Module Name: src
Committed By: christos
Date: Mon Jan 27 17:20:49 UTC 2025
Modified Files:
src/external/bsd/blocklist/libexec: blocklistd-helper
Log Message:
PR/14: robohack: make packet filter detection more reliable and add
explanatory comments.
To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/external/bsd/blocklist/libexec/blocklistd-helper
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/external/bsd/blocklist/libexec/blocklistd-helper
diff -u src/external/bsd/blocklist/libexec/blocklistd-helper:1.9 src/external/bsd/blocklist/libexec/blocklistd-helper:1.10
--- src/external/bsd/blocklist/libexec/blocklistd-helper:1.9 Mon Jan 27 12:17:49 2025
+++ src/external/bsd/blocklist/libexec/blocklistd-helper Mon Jan 27 12:20:49 2025
@@ -14,19 +14,18 @@ if [ -f "/etc/ipfw-blocklist.rc" ]; then
pf="ipfw"
. /etc/ipfw-blocklist.rc
ipfw_offset=${ipfw_offset:-2000}
-else
- # ipfilter NetBSD, FreeBSD, Linux
- for f in /etc/ipf.conf /etc/ipf.rules /etc/netscript/ipfilter.conf; do
- if [ -f "$f" ]; then
- pf="ipf"
- break
- fi
- done
fi
if [ -z "$pf" ]; then
- for f in npf pf; do
- if [ -f "/etc/$f.conf" ]; then
+ for f in npf pf ipfilter ipfw; do
+ if [ -x /etc/rc.d/$f ]; then
+ if /etc/rc.d/$f status >/dev/null 2>&1; then
+ pf="$f"
+ break
+ fi
+ elif [ -f "/etc/$f.conf" ]; then
+ # xxx assume a config file means it can be enabled --
+ # and the first one wins!
pf="$f"
break
fi
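Review bot: The ipfilter fallback in the new `elif` tests `/etc/$f.conf`, i.e. `/etc/ipfilter.conf`, but the comment in the add arm further down says the rules are assumed to live in `/etc/ipf.conf`, which is one of the paths the removed loop checked; a host with an ipf.conf but no runnable or not-yet-enabled `/etc/rc.d/ipfilter` now ends up with `pf` empty and no filter is driven at all. The `/etc/ipf.rules` and `/etc/netscript/ipfilter.conf` paths are dropped too, which matters on the non-NetBSD systems the removed comment named. One way to keep the old coverage is `elif [ -f "/etc/$f.conf" ] || { [ "$f" = ipfilter ] && [ -f /etc/ipf.conf ]; }; then`. Since the `status` probe picks the first filter that reports running, a host with two filters enabled silently gets the earlier one; a comment such as `# list order is the priority order when several filters are enabled` above the `for` would make that explicit. The loop's `done` and the enclosing `fi` lie outside this hunk.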
@@ -69,14 +68,19 @@ esac
case "$1" in
add)
case "$pf" in
- ipf)
+ ipfilter)
# N.B.: If you reload /etc/ipf.conf then you need to stop and
- # restart blocklistd (and make sure blocklistd_flags="-r"):
- #
- # /etc/rc.d/ipfilter reload
- # /etc/rc.d/blocklistd restart
+ # restart blocklistd (and make sure blocklistd_flags="-r").
+ # This should normally already be implemented in
+ # /etc/rc.d/ipfilter, but if then not add the following lines to
+ # the end of the ipfilter_reload() function:
+ #
+ # if checkyesnox blocklistd; then
+ # /etc/rc.d/blocklistd restart
+ # fi
#
# XXX we assume the following rule is present in /etc/ipf.conf:
+ # (should we check? -- it probably cannot be added dynamically)
#
# block in proto tcp/udp from any to any head blocklistd
#
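Review bot: The new comment text `but if then not add the following lines to the end of the ipfilter_reload() function` is hard to parse; suggest `This should already be handled by /etc/rc.d/ipfilter; if it is not, add the following lines to the end of its ipfilter_reload() function:`. The added `(should we check? -- it probably cannot be added dynamically)` leaves the reader without the consequence of the head rule being absent; stating it as `# (not checked here: the head rule cannot be added dynamically, so without it the rules below have no effect)` would be more useful, assuming that is indeed the failure mode. The `ipfilter)` arm continues past the end of this hunk.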
@@ -97,8 +101,8 @@ add)
# actually block packets, and prevent logging of them as
# connections, because they include the "quick" flag.
#
- # N.b.: $port is not included -- abusers are cut off completely
- # from all services!
+ # N.b.: $port is not included/used in rules -- abusers are cut
+ # off completely from all services!
#
# Note RST packets are not returned for blocked SYN packets of
# active attacks, so the port will not appear to be closed.
@@ -111,12 +115,12 @@ add)
# to open connections (see $flags above). This allows us to do
# counterespionage against the attacker (or continue to make use
# of any other services that might be on the same subnet as the
- # attacker). However it does not kill any active connections --
- # we rely on the reporting daemon to do its own protection and
- # cleanup.
+ # supposed attacker). However it does not kill any active
+ # connections -- we rely on the reporting daemon to do its own
+ # protection and cleanup.
#
- # N.B.: The generated must exactly match the rule generated for
- # the "rem" command below!
+ # N.B.: The rule generated here must exactly match the
+ # corresponding rule generated for the "rem" command below!
#
echo block in log quick $proto \
from $addr/$mask to any $flags group $2 | \
@@ -167,7 +171,10 @@ add)
;;
rem)
case "$pf" in
- ipf)
+ ipfilter)
+ # N.B.: The rule generated here must exactly match the
+ # corresponding rule generated for the "add" command above!
+ #
echo block in log quick $proto \
from $addr/$mask to any $flags group $2 | \
/sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK
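Review bot: The comment added here documents an invariant (the rem rule must match the add rule exactly) that the code leaves to manual upkeep, because the `echo block in log quick $proto ...` line is a second copy of the one in the add arm. Generating the rule from a single helper, for example `ipf_block_rule() { echo block in log quick $proto from $addr/$mask to any $flags group "$1"; }` defined once near the top of the script, and calling `ipf_block_rule "$2" | /sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK` here and the same helper in the add arm, makes the two sides match by construction instead of by comment. The add arm's ipf invocation is outside this hunk, so the exact flags it passes cannot be confirmed from here.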
@@ -200,19 +207,36 @@ rem)
;;
flush)
case "$pf" in
- ipf)
- #
- # XXX this is a slightly convoluted way to remove all the rules
- # in the group added for "$2" (i.e. normally by default
- # "blocklistd").
+ ipfilter)
#
# N.B. WARNING: This is obviously not reentrant!
#
+ # First we flush all the rules from the inactive set, then we
+ # reload the ones that do not belong to the group "$2", and
+ # finally we swap the active and inactive rule sets.
+ #
/sbin/ipf -I -F a
+ #
+ # "ipf -I -F a" also flushes active accounting rules!
+ #
+ # Note that accounting rule groups are unique to accounting
+ # rules and have nothing to do with filter rules, though of
+ # course theoretically one could use the same group name for
+ # them too.
+ #
+ # In theory anyone using any such accounting rules should have a
+ # wrapper /etc/rc.conf.d/blocklistd script (and corresponding
+ # /etc/rc.conf.d/ipfilter script) that will record and
+ # consolidate the values accumulated by such accounting rules
+ # before they are flushed, since otherwise their counts will be
+ # lost forever.
+ #
/usr/sbin/ipfstat -io | fgrep -v "group $2" | \
/sbin/ipf -I -f - >/dev/null 2>&1
- # XXX this MUST be done last and separately as "-s" is executed
+ #
+ # This MUST be done last and separately as "-s" is executed
# _while_ the command arguments are being processed!
+ #
/sbin/ipf -s && echo OK
;;