blacklistd-helper revision 303975
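#!/bin/sh
#
# blacklistd-helper: invoked by blacklistd(8) to add, remove or flush
# blocking rules in whichever packet filter is configured on this host.
# Runs with the daemon's privileges; every argument comes straight from
# blacklistd and is passed to the filter control tool without validation.
#
#echo "run $@" 1>&2
#set -x
#
# $1 command   add | rem | flush
# $2 rulename  anchor / rule-set name (used by npf and pf)
# $3 protocol  e.g. tcp or udp; may be empty
# $4 address   IPv4 or IPv6 address to block
# $5 mask      prefix length for $4
# $6 port      destination port being protected; may be empty
# $7 id        rule id handed back by the filter (used by npf "rem")

# Select the packet filter: ipfw wins when its rc file exists, otherwise the
# first of npf, pf, ipf whose configuration file is present.
pf=
if [ -f "/etc/ipfw-blacklist.rc" ]; then
	pf="ipfw"
	. /etc/ipfw-blacklist.rc
	# base for ipfw rule numbers; the port is added to it (see "add" below)
	ipfw_offset=${ipfw_offset:-2000}
fi

if [ -z "$pf" ]; then
	for f in npf pf ipf; do
		if [ -f "/etc/$f.conf" ]; then
			pf="$f"
			break
		fi
	done
fi

if [ -z "$pf" ]; then
	printf '%s: Unsupported packet filter\n' "$0" 1>&2
	exit 1
fi

# $proto and $port are intentionally expanded unquoted below: each is either
# empty or a two-word rule fragment ("proto tcp", "port 22") that must split.
proto=
if [ -n "$3" ]; then
	proto="proto $3"
fi

port=
if [ -n "$6" ]; then
	port="port $6"
fi

# Rewrite IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) as plain IPv4 so the
# filter installs a v4 rule.  A v6 prefix of N bits on a mapped address is a
# v4 prefix of N-96 bits (128 -> 32); a shorter or non-numeric mask is left
# untouched together with the address.
addr="$4"
mask="$5"
case "$4" in
::ffff:*.*.*.*)
	case "$5" in
	''|*[!0-9]*)
		;;
	*)
		if [ "$5" -ge 96 ]; then
			mask=$(($5 - 96))
			addr=${4#::ffff:}
		fi
		;;
	esac
	;;
esac

case "$1" in
add)
	case "$pf" in
	ipf)
		# reload the live rule set, then append the block rule to it
		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
		echo block in quick $proto from $addr/$mask to \
		    any port=$6 head port$6 | \
		    /sbin/ipf -I -f - -s >/dev/null 2>&1
		;;
	ipfw)
		# The rule number is $ipfw_offset + port, so a port is mandatory
		# here; with an empty $6 the arithmetic is a shell syntax error.
		if [ -z "$6" ]; then
			printf '%s: ipfw add requires a port\n' "$0" 1>&2
			exit 1
		fi
		rule=$((ipfw_offset + $6))
		tname="port$6"
		# one lookup table per protected port; "create" is a no-op once it exists
		/sbin/ipfw table "$tname" create type addr 2>/dev/null
		/sbin/ipfw -q table "$tname" add "$addr/$mask"
		# $3 stays unquoted: an empty protocol drops the word entirely
		/sbin/ipfw -q add "$rule" drop $3 from "table($tname)" to \
		    any dst-port "$6"
		;;
	npf)
		/sbin/npfctl rule "$2" add block in final $proto from \
		    "$addr/$mask" to any $port
		;;
	pf)
		# insert $addr/$mask into the per-port table inside anchor $2,
		# then make sure the anchor holds a rule that consults the table
		/sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask"
		echo "block in quick $proto from <port$6> to any $port" | \
		    /sbin/pfctl -a "$2" -f -
		;;
	esac
	;;
rem)
	case "$pf" in
	ipf)
		/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
		echo block in quick $proto from $addr/$mask to \
		    any port=$6 head port$6 | \
		    /sbin/ipf -I -r -f - -s >/dev/null 2>&1
		;;
	ipfw)
		# only the table entry goes away; the numbered rule stays in place
		/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
		;;
	npf)
		/sbin/npfctl rule "$2" rem-id "$7"
		;;
	pf)
		/sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask"
		;;
	esac
	;;
flush)
	case "$pf" in
	ipf)
		/sbin/ipf -Z -I -Fi -s > /dev/null
		;;
	ipfw)
		/sbin/ipfw table "port$6" flush 2>/dev/null
		;;
	npf)
		/sbin/npfctl rule "$2" flush
		;;
	pf)
		/sbin/pfctl -a "$2" -t "port$6" -T flush
		;;
	esac
	;;
*)
	printf "%s: Unknown command '%s'\n" "$0" "$1" 1>&2
	exit 1
	;;
esac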