Teach gbde(8) to use a key file in addition to a passphrase. This
makes it practical to use GBDE for "something you have plus something
you know" security together with a USB flash drive.
Approved by: re (scottl)
Do address assignment/removal operations after callbacks. Presently,
ifconfig callbacks are used for L2 configuration, media and vlan,
so actions associated with address assignment, like sending out a
gratuitous ARP, should go when L2 is running already.
Return ifvlan.c to the state of rev. 1.7.2.2 -- undo the last
back-out. The above change to ifconfig.c lets us use a callback
for vlan set-up without facing the evil side-effects from IP
assignment to an orphaned vlan interface.
Approved by: re (scottl)
The problem with it was that it swapped the relative order of IP
assignment and parent interface attachment. The present if_vlan
code gets certain flags from the parent, including those meaningful
to the upper layers. E.g., IP assignment to an interface with
IFF_BROADCAST goes somewhat differently from that to a non-broadcast
interface. Consequently, assigning IP before attaching the parent
results in a bogus or missing broadcast address on the vlan interface.
This bug is still here, but at least it won't be triggered by doing
both vlanX configuration steps, IP and vlan+vlandev, in a single
ifconfig invocation, which is usual to setting up vlans via rc.conf.
Work on the global issue is under way.
Bring ATA up to -current standards:
Fix SiS SATA support, the SATA registers were off.
Update the ICH7 support so it deals better with chips without AHCI.
Unbreak hotplug support on the ICH6 and ICH7 chipsets.
Add support for VIA VT8251 southbridge.
Add new nVidia nForce4 chips.
Add support for the Marvell 88SX[56]0[48][01] series of SATA chips.
Fix the promise modesetting for old chips.
Get rid of the advertising clause in the copyright.
Add support for using DMA on dump, greatly speeds up the dump process.
When IOCATAGPARM is called, update the capabilities page that is stored
in the kernel and return the new values.
Fix rebuilds of arrays that got stuck.
Add dump support in ataraid.
Add support for reading and writing SiS metadata.
Add support for writing VIA metadata.
Add support for writing Intel metadata.
Correct calculation of RAID0 sizes on VIA RAID arrays.
Update Intel MatrixRAID support to be able to pick up RAID0+1 (RAID10)
Resolve the mount point's path with realpath(2) before checking if the file
system is mounted. This prevents duplicated mounts.
The change I made against the original patch is to fall back to the given
path on realpath(2) failure instead of exiting with an error.
Submitted by: Andreas Kohn <andreas@syndrom23.de>
PR: bin/89782
When we give up on an interface, use the arp(8) command to remove all
entries from the interface rather than using ifconfig's delete command.
This preserves non-dhclient configured addresses (though they are wiped
out when dhclient is restarted).
Use a callback to set up a vlan interface so that "vlan"
and "vlandev" commands can be specified in any order.
This makes the code more compact and clear as well.
Improve error check on vlan argument.
Eliminate some unneeded code bits.
Add a new feature for optimizing ipfw rulesets - substitution of the
action argument with the value obtained from table lookup. The feature
is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
and "ngtee" rules.
When we get a bogus hostname in an option, drop the option
rather than refusing the lease. This allows obtaining leases
on misadministered networks that use host names with
underscores in them.
Reminded by: avatar
before rc.d/mountcritremote, so it is possible to mount /usr/ over
IPsec.
Discussed on: arch@
Suggested by: Tomasz Piłat <tomasz.pilat@axelspringer.pl>
Prodded by: dougb
IPv6 support was committed:
- Stop treating `ip' and `ipv6' as special in `proto' option as they
conflict with /etc/protocols.
- Disuse `ipv4' in `proto' option as it corresponds to `ipv6'.
- When protocol is specified as numeric, treat it as it is even if it is
41 (ipv6).
- Allow zero for protocol as it is the valid number of `ip'.
sbin/ipfw/ipfw.8: 1.180
src/sbin/ipfw/ipfw2.c: 1.80
Finally bring in what was produced during Google SoC 2005:
Add functions to rename objects and to move a subdisk from one drive
to another.
Add manual page (finally).
Bring up-to-date the online help.
Plus several cleanups and whitespace fixes.
| Fix parsing of mdmfs(8) option "-w <user>:<group>" in case <user> or
| <group> is a numeric user/group ID instead of a user/group name (as
| explicitly intended to be allowed by both the manual page and the
| implementation).
|
| Before this fix, mdmfs(8) aborted:
|
| | # mdmfs -s 32m -w 0:0 md /var/tmp/foo
| | Assertion failed: (mip->mi_have_uid), function extract_ugid, file /usr/src/sbin/mdmfs/mdmfs.c, line 555.
| | Abort trap (core dumped)
|
| The "mi_have_[ug]id" fields were only set in case a name lookup was
| successful. Instead they also have to be set in case the string to
| integer conversion was successful.
|
| Additionally, as a result of this fix, two assertions at the end of
| the function are now always true and hence can just be removed. It
| is guaranteed that both the UID and the GID are set when the function
| returns regularly, else it would have been already bailed out with
| usage()/exit(3) or errx(3) before.
|
| Spotted by: Christoph Schug <chris@schug.net>
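The parsing rule this fix describes, as an added example that is not mdmfs(8)'s own code: each half of "<user>:<group>" may be a name or a numeric ID, and the "have" flag is set on a successful numeric conversion as well as on a successful name lookup, so the function can never return with an unset UID or GID (the function names are hypothetical).

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

struct ugid {
	uid_t uid; gid_t gid;
	int have_uid, have_gid;	/* set whether the value came from a name or a number */
};

/* Whole-token numeric conversion: 0 on success, -1 if not purely numeric. */
static int
parse_id(const char *tok, unsigned long *out)
{
	char *end;
	errno = 0;
	*out = strtoul(tok, &end, 10);
	return (*tok != '\0' && *tok != '-' && errno == 0 && *end == '\0') ? 0 : -1;
}

/* Parse "user:group", each half a name or numeric ID; 0 on success, -1 otherwise. */
int
extract_ugid_fixed(const char *arg, struct ugid *r)
{
	char buf[128], *grp;
	unsigned long id;
	struct passwd *pw; struct group *gr;

	memset(r, 0, sizeof(*r));
	if (strlen(arg) >= sizeof(buf) || (grp = strchr(arg, ':')) == NULL)
		return (-1);
	strcpy(buf, arg);
	grp = buf + (grp - arg);	/* same offset, now inside our copy */
	*grp++ = '\0';

	/* Numeric ID first, then name lookup; BOTH paths set have_uid, which
	 * is what the original assertion failure was missing. */
	if (parse_id(buf, &id) == 0) {
		r->uid = (uid_t)id;
		r->have_uid = 1;
	} else if ((pw = getpwnam(buf)) != NULL) {
		r->uid = pw->pw_uid;
		r->have_uid = 1;
	}
	if (parse_id(grp, &id) == 0) {
		r->gid = (gid_t)id;
		r->have_gid = 1;
	} else if ((gr = getgrnam(grp)) != NULL) {
		r->gid = gr->gr_gid;
		r->have_gid = 1;
	}
	return (r->have_uid && r->have_gid) ? 0 : -1;
}
```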
Display the status of the spanning tree for each port.
member: xl0 flags=7<LEARNING,DISCOVER,STP>
member: gem0 flags=7<LEARNING,DISCOVER,STP>
to:
member: xl0 flags=7<LEARNING,DISCOVER,STP>
port 3 priority 128 path cost 55 forwarding
member: gem0 flags=7<LEARNING,DISCOVER,STP>
port 1 priority 128 path cost 55 learning
Approved by: re (scottl)
Add a note in the example as well, that the last sector is used for metadata,
so it doesn't provoke confusion.
Noticed by: Victor Sudakov <sudakov@sibptus.tomsk.ru>
Approved by: re (scottl)
ifconfig.c 1.116
For the sake of consistency and easier typing,
introduce "-tunnel" as an alias for "deletetunnel".
The latter is overly long and prone to typos, but
keep it for POLA since it costs nothing.
ifvlan.c 1.8
Deprecate the useless argument to -vlandev.
ifconfig.8 1.102-1.105
Document the above changes.
Logically group vlan- and tunnel-related parameters.
Approved by: re (scottl)
| Fix system shutdown timeout handling by again supporting longer running
| shutdown procedures (which have a duration of more than 120 seconds).
|
| We have two user-space affecting shutdown timeouts: a "soft" one in
| /etc/rc.shutdown and a "hard" one in init(8). The first one can be
| configured via /etc/rc.conf variable "rcshutdown_timeout" and defaults
| to 30 seconds. The second one was originally (in 1998) intended to be
| configured via sysctl(8) variable "kern.shutdown_timeout" and defaults
| to 120 seconds.
|
| Unfortunately, the "kern.shutdown_timeout" was declared "unused" in 1999
| (as it obviously is actually not used within the kernel itself) and
| hence was intentionally but misleadingly removed in revision 1.107 from
| init_main.c. Kernel sysctl(8) variables are certainly a wrong way to
| control user-space processes in general, but in this particular case the
| sysctl(8) variable should have remained as it supports init(8), which
| isn't passed command line flags (which in turn could have been set via
| /etc/rc.conf), etc.
|
| As there is already a similar "kern.init_path" sysctl(8) variable which
| directly affects init(8), resurrect the init(8) shutdown timeout under
| sysctl(8) variable "kern.init_shutdown_timeout". But this time document
| it as being intentionally unused within the kernel and used by init(8).
| Also document it in the manpages init(8) and rc.conf(5).
|
| Reviewed by: phk
| MFC after: 2 weeks
|
| Revision Changes Path
| 1.48 +7 -1 src/sbin/init/init.8
| 1.61 +1 -1 src/sbin/init/init.c
| 1.264 +16 -1 src/share/man/man5/rc.conf.5
| 1.257 +11 -0 src/sys/kern/init_main.c
Approved by: re (scottl)
- Understand EADDRINUSE, and forget EDQUOT. [1]
- Add description for EEXIST.
- Change description for ENOBUFS. Routing socket can return
this error for many different reasons, including general
memory shortage, mbuf memory shortage and rtentry zone.
PR: kern/64090 [1]
Approved by: re (scottl)
Add "-q" argument to sysctl(8), which suppresses a limited set of
warnings/errors generated. In particular, it suppresses "unknown oid"
when attempting to get or set a sysctl not present in the kernel.
Approved by: re (kensmith)
Don't consider being unable to open the bounds file worthy of printing
at LOG_WARNING by default; instead, consider it something to be printed
to the tty when 'verbose' mode is set. This avoids printing out extra
lines at every boot on a system with crash dumps enabled, but that has
not yet had to generate a crashdump.
Approved by: re (kensmith)
Even if there are no valid keys in the metadata, when the provider is attached
we can still use the setkey subcommand.
Found by: regression tests
Approved by: re (scottl)
sbin/dhclient/*.c:
- add __FBSDID
sbin/dhclient/conflex.c: 1.3-1.4
- fix a minor buffer overflow in config parsing
- actually support backslash escaping in config files
bin/dhclient/dhclient-script: 1.6-1.10
- don't create or remove routes to our address through 127.0.0.1
- improved detection of the interface of the default route
- support quotes in the medium string
- clear interface state more effectively on failure
- don't update resolv.conf when unchanged
bin/dhclient/dhclient.c: 1.10-1.11
- validate domain-name (used as resolv.conf search string)
- handle superseded subnet-mask correctly
Approved by: re (scottl)
Makefile: 1.7
add.c: 1.12, 1.23
create.c: 1.11
destroy.c: 1.6
gpt.8: 1.14, 1.15
gpt.c: 1.11, 1.12, 1.13
gpt.h: 1.8, 1.9, 1.10
label.c: 1.1
map.c: 1.6
map.h: 1.6
migrate.c: 1.14, 1.15, 1.16
recover.c: 1.8
remove.c: 1.5, 1.6, 1.7, 1.8
show.c: 1.12, 1.13
o New -l and -u options to the show command,
o New label command to support GPT labels,
o The remove command doesn't print the total partitions removed,
as it prints each partition it removes by name already,
o Added ellipsis to most usage messages.
PR: ia64/83124
Approved by: re (scottl)
sys/geom/eli/g_eli.h 1.3-4
sys/geom/eli/g_eli_ctl.c 1.2
sbin/geom/class/eli/geli.8 1.4-6
sbin/geom/class/eli/geom_eli.c 1.3
Sync with HEAD:
- We don't need to clear allocated memory. This will speed-up things a bit.
- Even if crypto_dispatch() returns an error, the request is not canceled and
our callback will still be called, just to tell us that the request
failed...
- Always run a dedicated kernel thread (even when we have hardware support).
There is no performance impact, but it allows allocating memory with the
M_WAITOK flag.
As a side effect this simplifies the code a bit.
- Allow changing the number of iterations for PKCS#5v2. It can only be used
when there is only one key set.
- Add a __packed keyword to g_eli_metadata struct definition, so
sizeof(struct g_eli_metadata) will return the exact number of bytes needed
for storing it on the disk.
Without this change GELI was unusable on amd64 (and probably other 64-bit
archs), because sizeof(struct g_eli_metadata) was greater than 512 bytes
and geli(8) was failing on assertion.
Approved by: re (scottl)
rev. 1.108, 1.109 src/sys/netinet/ip_fw2.c
rev. 1.101 src/sys/netinet/ip_fw.h
rev. 1.77 src/sbin/ipfw/ipfw2.c
rev. 1.176 src/sbin/ipfw/ipfw.8
* Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.
* Fix build without INET6 and IPFIREWALL compiled into kernel.[1]
Submitted by: sysctl handling derived from patch from ume needed for ip6fw
Obtained from: is_icmp6_query and send_reject6 derived from similar
functions of netinet6,ip6fw
Reviewed by: ume, gnn; silence on ipfw@
Spotted and tested by: Michal Mertl <mime at traveller.cz>[1]
Approved by: re (kensmith)
Clarify what the 'channel' argument should look like and add an
example on how to obtain information on devices on an ata channel.
Approved by: re (hrs)
Implement a new feature for ping(8) - sweeping pings. In a sweeping
ping the ICMP payload of the packets being sent is increased by a given step.
Sweeping pings are useful for testing problematic channels, MTU
issues or traffic policing functions in networks.
PR: bin/82625
Submitted by: Chris Hellberg <chellberg juniper.net> (with some cleanups)
Approved by: re (kensmith)
When keys were configured without a passphrase, the number of iterations in
metadata is equal to -1. If we then wanted to attach the provider (or change
keys) and forgot about the '-p' flag it failed on an assertion (quite ok, without
the assertion it could call PKCS#5v2 with 4294967295 iterations).
Instead of failing on an assertion, remind about the '-p' flag.
Approved by: re (kensmith)
sys/geom/eli/g_eli.c 1.4,1.5
- GELI doesn't need cryptodev.
- Because code paths for I/O requests are quite complex, add comments above
the functions which participate in I/O paths.
Approved by: re (kensmith)
Unfortunately dlerror(3) returns a string, so there is no clean way to
ignore "no such file" errors only, which I wanted to do.
Because of this I ignored all other errors on dlopen(3) failure as well,
which isn't good.
Fix this situation by calling access(2) on the library file first and ignoring
only the ENOENT error. This allows reporting all the rest of the dlopen(3) errors.
Approved by: re (kensmith)
- Add code for Ext2FS and ReiserFS labels recognition.
- Avoid creating directories in devfs by changing all '/' in labels to '_'.
Submitted by: Stanislav Sedov <stas@310.ru>
PR: kern/84638
Approved by: re (kensmith)
Correct the description of the TAPE environment variable.
Based on:
PR: docs/84200
Submitted by: Gary W. Swearingen <garys at opusnet dot com>
Approved by: re (hrs)
Wireless support fixups: add a bunch of stuff that's been in the
code but not documented (e.g. wme, mac acl) and correct some
information, etc.
Approved by: re (kensmith)
Don't try to compile geli(8) when the NO_CRYPT knob is defined.
Reported by: Alexander Polakov
Committed to HEAD by: ru
Approved by: re (kensmith (implicit))
- Don't complain when debouncing dhclient startup.
- Fix buffer handling in receive_packet(). This fixes infinite cpu
eating loops and probably some crashes.
- Spell if_defaultroute route correctly in dhclient-script so we
are allowed to change the default route.
- Document dhclient -b.
- Treat reassociation like association.
- Do not force server-name to be a valid domain name.
- Handle servers that send NUL-terminated host-name options.
Approved by: re (scottl)
ifieee80211.c:1.19 from HEAD to RELENG_6:
Add a new flag '-k' to ifconfig(8), indicating that it is alright to
print potentially sensitive keying material to stdout. With the new
802.11 support, ifconfig(8) is now capable of printing 802.11 keys,
and did by default for the root user, which is undesirable in some
environments. Now it will not print keying material unless requested
(and available to the user).
Approved by: re (kensmith)
* Replace fch{mod,own} with straight ch{mod,own} as the former cannot be used
on socket file descriptors
* Open permissions on /var/run/devd.pipe so that any user can read devd events
from this socket
* Enable non-blocking I/O on devd.pipe to keep clients from wedging devd.
If a write(2) on devd.pipe would block, the client in question will be
removed
Approved by: re (kensmith)
- Remove MLINKS to nonexistent manpages
- Change some section numbers to match reality
- For MLINKS to manpages from ports, mention which port installs them
Approved by: re (hrs)
Change communication protocol to be much more resistant to network
problems and to allow for much better performance.
Better performance is achieved by creating two connections between
ggatec and ggated: one for sending the data and one for receiving it.
Every connection is handled by a separate thread, so there is no more
synchronous data flow (send and wait for response); now one thread
sends all requests and another receives the data.
Use two threads in ggatec(8):
- sendtd, which takes I/O requests from the kernel and sends them to the
ggated daemon on the other end;
- recvtd, which waits for ggated responses and forwards them to the kernel.
Use three threads in ggated(8):
- recvtd, which waits for I/O requests and puts them onto incoming queue;
- disktd, which takes requests from the incoming queue, does disk operations
and puts finished requests onto outgoing queue;
- sendtd, which takes finished requests from the outgoing queue and sends
responses back to ggatec.
Because there were major changes in the communication protocol, there is no
backward compatibility; from now on, both client and server have to run
on 5.x or 6.x (or at least ggated should be from the same FreeBSD version
on which ggatec is running).
For Gbit networks some buffers need to be increased. I use those settings:
kern.ipc.maxsockbuf=16777216
net.inet.tcp.sendspace=8388608
net.inet.tcp.recvspace=8388608
and I use '-S 4194304 -R 4194304' options for both, ggatec and ggated.
Approved by: re (scottl)
include a space separated list of domains instead of the domain of the
host. This is supported on too many platforms to break for now so,
remove validation of this option for the moment.
The correct solution longer term is to implement RFC 3397 support and
then treat domain-name options containing space separated lists of
domains as domain-search options for backwards compatibility.
Approved by: re (dhclient blanket)
Add a -b option to background immediately.
Add support for 802.11 routing messages to "instantly" renegotiate
a lease when we associate with a new network.
Submitted by: sam
spanning tree support.
Based on Jason Wright's bridge driver from OpenBSD, and modified by Jason R.
Thorpe in NetBSD.
Reviewed by: mlaier, bms, green
Silence from: -net
Approved by: mlaier (mentor)
Obtained from: NetBSD
policy. It may be used to provide more detailed classification of
traffic without actually having to decide its fate at the time of
classification.
MFC after: 1 week
This is the last requirement before we can retire ip6fw.
Reviewed by: dwhite, brooks(earlier version)
Submitted by: dwhite (manpage)
Silence from: -ipfw
use of the macro in sbin/mount*'s, by replacing:
mopts[] = {
MOPT_STDOPTS,
{ NULL }
}
With:
mopts[] = {
MOPT_STDOPTS,
MOPT_NULL
}
This change will help to reduce the situation that we don't explicitly
initialize "struct mntopt"'s. It should not contribute to any
functional/logical changes as far as I can tell.