Add basic blacklist build support
Reviewed by: rpaulo Approved by: rpaulo Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5913
This commit is contained in:
parent
c247b3ca67
commit
95856e1457
@ -86,6 +86,10 @@ BIN1+= apmd.conf
|
||||
BIN1+= auto_master
|
||||
.endif
|
||||
|
||||
.if ${MK_BLACKLIST_SUPPORT} != "no"
|
||||
BIN1+= blacklistd.conf
|
||||
.endif
|
||||
|
||||
.if ${MK_FREEBSD_UPDATE} != "no"
|
||||
BIN1+= freebsd-update.conf
|
||||
.endif
|
||||
|
17
etc/blacklistd.conf
Normal file
17
etc/blacklistd.conf
Normal file
@ -0,0 +1,17 @@
|
||||
# $FreeBSD$
|
||||
#
|
||||
# Blacklist rule
|
||||
# adr/mask:port type proto owner name nfail disable
|
||||
[local]
|
||||
ssh stream * * * 3 24h
|
||||
ftp stream * * * 3 24h
|
||||
smtp stream * * * 3 24h
|
||||
submission stream * * * 3 24h
|
||||
#6161 stream tcp6 christos * 2 10m
|
||||
* * * * * 3 60
|
||||
|
||||
# adr/mask:port type proto owner name nfail disable
|
||||
[remote]
|
||||
#129.168.0.0/16 * * * = * *
|
||||
#6161 = = = =/24 = =
|
||||
#* stream tcp * = = =
|
@ -270,6 +270,8 @@ hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
|
||||
hastd_flags="" # Optional flags to hastd.
|
||||
ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
|
||||
local_unbound_enable="NO" # local caching resolver
|
||||
blacklistd_enable="YES" # Run blacklistd daemon (YES/NO).
|
||||
blacklistd_flags="" # Optional flags for blacklistd(8).
|
||||
|
||||
#
|
||||
# kerberos. Do not run the admin daemons on slave servers
|
||||
|
@ -44,8 +44,14 @@ rc=0
|
||||
if check_yesno_period security_status_pfdenied_enable
|
||||
then
|
||||
TMP=`mktemp -t security`
|
||||
if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
|
||||
check_diff new_only pf ${TMP} "${host} pf denied packets:"
|
||||
touch ${TMP}
|
||||
for _a in "" blacklistd
|
||||
do
|
||||
pfctl -a ${_a} -sr -v -z 2>/dev/null | \
|
||||
nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
|
||||
done
|
||||
if [ -s ${TMP} ]; then
|
||||
check_diff new_only pf ${TMP} "${host} pf denied packets:"
|
||||
fi
|
||||
rc=$?
|
||||
rm -f ${TMP}
|
||||
|
@ -17,6 +17,7 @@ FILES= DAEMON \
|
||||
auditd \
|
||||
auditdistd \
|
||||
bgfsck \
|
||||
${_blacklistd} \
|
||||
${_bluetooth} \
|
||||
bridge \
|
||||
${_bthidd} \
|
||||
@ -168,6 +169,10 @@ FILES+= automountd
|
||||
FILES+= autounmountd
|
||||
.endif
|
||||
|
||||
.if ${MK_BLACKLIST_SUPPORT} != "no"
|
||||
_blacklistd+= blacklistd
|
||||
.endif
|
||||
|
||||
.if ${MK_BLUETOOTH} != "no"
|
||||
_bluetooth= bluetooth
|
||||
_bthidd= bthidd
|
||||
|
45
etc/rc.d/blacklistd
Normal file
45
etc/rc.d/blacklistd
Normal file
@ -0,0 +1,45 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Copyright (c) 2016 The FreeBSD Foundation
|
||||
# All rights reserved.
|
||||
#
|
||||
# This software was developed by Kurt Lidl under sponsorship from the
|
||||
# FreeBSD Foundation.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
# PROVIDE: blacklistd
|
||||
# REQUIRE: netif pf
|
||||
|
||||
. /etc/rc.subr
|
||||
|
||||
name="blacklistd"
|
||||
desc="System blacklist daemon"
|
||||
rcvar="blacklistd_enable"
|
||||
command="/usr/sbin/${name}"
|
||||
required_files="/etc/blacklistd.conf"
|
||||
|
||||
load_rc_config $name
|
||||
run_rc_command "$1"
|
@ -28,6 +28,7 @@ SUBDIR= ${SUBDIR_ORDERED} \
|
||||
${_libatm} \
|
||||
libauditd \
|
||||
libbegemot \
|
||||
${_libblacklist} \
|
||||
libblocksruntime \
|
||||
${_libbluetooth} \
|
||||
${_libbsnmp} \
|
||||
@ -161,6 +162,10 @@ SUBDIR_DEPEND_liblzma= ${_libthr}
|
||||
_libngatm= libngatm
|
||||
.endif
|
||||
|
||||
.if ${MK_BLACKLIST_SUPPORT} != "no"
|
||||
_libblacklist= libblacklist
|
||||
.endif
|
||||
|
||||
.if ${MK_BLUETOOTH} != "no"
|
||||
_libbluetooth= libbluetooth
|
||||
_libsdp= libsdp
|
||||
|
30
lib/libblacklist/Makefile
Normal file
30
lib/libblacklist/Makefile
Normal file
@ -0,0 +1,30 @@
|
||||
# $FreeBSD$
|
||||
|
||||
BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
|
||||
|
||||
.PATH: ${BLACKLIST_DIR}/lib ${BLACKLIST_DIR}/include
|
||||
|
||||
LIB= blacklist
|
||||
SHLIB_MAJOR= 0
|
||||
|
||||
LIBADD+= pthread
|
||||
|
||||
CFLAGS.clang+=-Wno-thread-safety-analysis
|
||||
|
||||
CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
|
||||
-D_REENTRANT -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
|
||||
-DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_GETPROGNAME \
|
||||
-DHAVE_STRLCAT -DHAVE_STRLCPY -DHAVE_STRUCT_SOCKADDR_SA_LEN
|
||||
|
||||
SRCS= bl.c blacklist.c
|
||||
INCS= blacklist.h
|
||||
MAN= libblacklist.3
|
||||
|
||||
MLINKS= libblacklist.3 blacklist_open.3 \
|
||||
libblacklist.3 blacklist_close.3 \
|
||||
libblacklist.3 blacklist.3 \
|
||||
libblacklist.3 blacklist_r.3 \
|
||||
libblacklist.3 blacklist_sa.3 \
|
||||
libblacklist.3 blacklist_sa_r.3
|
||||
|
||||
.include <bsd.lib.mk>
|
@ -5,6 +5,7 @@
|
||||
|
||||
SUBDIR= ${_atf} \
|
||||
${_atrun} \
|
||||
${_blacklistd-helper} \
|
||||
${_comsat} \
|
||||
${_dma} \
|
||||
getty \
|
||||
@ -33,6 +34,10 @@ SUBDIR= ${_atf} \
|
||||
_atrun= atrun
|
||||
.endif
|
||||
|
||||
.if ${MK_BLACKLIST_SUPPORT} != "no"
|
||||
_blacklistd-helper+= blacklistd-helper
|
||||
.endif
|
||||
|
||||
.if ${MK_BOOTPD} != "no"
|
||||
SUBDIR+= bootpd
|
||||
.endif
|
||||
|
7
libexec/blacklistd-helper/Makefile
Normal file
7
libexec/blacklistd-helper/Makefile
Normal file
@ -0,0 +1,7 @@
|
||||
# $FreeBSD$
|
||||
|
||||
BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
|
||||
|
||||
SCRIPTS= ${BLACKLIST_DIR}/libexec/blacklistd-helper
|
||||
|
||||
.include <bsd.prog.mk>
|
@ -22,6 +22,7 @@ LIBATM?= ${DESTDIR}${LIBDIR}/libatm.a
|
||||
LIBAUDITD?= ${DESTDIR}${LIBDIR}/libauditd.a
|
||||
LIBAVL?= ${DESTDIR}${LIBDIR}/libavl.a
|
||||
LIBBEGEMOT?= ${DESTDIR}${LIBDIR}/libbegemot.a
|
||||
LIBBLACKLIST?= ${DESTDIR}${LIBDIR}/libblacklist.a
|
||||
LIBBLUETOOTH?= ${DESTDIR}${LIBDIR}/libbluetooth.a
|
||||
LIBBSDXML?= ${DESTDIR}${LIBDIR}/libbsdxml.a
|
||||
LIBBSM?= ${DESTDIR}${LIBDIR}/libbsm.a
|
||||
|
@ -178,6 +178,12 @@ _LIBRARIES= \
|
||||
zfs \
|
||||
zpool \
|
||||
|
||||
.if ${MK_BLACKLIST} != "no"
|
||||
_LIBRARIES+= \
|
||||
blacklist \
|
||||
|
||||
.endif
|
||||
|
||||
.if ${MK_OFED} != "no"
|
||||
_LIBRARIES+= \
|
||||
cxgb4 \
|
||||
@ -200,6 +206,9 @@ _LIBRARIES+= \
|
||||
# 2nd+ order consumers. Auto-generating this would be better.
|
||||
_DP_80211= sbuf bsdxml
|
||||
_DP_archive= z bz2 lzma bsdxml
|
||||
.if ${MK_BLACKLIST} != "no"
|
||||
_DP_blacklist+= pthread
|
||||
.endif
|
||||
.if ${MK_OPENSSL} != "no"
|
||||
_DP_archive+= crypto
|
||||
.else
|
||||
@ -502,6 +511,7 @@ LIBWINDDIR= ${OBJTOP}/kerberos5/lib/libwind
|
||||
LIBATF_CDIR= ${OBJTOP}/lib/atf/libatf-c
|
||||
LIBATF_CXXDIR= ${OBJTOP}/lib/atf/libatf-c++
|
||||
LIBALIASDIR= ${OBJTOP}/lib/libalias/libalias
|
||||
LIBBLACKLISTDIR= ${OBJTOP}/lib/libblacklist
|
||||
LIBBLOCKSRUNTIMEDIR= ${OBJTOP}/lib/libblocksruntime
|
||||
LIBBSNMPDIR= ${OBJTOP}/lib/libbsnmp/libbsnmp
|
||||
LIBCASPERDIR= ${OBJTOP}/lib/libcasper/libcasper
|
||||
|
@ -56,6 +56,7 @@ __DEFAULT_YES_OPTIONS = \
|
||||
BHYVE \
|
||||
BINUTILS \
|
||||
BINUTILS_BOOTSTRAP \
|
||||
BLACKLIST \
|
||||
BLUETOOTH \
|
||||
BOOT \
|
||||
BOOTPARAMD \
|
||||
@ -374,6 +375,7 @@ MK_CLANG_FULL:= no
|
||||
# MK_* variable is set to "no".
|
||||
#
|
||||
.for var in \
|
||||
BLACKLIST \
|
||||
BZIP2 \
|
||||
GNU \
|
||||
INET \
|
||||
|
@ -431,6 +431,26 @@ OLD_FILES+=usr/share/man/man7/ldint.7.gz
|
||||
OLD_FILES+=usr/share/man/man7/binutils.7.gz
|
||||
.endif
|
||||
|
||||
.if ${MK_BLACKLIST_SUPPORT} == no
|
||||
OLD_FILES+=etc/rc.d/blacklistd
|
||||
OLD_FILES+=usr/include/blacklist.h
|
||||
OLD_FILES+=usr/lib/libblacklist.a
|
||||
OLD_FILES+=usr/lib/libblacklist_p.a
|
||||
OLD_FILES+=usr/lib/libblacklist.so
|
||||
OLD_LIBS+=usr/lib/libblacklist.so.0
|
||||
OLD_FILES+=usr/libexec/blacklistd-helper
|
||||
OLD_FILES+=usr/sbin/blacklistctl
|
||||
OLD_FILES+=usr/sbin/blacklistd
|
||||
OLD_FILES+=usr/share/man/man3/blacklist.3.gz
|
||||
OLD_FILES+=usr/share/man/man3/blacklist_close.3.gz
|
||||
OLD_FILES+=usr/share/man/man3/blacklist_open.3.gz
|
||||
OLD_FILES+=usr/share/man/man3/blacklist_r.3.gz
|
||||
OLD_FILES+=usr/share/man/man3/blacklist_sa.3.gz
|
||||
OLD_FILES+=usr/share/man/man3/blacklist_sa_r.3.gz
|
||||
OLD_FILES+=usr/share/man/man8/blacklistctl.8.gz
|
||||
OLD_FILES+=usr/share/man/man8/blacklistd.8.gz
|
||||
.endif
|
||||
|
||||
.if ${MK_BLUETOOTH} == no
|
||||
OLD_FILES+=etc/bluetooth/hcsecd.conf
|
||||
OLD_FILES+=etc/bluetooth/hosts
|
||||
|
@ -113,6 +113,10 @@ SUBDIR.${MK_AUDIT}+= auditreduce
|
||||
SUBDIR.${MK_AUDIT}+= praudit
|
||||
SUBDIR.${MK_AUTHPF}+= authpf
|
||||
SUBDIR.${MK_AUTOFS}+= autofs
|
||||
.if ${MK_BLACKLIST_SUPPORT} != "no"
|
||||
SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistctl
|
||||
SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistd
|
||||
.endif
|
||||
SUBDIR.${MK_BLUETOOTH}+= bluetooth
|
||||
SUBDIR.${MK_BOOTPARAMD}+= bootparamd
|
||||
SUBDIR.${MK_BSDINSTALL}+= bsdinstall
|
||||
|
22
usr.sbin/blacklistctl/Makefile
Normal file
22
usr.sbin/blacklistctl/Makefile
Normal file
@ -0,0 +1,22 @@
|
||||
# $FreeBSD$
|
||||
|
||||
BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
|
||||
.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
|
||||
|
||||
PROG= blacklistctl
|
||||
SRCS= blacklistctl.c conf.c state.c support.c internal.c \
|
||||
sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
|
||||
MAN= blacklistctl.8
|
||||
|
||||
LDFLAGS+=-L${LIBBLACKLISTDIR}
|
||||
LIBADD+= blacklist util
|
||||
|
||||
CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
|
||||
-D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
|
||||
-DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
|
||||
-DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
|
||||
-DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
|
||||
-DHAVE_STRUCT_SOCKADDR_SA_LEN
|
||||
# CFLAGS+= -D_REENTRANT
|
||||
|
||||
.include <bsd.prog.mk>
|
22
usr.sbin/blacklistd/Makefile
Normal file
22
usr.sbin/blacklistd/Makefile
Normal file
@ -0,0 +1,22 @@
|
||||
# $FreeBSD$
|
||||
|
||||
BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
|
||||
.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
|
||||
|
||||
PROG= blacklistd
|
||||
SRCS= blacklistd.c conf.c run.c state.c support.c internal.c \
|
||||
sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
|
||||
MAN= blacklistd.8
|
||||
|
||||
LDFLAGS+=-L${LIBBLACKLISTDIR}
|
||||
LIBADD+= blacklist util
|
||||
|
||||
CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
|
||||
-D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
|
||||
-DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
|
||||
-DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
|
||||
-DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
|
||||
-DHAVE_STRUCT_SOCKADDR_SA_LEN
|
||||
# CFLAGS+= -D_REENTRANT
|
||||
|
||||
.include <bsd.prog.mk>
|
Loading…
Reference in New Issue
Block a user