Age | Commit message | Author |
|
OK: bluhm@
|
|
this should let people specify interface and queue bandwidths greater
than ~4Gbit.
this changes the pf ioctls used to specify queues, so if you want
to try this you'll need a new kernel, new headers, and a new pfctl
(and systat). or upgrade using a snapshot. the effort and benefit
of providing compat isn't worth it.
putting it in now so people can kick it around.
|
|
This is meaningless in dhcpleased(8) and *not* needed to receive
leases for an interface. In fact dhcpleased(8) works just fine without
any configuration file at all.
man page diff & OK kn
|
|
Replace literal braces with .Brq, use a list and indent the interface options
under that interface entry to reflect hierarchy (rad.conf(5) does that, too).
Feedback from/fine with jmc
|
|
ok jmc@
|
|
Our kernel supports 16 groups (NGROUPS_MAX), but nothing prevents
an admin from adding a user to more groups. With that tweak we'll keep
on ignoring them instead of potentially reading past the buffer passed to
getgrouplist(3). That behavior is explicitly described in initgroups(3).
ok millert@ gilles@
|
|
this is like the -t command line option on iked itself, but you get
to keep the ike listener on port 500 and you can enable this on
specific policies instead of all of them.
this is useful if you're dealing with an org that can't firewall
ESP traffic well and so you need to force the traffic to be udp
encapsulated even if there's no NAT involved.
ok markus@ tobhe@
|
|
Leave the notion of repetition to ... and markup optional prefixes as such;
'name/prefix [name/prefix ...]' becomes 'name[/prefix] ...'.
Also sync with unwind.conf.5 to fix curly braces and indentation.
OK florian
Input OK jmc
|
|
Input & OK kn, jmc, sthen
|
|
|
|
for handling DNS compression). OK florian
|
|
Add reverse_scrolling to the manpage.
ok bru@
|
|
from thorsten blum
|
|
ok mpi@
|
|
|
|
Instead of closing the just received UDP socket we closed the imsg fd
thus cleanly shutting down dhcpleased(8).
Problem triggered by sf@ with something like
while :; do ifconfig vio0 -inet; done
while :; do ifconfig vio0 inet autoconf; done
The problem triggers when dhcpleased configured a lease and in just
the right moment the autoconf flag gets removed. The main process
opens a udp socket and sends it to the frontend. At the same time the
frontend learned (from the route socket), that the interface lost its
autoconf flag. When the frontend then receives the udp socket via fd
passing it tries to close it. Due to a typo it would instead close the
imsg file descriptor.
Found by me after lots of head scratching.
OK tb
|
|
ok markus
|
|
|
|
|
|
|
|
from markus
|
|
OK jmc sobrado
|
|
|
|
parse_edns_from_query_pkt() grew a parameter to handle cookies, which
we don't use.
|
|
"fatal in engine: engine_dispatch_frontend: invalid IMSG_REQUEST_REBOOT"
reported by qwer.ty tuta io
ok florian kn
|
|
The frontend and engine do not like this due to improved error
checking.
Found by Josh Grosse and Renato Aguiar, thanks!
|
|
|
|
|
|
While here mention function where fatalx(3) occurred like everywhere
else.
Suggested by & OK tb
|
|
input & OK tb
|
|
Pointed out by tb
|
|
It only handles one imsg type these days, so it doesn't need to peek
into struct imsg at all.
pointed out by & OK tb
|
|
pointed out by & OK tb
|
|
While here use i2s helper function for error logging.
OK tb
|
|
OK tb as part of a larger diff
|
|
|
|
0xdecafbad will no longer work as an IPv4 address, sorry.
OK bluhm
|
|
ok tobhe
|
|
reflect how they work, to emphasize that they do nothing unless auto conf
is set, and to more closely match each other;
prompted by a diff from andrew christopher hawk on tech, who noted a wonky
sentence;
help/feedback deraadt florian; ok deraadt
|
|
The trust-anchor was copied from the upcoming unbound(8) release and
verified against https://www.iana.org/reports/2024/root-ksk-2024.pdf
While here switch the 2017 trust-anchor from DNSKEY to DS to use the
same record type as for the 2024 trust-anchor. They are functionally
equivalent. It was verified against
https://www.iana.org/reports/2017/root-ksk-2017.pdf
As well as with run-time testing, i.e. unwind would still perform
DNSSEC validation.
checked pdfs & OK phessler
|
|
|
|
original diff from markus
ok tobhe
|
|
fields that can differ between the primary and 1st backup superblock.
This fixes fsck issues I've encountered on my system with a shared home
partition.
OK miod@
|
|
- tweak bioctl text
- don't repeat the device examples
- reinstate softraid device being always softraid0
usage():
- add vertical blank between two formats
- rewrap to match 80col (shorter and matches man)
feedback/ok krw kn
|
|
anchor foo {
    table <bar> { 192.168.1.1 }
    pass in from <bar> to <self>
}
Without this diff one must either create table <bar> in main
ruleset (root) or use 'pfctl -a foo -t bar -T add 192.168.1.1'
This glitch is hard to notice. Not many human admins try to attach
tables to non-global anchors. Daemons which configure pf(4) automatically
at run time such as relayd(8) and spamd(8) create tables attached to
their anchors (for example 'relayd/*') but the daemons use a way similar
to pfctl(8) to add and manage those tables.
The reason why I'd like to seal this gap is that my long term goal
is to turn the global `pfr_ktable` in pf(4) into a member of pf_anchor.
So each ruleset will get its own tree of tables.
feedback and OK bluhm@
|
|
nvme(4).
Feedback jmc@ jmatthew@ deraadt@ kn@
ok jmc@ kn@
|
|
comparison is undefined.
|
|
We don't build log.c on the ramdisk so no need for ifndef small.
|
|
pointed out by tb
|
|
- include stdlib.h for exit(3)
- knf fixes
- define log_getverbose as (0) instead of 0
input & OK tb
|