Sync with current.
This commit is contained in:
parent
fff8d9a1f5
commit
9e607ccb2a
5
external/bsd/blacklist/Makefile
vendored
Normal file
5
external/bsd/blacklist/Makefile
vendored
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
# $NetBSD: Makefile,v 1.1 2015/01/21 16:16:00 christos Exp $
|
||||||
|
|
||||||
|
SUBDIR = lib .WAIT include bin
|
||||||
|
|
||||||
|
.include <bsd.subdir.mk>
|
6
external/bsd/blacklist/Makefile.inc
vendored
Normal file
6
external/bsd/blacklist/Makefile.inc
vendored
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
# $NetBSD: Makefile.inc,v 1.1 2015/01/21 16:16:00 christos Exp $
|
||||||
|
|
||||||
|
WARNS=6
|
||||||
|
LDADD+= -lblacklist
|
||||||
|
DPADD+= ${LIBBLACKLIST}
|
||||||
|
CPPFLAGS+= -I${.CURDIR}/../include
|
71
external/bsd/blacklist/README
vendored
Normal file
71
external/bsd/blacklist/README
vendored
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
# Tue Jan 20 21:18:54 EST 2015
|
||||||
|
|
||||||
|
This package contains library that can be used by network daemons to
|
||||||
|
communicate with a packet filter via a daemon to enforce opening and
|
||||||
|
closing ports dynamically based on policy.
|
||||||
|
|
||||||
|
The interface to the packet filter is in etc/control (this is currently
|
||||||
|
designed for npf) and the configuration file (inspired from inetd.conf)
|
||||||
|
is in etc/conf.
|
||||||
|
|
||||||
|
A patch to OpenSSH is in ssh.diff that adds blacklisting capabilities to
|
||||||
|
openssh.
|
||||||
|
|
||||||
|
The network daemon (for example sshd) communicates to blacklistd, via
|
||||||
|
a unix socket like syslog. The library calls are simple and everything
|
||||||
|
is handled by the library. In the simplest form the only thing the
|
||||||
|
daemon needs to do is to call:
|
||||||
|
|
||||||
|
blacklist(action, acceptedfd, message);
|
||||||
|
|
||||||
|
Where:
|
||||||
|
action = 0 -> successful login clear blacklist state
|
||||||
|
1 -> failed login, add to the failed count
|
||||||
|
acceptedfd -> the file descriptor where the server is
|
||||||
|
connected to the remote client. It is used
|
||||||
|
to determine the listening socket, and the
|
||||||
|
remote address. This allows any program to
|
||||||
|
contact the blacklist daemon, since the verification
|
||||||
|
if the program has access to the listening
|
||||||
|
socket is done by virtue that the port
|
||||||
|
number is retrieved from the kernel.
|
||||||
|
message -> an optional string that is used in debugging logs.
|
||||||
|
|
||||||
|
The configuration file contains entries of the form:
|
||||||
|
|
||||||
|
# Blacklist rule
|
||||||
|
# Port type protocol owner nfail disable
|
||||||
|
ssh stream tcp * 6 60m
|
||||||
|
ssh stream tcp6 * 6 60m
|
||||||
|
|
||||||
|
Here note that owner is * because the connection is done from the
|
||||||
|
child ssh socket which runs with user privs. We also register for
|
||||||
|
both tcp and tcp6 since those are different listening sockets and
|
||||||
|
addresses. We use nfail = 6, because ssh allows 3 password attempts
|
||||||
|
per connection, and this will let us have 2 connections before
|
||||||
|
blocking. Finally we block for an hour; we could block forever
|
||||||
|
too by specifying * in the duration column.
|
||||||
|
|
||||||
|
blacklistd and the library use syslog(3) to report errors. The
|
||||||
|
blacklist filter state is persisted automatically in /var/db/blacklistd.db
|
||||||
|
so that if the daemon is restarted, it remembers what connections
|
||||||
|
is currently handling. To start from a fresh state (if you restart
|
||||||
|
npf too for example), you can use -f. To watch the daemon at work,
|
||||||
|
you can use -d.
|
||||||
|
|
||||||
|
The current control file is designed for npf, and it uses the
|
||||||
|
dynamic rule feature. You need to create a dynamic rule in your
|
||||||
|
/etc/npf.conf on the group referring to the interface you want to block
|
||||||
|
called blacklistd as follows:
|
||||||
|
|
||||||
|
ext_if=bge0
|
||||||
|
|
||||||
|
group "external" on $ext_if {
|
||||||
|
...
|
||||||
|
ruleset "blacklistd"
|
||||||
|
...
|
||||||
|
}
|
||||||
|
|
||||||
|
Enjoy,
|
||||||
|
|
||||||
|
christos
|
21
external/bsd/blacklist/bin/Makefile
vendored
21
external/bsd/blacklist/bin/Makefile
vendored
@ -1,13 +1,14 @@
|
|||||||
.include <bsd.own.mk>
|
# $NetBSD: Makefile,v 1.5 2015/01/21 16:16:00 christos Exp $
|
||||||
|
|
||||||
WARNS=6
|
BINDIR=/usr/sbin
|
||||||
COPTS=-g
|
|
||||||
MKMAN=no
|
PROGS=blacklistd blacklistctl
|
||||||
PROGS=srvtest cltest blacklistd
|
MAN=blacklistd.8
|
||||||
SRCS.srvtest = bl.c srvtest.c
|
MLINKS=blacklistd.8 blacklistd.conf.5
|
||||||
SRCS.cltest = cltest.c
|
SRCS.blacklistd = blacklistd.c conf.c run.c state.c
|
||||||
SRCS.blacklistd = bl.c blacklistd.c conf.c run.c state.c
|
SRCS.blacklistctl = blacklistctl.c conf.c state.c
|
||||||
LDADD.blacklistd += -lutil
|
|
||||||
LPADD.blacklistd += ${LIBUTIL}
|
LDADD+=-lutil
|
||||||
|
DPADD+=${LIBUTIL}
|
||||||
|
|
||||||
.include <bsd.prog.mk>
|
.include <bsd.prog.mk>
|
||||||
|
52
external/bsd/blacklist/bin/blacklistctl.c
vendored
Normal file
52
external/bsd/blacklist/bin/blacklistctl.c
vendored
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <time.h>
|
||||||
|
#include <util.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <db.h>
|
||||||
|
#include <err.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <sys/socket.h>
|
||||||
|
|
||||||
|
#include "conf.h"
|
||||||
|
#include "state.h"
|
||||||
|
#include "internal.h"
|
||||||
|
|
||||||
|
static const char *
|
||||||
|
fmttime(char *b, size_t l, time_t t)
|
||||||
|
{
|
||||||
|
struct tm tm;
|
||||||
|
if (localtime_r(&t, &tm) == NULL)
|
||||||
|
snprintf(b, l, "*%jd*", (intmax_t)t);
|
||||||
|
else
|
||||||
|
strftime(b, l, "%Y/%m/%d %H:%M:%S", &tm);
|
||||||
|
return b;
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
main(int argc, char *argv[])
|
||||||
|
{
|
||||||
|
const char *dbname = _PATH_BLSTATE;
|
||||||
|
DB *db;
|
||||||
|
struct conf c;
|
||||||
|
struct sockaddr_storage ss;
|
||||||
|
struct dbinfo dbi;
|
||||||
|
unsigned int i;
|
||||||
|
|
||||||
|
db = state_open(dbname, O_RDONLY, 0);
|
||||||
|
if (db == NULL)
|
||||||
|
err(EXIT_FAILURE, "Can't open `%s'", dbname);
|
||||||
|
|
||||||
|
for (i = 1; state_iterate(db, &ss, &c, &dbi, i) != 0; i = 0) {
|
||||||
|
char buf[BUFSIZ];
|
||||||
|
printf("conf: %s\n", conf_print(buf, sizeof(buf), "",
|
||||||
|
":", &c));
|
||||||
|
sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&ss);
|
||||||
|
printf("addr: %s\n", buf);
|
||||||
|
printf("data: count=%d id=%s time=%s\n", dbi.count,
|
||||||
|
dbi.id, fmttime(buf, sizeof(buf), dbi.last));
|
||||||
|
}
|
||||||
|
state_close(db);
|
||||||
|
return EXIT_SUCCESS;
|
||||||
|
}
|
170
external/bsd/blacklist/bin/blacklistd.8
vendored
Normal file
170
external/bsd/blacklist/bin/blacklistd.8
vendored
Normal file
@ -0,0 +1,170 @@
|
|||||||
|
.\" $NetBSD: blacklistd.8,v 1.1 2015/01/21 16:16:00 christos Exp $
|
||||||
|
.\"
|
||||||
|
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
|
.\" All rights reserved.
|
||||||
|
.\"
|
||||||
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
||||||
|
.\" by Christos Zoulas.
|
||||||
|
.\"
|
||||||
|
.\" Redistribution and use in source and binary forms, with or without
|
||||||
|
.\" modification, are permitted provided that the following conditions
|
||||||
|
.\" are met:
|
||||||
|
.\" 1. Redistributions of source code must retain the above copyright
|
||||||
|
.\" notice, this list of conditions and the following disclaimer.
|
||||||
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
.\" notice, this list of conditions and the following disclaimer in the
|
||||||
|
.\" documentation and/or other materials provided with the distribution.
|
||||||
|
.\"
|
||||||
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
||||||
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
||||||
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||||
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
||||||
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||||
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||||
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||||
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||||
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
.\"
|
||||||
|
.Dd January 19, 2016
|
||||||
|
.Dt BLACKLISTD 8
|
||||||
|
.Os
|
||||||
|
.Sh NAME
|
||||||
|
.Nm blacklistd ,
|
||||||
|
.Nm blacklistd.conf
|
||||||
|
.Nd block and release ports on demand to avoid DoS abuse
|
||||||
|
.Sh SYNOPSIS
|
||||||
|
.Nm
|
||||||
|
.Op Fl df
|
||||||
|
.Op Fl c Ar configfile
|
||||||
|
.Op Fl C Ar controlprog
|
||||||
|
.Op Fl D Ar dbfile
|
||||||
|
.Op Fl r Ar rulename
|
||||||
|
.Op Fl s Ar sockpath
|
||||||
|
.Op Fl t Ar timeout
|
||||||
|
.Sh DESCRIPTION
|
||||||
|
.Nm
|
||||||
|
is a daemon similar to
|
||||||
|
.Xr syslogd 8
|
||||||
|
that listens to a socket at
|
||||||
|
.Ar sockpath
|
||||||
|
for notifications from other daemons about successful or failed connection
|
||||||
|
attempts.
|
||||||
|
Each notification contains a (action, port, protocol, address, owner) tuple
|
||||||
|
that identifies the remote connection and the action.
|
||||||
|
This tuple is consulted against entries in
|
||||||
|
.Ar configfile
|
||||||
|
with syntax specified in
|
||||||
|
.Xr blacklistd.conf 5 .
|
||||||
|
If an entry is matched, a state entry is created for that tuple.
|
||||||
|
Each entry contains a number of tries limit and a duration.
|
||||||
|
.Pp
|
||||||
|
If the action is
|
||||||
|
.Dq add
|
||||||
|
and the number of tries limit is reached, then a
|
||||||
|
control script
|
||||||
|
.Ar controlprog
|
||||||
|
is invoked with arguments:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
control add <rulename> <proto> <port> <address>
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
and should invoke a packet filter command to block the connection
|
||||||
|
specified by the arguments.
|
||||||
|
The
|
||||||
|
.Ar rulename
|
||||||
|
argument can be set from the command line (default
|
||||||
|
.Dv blacklistd ).
|
||||||
|
The script should print a numerical id to stdout as a handle for
|
||||||
|
the rule that can be used later to remove that connection.
|
||||||
|
.Pp
|
||||||
|
If the action is
|
||||||
|
.Dq remove
|
||||||
|
Then the same control script is invoked as:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
control rem <rulename> <id>
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
where
|
||||||
|
.Ar id
|
||||||
|
is the number returned from the
|
||||||
|
.Dq add
|
||||||
|
action.
|
||||||
|
.Pp
|
||||||
|
.Nm
|
||||||
|
maintains a database of known connections in
|
||||||
|
.Ar dbfile .
|
||||||
|
On startup it reads entries from that file, and updates its internal state.
|
||||||
|
If the
|
||||||
|
.Fl f
|
||||||
|
flag is specified, then the database is truncated an all the rules named
|
||||||
|
.Ar rulename
|
||||||
|
are deleted by invoking the control script as:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
control flush <rulename>
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
.Nm
|
||||||
|
checks the list of active entries every
|
||||||
|
.Ar timeout
|
||||||
|
seconds (default
|
||||||
|
.Dv 15 )
|
||||||
|
and removes entries and block rules using the control program as necessary.
|
||||||
|
.Pp
|
||||||
|
The configuration file contains one tuple per line, and is similar to
|
||||||
|
.Xr inetd.conf .
|
||||||
|
There must be an entry for each field of the configuration file, with
|
||||||
|
entries for each field separated by a tab or a space.
|
||||||
|
Comments are denoted by a
|
||||||
|
.Dq #
|
||||||
|
at the beginning of a line.
|
||||||
|
There must be an entry for each field; entries can be numeric or symbolic,
|
||||||
|
where appropriate (
|
||||||
|
.Dv service-name ,
|
||||||
|
.Dv user )
|
||||||
|
and can be
|
||||||
|
.Dq *
|
||||||
|
for all fields except
|
||||||
|
.Dv nfail and
|
||||||
|
.Dv duration :
|
||||||
|
The fields of the configuration file are as follows:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
service-name
|
||||||
|
socket-type
|
||||||
|
protocol
|
||||||
|
user
|
||||||
|
nfail
|
||||||
|
duration
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
Normally,
|
||||||
|
.Nm
|
||||||
|
disassociates itself from the terminal and writes messages to
|
||||||
|
.Xr syslogd 8 ,
|
||||||
|
unless the
|
||||||
|
.Fl d
|
||||||
|
flag is specified, in which case it stays in the foreground and prints
|
||||||
|
diagnostic messages to
|
||||||
|
.Dv stdout .
|
||||||
|
.Sh FILES
|
||||||
|
.Bl -tag -width /etc/blacklistd/control -compact
|
||||||
|
.It Pa /etc/blacklistd/control
|
||||||
|
Shell script invoked to interface with the packet filter.
|
||||||
|
.It Pa /etc/blacklistd/conf
|
||||||
|
Configuration file.
|
||||||
|
.It Pa /var/db/blacklistd.db
|
||||||
|
Database of current connection entries.
|
||||||
|
.It Pa /var/run/blsock
|
||||||
|
Socket to receive connection notifications.
|
||||||
|
.El
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr blacklistd.conf 5 ,
|
||||||
|
.Xr npfctl 8 ,
|
||||||
|
.Xr syslogd 8
|
||||||
|
.Sh HISTORY
|
||||||
|
.Nm
|
||||||
|
appeared in
|
||||||
|
.Nx 8
|
||||||
|
.Sh AUTHORS
|
||||||
|
.An Christos Zoulas
|
86
external/bsd/blacklist/bin/blacklistd.c
vendored
86
external/bsd/blacklist/bin/blacklistd.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: blacklistd.c,v 1.5 2015/01/20 00:52:15 christos Exp $ */
|
/* $NetBSD: blacklistd.c,v 1.6 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
@ -29,7 +29,7 @@
|
|||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*/
|
*/
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: blacklistd.c,v 1.5 2015/01/20 00:52:15 christos Exp $");
|
__RCSID("$NetBSD: blacklistd.c,v 1.6 2015/01/21 16:16:00 christos Exp $");
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
@ -87,11 +87,12 @@ sigdone(int n)
|
|||||||
{
|
{
|
||||||
done++;
|
done++;
|
||||||
}
|
}
|
||||||
|
|
||||||
static __dead void
|
static __dead void
|
||||||
usage(void)
|
usage(void)
|
||||||
{
|
{
|
||||||
fprintf(stderr, "Usage: %s -d [-c <config>] [-r <rulename>] "
|
fprintf(stderr, "Usage: %s [-df] [-c <config>] [-r <rulename>] "
|
||||||
"[-s <sockpath>] [-C <controlprog>] [-D <dbfile>]\n",
|
"[-s <sockpath>] [-C <controlprog>] [-D <dbfile>] [-t <timeout>]\n",
|
||||||
getprogname());
|
getprogname());
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
@ -161,15 +162,15 @@ process(bl_t bl)
|
|||||||
return;
|
return;
|
||||||
|
|
||||||
if (debug)
|
if (debug)
|
||||||
printf("got type=%d fd=[%d %d] msg=%s cred=[u=%lu, g=%lu]\n",
|
printf("got type=%d fd=%d msg=%s cred=[u=%lu, g=%lu]\n",
|
||||||
bi->bi_type, bi->bi_fd[0], bi->bi_fd[1], bi->bi_msg,
|
bi->bi_type, bi->bi_fd, bi->bi_msg,
|
||||||
(unsigned long)bi->bi_cred->sc_euid,
|
(unsigned long)bi->bi_cred.sc_euid,
|
||||||
(unsigned long)bi->bi_cred->sc_egid);
|
(unsigned long)bi->bi_cred.sc_egid);
|
||||||
|
|
||||||
if (findconf(bi, &c) == NULL)
|
if (conf_find(bi->bi_fd, bi->bi_cred.sc_euid, &c) == NULL)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
rfd = bi->bi_fd[1];
|
rfd = bi->bi_fd;
|
||||||
rsl = sizeof(rss);
|
rsl = sizeof(rss);
|
||||||
memset(&rss, 0, rsl);
|
memset(&rss, 0, rsl);
|
||||||
if (getpeername(rfd, (void *)&rss, &rsl) == -1) {
|
if (getpeername(rfd, (void *)&rss, &rsl) == -1) {
|
||||||
@ -192,15 +193,20 @@ process(bl_t bl)
|
|||||||
case BL_ADD:
|
case BL_ADD:
|
||||||
dbi.count++;
|
dbi.count++;
|
||||||
dbi.last = ts.tv_sec;
|
dbi.last = ts.tv_sec;
|
||||||
if (dbi.id != -1) {
|
if (dbi.id[0]) {
|
||||||
(*lfun)(LOG_ERR, "rule exists %d", dbi.id);
|
(*lfun)(LOG_ERR, "rule exists %s", dbi.id);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if (dbi.count >= c.c_nfail) {
|
if (dbi.count >= c.c_nfail) {
|
||||||
int res = run_add(c.c_proto, (in_port_t)c.c_port, &rss);
|
int res = run_add(c.c_proto, (in_port_t)c.c_port, &rss,
|
||||||
|
dbi.id, sizeof(dbi.id));
|
||||||
if (res == -1)
|
if (res == -1)
|
||||||
goto out;
|
goto out;
|
||||||
dbi.id = res;
|
sockaddr_snprintf(rbuf, sizeof(rbuf), "%a",
|
||||||
|
(void *)&rss);
|
||||||
|
syslog(LOG_INFO, "Blocked %s at port %d for %d seconds",
|
||||||
|
rbuf, c.c_port, c.c_duration);
|
||||||
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case BL_DELETE:
|
case BL_DELETE:
|
||||||
@ -214,8 +220,7 @@ process(bl_t bl)
|
|||||||
if (state_put(state, &rss, &c, &dbi) == -1)
|
if (state_put(state, &rss, &c, &dbi) == -1)
|
||||||
goto out;
|
goto out;
|
||||||
out:
|
out:
|
||||||
close(bi->bi_fd[0]);
|
close(bi->bi_fd);
|
||||||
close(bi->bi_fd[1]);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@ -226,6 +231,7 @@ update(void)
|
|||||||
struct conf c;
|
struct conf c;
|
||||||
struct dbinfo dbi;
|
struct dbinfo dbi;
|
||||||
unsigned int f, n;
|
unsigned int f, n;
|
||||||
|
char buf[128];
|
||||||
|
|
||||||
if (clock_gettime(CLOCK_REALTIME, &ts) == -1) {
|
if (clock_gettime(CLOCK_REALTIME, &ts) == -1) {
|
||||||
(*lfun)(LOG_ERR, "clock_gettime failed (%m)");
|
(*lfun)(LOG_ERR, "clock_gettime failed (%m)");
|
||||||
@ -237,18 +243,23 @@ update(void)
|
|||||||
{
|
{
|
||||||
time_t when = c.c_duration + dbi.last;
|
time_t when = c.c_duration + dbi.last;
|
||||||
if (debug) {
|
if (debug) {
|
||||||
char buf[128], b1[64], b2[64];
|
char b1[64], b2[64];
|
||||||
sockaddr_snprintf(buf, sizeof(buf), "%a:%p",
|
sockaddr_snprintf(buf, sizeof(buf), "%a:%p",
|
||||||
(void *)&ss);
|
(void *)&ss);
|
||||||
printf("%s:[%u] %s count=%d duration=%d exp=%s "
|
printf("%s:[%u] %s count=%d duration=%d last=%s "
|
||||||
"now=%s\n", __func__, n, buf, dbi.count,
|
"now=%s\n", __func__, n, buf, dbi.count,
|
||||||
c.c_duration, fmttime(b1, sizeof(b1), when),
|
c.c_duration, fmttime(b1, sizeof(b1), dbi.last),
|
||||||
fmttime(b2, sizeof(b2), ts.tv_sec));
|
fmttime(b2, sizeof(b2), ts.tv_sec));
|
||||||
}
|
}
|
||||||
if (when >= ts.tv_sec)
|
if (c.c_duration == -1 || when >= ts.tv_sec)
|
||||||
continue;
|
continue;
|
||||||
if (dbi.id != -1)
|
if (dbi.id[0]) {
|
||||||
run_rem(dbi.id);
|
run_rem(dbi.id);
|
||||||
|
sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&ss);
|
||||||
|
syslog(LOG_INFO,
|
||||||
|
"Released %s at port %d after %d seconds",
|
||||||
|
buf, c.c_port, c.c_duration);
|
||||||
|
}
|
||||||
state_del(state, &ss, &c);
|
state_del(state, &ss, &c);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -256,15 +267,17 @@ update(void)
|
|||||||
int
|
int
|
||||||
main(int argc, char *argv[])
|
main(int argc, char *argv[])
|
||||||
{
|
{
|
||||||
int c;
|
|
||||||
bl_t bl;
|
bl_t bl;
|
||||||
int tout;
|
int c, tout, flags, reset;
|
||||||
int flags = O_RDWR|O_EXCL|O_CLOEXEC;
|
const char *spath;
|
||||||
const char *spath = _PATH_BLSOCK;
|
|
||||||
|
|
||||||
setprogname(argv[0]);
|
setprogname(argv[0]);
|
||||||
|
|
||||||
while ((c = getopt(argc, argv, "C:c:D:ds:r:")) != -1) {
|
spath = _PATH_BLSOCK;
|
||||||
|
reset = 0;
|
||||||
|
tout = 0;
|
||||||
|
flags = O_RDWR|O_EXCL|O_CLOEXEC;
|
||||||
|
while ((c = getopt(argc, argv, "C:c:D:dfr:s:t:")) != -1) {
|
||||||
switch (c) {
|
switch (c) {
|
||||||
case 'C':
|
case 'C':
|
||||||
controlprog = optarg;
|
controlprog = optarg;
|
||||||
@ -278,12 +291,18 @@ main(int argc, char *argv[])
|
|||||||
case 'd':
|
case 'd':
|
||||||
debug++;
|
debug++;
|
||||||
break;
|
break;
|
||||||
|
case 'f':
|
||||||
|
reset++;
|
||||||
|
break;
|
||||||
case 'r':
|
case 'r':
|
||||||
rulename = optarg;
|
rulename = optarg;
|
||||||
break;
|
break;
|
||||||
case 's':
|
case 's':
|
||||||
spath = optarg;
|
spath = optarg;
|
||||||
break;
|
break;
|
||||||
|
case 't':
|
||||||
|
tout = atoi(optarg) * 1000;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
usage();
|
usage();
|
||||||
}
|
}
|
||||||
@ -296,15 +315,20 @@ main(int argc, char *argv[])
|
|||||||
|
|
||||||
if (debug) {
|
if (debug) {
|
||||||
lfun = dlog;
|
lfun = dlog;
|
||||||
tout = 5000;
|
if (tout == 0)
|
||||||
|
tout = 5000;
|
||||||
} else {
|
} else {
|
||||||
daemon(0, 0);
|
daemon(0, 0);
|
||||||
tout = 15000;
|
if (tout == 0)
|
||||||
|
tout = 15000;
|
||||||
}
|
}
|
||||||
|
|
||||||
run_flush();
|
if (reset) {
|
||||||
|
flags |= O_TRUNC;
|
||||||
|
run_flush();
|
||||||
|
}
|
||||||
|
|
||||||
bl = bl_create2(true, spath, lfun);
|
bl = bl_create(true, spath, lfun);
|
||||||
if (bl == NULL || !bl_isconnected(bl))
|
if (bl == NULL || !bl_isconnected(bl))
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
state = state_open(dbfile, flags, 0600);
|
state = state_open(dbfile, flags, 0600);
|
||||||
@ -319,7 +343,7 @@ main(int argc, char *argv[])
|
|||||||
while (!done) {
|
while (!done) {
|
||||||
if (rconf) {
|
if (rconf) {
|
||||||
rconf = 0;
|
rconf = 0;
|
||||||
parseconf(configfile);
|
conf_parse(configfile);
|
||||||
}
|
}
|
||||||
switch (poll(&pfd, 1, tout)) {
|
switch (poll(&pfd, 1, tout)) {
|
||||||
case -1:
|
case -1:
|
||||||
|
66
external/bsd/blacklist/bin/conf.c
vendored
66
external/bsd/blacklist/bin/conf.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: conf.c,v 1.2 2015/01/20 00:19:21 christos Exp $ */
|
/* $NetBSD: conf.c,v 1.3 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
@ -29,7 +29,7 @@
|
|||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*/
|
*/
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: conf.c,v 1.2 2015/01/20 00:19:21 christos Exp $");
|
__RCSID("$NetBSD: conf.c,v 1.3 2015/01/21 16:16:00 christos Exp $");
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
@ -213,7 +213,7 @@ getvalue(const char *f, size_t l, int *r, char **p,
|
|||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
parseconfline(const char *f, size_t l, char *p, struct conf *c)
|
conf_parseline(const char *f, size_t l, char *p, struct conf *c)
|
||||||
{
|
{
|
||||||
int e;
|
int e;
|
||||||
|
|
||||||
@ -237,7 +237,7 @@ parseconfline(const char *f, size_t l, char *p, struct conf *c)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
sortconf(const void *v1, const void *v2)
|
conf_sort(const void *v1, const void *v2)
|
||||||
{
|
{
|
||||||
const struct conf *c1 = v1;
|
const struct conf *c1 = v1;
|
||||||
const struct conf *c2 = v2;
|
const struct conf *c2 = v2;
|
||||||
@ -249,36 +249,51 @@ sortconf(const void *v1, const void *v2)
|
|||||||
CMP(c1, c2, c_proto);
|
CMP(c1, c2, c_proto);
|
||||||
CMP(c1, c2, c_family);
|
CMP(c1, c2, c_family);
|
||||||
CMP(c1, c2, c_uid);
|
CMP(c1, c2, c_uid);
|
||||||
|
#undef CMP
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static int
|
||||||
printconf(const char *pref, const struct conf *c)
|
conf_eq(const struct conf *c1, const struct conf *c2)
|
||||||
{
|
{
|
||||||
printf("%s%d\t%d\t%d\t%d\t%d\t%d\n", pref,
|
#define CMP(a, b, f) \
|
||||||
c->c_port, c->c_proto, c->c_family,
|
if ((a)->f != (b)->f && (b)->f != -1) return 0;
|
||||||
c->c_uid, c->c_nfail, c->c_duration);
|
CMP(c1, c2, c_port);
|
||||||
|
CMP(c1, c2, c_proto);
|
||||||
|
CMP(c1, c2, c_family);
|
||||||
|
CMP(c1, c2, c_uid);
|
||||||
|
#undef CMP
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
const char *
|
||||||
|
conf_print(char *buf, size_t len, const char *pref, const char *delim,
|
||||||
|
const struct conf *c)
|
||||||
|
{
|
||||||
|
snprintf(buf, len, "%s%d%s%d%s%d%s%d%s%d%s%d", pref,
|
||||||
|
c->c_port, delim, c->c_proto, delim, c->c_family, delim,
|
||||||
|
c->c_uid, delim, c->c_nfail, delim, c->c_duration);
|
||||||
|
return buf;
|
||||||
}
|
}
|
||||||
|
|
||||||
const struct conf *
|
const struct conf *
|
||||||
findconf(bl_info_t *bi, struct conf *cr)
|
conf_find(int fd, uid_t uid, struct conf *cr)
|
||||||
{
|
{
|
||||||
int lfd;
|
|
||||||
int proto;
|
int proto;
|
||||||
socklen_t slen;
|
socklen_t slen;
|
||||||
struct sockaddr_storage ss;
|
struct sockaddr_storage ss;
|
||||||
size_t i;
|
size_t i;
|
||||||
|
char buf[BUFSIZ];
|
||||||
|
|
||||||
lfd = bi->bi_fd[0];
|
|
||||||
slen = sizeof(ss);
|
slen = sizeof(ss);
|
||||||
memset(&ss, 0, slen);
|
memset(&ss, 0, slen);
|
||||||
if (getsockname(lfd, (void *)&ss, &slen) == -1) {
|
if (getsockname(fd, (void *)&ss, &slen) == -1) {
|
||||||
(*lfun)(LOG_ERR, "getsockname failed (%m)");
|
(*lfun)(LOG_ERR, "getsockname failed (%m)");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
slen = sizeof(proto);
|
slen = sizeof(proto);
|
||||||
if (getsockopt(lfd, SOL_SOCKET, SO_TYPE, &proto, &slen) == -1) {
|
if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &proto, &slen) == -1) {
|
||||||
(*lfun)(LOG_ERR, "getsockopt failed (%m)");
|
(*lfun)(LOG_ERR, "getsockopt failed (%m)");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -307,20 +322,23 @@ findconf(bl_info_t *bi, struct conf *cr)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
cr->c_uid = (int)bi->bi_cred->sc_euid;
|
cr->c_uid = (int)uid;
|
||||||
cr->c_family = ss.ss_family;
|
cr->c_family = ss.ss_family;
|
||||||
cr->c_nfail = -1;
|
cr->c_nfail = -1;
|
||||||
cr->c_duration = -1;
|
cr->c_duration = -1;
|
||||||
|
|
||||||
if (debug)
|
if (debug)
|
||||||
printconf("look:\t", cr);
|
printf("%s\n", conf_print(buf, sizeof(buf),
|
||||||
|
"look:\t", "\t", cr));
|
||||||
|
|
||||||
for (i = 0; i < nconf; i++) {
|
for (i = 0; i < nconf; i++) {
|
||||||
if (debug)
|
if (debug)
|
||||||
printconf("check:\t", &conf[i]);
|
printf("%s\n", conf_print(buf, sizeof(buf), "check:\t",
|
||||||
if (sortconf(cr, &conf[i]) == 0) {
|
"\t", &conf[i]));
|
||||||
|
if (conf_eq(cr, &conf[i])) {
|
||||||
if (debug)
|
if (debug)
|
||||||
printconf("found: ", &conf[i]);
|
printf("%s\n", conf_print(buf, sizeof(buf),
|
||||||
|
"found:\t", "\t", &conf[i]));
|
||||||
cr->c_nfail = conf[i].c_nfail;
|
cr->c_nfail = conf[i].c_nfail;
|
||||||
cr->c_duration = conf[i].c_duration;
|
cr->c_duration = conf[i].c_duration;
|
||||||
return cr;
|
return cr;
|
||||||
@ -333,7 +351,7 @@ findconf(bl_info_t *bi, struct conf *cr)
|
|||||||
|
|
||||||
|
|
||||||
void
|
void
|
||||||
parseconf(const char *f)
|
conf_parse(const char *f)
|
||||||
{
|
{
|
||||||
FILE *fp;
|
FILE *fp;
|
||||||
char *line;
|
char *line;
|
||||||
@ -361,12 +379,12 @@ parseconf(const char *f)
|
|||||||
}
|
}
|
||||||
c = tc;
|
c = tc;
|
||||||
}
|
}
|
||||||
if (parseconfline(f, lineno, line, &c[nc]) == -1)
|
if (conf_parseline(f, lineno, line, &c[nc]) == -1)
|
||||||
continue;
|
continue;
|
||||||
nc++;
|
nc++;
|
||||||
}
|
}
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
qsort(c, nc, sizeof(*c), sortconf);
|
qsort(c, nc, sizeof(*c), conf_sort);
|
||||||
|
|
||||||
tc = conf;
|
tc = conf;
|
||||||
nconf = nc;
|
nconf = nc;
|
||||||
@ -374,8 +392,10 @@ parseconf(const char *f)
|
|||||||
free(tc);
|
free(tc);
|
||||||
|
|
||||||
if (debug) {
|
if (debug) {
|
||||||
|
char buf[BUFSIZ];
|
||||||
printf("port\ttype\tproto\towner\tnfail\tduration\n");
|
printf("port\ttype\tproto\towner\tnfail\tduration\n");
|
||||||
for (nc = 0; nc < nconf; nc++)
|
for (nc = 0; nc < nconf; nc++)
|
||||||
printconf("", &c[nc]);
|
printf("%s\n",
|
||||||
|
conf_print(buf, sizeof(buf), "", "\t", &c[nc]));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
10
external/bsd/blacklist/bin/conf.h
vendored
10
external/bsd/blacklist/bin/conf.h
vendored
@ -1,7 +1,7 @@
|
|||||||
/* $NetBSD: conf.h,v 1.3 2015/01/20 00:19:21 christos Exp $ */
|
/* $NetBSD: conf.h,v 1.4 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* This code is derived from software contributed to The NetBSD Foundation
|
* This code is derived from software contributed to The NetBSD Foundation
|
||||||
@ -41,8 +41,10 @@ struct conf {
|
|||||||
};
|
};
|
||||||
|
|
||||||
__BEGIN_DECLS
|
__BEGIN_DECLS
|
||||||
void parseconf(const char *);
|
const char *conf_print(char *, size_t, const char *, const char *,
|
||||||
const struct conf *findconf(bl_info_t *, struct conf *);
|
const struct conf *);
|
||||||
|
void conf_parse(const char *);
|
||||||
|
const struct conf *conf_find(int, uid_t, struct conf *);
|
||||||
__END_DECLS
|
__END_DECLS
|
||||||
|
|
||||||
#endif /* _CONF_H */
|
#endif /* _CONF_H */
|
||||||
|
6
external/bsd/blacklist/bin/internal.h
vendored
6
external/bsd/blacklist/bin/internal.h
vendored
@ -1,7 +1,7 @@
|
|||||||
/* $NetBSD: internal.h,v 1.4 2015/01/20 00:19:21 christos Exp $ */
|
/* $NetBSD: internal.h,v 1.5 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* This code is derived from software contributed to The NetBSD Foundation
|
* This code is derived from software contributed to The NetBSD Foundation
|
||||||
@ -33,7 +33,7 @@
|
|||||||
|
|
||||||
#define _PATH_BLCONF "/etc/blacklistd/conf"
|
#define _PATH_BLCONF "/etc/blacklistd/conf"
|
||||||
#define _PATH_BLCONTROL "/etc/blacklistd/control"
|
#define _PATH_BLCONTROL "/etc/blacklistd/control"
|
||||||
#define _PATH_BLSTATE "/var/run/blacklistd.db"
|
#define _PATH_BLSTATE "/var/db/blacklistd.db"
|
||||||
|
|
||||||
struct conf *conf;
|
struct conf *conf;
|
||||||
size_t nconf;
|
size_t nconf;
|
||||||
|
22
external/bsd/blacklist/bin/run.c
vendored
22
external/bsd/blacklist/bin/run.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: run.c,v 1.2 2015/01/20 00:52:15 christos Exp $ */
|
/* $NetBSD: run.c,v 1.3 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
@ -29,7 +29,7 @@
|
|||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*/
|
*/
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: run.c,v 1.2 2015/01/20 00:52:15 christos Exp $");
|
__RCSID("$NetBSD: run.c,v 1.3 2015/01/21 16:16:00 christos Exp $");
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <util.h>
|
#include <util.h>
|
||||||
@ -93,11 +93,11 @@ run_flush(void)
|
|||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
run_add(int proto, in_port_t port, const struct sockaddr_storage *ss)
|
run_add(int proto, in_port_t port, const struct sockaddr_storage *ss,
|
||||||
|
char *id, size_t len)
|
||||||
{
|
{
|
||||||
const char *prname;
|
const char *prname;
|
||||||
char poname[64], adname[128], *rv;
|
char poname[64], adname[128], *rv;
|
||||||
int id, e;
|
|
||||||
size_t off;
|
size_t off;
|
||||||
|
|
||||||
switch (proto) {
|
switch (proto) {
|
||||||
@ -120,19 +120,13 @@ run_add(int proto, in_port_t port, const struct sockaddr_storage *ss)
|
|||||||
return -1;
|
return -1;
|
||||||
rv[strcspn(rv, "\n")] = '\0';
|
rv[strcspn(rv, "\n")] = '\0';
|
||||||
off = strncmp(rv, "OK ", 3) == 0 ? 3 : 0;
|
off = strncmp(rv, "OK ", 3) == 0 ? 3 : 0;
|
||||||
id = (int)strtoi(rv + off, NULL, 0, 0, INT_MAX, &e);
|
strlcpy(id, rv + off, len);
|
||||||
if (e) {
|
|
||||||
(*lfun)(LOG_ERR, "%s: bad number %s (%m)", __func__, rv);
|
|
||||||
id = -1;
|
|
||||||
}
|
|
||||||
free(rv);
|
free(rv);
|
||||||
return id;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
run_rem(int id)
|
run_rem(const char *id)
|
||||||
{
|
{
|
||||||
char buf[64];
|
free(run("rem", id, NULL));
|
||||||
snprintf(buf, sizeof(buf), "%d", id);
|
|
||||||
free(run("rem", buf, NULL));
|
|
||||||
}
|
}
|
||||||
|
8
external/bsd/blacklist/bin/run.h
vendored
8
external/bsd/blacklist/bin/run.h
vendored
@ -1,7 +1,7 @@
|
|||||||
/* $NetBSD: run.h,v 1.1 2015/01/20 00:19:21 christos Exp $ */
|
/* $NetBSD: run.h,v 1.2 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* This code is derived from software contributed to The NetBSD Foundation
|
* This code is derived from software contributed to The NetBSD Foundation
|
||||||
@ -34,8 +34,8 @@
|
|||||||
__BEGIN_DECLS
|
__BEGIN_DECLS
|
||||||
void run_flush(void);
|
void run_flush(void);
|
||||||
struct sockaddr_storage;
|
struct sockaddr_storage;
|
||||||
int run_add(int, in_port_t, const struct sockaddr_storage *);
|
int run_add(int, in_port_t, const struct sockaddr_storage *, char *, size_t);
|
||||||
void run_rem(int id);
|
void run_rem(const char *);
|
||||||
__END_DECLS
|
__END_DECLS
|
||||||
|
|
||||||
#endif /* _RUN_H */
|
#endif /* _RUN_H */
|
||||||
|
9
external/bsd/blacklist/bin/state.c
vendored
9
external/bsd/blacklist/bin/state.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: state.c,v 1.2 2015/01/20 00:52:15 christos Exp $ */
|
/* $NetBSD: state.c,v 1.3 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
@ -30,7 +30,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: state.c,v 1.2 2015/01/20 00:52:15 christos Exp $");
|
__RCSID("$NetBSD: state.c,v 1.3 2015/01/21 16:16:00 christos Exp $");
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
@ -161,10 +161,9 @@ state_get(DB *db, const struct sockaddr_storage *ss, const struct conf *c,
|
|||||||
switch (rv = (*db->get)(db, &k, &v, 0)) {
|
switch (rv = (*db->get)(db, &k, &v, 0)) {
|
||||||
case 0:
|
case 0:
|
||||||
case 1:
|
case 1:
|
||||||
if (rv) {
|
if (rv)
|
||||||
memset(dbi, 0, sizeof(*dbi));
|
memset(dbi, 0, sizeof(*dbi));
|
||||||
dbi->id = -1;
|
else
|
||||||
} else
|
|
||||||
memcpy(dbi, v.data, sizeof(*dbi));
|
memcpy(dbi, v.data, sizeof(*dbi));
|
||||||
if (debug)
|
if (debug)
|
||||||
printf("%s: returns %d\n", __func__, rv);
|
printf("%s: returns %d\n", __func__, rv);
|
||||||
|
6
external/bsd/blacklist/bin/state.h
vendored
6
external/bsd/blacklist/bin/state.h
vendored
@ -1,7 +1,7 @@
|
|||||||
/* $NetBSD: state.h,v 1.1 2015/01/20 00:19:21 christos Exp $ */
|
/* $NetBSD: state.h,v 1.2 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
* Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
* This code is derived from software contributed to The NetBSD Foundation
|
* This code is derived from software contributed to The NetBSD Foundation
|
||||||
@ -37,7 +37,7 @@
|
|||||||
struct dbinfo {
|
struct dbinfo {
|
||||||
int count;
|
int count;
|
||||||
time_t last;
|
time_t last;
|
||||||
int id;
|
char id[64];
|
||||||
};
|
};
|
||||||
|
|
||||||
__BEGIN_DECLS
|
__BEGIN_DECLS
|
||||||
|
10
external/bsd/blacklist/include/Makefile
vendored
Normal file
10
external/bsd/blacklist/include/Makefile
vendored
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
# $NetBSD: Makefile,v 1.1 2015/01/21 16:16:00 christos Exp $
|
||||||
|
|
||||||
|
# Doing a make includes builds /usr/include
|
||||||
|
|
||||||
|
NOOBJ= # defined
|
||||||
|
|
||||||
|
INCS= blacklist.h
|
||||||
|
INCSDIR= /usr/include
|
||||||
|
|
||||||
|
.include <bsd.prog.mk>
|
29
external/bsd/blacklist/include/bl.h
vendored
29
external/bsd/blacklist/include/bl.h
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: bl.h,v 1.6 2015/01/20 00:52:15 christos Exp $ */
|
/* $NetBSD: bl.h,v 1.7 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
||||||
@ -31,23 +31,44 @@
|
|||||||
#ifndef _BL_H
|
#ifndef _BL_H
|
||||||
#define _BL_H
|
#define _BL_H
|
||||||
|
|
||||||
|
#include <stdbool.h>
|
||||||
|
#include <sys/param.h>
|
||||||
|
#include <sys/socket.h>
|
||||||
#include "blacklist.h"
|
#include "blacklist.h"
|
||||||
|
|
||||||
struct sockcred;
|
struct sockcred;
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
BL_INVALID,
|
||||||
|
BL_ADD,
|
||||||
|
BL_DELETE
|
||||||
|
} bl_type_t;
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
bl_type_t bi_type;
|
bl_type_t bi_type;
|
||||||
int *bi_fd;
|
int bi_fd;
|
||||||
struct sockcred *bi_cred;
|
union {
|
||||||
|
char bi_space[SOCKCREDSIZE(NGROUPS_MAX)];
|
||||||
|
struct sockcred _bi_cred;
|
||||||
|
} bi_u;
|
||||||
char bi_msg[1024];
|
char bi_msg[1024];
|
||||||
} bl_info_t;
|
} bl_info_t;
|
||||||
|
|
||||||
|
#define bi_cred bi_u._bi_cred
|
||||||
|
|
||||||
#define _PATH_BLSOCK "/var/run/blsock"
|
#define _PATH_BLSOCK "/var/run/blsock"
|
||||||
|
|
||||||
__BEGIN_DECLS
|
__BEGIN_DECLS
|
||||||
bl_t bl_create2(bool, const char *, void (*)(int, const char *, ...));
|
|
||||||
|
typedef struct blacklist *bl_t;
|
||||||
|
|
||||||
|
bl_t bl_create(bool, const char *, void (*)(int, const char *, ...));
|
||||||
|
void bl_destroy(bl_t);
|
||||||
|
int bl_send(bl_t, bl_type_t, int, const char *);
|
||||||
|
int bl_getfd(bl_t);
|
||||||
bl_info_t *bl_recv(bl_t);
|
bl_info_t *bl_recv(bl_t);
|
||||||
bool bl_isconnected(bl_t);
|
bool bl_isconnected(bl_t);
|
||||||
|
|
||||||
__END_DECLS
|
__END_DECLS
|
||||||
|
|
||||||
#endif /* _BL_H */
|
#endif /* _BL_H */
|
||||||
|
42
external/bsd/blacklist/include/blacklist.h
vendored
Normal file
42
external/bsd/blacklist/include/blacklist.h
vendored
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
/* $NetBSD: blacklist.h,v 1.1 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
|
/*-
|
||||||
|
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* This code is derived from software contributed to The NetBSD Foundation
|
||||||
|
* by Christos Zoulas.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
||||||
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
||||||
|
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||||
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
||||||
|
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||||
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||||
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||||
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||||
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
#ifndef _BLACKLIST_H
|
||||||
|
#define _BLACKLIST_H
|
||||||
|
|
||||||
|
__BEGIN_DECLS
|
||||||
|
struct blacklist;
|
||||||
|
int blacklist(int, int, const char *);
|
||||||
|
int blacklist_r(struct blacklist *, int, int, const char *);
|
||||||
|
struct blacklist *blacklist_open(void);
|
||||||
|
void blacklist_close(struct blacklist *);
|
||||||
|
__END_DECLS
|
||||||
|
|
||||||
|
#endif /* _BLACKLIST_H */
|
11
external/bsd/blacklist/lib/Makefile
vendored
Normal file
11
external/bsd/blacklist/lib/Makefile
vendored
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# $NetBSD: Makefile,v 1.1 2015/01/21 16:16:00 christos Exp $
|
||||||
|
|
||||||
|
LIB=blacklist
|
||||||
|
SRCS=bl.c blacklist.c
|
||||||
|
MAN=libblacklist.3
|
||||||
|
MLINKS+=libblacklist.3 blacklist_open.3
|
||||||
|
MLINKS+=libblacklist.3 blacklist_close.3
|
||||||
|
MLINKS+=libblacklist.3 blacklist.3
|
||||||
|
MLINKS+=libblacklist.3 blacklist_r.3
|
||||||
|
|
||||||
|
.include <bsd.lib.mk>
|
66
external/bsd/blacklist/lib/bl.c
vendored
66
external/bsd/blacklist/lib/bl.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: bl.c,v 1.7 2015/01/20 00:52:15 christos Exp $ */
|
/* $NetBSD: bl.c,v 1.8 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
||||||
@ -29,7 +29,7 @@
|
|||||||
* POSSIBILITY OF SUCH DAMAGE.
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
*/
|
*/
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: bl.c,v 1.7 2015/01/20 00:52:15 christos Exp $");
|
__RCSID("$NetBSD: bl.c,v 1.8 2015/01/21 16:16:00 christos Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -56,7 +56,7 @@ typedef struct {
|
|||||||
struct blacklist {
|
struct blacklist {
|
||||||
int b_fd;
|
int b_fd;
|
||||||
int b_connected;
|
int b_connected;
|
||||||
const char *b_path;
|
char b_path[MAXPATHLEN];
|
||||||
void (*b_fun)(int, const char *, ...);
|
void (*b_fun)(int, const char *, ...);
|
||||||
bl_info_t b_info;
|
bl_info_t b_info;
|
||||||
};
|
};
|
||||||
@ -125,7 +125,7 @@ bl_init(bl_t b, bool srv)
|
|||||||
|
|
||||||
b->b_connected = true;
|
b->b_connected = true;
|
||||||
if (setsockopt(b->b_fd, 0, LOCAL_CREDS,
|
if (setsockopt(b->b_fd, 0, LOCAL_CREDS,
|
||||||
&one, sizeof(one)) == -1) {
|
&one, (socklen_t)sizeof(one)) == -1) {
|
||||||
(*b->b_fun)(LOG_ERR, "%s: setsockopt LOCAL_CREDS "
|
(*b->b_fun)(LOG_ERR, "%s: setsockopt LOCAL_CREDS "
|
||||||
"failed (%m)", __func__);
|
"failed (%m)", __func__);
|
||||||
goto out;
|
goto out;
|
||||||
@ -144,63 +144,38 @@ out:
|
|||||||
}
|
}
|
||||||
|
|
||||||
bl_t
|
bl_t
|
||||||
bl_create2(bool srv, const char *path, void (*fun)(int, const char *, ...))
|
bl_create(bool srv, const char *path, void (*fun)(int, const char *, ...))
|
||||||
{
|
{
|
||||||
bl_t b = malloc(sizeof(*b));
|
bl_t b = calloc(1, sizeof(*b));
|
||||||
bl_info_t *bi;
|
|
||||||
if (b == NULL)
|
if (b == NULL)
|
||||||
goto out;
|
goto out;
|
||||||
bi = &b->b_info;
|
|
||||||
bi->bi_fd = malloc(2 * sizeof(int));
|
|
||||||
if (bi->bi_fd == NULL)
|
|
||||||
goto out1;
|
|
||||||
bi->bi_cred = malloc(SOCKCREDSIZE(NGROUPS_MAX));
|
|
||||||
if (bi->bi_cred == NULL)
|
|
||||||
goto out2;
|
|
||||||
|
|
||||||
b->b_fun = fun == NULL ? syslog : fun;
|
b->b_fun = fun == NULL ? syslog : fun;
|
||||||
b->b_fd = -1;
|
b->b_fd = -1;
|
||||||
b->b_path = strdup(path ? path : _PATH_BLSOCK);
|
strlcpy(b->b_path, path ? path : _PATH_BLSOCK, MAXPATHLEN);
|
||||||
if (b->b_path == NULL)
|
|
||||||
goto out3;
|
|
||||||
b->b_connected = false;
|
b->b_connected = false;
|
||||||
bl_init(b, srv);
|
bl_init(b, srv);
|
||||||
return b;
|
return b;
|
||||||
out3:
|
|
||||||
free(bi->bi_cred);
|
|
||||||
out2:
|
|
||||||
free(bi->bi_fd);
|
|
||||||
out1:
|
|
||||||
free(b);
|
|
||||||
out:
|
out:
|
||||||
|
free(b);
|
||||||
(*fun)(LOG_ERR, "%s: malloc failed (%m)", __func__);
|
(*fun)(LOG_ERR, "%s: malloc failed (%m)", __func__);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
bl_t
|
|
||||||
bl_create(void)
|
|
||||||
{
|
|
||||||
return bl_create2(false, NULL, NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
void
|
void
|
||||||
bl_destroy(bl_t b)
|
bl_destroy(bl_t b)
|
||||||
{
|
{
|
||||||
bl_reset(b);
|
bl_reset(b);
|
||||||
free(__UNCONST(b->b_path));
|
|
||||||
free(b->b_info.bi_cred);
|
|
||||||
free(b->b_info.bi_fd);
|
|
||||||
free(b);
|
free(b);
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
bl_send(bl_t b, bl_type_t e, int lfd, int pfd, const char *ctx)
|
bl_send(bl_t b, bl_type_t e, int pfd, const char *ctx)
|
||||||
{
|
{
|
||||||
struct msghdr msg;
|
struct msghdr msg;
|
||||||
struct iovec iov;
|
struct iovec iov;
|
||||||
union {
|
union {
|
||||||
char ctrl[CMSG_SPACE(2 * sizeof(int))];
|
char ctrl[CMSG_SPACE(sizeof(int))];
|
||||||
uint32_t fd[2];
|
uint32_t fd;
|
||||||
} ua;
|
} ua;
|
||||||
struct cmsghdr *cmsg;
|
struct cmsghdr *cmsg;
|
||||||
union {
|
union {
|
||||||
@ -231,13 +206,12 @@ bl_send(bl_t b, bl_type_t e, int lfd, int pfd, const char *ctx)
|
|||||||
msg.msg_controllen = sizeof(ua.ctrl);
|
msg.msg_controllen = sizeof(ua.ctrl);
|
||||||
|
|
||||||
cmsg = CMSG_FIRSTHDR(&msg);
|
cmsg = CMSG_FIRSTHDR(&msg);
|
||||||
cmsg->cmsg_len = CMSG_LEN(2 * sizeof(int));
|
cmsg->cmsg_len = CMSG_LEN(sizeof(int));
|
||||||
cmsg->cmsg_level = SOL_SOCKET;
|
cmsg->cmsg_level = SOL_SOCKET;
|
||||||
cmsg->cmsg_type = SCM_RIGHTS;
|
cmsg->cmsg_type = SCM_RIGHTS;
|
||||||
|
|
||||||
fd = (void *)CMSG_DATA(cmsg);
|
fd = CMSG_DATA(cmsg);
|
||||||
fd[0] = lfd;
|
*fd = pfd;
|
||||||
fd[1] = pfd;
|
|
||||||
|
|
||||||
tried = 0;
|
tried = 0;
|
||||||
again:
|
again:
|
||||||
@ -257,9 +231,9 @@ bl_recv(bl_t b)
|
|||||||
struct msghdr msg;
|
struct msghdr msg;
|
||||||
struct iovec iov;
|
struct iovec iov;
|
||||||
union {
|
union {
|
||||||
char ctrl[CMSG_SPACE(2 * sizeof(int)) +
|
char ctrl[CMSG_SPACE(sizeof(int)) +
|
||||||
CMSG_SPACE(SOCKCREDSIZE(NGROUPS_MAX))];
|
CMSG_SPACE(SOCKCREDSIZE(NGROUPS_MAX))];
|
||||||
uint32_t fd[2];
|
uint32_t fd;
|
||||||
struct sockcred sc;
|
struct sockcred sc;
|
||||||
} ua;
|
} ua;
|
||||||
struct cmsghdr *cmsg;
|
struct cmsghdr *cmsg;
|
||||||
@ -297,21 +271,21 @@ bl_recv(bl_t b)
|
|||||||
}
|
}
|
||||||
switch (cmsg->cmsg_type) {
|
switch (cmsg->cmsg_type) {
|
||||||
case SCM_RIGHTS:
|
case SCM_RIGHTS:
|
||||||
if (cmsg->cmsg_len != CMSG_LEN(2 * sizeof(int))) {
|
if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) {
|
||||||
(*b->b_fun)(LOG_ERR,
|
(*b->b_fun)(LOG_ERR,
|
||||||
"%s: unexpected cmsg_len %d != %zu",
|
"%s: unexpected cmsg_len %d != %zu",
|
||||||
__func__, cmsg->cmsg_len,
|
__func__, cmsg->cmsg_len,
|
||||||
CMSG_LEN(2 * sizeof(int)));
|
CMSG_LEN(2 * sizeof(int)));
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
fd = (void *)CMSG_DATA(cmsg);
|
fd = CMSG_DATA(cmsg);
|
||||||
memcpy(bi->bi_fd, fd, sizeof(*bi->bi_fd) * 2);
|
bi->bi_fd = *fd;
|
||||||
break;
|
break;
|
||||||
case SCM_CREDS:
|
case SCM_CREDS:
|
||||||
sc = (void *)CMSG_DATA(cmsg);
|
sc = (void *)CMSG_DATA(cmsg);
|
||||||
if (sc->sc_ngroups > NGROUPS_MAX)
|
if (sc->sc_ngroups > NGROUPS_MAX)
|
||||||
sc->sc_ngroups = NGROUPS_MAX;
|
sc->sc_ngroups = NGROUPS_MAX;
|
||||||
memcpy(bi->bi_cred, sc, SOCKCREDSIZE(sc->sc_ngroups));
|
memcpy(&bi->bi_cred, sc, SOCKCREDSIZE(sc->sc_ngroups));
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
(*b->b_fun)(LOG_ERR, "%s: unexpected cmsg_type %d",
|
(*b->b_fun)(LOG_ERR, "%s: unexpected cmsg_type %d",
|
||||||
|
101
external/bsd/blacklist/lib/blacklist.c
vendored
Normal file
101
external/bsd/blacklist/lib/blacklist.c
vendored
Normal file
@ -0,0 +1,101 @@
|
|||||||
|
/* $NetBSD: blacklist.c,v 1.1 2015/01/21 16:16:00 christos Exp $ */
|
||||||
|
|
||||||
|
/*-
|
||||||
|
* Copyright (c) 2014 The NetBSD Foundation, Inc.
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* This code is derived from software contributed to The NetBSD Foundation
|
||||||
|
* by Christos Zoulas.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
||||||
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
||||||
|
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||||
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
||||||
|
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||||
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||||
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||||
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||||
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
#include <sys/cdefs.h>
|
||||||
|
__RCSID("$NetBSD: blacklist.c,v 1.1 2015/01/21 16:16:00 christos Exp $");
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <bl.h>
|
||||||
|
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <errno.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
static const char *
|
||||||
|
expandm(char *buf, size_t len, const char *fmt)
|
||||||
|
{
|
||||||
|
char *p;
|
||||||
|
size_t r;
|
||||||
|
|
||||||
|
if ((p = strstr(fmt, "%m")) == NULL)
|
||||||
|
return fmt;
|
||||||
|
|
||||||
|
r = (size_t)(p - fmt);
|
||||||
|
if (r >= len)
|
||||||
|
return fmt;
|
||||||
|
|
||||||
|
strlcpy(buf, fmt, r + 1);
|
||||||
|
strlcat(buf, strerror(errno), len);
|
||||||
|
strlcat(buf, fmt + r + 2, len);
|
||||||
|
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
dlog(int level, const char *fmt, ...)
|
||||||
|
{
|
||||||
|
char buf[BUFSIZ];
|
||||||
|
va_list ap;
|
||||||
|
|
||||||
|
fprintf(stderr, "%s: ", getprogname());
|
||||||
|
va_start(ap, fmt);
|
||||||
|
vfprintf(stderr, expandm(buf, sizeof(buf), fmt), ap);
|
||||||
|
va_end(ap);
|
||||||
|
fprintf(stderr, "\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
blacklist(int action, int rfd, const char *msg)
|
||||||
|
{
|
||||||
|
struct blacklist *bl;
|
||||||
|
int rv;
|
||||||
|
if ((bl = blacklist_open()) == NULL)
|
||||||
|
return -1;
|
||||||
|
rv = blacklist_r(bl, action, rfd, msg);
|
||||||
|
blacklist_close(bl);
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
blacklist_r(struct blacklist *bl, int action, int rfd, const char *msg)
|
||||||
|
{
|
||||||
|
return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
struct blacklist *
|
||||||
|
blacklist_open(void) {
|
||||||
|
return bl_create(false, NULL, dlog);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
blacklist_close(struct blacklist *bl)
|
||||||
|
{
|
||||||
|
bl_destroy(bl);
|
||||||
|
}
|
110
external/bsd/blacklist/lib/libblacklist.3
vendored
Normal file
110
external/bsd/blacklist/lib/libblacklist.3
vendored
Normal file
@ -0,0 +1,110 @@
|
|||||||
|
.\" $NetBSD: libblacklist.3,v 1.1 2015/01/21 16:16:00 christos Exp $
|
||||||
|
.\"
|
||||||
|
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
|
||||||
|
.\" All rights reserved.
|
||||||
|
.\"
|
||||||
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
||||||
|
.\" by Christos Zoulas.
|
||||||
|
.\"
|
||||||
|
.\" Redistribution and use in source and binary forms, with or without
|
||||||
|
.\" modification, are permitted provided that the following conditions
|
||||||
|
.\" are met:
|
||||||
|
.\" 1. Redistributions of source code must retain the above copyright
|
||||||
|
.\" notice, this list of conditions and the following disclaimer.
|
||||||
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
.\" notice, this list of conditions and the following disclaimer in the
|
||||||
|
.\" documentation and/or other materials provided with the distribution.
|
||||||
|
.\"
|
||||||
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
||||||
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
||||||
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||||
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
||||||
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||||
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||||
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||||
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||||
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
.\"
|
||||||
|
.Dd January 19, 2016
|
||||||
|
.Dt LIBBLACKLIST 3
|
||||||
|
.Os
|
||||||
|
.Sh NAME
|
||||||
|
.Nm blacklist_open ,
|
||||||
|
.Nm blacklist_close ,
|
||||||
|
.Nm blacklist_r ,
|
||||||
|
.Nm blacklist
|
||||||
|
.Nd Blacklistd notification library
|
||||||
|
.Sh LIBRARY
|
||||||
|
.Lb libblacklist
|
||||||
|
.Sh SYNOPSIS
|
||||||
|
.In blacklist.h
|
||||||
|
.Ft struct blacklist *
|
||||||
|
.Fn blacklist_open "void"
|
||||||
|
.Ft void
|
||||||
|
.Fn blacklist_close "struct blacklist *cookie"
|
||||||
|
.Ft int
|
||||||
|
.Fn blacklist "int action" "int fd" "const char *msg"
|
||||||
|
.Fn blacklist_r "struct blacklist cookie" "int action" "int fd" "const char *msg"
|
||||||
|
.Sh DESCRIPTION
|
||||||
|
These functions can be used by daemons to notify
|
||||||
|
.Xr blacklistd 8
|
||||||
|
about successful and failed remote connections so that blacklistd can
|
||||||
|
block or release port access to prevent Denial of Service attacks.
|
||||||
|
.Pp
|
||||||
|
The function
|
||||||
|
.Fn blacklist_open
|
||||||
|
creates a the necessary state to communicate with
|
||||||
|
.Xr blacklistd 8
|
||||||
|
and returns a pointer to it, or
|
||||||
|
.Dv NULL
|
||||||
|
on failure.
|
||||||
|
.Pp
|
||||||
|
The
|
||||||
|
.Fn blacklist_close
|
||||||
|
function frees all memory and resources used.
|
||||||
|
.Pp
|
||||||
|
The
|
||||||
|
.Fn blacklist
|
||||||
|
function sends a message to
|
||||||
|
.Xr blacklistd 8 ,
|
||||||
|
with an
|
||||||
|
.Ar action
|
||||||
|
argument specifying
|
||||||
|
.Dv 1
|
||||||
|
for a failed connection or
|
||||||
|
.Dv 0
|
||||||
|
for a successful connection,
|
||||||
|
a file descriptor
|
||||||
|
.Ar fd
|
||||||
|
specifying the accepted file descriptor connected to the client,
|
||||||
|
and an optional message in the
|
||||||
|
.Ar msg
|
||||||
|
argument.
|
||||||
|
.Pp
|
||||||
|
The
|
||||||
|
.Fn blacklist_r
|
||||||
|
function is more efficient because it keeps the blacklist state around.
|
||||||
|
.Pp
|
||||||
|
All functions log errors to
|
||||||
|
.Xr syslogd 8 .
|
||||||
|
.Sh RETURN VALUES
|
||||||
|
The function
|
||||||
|
.Fn bl_open
|
||||||
|
returns a cookie on success and
|
||||||
|
.Dv NULL
|
||||||
|
on failure setting errno to an appropriate value.
|
||||||
|
.Pp
|
||||||
|
The
|
||||||
|
.Fn bl_send ,
|
||||||
|
function returns
|
||||||
|
.Dv 0
|
||||||
|
on success and
|
||||||
|
.Dv -1
|
||||||
|
on failure setting errno to an appropriate value.
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr blacklistd 8 ,
|
||||||
|
.Xr blacklistd.conf 5
|
||||||
|
.Sh AUTHORS
|
||||||
|
.An Christos Zoulas
|
2
external/bsd/blacklist/lib/shlib_version
vendored
Normal file
2
external/bsd/blacklist/lib/shlib_version
vendored
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
major=0
|
||||||
|
minor=0
|
9
external/bsd/blacklist/test/Makefile
vendored
Normal file
9
external/bsd/blacklist/test/Makefile
vendored
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
# $NetBSD: Makefile,v 1.1 2015/01/21 16:16:00 christos Exp $
|
||||||
|
|
||||||
|
MKMAN=no
|
||||||
|
|
||||||
|
PROGS=srvtest cltest
|
||||||
|
SRCS.srvtest = srvtest.c
|
||||||
|
SRCS.cltest = cltest.c
|
||||||
|
|
||||||
|
.include <bsd.prog.mk>
|
30
external/bsd/blacklist/test/cltest.c
vendored
30
external/bsd/blacklist/test/cltest.c
vendored
@ -10,10 +10,12 @@
|
|||||||
#include <err.h>
|
#include <err.h>
|
||||||
|
|
||||||
static __dead void
|
static __dead void
|
||||||
usage(void)
|
usage(int c)
|
||||||
{
|
{
|
||||||
fprintf(stderr, "Usage: %s [-a <addr>] [-m <msg>]\n", getprogname());
|
warnx("Unknown option `%c'", (char)c);
|
||||||
exit(1);
|
fprintf(stderr, "Usage: %s [-u] [-a <addr>] [-m <msg>] [-p <port>]\n",
|
||||||
|
getprogname());
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@ -49,8 +51,10 @@ main(int argc, char *argv[])
|
|||||||
struct sockaddr_storage ss;
|
struct sockaddr_storage ss;
|
||||||
const char *msg = "hello";
|
const char *msg = "hello";
|
||||||
const char *addr = "127.0.0.1";
|
const char *addr = "127.0.0.1";
|
||||||
|
int type = SOCK_STREAM;
|
||||||
|
in_port_t port = 6161;
|
||||||
|
|
||||||
while ((c = getopt(argc, argv, "a:m:")) == -1) {
|
while ((c = getopt(argc, argv, "a:m:p:u")) == -1) {
|
||||||
switch (c) {
|
switch (c) {
|
||||||
case 'a':
|
case 'a':
|
||||||
addr = optarg;
|
addr = optarg;
|
||||||
@ -58,21 +62,27 @@ main(int argc, char *argv[])
|
|||||||
case 'm':
|
case 'm':
|
||||||
msg = optarg;
|
msg = optarg;
|
||||||
break;
|
break;
|
||||||
|
case 'p':
|
||||||
|
port = (in_port_t)atoi(optarg);
|
||||||
|
break;
|
||||||
|
case 'u':
|
||||||
|
type = SOCK_DGRAM;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
usage();
|
usage(c);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
getaddr(addr, 6161, &ss);
|
getaddr(addr, port, &ss);
|
||||||
|
|
||||||
if ((sfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
|
if ((sfd = socket(AF_INET, type, 0)) == -1)
|
||||||
err(1, "socket");
|
err(EXIT_FAILURE, "socket");
|
||||||
|
|
||||||
if (connect(sfd, (const void *)&ss, ss.ss_len) == -1)
|
if (connect(sfd, (const void *)&ss, ss.ss_len) == -1)
|
||||||
err(1, "connect");
|
err(EXIT_FAILURE, "connect");
|
||||||
|
|
||||||
size_t len = strlen(msg) + 1;
|
size_t len = strlen(msg) + 1;
|
||||||
if (write(sfd, msg, len) != (ssize_t)len)
|
if (write(sfd, msg, len) != (ssize_t)len)
|
||||||
err(1, "write");
|
err(EXIT_FAILURE, "write");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
45
external/bsd/blacklist/test/srvtest.c
vendored
45
external/bsd/blacklist/test/srvtest.c
vendored
@ -14,7 +14,7 @@
|
|||||||
#include "blacklist.h"
|
#include "blacklist.h"
|
||||||
|
|
||||||
static void
|
static void
|
||||||
process(bl_t bl, int sfd, int afd)
|
process(int afd)
|
||||||
{
|
{
|
||||||
ssize_t n;
|
ssize_t n;
|
||||||
char buffer[256];
|
char buffer[256];
|
||||||
@ -24,17 +24,17 @@ process(bl_t bl, int sfd, int afd)
|
|||||||
if ((n = read(afd, buffer, sizeof(buffer))) == -1)
|
if ((n = read(afd, buffer, sizeof(buffer))) == -1)
|
||||||
err(1, "read");
|
err(1, "read");
|
||||||
buffer[sizeof(buffer) - 1] = '\0';
|
buffer[sizeof(buffer) - 1] = '\0';
|
||||||
printf("%s: sending %d %d %s\n", getprogname(), sfd, afd, buffer);
|
printf("%s: sending %d %s\n", getprogname(), afd, buffer);
|
||||||
bl_send(bl, BL_ADD, sfd, afd, buffer);
|
blacklist(1, afd, buffer);
|
||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
cr(int af, in_port_t p)
|
cr(int af, int type, in_port_t p)
|
||||||
{
|
{
|
||||||
int sfd;
|
int sfd;
|
||||||
struct sockaddr_storage ss;
|
struct sockaddr_storage ss;
|
||||||
sfd = socket(af == AF_INET ? PF_INET : PF_INET6, SOCK_STREAM, 0);
|
sfd = socket(af == AF_INET ? PF_INET : PF_INET6, type, 0);
|
||||||
if (sfd == -1)
|
if (sfd == -1)
|
||||||
err(1, "socket");
|
err(1, "socket");
|
||||||
|
|
||||||
@ -61,7 +61,7 @@ cr(int af, in_port_t p)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
handle(bl_t bl, int sfd)
|
handle(int sfd)
|
||||||
{
|
{
|
||||||
struct sockaddr_storage ss;
|
struct sockaddr_storage ss;
|
||||||
socklen_t alen = sizeof(ss);
|
socklen_t alen = sizeof(ss);
|
||||||
@ -74,7 +74,7 @@ handle(bl_t bl, int sfd)
|
|||||||
case -1:
|
case -1:
|
||||||
err(1, "fork");
|
err(1, "fork");
|
||||||
case 0:
|
case 0:
|
||||||
process(bl, sfd, afd);
|
process(afd);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
close(afd);
|
close(afd);
|
||||||
@ -82,19 +82,38 @@ handle(bl_t bl, int sfd)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static __dead void
|
||||||
|
usage(int c)
|
||||||
|
{
|
||||||
|
warnx("Unknown option `%c'", (char)c);
|
||||||
|
fprintf(stderr, "Usage: %s [-u] [-p <num>]\n", getprogname());
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
main(int argc, char *argv[])
|
main(int argc, char *argv[])
|
||||||
{
|
{
|
||||||
bl_t bl;
|
|
||||||
struct pollfd pfd[2];
|
struct pollfd pfd[2];
|
||||||
|
int type = SOCK_STREAM, c;
|
||||||
|
in_port_t port = 6161;
|
||||||
|
|
||||||
signal(SIGCHLD, SIG_IGN);
|
signal(SIGCHLD, SIG_IGN);
|
||||||
|
|
||||||
pfd[0].fd = cr(AF_INET, 6161);
|
while ((c = getopt(argc, argv, "up:")) != -1)
|
||||||
pfd[1].fd = cr(AF_INET6, 6161);
|
switch (c) {
|
||||||
pfd[0].events = pfd[1].events = POLLIN;
|
case 'u':
|
||||||
|
type = SOCK_DGRAM;
|
||||||
|
break;
|
||||||
|
case 'p':
|
||||||
|
port = (in_port_t)atoi(optarg);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
usage(c);
|
||||||
|
}
|
||||||
|
|
||||||
bl = bl_create();
|
pfd[0].fd = cr(AF_INET, type, port);
|
||||||
|
pfd[1].fd = cr(AF_INET6, type, port);
|
||||||
|
pfd[0].events = pfd[1].events = POLLIN;
|
||||||
|
|
||||||
for (;;) {
|
for (;;) {
|
||||||
if (poll(pfd, __arraycount(pfd), INFTIM) == -1)
|
if (poll(pfd, __arraycount(pfd), INFTIM) == -1)
|
||||||
@ -102,7 +121,7 @@ main(int argc, char *argv[])
|
|||||||
for (size_t i = 0; i < __arraycount(pfd); i++) {
|
for (size_t i = 0; i < __arraycount(pfd); i++) {
|
||||||
if ((pfd[i].revents & POLLIN) == 0)
|
if ((pfd[i].revents & POLLIN) == 0)
|
||||||
continue;
|
continue;
|
||||||
handle(bl, pfd[i].fd);
|
handle(pfd[i].fd);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user