Use 'pfctl -k' when blocking a site to kill active tcp connections
from the blocked address.
Fix 'purge' operation for pf, which must dynamically determine which
filters have been created, so the filters can be flushed by name.
MFC after: 2 weeks
When blocking an address, the blacklist-helper script
needs to do the following things for the ipfw packet
filter:
- create a table to hold the addresses to be blocked,
so lookups can be done quickly, and place the address
to be blocked in that table
- create rule that does the lookup in the table and
blocks the packet
The ipfw system allows multiple rules to be inserted for
a given rule number. There only needs to be one rule
to do the lookup per port. Modify the script to probe
for the existence of the rule before attempting to create
it, so only one rule is inserted, rather than one rule per
blocked address.
PR: 214980
Reported by: azhegalov (at) gmail.com
Reviewed by: emaste
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D9681
The blacklistd daemon expects to see a message on stdout, instead
of just relying on the exit value from any invoked programs.
Change the pf filtering to create multiple filters, attached under
a the "blacklist/*" anchor point. This prevents the filtering for
each port's filtering rule from overwriting the previously installed
filtering rule. Check for an existing filtering rule for each port,
so the installation of a given filtering rule only happens once.
Reinstalling the same rule resets the counters for the pf rule, and
we don't want that.
Reported by: David Horn (dhorn2000 at gmail.com)
Reviewed by: emaste
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D8081
In addition to adding initial support for the ipfilter
packet filtering system, wrap a few long lines, perform
whitespace cleanup and sync with upstream changes made
in NetBSD.
Submitted by: cy
Reviewed by: cy
Approved by: re (hrs)
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6823
This import includes The basic blacklist library and utility programs,
to add a system-wide packet filtering notification mechanism to
FreeBSD.
The rational behind the daemon was given by Christos Zoulas in a
presentation at vBSDcon 2015: https://youtu.be/fuuf8G28mjs
Reviewed by: rpaulo
Approved by: rpaulo
Obtained from: NetBSD
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5912
