From b11744f0b98b6a740170f563a7b732af73ed2436 Mon Sep 17 00:00:00 2001 From: christos Date: Thu, 22 Jan 2015 15:29:27 +0000 Subject: [PATCH] - move diffs - always log through lfun --- external/bsd/blacklist/README | 8 +- external/bsd/blacklist/bin/blacklistctl.c | 10 +- external/bsd/blacklist/bin/blacklistd.c | 10 +- external/bsd/blacklist/bin/conf.c | 28 ++-- external/bsd/blacklist/bin/run.c | 12 +- external/bsd/blacklist/bin/state.c | 20 +-- external/bsd/blacklist/diff/named.diff | 193 ++++++++++++++++++++++ external/bsd/blacklist/diff/ssh.diff | 114 +++++++++++++ 8 files changed, 352 insertions(+), 43 deletions(-) create mode 100644 external/bsd/blacklist/diff/named.diff create mode 100644 external/bsd/blacklist/diff/ssh.diff diff --git a/external/bsd/blacklist/README b/external/bsd/blacklist/README index 2f17d465eeb9..622434de9544 100644 --- a/external/bsd/blacklist/README +++ b/external/bsd/blacklist/README @@ -1,4 +1,4 @@ -# $NetBSD: README,v 1.3 2015/01/21 19:39:25 christos Exp $ +# $NetBSD: README,v 1.4 2015/01/22 15:29:27 christos Exp $ This package contains library that can be used by network daemons to communicate with a packet filter via a daemon to enforce opening and @@ -8,8 +8,10 @@ The interface to the packet filter is in etc/control (this is currently designed for npf) and the configuration file (inspired from inetd.conf) is in etc/conf. -A patch to OpenSSH is in ssh.diff that adds blacklisting capabilities to -openssh. +Patches to various daemons to add blacklisting capabilitiers are in the +diff directory: + - OpenSSH: diff/ssh.diff + - Bind: diff/named.diff The network daemon (for example sshd) communicates to blacklistd, via a unix socket like syslog. The library calls are simple and everything diff --git a/external/bsd/blacklist/bin/blacklistctl.c b/external/bsd/blacklist/bin/blacklistctl.c index 74d0a1c301cd..538a0fd00f20 100644 --- a/external/bsd/blacklist/bin/blacklistctl.c +++ b/external/bsd/blacklist/bin/blacklistctl.c 
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistctl.c,v 1.8 2015/01/22 03:48:07 christos Exp $ */
+/* $NetBSD: blacklistctl.c,v 1.9 2015/01/22 15:29:27 christos Exp $ */
 /*-
 * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 #include
-__RCSID("$NetBSD: blacklistctl.c,v 1.8 2015/01/22 03:48:07 christos Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.9 2015/01/22 15:29:27 christos Exp $");
 #include
 #include
@@ -86,11 +86,11 @@ main(int argc, char *argv[])
 for (i = 1; state_iterate(db, &ss, &c, &dbi, i) != 0; i = 0) {
 char buf[BUFSIZ];
- printf("conf: %s\n", conf_print(buf, sizeof(buf), "",
+ (*lfun)(LOG_DEBUG, "conf: %s\n", conf_print(buf, sizeof(buf), "",
 ":", &c));
 sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&ss);
- printf("addr: %s\n", buf);
- printf("data: count=%d id=%s time=%s\n", dbi.count,
+ (*lfun)(LOG_DEBUG, "addr: %s\n", buf);
+ (*lfun)(LOG_DEBUG, "data: count=%d id=%s time=%s\n", dbi.count,
 dbi.id, fmttime(buf, sizeof(buf), dbi.last));
 }
 state_close(db);
diff --git a/external/bsd/blacklist/bin/blacklistd.c b/external/bsd/blacklist/bin/blacklistd.c
index a50839619c7c..5adb8126be71 100644
--- a/external/bsd/blacklist/bin/blacklistd.c
+++ b/external/bsd/blacklist/bin/blacklistd.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.19 2015/01/22 15:25:52 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.20 2015/01/22 15:29:27 christos Exp $ */
 /*-
 * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include
-__RCSID("$NetBSD: blacklistd.c,v 1.19 2015/01/22 15:25:52 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.20 2015/01/22 15:29:27 christos Exp $");
 #include
 #include
@@ -127,7 +127,7 @@ process(bl_t bl)
 return;
 if (debug)
- printf("got type=%d fd=%d msg=%s uid=%lu\n",
+ (*lfun)(LOG_DEBUG, "got type=%d fd=%d msg=%s uid=%lu\n",
 bi->bi_type, bi->bi_fd, bi->bi_msg, (unsigned long)bi->bi_uid);
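Review bot: The three per-entry lines in blacklistctl's iteration loop are now emitted at LOG_DEBUG through `(*lfun)`, but they are the utility's primary output rather than a diagnostic, so whether a user ever sees them now depends on how the installed `lfun` filters LOG_DEBUG; if `lfun` can be syslog(3) here, every record also carries the trailing `\n` kept in the formats (`"conf: %s\n"`, `"addr: %s\n"`, `"data: ...\n"`), which a record-oriented logger does not want. Consider emitting them at LOG_INFO, or keeping the dump on stdout, and dropping the trailing newline so a stderr-backed logger appends its own, e.g. `(*lfun)(LOG_INFO, "addr: %s", buf);`. How `lfun` is initialised in blacklistctl is not visible in this hunk, and main() starts before it.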
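Review bot: `bi->bi_msg` in the new `(*lfun)(LOG_DEBUG, "got type=%d fd=%d msg=%s ...")` call is text received from the client daemon and is written into the log record verbatim through `%s`; if it can carry newlines or control characters it can split or forge log entries, and it is only safe for `%s` if the receive path guarantees NUL termination inside the buffer, which is not visible here. The printf it replaces had the same exposure, but now that the text may reach the system log it is worth escaping it first, e.g. `char vbuf[4 * sizeof(bi->bi_msg) + 1]; strvisx(vbuf, bi->bi_msg, strlen(bi->bi_msg), VIS_SAFE);` and logging `vbuf` (size assumes `bi_msg` is an in-struct array; adjust if it is a pointer). `process` starts before this hunk and continues past it.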
@@ -155,7 +155,7 @@ process(bl_t bl)
 if (debug) {
 char b1[128], b2[128];
 sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss);
- printf("%s: %s count=%d nfail=%d last=%s now=%s\n", __func__,
+ (*lfun)(LOG_DEBUG, "%s: %s count=%d nfail=%d last=%s now=%s\n", __func__,
 rbuf, dbi.count, c.c_nfail, fmttime(b1, sizeof(b1), dbi.last), fmttime(b2, sizeof(b2), ts.tv_sec));
@@ -219,7 +219,7 @@ update(void)
 char b1[64], b2[64];
 sockaddr_snprintf(buf, sizeof(buf), "%a:%p", (void *)&ss);
- printf("%s:[%u] %s count=%d duration=%d last=%s "
+ (*lfun)(LOG_DEBUG, "%s:[%u] %s count=%d duration=%d last=%s "
 "now=%s\n", __func__, n, buf, dbi.count, c.c_duration, fmttime(b1, sizeof(b1), dbi.last), fmttime(b2, sizeof(b2), ts.tv_sec));
diff --git a/external/bsd/blacklist/bin/conf.c b/external/bsd/blacklist/bin/conf.c
index 65bf9f2ae099..c9eb79db6014 100644
--- a/external/bsd/blacklist/bin/conf.c
+++ b/external/bsd/blacklist/bin/conf.c
@@ -1,4 +1,4 @@
-/* $NetBSD: conf.c,v 1.11 2015/01/22 04:13:04 christos Exp $ */
+/* $NetBSD: conf.c,v 1.12 2015/01/22 15:29:27 christos Exp $ */
 /*-
 * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 #include
-__RCSID("$NetBSD: conf.c,v 1.11 2015/01/22 04:13:04 christos Exp $");
+__RCSID("$NetBSD: conf.c,v 1.12 2015/01/22 15:29:27 christos Exp $");
 #include
 #include
@@ -168,7 +168,7 @@ gethostport(const char *f, size_t l, void *v, const char *p)
 *d++ = '\0';
 p++;
 if (debug)
- printf("%s: host6 %s\n", __func__, p);
+ (*lfun)(LOG_DEBUG, "%s: host6 %s\n", __func__, p);
 if (strcmp(p, "*") != 0) {
 if (inet_pton(AF_INET6, p, &s6->sin6_addr) == -1)
 goto out;
@@ -183,7 +183,7 @@ gethostport(const char *f, size_t l, void *v, const char *p)
 struct sockaddr_in *s = (void *)&c->c_ss;
 *d++ = '\0';
 if (debug)
- printf("%s: host4 %s\n", __func__, p);
+ (*lfun)(LOG_DEBUG, "%s: host4 %s\n", __func__, p);
 if (strcmp(p, "*") != 0) {
 if (inet_pton(AF_INET, p, &s->sin_addr) == -1)
 goto out;
@@ -337,14 +337,14 @@ conf_eq(const struct conf *c1, const struct conf *c2)
 if (c2->c_ss.ss_family != 0 &&
 memcmp(&c1->c_ss, &c2->c_ss, sizeof(c1->c_ss))) {
 if (debug > 1)
- printf("%s: c_ss fail\n", __func__);
+ (*lfun)(LOG_DEBUG, "%s: c_ss fail\n", __func__);
 return 0;
 }
 #define CMP(a, b, f) \
 if ((a)->f != (b)->f && (b)->f != -1) { \
 if (debug > 1) \
- printf("%s: %s fail\n", __func__, __STRING(f)); \
+ (*lfun)(LOG_DEBUG, "%s: %s fail\n", __func__, __STRING(f)); \
 return 0; \
 }
 CMP(c1, c2, c_port);
@@ -443,7 +443,7 @@ conf_find(int fd, uid_t uid, struct conf *cr)
 if (debug) {
 sockaddr_snprintf(buf, sizeof(buf), "%a:%p", (void *)&ss);
- printf("listening socket: %s\n", buf);
+ (*lfun)(LOG_DEBUG, "listening socket: %s\n", buf);
 }
 switch (proto) {
@@ -477,16 +477,16 @@ conf_find(int fd, uid_t uid, struct conf *cr)
 cr->c_duration = -1;
 if (debug)
- printf("%s\n", conf_print(buf, sizeof(buf),
+ (*lfun)(LOG_DEBUG, "%s\n", conf_print(buf, sizeof(buf),
 "look:\t", "", cr));
 for (i = 0; i < nconf; i++) {
 if (debug)
- printf("%s\n", conf_print(buf, sizeof(buf), "check:\t",
+ (*lfun)(LOG_DEBUG, "%s\n", conf_print(buf, sizeof(buf), "check:\t",
 "", &conf[i]));
 if (conf_eq(cr, &conf[i])) {
 if (debug)
- printf("%s\n", conf_print(buf, sizeof(buf),
+ (*lfun)(LOG_DEBUG, "%s\n", conf_print(buf, sizeof(buf),
 "found:\t", "", &conf[i]));
 cr->c_ss = conf[i].c_ss;
 memcpy(cr->c_name, conf[i].c_name, CONFNAMESZ);
@@ -496,7 +496,7 @@ conf_find(int fd, uid_t uid, struct conf *cr)
 }
 }
 if (debug)
- printf("not found\n");
+ (*lfun)(LOG_DEBUG, "not found\n");
 return NULL;
 }
@@ -523,7 +523,7 @@ conf_parse(const char *f)
 if (!*line)
 continue;
 if (debug > 4)
- printf("%s, %zu: [%s]\n", f, lineno, line);
+ (*lfun)(LOG_DEBUG, "%s, %zu: [%s]\n", f, lineno, line);
 #endif
 if (nc == mc) {
 mc += 10;
@@ -549,11 +549,11 @@ conf_parse(const char *f)
 if (debug) {
 char buf[BUFSIZ];
- printf(
+ (*lfun)(LOG_DEBUG,
 "%20.20s\ttype\tproto\towner\tname\tnfail\tduration\n", "target");
 for (nc = 0; nc < nconf; nc++)
- printf("%s\n",
+ (*lfun)(LOG_DEBUG, "%s\n",
 conf_print(buf, sizeof(buf), "", "\t", &c[nc]));
 }
 }
diff --git a/external/bsd/blacklist/bin/run.c b/external/bsd/blacklist/bin/run.c
index c181ef39920c..535ac0646e89 100644
--- a/external/bsd/blacklist/bin/run.c
+++ b/external/bsd/blacklist/bin/run.c
@@ -1,4 +1,4 @@
-/* $NetBSD: run.c,v 1.8 2015/01/22 04:13:04 christos Exp $ */
+/* $NetBSD: run.c,v 1.9 2015/01/22 15:29:27 christos Exp $ */
 /*-
 * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 #include
-__RCSID("$NetBSD: run.c,v 1.8 2015/01/22 04:13:04 christos Exp $");
+__RCSID("$NetBSD: run.c,v 1.9 2015/01/22 15:29:27 christos Exp $");
 #include
 #ifdef HAVE_UTIL_H
@@ -72,10 +72,10 @@ run(const char *cmd, const char *name, ...)
 va_end(ap);
 if (debug) {
- printf("run %s [", controlprog);
+ (*lfun)(LOG_DEBUG, "run %s [", controlprog);
 for (i = 0; argv[i]; i++)
- printf(" %s", argv[i]);
- printf("]\n");
+ (*lfun)(LOG_DEBUG, " %s", argv[i]);
+ (*lfun)(LOG_DEBUG, "]\n");
 }
 fp = popenve(controlprog, __UNCONST(argv), environ, "r");
@@ -89,7 +89,7 @@ run(const char *cmd, const char *name, ...)
 res = NULL;
 pclose(fp);
 if (debug)
- printf("%s returns %s\n", cmd, res);
+ (*lfun)(LOG_DEBUG, "%s returns %s\n", cmd, res);
 return res;
 }
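Review bot: The argv dump in run()'s `if (debug)` block is now three separate `(*lfun)` calls — `"run %s ["`, one `" %s"` per argument, and `"]\n"` — which printf rendered as a single line but a record-oriented logger such as syslog(3) emits as one record per call, so the exact command handed to the control program is scattered over N+2 log entries and hard to correlate; `dumpkey` in state.c has the same problem one byte per record. Assemble the text in a buffer with snprintf and log it once, as below. `run` starts before this hunk.
```c
	if (debug) {
		char line[BUFSIZ];
		size_t off = 0;
		int w = snprintf(line, sizeof(line), "run %s [", controlprog);
		if (w > 0)
			off = (size_t)w < sizeof(line) ? (size_t)w : sizeof(line) - 1;
		for (i = 0; argv[i] && off + 1 < sizeof(line); i++) {
			w = snprintf(line + off, sizeof(line) - off, " %s", argv[i]);
			if (w < 0)
				break;
			/* clamp on truncation so off never passes the buffer end */
			off += (size_t)w < sizeof(line) - off ? (size_t)w : sizeof(line) - off - 1;
		}
		(*lfun)(LOG_DEBUG, "%s]\n", line);
	}
	/* … unchanged: popenve() and the rest of run() … */
```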
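Review bot: `res` can be NULL at the new `(*lfun)(LOG_DEBUG, "%s returns %s\n", cmd, res)` — the `res = NULL;` in the context at the top of the `@@ -89,7` hunk is the path where the control program produced no output — and passing a null pointer for `%s` is undefined behaviour in C even though several printf implementations print "(null)" as a courtesy. Guard the argument, `cmd, res != NULL ? res : "(null)"`, or log the two outcomes separately. The printf the commit replaces had the same problem; `run` begins before the hunk.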
@@ -33,7 +33,7 @@
 #endif
 #include
-__RCSID("$NetBSD: state.c,v 1.8 2015/01/22 04:13:04 christos Exp $");
+__RCSID("$NetBSD: state.c,v 1.9 2015/01/22 15:29:27 christos Exp $");
 #include
 #include
@@ -98,10 +98,10 @@ dumpkey(const struct dbkey *k)
 {
 const unsigned char *p = (const void *)k;
 const unsigned char *e = p + sizeof(*k);
- printf("%s: ", __func__);
+ (*lfun)(LOG_DEBUG, "%s: ", __func__);
 while (p < e)
- printf("%.2x", *p++);
- printf("\n");
+ (*lfun)(LOG_DEBUG, "%.2x", *p++);
+ (*lfun)(LOG_DEBUG, "\n");
 }
 static void
@@ -146,7 +146,7 @@ state_del(DB *db, const struct sockaddr_storage *ss, const struct conf *c)
 case 0:
 case 1:
 if (debug > 1)
- printf("%s: returns %d\n", __func__, rv);
+ (*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
 return 0;
 default:
 (*lfun)(LOG_ERR, "%s: failed (%m)", __func__);
@@ -178,7 +178,7 @@ state_get(DB *db, const struct sockaddr_storage *ss, const struct conf *c,
 else
 memcpy(dbi, v.data, sizeof(*dbi));
 if (debug > 1)
- printf("%s: returns %d\n", __func__, rv);
+ (*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
 return 0;
 default:
 (*lfun)(LOG_ERR, "%s: failed (%m)", __func__);
@@ -207,7 +207,7 @@ state_put(DB *db, const struct sockaddr_storage *ss, const struct conf *c,
 switch (rv = (*db->put)(db, &k, &v, 0)) {
 case 0:
 if (debug > 1)
- printf("%s: returns %d\n", __func__, rv);
+ (*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
 return 0;
 case 1:
 errno = EEXIST;
@@ -240,11 +240,11 @@ state_iterate(DB *db, struct sockaddr_storage *ss, struct conf *c,
 dumpkey(kp);
 memcpy(dbi, v.data, sizeof(*dbi));
 if (debug > 1)
- printf("%s: returns %d\n", __func__, rv);
+ (*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
 return 1;
 case 1:
 if (debug > 1)
- printf("%s: returns %d\n", __func__, rv);
+ (*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
 return 0;
 default:
 (*lfun)(LOG_ERR, "%s: failed (%m)", __func__);
diff --git a/external/bsd/blacklist/diff/named.diff b/external/bsd/blacklist/diff/named.diff
new file mode 100644
index 000000000000..62fdf6a2c6dc
--- /dev/null
+++ b/external/bsd/blacklist/diff/named.diff
@@ -0,0 +1,193 @@ +? named.diff +? pfilter.c +? pfilter.h +? x +Index: client.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v +retrieving revision 1.11 +diff -u -u -r1.11 client.c +--- client.c 10 Dec 2014 04:37:51 -0000 1.11 ++++ client.c 22 Jan 2015 06:47:45 -0000 +@@ -65,6 +65,8 @@ + #include + #include + ++#include "pfilter.h" ++ + /*** + *** Client + ***/ +@@ -3101,6 +3103,7 @@ + result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL, + acl, default_allow); + ++ pfilter_notify(result, client, opname); + if (result == ISC_R_SUCCESS) + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), +Index: main.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v +retrieving revision 1.15 +diff -u -u -r1.15 main.c +--- main.c 10 Dec 2014 04:37:51 -0000 1.15 ++++ main.c 22 Jan 2015 06:47:45 -0000 +@@ -83,6 +83,9 @@ + #ifdef HAVE_LIBXML2 + #include + #endif ++ ++#include "pfilter.h" ++ + /* + * Include header files for database drivers here. + */ +@@ -1206,6 +1209,8 @@ + + parse_command_line(argc, argv); + ++ pfilter_open(); ++ + /* + * Warn about common configuration error. 
+ */ +Index: query.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v +retrieving revision 1.17 +diff -u -u -r1.17 query.c +--- query.c 10 Dec 2014 04:37:52 -0000 1.17 ++++ query.c 22 Jan 2015 06:47:45 -0000 +@@ -65,6 +65,8 @@ + #include + #include + ++#include "pfilter.h" ++ + #if 0 + /* + * It has been recommended that DNS64 be changed to return excluded +@@ -762,6 +764,7 @@ + } + + result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE); ++ pfilter_notify(result, client, "validatezonedb"); + if ((options & DNS_GETDB_NOLOG) == 0) { + char msg[NS_CLIENT_ACLMSGSIZE("query")]; + if (result == ISC_R_SUCCESS) { +@@ -1026,6 +1029,7 @@ + result = ns_client_checkaclsilent(client, NULL, + client->view->cacheacl, + ISC_TRUE); ++ pfilter_notify(result, client, "cachedb"); + if (result == ISC_R_SUCCESS) { + /* + * We were allowed by the "allow-query-cache" ACL. +Index: update.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v +retrieving revision 1.9 +diff -u -u -r1.9 update.c +--- update.c 10 Dec 2014 04:37:52 -0000 1.9 ++++ update.c 22 Jan 2015 06:47:45 -0000 +@@ -59,6 +59,8 @@ + #include + #include + ++#include "pfilter.h" ++ + /*! \file + * \brief + * This module implements dynamic update as in RFC2136. 
+@@ -306,6 +308,7 @@ + isc_result_t result; + + result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE); ++ pfilter_notify(result, client, "queryacl"); + if (result != ISC_R_SUCCESS) { + dns_name_format(zonename, namebuf, sizeof(namebuf)); + dns_rdataclass_format(client->view->rdclass, classbuf, +@@ -362,6 +365,7 @@ + msg = "disabled"; + } else { + result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE); ++ pfilter_notify(result, client, "updateacl"); + if (result == ISC_R_SUCCESS) { + level = ISC_LOG_DEBUG(3); + msg = "approved"; +Index: xfrout.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v +retrieving revision 1.7 +diff -u -u -r1.7 xfrout.c +--- xfrout.c 10 Dec 2014 04:37:52 -0000 1.7 ++++ xfrout.c 22 Jan 2015 06:47:45 -0000 +@@ -54,6 +54,8 @@ + #include + #include + ++#include "pfilter.h" ++ + /*! \file + * \brief + * Outgoing AXFR and IXFR. +@@ -821,7 +823,7 @@ + question_name, + &client->peeraddr, + &db); +- ++ pfilter_notify(result, client, "zonexfr"); + if (result == ISC_R_NOPERM) { + char _buf1[DNS_NAME_FORMATSIZE]; + char _buf2[DNS_RDATACLASS_FORMATSIZE]; +--- /dev/null 2015-01-22 01:48:00.000000000 -0500 ++++ pfilter.c 2015-01-22 01:35:16.000000000 -0500 +@@ -0,0 +1,42 @@ ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include "pfilter.h" ++ ++static struct blacklist *blstate; ++ ++void ++pfilter_open(void) ++{ ++ if (blstate == NULL) ++ blstate = blacklist_open(); ++} ++ ++#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0) ++ ++void ++pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg) ++{ ++ isc_socket_t *socket; ++ ++ pfilter_open(); ++ ++ if (TCP_CLIENT(client)) ++ socket = client->tcpsocket; ++ else { ++ socket = client->udpsocket; ++ if (!client->peeraddr_valid) ++ return; ++ } ++ if (socket == NULL) ++ return; ++ blacklist_sa_r(blstate, ++ res != ISC_R_SUCCESS, 
isc_socket_getfd(socket), ++ &client->peeraddr.type.sa, client->peeraddr.length, msg); ++} +--- /dev/null 2015-01-22 01:48:00.000000000 -0500 ++++ pfilter.h 2015-01-22 01:16:56.000000000 -0500 +@@ -0,0 +1,2 @@ ++void pfilter_open(void); ++void pfilter_notify(isc_result_t, ns_client_t *, const char *); diff --git a/external/bsd/blacklist/diff/ssh.diff b/external/bsd/blacklist/diff/ssh.diff new file mode 100644 index 000000000000..ab2e42903a0f --- /dev/null +++ b/external/bsd/blacklist/diff/ssh.diff 
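Review bot: In the xfrout.c part of named.diff the new `pfilter_notify(result, client, "zonexfr")` follows a call that ends `&client->peeraddr, &db);` rather than `ns_client_checkaclsilent()` as in every other hunk, and `pfilter_notify` in pfilter.c reports `res != ISC_R_SUCCESS` as a failed attempt; if that `result` can be something other than an ACL verdict (the next line treats only `ISC_R_NOPERM` as a denial), lookups that fail for reasons unrelated to authorization are counted towards blocking the peer. Restrict the notification to the permission outcomes, `if (result == ISC_R_SUCCESS || result == ISC_R_NOPERM)` / `pfilter_notify(result, client, "zonexfr");`, or move it next to the ACL check. The enclosing function is not shown in the hunk, so which call sets `result` there is inferred.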
@@ -0,0 +1,114 @@ +Index: bin/sshd/Makefile +=================================================================== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v +retrieving revision 1.10 +diff -u -r1.10 Makefile +--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10 ++++ bin/sshd/Makefile 21 Jan 2015 02:16:08 -0000 +@@ -15,7 +15,7 @@ + auth2-none.c auth2-passwd.c auth2-pubkey.c \ + monitor_mm.c monitor.c monitor_wrap.c \ + kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ +- roaming_common.c roaming_serv.c sandbox-rlimit.c ++ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c + + COPTS.auth-options.c= -Wno-pointer-sign + COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix +@@ -68,3 +68,6 @@ + + LDADD+= -lwrap + DPADD+= ${LIBWRAP} ++ ++LDADD+= -lblacklist ++DPADD+= ${LIBBLACKLIST} +Index: dist/auth.c +=================================================================== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v +retrieving revision 1.10 +diff -u -r1.10 auth.c +--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10 ++++ dist/auth.c 21 Jan 2015 02:16:09 -0000 +@@ -62,6 +62,7 @@ + #include "monitor_wrap.h" + #include "krl.h" + #include "compat.h" ++#include "pfilter.h" + + #ifdef HAVE_LOGIN_CAP + #include +@@ -362,6 +363,8 @@ + compat20 ? "ssh2" : "ssh1", + authctxt->info != NULL ? ": " : "", + authctxt->info != NULL ? 
authctxt->info : ""); ++ if (!authctxt->postponed) ++ pfilter_notify(!authenticated); + free(authctxt->info); + authctxt->info = NULL; + } +Index: dist/sshd.c +=================================================================== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v +retrieving revision 1.15 +diff -u -u -r1.15 sshd.c +--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15 ++++ dist/sshd.c 21 Jan 2015 02:49:39 -0000 +@@ -109,6 +109,7 @@ + #include "roaming.h" + #include "ssh-sandbox.h" + #include "version.h" ++#include "pfilter.h" + + #ifdef LIBWRAP + #include +@@ -364,6 +365,7 @@ + killpg(0, SIGTERM); + } + ++ pfilter_notify(1); + /* Log error and exit. */ + sigdie("Timeout before authentication for %s", get_remote_ipaddr()); + } +@@ -1160,6 +1162,7 @@ + for (i = 0; i < options.max_startups; i++) + startup_pipes[i] = -1; + ++ pfilter_init(); + /* + * Stay listening for connections until the system crashes or + * the daemon is killed with a signal. +--- /dev/null 2015-01-20 21:14:44.000000000 -0500 ++++ dist/pfilter.c 2015-01-20 21:17:22.000000000 -0500 +@@ -0,0 +1,27 @@ ++#include "namespace.h" ++#include "ssh.h" ++#include "packet.h" ++#include "log.h" ++#include "pfilter.h" ++#include ++ ++static struct blacklist *blstate; ++ ++void ++pfilter_init() ++{ ++ blstate = blacklist_open(); ++} ++ ++void ++pfilter_notify(int a) ++{ ++ int fd; ++ if (blstate == NULL) ++ pfilter_init(); ++ if (blstate == NULL) ++ return; ++ // XXX: 3? ++ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3; ++ (void)blacklist_r(blstate, a, fd, "ssh"); ++} +--- /dev/null 2015-01-20 21:14:44.000000000 -0500 ++++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500 +@@ -0,0 +1,3 @@ ++ ++void pfilter_notify(int); ++void pfilter_init(void);