blacklistd-helper revision 301169
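#!/bin/sh
#
# blacklistd control helper: turn a blacklistd "add", "rem" or "flush"
# request into the matching npfctl(8) or pfctl(8) invocation.  The packet
# filter is picked by whichever of /etc/npf.conf or /etc/pf.conf exists
# first (npf is checked before pf).
#
# Positional arguments, as passed by the caller:
#   $1 command   one of: add, rem, flush
#   $2 rulename  npf rule group / pf anchor the block lives in
#   $3 protocol  e.g. tcp or udp; may be empty (then no "proto" clause)
#   $4 address   address to block; an IPv4-mapped IPv6 address with a /128
#                mask is folded back to plain IPv4 with a /32 mask
#   $5 mask      prefix length for $4
#   $6 port      port the block applies to; may be empty (then no "port"
#                clause and the pf table is just "port")
#   $7 id        rule id; only used by the npf "rem" command
#
# Exit status is 1 for an unsupported filter, an unknown command or a
# malformed argument; otherwise the status of the last npfctl/pfctl call.
#
#echo "run $@" 1>&2
#set -x

# Print "$0: message" on stderr and exit 1.
die() {
	printf '%s: %s\n' "$0" "$*" 1>&2
	exit 1
}

pf=
for f in npf pf; do
	if [ -f "/etc/$f.conf" ]; then
		pf="$f"
		break
	fi
done

[ -n "$pf" ] || die "Unsupported packet filter"

# Defense in depth: $3 and $6 are deliberately expanded unquoted below so
# that "proto tcp" / "port 22" become separate words, and both are also
# spliced into pf rule text fed to "pfctl -f -".  A value carrying
# whitespace or rule syntax would therefore turn into extra arguments or
# extra rules.  blacklistd is expected to pass well-formed values; these
# checks only keep a misbehaving caller away from the packet filter.
# Empty values are accepted because the logic below already tolerates
# them (e.g. no port for a flush).
case "$2" in
*[!A-Za-z0-9_.:/-]*) die "Bad rulename '$2'" ;;
esac
case "$3" in
*[!A-Za-z0-9]*) die "Bad protocol '$3'" ;;
esac
case "$4" in
# letters allowed beyond hex so a scoped IPv6 address (addr%ifname) passes
*[!A-Za-z0-9.:%]*) die "Bad address '$4'" ;;
esac
case "$5" in
*[!0-9]*) die "Bad mask '$5'" ;;
esac
case "$6" in
*[!0-9]*) die "Bad port '$6'" ;;
esac

# Optional clauses; left empty when the argument is empty.
proto=
port=
[ -n "$3" ] && proto="proto $3"
[ -n "$6" ] && port="port $6"

# An IPv4-mapped IPv6 host address is rewritten as the IPv4 host it
# represents so the filter sees a plain IPv4 rule.
addr="$4"
mask="$5"
case "$4" in
::ffff:*.*.*.*)
	if [ "$5" = 128 ]; then
		mask=32
		addr=${4#::ffff:}
	fi
	;;
esac

case "$1" in
add)
	case "$pf" in
	npf)
		# shellcheck disable=SC2086 -- $proto/$port are word lists
		/sbin/npfctl rule "$2" add block in final $proto from \
		    "$addr/$mask" to any $port
		;;
	pf)
		# insert $addr/$mask into the per-port anchored table, then
		# (re)load the anchor rule that blocks everything in that table
		/sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask"
		printf '%s\n' "block in quick $proto from <port$6> to any $port" | \
		    /sbin/pfctl -a "$2" -f -
		;;
	esac
	;;
rem)
	case "$pf" in
	npf)
		/sbin/npfctl rule "$2" rem-id "$7"
		;;
	pf)
		/sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask"
		;;
	esac
	;;
flush)
	case "$pf" in
	npf)
		/sbin/npfctl rule "$2" flush
		;;
	pf)
		/sbin/pfctl -a "$2" -t "port$6" -T flush
		;;
	esac
	;;
*)
	die "Unknown command '$1'"
	;;
esac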