- move diffs

- always log through lfun
christos 2015-01-22 15:29:27 +00:00
parent e613991ba4
commit b11744f0b9
8 changed files with 352 additions and 43 deletions


@ -1,4 +1,4 @@
# $NetBSD: README,v 1.3 2015/01/21 19:39:25 christos Exp $
# $NetBSD: README,v 1.4 2015/01/22 15:29:27 christos Exp $
This package contains library that can be used by network daemons to
communicate with a packet filter via a daemon to enforce opening and
@ -8,8 +8,10 @@ The interface to the packet filter is in etc/control (this is currently
designed for npf) and the configuration file (inspired from inetd.conf)
is in etc/conf.
A patch to OpenSSH is in ssh.diff that adds blacklisting capabilities to
openssh.
Patches to various daemons to add blacklisting capabilitiers are in the
diff directory:
- OpenSSH: diff/ssh.diff
- Bind: diff/named.diff
The network daemon (for example sshd) communicates to blacklistd, via
a unix socket like syslog. The library calls are simple and everything


@ -1,4 +1,4 @@
/* $NetBSD: blacklistctl.c,v 1.8 2015/01/22 03:48:07 christos Exp $ */
/* $NetBSD: blacklistctl.c,v 1.9 2015/01/22 15:29:27 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
__RCSID("$NetBSD: blacklistctl.c,v 1.8 2015/01/22 03:48:07 christos Exp $");
__RCSID("$NetBSD: blacklistctl.c,v 1.9 2015/01/22 15:29:27 christos Exp $");
#include <stdio.h>
#include <time.h>
@ -86,11 +86,11 @@ main(int argc, char *argv[])
for (i = 1; state_iterate(db, &ss, &c, &dbi, i) != 0; i = 0) {
char buf[BUFSIZ];
printf("conf: %s\n", conf_print(buf, sizeof(buf), "",
(*lfun)(LOG_DEBUG, "conf: %s\n", conf_print(buf, sizeof(buf), "",
":", &c));
sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&ss);
printf("addr: %s\n", buf);
printf("data: count=%d id=%s time=%s\n", dbi.count,
(*lfun)(LOG_DEBUG, "addr: %s\n", buf);
(*lfun)(LOG_DEBUG, "data: count=%d id=%s time=%s\n", dbi.count,
dbi.id, fmttime(buf, sizeof(buf), dbi.last));
}
state_close(db);
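Review bot: The converted `(*lfun)(LOG_DEBUG, ...)` calls keep the trailing `\n` from the old printf format strings, while the lfun calls that already existed in state.c (`(*lfun)(LOG_ERR, "%s: failed (%m)", __func__)`) use syslog-style formats with no newline and `%m`; if lfun is syslog-backed the newline is either redundant or ends up embedded in the record. Dropping it here, e.g. `(*lfun)(LOG_DEBUG, "addr: %s", buf);`, would make the debug path consistent with the error path, and the same applies to the converted calls in blacklistd.c, conf.c, run.c and state.c. Since blacklistctl is the listing utility, a short comment above the loop stating that lfun is expected to point at a stdout printer here would also help: at LOG_DEBUG priority a syslog-backed lfun would otherwise hide the records, and I cannot see where lfun is assigned from this hunk. The enclosing main() starts and ends outside the hunk.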


@ -1,4 +1,4 @@
/* $NetBSD: blacklistd.c,v 1.19 2015/01/22 15:25:52 christos Exp $ */
/* $NetBSD: blacklistd.c,v 1.20 2015/01/22 15:29:27 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -32,7 +32,7 @@
#include "config.h"
#endif
#include <sys/cdefs.h>
__RCSID("$NetBSD: blacklistd.c,v 1.19 2015/01/22 15:25:52 christos Exp $");
__RCSID("$NetBSD: blacklistd.c,v 1.20 2015/01/22 15:29:27 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@ -127,7 +127,7 @@ process(bl_t bl)
return;
if (debug)
printf("got type=%d fd=%d msg=%s uid=%lu\n",
(*lfun)(LOG_DEBUG, "got type=%d fd=%d msg=%s uid=%lu\n",
bi->bi_type, bi->bi_fd, bi->bi_msg,
(unsigned long)bi->bi_uid);
@ -155,7 +155,7 @@ process(bl_t bl)
if (debug) {
char b1[128], b2[128];
sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss);
printf("%s: %s count=%d nfail=%d last=%s now=%s\n", __func__,
(*lfun)(LOG_DEBUG, "%s: %s count=%d nfail=%d last=%s now=%s\n", __func__,
rbuf, dbi.count, c.c_nfail,
fmttime(b1, sizeof(b1), dbi.last),
fmttime(b2, sizeof(b2), ts.tv_sec));
@ -219,7 +219,7 @@ update(void)
char b1[64], b2[64];
sockaddr_snprintf(buf, sizeof(buf), "%a:%p",
(void *)&ss);
printf("%s:[%u] %s count=%d duration=%d last=%s "
(*lfun)(LOG_DEBUG, "%s:[%u] %s count=%d duration=%d last=%s "
"now=%s\n", __func__, n, buf, dbi.count,
c.c_duration, fmttime(b1, sizeof(b1), dbi.last),
fmttime(b2, sizeof(b2), ts.tv_sec));
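Review bot: In process(), the converted debug line logs `bi->bi_msg` verbatim; the README describes client daemons talking to blacklistd over a unix socket like syslog, so this string is presumably caller-controlled and may carry newlines or control characters that break log lines apart or confuse log parsers. Escaping it before logging, e.g. with strvis(3) into a bounded buffer, or at least a comment at this line noting that the receive path is expected to bound and sanitize bi_msg, would make the trust boundary explicit. Passing the message as a `%s` argument rather than as the format is correct as written. Both process() hunks and the update() hunk start and end outside the visible lines.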


@ -1,4 +1,4 @@
/* $NetBSD: conf.c,v 1.11 2015/01/22 04:13:04 christos Exp $ */
/* $NetBSD: conf.c,v 1.12 2015/01/22 15:29:27 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
__RCSID("$NetBSD: conf.c,v 1.11 2015/01/22 04:13:04 christos Exp $");
__RCSID("$NetBSD: conf.c,v 1.12 2015/01/22 15:29:27 christos Exp $");
#include <stdio.h>
#include <string.h>
@ -168,7 +168,7 @@ gethostport(const char *f, size_t l, void *v, const char *p)
*d++ = '\0';
p++;
if (debug)
printf("%s: host6 %s\n", __func__, p);
(*lfun)(LOG_DEBUG, "%s: host6 %s\n", __func__, p);
if (strcmp(p, "*") != 0) {
if (inet_pton(AF_INET6, p, &s6->sin6_addr) == -1)
goto out;
@ -183,7 +183,7 @@ gethostport(const char *f, size_t l, void *v, const char *p)
struct sockaddr_in *s = (void *)&c->c_ss;
*d++ = '\0';
if (debug)
printf("%s: host4 %s\n", __func__, p);
(*lfun)(LOG_DEBUG, "%s: host4 %s\n", __func__, p);
if (strcmp(p, "*") != 0) {
if (inet_pton(AF_INET, p, &s->sin_addr) == -1)
goto out;
@ -337,14 +337,14 @@ conf_eq(const struct conf *c1, const struct conf *c2)
if (c2->c_ss.ss_family != 0 &&
memcmp(&c1->c_ss, &c2->c_ss, sizeof(c1->c_ss))) {
if (debug > 1)
printf("%s: c_ss fail\n", __func__);
(*lfun)(LOG_DEBUG, "%s: c_ss fail\n", __func__);
return 0;
}
#define CMP(a, b, f) \
if ((a)->f != (b)->f && (b)->f != -1) { \
if (debug > 1) \
printf("%s: %s fail\n", __func__, __STRING(f)); \
(*lfun)(LOG_DEBUG, "%s: %s fail\n", __func__, __STRING(f)); \
return 0; \
}
CMP(c1, c2, c_port);
@ -443,7 +443,7 @@ conf_find(int fd, uid_t uid, struct conf *cr)
if (debug) {
sockaddr_snprintf(buf, sizeof(buf), "%a:%p", (void *)&ss);
printf("listening socket: %s\n", buf);
(*lfun)(LOG_DEBUG, "listening socket: %s\n", buf);
}
switch (proto) {
@ -477,16 +477,16 @@ conf_find(int fd, uid_t uid, struct conf *cr)
cr->c_duration = -1;
if (debug)
printf("%s\n", conf_print(buf, sizeof(buf),
(*lfun)(LOG_DEBUG, "%s\n", conf_print(buf, sizeof(buf),
"look:\t", "", cr));
for (i = 0; i < nconf; i++) {
if (debug)
printf("%s\n", conf_print(buf, sizeof(buf), "check:\t",
(*lfun)(LOG_DEBUG, "%s\n", conf_print(buf, sizeof(buf), "check:\t",
"", &conf[i]));
if (conf_eq(cr, &conf[i])) {
if (debug)
printf("%s\n", conf_print(buf, sizeof(buf),
(*lfun)(LOG_DEBUG, "%s\n", conf_print(buf, sizeof(buf),
"found:\t", "", &conf[i]));
cr->c_ss = conf[i].c_ss;
memcpy(cr->c_name, conf[i].c_name, CONFNAMESZ);
@ -496,7 +496,7 @@ conf_find(int fd, uid_t uid, struct conf *cr)
}
}
if (debug)
printf("not found\n");
(*lfun)(LOG_DEBUG, "not found\n");
return NULL;
}
@ -523,7 +523,7 @@ conf_parse(const char *f)
if (!*line)
continue;
if (debug > 4)
printf("%s, %zu: [%s]\n", f, lineno, line);
(*lfun)(LOG_DEBUG, "%s, %zu: [%s]\n", f, lineno, line);
#endif
if (nc == mc) {
mc += 10;
@ -549,11 +549,11 @@ conf_parse(const char *f)
if (debug) {
char buf[BUFSIZ];
printf(
(*lfun)(LOG_DEBUG,
"%20.20s\ttype\tproto\towner\tname\tnfail\tduration\n",
"target");
for (nc = 0; nc < nconf; nc++)
printf("%s\n",
(*lfun)(LOG_DEBUG, "%s\n",
conf_print(buf, sizeof(buf), "", "\t", &c[nc]));
}
}
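Review bot: In gethostport() the address checks next to the converted debug lines test `inet_pton(...) == -1`, but inet_pton(3) returns 0 for a string that is not a valid address and -1 only for an unsupported address family, so a malformed host in the configuration passes the check and leaves `sin6_addr`/`sin_addr` unset. Both branches should test for success instead: `if (inet_pton(AF_INET6, p, &s6->sin6_addr) != 1)` and `if (inet_pton(AF_INET, p, &s->sin_addr) != 1)`. This predates the commit, but the two hunks touch the adjacent lines and the fix is one token each. gethostport() starts and ends outside the hunks.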


@ -1,4 +1,4 @@
/* $NetBSD: run.c,v 1.8 2015/01/22 04:13:04 christos Exp $ */
/* $NetBSD: run.c,v 1.9 2015/01/22 15:29:27 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
__RCSID("$NetBSD: run.c,v 1.8 2015/01/22 04:13:04 christos Exp $");
__RCSID("$NetBSD: run.c,v 1.9 2015/01/22 15:29:27 christos Exp $");
#include <stdio.h>
#ifdef HAVE_UTIL_H
@ -72,10 +72,10 @@ run(const char *cmd, const char *name, ...)
va_end(ap);
if (debug) {
printf("run %s [", controlprog);
(*lfun)(LOG_DEBUG, "run %s [", controlprog);
for (i = 0; argv[i]; i++)
printf(" %s", argv[i]);
printf("]\n");
(*lfun)(LOG_DEBUG, " %s", argv[i]);
(*lfun)(LOG_DEBUG, "]\n");
}
fp = popenve(controlprog, __UNCONST(argv), environ, "r");
@ -89,7 +89,7 @@ run(const char *cmd, const char *name, ...)
res = NULL;
pclose(fp);
if (debug)
printf("%s returns %s\n", cmd, res);
(*lfun)(LOG_DEBUG, "%s returns %s\n", cmd, res);
return res;
}
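Review bot: `(*lfun)(LOG_DEBUG, "%s returns %s\n", cmd, res)` can be reached with `res == NULL` (the context line `res = NULL;` just above shows such a path), and a null pointer for `%s` is undefined behaviour in vprintf/vsyslog; guard it with `res ? res : "(null)"`. Separately, the argv dump is now one lfun call per token, so with a record-oriented logger the command line is split across several records; building the line in a bounded buffer and logging it once keeps it readable, as in the block below. run() starts before the hunk.
```c
	if (debug) {
		char cbuf[BUFSIZ] = "";
		size_t off = 0;

		for (i = 0; argv[i] && off < sizeof(cbuf); i++) {
			int l = snprintf(cbuf + off, sizeof(cbuf) - off, " %s", argv[i]);
			if (l < 0)
				break;
			off += (size_t)l;	/* snprintf keeps cbuf NUL-terminated on truncation */
		}
		(*lfun)(LOG_DEBUG, "run %s [%s]", controlprog, cbuf);
	}
	/* … unchanged: popenve call and result handling … */
```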


@ -1,4 +1,4 @@
/* $NetBSD: state.c,v 1.8 2015/01/22 04:13:04 christos Exp $ */
/* $NetBSD: state.c,v 1.9 2015/01/22 15:29:27 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
__RCSID("$NetBSD: state.c,v 1.8 2015/01/22 04:13:04 christos Exp $");
__RCSID("$NetBSD: state.c,v 1.9 2015/01/22 15:29:27 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@ -98,10 +98,10 @@ dumpkey(const struct dbkey *k)
{
const unsigned char *p = (const void *)k;
const unsigned char *e = p + sizeof(*k);
printf("%s: ", __func__);
(*lfun)(LOG_DEBUG, "%s: ", __func__);
while (p < e)
printf("%.2x", *p++);
printf("\n");
(*lfun)(LOG_DEBUG, "%.2x", *p++);
(*lfun)(LOG_DEBUG, "\n");
}
static void
@ -146,7 +146,7 @@ state_del(DB *db, const struct sockaddr_storage *ss, const struct conf *c)
case 0:
case 1:
if (debug > 1)
printf("%s: returns %d\n", __func__, rv);
(*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
return 0;
default:
(*lfun)(LOG_ERR, "%s: failed (%m)", __func__);
@ -178,7 +178,7 @@ state_get(DB *db, const struct sockaddr_storage *ss, const struct conf *c,
else
memcpy(dbi, v.data, sizeof(*dbi));
if (debug > 1)
printf("%s: returns %d\n", __func__, rv);
(*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
return 0;
default:
(*lfun)(LOG_ERR, "%s: failed (%m)", __func__);
@ -207,7 +207,7 @@ state_put(DB *db, const struct sockaddr_storage *ss, const struct conf *c,
switch (rv = (*db->put)(db, &k, &v, 0)) {
case 0:
if (debug > 1)
printf("%s: returns %d\n", __func__, rv);
(*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
return 0;
case 1:
errno = EEXIST;
@ -240,11 +240,11 @@ state_iterate(DB *db, struct sockaddr_storage *ss, struct conf *c,
dumpkey(kp);
memcpy(dbi, v.data, sizeof(*dbi));
if (debug > 1)
printf("%s: returns %d\n", __func__, rv);
(*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
return 1;
case 1:
if (debug > 1)
printf("%s: returns %d\n", __func__, rv);
(*lfun)(LOG_DEBUG, "%s: returns %d\n", __func__, rv);
return 0;
default:
(*lfun)(LOG_ERR, "%s: failed (%m)", __func__);
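Review bot: dumpkey() now emits one lfun record per byte (`(*lfun)(LOG_DEBUG, "%.2x", *p++)`), so with a record-oriented logger the key is scattered over two plus sizeof(*k) records instead of appearing as one hex string; format the key into a stack buffer and log it once, as below. The remaining hunks in this file only swap printf for lfun at `debug > 1` and already match the existing LOG_ERR call style apart from the trailing `\n`, which the error path does not use. dumpkey() is fully inside its hunk.
```c
dumpkey(const struct dbkey *k)
{
	const unsigned char *p = (const void *)k;
	const unsigned char *e = p + sizeof(*k);
	char hex[sizeof(*k) * 2 + 1];
	char *q = hex;

	while (p < e) {
		/* each byte always yields exactly two characters */
		snprintf(q, sizeof(hex) - (size_t)(q - hex), "%.2x", *p++);
		q += 2;
	}
	(*lfun)(LOG_DEBUG, "%s: %s", __func__, hex);
}
```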

193
external/bsd/blacklist/diff/named.diff vendored Normal file

@ -0,0 +1,193 @@
? named.diff
? pfilter.c
? pfilter.h
? x
Index: client.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v
retrieving revision 1.11
diff -u -u -r1.11 client.c
--- client.c 10 Dec 2014 04:37:51 -0000 1.11
+++ client.c 22 Jan 2015 06:47:45 -0000
@@ -65,6 +65,8 @@
#include <named/server.h>
#include <named/update.h>
+#include "pfilter.h"
+
/***
*** Client
***/
@@ -3101,6 +3103,7 @@
result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
acl, default_allow);
+ pfilter_notify(result, client, opname);
if (result == ISC_R_SUCCESS)
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
Index: main.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v
retrieving revision 1.15
diff -u -u -r1.15 main.c
--- main.c 10 Dec 2014 04:37:51 -0000 1.15
+++ main.c 22 Jan 2015 06:47:45 -0000
@@ -83,6 +83,9 @@
#ifdef HAVE_LIBXML2
#include <libxml/xmlversion.h>
#endif
+
+#include "pfilter.h"
+
/*
* Include header files for database drivers here.
*/
@@ -1206,6 +1209,8 @@
parse_command_line(argc, argv);
+ pfilter_open();
+
/*
* Warn about common configuration error.
*/
Index: query.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v
retrieving revision 1.17
diff -u -u -r1.17 query.c
--- query.c 10 Dec 2014 04:37:52 -0000 1.17
+++ query.c 22 Jan 2015 06:47:45 -0000
@@ -65,6 +65,8 @@
#include <named/sortlist.h>
#include <named/xfrout.h>
+#include "pfilter.h"
+
#if 0
/*
* It has been recommended that DNS64 be changed to return excluded
@@ -762,6 +764,7 @@
}
result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+ pfilter_notify(result, client, "validatezonedb");
if ((options & DNS_GETDB_NOLOG) == 0) {
char msg[NS_CLIENT_ACLMSGSIZE("query")];
if (result == ISC_R_SUCCESS) {
@@ -1026,6 +1029,7 @@
result = ns_client_checkaclsilent(client, NULL,
client->view->cacheacl,
ISC_TRUE);
+ pfilter_notify(result, client, "cachedb");
if (result == ISC_R_SUCCESS) {
/*
* We were allowed by the "allow-query-cache" ACL.
Index: update.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v
retrieving revision 1.9
diff -u -u -r1.9 update.c
--- update.c 10 Dec 2014 04:37:52 -0000 1.9
+++ update.c 22 Jan 2015 06:47:45 -0000
@@ -59,6 +59,8 @@
#include <named/server.h>
#include <named/update.h>
+#include "pfilter.h"
+
/*! \file
* \brief
* This module implements dynamic update as in RFC2136.
@@ -306,6 +308,7 @@
isc_result_t result;
result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+ pfilter_notify(result, client, "queryacl");
if (result != ISC_R_SUCCESS) {
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
@@ -362,6 +365,7 @@
msg = "disabled";
} else {
result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
+ pfilter_notify(result, client, "updateacl");
if (result == ISC_R_SUCCESS) {
level = ISC_LOG_DEBUG(3);
msg = "approved";
Index: xfrout.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v
retrieving revision 1.7
diff -u -u -r1.7 xfrout.c
--- xfrout.c 10 Dec 2014 04:37:52 -0000 1.7
+++ xfrout.c 22 Jan 2015 06:47:45 -0000
@@ -54,6 +54,8 @@
#include <named/server.h>
#include <named/xfrout.h>
+#include "pfilter.h"
+
/*! \file
* \brief
* Outgoing AXFR and IXFR.
@@ -821,7 +823,7 @@
question_name,
&client->peeraddr,
&db);
-
+ pfilter_notify(result, client, "zonexfr");
if (result == ISC_R_NOPERM) {
char _buf1[DNS_NAME_FORMATSIZE];
char _buf2[DNS_RDATACLASS_FORMATSIZE];
--- /dev/null 2015-01-22 01:48:00.000000000 -0500
+++ pfilter.c 2015-01-22 01:35:16.000000000 -0500
@@ -0,0 +1,42 @@
+#include <config.h>
+
+#include <isc/platform.h>
+#include <isc/util.h>
+#include <named/types.h>
+#include <named/client.h>
+
+#include <blacklist.h>
+
+#include "pfilter.h"
+
+static struct blacklist *blstate;
+
+void
+pfilter_open(void)
+{
+ if (blstate == NULL)
+ blstate = blacklist_open();
+}
+
+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
+
+void
+pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
+{
+ isc_socket_t *socket;
+
+ pfilter_open();
+
+ if (TCP_CLIENT(client))
+ socket = client->tcpsocket;
+ else {
+ socket = client->udpsocket;
+ if (!client->peeraddr_valid)
+ return;
+ }
+ if (socket == NULL)
+ return;
+ blacklist_sa_r(blstate,
+ res != ISC_R_SUCCESS, isc_socket_getfd(socket),
+ &client->peeraddr.type.sa, client->peeraddr.length, msg);
+}
--- /dev/null 2015-01-22 01:48:00.000000000 -0500
+++ pfilter.h 2015-01-22 01:16:56.000000000 -0500
@@ -0,0 +1,2 @@
+void pfilter_open(void);
+void pfilter_notify(isc_result_t, ns_client_t *, const char *);
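Review bot: In pfilter_notify() in pfilter.c, `blacklist_sa_r(blstate, ...)` is called even when `blacklist_open()` failed and left `blstate` NULL, since pfilter_open() only retries the open and does not report failure, whereas the sshd variant in ssh.diff returns early on a NULL state; unless blacklist_sa_r() is documented to accept NULL (I cannot see the library here), add `if (blstate == NULL) return;` after the `pfilter_open();` call. In xfrout.c the `result` passed to pfilter_notify() comes from the zone lookup rather than an ACL check, and the following `result == ISC_R_NOPERM` test shows it can be a non-success value that is not a denial, so a client asking for a zone the server does not hold would presumably be counted as a failed attempt; consider reporting only `result == ISC_R_NOPERM` there. `pfilter.h` uses `isc_result_t` and `ns_client_t` without including their headers, so it only compiles when included after `<named/client.h>`; including `<named/types.h>`, which pfilter.c already pulls in, at the top of the header would make it self-contained.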

114
external/bsd/blacklist/diff/ssh.diff vendored Normal file

@ -0,0 +1,114 @@
Index: bin/sshd/Makefile
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
retrieving revision 1.10
diff -u -r1.10 Makefile
--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
+++ bin/sshd/Makefile 21 Jan 2015 02:16:08 -0000
@@ -15,7 +15,7 @@
auth2-none.c auth2-passwd.c auth2-pubkey.c \
monitor_mm.c monitor.c monitor_wrap.c \
kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
- roaming_common.c roaming_serv.c sandbox-rlimit.c
+ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
COPTS.auth-options.c= -Wno-pointer-sign
COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
@@ -68,3 +68,6 @@
LDADD+= -lwrap
DPADD+= ${LIBWRAP}
+
+LDADD+= -lblacklist
+DPADD+= ${LIBBLACKLIST}
Index: dist/auth.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
retrieving revision 1.10
diff -u -r1.10 auth.c
--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
+++ dist/auth.c 21 Jan 2015 02:16:09 -0000
@@ -62,6 +62,7 @@
#include "monitor_wrap.h"
#include "krl.h"
#include "compat.h"
+#include "pfilter.h"
#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
@@ -362,6 +363,8 @@
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
+ if (!authctxt->postponed)
+ pfilter_notify(!authenticated);
free(authctxt->info);
authctxt->info = NULL;
}
Index: dist/sshd.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
retrieving revision 1.15
diff -u -u -r1.15 sshd.c
--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
+++ dist/sshd.c 21 Jan 2015 02:49:39 -0000
@@ -109,6 +109,7 @@
#include "roaming.h"
#include "ssh-sandbox.h"
#include "version.h"
+#include "pfilter.h"
#ifdef LIBWRAP
#include <tcpd.h>
@@ -364,6 +365,7 @@
killpg(0, SIGTERM);
}
+ pfilter_notify(1);
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
@@ -1160,6 +1162,7 @@
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
+ pfilter_init();
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.
--- /dev/null 2015-01-20 21:14:44.000000000 -0500
+++ dist/pfilter.c 2015-01-20 21:17:22.000000000 -0500
@@ -0,0 +1,27 @@
+#include "namespace.h"
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "pfilter.h"
+#include <blacklist.h>
+
+static struct blacklist *blstate;
+
+void
+pfilter_init()
+{
+ blstate = blacklist_open();
+}
+
+void
+pfilter_notify(int a)
+{
+ int fd;
+ if (blstate == NULL)
+ pfilter_init();
+ if (blstate == NULL)
+ return;
+ // XXX: 3?
+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
+ (void)blacklist_r(blstate, a, fd, "ssh");
+}
--- /dev/null 2015-01-20 21:14:44.000000000 -0500
+++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500
@@ -0,0 +1,3 @@
+
+void pfilter_notify(int);
+void pfilter_init(void);
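Review bot: The `pfilter_notify(1);` added in sshd.c sits next to `killpg(0, SIGTERM)` and `sigdie(...)`, which suggests this is the pre-authentication grace-time alarm handler; pfilter_notify() may then call blacklist_open() and blacklist_r() from signal context, and library calls that allocate and do socket I/O are unlikely to be async-signal-safe. If that is the handler, it would be safer to rely on the `pfilter_init()` call added in the listening loop having opened the state beforehand and to skip the open on this path, or to set a flag and report from the normal exit path. In pfilter.c the `// XXX: 3?` fallback fd is a guess the author flags; a comment stating why descriptor 3 is expected to be the connection socket when `packet_connection_is_on_socket()` is false, or skipping the report in that case, would settle it. `pfilter_init()` is also defined with empty parentheses while the header declares `void pfilter_init(void);`, so the definition should read `pfilter_init(void)` as well.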