Diffstat (limited to 'sbin')
-rw-r--r--sbin/ifconfig/brconfig.c25
-rw-r--r--sbin/ifconfig/ifconfig.819
-rw-r--r--sbin/ifconfig/ifconfig.c5
-rw-r--r--sbin/ifconfig/ifconfig.h3
-rw-r--r--sbin/mountd/mountd.c15
-rw-r--r--sbin/nfsd/nfsd.c126
6 files changed, 118 insertions, 75 deletions
diff --git a/sbin/ifconfig/brconfig.c b/sbin/ifconfig/brconfig.c
index f6a3d0ef619..4eb8d6cd45d 100644
--- a/sbin/ifconfig/brconfig.c
+++ b/sbin/ifconfig/brconfig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: brconfig.c,v 1.32 2023/11/23 03:38:34 dlg Exp $ */
+/* $OpenBSD: brconfig.c,v 1.33 2025/01/06 17:49:29 denis Exp $ */
/*
* Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -693,6 +693,29 @@ bridge_addendpoint(const char *endpoint, const char *addr)
}
void
+bridge_delendpoint(const char *addr, int d)
+{
+ struct ifbareq ifba;
+ struct ether_addr *ea;
+ int ecode;
+
+ ea = ether_aton(addr);
+ if (ea == NULL) {
+ errx(1, "%s -endpoint %s: invalid Ethernet address",
+ ifname, addr);
+ }
+
+ memset(&ifba, 0, sizeof(ifba));
+ strlcpy(ifba.ifba_name, ifname, sizeof(ifba.ifba_name));
+ strlcpy(ifba.ifba_ifsname, ifname, sizeof(ifba.ifba_ifsname));
+ memcpy(&ifba.ifba_dst, ea, sizeof(struct ether_addr));
+ ifba.ifba_flags = IFBAF_STATIC;
+
+ if (ioctl(sock, SIOCBRDGDADDR, &ifba) == -1)
+ err(1, "%s -endpoint %s", ifname, addr);
+}
+
+void
bridge_addrs(const char *delim, int d)
{
char dstaddr[NI_MAXHOST];
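Review bot: `int ecode;` in the new bridge_delendpoint() is declared but never read or written anywhere in the function, which is fully visible in this hunk; the declaration should be dropped. The function also has no header comment, and it is not obvious why a delete request sets `ifba.ifba_ifsname` and `ifba.ifba_flags = IFBAF_STATIC`. A one-line comment such as `/* remove the endpoint entry for MAC addr from this interface's table */`, plus a note on whether SIOCBRDGDADDR actually consults those two fields, would help the next reader. The `d` parameter is unused as well, but that appears to be imposed by the command-table callback signature.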
diff --git a/sbin/ifconfig/ifconfig.8 b/sbin/ifconfig/ifconfig.8
index 121bb1e8f75..421c6b29113 100644
--- a/sbin/ifconfig/ifconfig.8
+++ b/sbin/ifconfig/ifconfig.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ifconfig.8,v 1.400 2024/06/09 16:25:27 jan Exp $
+.\" $OpenBSD: ifconfig.8,v 1.401 2025/01/06 17:49:29 denis Exp $
.\" $NetBSD: ifconfig.8,v 1.11 1996/01/04 21:27:29 pk Exp $
.\" $FreeBSD: ifconfig.8,v 1.16 1998/02/01 07:03:29 steve Exp $
.\"
@@ -31,7 +31,7 @@
.\"
.\" @(#)ifconfig.8 8.4 (Berkeley) 6/1/94
.\"
-.Dd $Mdocdate: June 9 2024 $
+.Dd $Mdocdate: January 6 2025 $
.Dt IFCONFIG 8
.Os
.Sh NAME
@@ -1841,6 +1841,7 @@ for a complete list of the available protocols.
.Bk -words
.Nm ifconfig
.Ar tunnel-interface
+.Op Oo Fl Oc Ns Cm endpoint Ar dest_address dest_mac
.Op Oo Fl Oc Ns Cm keepalive Ar period count
.Op Oo Fl Oc Ns Cm parent Ar parent-interface
.Op Cm rxprio Ar prio
@@ -1867,6 +1868,20 @@ and
are all tunnel interfaces.
The following options are available:
.Bl -tag -width Ds
+.It Cm endpoint Ar dest_address dest_mac
+When
+.Xr vxlan 4
+is in endpoint mode, set the tunnel endpoint
+.Ar dest_address
+where
+.Ar dest_mac
+MAC address can be reached.
+.It Cm -endpoint Ar dest_mac
+When
+.Xr vxlan 4
+is in endpoint mode, remove the tunnel endpoint for
+.Ar dest_mac
+MAC address.
.It Cm keepalive Ar period count
Enable
.Xr gre 4
diff --git a/sbin/ifconfig/ifconfig.c b/sbin/ifconfig/ifconfig.c
index e3b925fbcd5..4e865668a2b 100644
--- a/sbin/ifconfig/ifconfig.c
+++ b/sbin/ifconfig/ifconfig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ifconfig.c,v 1.474 2024/06/29 12:09:51 jsg Exp $ */
+/* $OpenBSD: ifconfig.c,v 1.475 2025/01/06 17:49:29 denis Exp $ */
/* $NetBSD: ifconfig.c,v 1.40 1997/10/01 02:19:43 enami Exp $ */
/*
@@ -578,6 +578,7 @@ const struct cmd {
{ "flushall", 0, 0, bridge_flushall },
{ "static", NEXTARG2, 0, NULL, bridge_addaddr },
{ "endpoint", NEXTARG2, 0, NULL, bridge_addendpoint },
+ { "-endpoint", NEXTARG, 0, bridge_delendpoint },
{ "deladdr", NEXTARG, 0, bridge_deladdr },
{ "maxaddr", NEXTARG, 0, bridge_maxaddr },
{ "addr", 0, 0, bridge_addrs },
@@ -624,7 +625,7 @@ const struct cmd {
{ "wgpeer", NEXTARG, A_WIREGUARD, setwgpeer},
{ "wgdescription", NEXTARG, A_WIREGUARD, setwgpeerdesc},
{ "wgdescr", NEXTARG, A_WIREGUARD, setwgpeerdesc},
- { "wgendpoint", NEXTARG2, A_WIREGUARD, NULL, setwgpeerep},
+ { "wgendpoint", NEXTARG2, A_WIREGUARD, NULL, setwgpeerep},
{ "wgaip", NEXTARG, A_WIREGUARD, setwgpeeraip},
{ "wgpsk", NEXTARG, A_WIREGUARD, setwgpeerpsk},
{ "wgpka", NEXTARG, A_WIREGUARD, setwgpeerpka},
diff --git a/sbin/ifconfig/ifconfig.h b/sbin/ifconfig/ifconfig.h
index 7df268f46bf..6bc17d56aaf 100644
--- a/sbin/ifconfig/ifconfig.h
+++ b/sbin/ifconfig/ifconfig.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ifconfig.h,v 1.5 2023/11/23 03:38:34 dlg Exp $ */
+/* $OpenBSD: ifconfig.h,v 1.6 2025/01/06 17:49:29 denis Exp $ */
/*
* Copyright (c) 2009 Claudio Jeker <claudio@openbsd.org>
@@ -49,6 +49,7 @@ void bridge_flush(const char *, int);
void bridge_flushall(const char *, int);
void bridge_addaddr(const char *, const char *);
void bridge_addendpoint(const char *, const char *);
+void bridge_delendpoint(const char *, int);
void bridge_deladdr(const char *, int);
void bridge_maxaddr(const char *, int);
void bridge_addrs(const char *, int);
diff --git a/sbin/mountd/mountd.c b/sbin/mountd/mountd.c
index 4d56fe5aff5..f5d38a74a35 100644
--- a/sbin/mountd/mountd.c
+++ b/sbin/mountd/mountd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mountd.c,v 1.96 2024/11/21 13:35:20 claudio Exp $ */
+/* $OpenBSD: mountd.c,v 1.97 2025/01/16 12:48:45 kn Exp $ */
/* $NetBSD: mountd.c,v 1.31 1996/02/18 11:57:53 fvdl Exp $ */
/*
@@ -373,6 +373,19 @@ privchild(int sock)
char *path;
int error, size;
+ if (unveil("/", "r") == -1) {
+ syslog(LOG_ERR, "unveil /: %m");
+ _exit(1);
+ }
+ if (unveil(_PATH_RMOUNTLIST, "rwc") == -1) {
+ syslog(LOG_ERR, "unveil %s: %m", _PATH_RMOUNTLIST);
+ _exit(1);
+ }
+ if (unveil(NULL, NULL) == -1) {
+ syslog(LOG_ERR, "unveil: %m");
+ _exit(1);
+ }
+
if (imsgbuf_init(&ibuf, sock) == -1) {
syslog(LOG_ERR, "imsgbuf_init: %m");
_exit(1);
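Review bot: The three unveil() calls added at the top of privchild() have no comment explaining why the whole tree stays visible, and `unveil("/", "r")` leaves every path readable to this process. Judging by the permission strings, what the lock removes is write, create and exec everywhere except `_PATH_RMOUNTLIST`. A short comment above the block, for example `/* paths anywhere may be looked up; only the rmountlist is written */`, would stop a reader from assuming reads are confined. The operations that need the read access are in the part of privchild() outside this hunk, so the wording should be confirmed against them.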
diff --git a/sbin/nfsd/nfsd.c b/sbin/nfsd/nfsd.c
index 1e00ae5ad9c..b7a9176fbe7 100644
--- a/sbin/nfsd/nfsd.c
+++ b/sbin/nfsd/nfsd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nfsd.c,v 1.43 2025/01/02 21:37:38 kn Exp $ */
+/* $OpenBSD: nfsd.c,v 1.45 2025/01/16 12:46:03 kn Exp $ */
/* $NetBSD: nfsd.c,v 1.19 1996/02/18 23:18:56 mycroft Exp $ */
/*
@@ -105,13 +105,22 @@ main(int argc, char *argv[])
{
struct nfsd_args nfsdargs;
struct sockaddr_in inetaddr;
- int ch, connect_type_cnt, i;
+ int ch, i;
int nfsdcnt = DEFNFSDCNT, on, reregister = 0, sock;
int udpflag = 0, tcpflag = 0, tcpsock;
const char *errstr = NULL;
/* Start by writing to both console and log. */
openlog("nfsd", LOG_PID | LOG_PERROR, LOG_DAEMON);
+
+ if (unveil("/", "") == -1) {
+ syslog(LOG_ERR, "unveil /: %s", strerror(errno));
+ return (1);
+ }
+ if (unveil(NULL, NULL) == -1) {
+ syslog(LOG_ERR, "unveil: %s", strerror(errno));
+ return (1);
+ }
while ((ch = getopt(argc, argv, "n:rtu")) != -1)
switch (ch) {
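Review bot: The unveil lock added to main() has no comment stating its intent, and because it runs before option parsing, everything later in main() executes with no filesystem path visible. A comment such as `/* nfsd opens no files by name: hide the filesystem and lock unveil */` would record that assumption where it is enforced. The rest of main() is outside this hunk, so it is worth confirming that nothing after this point opens a path by name (for instance a daemon(3)-style reopen of /dev/null, if main() has one). Such a call would now fail, possibly without any log line.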
@@ -238,40 +247,36 @@ main(int argc, char *argv[])
/* Now set up the master server socket waiting for tcp connections. */
on = 1;
- connect_type_cnt = 0;
- if (tcpflag) {
- if ((tcpsock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
- syslog(LOG_ERR, "can't create tcp socket");
- return (1);
- }
- if (setsockopt(tcpsock,
- SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
- syslog(LOG_ERR, "setsockopt SO_REUSEADDR: %s", strerror(errno));
- memset(&inetaddr, 0, sizeof inetaddr);
- inetaddr.sin_family = AF_INET;
- inetaddr.sin_addr.s_addr = INADDR_ANY;
- inetaddr.sin_port = htons(NFS_PORT);
- inetaddr.sin_len = sizeof(inetaddr);
- if (bind(tcpsock, (struct sockaddr *)&inetaddr,
- sizeof (inetaddr)) == -1) {
- syslog(LOG_ERR, "can't bind tcp addr");
- return (1);
- }
- if (listen(tcpsock, 5) == -1) {
- syslog(LOG_ERR, "listen failed");
- return (1);
- }
- if (!pmap_set(RPCPROG_NFS, 2, IPPROTO_TCP, NFS_PORT) ||
- !pmap_set(RPCPROG_NFS, 3, IPPROTO_TCP, NFS_PORT)) {
- syslog(LOG_ERR, "can't register tcp with portmap");
- return (1);
- }
- connect_type_cnt++;
- }
-
- if (connect_type_cnt == 0)
+ if (!tcpflag)
return (0);
+ if ((tcpsock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
+ syslog(LOG_ERR, "can't create tcp socket");
+ return (1);
+ }
+ if (setsockopt(tcpsock,
+ SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
+ syslog(LOG_ERR, "setsockopt SO_REUSEADDR: %s", strerror(errno));
+ memset(&inetaddr, 0, sizeof inetaddr);
+ inetaddr.sin_family = AF_INET;
+ inetaddr.sin_addr.s_addr = INADDR_ANY;
+ inetaddr.sin_port = htons(NFS_PORT);
+ inetaddr.sin_len = sizeof(inetaddr);
+ if (bind(tcpsock, (struct sockaddr *)&inetaddr,
+ sizeof (inetaddr)) == -1) {
+ syslog(LOG_ERR, "can't bind tcp addr");
+ return (1);
+ }
+ if (listen(tcpsock, 5) == -1) {
+ syslog(LOG_ERR, "listen failed");
+ return (1);
+ }
+ if (!pmap_set(RPCPROG_NFS, 2, IPPROTO_TCP, NFS_PORT) ||
+ !pmap_set(RPCPROG_NFS, 3, IPPROTO_TCP, NFS_PORT)) {
+ syslog(LOG_ERR, "can't register tcp with portmap");
+ return (1);
+ }
+
setproctitle("master");
/*
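Review bot: The socket(), bind() and listen() failure paths in the re-indented block log fixed strings without the error cause, while the setsockopt() line next to them already appends `strerror(errno)`. An operator looking at "can't bind tcp addr" cannot tell an address already in use from a permission failure. Appending the cause closes that gap, e.g. `syslog(LOG_ERR, "can't bind tcp addr: %s", strerror(errno));`, and likewise for the socket and listen messages. The same applies to "can't Add TCP socket" after nfssvc() in the accept-loop hunk further down. main() starts and continues outside this hunk.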
@@ -279,45 +284,30 @@ main(int argc, char *argv[])
* into the kernel for the mounts.
*/
for (;;) {
- struct pollfd pfd;
struct sockaddr_in inetpeer;
int ret, msgsock;
- socklen_t len;
-
- pfd.fd = tcpsock;
- pfd.events = POLLIN;
+ socklen_t len = sizeof(inetpeer);
- if (connect_type_cnt > 1) {
- ret = poll(&pfd, 1, INFTIM);
- if (ret < 1) {
- syslog(LOG_ERR, "poll failed: %s", strerror(errno));
- return (1);
- }
+ if ((msgsock = accept(tcpsock,
+ (struct sockaddr *)&inetpeer, &len)) == -1) {
+ if (errno == EWOULDBLOCK || errno == EINTR ||
+ errno == ECONNABORTED)
+ continue;
+ syslog(LOG_ERR, "accept failed: %s", strerror(errno));
+ return (1);
}
-
- if (tcpflag) {
- len = sizeof(inetpeer);
- if ((msgsock = accept(tcpsock,
- (struct sockaddr *)&inetpeer, &len)) == -1) {
- if (errno == EWOULDBLOCK || errno == EINTR ||
- errno == ECONNABORTED)
- continue;
- syslog(LOG_ERR, "accept failed: %s", strerror(errno));
- return (1);
- }
- memset(inetpeer.sin_zero, 0, sizeof(inetpeer.sin_zero));
- if (setsockopt(msgsock, SOL_SOCKET,
- SO_KEEPALIVE, &on, sizeof(on)) == -1)
- syslog(LOG_ERR,
- "setsockopt SO_KEEPALIVE: %s", strerror(errno));
- nfsdargs.sock = msgsock;
- nfsdargs.name = (caddr_t)&inetpeer;
- nfsdargs.namelen = sizeof(inetpeer);
- if (nfssvc(NFSSVC_ADDSOCK, &nfsdargs) == -1) {
- syslog(LOG_ERR, "can't Add TCP socket");
- }
- (void)close(msgsock);
+ memset(inetpeer.sin_zero, 0, sizeof(inetpeer.sin_zero));
+ if (setsockopt(msgsock, SOL_SOCKET,
+ SO_KEEPALIVE, &on, sizeof(on)) == -1)
+ syslog(LOG_ERR,
+ "setsockopt SO_KEEPALIVE: %s", strerror(errno));
+ nfsdargs.sock = msgsock;
+ nfsdargs.name = (caddr_t)&inetpeer;
+ nfsdargs.namelen = len;
+ if (nfssvc(NFSSVC_ADDSOCK, &nfsdargs) == -1) {
+ syslog(LOG_ERR, "can't Add TCP socket");
}
+ (void)close(msgsock);
}
}
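Review bot: With the poll() call removed, `ret` in `int ret, msgsock;` is no longer used anywhere in the loop body shown, so the declaration can become `int msgsock;`. Separately, any accept() error other than the three listed still ends the master with `return (1)`, after which no new TCP connections are handed to the kernel. If that is intended for resource-exhaustion errors as well, a comment on that branch saying so would make the availability trade-off explicit.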