Merge pull request 'iblock: kill established connections after the ban' (#3) from fork into main

Reviewed-on: https://tildegit.org/solene/iblock/pulls/3
solene 2022-09-17 15:25:57 +00:00
commit 747a833df3
2 changed files with 13 additions and 2 deletions


@ -4,6 +4,7 @@ iblock is an inetd program adding the client IP to a Packet Filter table.
It is meant to be used to block scanner connecting on unused ports. It is meant to be used to block scanner connecting on unused ports.
Upon connection, the IP is added to a PF table and all established connections with this IP are killed. You need to use a PF bloking rule using the table.
# How to use # How to use

14
main.c

@ -5,6 +5,7 @@
#include <netdb.h> #include <netdb.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <syslog.h> #include <syslog.h>
#include <sys/wait.h>
#include <unistd.h> #include <unistd.h>
#include <sys/socket.h> #include <sys/socket.h>
@ -18,10 +19,11 @@ int main(int argc, char *argv[]){
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */ char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
char table[TABLE_LEN] = DEFAULT_TABLE; char table[TABLE_LEN] = DEFAULT_TABLE;
int status = 0; int status = 0;
pid_t id;
if (unveil("/usr/bin/doas", "rx") != 0) if (unveil("/usr/bin/doas", "rx") != 0)
err(1, "unveil"); err(1, "unveil");
if (pledge("exec inet stdio", NULL) != 0) if (pledge("exec inet proc stdio", NULL) != 0)
err(1, "pledge"); err(1, "pledge");
/* configuration */ /* configuration */
@ -46,7 +48,15 @@ int main(int argc, char *argv[]){
switch (sock.ss_family) { switch (sock.ss_family) {
case AF_INET: /* FALLTHROUGH */ case AF_INET: /* FALLTHROUGH */
case AF_INET6: case AF_INET6:
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL); id = fork();
// child process
if (id == 0) {
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
} else { // parent process
wait(NULL);
}
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-k", ip, NULL);
break; break;
default: default:
exit(2); exit(2);
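Review bot: The return value of `id = fork();` is never checked and the child has no exit after its execl, so when exec fails the child falls through the `} else {` block to the `-k` execl and then on to `break` and the rest of main as a second copy of the process, while a failed fork (id == -1) takes the parent branch, where wait(NULL) returns at once and the established states are killed although no table entry was added. The parent also discards pfctl's exit status, so the kill still runs when doas refused the add. I would check fork for -1, end the child with `err(1, "execl")` directly after its execl, and run the kill only when waitpid() reports a zero exit status, as sketched below (wstatus is a new local so the existing `status` variable is left alone). The final execl falling through to `break` on failure is pre-existing, but an `err(1, "execl")` after it closes that path as well.
```c
	case AF_INET6:
		id = fork();
		if (id == -1)
			err(1, "fork");
		if (id == 0) { /* child: add the address to the table */
			execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
			err(1, "execl"); /* only reached when exec failed */
		}
		/* parent: kill existing states only once the table entry is in place */
		int wstatus = 0;
		if (waitpid(id, &wstatus, 0) == -1)
			err(1, "waitpid");
		if (!WIFEXITED(wstatus) || WEXITSTATUS(wstatus) != 0)
			errx(1, "pfctl add failed for %s", ip);
		execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-k", ip, NULL);
		err(1, "execl");
		/* … unchanged: break, default: exit(2) … */
```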