| Age | Commit message (Collapse) | Author |
|---|
|
OK florian@, additional review from kn@
|
|
ok reyk@
|
|
Found via snmpctl snmp walk 127.0.0.1 oid 1
OK claudio@
|
|
|
|
with an error status when writing cd image fails.
ok deraadt
|
|
is not found. Fixes crash reported by Tom Smyth.
|
|
CFI stood for canonical format indicator, and basically said whether
the payload was ethernet of fddi (with 0 meaning ethernet).
DEI stands for drop eligibility indicator
|
|
|
|
The privsep monitor process handles all privileged operations on behalf
of the unprivileged "packet parser" process. Once it enters its runtime
state, it only needs to:
* Perform DNS and other "numbers to names" lookups, sending results
back over a pipe/socketpair.
* Display the final packet statistics on ^C.
We can finally now drop root privileges in this process as well, as bpf
BIOCGSTATS is still permitted by non-root on open descriptors after it
has been permanently locked with BIOCLOCK. This provides some additional
protection, to go along with the already tight unveil(2) and pledge(2)
restrictions.
With this change tcpdump(8) completely drops root privileges at runtime.
ok mestre@, deraadt@
|
|
|
|
has been evaluated.
ok gilles@
|
|
The underlying interface might have been destroyed or detached and
rad(8) will just cope with that.
OK florian@
|
|
OK claudio@
|
|
OK phessler@
|
|
|
|
pledge cannot be used, nevertheless since we now have unveil available we can
use it to guarantee that in this particular case the snmpe process cannot
access the filesystem at all, therefore close a big attack vector and achieve
a great level of protection even without being able to use pledge.
prodded by deraadt@
|
|
ok gilles@
|
|
suggested by kn@ after similar changes to ping
|
|
where appropriate and add missing check before freeaddrinfo().
This code path is currently unused.
|
|
ok gilles@
|
|
an interface config example with and one without parameters.
comment and OK claudio@
|
|
uses.
OK nayden@ kn@
|
|
OK claudio@
|
|
OK claudio@
|
|
it reuses the toskeyword handling that ipv4 uses for setting the
tos field, which is equiavlent to traffic class.
ok florian@ denis@
|
|
When running rad(8) on top of carp(4), ifconfig carp0 -soii is a good idea.
ok florian@ jmc@
|
|
This reduces the remaining runtime pledge(2) in the privsep monitor
process to "stdio rpath dns bpf":
- 'rpath' for /etc/{ethers,rpc}, also unveil(2)'d thanks to mestre@!
- 'dns' for DNS lookups
- 'bpf' BIOCGSTATS on ^C
The unprivileged packet parser process remains pledged just "stdio"
This depends on the previous commit that removed YP support from
ethers(5).
ok mestre@
|
|
OK phessler@
|
|
I missed this part in my previous commit.
|
|
defacto port value used by OpenFlow. A decent chunk of OpenFlow
controllers have switched over to the IANA standardized OpenFlow port,
6653. switchd(8) also randomizes its listen ports when one is not
specified in switchd.conf(5).conf.
Consolidate the #defines for port values, and set a default listen port.
OK phessler@ claudio@, kn@ with separate switchd.conf(5) update
|
|
need to be unveiled at runtime in the monitor process.
Cleanup the unused internal privsep "getlines" code, we now explictly
fdpass the OS fingerprints file instead.
ok mestre@ kn@
|
|
events with less ambiguity
ok eric@
|
|
when reporting tx commit, report data size
report tx-envelope events
|
|
|
|
if there are any neighbors that have pending updates. If so the timeout of
the poll loop is set to 0 so that the work is completet ASAP.
The regress test was not working because of this. The RDE was stuck in poll()
instead of sending the updates out.
Tested and OK denis@
|
|
config and not the old flags. Needed so that changing flags and rtableid
at the same time works.
|
|
or the rtableid changed and there is a FIB. In the NOFIB case changing the
rtableid has no effect. Fixes a problem introduced with keeping the default
ribs alive and Adj-RIB-In/Out.
Probelm found, tested and OK denis@
|
|
/etc/resolv.conf both with read permissions for the purpose of name resolution,
so unveil(2) both files with "r" perms and disable further filesystem access.
While here sort the headers alphabetically.
OK bluhm@
|
|
part of DATA
|
|
|
|
ok beck@ bluhm@ tb@
|
|
read permissions, but once it reaches pledge(2) just before the main loop both
were already opened. Since snmpd(8) doesn't have a way to load or reload the
config file, not even through SIGHUP, then rpath promise is not needed.
The snmpe process cannot yet be pledged, but it doesn't need fs access so we
can disable the access through unveil("/", ""); unveil(NULL, NULL);
"looks right" to deraadt@
|
|
|
|
OK claudio@
|
|
We already require TLSv1.2 so it does not make sense to be liberal with the
cipher suites that we allow. Additionally, it is potentially dangerous to
disable certificate verification when no CA data is available (which is
currently an impossible case to reach).
Also ensure we check the return value from tls_config_set_ca_mem() (as
spotted by tb@).
ok kn@ tb@
|
|
OK job@, benno@
|
|
introduced before 6.4 because it now can be replaced with the real RIB.
Main changes are:
- simplified 'show rib' handling since everything is now a real RIB
- path_update() is now returning if a prefix was not modified, added or moved
- softreconfig out case is simpler since path_update does all the magic now
- Adjust shutdown code to work with the Adj-RIB-Out
Tested and OK denis@, benno@
|
|
|
|
Use unveil to remove file system access for the parent proc.
Also remove control_cleanup as discussed on tech@. It allows to fully remove
fs access (ripd does not support reload). It's not an issue for ripd and
ripctrl if an unused socket file is lying around.
reads OK for claudio@ and mestre@
|
|
from Hiltjo Posthuma (hiltjo(at)codemadness.org)
|
