diff options
| author | James Meyer <james.meyer@operamail.com> | 2009-03-06 22:04:22 (GMT) |
|---|---|---|
| committer | James Meyer <james.meyer@operamail.com> | 2009-03-06 22:04:22 (GMT) |
| commit | 745ebc4d0b581a1e891a56b8b21c19b3bbd40c5e (patch) | |
| tree | 690c9baaf6f938da0b9203708a649bca5e980e96 | |
| parent | 0d8d8e073d7118d67fd8c3bdaf7be00c76df317a (diff) | |
| download | linhes_pkgbuild-745ebc4d0b581a1e891a56b8b21c19b3bbd40c5e.zip linhes_pkgbuild-745ebc4d0b581a1e891a56b8b21c19b3bbd40c5e.tar.gz linhes_pkgbuild-745ebc4d0b581a1e891a56b8b21c19b3bbd40c5e.tar.bz2 | |
Added moblock
| -rw-r--r-- | abs/extra-testing/community/moblock/MoBlock-nfq.sh.patch | 53 | ||||
| -rwxr-xr-x | abs/extra-testing/community/moblock/PKGBUILD | 56 | ||||
| -rw-r--r-- | abs/extra-testing/community/moblock/config | 30 | ||||
| -rwxr-xr-x | abs/extra-testing/community/moblock/moblock | 70 | ||||
| -rwxr-xr-x | abs/extra-testing/community/moblock/moblock-update | 174 | ||||
| -rw-r--r-- | abs/extra-testing/community/moblock/moblock.install | 26 | ||||
| -rw-r--r-- | abs/extra-testing/community/moblock/moblock.logrotate | 11 | ||||
| -rw-r--r-- | abs/extra-testing/community/moblock/moblock_0.9_rc2.patch | 912 | ||||
| -rw-r--r-- | abs/extra-testing/community/moblock/moblock_include.patch | 10 | ||||
| -rw-r--r-- | abs/extra-testing/community/moblockcontrol/PKGBUILD | 38 | ||||
| -rw-r--r-- | abs/extra-testing/community/moblockcontrol/moblock_control.patch | 11 |
11 files changed, 1391 insertions, 0 deletions
diff --git a/abs/extra-testing/community/moblock/MoBlock-nfq.sh.patch b/abs/extra-testing/community/moblock/MoBlock-nfq.sh.patch new file mode 100644 index 0000000..15e742f --- /dev/null +++ b/abs/extra-testing/community/moblock/MoBlock-nfq.sh.patch @@ -0,0 +1,53 @@ +--- MoBlock-0.8/MoBlock-nfq.sh.orig 2008-11-30 03:44:02.000000000 -0500 ++++ MoBlock-0.8/MoBlock-nfq.sh 2008-12-01 18:56:15.000000000 -0500 +@@ -3,14 +3,10 @@ + # MoBlock.sh - MoBlock start script + # --------------------------------- + +-ACTIVATE_CHAINS=1 +-WHITE_TCP_IN="" +-WHITE_UDP_IN="" +-WHITE_TCP_OUT="" +-WHITE_UDP_OUT="" +-WHITE_TCP_FORWARD="" +-WHITE_UDP_FORWARD="" ++# Some configuration options have been moved to an external conf file ++# This should make maintenance and upgrading easier + ++. /etc/moblock/config + + PIDF=/var/run/moblock.pid + +@@ -78,6 +74,17 @@ + iptables -I MOBLOCK_FW -p udp --dport $PORT -j ACCEPT + done + ++# For added IP whitelisting support ++ ++for IP in $WHITE_IP_OUT; do ++ iptables -I MOBLOCK_OUT -p all -m iprange --dst-range $IP -j ACCEPT ++done ++for IP in $WHITE_IP_IN; do ++ iptables -I MOBLOCK_IN -p all -m iprange --dst-range $IP -j ACCEPT ++done ++for IP in $WHITE_IP_FW; do ++ iptables -I MOBLOCK_FW -p all -m iprange --dst-range $IP -j ACCEPT ++done + + # Loopback traffic fix + +@@ -85,7 +92,8 @@ + iptables -I OUTPUT -p all -o lo -j ACCEPT + + # Here you can change block list and log files +-./moblock -p /etc/guarding.p2p ./moblock.log ++#./moblock -p /etc/guarding.p2p ./moblock.log ++/usr/bin/moblock -p /etc/moblock/banned.list /var/log/moblock.log >/dev/null 2>&1 + + # On exit delete the rules we added + +@@ -108,3 +116,4 @@ + if [ -f $PIDF ]; then + rm $PIDF; + fi ++ diff --git a/abs/extra-testing/community/moblock/PKGBUILD b/abs/extra-testing/community/moblock/PKGBUILD new file mode 100755 index 0000000..283eb8c --- /dev/null +++ b/abs/extra-testing/community/moblock/PKGBUILD @@ -0,0 +1,56 @@ +# Contributor: Kevin Edmonds <edmondskevin@hotmail.com> +# Maintainer: Filip Wojciechowski, filip at loka dot pl + +pkgname=moblock +pkgver=0.9rc2 +pkgrel=7 +pkgdesc="Console application that blocks connections from/to hosts listed in a file in peerguardian format" +arch=('i686' 'x86_64') +url="http://moblock.berlios.de/" +license=('GPL') +depends=(libnetfilter_queue iptables) +backup=(etc/moblock/config) +install=moblock.install +source=(http://download.berlios.de/moblock/MoBlock-0.8-i586.tar.bz2 \ + moblock_0.9_rc2.patch \ + MoBlock-nfq.sh.patch \ + moblock_include.patch \ + config \ + moblock-update \ + moblock \ + moblock.logrotate) +md5sums=('199967adb48b153be90db10fe21325c5' + 'e4e33c515677fa53eaca4616591d4e44' + '1193adccce219d31a7c0540807a4a8e8' + 'b23b5214965df59632de5cec317ddbde' + '840bb52a99529305e49212a69c9ced8a' + '49a16feb221d4d912cc7200313517f7b' + '1bdc949fcff0ce751a5096e489061513' + 'a8285fd3e68043cd8d21993d3dbbf9d4') + +build() { + cd $startdir/src/MoBlock-0.8 + + # patch to update moblock to the latest cvs version + patch -Np1 -i ../moblock_0.9_rc2.patch || return 1 + # add IP whitelisting and move configs to a separate conf file + patch -Np1 -i ../MoBlock-nfq.sh.patch || return 1 + # necessary to make moblock build with recent kernels + patch -Np1 -i ../moblock_include.patch || return 1 + + # change the CFLAGS for both i686 and x84_64 builds + sed -i "s#-Wall -O.*-ffast-math#$CFLAGS#g" Makefile + + # build + make || return 1 + + #move the files + install -D -m 755 ./MoBlock-nfq.sh $startdir/pkg/usr/bin/moblock-nfq || return 1 + install -D -m 744 ./moblock $startdir/pkg/usr/bin/moblock || return 1 + install -D -m 755 ../moblock-update $startdir/pkg/usr/bin/moblock-update || return 1 + install -D -m 744 ../moblock $startdir/pkg/etc/rc.d/moblock || return 1 + install -D -m 644 ../config $startdir/pkg/etc/moblock/config || return 1 + install -D -m 644 ../moblock.logrotate $startdir/pkg/etc/logrotate.d/moblock || return 1 +} + + diff --git a/abs/extra-testing/community/moblock/config b/abs/extra-testing/community/moblock/config new file mode 100644 index 0000000..7d7c287 --- /dev/null +++ b/abs/extra-testing/community/moblock/config @@ -0,0 +1,30 @@ +# Original MoBlock configuration options from MoBlock-nfq.sh file +ACTIVATE_CHAINS=1 +WHITE_TCP_IN="" +WHITE_UDP_IN="" +WHITE_TCP_OUT="" # Add "http https" here to prevent moblock from blocking webpages +WHITE_UDP_OUT="" +WHITE_TCP_FORWARD="" +WHITE_UDP_FORWARD="" + +# Added IP whitelisting support +WHITE_IP_IN="" +WHITE_IP_OUT="" +WHITE_IP_FW="" + +# Individual lists can be disabled by prefixing them with '!' +# Bluetack blacklists (http://www.bluetack.co.uk) +BLUETACK=(level1 level2 !level3 !edu ads-trackers-and-bad-pr0n bogon spyware spider Microsoft !proxy hijacked templist !rangetest dshield) + +# blocklist.org lists (currently doesn't work) +#BLOCKLIST=(p2p gov spy ads edu) + +# backup lists (might be outdated) +#PHOENIXLABS=(!p2b.p2b edu.txt spider.txt spyware.txt level1.txt !level2.txt !level3.txt) + +# Change to 'yes' if you want to backup up the old list before writing +# a new one. Only one backup copy will be kept. +BACKUP_OLD_LIST="no" + +# Options passed to wget +WGET_OPTS="-q" diff --git a/abs/extra-testing/community/moblock/moblock b/abs/extra-testing/community/moblock/moblock new file mode 100755 index 0000000..d88bd2e --- /dev/null +++ b/abs/extra-testing/community/moblock/moblock @@ -0,0 +1,70 @@ +#!/bin/bash + +. /etc/rc.conf +. /etc/rc.d/functions + +case "$1" in + start) + stat_busy "Starting MoBlock" + if [ ! -f /var/run/moblock.pid ] + then + /usr/bin/moblock-nfq & + if [ $? -gt 0 ] + then + stat_fail + else + add_daemon moblock + stat_done + fi + else + stat_fail + fi + ;; + update) + stat_busy "Updating MoBlock block list..." + error=0 + /usr/bin/moblock-update || error=1 + stat_busy "Updating MoBlock block list" + if [ $error -eq 1 ]; then + stat_fail + else + stat_done + fi + ;; + stats) + stat_busy "Logging stats to /var/log/MoBlock.stats" + PID=`cat /var/run/moblock.pid 2>/dev/null` + if [ ! -z "$PID" ]; then + /bin/kill -USR2 $PID + if [ $? -gt 0 ]; then + stat_fail + else + stat_done + fi + else + stat_fail + fi + ;; + stop) + stat_busy "Stopping MoBlock" + PID=`cat /var/run/moblock.pid 2>/dev/null` + if [ ! -z "$PID" ]; then + /bin/kill $PID + if [ $? -gt 0 ]; then + stat_fail + else + rm_daemon moblock + stat_done + fi + else + stat_fail + fi + ;; + restart) + $0 stop + sleep 2 + $0 start + ;; + *) + echo "usage: $0 {start|stop|restart|update|stats}" +esac diff --git a/abs/extra-testing/community/moblock/moblock-update b/abs/extra-testing/community/moblock/moblock-update new file mode 100755 index 0000000..aae861d --- /dev/null +++ b/abs/extra-testing/community/moblock/moblock-update @@ -0,0 +1,174 @@ +#!/bin/bash + +. /etc/moblock/config + +CONF_DIR=/etc/moblock +TEMP_DIR=$(/usr/bin/mktemp -t -d moblock-updateXXXXXXXX) +LIST_FILE=banned.list + +USECOLOR="no" +. /etc/rc.d/functions +PREFIX_REG=" >" +PREFIX_HL="::" + +function extract() +{ + /usr/bin/find $TEMP_DIR -type f -name '*.gz' -o -name '*.zip' |\ + while read N + do + case "$N" in + *.zip) /usr/bin/unzip -oqq "$N" 2>/dev/null + if [ $? -gt 0 ]; then + rm -f "$N" + return 1 + else + rm -f "$N" + fi + ;; + *.gz) /bin/gunzip -f "$N" 2>/dev/null + if [ $? -gt 0 ]; then + rm -f "$N" + return 1 + fi + ;; + *) continue + ;; + esac + done + return 0 +} + +cd $TEMP_DIR + +printf "${C_SEPARATOR} ------------------------------\n" +printhl "Downloading and extracting files:\n" + +# Bluetack lists (with fallback) +for i in ${BLUETACK[@]} +do + if [ $(echo $i | /bin/grep '^[^\!]' | /usr/bin/wc -l) -eq 1 ]; then + stat_busy "BLUETACK '${i}'... " + /usr/bin/wget ${WGET_OPTS} "http://www.bluetack.co.uk/config/${i}.gz" && extract + if [ $? -gt 0 ] || [ ! -f ${i} ]; then + stat_fail + bfile=$i + if [ "$bfile" = "ads-trackers-and-bad-pr0n" ]; then + bfile="ads" + elif [ "$bfile" = "Microsoft" ];then + bfile="microsoft" + fi + stat_busy "[!!] BLUETACK '${i}' (fallback link)... " + /usr/bin/wget ${WGET_OPTS} "http://list.iblocklist.com/?list=bt_${bfile%%-*}" -O "${i}.gz" && extract + if [ $? -gt 0 ]; then + stat_fail + else + stat_done + fi + else + stat_done + fi + fi +done + +# Blocklist lists +for i in ${BLOCKLIST[@]} +do + if [ $(echo $i | /bin/grep '^[^\!]' | /usr/bin/wc -l) -eq 1 ]; then + stat_busy "BLOCKLIST '${i}'... " + /usr/bin/wget ${WGET_OPTS} "blocklist.org/${i}.p2b.gz" && extract + if [ $? -gt 0 ]; then + stat_fail + else + stat_done + fi + fi +done + +# Old phoenixlabs.org lists +for i in ${PHOENIXLABS[@]} +do + if [ $(echo $i | /bin/grep '^[^\!]' | /usr/bin/wc -l) -eq 1 ]; then + stat_busy "PHOENIXLABS '${i}'... " + /usr/bin/wget ${WGET_OPTS} "fox.phoenixlabs.org/${i}" && extract + if [ $? -gt 0 ]; then + stat_fail + else + stat_done + fi + fi +done + +if [ $(/bin/cat "$TEMP_DIR"/* | /usr/bin/wc -l) -eq 0 ]; then + printf "\n" + printhl "ERROR: No files were downloaded" + printf "${C_SEPARATOR} ------------------------------\n" + exit 1 +fi + +# Check files +printsep +printhl "Checking integrity of downloaded files:\n" + +/usr/bin/find -type f | while read N +do + stat_busy "File '$(echo $N | /bin/awk -F/ '{print $NF}')'... " + scan1=$(/bin/cat "$N" | /usr/bin/wc -l) + scan2=$(/bin/egrep -o ":[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*-[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" "$N" | /usr/bin/wc -l) + if [ $scan1 -eq $scan2 ]; then + stat_done + else + if [ $scan2 -gt 0 ]; then + if [ $scan1 -gt $scan2 ]; then + stat_append "$(($scan1-$scan2)) of $scan1 entries failed validation; keeping the file" + stat_done + fi + else + stat_fail + stat_busy "[!!] Removing corrupted file... " + rm "$N" 2>/dev/null + if [ $? -gt 0 ]; then + stat_fail + exit 1 + else + stat_done + fi + fi + fi +done + +printsep +printhl "Saving the list:\n" + +# Make backup +if [ "$BACKUP_OLD_LIST" = "yes" ] && [ -f "$CONF_DIR"/"$LIST_FILE" ]; then + stat_busy "Backing up old list to '$CONF_DIR/$LIST_FILE.gz'... " + /bin/gzip -f "$CONF_DIR"/"$LIST_FILE" 2>/dev/null + if [ $? -gt 0 ]; then + stat_fail + else + stat_done + fi +fi + +# Save the list +stat_busy "Saving new list to '$CONF_DIR/$LIST_FILE'... " +/bin/cat "$TEMP_DIR"/* > "$CONF_DIR"/"$LIST_FILE" 2>&1 +if [ $? -gt 0 ]; then + stat_fail + exit 1 +else + stat_done + printf "\n" + printhl "Saved `cat "$CONF_DIR"/"$LIST_FILE" | wc -l` ranges" + printf "${C_SEPARATOR} ------------------------------\n" +fi + +rm -rf "$TEMP_DIR" + +# Restart MoBlock +if [ -f /var/run/moblock.pid ]; then + /bin/kill -HUP `cat /var/run/moblock.pid` >/dev/null 2>&1 +fi + +exit 0 + diff --git a/abs/extra-testing/community/moblock/moblock.install b/abs/extra-testing/community/moblock/moblock.install new file mode 100644 index 0000000..6afe1d5 --- /dev/null +++ b/abs/extra-testing/community/moblock/moblock.install @@ -0,0 +1,26 @@ +post_install() { + #clean up after an old hack + if [ -h /usr/lib/libnfnetlink.so.1 ]; then + rm /usr/lib/libnfnetlink.so.1 + fi + echo "" + echo ">>> moblock-update script no longer uses /var/spool/moblock" + echo ">>> as a temporary directory. You can safely delete it." + echo "" +} + +post_upgrade() { + #clean up after an old hack + if [ -h /usr/lib/libnfnetlink.so.1 ]; then + rm /usr/lib/libnfnetlink.so.1 + fi + echo "" + echo ">>> moblock-update script no longer uses /var/spool/moblock" + echo ">>> as a temporary directory. You can safely delete it." + echo "" +} + +op=$1 +shift +$op $* + diff --git a/abs/extra-testing/community/moblock/moblock.logrotate b/abs/extra-testing/community/moblock/moblock.logrotate new file mode 100644 index 0000000..6ed64bb --- /dev/null +++ b/abs/extra-testing/community/moblock/moblock.logrotate @@ -0,0 +1,11 @@ +"/var/log/moblock.log" /var/log/MoBlock.stats { + daily + missingok + notifempty + sharedscripts + postrotate + /usr/bin/test -f /var/run/moblock.pid && /bin/kill -HUP `cat /var/run/moblock.pid 2>/dev/null` 2>/dev/null || exit 0 + endscript + compress +} + diff --git a/abs/extra-testing/community/moblock/moblock_0.9_rc2.patch b/abs/extra-testing/community/moblock/moblock_0.9_rc2.patch new file mode 100644 index 0000000..69994ff --- /dev/null +++ b/abs/extra-testing/community/moblock/moblock_0.9_rc2.patch @@ -0,0 +1,912 @@ +diff -Naur MoBlock-0.8_orig/Changelog MoBlock-0.8/Changelog +--- MoBlock-0.8_orig/Changelog 2006-03-22 12:44:31.000000000 -0500 ++++ MoBlock-0.8/Changelog 2008-02-10 11:56:08.000000000 -0500 +@@ -4,6 +4,23 @@ + + --- + ++0.9: - fix for kernel 2.6.23 ++ - support for MARKing packets instead of DROPping or ++ ACCEPTing ++ - example start script that REJECTs packets instead of ++ DROPping. ++ - Integrated a patch from David Walluck for proper loading ++ of p2b files (version 2) ++ - command line options for logging to syslog, stdout ++ and log timestamping ++ - fixed loading pg1 lists with comments (lines starting ++ with '#') ++ - fixed a bug in ranges merge ++ - applied patch 2223 by badfish99: "IPs logged with bytes ++ reversed on big-endian m/c" ++ ++--- ++ + 0.8: - support for NFQUEUE-ing from iptables FORWARD chain (thx to + hyakki for suggestions and testing!) + - included patches from Maximilian Mehnert to support log file +diff -Naur MoBlock-0.8_orig/Makefile MoBlock-0.8/Makefile +--- MoBlock-0.8_orig/Makefile 2006-03-22 12:44:31.000000000 -0500 ++++ MoBlock-0.8/Makefile 2007-11-22 08:10:44.000000000 -0500 +@@ -1,4 +1,3 @@ +- + # To use the old-soon-to-be-deprecated libipq interface + # uncomment the following line and comment the NFQUEUE one, + # then comment the gcc line with netfilter_queue and +@@ -7,7 +6,7 @@ + #QUEUE_LIB=LIBIPQ + QUEUE_LIB=NFQUEUE + +-CFLAGS=-Wall -O2 -march=i586 -mtune=i686 -fomit-frame-pointer -ffast-math \ ++CFLAGS=-Wall -O3 -march=i586 -mtune=i686 -fomit-frame-pointer -ffast-math \ + -D_GNU_SOURCE -D$(QUEUE_LIB) -L/usr/include/libipq + CC=gcc + +diff -Naur MoBlock-0.8_orig/MoBlock-nfq-reject.sh MoBlock-0.8/MoBlock-nfq-reject.sh +--- MoBlock-0.8_orig/MoBlock-nfq-reject.sh 1969-12-31 19:00:00.000000000 -0500 ++++ MoBlock-0.8/MoBlock-nfq-reject.sh 2007-11-22 08:10:44.000000000 -0500 +@@ -0,0 +1,104 @@ ++#!/bin/sh ++# ++# MoBlock.sh - MoBlock start script ++# --------------------------------- ++ ++ACTIVATE_CHAINS=1 ++WHITE_TCP_IN="" ++WHITE_UDP_IN="" ++WHITE_TCP_OUT="" ++WHITE_UDP_OUT="" ++WHITE_TCP_FORWARD="" ++WHITE_UDP_FORWARD="" ++REJECT_MARK="10" ++ ++PIDF=/var/run/moblock.pid ++ ++FNAME=`basename $0 .sh` ++MODE=`echo $FNAME|awk -F- '{print $2}'` ++ ++if [ -f $PIDF ]; then ++ PID=`cat $PIDF` ++ if [ `ps -p $PID|wc -l` -gt 1 ]; then ++ echo "$0: $PIDF exists and processs seems to be running. Exiting." ++ exit 1; ++ fi; ++fi; ++ ++if [ $MODE == "ipq" ]; then ++ modprobe ip_queue ++ TARGET="QUEUE" ++elif [ $MODE == "nfq" ]; then ++ modprobe ipt_NFQUEUE ++ TARGET="NFQUEUE" ++fi; ++ ++modprobe ipt_state ++ ++# Filter all traffic, edit for your needs ++ ++iptables -N MOBLOCK_IN ++iptables -N MOBLOCK_OUT ++iptables -N MOBLOCK_FW ++ ++if [ $ACTIVATE_CHAINS -eq 1 ]; then ++ iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN ++ iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT ++ iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW ++fi; ++ ++ ++iptables -I MOBLOCK_IN -p all -j $TARGET ++ ++iptables -I MOBLOCK_OUT -p all -j $TARGET ++ ++iptables -I MOBLOCK_FW -p all -j $TARGET ++ ++for PORT in $WHITE_TCP_OUT; do ++ iptables -I MOBLOCK_OUT -p tcp --dport $PORT -j ACCEPT ++done ++for PORT in $WHITE_UDP_OUT; do ++ iptables -I MOBLOCK_OUT -p udp --dport $PORT -j ACCEPT ++done ++ ++for PORT in $WHITE_TCP_IN; do ++ iptables -I MOBLOCK_IN -p tcp --dport $PORT -j ACCEPT ++done ++for PORT in $WHITE_UDP_IN; do ++ iptables -I MOBLOCK_IN -p udp --dport $PORT -j ACCEPT ++done ++ ++for PORT in $WHITE_TCP_FORWARD; do ++ iptables -I MOBLOCK_FW -p tcp --dport $PORT -j ACCEPT ++done ++for PORT in $WHITE_UDP_FORWARD; do ++ iptables -I MOBLOCK_FW -p udp --dport $PORT -j ACCEPT ++done ++ ++iptables -I OUTPUT -p all -m state --state NEW -m mark --mark $REJECT_MARK -j REJECT ++iptables -I FORWARD -p all -m state --state NEW -m mark --mark $REJECT_MARK -j REJECT ++ ++# Here you can change block list and log files ++./moblock -d /etc/ipfilter.dat -t -s -r $REJECT_MARK ./moblock.log ++ ++# On exit delete the rules we added ++ ++if [ $ACTIVATE_CHAINS -eq 1 ]; then ++ iptables -D INPUT -p all -m state --state NEW -j MOBLOCK_IN ++ iptables -D OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT ++ iptables -D FORWARD -p all -m state --state NEW -j MOBLOCK_FW ++fi; ++ ++iptables -D OUTPUT -p all -m state --state NEW -m mark --mark $REJECT_MARK -j REJECT ++iptables -D FORWARD -p all -m state --state NEW -m mark --mark $REJECT_MARK -j REJECT ++ ++iptables -F MOBLOCK_IN ++iptables -X MOBLOCK_IN ++iptables -F MOBLOCK_OUT ++iptables -X MOBLOCK_OUT ++iptables -F MOBLOCK_FW ++iptables -X MOBLOCK_FW ++ ++if [ -f $PIDF ]; then ++ rm $PIDF; ++fi +diff -Naur MoBlock-0.8_orig/MoBlock.c MoBlock-0.8/MoBlock.c +--- MoBlock-0.8_orig/MoBlock.c 2006-03-22 12:44:31.000000000 -0500 ++++ MoBlock-0.8/MoBlock.c 2008-02-10 11:56:08.000000000 -0500 +@@ -35,6 +35,8 @@ + #include <linux/netfilter_ipv4.h>
+ #include <signal.h>
+ #include <regex.h>
++#include <time.h>
++#include <syslog.h>
+
+ // in Makefile define LIBIPQ to use soon-to-be-deprecated ip_queue,
+ // NFQUEUE for ipt_NFQUEUE (from kernel 2.6.14)
+@@ -46,7 +48,7 @@ + #include <libnetfilter_queue/libnetfilter_queue.h>
+ #endif
+
+-#define MB_VERSION "0.8"
++#define MB_VERSION "0.9rc2"
+
+ #define BUFSIZE 2048
+ #define PAYLOADSIZE 21
+@@ -58,6 +60,9 @@ + #define SRC_ADDR(payload) (*(in_addr_t *)((payload)+12))
+ #define DST_ADDR(payload) (*(in_addr_t *)((payload)+16))
+
++#define likely(x) __builtin_expect((x),1)
++#define unlikely(x) __builtin_expect((x),0)
++
+ // rbt datatypes/functions
+
+ typedef enum {
+@@ -96,7 +101,8 @@ + char filename[100];
+ } blocklist_info;
+
+-int merged_ranges=0, skipped_ranges=0;
++u_int32_t merged_ranges=0, skipped_ranges=0, accept_mark=0, reject_mark=0;
++u_int8_t log2syslog=0, log2file=0, log2stdout=0, timestamp=0;
+
+ #ifdef LIBIPQ
+ static void die(struct ipq_handle *h)
+@@ -112,11 +118,13 @@ + static char buf[2][ sizeof("aaa.bbb.ccc.ddd") ];
+ static short int index=0;
+
++ ip = ntohl(ip);
++
+ sprintf(buf[index],"%d.%d.%d.%d",
+- (ip) & 0xff,
+- (ip >> 8) & 0xff,
++ (ip >> 24) & 0xff,
+ (ip >> 16) & 0xff,
+- (ip >> 24) & 0xff);
++ (ip >> 8) & 0xff,
++ (ip) & 0xff);
+
+ if (index) {
+ index=0;
+@@ -134,10 +142,38 @@ + fflush(stdout);
+ }
+
++void log_action(char *msg)
++{
++ char timestr[30];
++ time_t tv;
++
++ if (timestamp) {
++ tv = time(NULL);
++ strncpy(timestr, ctime(&tv), 19);
++ timestr[19] = '\0';
++ strcat(timestr, "| ");
++ }
++ else strcpy(timestr, "");
++
++ if (log2syslog) {
++ syslog(LOG_INFO, msg);
++ }
++
++ if (log2file) {
++ fprintf(logfile,"%s%s",timestr,msg);
++ fflush(logfile);
++ }
++
++ if (log2stdout) {
++ fprintf(stdout,"%s%s",timestr,msg);
++ }
++}
++
+ inline void ranged_insert(char *name,char *ipmin,char *ipmax)
+ {
+ recType tmprec;
+ int ret;
++ char msgbuf[255];
+
+ if ( strlen(name) > (BNAME_LEN-1) ) {
+ strncpy(tmprec.blockname, name, BNAME_LEN);
+@@ -149,10 +185,11 @@ + if ( (ret=insert(ntohl(inet_addr(ipmin)),&tmprec)) != STATUS_OK )
+ switch(ret) {
+ case STATUS_MEM_EXHAUSTED:
+- fprintf(logfile,"Error inserting range, MEM_EXHAUSTED.\n");
++ log_action("Error inserting range, MEM_EXHAUSTED.\n");
+ break;
+ case STATUS_DUPLICATE_KEY:
+- fprintf(logfile,"Duplicated range ( %s )\n",name);
++ sprintf(msgbuf,"Duplicated range ( %s )\n",name);
++ log_action(msgbuf);
+ break;
+ case STATUS_MERGED:
+ merged_ranges++;
+@@ -161,8 +198,9 @@ + skipped_ranges++;
+ break;
+ default:
+- fprintf(logfile,"Unexpected return value from ranged_insert()!\n");
+- fprintf(logfile,"Return value was: %d\n",ret);
++ log_action("Unexpected return value from ranged_insert()!\n");
++ sprintf(msgbuf,"Return value was: %d\n",ret);
++ log_action(msgbuf);
+ break;
+ }
+ }
+@@ -177,15 +215,19 @@ + regex_t regmain;
+ regmatch_t matches[4];
+ int i;
++ char msgbuf[255];
+
+ regcomp(®main, "^(.*)[:]([0-9.]*)[-]([0-9.]*)$", REG_EXTENDED);
+
+ fp=fopen(filename,"r");
+ if ( fp == NULL ) {
+- fprintf(logfile,"Error opening %s, aborting...\n", filename);
++ sprintf(msgbuf,"Error opening %s, aborting...\n", filename);
++ log_action(msgbuf);
+ exit(-1);
+ }
+ while ( (count=getline(&line,&len,fp)) != -1 ) {
++ if ( line[0] == '#' ) //comment line, skip
++ continue;
+ for(i=count-1; i>=0; i--) {
+ if ((line[i] == '\r') || (line[i] == '\n') || (line[i] == ' ')) {
+ line[i] = 0;
+@@ -207,36 +249,78 @@ + line+matches[3].rm_so);
+ ntot++;
+ } else {
+- fprintf(logfile,"Short guarding.p2p line %s, skipping it...\n", line);
++ sprintf(msgbuf,"Short guarding.p2p line %s, skipping it...\n", line);
++ log_action(msgbuf);
+ }
+ }
+ if (line)
+ free(line);
+ fclose(fp);
+- fprintf(logfile,"Ranges loaded: %d\n",ntot);
+- printf("* Ranges loaded: %d\n",ntot);
++ sprintf(msgbuf, "* Ranges loaded: %d\n", ntot);
++ log_action(msgbuf);
++ if ( !log2stdout )
++ printf(msgbuf);
+ }
+
+-void loadlist_pg2(char *filename) // experimental, no check for list sanity
++void loadlist_pg2(char *filename) // supports only v2 files
+ {
+ FILE *fp;
+- int i,retval,ntot=0;
+- char name[100],ipmin[16]; // hope we don't have a list with longer names...
++ int i, j, c, retval=0, ntot=0;
++ char name[100],ipmin[16], msgbuf[255]; // hope we don't have a list with longer names...
+ uint32_t start_ip, end_ip;
+ struct in_addr startaddr,endaddr;
++ size_t s;
+
+ fp=fopen(filename,"r");
+ if ( fp == NULL ) {
+- fprintf(logfile,"Error opening %s, aborting...\n", filename);
++ sprintf(msgbuf, "Error opening %s, aborting...\n", filename);
++ log_action(msgbuf);
+ exit(-1);
+ }
+
+- fgetc(fp); // skip first 4 bytes, don't know what they are
+- fgetc(fp);
+- fgetc(fp);
+- retval=fgetc(fp);
++ for (j=0; j<4; j++) {
++ c=fgetc(fp);
++ if ( c != 0xff ) {
++ sprintf(msgbuf,"Byte %d: 0x%x != 0xff, aborting...\n", j+1, c);
++ log_action(msgbuf);
++ fclose(fp);
++ exit(-1);
++ }
++ }
++
++ c=fgetc(fp);
++ if ( c != 'P' ) {
++ sprintf(msgbuf,"Byte 5: %c != P, aborting...\n", c);
++ log_action(msgbuf);
++ fclose(fp);
++ exit(-1);
++ }
++
++ c=fgetc(fp);
++ if ( c != '2' ) {
++ sprintf(msgbuf,"Byte 6: %c != 2, aborting...\n", c);
++ log_action(msgbuf);
++ fclose(fp);
++ exit(-1);
++ }
+
+- while ( retval != EOF ) {
++ c=fgetc(fp);
++ if ( c != 'B' ) {
++ sprintf(msgbuf,"Byte 7: %c != B, aborting...\n", c);
++ log_action(msgbuf);
++ fclose(fp);
++ exit(-1);
++ }
++
++ c=fgetc(fp);
++ if ( c != 0x02 ) {
++ sprintf(msgbuf,"Byte 8: version: %d != 2, aborting...\n", c);
++ log_action(msgbuf);
++ fclose(fp);
++ exit(-1);
++ }
++
++ do {
+ i=0;
+ do {
+ name[i]=fgetc(fp);
+@@ -244,9 +328,22 @@ + } while ( name[i-1] != 0x00 && name[i-1] != EOF);
+ if ( name[i-1] != EOF ) {
+ name[i-1]='\0';
+- fread(&start_ip,4,1,fp);
+- fread(&end_ip,4,1,fp);
+- startaddr.s_addr=start_ip;
++ s=fread(&start_ip,4,1,fp);
++ if ( s != 1 ) {
++ sprintf(msgbuf,"Failed to read start IP: %d != 1, aborting...\n", (int)s);
++ log_action(msgbuf);
++ fclose(fp);
++ exit(-1);
++ }
++ s=fread(&end_ip,4,1,fp);
++ if ( s != 1 ) {
++ sprintf(msgbuf,"Failed to read end IP: %d != 1, aborting...\n", (int)s);
++ log_action(msgbuf);
++ fclose(fp);
++ exit(-1);
++ }
++
++ startaddr.s_addr=start_ip;
+ endaddr.s_addr=end_ip;
+ strcpy(ipmin,inet_ntoa(startaddr));
+ ranged_insert(name,ipmin,inet_ntoa(endaddr));
+@@ -255,22 +352,25 @@ + else {
+ retval=EOF;
+ }
+- }
++ } while ( retval != EOF );
+ fclose(fp);
+- fprintf(logfile,"Ranges loaded: %d\n",ntot);
+- printf("* Ranges loaded: %d\n",ntot);
++ sprintf(msgbuf, "* Ranges loaded: %d\n",ntot);
++ log_action(msgbuf);
++ if ( !log2stdout )
++ printf(msgbuf);
+ }
+
+ void loadlist_dat(char *filename)
+ {
+ FILE *fp;
+ int ntot=0;
+- char readbuf[200], *name, start_ip[16], end_ip[16];
++ char readbuf[200], *name, start_ip[16], end_ip[16], msgbuf[255];
+ unsigned short ip1_0, ip1_1, ip1_2, ip1_3, ip2_0, ip2_1, ip2_2, ip2_3;
+
+ fp=fopen(filename,"r");
+ if ( fp == NULL ) {
+- fprintf(logfile,"Error opening %s, aborting...\n", filename);
++ sprintf(msgbuf,"Error opening %s, aborting...\n", filename);
++ log_action(msgbuf);
+ exit(-1);
+ }
+
+@@ -286,38 +386,45 @@ + ntot++;
+ }
+ fclose(fp);
+- fprintf(logfile,"Ranges loaded: %d\n",ntot);
+- printf("* Ranges loaded: %d\n",ntot);
++ sprintf(msgbuf, "* Ranges loaded: %d\n", ntot);
++ log_action(msgbuf);
++ if ( !log2stdout )
++ printf(msgbuf);
+ }
+
+ void reopen_logfile(void)
+ {
++ char msgbuf[255];
++
+ if (logfile != NULL) {
+ fclose(logfile);
+ logfile=NULL;
+ }
+ logfile=fopen(logfile_name,"a");
+ if (logfile == NULL) {
+- fprintf(stderr, "Unable to open logfile %s\n", logfile_name);
++ sprintf(msgbuf, "Unable to open logfile %s\n", logfile_name);
++ log_action(msgbuf);
+ exit(-1);
+ }
+- fprintf(logfile, "Reopening logfile.\n");
++ log_action("Reopening logfile.\n");
+ }
+
+ void my_sahandler(int sig)
+ {
++ char msgbuf[255];
++
+ switch( sig ) {
+ case SIGUSR1:
+- fprintf(logfile,"Got SIGUSR1! Dumping stats...\n");
++ log_action("Got SIGUSR1! Dumping stats...\n");
+ ll_show(logfile);
+ reopen_logfile();
+ break;
+ case SIGUSR2:
+- fprintf(logfile,"Got SIGUSR2! Dumping stats to /var/log/MoBlock.stats\n");
++ log_action("Got SIGUSR2! Dumping stats to /var/log/MoBlock.stats\n");
+ ll_log();
+ break;
+ case SIGHUP:
+- fprintf(logfile,"\nGot SIGHUP! Dumping and resetting stats, reloading blocklist\n\n");
++ log_action("Got SIGHUP! Dumping and resetting stats, reloading blocklist\n");
+ ll_log();
+ ll_clear(); // clear stats list
+ destroy_tree(); // clear loaded ranges
+@@ -332,17 +439,18 @@ + loadlist_pg2(blocklist_info.filename);
+ break;
+ default:
+- fprintf(logfile,"Unknown blocklist type while reloading list, contact the developer!\n");
++ log_action("Unknown blocklist type while reloading list, contact the developer!\n");
+ break;
+ }
+ reopen_logfile();
+ break;
+ case SIGTERM:
+- fprintf(logfile,"Got SIGTERM! Dumping stats and exiting.\n");
++ log_action("Got SIGTERM! Dumping stats and exiting.\n");
+ ll_log();
+ exit(0);
+ default:
+- fprintf(logfile,"Received signal = %d but not handled\n",sig);
++ sprintf(msgbuf,"Received signal = %d but not handled\n",sig);
++ log_action(msgbuf);
+ break;
+ }
+ }
+@@ -378,7 +486,7 @@ + {
+ int id=0, status=0;
+ struct nfqnl_msg_packet_hdr *ph;
+- char *payload;
++ char *payload, msgbuf[255];
+ recType tmprec;
+
+ ph = nfq_get_msg_packet_hdr(nfa);
+@@ -389,34 +497,78 @@ + switch (ph->hook) {
+ case NF_IP_LOCAL_IN:
+ if ( find(ntohl(SRC_ADDR(payload)),&tmprec) == STATUS_OK ) {
++ // we drop the packet instead of rejecting
++ // we don't want the other host to know we are alive
+ status=nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
+- fprintf(logfile,"Blocked IN: %s,hits: %d,SRC: %s\n",tmprec.blockname,tmprec.hits,ip2str(SRC_ADDR(payload)));
+- } else status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
++ sprintf(msgbuf,"Blocked IN: %s,hits: %d,SRC: %s\n",tmprec.blockname,tmprec.hits,ip2str(SRC_ADDR(payload)));
++ log_action(msgbuf);
++ }
++ else if ( unlikely(accept_mark) ) {
++ // we set the user-defined accept_mark and set NF_REPEAT verdict
++ // it's up to other iptables rules to decide what to do with this marked packet
++ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, accept_mark, 0, NULL);
++ }
++ else {
++ // no accept_mark, just NF_ACCEPT the packet
++ status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
++ }
+ break;
+ case NF_IP_LOCAL_OUT:
+ if ( find(ntohl(DST_ADDR(payload)),&tmprec) == STATUS_OK ) {
+- status=nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
+- fprintf(logfile,"Blocked OUT: %s,hits: %d,DST: %s\n",tmprec.blockname,tmprec.hits,ip2str(DST_ADDR(payload)));
+- } else status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
++ if ( likely(reject_mark) ) {
++ // we set the user-defined reject_mark and set NF_REPEAT verdict
++ // it's up to other iptables rules to decide what to do with this marked packet
++ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, reject_mark, 0, NULL);
++ }
++ else {
++ status = nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
++ }
++ sprintf(msgbuf,"Blocked OUT: %s,hits: %d,DST: %s\n",tmprec.blockname,tmprec.hits,ip2str(DST_ADDR(payload)));
++ log_action(msgbuf);
++ }
++ else if ( unlikely(accept_mark) ) {
++ // we set the user-defined accept_mark and set NF_REPEAT verdict
++ // it's up to other iptables rules to decide what to do with this marked packet
++ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, accept_mark, 0, NULL);
++ }
++ else {
++ // no accept_mark, just NF_ACCEPT the packet
++ status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
++ }
+ break;
+ case NF_IP_FORWARD:
+ if ( find2(ntohl(SRC_ADDR(payload)), ntohl(DST_ADDR(payload)), &tmprec) == STATUS_OK ) {
+- status=nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
+- fprintf(logfile,"Blocked FWD: %s,hits: %d,SRC: %s, DST: %s\n",
++ if ( likely(reject_mark) ) {
++ // we set the user-defined reject_mark and set NF_REPEAT verdict
++ // it's up to other iptables rules to decide what to do with this marked packet
++ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, reject_mark, 0, NULL);
++ }
++ else {
++ status = nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
++ }
++ sprintf(msgbuf,"Blocked FWD: %s,hits: %d,SRC: %s, DST: %s\n",
+ tmprec.blockname, tmprec.hits, ip2str(SRC_ADDR(payload)), ip2str(DST_ADDR(payload)));
+- fflush(logfile);
+- } else status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
++ log_action(msgbuf);
++ }
++ else if ( unlikely(accept_mark) ) {
++ // we set the user-defined accept_mark and set NF_REPEAT verdict
++ // it's up to other iptables rules to decide what to do with this marked packet
++ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, accept_mark, 0, NULL);
++ }
++ else {
++ // no accept_mark, just NF_ACCEPT the packet
++ status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
++ }
+ break;
+ default:
+- fprintf(logfile,"Not NF_LOCAL_IN/OUT/FORWARD packet!\n");
++ log_action("Not NF_LOCAL_IN/OUT/FORWARD packet!\n");
+ break;
+ }
+ }
+ else {
+- fprintf(logfile,"NFQUEUE: can't get msg packet header.\n");
++ log_action("NFQUEUE: can't get msg packet header.\n");
+ return(1); // from nfqueue source: 0 = ok, >0 = soft error, <0 hard error
+ }
+- fflush(logfile);
+ return(0);
+ }
+ #endif
+@@ -492,46 +644,48 @@ + struct nfq_q_handle *qh;
+ struct nfnl_handle *nh;
+ int fd,rv;
+- char buf[BUFSIZE];
++ char buf[BUFSIZE], msgbuf[255];
+
+ h = nfq_open();
+ if (!h) {
+- fprintf(logfile, "Error during nfq_open()\n");
++ log_action("Error during nfq_open()\n");
+ exit(-1);
+ }
+
+ if (nfq_unbind_pf(h, AF_INET) < 0) {
+- fprintf(logfile, "error during nfq_unbind_pf()\n");
+- exit(-1);
++ log_action("error during nfq_unbind_pf()\n");
++ //exit(-1);
+ }
+
+ if (nfq_bind_pf(h, AF_INET) < 0) {
+- fprintf(logfile, "Error during nfq_bind_pf()\n");
++ log_action("Error during nfq_bind_pf()\n");
+ exit(-1);
+ }
+
+- fprintf(logfile,"NFQUEUE: binding to queue '%hd'\n", queuenum);
++ sprintf(msgbuf,"NFQUEUE: binding to queue '%hd'\n", queuenum);
++ log_action(msgbuf);
+ qh = nfq_create_queue(h, queuenum, &nfqueue_cb, NULL);
+ if (!qh) {
+- fprintf(logfile, "error during nfq_create_queue()\n");
++ log_action("error during nfq_create_queue()\n");
+ exit(-1);
+ }
+
+ if (nfq_set_mode(qh, NFQNL_COPY_PACKET, PAYLOADSIZE) < 0) {
+- fprintf(logfile, "can't set packet_copy mode\n");
++ log_action("can't set packet_copy mode\n");
+ exit(-1);
+ }
+
+ nh = nfq_nfnlh(h);
+ fd = nfnl_fd(nh);
+
+- while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
++ while ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {
+ nfq_handle_packet(h, buf, rv);
+ }
+
+- printf("NFQUEUE: unbinding from queue 0\n");
++ log_action("NFQUEUE: unbinding from queue 0\n");
+ nfq_destroy_queue(qh);
+ nfq_close(h);
++ nfq_unbind_pf(h, AF_INET);
+ return(0);
+ #endif
+
+@@ -540,11 +694,16 @@ + void print_options(void)
+ {
+ printf("\nMoBlock %s by Morpheus",MB_VERSION);
+- printf("\nSyntax: MoBlock -dnp <blocklist> [-b] [-q 0-65535] <logfile>\n\n");
++ printf("\nSyntax: MoBlock -dnp <blocklist> [-q 0-65535] <logfile>\n\n");
+ printf("\t-d\tblocklist is an ipfilter.dat file\n");
+ printf("\t-n\tblocklist is a peerguardian 2.x file (.p2b)\n");
+ printf("\t-p\tblocklist is a peerguardian file (.p2p)\n");
+ printf("\t-q\t0-65535 NFQUEUE number (as specified in --queue-num with iptables)\n");
++ printf("\t-r MARK\tmark packet with MARK instead of DROP\n");
++ printf("\t-a MARK\tmark packet with MARK instead of ACCEPT\n");
++ printf("\t-l\tlog to stdout\n");
++ printf("\t-s\tlog to syslog\n");
++ printf("\t-t\tlog timestamping\n\n");
+ }
+
+ void on_quit()
+@@ -556,6 +715,7 @@ + {
+ int ret=0;
+ unsigned short int queuenum=0;
++ char msgbuf[255];
+
+ if (argc < 3) {
+ print_options();
+@@ -591,10 +751,11 @@ + }
+ logfile_name=malloc(strlen(argv[argc-1])+1);
+ strcpy(logfile_name,argv[argc-1]);
++ log2file = 1;
+ printf("* Logging to %s\n",logfile_name);
+
+ while (1) { //scan command line options
+- ret=getopt(argc, argv, "d:n:p:q:");
++ ret=getopt(argc, argv, "d:n:p:q:a:r:stl");
+ if ( ret == -1 ) break;
+
+ switch (ret) {
+@@ -619,6 +780,28 @@ + case 'q':
+ queuenum=(unsigned short int)atoi(optarg);
+ break;
++ case 'r':
++ reject_mark=(u_int32_t)atoi(optarg);
++ printf("* DROP MARK: %d\n", reject_mark);
++ reject_mark=htonl(reject_mark);
++ break;
++ case 'a':
++ accept_mark=(u_int32_t)atoi(optarg);
++ printf("* ACCEPT MARK: %d\n", accept_mark);
++ accept_mark=htonl(accept_mark);
++ break;
++ case 's':
++ log2syslog = 1;
++ printf("* Logging to syslog\n");
++ break;
++ case 't':
++ timestamp = 1;
++ printf("* Log timestamp enabled\n");
++ break;
++ case 'l':
++ log2stdout = 1;
++ printf("* Log to stdout enabled\n");
++ break;
+ case '?': // unknown option
+ print_options();
+ exit(-1);
+@@ -626,10 +809,14 @@ + }
+ }
+
+- printf("* Merged ranges: %d\n", merged_ranges);
+- fprintf(logfile, "Merged ranges: %d\n", merged_ranges);
+- printf("* Skipped useless ranges: %d\n", skipped_ranges);
+- fprintf(logfile,"Skipped useless ranges: %d\n", skipped_ranges);
++ sprintf(msgbuf, "* Merged ranges: %d\n", merged_ranges);
++ log_action(msgbuf);
++ if ( !log2stdout )
++ printf(msgbuf);
++ sprintf(msgbuf,"* Skipped useless ranges: %d\n", skipped_ranges);
++ log_action(msgbuf);
++ if ( !log2stdout )
++ printf(msgbuf);
+ fflush(NULL);
+
+ netlink_loop(queuenum);
+diff -Naur MoBlock-0.8_orig/README MoBlock-0.8/README +--- MoBlock-0.8_orig/README 2006-03-22 12:44:31.000000000 -0500 ++++ MoBlock-0.8/README 2007-11-22 08:10:44.000000000 -0500 +@@ -1,5 +1,5 @@ + +-MoBlock README v0.8 ++MoBlock README v0.9 + http://moblock.berlios.de + + .Introduction. +@@ -47,6 +47,22 @@ + ip_conntrack 40044 1 ipt_state + iptable_filter 2176 1 + ip_tables 17600 3 ipt_NFQUEUE,ipt_state,iptable_filter ++ ++ ...and these with kernel 2.6.23 using NFQUEUE interface: ++ ++ nfnetlink_queue 9344 1 ++ nfnetlink 4568 2 nfnetlink_queue ++ ipt_REJECT 3520 2 ++ xt_mark 1600 2 ++ nf_conntrack_ipv4 12424 5 ++ iptable_filter 2308 1 ++ ip_tables 10328 1 iptable_filter ++ xt_state 1984 5 ++ nf_conntrack 48356 2 nf_conntrack_ipv4,xt_state ++ xt_NFQUEUE 1664 3 ++ x_tables 11396 5 ipt_REJECT,xt_mark,ip_tables,xt_state,xt_NFQUEUE ++ ++ (notice that ipt_NFQUEUE has changed to xt_NFQUEUE, same thing for other modules too) + + 2) A valid guarding.p2p/ipfilter.dat/p2p.p2b host file in /etc ( /etc/guarding.p2p ). + MoBlock tries to skip malformed or duplicate ranges but +@@ -140,8 +156,18 @@ + To specify a NFQUEUE queue number: + + ./moblock -p /etc/guarding.p2p -q 5 MoBlock.log ++ ++ From version 0.9 MoBlock supports MARKing packets and RETURN them to ++ iptables, there's an example start script (MoBlock-nfq-reject.sh) that ++ uses this feature to REJECT packet instead of dropping them. It can help ++ in complex firewall configuration where you need more control of packets ++ flow after MoBlock inspection. ++ See the mentioned start script for reference, you can set the MARK value ++ for packets that MoBlock would drop (ip in list) with the "-r" command line ++ option and for packets that MoBlock would accept (ip not in list) with ++ the "-a" command line option. + +- To stop it: ++ To stop MoBlock: + + kill -TERM <MoBlockPid> + +@@ -149,7 +175,7 @@ + To obtain stats about blocked ranges while it's running: + + kill -USR1 <MoBlockPid> # write stats to logfile +- kill -USR2 <MoBlockPid> # write stats to /var/log/MoBlock.stats ++ kill -USR2 <MoBlockPid> # write stats to /var/log/MoBlock.stats + + ** NEW: to reload the blocklist while MoBlock is running send to it the + HUP signal: +@@ -168,7 +194,10 @@ + took some code and ideas from his FTwall + - Andrew de Quincey (adq at lidskialf dot net) for regular expressions + and command line args patch +-- Maximilian Mehnert (clessing at freenet dot de) for logfile rotation ++- clessing at freenet dot de for logfile rotation + patches, pid file creation, start script, fixes/files for debian packaging ++- David Walluck, patch for proper loading of p2b files ++- jre, for continuing clessing work on debian packaging and many other ++ contributions + +-Last Updated: 20/Mar/2006 ++Last Updated: 15/Oct/2007 +diff -Naur MoBlock-0.8_orig/rbt.c MoBlock-0.8/rbt.c +--- MoBlock-0.8_orig/rbt.c 2006-03-22 12:44:31.000000000 -0500 ++++ MoBlock-0.8/rbt.c 2008-02-10 11:56:08.000000000 -0500 +@@ -19,7 +19,7 @@ + #include <stdarg.h> + #include <time.h> + +-#define RBT_VERSION 0.8 ++#define RBT_VERSION 0.9 + #define BNAME_LEN 80 + + /* implementation dependend declarations */ +@@ -421,7 +421,7 @@ + + statusEnum insert(keyType key, recType *rec) { + nodeType *current, *parent, *x; +- keyType tmpkey; ++ //keyType tmpkey; + recType tmprec; + int ret; + +@@ -433,6 +433,23 @@ + current = root; + parent = 0; + while (current != NIL) { ++ if (compEQ2(current->key, key, rec->ipmax)) { // current node key is inside new range to be inserted ++ strcpy(tmprec.blockname, rec->blockname); // block name from new range ++ if (compLT(current->rec.ipmax, rec->ipmax)) ++ tmprec.ipmax = rec->ipmax; ++ else tmprec.ipmax = current->rec.ipmax; ++ tmprec.hits = 0; ++ //printf("deleting node :%lu\n", current->key); ++ ret=delete(current->key); ++ if ( ret != STATUS_OK ) ++ return(ret); ++ ret=insert(key, &tmprec); ++ if ( ret == STATUS_OK ) { ++ printf("new merge\n"); ++ return(STATUS_MERGED); ++ } ++ else return(ret); ++ } + if (compEQ(key, current->key)) { + if ( rec->ipmax > current->rec.ipmax ) { + current->rec.ipmax=rec->ipmax; +@@ -458,7 +475,7 @@ + } + } + //check if higher ip (ipmax) is already in a range +- if (compEQ2(rec->ipmax,current->key,current->rec.ipmax)) { ++ /*if (compEQ2(rec->ipmax,current->key,current->rec.ipmax)) { + fprintf(logfile,"higher ip in range\n"); + tmpkey=key; + strcpy(tmprec.blockname,current->rec.blockname); +@@ -470,7 +487,7 @@ + if ( ret == STATUS_OK ) + return(STATUS_MERGED); + else return(ret); +- } ++ }*/ + parent = current; + current = compLT(key, current->key) ? + current->left : current->right; +@@ -495,7 +512,7 @@ + } else { + root = x; + } +- ++ //printf("new node, key: %lu, parent: %lu\n", x->key, parent ? parent->key : 0); + insertFixup(x); + lastFind = NULL; + diff --git a/abs/extra-testing/community/moblock/moblock_include.patch b/abs/extra-testing/community/moblock/moblock_include.patch new file mode 100644 index 0000000..644e824 --- /dev/null +++ b/abs/extra-testing/community/moblock/moblock_include.patch @@ -0,0 +1,10 @@ +--- MoBlock-0.8/MoBlock.c.orig 2008-08-15 14:41:49.000000000 -0400 ++++ MoBlock-0.8/MoBlock.c 2008-08-15 14:43:45.000000000 -0400 +@@ -32,6 +32,7 @@ + #include <netinet/udp.h>
+ #include <sys/socket.h>
+ #include <arpa/inet.h>
++#include <limits.h>
+ #include <linux/netfilter_ipv4.h>
+ #include <signal.h>
+ #include <regex.h>
diff --git a/abs/extra-testing/community/moblockcontrol/PKGBUILD b/abs/extra-testing/community/moblockcontrol/PKGBUILD new file mode 100644 index 0000000..f13e48c --- /dev/null +++ b/abs/extra-testing/community/moblockcontrol/PKGBUILD @@ -0,0 +1,38 @@ +# Contributor: marinz <marinz@email.it> + +pkgname=moblockcontrol +pkgver=1.0 +pkgrel=8 +pkgdesc="moblock-control" +arch=('i686' 'x86_64') +url="http://moblock-deb.sourceforge.net/" +license=('GPL') +groups=() +depends=('moblock') +makedepends=() +install= +source=(http://download.sourceforge.net/moblock-deb/moblock-control-1.0.tar.gz \ + moblock_control.patch) +md5sums=('1399e5465028e116e941cd1e01f6f7fc' + 'dc269c6c47bc423b9093919d52e97d63') +backup=('etc/moblock/moblock.conf' 'etc/moblock/blocklists.list') + +build() { + + cd $startdir/src/moblock-control-1.0 + + patch -Np1 -i ../moblock_control.patch || return 1 + + install -d ${pkgdir}/usr/bin ${pkgdir}/etc/moblock ${pkgdir}/etc/default ${pkgdir}/var/spool/moblock/user ${pkgdir}/lib/lsb ${pkgdir}/var/log + install -m 755 moblock-control ${pkgdir}/usr/bin/moblock-control + install -m 755 blocklists.list ${pkgdir}/etc/moblock/blocklists.list + install -m 755 moblock.conf ${pkgdir}/etc/moblock/moblock.conf + install -m 755 moblock.default ${pkgdir}/etc/default/moblock + install -m 755 init-functions ${pkgdir}/lib/lsb/init-functions + install -m 755 iptables-custom-insert.sh ${pkgdir}/etc/iptables-custom-insert.sh + install -m 755 iptables-custom-remove.sh ${pkgdir}/etc/iptables-custom-remove.sh + + touch ${pkgdir}/var/log/moblock-control.log + touch ${pkgdir}/etc/moblock/guarding.p2p +} + diff --git a/abs/extra-testing/community/moblockcontrol/moblock_control.patch b/abs/extra-testing/community/moblockcontrol/moblock_control.patch new file mode 100644 index 0000000..db6bbf9 --- /dev/null +++ b/abs/extra-testing/community/moblockcontrol/moblock_control.patch @@ -0,0 +1,11 @@ +--- moblockcontrol/moblock-control_2 2008-09-25 23:22:39.000000000 +0200 ++++ moblockcontrol/moblock-control 2008-12-28 09:33:51.000000000 +0100 +@@ -954,7 +954,7 @@ + else + # The options Moblock is started with + # The same like above, but with a "&" to start moblock in the background +- DAEMON_OPTS="-$BLOCKLIST_FORMAT $BLOCKLIST $NFQUEUE_NUMBER_OPT $LOG_SYSLOG_OPT $LOG_TIMESTAMP_OPT -r $REJECT_MARK -a $ACCEPT_MARK $DAEMON_LOG &" ++ DAEMON_OPTS="-$BLOCKLIST_FORMAT $BLOCKLIST $NFQUEUE_NUMBER_OPT $LOG_SYSLOG_OPT $DAEMON_LOG & " + # Start MoBlock + start_daemon -p $PIDFILE $DAEMON $DAEMON_OPTS # The init-functions provided with moblock-control depend on this syntax! + fi |