Add experimental support for ipfilter to blacklistd-helper.
AbandonedPublic
Actions

Authored by cy on Jun 9 2016, 6:20 PM.

Details

Reviewers

Summary

Basic support for ipfilter. It provides similar examples to ipfw and pf in the same file. See D6753 for the ipfw version of this diff.

Test Plan

This will be tested on my testbed.

Repository

rS FreeBSD src repository - subversion

Lint

Lint Skipped

Unit

Tests Skipped

cy retitled this revision from to Add experimental support for ipfilter to blacklistd-helper..

cy updated this object.

cy edited the test plan for this revision. (Show Details)

cy set the repository for this revision to rS FreeBSD src repository - subversion.

When you test this, make sure you test it with IPv6 traffic too.

blacklistd-helper
19	I dislike that "ipfilter" uses "ipf.conf", but I guess that's just the way it is. Grumble.
56	This doesn't look right. It's going expand to something like this for ssh traffic: block in quick proto upd from xxxx/yy to any port =port 22 head port 2222 Maybe that last 'head $port$6' ought to be 'head port$6"... Also, I thought you had to flag IPv6 rules with '-6' to get them to be accepted. Both pf and ipfw will "just deal" with IPv6 addresses.
81	I don't think this is right either. 'to any port =$port' is going to expand to: 'to any port =port 22'

cy edited edge metadata.

cy added inline comments.

blacklistd-helper
19	I suppose we could change it to ipfilter.conf but that would be a POLA violation. The customer can call it whatever he wants.
56	There should be a space between = and port and $port$6 should be port $6. No -6 is required any more. ipf 5.1.2 no longer puts the rules in separate tables.

This review can be abandoned. The ipfilter support was added several months ago. Any problems with the code would need a new review.

Yup, see D6823 (from SVN r301843)

Other revision committed.

Path

Size

14 lines