This is the second of two commits; bring in the userland support to finish.
Teach libipsec and setkey about the tcp-md5 class of security associations,
thus allowing administrators to add per-host keys to the SADB for use by
the tcpsignature_compute() function.
Document that a single SPI must be used until such time as the code which
adds support to the SPD to specify flows for tcp-md5 treatment is suitable
for production.
Sponsored by: sentex.net
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
systems define power/sleep buttons in both places but only deliver
notifies to the ones defined in the AML.
Also, reduce length of various function handler names.
PR:
Submitted by:
Reviewed by:
Approved by:
Obtained from:
MFC after:
pci-hi/med/lo + node 'interrupts' property. This worked by
accident until recent notebooks required correct operation.
Tested by: Suleiman Souhlal <refugee@segfaulted.com>
routines to do anything except return error if the miniport adapter context
is not set (meaning we either having init'ed the driver yet, or the
initialization failed).
Also, be sure to NULL out the adapter context along with the
miniport characteristics pointers if calling the MiniportInitialize()
method fails.
These files had tags after the copyright notice,
inside the comment block (incorrect, removed),
and outside the comment block (correct).
Approved by: rwatson (mentor)
These files had tags after teh copyright notice,
inside the comment block (incorrect, removed),
and outside the comment block (correct).
Approved by: rwatson (mentor)
These files had tags after the copyright notice,
inside the comment block (incorrect, removed),
and outside the comment block (correct).
Approved by: rwatson (mentor)
the added comment for low-level details.) The effect of this race
condition is a panic "vm_page_cache: caching a dirty page, ..."
Reviewed by: tegge
MFC after: 7 days
ever since rev. 1.1 of bootpd.c.
While I'm here, rearrange the synopsis a bit: sort the options and
clarify that -i and -s are mutually exclusive.
Reported by: Atanas Buchvarov <nasko@nove.bg>
MFC after: 3 days
created with the same name, and vice versa:
- Immediately recycle vnodes of files & directories that have been deleted
or renamed.
- When looking an entry in the VFS name cache or smbfs's private
cache, make sure the vnode type is consistent with the type of file
the server thinks it is, and re-create the vnode if it isn't.
The alternative to this is to recycle vnodes unconditionally when their
use count drops to 0, but this would make all the caching we do
mostly useless.
PR: 62342
MFC after: 2 weeks
What it is:
A library for reading and writing various streaming archive
formats, especially tar and cpio. Being a library, it should
be easy to incorporate into pkg_* tools, sysinstall, and any
other place that needs to read or write such archives.
Features:
* Full automatic detection of both compression and archive format.
* Extensible internal architecture to make it easy to add new formats.
* Support for "pax interchange format," a new POSIX-standard tar format
that eliminates essentially all of the restrictions of historic formats.
* BSD license
Thanks to: jkh for pushing me to start this work, gordon for
encouraging me to commit it, bde for answering endless style
questions, and many others for feedback and encouragement.
Status: Pretty good overall, though there are still a few rough edges and
the library could always use more testing. Feedback eagerly solicited.
The default is to be backwards compatible and non-KNF (use the same
indentation for locals as for globals; -ldi0 gives KNF indentation
for locals (none)). The indentation for globals also applies to struct
member names in local declatations. The indentation of variable names
in multi-line declarations is broken in various ways and this commit
gives some new variations.
indent.1:
Also clarified the description of -di<N>.
nonzero (so that the 1-char indentation given by -di0 is never rendered
by a tab).
Removed garbage commented out code for setting the indentation of variable
names.
worse than useless because it caused things like mangling of
"^int\tfoo" to "int foo" (this for N = 8). This quick fix breaks
the invariant that characters between s_code and e_code have width 1,
but nothing seems to depend on this.
was mangled to "struct foo * bar". There should be an option to control
this, but no space is normal. This finishes fixing the bugs in rev.1.4.
indent(1) still doesn't really understand types in parameter lists. It
thinks keywords inside parentheses are for casts or sizeofs. This works
accidentally for scalar types and this quick fix makes it work similarly
but not so accidentally for struct/union/enum types.
- Factor out common settings and put them in an upper level Makefile.inc.
- Properly use PROG for real programs, not their products.
- Further reduce diffs to i386 versions.
Tested on: sparc64 (panther)
- Now that bsd.prog.mk deals with programs linked with -nostdlib
better, and has a notion of an "internal" program, use PROG
where possible. This has a good impact on the contents of
.depend files and causes programs to be linked with cc(1).
XXX: boot2 couldn't be converted as it's actually two programs.
Tested on: i386, amd64
- Don't put libc.a as a dependency if program is linked with -nostdlib.
- Added INTERNALPROG (by analogy to INTERNALLIB) for programs which are
built only for its side effect and shold not be installed.
