git: 4d56eb007b18 - main - blocklist: Revert upstream commit ddf6d71
Date: Sun, 12 Oct 2025 17:18:45 UTC
The branch main has been updated by jlduran:
URL: https://cgit.FreeBSD.org/src/commit/?id=4d56eb007b18881becb2107f87bd2a7edca3e6bf
commit 4d56eb007b18881becb2107f87bd2a7edca3e6bf
Author: Jose Luis Duran <jlduran@FreeBSD.org>
AuthorDate: 2025-10-11 14:15:03 +0000
Commit: Jose Luis Duran <jlduran@FreeBSD.org>
CommitDate: 2025-10-12 17:11:18 +0000
blocklist: Revert upstream commit ddf6d71
Upstream commit ddf6d71 ("implement BLOCKLIST_BAD_USER as a "one-count"
failure") introduced BLOCKLIST_BAD_USER with a one-count failure
mechanism. BLOCKLIST_AUTH_FAIL was implemented with a two-count failure
mechanism. Since we have been utilizing BLOCKLIST_AUTH_FAIL, the number
of failed attempts now doubles towards the maximum limit (nfails),
giving system administrators the impression that the number of failed
authentication attempts is inaccurate.
Revert this commit until a consensus has been reached. We do not want
to introduce yet another breaking change with the renaming of the
library.
Approved by: emaste (mentor)
MFC after: 2 days
---
contrib/blocklist/bin/blocklistd.c | 18 +++++++++---------
contrib/blocklist/lib/libblocklist.3 | 32 +++++++++++++++++++-------------
2 files changed, 28 insertions(+), 22 deletions(-)
diff --git a/contrib/blocklist/bin/blocklistd.c b/contrib/blocklist/bin/blocklistd.c
index 4846b507c8d1..03a1dbbf056c 100644
--- a/contrib/blocklist/bin/blocklistd.c
+++ b/contrib/blocklist/bin/blocklistd.c
@@ -222,19 +222,16 @@ process(bl_t bl)
switch (bi->bi_type) {
case BL_ABUSE:
/*
- * If the application has signaled abusive behavior, set the
- * number of fails to be two less than the configured limit.
- * Fall through to the normal BL_ADD and BL_BADUSER processing,
- * which will increment the failure count to the threshhold, and
- * block the abusive address.
+ * If the application has signaled abusive behavior,
+ * set the number of fails to be one less than the
+ * configured limit. Fallthrough to the normal BL_ADD
+ * processing, which will increment the failure count
+ * to the threshhold, and block the abusive address.
*/
if (c.c_nfail != -1)
- dbi.count = c.c_nfail - 2;
+ dbi.count = c.c_nfail - 1;
/*FALLTHROUGH*/
case BL_ADD:
- dbi.count++; /* will become += 2 */
- /*FALLTHROUGH*/
- case BL_BADUSER:
dbi.count++;
dbi.last = ts.tv_sec;
if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
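Review bot: the comment block above `dbi.count = c.c_nfail - 1;` still spells "threshhold"; since the revert rewrites that whole comment anyway, correct it to "threshold" in the same change. Otherwise the arithmetic lines up with the single-count `BL_ADD` path being restored: `BL_ABUSE` sets the count one below the limit, the fallthrough `dbi.count++` brings it to `c_nfail`, and the `dbi.count >= c.c_nfail` check that follows then blocks the address.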
@@ -263,6 +260,9 @@ process(bl_t bl)
dbi.count = 0;
dbi.last = 0;
break;
+ case BL_BADUSER:
+ /* ignore for now */
+ break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}
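Review bot: the restored `case BL_BADUSER:` swallows the message with only `/* ignore for now */`, so an application that sends BLOCKLIST_BAD_USER gets no feedback and the administrator sees nothing in the log. Consider emitting a debug-level message through `(*lfun)(...)`, as the `default:` arm below does for unknown types, so that dropped bad-user reports stay visible while the one-count versus two-count question is being settled.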
diff --git a/contrib/blocklist/lib/libblocklist.3 b/contrib/blocklist/lib/libblocklist.3
index 7a016625a047..fd6eb93eb756 100644
--- a/contrib/blocklist/lib/libblocklist.3
+++ b/contrib/blocklist/lib/libblocklist.3
@@ -106,20 +106,26 @@ The
.Ar action
parameter can take these values:
.Bl -tag -width ".Dv BLOCKLIST_ABUSIVE_BEHAVIOR"
-.It Va BLOCKLIST_BAD_USER
-The sending daemon has determined the username presented for
-authentication is invalid.
-This is considered as one failure count.
-.It Va BLOCKLIST_AUTH_FAIL
+.It Dv BLOCKLIST_AUTH_FAIL
There was an unsuccessful authentication attempt.
-This is considered as two failure counts together.
-.It Va BLOCKLIST_ABUSIVE_BEHAVIOR
-The sending daemon has detected abusive behavior from the remote system.
-This is considered as a total immediate failure.
-The remote address will be blocked as soon as possible.
-.It Va BLOCKLIST_AUTH_OK
-A valid user successfully authenticated.
-Any entry for the remote address will be removed as soon as possible.
+.It Dv BLOCKLIST_AUTH_OK
+A user successfully authenticated.
+.It Dv BLOCKLIST_ABUSIVE_BEHAVIOR
+The sending daemon has detected abusive behavior
+from the remote system.
+The remote address should
+be blocked as soon as possible.
+.It Dv BLOCKLIST_BAD_USER
+The sending daemon has determined the username
+presented for authentication is invalid.
+The
+.Xr blocklistd 8
+daemon compares the username to a configured list of forbidden
+usernames and
+blocks the address immediately if a forbidden username matches.
+(The
+.Dv BLOCKLIST_BAD_USER
+support is not currently available.)
.El
.Pp
The
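Review bot: the restored BLOCKLIST_BAD_USER entry describes the daemon comparing the username to a configured list of forbidden usernames and blocking immediately, and only the trailing parenthetical says the support is not currently available; a reader skimming the list will take the first sentences as current behaviour. Lead with the unavailability, or phrase the comparison as what the daemon would do once supported. Since the BLOCKLIST_AUTH_FAIL description no longer says how it counts, consider stating explicitly that it contributes one failure towards the configured limit, which is what the blocklistd.c hunk above implements. The `.Va` to `.Dv` switch is correct for these defined constants.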