Index: contrib/blacklist/bin/blacklistd.c
===================================================================
--- contrib/blacklist/bin/blacklistd.c
+++ contrib/blacklist/bin/blacklistd.c
@@ -214,6 +214,17 @@
 }
 switch (bi->bi_type) {
+ case BL_ABUSE:
+ /*
+ * If the application has signaled abusive behavior,
+ * set the number of fails to be one less than the
+ * configured limit. Fallthrough to the normal BL_ADD
+ * processing, which will increment the failure count
+ * to the threshhold, and block the abusive address.
+ */
+ if (c.c_nfail != -1)
+ dbi.count = c.c_nfail - 1;
+ /*FALLTHROUGH*/
 case BL_ADD:
 dbi.count++;
 dbi.last = ts.tv_sec;
@@ -249,6 +260,9 @@
 dbi.count = 0;
 dbi.last = 0;
 break;
+ case BL_BADUSER:
+ /* ignore for now */
+ break;
 default:
 (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
 }
Index: contrib/blacklist/include/bl.h
===================================================================
--- contrib/blacklist/include/bl.h
+++ contrib/blacklist/include/bl.h
@@ -40,7 +40,9 @@
 typedef enum {
 BL_INVALID,
 BL_ADD,
- BL_DELETE
+ BL_DELETE,
+ BL_ABUSE,
+ BL_BADUSER
 } bl_type_t;
 typedef struct {
Index: contrib/blacklist/include/blacklist.h
===================================================================
--- contrib/blacklist/include/blacklist.h
+++ contrib/blacklist/include/blacklist.h
@@ -43,4 +43,13 @@
 const struct sockaddr *, socklen_t, const char *);
 __END_DECLS
+/* action values for user applications */
+#define BLACKLIST_API_ENUM 1
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL,
+ BLACKLIST_ABUSIVE_BEHAVIOR,
+ BLACKLIST_BAD_USER
+};
+
 #endif /* _BLACKLIST_H */
Index: contrib/blacklist/lib/blacklist.c
===================================================================
--- contrib/blacklist/lib/blacklist.c
+++ contrib/blacklist/lib/blacklist.c
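Review bot: In the new BL_ABUSE case, `if (c.c_nfail != -1) dbi.count = c.c_nfail - 1;` excludes only the -1 sentinel, so if the configured limit can be 0 the subtraction yields -1 and the fall-through increment lands on 0, meaning an abuse report never reaches the block threshold. Unless the config parser already rejects a zero limit (not visible here), `if (c.c_nfail > 0)` is the safer guard, and the comment should state that with an unlimited or zero c_nfail a BL_ABUSE message degrades to a plain BL_ADD increment rather than an immediate block. The comment also misspells "threshhold"; it should read `to the threshold, and block the abusive address.`. The enclosing function starts and ends outside the hunk.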
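Review bot: The new BL_BADUSER case discards the message without any trace, so an application that already sends BLACKLIST_BAD_USER (which libblacklist now forwards as BL_BADUSER) leaves nothing in the daemon log showing its report was dropped, which makes the "not currently available" state hard to diagnose. A single debug-level line, `(*lfun)(LOG_DEBUG, "BL_BADUSER not implemented, ignored");`, keeps the no-op behaviour while making it observable, assuming lfun honours syslog priorities as the LOG_ERR call in the default branch suggests.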
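Review bot: The new public enum in blacklist.h lacks a comment recording that BLACKLIST_AUTH_OK and BLACKLIST_AUTH_FAIL must keep the values 0 and 1: existing callers built against the old `action ? BL_ADD : BL_DELETE` contract pass those literals, and blacklist_sa_r now relies on the same numbering, so reordering or inserting before them would silently invert add/delete for old binaries. Suggest `/* BLACKLIST_AUTH_OK/FAIL must stay 0/1; pre-enum callers pass those literals */` above `BLACKLIST_AUTH_OK = 0,`, and a one-line comment on BLACKLIST_API_ENUM saying it lets applications test at compile time that the named actions exist.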
@@ -61,7 +61,27 @@
 blacklist_sa_r(struct blacklist *bl, int action, int rfd,
 const struct sockaddr *sa, socklen_t slen, const char *msg)
 {
- return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg);
+ int internal_action;
+
+ /* internal values are not the same as user application values */
+ switch (action) {
+ case BLACKLIST_AUTH_FAIL:
+ internal_action = BL_ADD;
+ break;
+ case BLACKLIST_AUTH_OK:
+ internal_action = BL_DELETE;
+ break;
+ case BLACKLIST_ABUSIVE_BEHAVIOR:
+ internal_action = BL_ABUSE;
+ break;
+ case BLACKLIST_BAD_USER:
+ internal_action = BL_BADUSER;
+ break;
+ default:
+ internal_action = BL_INVALID;
+ break;
+ }
+ return bl_send(bl, internal_action, rfd, sa, slen, msg);
 }
 int
Index: contrib/blacklist/lib/libblacklist.3
===================================================================
--- contrib/blacklist/lib/libblacklist.3
+++ contrib/blacklist/lib/libblacklist.3
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 22, 2015
+.Dd May 5, 2017
 .Dt LIBBLACKLIST 3
 .Os
 .Sh NAME
@@ -76,13 +76,9 @@
 .Fn blacklist
 function sends a message to
 .Xr blacklistd 8 ,
-with an
+with an integer
 .Ar action
-argument specifying
-.Dv 1
-for a failed connection or
-.Dv 0
-for a successful connection,
+argument specifying the type of notification,
 a file descriptor
 .Ar fd
 specifying the accepted file descriptor connected to the client,
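Review bot: The `default:` branch maps an out-of-range action to BL_INVALID and still sends it to the daemon, where the only visible outcome is the `unknown message %d` LOG_ERR in blacklistd.c; the caller gets no indication that its argument was bad, only a round trip that produces a log line on the daemon side. If bl_send follows the -1/errno convention (its body is not in this diff), `default: errno = EINVAL; return -1;` rejects the value locally and keeps malformed types off the socket entirely. Note also that the removed line treated every non-zero action as BL_ADD, so a caller passing a value other than 0 or 1 changes behaviour with this commit; that deserves a sentence in the manpage or commit message. blacklist_sa_r's return type is on the line before the hunk.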
@@ -91,6 +87,30 @@
 argument.
 .Pp
 The
+.Ar action
+parameter can take these values:
+.Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR"
+.It Va BLACKLIST_AUTH_FAIL
+There was an unsuccessful authentication attempt.
+.It Va BLACKLIST_AUTH_OK
+A user successfully authenticated.
+.It Va BLACKLIST_ABUSIVE_BEHAVIOR
+The sending daemon has detected abusive behavior
+from the remote system. The remote address should
+be blocked as soon as possible.
+.It Va BLACKLIST_BAD_USER
+The sending daemon has determined the username
+presented for authentication is invalid. The
+.Xr blacklistd 8
+daemon compares the username to a configured list of forbidden
+usernames and
+blocks the address immediately if a forbidden username matches.
+(The
+.Ar BLACKLIST_BAD_USER
+support is not currently available.)
+.El
+.Pp
+The
 .Fn blacklist_r
 function is more efficient because it keeps the blacklist state around.
 .Pp
@@ -102,8 +122,13 @@
 .Xr getpeername 2
 will not work, the server will pass the peer name in the message.
 .Pp
-All functions log errors to
-.Xr syslogd 8 .
+By default,
+.Xr syslogd 8
+is used for message logging.
+The internal
+.Fn bl_create
+function can be used to create the required internal
+state and specify a custom logging function.
 .Sh RETURN VALUES
 The function
 .Fn bl_open