The original blacklist library supported two operations - a

notification of a failed auth attempt, and a notification of a
successful auth attempt.

Implements a third option - notification of abusive behavior, and
accepts, but does not act on a forth type - "bad username". It is
envisioned that a system administrator will configure a small list
of "known bad usernames" that should be blocked immediately.

From Kurt Lidl @ FreeBSD

external/bsd/blacklist/bin/blacklistd.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -214,6 +214,17 @@ process(bl_t bl)
 	}
 
 	switch (bi->bi_type) {
+	case BL_ABUSE:
+		/*
+		 * If the application has signaled abusive behavior,
+		 * set the number of fails to be one less than the
+		 * configured limit.  Fallthrough to the normal BL_ADD
+		 * processing, which will increment the failure count
+		 * to the threshhold, and block the abusive address.
+		 */
+		if (c.c_nfail != -1)
+			dbi.count = c.c_nfail - 1;
+		/*FALLTHROUGH*/
 	case BL_ADD:
 		dbi.count++;
 		dbi.last = ts.tv_sec;
@@ -249,6 +260,9 @@ process(bl_t bl)
 		dbi.count = 0;
 		dbi.last = 0;
 		break;
+	case BL_BADUSER:
+		/* ignore for now */
+		break;
 	default:
 		(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
 	}

external/bsd/blacklist/include/bl.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: bl.h,v 1.13 2016/03/11 17:16:40 christos Exp $	*/
+/*	$NetBSD: bl.h,v 1.14 2019/11/06 20:50:01 christos Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -40,7 +40,9 @@
 typedef enum {
 	BL_INVALID,
 	BL_ADD,
-	BL_DELETE
+	BL_DELETE,
+	BL_ABUSE,
+	BL_BADUSER
 } bl_type_t;
 
 typedef struct {

external/bsd/blacklist/include/blacklist.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklist.h,v 1.3 2015/01/23 18:48:56 christos Exp $	*/
+/*	$NetBSD: blacklist.h,v 1.4 2019/11/06 20:50:01 christos Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -43,4 +43,13 @@ int blacklist_sa_r(struct blacklist *, int, int,
     const struct sockaddr *, socklen_t, const char *);
 __END_DECLS
 
+/* action values for user applications */
+#define BLACKLIST_API_ENUM	1
+enum {
+        BLACKLIST_AUTH_OK = 0,
+        BLACKLIST_AUTH_FAIL,
+        BLACKLIST_ABUSIVE_BEHAVIOR,
+        BLACKLIST_BAD_USER
+};
+
 #endif /* _BLACKLIST_H */

external/bsd/blacklist/lib/blacklist.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $	*/
+/*	$NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $");
+__RCSID("$NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $");
 
 #include <stdio.h>
 #include <bl.h>
@@ -61,7 +61,27 @@ int
 blacklist_sa_r(struct blacklist *bl, int action, int rfd,
 	const struct sockaddr *sa, socklen_t slen, const char *msg)
 {
-	return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg);
+	int internal_action;
+
+	/* internal values are not the same as user application values */
+	switch (action) {
+	case BLACKLIST_AUTH_FAIL:
+		internal_action = BL_ADD;
+		break;
+	case BLACKLIST_AUTH_OK:
+		internal_action = BL_DELETE;
+		break;
+	case BLACKLIST_ABUSIVE_BEHAVIOR:
+		internal_action = BL_ABUSE;
+		break;
+	case BLACKLIST_BAD_USER:
+		internal_action = BL_BADUSER;
+		break;
+	default:
+		internal_action = BL_INVALID;
+		break;
+	}
+	return bl_send(bl, internal_action, rfd, sa, slen, msg);
 }
 
 int

external/bsd/blacklist/lib/libblacklist.3

@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.8 2017/10/22 10:31:57 abhinav Exp $
+.\" $NetBSD: libblacklist.3,v 1.9 2019/11/06 20:50:01 christos Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 22, 2015
+.Dd May 5, 2017
 .Dt LIBBLACKLIST 3
 .Os
 .Sh NAME
@@ -76,13 +76,9 @@ The
 .Fn blacklist
 function sends a message to
 .Xr blacklistd 8 ,
-with an
+with an integer
 .Ar action
-argument specifying
-.Dv 1
-for a failed connection or
-.Dv 0
-for a successful connection,
+argument specifying the type of notification,
 a file descriptor
 .Ar fd
 specifying the accepted file descriptor connected to the client,
@@ -91,6 +87,30 @@ and an optional message in the
 argument.
 .Pp
 The
+.Ar action
+parameter can take these values:
+.Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR"
+.It Va BLACKLIST_AUTH_FAIL
+There was an unsuccessful authentication attempt.
+.It Va BLACKLIST_AUTH_OK
+A user successfully authenticated.
+.It Va BLACKLIST_ABUSIVE_BEHAVIOR
+The sending daemon has detected abusive behavior
+from the remote system.  The remote address should
+be blocked as soon as possible.
+.It Va BLACKLIST_BAD_USER
+The sending daemon has determined the username
+presented for authentication is invalid.  The
+.Xr blacklistd 8
+daemon compares the username to a configured list of forbidden
+usernames and
+blocks the address immediately if a forbidden username matches.
+(The
+.Ar BLACKLIST_BAD_USER
+support is not currently available.)
+.El
+.Pp
+The
 .Fn blacklist_r
 function is more efficient because it keeps the blacklist state around.
 .Pp
@@ -102,8 +122,13 @@ functions can be used with unconnected sockets, where
 .Xr getpeername 2
 will not work, the server will pass the peer name in the message.
 .Pp
-All functions log errors to
-.Xr syslogd 8 .
+By default,
+.Xr syslogd 8
+is used for message logging.
+The internal
+.Fn bl_create
+function can be used to create the required internal
+state and specify a custom logging function.
 .Sh RETURN VALUES
 The function
 .Fn blacklist_open