svn commit: r328861 - head/contrib/blacklist/libexec

Kurt Lidl lidl at FreeBSD.org
Sun Feb 4 19:43:52 UTC 2018


Author: lidl
Date: Sun Feb  4 19:43:51 2018
New Revision: 328861
URL: https://svnweb.freebsd.org/changeset/base/328861

Log:
  Update blacklist-helper to not emit messages from pf during operation.
  
  Use 'pfctl -k' when blocking a site to kill active tcp connections
  from the blocked address.
  
  Fix 'purge' operation for pf, which must dynamically determine which
  filters have been created, so the filters can be flushed by name.
  
  MFC after:	2 weeks

Modified:
  head/contrib/blacklist/libexec/blacklistd-helper

Modified: head/contrib/blacklist/libexec/blacklistd-helper
==============================================================================
--- head/contrib/blacklist/libexec/blacklistd-helper	Sun Feb  4 19:14:09 2018	(r328860)
+++ head/contrib/blacklist/libexec/blacklistd-helper	Sun Feb  4 19:43:51 2018	(r328861)
@@ -80,8 +80,8 @@ add)
 		    echo "block in quick $proto from <port$6> to any $port" | \
 		    /sbin/pfctl -a "$2/$6" -f -
 		# insert $ip/$mask into per-protocol/port anchored table
-		/sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \
-		    echo OK
+		/sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+		    /sbin/pfctl -q -k $addr && echo OK
 		;;
 	esac
 	;;
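Review bot: The added `-k $addr` kills states for the single host only, while the table entry added on the line above is `$addr/$mask`; since pfctl(8) accepts a network for `-k` as well, `/sbin/pfctl -q -k "$addr/$mask" && echo OK` would match what was actually blocked, and quoting `$addr` keeps the invocation consistent with the rest of the arm. Chaining the kill with `&&` also means a failed state kill now suppresses `OK` even though the table add already succeeded, so a caller that treats a missing `OK` as a failed block would retry or log an error for an address that is in fact blocked; either echo OK right after the `-T add` and run the kill separately, or document that a failed kill is deliberately reported as a failed block. The enclosing `add)` case arm starts outside the hunk.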
@@ -101,7 +101,7 @@ rem)
 		/sbin/npfctl rule "$2" rem-id "$7"
 		;;
 	pf)
-		/sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+		/sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
 		    echo OK
 		;;
 	esac
@@ -118,7 +118,13 @@ flush)
 		/sbin/npfctl rule "$2" flush
 		;;
 	pf)
-		/sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK
+		# dynamically determine which anchors exist
+		anchors=$(/sbin/pfctl -a $2 -s Anchors)
+		for anchor in $anchors; do
+			/sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush
+			/sbin/pfctl -a $anchor -F rules
+		done
+		echo OK
 		;;
 	esac
 	;;
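Review bot: The rewritten `pf)` flush arm drops the success check the old line had, so `echo OK` is printed even when `pfctl -a "$2" -s Anchors` fails or any per-anchor flush fails, and none of the new pfctl calls pass `-q`, which contradicts the commit's own goal of silencing pf output (the `add` and `rem` hunks do add `-q`). `$2` and `$anchor` are also unquoted, unlike the quoted anchor arguments elsewhere in the script. The `for anchor in $anchors` word-splitting is fine for anchor names, and `${anchor##*/}` presumably relies on `-s Anchors` printing full anchor paths under `$2` — worth a comment confirming that. The enclosing `flush)` case arm starts outside the hunk.
```shell
	pf)
		# dynamically determine which anchors exist; -s Anchors is assumed
		# to print full paths ($2/port), so ${anchor##*/} yields the port
		anchors=$(/sbin/pfctl -qa "$2" -s Anchors) || exit 1
		rv=0
		for anchor in $anchors; do
			/sbin/pfctl -qa "$anchor" -t "port${anchor##*/}" -T flush || rv=1
			/sbin/pfctl -qa "$anchor" -F rules || rv=1
		done
		[ "$rv" -eq 0 ] && echo OK
		;;
```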

