The noted argument is wrong - if it's already been deleted then the id we
have for it is invalid.
Because we don't track deletions to the ruleset, working it out is
problematic at best.
Instead, if we have already added the rule treat it as a non-op.
This is a valid use case because we might receive a burst of messages
in the downstream application for the same address and process them
one by one. It's not the job of the downstream application to track
blacklistd state.
Obtained from: 959b18a604
The issue was caused by header pollution brought by GCC 8.1.
We now have to remove include-fixed headers in the GCC installation
directory.
Sponsored by: DARPA, AFRL
Pointed out by: jhb
o Also move printf.h to go after it since it does require declaration
of va_list.
This fixes build with latest RISC-V GNU Toolchain with GCC 8.1
Sponsored by: DARPA, AFRL
Ordinarily, the continue clause of the for-loop would free 'line.' In this
case we instead return early, missing the free. Add an explicit free to
avoid the leak.
Reported by: Coverity
Sponsored by: Dell EMC Isilon
Use 'pfctl -k' when blocking a site to kill active tcp connections
from the blocked address.
Fix 'purge' operation for pf, which must dynamically determine which
filters have been created, so the filters can be flushed by name.
MFC after: 2 weeks
The original blacklist library supported two notification types:
- failed auth attempt, which incremented the failed login count
by one for the remote address
- successful auth attempt, which reset the failed login count
to zero for that remote address
When the failed login count reached the limit in the configuration
file, the remote address would be blocked by a packet filter.
This patch implements a new notification type, "abusive behavior",
and accepts, but does not act on an additional type, "bad username".
It is envisioned that a system administrator will configure a small
list of "known bad usernames" that should be blocked immediately.
Reviewed by: emaste
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D10604
The blacklistd daemon keeps records of failed login attempts for
each address:port that is flagged as a failed login. When a
successful login occurs for that address:port combination,
the record's last update time is set to zero, to indicate no current
failed login attempts.
Reset the failed login count to zero, so that at the next failed
login attempt, the counting will restart properly at zero. Without
this reset to zero, the first failed login after a successful login
will cause the address to be blocked immediately.
When debugging is turned on, output more information about database
state before and after the database updates have occured.
A similar patch has already been upstreamed to NetBSD.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
When blocking an address, the blacklist-helper script
needs to do the following things for the ipfw packet
filter:
- create a table to hold the addresses to be blocked,
so lookups can be done quickly, and place the address
to be blocked in that table
- create rule that does the lookup in the table and
blocks the packet
The ipfw system allows multiple rules to be inserted for
a given rule number. There only needs to be one rule
to do the lookup per port. Modify the script to probe
for the existence of the rule before attempting to create
it, so only one rule is inserted, rather than one rule per
blocked address.
PR: 214980
Reported by: azhegalov (at) gmail.com
Reviewed by: emaste
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D9681
The blacklistd daemon expects to see a message on stdout, instead
of just relying on the exit value from any invoked programs.
Change the pf filtering to create multiple filters, attached under
a the "blacklist/*" anchor point. This prevents the filtering for
each port's filtering rule from overwriting the previously installed
filtering rule. Check for an existing filtering rule for each port,
so the installation of a given filtering rule only happens once.
Reinstalling the same rule resets the counters for the pf rule, and
we don't want that.
Reported by: David Horn (dhorn2000 at gmail.com)
Reviewed by: emaste
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D8081
The blacklistd daemon attempted to restore the filtering rules
before the database of blocked addresses was opened, so no rules
were being reloaded. Now the rules are properly recreated when the
daemon is started with '-r'.
This bug was fixed locally, and then sent upstream to NetBSD.
This changeset is the import the NetBSD version of the change,
which added debugging output to alert about a null database.
Reviewed by: emaste
Obtained from: NetBSD
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
The blacklist library can accept a function to use for logging,
defaulting to vsyslog(), if no function is specified. Make the
blacklist library use strerror(errno) explicitly, instead of %m,
so that the passed in function does not need to support the
syslog specific placeholder.
This matches a change already submitted and accepted upstream.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
In addition to adding initial support for the ipfilter
packet filtering system, wrap a few long lines, perform
whitespace cleanup and sync with upstream changes made
in NetBSD.
Submitted by: cy
Reviewed by: cy
Approved by: re (hrs)
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6823
NetBSD installs the blacklist-helper script in /libexec, and
it goes into /usr/libexec on FreeBSD. Update the docs to
match FreeBSD's installation location.
Reviewed by: rpaulo
Approved by: rpaulo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6592
This import includes The basic blacklist library and utility programs,
to add a system-wide packet filtering notification mechanism to
FreeBSD.
The rational behind the daemon was given by Christos Zoulas in a
presentation at vBSDcon 2015: https://youtu.be/fuuf8G28mjs
Reviewed by: rpaulo
Approved by: rpaulo
Obtained from: NetBSD
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5912