iblock/main.c

66 lines
1.5 KiB
C
Raw Permalink Normal View History

2021-02-26 00:10:12 +01:00
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
2021-02-26 00:10:12 +01:00
#include <netdb.h>
#include <netinet/in.h>
2021-02-28 10:54:36 +01:00
#include <syslog.h>
#include <sys/wait.h>
#include <unistd.h>
2021-02-26 00:10:12 +01:00
#include <sys/socket.h>
2022-08-22 14:50:40 +02:00
#define DEFAULT_TABLE "iblocked"
2022-08-22 14:50:27 +02:00
#define TABLE_LEN 32 /* see PF_TABLE_NAME_SIZE in net/pfvar.h */
int main(int argc, char *argv[]){
struct sockaddr_storage sock = {0};
socklen_t slen = sizeof(sock);
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
char table[TABLE_LEN] = DEFAULT_TABLE;
int status = 0;
pid_t id;
if (unveil("/usr/bin/doas", "rx") != 0)
err(1, "unveil");
if (pledge("exec inet proc stdio", NULL) != 0)
err(1, "pledge");
/* configuration */
2022-08-22 14:55:45 +02:00
if (argc == 2)
if (strlcpy(table, argv[1], TABLE_LEN) >= sizeof(table))
errx(1, "table name is too long");
2021-02-26 00:10:12 +01:00
/* get socket structure */
2022-08-22 14:56:21 +02:00
if (getpeername(STDIN_FILENO, (struct sockaddr *)&sock, &slen))
err(1, "getpeername");
/* get ip */
status = getnameinfo((struct sockaddr *)&sock, slen, ip, sizeof(ip),
NULL, 0, NI_NUMERICHOST);
2022-08-22 14:56:21 +02:00
if (status != 0) {
syslog(LOG_DAEMON, "getnameinfo error");
exit(1);
}
syslog(LOG_DAEMON, "blocking %s", ip);
2022-08-22 14:56:21 +02:00
switch (sock.ss_family) {
2022-08-22 14:56:35 +02:00
case AF_INET: /* FALLTHROUGH */
case AF_INET6:
id = fork();
// child process
if (id == 0) {
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
} else { // parent process
wait(NULL);
}
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-k", ip, NULL);
break;
default:
exit(2);
}
2021-02-26 00:10:12 +01:00
}