Hajimu UMEMOTO [Mon, 11 Jun 2001 18:21:31 +0000 (18:21 +0000)]
This is a forced commit to mention the previous commit.
- (possible) remote kernel panic fix - out of bounds access on
ill-formed ipopt.
- strict boundary check on ipopt.
- make sure to enforce inbound IPsec policy on all final headers.
- add missing ipcomp entry from ipprotosw.
- 127/8 must not appear on wire - RFC1122.
this is rather important as we use weak host model, so outsider
can abuse 127.0.0.1 from outside.
- introduce ipstat.ips_badaddr
- use ipsec_gethist() to prevent packet filters from looking at
decapsulated packets.
- remove duplicate 127.0.0.0/8 checking.
Ruslan Ermilov [Mon, 11 Jun 2001 18:09:08 +0000 (18:09 +0000)]
- Restore -nostdinc that got lost in rev.1.105; we don't
want host headers during `buildworld'.
- During `buildworld', install headers in a "copy" mode
until we decide what to do with the (currently broken)
SHARED=symlinks.
- Temporarily run `buildworld' with -DNO_WERROR, which
effectively disables the -Werror bit of the recently added
WARNS=X feature. This is required because adding the
-nostdinc bit back revealed bugs in some header files
that were hiding after not using -nostdinc.
It is unclear currently how exactly (and why) -nostdinc
affects gcc(1) warnings.
Ruslan Ermilov [Mon, 11 Jun 2001 17:41:58 +0000 (17:41 +0000)]
Backout previous change (removal of -I${.CURDIR}/../../sys/netinet).
This is needed to pick up the right headers. Wrong headers from
src/contrib/ipfilter are used otherwise.
The right fix would be to fix contrib/ipfilter C sources to pick up
headers from <sys/netinet>.
Bruce Evans [Mon, 11 Jun 2001 13:57:54 +0000 (13:57 +0000)]
Removed the broken code which claimed to lose the set[ug]id bits in
the !(pflag && setfile()) case for regular files unless the copy is
owned by the same user and group. These bits have already been lost
(or never gained) in the correct way. The code didn't actually lose
the bits; it depended on them being lost already (apparently in all
cases) and attempted to gain them as necessary, but it often gained
them (and sometimes collateral bits) when wrong:
- pflag && setfile() == 0 case (i.e., for a successful cp -p):
setfile() copies all the attributes as correctly as possible (as
specified by POSIX), and we sometimes messed up the mode by
setting it again. Also, if the file is immutable, then setting the
mode again gave spurious errors (PR 20646).
- !pflag case. If the target is created, POSIX requires it to not
have the set[ug]id bits, but we sometimes copied them from the source.
If the target already exists, POSIX requires its mode to be unchanged,
but we sometimes copied the whole mode from the source.
Hajimu UMEMOTO [Mon, 11 Jun 2001 13:28:05 +0000 (13:28 +0000)]
prefixcmd_enable was obsoleted by syncing recent KAME. New prefix(8)
is just a shell script for backward compatibility. Now, we always use
ifconfig(8) instead of prefix(8).
Hajimu UMEMOTO [Mon, 11 Jun 2001 12:39:29 +0000 (12:39 +0000)]
Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problems after the snap was out were fixed.
There are many many changes since last KAME merge.
TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different
from RFC2407/IANA assignment because of binary compatibility
issue. It should be fixed under 5-CURRENT.
- ip6po_m member of struct ip6_pktopts is no longer used. But, it
is still there because of binary compatibility issue. It should
be removed under 5-CURRENT.
Joerg Wunsch [Mon, 11 Jun 2001 10:48:10 +0000 (10:48 +0000)]
Cosmetics:
. remove stale comments and a stale #define (from the old days of ft(4))
. make MAX_SEC_SIZE (used in isa_dmainit()) a #define
. fix a typo in a string
. use 0 as the blocksize in devstat_add_entry(), since the actual blocksize
is unknown (devstat(9) suggests to use 0 in that case)
Once again, as explained in my messages to -audit, the ANSIfication comes
as part of the preparation to add a new -d command-line flag to send
output to stdout/stderr. That commit will come in a week, pending any
further comments/objections. For those who have missed the -audit mails,
it's at http://people.FreeBSD.org/~roam/bsd/rarpd/usr.sbin-rarpd-d.patch
Asbestos suit: on ;)
Reviewed by: dd, silence on -audit
MFC after: 1 month
Hajimu UMEMOTO [Sun, 10 Jun 2001 20:25:24 +0000 (20:25 +0000)]
Implement EDNS0 support, as EDNS0 support will be made mandatory for
IPv6 transport-ready resolvers/DNS servers. Needs careful configuration
when enabling it (default config is not affected).
See manpage for details.
XXX visible symbol __res_opt() is added, however, it is not supposed to be
called from outside, libc minor is not bumped.
Andrew Gallatin [Sun, 10 Jun 2001 19:18:51 +0000 (19:18 +0000)]
Supply the intpin to the platform.pci_intr_map() function. It turns
out nearly every platform but the one I tested on requires the intpin
to swizzle out the correct intline.
sbuf_new(9) now returns a struct sbuf * instead of an int. If the caller
does not provide a struct sbuf, sbuf_new(9) will allocate one and return
a pointer to it.
Doug Rabson [Sun, 10 Jun 2001 13:39:10 +0000 (13:39 +0000)]
Move the first section up one page. The firmware bogusly uses the first
page of the image to load section headers and if we let the text section
start at zero, it corrupts the section table when it's loaded. With this
change, the loader gets as far as the 'ok' prompt.