| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
| |
Obtained from: http://www.iana.org/assignments/port-numbers
MFC after: 1 week
|
| |
|
|
|
|
| |
Submitted by: flo
Approved by: cperciva
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
| |
- Add an examples file with many of the not accepted suggestions from the discussion
PR: conf/160689
Reviewed by: many
Discussed on: current
Approved by: cperciva
|
| |
|
|
| |
Glanced by: kib
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
several new kerberos related libraries and applications to FreeBSD:
o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securily forwards ticket to another host through an authenticated
and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
and other user kerberos operations. klist and kswitch are just symlinks
to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if
you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some lirbaries that were not installed
before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are
recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used
by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
disabled due to the function they use (krb5_get_err_text(3)) being
deprecated. I plan to work on this next.
- Heimdal's KDC now require sqlite to operate. We use the bundled version
and install it as libheimsqlite. If some other FreeBSD components will
require it in the future we can rename it to libbsdsqlite and use for these
components as well.
- This is not a latest Heimdal version, the new one was released while I was
working on the update. I will update it to 1.5.2 soon, as it fixes some
important bugs and security issues.
|
| | | |
|
| | |
|
| |
|
|
|
| |
daily security checks 800.loginfail and 900.tcpwrap may produce
false positive alerts.
|
| |
|
|
| |
MFC after: 1 week
|
| |
|
|
|
|
|
| |
The /dev/zfs device is required for managing jailed ZFS datasets.
Discussed with: pjd, jamie
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the environment doesn't offer a working /dev/console, the existing
version of init(8) will simply refuse running rc(8) scripts. This means
you'll only have a system running init(8) and nothing else.
Change the code to do the following:
- Open /dev/console like we used to do, but make it more robust to use
O_NONBLOCK to prevent blocking on a carrier.
- If this fails, use /dev/null as stdin and /var/log/init.log as stdout
and stderr.
- If even this fails, use /dev/null as stdin, stdout and stderr.
So why us this useful? Well, if you remove the `getpid() == 1' check in
main(), you can now use init(8) inside jails to properly execute rc(8).
It still requires some polishing, as existing tools assume init(8) has
PID 1.
Also it is now possible to use use init(8) on `headless' devices that
don't even have a serial boot console.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If rc(8) is executed without using a TTY, this error appears at the
beginning:
stty: stdin isn't a terminal
Because this is to be expected and of course not harmful, it is better
to simply hide the error message.
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
| |
for the default FIB followed by a statement with a list of FIB numbers for
all the other FIBs we install the routes for.
Request by: kib (to make it less noisy)
Tested by: kib
MFC after: 3 days
|
| |
|
|
|
|
| |
universe with gcc.
Approved by: dim (mentor)
|
| |
|
|
|
| |
Approved by: nwhitehorn (mentor)
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
| |
Without this change, pressing ^T could result in rc.d script putting
junk strings like:
Script <filename> running
in configuration files when redirecting standard output to these files.
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
| |
certain systems that take a long time to shut down, without adversely
affecting things that shut down quickly. It's also 30 seconds less than
the default hard limit of 120 seconds in kern.init_shutdown_timeout.
PR: conf/109272
Submitted by: Radim Kolar SF.NET <hsn@sendmail.cz>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Extend the so far IPv4-only support for multiple routing tables (FIBs)
introduced in r178888 to IPv6 providing feature parity.
This includes an extended rtalloc(9) KPI for IPv6, the necessary
adjustments to the network stack, and user land support as in netstat.
Sponsored by: Cisco Systems, Inc.
Reviewed by: melifaro (basically)
MFC after: 10 days
|
| |
|
|
|
|
| |
Requested by: marcel, dougb, bde
Approved by: cperciva
MFC after: 3 days
|
| |
|
|
|
|
| |
universe with them. Sorry for the breakage.
Pointy hat to: me and brooks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Address performance regressions encountered by das@ by caching per-thread
data in TLS where available.
- Add a __NO_TLS flag to cdefs.h to indicate where not available.
- Reorganise the xlocale.h definitions into xlocale/*.h so that they can be
included from multiple places.
- Export the POSIX2008 subset of xlocale when POSIX2008 says it should be
exported, independently of whether xlocale.h is included.
- Fix the bug where programs using ctype functions always assumed ASCII unless
recompiled.
- Fix some style(9) violations.
Reviewed by: brooks (mentor)
Approved by: dim (mentor)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Add new functionality to the force_depend method to incorporate the
tests for whether the service is enabled and/or already running.
2. Add a new option to bypass checking only that the service is enabled
at boot time, and always check if it is running.
3. Use this new functionality to greatly simplify the rc.d scripts that
use force_depend.
4. Add a force_depend for statd in lockd
5. Remove the check that either nfs_server or nfs_client is _enable'd
from statd and lockd. This was always overkill, and prevented using
the {one|force}start options, as well as stop'ing on the command line.
6. The yp* scripts had some of their arguments in various weird orders.
Bring them into line with the model.
7. If mountd fails to create /var/db/mountdtab, err out.
Ideas, suggestions, and/or review from delphij and jilles.
Pointy hats are completely my responsibility however.
|
| |
|
|
| |
MFC after: 1 day
|
| |
|
|
|
|
|
|
|
| |
The main benefit is that watchdogd would shutdown after most of other
daemons/servers and thus, for example, would remedy a system hang caused
by unlucky X server shutdown.
Reviewed by: dougb (earlier version)
MFC after: 2 weeks
|
| |
|
|
| |
Requested by: dougb
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This has the following advantages:
- During boot, the BOOT_TIME record is now written right after the file
systems become writable, but before users are allowed to log in. This
means that they can't cause `hidden logins' by logging in right before
init(8) kicks in.
- The pututxline(3) function may potentially block on file locking,
though this is very rare to occur. By placing it in an rc script, the
user can still kill it with ^C if needed.
- Most importantly: jails don't use init(8). This means that a force
reboot of a system running jails will leave stale entries in the
accounting database of the jails individually.
|
| |
|
|
|
|
|
|
| |
of rcorder. Somehow in the intervening period addswap got moved to the
very end, which is almost certainly not what we want.
This change moves it to right after kld so that for users who need it,
they'll get it ASAP.
|
| |
|
|
|
|
|
| |
PR: conf/163789
Submitted by: gcooper (iXsystems)
Approved by: cperciva
MFC after: 3 days
|
| | |
|
| |
|
|
|
|
|
|
|
| |
side effect of something else using them. If they haven't been loaded
already but you want to use them, say for configuring a jail, you're out
of luck.
So add a knob to always load the default rulesets. While I'm here document
the other devfs_ knobs in rc.conf.5.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
zfs pools on the system.
While here, document daily_status_zfs_enable in periodic.conf(5).
Discussed on: -fs [1]
Reviewed by: netchild [1]
Approved by: jhb
MFC after: 1 week
[1] - http://lists.freebsd.org/pipermail/freebsd-fs/2011-June/011869.html
|
| |
|
|
|
|
| |
it was set to "auto", for example.
MFC after: 3 days
|
| | |
|
| |
|
|
|
|
|
| |
include notify tags.
Approved by: nwhitehorn (mentor)
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- ipv6_enable + ipv6_gateway_enable should unset ACCEPT_RTADV by default for
backward compatibility.
- Configurations in ipv6_prefix_IF should be recognized even if there is no
ifconfig_IF_ipv6.
- DAD wait should be performed at once, not on a per-interface basis, if
possible. This fixes an issue that a system with a lot of IPv6-capable
interfaces takes too long for booting.
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
| |
creating stray "log" symlinks if the mount fails. That apparently
happens in some ezjail configs.
PR: conf/143084
Submitted by: Dirk Engling <erdgeist at erdgeist.org>
Reviewed by: simon
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
| |
dhclient is no longer a real service, it is a helper script
for /etc/rc.d/netif and devd. Its direct invocation isn't
needed to bring the network up.
Approved by: jhb
|
| |
|
|
|
|
| |
We should show the error to user, but it doesn't deserve syslog.
Approved by: jhb
|
| |
|
|
|
|
|
| |
is running or not.
PR: conf/150752
Submitted by: YIN Xiaofeng <75394094@qq.com>
|
| |
|
|
|
|
| |
The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
assignments to the literal values it would have returned.
The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.
During the discussion on freebsd-rc@ a preference was expressed for
using ${name}_enable instead of the literal values. However the
code portability concept doesn't really apply since there are so
many other places where the literal name has to be searched for
and replaced. Also, using the literal value is also a tiny bit
faster than dereferencing the variables, and every little bit helps.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Document the current semantics of the 'quiet' command prefix
in the rc.subr(8).
Fix dhclient rc.d script: it should not call err() for
non-DHCP-enabled interface when it is called from devd, because the
latter just blindly calls 'service dhclient quietstart' on each "link
up" event.
Since the 'quietstart' will silence the message "Cannot 'start' <foo>.
Set <foo>_enable to YES in /etc/rc.conf or use 'onestart' instead of
'start'." and running dhclient on the non-DHCP-enabled interface is
the same thing as running the service <foo> without <foo>_enable set,
such modification is in sync with the current semantics of the 'quiet'
prefix.
Approved by: glebius
Reviewed by: freebsd-rc list
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
o Make the pfsync.ko actually usable. Before this change loading it
didn't register protosw, so was a nop. However, a module /boot/kernel
did confused users.
o Rewrite the way we are joining multicast group:
- Move multicast initialization/destruction to separate functions.
- Don't allocate memory if we aren't going to join a multicast group.
- Use modern API for joining/leaving multicast group.
- Now the utterly wrong pfsync_ifdetach() isn't needed.
o Move module initialization from SYSINIT(9) to moduledata_t method.
o Refuse to unload module, unless asked forcibly.
o Improve a bit some FreeBSD porting code:
- Use separate malloc type.
- Simplify swi sheduling.
This change is probably wrong from VIMAGE viewpoint, however pfsync
wasn't VIMAGE-correct before this change, too.
Glanced at by: bz
|
| |
|
|
| |
attempting to maintain compatibility with NetBSD for some years now.
|
| | |
|
| |
|
|
|
|
|
| |
inside a jail.
Discussed with: rwatson
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
| |
with FreeBSD easier for vendors.
- For optional files use variables starting with underscore.
Both changes make rc.d/Makefile look similar to sys/modules/Makefile.
Reviewed by: dim
|
| |
|
|
|
|
| |
rc.conf without the "inet" keyword.
Obtained from: hrs
|
| |
|
|
| |
Approved by: nwhitehorn (mentor)
|
