blacklistd-helper revision 301736
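#!/bin/sh
# blacklistd(8) helper: turn one change request from the daemon into the
# matching packet-filter command for whichever filter is configured on
# this host (npf, pf or ipfw).
#
# Invoked as:
#   $1 command   add | rem | flush
#   $2 rulename  pf anchor / npf rule group the daemon was configured with
#   $3 protocol  e.g. tcp or udp; may be empty
#   $4 address   numeric address of the peer (IPv4 dotted quad or IPv6)
#   $5 mask      prefix length
#   $6 port      local port; may be empty
#   $7 id        id of a rule added earlier (used by npf "rem" only;
#                presumably taken from npfctl's "add" reply, so stdout of
#                the add path must not be redirected)
#
# Exit status is that of the last packet-filter command that ran, so the
# caller can tell whether the change took effect.
#echo "run $@" 1>&2
#set -x

die() {
	printf '%s: %s\n' "$0" "$*" 1>&2
	exit 1
}

# Pick the packet filter to drive.  The first of npf/pf with a config in
# /etc wins, but /etc/ipfw-blacklist.rc overrides both and is sourced to
# obtain ipfw_offset, the base rule number for per-port drop rules.
detect_pf() {
	pf=
	for f in npf pf; do
		if [ -f "/etc/$f.conf" ]; then
			pf="$f"
			break
		fi
	done
	if [ -f "/etc/ipfw-blacklist.rc" ]; then
		pf="ipfw"
		. /etc/ipfw-blacklist.rc
		ipfw_offset=${ipfw_offset:-2000}
	fi
	[ -n "$pf" ] || die "Unsupported packet filter"
}

# Refuse arguments that cannot be part of a well-formed request before any
# of them is spliced into a filter command line or, for pf, into rule text
# fed to pfctl -f.  Protocol: alphanumeric/'-'; address: digits, hex, '.',
# ':' and a possible '%scope' suffix (passed through unchanged); mask and
# port: decimal.  Empty values are left for the per-filter code to handle.
check_args() {
	case "$3" in
	*[!0-9A-Za-z-]*) die "Bad protocol '$3'";;
	esac
	case "$4" in
	*[!0-9A-Za-z.:%-]*) die "Bad address '$4'";;
	esac
	case "$5$6" in
	*[!0-9]*) die "Bad mask/port '$5'/'$6'";;
	esac
}

# Derive the rule operands from the request: addr/mask, plus the optional
# "proto X" / "port N" qualifier words (deliberately expanded unquoted at
# the call sites so an empty qualifier contributes no word).
set_target() {
	proto=
	if [ -n "$3" ]; then
		proto="proto $3"
	fi
	port=
	if [ -n "$6" ]; then
		port="port $6"
	fi

	addr="$4"
	mask="$5"
	# An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is rewritten as plain
	# IPv4 so the filter installs an IPv4 rule.  A mapped prefix of length
	# N >= 96 is the IPv4 prefix of length N-96 (128 -> 32 for one host);
	# shorter prefixes cannot be expressed in IPv4 and are passed through.
	case "$4" in
	::ffff:*.*.*.*)
		if [ -n "$5" ] && [ "$5" -ge 96 ]; then
			mask=$(($5 - 96))
			addr=${4#::ffff:}
		fi;;
	esac
}

# Block $addr/$mask, optionally narrowed to $proto/$port, under group $2.
fw_add() {
	case "$pf" in
	ipfw)
		# One drop rule per port, numbered ipfw_offset+port, matching
		# a per-port address table; creating the table is idempotent.
		[ -n "$6" ] || die "ipfw rules need a port"
		rule=$((ipfw_offset + $6))
		tname="port$6"
		/sbin/ipfw table "$tname" create type addr 2>/dev/null
		/sbin/ipfw -q table "$tname" add "$addr/$mask"
		/sbin/ipfw -q add "$rule" drop $3 from "table($tname)" \
		    to any dst-port "$6"
		;;
	npf)
		/sbin/npfctl rule "$2" add block in final $proto from \
		    "$addr/$mask" to any $port
		;;
	pf)
		# Put the address into the per-port table inside anchor $2,
		# then (re)load the anchor's single block rule referencing it.
		/sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask"
		echo "block in quick $proto from <port$6> to any $port" |
		    /sbin/pfctl -a "$2" -f -
		;;
	esac
}

# Undo a single earlier add: drop the address from the per-port table
# (ipfw, pf) or remove the rule by its id (npf).
fw_rem() {
	case "$pf" in
	ipfw)
		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
		;;
	npf)
		/sbin/npfctl rule "$2" rem-id "$7"
		;;
	pf)
		/sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask"
		;;
	esac
}

# Drop every address blocked for this port / rule group.
fw_flush() {
	case "$pf" in
	ipfw)
		/sbin/ipfw table "port$6" flush 2>/dev/null
		;;
	npf)
		/sbin/npfctl rule "$2" flush
		;;
	pf)
		/sbin/pfctl -a "$2" -t "port$6" -T flush
		;;
	esac
}

main() {
	detect_pf
	check_args "$@"
	set_target "$@"

	case "$1" in
	add)
		fw_add "$@"
		;;
	rem)
		fw_rem "$@"
		;;
	flush)
		fw_flush "$@"
		;;
	*)
		die "Unknown command '$1'"
		;;
	esac
}

main "$@"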