Merge latest version of blacklist sources from NetBSD (@ 20170503)

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation

contrib/blacklist/README

@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.7 2015/01/26 00:34:50 christos Exp $
+# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $
 
 This package contains library that can be used by network daemons to
 communicate with a packet filter via a daemon to enforce opening and
@@ -98,6 +98,16 @@ group "internal" on $int_if {
 	...
 }
 
+You can use 'blacklistctl dump -a' to list all the current entries
+in the database; the ones that have nfail <c>/<t> where <c>urrent
+>= <t>otal, should have an id assosiated with them; this means that
+there is a packet filter rule added for that entry. For npf, you
+can examine the packet filter dynamic rule entries using 'npfctl
+rule <rulename> list'.  The number of current entries can exceed
+the total. This happens because entering packet filter rules is
+asynchronous; there could be other connection before the rule
+becomes activated.
+
 Enjoy,
 
 christos

contrib/blacklist/bin/blacklistctl.8

@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistctl.8,v 1.7 2015/04/30 06:20:43 riz Exp $
+.\" $NetBSD: blacklistctl.8,v 1.9 2016/06/08 12:48:37 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -77,7 +77,8 @@ it to make sure that there is only one rule active.
 .Nm
 first appeared in
 .Nx 7 .
-.Fx support for
+.Fx
+support for
 .Nm
 was implemented in
 .Fx 11 .

contrib/blacklist/bin/blacklistctl.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $	*/
+/*	$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $");
 
 #include <stdio.h>
 #include <time.h>

contrib/blacklist/bin/blacklistd.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $	*/
+/*	$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $	*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -403,12 +403,14 @@ int
 main(int argc, char *argv[])
 {
 	int c, tout, flags, flush, restore, ret;
-	const char *spath, *blsock;
+	const char *spath, **blsock;
+	size_t nblsock, maxblsock;
 
 	setprogname(argv[0]);
 
 	spath = NULL;
-	blsock = _PATH_BLSOCK;
+	blsock = NULL;
+	maxblsock = nblsock = 0;
 	flush = 0;
 	restore = 0;
 	tout = 0;
@@ -440,7 +442,17 @@ main(int argc, char *argv[])
 			restore++;
 			break;
 		case 's':
-			blsock = optarg;
+			if (nblsock >= maxblsock) {
+				maxblsock += 10;
+				void *p = realloc(blsock,
+				    sizeof(*blsock) * maxblsock);
+				if (p == NULL)
+				    err(EXIT_FAILURE,
+					"Can't allocate memory for %zu sockets",
+					maxblsock);
+				blsock = p;
+			}
+			blsock[nblsock++] = optarg;
 			break;
 		case 't':
 			tout = atoi(optarg) * 1000;
@@ -487,9 +499,11 @@ main(int argc, char *argv[])
 	size_t nfd = 0;
 	size_t maxfd = 0;
 
-	if (spath == NULL)
-		addfd(&pfd, &bl, &nfd, &maxfd, blsock);
-	else {
+	for (size_t i = 0; i < nblsock; i++)
+		addfd(&pfd, &bl, &nfd, &maxfd, blsock[i]);
+	free(blsock);
+
+	if (spath) {
 		FILE *fp = fopen(spath, "r");
 		char *line;
 		if (fp == NULL)
@@ -499,6 +513,8 @@ main(int argc, char *argv[])
 			addfd(&pfd, &bl, &nfd, &maxfd, line);
 		fclose(fp);
 	}
+	if (nfd == 0)
+		addfd(&pfd, &bl, &nfd, &maxfd, _PATH_BLSOCK);
 
 	state = state_open(dbfile, flags, 0600);
 	if (state == NULL)

contrib/blacklist/bin/blacklistd.conf.5

@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.conf.5,v 1.3 2015/04/30 06:20:43 riz Exp $
+.\" $NetBSD: blacklistd.conf.5,v 1.5 2016/06/08 12:48:37 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -218,7 +218,8 @@ bnx0:ssh	*	*	*	*	3	6h
 .Nm
 first appeared in
 .Nx 7 .
-.Fx support for
+.Fx
+support for
 .Nm
 was implemented in
 .Fx 11 .

contrib/blacklist/etc/rc.d/blacklistd

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: blacklistd,v 1.1 2015/01/22 17:49:41 christos Exp $
+# $NetBSD: blacklistd,v 1.2 2016/10/17 22:47:16 christos Exp $
 #
 
 # PROVIDE: blacklistd
@@ -18,7 +18,7 @@ start_precmd="${name}_precmd"
 extra_commands="reload"
 
 _sockfile="/var/run/${name}.sockets"
-_sockname="blsock"
+_sockname="blacklistd.sock"
 
 blacklistd_precmd()
 {

contrib/blacklist/lib/bl.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: bl.c,v 1.27 2015/12/30 16:42:48 christos Exp $	*/
+/*	$NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $	*/
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: bl.c,v 1.27 2015/12/30 16:42:48 christos Exp $");
+__RCSID("$NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>

contrib/blacklist/lib/libblacklist.3

@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.3 2015/01/25 23:09:28 wiz Exp $
+.\" $NetBSD: libblacklist.3,v 1.7 2017/02/04 23:33:56 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -36,7 +36,7 @@
 .Nm blacklist_r ,
 .Nm blacklist ,
 .Nm blacklist_sa
-.Nm blacklist_sa_r ,
+.Nm blacklist_sa_r
 .Nd Blacklistd notification library
 .Sh LIBRARY
 .Lb libblacklist
@@ -62,7 +62,7 @@ block or release port access to prevent Denial of Service attacks.
 .Pp
 The function
 .Fn blacklist_open
-creates a the necessary state to communicate with
+creates the necessary state to communicate with
 .Xr blacklistd 8
 and returns a pointer to it, or
 .Dv NULL
@@ -106,18 +106,25 @@ All functions log errors to
 .Xr syslogd 8 .
 .Sh RETURN VALUES
 The function
-.Fn bl_open
+.Fn blacklist_open
 returns a cookie on success and
 .Dv NULL
-on failure setting errno to an appropriate value.
+on failure setting
+.Dv errno
+to an appropriate value.
 .Pp
-The
-.Fn bl_send
-function returns
+The functions
+.Fn blacklist ,
+.Fn blacklist_sa ,
+and
+.Fn blacklist_sa_r
+return
 .Dv 0
 on success and
-.Dv -1
-on failure setting errno to an appropriate value.
+.Dv \-1
+on failure setting
+.Dv errno
+to an appropriate value.
 .Sh SEE ALSO
 .Xr blacklistd.conf 5 ,
 .Xr blacklistd 8

contrib/blacklist/libexec/blacklistd-helper

@@ -19,8 +19,8 @@ fi
 if [ -z "$pf" ]; then
 	for f in npf pf ipf; do
 		if [ -f "/etc/$f.conf" ]; then
-		    pf="$f"
-		    break
+			pf="$f"
+			break
 		fi
 	done
 fi

contrib/blacklist/port/Makefile.am

@@ -1,11 +1,11 @@
 #
 ACLOCAL_AMFLAGS = -I m4
 lib_LTLIBRARIES = libblacklist.la
-include_HEADERS = blacklist.h
+include_HEADERS = ../include/blacklist.h
 
 bin_PROGRAMS = blacklistd blacklistctl srvtest cltest
 
-VPATH = ../bin:../lib:../test
+VPATH = ../bin:../lib:../test:../include
 
 AM_CPPFLAGS = -I../include  -DDOT="."
 AM_CFLAGS = @WARNINGS@

contrib/blacklist/port/sockaddr_snprintf.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: sockaddr_snprintf.c,v 1.10 2016/04/05 12:28:57 christos Exp $	*/
+/*	$NetBSD: sockaddr_snprintf.c,v 1.11 2016/06/01 22:57:51 christos Exp $	*/
 
 /*-
  * Copyright (c) 2004 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
 
 #include <sys/cdefs.h>
 #if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.10 2016/04/05 12:28:57 christos Exp $");
+__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.11 2016/06/01 22:57:51 christos Exp $");
 #endif /* LIBC_SCCS and not lint */
 
 #include <sys/param.h>
@@ -219,7 +219,7 @@ sockaddr_snprintf(char * const sbuf, const size_t len, const char * const fmt,
 	case AF_LINK:
 		sdl = ((const struct sockaddr_dl *)(const void *)sa);
 		(void)strlcpy(addr = abuf, link_ntoa(sdl), sizeof(abuf));
-		if ((w = strchr(addr, ':')) != 0) {
+		if ((w = strchr(addr, ':')) != NULL) {
 			*w++ = '\0';
 			addr = w;
 		}