Author: lidl
Date: Thu Jun  2 19:06:04 2016
New Revision: 301226
URL: https://svnweb.freebsd.org/changeset/base/301226

Log:
  Add basic blacklist build support
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Relnotes:     YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision:        https://reviews.freebsd.org/D5913

Added:
  head/etc/blacklistd.conf   (contents, props changed)
  head/etc/rc.d/blacklistd   (contents, props changed)
  head/lib/libblacklist/
  head/lib/libblacklist/Makefile   (contents, props changed)
  head/libexec/blacklistd-helper/
  head/libexec/blacklistd-helper/Makefile   (contents, props changed)
  head/usr.sbin/blacklistctl/
  head/usr.sbin/blacklistctl/Makefile   (contents, props changed)
  head/usr.sbin/blacklistd/
  head/usr.sbin/blacklistd/Makefile   (contents, props changed)
Modified:
  head/etc/Makefile
  head/etc/defaults/rc.conf
  head/etc/periodic/security/520.pfdenied
  head/etc/rc.d/Makefile
  head/lib/Makefile
  head/libexec/Makefile
  head/share/mk/bsd.libnames.mk
  head/share/mk/src.libnames.mk
  head/share/mk/src.opts.mk
  head/tools/build/mk/OptionalObsoleteFiles.inc
  head/usr.sbin/Makefile

Modified: head/etc/Makefile
==============================================================================
--- head/etc/Makefile   Thu Jun  2 18:41:33 2016        (r301225)
+++ head/etc/Makefile   Thu Jun  2 19:06:04 2016        (r301226)
@@ -86,6 +86,10 @@ BIN1+= apmd.conf
 BIN1+= auto_master
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+BIN1+= blacklistd.conf
+.endif
+
 .if ${MK_FREEBSD_UPDATE} != "no"
 BIN1+= freebsd-update.conf
 .endif
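Review bot: The conf file is installed under `MK_BLACKLIST_SUPPORT`, the derived consumer-side knob, while the option this commit actually adds to src.opts.mk is `BLACKLIST` and src.libnames.mk gates the library itself on `MK_BLACKLIST`. If the `.for var in` loop in src.opts.mk derives `MK_<var>_SUPPORT` the way it does for its other entries, that knob can be switched off independently of `MK_BLACKLIST`, and the library, rc script, helper, daemons and this file would then silently drop out of a build that still has `MK_BLACKLIST=yes` while `_LIBRARIES` keeps listing blacklist. Gating the producers on the option itself, `.if ${MK_BLACKLIST} != "no"`, and reserving `MK_BLACKLIST_SUPPORT` for programs that link libblacklist keeps the two knobs meaningful. The same applies to the etc/rc.d, lib, libexec, usr.sbin and OptionalObsoleteFiles hunks below.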

Added: head/etc/blacklistd.conf
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/etc/blacklistd.conf    Thu Jun  2 19:06:04 2016        (r301226)
@@ -0,0 +1,17 @@
+# $FreeBSD$
+#
+# Blacklist rule
+# adr/mask:port        type    proto   owner           name    nfail   disable
+[local]
+ssh            stream  *       *               *       3       24h
+ftp            stream  *       *               *       3       24h
+smtp           stream  *       *               *       3       24h
+submission     stream  *       *               *       3       24h
+#6161          stream  tcp6    christos        *       2       10m
+*              *       *       *               *       3       60
+
+# adr/mask:port        type    proto   owner           name    nfail   disable
+[remote]
+#129.168.0.0/16        *       *       *               =       *       *
+#6161          =       =       =               =/24    =       =
+#*             stream  tcp     *               =       =       =
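Review bot: The commented example in `[remote]`, `#129.168.0.0/16`, looks like a typo for the private range `192.168.0.0/16`; as written it names a routable /16 and misleads anyone who uncomments it as a template. The `[remote]` examples also use `=` in several columns with nothing in the file saying what that placeholder means, whereas the `[local]` section is self-explanatory from its header row. A one-line comment above `[remote]` explaining the `=` notation, and fixing the example address, would make the shipped file safe to copy from.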

Modified: head/etc/defaults/rc.conf
==============================================================================
--- head/etc/defaults/rc.conf   Thu Jun  2 18:41:33 2016        (r301225)
+++ head/etc/defaults/rc.conf   Thu Jun  2 19:06:04 2016        (r301226)
@@ -270,6 +270,8 @@ hastd_program="/sbin/hastd" # path to ha
 hastd_flags=""                 # Optional flags to hastd.
 ctld_enable="NO"               # CAM Target Layer / iSCSI target daemon.
 local_unbound_enable="NO"      # local caching resolver
+blacklistd_enable="YES"        # Run blacklistd daemon (YES/NO).
+blacklistd_flags=""            # Optional flags for blacklistd(8).
 
 #
 # kerberos. Do not run the admin daemons on slave servers
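Review bot: `blacklistd_enable="YES"` turns a newly added daemon on by default, unlike the neighbouring `hastd`, `ctld_enable` and `local_unbound_enable` entries, which all default to NO. Together with the shipped blacklistd.conf, which bans a source for 24h after three failures on ssh, a default-on daemon that installs pf rules through its helper can lock an administrator out of a freshly upgraded host that never opted in. Suggest `blacklistd_enable="NO"         # Run blacklistd daemon (YES/NO).` and documenting the opt-in in the release notes the commit already flags.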

Modified: head/etc/periodic/security/520.pfdenied
==============================================================================
--- head/etc/periodic/security/520.pfdenied     Thu Jun  2 18:41:33 2016        
(r301225)
+++ head/etc/periodic/security/520.pfdenied     Thu Jun  2 19:06:04 2016        
(r301226)
@@ -44,8 +44,14 @@ rc=0
 if check_yesno_period security_status_pfdenied_enable
 then
        TMP=`mktemp -t security`
-       if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; 
gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
-         check_diff new_only pf ${TMP} "${host} pf denied packets:"
+       touch ${TMP}
+       for _a in "" blacklistd
+       do
+               pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+               nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if 
($5 > 0) print buf$0;} }' >> ${TMP}
+       done
+       if [ -s ${TMP} ]; then
+               check_diff new_only pf ${TMP} "${host} pf denied packets:"
        fi
        rc=$?
        rm -f ${TMP}
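Review bot: `pfctl -a ${_a} -sr -v -z` with the unquoted empty first iteration expands to `pfctl -a -sr -v -z`, so `-a` consumes `-sr` as the anchor name and the main ruleset's block counters are no longer reported — the error is hidden by `2>/dev/null`, and before this change the main ruleset was the only thing reported. Quote the variable: `pfctl -a "${_a}" -sr -v -z 2>/dev/null | \`. The added `touch ${TMP}` is redundant since `mktemp` already creates the file. If the helper installs its rules in anchors nested below `blacklistd`, `-sr` on the parent anchor will not list them; worth confirming against blacklistd-helper before relying on this report.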

Modified: head/etc/rc.d/Makefile
==============================================================================
--- head/etc/rc.d/Makefile      Thu Jun  2 18:41:33 2016        (r301225)
+++ head/etc/rc.d/Makefile      Thu Jun  2 19:06:04 2016        (r301226)
@@ -17,6 +17,7 @@ FILES=        DAEMON \
        auditd \
        auditdistd \
        bgfsck \
+       ${_blacklistd} \
        ${_bluetooth} \
        bridge \
        ${_bthidd} \
@@ -168,6 +169,10 @@ FILES+=            automountd
 FILES+=                autounmountd
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd+=  blacklistd
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _bluetooth=    bluetooth
 _bthidd=       bthidd

Added: head/etc/rc.d/blacklistd
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/etc/rc.d/blacklistd    Thu Jun  2 19:06:04 2016        (r301226)
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+# 
+# $FreeBSD$
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blacklistd"
+desc="System blacklist daemon"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+
+load_rc_config $name
+run_rc_command "$1"
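Review bot: The script declares `# REQUIRE: netif pf` but nothing in it says that pf must actually be enabled and carry an anchor for blacklistd before the daemon can block anything; presumably the helper's pfctl calls simply fail in that case, leaving the daemon running but ineffective, and `required_files` only checks for the conf file. A short header comment such as `# blacklistd(8) only takes effect when pf is enabled and pf.conf loads an anchor for it; see blacklistd(8)` would save operators that surprise. Whether consumers that link libblacklist need this service started before them (a `# BEFORE:` line) cannot be told from this commit and is worth stating either way.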

Modified: head/lib/Makefile
==============================================================================
--- head/lib/Makefile   Thu Jun  2 18:41:33 2016        (r301225)
+++ head/lib/Makefile   Thu Jun  2 19:06:04 2016        (r301226)
@@ -28,6 +28,7 @@ SUBDIR=       ${SUBDIR_ORDERED} \
        ${_libatm} \
        libauditd \
        libbegemot \
+       ${_libblacklist} \
        libblocksruntime \
        ${_libbluetooth} \
        ${_libbsnmp} \
@@ -161,6 +162,10 @@ SUBDIR_DEPEND_liblzma= ${_libthr}
 _libngatm=     libngatm
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_libblacklist= libblacklist
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _libbluetooth= libbluetooth
 _libsdp=       libsdp

Added: head/lib/libblacklist/Makefile
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/lib/libblacklist/Makefile      Thu Jun  2 19:06:04 2016        
(r301226)
@@ -0,0 +1,30 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+
+.PATH: ${BLACKLIST_DIR}/lib ${BLACKLIST_DIR}/include
+
+LIB=   blacklist
+SHLIB_MAJOR= 0
+
+LIBADD+= pthread
+
+CFLAGS.clang+=-Wno-thread-safety-analysis
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+       -D_REENTRANT -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+       -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_GETPROGNAME \
+       -DHAVE_STRLCAT -DHAVE_STRLCPY -DHAVE_STRUCT_SOCKADDR_SA_LEN
+
+SRCS=  bl.c blacklist.c
+INCS=  blacklist.h
+MAN=   libblacklist.3
+
+MLINKS=        libblacklist.3 blacklist_open.3         \
+       libblacklist.3 blacklist_close.3        \
+       libblacklist.3 blacklist.3              \
+       libblacklist.3 blacklist_r.3            \
+       libblacklist.3 blacklist_sa.3           \
+       libblacklist.3 blacklist_sa_r.3
+
+.include <bsd.lib.mk>
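Review bot: `CFLAGS.clang+=-Wno-thread-safety-analysis` silences clang's lock-annotation checking for a library that also does `LIBADD+= pthread`, and there is no comment saying why the analysis is wrong here or whether the suppression is temporary. A one-line comment naming the actual reason (which upstream annotations trip it, and whether it is reported upstream) would stop the next maintainer from either deleting it blindly or copying it into the daemon Makefiles. Otherwise the file follows the contrib-wrapper pattern used by the other new Makefiles in this commit.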

Modified: head/libexec/Makefile
==============================================================================
--- head/libexec/Makefile       Thu Jun  2 18:41:33 2016        (r301225)
+++ head/libexec/Makefile       Thu Jun  2 19:06:04 2016        (r301226)
@@ -5,6 +5,7 @@
 
 SUBDIR=        ${_atf} \
        ${_atrun} \
+       ${_blacklistd-helper} \
        ${_comsat} \
        ${_dma} \
        getty \
@@ -33,6 +34,10 @@ SUBDIR=      ${_atf} \
 _atrun=                atrun
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd-helper+=   blacklistd-helper
+.endif
+
 .if ${MK_BOOTPD} != "no"
 SUBDIR+=       bootpd
 .endif

Added: head/libexec/blacklistd-helper/Makefile
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/libexec/blacklistd-helper/Makefile     Thu Jun  2 19:06:04 2016        
(r301226)
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+
+SCRIPTS=       ${BLACKLIST_DIR}/libexec/blacklistd-helper
+
+.include <bsd.prog.mk>
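Review bot: The Makefile sets `SCRIPTS=` but neither `SCRIPTSDIR` nor `BINDIR`, so unless bsd.prog.mk's default already resolves to /usr/libexec for this directory, the helper lands under the default `${BINDIR}` (/usr/bin), while both daemon Makefiles bake in `-D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\"` and OptionalObsoleteFiles lists `usr/libexec/blacklistd-helper`. If that is the case the daemon runs but never finds its helper, so no address is ever blocked and nothing here explains why. Adding `SCRIPTSDIR= /usr/libexec` (or the equivalent `BINDIR=`) keeps the install path and the compiled-in path in one place; verify with an install into a scratch DESTDIR.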

Modified: head/share/mk/bsd.libnames.mk
==============================================================================
--- head/share/mk/bsd.libnames.mk       Thu Jun  2 18:41:33 2016        
(r301225)
+++ head/share/mk/bsd.libnames.mk       Thu Jun  2 19:06:04 2016        
(r301226)
@@ -22,6 +22,7 @@ LIBATM?=      ${DESTDIR}${LIBDIR}/libatm.a
 LIBAUDITD?=    ${DESTDIR}${LIBDIR}/libauditd.a
 LIBAVL?=       ${DESTDIR}${LIBDIR}/libavl.a
 LIBBEGEMOT?=   ${DESTDIR}${LIBDIR}/libbegemot.a
+LIBBLACKLIST?= ${DESTDIR}${LIBDIR}/libblacklist.a
 LIBBLUETOOTH?= ${DESTDIR}${LIBDIR}/libbluetooth.a
 LIBBSDXML?=    ${DESTDIR}${LIBDIR}/libbsdxml.a
 LIBBSM?=       ${DESTDIR}${LIBDIR}/libbsm.a

Modified: head/share/mk/src.libnames.mk
==============================================================================
--- head/share/mk/src.libnames.mk       Thu Jun  2 18:41:33 2016        
(r301225)
+++ head/share/mk/src.libnames.mk       Thu Jun  2 19:06:04 2016        
(r301226)
@@ -178,6 +178,12 @@ _LIBRARIES=        \
                zfs \
                zpool \
 
+.if ${MK_BLACKLIST} != "no"
+_LIBRARIES+= \
+               blacklist \
+
+.endif
+
 .if ${MK_OFED} != "no"
 _LIBRARIES+= \
                cxgb4 \
@@ -200,6 +206,9 @@ _LIBRARIES+= \
 # 2nd+ order consumers.  Auto-generating this would be better.
 _DP_80211=     sbuf bsdxml
 _DP_archive=   z bz2 lzma bsdxml
+.if ${MK_BLACKLIST} != "no"
+_DP_blacklist+=        pthread
+.endif
 .if ${MK_OPENSSL} != "no"
 _DP_archive+=  crypto
 .else
@@ -502,6 +511,7 @@ LIBWINDDIR= ${OBJTOP}/kerberos5/lib/libw
 LIBATF_CDIR=   ${OBJTOP}/lib/atf/libatf-c
 LIBATF_CXXDIR= ${OBJTOP}/lib/atf/libatf-c++
 LIBALIASDIR=   ${OBJTOP}/lib/libalias/libalias
+LIBBLACKLISTDIR=       ${OBJTOP}/lib/libblacklist
 LIBBLOCKSRUNTIMEDIR=   ${OBJTOP}/lib/libblocksruntime
 LIBBSNMPDIR=   ${OBJTOP}/lib/libbsnmp/libbsnmp
 LIBCASPERDIR=  ${OBJTOP}/lib/libcasper/libcasper

Modified: head/share/mk/src.opts.mk
==============================================================================
--- head/share/mk/src.opts.mk   Thu Jun  2 18:41:33 2016        (r301225)
+++ head/share/mk/src.opts.mk   Thu Jun  2 19:06:04 2016        (r301226)
@@ -56,6 +56,7 @@ __DEFAULT_YES_OPTIONS = \
     BHYVE \
     BINUTILS \
     BINUTILS_BOOTSTRAP \
+    BLACKLIST \
     BLUETOOTH \
     BOOT \
     BOOTPARAMD \
@@ -374,6 +375,7 @@ MK_CLANG_FULL:= no
 # MK_* variable is set to "no".
 #
 .for var in \
+    BLACKLIST \
     BZIP2 \
     GNU \
     INET \

Modified: head/tools/build/mk/OptionalObsoleteFiles.inc
==============================================================================
--- head/tools/build/mk/OptionalObsoleteFiles.inc       Thu Jun  2 18:41:33 
2016        (r301225)
+++ head/tools/build/mk/OptionalObsoleteFiles.inc       Thu Jun  2 19:06:04 
2016        (r301226)
@@ -431,6 +431,26 @@ OLD_FILES+=usr/share/man/man7/ldint.7.gz
 OLD_FILES+=usr/share/man/man7/binutils.7.gz
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} == no
+OLD_FILES+=etc/rc.d/blacklistd
+OLD_FILES+=usr/include/blacklist.h
+OLD_FILES+=usr/lib/libblacklist.a
+OLD_FILES+=usr/lib/libblacklist_p.a
+OLD_FILES+=usr/lib/libblacklist.so
+OLD_LIBS+=usr/lib/libblacklist.so.0
+OLD_FILES+=usr/libexec/blacklistd-helper
+OLD_FILES+=usr/sbin/blacklistctl
+OLD_FILES+=usr/sbin/blacklistd
+OLD_FILES+=usr/share/man/man3/blacklist.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_close.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_open.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_r.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa_r.3.gz
+OLD_FILES+=usr/share/man/man8/blacklistctl.8.gz
+OLD_FILES+=usr/share/man/man8/blacklistd.8.gz
+.endif
+
 .if ${MK_BLUETOOTH} == no
 OLD_FILES+=etc/bluetooth/hcsecd.conf
 OLD_FILES+=etc/bluetooth/hosts
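Review bot: The `MK_BLACKLIST_SUPPORT == no` block omits `etc/blacklistd.conf`, which etc/Makefile installs under the same condition, whereas the neighbouring `MK_BLUETOOTH` block does list its etc/bluetooth files; add `OLD_FILES+=etc/blacklistd.conf` so `delete-old` cleans up consistently. Whether a blacklistd.conf(5) manual page is installed cannot be told from this commit; if one is, it belongs in this list as well.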

Modified: head/usr.sbin/Makefile
==============================================================================
--- head/usr.sbin/Makefile      Thu Jun  2 18:41:33 2016        (r301225)
+++ head/usr.sbin/Makefile      Thu Jun  2 19:06:04 2016        (r301226)
@@ -113,6 +113,10 @@ SUBDIR.${MK_AUDIT}+=       auditreduce
 SUBDIR.${MK_AUDIT}+=   praudit
 SUBDIR.${MK_AUTHPF}+=  authpf
 SUBDIR.${MK_AUTOFS}+=  autofs
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+SUBDIR.${MK_BLACKLIST_SUPPORT}+=       blacklistctl
+SUBDIR.${MK_BLACKLIST_SUPPORT}+=       blacklistd
+.endif
 SUBDIR.${MK_BLUETOOTH}+=       bluetooth
 SUBDIR.${MK_BOOTPARAMD}+=      bootparamd
 SUBDIR.${MK_BSDINSTALL}+=      bsdinstall
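Review bot: The `.if ${MK_BLACKLIST_SUPPORT} != "no"` guard around the two `SUBDIR.${MK_BLACKLIST_SUPPORT}+=` lines is redundant: the `SUBDIR.<yes|no>` idiom used by the surrounding entries (`SUBDIR.${MK_AUTOFS}+=`, `SUBDIR.${MK_BLUETOOTH}+=`) already selects on the option's value, so the conditional only adds a second, differently shaped gate. Dropping the `.if`/`.endif` and leaving `SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistctl` and `SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistd` keeps this file uniform.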

Added: head/usr.sbin/blacklistctl/Makefile
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/usr.sbin/blacklistctl/Makefile Thu Jun  2 19:06:04 2016        
(r301226)
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG=  blacklistctl
+SRCS=  blacklistctl.c conf.c state.c support.c internal.c \
+       sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN=   blacklistctl.8
+
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+       -D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
+       -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+       -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
+       -DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
+       -DHAVE_STRUCT_SOCKADDR_SA_LEN
+# CFLAGS+= -D_REENTRANT
+
+.include <bsd.prog.mk>
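Review bot: The `CFLAGS+=` block, most of the `SRCS` list and the `LDFLAGS`/`LIBADD` lines are duplicated almost verbatim in usr.sbin/blacklistd/Makefile in the next hunk; a shared `Makefile.inc` or `.include`d fragment would keep the HAVE_* feature defines and `_PATH_BLCONTROL` from drifting apart between the control tool and the daemon. The commented-out `# CFLAGS+= -D_REENTRANT` is dead text in both files — either enable it (libblacklist is built with `-D_REENTRANT`) or delete it. `LDFLAGS+=-L${LIBBLACKLISTDIR}` is likely redundant once `LIBADD+= blacklist` resolves through the `LIBBLACKLISTDIR` this commit adds to src.libnames.mk, but confirm that before removing it.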

Added: head/usr.sbin/blacklistd/Makefile
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/usr.sbin/blacklistd/Makefile   Thu Jun  2 19:06:04 2016        
(r301226)
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG=  blacklistd
+SRCS=  blacklistd.c conf.c run.c state.c support.c internal.c \
+       sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN=   blacklistd.8
+
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+       -D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
+       -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+       -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
+       -DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
+       -DHAVE_STRUCT_SOCKADDR_SA_LEN
+# CFLAGS+= -D_REENTRANT
+
+.include <bsd.prog.mk>