The blacklistd daemon expects to see a message on stdout, instead
of just relying on the exit value from any invoked programs.
Change the pf filtering to create multiple filters, attached under
a the "blacklist/*" anchor point. This prevents the filtering for
each port's filtering rule from overwriting the previously installed
filtering rule. Check for an existing filtering rule for each port,
so the installation of a given filtering rule only happens once.
Reinstalling the same rule resets the counters for the pf rule, and
we don't want that.
Reported by: David Horn (dhorn2000 at gmail.com)
Reviewed by: emaste
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D8081
The blacklistd daemon attempted to restore the filtering rules
before the database of blocked addresses was opened, so no rules
were being reloaded. Now the rules are properly recreated when the
daemon is started with '-r'.
This bug was fixed locally, and then sent upstream to NetBSD.
This changeset is the import the NetBSD version of the change,
which added debugging output to alert about a null database.
Reviewed by: emaste
Obtained from: NetBSD
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
The blacklist library can accept a function to use for logging,
defaulting to vsyslog(), if no function is specified. Make the
blacklist library use strerror(errno) explicitly, instead of %m,
so that the passed in function does not need to support the
syslog specific placeholder.
This matches a change already submitted and accepted upstream.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
In addition to adding initial support for the ipfilter
packet filtering system, wrap a few long lines, perform
whitespace cleanup and sync with upstream changes made
in NetBSD.
Submitted by: cy
Reviewed by: cy
Approved by: re (hrs)
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6823
NetBSD installs the blacklist-helper script in /libexec, and
it goes into /usr/libexec on FreeBSD. Update the docs to
match FreeBSD's installation location.
Reviewed by: rpaulo
Approved by: rpaulo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6592
This import includes The basic blacklist library and utility programs,
to add a system-wide packet filtering notification mechanism to
FreeBSD.
The rational behind the daemon was given by Christos Zoulas in a
presentation at vBSDcon 2015: https://youtu.be/fuuf8G28mjs
Reviewed by: rpaulo
Approved by: rpaulo
Obtained from: NetBSD
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5912
