svn commit: r301843 - head/contrib/blacklist/libexec

Kurt Lidl lidl at FreeBSD.org
Sun Jun 12 23:34:50 UTC 2016


Author: lidl
Date: Sun Jun 12 23:34:48 2016
New Revision: 301843
URL: https://svnweb.freebsd.org/changeset/base/301843

Log:
  Add ipfilter support to blacklistd-helper
  
  In addition to adding initial support for the ipfilter
  packet filtering system, wrap a few long lines, perform
  whitespace cleanup and sync with upstream changes made
  in NetBSD.
  
  Submitted by:	cy
  Reviewed by:	cy
  Approved by:	re (hrs)
  Relnotes:	YES
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D6823

Modified:
  head/contrib/blacklist/libexec/blacklistd-helper

Modified: head/contrib/blacklist/libexec/blacklistd-helper
==============================================================================
--- head/contrib/blacklist/libexec/blacklistd-helper	Sun Jun 12 23:26:38 2016	(r301842)
+++ head/contrib/blacklist/libexec/blacklistd-helper	Sun Jun 12 23:34:48 2016	(r301843)
@@ -10,12 +10,6 @@
 # $7 id
 
 pf=
-for f in npf pf; do
-	if [ -f "/etc/$f.conf" ]; then
-		pf="$f"
-		break
-	fi
-done
 if [ -f "/etc/ipfw-blacklist.rc" ]; then
 	pf="ipfw"
 	. /etc/ipfw-blacklist.rc
@@ -23,6 +17,15 @@ if [ -f "/etc/ipfw-blacklist.rc" ]; then
 fi
 
 if [ -z "$pf" ]; then
+	for f in npf pf ipf; do
+		if [ -f "/etc/$f.conf" ]; then
+			pf="$f"
+			break
+		fi
+	done
+fi
+
+if [ -z "$pf" ]; then
 	echo "$0: Unsupported packet filter" 1>&2
 	exit 1
 fi
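Review bot: The new loop picks the first of npf, pf, ipf whose config file exists, so a host carrying both /etc/pf.conf and /etc/ipf.conf always gets pf, and a leftover /etc/ipf.conf on a machine where ipfilter is not loaded selects an engine that cannot enforce anything; because the ipf arms later in this commit send all ipf output to /dev/null, that misconfiguration is never reported and blacklistd will keep logging addresses as blocked. The existence of a config file is the only probe, which matches the npf/pf behaviour this loop replaces, but ipf at least is worth documenting: `# first config found wins (npf, pf, ipf); a file's presence does not prove the filter is loaded`. If a cheap liveness probe exists for ipf (for example a successful `/sbin/ipf -V`), preferring it over the file test would make the fallback error at the bottom actually fire.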
@@ -48,12 +51,20 @@ esac
 case "$1" in
 add)
 	case "$pf" in
+	ipf)
+		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+		echo block in quick $proto from $addr/$mask to \
+			any port=$6 head port$6 | \
+			/sbin/ipf -I -f - -s >/dev/null 2>&1
+		;;
 	ipfw)
-		rule=$(( $ipfw_offset + $6 )) # use $ipfw_offset+$port for rule number
+		# use $ipfw_offset+$port for rule number
+		rule=$(($ipfw_offset + $6))
 		tname="port$6"
 		/sbin/ipfw table $tname create type addr 2>/dev/null
 		/sbin/ipfw -q table $tname add "$addr/$mask"
-		/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to any dst-port $6
+		/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
+			any dst-port $6
 		;;
 	npf)
 		/sbin/npfctl rule "$2" add block in final $proto from \
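Review bot: The ipf arm appends its `block in quick` rule behind everything `ipfstat -io` just copied, so an existing `pass in quick` for the same port in the base ruleset, or a connection already in the state table, still reaches the service — the ipfw arm avoids this by placing its drop at a computed rule number. Both ipf invocations redirect stdout and stderr to /dev/null, so neither a load failure nor a rule that is rejected is visible, and blacklistd records the address as blocked either way; if the redirect is there to silence the duplicate-rule error on repeated adds, say so in a comment rather than hiding every error, e.g. `# errors ignored: re-adding an existing rule is reported as EEXIST`. `$proto`, `$addr`, `$mask` and `$6` are unquoted in the echo; with an empty `$6` the `port=` clause is malformed and the add fails silently. A comment stating the ordering requirement would help operators: `# appended rules sit behind earlier 'quick' rules; ipf.conf must not quick-pass this port`.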
@@ -69,6 +80,12 @@ add)
 	;;
 rem)
 	case "$pf" in
+	ipf)
+		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+		echo block in quick $proto from $addr/$mask to \
+			any port=$6 head port$6 | \
+			/sbin/ipf -I -r -f - -s >/dev/null 2>&1
+		;;
 	ipfw)
 		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
 		;;
@@ -81,7 +98,10 @@ rem)
 	esac
 	;;
 flush)
-	case "$pf" in 
+	case "$pf" in
+	ipf)
+		/sbin/ipf -Z -I -Fi -s > /dev/null
+		;;
 	ipfw)
 		/sbin/ipfw table "port$6" flush 2>/dev/null
 		;;

