aboutsummaryrefslogtreecommitdiff
path: root/contrib/blacklist/libexec/blacklistd-helper
blob: f92eab8b29bde626b5602991e1fba5703897d41a (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

#!/bin/sh
#echo "run $@" 1>&2
#set -x
# $1 command
# $2 rulename
# $3 protocol
# $4 address
# $5 mask
# $6 port
# $7 id

pf=
if [ -f "/etc/ipfw-blacklist.rc" ]; then
	pf="ipfw"
	. /etc/ipfw-blacklist.rc
	ipfw_offset=${ipfw_offset:-2000}
fi

if [ -z "$pf" ]; then
	for f in npf pf ipf; do
		if [ -f "/etc/$f.conf" ]; then
			pf="$f"
			break
		fi
	done
fi

if [ -z "$pf" ]; then
	echo "$0: Unsupported packet filter" 1>&2
	exit 1
fi

if [ -n "$3" ]; then
	proto="proto $3"
fi

if [ -n "$6" ]; then
	port="port $6"
fi

addr="$4"
mask="$5"
case "$4" in
::ffff:*.*.*.*)
	if [ "$5" = 128 ]; then
		mask=32
		addr=${4#::ffff:}
	fi;;
esac

case "$1" in
add)
	case "$pf" in
	ipf)
		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
		echo block in quick $proto from $addr/$mask to \
		    any port=$6 head port$6 | \
		    /sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK
		;;
	ipfw)
		# use $ipfw_offset+$port for rule number
		rule=$(($ipfw_offset + $6))
		tname="port$6"
		/sbin/ipfw table $tname create type addr 2>/dev/null
		/sbin/ipfw -q table $tname add "$addr/$mask"
		# if rule number $rule does not already exist, create it
		/sbin/ipfw show $rule >/dev/null 2>&1 || \
			/sbin/ipfw add $rule drop $3 from \
			table"("$tname")" to any dst-port $6 >/dev/null && \
			echo OK
		;;
	npf)
		/sbin/npfctl rule "$2" add block in final $proto from \
		    "$addr/$mask" to any $port
		;;
	pf)
		# if the filtering rule does not exist, create it
		/sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
		    grep -q "<port$6>" || \
		    echo "block in quick $proto from <port$6> to any $port" | \
		    /sbin/pfctl -a "$2/$6" -f -
		# insert $ip/$mask into per-protocol/port anchored table
		/sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
		    /sbin/pfctl -qk "$addr" && echo OK
		;;
	esac
	;;
rem)
	case "$pf" in
	ipf)
		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
		echo block in quick $proto from $addr/$mask to \
		    any port=$6 head port$6 | \
		    /sbin/ipf -I -r -f - -s >/dev/null 2>&1 && echo OK
		;;
	ipfw)
		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
		    echo OK
		;;
	npf)
		/sbin/npfctl rule "$2" rem-id "$7"
		;;
	pf)
		/sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
		    echo OK
		;;
	esac
	;;
flush)
	case "$pf" in
	ipf)
		/sbin/ipf -Z -I -Fi -s > /dev/null && echo OK
		;;
	ipfw)
		/sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
		;;
	npf)
		/sbin/npfctl rule "$2" flush
		;;
	pf)
		# dynamically determine which anchors exist
		for anchor in $(/sbin/pfctl -a "$2" -s Anchors); do
			/sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush
			/sbin/pfctl -a $anchor -F rules
		done
		echo OK
		;;
	esac
	;;
*)
	echo "$0: Unknown command '$1'" 1>&2
	exit 1
	;;
esac
generated by cgit v1.2.3 (git 2.25.1) at 2025-03-07 06:52:04 +0000