Add ipfilter support to blacklistd-helper
In addition to adding initial support for the ipfilter packet filtering system, wrap a few long lines, perform whitespace cleanup and sync with upstream changes made in NetBSD. Submitted by: cy Reviewed by: cy Approved by: re (hrs) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D6823
parent
90988efdc5
commit
74bc093c1c
@ -10,18 +10,21 @@
|
||||
# $7 id
|
||||
|
||||
pf=
|
||||
for f in npf pf; do
|
||||
if [ -f "/etc/$f.conf" ]; then
|
||||
pf="$f"
|
||||
break
|
||||
fi
|
||||
done
|
||||
if [ -f "/etc/ipfw-blacklist.rc" ]; then
|
||||
pf="ipfw"
|
||||
. /etc/ipfw-blacklist.rc
|
||||
ipfw_offset=${ipfw_offset:-2000}
|
||||
fi
|
||||
|
||||
if [ -z "$pf" ]; then
|
||||
for f in npf pf ipf; do
|
||||
if [ -f "/etc/$f.conf" ]; then
|
||||
pf="$f"
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -z "$pf" ]; then
|
||||
echo "$0: Unsupported packet filter" 1>&2
|
||||
exit 1
|
||||
@ -48,12 +51,20 @@ esac
|
||||
case "$1" in
|
||||
add)
|
||||
case "$pf" in
|
||||
ipf)
|
||||
/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
|
||||
echo block in quick $proto from $addr/$mask to \
|
||||
any port=$6 head port$6 | \
|
||||
/sbin/ipf -I -f - -s >/dev/null 2>&1
|
||||
;;
|
||||
ipfw)
|
||||
rule=$(( $ipfw_offset + $6 )) # use $ipfw_offset+$port for rule number
|
||||
# use $ipfw_offset+$port for rule number
|
||||
rule=$(($ipfw_offset + $6))
|
||||
tname="port$6"
|
||||
/sbin/ipfw table $tname create type addr 2>/dev/null
|
||||
/sbin/ipfw -q table $tname add "$addr/$mask"
|
||||
/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to any dst-port $6
|
||||
/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
|
||||
any dst-port $6
|
||||
;;
|
||||
npf)
|
||||
/sbin/npfctl rule "$2" add block in final $proto from \
|
||||
@ -69,6 +80,12 @@ add)
|
||||
;;
|
||||
rem)
|
||||
case "$pf" in
|
||||
ipf)
|
||||
/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
|
||||
echo block in quick $proto from $addr/$mask to \
|
||||
any port=$6 head port$6 | \
|
||||
/sbin/ipf -I -r -f - -s >/dev/null 2>&1
|
||||
;;
|
||||
ipfw)
|
||||
/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
|
||||
;;
|
||||
@ -81,7 +98,10 @@ rem)
|
||||
esac
|
||||
;;
|
||||
flush)
|
||||
case "$pf" in
|
||||
case "$pf" in
|
||||
ipf)
|
||||
/sbin/ipf -Z -I -Fi -s > /dev/null
|
||||
;;
|
||||
ipfw)
|
||||
/sbin/ipfw table "port$6" flush 2>/dev/null
|
||||
;;
|
||||
|
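Review bot: The new `ipf)` arm under `flush)` runs `/sbin/ipf -Z -I -Fi -s`, which flushes every inbound rule in the inactive set and then swaps that set in, so it is not limited to the blocks this helper added; the `ipfw)` arm next to it only flushes the table `port$6`. Unlike the `add)` and `rem)` arms, it does not first copy the live rules with `/sbin/ipfstat -io | /sbin/ipf -I -f -`, so after the swap the host may be left without the administrator's own inbound rules, which would fail open. If that is intended, state it in a comment above the command, e.g. `# flushes ALL inbound ipf rules, not only blacklistd's`; otherwise the flush should be restricted to the blocks this helper created. The `case "$pf"` block continues past the end of this hunk.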