that is already present in a kernel statically.
For example, the command "mount_msdosfs -L ru_RU.KOI8-R" fails with error
"mount_msdosfs: msdosfs_iconv: File exists" for a kernel having
options LIBICONV and MSDOSFS_ICONV. After this change, it mounts successfully.
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D16951
Previously, route returned 1 in case of error properly signalling failure
but "route -q" it returned 0 for same case. Fix it.
PR: 186333
MFC after: 1 month
Start with a short summary and cover the options in a standard list style.
Organize sections by common focus and prioritize more useful information
closer to the top.
Flesh out authors, history, caveats, and security considerations sections.
Reviewed by: markj, eadler (previous version)
Differential Revision: https://reviews.freebsd.org/D17679
The premise of dumpon -k foo.pem is that dump contents will be confidential
except to anyone holding the corresponding RSA private key.
This guarantee breaks down when weak RSA keys are used. Small RSA keys
(e.g. 512 bits) can be broken on a single personal computer in tractible
time. Marginal RSA keys (768 bits) can be broken by EC2 and a few dollars.
Even 1024 bit keys can probably be broken by sophisticated and wealthy
attackers.
NIST SP800-57 (2016) recommends a minimum of 2048 bit RSA keys, and
estimates this provides 112 bits of security.
It would also be good to protect users from weak values of 'e' (i.e., 3) and
perhaps sanity check that their public key .pem does not accidentally
contain their private key as well. These considerations are left as future
work.
Reviewed by: markj, darius AT dons.net.au (previous version)
Discussed with: bjk
Differential Revision: https://reviews.freebsd.org/D17678
check hash to the superblock. If a check hash fails when an attempt
is made to mount a filesystem, the mount fails with EINVAL (Invalid
argument). This avoids a class of filesystem panics related to
corrupted superblocks. The hash is done using crc32c.
Check hases are added only to UFS2 and not to UFS1 as UFS1 is primarily
used in embedded systems with small memories and low-powered processors
which need as light-weight a filesystem as possible.
Reviewed by: kib
Tested by: Peter Holm
Sponsored by: Netflix
to switch the output method in run-time. Also document some sysctl
variables that can by changed for NAT64 module.
NAT64 had compile time option IPFIREWALL_NAT64_DIRECT_OUTPUT to use
if_output directly from nat64 module. By default is used netisr based
output method. Now both methods can be used, but they require different
handling by rules.
Obtained from: Yandex LLC
MFC after: 3 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D16647
that was added using "new rule format". And then, when the kernel
returns rule with this flag, ipfw(8) can correctly show it.
Reported by: lev
MFC after: 3 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D17373
for already existing interface.
It appeared, that ifconfig(8) assumes `create` keyword as hostname and
tries to resolve it, when `ifconfig ifname create` invoked for already
existing interface. This can produce some unexpected results, when hostname
resolving has successfully happened. This patch adds check for such case.
When an interface is already exists, and create is only one argument,
return error message. But when there are some other arguments, just remove
create keyword from the arguments list.
Obtained from: Yandex LLC
MFC after: 3 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D17171
Exiting with a signal should not be treated the same as successful exit with
zero status.
Return signal exit information to the callers via negative integers, to
enable distinction from normal exit statuses. (All consumers that check for
errors don't care what the exact non-zero exit value is -- in such a case
they print a diagnostic message and either continue or bail.)
Additionally, check for unexpected sources of waitpid() wakeup and bail if
we encounter them.
Reported by: lev@
Reviewed by: kib, lev, markj (earlier version)
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D17035
When we set the ifname we have to copy the string, rather than just keep
the pointer.
PR: 231323
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D17507
The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update because an rc script was touched.
(a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement
of the rc framework with alternatives, such as openrc.
Discussed with: brd (during BSDCam), kmoore
Requested by: cem, bz
PR: 231522
Approved by: re (gjb)
After r273201 it is supported "/{udp,tcp,proto}" suffix into
$firewall_myservices, and in the rc.conf the information is outdated.
Reviewed by: bcr, rgrimes
Approved by: re (gjb), doc (bcr), src (rgrimes)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D17338
mips64 supports COMPAT_FREEBSD32 (for o32 binaries), so run the 32-bit
compat ldconfig on it as well.
Reported by: brooks
Reviewed by: brooks, kib
Approved by: re (gjb)
Differential Revision: https://reviews.freebsd.org/D17342
Since r154114 which introduced ldconfig_local32_dirs, ldconfig -32 was
called with -m. This means that ld-elf32.so.hints paths set is not
cleared for compat32 on boot, unlike ld,so,hints. Same -m was used in
r294295 for ld-elf-soft.so.hints on arm. The patch fixes the
asymmetry.
Noted by: Andreas Longwitz <longwitz@incore.de>
Reviewed by: brooks, emaste, imp
Discussed with: bdrewery
Sponsored by: The FreeBSD Foundation
Approved by: re (gjb)
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D17331
when `ifconfig ipsec create reqid N` command invoked without interface
unit number. The "name" global variable is updated after interface
cloning in the ifclonecreate() and contains actual interface name.
Reported by: lev
Approved by: re (kib)
MFC after: 1 week
Don't add it. This should fix when we do regepx matches against
variables we've set and fix wifi bring up.
PR: 231441
Approved by: re@ (kib)
Differential Revision: https://reviews.freebsd.org/D17267
This leverages CONFS to handle the install.
Approved by: re (blanket, pkgbase), will (mentor)
Differential Revision: https://reviews.freebsd.org/D17217
This is being done a separate step to ease importing into other VCSes.
Approved by: re (gjb), will (mentor)
Differential Revision: https://reviews.freebsd.org/D17160
fasthalt has behaved like reboot, instead of like halt, since r228408
(2011, 10.0-RELEASE). Fix it. One wonders if anyone will notice.
Approved by: re (kib)
MFC after: 3 days
Sponsored by: Dell EMC Isilon
Sample output:
% geom -t
Geom Class Provider
da0 DISK da0
da0 PART da0s1
da0s1 PART da0s1a
ffs.da0s1a VFS
da0s1a DEV
da0s1 DEV
da0 DEV
da1 DISK da1
swap SWAP
da1 DEV
cd0 DISK cd0
cd0 DEV
Reviewed by: oshogbo
Approved by: re (kib)
MFC after: 2 weeks
Relnotes: yes
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D17151
It completely unnecessarily iterates over all filesystems and happens
to be executed a lot e.g. by synth.
Reviewed by: kib
Approved by: re (gjb)
Differential Revision: https://reviews.freebsd.org/D17143
dhclient and ping normally use libcasper services. These are not
available in statically-linked binaries, so when WITHOUT_DYNAMICROOT is
set disable libcasper use, as with rescue builds. Also emit a warning
as it's undesirable to build this way.
Reported by: Michael Dexter
Reviewed by: rgrimes
Tested by: Michael Dexter
Approved by: re (kib)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17074
Use nitems(), do not assume EFI_MD_TYPE_ contiguous allocation, in
particular, switch to use designated array initializers.
Reviewed by: jhb (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Approved by: re (gjb)
Add PersistentMemory to the list of sysctl's known memory types
when decoding an EFI memory map.
Submitted by: D Scott Phillips <d.scott.phillips@intel.com>
MFC after: 1 week
Approved by: re (rgrimes)
And simplify this a little by flattening the directory structure.
Approved by: re (gjb), will (mentor)
Differential Revision: https://reviews.freebsd.org/D16955
In the conversion, the newline got stripped. It worked fine when there
was only one module, but not when there are many. Add back the missing
newline.
Approved by: re@ (kib)
PR: 230868
Differential Revision: https://reviews.freebsd.org/D16895
vermaden (maintainer of beadm) points out the following inconsistencies:
- "missing command" is not printed prior to usage if the error is simply a
missing command; this should be obvious from the context
- "bectl rename" isn't using the "don't unmount" flag (zfs rename -u), so
the active BE can't be renamed. It doesn't make sense in our context to
*not* use -u, so use it.
Documentation updates reflect the above and note an inconsistency with the
'destroy' command that is consistent with other parts of the base system.
A fix for libbe(3) not properly being installed to /lib is included.
SHLIBDIR should have been added when it was moved in r337995.
Approved by: re (kib)
In order to build on a Linux host we need to bootstrap md5 since the Linux
md5sum command produces output in a different format.
Reviewed By: emaste
Approved By: brooks (mentor)
Differential Revision: https://reviews.freebsd.org/D16846
higher bandwidth interfaces. The new value is used above 2.5 Gbps,
which is the highest standard rate that could be used prior to
r338209, so the default behavior for all existing systems should
remain the same.
The value of 128 chosen is a balance between being big enough to
reduce potential precision/quantization effects stemming from frequent
bucket refills over small time intervals and being small enough to
prevent a greedy driver from burst dequeuing more packets than it has
available hardware ring slots for whenever altq transitions from idle
to backlogged.
Reviewed by: jmallett, kp
MFC after: 2 weeks
Sponsored by: RG Nets
Differential Revision: https://reviews.freebsd.org/D16852
devmatch_blacklist is a space separated list of modules (w/o the .ko
or full path) to exclude from devmatch's processing.
Differential Revision: https://reviews.freebsd.org/D16735