Age | Commit message | Author |
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
message is about to be displayed on the console.
|
|
DHCP knowledge and interface manipulation.
Unprivileged process now sends proposal derived from the accepted
lease to the privileged process rather than individual interface
manipulation requests.
The only intended functional change is that /etc/resolv.conf.tail is
not re-read each time a new proposal is implemented, rather than once
at dhclient startup.
|
|
directory writable by group _unwind. Move the on-disk trustanchor to
/var/db/unwind.key.
OK sthen
|
|
Noticed by deraadt@
|
|
Hints and wording from jmc@
|
|
The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.
OK sashan
|
|
For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.
OK sashan
|
|
Open trust anchor file for reading and writing on startup and pass it
to the frontend process. The frontend process seeks and truncates the
file appropriately when writing out new trust anchors learned via DNS
but never closes the file. On error the file is truncated to zero
length.
This is in turn handled on startup by switching to the built-in trust
anchor when no trustanchor can be read from disk.
This sidesteps the need for an unveil'ed directory with "c" permission
and also removes the wpath and cpath pledges from the parent process.
deraadt@ pointed out that my previous design didn't make sense and I
had confused myself along the way. (It did work, but was too
complicated for no good reason.)
While here validate that we actually read a trust anchor from disk by
trying to parse it and checking that it is a DNSKEY. Unfortunately
ub_ctx_add_ta() accepts just any string as a trust anchor without any
validation.
|
|
Shouldn't affect unwind but keeping in sync.
r5108 | wouter | 2019-02-08 15:05:24 +0000 (Fri, 08 Feb 2019) | 3 lines
- Fix #4225: clients seem to erroneously receive no answer with
DNS-over-TLS and qname-minimisation.
|
|
/usr/src/usr.sbin/unbound, diff from florian@
|
|
The captive portal process needs to receive sockets from the main
process to speak http to.
|
|
Do not use the libunbound's auto trust anchor file feature since then
the resolver process needs rpath, wpath, and cpath pledges and
permission on the trust anchor file.
Instead configure the trust anchor as resource record strings. The
parent process opens the file, passes a file descriptor to the frontend
process to parse the file and then passes trust anchors to the
resolver process to (re-)configure the resolver contexts.
The resolver process periodically probes for new trust anchors (DNSKEY
records of the root zone) and passes those to the frontend process.
This in turn requests a file descriptor for writing from the parent
process. Once the trust anchors have been written the parent process
renames the tmp file to the final location.
Also provide a built-in trust anchor for bootstrapping purposes if no
file is found on disk. That way we can get rid of unbound-anchor in
unwind's rc.d script.
|
|
Same fix as in fsck_ffs. OK deraadt@ tb@
|
|
Found the hard way and OK tb@
|
|
decomposition into major and minor is unsigned, so we should print them
with %u instead of %d.
ok guenther
|
|
ok florian
|
|
This requires quite a bit of yak shaving until we can pick up nameservers
from router advertisements.
Pointed out by sthen & kn
|
|
ok sthen
|
|
it will crash when it sees a -1 FD.
Found the hard way by solene on a box without ::1
|
|
Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.
Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.
OK bluhm
|
|
ok florian@
|
|
tweaks and ok florian@
|
|
ok florian@
|
|
ok florian@
|
|
add some to unwind.h
clean up some whitespace.
ok florian@
|
|
of memory and can't do anything else. This way we don't terminate on
config reload with a bad config.
ok florian@
|
|
file.
Prodded by deraadt
|
|
otto@ pointed out that we lost a description on HOW to use macros.
|
|
If it comes from one of our processes and the size does not match what
we expect, call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.
This also applies to receiving resources that we don't expect. For
example, if we have an open UDP listen socket and get a new one passed
from the main process, something is wrong and we should crash and burn.
The only place where we are more lenient is on the control socket. We
just ignore wrong-sized messages so that users can't bring down
unwind.
|
|
ok florian@
|
|
pointed out by deraadt
|
|
The new node contains the subsystem's main control variable,
kern.witness.watch. It is aliased by the old name, kern.witnesswatch.
The alias will be removed in the future.
OK anton@ mpi@
|
|
Recently introduced in pfctl_parser.c r1.333, this helper nicely
simplifies code when copying IPs based on their address family, so use
it in five other places when killing state or source node entries.
All addresses copied in these code paths result from either
pfctl_parse_host() or pfctl_addrprefix(), which guarantee the address
family is set to AF_INET or AF_INET6. Therefore, effectively relaxing the
case of unhandled families from errx(3) in callers to warnx(3) in
copy_satopfaddr() is safe since it's never reached.
OK sashan
|
|
Either disable DNS or enable additional reverse lookups, but not both.
OK benno
|
|
Killing source tracking or state entries by hostname or CIDR would pass
given keys twice to getaddrinfo(3): once to resolve/parse and again to
parse the numerical address in case a prefix was specified.
Avoid this overhead by making pfctl_addrprefix() resolve, pass and mask
in one go and return the list of IPs to the callers. This notably
simplifies both logic and sanity checks around prefix length and address
family.
While here, also pass -N along such that -k and -K can be restricted to
not use DNS.
Discussed with procter sashan, OK sashan
|
|
directives, some of them no longer necessary.
Cleanup by Caspar Schutijser, thank you very much!
|
|
More consistent, clearer.
|
|
OK benno
|