Hajimu UMEMOTO [Mon, 11 Jun 2001 19:27:05 +0000 (19:27 +0000)]
This is a force commit to mention the previous commit.
- do not assume that the ro_dst member of route_in6{} is sockaddr_in6.
- repair IPsec header size prediction.
- validate mbuf chain better in {tcp,udp}6_ctlinput.
- loosened validation of inner packets of icmp6 errors as much as possible.
- scope-awareness.
- be friendly with pfctlinput2.
- simplified address scope handling in the ctlinput function.
- type change of in6_pcbnotify.
- pass error from ipsec_setsocket() all the way up.
Hajimu UMEMOTO [Mon, 11 Jun 2001 19:03:42 +0000 (19:03 +0000)]
This is a force commit to mention the previous commit.
- added comments about why in6p_inputopts should not be copied in
tcp6_input().
- call ip6_copypktopts() in order to copy in6p_outputopts
from a listening PCB to a corresponding accepting one.
- be proactive about unspecified IPv6 source address. pcb layer
uses unspecified address (::) to mean "unbounded" or
"unconnected", and can be confused by packets from outside.
- made tcp and udp consistent in using mappedaddr
- setsockopt(BIND_IPV6ONLY) now works
- deprecated address consideration on TCP SYN.
- get rid of M_ANYCAST6
Hajimu UMEMOTO [Mon, 11 Jun 2001 18:38:11 +0000 (18:38 +0000)]
This is a force commit to mention the previous commit.
- use 0/8 to specify interface index on multicast get/setsockopt
- make sure to nuke m->m_aux pointer for ipsec, on if_output.
- pass error from ipsec_setsocket() all the way up.
- move ipsec output processing before filtering section.
Hajimu UMEMOTO [Mon, 11 Jun 2001 18:21:31 +0000 (18:21 +0000)]
This is a force commit to mention the previous commit.
- (possible) remote kernel panic fix - out of bounds access on
ill-formed ipopt.
- strict boundary check on ipopt.
- make sure to enforce inbound IPsec policy on all final headers.
- add missing ipcomp entry from ipprotosw.
- 127/8 must not appear on wire - RFC1122.
this is rather important as we use weak host model, so outsider
can abuse 127.0.0.1 from outside.
- introduce ipstat.ips_badaddr
- use ipsec_gethist() to prevent packet filters from looking at
decapsulated packets.
- remove duplicate 127.0.0.0/8 checking.
Ruslan Ermilov [Mon, 11 Jun 2001 18:09:08 +0000 (18:09 +0000)]
- Restore -nostdinc that got lost in rev.1.105; we don't
want host headers during `buildworld'.
- During `buildworld', install headers in a "copy" mode
until we decide what to do with the (currently broken)
SHARED=symlinks.
- Temporarily run `buildworld' with -DNO_WERROR, which
effectively disabled the -Werror bit of recently added
WARNS=X feature. This is required because adding the
-nostdinc bit back revealed bugs in some header files
that were hiding after not using -nostdinc.
It is unclear currently how exactly (and why) -nostdinc
affects gcc(1) warnings.
Ruslan Ermilov [Mon, 11 Jun 2001 17:41:58 +0000 (17:41 +0000)]
Backout previous change (removal of -I${.CURDIR}/../../sys/netinet).
This is needed to pick up the right headers. Wrong headers from
src/contrib/ipfilter are used otherwise.
The right fix would be to fix contrib/ipfilter C sources to pick up
headers from <sys/netinet>.
Bruce Evans [Mon, 11 Jun 2001 13:57:54 +0000 (13:57 +0000)]
Removed the broken code which claimed to lose the set[ug]id bits in
the !(pflag && setfile()) case for regular files unless the copy is
owned by the same user and group. These bits have already been lost
(or never gained) in the correct way. The code didn't actually lose
the bits; it depended on them being lost already (apparently in all
cases) and attempted to gain them as necessary, but it often gained
them (and sometimes collateral bits) when wrong:
- pflag && setfile() == 0 case (i.e., for a successful cp -p):
setfile() copies all the attributes as correctly as possible (as
specified by POSIX), and we sometimes messed up the mode by
setting it again. Also, if the file is immutable, then setting the
mode again gave spurious errors (PR 20646).
- !pflag case. If the target is created, POSIX requires it to not
have the set[ug]id bits, but we sometimes copied them from the source.
If the target already exists, POSIX requires its mode to be unchanged,
but we sometimes copied the whole mode from the source.
Hajimu UMEMOTO [Mon, 11 Jun 2001 13:28:05 +0000 (13:28 +0000)]
prefixcmd_enable was obsoleted by syncing recent KAME. New prefix(8)
is just a shell script for backward compatibility. Now, we always use
ifconfig(8) instead of prefix(8).
Hajimu UMEMOTO [Mon, 11 Jun 2001 12:39:29 +0000 (12:39 +0000)]
Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problems after the snap was out were fixed.
There are many many changes since last KAME merge.
TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different
from RFC2407/IANA assignment because of binary compatibility
issue. It should be fixed under 5-CURRENT.
- ip6po_m member of struct ip6_pktopts is no longer used. But, it
is still there because of binary compatibility issue. It should
be removed under 5-CURRENT.
Joerg Wunsch [Mon, 11 Jun 2001 10:48:10 +0000 (10:48 +0000)]
Cosmetics:
. remove stale comments and a stale #define (from the old days of ft(4))
. make MAX_SEC_SIZE (used in isa_dmainit()) a #define
. fix a typo in a string
. use 0 as the blocksize in devstat_add_entry(), since the actual blocksize
is unknown (devstat(9) suggests to use 0 in that case)
Once again, as explained in my messages to -audit, the ANSIfication comes
as part of the preparation to add a new -d command-line flag to send
output to stdout/stderr. That commit will come in a week, pending any
further comments/objections. For those who have missed the -audit mails,
it's at http://people.FreeBSD.org/~roam/bsd/rarpd/usr.sbin-rarpd-d.patch
Asbestos suit: on ;)
Reviewed by: dd, silence on -audit
MFC after: 1 month
Hajimu UMEMOTO [Sun, 10 Jun 2001 20:25:24 +0000 (20:25 +0000)]
Implement EDNS0 support, as EDNS0 support will be made mandatory for
IPv6 transport-ready resolvers/DNS servers. Need careful configuration
when enable it. (default config is not affected).
See manpage for details.
XXX visible symbol __res_opt() is added, however, it is not supposed to be
called from outside, libc minor is not bumped.
Andrew Gallatin [Sun, 10 Jun 2001 19:18:51 +0000 (19:18 +0000)]
Supply the intpin to the platform.pci_intr_map() function. It turns
out nearly every platform but the one I tested on requires the intpin
to swizzle out the correct intline.