svn commit: r314324 - stable/11/contrib/blacklist/libexec

Kurt Lidl lidl at FreeBSD.org
Mon Feb 27 04:05:36 UTC 2017


Author: lidl
Date: Mon Feb 27 04:05:34 2017
New Revision: 314324
URL: https://svnweb.freebsd.org/changeset/base/314324

Log:
  MFC r314111: Improve ipfw rule creation for blacklist-helper script
  
  When blocking an address, the blacklist-helper script
  needs to do the following things for the ipfw packet
  filter:
  
   - create a table to hold the addresses to be blocked,
     so lookups can be done quickly, and place the address
     to be blocked in that table
 - create a rule that does the lookup in the table and
     blocks the packet
  
  The ipfw system allows multiple rules to be inserted for
  a given rule number.  There only needs to be one rule
  to do the lookup per port.  Modify the script to probe
  for the existence of the rule before attempting to create
  it, so only one rule is inserted, rather than one rule per
  blocked address.
  
  PR:		214980
  Reported by:	azhegalov (at) gmail.com
  Reviewed by:	emaste
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D9681

Modified:
  stable/11/contrib/blacklist/libexec/blacklistd-helper

Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper
==============================================================================
--- stable/11/contrib/blacklist/libexec/blacklistd-helper	Mon Feb 27 03:52:32 2017	(r314323)
+++ stable/11/contrib/blacklist/libexec/blacklistd-helper	Mon Feb 27 04:05:34 2017	(r314324)
@@ -63,8 +63,11 @@ add)
 		tname="port$6"
 		/sbin/ipfw table $tname create type addr 2>/dev/null
 		/sbin/ipfw -q table $tname add "$addr/$mask"
-		/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
-		    any dst-port $6 && echo OK
+		# if rule number $rule does not already exist, create it
+		/sbin/ipfw show $rule >/dev/null 2>&1 || \
+			/sbin/ipfw add $rule drop $3 from \
+			table"("$tname")" to any dst-port $6 >/dev/null && \
+			echo OK
 		;;
 	npf)
 		/sbin/npfctl rule "$2" add block in final $proto from \
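Review bot: the probe `/sbin/ipfw show $rule >/dev/null 2>&1` only tests whether any rule carries number $rule, not whether that rule is the table-lookup drop for port $6; if the number is already taken by an unrelated rule, the block rule is silently never installed and the helper still prints OK (the shell parses `a || b && echo OK` as `(a || b) && echo OK`, so OK is printed whenever the probe succeeds). Consider matching the output of `ipfw show $rule` against the expected `table($tname)` and `dst-port $6` text before skipping the add, or documenting that the rule-number range is reserved for blacklistd. Two smaller points: the exit status of the preceding `/sbin/ipfw -q table $tname add "$addr/$mask"` is not chained into the OK, so OK can be reported even when the address never made it into the table; and probe-then-add is not atomic, so two concurrent helper invocations for the same port can both pass the probe and both insert the rule, which means the fix relies on blacklistd running the helper serially.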
