Add experimental support for IPFW to blacklistd-helper
ClosedPublic
Actions

Authored by • lidl on Jun 8 2016, 3:16 AM.

Details

Reviewers

emaste
rpaulo
imp
ache

Commits

rS301736: Add IPFW support to blacklistd-helper

Summary

Basic support for IPFW.

It's unfortunate that the -q flag to ipfw does not suppress warning messages about
table operations.

Uses /etc/ipfw.conf to override settings for ipfw_offset (where the rule numbers start).
If this file isn't a shell script, things will probably go badly for the user.

Test Plan

Lightly tested in a virtual machine. Tables are created, addresses are added and removed as needed.

This code is intended as a starting point for IPFW users to experiment with blacklistd. It can almost
certainly be improved. Suggestions are welcome.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

• lidl updated this revision to Diff 17393.Jun 8 2016, 3:16 AM

• lidl retitled this revision from to Add experimental support for IPFW to blacklistd-helper.

• lidl updated this object.

• lidl edited the test plan for this revision. (Show Details)

• lidl added reviewers: rpaulo, emaste, imp, ache.

• lidl set the repository for this revision to rS FreeBSD src repository - subversion.

ipfw.conf is definitely bad name for the shell script. change it to ipfw.rc
It will be better to specify "dst-port", i.e. "to any dst-port $6" instead of "to any $6" to keep it working in case ipfw syntax will become stricter.
It will be nice to use protocol supplied, i.e. "drop $3" instead of "drop ip".
Tables named with numbers only, you can't make/use table with "port$6" name. Table number can be specified in the ipfw.rc

There is no such command /sbin/ipfw table $tname create type addr (at least on -stable), tables are created/deleted automatically when something added/removed to them. You can list current tables with

ipfw table all list
and current rules with
ipfw list

In D6753#142209, @ache wrote:

Tables named with numbers only, you can't make/use table with "port$6" name. Table number can be specified in the ipfw.rc

It is for -stable. It seems -current allow names here.

In D6753#142210, @ache wrote:

There is no such command /sbin/ipfw table $tname create type addr (at least on -stable), tables are created/deleted automatically when something added/removed to them.

This is for -current only too. It seems there is no plans to merge new ipfw changes to -stable, so if you want to see blacklistd on -stable to, table stuff should be rewritten.

In D6753#142209, @ache wrote:

ipfw.conf is definitely bad name for the shell script. change it to ipfw.rc

ipfw.rc name is still confusing with ipfw initialization script. Better name it as ipfw-blacklist.rc

Updated to reflect first pass of review comments. Note - this round of changes hasn't been tested on my virtual machine (yet).

I'm not terribly inclined to butcher the ipfw syntax to be backwards compatible to FreeBSD-10.

I've looked at doing the back-port for blacklistd to FreeBSD-10, and while it can be done, it's not like the work can be shared with FreeBSD-11. This is mostly due to the different way that build-time options are done in FreeBSD-11 is very different than FreeBSD-10, as well as using LIBADD+= in all the Makefiles, vs the older syntax (LDADD+=, DPADD+=) with FreeBSD-10.

• lidl set the repository for this revision to rS FreeBSD src repository - subversion.Jun 8 2016, 2:29 PM

Closed by commit rS301736: Add IPFW support to blacklistd-helper (authored by • lidl). · Explain WhyJun 9 2016, 3:19 PM

This revision was automatically updated to reflect the committed changes.

cy mentioned this in D6788: Add experimental support for ipfilter to blacklistd-helper..Jun 9 2016, 6:20 PM