Age | Commit message | Author |
|
OK sthen (on a slightly different configure script version)
|
|
It is of course not relevant for us but introduces a diff when
the configure script is regenerated on upgrades and this file is
not around.
|
|
makes no sense. Yes it breaks function address equality and therefore
the expectations of the standard C language. However declaring symbols
with protected visibility isn't standard C in the first place.
Fixes linking non-PIC/PIE code with lld on amd64.
ok millert@
|
|
|
|
with that of the '-l' case.
From David Hines on bugs@.
ok millert@
|
|
locked in stone yet, but the clock starts ticking...
|
|
Flow labels used to be 24-bit back in 1995 until the IPv6 header format
changed in 1998 when the field size was reduced to 20-bit.
https://tools.ietf.org/html/rfc1883#section-6
https://tools.ietf.org/html/rfc2460#section-6
OK denis deraadt
|
|
Previously, these would only be exported if they were present
in the environment when the shell started. OK deraadt@ anton@ kn@
|
|
|
|
|
|
|
|
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
    roa-set {
        165.254.255.0/24 source-as 15562
        193.0.0.0/21 maxlen 24 source-as 3333
    }
    deny from any ovs invalid
    match from any ovs valid set community local-as:42
    match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
    match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
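
How an announcement ends up in one of the three `ovs` states matched by the rules above, following the RFC 6811 procedure over the two roa-set entries from this commit message. This is an added Python example, not bgpd code; `load_roas`, `ovs`, `POLICY` and the sample announcements are constructed for illustration, and it assumes bgpd's `ovs` follows RFC 6811.

```python
import ipaddress

# ROA entries copied from the roa-set above: (prefix, maxlen, source-as).
# Assumption: an entry without "maxlen" only authorises its own prefix length.
ROA_SET = [
    ("165.254.255.0/24", None, 15562),
    ("193.0.0.0/21", 24, 3333),
]

# The three filter rules above, keyed by validation state.
POLICY = {
    "invalid": "deny",
    "valid": "set community local-as:42",
    "not-found": "set community local-as:43",
}


def load_roas(entries):
    """Parse entries into (network, effective maxlen, origin AS) tuples."""
    roas = []
    for prefix, maxlen, asn in entries:
        net = ipaddress.ip_network(prefix)
        roas.append((net, net.prefixlen if maxlen is None else maxlen, asn))
    return roas


def ovs(roas, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, maxlen, asn in roas:
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True
        if route.prefixlen <= maxlen and asn == origin_as:
            return "valid"
    # Covered by some ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    # Constructed announcements (prefix, origin AS); not taken from the page.
    for pfx, asn in [("193.0.4.0/24", 3333), ("193.0.4.0/25", 3333),
                     ("193.0.0.0/21", 64500), ("165.254.255.0/25", 15562),
                     ("198.51.100.0/24", 64500)]:
        state = ovs(load_roas(ROA_SET), pfx, asn)
        print(f"{pfx:20} AS{asn:<6} {state:10} -> {POLICY[state]}")
```

A more-specific announcement inside a covered prefix is `invalid` even with the right origin AS once it exceeds the maxlen, which is why the `deny ... ovs invalid` rule also drops too-specific announcements from the legitimate origin.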
|
|
potentially much bigger. In bad cases the SE activated the config way
before the RDE which is not ideal. Introduce IMSG_RECONF_DRAIN which
acts as a barrier and ensures that both children got all the config.
Only after that the IMSG_RECONF_DONE message is sent activating
the config in the children more or less simultaneously.
OK benno@
|
|
which prefixes were sent out as UPDATE. At withdraw time the RB tree can be
consulted to know if the withdraw actually needs to be sent to the peer.
This replaces the faulty heuristic that was used before and caused either
that unneeded withdraw to be sent or in the worst case failing to send a
necessary withdraw resulting in stuck routes.
OK benno@
|
|
|
|
to unsigned int.
OK deraadt@
|
|
But there was still the header line. Make -r0 really quiet and
document the feature.
OK deraadt@
|
|
missing after reinstall.
|
|
(and this is allowed by POSIX). OK deraadt@ kn@
|
|
filename1 - given via args - read permission
filename2 - same as above
tmpdir - if TMPDIR env var is changed, or _PATH_TMP by default -
read/write/create/delete permissions
/usr/bin/diff - the default diff program - execute permission
_PATH_BSHELL - to spawn an EDITOR/VISUAL if -o is used - execute
permission
this diff only applies unveil(2) if -F is not used, meaning that we are not
changing the default diff program to be used since that way we would need to
find where the binary is whereas by default we are sure that the path is
/usr/bin/diff. this will be revisited at a later stage to cover all cases.
feedback and OK millert@ deraadt@
|
|
help from solene, jmc, and schwarze
|
|
|
|
default, with read permissions.
report and fix provided by semarie@
OK deraadt@
|
|
OK deraadt@ and kettenis@
|
|
OK mlarkin@
|
|
Please avoid tabs and excessive multi-line information with log_debug
as it also goes to syslog.
No functional change.
|
|
Reported by Greg Steuck
OK mlarkin@
|
|
People reading the present page will almost certainly need it
because that's where all the sysctl variables are described.
|
|
The following files are opened in the privsep proc, with read permissions, and
therefore need to be unveiled:
- /etc/pf.os - for OS fingerprinting, but only unveiled if -o flag is used
- /etc/ethers - ether_ntohost(3)
- /etc/rpc - getrpcbynumber(3)
Additional files are also opened, but they are either opened before reaching
this code path, or are covered by pledge(2)'s dns promise.
shown and tested by a few people
OK brynet@ deraadt@
|
|
makes it more readable.
ok stsp@ and jmatthew@
|
|
ok deraadt@
|
|
This is also used to simplify the vmd rc stop script.
OK mlarkin@ ccardenas@
|
|
|
|
ok claudio@
|
|
ok visa@
|
|
RTF_LOCAL entries or static ARP entries don't have parents, so the logic
was incorrect. Note that it might be possible to extend the logic to work
with non-cloned L2 entries but the few use cases do not justify the
complexity (yet).
Problem reported & fix tested by Elie Bouttier.
ok bluhm@, visa@, claudio@
|
|
|
|
program. An absolute path seems to fix this.
|
|
Adjust expected output.
|
|
input jmc@; OK sthen@
|
|
always starting in home, GitHub issue 1488.
|
|
The files needed to be unveiled directly or indirectly via libutil are the
following:
- _PATH_MASTERPASSWD_LOCK - write/create permissions
- _PATH_MASTERPASSWD - read permission
- _PATH_BSHELL - execute permission
- _PATH_PWD_MKDB - execute permission
_PATH_MASTERPASSWD gets read and then _PATH_MASTERPASSWD_LOCK is created and
the content of the former is written on the latter. After this _PATH_BSHELL
spawns an EDITOR (vi(1) by default) and at the end then _PATH_PWD_MKDB is run
to update the _PATH_MASTERPASSWD based on what was actually changed in
_PATH_MASTERPASSWD_LOCK.
OK deraadt@
|
|
This lets userspace distinguish between idle CPUs and those that are
not schedulable because hw.smt=0.
A subsequent commit probably needs to add documentation for this
to sysctl.2 (and perhaps elsewhere) after the dust settles.
Also included here are changes to systat(1) and top(1) that account
for the ENODEV case and adjust behavior accordingly:
- systat(1)'s cpu view prints placeholder marks ('-') instead of
percentages for each state if the given CPU is offline.
- systat(1)'s vmstat view checks for offline CPUs when computing the
machine state total and excludes them, so the CPU usage graph
only represents the states for online CPUs.
- top(1) does not draw CPU rows for offline CPUs when the view is
redrawn. If CPUs "go offline", percentages for each state are
replaced by placeholder marks ('-'); the view will need to be
redrawn to remove these rows. If CPUs "go online" the view will
need to be redrawn to show these new CPUs. In "combined CPU" mode,
the count and the state totals only represent online CPUs.
Ports using KERN_CPTIME2 will need to be updated. The changes
described above to make systat(1) and top(1) aware of the ENODEV
case *and* gracefully handle a changing HW_NCPUONLINE while the
application is running are not necessarily appropriate for each
and every port.
The changes described above are so extensive in part to demonstrate
one way a program *might* be made robust to changing CPU availability.
In particular, changing hw.smt after boot is an extremely rare event,
and this needs to be weighed when updating ports.
The logic needed to account for the KERN_CPTIME2 ENODEV case is
very roughly:
    if (sysctl(...) == -1) {
        if (errno != ENODEV) {
            /* Actual error occurred. */
        } else {
            /* CPU is offline. */
        }
    } else {
        /* CPU is online and CPU states were set by sysctl(2). */
    }
Prompted by deraadt@. Basic idea for ENODEV from kettenis@. Discussed at
length with kettenis@. Additional testing by tb@.
No complaints from hackers@ after a week.
ok kettenis@, "I think you should commit [now]" deraadt@
|
|
Replace `long long id' with appropriate types and names, use smaller limits
where applicable and move variable declarations up out of loops.
This makes the code clearer and a tad simpler while staying consistent
across databases.
Feedback and OK millert
|
|
instead of bouncing the mail.
ok gilles@
|
|
hostsprint() reserves only 16 columns for IPs and prints one whitespace too
many afterwards. Crank it up to 39 as per hostsaddrinfo() to align nicely.
OK millert
|
|
|
|
soon. OK compiler and grep
|
|
into Makefile. Verbose testing and failing early helps debugging.
Remove the disk image during cleanup to save space.
OK krw@
|
|
withdraw were suddenly filtered out because the filter ran into the
default deny. So for this case (state == NULL) change action to default
allow. This bug was haunting bgpd for a while now causing prefixes to be
stuck for no obvious reason.
OK benno@, sthen@
|