Diffstat (limited to 'abs/extra/community/moblock')
-rw-r--r-- | abs/extra/community/moblock/MoBlock-nfq.sh.patch | 53 | ||||
-rwxr-xr-x | abs/extra/community/moblock/PKGBUILD | 57 | ||||
-rw-r--r-- | abs/extra/community/moblock/config | 30 | ||||
-rwxr-xr-x | abs/extra/community/moblock/moblock | 70 | ||||
-rwxr-xr-x | abs/extra/community/moblock/moblock-update | 174 | ||||
-rw-r--r-- | abs/extra/community/moblock/moblock.install | 26 | ||||
-rw-r--r-- | abs/extra/community/moblock/moblock.logrotate | 11 | ||||
-rw-r--r-- | abs/extra/community/moblock/moblock_0.9_rc2.patch | 912 | ||||
-rw-r--r-- | abs/extra/community/moblock/moblock_include.patch | 10 |
9 files changed, 0 insertions, 1343 deletions
diff --git a/abs/extra/community/moblock/MoBlock-nfq.sh.patch b/abs/extra/community/moblock/MoBlock-nfq.sh.patch deleted file mode 100644 index f9136c3..0000000 --- a/abs/extra/community/moblock/MoBlock-nfq.sh.patch +++ /dev/null @@ -1,53 +0,0 @@ ---- MoBlock-0.8/MoBlock-nfq.sh.orig 2008-11-30 03:44:02.000000000 -0500 -+++ MoBlock-0.8/MoBlock-nfq.sh 2008-12-01 18:56:15.000000000 -0500 -@@ -3,14 +3,10 @@ - # MoBlock.sh - MoBlock start script - # --------------------------------- - --ACTIVATE_CHAINS=1 --WHITE_TCP_IN="" --WHITE_UDP_IN="" --WHITE_TCP_OUT="" --WHITE_UDP_OUT="" --WHITE_TCP_FORWARD="" --WHITE_UDP_FORWARD="" -+# Some configuration options have been moved to an external conf file -+# This should make maintenance and upgrading easier - -+. /etc/moblock/config - - PIDF=/var/run/moblock.pid - -@@ -78,6 +74,17 @@ - iptables -I MOBLOCK_FW -p udp --dport $PORT -j ACCEPT - done - -+# For added IP whitelisting support -+ -+for IP in $WHITE_IP_OUT; do -+ iptables -I MOBLOCK_OUT -p all -m iprange --dst-range $IP -j ACCEPT -+done -+for IP in $WHITE_IP_IN; do -+ iptables -I MOBLOCK_IN -p all -m iprange --src-range $IP -j ACCEPT -+done -+for IP in $WHITE_IP_FW; do -+ iptables -I MOBLOCK_FW -p all -m iprange --dst-range $IP -j ACCEPT -+done - - # Loopback traffic fix - -@@ -85,7 +92,8 @@ - iptables -I OUTPUT -p all -o lo -j ACCEPT - - # Here you can change block list and log files --./moblock -p /etc/guarding.p2p ./moblock.log -+#./moblock -p /etc/guarding.p2p ./moblock.log -+/usr/bin/moblock -p /etc/moblock/banned.list /var/log/moblock.log >/dev/null 2>&1 - - # On exit delete the rules we added - -@@ -108,3 +116,4 @@ - if [ -f $PIDF ]; then - rm $PIDF; - fi -+ diff --git a/abs/extra/community/moblock/PKGBUILD b/abs/extra/community/moblock/PKGBUILD deleted file mode 100755 index 0f3ff26..0000000 --- a/abs/extra/community/moblock/PKGBUILD +++ /dev/null 
@@ -1,57 +0,0 @@
-# Contributor: Kevin Edmonds <edmondskevin@hotmail.com>
-# Maintainer: Filip Wojciechowski, filip at loka dot pl
-
-pkgname=moblock
-pkgver=0.9rc2
-pkgrel=9
-pkgdesc="Console application that blocks connections from/to hosts listed in a file in peerguardian format"
-arch=('i686' 'x86_64')
-url="http://moblock.berlios.de/"
-license=('GPL')
-depends=(libnetfilter_queue iptables)
-backup=(etc/moblock/config)
-install=moblock.install
-source=(http://download.berlios.de/moblock/MoBlock-0.8-i586.tar.bz2 \
- moblock_0.9_rc2.patch \
- MoBlock-nfq.sh.patch \
- moblock_include.patch \
- config \
- moblock-update \
- moblock \
- moblock.logrotate)
-
-build() {
- cd ${srcdir}/MoBlock-0.8
-
- # patch to update moblock to the latest cvs version
- patch -Np1 -i ../moblock_0.9_rc2.patch || return 1
- # add IP whitelisting and move configs to a separate conf file
- patch -Np1 -i ../MoBlock-nfq.sh.patch || return 1
- # necessary to make moblock build with recent kernels
- patch -Np1 -i ../moblock_include.patch || return 1
-
- # change the CFLAGS for both i686 and x84_64 builds
- sed -i "s#-Wall -O.*-ffast-math#$CFLAGS#g" Makefile
-
- # build
- make || return 1
-}
-
-package() {
- cd ${srcdir}/MoBlock-0.8
- #move the files
- install -D -m 755 ./MoBlock-nfq.sh ${pkgdir}/usr/bin/moblock-nfq || return 1
- install -D -m 744 ./moblock ${pkgdir}/usr/bin/moblock || return 1
- install -D -m 755 ../moblock-update ${pkgdir}/usr/bin/moblock-update || return 1
- install -D -m 744 ../moblock ${pkgdir}/etc/rc.d/moblock || return 1
- install -D -m 644 ../config ${pkgdir}/etc/moblock/config || return 1
- install -D -m 644 ../moblock.logrotate ${pkgdir}/etc/logrotate.d/moblock || return 1
-}
-md5sums=('199967adb48b153be90db10fe21325c5'
- 'e4e33c515677fa53eaca4616591d4e44'
- 'e9f3c6b09f5e07dee948450780340ea3'
- 'b23b5214965df59632de5cec317ddbde'
- '840bb52a99529305e49212a69c9ced8a'
- '49a16feb221d4d912cc7200313517f7b'
- '1bdc949fcff0ce751a5096e489061513'
- 'a8285fd3e68043cd8d21993d3dbbf9d4')
diff --git a/abs/extra/community/moblock/config b/abs/extra/community/moblock/config
deleted file mode 100644
index 7d7c287..0000000
--- a/abs/extra/community/moblock/config
+++ /dev/null
@@ -1,30 +0,0 @@
-# Original MoBlock configuration options from MoBlock-nfq.sh file
-ACTIVATE_CHAINS=1
-WHITE_TCP_IN=""
-WHITE_UDP_IN=""
-WHITE_TCP_OUT="" # Add "http https" here to prevent moblock from blocking webpages
-WHITE_UDP_OUT=""
-WHITE_TCP_FORWARD=""
-WHITE_UDP_FORWARD=""
-
-# Added IP whitelisting support
-WHITE_IP_IN=""
-WHITE_IP_OUT=""
-WHITE_IP_FW=""
-
-# Individual lists can be disabled by prefixing them with '!'
-# Bluetack blacklists (http://www.bluetack.co.uk)
-BLUETACK=(level1 level2 !level3 !edu ads-trackers-and-bad-pr0n bogon spyware spider Microsoft !proxy hijacked templist !rangetest dshield)
-
-# blocklist.org lists (currently doesn't work)
-#BLOCKLIST=(p2p gov spy ads edu)
-
-# backup lists (might be outdated)
-#PHOENIXLABS=(!p2b.p2b edu.txt spider.txt spyware.txt level1.txt !level2.txt !level3.txt)
-
-# Change to 'yes' if you want to backup up the old list before writing
-# a new one. Only one backup copy will be kept.
-BACKUP_OLD_LIST="no"
-
-# Options passed to wget
-WGET_OPTS="-q"
diff --git a/abs/extra/community/moblock/moblock b/abs/extra/community/moblock/moblock
deleted file mode 100755
index d88bd2e..0000000
--- a/abs/extra/community/moblock/moblock
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/bash
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-case "$1" in
- start)
- stat_busy "Starting MoBlock"
- if [ ! -f /var/run/moblock.pid ]
- then
- /usr/bin/moblock-nfq &
- if [ $? -gt 0 ]
- then
- stat_fail
- else
- add_daemon moblock
- stat_done
- fi
- else
- stat_fail
- fi
- ;;
- update)
- stat_busy "Updating MoBlock block list..."
- error=0
- /usr/bin/moblock-update || error=1
- stat_busy "Updating MoBlock block list"
- if [ $error -eq 1 ]; then
- stat_fail
- else
- stat_done
- fi
- ;;
- stats)
- stat_busy "Logging stats to /var/log/MoBlock.stats"
- PID=`cat /var/run/moblock.pid 2>/dev/null`
- if [ ! -z "$PID" ]; then
- /bin/kill -USR2 $PID
- if [ $? -gt 0 ]; then
- stat_fail
- else
- stat_done
- fi
- else
- stat_fail
- fi
- ;;
- stop)
- stat_busy "Stopping MoBlock"
- PID=`cat /var/run/moblock.pid 2>/dev/null`
- if [ ! -z "$PID" ]; then
- /bin/kill $PID
- if [ $? -gt 0 ]; then
- stat_fail
- else
- rm_daemon moblock
- stat_done
- fi
- else
- stat_fail
- fi
- ;;
- restart)
- $0 stop
- sleep 2
- $0 start
- ;;
- *)
- echo "usage: $0 {start|stop|restart|update|stats}"
-esac
diff --git a/abs/extra/community/moblock/moblock-update b/abs/extra/community/moblock/moblock-update
deleted file mode 100755
index aae861d..0000000
--- a/abs/extra/community/moblock/moblock-update
+++ /dev/null
@@ -1,174 +0,0 @@ -#!/bin/bash - -. /etc/moblock/config - -CONF_DIR=/etc/moblock -TEMP_DIR=$(/usr/bin/mktemp -t -d moblock-updateXXXXXXXX) -LIST_FILE=banned.list - -USECOLOR="no" -. /etc/rc.d/functions -PREFIX_REG=" >" -PREFIX_HL="::" - -function extract() -{ - /usr/bin/find $TEMP_DIR -type f -name '*.gz' -o -name '*.zip' |\ - while read N - do - case "$N" in - *.zip) /usr/bin/unzip -oqq "$N" 2>/dev/null - if [ $? -gt 0 ]; then - rm -f "$N" - return 1 - else - rm -f "$N" - fi - ;; - *.gz) /bin/gunzip -f "$N" 2>/dev/null - if [ $? -gt 0 ]; then - rm -f "$N" - return 1 - fi - ;; - *) continue - ;; - esac - done - return 0 -} - -cd $TEMP_DIR - -printf "${C_SEPARATOR} ------------------------------\n" -printhl "Downloading and extracting files:\n" - -# Bluetack lists (with fallback) -for i in ${BLUETACK[@]} -do - if [ $(echo $i | /bin/grep '^[^\!]' | /usr/bin/wc -l) -eq 1 ]; then - stat_busy "BLUETACK '${i}'... " - /usr/bin/wget ${WGET_OPTS} "http://www.bluetack.co.uk/config/${i}.gz" && extract - if [ $? -gt 0 ] || [ ! -f ${i} ]; then - stat_fail - bfile=$i - if [ "$bfile" = "ads-trackers-and-bad-pr0n" ]; then - bfile="ads" - elif [ "$bfile" = "Microsoft" ];then - bfile="microsoft" - fi - stat_busy "[!!] BLUETACK '${i}' (fallback link)... " - /usr/bin/wget ${WGET_OPTS} "http://list.iblocklist.com/?list=bt_${bfile%%-*}" -O "${i}.gz" && extract - if [ $? -gt 0 ]; then - stat_fail - else - stat_done - fi - else - stat_done - fi - fi -done - -# Blocklist lists -for i in ${BLOCKLIST[@]} -do - if [ $(echo $i | /bin/grep '^[^\!]' | /usr/bin/wc -l) -eq 1 ]; then - stat_busy "BLOCKLIST '${i}'... " - /usr/bin/wget ${WGET_OPTS} "blocklist.org/${i}.p2b.gz" && extract - if [ $? -gt 0 ]; then - stat_fail - else - stat_done - fi - fi -done - -# Old phoenixlabs.org lists -for i in ${PHOENIXLABS[@]} -do - if [ $(echo $i | /bin/grep '^[^\!]' | /usr/bin/wc -l) -eq 1 ]; then - stat_busy "PHOENIXLABS '${i}'... " - /usr/bin/wget ${WGET_OPTS} "fox.phoenixlabs.org/${i}" && extract - if [ $? 
-gt 0 ]; then - stat_fail - else - stat_done - fi - fi -done - -if [ $(/bin/cat "$TEMP_DIR"/* | /usr/bin/wc -l) -eq 0 ]; then - printf "\n" - printhl "ERROR: No files were downloaded" - printf "${C_SEPARATOR} ------------------------------\n" - exit 1 -fi - -# Check files -printsep -printhl "Checking integrity of downloaded files:\n" - -/usr/bin/find -type f | while read N -do - stat_busy "File '$(echo $N | /bin/awk -F/ '{print $NF}')'... " - scan1=$(/bin/cat "$N" | /usr/bin/wc -l) - scan2=$(/bin/egrep -o ":[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*-[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" "$N" | /usr/bin/wc -l) - if [ $scan1 -eq $scan2 ]; then - stat_done - else - if [ $scan2 -gt 0 ]; then - if [ $scan1 -gt $scan2 ]; then - stat_append "$(($scan1-$scan2)) of $scan1 entries failed validation; keeping the file" - stat_done - fi - else - stat_fail - stat_busy "[!!] Removing corrupted file... " - rm "$N" 2>/dev/null - if [ $? -gt 0 ]; then - stat_fail - exit 1 - else - stat_done - fi - fi - fi -done - -printsep -printhl "Saving the list:\n" - -# Make backup -if [ "$BACKUP_OLD_LIST" = "yes" ] && [ -f "$CONF_DIR"/"$LIST_FILE" ]; then - stat_busy "Backing up old list to '$CONF_DIR/$LIST_FILE.gz'... " - /bin/gzip -f "$CONF_DIR"/"$LIST_FILE" 2>/dev/null - if [ $? -gt 0 ]; then - stat_fail - else - stat_done - fi -fi - -# Save the list -stat_busy "Saving new list to '$CONF_DIR/$LIST_FILE'... " -/bin/cat "$TEMP_DIR"/* > "$CONF_DIR"/"$LIST_FILE" 2>&1 -if [ $? -gt 0 ]; then - stat_fail - exit 1 -else - stat_done - printf "\n" - printhl "Saved `cat "$CONF_DIR"/"$LIST_FILE" | wc -l` ranges" - printf "${C_SEPARATOR} ------------------------------\n" -fi - -rm -rf "$TEMP_DIR" - -# Restart MoBlock -if [ -f /var/run/moblock.pid ]; then - /bin/kill -HUP `cat /var/run/moblock.pid` >/dev/null 2>&1 -fi - -exit 0 - diff --git a/abs/extra/community/moblock/moblock.install b/abs/extra/community/moblock/moblock.install deleted file mode 100644 index 6afe1d5..0000000 
--- a/abs/extra/community/moblock/moblock.install
+++ /dev/null
@@ -1,26 +0,0 @@
-post_install() {
- #clean up after an old hack
- if [ -h /usr/lib/libnfnetlink.so.1 ]; then
- rm /usr/lib/libnfnetlink.so.1
- fi
- echo ""
- echo ">>> moblock-update script no longer uses /var/spool/moblock"
- echo ">>> as a temporary directory. You can safely delete it."
- echo ""
-}
-
-post_upgrade() {
- #clean up after an old hack
- if [ -h /usr/lib/libnfnetlink.so.1 ]; then
- rm /usr/lib/libnfnetlink.so.1
- fi
- echo ""
- echo ">>> moblock-update script no longer uses /var/spool/moblock"
- echo ">>> as a temporary directory. You can safely delete it."
- echo ""
-}
-
-op=$1
-shift
-$op $*
-
diff --git a/abs/extra/community/moblock/moblock.logrotate b/abs/extra/community/moblock/moblock.logrotate
deleted file mode 100644
index 6ed64bb..0000000
--- a/abs/extra/community/moblock/moblock.logrotate
+++ /dev/null
@@ -1,11 +0,0 @@
-"/var/log/moblock.log" /var/log/MoBlock.stats {
- daily
- missingok
- notifempty
- sharedscripts
- postrotate
- /usr/bin/test -f /var/run/moblock.pid && /bin/kill -HUP `cat /var/run/moblock.pid 2>/dev/null` 2>/dev/null || exit 0
- endscript
- compress
-}
-
diff --git a/abs/extra/community/moblock/moblock_0.9_rc2.patch b/abs/extra/community/moblock/moblock_0.9_rc2.patch
deleted file mode 100644
index 69994ff..0000000
--- a/abs/extra/community/moblock/moblock_0.9_rc2.patch
+++ /dev/null
@@ -1,912 +0,0 @@ -diff -Naur MoBlock-0.8_orig/Changelog MoBlock-0.8/Changelog ---- MoBlock-0.8_orig/Changelog 2006-03-22 12:44:31.000000000 -0500 -+++ MoBlock-0.8/Changelog 2008-02-10 11:56:08.000000000 -0500 -@@ -4,6 +4,23 @@ - - --- - -+0.9: - fix for kernel 2.6.23 -+ - support for MARKing packets instead of DROPping or -+ ACCEPTing -+ - example start script that REJECTs packets instead of -+ DROPping. -+ - Integrated a patch from David Walluck for proper loading -+ of p2b files (version 2) -+ - command line options for logging to syslog, stdout -+ and log timestamping -+ - fixed loading pg1 lists with comments (lines starting -+ with '#') -+ - fixed a bug in ranges merge -+ - applied patch 2223 by badfish99: "IPs logged with bytes -+ reversed on big-endian m/c" -+ -+--- -+ - 0.8: - support for NFQUEUE-ing from iptables FORWARD chain (thx to - hyakki for suggestions and testing!) - - included patches from Maximilian Mehnert to support log file -diff -Naur MoBlock-0.8_orig/Makefile MoBlock-0.8/Makefile ---- MoBlock-0.8_orig/Makefile 2006-03-22 12:44:31.000000000 -0500 -+++ MoBlock-0.8/Makefile 2007-11-22 08:10:44.000000000 -0500 -@@ -1,4 +1,3 @@ -- - # To use the old-soon-to-be-deprecated libipq interface - # uncomment the following line and comment the NFQUEUE one, - # then comment the gcc line with netfilter_queue and -@@ -7,7 +6,7 @@ - #QUEUE_LIB=LIBIPQ - QUEUE_LIB=NFQUEUE - --CFLAGS=-Wall -O2 -march=i586 -mtune=i686 -fomit-frame-pointer -ffast-math \ -+CFLAGS=-Wall -O3 -march=i586 -mtune=i686 -fomit-frame-pointer -ffast-math \ - -D_GNU_SOURCE -D$(QUEUE_LIB) -L/usr/include/libipq - CC=gcc - -diff -Naur MoBlock-0.8_orig/MoBlock-nfq-reject.sh MoBlock-0.8/MoBlock-nfq-reject.sh ---- MoBlock-0.8_orig/MoBlock-nfq-reject.sh 1969-12-31 19:00:00.000000000 -0500 -+++ MoBlock-0.8/MoBlock-nfq-reject.sh 2007-11-22 08:10:44.000000000 -0500 -@@ -0,0 +1,104 @@ -+#!/bin/sh -+# -+# MoBlock.sh - MoBlock start script -+# --------------------------------- -+ -+ACTIVATE_CHAINS=1 
-+WHITE_TCP_IN="" -+WHITE_UDP_IN="" -+WHITE_TCP_OUT="" -+WHITE_UDP_OUT="" -+WHITE_TCP_FORWARD="" -+WHITE_UDP_FORWARD="" -+REJECT_MARK="10" -+ -+PIDF=/var/run/moblock.pid -+ -+FNAME=`basename $0 .sh` -+MODE=`echo $FNAME|awk -F- '{print $2}'` -+ -+if [ -f $PIDF ]; then -+ PID=`cat $PIDF` -+ if [ `ps -p $PID|wc -l` -gt 1 ]; then -+ echo "$0: $PIDF exists and processs seems to be running. Exiting." -+ exit 1; -+ fi; -+fi; -+ -+if [ $MODE == "ipq" ]; then -+ modprobe ip_queue -+ TARGET="QUEUE" -+elif [ $MODE == "nfq" ]; then -+ modprobe ipt_NFQUEUE -+ TARGET="NFQUEUE" -+fi; -+ -+modprobe ipt_state -+ -+# Filter all traffic, edit for your needs -+ -+iptables -N MOBLOCK_IN -+iptables -N MOBLOCK_OUT -+iptables -N MOBLOCK_FW -+ -+if [ $ACTIVATE_CHAINS -eq 1 ]; then -+ iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN -+ iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT -+ iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW -+fi; -+ -+ -+iptables -I MOBLOCK_IN -p all -j $TARGET -+ -+iptables -I MOBLOCK_OUT -p all -j $TARGET -+ -+iptables -I MOBLOCK_FW -p all -j $TARGET -+ -+for PORT in $WHITE_TCP_OUT; do -+ iptables -I MOBLOCK_OUT -p tcp --dport $PORT -j ACCEPT -+done -+for PORT in $WHITE_UDP_OUT; do -+ iptables -I MOBLOCK_OUT -p udp --dport $PORT -j ACCEPT -+done -+ -+for PORT in $WHITE_TCP_IN; do -+ iptables -I MOBLOCK_IN -p tcp --dport $PORT -j ACCEPT -+done -+for PORT in $WHITE_UDP_IN; do -+ iptables -I MOBLOCK_IN -p udp --dport $PORT -j ACCEPT -+done -+ -+for PORT in $WHITE_TCP_FORWARD; do -+ iptables -I MOBLOCK_FW -p tcp --dport $PORT -j ACCEPT -+done -+for PORT in $WHITE_UDP_FORWARD; do -+ iptables -I MOBLOCK_FW -p udp --dport $PORT -j ACCEPT -+done -+ -+iptables -I OUTPUT -p all -m state --state NEW -m mark --mark $REJECT_MARK -j REJECT -+iptables -I FORWARD -p all -m state --state NEW -m mark --mark $REJECT_MARK -j REJECT -+ -+# Here you can change block list and log files -+./moblock -d /etc/ipfilter.dat -t -s -r $REJECT_MARK 
./moblock.log -+ -+# On exit delete the rules we added -+ -+if [ $ACTIVATE_CHAINS -eq 1 ]; then -+ iptables -D INPUT -p all -m state --state NEW -j MOBLOCK_IN -+ iptables -D OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT -+ iptables -D FORWARD -p all -m state --state NEW -j MOBLOCK_FW -+fi; -+ -+iptables -D OUTPUT -p all -m state --state NEW -m mark --mark $REJECT_MARK -j REJECT -+iptables -D FORWARD -p all -m state --state NEW -m mark --mark $REJECT_MARK -j REJECT -+ -+iptables -F MOBLOCK_IN -+iptables -X MOBLOCK_IN -+iptables -F MOBLOCK_OUT -+iptables -X MOBLOCK_OUT -+iptables -F MOBLOCK_FW -+iptables -X MOBLOCK_FW -+ -+if [ -f $PIDF ]; then -+ rm $PIDF; -+fi -diff -Naur MoBlock-0.8_orig/MoBlock.c MoBlock-0.8/MoBlock.c ---- MoBlock-0.8_orig/MoBlock.c 2006-03-22 12:44:31.000000000 -0500 -+++ MoBlock-0.8/MoBlock.c 2008-02-10 11:56:08.000000000 -0500 -@@ -35,6 +35,8 @@ - #include <linux/netfilter_ipv4.h>
- #include <signal.h>
- #include <regex.h>
-+#include <time.h>
-+#include <syslog.h>
-
- // in Makefile define LIBIPQ to use soon-to-be-deprecated ip_queue,
- // NFQUEUE for ipt_NFQUEUE (from kernel 2.6.14)
-@@ -46,7 +48,7 @@ - #include <libnetfilter_queue/libnetfilter_queue.h>
- #endif
-
--#define MB_VERSION "0.8"
-+#define MB_VERSION "0.9rc2"
-
- #define BUFSIZE 2048
- #define PAYLOADSIZE 21
-@@ -58,6 +60,9 @@ - #define SRC_ADDR(payload) (*(in_addr_t *)((payload)+12))
- #define DST_ADDR(payload) (*(in_addr_t *)((payload)+16))
-
-+#define likely(x) __builtin_expect((x),1)
-+#define unlikely(x) __builtin_expect((x),0)
-+
- // rbt datatypes/functions
-
- typedef enum {
-@@ -96,7 +101,8 @@ - char filename[100];
- } blocklist_info;
-
--int merged_ranges=0, skipped_ranges=0;
-+u_int32_t merged_ranges=0, skipped_ranges=0, accept_mark=0, reject_mark=0;
-+u_int8_t log2syslog=0, log2file=0, log2stdout=0, timestamp=0;
-
- #ifdef LIBIPQ
- static void die(struct ipq_handle *h)
-@@ -112,11 +118,13 @@ - static char buf[2][ sizeof("aaa.bbb.ccc.ddd") ];
- static short int index=0;
-
-+ ip = ntohl(ip);
-+
- sprintf(buf[index],"%d.%d.%d.%d",
-- (ip) & 0xff,
-- (ip >> 8) & 0xff,
-+ (ip >> 24) & 0xff,
- (ip >> 16) & 0xff,
-- (ip >> 24) & 0xff);
-+ (ip >> 8) & 0xff,
-+ (ip) & 0xff);
-
- if (index) {
- index=0;
-@@ -134,10 +142,38 @@ - fflush(stdout);
- }
-
-+void log_action(char *msg)
-+{
-+ char timestr[30];
-+ time_t tv;
-+
-+ if (timestamp) {
-+ tv = time(NULL);
-+ strncpy(timestr, ctime(&tv), 19);
-+ timestr[19] = '\0';
-+ strcat(timestr, "| ");
-+ }
-+ else strcpy(timestr, "");
-+
-+ if (log2syslog) {
-+ syslog(LOG_INFO, msg);
-+ }
-+
-+ if (log2file) {
-+ fprintf(logfile,"%s%s",timestr,msg);
-+ fflush(logfile);
-+ }
-+
-+ if (log2stdout) {
-+ fprintf(stdout,"%s%s",timestr,msg);
-+ }
-+}
-+
- inline void ranged_insert(char *name,char *ipmin,char *ipmax)
- {
- recType tmprec;
- int ret;
-+ char msgbuf[255];
-
- if ( strlen(name) > (BNAME_LEN-1) ) {
- strncpy(tmprec.blockname, name, BNAME_LEN);
-@@ -149,10 +185,11 @@ - if ( (ret=insert(ntohl(inet_addr(ipmin)),&tmprec)) != STATUS_OK )
- switch(ret) {
- case STATUS_MEM_EXHAUSTED:
-- fprintf(logfile,"Error inserting range, MEM_EXHAUSTED.\n");
-+ log_action("Error inserting range, MEM_EXHAUSTED.\n");
- break;
- case STATUS_DUPLICATE_KEY:
-- fprintf(logfile,"Duplicated range ( %s )\n",name);
-+ sprintf(msgbuf,"Duplicated range ( %s )\n",name);
-+ log_action(msgbuf);
- break;
- case STATUS_MERGED:
- merged_ranges++;
-@@ -161,8 +198,9 @@ - skipped_ranges++;
- break;
- default:
-- fprintf(logfile,"Unexpected return value from ranged_insert()!\n");
-- fprintf(logfile,"Return value was: %d\n",ret);
-+ log_action("Unexpected return value from ranged_insert()!\n");
-+ sprintf(msgbuf,"Return value was: %d\n",ret);
-+ log_action(msgbuf);
- break;
- }
- }
-@@ -177,15 +215,19 @@ - regex_t regmain;
- regmatch_t matches[4];
- int i;
-+ char msgbuf[255];
-
- regcomp(®main, "^(.*)[:]([0-9.]*)[-]([0-9.]*)$", REG_EXTENDED);
-
- fp=fopen(filename,"r");
- if ( fp == NULL ) {
-- fprintf(logfile,"Error opening %s, aborting...\n", filename);
-+ sprintf(msgbuf,"Error opening %s, aborting...\n", filename);
-+ log_action(msgbuf);
- exit(-1);
- }
- while ( (count=getline(&line,&len,fp)) != -1 ) {
-+ if ( line[0] == '#' ) //comment line, skip
-+ continue;
- for(i=count-1; i>=0; i--) {
- if ((line[i] == '\r') || (line[i] == '\n') || (line[i] == ' ')) {
- line[i] = 0;
-@@ -207,36 +249,78 @@ - line+matches[3].rm_so);
- ntot++;
- } else {
-- fprintf(logfile,"Short guarding.p2p line %s, skipping it...\n", line);
-+ sprintf(msgbuf,"Short guarding.p2p line %s, skipping it...\n", line);
-+ log_action(msgbuf);
- }
- }
- if (line)
- free(line);
- fclose(fp);
-- fprintf(logfile,"Ranges loaded: %d\n",ntot);
-- printf("* Ranges loaded: %d\n",ntot);
-+ sprintf(msgbuf, "* Ranges loaded: %d\n", ntot);
-+ log_action(msgbuf);
-+ if ( !log2stdout )
-+ printf(msgbuf);
- }
-
--void loadlist_pg2(char *filename) // experimental, no check for list sanity
-+void loadlist_pg2(char *filename) // supports only v2 files
- {
- FILE *fp;
-- int i,retval,ntot=0;
-- char name[100],ipmin[16]; // hope we don't have a list with longer names...
-+ int i, j, c, retval=0, ntot=0;
-+ char name[100],ipmin[16], msgbuf[255]; // hope we don't have a list with longer names...
- uint32_t start_ip, end_ip;
- struct in_addr startaddr,endaddr;
-+ size_t s;
-
- fp=fopen(filename,"r");
- if ( fp == NULL ) {
-- fprintf(logfile,"Error opening %s, aborting...\n", filename);
-+ sprintf(msgbuf, "Error opening %s, aborting...\n", filename);
-+ log_action(msgbuf);
- exit(-1);
- }
-
-- fgetc(fp); // skip first 4 bytes, don't know what they are
-- fgetc(fp);
-- fgetc(fp);
-- retval=fgetc(fp);
-+ for (j=0; j<4; j++) {
-+ c=fgetc(fp);
-+ if ( c != 0xff ) {
-+ sprintf(msgbuf,"Byte %d: 0x%x != 0xff, aborting...\n", j+1, c);
-+ log_action(msgbuf);
-+ fclose(fp);
-+ exit(-1);
-+ }
-+ }
-+
-+ c=fgetc(fp);
-+ if ( c != 'P' ) {
-+ sprintf(msgbuf,"Byte 5: %c != P, aborting...\n", c);
-+ log_action(msgbuf);
-+ fclose(fp);
-+ exit(-1);
-+ }
-+
-+ c=fgetc(fp);
-+ if ( c != '2' ) {
-+ sprintf(msgbuf,"Byte 6: %c != 2, aborting...\n", c);
-+ log_action(msgbuf);
-+ fclose(fp);
-+ exit(-1);
-+ }
-
-- while ( retval != EOF ) {
-+ c=fgetc(fp);
-+ if ( c != 'B' ) {
-+ sprintf(msgbuf,"Byte 7: %c != B, aborting...\n", c);
-+ log_action(msgbuf);
-+ fclose(fp);
-+ exit(-1);
-+ }
-+
-+ c=fgetc(fp);
-+ if ( c != 0x02 ) {
-+ sprintf(msgbuf,"Byte 8: version: %d != 2, aborting...\n", c);
-+ log_action(msgbuf);
-+ fclose(fp);
-+ exit(-1);
-+ }
-+
-+ do {
- i=0;
- do {
- name[i]=fgetc(fp);
-@@ -244,9 +328,22 @@ - } while ( name[i-1] != 0x00 && name[i-1] != EOF);
- if ( name[i-1] != EOF ) {
- name[i-1]='\0';
-- fread(&start_ip,4,1,fp);
-- fread(&end_ip,4,1,fp);
-- startaddr.s_addr=start_ip;
-+ s=fread(&start_ip,4,1,fp);
-+ if ( s != 1 ) {
-+ sprintf(msgbuf,"Failed to read start IP: %d != 1, aborting...\n", (int)s);
-+ log_action(msgbuf);
-+ fclose(fp);
-+ exit(-1);
-+ }
-+ s=fread(&end_ip,4,1,fp);
-+ if ( s != 1 ) {
-+ sprintf(msgbuf,"Failed to read end IP: %d != 1, aborting...\n", (int)s);
-+ log_action(msgbuf);
-+ fclose(fp);
-+ exit(-1);
-+ }
-+
-+ startaddr.s_addr=start_ip;
- endaddr.s_addr=end_ip;
- strcpy(ipmin,inet_ntoa(startaddr));
- ranged_insert(name,ipmin,inet_ntoa(endaddr));
-@@ -255,22 +352,25 @@ - else {
- retval=EOF;
- }
-- }
-+ } while ( retval != EOF );
- fclose(fp);
-- fprintf(logfile,"Ranges loaded: %d\n",ntot);
-- printf("* Ranges loaded: %d\n",ntot);
-+ sprintf(msgbuf, "* Ranges loaded: %d\n",ntot);
-+ log_action(msgbuf);
-+ if ( !log2stdout )
-+ printf(msgbuf);
- }
-
- void loadlist_dat(char *filename)
- {
- FILE *fp;
- int ntot=0;
-- char readbuf[200], *name, start_ip[16], end_ip[16];
-+ char readbuf[200], *name, start_ip[16], end_ip[16], msgbuf[255];
- unsigned short ip1_0, ip1_1, ip1_2, ip1_3, ip2_0, ip2_1, ip2_2, ip2_3;
-
- fp=fopen(filename,"r");
- if ( fp == NULL ) {
-- fprintf(logfile,"Error opening %s, aborting...\n", filename);
-+ sprintf(msgbuf,"Error opening %s, aborting...\n", filename);
-+ log_action(msgbuf);
- exit(-1);
- }
-
-@@ -286,38 +386,45 @@ - ntot++;
- }
- fclose(fp);
-- fprintf(logfile,"Ranges loaded: %d\n",ntot);
-- printf("* Ranges loaded: %d\n",ntot);
-+ sprintf(msgbuf, "* Ranges loaded: %d\n", ntot);
-+ log_action(msgbuf);
-+ if ( !log2stdout )
-+ printf(msgbuf);
- }
-
- void reopen_logfile(void)
- {
-+ char msgbuf[255];
-+
- if (logfile != NULL) {
- fclose(logfile);
- logfile=NULL;
- }
- logfile=fopen(logfile_name,"a");
- if (logfile == NULL) {
-- fprintf(stderr, "Unable to open logfile %s\n", logfile_name);
-+ sprintf(msgbuf, "Unable to open logfile %s\n", logfile_name);
-+ log_action(msgbuf);
- exit(-1);
- }
-- fprintf(logfile, "Reopening logfile.\n");
-+ log_action("Reopening logfile.\n");
- }
-
- void my_sahandler(int sig)
- {
-+ char msgbuf[255];
-+
- switch( sig ) {
- case SIGUSR1:
-- fprintf(logfile,"Got SIGUSR1! Dumping stats...\n");
-+ log_action("Got SIGUSR1! Dumping stats...\n");
- ll_show(logfile);
- reopen_logfile();
- break;
- case SIGUSR2:
-- fprintf(logfile,"Got SIGUSR2! Dumping stats to /var/log/MoBlock.stats\n");
-+ log_action("Got SIGUSR2! Dumping stats to /var/log/MoBlock.stats\n");
- ll_log();
- break;
- case SIGHUP:
-- fprintf(logfile,"\nGot SIGHUP! Dumping and resetting stats, reloading blocklist\n\n");
-+ log_action("Got SIGHUP! Dumping and resetting stats, reloading blocklist\n");
- ll_log();
- ll_clear(); // clear stats list
- destroy_tree(); // clear loaded ranges
-@@ -332,17 +439,18 @@ - loadlist_pg2(blocklist_info.filename);
- break;
- default:
-- fprintf(logfile,"Unknown blocklist type while reloading list, contact the developer!\n");
-+ log_action("Unknown blocklist type while reloading list, contact the developer!\n");
- break;
- }
- reopen_logfile();
- break;
- case SIGTERM:
-- fprintf(logfile,"Got SIGTERM! Dumping stats and exiting.\n");
-+ log_action("Got SIGTERM! Dumping stats and exiting.\n");
- ll_log();
- exit(0);
- default:
-- fprintf(logfile,"Received signal = %d but not handled\n",sig);
-+ sprintf(msgbuf,"Received signal = %d but not handled\n",sig);
-+ log_action(msgbuf);
- break;
- }
- }
-@@ -378,7 +486,7 @@ - {
- int id=0, status=0;
- struct nfqnl_msg_packet_hdr *ph;
-- char *payload;
-+ char *payload, msgbuf[255];
- recType tmprec;
-
- ph = nfq_get_msg_packet_hdr(nfa);
-@@ -389,34 +497,78 @@ - switch (ph->hook) {
- case NF_IP_LOCAL_IN:
- if ( find(ntohl(SRC_ADDR(payload)),&tmprec) == STATUS_OK ) {
-+ // we drop the packet instead of rejecting
-+ // we don't want the other host to know we are alive
- status=nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
-- fprintf(logfile,"Blocked IN: %s,hits: %d,SRC: %s\n",tmprec.blockname,tmprec.hits,ip2str(SRC_ADDR(payload)));
-- } else status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
-+ sprintf(msgbuf,"Blocked IN: %s,hits: %d,SRC: %s\n",tmprec.blockname,tmprec.hits,ip2str(SRC_ADDR(payload)));
-+ log_action(msgbuf);
-+ }
-+ else if ( unlikely(accept_mark) ) {
-+ // we set the user-defined accept_mark and set NF_REPEAT verdict
-+ // it's up to other iptables rules to decide what to do with this marked packet
-+ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, accept_mark, 0, NULL);
-+ }
-+ else {
-+ // no accept_mark, just NF_ACCEPT the packet
-+ status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
-+ }
- break;
- case NF_IP_LOCAL_OUT:
- if ( find(ntohl(DST_ADDR(payload)),&tmprec) == STATUS_OK ) {
-- status=nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
-- fprintf(logfile,"Blocked OUT: %s,hits: %d,DST: %s\n",tmprec.blockname,tmprec.hits,ip2str(DST_ADDR(payload)));
-- } else status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
-+ if ( likely(reject_mark) ) {
-+ // we set the user-defined reject_mark and set NF_REPEAT verdict
-+ // it's up to other iptables rules to decide what to do with this marked packet
-+ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, reject_mark, 0, NULL);
-+ }
-+ else {
-+ status = nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
-+ }
-+ sprintf(msgbuf,"Blocked OUT: %s,hits: %d,DST: %s\n",tmprec.blockname,tmprec.hits,ip2str(DST_ADDR(payload)));
-+ log_action(msgbuf);
-+ }
-+ else if ( unlikely(accept_mark) ) {
-+ // we set the user-defined accept_mark and set NF_REPEAT verdict
-+ // it's up to other iptables rules to decide what to do with this marked packet
-+ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, accept_mark, 0, NULL);
-+ }
-+ else {
-+ // no accept_mark, just NF_ACCEPT the packet
-+ status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
-+ }
- break;
- case NF_IP_FORWARD:
- if ( find2(ntohl(SRC_ADDR(payload)), ntohl(DST_ADDR(payload)), &tmprec) == STATUS_OK ) {
-- status=nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
-- fprintf(logfile,"Blocked FWD: %s,hits: %d,SRC: %s, DST: %s\n",
-+ if ( likely(reject_mark) ) {
-+ // we set the user-defined reject_mark and set NF_REPEAT verdict
-+ // it's up to other iptables rules to decide what to do with this marked packet
-+ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, reject_mark, 0, NULL);
-+ }
-+ else {
-+ status = nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
-+ }
-+ sprintf(msgbuf,"Blocked FWD: %s,hits: %d,SRC: %s, DST: %s\n",
- tmprec.blockname, tmprec.hits, ip2str(SRC_ADDR(payload)), ip2str(DST_ADDR(payload)));
-- fflush(logfile);
-- } else status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
-+ log_action(msgbuf);
-+ }
-+ else if ( unlikely(accept_mark) ) {
-+ // we set the user-defined accept_mark and set NF_REPEAT verdict
-+ // it's up to other iptables rules to decide what to do with this marked packet
-+ status = nfq_set_verdict_mark(qh, id, NF_REPEAT, accept_mark, 0, NULL);
-+ }
-+ else {
-+ // no accept_mark, just NF_ACCEPT the packet
-+ status = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
-+ }
- break;
- default:
-- fprintf(logfile,"Not NF_LOCAL_IN/OUT/FORWARD packet!\n");
-+ log_action("Not NF_LOCAL_IN/OUT/FORWARD packet!\n");
- break;
- }
- }
- else {
-- fprintf(logfile,"NFQUEUE: can't get msg packet header.\n");
-+ log_action("NFQUEUE: can't get msg packet header.\n");
- return(1); // from nfqueue source: 0 = ok, >0 = soft error, <0 hard error
- }
-- fflush(logfile);
- return(0);
- }
- #endif
-@@ -492,46 +644,48 @@ - struct nfq_q_handle *qh;
- struct nfnl_handle *nh;
- int fd,rv;
-- char buf[BUFSIZE];
-+ char buf[BUFSIZE], msgbuf[255];
-
- h = nfq_open();
- if (!h) {
-- fprintf(logfile, "Error during nfq_open()\n");
-+ log_action("Error during nfq_open()\n");
- exit(-1);
- }
-
- if (nfq_unbind_pf(h, AF_INET) < 0) {
-- fprintf(logfile, "error during nfq_unbind_pf()\n");
-- exit(-1);
-+ log_action("error during nfq_unbind_pf()\n");
-+ //exit(-1);
- }
-
- if (nfq_bind_pf(h, AF_INET) < 0) {
-- fprintf(logfile, "Error during nfq_bind_pf()\n");
-+ log_action("Error during nfq_bind_pf()\n");
- exit(-1);
- }
-
-- fprintf(logfile,"NFQUEUE: binding to queue '%hd'\n", queuenum);
-+ sprintf(msgbuf,"NFQUEUE: binding to queue '%hd'\n", queuenum);
-+ log_action(msgbuf);
- qh = nfq_create_queue(h, queuenum, &nfqueue_cb, NULL);
- if (!qh) {
-- fprintf(logfile, "error during nfq_create_queue()\n");
-+ log_action("error during nfq_create_queue()\n");
- exit(-1);
- }
-
- if (nfq_set_mode(qh, NFQNL_COPY_PACKET, PAYLOADSIZE) < 0) {
-- fprintf(logfile, "can't set packet_copy mode\n");
-+ log_action("can't set packet_copy mode\n");
- exit(-1);
- }
-
- nh = nfq_nfnlh(h);
- fd = nfnl_fd(nh);
-
-- while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
-+ while ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {
- nfq_handle_packet(h, buf, rv);
- }
-
-- printf("NFQUEUE: unbinding from queue 0\n");
-+ log_action("NFQUEUE: unbinding from queue 0\n");
- nfq_destroy_queue(qh);
- nfq_close(h);
-+ nfq_unbind_pf(h, AF_INET);
- return(0);
- #endif
-
-@@ -540,11 +694,16 @@
- void print_options(void)
- {
- printf("\nMoBlock %s by Morpheus",MB_VERSION);
-- printf("\nSyntax: MoBlock -dnp <blocklist> [-b] [-q 0-65535] <logfile>\n\n");
-+ printf("\nSyntax: MoBlock -dnp <blocklist> [-q 0-65535] <logfile>\n\n");
- printf("\t-d\tblocklist is an ipfilter.dat file\n");
- printf("\t-n\tblocklist is a peerguardian 2.x file (.p2b)\n");
- printf("\t-p\tblocklist is a peerguardian file (.p2p)\n");
- printf("\t-q\t0-65535 NFQUEUE number (as specified in --queue-num with iptables)\n");
-+ printf("\t-r MARK\tmark packet with MARK instead of DROP\n");
-+ printf("\t-a MARK\tmark packet with MARK instead of ACCEPT\n");
-+ printf("\t-l\tlog to stdout\n");
-+ printf("\t-s\tlog to syslog\n");
-+ printf("\t-t\tlog timestamping\n\n");
- }
-
- void on_quit()
-@@ -556,6 +715,7 @@
- {
- int ret=0;
- unsigned short int queuenum=0;
-+ char msgbuf[255];
-
- if (argc < 3) {
- print_options();
-@@ -591,10 +751,11 @@
- }
- logfile_name=malloc(strlen(argv[argc-1])+1);
- strcpy(logfile_name,argv[argc-1]);
-+ log2file = 1;
- printf("* Logging to %s\n",logfile_name);
-
- while (1) { //scan command line options
-- ret=getopt(argc, argv, "d:n:p:q:");
-+ ret=getopt(argc, argv, "d:n:p:q:a:r:stl");
- if ( ret == -1 ) break;
-
- switch (ret) {
-@@ -619,6 +780,28 @@
- case 'q':
- queuenum=(unsigned short int)atoi(optarg);
- break;
-+ case 'r':
-+ reject_mark=(u_int32_t)atoi(optarg);
-+ printf("* DROP MARK: %d\n", reject_mark);
-+ reject_mark=htonl(reject_mark);
-+ break;
-+ case 'a':
-+ accept_mark=(u_int32_t)atoi(optarg);
-+ printf("* ACCEPT MARK: %d\n", accept_mark);
-+ accept_mark=htonl(accept_mark);
-+ break;
-+ case 's':
-+ log2syslog = 1;
-+ printf("* Logging to syslog\n");
-+ break;
-+ case 't':
-+ timestamp = 1;
-+ printf("* Log timestamp enabled\n");
-+ break;
-+ case 'l':
-+ log2stdout = 1;
-+ printf("* Log to stdout enabled\n");
-+ break;
- case '?': // unknown option
- print_options();
- exit(-1);
-@@ -626,10 +809,14 @@
- }
- }
-
-- printf("* Merged ranges: %d\n", merged_ranges);
-- fprintf(logfile, "Merged ranges: %d\n", merged_ranges);
-- printf("* Skipped useless ranges: %d\n", skipped_ranges);
-- fprintf(logfile,"Skipped useless ranges: %d\n", skipped_ranges);
-+ sprintf(msgbuf, "* Merged ranges: %d\n", merged_ranges);
-+ log_action(msgbuf);
-+ if ( !log2stdout )
-+ printf(msgbuf);
-+ sprintf(msgbuf,"* Skipped useless ranges: %d\n", skipped_ranges);
-+ log_action(msgbuf);
-+ if ( !log2stdout )
-+ printf(msgbuf);
- fflush(NULL);
-
- netlink_loop(queuenum);
-diff -Naur MoBlock-0.8_orig/README MoBlock-0.8/README
---- MoBlock-0.8_orig/README 2006-03-22 12:44:31.000000000 -0500
-+++ MoBlock-0.8/README 2007-11-22 08:10:44.000000000 -0500
-@@ -1,5 +1,5 @@
- 
--MoBlock README v0.8
-+MoBlock README v0.9
- http://moblock.berlios.de
- 
- .Introduction.
-@@ -47,6 +47,22 @@
- ip_conntrack 40044 1 ipt_state
- iptable_filter 2176 1
- ip_tables 17600 3 ipt_NFQUEUE,ipt_state,iptable_filter
-+
-+ ...and these with kernel 2.6.23 using NFQUEUE interface:
-+
-+ nfnetlink_queue 9344 1
-+ nfnetlink 4568 2 nfnetlink_queue
-+ ipt_REJECT 3520 2
-+ xt_mark 1600 2
-+ nf_conntrack_ipv4 12424 5
-+ iptable_filter 2308 1
-+ ip_tables 10328 1 iptable_filter
-+ xt_state 1984 5
-+ nf_conntrack 48356 2 nf_conntrack_ipv4,xt_state
-+ xt_NFQUEUE 1664 3
-+ x_tables 11396 5 ipt_REJECT,xt_mark,ip_tables,xt_state,xt_NFQUEUE
-+
-+ (notice that ipt_NFQUEUE has changed to xt_NFQUEUE, same thing for other modules too)
- 
- 2) A valid guarding.p2p/ipfilter.dat/p2p.p2b host file in /etc ( /etc/guarding.p2p ).
- MoBlock tries to skip malformed or duplicate ranges but
-@@ -140,8 +156,18 @@
- To specify a NFQUEUE queue number:
- 
- ./moblock -p /etc/guarding.p2p -q 5 MoBlock.log
-+
-+ From version 0.9 MoBlock supports MARKing packets and RETURN them to
-+ iptables, there's an example start script (MoBlock-nfq-reject.sh) that
-+ uses this feature to REJECT packet instead of dropping them. It can help
-+ in complex firewall configuration where you need more control of packets
-+ flow after MoBlock inspection.
-+ See the mentioned start script for reference, you can set the MARK value
-+ for packets that MoBlock would drop (ip in list) with the "-r" command line
-+ option and for packets that MoBlock would accept (ip not in list) with
-+ the "-a" command line option.
- 
-- To stop it:
-+ To stop MoBlock:
- 
- kill -TERM <MoBlockPid>
- 
-@@ -149,7 +175,7 @@
- To obtain stats about blocked ranges while it's running:
- 
- kill -USR1 <MoBlockPid> # write stats to logfile
-- kill -USR2 <MoBlockPid> # write stats to /var/log/MoBlock.stats
-+ kill -USR2 <MoBlockPid> # write stats to /var/log/MoBlock.stats
- 
- ** NEW: to reload the blocklist while MoBlock is running send to it the
- HUP signal:
-@@ -168,7 +194,10 @@
- took some code and ideas from his FTwall
- - Andrew de Quincey (adq at lidskialf dot net) for regular expressions
- and command line args patch
--- Maximilian Mehnert (clessing at freenet dot de) for logfile rotation
-+- clessing at freenet dot de for logfile rotation
- patches, pid file creation, start script, fixes/files for debian packaging
-+- David Walluck, patch for proper loading of p2b files
-+- jre, for continuing clessing work on debian packaging and many other
-+ contributions
- 
--Last Updated: 20/Mar/2006
-+Last Updated: 15/Oct/2007
-diff -Naur MoBlock-0.8_orig/rbt.c MoBlock-0.8/rbt.c
---- MoBlock-0.8_orig/rbt.c 2006-03-22 12:44:31.000000000 -0500
-+++ MoBlock-0.8/rbt.c 2008-02-10 11:56:08.000000000 -0500
-@@ -19,7 +19,7 @@
- #include <stdarg.h>
- #include <time.h>
- 
--#define RBT_VERSION 0.8
-+#define RBT_VERSION 0.9
- #define BNAME_LEN 80
- 
- /* implementation dependend declarations */
-@@ -421,7 +421,7 @@
- 
- statusEnum insert(keyType key, recType *rec) {
- nodeType *current, *parent, *x;
-- keyType tmpkey;
-+ //keyType tmpkey;
- recType tmprec;
- int ret;
- 
-@@ -433,6 +433,23 @@
- current = root;
- parent = 0;
- while (current != NIL) {
-+ if (compEQ2(current->key, key, rec->ipmax)) { // current node key is inside new range to be inserted
-+ strcpy(tmprec.blockname, rec->blockname); // block name from new range
-+ if (compLT(current->rec.ipmax, rec->ipmax))
-+ tmprec.ipmax = rec->ipmax;
-+ else tmprec.ipmax = current->rec.ipmax;
-+ tmprec.hits = 0;
-+ //printf("deleting node :%lu\n", current->key);
-+ 
ret=delete(current->key);
-+ if ( ret != STATUS_OK )
-+ return(ret);
-+ ret=insert(key, &tmprec);
-+ if ( ret == STATUS_OK ) {
-+ printf("new merge\n");
-+ return(STATUS_MERGED);
-+ }
-+ else return(ret);
-+ }
- if (compEQ(key, current->key)) {
- if ( rec->ipmax > current->rec.ipmax ) {
- current->rec.ipmax=rec->ipmax;
-@@ -458,7 +475,7 @@
- }
- }
- //check if higher ip (ipmax) is already in a range
-- if (compEQ2(rec->ipmax,current->key,current->rec.ipmax)) {
-+ /*if (compEQ2(rec->ipmax,current->key,current->rec.ipmax)) {
- fprintf(logfile,"higher ip in range\n");
- tmpkey=key;
- strcpy(tmprec.blockname,current->rec.blockname);
-@@ -470,7 +487,7 @@
- if ( ret == STATUS_OK )
- return(STATUS_MERGED);
- else return(ret);
-- }
-+ }*/
- parent = current;
- current = compLT(key, current->key) ?
- current->left : current->right;
-@@ -495,7 +512,7 @@
- } else {
- root = x;
- }
--
-+ //printf("new node, key: %lu, parent: %lu\n", x->key, parent ? parent->key : 0);
- insertFixup(x);
- lastFind = NULL;
- 
diff --git a/abs/extra/community/moblock/moblock_include.patch b/abs/extra/community/moblock/moblock_include.patch
deleted file mode 100644
index 644e824..0000000
--- a/abs/extra/community/moblock/moblock_include.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- MoBlock-0.8/MoBlock.c.orig 2008-08-15 14:41:49.000000000 -0400
-+++ MoBlock-0.8/MoBlock.c 2008-08-15 14:43:45.000000000 -0400
-@@ -32,6 +32,7 @@
- #include <netinet/udp.h>
- #include <sys/socket.h>
- #include <arpa/inet.h>
-+#include <limits.h>
- #include <linux/netfilter_ipv4.h>
- #include <signal.h>
- #include <regex.h>
|