very specific scenarios, and now that we have had net.inet.tcp.blackhole for
quite some time there is really no reason to use it any more.
(second of three commits)
associated changes that had to happen to make this possible as well as
bugs fixed along the way.
Bring in required TLI library routines to support this.
Since we don't support TLI we've essentially copied what NetBSD
has done, adding a thin layer to emulate direct the TLI calls
into BSD socket calls.
This is mostly from Sun's tirpc release that was made in 1994,
however some fixes were backported from the 1999 release (supposedly
only made available after this porting effort was underway).
The submitter has agreed to continue on and bring us up to the
1999 release.
Several key features are introduced with this update:
Client calls are thread safe. (1999 code has server side thread
safe)
Updated, a more modern interface.
Many userland updates were done to bring the code up to par with
the recent RPC API.
There is an update to the pthreads library, a function
pthread_main_np() was added to emulate a function of Sun's threads
library.
While we're at it, bring in NetBSD's lockd, it's been far too
long of a wait.
New rpcbind(8) replaces portmap(8) (supporting communication over
an authenticated Unix-domain socket, and by default only allowing
set and unset requests over that channel). It's much more secure
than the old portmapper.
Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded
to support TI-RPC and to support IPV6.
Umount(8) is also fixed to unmount pathnames longer than 80 chars,
which are currently truncated by the Kernel statfs structure.
Submitted by: Martin Blapp <mb@imp.ch>
Manpage review: ru
Secure RPC implemented by: wpaul
Xircom CreditCard Netwave cnw
Intel PRO/Wireless 2011 (PRISM II) wi
3COM 3CRWE737A (PRISM II) wi
Note: I've had some reports that the latter two cards work, but I've not
been able to get them to work for me.
enable all harvesting options by default since having them on for
devices not present doesn't hurt anything. Leave them on by default
since for the most part they are not producing noticable slowdown,
and are about to get a lot more efficient.
Re-order part of the cheesy entropy process in preparation for
its complete removal.
during the boot process. We're turning it on by default, based on the
actual presence of a configured ethernet card, and/or ppp/tun devices.
Of course, it's easy to disable in rc.conf.
1) blackholes.mail-abuse.org is the same as FEATURE(dnsbl), so specifying
it in the "Other DNS based black hole lists" section leads to confusion of
specifying it twice.
2) Formatting issues. If error diagnostic not enclosed in double quotes,
varius visual artefacts appearse like 1) no space after ; and 2) redundant
space after ? (in CGI request), so I add quotes where needed.
3) FEATURE(dnsbl) directly use error code 550 by default, so I made other
dnsbl variants use the same error code too.
4) Comment relays.* list as "open relays" list, just "other" word is not
explain enough.
Submitted by: ache
and Pentium II, III and IV processors (p2, p3, p4), as well as 'mmx' and
'3dnow' MACHINE_CPU tags as appropriate. In the near future this will
be used to control various ports which have MMX/3dNow optimizations,
instead of the ad-hoc methods currently used.
Reviewed by: peter
libssl, for example), and hide it behind a make.conf option,
WANT_OPENSSL_MANPAGES, instead of having it commented out. We still can't
install these by default because of clobbering of a number of system
manpages with the same name, but they're there for people who want them.
* Rip out MACHINE_CPU stuff from sys.mk and include a new <bsd.cpu.mk>
after we pull in /etc/make.conf. We need to do it afterwards so we can
react to the user setting of the:
* CPUTYPE variable, which contains the CPU type which the user wants to
optimize for. For example, if you want your binaries to only run on an
i686-class machine (or higher), set this to i686. If you want to support
running binaries on a variety of CPU generations, set this to the lowest
common denominator. Supported values are listed in make.conf.
* bsd.cpu.mk does the expansion of CPUTYPE into MACHINE_CPU using the
(hopefully) correct unordered list of CPU types which should be used on
that CPU. For example, an AMD k6 CPU wants any of the following:
k6 k5 i586 i486 i386
This is still an unordered list so the client makefile logic is simple -
client makefiles need to test for the various elements of the set in
decreasing order of priority using ${MACHINE_CPU:M<foo>}, as before.
The various MACHINE_CPU lists are believed to be correct, but should be
checked.
* If NO_CPU_CFLAGS is not defined, add relevant gcc compiler optimization
settings by default (e.g. -karch=k6 for CPUTYPE=k6, etc). Release
builders and developers of third-party software need to make sure not to
enable CPU-specific optimization when generating code intended to be
portable. We probably need to move to an /etc/world.conf to allow the
optimization stuff to be applied separately to world/kernel and external
compilations, but it's not any worse a problem than it was before.
* Add coverage for the ia64/itanium MACHINE_ARCH/CPUTYPE.
* Add CPUTYPE support for all of the CPU types supported by FreeBSD and gcc
(only i386, alpha and ia64 first, since those are the minimally-working
ports. Other architecture porters, please feel free to add the relevant
gunk for your platform).
Reviewed by: jhb, obrien
+ Add support for the new SENDMAIL_MC make.conf knob
+ Add the ability to build .cf files from .mc files
+ Generalize map rebuilding
+ Add the ability to rebuild the aliases file
+ Add the ability to stop, start, and restart sendmail
PR: bin/13759, bin/19897, bin/24397
users should be configuring via m4 now. If set, use m4 to create the .cf
file. Also, if either SENDMAIL_MC or SENDMAIL_CF is set, 'make install' or
'make distribution' in src/etc/sendmail/ will install the appropriate .cf as
/etc/mail/sendmail.cf. This fixes some mergemaster problems.
PR: conf/13016
Makefile to the etc/sendmail Makefile to be consistent with all of the
other /var file creations. In doing so, change the Makefile target from
etc-sendmail.cf to distribution as it installs more than just the sendmail.cf.
pass udp from any 53 to ${oip}
allows an attacker to access ANY local port by simply binding his local
side to 53. The state keeping mechanism is the correct way to allow DNS
replies to go back to their source.
through the use of a new build directive, MACHINE_CPU, which contains a
list of the CPU generations/features for which optimizations are desired.
This feature will be extended to cover the ports tree in the future.
Currently OpenSSL provides optimizations for i386, i586 and i686-class
CPUs. Currently it has not been tested on an i386 or i486.
Teach make(1) to provide sensible defaults for MACHINE_CPU if it is not
defined (namely, the lowest common denominator CPU we support for each
architecture). Currently this is i386 for the i386 architecture and ev4
for the alpha. sys.mk also sets the variable as a last resort for
consistency with MACHINE_ARCH and bootstrapping from very old versions of
make.
Benchmarks show a significant speed increase even in the i386 case, with
additional improvements for i586 and i686 systems. For maximum performance
define MACHINE_CPU=i686 i586 i386 in /etc/make.conf.
Based on a patch submitted by: Mike Silbersack <silby@silby.com>
Reviewed by: current
trigger happy and turn off sendmail_enable entirely (instead of setting
sendmail_flags to -q30m instead). I have seen boxes with things like daily
run reports that have sat in mailq for 5 months. Since /usr/sbin/sendmail
is actually mailwrapper, this should be safe for the other plugins that
provide the sendmail calling interface.
default syslog target for console messages (when enabled in
syslog.conf). Use the same rotation defaults as with
/var/log/messages -- every 100kb of log, compress back logs,
and keep five rotated logs.
o Note: phk also thought it would be useful to force rotation
each boot. This commit does not introduce such a rotation.
Reviewed by: phk
compiled in. This involves a commented out sshd line to match the
remainder of the commented out pam_kerberosIV.so entries. This
doesn't quite restore the correct behavior, as ticket files are
not managed properly, but it's an improvement.
Forgotten by: green
just messages{,.0*} when looking for login failures and refused
connections.
PR: 23415
Mostly submitted by: phk
Convert a few " "s to tabs while I'm here - for consistency.
reference. The sysinstall binary is now in root's standard PATH,
so there's no need for explicit pathing, and there's some value
in a manual page reference.
- ipv6_network_interfaces has all available interfaces to work for
static configuration even if the host is end host. When rtsol is
invoked, singleness of interface is checked.
it at boot time closer to the way we want it to be in the final version.
* Move the default directory to /var/db/entropy
* Run the entropy saving cron job every 11 minutes. This seems
to be a better default, although still bikeshed material.
* Feed /dev/random some cheesy "entropy" from various commands
and files before the disks are mounted. This gives /dev/random
a better chance of running without blocking early.
* Move the reseeding with previously stored entropy to the point
immediately after the disks are mounted.
* Make the harvesting script a little safer in regards to the
possibility of accidentally overwriting something other
than a regular file.
it can be used to reseed at boot time. This will greatly increase
the chances that there will be sufficient entropy available at
boot time to prevent long delays.
For /etc/rc, remove the vmstat and iostat runs from the attempt
to provide some cheesy randomness if the files fail, since
those programs are dynamically linked, and ldd seems to want
some randomness to do its magic.
Guidance and parameters for this project were provided by
Mark Murray, based on the requirements of the Yarrow
algorithm. Some helpful suggestions for implementation
(including the tip about iostat and vmstat) were provided
by Sheldon Hearn. All blame for problems or mistakes is
mine of course.
as the previous line already tells us we are in rc.${MACHINE_ARCH}. This
also allows more syscons configuration messages during startup to fit on
one line.
Reviewed by: dougb
one-way hash functions for authentication purposes. There is no more
"set the libcrypt->libXXXcrypt" nightmare.
- Undo the libmd.so hack, use -D to hide the md5c.c internals.
- Remove the symlink hacks in release/Makefile
- the algorthm is set by set_crypt_format() as before. If this is
not called, it tries to heuristically figure out the hash format, and
if all else fails, it uses the optional auth.conf entry to chose the
overall default hash.
- Since source has non-hidden crypto in it there may be some issues with
having the source it in some countries, so preserve the "secure/*"
division. You can still build a des-free libcrypt library if you want
to badly enough. This should not be a problem in the US or exporting
from the US as freebsd.org had notified BXA some time ago. That makes
this stuff re-exportable by anyone.
- For consistancy, the default in absence of any other clues is md5. This
is to try and minimize POLA across buildworld where folk may suddenly
be activating des-crypt()-hash support. Since the des hash may not
always be present, it seemed sensible to make the stronger md5 algorithm
the default.
All things being equal, no functionality is lost.
Reviewed-by: jkh
(flame-proof suit on)
o Add the removable_interfaces variable for list of removable network
interfaces (PC-card ethernet, wireless network and USB ethernet etc).
o ifconfig_<ifn>_alias0, static_routes_<ifn>, removable_route_flush,
/etc/start_if.<ifn> and /etc/stop_if.<ifn> are support.
o removable_route_flush variable is set to "NO" if you want to use the
machine as gateway using two or more removable network cards. If
static routing is needed use static_routes_<ifn> instead of
static_routes or defaultrouter.
o The optional static_routes_<ifn> variable is likely static_routes.
o /etc/start_if.<ifn> and /etc/stop_if.<ifn> are shell script to be
specified that are called when a card is inserted or removed.
multifunction cards and I recieved reports that the card does not
workd by `config auto'. (MFPAO)
o Remove static assign of the IRQ number.
o Remove two duplicated entries.
o Join some entries using regex and fixed matching order problem.
These changes for boot.flp.
Suggested by: sanpei
distinction between the OS copyright message and the message displayed
gratuitously to each user at login. Because, well, they may be
different, among other things, and boy can a copyright message each
login consume some screen space. If people really want to do this,
they can copy /COPYRIGHT to /etc/COPYRIGHT.
Submitted by: Anders Andersson <anders@codefactory.se>
require the addition of flag 0x80000 to their config line in
pccard.conf(5). This flag is not optional. These Linksys cards will
not be recognized without it.
Reviewed by: imp, iwasaki
Apply a more consistent style to the echo statements in /etc/ scripts.
* Put quotes around each line
* Single quotes for lines with no variable interpolation
* Double quotes if there is
* Capitalize each word that begins a line
* Make echo -n 'Doing foo:' ... echo '.' more of a standard
Also:
* Use rm -f on /var/run/dev.db so if it's not there (devfs) it doesn't error
* Shorten the ldconfig messages so that the default fits on one line
* Test whether /var/msgs/bounds is a link before overwriting it
* Generally futz around with whitespace
* Put quotes around each line
* Single quotes for lines with no variable interpolation
* Double quotes if there is
* Capitalize each word that begins a line
* Make echo -n 'Doing foo:' ... echo '.' more of a standard
No functionality changes
In a few days I will commit a patch which changes vn(4) to use the
disk-minilayer. This will make vn(4) fully DEVFS friendly but have
the side effect that vnconfig needs the vn%d.ctl devices to be able
to configure vn(4).
Please remake your /dev/vn entries with this revision of MAKEDEV if
you don't rung DEVFS already.
from "PCMCIA SCSI MBH1040" to "PCMCIA SCSI MBH10401" "01". They are
based on the spc driver.
This will fix the conflicts of entry with REX-5536AM, REX-9836A,
and ICM PSC-2401 ("MBH10404" ones) which are based on stg driver.
The problem was pointed out in bsd-nomads several times since PAO2 days.
-Comment out the entry for "MBH10401" ones. The spc driver is
not supported yet.
-Add more comment about cards which has broken CIS
(some cards which has tuple of "PCMCIA SCSI MBH10404" "01").
Reported by: takachan@running-dog.net, y-nakaga@nwsl.mesh.ad.jp,
yuki@dayo.ne.jp
Obtained from: discussion in bsd-nomads mailing list
for a hung `daily' run to keep a `weekly' run from happening.
Same for `monthly'. We have always run `weekly' and `monthly' reguardless
of the execution status of `daily'. Until there is some consensus we should
not change the behavior.
On Saturdays, run daily and weekly sequentially, starting at 03:01 am.
This prevents daily and weekly from overlapping, while running weekly as
early as possible (i.e. as soon as daily finishes) to give it time to
finish before monthly starts at 05:30 am.
It's probably possible to do something similar with monthly, making it
run as soon as daily (and possibly weekly, if the first of the month
is a Saturday) finishes, but this is left as an exercise for the reader.
work right when the administrator has modified their runtime environment
in a manner not anticipated by our script.
Requested by: Tom Maher <tardis@ece.cmu.edu>
for a while, but a recent email to -stable suggests it should be spelled
out as the documentation of "password_format" is sparse.
Also add a `des_users' entry.
Submitted by: Sean O'Connell <sean@stat.Duke.EDU>
over the past couple years. The most recent came to the general consensus
that this was the best time, but no one actually made the change, so I'll
don my asbestos undies and dive in.
Please note that this time was chosen with input from people in various
countries with various methods and schedules for switching to and from DST.
There is no perfect time to schedule this job that works for everyone, but
this time both A) Works for more people, and B) Causes problems for fewer
people. And, ultimately, you can always change it if you need to.
ENABLE_SUID_SSH being defined reenable it for those that want it.
This follows discussion favoring the change from September. It
is not usually necessary to be setuid root, possibly less safe,
and less convenient (cannot use $HOSTALIASES, for example).
Submitted by: jedgar
overwriting $PATH, and find mknod $PATH instead of hardcoding /sbin so
that the copy of MAKEDEV on the fixit floppy is usable, since mknod and
expr live in /mnt2/stand when the fixit floppy is running.
Get rid of the sed invokation in release/Makefile that attempts to
delete the PATH setting stuff from MAKEDEV on the fixit floppy. This
hasn't worked since a long ago change to MAKEDEV caused the sed
expression to no longer match.
PR: misc/21241
a) the configured default printer entry might turn out to become a security hole
Although lpd isn't enabled by default in FreeBSD 4 and later versions
bad things might happen because of a simple copy and paste failure:
- fill up root-fs, if /dev/lpt0 doesn't exist
- fill up the spool dir (either root-fs or var-fs) if machine hadn't been
designed as print server
Therefore best decision: if people want printing, then configure both
1. /etc/rc.conf
2. /etc/printcap
the default entry wouldn't have served well all tastes and needs anyway...
design of most of our config files is, to have commented out suggestions
if a service is not active.
b) [Garance]
fix old and wrong documentation:
input filters are possible even if you print to a remote printer
this makes FreeBSDs implementation of lpd currently the best without
having to switch to port monster LPRng ...
c) fix pointer to wrong handbook section for a longer time .. so I doesn't fix the number
I'm only referring to the printing section, otherwise this would have to be fixed several
times, if the chapters should be reordered again ...
d) typo: chose -> choose
Submitted by: me and some suggestions by Garance
Approved by: Eivind and Garance A Drosihn <drosih@rpi.edu> in private e-mail
