author: rafan <rafan@FreeBSD.org> 2006-07-27 18:32:56 +0800
committer: rafan <rafan@FreeBSD.org> 2006-07-27 18:32:56 +0800
commit: 7563aa754e85c3911a103584fb72c6064550ea1e (patch)
tree: 42c111496233e8a4e5ad136d8b1b2c5c3ead7235 /security
parent: c53ca3ed84c342e6decdeed76596169e0199c066 (diff)
(c) Rong-En Fan's, http://rafan.infor.org/patch/sshit.diff

In the code, the author uses a two-level hash, and IPC::Shareable will create a shared memory segment for each of those anonymous objects (the second-level hashes). That shared memory will not be removed when sshit exits or when the rule is removed. After running sshit for a period of time, the number of shared memory segments and semaphores will reach the per-process limit, so sshit.pl cannot get more shared memory and quits. The only solution is to manually remove all shared memory segments and semaphores. This is somehow a limitation of using IPC::Shareable.

To work around this problem, the patch removes the associated firewall rules when syslogd closes the fd [1], and uses IPC::Shareable->clean_up to remove all shm/sem created by this process. I also set 'destroy' to 1 so the shm tied to %list can be removed.

The second hunk fixes a typo for ipfw2. Due to this typo, an IP in ipfw2's table cannot be removed. That means once blocked, the client stays blocked until reboot or until the admin cleans up the table.

[1] If any log files are rotated, newsyslog sends a HUP to syslogd; syslogd will close *all* currently open fds and reopen them. At that time, sshit.pl's stdin will be closed, so the main program will exit.

PR: ports/100726
Submitted by: Alex Samorukov <samm at os2.kiev.ua>
Approved by: Jui-Nan Eric Lin <jnlin at csie.NCTU.edu.tw> (maintainer)
Obtained from: rafan
Diffstat (limited to 'security')
-rw-r--r-- security/sshit/Makefile | 1
-rw-r--r-- security/sshit/files/patch-sshit.pl | 39
2 files changed, 40 insertions, 0 deletions
diff --git a/security/sshit/Makefile b/security/sshit/Makefile
index 623f37de90c..1f39f039c51 100644
--- a/security/sshit/Makefile
+++ b/security/sshit/Makefile
@@ -7,6 +7,7 @@
PORTNAME= sshit
PORTVERSION= 0.5
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= http://anp.ath.cx/sshit/ \
${MASTER_SITE_LOCAL}
diff --git a/security/sshit/files/patch-sshit.pl b/security/sshit/files/patch-sshit.pl
new file mode 100644
index 00000000000..39db7a98ffc
--- /dev/null
+++ b/security/sshit/files/patch-sshit.pl
@@ -0,0 +1,39 @@
+--- /usr/ports/security/sshit/work/sshit-0.5/sshit.pl Sat Dec 17 19:40:24 2005
++++ sshit.pl Sat Apr 29 08:39:06 2006
+@@ -232,7 +232,7 @@
+ create => 1,
+ exclusive => 0,
+ mode => 0644,
+- destroy => 0,
++ destroy => 1,
+ );
+
+ $handle = tie %list, 'IPC::Shareable', 'sshi', { %options };
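Review bot: destroy => 1 on the %list tie is what lets the top-level segment go away when this process's tie is undone, but the same option block keeps exclusive => 0, so a second sshit.pl instance that attaches to the existing 'sshi' segment would lose it when the first instance exits; if only one instance is ever expected, a comment next to these options stating that assumption would help. Note also that destroy covers only the %list segment itself; the anonymous second-level hashes described in the commit message still rely on the clean_up call added at the end of the script.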
+@@ -266,7 +266,7 @@
+ {
+ system("$IPFW_CMD delete $list{$ip}{rulenr}");
+ } elsif ($FIREWALL_TYPE =~ /^ipfw2$/i) {
+- system("$IPFW2_CMD table $IPFW_TABLE_NO delete $ip");
++ system("$IPFW2_CMD table $IPFW2_TABLE_NO delete $ip");
+ } elsif ($FIREWALL_TYPE =~ /^pf$/i) {
+ system("$PFCTL_CMD -t $PF_TABLE -Tdelete $ip");
+ }
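Review bot: the $IPFW_TABLE_NO -> $IPFW2_TABLE_NO fix in the ipfw2 branch is correct, but a misspelled global like this is exactly what `use strict 'vars'` rejects at compile time instead of silently interpolating an empty string into the ipfw command; if sshit.pl does not already run under strict, consider declaring the configuration variables with our and enabling it so the other backend branches cannot hide the same class of typo. Separately, each system() here passes one interpolated string to the shell; the list form, e.g. system($IPFW2_CMD, 'table', $IPFW2_TABLE_NO, 'delete', $ip), keeps the address out of shell parsing entirely.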
+@@ -337,3 +337,18 @@
+ }
+ }
+ }
++foreach $ip (keys %list) {
++ if($FIREWALL_TYPE =~ /^ipfw$/i)
++ {
++ system("$IPFW_CMD delete $list{$ip}{rulenr}");
++ } elsif ($FIREWALL_TYPE =~ /^ipfw2$/i) {
++ system("$IPFW2_CMD table $IPFW2_TABLE_NO delete $ip");
++ } elsif ($FIREWALL_TYPE =~ /^pf$/i) {
++ system("$PFCTL_CMD -t $PF_TABLE -Tdelete $ip");
++ }
++ syslog(LOG_ERR, "main removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n");
++ delete($list{$ip});
++}
++
++# clear all SHM
++IPC::Shareable->clean_up;
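Review bot: the new shutdown loop duplicates the three firewall-removal branches from the hunk at line 266 verbatim; factoring them into a single remove_block($ip) helper would keep the two call sites from drifting apart the next time one backend changes. The syslog line in this loop also reports "reset time of $RESET_IP seconds reached", which is not why these rules are being removed here (the script is exiting because its stdin was closed), so the message should say something like "removed block rule ... at shutdown" to keep the log truthful for anyone reviewing it later. Finally, as the commit message notes, clean_up only removes shm/sem created by this process, so segments leaked by earlier runs still need a one-time manual cleanup.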