2022-09-19 18:23:32 +00:00
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#include <sys/wait.h>
|
|
|
|
|
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
|
2021-02-25 23:10:12 +00:00
|
|
|
#include <err.h>
|
2022-09-19 18:23:32 +00:00
|
|
|
#include <netdb.h>
|
2021-03-10 21:34:50 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
2021-02-28 09:54:36 +00:00
|
|
|
#include <syslog.h>
|
2021-03-10 21:34:50 +00:00
|
|
|
#include <unistd.h>
|
2021-02-25 23:10:12 +00:00
|
|
|
|
2022-08-22 12:50:40 +00:00
|
|
|
#define DEFAULT_TABLE "iblocked"
|
2021-03-10 21:34:50 +00:00
|
|
|
|
2022-09-19 18:23:32 +00:00
|
|
|
static void __dead
|
|
|
|
|
usage(void)
|
|
|
|
|
{
|
|
|
|
|
fprintf(stderr, "usage: %s [table]\n", getprogname());
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
main(int argc, char *argv[])
|
|
|
|
|
{
|
2022-08-22 12:55:25 +00:00
|
|
|
struct sockaddr_storage sock = {0};
|
2021-03-10 21:34:50 +00:00
|
|
|
socklen_t slen = sizeof(sock);
|
|
|
|
|
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
|
2022-09-19 18:23:32 +00:00
|
|
|
const char *table = DEFAULT_TABLE;
|
|
|
|
|
int ch, status = 0;
|
2022-09-17 14:52:03 +00:00
|
|
|
pid_t id;
|
2021-03-10 21:34:50 +00:00
|
|
|
|
2021-03-20 10:42:00 +00:00
|
|
|
if (unveil("/usr/bin/doas", "rx") != 0)
|
2021-03-10 21:34:50 +00:00
|
|
|
err(1, "unveil");
|
2022-09-17 14:52:03 +00:00
|
|
|
if (pledge("exec inet proc stdio", NULL) != 0)
|
2021-03-10 21:34:50 +00:00
|
|
|
err(1, "pledge");
|
|
|
|
|
|
2022-09-19 18:23:32 +00:00
|
|
|
while ((ch = getopt(argc, argv, "")) != -1) {
|
|
|
|
|
switch (ch) {
|
|
|
|
|
default:
|
|
|
|
|
usage();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
argc -= optind;
|
|
|
|
|
argv += optind;
|
|
|
|
|
|
|
|
|
|
if (argc > 1)
|
|
|
|
|
usage();
|
|
|
|
|
|
|
|
|
|
if (argc == 1)
|
|
|
|
|
table = *argv;
|
2021-02-25 23:10:12 +00:00
|
|
|
|
2021-03-10 21:34:50 +00:00
|
|
|
/* get socket structure */
|
2022-08-22 12:56:21 +00:00
|
|
|
if (getpeername(STDIN_FILENO, (struct sockaddr *)&sock, &slen))
|
2021-03-10 21:34:50 +00:00
|
|
|
err(1, "getpeername");
|
|
|
|
|
|
|
|
|
|
/* get ip */
|
|
|
|
|
status = getnameinfo((struct sockaddr *)&sock, slen, ip, sizeof(ip),
|
2022-09-19 18:23:32 +00:00
|
|
|
NULL, 0, NI_NUMERICHOST);
|
2021-03-10 21:34:50 +00:00
|
|
|
|
2022-08-22 12:56:21 +00:00
|
|
|
if (status != 0) {
|
2022-09-19 18:23:32 +00:00
|
|
|
syslog(LOG_DAEMON, "getnameinfo error: %s",
|
|
|
|
|
gai_strerror(status));
|
2021-03-10 21:34:50 +00:00
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-22 12:56:21 +00:00
|
|
|
switch (sock.ss_family) {
|
2022-08-22 12:56:35 +00:00
|
|
|
case AF_INET: /* FALLTHROUGH */
|
2021-03-10 21:34:50 +00:00
|
|
|
case AF_INET6:
|
2022-09-17 14:52:03 +00:00
|
|
|
id = fork();
|
|
|
|
|
|
2022-09-18 12:43:53 +00:00
|
|
|
if (id == -1) {
|
|
|
|
|
syslog(LOG_DAEMON, "fork error");
|
|
|
|
|
exit(1);
|
|
|
|
|
} else if (id == 0) {
|
|
|
|
|
// child process
|
|
|
|
|
syslog(LOG_DAEMON, "blocking %s", ip);
|
|
|
|
|
execl("/usr/bin/doas", "doas", "/sbin/pfctl",
|
2022-09-19 18:23:32 +00:00
|
|
|
"-t", table, "-T", "add", ip, NULL);
|
2022-09-18 12:43:53 +00:00
|
|
|
} else {
|
|
|
|
|
// parent process
|
2022-09-17 14:52:03 +00:00
|
|
|
wait(NULL);
|
2022-09-18 12:43:53 +00:00
|
|
|
syslog(LOG_DAEMON, "kill states for %s", ip);
|
|
|
|
|
execl("/usr/bin/doas", "doas", "/sbin/pfctl",
|
2022-09-19 18:23:32 +00:00
|
|
|
"-k", ip, NULL);
|
2022-09-17 14:52:03 +00:00
|
|
|
}
|
2021-03-10 21:34:50 +00:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
exit(2);
|
|
|
|
|
}
|
2021-02-25 23:10:12 +00:00
|
|
|
}
|
