blocklist: Revert upstream commit ddf6d71

Upstream commit ddf6d71 ("implement BLOCKLIST_BAD_USER as a "one-count"
failure") introduced BLOCKLIST_BAD_USER with a one-count failure
mechanism.  BLOCKLIST_AUTH_FAIL was implemented with a two-count failure
mechanism.  Since we have been utilizing BLOCKLIST_AUTH_FAIL, the number
of failed attempts now doubles towards the maximum limit (nfails),
giving system administrators the impression that the number of failed
authentication attempts is inaccurate.

Revert this commit until a consensus has been reached.  We do not want
to introduce yet another breaking change with the renaming of the
library.

Approved by:	emaste (mentor)
MFC after:	2 days
This commit is contained in:
Jose Luis Duran
2025-10-11 14:15:03 +00:00
parent 48e64ca13d
commit 4d56eb007b
2 changed files with 28 additions and 22 deletions
+9 -9
View File
@@ -222,19 +222,16 @@ process(bl_t bl)
switch (bi->bi_type) {
case BL_ABUSE:
/*
* If the application has signaled abusive behavior, set the
* number of fails to be two less than the configured limit.
* Fall through to the normal BL_ADD and BL_BADUSER processing,
* which will increment the failure count to the threshhold, and
* block the abusive address.
* If the application has signaled abusive behavior,
* set the number of fails to be one less than the
* configured limit. Fallthrough to the normal BL_ADD
* processing, which will increment the failure count
* to the threshhold, and block the abusive address.
*/
if (c.c_nfail != -1)
dbi.count = c.c_nfail - 2;
dbi.count = c.c_nfail - 1;
/*FALLTHROUGH*/
case BL_ADD:
dbi.count++; /* will become += 2 */
/*FALLTHROUGH*/
case BL_BADUSER:
dbi.count++;
dbi.last = ts.tv_sec;
if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
@@ -263,6 +260,9 @@ process(bl_t bl)
dbi.count = 0;
dbi.last = 0;
break;
case BL_BADUSER:
/* ignore for now */
break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}
+19 -13
View File
@@ -106,20 +106,26 @@ The
.Ar action
parameter can take these values:
.Bl -tag -width ".Dv BLOCKLIST_ABUSIVE_BEHAVIOR"
.It Va BLOCKLIST_BAD_USER
The sending daemon has determined the username presented for
authentication is invalid.
This is considered as one failure count.
.It Va BLOCKLIST_AUTH_FAIL
.It Dv BLOCKLIST_AUTH_FAIL
There was an unsuccessful authentication attempt.
This is considered as two failure counts together.
.It Va BLOCKLIST_ABUSIVE_BEHAVIOR
The sending daemon has detected abusive behavior from the remote system.
This is considered as a total immediate failure.
The remote address will be blocked as soon as possible.
.It Va BLOCKLIST_AUTH_OK
A valid user successfully authenticated.
Any entry for the remote address will be removed as soon as possible.
.It Dv BLOCKLIST_AUTH_OK
A user successfully authenticated.
.It Dv BLOCKLIST_ABUSIVE_BEHAVIOR
The sending daemon has detected abusive behavior
from the remote system.
The remote address should
be blocked as soon as possible.
.It Dv BLOCKLIST_BAD_USER
The sending daemon has determined the username
presented for authentication is invalid.
The
.Xr blocklistd 8
daemon compares the username to a configured list of forbidden
usernames and
blocks the address immediately if a forbidden username matches.
(The
.Dv BLOCKLIST_BAD_USER
support is not currently available.)
.El
.Pp
The