author | Renato Botelho <renato@netgate.com> | 2016-06-02 18:34:21 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2016-06-02 18:34:21 -0300 |
commit | 4775a2bdcd046cf79426a4cdd0dbc8f52a414ca8 (patch) | |
tree | f7ba4164f8a1690df639984ef7588d4ed6ed80cd /etc | |
parent | 58cc1dd9a16eac0125c6fce83aa28f26d7e13989 (diff) | |
parent | ada12d916d2fc4a725e9c2f0ec61f027ce65471a (diff) | |
Merge remote-tracking branch 'origin/master' into devel-11
Diffstat (limited to 'etc')
-rw-r--r-- | etc/Makefile | 4 | ||||
-rw-r--r-- | etc/blacklistd.conf | 17 | ||||
-rw-r--r-- | etc/defaults/rc.conf | 6 | ||||
-rw-r--r-- | etc/mtree/BSD.include.dist | 2 | ||||
-rw-r--r-- | etc/mtree/BSD.tests.dist | 4 | ||||
-rw-r--r-- | etc/mtree/BSD.var.dist | 4 | ||||
-rwxr-xr-x | etc/periodic/daily/480.leapfile-ntpd | 4 | ||||
-rwxr-xr-x | etc/periodic/security/520.pfdenied | 10 | ||||
-rw-r--r-- | etc/rc.d/Makefile | 8 | ||||
-rw-r--r-- | etc/rc.d/blacklistd | 45 | ||||
-rwxr-xr-x | etc/rc.d/dhclient | 2 | ||||
-rwxr-xr-x | etc/rc.d/ldconfig | 2 | ||||
-rwxr-xr-x | etc/rc.d/mountcritremote | 16 | ||||
-rwxr-xr-x | etc/rc.d/netif | 2 | ||||
-rwxr-xr-x | etc/rc.d/random | 4 | ||||
-rwxr-xr-x | etc/rc.d/routing | 5 | ||||
-rw-r--r-- | etc/rc.d/zfsd | 17 |
17 files changed, 139 insertions, 13 deletions
diff --git a/etc/Makefile b/etc/Makefile
index 94c4473..99d905a 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -86,6 +86,10 @@ BIN1+=	apmd.conf
 BIN1+=	auto_master
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+BIN1+=	blacklistd.conf
+.endif
+
 .if ${MK_FREEBSD_UPDATE} != "no"
 BIN1+=	freebsd-update.conf
 .endif
diff --git a/etc/blacklistd.conf b/etc/blacklistd.conf
new file mode 100644
index 0000000..2b1cf87
--- /dev/null
+++ b/etc/blacklistd.conf
@@ -0,0 +1,17 @@
+# $FreeBSD$
+#
+# Blacklist rule
+# adr/mask:port	type	proto	owner	name	nfail	disable
+[local]
+ssh	stream	*	*	*	3	24h
+ftp	stream	*	*	*	3	24h
+smtp	stream	*	*	*	3	24h
+submission	stream	*	*	*	3	24h
+#6161	stream	tcp6	christos	*	2	10m
+*	*	*	*	*	3	60
+
+# adr/mask:port	type	proto	owner	name	nfail	disable
+[remote]
+#129.168.0.0/16	*	*	*	=	*	*
+#6161	=	=	=	=/24	=	=
+#*	stream	tcp	*	=	=	=
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 74125d1..8a5c07e 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -60,6 +60,10 @@ rc_conf_files="/etc/rc.conf /etc/rc.conf.local"
 # ZFS support
 zfs_enable="NO"		# Set to YES to automatically mount ZFS file systems
 
+# ZFSD support
+zfsd_enable="NO"	# Set to YES to automatically start the ZFS fault
+			# management daemon.
+
 gptboot_enable="YES"	# GPT boot success/failure reporting.
 
 # Experimental - test before enabling
@@ -266,6 +270,8 @@ hastd_program="/sbin/hastd"	# path to hastd, if you want a different one.
 hastd_flags=""			# Optional flags to hastd.
 ctld_enable="NO"		# CAM Target Layer / iSCSI target daemon.
 local_unbound_enable="NO"	# local caching resolver
+blacklistd_enable="YES"		# Run blacklistd daemon (YES/NO).
+blacklistd_flags=""		# Optional flags for blacklistd(8).
 
 #
 # kerberos. Do not run the admin daemons on slave servers
diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist
index a9baa7e..42980d0 100644
--- a/etc/mtree/BSD.include.dist
+++ b/etc/mtree/BSD.include.dist
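Review bot: The commented `[remote]` example `#129.168.0.0/16	*	*	*	=	*	*` in the new etc/blacklistd.conf looks like a typo for the private range `192.168.0.0/16`; anyone uncommenting it as a template gets an unrelated public prefix. The `#6161	stream	tcp6	christos	*	2	10m` line is likewise an upstream author-specific sample rather than anything this system ships. I would correct the prefix to `#192.168.0.0/16	*	*	*	=	*	*` and either drop the `christos` sample or replace both with a one-line comment pointing readers at the blacklistd.conf(5) format description.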
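Review bot: `blacklistd_enable="YES"` in the second etc/defaults/rc.conf hunk turns the new daemon on for every installation, while every other daemon knob visible in the same hunks (`ctld_enable`, `local_unbound_enable`, the new `zfsd_enable`) defaults to `"NO"`; a defaults entry should be opt-in, with the operator enabling it in /etc/rc.conf together with pf. I would change the line to `blacklistd_enable="NO"		# Run blacklistd daemon (YES/NO).`. As far as the rc script added in this commit shows, `REQUIRE: netif pf` only orders startup and does not check that pf is enabled, so with the YES default most hosts would run a daemon whose blocks are presumably never applied.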
@@ -155,6 +155,8 @@
         wi
         ..
     ..
+    devdctl
+    ..
     edit
         readline
         ..
diff --git a/etc/mtree/BSD.tests.dist b/etc/mtree/BSD.tests.dist
index f18091d..ae17129 100644
--- a/etc/mtree/BSD.tests.dist
+++ b/etc/mtree/BSD.tests.dist
@@ -215,6 +215,8 @@
                 ..
             ..
         ..
+        zfsd
+        ..
     ..
 ..
 etc
@@ -308,6 +310,8 @@
     ..
     libcrypt
     ..
+    libdevdctl
+    ..
     libmp
     ..
     libnv
diff --git a/etc/mtree/BSD.var.dist b/etc/mtree/BSD.var.dist
index 46b8dcd..e6dfa50 100644
--- a/etc/mtree/BSD.var.dist
+++ b/etc/mtree/BSD.var.dist
@@ -54,6 +54,10 @@
         ..
         portsnap
         ..
+        zfsd
+            cases
+            ..
+        ..
     ..
     empty mode=0555 flags=schg
     ..
diff --git a/etc/periodic/daily/480.leapfile-ntpd b/etc/periodic/daily/480.leapfile-ntpd
index 8429824..5a3ccce 100755
--- a/etc/periodic/daily/480.leapfile-ntpd
+++ b/etc/periodic/daily/480.leapfile-ntpd
@@ -16,10 +16,10 @@ case "$daily_ntpd_leapfile_enable" in
 	case "$daily_ntpd_avoid_congestion" in
 	[Yy][Ee][Ss])
 	    # Avoid dogpiling
-	    (sleep $(jot -r 1 0 86400); service ntpd fetch) &
+	    (sleep $(jot -r 1 0 86400); service ntpd onefetch) &
 	    ;;
 	*)
-	    service ntpd fetch
+	    service ntpd onefetch
 	    ;;
 	esac
 	;;
diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied
index f2f9e8a..850c10d 100755
--- a/etc/periodic/security/520.pfdenied
+++ b/etc/periodic/security/520.pfdenied
@@ -44,8 +44,14 @@ rc=0
 if check_yesno_period security_status_pfdenied_enable
 then
 	TMP=`mktemp -t security`
-	if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
-		check_diff new_only pf ${TMP} "${host} pf denied packets:"
+	touch ${TMP}
+	for _a in "" blacklistd
+	do
+		pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
+	done
+	if [ -s ${TMP} ]; then
+		check_diff new_only pf ${TMP} "${host} pf denied packets:"
 	fi
 	rc=$?
 	rm -f ${TMP}
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 89d2baf..2d195f1 100644
--- a/etc/rc.d/Makefile
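Review bot: In the new loop of etc/periodic/security/520.pfdenied, `pfctl -a ${_a} -sr -v -z` expands `_a` unquoted, so on the first iteration (`_a=""`) the empty word is dropped and pfctl receives `-a -sr -v -z`: `-a` consumes `-sr` as the anchor name, no `-s` remains, and the main ruleset's block counters — which the removed line did report — are silently lost because stderr is discarded. Quote the expansion, `pfctl -a "${_a}" -sr -v -z 2>/dev/null | \`, so the empty string is passed as the main-anchor name. The added `touch ${TMP}` is also redundant, since `mktemp -t security` on the preceding context line already creates the file.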
+++ b/etc/rc.d/Makefile
@@ -17,6 +17,7 @@ FILES=	DAEMON \
 	auditd \
 	auditdistd \
 	bgfsck \
+	${_blacklistd} \
 	${_bluetooth} \
 	bridge \
 	${_bthidd} \
@@ -123,7 +124,7 @@ FILES=	DAEMON \
 	ypserv \
 	ypset \
 	ypupdated \
-	ypxfrd \
+	ypxfrd
 
 .if ${MK_ACCT} != "no"
 FILESGROUPS+=	ACCT
@@ -168,6 +169,10 @@ FILES+=	automountd
 FILES+=	autounmountd
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd+=	blacklistd
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _bluetooth=	bluetooth
 _bthidd=	bthidd
@@ -308,6 +313,7 @@ FILES+=	wpa_supplicant
 .if ${MK_ZFS} != "no"
 FILESGROUPS+=	ZFS
 ZFS+=	zfs
+ZFS+=	zfsd
 ZFS+=	zvol
 ZFSPACKAGE=	zfs
 .endif
diff --git a/etc/rc.d/blacklistd b/etc/rc.d/blacklistd
new file mode 100644
index 0000000..8e79250
--- /dev/null
+++ b/etc/rc.d/blacklistd
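Review bot: `_blacklistd+=	blacklistd` in the third etc/rc.d/Makefile hunk appends to a variable that is set nowhere else, while the neighbouring `.if ${MK_BLUETOOTH}` block assigns its list variables with plain `=` (`_bluetooth=	bluetooth`, `_bthidd=	bthidd`). Using `_blacklistd=	blacklistd` matches the file's convention and makes it obvious the variable holds exactly one entry.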
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blacklistd"
+desc="System blacklist daemon"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/etc/rc.d/dhclient b/etc/rc.d/dhclient
index 332be4c..f2d17c5 100755
--- a/etc/rc.d/dhclient
+++ b/etc/rc.d/dhclient
@@ -30,7 +30,7 @@ dhclient_pre_check()
 		else
 			debug "$msg"
 		fi
-                exit 1
+		exit 1
 	fi
 }
 
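Review bot: The new etc/rc.d/blacklistd script documents nothing about what the daemon needs from pf: `# REQUIRE: netif pf` only orders startup, and nothing here checks that pf is enabled or that the pf anchor the daemon writes into exists (the 520.pfdenied hunk in this same commit reads counters with `pfctl -a blacklistd`, so that anchor name is presumably the one expected). I would add a short comment block after the `REQUIRE` line stating that blocking only takes effect when pf is enabled and its configuration includes the blacklistd anchor, and that `/etc/blacklistd.conf` (listed in `required_files`) supplies the per-service thresholds. The other rc script added here, etc/rc.d/zfsd, carries `# KEYWORD: nojail shutdown`; this one has no `KEYWORD` line at all, so it is worth confirming whether the daemon should be stopped cleanly at shutdown and started inside jails.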
diff --git a/etc/rc.d/ldconfig b/etc/rc.d/ldconfig
index 9ecb172..a657a01 100755
--- a/etc/rc.d/ldconfig
+++ b/etc/rc.d/ldconfig
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: ldconfig
-# REQUIRE: mountcritremote FILESYSTEMS
+# REQUIRE: FILESYSTEMS
 # BEFORE: DAEMON
 
 . /etc/rc.subr
diff --git a/etc/rc.d/mountcritremote b/etc/rc.d/mountcritremote
index 2af48b6..dede14f 100755
--- a/etc/rc.d/mountcritremote
+++ b/etc/rc.d/mountcritremote
@@ -35,12 +35,15 @@ mountcritremote_precmd()
 
 mountcritremote_start()
 {
+	local mounted_remote_filesystem=false
+
 	# Mount nfs filesystems.
 	#
 	case "`/sbin/mount -d -a -t nfs`" in
 	'')
 		;;
 	*)
+		mounted_remote_filesystem=true
 		echo -n 'Mounting NFS filesystems:'
 		mount -a -t nfs
 		echo '.'
@@ -64,6 +67,7 @@ mountcritremote_start()
 
 		case "`mount -d -a -t ${fstype}`" in
 		*mount_${fstype}*)
+			mounted_remote_filesystem=true
 			echo -n "Mounting ${fsdecr} filesystems:"
 			mount -a -t ${fstype}
 			echo '.'
@@ -71,9 +75,15 @@ mountcritremote_start()
 		esac
 	done
 
-	# Cleanup /var again just in case it's a network mount.
-	/etc/rc.d/cleanvar quietreload
-	rm -f /var/run/clean_var /var/spool/lock/clean_var
+	if $mounted_remote_filesystem; then
+		# Cleanup /var again just in case it's a network mount.
+		/etc/rc.d/cleanvar quietreload
+		rm -f /var/run/clean_var /var/spool/lock/clean_var
+
+		# Regenerate the ldconfig hints in case there are additional
+		# library paths on remote file systems
+		/etc/rc.d/ldconfig quietstart
+	fi
 }
 
 load_rc_config $name
diff --git a/etc/rc.d/netif b/etc/rc.d/netif
index e2b1825..a1543e6 100755
--- a/etc/rc.d/netif
+++ b/etc/rc.d/netif
@@ -27,7 +27,7 @@
 
 # PROVIDE: netif
 # REQUIRE: FILESYSTEMS iovctl serial sppp sysctl
-# REQUIRE: ipfilter ipfs
+# REQUIRE: hostid ipfilter ipfs
 # KEYWORD: nojailvnet
 
 . /etc/rc.subr
diff --git a/etc/rc.d/random b/etc/rc.d/random
index 179ccc7..1e4e5b2 100755
--- a/etc/rc.d/random
+++ b/etc/rc.d/random
@@ -44,12 +44,12 @@ random_start()
 {
 
 	if [ ${harvest_mask} -gt 0 ]; then
-		echo -n 'Setting up harvesting:'
+		echo -n 'Setting up harvesting: '
 		${SYSCTL} kern.random.harvest.mask=${harvest_mask} > /dev/null
 		${SYSCTL_N} kern.random.harvest.mask_symbolic
 	fi
 
-	echo -n 'Feeding entropy:'
+	echo -n 'Feeding entropy: '
 
 	if [ ! -w /dev/random ] ; then
 		warn "/dev/random is not writeable"
diff --git a/etc/rc.d/routing b/etc/rc.d/routing
index 3d3f5a5..2a57fa3 100755
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@@ -90,18 +90,23 @@ routing_stop()
 
 setroutes()
 {
+	local _ret
+	_ret=0
 	case $1 in
 	static)
 		static_$2 add $3
+		_ret=$?
 		;;
 	options)
 		options_$2
 		;;
 	doall)
 		static_$2 add $3
+		_ret=$?
 		options_$2
 		;;
 	esac
+	return $_ret
 }
 
 routing_stop_inet()
diff --git a/etc/rc.d/zfsd b/etc/rc.d/zfsd
new file mode 100644
index 0000000..edf259b
--- /dev/null
+++ b/etc/rc.d/zfsd
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: zfsd
+# REQUIRE: devd zfs
+# KEYWORD: nojail shutdown
+
+. /etc/rc.subr
+
+name="zfsd"
+rcvar="zfsd_enable"
+command="/usr/sbin/${name}"
+
+load_rc_config $name
+run_rc_command "$1"
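Review bot: In the etc/rc.d/routing hunk, `setroutes` now returns `_ret`, but only the `static_$2 add $3` calls feed it: the `options)` branch always returns 0 whatever `options_$2` does, and in `doall)` a failure of `options_$2` after a successful `static_$2` is likewise lost. If that asymmetry is intended — only the static-route step is meant to be reported to callers — a one-line comment above `local _ret` saying so would stop the next reader from "fixing" it; otherwise capture the options status as well, e.g. `options_$2 || _ret=$?` in both branches. The whole of `setroutes` is inside the hunk; its callers are not.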