Diffstat (limited to 'bin')
-rw-r--r--bin/blacklistctl.c37
-rw-r--r--bin/blacklistd.c13
-rw-r--r--bin/blacklistd.conf.532
-rw-r--r--bin/support.c14
4 files changed, 61 insertions, 35 deletions
diff --git a/bin/blacklistctl.c b/bin/blacklistctl.c
index 8cef404d74bf..aebbf72acc5e 100644
--- a/bin/blacklistctl.c
+++ b/bin/blacklistctl.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $ */
+/* $NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $");
#include <stdio.h>
#include <time.h>
@@ -67,6 +67,15 @@ usage(int c)
exit(EXIT_FAILURE);
}
+static const char *
+star(char *buf, size_t len, int val)
+{
+ if (val == -1)
+ return "*";
+ snprintf(buf, len, "%d", val);
+ return buf;
+}
+
int
main(int argc, char *argv[])
{
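Review bot: `star()` introduces `-1` as a sentinel meaning "print `*`" without saying where that value comes from, and the same literal is then tested against `c_nfail` and `c_duration` further down in this file. A short comment above the helper would make the contract explicit, e.g. `/* Format val for display; -1 is presumably the configuration wildcard and is printed back as "*". */`. The snprintf() result is not checked, which is only safe because both callers pass 64-byte buffers; with `len == 0` nothing is written and the uninitialized buffer would be returned, so noting the size assumption in the comment, or rejecting `len == 0`, would keep the helper honest if it is reused. main() begins here and continues outside the hunk.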
@@ -128,9 +137,10 @@ main(int argc, char *argv[])
"address", remain ? "remaining time" : "last access");
for (i = 1; state_iterate(db, &c, &dbi, i) != 0; i = 0) {
char buf[BUFSIZ];
+ char mbuf[64], pbuf[64];
if (!all) {
if (blocked) {
- if (dbi.count < c.c_nfail)
+ if (c.c_nfail == -1 || dbi.count < c.c_nfail)
continue;
} else {
if (dbi.count >= c.c_nfail)
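Review bot: The new `c.c_nfail == -1` guard only covers the `blocked` branch; the `else` branch on the last line of this hunk still compares `dbi.count >= c.c_nfail`, which is always true when `c_nfail` is -1, so an entry from a never-block rule is skipped by both the blocked and the not-blocked listing and only appears with `-a` (assuming the `continue` that follows this line, just outside the hunk, is unchanged). Mirror the check there: `if (c.c_nfail != -1 && dbi.count >= c.c_nfail)`. main() begins and ends outside this hunk.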
@@ -138,13 +148,20 @@ main(int argc, char *argv[])
}
}
sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&c.c_ss);
- printf("%*.*s/%d:%d\t", wide, wide, buf, c.c_lmask, c.c_port);
- if (remain)
- fmtydhms(buf, sizeof(buf),
- c.c_duration - (ts.tv_sec - dbi.last));
- else
- fmttime(buf, sizeof(buf), dbi.last);
- printf("%s\t%d/%d\t%-s\n", dbi.id, dbi.count, c.c_nfail, buf);
+ printf("%*.*s/%s:%s\t", wide, wide, buf,
+ star(mbuf, sizeof(mbuf), c.c_lmask),
+ star(pbuf, sizeof(pbuf), c.c_port));
+ if (c.c_duration == -1) {
+ strlcpy(buf, "never", sizeof(buf));
+ } else {
+ if (remain)
+ fmtydhms(buf, sizeof(buf),
+ c.c_duration - (ts.tv_sec - dbi.last));
+ else
+ fmttime(buf, sizeof(buf), dbi.last);
+ }
+ printf("%s\t%d/%s\t%-s\n", dbi.id, dbi.count,
+ star(mbuf, sizeof(mbuf), c.c_nfail), buf);
}
state_close(db);
return EXIT_SUCCESS;
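Review bot: `mbuf` is filled by `star()` for `c_lmask`, consumed by the first printf(), and then reused for `c_nfail` in the second printf(); that is correct because each call completes before the next `star()`, but a reader may take the two uses for the same value. A one-line comment such as `/* mbuf is free again once the first printf() has returned */`, or a third buffer, would remove the doubt. The `c.c_duration == -1` test is a second bare use of the same sentinel that `star()` relies on; a named constant or a comment tying the two together would help whoever next changes the config format. main() ends outside this hunk.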
diff --git a/bin/blacklistd.c b/bin/blacklistd.c
index f5c35eae1ad2..ac92bbf2ffbf 100644
--- a/bin/blacklistd.c
+++ b/bin/blacklistd.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
#include "config.h"
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -394,7 +394,6 @@ rules_restore(void)
for (f = 1; state_iterate(state, &c, &dbi, f) == 1; f = 0) {
if (dbi.id[0] == '\0')
continue;
- (void)run_change("rem", &c, dbi.id, 0);
(void)run_change("add", &c, dbi.id, sizeof(dbi.id));
}
}
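Review bot: With the `rem` call gone, rules_restore() now re-adds every stored rule unconditionally and depends on the caller having cleared the packet filter first, which the later hunk in main() (L118-L128) arranges by calling rules_flush() before rules_restore() when `-f` was not given. That contract is not visible at the function itself; a comment above the loop, `/* Assumes rules_flush() has already run: every stored entry is re-added as new. */`, would keep a future caller from invoking it on a populated filter. run_change()'s return value is still discarded, so a failed re-add is silent unless run_change() logs failures itself; that is pre-existing but worth confirming. rules_restore() starts above this hunk.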
@@ -491,7 +490,8 @@ main(int argc, char *argv[])
conf_parse(configfile);
if (flush) {
rules_flush();
- flags |= O_TRUNC;
+ if (!restore)
+ flags |= O_TRUNC;
}
struct pollfd *pfd = NULL;
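Review bot: The reason `O_TRUNC` is skipped when `restore` is also set is not stated in the code; the intent appears to be that `-f -r` clears the filter but keeps the state database so it can be re-applied, while `-f` alone discards both. A comment on the new condition, `/* keep the db when restoring: its rules are re-added below */`, would make that explicit. main() continues outside this hunk.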
@@ -522,8 +522,11 @@ main(int argc, char *argv[])
if (state == NULL)
return EXIT_FAILURE;
- if (restore)
+ if (restore) {
+ if (!flush)
+ rules_flush();
rules_restore();
+ }
if (!debug) {
if (daemon(0, 0) == -1)
diff --git a/bin/blacklistd.conf.5 b/bin/blacklistd.conf.5
index 9d44012c8a6f..3b85fb889e32 100644
--- a/bin/blacklistd.conf.5
+++ b/bin/blacklistd.conf.5
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.conf.5,v 1.5 2016/06/08 12:48:37 wiz Exp $
+.\" $NetBSD: blacklistd.conf.5,v 1.7 2017/06/07 13:50:57 wiz Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd June 7, 2016
+.Dd June 5, 2017
.Dt BLACKLISTD.CONF 5
.Os
.Sh NAME
@@ -36,12 +36,13 @@
.Sh DESCRIPTION
The
.Nm
-files contains configuration lines for
-.Xr blacklistd 8 .
-It contains one entry per line, and is similar to
+files contains configuration entries for
+.Xr blacklistd 8
+in a fashion similar to
.Xr inetd.conf 5 .
-There must be an entry for each field of the configuration file, with
-entries for each field separated by a tab or a space.
+Only one entry per line is permitted.
+Every entry must have all fields populated.
+Each field can be separated by a tab or a space.
Comments are denoted by a
.Dq #
at the beginning of a line.
@@ -109,7 +110,7 @@ The
can be an IPv4 address in numeric format, an IPv6 address
in numeric format and enclosed by square brackets, or an interface name.
Mask modifiers are not allowed on interfaces because interfaces
-have multiple address in different protocols where the mask has a different
+can have multiple addresses in different protocols where the mask has a different
size.
.Pp
The
@@ -150,8 +151,8 @@ If the
contains a
.Dq / ,
the remaining portion of the name is interpreted as the mask to be
-applied to the address specified in the rule, so one can block whole
-subnets for a single rule violation.
+applied to the address specified in the rule, causing a single rule violation to
+block the entire subnet for the configured prefix.
.Pp
The
.Va nfail
@@ -176,10 +177,11 @@ for days.
.Pp
Matching is done first by checking the
.Va local
-rules one by one, from the most specific to the least specific.
+rules individually, in the order of the most specific to the least specific.
If a match is found, then the
.Va remote
-rules are applied, and if a match is found the
+rules are applied.
+The
.Va name ,
.Va nfail ,
and
@@ -191,15 +193,15 @@ rule that matched.
The
.Va remote
rules can be used for whitelisting specific addresses, changing the mask
-size, or the rule that the packet filter uses, the number of failed attempts,
-or the blocked duration.
+size, the rule that the packet filter uses, the number of failed attempts,
+or the block duration.
.Sh FILES
.Bl -tag -width /etc/blacklistd.conf -compact
.It Pa /etc/blacklistd.conf
Configuration file.
.El
.Sh EXAMPLES
-.Bd -literal -offset
+.Bd -literal -offset 8n
# Block ssh, after 3 attempts for 6 hours on the bnx0 interface
[local]
# location type proto owner name nfail duration
diff --git a/bin/support.c b/bin/support.c
index 0dac499aca02..79a1c6ee93ac 100644
--- a/bin/support.c
+++ b/bin/support.c
@@ -1,4 +1,4 @@
-/* $NetBSD: support.c,v 1.8 2016/04/04 15:52:56 christos Exp $ */
+/* $NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: support.c,v 1.8 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $");
#include <time.h>
#include <string.h>
@@ -105,12 +105,16 @@ fmtydhms(char *b, size_t l, time_t t)
s = t % 60;
t /= 60;
+
m = t % 60;
t /= 60;
- h = t % 60;
+
+ h = t % 24;
t /= 24;
- d = t % 24;
- t /= 356;
+
+ d = t % 365;
+ t /= 365;
+
y = t;
z = 0;
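Review bot: The year/day split now uses 365, which fixes the earlier 356/24 mix-up but ignores leap days, so long durations can drift by a day every four years; a comment `/* 365-day years: leap days are not accounted for */` would make the approximation explicit. The modulo arithmetic also assumes `t >= 0`: blacklistctl.c's `remain` path passes `c.c_duration - (ts.tv_sec - dbi.last)`, which goes negative for an entry whose block has expired, and the `%` operations would then yield negative fields unless a clamp exists above the hunk. If there is none, `if (t < 0) t = 0;` at the top of the function would be a cheap fix. fmtydhms() starts before this hunk.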