This code makes use of variable-size kernel representation of rules
(exactly the same concept of BPF instructions, as used in the BSDI's
firewall), which makes firewall operation a lot faster, and the
code more readable and easier to extend and debug.
The interface with the rest of the system is unchanged, as witnessed
by this commit. The only extra kernel files that I am touching
are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
userland I only had to touch those programs which manipulate the
internal representation of firewall rules).
The code is almost entirely new (and I believe I have written the
vast majority of those sections which were taken from the former
ip_fw.c), so rather than modifying the old ip_fw.c I decided to
create a new file, sys/netinet/ip_fw2.c . Same for the user
interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
/sbin/ipfw). The old files are still there, and will be removed
in due time.
I have not renamed the header file because it would have required
touching a one-line change to a number of kernel files.
In terms of user interface, the new "ipfw" is supposed to accepts
the old syntax for ipfw rules (and produce the same output with
"ipfw show". Only a couple of the old options (out of some 30 of
them) has not been implemented, but they will be soon.
On the other hand, the new code has some very powerful extensions.
First, you can put "or" connectives between match fields (and soon
also between options), and write things like
ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any
This should make rulesets slightly more compact (and lines longer!),
by condensing 2 or more of the old rules into single ones.
Also, as an example of how easy the rules can be extended, I have
implemented an 'address set' match pattern, where you can specify
an IP address in a format like this:
10.20.30.0/26{18,44,33,22,9}
which will match the set of hosts listed in braces belonging to the
subnet 10.20.30.0/26 . The match is done using a bitmap, so it is
essentially a constant time operation requiring a handful of CPU
instructions (and a very small amount of memmory -- for a full /24
subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried
to minimize changes to the other parts of the system. Some performance
improvement can be achieved with minor changes to the interface of
ip_fw_chk_t. This will be done later when this code is settled.
The code is meant to compile unmodified on RELENG_4 (once the
PACKET_TAG_* changes have been merged), for this reason
you will see #ifdef __FreeBSD_version in a couple of places.
This should minimize errors when (hopefully soon) it will be time
to do the MFC.
calibrated. This fixes the problem where playback and recording do
not run at the correct speed. It probably also eliminates the
need for the hacks/workarounds/sysctl's that were previously
devised to deal with this, but I will leave that for a different
time.
Reviewed by: orion
In -STABLE, this is default, in -CURRENT it is not, which leads to many a
headache for a user coming to -CURRENT without remembering this fact. It
is one of the POLA violations we have not avoided by preparing the users
for it appopriately. Therefore, a warnx(3) is added here, explicitly to
be MFC'd shortly to start the re-education process rolling.
Reviewed by: General murmurs of approval in that IRC channel.
MFC after: 3 days
bridges in modern hardware (that hardware w/ lots of RAM). Raise the
address from 0x44000000 to 0x88000000 to match what we do with
NEWCARD. However, this really should be done in the pci layer.
passed down the VFS stack. While I'm here, replace a '0' with a 'NULL'
to make the code more readable.
Sponsored by: DARPA, NAI Labs
Obtained from: TrustedBSD Project
behavior. Add the bcb regression test which checks for failures due
to a backslash ('\') coinciding with the very last character of the
command buffer. The regression test is cf. this PR (which I did not
know about) and has a different fix for the bug.
PR: bin/22351
Submitted by: Stefan Duerholt <stefan.duerholt@t-online.de>
(from: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=832566+0+ \
current/freebsd-current)
"Too many pages were prefaulted in pmap_object_init_pt, thus
the wrong physical page was entered in the pmap for the virtual
address where the .dynamic section was supposed to be."
Submitted by: tegge
Approved by: tegge's patches never fail
re-read from the stack mid copy. This may help mitigate the recent
Apache buffer overrun and future overruns of the sort.
Reviewed by: jdp
MFC after: 2 days
of the remote host (or rather, the name as mangled by realhostname_sa())
so that the process can use it to behave differently depending on the
origin on the request. We use this to implement rudimentary visibility
control on our user information.
Make sure that the child process's standard error goes through the same
NVT-ASCII filter as is applied to the standard output.
Don't attempt to call logerr() from the child since stdio is not safe in
a vforked process. Just write a message to fd 2 instead. (Ideally, the
parent would open two pipes, and siphon off our stderr to some place less
public, but I have not attempted to do so in this implementation.)