Update blacklist-helper to not emit messages from pf during operation.
Use 'pfctl -k' when blocking a site to kill active tcp connections from the blocked address. Fix 'purge' operation for pf, which must dynamically determine which filters have been created, so the filters can be flushed by name. MFC after: 2 weeks
This commit is contained in:
parent
9c33cc93cd
commit
549f31e459
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=328861
|
@ -80,8 +80,8 @@ add)
|
||||||
echo "block in quick $proto from <port$6> to any $port" | \
|
echo "block in quick $proto from <port$6> to any $port" | \
|
||||||
/sbin/pfctl -a "$2/$6" -f -
|
/sbin/pfctl -a "$2/$6" -f -
|
||||||
# insert $ip/$mask into per-protocol/port anchored table
|
# insert $ip/$mask into per-protocol/port anchored table
|
||||||
/sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \
|
/sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
|
||||||
echo OK
|
/sbin/pfctl -q -k $addr && echo OK
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
;;
|
;;
|
||||||
|
@ -101,7 +101,7 @@ rem)
|
||||||
/sbin/npfctl rule "$2" rem-id "$7"
|
/sbin/npfctl rule "$2" rem-id "$7"
|
||||||
;;
|
;;
|
||||||
pf)
|
pf)
|
||||||
/sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
|
/sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
|
||||||
echo OK
|
echo OK
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
@ -118,7 +118,13 @@ flush)
|
||||||
/sbin/npfctl rule "$2" flush
|
/sbin/npfctl rule "$2" flush
|
||||||
;;
|
;;
|
||||||
pf)
|
pf)
|
||||||
/sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK
|
# dynamically determine which anchors exist
|
||||||
|
anchors=$(/sbin/pfctl -a $2 -s Anchors)
|
||||||
|
for anchor in $anchors; do
|
||||||
|
/sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush
|
||||||
|
/sbin/pfctl -a $anchor -F rules
|
||||||
|
done
|
||||||
|
echo OK
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
;;
|
;;
|
||||||
|
|
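Review bot: In the new flush loop under `pf)`, `echo OK` is printed unconditionally after the loop, so a failed `pfctl -T flush` or `-F rules` on any anchor still reports OK, whereas the line it replaces only echoed OK on success; the two `pfctl` calls inside the loop also lack the `-q` this commit adds to the add/rem hunks, so they still emit output to the caller, and `$2` / `$anchor` are unquoted where the rest of the script writes `"$2/$6"`. A rewrite that tracks a failure flag and gates `echo OK` on it is below (the `flush)` case arm begins before the hunk; `for anchor in $anchors` deliberately relies on word-splitting of the `-s Anchors` listing, which is safe only because anchor names are built from `$2/$6`). In the first hunk, `/sbin/pfctl -q -k $addr` kills states for the single host only; if `$mask` can denote a prefix rather than one host, `pfctl -k` also accepts a network, so `-k "$addr/$mask"` may be what is intended — worth confirming against the mask values the helper is actually called with.
```shell
pf)
	# dynamically determine which anchors exist
	anchors=$(/sbin/pfctl -a "$2" -s Anchors)
	rc=0
	for anchor in $anchors; do
		/sbin/pfctl -qa "$anchor" -t "port${anchor##*/}" -T flush || rc=1
		/sbin/pfctl -qa "$anchor" -F rules || rc=1
	done
	[ "$rc" -eq 0 ] && echo OK
	# … unchanged: ;; / esac …
```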