keeping a flag to check whether we actually wanted to mount the filesystem
readonly, setup the options list so that we start off by assuming rw is what's
desired and let later flags change that.
to the init. This prevents zombies from being accumulated.
PR: bin/64198
Tested by: Eugene Grosbein <eugen at www svzserv kemerovo su>
Approved by: kan (mentor)
MFC after: 1 month
Now, encryption algorithm is given using '-e' option, not '-a'.
The '-a' option is now used to specify authentication algorithm.
Supported by: Wheel Sp. z o.o. (http://www.wheel.pl)
- remove call to getmntopts(), and just pass -o options to
nmount(). This removes some confusion as to what options
msdosfs can parse, by pushing the responsibility of option parsing
to the VFS and FS specific code in the kernel.
msdosfs_vfsops.c:
- add "force" and "sync" to msdosfs_opts. They used to be specified
in mount_msdosfs.c, so move them here. It's not clear whether these
options should be placed into global_opts in vfs_mount.c or not.
Motivated by: marcus
Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.
Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by: glebius (mentor)
Idea from: OpenBSD PF
MFC after: 1 month
It is no longer needed, because "mount -t reiserfs" calls nmount(2)
directly to mount a ReiserFS file system without the use of
this external mount program.
Approved by: dumbbell
option if none is given in the config file. Also add #ifdefd out
support for sending a client ID based on our MAC address.
PR: bin/94743, bin/76401
Submitted by: Frank Behrens <frank at pinky dot sax dot de>
X-MFC after: 6.1-RELEASE
o Introduce -r and -w keys which allow to load and save a worklist.
o Replace README by man page.
PR: bin/96677
Submitted by: Ulrich Spoerlein
Approved by: phk
MFC after: 1 month
arguments so we do not coredump at "help foo", "back bar" and such.
o Be consistent and print argc - 1 as a command arguments number in
all cases.
PR: bin/37096
Submitted by: Joshua Goodall
MFC after: 1 month
Reset it to 1 for each devd config file so if the parser finds
a syntax error devd(8) will report a correct line number.
Submitted by: Niki Denev
MFC after: 2 weeks
to match the number of inodes on the disk. If we find a directory
entry with a crazy inode number in it, don't look beyond the end
of the bitmap to find that inode's state. Instead skip that directory
entry and print a warning.
Reviewed by: iedowse
MFC after: 3 weeks
wait time for a packet. This allows to:
- Count number of packets received before and after specified
time.
- Shorten time of execution of 'ping -c 1' scripts.
Submitted by: Lytochkin Boris <lytboris gmail.com>
device number at creation time with -u option. Together with XMLizing
mdconfig(8), I broke this functionality.
This change is temporary. Complete fix will be committed soon.
Approved by: cognet (mentor)
a problem with listing large number of md(4) devices. Either 'list' or
'query' mode uses XML.
Additionally, new functionality was introduced. It's possible to pass
multiple devices to -u:
# ./mdconfig -l -u md0,md1
Approved by: cognet (mentor)
- <netipx> headers [1]
- IPX library (libipx)
- IPX support in ifconfig(8)
- IPXrouted(8)
- new MK_NCP option
New MK_NCP build option controls:
- <netncp> and <fs/nwfs> headers
- NCP library (libncp)
- ncplist(1) and ncplogin(1)
- mount_nwfs(8)
- ncp and nwfs kernel modules
User knobs: WITHOUT_IPX, WITHOUT_IPX_SUPPORT, WITHOUT_NCP.
[1] <netsmb/netbios.h> unconditionally uses <netipx> headers
so they are still installed. This needs to be dealt with.
as both have been read from the command line. Still use the callback,
but this time only to verify that both vlan and vlandev have been
found on the command line.
This should allow for control over the relative order of processing
parameters, which is needed to satisfy some caveats of the if_vlan
driver. E.g., MTU cannot be changed on a vlan interface until it's
attached to its parent.
PR: bin/94028
Reviewed by: ru
MFC after: 3 days
As discussed on -current, there is no sensitive info in /sbin/init
to prevent reading it from non-privileged users, nor any reason to
remove the 'x' bit as the first thing the program does is check the
uid and exit if it is not run by root.
Instead (and this is why I make the change), mode 500 prevents
operation when exporting the partition without -maproot=0 to diskless
clients.
All previous releases are affected by the same problem, so a merge
to RELENG_6 at least would be appropriate (after proper re@ approval
of course).
o multiple modules can be unloaded at once (specified either by id or by
module name)
o exit with EX_USAGE after usage() is called.
o remove unused variables, since we keep command line flags as bitmask,
in 'opt'.
o 'kldload -n ...' does nothing. Add comment to this options.
Additionally:
o Update manual page to conform new functionality.
o Increase WARNS to 6. Because we can.
Approved by: cognet (mentor)
MFC after: 1 week
in the buffer. This isn't exactly the patch that Stephen submitted, but
is based on one of his suggestions.
PR: 93841
Submitted by: Stephen Montgomery-Smith <stephen@math.missouri.edu>
MFC after: 2 weeks
o Also, fdisk_pc98 appears to support -i, so add it to the man page.
o Ditto -v
o Change the name from PC partition table maintenance program to NEC PC-98x1
partition table maintenance program, since it is possible to have a DOS MBR
formatted disk on FreeBSD/pc98 now (although we don't install any tools for
this).
o Merge the -I switch from i386 version to initialize the partition table
to use the maximum amount possible for a single FreeBSD table.
o Improve warning when the geom method fails (which I think it
always will until geom_pc98 is updated to respond to this ctl message)
o when writing out the boot sector, we have to write out a minimum of
1024 bytes or the sector size. This is different than the i386 case where
we need to write out a minimum of 512 bytes (which is also the minimum
sector size). We already handle this difference on reading, but didn't
in writing, so attempting to write a new partition table would fail.
o Add MID to the -s output, since pc98 users are likely interested in
both of these parameters.
# I can now initialize disks on my pc98 machine either by -I or by
# manually entering the parameters. I don't know if fdisk -B works or not,
# since I'm not willing to risk my only working boot disk to test it..
additional -r (read-only) flag or -w (read-write) flag,
then assume we want, mount -u -w.
When doing a mount update, this will implicitly pass a "noro" mount
option down to the VFS layer.
vfs_mergeopts() in vfs_mount.c will then remove the "ro" mount option
if it exists in the mount options for a mounted file system.
This means that "mount -u" works the same as "mount -u -w"
and will convert a read-only mount to read-write.
- mount(8) now calls the nmount(2) system call directly, not mount(2)
- specifying a filesystem type with -t will not automatically
invoke an external /sbin/mount_XXXX program....this only happens for
certain file system types. For all other file system types, nmount(2)
is called directly.
doesn't exist or add one that is already present, if the -q flag
is set. Useful for "ipfw -q /dev/stdin" when the command above is
invoked from something like python or TCL to feed commands
down the throat of ipfw.
MFC in: 1 week
supported for a moment.
- Don't allow to use -i when no passphrase is given. Now if iterations is
equal to -1 (not set), we know that we should not ask for the passphrase
on boot.
It still doesn't handle situation when one key is protected with
passphrase and the other is not. There is no quick fix for this.
The complete solution will be to make number of iterations a per-key
value. Because this need metadata format change and is only needed for
devices attached on boot, I'll leave it as it is for now.
MFC after: 3 days
makes it practical to use GBDE for "something you have plus something
you know" security together with a USB flash drive.
Reviewed by: phk
MFC after: 7 days
Presently, ifconfig callbacks are used for L2 configuration, media
and vlan, so actions associated with address assignment, like sending
out a gratuitous ARP, should go when L2 is running already.
This also should fix the problem with setting up vlan interfaces
from rc.conf, when both IP and vlan+vlandev parameters are passed
to ifconfig at once.
Future work: Consider introducing several ifconfig callback lists
to invoke callbacks orderly.
MFC after: 1 week
/tmp may not be writeable yet when dhclient is first run via
/etc/rc.d/netif so using it may not work. Also, writing to a
predictable file in /tmp as root is a really bad idea since a malicious
user may be able to win a race and insert a symlink which will allow
them to cause any file to be overwritten. To solve these problems,
create the temporary file in /var/run which will exist this early and is
writable only by root.
Security: Local risk if users can cause dhclient to run on demand
(such as by unplugging and replugging the network cable).
system is mounted. This prevents duplicated mounts.
The change I made against the original patch is to fall back to the given
path on realpath(2) failure instead of exiting with an error.
Submitted by: Andreas Kohn <andreas@syndrom23.de>
PR: bin/89782
MFC after: 3 days
circumstances that include circular dependencies.
PR: bin/91789
PR submitted by: Frank Behrens <frank@pinky.sax.de>
Patch submitted by: Divacky Roman <xdivac02@stud.fit.vutbr.cz>
entries from the interface rather than using ifconfig's delete command.
This preserves non-dhclient configured addresses (though they are wiped
out when dhclient is restarted).
MFC after: 1 week
disk. Apparently some people want to use mdmfs as mount_* as a
shortcut for mounting existing file-based file systems.
Note that unlike in the patches from the submitters, this option is
not available in compat mode. Compat mode was supposed to support only
things that mount_mfs used to support. To use this option from fstab,
mdmfs should be called mount_md, not mount_mfs. This distinction has
not always upkept for new options, and those can't be fixed now
without breaking people's systems, but new options should not usually
be allowed in compat mode. (Not sure why -F is allowed there at all.)
PR: 57641
Submitted by: Ruben de Groot
Submitted independently by: Wojciech A. Koszek, for Urzad Miasta Czestochowa
autonumbering is requested, set the unit to 0 instead of -1. This
option is just for output, and "/dev/md-1" looks disconcerting.
Submitted by: Wojciech A. Koszek
kernel is in the order the devices were made, which is not useful to
the user. Also, remove the "%d more" test since the kernel does not
return the complete count in md_pad[0] (maybe it should?).
Submitted by: Wojciech A. Koszek
action argument with the value obtained from table lookup. The feature
is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
and "ngtee" rules.
An example usage:
ipfw pipe 1000 config bw 1000Kbyte/s
ipfw pipe 4000 config bw 4000Kbyte/s
ipfw table 1 add x.x.x.x 1000
ipfw table 1 add x.x.x.y 4000
ipfw pipe tablearg ip from table(1) to any
In the example above the rule will throw different packets to different pipes.
TODO:
- Support "skipto" action, but without searching all rules.
- Improve parser, so that it warns about bad rules. These are:
- "tablearg" argument to action, but no "table" in the rule. All
traffic will be blocked.
- "tablearg" argument to action, but "table" searches for entry with
a specific value. All traffic will be blocked.
- "tablearg" argument to action, and two "table" looks - for src and
for dst. The last lookup will match.
- number of read I/O requests,
- number of write I/O requests,
- number of read bytes,
- number of written bytes.
Add 'reset' subcommand for resetting statistics.
value (intmax_t) and boolean (int).
Based on that provide three functions:
- gctl_get_ascii()
- gctl_get_int()
- gctl_get_intmax()
- Hide gctl_get_param() function, as it is only used internally in
subr.c.
- Allow to provide argument name as (fmt, ...).
- Assert geom(8) bugs (missing argument is a geom(8) bug).
- Clean-up and simplify the code by using new functions and assumptions
(no more checking for missing argument).
Tested by: regression tests
IPv6 support was committed:
- Stop treating `ip' and `ipv6' as special in `proto' option as they
conflict with /etc/protocols.
- Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'.
- When protocol is specified as numeric, treat it as it is even it is
41 (ipv6).
- Allow zero for protocol as it is valid number of `ip'.
Still, we cannot specify an IPv6 over an IPv4 tunnel like before such
as:
pass ipv6 from any to any
But, now, you can specify it like:
pass ip4 from any to any proto ipv6
PR: kern/89472
Reported by: Gaël Roualland <gael.roualland__at__dial.oleane.com>
MFC after: 1 week
iov address internally through realloc(3). However, since the function
parameter wasn't designed to allow the modified iov being passed back to
the caller, we ended up feeding iov with several corrupted entries(this
depends on how many arguments were pushed into iovec before set_charset())
to nmount(2).
This commit fixes this regression introduced in rev1.37 such that
mount_msdosfs(8) with code page conversion option(-W,-D) enabled works again.
Reviewed by: rodrigc
iov address internally through realloc(3). However, since the function
parameter wasn't designed to allow the modified iov being passed back to
the caller, we end up feeding iov with several corrupted entries(depends on
how many arguments were pushed into iovec before set_charset()) to nmount(2).
This commit fixes this regression introduced in rev1.31 such that
mount_cd9660(8) with code page conversion option(-C) enabled works again.
Reviewed by: rodrigc
external mounting program list as well; otherwise, entry like the following
in /etc/fstab wouldn't work:
/dev/acd0 /mnt/cdrom cd9660 ro,-C=big5 0 0
Reviewed by: rodrigc
Add functions to rename objects and to move a subdisk from one drive
to another.
Add manual page (finally).
Bring up-to-date the online help.
Obtained from: Chris Jones <chris.jones@ualberta.ca>
Sponsored by: Google Summer of Code 2005
MFC in: 1 week
- Add build_iovec_argf() helper function, for help converting old
mount options which used the mount_argf() function for the mount() syscall.
Discussed with: phk
- Teach the mount program to call the nmount() syscall directly
- Preserve existing method of calling mount() for UFS, until we clean things
up.
- Preserve existing method of forking and calling external mount programs for
mfs, msdosfs, nfs, nfs4, ntfs, nwfs, nullfs, portalfs, reiserfs, smbfs,
udf, umapfs, unionfs
- devfs, linprocfs, procfs, ext2fs call nmount() syscall directly, since
that is all those external mount programs were doing
Reviewed by: phk
Discussed on: arch
length and bail immediately if the returned length is wrong rather than
attempting to set an correct value.
This commit differs from the patch in the PR in the use of exit instead
of return and the use of a defined value for the array.
Submitted by: Daan Vreeken [PA4DAN] <Danovitsch at Vitsch dot net>
PR: bin/74509
that debug.mpsafenet be set to 0. It is still possible for deadlocks to
occur while these filtering options are used due to the layering violation
inherent in their implementation.
Discussed: -current, rwatson, glebius
<group> is a numeric user/group ID instead of a user/group name (as
explicitly intended to be allowed by both the manual page and the
implementation).
Before this fix, mdmfs(8) aborted:
| # mdmfs -s 32m -w 0:0 md /var/tmp/foo
| Assertion failed: (mip->mi_have_uid), function extract_ugid, file /usr/src/sbin/mdmfs/mdmfs.c, line 555.
| Abort trap (core dumped)
The "mi_have_[ug]id" fields were only set in case a name lookup was
successful. Instead they also have to be set in case the string to
integer conversion was successful.
Additionally, as a result of this fix, two assertions at the end of
the function are now always true and hence can just be removed. It
is guaranteed that both the UID and the GID are set when the function
returns regularly, else it would have been already bailed out with
usage()/exit(3) or errx(3) before.
Spotted by: Christoph Schug <chris@schug.net>
MFC after: 3 days
where applicable. The main reason for this change is that
the location of make.conf is not constant and can be
modified via __MAKE_CONF. This change also improves
hyper-text linkage in our manpages.
MFC after: 2 weeks
and "vlandev" commands can be specified in any order.
This makes the code more compact and clear as well.
Improve error check on vlan argument.
MFC after: 2 weeks
introduce "-tunnel" as an alias for "deletetunnel".
The latter is overly long and prone to typos, but
keep it for POLA since it costs nothing.
MFC after: 5 days
module is loaded or compiled into the kernel.
This is useful mostly in startup scripts, when module should be loaded only
if it wasn't compiled into the kernel nor already loaded, eg.:
kldstat -q -m g_eli || kldload geom_eli.ko || err 1 'geom_eli module failed to load.'
(not in mdoc(7) sense yet) in ifconfig(8) manpage, create such
subsections for gif(4) and vlan(4) so that their specific
options are not mixed up with general options.
- Add description for EEXIST.
- Change description for ENOBUFS. Routing socket can return
this error for many different reasons, including general
memory shortage, mbuf memory shortage and rtentry zone.
PR: kern/64090 [1]
shutdown procedures (which have a duration of more than 120 seconds).
We have two user-space affecting shutdown timeouts: a "soft" one in
/etc/rc.shutdown and a "hard" one in init(8). The first one can be
configured via /etc/rc.conf variable "rcshutdown_timeout" and defaults
to 30 seconds. The second one was originally (in 1998) intended to be
configured via sysctl(8) variable "kern.shutdown_timeout" and defaults
to 120 seconds.
Unfortunately, the "kern.shutdown_timeout" was declared "unused" in 1999
(as it obviously is actually not used within the kernel itself) and
hence was intentionally but misleadingly removed in revision 1.107 from
init_main.c. Kernel sysctl(8) variables are certainly a wrong way to
control user-space processes in general, but in this particular case the
sysctl(8) variable should have remained as it supports init(8), which
isn't passed command line flags (which in turn could have been set via
/etc/rc.conf), etc.
As there is already a similar "kern.init_path" sysctl(8) variable which
directly affects init(8), resurrect the init(8) shutdown timeout under
sysctl(8) variable "kern.init_shutdown_timeout". But this time document
it as being intentionally unused within the kernel and used by init(8).
Also document it in the manpages init(8) and rc.conf(5).
Reviewed by: phk
MFC after: 2 weeks
at LOG_WARNING by default; instead, consider it something to be printed
to the tty when 'verbose' mode is set. This avoids printing out extra
lines at every boot on a system with crash dumps enabled, but that has
not yet had to generate a crashdump.
MFC after: 1 week
renewal, or we lose link, be more forceful about clearing interface
state so another interface that connects to the same network has a
chance of working. This doesn't address attempting to connect to both at
once, but appears to allow unplugging from a wired interface and then
inserting a wireless card that associates with an AP bridged to the same
LAN.
Files used both "securelevel" and either "secure level" or
"security level"; all are now "security level".
PR: docs/84266
Submitted by: garys
Approved by: keramida
MFC after: 3 days
labeled are selected in the same way as with the remove command.
Update the manpage to have the selection options described for the
label command and referenced to it from the remove command.
The label can be specified on the command line with the -l option
or read from a file with the -f option. In both cases, the label
is assumed to be encoded in UTF-8.
PR: ia64/83124
MFC after: 1 week
o Introduce utf16_to_utf8().
o Add option -l to the show command to display the GPT label instead
of the friendly partition type.
o Add option -u to the show command to suppress the friendly output
and print the raw UUIDs instead.
check the domain-name parameter according to the rules for "search"
strings as documented in resolv.conf(5). Specifically, the string must
be no more than 256 bytes long and contain no more than six valid domain
names separated by white space.
The previous unchecked values could result in a mangled resolv.conf
file which could effectively deny access to local sites. This is not
a security issue as rogue dhcp servers could already do this without
sending invalid strings.
Reviewed by: cperciva
MFC After: 3 days
device be created read+write, check to see if the backing store is read only
through the use of the access(2) system call. If this check fails returning
EACCES, EPERM or EROFS then gracefully downgrade the access to read only. Also
print a warning message to stderr, informing the user that the access mode
they requested is not available.
This behavior used to be handled by md(4) but was changed in revision 1.154
Discussed with: pjd, phk, Dario Freni <saturnero at freesbie dot org>
Reviewed by: phk
serves no apparent purpose (we commented this out ages ago in the ISC
scripts) and causes problems with some ADSL setups.
Reported by: Rostislav Krasny <rosti dot bsd at gmail dot com>
/boot.config or on the "boot:" prompt line via a "-S<speed>" flag,
e.g. "-h -S19200". This adds about 50 bytes to the size of boot2
and required a few other small changes to limit the size impact.
This changes only affects boot2; there are further loader changes
to follow.
example on how to obtain information on devices on an ata channel.
PR: 84676
Submitted by: Kevin Oberman <oberman@es.net>
Jeremie Le Hen <jeremie@le-hen.org>
MFC after: 3 days
ping ICMP payload of packets being sent is increased with given step.
Sweeping pings are useful for testing problematic channels, MTU
issues or traffic policing functions in networks.
PR: bin/82625
Submitted by: Chris Hellberg <chellberg juniper.net> (with some cleanups)
to take into account the new default of starting the first partition
after the boot blocks instead of at sector 0. If you used automatic
sizing when the first partition did not start at 0, you would get
an error that the automatically sized partition extended beyond the
end of the disk.
Note that there are probably still many more complex cases where
automatic sizing and placement will not work (e.g. non-contiguous
or out of order partitions).
ignore "no such file" errors only, which I wanted to do.
Because of this I ignored all other errors on dlopen(3) failure as well,
which isn't good.
Fix this situation by calling access(2) on library file first and ignore
only ENOENT error. This allows to report all the rest of dlopen(3) errors.
MFC after: 3 days
metadata is equal to -1. if we then wanted to attach provider (or change
keys) and forget about '-p' flag it failed on assertion (quite ok, without
assertion it could call PKCS#5v2 with 4294967295 iterations).
Instead of failing on assertion, remind about '-p' flag.
MFC after: 3 days
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.
Submitted by: sysctl handling derived from patch from ume needed for ip6fw
Obtained from: is_icmp6_query and send_reject6 derived from similar
functions of netinet6,ip6fw
Reviewed by: ume, gnn; silence on ipfw@
Test setup provided by: CK Software GmbH
MFC after: 6 days
capture. Zero length captures caused an infinite loop and short captures
probably caused memory corruption and a crash.
Reported by: many
MFC After: 3 days
accept NUL-terminated strings as required by RFC 2132.
This solution is not perfect as it removes the ability to send
NUL-terminated host-name options which may be required by some broken
servers. Given the current lack of an existence proof of such servers
and the fact that servers that send NUL-terminated domain names do
exist, this seems like an acceptable compromise. A discussion of these
issues can be found at:
http://marc.theaimsgroup.com/?l=dhcp-client&m=96837107208382&w=2
PR: bin/83468
Reported by: Sean Winn <sean at gothic dot net dot au>
MFC-after: 3 days
print potentially sensitive keying material to stdout. With the new
802.11 support, ifconfig(8) is now capable of printing 802.11 keys,
and did by default for the root user, which is undesirable in some
environments. Now it will not print keying material unless requested
(and available to the user).
MFC after: 1 week
from this socket
* Enable non-blocking I/O on devd.pipe to keep clients from wedging devd.
If a write(2) on devd.pipe would block, the client in question will be
removed [1]
Requested by: rwatson [1]
Approved by: imp
Change communication protocol to be much more resistant on network
problems and to allow for much better performance.
Better performance is achieved by creating two connections between
ggatec and ggated one for sending the data and one for receiving it.
Every connection is handled by separate thread, so there is no more
synchronous data flow (send and wait for response), now one threads
sends all requests and another receives the data.
Use two threads in ggatec(8):
- sendtd, which takes I/O requests from the kernel and sends them to the
ggated daemon on the other end;
- recvtd, which waits for ggated responses and forwards them to the kernel.
Use three threads in ggated(8):
- recvtd, which waits for I/O requests and puts them onto incoming queue;
- disktd, which takes requests from the incoming queue, does disk operations
and puts finished requests onto outgoing queue;
- sendtd, which takes finished requests from the outgoing queue and sends
responses back to ggatec.
Because there were major changes in communication protocol, there is no
backward compatibility, from now on, both client and server has to run
on 5.x or 6.x (or at least ggated should be from the same FreeBSD version
on which ggatec is running).
For Gbit networks some buffers need to be increased. I use those settings:
kern.ipc.maxsockbuf=16777216
net.inet.tcp.sendspace=8388608
net.inet.tcp.recvspace=8388608
and I use '-S 4194304 -R 4194304' options for both, ggatec and ggated.
Approved by: re (scottl)
include a space separated list of domains instead of the domain of the
host. This is supported on too many platforms to break for now so,
remove validation of this option for the moment.
The correct solution longer term is to implement RFC 3397 support and
then treat domain-name options containing space separated lists of
domains as domain-search options for backwards compatibility.
Approved by: re (dhclient blanket)
Add a -b option to background immediately.
Add support for 802.11 routing messages to "instantly" renegotiate
at lease when we associate with a new network.
Submitted by: sam
spanning tree support.
Based on Jason Wright's bridge driver from OpenBSD, and modified by Jason R.
Thorpe in NetBSD.
Reviewed by: mlaier, bms, green
Silence from: -net
Approved by: mlaier (mentor)
Obtained from: NetBSD
policy. It may be used to provide more detailed classification of
traffic without actually having to decide its fate at the time of
classification.
MFC after: 1 week
This is the last requirement before we can retire ip6fw.
Reviewed by: dwhite, brooks(earlier version)
Submitted by: dwhite (manpage)
Silence from: -ipfw
use of the macro in sbin/mount*'s, by replacing:
mopts[] = {
MOPT_STDOPTS,
{ NULL }
}
With:
mopts[] = {
MOPT_STDOPTS,
MOPT_NULL
}
This change will help to reduce the situation that we don't explicitly
initialize "struct mntopt"'s. It should not contribute to any
functional/logical changes as far as I can tell.
command line) and the device path (what we passed to open()). Use
the former in diagnostics.
- when adding or removing partitions, print a single line to stdout for
each partition that was added or removed, indicating its name.
- add an -a option to 'gpt remove' which must be explicitly specified
to remove all partitions.
Approved by: marcel (in principle)
MFC after: 2 weeks
o ATA is now fully newbus'd and split into modules.
This means that on a modern system you just load "atapci and ata"
to get the base support, and then one or more of the device
subdrivers "atadisk atapicd atapifd atapist ataraid".
All can be loaded/unloaded anytime, but for obvious reasons you
don't want to unload atadisk when you have mounted filesystems.
o The device identify part of the probe has been rewritten to fix
the problems with odd devices the old had, and to try to remove
some of the long delays some HW could provoke. Also probing is done
without the need for interrupts, making earlier probing possible.
o SATA devices can be hot inserted/removed and devices will be created/
removed in /dev accordingly.
NOTE: only supported on controllers that has this feature:
Promise and Silicon Image for now.
On other controllers the usual atacontrol detach/attach dance is
still needed.
o Support for "atomic" composite ATA requests used for RAID.
o ATA RAID support has been rewritten and now supports these
metadata formats:
"Adaptec HostRAID"
"Highpoint V2 RocketRAID"
"Highpoint V3 RocketRAID"
"Intel MatrixRAID"
"Integrated Technology Express"
"LSILogic V2 MegaRAID"
"LSILogic V3 MegaRAID"
"Promise FastTrak"
"Silicon Image Medley"
"FreeBSD PseudoRAID"
o Update the ioctl API to match new RAID levels etc.
o Update atacontrol to know about the new RAID levels etc
NOTE: you need to recompile atacontrol with the new sys/ata.h,
make world will take care of that.
NOTE2: that rebuild is done differently from the old system as
the rebuild is now done piggybacked on read requests to the
array, so atacontrol simply starts a background "dd" to rebuild
the array.
o The reinit code has been worked over to be much more robust.
o The timeout code has been overhauled for races.
o Support of new chipsets.
o Lots of fixes for bugs found while doing the modularization and
reviewing the old code.
Missing or changed features from current ATA:
o atapi-cd no longer has support for ATAPI changers. Today it's
much cheaper and a lot faster to copy those CD images to disk
and serve them from there. Besides they don't seem to be made
anymore, maybe for that exact reason.
o ATA RAID can only read metadata from all the above metadata formats,
not write all of them (Promise and Highpoint V2 so far). This means
that arrays can be picked up from the BIOS, but they cannot be
created from FreeBSD. There is more to it than just the missing
write metadata support, those formats are not unique to a given
controller like Promise and Highpoint formats, instead they exist
for several types, and even worse, some controllers can have
different formats and it's impossible to tell which one.
The outcome is that we cannot reliably create the metadata of those
formats and be sure the controller BIOS will understand it.
However write support is needed to update/fail/rebuild the arrays
properly so it sits fairly high on the TODO list.
o So far atapicam is not supported with these changes. When/if this
will change is up to the maintainer of atapi-cam so go there for
questions.
HW donated by: Webveveriet AS
HW donated by: Frode Nordahl
HW donated by: Yahoo!
HW donated by: Sentex
Patience by: Vife and my boys (and even the cats)
report on the status of a format already running on a drive.
Fix status reporting for 'camcontrol format'. This was broken in rev 1.34
of camcontrol.c, almost 4 years ago!
Submitted by: joerg (most of the reportonly changes)
MFC after: 3 days
This unbreaks "/rescue/mount -t foo" -- previously it was necessary to
explicitly call "/rescue/mount_foo".
Hints from: gordon
X-MFC after: 3 days (if approved by re@)
.depends other than the command line.
Also remove -g from CFLAGS. The user should add it to CFLAGS if they
desire debug support.
Reviewed by: ru (in concept)
MFC After: 7 days
based tapes, but I'm not sure where NFS_MAGIC was introduced after
4.3). When support for the pre-4.4 format was removed (the ability to
read 4.2 and 4.3 BSD tapes), the old format inode conversion was
junked as well. However, FreeBSD 1 dump tapes use the NFS_MAGIC
format, but have this inode format. Before, restore would fail
complaining that '.' wasn't found and the root directory wasn't on
this tape. Since the conversion from the not so old format is
relatively trivial, restore the code to make that conversion.
FreeBSD 1 dumps are once again readable.
MFC After: a few days
for the old (4.4-lite through FreeBSD 4.x and *BSD) format. It looks
like they aren't used for TS_INODE, but conversion costs so little
there that I've not removed them there (in case my grep was wrong).
This makes at least some of the tapes work for me again. Now, to
regression test all my dusty tapes...
usage for a subcommand, so no 'usage' function has to be implemented
in class library.
- Bump version number as it breaks ABI, but don't provide backward
compatibility, because there are probably no external consumers of this
geom(8).
This allows to print more precise usage for standard commands and simplify
class libraries a bit.
MFC after: 1 week
warning on 64-bit platforms. Explicitly cast these values to int
to work around this issue, as these values tend to be small.
Spotted by: ia64 tinderbox
providers.
This prevents from listing geoms like <name>.sync which can be confusing.
It still allows to show details about it by giving its name when listing.
MFC after: 1 week
initializing the sysctl mibs data before actually using them.
The original patchset (which is the actual version that is running
on my testboxes) have checked whether all of these sysctls and
refuses to do background fsck if we don't have them. Kirk has
pointed out that refusing running fsck on old kernels is pointless,
as old kernels will recompute the summary at mount time, so I
have removed these checks.
Unfortunately, as the checks will initialize the mib values of
those sysctl's, and which are vital for the runtime summary
adjustment to work, we can not simply remove the check, which
will lead to problem when running background fsck over a dirty
volume. Add these checks in a different way: give a warning rather
than refusing to work, and complain if the functionality is not
available when adjustments are necessary.
Noticed by: A power failure at my lab
Pointy hat: me
MFC After: 3 days
with a signal handler. This fixes a race condition introduced by
compiler reordering that caused dump to sometimes get stuck,
especially while dumping large filesystems.
shared-last-sector problem.
After this change, even if there is more than one provider with the same
last sector, the proper one will be chosen based on its size.
It still doesn't fix the 'c' partition problem (when da0s1 can be confused
with da0s1c) and situation when 'a' partition starts at offset 0
(then da0s1a can be confused with da0s1 and da0s1c). One can use '-h'
option there, when creating device or avoid sharing last sector.
Actually, when providers share the same last sector and their size is equal,
they provide exactly the same data, so the name (da0s1, da0s1a, da0s1c)
isn't important at all.
- Provide backward compatibility.
- Update copyright's year.
MFC after: 1 week
with the kernel compile time option:
options IPFIREWALL_FORWARD_EXTENDED
This option has to be specified in addition to IPFIREWALL_FORWARD.
With this option even packets targeted for an IP address local
to the host can be redirected. All restrictions to ensure proper
behaviour for locally generated packets are turned off. Firewall
rules have to be carefully crafted to make sure that things like
PMTU discovery do not break.
Document the two kernel options.
PR: kern/71910
PR: kern/73129
MFC after: 1 week
hosts to share an IP address, providing high availability and load
balancing.
Original work on CARP done by Michael Shalayeff, with many
additions by Marco Pfatschbacher and Ryan McBride.
FreeBSD port done solely by Max Laier.
Patch by: mlaier
Obtained from: OpenBSD (mickey, mcbride)
very slow process, especially for large file systems that is just
recovered from a crash.
Since the summary is already re-sync'ed every 30 seconds, we will
not lag behind too much after a crash. With this consideration
in mind, it is more reasonable to transfer the responsibility to
background fsck, to reduce the delay after a crash.
Add a new sysctl variable, vfs.ffs.compute_summary_at_mount, to
control this behavior. When set to nonzero, we will get the
"old" behavior, that the summary is computed immediately at mount
time.
Add five new sysctl variables to adjust ndir, nbfree, nifree,
nffree and numclusters respectively. Teach fsck_ffs about these
API, however, intentionally not to check the existence, since
kernels without these sysctls must have recomputed the summary
and hence no adjustments are necessary.
This change has eliminated the usual tens of minutes of delay of
mounting large dirty volumes.
Reviewed by: mckusick
MFC After: 1 week
affect the largest file size that is allowed by the file system.
On the other hand, when creating a snapshot, the snapshot file will
appear as it is as big as the file system itself. Hence we will not
be able to create a file system on large file systems with small
block sizes.
Add a warning about this, and give some hints to correct the issue.
Reviewed by: mckusick
MFC After: 1 week
its value once per ifconfig run. Use Sam's new callback
operation to set it when everything is done.
The purpose for this is that if you did something like
ifconfig bge0 media 100baseTX mediaopt full-duplex
multiple times it would end up causing the PHY to re-sync
since it would send the IOCTLs:
ifconfig bge0 media 100baseTX -mediaopt full-duplex
ifconfig bge0 media 100baseTX mediaopt full-duplex
This would cause the PHY to be updated twice even though
there really wasn't any change since the check in
sys/net/if_media.c would always fail.
Caveat is that this doesn't fix the case of:
ifconfig bge0 media autoselect
etc. since in sys/net/if_media.c it forces an autoselect to go through
the entire process in ifmedia_ioctl :-( :
/*
* If no change, we're done.
* XXX Automedia may invole software intervention.
* Keep going in case the the connected media changed.
* Similarly, if best match changed (kernel debugger?).
*/
if ((IFM_SUBTYPE(newmedia) != IFM_AUTO) &&
(newmedia == ifm->ifm_media) &&
(match == ifm->ifm_cur))
return 0;
Briefly looked at by: sam
with -k option and never be used without kflag. This confuses
gcc because we set "kflag" at the same time with "kernel", but
the logic is not that apparent for gcc.
Since we can initialize "kernel" to NULL then know if "k" option
is set through determining whether it is still NULL, don't try
to have gcc to guess why we are connecting "kflag" with "kernel"
and use "kernel" directly in place of kflag.
Bump WARNS?= from 2 to 6
the new filesystem. This is intended for memory and vnode filesystems
that will never be fsck'ed or dumped.
Obtained from: St. Bernard Software RAPID
MFC after: 2 weeks
generate snapshots in when -L is requested. If the .snap directory
does not exist, or is not a directory, issue a warning and revert
to the non-live behavior.
Obtained from: St. Bernard Software RAPID
- Initialize everything in the struct array, not only the mentioned
ones
- Unconditionally initialize hs to 0 to avoid repeatedly doing so
- Cast to unsigned int when comparing to unsigned variables.
This commit replaces those with two new functions that simplify the code
and produce warnings that the syntax is deprecated. A small number of
sensible abbreviations may be explicitly added based on user feedback.
There were previously three types of strncmp use in ipfw:
- Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av
to match string or any shortened form of it. I have replaced this
with a new function _substrcmp(av, "string") which returns 0 if av
is a substring of "string", but emits a warning if av is not exactly
"string".
- The next type was two instances of strncmp(av, "by", 2) which allowed
the abbreviation of bytes to "by", "byt", etc. Unfortunately, it
also supported "bykHUygh&*g&*7*ui". I added a second new function
_substrcmp2(av, "by", "bytes") which acts like the strncmp did, but
complains if the user doesn't spell out the word "bytes".
- There is also one correct use of strncmp to match "table(" which might
have another token after it without a space.
Since I changed all the lines anyway, I also fixed the treatment of
strncmp's return as a boolean in many cases. I also modified a few
strcmp cases as well to be fully consistent.
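The matching rules this commit message describes, as an added sketch that is not the ipfw source: the `legacy_*` functions model the old strncmp() tests, and `substrcmp_sketch` / `substrcmp2_sketch` are hypothetical stand-ins for the two new helpers. The comparison length is assumed to be the length of the user's token, and a counter stands in for the printed warning.

```c
#include <stdio.h>
#include <string.h>

/* Number of deprecation warnings issued so far (stands in for the
 * diagnostic the real tool would print). */
static int deprecation_warnings;

static void warn_deprecated(const char *got, const char *want)
{
    deprecation_warnings++;
    fprintf(stderr, "DEPRECATED: '%s' accepted as '%s'\n", got, want);
}

/* Old behaviour, first kind: only strlen(av) bytes are compared, so every
 * prefix of the keyword (even the empty string) is accepted silently. */
static int legacy_prefix_match(const char *av, const char *word)
{
    return strncmp(av, word, strlen(av)) == 0;
}

/* Old behaviour, second kind: only the stem is compared, so anything that
 * merely starts with the stem is accepted silently. */
static int legacy_stem_match(const char *av, const char *stem)
{
    return strncmp(av, stem, strlen(stem)) == 0;
}

/* Sketch of the first helper: returns 0 if av is a prefix of word and 1
 * otherwise; warns when av is not spelled out in full. */
static int substrcmp_sketch(const char *av, const char *word)
{
    if (strncmp(av, word, strlen(av)) != 0)
        return 1;
    if (strlen(av) != strlen(word))
        warn_deprecated(av, word);
    return 0;
}

/* Sketch of the second helper: same acceptance as the old stem test, but
 * warns unless the token is exactly the full word. */
static int substrcmp2_sketch(const char *av, const char *stem,
    const char *full)
{
    if (strncmp(av, stem, strlen(stem)) != 0)
        return 1;
    if (strcmp(av, full) != 0)
        warn_deprecated(av, full);
    return 0;
}

int main(void)
{
    /* Constructed tokens; the garbage one is quoted from the message. */
    const char *tokens[] = { "bytes", "byt", "bykHUygh&*g&*7*ui", "packets" };
    size_t i;

    for (i = 0; i < sizeof(tokens) / sizeof(tokens[0]); i++)
        printf("%-20s legacy=%d new=%d\n", tokens[i],
            legacy_stem_match(tokens[i], "by"),
            substrcmp2_sketch(tokens[i], "by", "bytes") == 0);

    /* "queue" is a constructed keyword for the prefix case. */
    printf("'que' for 'queue': legacy=%d new=%d\n",
        legacy_prefix_match("que", "queue"),
        substrcmp_sketch("que", "queue") == 0);
    printf("warnings issued: %d\n", deprecation_warnings);
    return 0;
}
```

The warning count is what makes the deprecated spellings visible: acceptance is unchanged, but every token that is not the full keyword is now reported.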
- Convert the (char *) cast+cast backs magic to
memcpy(3). Without this, the resulting code
is potentially risky with higher optimization
levels.
- Avoid same name when calling local variables,
as well as global symbols. This reduces
confusion for both human and compiler.
- Add necessary casts, consts
- Use new style function definition.
- Minor style.Makefile(5) tweak
- Bump WARNS?= from 0 to 6
** for the aout code: changes are intentionally limited
to ease maintenance.
the given providers. Without even one of the configured components there
should be no way to get the secret.
Supported by: WHEEL Sp. z o.o.
http://www.wheel.pl
- Use more ``const''s where suitable.
- Define strk() as a static function in global scope.
This avoids the "nested extern declaration" warnings.
- Use static initialization of strings, rather than
referring string constants through char *.
- Bump WARNS from 0 to 6.
complementing the existing special case of a not existing /dev prefix
with the recognition of an already existing /dev prefix.
This implicitly solves the following two issues related to working on
GEOM devices /dev/foo/bar (which have the GEOM provider name "foo/bar")
with the expected commands like "bsdlabel /dev/foo/bar":
1. the error "Geom not found" when trying to write or edit the BSD
label (because previously the incorrect GEOM name "bar" instead of
"foo/bar" was derived from "/dev/foo/bar").
2. the multiple times reported "magically introduced" partition offset
of 63 blocks and the resulting errors like "partition extends past
end of unit" and "partition c doesn't start at 0!".
This implicitly resulted because bsdlabel(8) determines the "MBR
offset" via GEOM and (intentionally) silently falls back to an offset
of 0 if it could not be queried (which is the case if the name was
incorrectly derived).
Usually (at least on PCs) the offset for the first slice is 63 blocks
and bsdlabel(8) automatically subtracts them from the absolute
offsets in the read on-disk BSD label, resulting in the display of an
effective offset of 0. If the GEOM query fails, the assumed offset of
0 is subtracted and an incorrect effective offset of 63 is displayed
and tried to be worked upon.
Reviewed by: pjd
MFC after: 1 week
checking and only recognizes numbers in base 10. The attached patch
checks errno after strtol() and uses a base of 0 to allow octal, or hex
sector numbers too.
PR: 73112
Submitted by: keramida
MFC after: 2 weeks
strings. This isn't necessarily a bug, but it can be slightly inconvenient,
because atol() doesn't know how to parse hexadecimal or octal numbers and at
least one of the options of ffsinfo(8) would be easier to use if it did.
Changing atol() -> strtol() allows one to use hex masks for -l MASK, i.e.:
orion:/a/freebsd/src/sbin/ffsinfo# ./ffsinfo -l 0x3ff /
PR: 73110
Submitted by: keramida
MFC after: 2 weeks
special-purpose code to display status for an interface for
state that was not address-oriented. This status reporting
was merged in to the address-oriented status reporting but
did not work for link address reporting (as discovered with
fwip interfaces). Correct this mis-merge and eliminate the
bogus kludge that was used for link-level address reporting.
o add an af_other_status method for an address family for
reporting status of things like media, vlan, etc.
o call the af_other_status methods after reporting address
status for an interface
o special-case link address status; when reporting all
status for an interface invoke it specially prior to
reporting af_other_status methods (since it requires the
sockaddr_dl that is passed in to status separately from
the rtmsg address state)
o correct the calling convention for link address status;
don't cast types, construct the proper parameter
This fixes ifconfig on fwip interfaces.
show file name for 'mdconfig -l -u <x>' command.
This allows to preserve API/ABI compatibility with version 0 (that's why
I changed version number back to 0) and will allow to merge this change
to RELENG_5.
MFC after: 5 days
After this change, when component is disconnected because of an I/O error,
it will not be connected and synchronized automatically, it will be logged
as broken and skipped. Autosynchronization can occur, when component is
disconnected (on orphan event) and connected again - there was no I/O
error, so there is no need to not connect the component, but when there were
writes while it wasn't connected, it will be synchronized.
This fixes cases, when component is disconnected because of I/O error and can be
connected again and again.
- Bump version number.
- Implement backward compatibility mechanism. After this change when metadata in
old version is detected, it is automatically upgraded to the new (current)
version.
After this change, when component is disconnected because of an I/O error,
it will not be connected and synchronized automatically, it will be logged
as broken and skipped. Autosynchronization can occur, when component is
disconnected (on orphan event) and connected again - there was no I/O
error, so there is no need to not connect the component, but when there were
writes while it wasn't connected, it will be synchronized.
This fixes cases, when component is disconnected because of I/O error and can be
connected again and again.
- Bump version number.
- Add version change history.
- Implement backward compatibility mechanism. After this change when metadata in
old version is detected, it is automatically upgraded to the new (current)
version.
o break per-address family support out into separate files
o modularize per-address family and functional operations using
a registration mechanism; this permits configuration according
to which files you include (but beware that order of the files
is important to ensure backwards compatibility)
o many cleanups to eliminate incestuous behaviour, global variables,
and poor coding practices (still much more to fix)
The original motivation of this work was to support dynamic addition
of functionality based on the interface so we can eliminate the various
little control programs and so that vendors can distribute ifconfig
plugins that support their in-kernel code. That work is still to be
completed.
o Update 802.11 support for all the new net80211 functionality; some
of these operations (e.g. list *) may be better suited in a different
program
allows the user to force the creation of a GPT even when there's a
MBR on the device. The MBR is simply wiped and any partitions
described by it are lost. Without the -f option one cannot create
a GPT when there's a MBR.
and 'mediasz' is in bytes. As it so happens, we define 'last' as the
sector number of the last sector on the medium which also is the size
of the PMBR partition. Therefore, use 'last' instead of 'mediasz'.
Submitted by: Dan Markarian <markarian at apple dot com>
to lo(4) interfaces to have an effect, and that this is not needed
when using IP fast forwarding.
Sponsored by: eXtensible Open Router Project <URL:http://www.xorp.org/>
MFC after: 3 weeks
to PRECIOUSLIB from bsd.lib.mk. The side effect of this
is making installing the world under jail(8) possible by
using another knob, NOFSCHG.
Reviewed by: oliver
implying that geom(8) is a RAID solution, but it can be used for that
purpose, and a pointer in that direction is better than nothing.
PR: 73088
Submitted by: Miguel Mendez <flynn@energyhq.es.eu.org>
the MBR after it is migrated to a GPT. While this was useful during
the early days when GPT support was under development, it's something
that users can use without knowing what they're getting themselves
into. The possible harm outweighs the marginal usefulness it now has.
reversals+system lock ups if they are using ucred based rules
while running with debug.mpsafenet=1.
I am working on merging a shared locking mechanism into ipfw which
should take care of this problem, but it still requires a bit more
testing and review.
1) ginode() is passed a cylinder group number and inode number. The inode
number is relative to the cg. Use this relative number rather than the
absolute inode number when searching the cg inode bitmap to see if the inode
is allocated. Using the absolute number quickly runs the check off the end
of the array and causes invalid inodes to be referenced.
2) ginode() checks the absolute inode number to make sure that it is greater
than ROOTINO. However, the caller loops through all of the possible inode
numbers and directly passes in values that are < ROOTINO. Instead of halting
the program with an error, just return NULL.
3) When allocating new cylinder groups, growfs was initializing all of the
inodes in the group regardless of this only being required for UFS1. Not
doing this for UFS2 provides a significant performance increase.
These fixes allow growing a filesystem beyond a trivial amount and have
been tested to grow an 8GB filesystem to 1.9TB. Much more testing would
be appreciated.
Obtained from: Sandvine, Inc.
count of zero and instead encode this information in the inode state.
Pass 4 performed a linear search of this list for each inode in
the file system, which performs poorly if the list is long.
Reviewed by: sam & keramida (an earlier version of the patch), mckusick
MFC after: 1 month
- Document better what the -C option means.
- The -c option is currently a no-op.
- The -D and -h options do not allow switching between
single/dual console modes and internal/video consoles.
(This used to be true for the old biosdisk boot code,
but now they just force the multiple consoles mode and
serial console, respectively.)
1M blocks and optionally write the read data to a file or disk.
If a read error happens, the 1M block gets put on the end of the worklist
and will be retried with 64k blocksize.
If a read error happens again, the 64k block gets put at the end of the
worklist and will be retried with single sector reads.
The program keeps trying until you stop it.
You can refresh a disk:
recoverdisk /dev/ad1 /dev/ad1
or salvage a floppy:
recoverdisk /dev/fd0 myfloppy.flp
standing ability to list a nonexistent device in /etc/ttys to keep it
from dying. This is a documented feature of init(8):
The init utility can also be used to keep arbitrary daemons running,
automatically restarting them if they die. In this case, the first field
in the ttys(5) file must not reference the path to a configured device
node and will be passed to the daemon as the final argument on its command
line. This is similar to the facility offered in the AT&T System V
UNIX /etc/inittab.
So rather than fix the man page to 'break' this feature, back out the change.
At the time this change was made, people felt that the spamage from
getty was annoying on headless consoles. Andrew Gallatin noted:
> Most of my machines are headless without video cards and use a serial
> console. With devfs this means that /dev/ttyv[1-N] do not exist and
> getty bitches like this:
>
> Sep 26 11:00:11 monet getty[543]: open /dev/ttyv1: No such file or directory
and we went off and applied this hack rather than fixing getty to
sleep forever when it gets an unknown device, as was Andrew's other
suggestion. Since it breaks things, I'm off to do that instead.
and disklabel.5. Referencing bsdlabel.5 is somewhat bogus as it is not
connected to the build and is mostly unwritten at this point.
Reported by: Matthias Andree <matthias.andree at web.de>
PR: docs/72020
After this change it should be possible to use very big md(4) devices.
- Clean up and simplify the code a bit.
- Use humanize_number(3) to print size of md(4) devices.
- Add 't' suffix which stands for terabyte.
- Make '-S' to really work with all types of devices.
- Other minor changes.
and sent to the DIVERT socket while the original packet continues with the
next rule. Unlike a normally diverted packet no IP reassembly attempts are
made on tee'd packets and they are passed upwards totally unmodified.
Note: This will not be MFC'd to 4.x because of major infrastructure changes.
PR: kern/64240 (and many others collapsed into that one)
contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical
operator bits get clobbered, making it impossible to use the ``NOT'' or
``OR'' operators with uid, gid and jail based constraints.
The ipfw_insn instruction template contains a ``len'' element which
stores two pieces of information, the size of the instruction
(in 32-bit words) in the low 6 bits of "len" with the 2 remaining
bits to implement OR and NOT.
The current code clobbers the OR and NOT bits by initializing the
``len'' element to the size, rather than OR'ing the bits. This change
fixes this by changing the initialization of cmd->len to an OR operation
for the O_UID, O_GID and O_JAIL opcodes.
This may be a MFC candidate for RELENG_5.
Reviewed by: andre
Approved by: luigi
PR: kern/63961 (partially)
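The flag clobbering this commit message describes, as an added model that is not the ipfw source: `struct insn_sketch`, the opcode number, and the helper names are hypothetical, and which of the two high bits means NOT and which means OR is an assumption of the sketch. It puts the assignment that loses the flags beside the OR that keeps them and shows what the difference does to a negated match.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the instruction header described above: the low
 * 6 bits of len hold the size in 32-bit words, the top 2 bits hold the
 * NOT and OR operators (bit assignment assumed for this sketch). */
#define F_NOT      0x80
#define F_OR       0x40
#define F_LEN_MASK 0x3f

#define OP_UID_SKETCH 1         /* hypothetical opcode number */

struct insn_sketch {
    uint8_t  opcode;
    uint8_t  len;               /* flags | size in 32-bit words */
    uint16_t arg1;
};

/* Before the fix: plain assignment wipes any flag already recorded. */
static void set_len_clobber(struct insn_sketch *cmd, uint8_t words)
{
    cmd->len = words;
}

/* After the fix: OR the size in so the flag bits survive. The range and
 * "size not yet set" checks are additions of this sketch. */
static int set_len_preserve(struct insn_sketch *cmd, uint8_t words)
{
    if (words == 0 || words > F_LEN_MASK)
        return -1;              /* would spill into the flag bits */
    if (cmd->len & F_LEN_MASK)
        return -1;              /* size was already set */
    cmd->len |= words;
    return 0;
}

static unsigned insn_words(const struct insn_sketch *cmd)
{
    return cmd->len & F_LEN_MASK;
}

/* Result of the instruction given whether the underlying test matched. */
static int effective_match(const struct insn_sketch *cmd, int raw_match)
{
    return (cmd->len & F_NOT) ? !raw_match : !!raw_match;
}

/* Parse-time model of "[not] uid N": the operator flag is recorded first,
 * then the opcode handler fills in the size (2 words: header plus one
 * 32-bit operand, a constructed value). */
static struct insn_sketch build_uid_insn(int negate, int use_fix)
{
    struct insn_sketch cmd = { OP_UID_SKETCH, 0, 0 };

    if (negate)
        cmd.len |= F_NOT;
    if (use_fix)
        (void)set_len_preserve(&cmd, 2);
    else
        set_len_clobber(&cmd, 2);
    return cmd;
}

int main(void)
{
    struct insn_sketch before = build_uid_insn(1, 0);
    struct insn_sketch after = build_uid_insn(1, 1);

    /* raw_match = 1 means the packet's uid equals the rule's uid. */
    printf("before: len=0x%02x words=%u 'not uid' matches owner: %d\n",
        (unsigned)before.len, insn_words(&before), effective_match(&before, 1));
    printf("after:  len=0x%02x words=%u 'not uid' matches owner: %d\n",
        (unsigned)after.len, insn_words(&after), effective_match(&after, 1));
    return 0;
}
```

In the model, the clobbered instruction still has the right size, so nothing fails at parse time; the rule simply matches the opposite set of packets from the one the administrator wrote.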
0xffffffff sectors. Document this limit and avoid installing bogus
labels on disks with more sectors.
Allowing the installation of labels addressing as much of the disk as
possible may be a useful addition in some situations, but this was easy
to implement and should reduce confusion.
PR: bin/71408
increasing it. Add code to ifconfig to use this size to find the
sockaddr_dl after the struct if_data in the routing message. This
allows struct if_data to grow (up to 255 bytes) without breaking
ifconfig.
Submitted by: peter
keyword but without 'logamount' limit the amount of their log messages
by net.inet.ip.fw.verbose_limit sysctl value.
RELENG_5 candidate.
PR: kern/46080
Submitted by: Dan Pelleg
MFC after: 1 week
verification of regular data when device is in complete state.
On verification error, EIO error is returned for the bio and sysctl
kern.geom.raid3.stat.parity_mismatch is increased.
Suggested by: phk
as well, even if device is in complete state.
I observe 40% of speed-up with this option for random read operations,
but slowdown for sequential reads.
Basically, without this option reading from a RAID3 device built from 5
components (c0-c4) looks like this:
Request no.    Used components
1              c0+c1+c2+c3
2              c0+c1+c2+c3
3              c0+c1+c2+c3
With the new feature:
Request no.    Used components
1              c0+c1+c2+c3
2              (c1^c2^c3^c4)+c1+c2+c3
3              c0+(c0^c2^c3^c4)+c2+c3
4              c0+c1+(c0^c1^c3^c4)+c3
5              c0+c1+c2+(c0^c1^c2^c4)
6              c0+c1+c2+c3
[...]
has only been partly initialized via newfs(8) so that it applies to both
UFS1 and UFS2.
Submitted by: "Xin LI" delphij at frontfree dot net
MFC: maybe?
Only the actual loopback address should be declared passive, other
addresses are very likely to be desirable to announce.
Check for IFF_LOOPBACK instead of IFF_PASSIVE to determine if we have
an unknown interface type.
Since the only thing truly unique about a prison is its ID, I figured
this would be the most granular way of handling this.
This commit makes the following changes:
- Adds tokenizing and parsing for the ``jail'' command line option
to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While I am here, add a comment informing others that if they
want to add additional opcodes, they should append them to the end
of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.
This change was a strong motivator behind the ucred caching
mechanism in ipfw.
A sample usage of this new functionality could be:
ipfw add count ip from any to any jail 2
It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.
Conceptual head nod by: pjd
Reviewed by: rwatson
Approved by: bmilekic (mentor)
This is implemented through SNMP and requires the ilmi daemon to
run on the system. To prevent bloat in rescue the atmconfig for
rescue is compiled without this stuff.
For incoming packets, the packet's source address is checked if it
belongs to a directly connected network. If the network is directly
connected, then the interface the packet came on in is compared to
the interface the network is connected to. When incoming interface
and directly connected interface are not the same, the packet does
not match.
Usage example:
ipfw add deny ip from any to any not antispoof in
Manpage education by: ru
It allows to fix problems when last provider's sector is shared between few
providers.
- Bump version number for CONCAT and STRIPE and add code for backward
compatibility.
- Do not bump version number of MIRROR, as it wasn't officially introduced yet.
Even if someone started to play with it, there is no big deal, because
wrong MD5 sum of metadata will deny those providers.
- Update manual pages.
- Add version history to g_(stripe|concat).h files.
the bug exists in little-endian machine, it was not triggered due
to the difference of memory ordering between little/big endian
machines. Instead of relying on possibly modified value during
function invocations, use saved copy of ifr.ifr_addr.sa_family.
Also add a comment at the top of ifconfig.c clarifying the issue
so the bug won't re-appear.
Approved by: jake
Reviewed by: yar
partitions and removes any that matches the pre-conditions. The
options are the same for the add command and are used to select
the partitions to remove.
Currently the remove command without any options deletes all GPT
partitions. This is rather harmful and will need anti-footshooting
measures.
starts at 1. No index is represented by 0.
o Change the show command to display the partition number at the expense
of the partition end column. We already display the start and size.
o Enhance the add command to accept the -i option. The -i option allows
the user to specify which partition number the new partition should
get.
o Update the manpage accordingly.
While here:
o Make the UUIDs static to avoid runtime initialization,
o Rename ext to mslinux,
o Replace the use of memcmp() with uuid_equal(),
o Various style(9) improvements,
o Order the comparisons based on importance,
o Remove the word partition from all the descriptions,
o Other description improvements.
Includes patch from: T. Muthu Mohan < Muthu_T at dell dot com >
new problem shows up: symbolic links (<libname>.so) are created under
/usr/lib/ now, instead of under /lib/geom/ where geom(8) looks for them.
Introduce a workaround to fix this by teaching geom(8) to open libraries
via /lib/geom/<libname>.so.<major_number> instead of /lib/geom/<libname>.so.
features. The gmirror(8) utility should be used for control of this class.
There is no manual page yet, but I'm working on it with keramida@.
Many useful tests provided by: simon (thank you!)
Some ideas from: scottl, simon, phk
provider.
- Bump version number.
This allows for a quite interesting trick. One can setup a stripe with
stripe size of 512 bytes and create transparent provider on top of it
with sector size equal to <ndisks> * 512. The result will be something
like RAID3 without parity disk (every access will touch all disks).
RTF_BLACKHOLE as well.
To quote the submitter:
The uRPF loose-check implementation by the industry vendors, at least on Cisco
and possibly Juniper, will fail the check if the route of the source address
is pointed to Null0 (on Juniper, discard or reject route). What this means is,
even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
as a pseudo-packet-firewall without using any manual filtering configuration --
one can simply inject an IGP or BGP prefix with next-hop set to a static route
that directs to null/discard facility. This results in uRPF Loose-check failing
on all packets with source addresses that are within the range of the nullroute.
Submitted by: James Jun <james@towardex.com>
where boot.config needs to reside. Also change /kernel
to /boot/loader, as that is the apparent default now. This
man page probably requires more updates.
Add a MOD_QUIESCE event for modules. This should return error (EBUSY)
if the module is in use.
MOD_UNLOAD should now only fail if it is impossible (as opposed to
inconvenient) to unload the module. Valid reasons are memory references
into the module which cannot be tracked down and eliminated.
When kldunloading, we abandon if MOD_UNLOAD fails, and if -force is
not given, MOD_QUIESCE failing will also prevent the unload.
For backwards compatibility, we treat EOPNOTSUPP from MOD_QUIESCE as
success.
Document that modules should return EOPNOTSUPP for unknown events.
This class is used for detecting volume labels on file systems:
UFS, MSDOSFS (FAT12, FAT16, FAT32) and ISO9660.
It also provides native labelization (there is no need for file system).
g_label_ufs.c is based on geom_vol_ffs from Gordon Tetlow.
g_label_msdos.c and g_label_iso9660.c are probably hacks, I just found
where volume labels are stored and I use those offsets here,
but with this class it should be easy to do it as it should be done by
someone who knows how.
Implementing volume labels detection for other file systems also should
be trivial.
New providers are created in those directories:
/dev/ufs/ (UFS1, UFS2)
/dev/msdosfs/ (FAT12, FAT16, FAT32)
/dev/iso9660/ (ISO9660)
/dev/label/ (native labels, configured with glabel(8))
Manual page cleanups and some comments inside were submitted by
Simon L. Nielsen, who was, as always, very helpful. Thanks!
manpage:
The comparison function must return an integer less than, equal to, or
greater than zero if the first argument is considered to be respectively
less than, equal to, or greater than the second.
Therefore, simply returning "arg1 > arg2" is incorrect. Actually it works
but for the number of items to be sorted less than 7 due to special case
handling in qsort(3);
o add missing '\n' to one of usage() calls.
Approved by: phk
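The comparator contract quoted in this commit message, as an added example that is not code from the commit: `cmp_boolean` returns the result of `>` as described, `cmp_three_way` is one conforming replacement, and `contract_violations` is a hypothetical checker that counts pairs where swapping the arguments does not flip the sign. The integer sample is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Constructed sample: ten distinct values, so there are 45 pairs. */
static const int SAMPLE[] = { 9, 4, 7, 1, 8, 2, 6, 3, 5, 0 };
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* The pattern the message calls incorrect: yields 0 or 1, never a
 * negative value, so "less than" looks the same as "equal". */
static int cmp_boolean(const void *a, const void *b)
{
    return *(const int *)a > *(const int *)b;
}

/* Conforming three-way result without the overflow risk of "x - y". */
static int cmp_three_way(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;

    return (x > y) - (x < y);
}

static int sgn(int v)
{
    return (v > 0) - (v < 0);
}

/* Count pairs for which cmp(a, b) and cmp(b, a) do not have opposite
 * signs; a conforming comparator yields 0. */
static int contract_violations(cmp_fn cmp, const int *v, size_t n)
{
    int bad = 0;
    size_t i, j;

    for (i = 0; i < n; i++)
        for (j = i + 1; j < n; j++)
            if (sgn(cmp(&v[i], &v[j])) != -sgn(cmp(&v[j], &v[i])))
                bad++;
    return bad;
}

static int is_sorted(const int *v, size_t n)
{
    size_t i;

    for (i = 1; i < n; i++)
        if (v[i - 1] > v[i])
            return 0;
    return 1;
}

/* Sort a copy of the sample with cmp and report whether it came out in
 * ascending order. */
static int sort_and_check(cmp_fn cmp)
{
    int v[SAMPLE_LEN];

    memcpy(v, SAMPLE, sizeof(SAMPLE));
    qsort(v, SAMPLE_LEN, sizeof(v[0]), cmp);
    return is_sorted(v, SAMPLE_LEN);
}

int main(void)
{
    printf("boolean comparator:   %d contract violations\n",
        contract_violations(cmp_boolean, SAMPLE, SAMPLE_LEN));
    printf("three-way comparator: %d contract violations, sorted=%d\n",
        contract_violations(cmp_three_way, SAMPLE, SAMPLE_LEN),
        sort_and_check(cmp_three_way));
    /* Whether qsort() happens to sort correctly with cmp_boolean depends
     * on the implementation and input size, so it is only reported. */
    printf("boolean comparator sorted=%d (implementation dependent)\n",
        sort_and_check(cmp_boolean));
    return 0;
}
```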
- g_lcm() - calculates Least Common Multiple of two given values,
it is helpful when we need to find sector size for provider
which is based on disks with different sector size;
- g_get_mediasize() - returns media size of given provider;
- g_get_sectorsize() - returns sector size of given provider;
Those functions aren't used now, but are used by geom_mirror which will be
committed soon.
routed should be able to specify multicast memberships to be added by
interface index. This should fix the unnumbered / point-to-point case
for RIPv2.
PR: bin/51927
Requested by: Eugene Grosbein
modification of a patch which was already applied for BSD/OS in the
Rhyolite.com sources; this file is already off the vendor branch.
PR: bin/57484
Submitted by: Richard Perini
o Add sanity checking to the firewall delete operation
which tells the user that a firewall rule
specification is required.
The previous behaviour was to exit without reporting any
errors to the user.
Approved by: bmilekic (mentor)