
D10604.diff

Index: head/contrib/blacklist/bin/blacklistd.c
===================================================================
--- head/contrib/blacklist/bin/blacklistd.c
+++ head/contrib/blacklist/bin/blacklistd.c
@@ -214,6 +214,17 @@
}
switch (bi->bi_type) {
+ case BL_ABUSE:
+ /*
+ * If the application has signaled abusive behavior,
+ * set the number of fails to be one less than the
+ * configured limit. Fallthrough to the normal BL_ADD
+ * processing, which will increment the failure count
+ * to the threshhold, and block the abusive address.
+ */
+ if (c.c_nfail != -1)
+ dbi.count = c.c_nfail - 1;
+ /*FALLTHROUGH*/
case BL_ADD:
dbi.count++;
dbi.last = ts.tv_sec;
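Review bot: The comment above `if (c.c_nfail != -1)` misspells "threshhold" and does not say what happens when the guard is false: with `c.c_nfail == -1` an abuse report falls through and is counted as one ordinary failure, which looks intentional but should be stated, e.g. `* to the threshold, and block the abusive address. With no` / `* configured limit (c_nfail == -1) abuse counts as one failure.` Whether -1 is the only "no limit" value, and whether `c_nfail` can be 0 (which would set `dbi.count` to -1 before the increment), is not visible in the hunk and is worth confirming against where `c_nfail` is parsed. The enclosing function starts before the hunk and continues past it.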
@@ -249,6 +260,9 @@
dbi.count = 0;
dbi.last = 0;
break;
+ case BL_BADUSER:
+ /* ignore for now */
+ break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}
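Review bot: `case BL_BADUSER:` discards the message with no trace, so an operator running a client that already sends bad-user notifications has no way to see that the daemon received and dropped them. A low-priority log through the existing logging hook, `(*lfun)(LOG_DEBUG, "ignoring BL_BADUSER message");`, would keep the "ignore for now" semantics while making the unimplemented path observable. The switch and its enclosing function begin before this hunk.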
Index: head/contrib/blacklist/include/bl.h
===================================================================
--- head/contrib/blacklist/include/bl.h
+++ head/contrib/blacklist/include/bl.h
@@ -40,7 +40,9 @@
typedef enum {
BL_INVALID,
BL_ADD,
- BL_DELETE
+ BL_DELETE,
+ BL_ABUSE,
+ BL_BADUSER
} bl_type_t;
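Review bot: `BL_ABUSE` and `BL_BADUSER` are appended after `BL_DELETE`, which keeps the existing numeric values stable, but nothing in the header records that the order matters. If `bl_type_t` is carried in the message sent to blacklistd (bl_send is not in view), a comment such as `/* values are sent on the wire: append only, never reorder */` above the typedef would protect that, and it is worth noting that an older daemon receiving the new values reaches its `unknown message` default.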
typedef struct {
Index: head/contrib/blacklist/include/blacklist.h
===================================================================
--- head/contrib/blacklist/include/blacklist.h
+++ head/contrib/blacklist/include/blacklist.h
@@ -43,4 +43,13 @@
const struct sockaddr *, socklen_t, const char *);
__END_DECLS
+/* action values for user applications */
+#define BLACKLIST_API_ENUM 1
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL,
+ BLACKLIST_ABUSIVE_BEHAVIOR,
+ BLACKLIST_BAD_USER
+};
+
#endif /* _BLACKLIST_H */
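Review bot: `#define BLACKLIST_API_ENUM 1` has no comment explaining its role; it reads as a feature-test macro so applications can detect the action constants at compile time, and that should be written down, e.g. `/* Defined when the action constants below exist; test with #ifdef. */`. The mapping in blacklist.c depends on `BLACKLIST_AUTH_OK` being 0 and `BLACKLIST_AUTH_FAIL` being 1 so that callers using the old 0/1 convention keep working; writing `BLACKLIST_AUTH_FAIL = 1,` explicitly would make that dependency visible. Placing the enum after `__END_DECLS` is harmless for an enum but differs from the declarations above it.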
Index: head/contrib/blacklist/lib/blacklist.c
===================================================================
--- head/contrib/blacklist/lib/blacklist.c
+++ head/contrib/blacklist/lib/blacklist.c
@@ -61,7 +61,27 @@
blacklist_sa_r(struct blacklist *bl, int action, int rfd,
const struct sockaddr *sa, socklen_t slen, const char *msg)
{
- return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg);
+ int internal_action;
+
+ /* internal values are not the same as user application values */
+ switch (action) {
+ case BLACKLIST_AUTH_FAIL:
+ internal_action = BL_ADD;
+ break;
+ case BLACKLIST_AUTH_OK:
+ internal_action = BL_DELETE;
+ break;
+ case BLACKLIST_ABUSIVE_BEHAVIOR:
+ internal_action = BL_ABUSE;
+ break;
+ case BLACKLIST_BAD_USER:
+ internal_action = BL_BADUSER;
+ break;
+ default:
+ internal_action = BL_INVALID;
+ break;
+ }
+ return bl_send(bl, internal_action, rfd, sa, slen, msg);
}
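Review bot: An out-of-range `action` is now forwarded to the daemon as `BL_INVALID` instead of being rejected locally; the `default:` branch could instead do `errno = EINVAL;` and `return -1;` so the misusing application gets an error rather than blacklistd logging "unknown message" on its behalf. This also narrows behavior relative to the removed `action ? BL_ADD : BL_DELETE`, where any non-zero value counted as a failure; a caller passing a value other than 0 or 1 now produces an invalid message rather than a block, which deserves a comment here or a line in the man page. bl_send's return convention is not in the hunk, so -1 as the error value is assumed.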
int
Index: head/contrib/blacklist/lib/libblacklist.3
===================================================================
--- head/contrib/blacklist/lib/libblacklist.3
+++ head/contrib/blacklist/lib/libblacklist.3
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 22, 2015
+.Dd May 5, 2017
.Dt LIBBLACKLIST 3
.Os
.Sh NAME
@@ -76,13 +76,9 @@
.Fn blacklist
function sends a message to
.Xr blacklistd 8 ,
-with an
+with an integer
.Ar action
-argument specifying
-.Dv 1
-for a failed connection or
-.Dv 0
-for a successful connection,
+argument specifying the type of notification,
a file descriptor
.Ar fd
specifying the accepted file descriptor connected to the client,
@@ -91,6 +87,30 @@
argument.
.Pp
The
+.Ar action
+parameter can take these values:
+.Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR"
+.It Va BLACKLIST_AUTH_FAIL
+There was an unsuccessful authentication attempt.
+.It Va BLACKLIST_AUTH_OK
+A user successfully authenticated.
+.It Va BLACKLIST_ABUSIVE_BEHAVIOR
+The sending daemon has detected abusive behavior
+from the remote system. The remote address should
+be blocked as soon as possible.
+.It Va BLACKLIST_BAD_USER
+The sending daemon has determined the username
+presented for authentication is invalid. The
+.Xr blacklistd 8
+daemon compares the username to a configured list of forbidden
+usernames and
+blocks the address immediately if a forbidden username matches.
+(The
+.Ar BLACKLIST_BAD_USER
+support is not currently available.)
+.El
+.Pp
+The
.Fn blacklist_r
function is more efficient because it keeps the blacklist state around.
.Pp
@@ -102,8 +122,13 @@
.Xr getpeername 2
will not work, the server will pass the peer name in the message.
.Pp
-All functions log errors to
-.Xr syslogd 8 .
+By default,
+.Xr syslogd 8
+is used for message logging.
+The internal
+.Fn bl_create
+function can be used to create the required internal
+state and specify a custom logging function.
.Sh RETURN VALUES
The function
.Fn blacklist_open
