.conf
Configuration file.
.El
.Sh EXAMPLES
@@ -214,8 +214,8 @@ bnx0:ssh * * * * 3 6h
8.8.0.0/16:ssh * * * /24 = =
.Ed
.Sh SEE ALSO
-.Xr blacklistctl 8 ,
-.Xr blacklistd 8
+.Xr blocklistctl 8 ,
+.Xr blocklistd 8
.Sh HISTORY
.Nm
first appeared in
diff --git a/bin/conf.c b/bin/conf.c
index 3ec1e085c276f..6beb1051459b4 100644
--- a/bin/conf.c
+++ b/bin/conf.c
@@ -1,4 +1,4 @@
-/* $NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $ */
+/* $NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: conf.c,v 1.30 2020/03/12 19:47:32 christos Exp $");
#include <stdio.h>
#ifdef HAVE_LIBUTIL_H
@@ -46,6 +46,7 @@ __RCSID("$NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $");
#include <ctype.h>
#include <inttypes.h>
#include <netdb.h>
+#include <unistd.h>
#include <pwd.h>
#include <syslog.h>
#include <errno.h>
@@ -55,6 +56,7 @@ __RCSID("$NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $");
#include <arpa/inet.h>
#include <netinet/in.h>
#include <net/if.h>
+#include <net/route.h>
#include <sys/socket.h>
#include "bl.h"
@@ -90,7 +92,7 @@ advance(char **p)
}
static int
-getnum(const char *f, size_t l, bool local, void *rp, const char *name,
+conf_getnum(const char *f, size_t l, bool local, void *rp, const char *name,
const char *p)
{
int e;
@@ -127,13 +129,14 @@ out:
}
static int
-getnfail(const char *f, size_t l, bool local, struct conf *c, const char *p)
+conf_getnfail(const char *f, size_t l, bool local, struct conf *c,
+ const char *p)
{
- return getnum(f, l, local, &c->c_nfail, "nfail", p);
+ return conf_getnum(f, l, local, &c->c_nfail, "nfail", p);
}
static int
-getsecs(const char *f, size_t l, bool local, struct conf *c, const char *p)
+conf_getsecs(const char *f, size_t l, bool local, struct conf *c, const char *p)
{
int e;
char *ep;
@@ -173,9 +176,9 @@ again:
}
break;
}
- } else
+ } else
tot = im;
-
+
if (e == 0) {
c->c_duration = (int)tot;
return 0;
@@ -193,7 +196,7 @@ out:
}
static int
-getport(const char *f, size_t l, bool local, void *r, const char *p)
+conf_getport(const char *f, size_t l, bool local, void *r, const char *p)
{
struct servent *sv;
@@ -207,14 +210,14 @@ getport(const char *f, size_t l, bool local, void *r, const char *p)
return 0;
}
- return getnum(f, l, local, r, "service", p);
+ return conf_getnum(f, l, local, r, "service", p);
}
static int
-getmask(const char *f, size_t l, bool local, const char **p, int *mask)
+conf_getmask(const char *f, size_t l, bool local, const char **p, int *mask)
{
char *d;
- const char *s = *p;
+ const char *s = *p;
if ((d = strchr(s, ':')) != NULL) {
*d++ = '\0';
@@ -226,11 +229,12 @@ getmask(const char *f, size_t l, bool local, const char **p, int *mask)
}
*d++ = '\0';
- return getnum(f, l, local, mask, "mask", d);
+ return conf_getnum(f, l, local, mask, "mask", d);
}
static int
-gethostport(const char *f, size_t l, bool local, struct conf *c, const char *p)
+conf_gethostport(const char *f, size_t l, bool local, struct conf *c,
+ const char *p)
{
char *d; // XXX: Ok to write to string.
in_port_t *port = NULL;
@@ -249,7 +253,7 @@ gethostport(const char *f, size_t l, bool local, struct conf *c, const char *p)
} else
pstr = p;
- if (getmask(f, l, local, &pstr, &c->c_lmask) == -1)
+ if (conf_getmask(f, l, local, &pstr, &c->c_lmask) == -1)
goto out;
if (d) {
@@ -264,7 +268,7 @@ gethostport(const char *f, size_t l, bool local, struct conf *c, const char *p)
sin6->sin6_len = sizeof(*sin6);
#endif
port = &sin6->sin6_port;
- }
+ }
} else if (pstr != p || strchr(p, '.') || conf_is_interface(p)) {
if (pstr == p)
pstr = "*";
@@ -300,7 +304,7 @@ gethostport(const char *f, size_t l, bool local, struct conf *c, const char *p)
}
}
- if (getport(f, l, local, &c->c_port, pstr) == -1)
+ if (conf_getport(f, l, local, &c->c_port, pstr) == -1)
return -1;
if (port && c->c_port != FSTAR && c->c_port != FEQUAL)
@@ -320,7 +324,7 @@ out2:
}
static int
-getproto(const char *f, size_t l, bool local __unused, struct conf *c,
+conf_getproto(const char *f, size_t l, bool local __unused, struct conf *c,
const char *p)
{
if (strcmp(p, "stream") == 0) {
@@ -331,22 +335,22 @@ getproto(const char *f, size_t l, bool local __unused, struct conf *c,
c->c_proto = IPPROTO_UDP;
return 0;
}
- return getnum(f, l, local, &c->c_proto, "protocol", p);
+ return conf_getnum(f, l, local, &c->c_proto, "protocol", p);
}
static int
-getfamily(const char *f, size_t l, bool local __unused, struct conf *c,
+conf_getfamily(const char *f, size_t l, bool local __unused, struct conf *c,
const char *p)
{
if (strncmp(p, "tcp", 3) == 0 || strncmp(p, "udp", 3) == 0) {
c->c_family = p[3] == '6' ? AF_INET6 : AF_INET;
return 0;
}
- return getnum(f, l, local, &c->c_family, "family", p);
+ return conf_getnum(f, l, local, &c->c_family, "family", p);
}
static int
-getuid(const char *f, size_t l, bool local __unused, struct conf *c,
+conf_getuid(const char *f, size_t l, bool local __unused, struct conf *c,
const char *p)
{
struct passwd *pw;
@@ -356,21 +360,22 @@ getuid(const char *f, size_t l, bool local __unused, struct conf *c,
return 0;
}
- return getnum(f, l, local, &c->c_uid, "user", p);
+ return conf_getnum(f, l, local, &c->c_uid, "user", p);
}
static int
-getname(const char *f, size_t l, bool local, struct conf *c,
+conf_getname(const char *f, size_t l, bool local, struct conf *c,
const char *p)
{
- if (getmask(f, l, local, &p, &c->c_rmask) == -1)
+ if (conf_getmask(f, l, local, &p, &c->c_rmask) == -1)
return -1;
-
+
if (strcmp(p, "*") == 0) {
strlcpy(c->c_name, rulename, CONFNAMESZ);
return 0;
}
+
if (strcmp(p, "=") == 0) {
if (local)
goto out;
@@ -406,19 +411,19 @@ conf_parseline(const char *f, size_t l, char *p, struct conf *c, bool local)
p++;
memset(c, 0, sizeof(*c));
- e = getvalue(f, l, local, c, &p, gethostport);
+ e = getvalue(f, l, local, c, &p, conf_gethostport);
if (e) return -1;
- e = getvalue(f, l, local, c, &p, getproto);
+ e = getvalue(f, l, local, c, &p, conf_getproto);
if (e) return -1;
- e = getvalue(f, l, local, c, &p, getfamily);
+ e = getvalue(f, l, local, c, &p, conf_getfamily);
if (e) return -1;
- e = getvalue(f, l, local, c, &p, getuid);
+ e = getvalue(f, l, local, c, &p, conf_getuid);
if (e) return -1;
- e = getvalue(f, l, local, c, &p, getname);
+ e = getvalue(f, l, local, c, &p, conf_getname);
if (e) return -1;
- e = getvalue(f, l, local, c, &p, getnfail);
+ e = getvalue(f, l, local, c, &p, conf_getnfail);
if (e) return -1;
- e = getvalue(f, l, local, c, &p, getsecs);
+ e = getvalue(f, l, local, c, &p, conf_getsecs);
if (e) return -1;
return 0;
@@ -473,7 +478,6 @@ conf_amask_eq(const void *v1, const void *v2, size_t len, int mask)
return 1;
goto out;
case FEQUAL:
-
(*lfun)(LOG_CRIT, "%s: Internal error: bad mask %d", __func__,
mask);
abort();
@@ -687,7 +691,7 @@ conf_addr_eq(const struct sockaddr_storage *s1,
static int
conf_eq(const struct conf *c1, const struct conf *c2)
{
-
+
if (!conf_addr_eq(&c1->c_ss, &c2->c_ss, c2->c_lmask))
return 0;
@@ -744,7 +748,7 @@ fmtport(char *b, size_t l, int port)
if (port == FSTAR)
return;
- if (b[0] == '\0' || strcmp(b, "*") == 0)
+ if (b[0] == '\0' || strcmp(b, "*") == 0)
snprintf(b, l, "%d", port);
else {
snprintf(buf, sizeof(buf), ":%d", port);
@@ -820,7 +824,7 @@ conf_print(char *buf, size_t len, const char *pref, const char *delim,
fmtmask(ha, sizeof(ha), c->c_family, c->c_lmask);
fmtport(ha, sizeof(ha), c->c_port);
-
+
sp = *delim == '\t' ? 20 : -1;
hb[0] = '\0';
if (*delim)
@@ -878,7 +882,7 @@ conf_merge(struct conf *c, const struct conf *sc)
(*lfun)(LOG_DEBUG, "%s: %s", __func__,
conf_print(buf, sizeof(buf), "to:\t", "", c));
}
-
+
if (sc->c_name[0])
memcpy(c->c_name, sc->c_name, CONFNAMESZ);
if (sc->c_uid != FEQUAL)
@@ -998,32 +1002,73 @@ confset_match(const struct confset *cs, struct conf *c,
return i;
}
-const struct conf *
-conf_find(int fd, uid_t uid, const struct sockaddr_storage *rss,
- struct conf *cr)
+#ifdef AF_ROUTE
+static int
+conf_route_perm(int fd) {
+/* Disable for now, the access check in the routing socket uses curlwp */
+#if defined(RTM_IFANNOUNCE) && defined(RT_ROUNDUP)
+ /*
+ * Send a routing message that is not supported to check for access
+ * We expect EOPNOTSUPP for having access, since we are sending a
+ * request the system does not understand and EACCES if we don't have
+ * access.
+ */
+ static struct sockaddr_in sin = {
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+ .sin_len = sizeof(sin),
+#endif
+ .sin_family = AF_INET,
+ };
+ char buf[4096];
+ struct rt_msghdr *rtm = (void *)buf;
+ char *cp = (char *)(rtm + 1);
+ size_t l;
+
+#define NEXTADDR(s) \
+ l = RT_ROUNDUP(sizeof(*s)); memmove(cp, s, l); cp += l;
+ memset(buf, 0, sizeof(buf));
+ rtm->rtm_type = RTM_IFANNOUNCE;
+ rtm->rtm_flags = 0;
+ rtm->rtm_addrs = RTA_DST|RTA_GATEWAY;
+ rtm->rtm_version = RTM_VERSION;
+ rtm->rtm_seq = 666;
+ NEXTADDR(&sin);
+ NEXTADDR(&sin);
+ rtm->rtm_msglen = (u_short)((char *)cp - (char *)rtm);
+ if (write(fd, rtm, rtm->rtm_msglen) != -1) {
+ (*lfun)(LOG_ERR, "Writing to routing socket succeeded!");
+ return 0;
+ }
+ switch (errno) {
+ case EACCES:
+ return 0;
+ case EOPNOTSUPP:
+ return 1;
+ default:
+ (*lfun)(LOG_ERR,
+ "Unexpected error writing to routing socket (%m)");
+ return 0;
+ }
+#else
+ return 0;
+#endif
+}
+#endif
+
+static int
+conf_handle_inet(int fd, const void *lss, struct conf *cr)
{
- int proto;
- socklen_t slen;
- struct sockaddr_storage lss;
- size_t i;
char buf[BUFSIZ];
+ int proto;
+ socklen_t slen = sizeof(proto);
- memset(cr, 0, sizeof(*cr));
- slen = sizeof(lss);
- memset(&lss, 0, slen);
- if (getsockname(fd, (void *)&lss, &slen) == -1) {
- (*lfun)(LOG_ERR, "getsockname failed (%m)");
- return NULL;
- }
-
- slen = sizeof(proto);
if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &proto, &slen) == -1) {
- (*lfun)(LOG_ERR, "getsockopt failed (%m)");
- return NULL;
+ (*lfun)(LOG_ERR, "getsockopt failed (%m)");
+ return -1;
}
if (debug) {
- sockaddr_snprintf(buf, sizeof(buf), "%a:%p", (void *)&lss);
+ sockaddr_snprintf(buf, sizeof(buf), "%a:%p", lss);
(*lfun)(LOG_DEBUG, "listening socket: %s", buf);
}
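Review bot: The `NEXTADDR` macro in conf_route_perm copies `RT_ROUNDUP(sizeof(*s))` bytes out of `sin`, so whenever the round-up exceeds `sizeof(struct sockaddr_in)` the memmove reads past the end of the 16-byte object; copy only the object and advance by the rounded size, `l = RT_ROUNDUP(sizeof(*s)); memmove(cp, s, sizeof(*s)); cp += l;` (the padding is already zero from the preceding memset). `char buf[4096]` also carries no alignment guarantee for the `struct rt_msghdr` it is cast to; a union of `struct rt_msghdr` and the byte array gives one. The comment `/* Disable for now, the access check in the routing socket uses curlwp */` reads as if the probe were compiled out, yet it is active whenever RTM_IFANNOUNCE and RT_ROUNDUP are defined; reword it to say what is actually disabled, or drop it. conf_handle_inet's body continues past the end of the hunk.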
@@ -1035,19 +1080,54 @@ conf_find(int fd, uid_t uid, const struct sockaddr_storage *rss,
cr->c_proto = IPPROTO_UDP;
break;
default:
- (*lfun)(LOG_ERR, "unsupported protocol %d", proto);
+ (*lfun)(LOG_ERR, "unsupported protocol %d", proto);
+ return -1;
+ }
+ return 0;
+}
+
+const struct conf *
+conf_find(int fd, uid_t uid, const struct sockaddr_storage *rss,
+ struct conf *cr)
+{
+ socklen_t slen;
+ struct sockaddr_storage lss;
+ size_t i;
+ char buf[BUFSIZ];
+
+ memset(cr, 0, sizeof(*cr));
+ slen = sizeof(lss);
+ memset(&lss, 0, slen);
+ if (getsockname(fd, (void *)&lss, &slen) == -1) {
+ (*lfun)(LOG_ERR, "getsockname failed (%m)");
return NULL;
}
switch (lss.ss_family) {
case AF_INET:
cr->c_port = ntohs(((struct sockaddr_in *)&lss)->sin_port);
+ if (conf_handle_inet(fd, &lss, cr) == -1)
+ return NULL;
break;
case AF_INET6:
cr->c_port = ntohs(((struct sockaddr_in6 *)&lss)->sin6_port);
+ if (conf_handle_inet(fd, &lss, cr) == -1)
+ return NULL;
break;
+#ifdef AF_ROUTE
+ case AF_ROUTE:
+ if (!conf_route_perm(fd)) {
+ (*lfun)(LOG_ERR,
+ "permission denied to routing socket (%m)");
+ return NULL;
+ }
+ cr->c_proto = FSTAR;
+ cr->c_port = FSTAR;
+ memcpy(&lss, rss, sizeof(lss));
+ break;
+#endif
default:
- (*lfun)(LOG_ERR, "unsupported family %d", lss.ss_family);
+ (*lfun)(LOG_ERR, "unsupported family %d", lss.ss_family);
return NULL;
}
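Review bot: The `%m` in `"permission denied to routing socket (%m)"` prints whatever errno happens to hold, but conf_route_perm returns 0 without setting it when the probe write succeeds and on its `#else` fallback branch, so this log line can name an unrelated error. Either drop the `%m` from the message or have conf_route_perm set `errno` (EACCES, or ENOTSUP on the fallback branch) before every 0 return. The AF_ROUTE case also copies `*rss` into `lss` without a NULL check; I can't see from the hunk whether callers guarantee `rss` is non-NULL. conf_find continues past the end of the hunk.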
@@ -1119,6 +1199,7 @@ conf_parse(const char *f)
confset_free(&lc);
confset_free(&rc);
fclose(fp);
+ free(line);
return;
}
}
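Review bot: `free(line)` is added to this one early return in conf_parse, but the loop body and the function's other exits are outside the hunk, so I can't confirm from here that every other path leaving the function with `line` allocated releases it as well. Worth checking the remaining returns before merging, since the same leak would apply there.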
@@ -1131,7 +1212,7 @@ conf_parse(const char *f)
fclose(fp);
confset_sort(&lc);
confset_sort(&rc);
-
+
confset_replace(&rconf, &rc);
confset_replace(&lconf, &lc);
diff --git a/bin/conf.h b/bin/conf.h
index 03f1942e3e326..3062c1d35c1a2 100644
--- a/bin/conf.h
+++ b/bin/conf.h
@@ -1,4 +1,4 @@
-/* $NetBSD: conf.h,v 1.6 2015/01/27 19:40:36 christos Exp $ */
+/* $NetBSD: conf.h,v 1.5 2015/01/21 19:24:03 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
diff --git a/bin/internal.c b/bin/internal.c
index 5c039e4dc5d26..c3099d82a1418 100644
--- a/bin/internal.c
+++ b/bin/internal.c
@@ -1,4 +1,4 @@
-/* $NetBSD: internal.c,v 1.5 2015/01/27 19:40:37 christos Exp $ */
+/* $NetBSD: internal.c,v 1.4 2015/01/25 20:59:39 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: internal.c,v 1.5 2015/01/27 19:40:37 christos Exp $");
+__RCSID("$NetBSD: internal.c,v 1.4 2015/01/25 20:59:39 christos Exp $");
#include <stdio.h>
#include <syslog.h>
@@ -41,7 +41,7 @@ __RCSID("$NetBSD: internal.c,v 1.5 2015/01/27 19:40:37 christos Exp $");
#include "internal.h"
int debug;
-const char *rulename = "blacklistd";
+const char *rulename = "blocklistd";
const char *controlprog = _PATH_BLCONTROL;
struct confset lconf, rconf;
struct ifaddrs *ifas;
diff --git a/bin/internal.h b/bin/internal.h
index 5a40e49fbbd5b..e2319775e5e3c 100644
--- a/bin/internal.h
+++ b/bin/internal.h
@@ -1,4 +1,4 @@
-/* $NetBSD: internal.h,v 1.14 2016/04/04 15:52:56 christos Exp $ */
+/* $NetBSD: internal.h,v 1.13 2015/10/14 16:01:29 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,13 +32,13 @@
#define _INTERNAL_H
#ifndef _PATH_BLCONF
-#define _PATH_BLCONF "/etc/blacklistd.conf"
+#define _PATH_BLCONF "/etc/blocklistd.conf"
#endif
#ifndef _PATH_BLCONTROL
-#define _PATH_BLCONTROL "/libexec/blacklistd-helper"
+#define _PATH_BLCONTROL "/libexec/blocklistd-helper"
#endif
#ifndef _PATH_BLSTATE
-#define _PATH_BLSTATE "/var/db/blacklistd.db"
+#define _PATH_BLSTATE "/var/db/blocklistd.db"
#endif
extern struct confset rconf, lconf;
diff --git a/bin/run.c b/bin/run.c
index 8499edd3d9c2f..5588f0198c04f 100644
--- a/bin/run.c
+++ b/bin/run.c
@@ -75,7 +75,7 @@ run(const char *cmd, const char *name, ...)
(argv[i] = va_arg(ap, char *)) != NULL; i++)
continue;
va_end(ap);
-
+
if (debug) {
size_t z;
int r;
diff --git a/bin/run.h b/bin/run.h
index bafc3e554690b..ec310191b3c21 100644
--- a/bin/run.h
+++ b/bin/run.h
@@ -1,4 +1,4 @@
-/* $NetBSD: run.h,v 1.5 2015/01/27 19:40:37 christos Exp $ */
+/* $NetBSD: run.h,v 1.4 2015/01/22 04:13:04 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
diff --git a/bin/state.c b/bin/state.c
index f2622c82c2517..27d3eeceaff23 100644
--- a/bin/state.c
+++ b/bin/state.c
@@ -1,4 +1,4 @@
-/* $NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $ */
+/* $NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $");
+__RCSID("$NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
diff --git a/bin/state.h b/bin/state.h
index 2e9257006e806..823f97e8451f5 100644
--- a/bin/state.h
+++ b/bin/state.h
@@ -1,4 +1,4 @@
-/* $NetBSD: state.h,v 1.5 2015/01/27 19:40:37 christos Exp $ */
+/* $NetBSD: state.h,v 1.4 2015/01/24 07:46:20 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
diff --git a/bin/support.c b/bin/support.c
index 79a1c6ee93acc..d560d2303223c 100644
--- a/bin/support.c
+++ b/bin/support.c
@@ -46,7 +46,7 @@ __RCSID("$NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $");
#include "support.h"
static __attribute__((__format_arg__(3))) const char *
-expandm(char *buf, size_t len, const char *fmt)
+expandm(char *buf, size_t len, const char *fmt)
{
char *p;
size_t r;
diff --git a/bin/support.h b/bin/support.h
index 899649ce8319e..b27016f5a7ec9 100644
--- a/bin/support.h
+++ b/bin/support.h
@@ -1,4 +1,4 @@
-/* $NetBSD: support.h,v 1.7 2016/04/04 15:52:56 christos Exp $ */
+/* $NetBSD: support.h,v 1.6 2015/06/02 14:02:10 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
diff --git a/diff/ftpd.diff b/diff/ftpd.diff
index d28577f3ef5f7..37b43dae22957 100644
--- a/diff/ftpd.diff
+++ b/diff/ftpd.diff
@@ -2,17 +2,17 @@
+++ pfilter.c 2015-01-23 17:12:02.000000000 -0500
@@ -0,0 +1,24 @@
+#include <stdio.h>
-+#include <blacklist.h>
++#include <blocklist.h>
+
+#include "pfilter.h"
+
-+static struct blacklist *blstate;
++static struct blocklist *blstate;
+
+void
+pfilter_open(void)
+{
+ if (blstate == NULL)
-+ blstate = blacklist_open();
++ blstate = blocklist_open();
+}
+
+void
@@ -23,7 +23,7 @@
+ if (blstate == NULL)
+ return;
+
-+ blacklist_r(blstate, what, 0, msg);
++ blocklist_r(blstate, what, 0, msg);
+}
--- /dev/null 2015-01-23 17:30:40.000000000 -0500
+++ pfilter.h 2015-01-23 17:07:25.000000000 -0500
@@ -42,8 +42,8 @@ diff -u -p -u -r1.63 Makefile
MLINKS= ftpusers.5 ftpchroot.5
+SRCS+= pfilter.c
-+LDADD+= -lblacklist
-+DPADD+= ${LIBBLACKLIST}
++LDADD+= -lblocklist
++DPADD+= ${LIBBLOCKLIST}
+
.if defined(NO_INTERNAL_LS)
CPPFLAGS+=-DNO_INTERNAL_LS
diff --git a/diff/named.diff b/diff/named.diff
index fcd97ba7ec1f4..a5069ff94df7e 100644
--- a/diff/named.diff
+++ b/diff/named.diff
@@ -8,17 +8,17 @@
+#include <named/types.h>
+#include <named/client.h>
+
-+#include <blacklist.h>
++#include <blocklist.h>
+
+#include "pfilter.h"
+
-+static struct blacklist *blstate;
++static struct blocklist *blstate;
+
+void
+pfilter_open(void)
+{
+ if (blstate == NULL)
-+ blstate = blacklist_open();
++ blstate = blocklist_open();
+}
+
+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
@@ -39,7 +39,7 @@
+ }
+ if (socket == NULL)
+ return;
-+ blacklist_sa_r(blstate,
++ blocklist_sa_r(blstate,
+ res != ISC_R_SUCCESS, isc_socket_getfd(socket),
+ &client->peeraddr.type.sa, client->peeraddr.length, msg);
+}
@@ -63,8 +63,8 @@ diff -u -u -r1.8 Makefile
+ pfilter.c tkeyconf.c tsigconf.c \
update.c xfrout.c zoneconf.c ${SRCS_UNIX}
-+LDADD+=-lblacklist
-+DPADD+=${LIBBLACKLIST}
++LDADD+=-lblocklist
++DPADD+=${LIBBLOCKLIST}
.include <bsd.prog.mk>
Index: dist/bin/named/client.c
===================================================================
diff --git a/diff/postfix.diff b/diff/postfix.diff
new file mode 100644
index 0000000000000..6d88e714c5059
--- /dev/null
+++ b/diff/postfix.diff
@@ -0,0 +1,82 @@
+Index: dist/src/smtpd/pfilter.c
+===================================================================
+RCS file: dist/src/smtpd/pfilter.c
+diff -N dist/src/smtpd/pfilter.c
+--- /dev/null 1 Jan 1970 00:00:00 -0000
++++ dist/src/smtpd/pfilter.c 1 Feb 2018 03:29:09 -0000
+@@ -0,0 +1,19 @@
++#include "pfilter.h"
++#include <stdio.h> /* for NULL */
++#include <blocklist.h>
++
++static struct blocklist *blstate;
++
++void
++pfilter_notify(int a, int fd)
++{
++ if (blstate == NULL)
++ blstate = blocklist_open();
++ if (blstate == NULL)
++ return;
++ (void)blocklist_r(blstate, a, fd, "smtpd");
++ if (a == 0) {
++ blocklist_close(blstate);
++ blstate = NULL;
++ }
++}
+Index: dist/src/smtpd/pfilter.h
+===================================================================
+RCS file: dist/src/smtpd/pfilter.h
+diff -N dist/src/smtpd/pfilter.h
+--- /dev/null 1 Jan 1970 00:00:00 -0000
++++ dist/src/smtpd/pfilter.h 1 Feb 2018 03:29:09 -0000
+@@ -0,0 +1,2 @@
++
++void pfilter_notify(int, int);
+Index: dist/src/smtpd/smtpd.c
+===================================================================
+RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v
+retrieving revision 1.14
+diff -u -r1.14 smtpd.c
+--- dist/src/smtpd/smtpd.c 14 Feb 2017 01:16:48 -0000 1.14
++++ dist/src/smtpd/smtpd.c 1 Feb 2018 03:29:09 -0000
+@@ -1197,6 +1197,8 @@
+ #include <smtpd_milter.h>
+ #include <smtpd_expand.h>
+
++#include "pfilter.h"
++
+ /*
+ * Tunable parameters. Make sure that there is some bound on the length of
+ * an SMTP command, so that the mail system stays in control even when a
+@@ -5048,6 +5050,7 @@
+ if (state->error_count >= var_smtpd_hard_erlim) {
+ state->reason = REASON_ERROR_LIMIT;
+ state->error_mask |= MAIL_ERROR_PROTOCOL;
++ pfilter_notify(1, vstream_fileno(state->client));
+ smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors",
+ var_myhostname);
+ break;
+Index: libexec/smtpd/Makefile
+===================================================================
+RCS file: /cvsroot/src/external/ibm-public/postfix/libexec/smtpd/Makefile,v
+retrieving revision 1.6
+diff -u -r1.6 Makefile
+--- libexec/smtpd/Makefile 21 May 2017 15:28:40 -0000 1.6
++++ libexec/smtpd/Makefile 1 Feb 2018 03:29:09 -0000
+@@ -13,11 +13,14 @@
+ SRCS= smtpd.c smtpd_token.c smtpd_check.c smtpd_chat.c smtpd_state.c \
+ smtpd_peer.c smtpd_sasl_proto.c smtpd_sasl_glue.c smtpd_proxy.c \
+ smtpd_xforward.c smtpd_dsn_fix.c smtpd_milter.c smtpd_resolve.c \
+- smtpd_expand.c smtpd_haproxy.c
++ smtpd_expand.c smtpd_haproxy.c pfilter.c
+
+ DPADD+= ${LIBPMASTER} ${LIBPMILTER} ${LIBPGLOBAL} ${LIBPDNS} ${LIBPXSASL}
+ LDADD+= ${LIBPMASTER} ${LIBPMILTER} ${LIBPGLOBAL} ${LIBPDNS} ${LIBPXSASL}
+
++DPADD+= ${LIBBLOCKLIST}
++LDADD+= -lblocklist
++
+ DPADD+= ${LIBPTLS} ${LIBSSL} ${LIBCRYPTO}
+ LDADD+= ${LIBPTLS} -lssl -lcrypto
+
diff --git a/diff/proftpd.diff b/diff/proftpd.diff
index c811c9cf50bce..e8d2cc5e9e07d 100644
--- a/diff/proftpd.diff
+++ b/diff/proftpd.diff
@@ -5,8 +5,8 @@
FTPWHO_OBJS=ftpwho.o scoreboard.o misc.o
BUILD_FTPWHO_OBJS=utils/ftpwho.o utils/scoreboard.o utils/misc.o
+
-+CPPFLAGS+=-DHAVE_BLACKLIST
-+LIBS+=-lblacklist
++CPPFLAGS+=-DHAVE_BLOCKLIST
++LIBS+=-lblocklist
+OBJS+= pfilter.o
+BUILD_OBJS+= src/pfilter.o
--- /dev/null 2016-01-22 17:30:55.000000000 -0500
@@ -84,25 +84,25 @@
+#include "pfilter.h"
+#include "conf.h"
+#include "privs.h"
-+#ifdef HAVE_BLACKLIST
-+#include <blacklist.h>
++#ifdef HAVE_BLOCKLIST
++#include <blocklist.h>
+#endif
+
-+static struct blacklist *blstate;
++static struct blocklist *blstate;
+
+void
+pfilter_init(void)
+{
-+#ifdef HAVE_BLACKLIST
++#ifdef HAVE_BLOCKLIST
+ if (blstate == NULL)
-+ blstate = blacklist_open();
++ blstate = blocklist_open();
+#endif
+}
+
+void
+pfilter_notify(int a)
+{
-+#ifdef HAVE_BLACKLIST
++#ifdef HAVE_BLOCKLIST
+ conn_t *c = session.c;
+ int fd;
+
@@ -119,6 +119,6 @@
+ pfilter_init();
+ if (blstate == NULL)
+ return;
-+ (void)blacklist_r(blstate, a, fd, "proftpd");
++ (void)blocklist_r(blstate, a, fd, "proftpd");
+#endif
+}
diff --git a/diff/ssh.diff b/diff/ssh.diff
index 9427fc8ddb369..17300bb5dc8d4 100644
--- a/diff/ssh.diff
+++ b/diff/ssh.diff
@@ -7,14 +7,14 @@
+#include "packet.h"
+#include "log.h"
+#include "pfilter.h"
-+#include <blacklist.h>
++#include <blocklist.h>
+
-+static struct blacklist *blstate;
++static struct blocklist *blstate;
+
+void
+pfilter_init(void)
+{
-+ blstate = blacklist_open();
++ blstate = blocklist_open();
+}
+
+void
@@ -27,9 +27,9 @@
+ return;
+ // XXX: 3?
+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
-+ (void)blacklist_r(blstate, a, fd, "ssh");
++ (void)blocklist_r(blstate, a, fd, "ssh");
+ if (a == 0) {
-+ blacklist_close(blstate);
++ blocklist_close(blstate);
+ blstate = NULL;
+ }
+}
@@ -60,8 +60,8 @@ diff -u -u -r1.10 Makefile
LDADD+= -lwrap
DPADD+= ${LIBWRAP}
+
-+LDADD+= -lblacklist
-+DPADD+= ${LIBBLACKLIST}
++LDADD+= -lblocklist
++DPADD+= ${LIBBLOCKLIST}
diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c
--- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.000000000 -0400
+++ dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400
diff --git a/etc/Makefile b/etc/Makefile
index 669528ddca89a..702a1da8da379 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.3 2015/01/26 00:18:40 christos Exp $
+# $NetBSD: Makefile,v 1.2 2015/01/23 21:33:50 christos Exp $
SUBDIR=rc.d
-FILESDIR= /usr/share/examples/blacklist
+FILESDIR= /usr/share/examples/blocklist
FILESMODE= 644
-FILES= blacklistd.conf npf.conf
+FILES= blocklistd.conf npf.conf
.include <bsd.files.mk>
.include <bsd.subdir.mk>
diff --git a/etc/npf.conf b/etc/npf.conf
index 42d56044ad6e5..b1c33f2738f02 100644
--- a/etc/npf.conf
+++ b/etc/npf.conf
@@ -1,4 +1,4 @@
-# Transparent firewall example for blacklistd
+# Transparent firewall example for blocklistd
$ext_if = "bnx0"
@@ -6,7 +6,7 @@ set bpf.jit on;
alg "icmp"
group "external" on $ext_if {
- ruleset "blacklistd"
+ ruleset "blocklistd"
pass final all
}
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index e863d0853a0fe..231108db2150c 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.1 2015/01/22 17:49:41 christos Exp $
+# $NetBSD$
-SCRIPTS=blacklistd
+SCRIPTS=blocklistd
SCRIPTSDIR=/etc/rc.d
.include <bsd.prog.mk>
diff --git a/etc/rc.d/blocklistd b/etc/rc.d/blocklistd
index 278a6742e63c6..8e68aa372f927 100644
--- a/etc/rc.d/blocklistd
+++ b/etc/rc.d/blocklistd
@@ -1,15 +1,15 @@
#!/bin/sh
#
-# $NetBSD: blacklistd,v 1.2 2016/10/17 22:47:16 christos Exp $
+# $NetBSD: blocklistd,v 1.1 2015/01/22 17:49:41 christos Exp $
#
-# PROVIDE: blacklistd
+# PROVIDE: blocklistd
# REQUIRE: npf
# BEFORE: SERVERS
$_rc_subr_loaded . /etc/rc.subr
-name="blacklistd"
+name="blocklistd"
rcvar=$name
command="/sbin/${name}"
pidfile="/var/run/${name}.pid"
@@ -18,17 +18,17 @@ start_precmd="${name}_precmd"
extra_commands="reload"
_sockfile="/var/run/${name}.sockets"
-_sockname="blacklistd.sock"
+_sockname="blocklistd.sock"
-blacklistd_precmd()
+blocklistd_precmd()
{
- # Create default list of blacklistd sockets to watch
+ # Create default list of blocklistd sockets to watch
#
( umask 022 ; > $_sockfile )
# Find /etc/rc.d scripts with "chrootdir" rcorder(8) keyword,
# and if $${app}_chrootdir is a directory, add appropriate
- # blacklistd socket to list of sockets to watch.
+ # blocklistd socket to list of sockets to watch.
#
for _lr in $(rcorder -k chrootdir /etc/rc.d/*); do
(
@@ -42,8 +42,8 @@ blacklistd_precmd()
done
# If other sockets have been provided, change run_rc_command()'s
- # internal copy of $blacklistd_flags to force use of specific
- # blacklistd sockets.
+ # internal copy of $blocklistd_flags to force use of specific
+ # blocklistd sockets.
#
if [ -s $_sockfile ]; then
echo "/var/run/${_sockname}" >> $_sockfile
diff --git a/include/Makefile b/include/Makefile
index 6854907be25ea..49eea8ff8bf59 100644
--- a/include/Makefile
+++ b/include/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.1 2015/01/21 16:16:00 christos Exp $
+# $NetBSD: Makefile,v 1.140 2013/12/11 01:24:08 joerg Exp $
# Doing a make includes builds /usr/include
NOOBJ= # defined
-INCS= blacklist.h
+INCS= blocklist.h
INCSDIR= /usr/include
.include <bsd.prog.mk>
diff --git a/include/bl.h b/include/bl.h
index 68249cdf82302..b89a49d3eb603 100644
--- a/include/bl.h
+++ b/include/bl.h
@@ -35,12 +35,14 @@
#include <stdarg.h>
#include <sys/param.h>
#include <sys/socket.h>
-#include "blacklist.h"
+#include "blocklist.h"
typedef enum {
BL_INVALID,
BL_ADD,
- BL_DELETE
+ BL_DELETE,
+ BL_ABUSE,
+ BL_BADUSER
} bl_type_t;
typedef struct {
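Review bot: BL_ABUSE and BL_BADUSER are appended after BL_DELETE, which keeps the numeric values of the existing enumerators stable, but nothing in the header says that this ordering matters; if bl_type_t travels in the message the daemon receives (bl_message_t is declared in lib/bl.c, its fields are not visible here), a comment such as `/* values are exchanged with the daemon: append only, never reorder */` would protect the next edit. The receiving side also needs to treat any value outside BL_ADD..BL_BADUSER as invalid; that code is not in this hunk, so I can't confirm it does.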
@@ -56,12 +58,12 @@ typedef struct {
#define bi_cred bi_u._bi_cred
#ifndef _PATH_BLSOCK
-#define _PATH_BLSOCK "/var/run/blacklistd.sock"
+#define _PATH_BLSOCK "/var/run/blocklistd.sock"
#endif
__BEGIN_DECLS
-typedef struct blacklist *bl_t;
+typedef struct blocklist *bl_t;
bl_t bl_create(bool, const char *, void (*)(int, const char *, va_list));
void bl_destroy(bl_t);
diff --git a/include/blocklist.h b/include/blocklist.h
index 9ebe11b95e08c..2a3c4750a6509 100644
--- a/include/blocklist.h
+++ b/include/blocklist.h
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklist.h,v 1.3 2015/01/23 18:48:56 christos Exp $ */
+/* $NetBSD: blocklist.h,v 1.3 2015/01/23 18:48:56 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -28,19 +28,28 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
-#ifndef _BLACKLIST_H
-#define _BLACKLIST_H
+#ifndef _BLOCKLIST_H
+#define _BLOCKLIST_H
#include <sys/socket.h>
__BEGIN_DECLS
-struct blacklist *blacklist_open(void);
-void blacklist_close(struct blacklist *);
-int blacklist(int, int, const char *);
-int blacklist_r(struct blacklist *, int, int, const char *);
-int blacklist_sa(int, int, const struct sockaddr *, socklen_t, const char *);
-int blacklist_sa_r(struct blacklist *, int, int,
+struct blocklist *blocklist_open(void);
+void blocklist_close(struct blocklist *);
+int blocklist(int, int, const char *);
+int blocklist_r(struct blocklist *, int, int, const char *);
+int blocklist_sa(int, int, const struct sockaddr *, socklen_t, const char *);
+int blocklist_sa_r(struct blocklist *, int, int,
const struct sockaddr *, socklen_t, const char *);
__END_DECLS
-#endif /* _BLACKLIST_H */
+/* action values for user applications */
+#define BLOCKLIST_API_ENUM 1
+enum {
+ BLOCKLIST_AUTH_OK = 0,
+ BLOCKLIST_AUTH_FAIL,
+ BLOCKLIST_ABUSIVE_BEHAVIOR,
+ BLOCKLIST_BAD_USER
+};
+
+#endif /* _BLOCKLIST_H */
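Review bot: The new `BLOCKLIST_API_ENUM` macro and the action enum carry only `/* action values for user applications */`, yet their numeric values are part of the ABI: BLOCKLIST_AUTH_OK = 0 and BLOCKLIST_AUTH_FAIL = 1 appear to match the old 0/1 convention, and blocklist_sa_r in lib/blocklist.c maps each constant to an internal type. A comment on the enum stating that the values are fixed and must not be renumbered, and one on BLOCKLIST_API_ENUM stating that applications can test it to learn the symbolic names exist, would make that explicit. Placing the enum before `__END_DECLS` would also keep everything inside the decls block, though it has no effect on the C.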
diff --git a/lib/Makefile b/lib/Makefile
index 4f1ab7717a994..43da41f83b90b 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2019/03/08 20:40:05 christos Exp $
+# $NetBSD: Makefile,v 1.6 2016/01/05 13:07:46 christos Exp $
.include <bsd.own.mk>
@@ -6,14 +6,14 @@ USE_SHLIBDIR= yes
CPPFLAGS+=-D_REENTRANT
#LIBDPLIBS+=pthread ${NETBSDSRCDIR}/lib/libpthread
-LIB=blacklist
-SRCS=bl.c blacklist.c
-MAN=libblacklist.3
-MLINKS+=libblacklist.3 blacklist_open.3
-MLINKS+=libblacklist.3 blacklist_close.3
-MLINKS+=libblacklist.3 blacklist.3
-MLINKS+=libblacklist.3 blacklist_r.3
-MLINKS+=libblacklist.3 blacklist_sa.3
-MLINKS+=libblacklist.3 blacklist_sa_r.3
+LIB=blocklist
+SRCS=bl.c blocklist.c
+MAN=libblocklist.3
+MLINKS+=libblocklist.3 blocklist_open.3
+MLINKS+=libblocklist.3 blocklist_close.3
+MLINKS+=libblocklist.3 blocklist.3
+MLINKS+=libblocklist.3 blocklist_r.3
+MLINKS+=libblocklist.3 blocklist_sa.3
+MLINKS+=libblocklist.3 blocklist_sa_r.3
.include <bsd.lib.mk>
diff --git a/lib/bl.c b/lib/bl.c
index 9f93b91f4c8f5..2be77a4224831 100644
--- a/lib/bl.c
+++ b/lib/bl.c
@@ -1,4 +1,4 @@
-/* $NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $ */
+/* $NetBSD: bl.c,v 1.29 2020/03/10 13:36:08 roy Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $");
+__RCSID("$NetBSD: bl.c,v 1.29 2020/03/10 13:36:08 roy Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -68,7 +68,7 @@ typedef struct {
char bl_data[];
} bl_message_t;
-struct blacklist {
+struct blocklist {
#ifdef _REENTRANT
pthread_mutex_t b_mutex;
# define BL_INIT(b) pthread_mutex_init(&b->b_mutex, NULL)
@@ -207,7 +207,7 @@ bl_init(bl_t b, bool srv)
BL_UNLOCK(b);
return -1;
}
- bl_log(b->b_fun, LOG_DEBUG, "Connected to blacklist server",
+ bl_log(b->b_fun, LOG_DEBUG, "Connected to blocklist server",
__func__);
}
@@ -495,12 +495,11 @@ bl_recv(bl_t b)
}
if (got != (GOT_CRED|GOT_FD)) {
- bl_log(b->b_fun, LOG_ERR, "message missing %s %s",
+ bl_log(b->b_fun, LOG_ERR, "message missing %s %s",
#if GOT_CRED != 0
(got & GOT_CRED) == 0 ? "cred" :
#endif
"", (got & GOT_FD) == 0 ? "fd" : "");
-
return NULL;
}
diff --git a/lib/blocklist.c b/lib/blocklist.c
index b8a524ca301a6..9c09f4186ba6e 100644
--- a/lib/blocklist.c
+++ b/lib/blocklist.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $ */
+/* $NetBSD: blocklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $");
+__RCSID("$NetBSD: blocklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $");
#include <stdio.h>
#include <bl.h>
@@ -45,44 +45,64 @@ __RCSID("$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $");
#include <syslog.h>
int
-blacklist_sa(int action, int rfd, const struct sockaddr *sa, socklen_t salen,
+blocklist_sa(int action, int rfd, const struct sockaddr *sa, socklen_t salen,
const char *msg)
{
- struct blacklist *bl;
+ struct blocklist *bl;
int rv;
- if ((bl = blacklist_open()) == NULL)
+ if ((bl = blocklist_open()) == NULL)
return -1;
- rv = blacklist_sa_r(bl, action, rfd, sa, salen, msg);
- blacklist_close(bl);
+ rv = blocklist_sa_r(bl, action, rfd, sa, salen, msg);
+ blocklist_close(bl);
return rv;
}
int
-blacklist_sa_r(struct blacklist *bl, int action, int rfd,
+blocklist_sa_r(struct blocklist *bl, int action, int rfd,
const struct sockaddr *sa, socklen_t slen, const char *msg)
{
- return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg);
+ bl_type_t internal_action;
+
+ /* internal values are not the same as user application values */
+ switch (action) {
+ case BLOCKLIST_AUTH_FAIL:
+ internal_action = BL_ADD;
+ break;
+ case BLOCKLIST_AUTH_OK:
+ internal_action = BL_DELETE;
+ break;
+ case BLOCKLIST_ABUSIVE_BEHAVIOR:
+ internal_action = BL_ABUSE;
+ break;
+ case BLOCKLIST_BAD_USER:
+ internal_action = BL_BADUSER;
+ break;
+ default:
+ internal_action = BL_INVALID;
+ break;
+ }
+ return bl_send(bl, internal_action, rfd, sa, slen, msg);
}
int
-blacklist(int action, int rfd, const char *msg)
+blocklist(int action, int rfd, const char *msg)
{
- return blacklist_sa(action, rfd, NULL, 0, msg);
+ return blocklist_sa(action, rfd, NULL, 0, msg);
}
int
-blacklist_r(struct blacklist *bl, int action, int rfd, const char *msg)
+blocklist_r(struct blocklist *bl, int action, int rfd, const char *msg)
{
- return blacklist_sa_r(bl, action, rfd, NULL, 0, msg);
+ return blocklist_sa_r(bl, action, rfd, NULL, 0, msg);
}
-struct blacklist *
-blacklist_open(void) {
+struct blocklist *
+blocklist_open(void) {
return bl_create(false, NULL, vsyslog);
}
void
-blacklist_close(struct blacklist *bl)
+blocklist_close(struct blocklist *bl)
{
bl_destroy(bl);
}
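Review bot: The `default:` arm of the new switch in blocklist_sa_r maps an unknown action to BL_INVALID and still hands it to bl_send, so an invalid argument costs a round trip to the daemon instead of failing locally; the man page in this commit documents these functions as returning -1 with errno set on failure, so `default: errno = EINVAL; return -1;` would match that contract (add `<errno.h>` if the file does not already include it). Note also the compatibility shift: the old code treated any nonzero action as BL_ADD, so a caller passing a value other than 0 or 1 now silently produces BL_INVALID rather than an add; whether the daemon drops BL_INVALID is not visible here.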
diff --git a/lib/libblocklist.3 b/lib/libblocklist.3
index 77be80f89d4ff..8368624dbc6ac 100644
--- a/lib/libblocklist.3
+++ b/lib/libblocklist.3
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.8 2017/10/22 10:31:57 abhinav Exp $
+.\" $NetBSD: libblocklist.3,v 1.10 2020/03/30 15:47:15 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,62 +27,58 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 22, 2015
-.Dt LIBBLACKLIST 3
+.Dd March 30, 2020
+.Dt LIBBLOCKLIST 3
.Os
.Sh NAME
-.Nm blacklist_open ,
-.Nm blacklist_close ,
-.Nm blacklist_r ,
-.Nm blacklist ,
-.Nm blacklist_sa ,
-.Nm blacklist_sa_r
+.Nm blocklist_open ,
+.Nm blocklist_close ,
+.Nm blocklist_r ,
+.Nm blocklist ,
+.Nm blocklist_sa ,
+.Nm blocklist_sa_r
.Nd Blacklistd notification library
.Sh LIBRARY
-.Lb libblacklist
+.Lb libblocklist
.Sh SYNOPSIS
-.In blacklist.h
-.Ft struct blacklist *
-.Fn blacklist_open "void"
+.In blocklist.h
+.Ft struct blocklist *
+.Fn blocklist_open "void"
.Ft void
-.Fn blacklist_close "struct blacklist *cookie"
+.Fn blocklist_close "struct blocklist *cookie"
.Ft int
-.Fn blacklist "int action" "int fd" "const char *msg"
+.Fn blocklist "int action" "int fd" "const char *msg"
.Ft int
-.Fn blacklist_r "struct blacklist *cookie" "int action" "int fd" "const char *msg"
+.Fn blocklist_r "struct blocklist *cookie" "int action" "int fd" "const char *msg"
.Ft int
-.Fn blacklist_sa "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg"
+.Fn blocklist_sa "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg"
.Ft int
-.Fn blacklist_sa_r "struct blacklist *cookie" "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg"
+.Fn blocklist_sa_r "struct blocklist *cookie" "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg"
.Sh DESCRIPTION
These functions can be used by daemons to notify
-.Xr blacklistd 8
-about successful and failed remote connections so that blacklistd can
+.Xr blocklistd 8
+about successful and failed remote connections so that blocklistd can
block or release port access to prevent Denial of Service attacks.
.Pp
The function
-.Fn blacklist_open
+.Fn blocklist_open
creates the necessary state to communicate with
-.Xr blacklistd 8
+.Xr blocklistd 8
and returns a pointer to it, or
.Dv NULL
on failure.
.Pp
The
-.Fn blacklist_close
+.Fn blocklist_close
function frees all memory and resources used.
.Pp
The
-.Fn blacklist
+.Fn blocklist
function sends a message to
-.Xr blacklistd 8 ,
-with an
+.Xr blocklistd 8 ,
+with an integer
.Ar action
-argument specifying
-.Dv 1
-for a failed connection or
-.Dv 0
-for a successful connection,
+argument specifying the type of notification,
a file descriptor
.Ar fd
specifying the accepted file descriptor connected to the client,
@@ -91,22 +87,61 @@ and an optional message in the
argument.
.Pp
The
-.Fn blacklist_r
-function is more efficient because it keeps the blacklist state around.
+.Ar action
+parameter can take these values:
+.Bl -tag -width ".Va BLOCKLIST_ABUSIVE_BEHAVIOR"
+.It Va BLOCKLIST_AUTH_FAIL
+There was an unsuccessful authentication attempt.
+.It Va BLOCKLIST_AUTH_OK
+A user successfully authenticated.
+.It Va BLOCKLIST_ABUSIVE_BEHAVIOR
+The sending daemon has detected abusive behavior
+from the remote system.
+The remote address should
+be blocked as soon as possible.
+.It Va BLOCKLIST_BAD_USER
+The sending daemon has determined the username
+presented for authentication is invalid.
+The
+.Xr blocklistd 8
+daemon compares the username to a configured list of forbidden
+usernames and
+blocks the address immediately if a forbidden username matches.
+(The
+.Ar BLOCKLIST_BAD_USER
+support is not currently available.)
+.El
+.Pp
+The
+.Fn blocklist_r
+function is more efficient because it keeps the blocklist state around.
.Pp
The
-.Fn blacklist_sa
+.Fn blocklist_sa
and
-.Fn blacklist_sa_r
+.Fn blocklist_sa_r
functions can be used with unconnected sockets, where
.Xr getpeername 2
will not work, the server will pass the peer name in the message.
.Pp
-All functions log errors to
-.Xr syslogd 8 .
+In all cases the file descriptor passed in the
+.Fa fd
+argument must be pointing to a valid socket so that
+.Xr blocklistd 8
+can establish ownership of the local endpoint
+using
+.Xr getsockname 2 .
+.Pp
+By default,
+.Xr syslogd 8
+is used for message logging.
+The internal
+.Fn bl_create
+function can be used to create the required internal
+state and specify a custom logging function.
.Sh RETURN VALUES
The function
-.Fn blacklist_open
+.Fn blocklist_open
returns a cookie on success and
.Dv NULL
on failure setting
@@ -114,10 +149,10 @@ on failure setting
to an appropriate value.
.Pp
The functions
-.Fn blacklist ,
-.Fn blacklist_sa ,
+.Fn blocklist ,
+.Fn blocklist_sa ,
and
-.Fn blacklist_sa_r
+.Fn blocklist_sa_r
return
.Dv 0
on success and
@@ -126,7 +161,7 @@ on failure setting
.Dv errno
to an appropriate value.
.Sh SEE ALSO
-.Xr blacklistd.conf 5 ,
-.Xr blacklistd 8
+.Xr blocklistd.conf 5 ,
+.Xr blocklistd 8
.Sh AUTHORS
.An Christos Zoulas
diff --git a/libexec/Makefile b/libexec/Makefile
index 6537080bf465b..da7f4980b5694 100644
--- a/libexec/Makefile
+++ b/libexec/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.1 2015/01/22 17:49:41 christos Exp $
+# $NetBSD$
-SCRIPTS= blacklistd-helper
+SCRIPTS= blocklistd-helper
SCRIPTSDIR= /libexec
.include <bsd.prog.mk>
diff --git a/libexec/blocklistd-helper b/libexec/blocklistd-helper
index 2d0a89e8fb0e2..a5f239fd2c1cd 100644
--- a/libexec/blocklistd-helper
+++ b/libexec/blocklistd-helper
@@ -10,9 +10,9 @@
# $7 id
pf=
-if [ -f "/etc/ipfw-blacklist.rc" ]; then
+if [ -f "/etc/ipfw-blocklist.rc" ]; then
pf="ipfw"
- . /etc/ipfw-blacklist.rc
+ . /etc/ipfw-blocklist.rc
ipfw_offset=${ipfw_offset:-2000}
fi
diff --git a/port/Makefile.am b/port/Makefile.am
index 43bf6c94b4202..76ce02fe6f2ed 100644
--- a/port/Makefile.am
+++ b/port/Makefile.am
@@ -1,25 +1,25 @@
#
ACLOCAL_AMFLAGS = -I m4
-lib_LTLIBRARIES = libblacklist.la
-include_HEADERS = ../include/blacklist.h
+lib_LTLIBRARIES = libblocklist.la
+include_HEADERS = ../include/blocklist.h
-bin_PROGRAMS = blacklistd blacklistctl srvtest cltest
+bin_PROGRAMS = blocklistd blocklistctl srvtest cltest
VPATH = ../bin:../lib:../test:../include
AM_CPPFLAGS = -I../include -DDOT="."
AM_CFLAGS = @WARNINGS@
-libblacklist_la_SOURCES = bl.c blacklist.c
-libblacklist_la_LDFLAGS = -no-undefined -version-info 0:0:0
-libblacklist_la_LIBADD = $(LTLIBOBJS)
+libblocklist_la_SOURCES = bl.c blocklist.c
+libblocklist_la_LDFLAGS = -no-undefined -version-info 0:0:0
+libblocklist_la_LIBADD = $(LTLIBOBJS)
SRCS = internal.c support.c run.c conf.c state.c
-blacklistd_SOURCES = blacklistd.c ${SRCS}
-blacklistd_LDADD = libblacklist.la
-blacklistctl_SOURCES = blacklistctl.c ${SRCS}
-blacklistctl_LDADD = libblacklist.la
+blocklistd_SOURCES = blocklistd.c ${SRCS}
+blocklistd_LDADD = libblocklist.la
+blocklistctl_SOURCES = blocklistctl.c ${SRCS}
+blocklistctl_LDADD = libblocklist.la
srvtest_SOURCES = srvtest.c ${SRCS}
-srvtest_LDADD = libblacklist.la
+srvtest_LDADD = libblocklist.la
cltest_SOURCES = cltest.c ${SRCS}
-cltest_LDADD = libblacklist.la
+cltest_LDADD = libblocklist.la
diff --git a/port/_strtoi.h b/port/_strtoi.h
index 4b2b4e80f0d82..031a76c8dc222 100644
--- a/port/_strtoi.h
+++ b/port/_strtoi.h
@@ -1,4 +1,4 @@
-/* $NetBSD: _strtoi.h,v 1.1 2015/01/22 02:15:59 christos Exp $ */
+/* $NetBSD: _strtoi.h,v 1.2 2015/01/18 17:55:22 christos Exp $ */
/*-
* Copyright (c) 1990, 1993
diff --git a/port/configure.ac b/port/configure.ac
index eef8065f060a5..a459f4542f57e 100644
--- a/port/configure.ac
+++ b/port/configure.ac
@@ -1,5 +1,5 @@
dnl Process this file with autoconf to produce a configure script.
-AC_INIT([blacklistd],[0.1],[christos@netbsd.com])
+AC_INIT([blocklistd],[0.1],[christos@netbsd.com])
AM_INIT_AUTOMAKE([subdir-objects foreign])
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
diff --git a/port/fgetln.c b/port/fgetln.c
index a41a383a66535..54a3fa4ad897f 100644
--- a/port/fgetln.c
+++ b/port/fgetln.c
@@ -1,4 +1,4 @@
-/* $NetBSD: fgetln.c,v 1.1 2015/01/22 03:48:07 christos Exp $ */
+/* $NetBSD: fgetln.c,v 1.9 2008/04/29 06:53:03 martin Exp $ */
/*-
* Copyright (c) 1998 The NetBSD Foundation, Inc.
diff --git a/port/fparseln.c b/port/fparseln.c
index 5bfae54b9a9bc..eef66598380a9 100644
--- a/port/fparseln.c
+++ b/port/fparseln.c
@@ -1,4 +1,4 @@
-/* $NetBSD: fparseln.c,v 1.1 2015/01/22 03:48:07 christos Exp $ */
+/* $NetBSD: fparseln.c,v 1.10 2009/10/21 01:07:45 snj Exp $ */
/*
* Copyright (c) 1997 Christos Zoulas. All rights reserved.
@@ -29,7 +29,7 @@
#include <sys/cdefs.h>
#if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: fparseln.c,v 1.1 2015/01/22 03:48:07 christos Exp $");
+__RCSID("$NetBSD: fparseln.c,v 1.10 2009/10/21 01:07:45 snj Exp $");
#endif /* LIBC_SCCS and not lint */
#include <assert.h>
diff --git a/port/pidfile.c b/port/pidfile.c
index 4deb2349d20a0..bb4d9dd0ddf81 100644
--- a/port/pidfile.c
+++ b/port/pidfile.c
@@ -1,4 +1,4 @@
-/* $NetBSD: pidfile.c,v 1.2 2016/04/05 12:28:57 christos Exp $ */
+/* $NetBSD: pidfile.c,v 1.1 2015/01/22 16:19:53 christos Exp $ */
/*-
* Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
#include <sys/cdefs.h>
#if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: pidfile.c,v 1.2 2016/04/05 12:28:57 christos Exp $");
+__RCSID("$NetBSD: pidfile.c,v 1.1 2015/01/22 16:19:53 christos Exp $");
#endif
#include <sys/param.h>
diff --git a/port/popenve.c b/port/popenve.c
index 20f6b5b86b68d..054f93eddca99 100644
--- a/port/popenve.c
+++ b/port/popenve.c
@@ -1,4 +1,4 @@
-/* $NetBSD: popenve.c,v 1.2 2015/01/22 03:10:50 christos Exp $ */
+/* $NetBSD: popenve.c,v 1.1 2015/01/22 01:39:18 christos Exp $ */
/*
* Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
#if 0
static char sccsid[] = "@(#)popen.c 8.3 (Berkeley) 5/3/95";
#else
-__RCSID("$NetBSD: popenve.c,v 1.2 2015/01/22 03:10:50 christos Exp $");
+__RCSID("$NetBSD: popenve.c,v 1.1 2015/01/22 01:39:18 christos Exp $");
#endif
#endif /* LIBC_SCCS and not lint */
diff --git a/port/port.h b/port/port.h
index f82fb34b40f56..2808d6b8ef2af 100644
--- a/port/port.h
+++ b/port/port.h
@@ -81,6 +81,6 @@ int clock_gettime(int, struct timespec *);
#if !defined(__FreeBSD__)
#define _PATH_BLCONF "conf"
#define _PATH_BLCONTROL "control"
-#define _PATH_BLSOCK "blacklistd.sock"
-#define _PATH_BLSTATE "blacklistd.db"
+#define _PATH_BLSOCK "blocklistd.sock"
+#define _PATH_BLSTATE "blocklistd.db"
#endif
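Review bot: The new `_PATH_BLSOCK` default `"blocklistd.sock"` (line with `+#define _PATH_BLSOCK`) changes a runtime rendezvous point, not just an identifier: on non-FreeBSD builds a reporting client still linked against the old libblacklist keeps sending to `blacklistd.sock` while the renamed daemon listens on `blocklistd.sock`, and if the library treats a failed connect as non-fatal (as I believe it does, though the code is not in this hunk) the failed-login reports are dropped silently and nothing gets blocked — a fail-open for a security daemon. Unless the daemon or the packaging also provides the old path (a symlink or a second listener; bin/blocklistd.c and the rc script are outside this hunk), a migration note next to the define would help, e.g. `/* Renamed from blacklistd.sock: clients built against libblacklist do not reach this daemon unless the old path is also provided. */`. The same concern applies to `_PATH_BLSTATE`: a fresh `blocklistd.db` starts empty, so existing blocks recorded under the old name are lost at upgrade unless the state file is moved or migrated. Note this block is guarded by `#if !defined(__FreeBSD__)`, so the FreeBSD build itself takes its paths from elsewhere.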
diff --git a/port/sockaddr_snprintf.c b/port/sockaddr_snprintf.c
index 558755b6294bf..7b1c96548f758 100644
--- a/port/sockaddr_snprintf.c
+++ b/port/sockaddr_snprintf.c
@@ -1,4 +1,4 @@
-/* $NetBSD: sockaddr_snprintf.c,v 1.11 2016/06/01 22:57:51 christos Exp $ */
+/* $NetBSD: sockaddr_snprintf.c,v 1.10 2016/04/05 12:28:57 christos Exp $ */
/*-
* Copyright (c) 2004 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
#include <sys/cdefs.h>
#if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.11 2016/06/01 22:57:51 christos Exp $");
+__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.10 2016/04/05 12:28:57 christos Exp $");
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
diff --git a/port/strlcat.c b/port/strlcat.c
index d3c69b5fab789..86a545c4b3ad9 100644
--- a/port/strlcat.c
+++ b/port/strlcat.c
@@ -1,4 +1,4 @@
-/* $NetBSD: strlcat.c,v 1.2 2015/01/22 03:48:07 christos Exp $ */
+/* $NetBSD: strlcat.c,v 1.1 2015/01/22 02:36:15 christos Exp $ */
/* $OpenBSD: strlcat.c,v 1.10 2003/04/12 21:56:39 millert Exp $ */
/*
@@ -24,7 +24,7 @@
#include <sys/cdefs.h>
#if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: strlcat.c,v 1.2 2015/01/22 03:48:07 christos Exp $");
+__RCSID("$NetBSD: strlcat.c,v 1.1 2015/01/22 02:36:15 christos Exp $");
#endif /* LIBC_SCCS and not lint */
#ifdef _LIBC
diff --git a/port/strlcpy.c b/port/strlcpy.c
index 6646e1ce96966..248f2ea3bd7ba 100644
--- a/port/strlcpy.c
+++ b/port/strlcpy.c
@@ -1,4 +1,4 @@
-/* $NetBSD: strlcpy.c,v 1.2 2015/01/22 03:48:07 christos Exp $ */
+/* $NetBSD: strlcpy.c,v 1.1 2015/01/22 02:36:15 christos Exp $ */
/* $OpenBSD: strlcpy.c,v 1.7 2003/04/12 21:56:39 millert Exp $ */
/*
@@ -24,7 +24,7 @@
#include <sys/cdefs.h>
#if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: strlcpy.c,v 1.2 2015/01/22 03:48:07 christos Exp $");
+__RCSID("$NetBSD: strlcpy.c,v 1.1 2015/01/22 02:36:15 christos Exp $");
#endif /* LIBC_SCCS and not lint */
#ifdef _LIBC
diff --git a/port/strtoi.c b/port/strtoi.c
index 5514f1a00a32f..ef44c40f681a4 100644
--- a/port/strtoi.c
+++ b/port/strtoi.c
@@ -1,4 +1,4 @@
-/* $NetBSD: strtoi.c,v 1.3 2015/01/22 03:10:50 christos Exp $ */
+/* $NetBSD: strtoi.c,v 1.2 2015/01/22 02:35:44 christos Exp $ */
/*-
* Copyright (c) 2005 The DragonFly Project. All rights reserved.
@@ -34,7 +34,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: strtoi.c,v 1.3 2015/01/22 03:10:50 christos Exp $");
+__RCSID("$NetBSD: strtoi.c,v 1.2 2015/01/22 02:35:44 christos Exp $");
#if defined(_KERNEL)
#include <sys/param.h>
diff --git a/test/Makefile b/test/Makefile
index a451274def06b..cf76511541343 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.3 2015/05/30 22:40:38 christos Exp $
+# $NetBSD: Makefile,v 1.2 2015/01/22 05:03:52 christos Exp $
MKMAN=no
diff --git a/test/cltest.c b/test/cltest.c
index 6671429fc3c44..1b6b1b4f08856 100644
--- a/test/cltest.c
+++ b/test/cltest.c
@@ -1,4 +1,4 @@
-/* $NetBSD: cltest.c,v 1.6 2015/01/22 05:44:28 christos Exp $ */
+/* $NetBSD: cltest.c,v 1.5 2015/01/22 05:03:52 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: cltest.c,v 1.6 2015/01/22 05:44:28 christos Exp $");
+__RCSID("$NetBSD: cltest.c,v 1.5 2015/01/22 05:03:52 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
diff --git a/test/srvtest.c b/test/srvtest.c
index 03a762ab81f25..146b71c1a4f83 100644
--- a/test/srvtest.c
+++ b/test/srvtest.c
@@ -1,4 +1,4 @@
-/* $NetBSD: srvtest.c,v 1.10 2015/05/30 22:40:38 christos Exp $ */
+/* $NetBSD: srvtest.c,v 1.9 2015/01/22 05:35:55 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: srvtest.c,v 1.10 2015/05/30 22:40:38 christos Exp $");
+__RCSID("$NetBSD: srvtest.c,v 1.9 2015/01/22 05:35:55 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -48,7 +48,7 @@ __RCSID("$NetBSD: srvtest.c,v 1.10 2015/05/30 22:40:38 christos Exp $");
#include <poll.h>
#include <err.h>
-#include "blacklist.h"
+#include "blocklist.h"
#ifdef BLDEBUG
#include "bl.h"
static void *b;
@@ -71,9 +71,9 @@ process_tcp(int afd)
buffer[sizeof(buffer) - 1] = '\0';
printf("%s: sending %d %s\n", getprogname(), afd, buffer);
#ifdef BLDEBUG
- blacklist_r(b, 1, afd, buffer);
+ blocklist_r(b, 1, afd, buffer);
#else
- blacklist(1, afd, buffer);
+ blocklist(1, afd, buffer);
#endif
exit(0);
}
@@ -95,7 +95,7 @@ process_udp(int afd)
err(1, "recvfrom");
buffer[sizeof(buffer) - 1] = '\0';
printf("%s: sending %d %s\n", getprogname(), afd, buffer);
- blacklist_sa(1, afd, (void *)&ss, slen, buffer);
+ blocklist_sa(1, afd, (void *)&ss, slen, buffer);
exit(0);
}
static int