Merge pull request 'main' (#1) from prx/iblock:main into main

Reviewed-on: #1
solene 2022-08-22 14:02:23 +00:00
commit 1a60f738f2
3 changed files with 17 additions and 14 deletions


@ -2,6 +2,10 @@ CFLAGS += -pedantic -Wall -Wextra -Wmissing-prototypes \
-Werror -Wshadow -Wstrict-overflow -fno-strict-aliasing \ -Werror -Wshadow -Wstrict-overflow -fno-strict-aliasing \
-Wstrict-prototypes -Wwrite-strings \ -Wstrict-prototypes -Wwrite-strings \
-Os -Os
PREFIX = /usr/local
all: iblock all: iblock
iblock: main.c iblock: main.c


@ -39,6 +39,8 @@ In this example, the parameter `blocklist` will add IPs to the `blocklist` PF ta
666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock blocklist 666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock blocklist
``` ```
Default is "iblocked" table.
## Configure packet filter ## Configure packet filter
Use this in `/etc/pf.conf`, choose which ports will trigger the ban from the variable: Use this in `/etc/pf.conf`, choose which ports will trigger the ban from the variable:
@ -65,5 +67,4 @@ In the example I added a label to the block rule, you can use `pfctl -s labels`
# TODO # TODO
- make install doing something
- A proper man page - A proper man page

main.c

@ -9,15 +9,15 @@
#include <sys/socket.h> #include <sys/socket.h>
#define DEFAULT_TABLE "blocked" #define DEFAULT_TABLE "iblocked"
#define TABLE_LEN 128 /* not sure what is pf table name length limit... */ #define TABLE_LEN 32 /* see PF_TABLE_NAME_SIZE in net/pfvar.h */
int main(int argc, char *argv[]){ int main(int argc, char *argv[]){
struct sockaddr_storage sock; struct sockaddr_storage sock = {0};
socklen_t slen = sizeof(sock); socklen_t slen = sizeof(sock);
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */ char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
char table[TABLE_LEN] = DEFAULT_TABLE; char table[TABLE_LEN] = DEFAULT_TABLE;
int status; int status = 0;
if (unveil("/usr/bin/doas", "rx") != 0) if (unveil("/usr/bin/doas", "rx") != 0)
err(1, "unveil"); err(1, "unveil");
@ -25,30 +25,28 @@ int main(int argc, char *argv[]){
err(1, "pledge"); err(1, "pledge");
/* configuration */ /* configuration */
if (argc == 2) { if (argc == 2)
if (strlen(argv[1]) > sizeof(table)) if (strlcpy(table, argv[1], TABLE_LEN) >= sizeof(table))
errx(1, "table name is too long"); errx(1, "table name is too long");
strlcpy(table, argv[1], TABLE_LEN);
}
/* get socket structure */ /* get socket structure */
if(getpeername(STDIN_FILENO, (struct sockaddr *)&sock, &slen)) if (getpeername(STDIN_FILENO, (struct sockaddr *)&sock, &slen))
err(1, "getpeername"); err(1, "getpeername");
/* get ip */ /* get ip */
status = getnameinfo((struct sockaddr *)&sock, slen, ip, sizeof(ip), status = getnameinfo((struct sockaddr *)&sock, slen, ip, sizeof(ip),
NULL, 0, NI_NUMERICHOST); NULL, 0, NI_NUMERICHOST);
if(status != 0) { if (status != 0) {
syslog(LOG_DAEMON, "getnameinfo error"); syslog(LOG_DAEMON, "getnameinfo error");
exit(1); exit(1);
} }
syslog(LOG_DAEMON, "blocking %s", ip); syslog(LOG_DAEMON, "blocking %s", ip);
switch(sock.ss_family) { switch (sock.ss_family) {
case AF_INET: /* FALLTHROUGHT */ case AF_INET: /* FALLTHROUGH */
case AF_INET6: case AF_INET6:
execlp("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL); execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
break; break;
default: default:
exit(2); exit(2);
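Review bot: `execl` on the AF_INET/AF_INET6 branch returns only when the exec itself fails, yet the code then reaches `break;` and carries on as if the ban had been applied, so a missing or non-executable /usr/bin/doas leaves the peer unblocked with nothing logged; add `err(1, "execl");` directly after the call so the failure is reported and the process exits non-zero. The earlier `unveil("/usr/bin/doas", "rx")` only makes the path visible, it does not guarantee the exec succeeds. Separately, `syslog(LOG_DAEMON, ...)` on the two syslog lines passes a facility where a priority is expected, so both messages go out at severity 0 (emergency); `LOG_DAEMON | LOG_INFO` for the "blocking" line and `LOG_DAEMON | LOG_ERR` for the getnameinfo failure is what seems intended. main's body continues past the end of the hunk.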