before running make. If the package origin points to a non-existent or
stale port, report this package as orphaned, instead of producing more
general `unknown in index' message.
PR: 27707
Submitted by: myself, roamer
Approved by: bmah, markm
- add a pointer to struct mauxtag. two integer was too restrictive
- have m_aux_{add,find}2.
- make sure to return non-cluster on m_pulldown(). this is safer
(but of course less performant) when we have non-loopback L2 code
which throws the mbuf back to input path, like L2 bridging or some
multicast handling code.
Following changed was made by previous commit:
- add a pointer to struct mauxtag. two integer was too restrictive.
- add m_aux_{add,find}2.
- make sure to nuke mbuf pointed to m_aux.
- do not assume that the ro_dst member of route_in6{} is sockaddr_in6.
- repair IPsec header size prediction.
- validate mbuf chain better in {tcp,udp}6_ctlinput.
- loosened validation inner packets of icmp6 errors as much as possible.
- scope-awareness.
- be friendly with pfctlinput2.
- simplified address scope handling in the ctlinput function.
- type change of in6_pcbnotify.
- pass error from ipsec_setsocket() all the way up.
- added comments about why in6p_inputopts should not be copied in
tcp6_input().
- call ip6_copypktopts() in order to copy in6p_outputopts
from a listening PCB to a corresponding accepting one.
- be proactive about unspecified IPv6 source address. pcb layer
uses unspecified address (::) to mean "unbounded" or
"unconnected", and can be confused by packets from outside.
- made consist between tcp and udp in using mappedaddr
- setsockopt(BIND_IPV6ONLY) now works
- deprecated address consideration on TCP SYN.
- get rid of M_ANYCAST6
- use 0/8 to specify interface index on multicast get/setsockopt
- make sure to nuke m->m_aux pointer for ipsec, on if_output.
- pass error from ipsec_setsocket() all the way up.
- move ipsec output processing before filtering section.
- (possible) remote kernel panic fix - out of bounds access on
ill-formed ipopt.
- strict boundary check on ipopt.
- make sure to enforce inbound IPsec policy on all final header.
- add missing ipcomp entry from ipprotosw.
- 127/8 must not appear on wire - RFC1122.
this is rather important as we use weak host model, so outsider
can abuse 127.0.0.1 from outside.
- introduce ipstat.ips_badaddr
- use ipsec_gethist() to prevent packet filters from looking at
decapulated packets.
- remove duplicate 127.0.0.0/8 checking.
want host headers during `buildworld'.
- During `buildworld', install headers in a "copy" mode
until we decide what to do with the (currently broken)
SHARED=symlinks.
- Temporarily run `buildworld' with -DNO_WERROR, which
effectively disabled the -Werror bit of recently added
WARNS=X feature. This is required because adding the
-nostdinc bit back revealed bugs in some header files
that were hiding after not using -nostdinc.
It is unclear currently how exactly (and why) -nostdinc
affects gcc(1) warnings.
This is needed to pick up the right headers. Wrong headers from
src/contrib/ipfilter are used otherwise.
The right fix would be to fix contrib/ipfilter C sources to pick up
headers from <sys/netinet>.
Noticed by: peter
the !(pflag && setfile()) case for regular files unless the copy is
owned by the same user and group. These bits have already been lost
(or never gained) in the correct way. The code didn't actually lose
the bits; it depended on them being lost already (apparently in all
cases) and attempted to gain them as necessary, but it often gained
them (and sometimes collateral bits) when wrong:
- pflag && setfile() == 0 case (i.e., for a successful cp -p):
setfile() copies all the attributes as correctly as possible (as
specified by POSIX), and we sometimes messed up the up the mode by
setting it again. Also, if the file is immutable, then setting the
mode again gave spurious errors (PR 20646).
- !pflag case. If the target is created, POSIX requires it to not
have the set[ug]id bits, but we sometimes copied them from the source.
If the target already exists, POSIX requires its mode to be unchanged,
but we sometimes copied the whole mode from the source.
PR: 20646
MFC after: 4 weeks
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.
TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different
from RFC2407/IANA assignment because of binary compatibility
issue. It should be fixed under 5-CURRENT.
- ip6po_m member of struct ip6_pktopts is no longer used. But, it
is still there because of binary compatibility issue. It should
be removed under 5-CURRENT.
Reviewed by: itojun
Obtained from: KAME
MFC after: 3 weeks
. remove stale comments and a stale #define (from the old days of ft(4))
. make MAX_SEC_SIZE (used in isa_dmainit()) a #define
. fix a typo in a string
. use 0 as the blocksize in devstat_add_entry(), since the actual blocksize
is unknown (devstat(9) suggests to use 0 in that case)
Once again, as explained in my messages to -audit, the ANSIfication comes
as part of the preparation to add a new -d command-line flag to send
output to stdout/stderr. That commit will come in a week, pending any
further comments/objections. For those who have missed the -audit mails,
it's at http://people.FreeBSD.org/~roam/bsd/rarpd/usr.sbin-rarpd-d.patch
Asbestos suit: on ;)
Reviewed by: dd, silence on -audit
MFC after: 1 month
