Commit Graph

1115 Commits

Author SHA1 Message Date
Dag-Erling Smørgrav
2a31bde3cd Load the pfsync module if necessary.
Reviewed by:	glebius@
MFC after:	1 week
2013-02-05 12:18:39 +00:00
Hajimu UMEMOTO
e695500d3c Use the default policy table of RFC 6724.
MFC after:	1 weeks
2013-02-02 18:08:09 +00:00
Bjoern A. Zeeb
4f22608e54 Add a conditional sleep 1 in case we add any IPv6 addresses to interfaces.
Do this per jail started, not per address.  This will allow DAD to complete
and services to properly start.   Before we have seen problems with services
trying to start before the IPv6 address was available to use and thus
erroring and failing to start.

MFC after:	3 days
2013-01-17 01:27:39 +00:00
Pawel Jakub Dawidek
349d039bdb - When checking if a dump exists on the given device there is no need to
provide dump directory. Eliminate this redundant argument. This changes
  the usage, but the only risk here is that a warning will be printed
  about directory given as device.

- Update usage of -C option.

- When clearing dump header from the given device there is also no need to
  provide dump directory, although additional arguments for -c were not
  documented.

- Document that -v can be used with -c and that list of devices can be given.

Obtained from:	WHEEL Systems
2012-12-14 15:12:08 +00:00
Xin LI
da178c777f Teach sysctl(8) about parsing a file (while I'm there also give it
capability of parsing both = and : formats).

Submitted by:	hrs (initial version, bugs are mine)
MFC after:	3 months
2012-12-13 23:32:47 +00:00
Pawel Jakub Dawidek
33da94038e Fix the location of auditdistd configuration file.
Reported by:	Johan Hendriks <joh.hendriks@gmail.com>
2012-12-13 09:41:32 +00:00
Robert Watson
16648b4fff Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
auditdistd (distributed audit daemon) to the build:

- Manual cross references
- Makefile for auditdistd
- rc.d script, rc.conf entrie
- New group and user for auditdistd; associated aliases, etc.

The audit trail distribution daemon provides reliable,
cryptographically protected (and sandboxed) delivery of audit tails
from live clients to audit server hosts in order to both allow
centralised analysis, and improve resilience in the event of client
compromises: clients are not permitted to change trail contents
after submission.

Submitted by:	pjd
Sponsored by:	The FreeBSD Foundation (auditdistd)
2012-12-01 15:11:46 +00:00
Hiroki Sato
a2aa7473f3 Fix condition to check if the maximum number of FIBs is greater than 0 or not.
Spotted by:	zont
2012-11-18 11:22:15 +00:00
Hiroki Sato
73d473aecf Use -fib N modifier to add/delete a route to/from multiple FIBs. 2012-11-17 21:44:02 +00:00
Eitan Adler
d207a5583c Only pass ip[46].addr when _addrl contains a value
Submitted by:	crees
Reviewed by:	Mike Jakubik <mike.jakubik@intertainservices.com>
Approved by:	cperciva
MFC after:	2 weeks
2012-11-15 15:06:15 +00:00
Hiroki Sato
859aa11dce Load ipdivert.ko when natd_enable=YES.
PR:	conf/167566
2012-10-29 06:31:51 +00:00
Hiroki Sato
274b8658fc Fix an issue when ipv6_enable=YES && ipv6_gateway_enable=YES which could
prevent rtadvd(8) from working as intended.

Spotted by:	brian
Discussed with:	brian
2012-10-27 17:06:26 +00:00
Brian Somers
7c88121831 Enable "accept_rtadvd" on interfaces running rtadvd.
Without this, rtadvd runs but never advertises a default (IPv6) route.

MFC after:	1 week
2012-10-25 08:37:08 +00:00
Andriy Gapon
07dddf4e84 rc.d/power_profile: use recently added Cmax for cx_lowest
Trying to determine current lowest C-state after an AC event is racy
with C-states actually being changed by ACPI platform and kernel driver.

MFC after:	3 weeks
2012-09-11 06:25:10 +00:00
David E. O'Brien
8801556beb Simply things so that "#REQUIRE: FILESYSTEMS" means the file
systems are fully "ready to go".

'FILESYSTEMS' states: "This is a dummy dependency, for services which
require file systems to be mounted before starting."  However, we have
'var' which is was run after 'FILESYSTEMS' and can mount /var if it
already isn't mounted.  Furthermore, several scripts cannot use /var
until 'cleanvar' has done its thing.  Thus "FILESYSTEMS" hasn't really
meant all critical file systems are fully usable.
2012-09-11 05:04:59 +00:00
David E. O'Brien
7e71f1e85c Add postrandom. 2012-09-11 04:53:32 +00:00
Dag-Erling Smørgrav
c2b4a4036b Add a configtest command.
Submitted by:	gjb@
MFC after:	1 week
2012-09-04 21:56:16 +00:00
David E. O'Brien
203b2f2fa4 * Rather than run the same 'ps' command twice, add 'kenv' which often
gives machine unique values from the firmware.
* The kernel is more likely to be unique than /bin/ls (but no need to
  stuff many megabytes into /dev/random, so hash it).
* Change ordering to give larger variance across reboots to reduce
  predictability.
2012-09-04 21:47:09 +00:00
David E. O'Brien
b8ea11cf79 Correct style. 2012-08-22 23:44:12 +00:00
David E. O'Brien
b7aeb5b281 * Reinstate r128059's consumption of our best entropy first.
r128060 for "hardware-supplied entropy" reversed this without reason,
  seems a typo.
* Isolate "better than nothing" implementation to a function.

Submitted by:	obrien & Arthur Mesh <arthurmesh@gmail.com>
Sponsored by:	Juniper Networks
2012-08-22 23:37:24 +00:00
David E. O'Brien
2719ba5d0f The entire comment block is now spell checked this time -- I promise. 2012-08-22 22:34:55 +00:00
Xin LI
9130580bbd Allow - be used in the name of a provider. Without this change it's not
possible to specify a gptid in geli_devices.
2012-08-22 22:17:35 +00:00
David E. O'Brien
89e7132797 Fix comment misspelling.
Submitted by:	kargl
2012-08-22 20:56:53 +00:00
David E. O'Brien
a23ec70a4e Depend on the new 'postrandom' instead of random.
We need to limit the amount of time between consuming the entropy seeds
and removing it in case of a kernel panic.
2012-08-22 18:49:02 +00:00
David E. O'Brien
7e7fd6c88d Remove old entropy seeding after consumption initializing /dev/random PRNG.
Not doing so opens us up to replay attacks.

Submitted by:	Arthur Mesh <arthurmesh@gmail.com>
Sponsored by:	Juniper Networks
2012-08-22 18:43:21 +00:00
David E. O'Brien
849d3c12df Add dependencies based on security(7). 2012-08-22 18:35:17 +00:00
Jun Kuriyama
9b9bfdcc30 - Allow to pass extra parameters for each jails.
- To achieve above, convert jail(8) invocation to use new style
  command line "-c" flag.

Reviewed at:	freebsd-jail@
2012-08-19 08:15:32 +00:00
Devin Teske
41e0047a15 Revert SVN r238628 (mistake). 2012-07-19 22:41:00 +00:00
Devin Teske
f316f2c30c Fix syntax errors (s/:=/:-/).
Reviewed by:	emaste (mentor)
Approved by:	emaste (mentor)
MFC after:	3 days
2012-07-19 22:33:13 +00:00
Maksim Yevmenkin
78cf63fc10 Allow to specify no source-address-selection policy
MFC after:	1 week
2012-07-19 15:36:36 +00:00
Dag-Erling Smørgrav
d256f21a9a Move -n ${_jail} before ${_flags} so that any -n options in ${_flags}
will override ours instead of the other way around.
2012-07-18 23:01:23 +00:00
Brooks Davis
ba7f643097 MFP4 214344:
Tighten the regular expression that checks for an md /tmp such that
no /tmp mount and an md / isn't improperly matched.

Sponsored by:	DARPA/AFRL
2012-07-13 20:10:59 +00:00
Kevin Lo
1424b561e1 Whitespace nit 2012-07-13 06:46:09 +00:00
Hiroki Sato
ef23194991 - Add IFT_L2VLAN (vlan(4)) support.
- Add -P option to support PID file.  When -a is specified /var/run/rarpd.pid
  is used, and when an interface is specified /var/run/rarpd.<ifname>.pid is
  used by default.
2012-07-09 08:11:16 +00:00
Hiroki Sato
8efbd296e0 Make ipfw0 logging pseudo-interface clonable. It can be created automatically
by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.

Discussed on:	freebsd-ipfw@
2012-07-09 07:16:19 +00:00
Dag-Erling Smørgrav
7f8492ba48 Name jails automatically.
MFC after:	1 week
2012-07-04 13:37:44 +00:00
Sean Bruno
55fb7f3673 Revert r238004 as more review has come in and there is now a discussion
on how to best proceed.
2012-07-02 17:55:29 +00:00
Sean Bruno
7402aad3c7 Cosmetic display change of Cx states via cx_supported sysctl entries.
Adjust power_profile script to handle the new world order as well.

Some vendors are opting out of a C2 state and only defining C1 & C3.  This
leads the acpi_cpu display to indicate that the machine supports C1 & C2
which is caused by the (mis)use of the index of the cx_state array as the
ACPI_STATE_CX value.

e.g. the code was pretending that cx_state[i] would
always convert to i by subtracting 1.

cx_state[2] == ACPI_STATE_C3
cx_state[1] == ACPI_STATE_C2
cx_state[0] == ACPI_STATE_C1

however, on certain machines this would lead to
cx_state[1] == ACPI_STATE_C3
cx_state[0] == ACPI_STATE_C1

This didn't break anything but led to a display of:
 * dev.cpu.0.cx_supported: C1/1 C2/96

Instead of
 * dev.cpu.0.cx_supported: C1/1 C3/96

MFC after:	2 weeks
2012-07-02 16:57:13 +00:00
Stanislav Sedov
51506f39f4 - Change kfd rc script to be more conformant with rcNG conventions:
o change rcname to kfd;
  o move mandatory options to command_args;
  o add missing "shutdown" keyword;
  o fix require line.  Kfd doesn't really need to be started before
    daemons.

Suggested by:	dougb
2012-05-06 20:46:04 +00:00
John Baldwin
b8cb2346fc - Don't log messages saying that accounting is being disabled and enabled
if the accounting log file is atomically replaced with a new file
  (such as during log rotation).
- Simplify accounting log rotation a bit.  There is no need to re-run
  accton(8) after renaming the new log file to it's real name.

PR:		kern/167321
Tested by:	Jeremy Chadwick
2012-05-02 14:25:39 +00:00
Stanislav Sedov
7e2d4dcd24 - Add rc.d script for kfd, kerberos forwarded tickets daemon. 2012-04-10 09:27:41 +00:00
Bjoern A. Zeeb
9f0b9a0853 Rather than printing the output from route add for all FIBs just print them
for the default FIB followed by a statement with a list of FIB numbers for
all the other FIBs we install the routes for.

Request by:	kib (to make it less noisy)
Tested by:	kib
MFC after:	3 days
2012-03-04 18:53:35 +00:00
Bjoern A. Zeeb
9dba179d5e IFC @231845
Sponsored by:	Cisco Systems, Inc.
2012-02-17 00:27:48 +00:00
Doug Barton
20ceedfb69 Fix various issues with the NFS and RPC related scripts:
1. Add new functionality to the force_depend method to incorporate the
   tests for whether the service is enabled and/or already running.
2. Add a new option to bypass checking only that the service is enabled
   at boot time, and always check if it is running.
3. Use this new functionality to greatly simplify the rc.d scripts that
   use force_depend.
4. Add a force_depend for statd in lockd
5. Remove the check that either nfs_server or nfs_client is _enable'd
   from statd and lockd. This was always overkill, and prevented using
   the {one|force}start options, as well as stop'ing on the command line.
6. The yp* scripts had some of their arguments in various weird orders.
   Bring them into line with the model.
7. If mountd fails to create /var/db/mountdtab, err out.

Ideas, suggestions, and/or review from delphij and jilles.
Pointy hats are completely my responsibility however.
2012-02-14 10:51:24 +00:00
Andriy Gapon
5a197b4612 start watchdogd before most of other daemons/servers
The main benefit is that watchdogd would shutdown after most of other
daemons/servers and thus, for example, would remedy a system hang caused
by unlucky X server shutdown.

Reviewed by:	dougb (earlier version)
MFC after:	2 weeks
2012-02-12 14:58:50 +00:00
Ed Schouten
18568efd19 Avoid using BEFORE in the utx rc script.
Requested by:	dougb
2012-02-12 07:45:48 +00:00
Ed Schouten
c21ae3a403 Move utmpx handling out of init(8).
This has the following advantages:

- During boot, the BOOT_TIME record is now written right after the file
  systems become writable, but before users are allowed to log in. This
  means that they can't cause `hidden logins' by logging in right before
  init(8) kicks in.

- The pututxline(3) function may potentially block on file locking,
  though this is very rare to occur. By placing it in an rc script, the
  user can still kill it with ^C if needed.

- Most importantly: jails don't use init(8). This means that a force
  reboot of a system running jails will leave stale entries in the
  accounting database of the jails individually.
2012-02-11 20:47:16 +00:00
Doug Barton
f7451733fb In the days before r208307 addswap was running early in the second stage
of rcorder. Somehow in the intervening period addswap got moved to the
very end, which is almost certainly not what we want.

This change moves it to right after kld so that for users who need it,
they'll get it ASAP.
2012-02-11 06:21:16 +00:00
Doug Barton
95208e20d0 As it stands right now, the default devfs rulesets are only loaded as a
side effect of something else using them. If they haven't been loaded
already but you want to use them, say for configuring a jail, you're out
of luck.

So add a knob to always load the default rulesets. While I'm here document
the other devfs_ knobs in rc.conf.5.
2012-02-08 08:52:40 +00:00
Hiroki Sato
86b84592a8 Fix $ipv6_network_interfaces handling in rc.d/routing. It could fail when
it was set to "auto", for example.

MFC after:	3 days
2012-02-04 18:14:49 +00:00