mrouted has been available in ports for the last 8 years as net/mrouted . An
equivalent rc.d script has been present in the port.
Remove all corresponding variables from etc/defaults/rc.conf
Relnotes: yes
have chosen different (and more traditional) stateless/statuful
NAT64 as translation mechanism. Last non-trivial commits to both
faith(4) and faithd(8) happened more than 12 years ago, so I assume
it is time to drop RFC3142 in FreeBSD.
No objections from: net@
random script ran before filesystems were mounted, which is no
longer the case.
In random_start(), immediately delete each file that is fed into
/dev/random, and recreate the default entropy file immediately
after reading and deleting it. The logic used in random_stop()
to determine which file to write to should probably be factored
out and used here as well.
do not require additional entropy to function.
It would create a circular dependency (not immediately obvious:
geli provides 'disks' and requires 'random' as of r273872,
'random' requires 'FILESYSTEMS', 'FILESYSTEMS' requires 'root',
'root' requires 'swap', and finally 'swap' requires 'disk').
This code has had an extensive rewrite and a good series of reviews, both by the author and other parties. This means a lot of code has been simplified. Pluggable structures for high-rate entropy generators are available, and it is most definitely not the case that /dev/random can be driven by only a hardware souce any more. This has been designed out of the device. Hardware sources are stirred into the CSPRNG (Yarrow, Fortuna) like any other entropy source. Pluggable modules may be written by third parties for additional sources.
The harvesting structures and consequently the locking have been simplified. Entropy harvesting is done in a more general way (the documentation for this will follow). There is some GREAT entropy to be had in the UMA allocator, but it is disabled for now as messing with that is likely to annoy many people.
The venerable (but effective) Yarrow algorithm, which is no longer supported by its authors now has an alternative, Fortuna. For now, Yarrow is retained as the default algorithm, but this may be changed using a kernel option. It is intended to make Fortuna the default algorithm for 11.0. Interested parties are encouraged to read ISBN 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and Kohno for Fortuna's gory details. Heck, read it anyway.
Many thanks to Arthur Mesh who did early grunt work, and who got caught in the crossfire rather more than he deserved to.
My thanks also to folks who helped me thresh this out on whiteboards and in the odd "Hallway track", or otherwise.
My Nomex pants are on. Let the feedback commence!
Reviewed by: trasz,des(partial),imp(partial?),rwatson(partial?)
Approved by: so(des)
collision for "no" as a country code with "NO" meaning "do not load any
keymap" (which also has been the default value in etc/defaults/rc.conf
for a long time).
The result of this collision is, that "kbdcontrol -l no" will load the
Norwegian keymap, while "keymap=no" in rc.conf was interpreted as the
lower case spelling of "NO" meaning "no keyboard" (and "no.kbd" was not
loaded).
Fix this by matching only the upper-case spelling "NO" in rc.d/syscons
when deciding whether to load a keymap file.
This will lead to "no.kbd" being loaded, if the until now valid (but
non-default) spelling "no" was used in an individual rc.conf file to mean
"no keyboard". But all alternatives I could think of introduce a larger
violation of POLA ...
Reported by: Gyrd Thane Lange (gyrd-se at thanelange.no)
MFC after: 3 days
This is cleaner and eliminates the unneeded startup of KVP daemon on
systems that do not run as a Hyper-V guest.
Submitted by: hrs
X-MFC-with: 271493, 271688, 271699
run when asked for by the user. Right now, hv_kvpd is run on every boot.
Don't do that.
Add hv_kvpd_enable= for this script to be run.
MFC with 271493
MFC after: 2 weeks
Relnotes: yes
The following warnings were displayed:
sysctl: net.inet.ip.sourceroute=0: Operation not permitted
sysctl: net.inet.ip.accept_sourceroute=0: Operation not permitted
many thanks for their continued support of FreeBSD.
While I'm there, also implement a new build knob, WITHOUT_HYPERV to
disable building and installing of the HyperV utilities when necessary.
The HyperV utilities are only built for i386 and amd64 targets.
This is a stable/10 candidate for inclusion with 10.1-RELEASE.
Submitted by: Wei Hu <weh microsoft com>
MFC after: 1 week
- Identify the console driver used and print syscons or vt as appropriate.
- If vt is used and a keymap could not be loaded, then try to replace the
keymap name configured in rc.conf based on a replacement list in this
script. Warn about the fact, that a syscons keyname is configured and
report the replacement used under vt.
- If no replacement keymap is found, no keymap is loaded and a warning
is displayed, which points at the conversion script and allows the
conversion of keymaps not part of the official distribution.
This patch has been sent to the -hackers list for review, but no comment
has been received, yet. It is tested to work under syscons and vt on my
system (on vt with either the syscons or vt keymap file name in rc.conf).
MFC after: 3 days
- Rename $kerberos5_server_enable with $kdc_enable and rename
rc.d/kerberos with rc.d/kdc.
- Rename $kadmin5_server_enable with $kadmind_enable.
- Rename ${kerberos5,kpasswdd}_server with ${kdc,kpasswdd}_program.
- Fix rc.d/{kadmind,kerberos,kpasswdd,kfd} scripts not to change variables
after load_rc_config().
- Add rc.d/ipropd_master and rc.d/ipropd_slave scripts. These are
for iprop-master(8) and iprop-slave(8). Keytab used for iprop service is
defined in ipropd_{master,slave}_keytab (/etc/krb5.keytab by default).
- Add dependency on rc.d/kdc to SERVERS. rc.d/kdc must be invoked as early
as possible before scripts divided by rc.d/SERVERS.
Note that changes to rc.d/{kdc,kpasswdd,kadmind} are backward-compatible
with the old configuration variables:
${kerberos5,kpasswdd,kadmin5}_server{,_enable,_flags}.
UNIX systems, eg. MacOS X and Solaris. It uses Sun-compatible map format,
has proper kernel support, and LDAP integration.
There are still a few outstanding problems; they will be fixed shortly.
Reviewed by: allanjude@, emaste@, kib@, wblock@ (earlier versions)
Phabric: D523
MFC after: 2 weeks
Relnotes: yes
Sponsored by: The FreeBSD Foundation
