2022-10-17 18:02:04 +00:00
|
|
|
/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
|
|
|
|
|
│ vi: set et ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi │
|
|
|
|
|
╞══════════════════════════════════════════════════════════════════════════════╡
|
|
|
|
|
│ Copyright 2022 Justine Alexandra Roberts Tunney │
|
|
|
|
|
│ │
|
|
|
|
|
│ Permission to use, copy, modify, and/or distribute this software for │
|
|
|
|
|
│ any purpose with or without fee is hereby granted, provided that the │
|
|
|
|
|
│ above copyright notice and this permission notice appear in all copies. │
|
|
|
|
|
│ │
|
|
|
|
|
│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │
|
|
|
|
|
│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │
|
|
|
|
|
│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │
|
|
|
|
|
│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │
|
|
|
|
|
│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │
|
|
|
|
|
│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │
|
|
|
|
|
│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │
|
|
|
|
|
│ PERFORMANCE OF THIS SOFTWARE. │
|
|
|
|
|
╚─────────────────────────────────────────────────────────────────────────────*/
|
|
|
|
|
#include "libc/assert.h"
|
|
|
|
|
#include "libc/calls/calls.h"
|
|
|
|
|
#include "libc/calls/struct/sigaction.h"
|
|
|
|
|
#include "libc/calls/struct/sigset.h"
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
#include "libc/calls/struct/sigset.internal.h"
|
2022-10-17 18:02:04 +00:00
|
|
|
#include "libc/calls/struct/timespec.h"
|
2024-07-21 22:54:17 +00:00
|
|
|
#include "libc/ctype.h"
|
2022-10-17 18:02:04 +00:00
|
|
|
#include "libc/dce.h"
|
|
|
|
|
#include "libc/errno.h"
|
|
|
|
|
#include "libc/fmt/conv.h"
|
|
|
|
|
#include "libc/fmt/itoa.h"
|
|
|
|
|
#include "libc/intrin/kprintf.h"
|
|
|
|
|
#include "libc/intrin/safemacros.h"
|
|
|
|
|
#include "libc/mem/mem.h"
|
|
|
|
|
#include "libc/mem/sortedints.internal.h"
|
|
|
|
|
#include "libc/runtime/runtime.h"
|
2024-05-05 06:05:36 +00:00
|
|
|
#include "libc/serialize.h"
|
2022-10-17 18:02:04 +00:00
|
|
|
#include "libc/sock/sock.h"
|
|
|
|
|
#include "libc/sock/struct/sockaddr.h"
|
|
|
|
|
#include "libc/str/str.h"
|
|
|
|
|
#include "libc/sysv/consts/af.h"
|
|
|
|
|
#include "libc/sysv/consts/clock.h"
|
|
|
|
|
#include "libc/sysv/consts/o.h"
|
|
|
|
|
#include "libc/sysv/consts/ok.h"
|
|
|
|
|
#include "libc/sysv/consts/sa.h"
|
|
|
|
|
#include "libc/sysv/consts/sig.h"
|
|
|
|
|
#include "libc/sysv/consts/sock.h"
|
|
|
|
|
#include "libc/sysv/consts/timer.h"
|
2024-05-05 06:05:36 +00:00
|
|
|
#include "libc/time.h"
|
2022-10-19 17:00:29 +00:00
|
|
|
#include "net/http/http.h"
|
2022-10-19 20:10:00 +00:00
|
|
|
#include "net/http/ip.h"
|
2023-07-03 02:57:43 +00:00
|
|
|
#include "third_party/getopt/getopt.internal.h"
|
2022-10-17 18:02:04 +00:00
|
|
|
#include "third_party/musl/passwd.h"
|
|
|
|
|
|
|
|
|
|
#define LOG(FMT, ...) \
|
|
|
|
|
kprintf("%s %s:%d] " FMT "\n", GetTimestamp(), __FILE__, __LINE__, \
|
|
|
|
|
##__VA_ARGS__)
|
|
|
|
|
|
2022-10-20 17:19:27 +00:00
|
|
|
#define DEFAULT_CHAIN "PREROUTING"
|
2022-10-17 18:02:04 +00:00
|
|
|
#define DEFAULT_LOGNAME "/var/log/blackhole.log"
|
|
|
|
|
#define DEFAULT_PIDNAME "/var/run/blackhole.pid"
|
|
|
|
|
#define DEFAULT_SOCKNAME "/var/run/blackhole.sock"
|
2022-10-20 17:19:27 +00:00
|
|
|
#define GETOPTS "C:L:S:P:M:G:W:dh"
|
2022-10-17 18:02:04 +00:00
|
|
|
#define USAGE \
|
|
|
|
|
"\
|
2022-10-19 17:00:29 +00:00
|
|
|
Usage: blackholed [-hdLPSMGW]\n\
|
2022-10-17 18:02:04 +00:00
|
|
|
-h help\n\
|
|
|
|
|
-d daemonize\n\
|
2022-10-20 17:19:27 +00:00
|
|
|
-C CHAIN change iptables chain to insert rules into\n\
|
2022-10-19 17:00:29 +00:00
|
|
|
-W IP whitelist ip address\n\
|
2022-10-17 18:02:04 +00:00
|
|
|
-L PATH log file name (default: " DEFAULT_LOGNAME ")\n\
|
|
|
|
|
-P PATH pid file name (default: " DEFAULT_PIDNAME ")\n\
|
|
|
|
|
-S PATH socket file name (default: " DEFAULT_SOCKNAME ")\n\
|
|
|
|
|
-M MODE socket mode bits (default: 0777)\n\
|
|
|
|
|
-G GROUP socket group name or gid (default: n/a)\n\
|
|
|
|
|
--assimilate change executable header to native format\n\
|
|
|
|
|
--ftrace function call tracing\n\
|
|
|
|
|
--strace system call tracing\n\
|
|
|
|
|
\n\
|
|
|
|
|
Usage:\n\
|
|
|
|
|
sudo blackholed -d # run daemon\n\
|
|
|
|
|
blackhole 1.2.3.4 # anyone can securely ban ips\n\
|
|
|
|
|
\n\
|
|
|
|
|
Protocol:\n\
|
|
|
|
|
Send a 4 byte datagram to the unix socket file containing\n\
|
|
|
|
|
the IPv4 address you want banned encoded using big endian\n\
|
|
|
|
|
a.k.a. network byte order. We ignore these ips: 0.0.0.0/8\n\
|
|
|
|
|
and 127.0.0.0/8 so sending 0 to the socket is a good test\n"
|
|
|
|
|
|
|
|
|
|
#define LINUX_DOCS \
|
|
|
|
|
"\n\
|
|
|
|
|
Linux Requirements:\n\
|
|
|
|
|
sudo modprobe ip_tables\n\
|
|
|
|
|
sudo echo ip_tables >>/etc/modules\n\
|
|
|
|
|
\n\
|
|
|
|
|
Administration Notes:\n\
|
2022-10-20 17:19:27 +00:00
|
|
|
This program inserts IP bans into the prerouting chain in iptables raw\n\
|
|
|
|
|
so that the kernel won't track the TCP connections of threat actors.\n\
|
2022-10-17 18:02:04 +00:00
|
|
|
If you restart this program, then you should run\n\
|
2022-10-20 17:19:27 +00:00
|
|
|
sudo iptables -t raw -F \n\
|
2022-10-17 18:02:04 +00:00
|
|
|
to clear the IP blocks. It's a good idea to have a cron job\n\
|
|
|
|
|
restart this daemon and clear the raw table daily. Use the\n\
|
|
|
|
|
sudo iptables -t raw -L -vn\n\
|
|
|
|
|
command to list the IP addresses that have been blocked.\n\
|
2022-10-20 17:19:27 +00:00
|
|
|
If -C is specified, a chain needs to be created on every system startup\n\
|
|
|
|
|
with the following commands:\n\
|
|
|
|
|
sudo iptables -t raw -N blackholed\n\
|
|
|
|
|
sudo iptables -t raw -A blackholed -j RETURN\n\
|
|
|
|
|
sudo iptables -t raw -I PREROUTING -j blackholed\n\
|
2022-10-17 18:02:04 +00:00
|
|
|
\n"
|
|
|
|
|
|
|
|
|
|
#define BSD_DOCS \
|
|
|
|
|
"\n\
|
|
|
|
|
BSD Requirements:\n\
|
|
|
|
|
kldload pf\n\
|
|
|
|
|
echo 'table <badhosts> persist' >>/etc/pf.conf\n\
|
|
|
|
|
echo 'block on em0 from <badhosts> to any' >>/etc/pf.conf\n\
|
|
|
|
|
echo 'pf_enable=\"YES\"' >>/etc/rc.conf\n\
|
|
|
|
|
echo 'pf_rules=\"/etc/pf.conf\"' >>/etc/rc.conf\n\
|
|
|
|
|
/etc/rc.d/pf start\n\
|
|
|
|
|
pfctl -t badhosts -T add 1.2.3.4\n\
|
|
|
|
|
pfctl -t badhosts -T show\n\
|
|
|
|
|
\n\
|
|
|
|
|
Administration Notes:\n\
|
|
|
|
|
If you restart this program, then you should run\n\
|
|
|
|
|
pfctl -t badhosts -T flush\n\
|
|
|
|
|
to clear the IP blocks. It's a good idea to have a cron job\n\
|
|
|
|
|
restart this daemon and clear the raw table daily. Use the\n\
|
|
|
|
|
pfctl -t badhosts -T show\n\
|
|
|
|
|
command to list the IP addresses that have been blocked.\n\
|
|
|
|
|
\n\
|
|
|
|
|
"
|
|
|
|
|
|
|
|
|
|
int g_logfd;
|
|
|
|
|
int g_sockmode;
|
|
|
|
|
bool g_daemonize;
|
|
|
|
|
uint32_t *g_myips;
|
2022-10-20 17:19:27 +00:00
|
|
|
const char *g_chain;
|
2022-10-17 18:02:04 +00:00
|
|
|
const char *g_group;
|
|
|
|
|
const char *g_pfctl;
|
|
|
|
|
const char *g_logname;
|
|
|
|
|
const char *g_pidname;
|
|
|
|
|
const char *g_sockname;
|
|
|
|
|
const char *g_iptables;
|
|
|
|
|
sig_atomic_t g_shutdown;
|
|
|
|
|
struct SortedInts g_blocked;
|
2022-10-19 17:00:29 +00:00
|
|
|
struct SortedInts g_whitelisted;
|
2022-10-17 18:02:04 +00:00
|
|
|
|
|
|
|
|
static wontreturn void ShowUsage(int fd, int rc) {
|
|
|
|
|
write(fd, USAGE, sizeof(USAGE) - 1);
|
|
|
|
|
if (IsLinux())
|
|
|
|
|
write(fd, LINUX_DOCS, sizeof(LINUX_DOCS) - 1);
|
|
|
|
|
if (IsBsd())
|
|
|
|
|
write(fd, BSD_DOCS, sizeof(BSD_DOCS) - 1);
|
|
|
|
|
_Exit(rc);
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-19 17:00:29 +00:00
|
|
|
char *GetTimestamp(void) {
|
|
|
|
|
struct timespec ts;
|
|
|
|
|
static struct tm tm;
|
|
|
|
|
static int64_t last;
|
|
|
|
|
static char str[27];
|
|
|
|
|
clock_gettime(0, &ts);
|
|
|
|
|
if (ts.tv_sec != last) {
|
|
|
|
|
localtime_r(&ts.tv_sec, &tm);
|
|
|
|
|
last = ts.tv_sec;
|
|
|
|
|
}
|
|
|
|
|
iso8601us(str, &tm, ts.tv_nsec);
|
|
|
|
|
return str;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void GetOpts(int argc, char *argv[]) {
|
2022-10-17 18:02:04 +00:00
|
|
|
int opt;
|
2022-10-19 17:00:29 +00:00
|
|
|
int64_t ip;
|
2022-10-17 18:02:04 +00:00
|
|
|
g_sockmode = 0777;
|
2022-10-20 17:19:27 +00:00
|
|
|
g_chain = DEFAULT_CHAIN;
|
2022-10-17 18:02:04 +00:00
|
|
|
g_pidname = DEFAULT_PIDNAME;
|
|
|
|
|
g_logname = DEFAULT_LOGNAME;
|
|
|
|
|
g_sockname = DEFAULT_SOCKNAME;
|
|
|
|
|
while ((opt = getopt(argc, argv, GETOPTS)) != -1) {
|
|
|
|
|
switch (opt) {
|
|
|
|
|
case 'd':
|
|
|
|
|
g_daemonize = true;
|
|
|
|
|
break;
|
2022-10-20 17:19:27 +00:00
|
|
|
case 'C':
|
|
|
|
|
g_chain = optarg;
|
|
|
|
|
break;
|
2022-10-17 18:02:04 +00:00
|
|
|
case 'S':
|
|
|
|
|
g_sockname = optarg;
|
|
|
|
|
break;
|
|
|
|
|
case 'L':
|
|
|
|
|
g_logname = emptytonull(optarg);
|
|
|
|
|
break;
|
|
|
|
|
case 'P':
|
|
|
|
|
g_pidname = emptytonull(optarg);
|
|
|
|
|
break;
|
|
|
|
|
case 'G':
|
|
|
|
|
g_group = emptytonull(optarg);
|
|
|
|
|
break;
|
|
|
|
|
case 'M':
|
|
|
|
|
g_sockmode = strtol(optarg, 0, 8) & 0777;
|
|
|
|
|
break;
|
2022-10-19 17:00:29 +00:00
|
|
|
case 'W':
|
|
|
|
|
if ((ip = ParseIp(optarg, -1)) != -1) {
|
|
|
|
|
if (InsertInt(&g_whitelisted, ip, true)) {
|
|
|
|
|
LOG("whitelisted %s", optarg);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
kprintf("error: could not parse -W %#s IP address\n", optarg);
|
|
|
|
|
_Exit(1);
|
|
|
|
|
}
|
|
|
|
|
break;
|
2022-10-17 18:02:04 +00:00
|
|
|
case 'h':
|
|
|
|
|
ShowUsage(1, 0);
|
|
|
|
|
default:
|
|
|
|
|
ShowUsage(2, 64);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void OnTerm(int sig) {
|
2023-09-02 03:49:13 +00:00
|
|
|
char tmp[21];
|
2022-10-17 18:02:04 +00:00
|
|
|
LOG("got %s", strsignal_r(sig, tmp));
|
|
|
|
|
g_shutdown = sig;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
char *FormatIp(uint32_t ip) {
|
|
|
|
|
static char ipbuf[16];
|
|
|
|
|
ksnprintf(ipbuf, sizeof(ipbuf), "%hhu.%hhu.%hhu.%hhu", ip >> 24, ip >> 16,
|
|
|
|
|
ip >> 8, ip);
|
|
|
|
|
return ipbuf;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void BlockIp(uint32_t ip) {
|
|
|
|
|
if (!vfork()) {
|
|
|
|
|
if (g_iptables) {
|
|
|
|
|
execve(g_iptables,
|
|
|
|
|
(char *const[]){
|
2023-09-02 03:49:13 +00:00
|
|
|
"iptables", //
|
|
|
|
|
"-t", "raw", //
|
|
|
|
|
"-I", (char *)g_chain, //
|
|
|
|
|
"-s", FormatIp(ip), //
|
|
|
|
|
"-j", "DROP", //
|
|
|
|
|
0, //
|
2022-10-17 18:02:04 +00:00
|
|
|
},
|
|
|
|
|
(char *const[]){0});
|
|
|
|
|
} else if (g_pfctl) {
|
|
|
|
|
execve(g_pfctl,
|
|
|
|
|
(char *const[]){
|
|
|
|
|
"pfctl", //
|
|
|
|
|
"-t", "badhosts", //
|
|
|
|
|
"-T", "add", //
|
|
|
|
|
FormatIp(ip), //
|
|
|
|
|
0, //
|
|
|
|
|
},
|
|
|
|
|
(char *const[]){0});
|
|
|
|
|
}
|
|
|
|
|
_Exit(127);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void RequireRoot(void) {
|
|
|
|
|
if (geteuid()) {
|
|
|
|
|
kprintf("error: need root privileges\n");
|
|
|
|
|
ShowUsage(2, 2);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ListenForTerm(void) {
|
|
|
|
|
struct sigaction sa = {.sa_handler = OnTerm};
|
2023-07-26 20:54:49 +00:00
|
|
|
npassert(!sigaction(SIGTERM, &sa, 0));
|
|
|
|
|
npassert(!sigaction(SIGHUP, &sa, 0));
|
|
|
|
|
npassert(!sigaction(SIGINT, &sa, 0));
|
2022-10-17 18:02:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void AutomaticallyHarvestZombies(void) {
|
|
|
|
|
struct sigaction sa = {.sa_handler = SIG_IGN, .sa_flags = SA_NOCLDWAIT};
|
2023-07-26 20:54:49 +00:00
|
|
|
npassert(!sigaction(SIGCHLD, &sa, 0));
|
2022-10-17 18:02:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void FindFirewall(void) {
|
|
|
|
|
if (!access("/sbin/iptables", X_OK)) {
|
|
|
|
|
g_iptables = "/sbin/iptables";
|
|
|
|
|
} else if (!access("/usr/sbin/iptables", X_OK)) {
|
|
|
|
|
g_iptables = "/usr/sbin/iptables";
|
|
|
|
|
} else if (!access("/sbin/pfctl", X_OK)) {
|
|
|
|
|
g_pfctl = "/sbin/pfctl";
|
|
|
|
|
} else {
|
|
|
|
|
kprintf("error: could not find `iptables` or `pfctl` command\n");
|
|
|
|
|
ShowUsage(2, 3);
|
|
|
|
|
}
|
|
|
|
|
errno = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void OpenLog(void) {
|
|
|
|
|
if (!g_logname)
|
|
|
|
|
return;
|
|
|
|
|
if (!g_daemonize)
|
|
|
|
|
return;
|
|
|
|
|
if ((g_logfd = open(g_logname, O_WRONLY | O_APPEND | O_CREAT, 0644)) == -1) {
|
|
|
|
|
kprintf("error: open(%#s) failed: %s\n", g_logname, strerror(errno));
|
|
|
|
|
ShowUsage(2, 5);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void Daemonize(void) {
|
|
|
|
|
if (g_daemonize && daemon(false, false)) {
|
|
|
|
|
kprintf("error: daemon() failed: %s\n", strerror(errno));
|
|
|
|
|
ShowUsage(2, 4);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void UseLog(void) {
|
2022-10-19 17:00:29 +00:00
|
|
|
if (g_logfd > 0) {
|
2023-07-26 20:54:49 +00:00
|
|
|
npassert(dup2(g_logfd, 2) == 2);
|
2022-10-19 17:00:29 +00:00
|
|
|
if (g_logfd != 2) {
|
2023-07-26 20:54:49 +00:00
|
|
|
npassert(!close(g_logfd));
|
2022-10-19 17:00:29 +00:00
|
|
|
}
|
2022-10-17 18:02:04 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void UninterruptibleSleep(int ms) {
|
2022-11-06 02:49:41 +00:00
|
|
|
struct timespec ts = timespec_add(timespec_real(), timespec_frommillis(ms));
|
2022-10-17 18:02:04 +00:00
|
|
|
while (clock_nanosleep(CLOCK_REALTIME, TIMER_ABSTIME, &ts, 0))
|
|
|
|
|
errno = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void Unlink(const char *path) {
|
|
|
|
|
if (!path)
|
|
|
|
|
return;
|
|
|
|
|
if (!unlink(path)) {
|
|
|
|
|
LOG("deleted %s", path);
|
|
|
|
|
} else {
|
|
|
|
|
if (errno != ENOENT) {
|
|
|
|
|
LOG("error: unlink(%#s) failed: %s", path, strerror(errno));
|
|
|
|
|
}
|
|
|
|
|
errno = 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void WritePid(void) {
|
|
|
|
|
ssize_t rc;
|
|
|
|
|
int fd, pid;
|
|
|
|
|
char buf[12] = {0};
|
|
|
|
|
if (!g_pidname)
|
|
|
|
|
return;
|
|
|
|
|
if ((fd = open(g_pidname, O_RDWR | O_CREAT, 0644)) == -1) {
|
|
|
|
|
LOG("error: open(%#s) failed: %s", g_pidname, strerror(errno));
|
|
|
|
|
_Exit(4);
|
|
|
|
|
}
|
2023-07-26 20:54:49 +00:00
|
|
|
npassert((rc = pread(fd, buf, 11, 0)) != -1);
|
2022-10-17 18:02:04 +00:00
|
|
|
if (rc) {
|
|
|
|
|
pid = atoi(buf);
|
|
|
|
|
LOG("killing old blackholed process %d", pid);
|
|
|
|
|
if (!kill(pid, SIGTERM)) {
|
|
|
|
|
UninterruptibleSleep(100);
|
|
|
|
|
if (kill(pid, SIGKILL)) {
|
|
|
|
|
if (errno != ESRCH) {
|
|
|
|
|
LOG("kill -KILL %s failed: %s", pid, strerror(errno));
|
|
|
|
|
}
|
|
|
|
|
errno = 0;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (errno != ESRCH) {
|
|
|
|
|
LOG("kill -TERM %d failed: %s", pid, strerror(errno));
|
|
|
|
|
}
|
|
|
|
|
errno = 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
FormatInt32(buf, getpid());
|
2023-07-26 20:54:49 +00:00
|
|
|
npassert(!ftruncate(fd, 0));
|
|
|
|
|
npassert((rc = pwrite(fd, buf, strlen(buf), 0)) == strlen(buf));
|
|
|
|
|
npassert(!close(fd));
|
2022-10-17 18:02:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool IsMyIp(uint32_t ip) {
|
|
|
|
|
uint32_t *p;
|
|
|
|
|
for (p = g_myips; *p; ++p) {
|
2022-10-19 20:10:00 +00:00
|
|
|
if (ip == *p && !IsTestnetIp(ip)) {
|
2022-10-17 18:02:04 +00:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int main(int argc, char *argv[]) {
|
|
|
|
|
|
|
|
|
|
if (closefrom(3))
|
|
|
|
|
for (int i = 3; i < 256; ++i) //
|
|
|
|
|
close(i);
|
|
|
|
|
|
|
|
|
|
GetOpts(argc, argv);
|
|
|
|
|
RequireRoot();
|
|
|
|
|
FindFirewall();
|
|
|
|
|
OpenLog();
|
|
|
|
|
Daemonize();
|
|
|
|
|
UseLog();
|
|
|
|
|
WritePid();
|
|
|
|
|
Unlink(g_sockname);
|
|
|
|
|
|
|
|
|
|
if (!(g_myips = GetHostIps())) {
|
|
|
|
|
LOG("failed to get host network interface addresses: %s", strerror(errno));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int server;
|
|
|
|
|
struct sockaddr_un addr = {AF_UNIX};
|
|
|
|
|
strlcpy(addr.sun_path, g_sockname, sizeof(addr.sun_path));
|
|
|
|
|
if ((server = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
|
|
|
|
|
LOG("error: socket(AF_UNIX) failed: %s", strerror(errno));
|
|
|
|
|
_Exit(3);
|
|
|
|
|
}
|
|
|
|
|
if (bind(server, (struct sockaddr *)&addr, sizeof(addr))) {
|
|
|
|
|
LOG("error: bind(%s) failed: %s", g_sockname, strerror(errno));
|
|
|
|
|
_Exit(4);
|
|
|
|
|
}
|
|
|
|
|
if (chmod(g_sockname, g_sockmode)) {
|
|
|
|
|
LOG("error: chmod(%s, %o) failed: %s", g_sockname, g_sockmode,
|
|
|
|
|
strerror(errno));
|
|
|
|
|
_Exit(5);
|
|
|
|
|
}
|
|
|
|
|
if (g_group) {
|
|
|
|
|
int gid;
|
|
|
|
|
struct group *g;
|
|
|
|
|
if (isdigit(*g_group)) {
|
|
|
|
|
gid = atoi(g_group);
|
|
|
|
|
} else if ((g = getgrnam(g_group))) {
|
|
|
|
|
gid = g->gr_gid;
|
|
|
|
|
} else {
|
|
|
|
|
LOG("error: group %s not found: %s", g_group, strerror(errno));
|
|
|
|
|
_Exit(6);
|
|
|
|
|
}
|
|
|
|
|
if (chown(g_sockname, -1, gid)) {
|
|
|
|
|
LOG("error: chmod(%s, -1, %o) failed: %s", g_sockname, g_sockmode,
|
|
|
|
|
strerror(errno));
|
|
|
|
|
_Exit(7);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
AutomaticallyHarvestZombies();
|
|
|
|
|
ListenForTerm();
|
|
|
|
|
|
|
|
|
|
while (!g_shutdown) {
|
|
|
|
|
ssize_t rc;
|
|
|
|
|
uint32_t ip;
|
|
|
|
|
char msg[16];
|
|
|
|
|
|
|
|
|
|
if (!(rc = read(server, msg, sizeof(msg)))) {
|
|
|
|
|
LOG("error: impossible eof", strerror(errno));
|
|
|
|
|
_Exit(6);
|
|
|
|
|
} else if (rc == -1) {
|
|
|
|
|
if (errno == EINTR) {
|
|
|
|
|
errno = 0;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
LOG("error: read failed: %s", strerror(errno));
|
|
|
|
|
continue;
|
|
|
|
|
} else if (rc != 4) {
|
|
|
|
|
LOG("error: read unexpected size of %ld: %s", rc, strerror(errno));
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BLOCK_SIGNALS;
|
|
|
|
|
|
|
|
|
|
if ((ip = READ32BE(msg))) {
|
|
|
|
|
if (IsMyIp(ip) || // nics
|
2022-10-19 17:00:29 +00:00
|
|
|
ContainsInt(&g_whitelisted, ip) || // protected
|
2022-10-17 18:02:04 +00:00
|
|
|
(ip & 0xff000000) == 0x00000000 || // 0.0.0.0/8
|
|
|
|
|
(ip & 0xff000000) == 0x7f000000) { // 127.0.0.0/8
|
|
|
|
|
LOG("won't block %s", FormatIp(ip));
|
|
|
|
|
} else if (InsertInt(&g_blocked, ip, true)) {
|
|
|
|
|
BlockIp(ip);
|
|
|
|
|
LOG("blocked %s", FormatIp(ip));
|
|
|
|
|
} else {
|
|
|
|
|
LOG("already blocked %s", FormatIp(ip));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ALLOW_SIGNALS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (g_shutdown == SIGINT || //
|
|
|
|
|
g_shutdown == SIGHUP) {
|
|
|
|
|
Unlink(g_sockname);
|
|
|
|
|
Unlink(g_pidname);
|
|
|
|
|
}
|
|
|
|
|
}
|
