Index: etc/Makefile
===================================================================
--- etc/Makefile
+++ etc/Makefile
@@ -85,6 +85,10 @@
BIN1+= auto_master
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+BIN1+= blacklistd.conf
+.endif
+
.if ${MK_FREEBSD_UPDATE} != "no"
BIN1+= freebsd-update.conf
.endif
Index: etc/blacklistd.conf
===================================================================
--- /dev/null
+++ etc/blacklistd.conf
@@ -0,0 +1,13 @@
+# Blacklist rule
+# adr/mask:port type proto owner name nfail disable
+[local]
+ssh stream * * * 3 12h
+ftp stream * * * 3 12h
+#6161 stream tcp6 christos * 2 10m
+* * * * * 3 60
+
+# adr/mask:port type proto owner name nfail disable
+[remote]
+#129.168.0.0/16 * * * = * *
+#6161 = = = =/24 = =
+#* stream tcp * = = =
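Review bot: The `[remote]` example `#129.168.0.0/16` looks like a typo for the private range `192.168.0.0/16`; as written it names a public prefix, which is a misleading template in a file administrators will copy from. The catch-all `* * * * * 3 60` also gives its disable column as a bare `60` while the ssh and ftp rules above use `12h`; if the parser treats a unitless value as seconds this is a one-minute lockout versus twelve hours, so spell it `60s` or comment the intent. A one-line header above `[local]` such as `# After 'nfail' failures from one address, block it for the 'disable' period` would make the column semantics clear without consulting the manual.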
Index: etc/defaults/rc.conf
===================================================================
--- etc/defaults/rc.conf
+++ etc/defaults/rc.conf
@@ -266,6 +266,8 @@
hastd_flags="" # Optional flags to hastd.
ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
local_unbound_enable="NO" # local caching resolver
+blacklistd_enable="YES" # Run blacklistd daemon (YES/NO).
+blacklistd_flags="" # Optional flags for blacklistd(8).
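Review bot: `blacklistd_enable="YES"` turns the daemon on for every installation by default, whereas the neighbouring daemon knobs in this hunk (`ctld_enable`, `local_unbound_enable`) default to `NO`, which is the convention for services in etc/defaults/rc.conf. Enabling it unconditionally starts a root daemon whose helper drives pf rules (this diff's 520.pfdenied reads a `blacklistd` pf anchor) on systems that may never load pf and have not opted in to address lockout. Suggest `blacklistd_enable="NO"		# Run blacklistd daemon (YES/NO).` and let administrators enable it in rc.conf.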
#
# kerberos. Do not run the admin daemons on slave servers
Index: etc/periodic/security/520.pfdenied
===================================================================
--- etc/periodic/security/520.pfdenied
+++ etc/periodic/security/520.pfdenied
@@ -44,8 +44,14 @@
if check_yesno_period security_status_pfdenied_enable
then
TMP=`mktemp -t security`
- if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
- check_diff new_only pf ${TMP} "${host} pf denied packets:"
+ touch ${TMP}
+ for _a in "" "blacklistd"
+ do
+ pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
+ done
+ if [ -s ${TMP} ]; then
+ check_diff new_only pf ${TMP} "${host} pf denied packets:"
fi
rc=$?
rm -f ${TMP}
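Review bot: The first loop iteration passes an empty, unquoted `${_a}` to pfctl, so the shell drops the argument and pfctl is invoked as `pfctl -a -sr -v -z`, taking `-sr` as the anchor name; the main ruleset is therefore never inspected and the error is hidden by `2>/dev/null`. Emit `-a` only when an anchor is named: `pfctl ${_a:+-a "${_a}"} -sr -v -z 2>/dev/null | \`. The `touch ${TMP}` is also redundant, since mktemp(1) already creates the file. The enclosing `if check_yesno_period` block closes outside this hunk.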
Index: etc/rc.d/Makefile
===================================================================
--- etc/rc.d/Makefile
+++ etc/rc.d/Makefile
@@ -18,6 +18,7 @@
auditd \
auditdistd \
bgfsck \
+ ${_blacklistd} \
${_bluetooth} \
bridge \
${_bthidd} \
@@ -160,6 +161,10 @@
FILES+= autounmountd
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd+= blacklistd
+.endif
+
.if ${MK_BLUETOOTH} != "no"
_bluetooth= bluetooth
_bthidd= bthidd
Index: etc/rc.d/blacklistd
===================================================================
--- /dev/null
+++ etc/rc.d/blacklistd
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: netif
+# BEFORE: NETWORKING
+
+. /etc/rc.subr
+
+name="blacklistd"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+
+load_rc_config $name
+run_rc_command "$1"
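Review bot: The script orders itself only after `netif`, yet the daemon's helper manipulates pf (the `blacklistd` pf anchor read by 520.pfdenied in this diff), so without something like `# REQUIRE: pf` it can start before the packet filter is enabled and its first actions may fail — worth confirming against the helper's behaviour. There is also no `# KEYWORD: shutdown`, so rc will not stop the daemon at shutdown the way it does other long-running services. If blacklistd(8) writes a pidfile (the build pulls in pidfile.c), setting `pidfile=` lets `status` and `stop` avoid process-name matching.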
Index: lib/Makefile
===================================================================
--- lib/Makefile
+++ lib/Makefile
@@ -28,6 +28,7 @@
${_libatm} \
libauditd \
libbegemot \
+ ${_libblacklist} \
libblocksruntime \
${_libbluetooth} \
${_libbsnmp} \
@@ -159,6 +160,10 @@
_libngatm= libngatm
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_libblacklist= libblacklist
+.endif
+
.if ${MK_BLUETOOTH} != "no"
_libbluetooth= libbluetooth
_libsdp= libsdp
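Review bot: The library build is gated on `MK_BLACKLIST_SUPPORT` here, while src.libnames.mk in this diff registers `blacklist` in `_LIBRARIES` under `MK_BLACKLIST`; the `_SUPPORT` variable is the derived knob produced by the `.for var` loop in src.opts.mk, so `WITHOUT_BLACKLIST_SUPPORT` can switch one off without the other. In that configuration the LIBADD machinery advertises a library that is never built, and any consumer with `LIBADD+= blacklist` fails at link time instead of being skipped. Use the same knob in both places — whichever is meant to control building the library itself — e.g. `.if ${MK_BLACKLIST} != "no"` here to match src.libnames.mk.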
Index: lib/libblacklist/Makefile
===================================================================
--- /dev/null
+++ lib/libblacklist/Makefile
@@ -0,0 +1,30 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${.CURDIR}/../../contrib/blacklist
+
+.PATH: ${BLACKLIST_DIR}/lib ${BLACKLIST_DIR}/include
+
+LIB= blacklist
+SHLIB_MAJOR= 0
+
+LIBADD+= pthread
+
+CFLAGS.clang+=-Wno-thread-safety-analysis
+
+CFLAGS+= -I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port
+CFLAGS+= -D_REENTRANT -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H
+CFLAGS+= -DHAVE_CLOCK_GETTIME -DHAVE_GETPROGNAME -DHAVE_STRLCAT
+CFLAGS+= -DHAVE_STRLCPY -DHAVE_STRUCT_SOCKADDR_SA_LEN
+
+SRCS= bl.c blacklist.c
+INCS= blacklist.h
+MAN= libblacklist.3
+
+MLINKS= libblacklist.3 blacklist_open.3 \
+ libblacklist.3 blacklist_close.3 \
+ libblacklist.3 blacklist.3 \
+ libblacklist.3 blacklist_r.3 \
+ libblacklist.3 blacklist_sa.3 \
+ libblacklist.3 blacklist_sa_r.3
+
+.include <bsd.lib.mk>
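Review bot: `CFLAGS.clang+=-Wno-thread-safety-analysis` silences clang's lock-annotation checker for a library that links pthread, with no comment on why; that warning class is precisely what catches unbalanced locking, so the reason belongs in the file, e.g. `# contrib code carries no clang thread-safety annotations; silence the analysis rather than patch upstream`, if that is indeed the reason. The library also defines `-D_REENTRANT` while both program Makefiles in this diff carry it only as a commented-out line, so apply the flag consistently or drop the dead lines.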
Index: libexec/Makefile
===================================================================
--- libexec/Makefile
+++ libexec/Makefile
@@ -5,6 +5,7 @@
SUBDIR= ${_atf} \
${_atrun} \
+ ${_blacklistd-helper} \
${_comsat} \
${_dma} \
getty \
@@ -33,6 +34,10 @@
_atrun= atrun
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd-helper+= blacklistd-helper
+.endif
+
.if ${MK_BOOTPD} != "no"
SUBDIR+= bootpd
.endif
Index: libexec/blacklistd-helper/Makefile
===================================================================
--- /dev/null
+++ libexec/blacklistd-helper/Makefile
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${.CURDIR}/../../contrib/blacklist
+
+SCRIPTS= ${BLACKLIST_DIR}/libexec/blacklistd-helper
+
+.include <bsd.prog.mk>
Index: share/mk/bsd.libnames.mk
===================================================================
--- share/mk/bsd.libnames.mk
+++ share/mk/bsd.libnames.mk
@@ -22,6 +22,7 @@
LIBAUDITD?= ${DESTDIR}${LIBDIR}/libauditd.a
LIBAVL?= ${DESTDIR}${LIBDIR}/libavl.a
LIBBEGEMOT?= ${DESTDIR}${LIBDIR}/libbegemot.a
+LIBBLACKLIST?= ${DESTDIR}${LIBDIR}/libblacklist.a
LIBBLUETOOTH?= ${DESTDIR}${LIBDIR}/libbluetooth.a
LIBBSDXML?= ${DESTDIR}${LIBDIR}/libbsdxml.a
LIBBSM?= ${DESTDIR}${LIBDIR}/libbsm.a
Index: share/mk/src.libnames.mk
===================================================================
--- share/mk/src.libnames.mk
+++ share/mk/src.libnames.mk
@@ -176,6 +176,12 @@
zfs \
zpool \
+.if ${MK_BLACKLIST} != "no"
+_LIBRARIES+= \
+ blacklist \
+
+.endif
+
.if ${MK_OFED} != "no"
_LIBRARIES+= \
cxgb4 \
@@ -198,6 +204,9 @@
# 2nd+ order consumers. Auto-generating this would be better.
_DP_80211= sbuf bsdxml
_DP_archive= z bz2 lzma bsdxml
+.if ${MK_BLACKLIST} != "no"
+_DP_blacklist+= pthread
+.endif
.if ${MK_OPENSSL} != "no"
_DP_archive+= crypto
.else
@@ -500,6 +509,7 @@
LIBATF_CDIR= ${OBJTOP}/lib/atf/libatf-c
LIBATF_CXXDIR= ${OBJTOP}/lib/atf/libatf-c++
LIBALIASDIR= ${OBJTOP}/lib/libalias/libalias
+LIBBLACKLISTDIR= ${OBJTOP}/lib/libblacklist
LIBBLOCKSRUNTIMEDIR= ${OBJTOP}/lib/libblocksruntime
LIBBSNMPDIR= ${OBJTOP}/lib/libbsnmp/libbsnmp
LIBCAP_CASPERDIR= ${OBJTOP}/lib/libcasper/libcasper
Index: share/mk/src.opts.mk
===================================================================
--- share/mk/src.opts.mk
+++ share/mk/src.opts.mk
@@ -56,6 +56,7 @@
BHYVE \
BINUTILS \
BINUTILS_BOOTSTRAP \
+ BLACKLIST \
BLUETOOTH \
BOOT \
BOOTPARAMD \
@@ -372,6 +373,7 @@
# MK_* variable is set to "no".
#
.for var in \
+ BLACKLIST \
BZIP2 \
GNU \
INET \
Index: tools/build/mk/OptionalObsoleteFiles.inc
===================================================================
--- tools/build/mk/OptionalObsoleteFiles.inc
+++ tools/build/mk/OptionalObsoleteFiles.inc
@@ -401,6 +401,26 @@
OLD_FILES+=usr/share/man/man7/binutils.7.gz
.endif
+.if ${MK_BLACKLIST_SUPPORT} == no
+OLD_FILES+=etc/rc.d/blacklistd
+OLD_FILES+=usr/include/blacklist.h
+OLD_FILES+=usr/lib/libblacklist.a
+OLD_FILES+=usr/lib/libblacklist_p.a
+OLD_FILES+=usr/lib/libblacklist.so
+OLD_LIBS+=usr/lib/libblacklist.so.0
+OLD_FILES+=usr/libexec/blacklistd-helper
+OLD_FILES+=usr/sbin/blacklistctl
+OLD_FILES+=usr/sbin/blacklistd
+OLD_FILES+=usr/share/man/man3/blacklist.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_close.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_open.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_r.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa_r.3.gz
+OLD_FILES+=usr/share/man/man8/blacklistctl.8.gz
+OLD_FILES+=usr/share/man/man8/blacklistd.8.gz
+.endif
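Review bot: `etc/blacklistd.conf`, which etc/Makefile installs via `BIN1` in this diff, is missing from the `MK_BLACKLIST_SUPPORT == no` obsolete list, while the neighbouring `MK_BLUETOOTH` block does list its `etc/bluetooth/*.conf` files. Add `OLD_FILES+=etc/blacklistd.conf` so `make delete-old` removes it together with the daemon and rc script on builds that disable the option.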
+
.if ${MK_BLUETOOTH} == no
OLD_FILES+=etc/bluetooth/hcsecd.conf
OLD_FILES+=etc/bluetooth/hosts
Index: usr.sbin/blacklistctl/Makefile
===================================================================
--- /dev/null
+++ usr.sbin/blacklistctl/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${.CURDIR}/../../contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG= blacklistctl
+SRCS= blacklistctl.c conf.c state.c support.c internal.c \
+ sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN= blacklistctl.8
+
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+= -I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port
+CFLAGS+= -D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\"
+# CFLAGS+= -D_REENTRANT
+CFLAGS+= -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H
+CFLAGS+= -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN
+CFLAGS+= -DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY
+CFLAGS+= -DHAVE_STRUCT_SOCKADDR_SA_LEN
+
+.include <bsd.prog.mk>
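Review bot: `LDFLAGS+=-L${LIBBLACKLISTDIR}` hand-adds a link path that `LIBADD+= blacklist` already resolves through src.libnames.mk (this diff registers `LIBBLACKLISTDIR` there), so the explicit flag is redundant and can mask a missing dependency declaration if LIBADD is later edited. Dropping the line leaves the library lookup with a single source of truth; the same line appears in the blacklistd Makefile.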
Index: usr.sbin/blacklistd/Makefile
===================================================================
--- /dev/null
+++ usr.sbin/blacklistd/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${.CURDIR}/../../contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG= blacklistd
+SRCS= blacklistd.c conf.c run.c state.c support.c internal.c \
+ sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN= blacklistd.8
+
+LDFLAGS+= -L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+= -I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port
+CFLAGS+= -D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\"
+# CFLAGS+= -D_REENTRANT
+CFLAGS+= -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H
+CFLAGS+= -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN
+CFLAGS+= -DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY
+CFLAGS+= -DHAVE_STRUCT_SOCKADDR_SA_LEN
+
+.include <bsd.prog.mk>
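Review bot: This Makefile repeats the blacklistctl one almost line for line (`BLACKLIST_DIR`, `.PATH`, `LIBADD`, and all six `CFLAGS` lines), so any change to the `HAVE_*` feature set or the `_PATH_BLCONTROL` helper path has to be made twice and the two can silently diverge. Move the shared definitions into one file that both Makefiles `.include`, leaving only `PROG`, `SRCS` and `MAN` here. The commented-out `# CFLAGS+= -D_REENTRANT` is dead text — either apply the flag, as lib/libblacklist does, or delete the line.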
