diff options
author | Kurt Lidl <lidl@FreeBSD.org> | 2016-06-12 23:34:48 +0000 |
---|---|---|
committer | Kurt Lidl <lidl@FreeBSD.org> | 2016-06-12 23:34:48 +0000 |
commit | 74bc093c1cd3bd67b815d0431c228f236bef603c (patch) | |
tree | dcf922c3e380e309da365e6539a4f301c93a9d04 /contrib/blacklist | |
parent | 90988efdc51e8442e21a0ecc8913b21662b168a1 (diff) | |
download | src-74bc093c1cd3bd67b815d0431c228f236bef603c.tar.gz src-74bc093c1cd3bd67b815d0431c228f236bef603c.zip |
Add ipfilter support to blacklistd-helper
In addition to adding initial support for the ipfilter
packet filtering system, wrap a few long lines, perform
whitespace cleanup and sync with upstream changes made
in NetBSD.
Submitted by: cy
Reviewed by: cy
Approved by: re (hrs)
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6823
Notes
Notes:
svn path=/head/; revision=301843
Diffstat (limited to 'contrib/blacklist')
-rw-r--r-- | contrib/blacklist/libexec/blacklistd-helper | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/contrib/blacklist/libexec/blacklistd-helper b/contrib/blacklist/libexec/blacklistd-helper index befa4ae5eac3..be63a9ce53b7 100644 --- a/contrib/blacklist/libexec/blacklistd-helper +++ b/contrib/blacklist/libexec/blacklistd-helper @@ -10,12 +10,6 @@ # $7 id pf= -for f in npf pf; do - if [ -f "/etc/$f.conf" ]; then - pf="$f" - break - fi -done if [ -f "/etc/ipfw-blacklist.rc" ]; then pf="ipfw" . /etc/ipfw-blacklist.rc @@ -23,6 +17,15 @@ if [ -f "/etc/ipfw-blacklist.rc" ]; then fi if [ -z "$pf" ]; then + for f in npf pf ipf; do + if [ -f "/etc/$f.conf" ]; then + pf="$f" + break + fi + done +fi + +if [ -z "$pf" ]; then echo "$0: Unsupported packet filter" 1>&2 exit 1 fi @@ -48,12 +51,20 @@ esac case "$1" in add) case "$pf" in + ipf) + /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 + echo block in quick $proto from $addr/$mask to \ + any port=$6 head port$6 | \ + /sbin/ipf -I -f - -s >/dev/null 2>&1 + ;; ipfw) - rule=$(( $ipfw_offset + $6 )) # use $ipfw_offset+$port for rule number + # use $ipfw_offset+$port for rule number + rule=$(($ipfw_offset + $6)) tname="port$6" /sbin/ipfw table $tname create type addr 2>/dev/null /sbin/ipfw -q table $tname add "$addr/$mask" - /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to any dst-port $6 + /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \ + any dst-port $6 ;; npf) /sbin/npfctl rule "$2" add block in final $proto from \ @@ -69,6 +80,12 @@ add) ;; rem) case "$pf" in + ipf) + /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 + echo block in quick $proto from $addr/$mask to \ + any port=$6 head port$6 | \ + /sbin/ipf -I -r -f - -s >/dev/null 2>&1 + ;; ipfw) /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null ;; @@ -81,7 +98,10 @@ rem) esac ;; flush) - case "$pf" in + case "$pf" in + ipf) + /sbin/ipf -Z -I -Fi -s > /dev/null + ;; ipfw) /sbin/ipfw table "port$6" flush 2>/dev/null ;; |