
improve ipfw rule creation for blacklist-helper script
ClosedPublic

Authored by lidl on Feb 20 2017, 1:13 AM.

Details

Summary

The current blacklist-helper script adds a rule using 'ipfw add -q ...'
when an IP address/port needs to be blocked. The 'ipfw' command,
when using '-q', not only suppresses output messages, it also changes the
behaviour so that it allows duplicate rules!

So, probe for an existing rule first, and if that probe fails, only then add
the rule.
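The probe-then-add pattern described above, as an added example that is not the blacklistd-helper script itself. It assumes that `ipfw list N` exits non-zero when rule N is absent, so the add only runs when that probe fails; the `IPFW` variable is overridable so the logic can be exercised against a constructed stand-in instead of a live firewall.

```shell
# Added example (not the blacklistd-helper script). Assumption: "ipfw list N"
# exits non-zero when no rule numbered N exists.
IPFW=${IPFW:-/sbin/ipfw}

# Return 0 if a rule numbered $1 exists, non-zero otherwise.
ipfw_rule_exists() {
    "$IPFW" list "$1" >/dev/null 2>&1
}

# Add "$2 ..." as rule $1 unless a rule with that number already exists.
# Deliberately no -q: stdout is discarded anyway, and -q would let a second
# identical rule through.
ipfw_add_once() {
    rule=$1; shift
    ipfw_rule_exists "$rule" || "$IPFW" add "$rule" "$@" >/dev/null
}

# --- constructed stand-in for ipfw(8), only to drive the functions above ---
# Stores rules as "NUM BODY" lines in $FAKE_RULES and supports just
# "list N" (0 if present) and "add N ..." (append unconditionally).
FAKE_RULES=${FAKE_RULES:-$(mktemp "${TMPDIR:-/tmp}/ipfwrules.XXXXXX")}
: > "$FAKE_RULES"
fake_ipfw() {
    case $1 in
    list) grep -q "^$2 " "$FAKE_RULES" ;;
    add)  shift; echo "$*" >> "$FAKE_RULES" ;;
    *)    echo "fake_ipfw: unsupported: $*" >&2; return 1 ;;
    esac
}

# Attempt the same block rule twice through the stand-in and print how many
# copies ended up in the rule set (constructed address from 192.0.2.0/24).
demo_duplicate_add() {
    IPFW=fake_ipfw
    ipfw_add_once 65000 deny tcp from 192.0.2.10 to any dst-port 22
    ipfw_add_once 65000 deny tcp from 192.0.2.10 to any dst-port 22
    grep -c '^65000 ' "$FAKE_RULES"
}
```

Run `demo_duplicate_add` to see that the second call is a no-op, leaving a single rule 65000 in the stand-in's rule set.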

Test Plan

Tested in a virtual machine, seems to work for me, but I am not an ipfw expert.

Diff Detail

Repository
rS FreeBSD src repository

Event Timeline

lidl updated this revision to Diff 25401. Feb 20 2017, 1:13 AM
lidl retitled this revision from to improve ipfw rule creation for blacklist-helper script.
lidl updated this object.
lidl edited the test plan for this revision.
lidl added a reviewer: emaste.
lidl set the repository for this revision to rS FreeBSD src repository.
allanjude added inline comments.
contrib/blacklist/libexec/blacklistd-helper
Line 68 (On Diff #25401)

did you intend to drop the -q here?

lidl added inline comments. Feb 20 2017, 2:06 AM
contrib/blacklist/libexec/blacklistd-helper
Line 68 (On Diff #25401)

I thought about this a lot, and decided that I don't need it, since I'm redirecting away stdout.

emaste accepted this revision. Feb 22 2017, 4:56 PM
emaste edited edge metadata.

OK

This revision is now accepted and ready to land. Feb 22 2017, 4:56 PM
This revision was automatically updated to reflect the committed changes.