#include <sys/socket.h>
#include <sys/wait.h>

#include <netinet/in.h>
#include <arpa/inet.h>

#include <err.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#define PORT "2507"		/* TCP port to listen on; every connection accepted here gets its source address banned */
#define BACKLOG 42		/* listen(2) queue length */
#define DEFAULT_TABLE "iblocked"	/* pf table the address is added to when none is given as argv[1] */

/* Return the in_addr / in6_addr member inside an AF_INET or AF_INET6 sockaddr (for inet_ntop(3)). */
static void *get_in_addr(struct sockaddr *);
/* fork(2) and execv(2) cmd with the NULL-terminated arg_list; the parent does not wait. */
static void runcmd(const char*, const char**);
/* SIGCHLD handler that reaps exited children; main() calls it once directly to install it. */
static void sigchld(int unused);
/* Print the usage line to stderr and exit(1). */
static void usage(void);
/*
 * Return a pointer to the address member of a sockaddr so that it can be
 * handed to inet_ntop(3): sin_addr for AF_INET, sin6_addr for anything
 * else (the caller only ever passes AF_INET or AF_INET6).
 */
static void *get_in_addr(struct sockaddr *sa)
{
	void *addr;

	switch (sa->sa_family) {
	case AF_INET:
		addr = &((struct sockaddr_in *)sa)->sin_addr;
		break;
	default:
		addr = &((struct sockaddr_in6 *)sa)->sin6_addr;
		break;
	}
	return addr;
}
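/*
 * Run cmd with the NULL-terminated argument vector arg_list in a child
 * process. The parent returns immediately without waiting; the child is
 * collected later by the SIGCHLD handler that main() installs. A fork(2)
 * failure terminates the caller via err(3). If execv(2) fails, the child
 * logs why and leaves with _exit(2): exit(3) in a forked child would run
 * the parent's atexit handlers and flush the parent's stdio buffers a
 * second time.
 */
static void runcmd(const char *cmd, const char **arg_list)
{
	pid_t pid = fork();

	if (pid == -1) {
		/*
		 * LOG_DAEMON on its own is facility|LOG_EMERG; give the
		 * message a real level so it is not broadcast as an emergency.
		 */
		syslog(LOG_DAEMON | LOG_ERR, "fork: %m");
		err(1, "fork");
	}
	if (pid == 0) { /* child */
		execv(cmd, (char **)arg_list);
		/* only reached when exec failed */
		syslog(LOG_DAEMON | LOG_ERR, "execv %s: %m", cmd);
		warn("execv %s", cmd);
		_exit(1);
	}
	/* parent: nothing to do, the child runs concurrently */
}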
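/*
 * SIGCHLD handler: reap every exited child without blocking, so the
 * per-connection forks never pile up as zombies. main() calls sigchld(0)
 * once to install the handler, and each delivery re-installs it with
 * signal(3) the same way. errno is saved and restored because waitpid(2)
 * sets it (ECHILD once nothing is left) and the handler may interrupt code
 * that is about to inspect errno, such as the accept(2) loop.
 */
static void sigchld(int unused)
{
	int saved_errno = errno;

	(void)unused;
	/* err(3) is not async-signal-safe, but this path only runs if signal(3) itself fails */
	if (signal(SIGCHLD, sigchld) == SIG_ERR)
		err(1, "can't install SIGCHLD handler:");
	/* -1 (WAIT_ANY) matches any child; WNOHANG keeps the handler from blocking */
	while (waitpid(-1, NULL, WNOHANG) > 0)
		;
	errno = saved_errno;
}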
/* Print the one-line synopsis to stderr and exit with status 1; never returns. */
static void usage(void)
{
	const char *prog = getprogname();

	(void)fprintf(stderr, "usage: %s [table]\n", prog);
	exit(1);
}
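/*
 * Entry point. Listen on TCP port PORT on the first address getaddrinfo(3)
 * returns and, for every client that connects: close the connection, then
 * fork a child that adds the client address to the pf table (argv[1], or
 * DEFAULT_TABLE) with `doas pfctl -t table -T add ip` and kills its pf
 * states with `doas pfctl -k ip`. Nothing legitimate talks to this port, so
 * connecting at all is what gets an address banned. The accept loop never
 * ends; every failure exits through err(3)/errx(3).
 */
int
main(int argc, char *argv[])
{
	char ip[INET6_ADDRSTRLEN] = {'\0'};
	const char *table = DEFAULT_TABLE;
	int sockfd = 0;
	int new_fd = 0;
	int retval = 0;
	int yes = 1;
	socklen_t sin_size = 0;
	struct addrinfo hints, *servinfo, *p;
	struct sockaddr_storage client_addr;

	if (unveil("/usr/bin/doas", "rx") != 0)
		err(1, "unveil");
	if (pledge("stdio inet exec proc rpath", NULL) != 0)
		err(1, "pledge");

	if (argc > 2)
		usage();
	else if (argc == 2)
		table = argv[1];

	/*
	 * Build the argument vectors only after the table name is final: an
	 * initializer copies the value of `table` at that moment, so building
	 * bancmd before argv is parsed would silently pin it to DEFAULT_TABLE.
	 * `ip` is a buffer, so later writes to it are seen by both vectors.
	 */
	const char *bancmd[] = { "/usr/bin/doas", "-n",
	    "/sbin/pfctl", "-t", table,
	    "-T", "add", ip,
	    NULL };
	const char *killstatecmd[] = { "/usr/bin/doas", "-n",
	    "/sbin/pfctl",
	    "-k", ip,
	    NULL };

	/* initialize structures */
	memset(&client_addr, 0, sizeof(client_addr));
	memset(&hints, 0, sizeof(hints));

	/* set hints for socket */
	hints.ai_family = AF_UNSPEC; /* ip4 or ip6 */
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_PASSIVE;

	if ((retval = getaddrinfo(NULL, PORT, &hints, &servinfo)) != 0) {
		/* LOG_DAEMON alone is facility|LOG_EMERG; always OR in a level */
		syslog(LOG_DAEMON | LOG_ERR, "getaddrinfo failed: %s", gai_strerror(retval));
		/* errx: getaddrinfo(3) does not set errno, so err(3) would print a stale one */
		errx(1, "getaddrinfo :%s", gai_strerror(retval));
	}

	/* get a socket and bind: the first address that works wins */
	for (p = servinfo; p != NULL; p = p->ai_next) {
		sockfd = socket(p->ai_family, p->ai_socktype, p->ai_protocol);
		if (sockfd == -1)
			continue;
		/*
		 * We close every accepted connection ourselves, so the server
		 * side owns the TIME_WAIT entries; without SO_REUSEADDR a
		 * restart inside that window fails with EADDRINUSE.
		 */
		if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes,
		    sizeof(yes)) == -1) {
			close(sockfd);
			continue;
		}
		if (bind(sockfd, p->ai_addr, p->ai_addrlen) == -1) {
			close(sockfd);
			continue;
		}
		break;
	}
	freeaddrinfo(servinfo);

	if (p == NULL) {
		syslog(LOG_DAEMON | LOG_ERR, "Failed to bind");
		err(1, "Failed to bind");
	}

	if (listen(sockfd, BACKLOG) == -1) {
		syslog(LOG_DAEMON | LOG_ERR, "listen failed");
		err(1, "listen");
	}

	sigchld(0); /* install the SIGCHLD reaper; exits via err(3) on failure */

	syslog(LOG_DAEMON | LOG_INFO, "ready to reap on port %s, muhahaha :>", PORT);

	while (1) {
		sin_size = sizeof(client_addr);
		new_fd = accept(sockfd, (struct sockaddr *)&client_addr,
		    &sin_size);
		if (new_fd == -1)
			continue; /* transient error or interrupted: try again */

		close(new_fd); /* the connection itself is never used */

		/*
		 * Render the client address for pfctl. On failure skip this
		 * client instead of acting on whatever ip still holds from the
		 * previous one.
		 */
		if (inet_ntop(client_addr.ss_family,
		    get_in_addr((struct sockaddr *)&client_addr),
		    ip, sizeof(ip)) == NULL) {
			syslog(LOG_DAEMON | LOG_WARNING, "inet_ntop: %m");
			continue;
		}

		pid_t id = fork();
		if (id == -1) {
			syslog(LOG_DAEMON | LOG_ERR, "fork error");
			err(1, "fork");
		} else if (id == 0) { /* child process */
			/* runcmd() returns without waiting, so both pfctl runs proceed concurrently */
			syslog(LOG_DAEMON | LOG_INFO, "blocking %s", ip);
			runcmd(bancmd[0], bancmd);
			syslog(LOG_DAEMON | LOG_INFO, "kill states for %s", ip);
			runcmd(killstatecmd[0], killstatecmd);
			close(sockfd);
			exit(0);
		}
	}
	close(sockfd);
	return 0;
}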