From 1f21555152ae9bfc21d9fdf9472a8fb415a6ae91 Mon Sep 17 00:00:00 2001
From: Solene Rapenne
Date: Sat, 17 Sep 2022 16:52:03 +0200
Subject: [PATCH] iblock: kill established connections after the ban
---
 README.md | 1 +
 main.c | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index cb19422..8f022d3 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,7 @@
 iblock is an inetd program adding the client IP to a Packet Filter table.
 It is meant to be used to block scanner connecting on unused ports.
+Upon connection, the IP is added to a PF table and all established connections with this IP are killed.
 You need to use a PF bloking rule using the table.
 
 # How to use
diff --git a/main.c b/main.c
index 397d676..beda16f 100644
--- a/main.c
+++ b/main.c
@@ -5,6 +5,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 
@@ -18,10 +19,11 @@ int main(int argc, char *argv[]){
 char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
 char table[TABLE_LEN] = DEFAULT_TABLE;
 int status = 0;
+pid_t id;
 
 if (unveil("/usr/bin/doas", "rx") != 0)
 err(1, "unveil");
-if (pledge("exec inet stdio", NULL) != 0)
+if (pledge("exec inet proc stdio", NULL) != 0)
 err(1, "pledge");
 
 /* configuration */
@@ -46,7 +48,15 @@ int main(int argc, char *argv[]){
 switch (sock.ss_family) {
 case AF_INET: /* FALLTHROUGH */
 case AF_INET6:
-execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
+id = fork();
+
+// child process
+if (id == 0) {
+execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
+} else { // parent process
+wait(NULL);
+}
+execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-k", ip, NULL);
 break;
 default:
 exit(2);
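Review bot: In the last main.c hunk the `fork()` result is never checked, so on failure (`id == -1`) the parent takes the else branch, `wait(NULL)` returns at once, and the process goes on to exec `pfctl -k` for an address that was never added to the table; the child has the mirror problem, because if its `execl` fails it falls out of the `if`, runs the `-k` exec itself and then continues through the rest of `main` alongside the parent. `wait(NULL)` also discards the exit status of the `pfctl ... add`, so the state kill is attempted even when the ban was not installed. The rewrite below errors out on fork/exec failure and only proceeds to the kill when the child exited 0; it reuses the existing `int status`, which appears unused in the visible context but should be confirmed, and it needs `waitpid`/`WIFEXITED`/`WEXITSTATUS` from the same header the first main.c hunk adds for `wait()`. The enclosing `main` starts before this hunk and continues after it.
```c
		id = fork();
		if (id == -1)
			err(1, "fork");
		if (id == 0) {
			execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
			err(1, "execl"); /* only reached if execl failed; never let the child run on */
		}
		if (waitpid(id, &status, 0) == -1)
			err(1, "waitpid");
		if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
			errx(1, "pfctl add failed, not killing states");
		execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-k", ip, NULL);
		err(1, "execl");
		/* … unchanged: break; default: exit(2); … */
```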