aboutsummaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'contrib')
-rw-r--r--contrib/blocklist/bin/blacklistctl.83
-rw-r--r--contrib/blocklist/bin/blacklistd.c18
-rw-r--r--contrib/blocklist/bin/blocklistctl.811
-rw-r--r--contrib/blocklist/bin/blocklistctl.c8
-rw-r--r--contrib/blocklist/bin/blocklistd.c18
-rwxr-xr-xcontrib/blocklist/libexec/blocklistd-helper2
6 files changed, 29 insertions, 31 deletions
diff --git a/contrib/blocklist/bin/blacklistctl.8 b/contrib/blocklist/bin/blacklistctl.8
index 4d557c0c979d..08f1d1b9e5af 100644
--- a/contrib/blocklist/bin/blacklistctl.8
+++ b/contrib/blocklist/bin/blacklistctl.8
@@ -45,7 +45,6 @@ is a program used to display and change the state of the
database.
The following sub-commands are supported:
.Ss dump
-.Pp
The following options are available for the
.Cm dump
sub-command:
@@ -90,7 +89,7 @@ associated with the database entry.
column will show the identifier for the packet filter rule associated
with the database entry, though this may only be the word
.Ql OK
-for packet filters which do not creat a unique identifier for each rule.
+for packet filters which do not create a unique identifier for each rule.
.It Ql nfail
The number of
.Em failures
diff --git a/contrib/blocklist/bin/blacklistd.c b/contrib/blocklist/bin/blacklistd.c
index ded3075ed707..b5f9358122ef 100644
--- a/contrib/blocklist/bin/blacklistd.c
+++ b/contrib/blocklist/bin/blacklistd.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $ */
+/* $NetBSD: blocklistd.c,v 1.11 2025/10/25 16:55:23 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $");
+__RCSID("$NetBSD: blocklistd.c,v 1.11 2025/10/25 16:55:23 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -191,12 +191,12 @@ process(bl_t bl)
}
if (getremoteaddress(bi, &rss, &rsl) == -1)
- goto out;
+ return;
if (debug || bi->bi_msg[0]) {
sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss);
(*lfun)(bi->bi_msg[0] ? LOG_INFO : LOG_DEBUG,
- "processing type=%d fd=%d remote=%s msg=%s uid=%lu gid=%lu",
+ "processing type=%d fd=%d remote=%s msg=\"%s\" uid=%lu gid=%lu",
bi->bi_type, bi->bi_fd, rbuf,
bi->bi_msg, (unsigned long)bi->bi_uid,
(unsigned long)bi->bi_gid);
@@ -204,12 +204,12 @@ process(bl_t bl)
if (conf_find(bi->bi_fd, bi->bi_uid, &rss, &c) == NULL) {
(*lfun)(LOG_DEBUG, "no rule matched");
- goto out;
+ return;
}
if (state_get(state, &c, &dbi) == -1)
- goto out;
+ return;
if (debug) {
char b1[128], b2[128];
@@ -226,7 +226,7 @@ process(bl_t bl)
* set the number of fails to be one less than the
* configured limit. Fallthrough to the normal BL_ADD
* processing, which will increment the failure count
- * to the threshhold, and block the abusive address.
+ * to the threshold, and block the abusive address.
*/
if (c.c_nfail != -1)
dbi.count = c.c_nfail - 1;
@@ -269,8 +269,6 @@ process(bl_t bl)
state_put(state, &c, &dbi);
out:
- close(bi->bi_fd);
-
if (debug) {
char b1[128], b2[128];
(*lfun)(LOG_DEBUG, "%s: final db state for %s: count=%d/%d "
@@ -565,7 +563,7 @@ main(int argc, char *argv[])
conf_parse(configfile);
}
ret = poll(pfd, (nfds_t)nfd, tout);
- if (debug)
+ if (debug && ret != 0)
(*lfun)(LOG_DEBUG, "received %d from poll()", ret);
switch (ret) {
case -1:
diff --git a/contrib/blocklist/bin/blocklistctl.8 b/contrib/blocklist/bin/blocklistctl.8
index a98c16374f19..75228599a9de 100644
--- a/contrib/blocklist/bin/blocklistctl.8
+++ b/contrib/blocklist/bin/blocklistctl.8
@@ -1,4 +1,4 @@
-.\" $NetBSD: blocklistctl.8,v 1.4 2025/02/07 01:35:38 kre Exp $
+.\" $NetBSD: blocklistctl.8,v 1.5 2025/10/25 16:56:27 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 27, 2025
+.Dd October 25, 2025
.Dt BLOCKLISTCTL 8
.Os
.Sh NAME
@@ -45,7 +45,6 @@ is a program used to display and change the state of the
database.
The following sub-commands are supported:
.Ss dump
-.Pp
The following options are available for the
.Cm dump
sub-command:
@@ -83,6 +82,10 @@ sub-command consists of a header (unless
was given) and one line for each record in the database, where each line
has the following columns:
.Bl -tag -width indent
+.It Ql rulename
+The packet filter rule name associated with the database entry,
+usually
+.Dv blocklistd .
.It Ql address/ma:port
The remote address, mask, and local port number of the client connection
associated with the database entry.
@@ -90,7 +93,7 @@ associated with the database entry.
column will show the identifier for the packet filter rule associated
with the database entry, though this may only be the word
.Ql OK
-for packet filters which do not creat a unique identifier for each rule.
+for packet filters which do not create a unique identifier for each rule.
.It Ql nfail
The number of
.Em failures
diff --git a/contrib/blocklist/bin/blocklistctl.c b/contrib/blocklist/bin/blocklistctl.c
index 8c75e0430c61..b43d8b8aaab3 100644
--- a/contrib/blocklist/bin/blocklistctl.c
+++ b/contrib/blocklist/bin/blocklistctl.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp $ */
+/* $NetBSD: blocklistctl.c,v 1.5 2025/10/25 16:56:10 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp $");
+__RCSID("$NetBSD: blocklistctl.c,v 1.5 2025/10/25 16:56:10 christos Exp $");
#include <stdio.h>
#include <time.h>
@@ -135,7 +135,7 @@ main(int argc, char *argv[])
clock_gettime(CLOCK_REALTIME, &ts);
wide = wide ? 8 * 4 + 7 : 4 * 3 + 3;
if (!noheader)
- printf("%*.*s/ma:port\tid\tnfail\t%s\n", wide, wide,
+ printf("rulename\t%*.*s/ma:port\tid\tnfail\t%s\n", wide, wide,
"address", remain ? "remaining time" : "last access");
for (i = 1; state_iterate(db, &c, &dbi, i) != 0; i = 0) {
char buf[BUFSIZ];
@@ -150,7 +150,7 @@ main(int argc, char *argv[])
}
}
sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&c.c_ss);
- printf("%*.*s/%s:%s\t", wide, wide, buf,
+ printf("%s\t%*.*s/%s:%s\t", c.c_name, wide, wide, buf,
star(mbuf, sizeof(mbuf), c.c_lmask),
star(pbuf, sizeof(pbuf), c.c_port));
if (c.c_duration == -1) {
diff --git a/contrib/blocklist/bin/blocklistd.c b/contrib/blocklist/bin/blocklistd.c
index 03a1dbbf056c..c78c560613fc 100644
--- a/contrib/blocklist/bin/blocklistd.c
+++ b/contrib/blocklist/bin/blocklistd.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $ */
+/* $NetBSD: blocklistd.c,v 1.11 2025/10/25 16:55:23 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
#ifdef HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $");
+__RCSID("$NetBSD: blocklistd.c,v 1.11 2025/10/25 16:55:23 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -191,12 +191,12 @@ process(bl_t bl)
}
if (getremoteaddress(bi, &rss, &rsl) == -1)
- goto out;
+ return;
if (debug || bi->bi_msg[0]) {
sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss);
(*lfun)(bi->bi_msg[0] ? LOG_INFO : LOG_DEBUG,
- "processing type=%d fd=%d remote=%s msg=%s uid=%lu gid=%lu",
+ "processing type=%d fd=%d remote=%s msg=\"%s\" uid=%lu gid=%lu",
bi->bi_type, bi->bi_fd, rbuf,
bi->bi_msg, (unsigned long)bi->bi_uid,
(unsigned long)bi->bi_gid);
@@ -204,12 +204,12 @@ process(bl_t bl)
if (conf_find(bi->bi_fd, bi->bi_uid, &rss, &c) == NULL) {
(*lfun)(LOG_DEBUG, "no rule matched");
- goto out;
+ return;
}
if (state_get(state, &c, &dbi) == -1)
- goto out;
+ return;
if (debug) {
char b1[128], b2[128];
@@ -226,7 +226,7 @@ process(bl_t bl)
* set the number of fails to be one less than the
* configured limit. Fallthrough to the normal BL_ADD
* processing, which will increment the failure count
- * to the threshhold, and block the abusive address.
+ * to the threshold, and block the abusive address.
*/
if (c.c_nfail != -1)
dbi.count = c.c_nfail - 1;
@@ -269,8 +269,6 @@ process(bl_t bl)
state_put(state, &c, &dbi);
out:
- close(bi->bi_fd);
-
if (debug) {
char b1[128], b2[128];
(*lfun)(LOG_DEBUG, "%s: final db state for %s: count=%d/%d "
@@ -565,7 +563,7 @@ main(int argc, char *argv[])
conf_parse(configfile);
}
ret = poll(pfd, (nfds_t)nfd, tout);
- if (debug)
+ if (debug && ret != 0)
(*lfun)(LOG_DEBUG, "received %d from poll()", ret);
switch (ret) {
case -1:
diff --git a/contrib/blocklist/libexec/blocklistd-helper b/contrib/blocklist/libexec/blocklistd-helper
index 14a192ee35ce..1d4a38b1d831 100755
--- a/contrib/blocklist/libexec/blocklistd-helper
+++ b/contrib/blocklist/libexec/blocklistd-helper
@@ -259,7 +259,7 @@ flush)
# dynamically determine which anchors exist
for anchor in $(/sbin/pfctl -a "$2" -s Anchors 2> /dev/null); do
/sbin/pfctl -a "$anchor" -t "port${anchor##*/}" -T flush 2> /dev/null
- /sbin/pfctl -a "$anchor" -F rules
+ /sbin/pfctl -a "$anchor" -F rules 2> /dev/null
done
echo OK
;;
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-26 23:50:56 +0000