options used to build ppp.
Currently, this is a no-op and only handles LOCALNAT and LOCALRAD cases.
This will be used for the upcoming ipv6 changes, and allows a shared
man page between OpenBSD and FreeBSD.
conservative default, and actually prompt specifically for inetd rather
than handling it as a side effect of the security profile. Update the
help file to reflect this change.
o Rename "Fascist" to "Extreme" in the source code, to match the names
presented to the user.
o Remove portmap and inetd from profile management. Portmap is now
disabled by default, but automatically turned on if a feature requires
it (such as NFS, etc).
This is an MFC candidate for 4.4-RELEASE.
Reviewed by: freebsd-arch@FreeBSD.org
Approved by: re@FreeBSD.org
MFC after: 2 days
Not much, but it is better than nothing as it discourages
the extremely lazy.
Please read the actual text (the last text was softer than the commit
message about it) before giving me feedback.
Also, in the last commit I also tagged the newly optional elements in
the command line as optional.
WEP IS INSECURE. DO NOT USE IT.
and point people to details on the attack:
http://www.cs.rice.edu/~astubble/wep/wep_attack.html
and recommend people use ipsec instead if possible.
Approved by: kris
Mandoc police: Please do your worst. I'd like to merge similar text
into ancontrol and ifconfig.
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text.
Not only this slows down the mdoc(7) processing significantly, but it also
has an undesired (in this case) effect of disabling hyphenation within the
entire enclosed block.
post-install config, reduce the potential confusion from the existence
of both configTTYs and configTtys by renaming configTTYs to
configEtcTtys. While this is not a C naming conflict, it was probably
a poor choice of names on my part.
into sadb_x_sa2_sequence from sadb_x_sa2_reserved3 in the sadb_x_sa2
structure. Also the output of setkey is changed. sequence number
of the sadb is replaced to the end of the output.
Obtained from: KAME
crash dumps, and make it use sysctl for all data retrievals in the
"live" case (i.e. when not using iostat on a crash dump).
Remove setgid kmem for the iostat executable, it is not needed any
more after these changes.
Reviewed by: ken
- clean_mtab():
Actually use the strdup'd version of the host that we go to the
trouble of creating.
- do_umntall/do_umount:
Don't return success if clnt_create() fails.
Don't access a client pointer after it has been destroyed.
Remember to destroy the authentication information we created.
crypto bits installed and/or NOCRYPTO/NO_OPENSSL is defined. This unfortunately
meants that usr.bin/chkey, usr.bin/newkey and usr.sbin/keyserv have also to
be disconnected.
IMO it is merely a workaround, the proper solution is to move libmp to
src/crypto where it belongs and use libgmp for the cryptoless builds instead.
Missed by: dd
Use '' quotes instead of `' to delimit names of files and packages in
warning and error messages, because it is easier to cut-n-paste name in
question that way (single click) without confusing the shell. And yes,
I know that it is less eye-candy...
MFC after: 1 month
some of the config problems that we've been seeing (where wi0 tries to
allocate 0x138-0x198, for example).
Use err(1,"foo") rather than perror + exit while I'm here.
system installation process. This allows users installing via serial
console to enable serial console login during the installation
process using an un-customized install. The user is not prompted to
modify /etc/ttys during a normal install, but is offered the
opportunity during post-install configuration.
- Introduce configTTYs(), which describes the benefits of editing
/etc/ttys, and asks for confirmation before spawning the editor.
- add configTTYs to the post-install configuration, as well as to
the global configuration index.
by providing the opportunity to edit inetd.conf during the system
installation process. The following modifications were made:
(1) Expand the Anonymous FTP description dialog to indicate that inetd
and ftpd must be enabled before it can be used.
(2) Introduce a new configInetd() pair of dialogs, the first describing
inetd, giving a couple of examples of services that require it, and
hinting at potential risk, then asking the user if they wish to
enable it. The second indicates that inetd.conf must be configured
to enabled specific services, and asks if the user would like to
load inetd.conf into the editor to modify it. Add this
configuration action to the index.
There are some further improvements that might be considered:
(1) Provide a more inetd.conf-specific configuration tool that speaks
inetd.conf(5). However, this is made difficult by the "yet another
configuration format" nature of inetd.conf, as well as its use of
commenting to disable services, rather than an in-syntax way to
disable a service without commenting it out. Submissions here
would probably be welcome.
(2) There's some overlap between settings in the somewhat obtuse
Security Profile mechanism and other settings, including the inetd
setting, and NFS server configuration. As features become
individually tunable, they should probably be removed from the
security profile mechanism. Otherwise, somewhat counter-intuitively,
sysinstall (in practice) queries multiple times whether inetd, nfsd,
etc, should be enabled/disabled. A possible future direction might
be to drive profiles not by degree of paranoia, rather, the set
of services desired. Or simply to remove the Security Profile
mechanism and resort to feature-driven configuration.
Reviewed by: imp, chris, jake, nate, -arch, -stable
When encryption (MPPE) is enabled, WindowsME and Windows98 both
fail because of the extra byte, suggesting that they autheticated
successfully in their log and then dropping the connection, telling
the user that the peer doesn't support compatible encryption
options.
MFC after: 1 week
byte of the packet to contain '\0'.
Windows 98 gets this wrong, dropping garbage into the last byte and
failing authentication.
Now, we notice this and whinge to our log file that we're compensating
for the corrupt data.
will soon return the irq from the pcic bridge in cases where't that's
appropriate.
Note: I've had to disbale -I option for the moment. I've made it easy
to reenable it for people that need it.
MFC After: soon!
doing PPPoE and the default MRU is therefore too big.
When negotiating with win2k, we ask for MRU 1492 and the win2k box
NAKs us saying ``MRU 1492''. This doesn't make sense to me. When
we continue to request MRU 1492, the win2k box eventually REJs our
MRU. This fix allows negotiations to continue at that point,
bringing the link up and potentially allowing the win2k box to send
us frames that are too large. AFAICT this is better than failing
to bring the link up.... probably !
I have no idea how to do the equivalent of ``route get'' or
``ifconfig -a'' under win2k, so I can't tell what MTU it actually
ends up using.
I believe the bug is in win2k (it's certainly mis-negotiating).
I'll MFC given the release engineers permission as code freeze
begins on August 1.
PR: 29277
MFC after: 3 days
inconsistently named "ptmp" and "etc_ptmp". This commit changes
it to "passwd_tmp" for consistency and to match OpenBSD's name
for the variable.
Consulted with: jedgar
once. If they repeat the request (again without the IPADDR option)
ACK it.
I've had reports that some ppp implementations will not assign
themselves an IP number. This should negotiate with such things.
MFC after: 3 days
When reading the code I had to stop, say "ok, what does *these*
modifications of strl*() do? Pull out grep. Oh, not in add/, maybe above
in ../lib/? Yep. So what do they do? Comments above them are misleading,
guess I'll have to read the code. Oh, they just test strl* against the
size and return the result of the test. Now I can continue to read the
code I was.
The uses of s_strl*() then test that result and errx()'s.
Lets think about the "optimized" code I am removing:
In general the compiler pushes the three args to strl* onto the stack and calls
s_strl*. s_strl* has to indirectly access 3 args from the stack. Then push
them on the stack a 2nd time for the real strl* call. s_strl* then pops the
return from strl* off the stack; or moves it from the register it was returned
in, to the register where tests can happen. s_strl* then pops the three
arguments to strl*. Perform the test, push the result of the test, or move it
from the result register to the return value register. The caller to s_strl*
now has to either pop the return value of s_strl* or move it from the return
value register to the test register. The caller then pops the three args to
s_strl* off the stack (the same args that s_strl* itself had to pop off after
the real call to strl*). The s_strl* caller then performs a simular test to
what has already been done, and conditionally jumps. By doing things this way, we've given the compiler optimizer less to work with.
Also, please don't forget the that call to s_strl* has possibly jumped to code
not in the cache due to being far away from the calling code, thus causing a
pipeline stall.
So where is the "optimization" from s_strl*?
It isn't code clarity.
It isn't code execution speed. It isn't code size either.
in the signal handlers which may pose a risk when executable by untrusted
users.
Submitted by: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
MFC After: 3 days
correct the error-checking that was there. With the old code, an error
return from getpwuid(daemon_user) could turn the lpd process into a very
effective fork-bomb...
Reviewed by: freebsd-audit freebsd-print (a little...)
MFC after: 6 days
blown over by the Hurricane and had a house dropped on you by the Tornado.
Now it's time to have your parade rained on by... the Typhoon!
This commit adds driver support for 3Com 3cR990 10/100 ethernet
adapters based on the Typhoon I and Typhoon II chipsets. This is actually
a port of the OpenBSD driver with many hacks by me.
No Virginia, there isn't any support for the hardware crypto yet. However
there is support for TCP/IP checksum offload and VLANs.
Special thanks go to Jason Wright, Aaron Campbell and Theo de Raadt for
squeezing enough info out of 3Com to get this written, and for doing
most of the hard work.
Manual page is included. Compiled as a module and included in GENERIC.
- Declare mtabhead as an extern in mounttab.h and define it only in
mounttab.c.
- Remove shared global `verbose' and instead pass it as a parameter.
- Remove the `mtabp' argument to read_mtab(). It served no purpose
whatsoever, although read_mtab() did use it as a temporary local
variable.
- Don't check for impossible conditions when parsing mounttab, and
do detect zero-length fields.
- Correctly test for strtoul() failures - just testing ERANGE is wrong.
- Include a field name in syslog errors, and avoid passing NULL to
a syslog %s field.
- Don't test if arrays are NULL.
- If there are duplicates when writing out mounttab, keep the last
entry instead of the first, as it will have a later timestamp.
- Fix a few formatting issues.
Update rpc.umntall and umount to match the mounttab interface changes.
- Remove unnecessary and unused local variables.
- Include useful information in error and warning messages.
- Fix the logic for expiring mounttab entries.
- Remove calls to getaddrinfo - the results were not used.
- Simplify some string handling by using snprintf.
- Fix usage.
than the long-standing -w option in NetBSD, so change it before anyone in
FreeBSD gets used to it. For now, -w is still accepted, but prints out
some warnings via syslog.
MFC after: 1 week
Problem 1 is that the config entry hangup flag is zeroed only at
CONNECT_ACTIVE_IND in msghdl.c. If any (other) call is disconnected
after EV_MDO and before CONNECT_ACTIVE_IND, the cleanup routine will
disconnect the in-progress dialout as well, if its hangup flag is
nonzero (which it is likely to be) after the previous incarnation of the
cfg entry. Patch-1 fixes this by clearing the hangup flag as soon as a
cfg entry is reserved for the call.
Submitted by: Juha-Matti Liukkonen <jml@cubical.fi>
Problem 2 is that doing a local hangup (eg. by writing "H" to the
dialout device) to a call which is already disconnected results in isdnd
moving the cfg entry to an illegal state, from which there is no
recovery. This is tricky because there is no way to synchronize local
hangup with the remote end (ie. the callee can always hang up at an
inconvenient time)! Hence, patch-2 alters fsm.c's EV_DRQ state table
such that the local hangup request is processed or ignored in most
states, even for disconnected calls.
Submitted by: Juha-Matti Liukkonen <jml@cubical.fi>
Don't set BINMODE to 500. This is not a setuid program.
Note: the dpt utilities have never been attached to the world and
haven't been compilable for a year or two.
- Lose any stray host bits that a user may have entered when providing
a network number and netmask to the `-a' option for IPv6. This is
corresponding to 1.79 that is for IPv4 only.
MFC after: 1 week
another, unknown option.
Submitted by: Naoki Kobayashi <shibata@geo.titech.ac.jp> and
Harti Brandt <brandt@fokus.gmd.de>, respectively.
Pointy hat to: dd
give an example of how to rotate logs at the beginning of the month.
Although they sound the same, since both of them rotate logs at the
beginning of the day, the former ended up taking place on, e.g., July
31 00:00 instead of the expected July 31 23:59. This is contraty to POLA.
Submitted by: Dan Langille <dan@langille.org>
e->cmd. free_entry() now does the right thing with
partially-initialized structures.
load_entry(): Don't call env_free() on e->envp throughout the routine
before jumping to eof; the free_entry() call at that label will take
care of it. The previous behavior resulted in e->envp being free'd
twice (well, the second time would usually result in a crash, but
that's besides the point); once in load_entry(), and once in
free_entry() after the former called the latter. Also note that the
check added to free_entry() (above) doesn't help, since e->envp wasn't
reset to NULL after env_free().
Submitted by: Mark Peek <mark@whistle.com>
this entire subtree would be in src/contrib, but if that isn't going
to happen at least this has a chance of warning off unsuspecting
committers.
Approved by: wollman
for glue records and forces the glue record to be reloaded from the real NS.
The 5% ttl reduction can cause the glue IN A to timeout before the NS
record in certain situations, such as when the domain owner does not match
up NS records with the NIC. This behavior by domain owners is becoming
more common as primary zone serving iterates through another glue level
(i.e. exodus hosts the master NS's but the customer then redirects the
NS's to the real DNS servers). The result is that named would appear to
work properly for about 40 minutes, and then unexpectedly fail for that
zone. This causes named to behave very inconsistently and a google search
shows that it has obviously frustrated many, many people. So until the bind
guys make named behave consistently (either fail instantly or accomodate the
case), we need to set this option to accomodate the case. The result
will be much more consistent behavior and fewer head-scratching failures.
MFC after: 3 days
receives them from other hosts. This is meant to protect from both
nefarious users (which maybe broke into some remote host that we accept
print jobs from), and broken implementations of lpr on other platforms.
This is done by changing recvjob.c to call the new ctl_renametf()
routine in the new common_source/ctlinfo.[ch] files. This will not
affect jobs coming via lpr on the local machine.
Reviewed by: freebsd-print@bostonradio.org & freebsd-audit
MFC after: 16 days
