| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Only allow to overwrite lease file.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Limit routing socket so only poll(2) and read(2) are allowed (CAP_POLL_EVENT
and CAP_READ). This prevents unprivileged process from adding, removing or
modifying system routes.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Limit communication pipe with privileged process to CAP_READ and CAP_WRITE.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- Limit bpf descriptor in unprivileged process to CAP_POLL_EVENT, CAP_READ and
allow for SIOCGIFFLAGS, SIOCGIFMEDIA ioctls.
- While here limit bpf descriptor in privileged process to only CAP_WRITE.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently it was allowed to send any UDP packets from unprivileged process and
possibly any packets because /dev/bpf was open for writing.
Move sending packets to privileged process. Unprivileged process has no longer
access to not connected UDP socket and has only access to /dev/bpf in read-only
mode.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Shutdown write direction of the routing socket. We only need to read from it.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- Add new request (IMSG_SEND_PACKET) that will be handled by privileged process.
- Add $FreeBSD$.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The gethostname(3) function won't work in capability mode, because reading
kern.hostname sysctl is not permitted there. Cache hostname early and use
cached value later.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Make use of two fields: rfdesc and wfdesc to keep bpf descriptor open for
reading only in rfdesc and bpf descriptor open for writing only in wfdesc.
In the end they will be used by two different processes.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
iov_base field is 'void *' in FreeBSD, no need to cast.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
No caller checks send_packet() return value, so make it void.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use the same type for 'from' and 'to' argument in send_packet().
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Remove unused argument from assemble_hw_header().
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Remove unused argument from send_packet().
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Garbage-collect dead prototypes.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
contained in the DHCP offer, and write it out to the lease file
as an unquoted value of the "next-server" keyword. The value is ignored
when the lease is read back by dhclient, however other applications
are free to parse it.
The intent behind this change is to allow easier interoperability
with automated installation systems e.g. Cobbler, Foreman, Razor;
FreeBSD installation kernels can automatically probe the network
to discover deployment servers. There are no plans to MFC this
change unless a backport is specifically requested.
The syntax of the "next-server <ip>" lease keyword is intended to be
identical to that used by the ISC DHCPD server in its configuration files.
The required defines are already present in dhclient but were unused before
this change. (Note: This is NOT the same as Option 66, tftp-server-name).
It has been exercised in a university protocol testbed environment, with
Cobbler and an mfsBSD image containing pc-sysinstall (driven by Cobbler
Cheetah templates). The SYSLINUX memdisk driver is used to boot mfsBSD.
Currently this approach requires that a dedicated system profile has
been created for the node where FreeBSD is to be deployed. If this
is not present, the pc-sysinstall wrapper will be unable to obtain
a node configuration. There is code in progress to allow mfsBSD images
to obtain the required hints from the memdisk environment by parsing
the MBFT ACPI chunk. This is non-standard as it is not linked into
the platform's ACPI RSDT.
Reviewed by: des
|
| | |/
|/|
| |
| |
| | |
PR: bin/170279
MFC after: 1 week
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
First, don't exit when the link goes down on an interface. Instead,
teach dhclient to track changes in link state and to enter the reboot
state when the link on an interface goes up causing dhclient to attempt
to renew its existing lease.
Second, remove the change I added to clear the old lease when dhclient
exits due to an error (such as ifconfig down). If an interface is
using autoconfiguration it should keep its autoconfiguration as much as
possible. If the next time it needs a configuration it is able to reuse
the previous autoconfiguration, then leaving the settings intact allows
existing connections to survive temporary outages, etc.
PR: bin/166656
MFC after: 1 month
|
| |/
|
|
|
|
|
|
|
|
| |
link is lost. devd will start a new dhclient instance when link is
restored.
PR: bin/166656
Submitted by: Peter Jeremy (mostly)
Reviewed by: brooks (earlier version from Peter)
MFC after: 1 month
|
| | |
|
| |
|
|
| |
Sponsored by: Yakaz (http://www.yakaz.com)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the original Domain Search option patch, an invalid option value
would cause the whole lease to be rejected. However, DHCP servers who
emit such an invalid value are more common than I thought. With this new
patch, just the option is rejected, not the entire lease.
PR: bin/163431
Submitted by: Fabian Keil <fk@fabiankeil.de> (earlier version)
Reviewed by: Fabian Keil <fk@fabiankeil.de>
Sponsored by: Yakaz (http://www.yakaz.com)
|
| |
|
|
|
|
| |
we might as well use memcpy; strlcpy is really unnecessary here.
MFC after: 1 week
|
| |
|
|
|
|
|
| |
strlcpy appearing to be the size of the source buffer, instead of the
destination.
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
| |
that changed 0.0.0.0/0.0.0.0 prefix to 0.0.0.0/255.0.0.0.
In the r228313 this behavior was fixed, and since dhclient-script
got broken.
I'm not sure this fix is a perfect one, it just changes
dhclient-script to set 0.0.0.0/255.0.0.0 explicitly.
PR: kern/163206
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The "domain-search" option (option 119) allows a DHCP server to publish
a list of implicit domain suffixes used during name lookup. This option
is described in RFC 3397.
For instance, if the domain-search option says:
".example.org .example.com"
and one wants to resolve "foobar", the resolver will try:
1. "foobar.example.org"
2. "foobar.example.com"
The file /etc/resolv.conf is updated with a "search" directive if the
DHCP server provides "domain-search".
A regression test suite is included in this patch under
tools/regression/sbin/dhclient.
PR: bin/151940
Sponsored by Yakaz (http://www.yakaz.com)
|
| |
|
|
|
|
|
| |
there, clean it up and add some error checks.
Glanced at by: brooks@
MFC after: 3 weeks
|
| |
|
|
|
| |
If you don't want to use resolvconf(8) to update /etc/resolv.conf,
you can put resolvconf_enable="NO" into /etc/dhclient-enter-hooks.
|
| |
|
|
|
|
|
|
| |
how to configure dhclient to clear the interface of IP numbers prior
to configuring it.
PR: 149351
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
it to configure the interface. When the script is complete, dhclient
monitors the routing socket and will terminate if its address is
deleted or if its interface is removed or brought down.
Because the routing socket is already open when dhclient-script is
run, dhclient ignores address deletions for 10 seconds after the
script was run.
If the address that will be obtained is already configured on the
interface before dhclient starts, and if dhclient-script takes more
than 10 seconds (perhaps due to dhclient-*-hooks latencies), on script
completion, dhclient will immediately and silently exit when it sees
the RTM_DELADDR routing message resulting from the script reassigning
the address to the interface.
This change logs dhclient's reason for exiting and also changes the
10 second timeout to be effective from completion of dhclient-script
rather than from when it was started.
We now ignore RTM_DELADDR and RTM_NEWADDR messages when the message
contains no interface address (which should not happen) rather than
exiting.
Not reviewed by: brooks (timeout)
MFC after: 3 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
| |
packets instead of allowing the protocol stack to pick a random source port.
This fixes the behaviour where dhclient would never transition from RENEWING
to BOUND without going through REBINDING in networks which are paranoid about
DHCP spoofing, such as most mainstream cable-broadband ISP networks.
Reviewed by: brooks
Obtained from: OpenBSD (partly - I'm not convinced their solution can work)
MFC after: 1 week (pending re approval)
|
| |
|
|
| |
Submitted by: Ulrich Spörlein
|
| |
|
|
|
|
|
|
| |
dhclient now terminates when the underlying ifnet is destroyed (e.g.
on card eject).
Reviewed by: brooks
Approved by: re (kib)
|
| |
|
|
|
|
|
|
|
|
|
| |
internal buffer sizes.
When we 'append', assume we're appending to text. Some MS dhcp servers will
give us a string with the length including the trailing NUL. when we 'append
domain-name', we get something like "search x.y\000 z" in resolv.conf :(
MFC after: 1 week
Security: A buffer overflow (by one NUL byte) was possible.
|
| |
|
|
|
|
| |
PR: bin/127076
Submitted by: jkim
MFC after: 1 week
|
| |
|
|
|
|
|
|
| |
In the MPSAFE TTY branch, I noticed PTY's to be leaked, because
dhclient's privileged process was run inside the session of, say, the
login shell. Make sure we call setsid() here.
Approved by: philip (mentor), brooks
|
| |
|
|
|
|
| |
for a long time if we get a lease, but DNS isn't working.
MFC after: 1 week
|
| |
|
|
|
|
|
|
| |
directly rather than bogusly sending it out as a link layer broadcast
(which fails to be received on some networks).
PR: bin/96018
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
| |
interface is one with the default route (or there isn't one). Use it to
decide if we should adjust the default route and /etc/resolv.conf.
Fix the delete of the default route. The if statement was totally bogus
and the delete only worked due to a typo. [1]
Reported by: Jordan Coleman <jordan at JordanColeman dot com> [1]
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
| |
lease: track the current bssid and if it changes (as reported in an
assoc/reassoc) event only then kick the state machine. This gives us
immediate response when roaming but otherwise causes us to fallback on
the normal state machine.
Reviewed by: brooks, jhb
MFC after: 3 weeks
|
| |
|
|
| |
MFC after: 2 weeks
|
| |
|
|
|
|
|
| |
alias to avoid distrubing other addresses.
PR: bin/119255
Submitted by: Jaakko Heinonen <jh at saunalahti dot fi>
|
| |
|
|
|
| |
Reviewed by: brooks
MFC after: 3 days
|
| |
|
|
|
|
|
| |
PR: docs/116099
Submitted by: Ben Kaduk <minimarmot@gmail.com>
Approved by: re (bmah)
MFC after: 3 days
|
| |
|
|
|
|
|
| |
to be reloaded when the interface is torn down.
Reviewed by: brooks
Approved by: re (kensmith)
|
| |
|
|
|
|
|
| |
correct test to -ge 5. Without this change an RFC3442 encoded default
route would be ignored.
Reported by: Cedric Jonas <cedric at decemplex dot net>
|
| |
|
|
|
|
|
|
|
|
|
| |
The original DHCP specification includes a route option but it supports
only class-based routes. RFC3442 adds support for specifying the netmask
width for each static route. A variable length encoding is used to minimize
the size of this option.
PR: bin/99534
Submitted by: Andrey V. Elsukov <bu7cher@yandex.ru>
Reviewed by: brooks
|
| |
|
|
| |
file isn't actually installed; the one in src/etc is.
|
| |
|
|
|
|
| |
were removing the invalid option, but still rejecting the lease.
Reported by: Yoshihiko Sarumaru <mistral at imasy dot or dot jp>
|
