Merge pull request 'main' (#1) from prx/iblock:main into main
Reviewed-on: #1
1a60f738f2
4
Makefile
4
Makefile
|
@ -2,6 +2,10 @@ CFLAGS += -pedantic -Wall -Wextra -Wmissing-prototypes \
|
||||||
-Werror -Wshadow -Wstrict-overflow -fno-strict-aliasing \
|
-Werror -Wshadow -Wstrict-overflow -fno-strict-aliasing \
|
||||||
-Wstrict-prototypes -Wwrite-strings \
|
-Wstrict-prototypes -Wwrite-strings \
|
||||||
-Os
|
-Os
|
||||||
|
|
||||||
|
PREFIX = /usr/local
|
||||||
|
|
||||||
|
|
||||||
all: iblock
|
all: iblock
|
||||||
|
|
||||||
iblock: main.c
|
iblock: main.c
|
||||||
|
|
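Review bot: `PREFIX = /usr/local` in this hunk cannot be overridden from the environment, only from the make command line, so a packager's `PREFIX` setting is ignored; `PREFIX ?= /usr/local` keeps the same default while honouring an existing value. Nothing visible in the hunk consumes PREFIX, so presumably the install rule that uses it lies outside this hunk.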
|
@ -39,6 +39,8 @@ In this example, the parameter `blocklist` will add IPs to the `blocklist` PF ta
|
||||||
666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock blocklist
|
666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock blocklist
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Default is "iblocked" table.
|
||||||
|
|
||||||
## Configure packet filter
|
## Configure packet filter
|
||||||
|
|
||||||
Use this in `/etc/pf.conf`, choose which ports will trigger the ban from the variable:
|
Use this in `/etc/pf.conf`, choose which ports will trigger the ban from the variable:
|
||||||
|
@ -65,5 +67,4 @@ In the example I added a label to the block rule, you can use `pfctl -s labels`
|
||||||
|
|
||||||
# TODO
|
# TODO
|
||||||
|
|
||||||
- make install doing something
|
|
||||||
- A proper man page
|
- A proper man page
|
||||||
|
|
24
main.c
24
main.c
|
@ -9,15 +9,15 @@
|
||||||
|
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
|
|
||||||
#define DEFAULT_TABLE "blocked"
|
#define DEFAULT_TABLE "iblocked"
|
||||||
#define TABLE_LEN 128 /* not sure what is pf table name length limit... */
|
#define TABLE_LEN 32 /* see PF_TABLE_NAME_SIZE in net/pfvar.h */
|
||||||
|
|
||||||
int main(int argc, char *argv[]){
|
int main(int argc, char *argv[]){
|
||||||
struct sockaddr_storage sock;
|
struct sockaddr_storage sock = {0};
|
||||||
socklen_t slen = sizeof(sock);
|
socklen_t slen = sizeof(sock);
|
||||||
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
|
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
|
||||||
char table[TABLE_LEN] = DEFAULT_TABLE;
|
char table[TABLE_LEN] = DEFAULT_TABLE;
|
||||||
int status;
|
int status = 0;
|
||||||
|
|
||||||
if (unveil("/usr/bin/doas", "rx") != 0)
|
if (unveil("/usr/bin/doas", "rx") != 0)
|
||||||
err(1, "unveil");
|
err(1, "unveil");
|
||||||
|
@ -25,30 +25,28 @@ int main(int argc, char *argv[]){
|
||||||
err(1, "pledge");
|
err(1, "pledge");
|
||||||
|
|
||||||
/* configuration */
|
/* configuration */
|
||||||
if (argc == 2) {
|
if (argc == 2)
|
||||||
if (strlen(argv[1]) > sizeof(table))
|
if (strlcpy(table, argv[1], TABLE_LEN) >= sizeof(table))
|
||||||
errx(1, "table name is too long");
|
errx(1, "table name is too long");
|
||||||
strlcpy(table, argv[1], TABLE_LEN);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* get socket structure */
|
/* get socket structure */
|
||||||
if(getpeername(STDIN_FILENO, (struct sockaddr *)&sock, &slen))
|
if (getpeername(STDIN_FILENO, (struct sockaddr *)&sock, &slen))
|
||||||
err(1, "getpeername");
|
err(1, "getpeername");
|
||||||
|
|
||||||
/* get ip */
|
/* get ip */
|
||||||
status = getnameinfo((struct sockaddr *)&sock, slen, ip, sizeof(ip),
|
status = getnameinfo((struct sockaddr *)&sock, slen, ip, sizeof(ip),
|
||||||
NULL, 0, NI_NUMERICHOST);
|
NULL, 0, NI_NUMERICHOST);
|
||||||
|
|
||||||
if(status != 0) {
|
if (status != 0) {
|
||||||
syslog(LOG_DAEMON, "getnameinfo error");
|
syslog(LOG_DAEMON, "getnameinfo error");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
syslog(LOG_DAEMON, "blocking %s", ip);
|
syslog(LOG_DAEMON, "blocking %s", ip);
|
||||||
switch(sock.ss_family) {
|
switch (sock.ss_family) {
|
||||||
case AF_INET: /* FALLTHROUGHT */
|
case AF_INET: /* FALLTHROUGH */
|
||||||
case AF_INET6:
|
case AF_INET6:
|
||||||
execlp("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
|
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
exit(2);
|
exit(2);
|
||||||
|
|
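Review bot: The `execl()` line in the second main.c hunk is followed only by `break;`, so when the exec fails (for example doas not present or not executable) main() silently continues past the switch instead of reporting the failure; since execl only returns on error, add `err(1, "execl");` directly after it. The same hunk's `syslog(LOG_DAEMON, ...)` calls on the `getnameinfo error` and `blocking %s` lines pass a facility where a priority is expected, which leaves the level bits at 0, i.e. LOG_EMERG; `syslog(LOG_DAEMON | LOG_INFO, "blocking %s", ip);` (and `LOG_DAEMON | LOG_ERR` for the error path) states the intended severity. main()'s body ends outside the hunk, so I cannot see whether anything after the switch handles the fall-through.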