auditdistd (distributed audit daemon) to the build:
- Manual cross references
- Makefile for auditdistd
- rc.d script, rc.conf entries
- New group and user for auditdistd; associated aliases, etc.
The audit trail distribution daemon provides reliable,
cryptographically protected (and sandboxed) delivery of audit trails
from live clients to audit server hosts in order to both allow
centralised analysis, and improve resilience in the event of client
compromises: clients are not permitted to change trail contents
after submission.
Submitted by: pjd
Sponsored by: The FreeBSD Foundation (auditdistd)
o Describe passing file descriptors as separate section.
- Descriptors can be passed through any protocol of the UNIX family,
not SOCK_STREAM and SOCK_SEQPACKET only. [1]
o Describe socket options as separate section.
- Move LOCAL_PEERCRED option to this section.
- Describe struct xucred.
- In LOCAL_CREDS section mention that credentials
are passed only on the first read on non-datagram
sockets.
o Xref all mentioned system calls.
Noticed by: Igor Sysoev [1]
provide this information along with messages documentation,
like this is done in manual pages for other netgraph nodes.
Submitted by: Mamontov Roman <mr.xanto gmail.com>
Allow textdumps to be called explicitly from DDB.
If "dump" is called in DDB and textdumps are enabled then abort the
dump and tell the user to turn off textdumps.
Add options TEXTDUMP_PREFERRED to turn textdumps on by default.
Add options TEXTDUMP_VERBOSE to be a bit more verbose while textdumping.
Reviewed by: rwatson
MFC after: 2 weeks
RocketRAID 4500 series.
Many thanks to HighPoint Technologies for their continued support
of FreeBSD!
Submitted by: HighPoint Technologies
MFC after: 3 days
on the related functionality in the runtime via the sysctl variable
net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks
but committing it helps to get everyone on the same page and makes
sure we make progress.
Tinderbox breakages that are the result of this commit are entirely
the committer's fault -- in other words: buildworld testing on amd64
only.
Credits follow:
Submitted by: Garrett Cooper <yanegomi@gmail.com>
Sponsored by: Isilon Systems
Based on work by: keramida@
Thanks to: gnn@, mdf@, mlaier@, sjg@
Special thanks to: keramida@
available to the user. Should be applicable to all branches and versions
where est(4) exists.
thanks to gjb for reviewing and suggesting nits
Reviewed by: gjb@
MFC after: 2 weeks
This is important to secure a small timeframe at boot time, when
network is already configured, but pf(4) is not yet.
PR: kern/171622
Submitted by: Olivier Cochard-Labbé <olivier cochard.me>
reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.
Actual movements:
sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw
The arguable movement is pf/net/*.h -> sys/net. There are
future plans to refactor pf includes, so I decided not to
break things twice.
Not modified bits of pf left in contrib: authpf, ftp-proxy,
tftp-proxy, pflogd.
The ipfw(4) movement is planned to be merged to stable/9,
to make head and stable match.
Discussed with: bz, luigi