|
with "0x".
Pointed out by Philippe Meunier.
|
|
pcap_dispatch() returns -1 (PCAP_ERROR) or -2 (PCAP_ERROR_BREAK). The
latter is used when a signal is received and is not an error. So limit
the code to log errors to np == -1.
OK semarie@ sashan@
|
|
from dhill@
|
|
using 'flag <part #>' to make a partition the only bootable partition.
Just turn off the bootable bit in the other partitions.
ok dlg@
|
|
.. INT64_MAX decimal values..
Easier to specify the 64 bits of GPT partition attributes and
0x8000000000000000 (a.k.a. MS_NOAUTOMOUNT, a.k.a. 1 << 63)
becomes accessible.
Prompted by bug report and testing by Philippe Meunier. Thanks!
ok dlg@
|
|
from markus@
|
|
OK kn@ jmc@
|
|
pflogd uses blocking bpf reads, but installs a bunch of signal
handlers to handle cleanly closing and (re)opening the log file.
signal() by default sets the handlers up so they're restartable.
this has the effect that when pflogd receives a signal while waiting
in bpfread, the signal handler runs and sets a flag saying the file
should be rotated or closed or whatever, but then the kernel restarts
the read.
when pflogd used a bpf read timeout, pflogd would run its "event"
loop every time the read timeout expired. this meant even though
the bpf read was restarted, by having the read timeout expire every
500ms the flag the signal handlers set would be processed in a
relatively short period of time.
after moving bpf to a wait timeout, pflogd basically has to wait
for a packet to be captured before the bpf read will return. if
you're trying to kill pflogd on an idle firewall then you're basically
stuck.
making the signal handlers not restartable allows bpfread to fail
with EINTR so pflogd can go around its event loop and exit as
expected.
reported by Mikhail on bugs@
ok claudio@
pflogd needs a rewrite though.
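The restart-versus-EINTR behaviour described in the commit message above, shown in a small added C demonstration (not pflogd's code and not part of the OpenBSD tree). A blocking read(2) on a pipe stands in for the blocking bpf read; a 100ms one-shot timer stands in for the operator's signal, and a child process that writes one byte after 300ms stands in for the next captured packet. The handler only sets a flag, as pflogd's handlers do. All timings, names and the pipe setup are constructed for this illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Flag set by the handler, as pflogd's handlers do; acted on by the main loop. */
static volatile sig_atomic_t rotate_requested;

static void
on_signal(int sig)
{
	(void)sig;
	rotate_requested = 1;
}

/*
 * Block in read(2) on a pipe (standing in for the blocking bpf read) while
 * a signal arrives after 100ms and data only arrives after 300ms.
 * Returns 1 when the read failed with EINTR (handler installed without
 * SA_RESTART), 0 when the kernel restarted the read and it only returned
 * once data showed up (SA_RESTART set), and -1 on setup failure.
 */
int
blocking_read_outcome(int use_sa_restart)
{
	int fds[2];
	struct sigaction sa;
	struct itimerval fire = { { 0, 0 }, { 0, 100000 } };  /* one-shot, 100ms */
	struct itimerval off = { { 0, 0 }, { 0, 0 } };
	struct timespec delay = { 0, 300000000 };             /* 300ms */
	pid_t pid;
	char c;
	ssize_t n;
	int saved_errno;

	if (pipe(fds) == -1)
		return -1;
	rotate_requested = 0;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_signal;
	sigemptyset(&sa.sa_mask);
	/* signal(3) installs restartable handlers by default; sigaction lets us choose. */
	sa.sa_flags = use_sa_restart ? SA_RESTART : 0;
	if (sigaction(SIGALRM, &sa, NULL) == -1)
		return -1;

	/* Child plays the "packet" that eventually unblocks the reader. */
	pid = fork();
	if (pid == -1)
		return -1;
	if (pid == 0) {
		close(fds[0]);
		signal(SIGPIPE, SIG_IGN);  /* the parent may already have stopped reading */
		nanosleep(&delay, NULL);
		if (write(fds[1], "x", 1) == -1)
			_exit(1);
		_exit(0);
	}
	close(fds[1]);

	setitimer(ITIMER_REAL, &fire, NULL);
	n = read(fds[0], &c, 1);
	saved_errno = errno;
	setitimer(ITIMER_REAL, &off, NULL);

	close(fds[0]);
	waitpid(pid, NULL, 0);

	if (n == -1 && saved_errno == EINTR)
		return 1;  /* interrupted at 100ms: the event loop sees rotate_requested now */
	if (n == 1)
		return 0;  /* restarted: flag was set at 100ms but only noticed after data */
	return -1;
}

int
main(void)
{
	printf("without SA_RESTART: %s\n",
	    blocking_read_outcome(0) == 1 ? "read failed with EINTR" : "read completed");
	printf("with SA_RESTART:    %s\n",
	    blocking_read_outcome(1) == 0 ? "read completed" : "read failed with EINTR");
	return 0;
}
```

On an idle capture interface the "packet" never arrives, so with SA_RESTART the second case would block indefinitely and a flag set by SIGTERM or SIGHUP would never be acted on; without SA_RESTART the read fails with EINTR promptly and the caller can check the flag and exit or rotate the log.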
|
|
|
|
|
|
From Laurie Tratt, ok florian
|
|
for pfctl -f /path/to/pf.conf. Otherwise, if you accidentally use a dir
instead of a file (e.g. if you have an /etc/pf directory and don't notice
the name when tab-completing), you successfully install an empty ruleset.
ok sashan@
|
|
This makes it possible to build the base system with a C99 compiler.
OK deraadt@ mvs@
|
|
the parsing code
|
|
prevent out-of-bounds read in strlen().
ok tb@
|
|
Pointed out by gcc via tb.
rdns_count is validated by all callers of propose_rdns(), so we can
trust it here to be sensible.
While here fix a pasto in an error message.
OK tb
|
|
ipsecctl -m and ipsecctl -s. Refactor ipsecctl_show_*() to setup all
sysctls first before dropping privileges and finally parsing and
printing IPsec SAs and flows.
feedback and ok mbuhl@
ok deraadt@
|
|
They must not be empty, or else creation/unlock fails (and boot loaders
would not be able to abort and drop back to the boot> prompt).
[-p passfile] handles this with "invalid passphrase length", so align
the interactive prompt and retry there.
-s remains a one-shot whilst getting a better error message.
This is user friendlier and fixes the last installer "bug" on my list
wrt. disk encryption where hitting Enter twice at the passphrase prompt
would abort bioctl(8) and thus the installation.
OK deraadt
|
|
It contains the path to the file containing a passphrase;
password reads misleading and was also the only usage of "word" in contrast
to consistent "phrase" usage.
|
|
This cherry-picks upstream git commit
0ee44ef384593ed0382d1ce6048d5a9c9440b45c.
Issue reported by landry@, which could be traced back to a buggy WiFi
driver that would constantly return ENOBUFS. This in turn led
unwind(8) to enter a tight loop through poll / sendto without making any
progress and burning 100% cpu.
OK sthen
I missed to commit this file when committing to unbound.
Pointed out by tb, thanks!
|
|
|
|
confirmed by florian
|
|
This cherry-picks upstream git commit
0ee44ef384593ed0382d1ce6048d5a9c9440b45c.
Issue reported by landry@, which could be traced back to a buggy WiFi
driver that would constantly return ENOBUFS. This in turn led
unwind(8) to enter a tight loop through poll / sendto without making any
progress and burning 100% cpu.
OK sthen
|
|
ok krw@
|
|
|
|
Already committed upstream.
|
|
https://github.com/NLnetLabs/unbound/pull/931
|
|
The api changed to handle cookies and extended error codes.
Passing in NULL for config_file disables cookie handling so we do not
need to pass a valid comm_reply, NULL will do.
|
|
|
|
ok tb@
|
|
Found by David Linder
ok patrick@
|
|
be NULL here.
Found by tb@
|
|
When creating new crypto volumes with a passphrase or updating one, pick a
number of rounds that aims to take around 1s instead of just 16 (on X230 and
T14 machines, 16 rounds unlock pretty much instantly).
New default [-r auto] never decreases rounds, only explicit '-r N' can.
16 is the absolute minimum.
Motivation is to provide a saner and more modern default, especially for
fresh installations utilizing new disk encryption question.
Prodding for new default from and OK jsing on early "-r auto" installer diff
idea to pick MAX(auto, old-rounds) from Lucas[AT sexy DOT is]
"seems acceptable to me" deraadt
Feedback kettenis sthen
OK op
|
|
Gracefully prompt again during interactive creation and passphrase change on
CRYPTO/1C volumes when confirmation fails instead of exiting, so bioctl(8)
behaves more like passwd(1) in this regard.
Use -s aka. non-interactive scripting mode to try just once.
Input OK jsing op
|
|
INFO messages remain on stdin, WARN/ERROR go to stderr as usual to make
silencing and scripting bioctl(8) easier.
OK op jsing
|
|
-s for non-interactive usage disables prompts, but still silently expects
two inputs, which is neither intuitive nor ergonomic.
Fix this to get sane scriptable behaviour and documentation.
Feedback OK jsing op
|
|
|
|
|
|
To use sec(4) instead of policy based tunnels, create a sec(4)
interface and add 'iface secXX' to your policy config.
sec(4) interfaces also support auto configuration for dynamic client
IPs via 'request any' like all other interfaces.
The config won't work without traffic selectors, 'from any to any'
should work for now but I plan to make this optional in the future.
ok dlg@
|
|
I'm not really happy with this, but it's a start.
|
|
this adds "interface secX" to the grammar that you can use instead
of specifying tunnel/transport modes and traffic selectors.
if you have config like "ike interface sec0 local ... peer ...",
ipsecctl will generate the right config for isakmpd to negotiate
esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however,
this also specifies that they should be set up as interface SAs in
the kernel for use with sec(4).
this supports route-based instead of policy based ipsec encapsulation,
and allows us to more easily operate with other vendors and products
that also offer route-based vpns with opinions about the negotiated
policy that doesn't fit with the SPD.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@
|
|
add "Interface NUMBER" to the config parser to specify that once
SAs have been negotiated with a peer, install the SAs with the
sadb_x_iface extension set up, but skip installing the flows/SPD
entries.
this allows for the negotiation of multiple esp tunnels covering
all traffic between 0.0.0.0/0 to 0.0.0.0/0, and then being able to
do something useful with them using the routing table and sec(4)
interfaces instead of having SPD entries fight over those packets
in the kernel.
this in turn allows interoperation with other ipsec/vpn solutions
that require the negotiation of such tunnels.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@
|
|
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@
|
|
patch by Matthew Martin <phy1729 AT gmail DOT com>
|
|
OK tb@
|
|
Also convert some ibuf_add() calls to ibuf_add_buf() where appropriate.
OK tobhe@ tb@
|
|
RAMDISK* has MFS and TMPFS disabled, so the installer can't use them.
OK deraadt
|
|
Large Receive Offload allows receiving aggregated packets larger
than the MTU. Receiving TCP streams becomes much faster. As the
network hardware is not aware whether a packet is received locally
or to be forwarded, everything is aggregated. In case of forwarding
it is split on output to packets not larger than the original
packets. So path MTU discovery should still work. If the outgoing
interface supports TSO, the packet is chopped in hardware by TCP
Segmentation Offload.
Currently only ix(4) and lo(4) devices support LRO, and ix(4) is
limited to IPv4 and hardware newer than the old 82598 model. If
the interface is added to a tpmr(4), bridge(4) or veb(4), LRO is
automatically disabled. All ix(4) devices support outgoing TSO for
IPv4 and IPv6. Enabling LRO on lo(4) automatically enables TSO and
TCP packets larger than the MTU pass the loopback interface.
LRO can be turned off per interface with ifconfig -tcplro.
OK jan@
|
|
OK tb@ tobhe@
|
|
Also replace a ibuf_reserve() call with ibuf_add_zero() and
remove a buf->buf == NULL check in ibuf_length() since it is not necessary.
OK tobhe@ tb@
|