code is compiled in to support the O_IPSEC operator. Previously no
support was included and ipsec rules were always matching. Note that
we do not return an error when an ipsec rule is added and the kernel
does not have IPsec support compiled in; this is done intentionally
but we may want to revisit this (document this in the man page).
PR: 58899
Submitted by: Bjoern A. Zeeb
Approved by: re (rwatson)
to sendfile(2) being erroneously automatically restarted after a signal
is delivered. Fixed by converting ERESTART to EINTR prior to exiting.
Updated manual page to indicate the potential EINTR error, its cause
and consequences.
Approved by: re@freebsd.org
using critcal_enter() and critical_exit() to attempt to replace spl*()
calls. The critical section was calling selrecord(), which locks an
MTX_DEF mutex, which is not legal in a critical section.
Tested by: Stefan Ehmann <shoesoft@gmx.net> and "make universe"
Approved by: re (scottl)
nologin(8) C implementation, no more sysinstall(8) security profiles
Modified release notes: Dynamic /bin and /sbin only apply to non-ia64,
BIND 8.3.7 (+ MFC), add old version information to sendmail update
note.
Approved by: re (implicitly)
forced unmount case. Otherwise, a file system that is referenced
only by process fd_cdir/fd_rdir references to the file system root
vnode will be successfully unmounted without the MNT_FORCE flag.
The previous behaviour was not compatible with the unmount semantics
required by amd(8), so file systems could be unexpectedly unmounted
while there were still references to the file system root directory.
Reported by: Erez Zadok <ezk@cs.sunysb.edu>
Approved by: re (scottl)
The altio resource magic no longer worked probably due to other changes
in the kernel. Redo that part so it also fits better into ATAng.
Fix detach so it doesn't panic the system when a pccard device is
yanked.
Approved by: re@
was equal to MAXCPU, we would overrun the pcpu_mtx array because maxcpu
was calculated incorrectly.
- Add some more debugging code so that memory leaks at the time of
uma_zdestroy() are more easily diagnosed.
Approved by: re (rwatson)
permitting the administrator to select a securelevel top operate
at. Include a helpfile summarizing some of the information from
init(8). This allows for explicit configuration of securelevels,
which was previously implicit in Security Profile selection.
Currently, there are no checkboxes for the active securelevel,
because sysinstall's facilities for deriving "current settings"
from rc.conf may use only one variable, not two, and I opted for
the simplest approach at this point.
Approved by: re (scottl)
through branch predict as suggested in INTEL IA32 optimization guide.
2.Allocate siginfo arrary separately to avoid pthread to be allocated at
2K boundary, which hits L1 address alias problem and causes context
switch to be slow down.
3.Simplify context switch code by removing redundant code, code size is
reduced, so it is expected to run faster.
Reviewed by: deischen
Approved by: re (scottl)
in init_main_thread. Also don't initialize lock and lockuser again for initial
thread, it is already done by _thr_alloc().
Reviewed by: deischen
Approved by: re (scottl)
o fix race condition when processing rx descriptors: because we use
a self-linked descriptor at the end of the rx descriptor list to
avoid rx overruns (which can easily happen for 5212 parts that enable
PHY errors) we must carefully check that a descriptor is "done" by
looking ahead to the next descriptor before believing the done bit
in the current descriptor (this is all handled in the HAL since the
rx descriptor format is chip-specific so we need to pass in two
additional parameters--the physical address of the current descriptor
and the virtual address of the next descriptor in the list)
o check copyout return status for SIOCGATHSTATS ioctl
Approved by: re (scottl)
o support for 5112 and 2112 radios on 5212-based products
o revised interface for ah_procRxDesc needed to handle a race
condition created with the use of self-linked rx descriptors
o support for setting the MAC address
o remove some unused methods from the public API
o revised diagnostic API (replace dump* methods with getDiagState)
o const'ify set key cache method parameters
o support for optional 32khz sleep clock
o implement ah_setSlotTime for 5211 parts
o ANI improvements for 5212 parts
Approved by: re (scottl)
mpf are allocated on the stack, which causes this check to falsely trigger.
A new check which takes on-stack mbufs into account will be reintroduced
after 5.2 is out the door.
Approved by: re (watson)
Requested by: many
selection is used to drive two configuration parameters:
(1) Default enable/disable for sshd
(2) Default enable/disable for securelevels
Replace this with an explicit choice to enable/disable sshd. A
follow-up commit will add a configuration option to the Security
post-install configuration menu to set the securelevel in rc.conf
explicitly. This should reduce the level of foot-shooting associated
with accidental enabling of securelevels, make the nature and
implications of the securelevel configuration options more explicit,
as well as make the choice to enable/disable sshd more explicit.
Approved by: re (scottl)
initialization overhead, there's a problem in that we never call
imalloc() and thus malloc_init() for zero-sized allocations. As a
result, malloc(0) returns NULL when it's the first or only malloc in
the program. Any non-zero allocation will initialize the malloc code
with the side-effect that subsequent zero-sized allocations return a
non-NULL pointer. This is because the pointer we return for zero-
sized allocations is calculated from malloc_pageshift, which needs
to be initialized at runtime on ia64.
The result of the inconsistent behaviour described above is that
configure scripts failed the test for a GNU compatible malloc. This
resulted in a lot of broken ports.
Other, even simpler, solutions were possible as well:
1. initialize malloc_pageshift with some non-zero value (say 13 for
8KB pages) and keep the runtime adjustment.
2. Stop using malloc_pageshift to calculate ZEROSIZEPTR.
Removal of the runtime adjustment was chosen because then ia64 is the
same as any other platform. It is not to say that using a page size
obtained at runtime is bad per se. It's that there's currently a high
level of gratuity for its existence and the moment it causes problems
is the moment you need to get rid of it. Hence, it's not unthinkable
that this commit is (partially) reverted some time in the future when
we do have a good reason for it and a good way to achieve it.
Approved by: re@ (rwatson)
Reported by: kris (portmgr@) -- may the ports be with you
truncated. In environments where many tunnel or vlan interfaces are created,
interface names have high numbers which overflow the field width.
PRs: bin/52349, bin/35838
Submitted by: Mike Tancsa, Scot W. Hetzel
Approved by: re (rwatson)
time during the boot process. This is needed in the case where NFS mounts
from servers reachable only via IPSEC are in /etc/fstab.
PR: conf/42497
Submitted by: Volker Stolz
Approved by: re (rwatson)