now it should support all the instructions of the old ipfw.
Fix some bugs in the user interface, /sbin/ipfw.
Please check this code against your rulesets, so i can fix the
remaining bugs (if any, i think they will be mostly in /sbin/ipfw).
Once we have done a bit of testing, this code is ready to be MFC'ed,
together with a bunch of other changes (glue to ipfw, and also the
removal of some global variables) which have been in -current for
a couple of weeks now.
MFC after: 7 days
o Fix zero payloading, unbreak ping -s 0.
o Increase socket recieve buffer, ping -s 65467 is working now.
Submitted by: anti-magic sweep based on kris's patch
Reviewed by: bde, silence on -audit
MFC after: 2 months
This code makes use of variable-size kernel representation of rules
(exactly the same concept of BPF instructions, as used in the BSDI's
firewall), which makes firewall operation a lot faster, and the
code more readable and easier to extend and debug.
The interface with the rest of the system is unchanged, as witnessed
by this commit. The only extra kernel files that I am touching
are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
userland I only had to touch those programs which manipulate the
internal representation of firewall rules).
The code is almost entirely new (and I believe I have written the
vast majority of those sections which were taken from the former
ip_fw.c), so rather than modifying the old ip_fw.c I decided to
create a new file, sys/netinet/ip_fw2.c . Same for the user
interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
/sbin/ipfw). The old files are still there, and will be removed
in due time.
I have not renamed the header file because it would have required
touching a one-line change to a number of kernel files.
In terms of user interface, the new "ipfw" is supposed to accepts
the old syntax for ipfw rules (and produce the same output with
"ipfw show". Only a couple of the old options (out of some 30 of
them) has not been implemented, but they will be soon.
On the other hand, the new code has some very powerful extensions.
First, you can put "or" connectives between match fields (and soon
also between options), and write things like
ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any
This should make rulesets slightly more compact (and lines longer!),
by condensing 2 or more of the old rules into single ones.
Also, as an example of how easy the rules can be extended, I have
implemented an 'address set' match pattern, where you can specify
an IP address in a format like this:
10.20.30.0/26{18,44,33,22,9}
which will match the set of hosts listed in braces belonging to the
subnet 10.20.30.0/26 . The match is done using a bitmap, so it is
essentially a constant time operation requiring a handful of CPU
instructions (and a very small amount of memmory -- for a full /24
subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried
to minimize changes to the other parts of the system. Some performance
improvement can be achieved with minor changes to the interface of
ip_fw_chk_t. This will be done later when this code is settled.
The code is meant to compile unmodified on RELENG_4 (once the
PACKET_TAG_* changes have been merged), for this reason
you will see #ifdef __FreeBSD_version in a couple of places.
This should minimize errors when (hopefully soon) it will be time
to do the MFC.
imposed by the filesystem structure itself remains. With 16k blocks,
the maximum file size is now just over 128TB.
For now, the UFS1 file size limit is left unchanged so as to remain
consistent with RELENG_4, but it too could be removed in the future.
Reviewed by: mckusick
filesystem expands the inode to 256 bytes to make space for 64-bit
block pointers. It also adds a file-creation time field, an ability
to use jumbo blocks per inode to allow extent like pointer density,
and space for extended attributes (up to twice the filesystem block
size worth of attributes, e.g., on a 16K filesystem, there is space
for 32K of attributes). UFS2 fully supports and runs existing UFS1
filesystems. New filesystems built using newfs can be built in either
UFS1 or UFS2 format using the -O option. In this commit UFS1 is
the default format, so if you want to build UFS2 format filesystems,
you must specify -O 2. This default will be changed to UFS2 when
UFS2 proves itself to be stable. In this commit the boot code for
reading UFS2 filesystems is not compiled (see /sys/boot/common/ufsread.c)
as there is insufficient space in the boot block. Once the size of the
boot block is increased, this code can be defined.
Things to note: the definition of SBSIZE has changed to SBLOCKSIZE.
The header file <ufs/ufs/dinode.h> must be included before
<ufs/ffs/fs.h> so as to get the definitions of ufs2_daddr_t and
ufs_lbn_t.
Still TODO:
Verify that the first level bootstraps work for all the architectures.
Convert the utility ffsinfo to understand UFS2 and test growfs.
Add support for the extended attribute storage. Update soft updates
to ensure integrity of extended attribute storage. Switch the
current extended attribute interfaces to use the extended attribute
storage. Add the extent like functionality (framework is there,
but is currently never used).
Sponsored by: DARPA & NAI Labs.
Reviewed by: Poul-Henning Kamp <phk@freebsd.org>
that are used if none at all are specified for a partition. Don't
keep replaying the last field if we run out of fields when processing
a line. Use a 8:1 frag:block ratio for both defaults.
More work here is required. I think disklabel should not attempt
to choose default filesystem parameters, and instead let newfs pick
any defaults if required.
PR: i386/38703
Reported by: Martin Kraemer <Martin.Kraemer@Fujitsu-Siemens.com>
- /0 if matches ::/128
- /64 if matches 2000::/3 and lowermost 64 bit is all 0
- /128 if matches 2000::/3 and lowermost 64 bit is non-zero 0
Obtained from: KAME/NetBSD
IFS had its fingers deep in the belly of the UFS/FFS split. IFS
will be reimplemented by the maintainer at a later date once the UFS
implementation is in place.
Requested by: adrian (maintainer)
am fairly certain that this should do it and that I may now remove the
UM_ macros from port.h. I will, however, wait a few days to ensure
that these can be safely removed.
/etc/exports. Oversized lines were unlikely due to the large 10k
limit, but any found would cause mountd to exit with an error. Also
fix one or two compiler warnings.
fields as discussed in the commit to ip_fw.c:1.186
On top of this, a ton of non functional changes to clean up the code,
write functions to replace sections of code that were replicated
multiple times (e.g. the printing or matching of flags and options),
splitting long sections of inlined code into separate functions,
and the like.
I have tested the code quite a bit, but some typos (using one variable
in place of another) might have escaped.
The "embedded manpage" is a bit inconsistent, but i am leaving fixing
it for later. The current format makes no sense, it is over 40 lines
long and practically unreadable. We can either split it into sections
( ipfw -h options , ipfw -h pipe , ipfw -h queue ...)
or remove it altogether and refer to the manpage.
+ setting a bandwidth too large for a pipe (above 2Gbit/s) could
cause the internal representation (which is int) to wrap to a
negative number, causing an infinite loop in the kernel;
+ (see PR bin/35628): when configuring RED parameters for a queue,
the values are not passed to the kernel resulting in panics at
runtime (part of the problem here is also that the kernel does
not check for valid parameters being passed, but this will be
fixed in a separate commit).
These are both critical fixes which need to be merged into 4.6-RELEASE.
MFC after: 1 day
- reimplement -z
- use syslog()
- improve consistancy of messages
- allow -f to recover cleared dumps
- return bufsize to 1024 * 1024
- return the ability to write sparse files
- update man page
- fix minfree to require 2k for info file instead of the kernel size
- include Berkeley copyright too due to amount of old code copied
Submitted by: Chad David <davidc@acns.ab.ca>
restores the check_space() function with small modifications
to make it work with the current code. The patch was slightly
modified by Bill Fenner to handle error messages better.
Reviewed by: fenner
fatal if the declaration of strdup() isn't in scope. The upper 32 bits
of the pointer are lost since it defaults to returning "int". Fix some
warnings while here, including trying to make gcc-3.1 happy.
more on how ipfw(8) deals with tiny fragments. While we're at it, add
a quick log message to even let people know we dropped a packet. (Note
that the second FINE POINT is somewhat redundant given the first, but
since the code is there, leave the docs for it.)
MFC after: 1 day
around. If the kernel boots successfully, the record of this kernel
is erased, it is intended to be a one-shot option for testing
kernels.
This could be improved by having the loader remove the record of
the next kernel to boot, it is currently removed in /etc/rc immediately
after disks are mounted r/w.
I'd like to MFC this before the 4.6 freeze unless there is violent
objection.
Reviewed by: Several on IRC
MFC after: 4 days
Use only one filedescriptor. Open in R/O or R/W based in the '-N' option.
Make the filedescriptor a global variable instead of passing it around
as semi-global variable(s).
Remove the undocumented ability to specify type without '-T' option.
Replace fatal() with straight err(3)/errx(3). Save calls to strerror()
where applicable. Loose the progname variable.
Get the sense of the cpgflag test correct so we only issue warnings if
people specify cpg and can't get that. It can be argued that this
should be an error.
Remove the check to see if the disk is mounted: Open for writing
would fail if it were mounted.
Attempt to get the sectorsize and mediasize with the generic disk
ioctls, fall back to disklabel and /etc/disktab as we can.
Notice that on-disk labels still take precedence over /etc/disktab,
this is probably wrong, but not as wrong as the entire concept of
/etc/disktab is.
Sponsored by: DARPA & NAI Labs.
the filesystem type isn't given in the command line. In the case of
an IPv6 address containing ':', one must use the '@' separator for it
to be properly parsed (mount_nfs(8) still needs fixing at the moment
though).
PR: bin/37230
Reviewed by: obrien
MFC after: 1 week
blocksizes, etc
does not give the default of -b
only mentiones rdump in the NAME section
uses both filesystem and file system in similar contexts
PR: 34248
Submitted by: Gary W. Swearingen <swear@blarg.net>
MFC after: 3 days
--change "-s newboot" to "-s newboot2" in an example
--Fixed spelling
--Fixed some confusion between slice/parition/primary partition and other
things.
PR: 35947 and 35951
Noticed by: Gary W. Swearingen <swear@blarg.net>
Reviewed by: keramida
Thanks to: grog
MFC after: 2 days
o Implement -c (clear) to clear previously kept headers (note that
dumps not cleared will remain until -c is used),
o Implement -f (force) to allow re-saving a previously saved dump,
o Implement -k (keep) and make clearing the dump header the default,
o Implement -v (verbose) and make most output conditional upon it,
o Emit minimal output for the non-verbose case with the assumption
that savecore is run mostly from within /etc/rc,
o Update usage message to reflect what is and what's not,
o mark -d as obsolete.
Low-level changes:
o Rename devname to device, for devname mirrors a global declaration
and GCC 3.x warns about it,
o Open the dump device R/W for clear and !keep to work,
o Reorder the locals of DoFile according to style(9),
o Remove newlines from strings passed to warn* and err*,
o Use stat(2) to check if a dump has been saved before,
o Truncate existing core and info files to support force,
o First check for the magic and the version before we complain about
parity errors. This prevents emitting parity error messages when
there's no dump,
o Keep track of the number of headers found and the number of headers
saved to support the minimal output,
o Close files we opened in DoFile. Not critical, but cleaner.
I'll still be overseeing the changes that go into natd(8) and
will maintain it the way I see it, non-preventing for the rest
of developers.
I will re-ask for the MAINTAINER bit if the ${MAINTAINER} gets
defined.
particular as there may not be one. Remove #if 0'ed code which might
mislead people to think otherwise.
unifdef -ULOSTDIR, fsck can make lost+found on the fly.
Sponsored by: DARPA & NAI Labs
Pick up the c-partitions magicness from sys/disklabel.h instead
of defining our own magicness for it, remove trivial comment.
Sponsored by: DARPA and NAI Labs.
that might have changed, then did a byte-by-byte comparison with
the alternate. If any unused fields got used, they had to be added
to the exception list. Such changes caused too many false alarms.
So, I have changed the comparison algorithm to compare a selected
set of fields that are not expected to change. This new algorithm
causes far fewer false hits and still does a good job of detecting
problems when they have really occurred. In particular, this change
should ease the transition to kernels supporting UFS2 which make
some significant changes to the superblock.
Sponsored by: DARPA, NAI Labs
