The branch main has been updated by jlduran: URL: https://cgit.FreeBSD.org/src/commit/?id=4d56eb007b18881becb2107f87bd2a7edca3e6bf
commit 4d56eb007b18881becb2107f87bd2a7edca3e6bf Author: Jose Luis Duran <[email protected]> AuthorDate: 2025-10-11 14:15:03 +0000 Commit: Jose Luis Duran <[email protected]> CommitDate: 2025-10-12 17:11:18 +0000 blocklist: Revert upstream commit ddf6d71 Upstream commit ddf6d71 ("implement BLOCKLIST_BAD_USER as a "one-count" failure") introduced BLOCKLIST_BAD_USER with a one-count failure mechanism. BLOCKLIST_AUTH_FAIL was implemented with a two-count failure mechanism. Since we have been utilizing BLOCKLIST_AUTH_FAIL, the number of failed attempts now doubles towards the maximum limit (nfails), giving system administrators the impression that the number of failed authentication attempts is inaccurate. Revert this commit until a consensus has been reached. We do not want to introduce yet another breaking change with the renaming of the library. Approved by: emaste (mentor) MFC after: 2 days --- contrib/blocklist/bin/blocklistd.c | 18 +++++++++--------- contrib/blocklist/lib/libblocklist.3 | 32 +++++++++++++++++++------------- 2 files changed, 28 insertions(+), 22 deletions(-) diff --git a/contrib/blocklist/bin/blocklistd.c b/contrib/blocklist/bin/blocklistd.c index 4846b507c8d1..03a1dbbf056c 100644 --- a/contrib/blocklist/bin/blocklistd.c +++ b/contrib/blocklist/bin/blocklistd.c @@ -222,19 +222,16 @@ process(bl_t bl) switch (bi->bi_type) { case BL_ABUSE: /* - * If the application has signaled abusive behavior, set the - * number of fails to be two less than the configured limit. - * Fall through to the normal BL_ADD and BL_BADUSER processing, - * which will increment the failure count to the threshhold, and - * block the abusive address. + * If the application has signaled abusive behavior, + * set the number of fails to be one less than the + * configured limit. Fallthrough to the normal BL_ADD + * processing, which will increment the failure count + * to the threshhold, and block the abusive address. */ if (c.c_nfail != -1) - dbi.count = c.c_nfail - 2; + dbi.count = c.c_nfail - 1; /*FALLTHROUGH*/ case BL_ADD: - dbi.count++; /* will become += 2 */ - /*FALLTHROUGH*/ - case BL_BADUSER: dbi.count++; dbi.last = ts.tv_sec; if (c.c_nfail != -1 && dbi.count >= c.c_nfail) { @@ -263,6 +260,9 @@ process(bl_t bl) dbi.count = 0; dbi.last = 0; break; + case BL_BADUSER: + /* ignore for now */ + break; default: (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); } diff --git a/contrib/blocklist/lib/libblocklist.3 b/contrib/blocklist/lib/libblocklist.3 index 7a016625a047..fd6eb93eb756 100644 --- a/contrib/blocklist/lib/libblocklist.3 +++ b/contrib/blocklist/lib/libblocklist.3 @@ -106,20 +106,26 @@ The .Ar action parameter can take these values: .Bl -tag -width ".Dv BLOCKLIST_ABUSIVE_BEHAVIOR" -.It Va BLOCKLIST_BAD_USER -The sending daemon has determined the username presented for -authentication is invalid. -This is considered as one failure count. -.It Va BLOCKLIST_AUTH_FAIL +.It Dv BLOCKLIST_AUTH_FAIL There was an unsuccessful authentication attempt. -This is considered as two failure counts together. -.It Va BLOCKLIST_ABUSIVE_BEHAVIOR -The sending daemon has detected abusive behavior from the remote system. -This is considered as a total immediate failure. -The remote address will be blocked as soon as possible. -.It Va BLOCKLIST_AUTH_OK -A valid user successfully authenticated. -Any entry for the remote address will be removed as soon as possible. +.It Dv BLOCKLIST_AUTH_OK +A user successfully authenticated. +.It Dv BLOCKLIST_ABUSIVE_BEHAVIOR +The sending daemon has detected abusive behavior +from the remote system. +The remote address should +be blocked as soon as possible. +.It Dv BLOCKLIST_BAD_USER +The sending daemon has determined the username +presented for authentication is invalid. +The +.Xr blocklistd 8 +daemon compares the username to a configured list of forbidden +usernames and +blocks the address immediately if a forbidden username matches. +(The +.Dv BLOCKLIST_BAD_USER +support is not currently available.) .El .Pp The
