freebsd-skq/contrib/blacklist/diff/proftpd.diff
Kurt Lidl 12017ca883 Import NetBSD's blacklist source from vendor tree
This import includes The basic blacklist library and utility programs,
to add a system-wide packet filtering notification mechanism to
FreeBSD.

The rational behind the daemon was given by Christos Zoulas in a
presentation at vBSDcon 2015: https://youtu.be/fuuf8G28mjs

Reviewed by:	rpaulo
Approved by:	rpaulo
Obtained from:	NetBSD
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5912
2016-06-01 22:04:10 +00:00

125 lines
2.8 KiB
Diff

--- Make.rules.in.orig 2015-05-27 20:25:54.000000000 -0400
+++ Make.rules.in 2016-01-25 21:48:47.000000000 -0500
@@ -110,3 +110,8 @@
FTPWHO_OBJS=ftpwho.o scoreboard.o misc.o
BUILD_FTPWHO_OBJS=utils/ftpwho.o utils/scoreboard.o utils/misc.o
+
+CPPFLAGS+=-DHAVE_BLACKLIST
+LIBS+=-lblacklist
+OBJS+= pfilter.o
+BUILD_OBJS+= src/pfilter.o
--- /dev/null 2016-01-22 17:30:55.000000000 -0500
+++ include/pfilter.h 2016-01-22 16:18:33.000000000 -0500
@@ -0,0 +1,3 @@
+
+void pfilter_notify(int);
+void pfilter_init(void);
--- modules/mod_auth.c.orig 2015-05-27 20:25:54.000000000 -0400
+++ modules/mod_auth.c 2016-01-22 16:21:06.000000000 -0500
@@ -30,6 +30,7 @@
#include "conf.h"
#include "privs.h"
+#include "pfilter.h"
extern pid_t mpid;
@@ -84,6 +85,8 @@
_("Login timeout (%d %s): closing control connection"), TimeoutLogin,
TimeoutLogin != 1 ? "seconds" : "second");
+ pfilter_notify(1);
+
/* It's possible that any listeners of this event might terminate the
* session process themselves (e.g. mod_ban). So write out that the
* TimeoutLogin has been exceeded to the log here, in addition to the
@@ -913,6 +916,7 @@
pr_memscrub(pass, strlen(pass));
}
+ pfilter_notify(1);
pr_log_auth(PR_LOG_NOTICE, "SECURITY VIOLATION: Root login attempted");
return 0;
}
@@ -1726,6 +1730,7 @@
return 1;
auth_failure:
+ pfilter_notify(1);
if (pass)
pr_memscrub(pass, strlen(pass));
session.user = session.group = NULL;
--- src/main.c.orig 2016-01-22 17:36:43.000000000 -0500
+++ src/main.c 2016-01-22 17:37:58.000000000 -0500
@@ -49,6 +49,7 @@
#endif
#include "privs.h"
+#include "pfilter.h"
int (*cmd_auth_chk)(cmd_rec *);
void (*cmd_handler)(server_rec *, conn_t *);
@@ -1050,6 +1051,7 @@
pid_t pid;
sigset_t sig_set;
+ pfilter_init();
if (!nofork) {
/* A race condition exists on heavily loaded servers where the parent
@@ -1169,7 +1171,8 @@
/* Reseed pseudo-randoms */
srand((unsigned int) (time(NULL) * getpid()));
-
+#else
+ pfilter_init();
#endif /* PR_DEVEL_NO_FORK */
/* Child is running here */
--- /dev/null 2016-01-22 17:30:55.000000000 -0500
+++ src/pfilter.c 2016-01-22 16:37:55.000000000 -0500
@@ -0,0 +1,41 @@
+#include "pfilter.h"
+#include "conf.h"
+#include "privs.h"
+#ifdef HAVE_BLACKLIST
+#include <blacklist.h>
+#endif
+
+static struct blacklist *blstate;
+
+void
+pfilter_init(void)
+{
+#ifdef HAVE_BLACKLIST
+ if (blstate == NULL)
+ blstate = blacklist_open();
+#endif
+}
+
+void
+pfilter_notify(int a)
+{
+#ifdef HAVE_BLACKLIST
+ conn_t *c = session.c;
+ int fd;
+
+ if (c == NULL)
+ return;
+ if (c->rfd != -1)
+ fd = c->rfd;
+ else if (c->wfd != -1)
+ fd = c->wfd;
+ else
+ return;
+
+ if (blstate == NULL)
+ pfilter_init();
+ if (blstate == NULL)
+ return;
+ (void)blacklist_r(blstate, a, fd, "proftpd");
+#endif
+}