(See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)
This fulfills the host requirements for userland support by
way of the setsockopt() IP_EVIL_INTENT message.
There are three sysctl tunables provided to govern system behavior.
net.inet.ip.rfc3514:
Enables support for rfc3514. As this is an
Informational RFC and support is not yet widespread
this option is disabled by default.
net.inet.ip.hear_no_evil
If set the host will discard all received evil packets.
net.inet.ip.speak_no_evil
If set the host will discard all transmitted evil packets.
The IP statistics counter 'ips_evil' (available via 'netstat') provides
information on the number of 'evil' packets recieved.
For reference, the '-E' option to 'ping' has been provided to demonstrate
and test the implementation.
- Correct some problems with packet construction.
+--------+------------+----------+-------------+---------+
| | | | | |
| IP Hdr | MINICMPLEN | phdr_len | TIMEVAL_LEN | payload |
| | | | | |
+--------+------------+----------+-------------+---------+
| | | |
|<- IP ->|<------- ICMP -------->|<------ datalen ------>|
My previous changes tried to mess around with 'datalen' instead of
modifying 'phdr_len'.
I'm including this nice ASCII diagram (from Maxim) to further clarify things
in CVS history.
Submitted by: Maxim Konovalov <maxim@macomnet.ru>
when WARNS was increased recently, but __printf0like() has been
temporarily disabled for 8 months.
Fixed related style bugs (disordered declaraction and silly type for
maxpayload -- assume 16-bit ints like the rest of ping.c).
- Use it in atacontrol(8) when listing ATA devices instead of
stopping at the first ENXIO received.
This makes atacontrol list work on my sparc64 where the two ATA
channels I have are numbered 2 and 3.
Reviewed by: sos
This is aimed at creating floppies during cross-releases.
For different endianness machines, a tool like bswapfs(8)
is necessary to make the generated floppies readable on
the target machine. While here, fixed unaligned access
on Alphas.
Tested on: i386, alpha
Notable changes:
- Removed the "disktype" argument from the -B only synopsis
form. This form doesn't touch the disk label, and doesn't
use this argument.
- Fixed the first example in the EXAMPLES section. Support
for compatibility slices has been recently dropped from
the GEOM kernels, and a bit later GEOM became standard.
- Removed the buggy notion from rev. 1.37 that disklabel(8)
may be used to define mount points; it cannot. Improve
some DOS partition / FreeBSD slice wording. Among these,
``dangerously-dedicated slice'' was just a nonsense. ;-)
comes in on is the same interface that we would route out of to get to
the packet's source address. Essentially automates an anti-spoofing
check using the information in the routing table.
Experimental. The usage and rule format for the feature may still be
subject to change.
width of fields for packets and bytes counters.
PR: bin/47196
Reviewed by: -audit
Not objected by: luigi, des
o Use %llu instead of deprecated %qu convert specification for ipfw
packets and bytes counters.
Noted by: des
MFC after: 1 month
upper-case alphabetical characters to lower-case ones, and spaces to dashes.
The person who added this when bringing the code from NetBSD has no idea why
he added it, and nobody on freebsd-fs came up with any cases where the icky
part (the conversion of spaces to underscores) was needed. The removal of
the upper-case conversion follows an even more obvious logic: it avoids any
sort of namespace issues. People using StUdLy caps for filesystem names
deserve everything they get. Otherwise, Efs and efs might be totally different
things, but would use the same fsck. And we don't want that, right? That
just provokes the sort of foot-shooting this would prevent.
If you have problems with this, I'll walk you through using sed on your fstab,
cause the only way you could have problems is if you spelled ufs as "UFS".
Most likely, you haven't done that.
MFC after: 1 month
program allows users in the operator group to take filesystem
snapshots. Its first use will be in support of `dump -L'.
Approved by: Technical Review Board <trb@FreeBSD.org>
Sponsored by: DARPA & NAI Labs.
NSWAPDEV limit.
- Don't warn about devices that are not in use in 'swapoff -a'.
- Re-add behavior mistakenly removed in revision 1.44:
If using 'swapon -a', do not warn if the device is already in use.
PR: 46633
Submitted by: Andy Farkas <andyf@speednet.com.au> (in part)
Reviewed by: mike (mentor)
values for the initial inode generation numbers in newfs and for
newly allocated inode generation numbers in the kernel.
Submitted by: Theo de Raadt <deraadt@cvs.openbsd.org>
Sponsored by: DARPA & NAI Labs.
version of such. Differences in filesystems generated were found to be
from 1) sbwrite with the "all" parameter 2) removal of writecache. The
sbwrite call was made to perform as the original version, and otherwise
this was checked against a version of newfs with the write cache removed.
creates a single file named just "boot".
Apart from the fact that the option "-s" is now gone and that "-b" should
be pointed at /boot/boot instead of /boot/boot1, this patch should be
a no-op.
for the disklabel: This facility is OBE.
First of all, we cannot sensibly implement this in a properly stacked
environment.
Second, if we did, it would confuse the heck out of users who
wouldn't be able to "start from scratch" by dd(8)'ing /dev/zero
onto /dev/da0.
Third, the offered protection is not comprehensive: no other software
would respect it.
Fourth and finally, the disklabel is already protected against
tampering if it controls open partitions.
Uselessness of these options discussed with: peter
answer for the euid. As a result, fix it such that setuid scripts or
programs may call route(8) to do work on their behalf.
Reviewed by: ru
MFC after: 3 days
Submitted by: bde
Do not constantify maximum payload size. It is 65467 with -R
(record route), and 65507 without it.
Reviewed by: silence on -net
Proposed by: bde
I am going to MFC rev.1.77 - 1.81 ping.c and rev.1.39 and 1.40 ping.8:
MFC after: 6 months
to create it. A small number of options are not marshalled as they are things
it would be dumb to spit out, as they are used by internal computations, and
newfs may change them, or they may not be directly apparent.
the three configuration ioctls which need a unit number.
Add a "ccd.ctl" device for config operations.
Implement ioctls on ccd.ctl which rely on the explicityly passed
unit numbers.
Update ccdconfig to use the new ccd.ctl interface.
Add code to the kernel to detect old ccdconfig binaries, and whine
about it.
Add code to ccdconfig to detect old kernels, and whine about it.
These two compatibility measures will be retained only for a limited
period since they are in the way of GEOM'ification of ccd.
the configuration of any other disk-like devices.
This is the non-DEVFS part which is normally not used in 5.x, but due
for MFC into 4.x.
PR: bin/28294, bin/32588
MFC after: 1 week
called -r but it takes 512 byte blocks instead of megabytes, and I felt a
megabytes specification would be far more useful so I did not use the same
option character.
This will *greatly* improve dump performance at the cost of possibly
missing filesystem changes that occur between passes, and does a fairly
good job making up for the loss of buffered block devices. Caching is disabled
by default to retain historical behavior.
In tests, dump performance improved by about 40% when dumping / or /usr.
Beware that dump forks and the cache may wind up being larger then you
specify, but a more complex shared memory implementation would not produce
results that are all that much better so I kept it simple for now.
MFC after: 3 days
default-to-deny firewall. Simply turning off IPFW via a preexisting
sysctl does the job. To make it more apparent (since nobody picked up
on this in a week's worth of flames), the boolean sysctl's have been
integrated into the /sbin/ipfw command set in an obvious and straightforward
manner. For example, you can now do 'ipfw disable firewall' or
'ipfw enable firewall'. This is far easier to remember then the
net.inet.ip.fw.enable sysctl.
Reviewed by: imp
MFC after: 3 days
#include <strings.h>
...
foo = (char *)strdup(...);
To:
#include <string.h>
foo = strdup(...);
because the former segfaults on an ia64 since there is no prototype
for strdup() in strings.h. Converting an "int" to a pointer is fatal.
o Expand variables correctly.
o Set variables for each event.
o rewrite event loop to execute the commands in the config file, rather
than the hard wired generic command
o better(?) debug when running -d
o sort vectors of actions so that we just have to search for the first
one to match rather than the best one that matches.
o better attempts to clear all resources used on 'restart'
o Remove now bogus comments
MFC After: 1 centiyear
swapctl functionality. The idea is to create a swapctl command that is
fairly close to the OpenBSD and NetBSD version. FreeBSD does not implement
swap priority (and it would be a mistake if we did) so we didn't bother with
that part of it.
Submitted by: Eirik Nygaard <eirikn@bluezone.no>
Augmented by: dillon (extensively)
Reviewed by: David Schultz <dschultz@uclink.Berkeley.EDU>
after -p except for the last (the ruleset file to process) to the
preprocessor for interpretation. This allows command-line options besides
-U and -D to be passed to cpp(1) and m4(1) as well as making it easier to
use other preprocessors.
Sponsored By: NTT Multimedia Communications Labs
MFC after: 1 week
Make sure sector zero is protected if it contains metadata.
Lower WARNS for gbde to 3 on non-i386 archs. rijndael-fst is evil
but appearntly does the right thing and passes the test-vectors.
MFC Candidate.
for request sizes larger than the sectorsize or for multi-key setups.
See warning mailed to current@ for details of recovery.
Found by: Marcus Reid <marcus@blazingdot.com>