Add additional field 'overwrite' to login_vars. It is mainly needed to handle
"term" according to manpage, i.e. not overwrite it, if already present in
environment.
Luigi Rizzo [Thu, 27 Jun 2002 23:02:18 +0000 (23:02 +0000)]
The new ipfw code.
This code makes use of variable-size kernel representation of rules
(exactly the same concept of BPF instructions, as used in the BSDI's
firewall), which makes firewall operation a lot faster, and the
code more readable and easier to extend and debug.
The interface with the rest of the system is unchanged, as witnessed
by this commit. The only extra kernel files that I am touching
are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
userland I only had to touch those programs which manipulate the
internal representation of firewall rules.
The code is almost entirely new (and I believe I have written the
vast majority of those sections which were taken from the former
ip_fw.c), so rather than modifying the old ip_fw.c I decided to
create a new file, sys/netinet/ip_fw2.c . Same for the user
interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
/sbin/ipfw). The old files are still there, and will be removed
in due time.
I have not renamed the header file because it would have required
touching a one-line change to a number of kernel files.
In terms of user interface, the new "ipfw" is supposed to accept
the old syntax for ipfw rules (and produce the same output with
"ipfw show"). Only a couple of the old options (out of some 30 of
them) have not been implemented, but they will be soon.
On the other hand, the new code has some very powerful extensions.
First, you can put "or" connectives between match fields (and soon
also between options), and write things like
    ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any
This should make rulesets slightly more compact (and lines longer!),
by condensing 2 or more of the old rules into single ones.
Also, as an example of how easy the rules can be extended, I have
implemented an 'address set' match pattern, where you can specify
an IP address in a format like this:
    10.20.30.0/26{18,44,33,22,9}
which will match the set of hosts listed in braces belonging to the
subnet 10.20.30.0/26 . The match is done using a bitmap, so it is
essentially a constant time operation requiring a handful of CPU
instructions (and a very small amount of memory -- for a full /24
subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried
to minimize changes to the other parts of the system. Some performance
improvement can be achieved with minor changes to the interface of
ip_fw_chk_t. This will be done later when this code is settled.
The code is meant to compile unmodified on RELENG_4 (once the
PACKET_TAG_* changes have been merged), for this reason
you will see #ifdef __FreeBSD_version in a couple of places.
This should minimize errors when (hopefully soon) it will be time
to do the MFC.
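
Added example, not part of the commit or of the ipfw sources: a minimal C sketch of the bitmap match the commit message above describes for 10.20.30.0/26{18,44,33,22,9}. The struct layout, the function names, the IP4 macro and the reading of the listed numbers as offsets from the subnet base are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Hypothetical layout (not the kernel's): 8-byte header + 32-byte bitmap. */
struct addr_set {
    uint32_t base;     /* subnet address, host byte order */
    uint32_t hostmask; /* 0x3f for a /26, 0xff for a /24 */
    uint32_t bits[8];  /* one bit per host, enough for a full /24 */
};

/* Build base/prefix{hosts...}; returns 0, or -1 on input that does not fit. */
int addr_set_init(struct addr_set *s, uint32_t base, int prefix,
                  const unsigned *hosts, size_t n)
{
    if (prefix < 24 || prefix > 32)
        return -1;                      /* bitmap only covers 256 hosts */
    memset(s, 0, sizeof(*s));
    s->hostmask = (uint32_t)((1ull << (32 - prefix)) - 1);
    s->base = base & ~s->hostmask;
    for (size_t i = 0; i < n; i++) {
        if (hosts[i] > s->hostmask)
            return -1;                  /* listed host lies outside the subnet */
        s->bits[hosts[i] / 32] |= 1u << (hosts[i] % 32);
    }
    return 0;
}

/* Constant-time match: one subtract, one compare, one bit test. */
int addr_set_match(const struct addr_set *s, uint32_t addr)
{
    uint32_t off = addr - s->base;      /* wraps to a huge value if addr < base */
    if (off > s->hostmask)
        return 0;
    return (s->bits[off / 32] >> (off % 32)) & 1;
}

int main(void)
{
    const unsigned hosts[] = { 18, 44, 33, 22, 9 };  /* set from the commit text */
    struct addr_set s;
    if (addr_set_init(&s, IP4(10, 20, 30, 0), 26, hosts, 5) != 0)
        return 1;
    printf("10.20.30.18 -> %d\n", addr_set_match(&s, IP4(10, 20, 30, 18)));
    printf("10.20.30.82 -> %d\n", addr_set_match(&s, IP4(10, 20, 30, 82)));
    return 0;
}
```

The range check on the offset is what keeps 10.20.30.82 (offset 64 + 18) from aliasing onto the bit for host 18; a rule writer reviewing such a set should confirm every listed host fits inside the stated prefix.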
Scott Long [Thu, 27 Jun 2002 22:36:01 +0000 (22:36 +0000)]
Delay the AC97 calibration until after the system clock has been
calibrated. This fixes the problem where playback and recording do
not run at the correct speed. It probably also eliminates the
need for the hacks/workarounds/sysctl's that were previously
devised to deal with this, but I will leave that for a different
time.
Juli Mallett [Thu, 27 Jun 2002 21:23:16 +0000 (21:23 +0000)]
In the SUPPORT_DOT case, warn that separation with a period is deprecated.
In -STABLE, this is default, in -CURRENT it is not, which leads to many a
headache for a user coming to -CURRENT without remembering this fact. It
is one of the POLA violations we have not avoided by preparing the users
for it appropriately. Therefore, a warnx(3) is added here, explicitly to
be MFC'd shortly to start the re-education process rolling.
Reviewed by: General murmurs of approval in that IRC channel.
MFC after: 3 days
Juli Mallett [Thu, 27 Jun 2002 21:01:32 +0000 (21:01 +0000)]
Instead of not using argc and doing other great evil, check for no arguments
in main() and print usage, or if there are too many arguments, handle that
there, too.
Garrett Wollman [Thu, 27 Jun 2002 20:18:45 +0000 (20:18 +0000)]
The thread-safe time functions appear to have been introduced as of
ISO 9945-1: 1996 (according to the change bars therein), which corresponds
to 1003.1c-1995. Give them appropriate visibility protection.
Warner Losh [Thu, 27 Jun 2002 19:56:22 +0000 (19:56 +0000)]
Lots of people have had to hack around the fixed address for cardbus
bridges in modern hardware (that hardware w/ lots of RAM). Raise the
address from 0x44000000 to 0x88000000 to match what we do with
NEWCARD. However, this really should be done in the pci layer.
Robert Watson [Thu, 27 Jun 2002 19:31:15 +0000 (19:31 +0000)]
Fix a bug that prevented the deletion of non-default ACLs from being
passed down the VFS stack. While I'm here, replace a '0' with a 'NULL'
to make the code more readable.
Sponsored by: DARPA, NAI Labs
Obtained from: TrustedBSD Project
Brian Feldman [Thu, 27 Jun 2002 15:58:59 +0000 (15:58 +0000)]
Correct the psl regression test for sed(1)'s now-fixed newline
behavior. Add the bcb regression test which checks for failures due
to a backslash ('\') coinciding with the very last character of the
command buffer. The regression test is cf. this PR (which I did not
know about) and has a different fix for the bug.
PR: bin/22351
Submitted by: Stefan Duerholt <stefan.duerholt@t-online.de>
Daniel Eischen [Thu, 27 Jun 2002 13:23:46 +0000 (13:23 +0000)]
Remove pselect from application namespace and instead use a weak reference
to the actual implementation. This is to allow libc_r to override
pselect() making it a cancellation point.
Andrew R. Reiter [Thu, 27 Jun 2002 06:34:03 +0000 (06:34 +0000)]
Fix for the problem stated below by Tor Egge:
(from: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=832566+0+ \
current/freebsd-current)
"Too many pages were prefaulted in pmap_object_init_pt, thus
the wrong physical page was entered in the pmap for the virtual
address where the .dynamic section was supposed to be."
Submitted by: tegge
Approved by: tegge's patches never fail
Mike Silbersack [Thu, 27 Jun 2002 03:55:36 +0000 (03:55 +0000)]
Modify bcopy (and memcpy/memmove) so that the length value is not
re-read from the stack mid copy. This may help mitigate the recent
Apache buffer overrun and future overruns of the sort.
Garrett Wollman [Wed, 26 Jun 2002 21:46:56 +0000 (21:46 +0000)]
When the -p flag is specified, set an environment variable to the name
of the remote host (or rather, the name as mangled by realhostname_sa())
so that the process can use it to behave differently depending on the
origin of the request. We use this to implement rudimentary visibility
control on our user information.
Make sure that the child process's standard error goes through the same
NVT-ASCII filter as is applied to the standard output.
Don't attempt to call logerr() from the child since stdio is not safe in
a vforked process. Just write a message to fd 2 instead. (Ideally, the
parent would open two pipes, and siphon off our stderr to some place less
public, but I have not attempted to do so in this implementation.)
Ian Dowse [Wed, 26 Jun 2002 20:32:51 +0000 (20:32 +0000)]
Avoid using the 64-bit vm_pindex_t in a few places where 64-bit
types are not required, as the overhead is unnecessary:
o In the i386 pmap_protect(), `sindex' and `eindex' represent page
indices within the 32-bit virtual address space.
o In swp_pager_meta_build() and swp_pager_meta_ctl(), use a temporary
variable to store the low few bits of a vm_pindex_t that gets used
as an array index.
o vm_uiomove() uses `osize' and `idx' for page offsets within a
map entry.
o In vm_object_split(), `idx' is a page offset within a map entry.
Ian Dowse [Wed, 26 Jun 2002 18:34:51 +0000 (18:34 +0000)]
Remove the kernel file-size limit for UFS2, so that only the limit
imposed by the filesystem structure itself remains. With 16k blocks,
the maximum file size is now just over 128TB.
For now, the UFS1 file size limit is left unchanged so as to remain
consistent with RELENG_4, but it too could be removed in the future.
Sheldon Hearn [Wed, 26 Jun 2002 17:05:48 +0000 (17:05 +0000)]
Revert previous delta, setting the system immutable flag on /var/empty
instead of the user immutable flag, now that mergemaster handles
schg directories in its /var/tmp/temproot.
Andrew R. Reiter [Wed, 26 Jun 2002 15:53:11 +0000 (15:53 +0000)]
- Remove the Giant acquisition from linux_socket_ioctl() as it was really
there to protect fdrop() (which in turn can call vrele()), however,
fdrop_locked() grabs Giant for us, so we do not have to.
Doug Barton [Wed, 26 Jun 2002 14:14:07 +0000 (14:14 +0000)]
Add 'chflags -R noschg' to the deletion process for the TEMPROOT
directory so that /var/empty, and any other such items that are
added in the future can be deleted effectively.
Sheldon Hearn [Wed, 26 Jun 2002 08:58:28 +0000 (08:58 +0000)]
Tone down the previous delta: don't set the system immutable flag on
/var/empty, because it makes it difficult for mergemaster(8) to remove
/var/tmp/temproot/var.
Juli Mallett [Wed, 26 Jun 2002 08:41:00 +0000 (08:41 +0000)]
If CLEANFILES is nil or not defined, do not try to remove it. This happens
when SRCS is entirely files which produce only one compiled form, and when
NOMAN is defined. This does not seem to happen in STABLE.
Tim J. Robbins [Wed, 26 Jun 2002 07:55:18 +0000 (07:55 +0000)]
Make it more obvious that the semicolon that terminates -exec and -execdir
argument lists must be in an argument by itself, not on the end of the
previous one.
Kenneth D. Merry [Wed, 26 Jun 2002 03:37:47 +0000 (03:37 +0000)]
At long last, commit the zero copy sockets code.
MAKEDEV: Add MAKEDEV glue for the ti(4) device nodes.
ti.4: Update the ti(4) man page to include information on the
TI_JUMBO_HDRSPLIT and TI_PRIVATE_JUMBOS kernel options,
and also include information about the new character
device interface and the associated ioctls.
man9/Makefile: Add jumbo.9 and zero_copy.9 man pages and associated
links.
jumbo.9: New man page describing the jumbo buffer allocator
interface and operation.
zero_copy.9: New man page describing the general characteristics of
the zero copy send and receive code, and what an
application author should do to take advantage of the
zero copy functionality.
NOTES: Add entries for ZERO_COPY_SOCKETS, TI_PRIVATE_JUMBOS,
TI_JUMBO_HDRSPLIT, MSIZE, and MCLSHIFT.
conf/files: Add uipc_jumbo.c and uipc_cow.c.
conf/options: Add the 5 options mentioned above.
kern_subr.c: Receive side zero copy implementation. This takes
"disposable" pages attached to an mbuf, gives them to
a user process, and then recycles the user's page.
This is only active when ZERO_COPY_SOCKETS is turned on
and the kern.ipc.zero_copy.receive sysctl variable is
set to 1.
uipc_cow.c: Send side zero copy functions. Takes a page written
by the user and maps it copy on write and assigns it
kernel virtual address space. Removes copy on write
mapping once the buffer has been freed by the network
stack.
uipc_jumbo.c: Jumbo disposable page allocator code. This allocates
(optionally) disposable pages for network drivers that
want to give the user the option of doing zero copy
receive.
uipc_socket.c: Add kern.ipc.zero_copy.{send,receive} sysctls that are
enabled if ZERO_COPY_SOCKETS is turned on.
Add zero copy send support to sosend() -- pages get
mapped into the kernel instead of getting copied if
they meet size and alignment restrictions.
uipc_syscalls.c: Un-staticize some of the sf* functions so that they
can be used elsewhere. (uipc_cow.c)
if_media.c: In the SIOCGIFMEDIA ioctl in ifmedia_ioctl(), avoid
calling malloc() with M_WAITOK. Return an error if
the M_NOWAIT malloc fails.
The ti(4) driver and the wi(4) driver, at least, call
this with a mutex held. This causes witness warnings
for 'ifconfig -a' with a wi(4) or ti(4) board in the
system. (I've only verified for ti(4)).
ip_output.c: Fragment large datagrams so that each segment contains
a multiple of PAGE_SIZE amount of data plus headers.
This allows the receiver to potentially do page
flipping on receives.
if_ti.c: Add zero copy receive support to the ti(4) driver. If
TI_PRIVATE_JUMBOS is not defined, it now uses the
jumbo(9) buffer allocator for jumbo receive buffers.
Add a new character device interface for the ti(4)
driver for the new debugging interface. This allows
(a patched version of) gdb to talk to the Tigon board
and debug the firmware. There are also a few additional
debugging ioctls available through this interface.
Add header splitting support to the ti(4) driver.
Tweak some of the default interrupt coalescing
parameters to more useful defaults.
Add hooks for supporting transmit flow control, but
leave it turned off with a comment describing why it
is turned off.
if_tireg.h: Change the firmware rev to 12.4.11, since we're really
at 12.4.11 plus fixes from 12.4.13.
Add defines needed for debugging.
Remove the ti_stats structure, it is now defined in
sys/tiio.h.
ti_fw.h: 12.4.11 firmware.
ti_fw2.h: 12.4.11 firmware, plus selected fixes from 12.4.13,
and my header splitting patches. Revision 12.4.13
doesn't handle 10/100 negotiation properly. (This
firmware is the same as what was in the tree previously,
with the addition of header splitting support.)
sys/jumbo.h: Jumbo buffer allocator interface.
sys/mbuf.h: Add a new external mbuf type, EXT_DISPOSABLE, to
indicate that the payload buffer can be thrown away /
flipped to a userland process.
socketvar.h: Add prototype for socow_setup.
tiio.h: ioctl interface to the character portion of the ti(4)
driver, plus associated structure/type definitions.
uio.h: Change prototype for uiomoveco() so that we'll know
whether the source page is disposable.
ufs_readwrite.c: Update for new prototype of uiomoveco().
vm_fault.c: In vm_fault(), check to see whether we need to do a page
based copy on write fault.
vm_object.c: Add a new function, vm_object_allocate_wait(). This
does the same thing that vm_object allocate does, except
that it gives the caller the opportunity to specify whether
it should wait on the uma_zalloc() of the object structure.
This allows vm objects to be allocated while holding a
mutex. (Without generating WITNESS warnings.)
vm_object_allocate() is implemented as a call to
vm_object_allocate_wait() with the malloc flag set to
M_WAITOK.
vm_object.h: Add prototype for vm_object_allocate_wait().
vm_page.c: Add page-based copy on write setup, clear and fault
routines.
vm_page.h: Add page based COW function prototypes and variable in
the vm_page structure.
Many thanks to Drew Gallatin, who wrote the zero copy send and receive
code, and to all the other folks who have tested and reviewed this code
over the years.