Age | Commit message | Author |
|
socket listener was tagged "local" so we could trick "from local" into
matching non-network connections.
this hack was removed years ago and the socket listener still had this
"local" tag hardcoded. this commit teaches parse.y how to assign a tag
to a socket listener and removes the hardcoded "local".
|
|
crash depending on how the ruleset is crafted.
|
|
|
|
be able to cope with packages from the next OpenBSD release - firmware packages
are occasionally updated on the release branch post-release.
this should handle most situations - the corner-case is an old snapshot upgrading
to a new snapshot across some types of pkg_add change, but as fw_update is usually
not mandatory this is usually good enough.
ok beck deraadt
|
|
|
|
|
|
if it's going to the wrong place/dir. ok deraadt@
|
|
|
|
diff from Quentin Rameau <quinq@fifth.space>
|
|
|
|
|
|
for these. ok deraadt@
|
|
autoconfiguration daemons. Currently only slaacd is switched over so
we need to keep the lease file parsing.
|
|
from router advertisements.
unwind(8) can solicit DNS proposals by sending an empty RTM_PROPOSAL
message with priority RTP_PROPOSAL_SOLICIT.
|
|
more clearly
ok ingo schwarze
|
|
any MITM protection checks. We've had constraint checks for MITM protection
for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation, as the default mode.
In environments where https traffic doesn't work, ethernet-near servers can
be labelled as "trusted". trusted sensor support is also coming.
We have reasons to immediately move people away from the -s mode.
ok otto
|
|
Warn if it fails, but allow the upgrade to continue for now.
discussed with many, refinements by naddy@ sthen@
"commit something" deraadt@
|
|
error prone than manually editing rc.conf.local, and also works to
enable ipsec and accounting.
tweak from schwarze@ to use the \(dq\(dq syntax for quotes in '.Dl
foo_flags="" lines' instead of \&"\&".
while at it, fix a reference to a bogus /dev/dhclient.conf file that
recently snuck in.
ok jmc@ deraadt@ schwarze@
|
|
server is wired up such that non MITM attacks are possible, and NTP
packets can be trusted. Therefore constraint validity is not required,
and during boot ntpd can spin-up correct time faster.
with otto, ok jmc schwarze
|
|
used in situations where https constraints cannot be used and we still want
auto settime. Result of discussion with and ok deraadt@
|
|
more similar
ok jmc schwarze
|
|
|
|
existing @bin @lib
and new @static-lib @so
as discussed with p2k19 people
|
|
|
|
|
|
- do not restart settime timeout interval if something happens in the main
event loop
- apply a tight loop protection; it can be painful on a single
core machine since the process runs at maximum priority. Should only
happen when a bug is introduced while developing, but prevents having to
machine taken over by ntpd.
|
|
input & OK claudio@
|
|
|
|
by adding a missing check for the return value -1 on both cgetfirst(3) and
cgetnext(3)
OK millert@ deraadt@
|
|
OpenBSD coding practices (fork+exec/privsep/pledge/...). It is only
intended to replace the lpd(8) daemon for the moment, not the lpr(1),
lprm(1), lpq(1) and lpc(8) commands.
This is a work in progress. The server part should be fairly functional,
but the printer part is not complete: remote printers should work, for
local printers it depends on the setup. Anyway, at this point it's better
in the tree than rotting on my disk.
ok deraadt@
|
|
instead of ditching stderr entirely, keep it in a temp file, and if the
child exits with an error, we got something to display.
(note that returning an undef'd plist is enough of an error, just we
had no clue what went wrong previously)
aja@ ran into this a few weeks ago.
|
|
|
|
|
|
AI_ADDRCONFIG flag for getaddrinfo to only return addresses for a
configured address family.
Implementing a loop over all IPs is left as an exercise to the reader.
Reported some time ago by kasimov.an AT gmail on bugs@, thanks!
oh boy deraadt@
OK benno@
|
|
More people know what a "stub" resolver is than asr.
Pointed out by & discussed with deraadt
Input & OK otto
|
|
ok deraadt@
|
|
or a USB device. ok mpi
|
|
Problem reported by Alexandre Hamada
|
|
sure that on the first round the buffer is set to an empty string so that
strlcat() works correctly. Also check for strlcat() overflow and error out
in case it happens.
Found by infrequent regress test failures.
|
|
will try to access the NULL tal pointer.
Reported by Alexandre Hamada
|
|
|
|
found by Clemens Goessnitzer, ok and prodded by florian@
|
|
unsigned char or EOF. Cast the char to unsigned char as required.
Reminded by Hiltjo Posthuma
|
|
regress test is able to use it.
OK deraadt@
|
|
a particular sequence of rules causing "from rdns" to be hit again from the
expanded aliases. this requires crafting a specific configuration.
|
|
|
|
m.n-beta -> m.n
not
m.n-beta -> m.n + 0.1
Handle this correctly for the -r case to stick to a release after
beta.
OK sthen
|
|
joint work and ok florian@
|
|
|
|
|