| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Spotted by: FlexeLint
|
| |
|
|
| |
Spotted by: FlexeLint
|
| |
|
|
|
|
| |
pnp_read_bytes().
Spotted by: FlexeLint
|
| |
|
|
| |
Spotted by: FlexeLint.
|
| |
|
|
| |
Spotte by: FlexeLint.
|
| |
|
|
|
|
| |
Fix misindentation.
Spotted by: DARPA & NAI Labs.
|
| |
|
|
| |
Spotted by: FlexeLint.
|
| |
|
|
|
|
| |
Properly put macro args in ().
Spotted by: FlexeLint.
|
| |
|
|
| |
Spotted by: FlexeLint.
|
| |
|
|
| |
Spotted by: FlexeLint.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
supposed to be checked by the firewall rules twice. However, because the
various ipsec handlers never call ip_input(), this never happens anyway.
This fixes the situation where a gif tunnel is encrypted with IPsec. In
such a case, after IPsec processing, the unencrypted contents from the
GIF tunnel are fed back to the ipintrq and subsequently handeld by
ip_input(). Yet, since there still is IPSec history attached, the
packets coming out from the gif device are never fed into the filtering
code.
This fix was sent to Itojun, and he pointed towartds
http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction.
This patch actually implements what is stated there (specifically:
Packet came from tunnel devices (gif(4) and ipip(4)) will still
go through ipf(4). You may need to identify these packets by
using interface name directive in ipf.conf(5).
Reviewed by: rwatson
MFC after: 3 weeks
|
| |
|
|
| |
Spotted by: FlexeLint.
|
| |
|
|
| |
Spotted by: FlexeLint.
|
| |
|
|
| |
Spotted by: FlexeLint.
|
| |
|
|
| |
Spotted by: FlexeLint
|
| | |
|
| |
|
|
|
|
| |
"command" argument to VOP_IOCTL.
Spotted by: FlexeLint.
|
| |
|
|
| |
Spotted by: FlexeLint
|
| | |
|
| |
|
|
| |
Spotted by: FlexeLint
|
| |
|
|
|
| |
do not support that configuration. This should fix problems with
embedded 7902 controllers running in PCI-X mode.
|
| |
|
|
|
|
| |
to use udp_append
Reviewed by: hsu
|
| |
|
|
|
|
|
|
|
|
|
|
| |
configuration stuff as well as conditional code in the IPv4 and IPv6
areas. Everything is conditional on FAST_IPSEC which is mutually
exclusive with IPSEC (KAME IPsec implmentation).
As noted previously, don't use FAST_IPSEC with INET6 at the moment.
Reviewed by: KAME, rwatson
Approved by: silence
Supported by: Vernier Networks
|
| |
|
|
| |
for use by "Fast IPsec"
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
from the KAME IPsec implementation, but with heavy borrowing and influence
of openbsd. A key feature of this implementation is that it uses the kernel
crypto framework to do all crypto work so when h/w crypto support is present
IPsec operation is automatically accelerated. Otherwise the protocol
implementations are rather differet while the SADB and policy management
code is very similar to KAME (for the moment).
Note that this implementation is enabled with a FAST_IPSEC option. With this
you get all protocols; i.e. there is no FAST_IPSEC_ESP option.
FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a
single system.
This software is well tested with IPv4 but should be considered very
experimental (i.e. do not deploy in production environments). This software
does NOT currently support IPv6. In fact do not configure FAST_IPSEC and
INET6 in the same system.
Obtained from: KAME + openbsd
Supported by: Vernier Networks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct
inpcb parameter to ip_output and ip6_output to allow the IPsec code to
locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version
Reviewed by: julian, luigi (silent), -arch, -net, darren
Approved by: julian, silence from everyone else
Obtained from: openbsd (mostly)
MFC after: 1 month
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
a common lock. This change avoids a deadlock between snapshots when
separate requests cause them to deadlock checking each other for a
need to copy blocks that are close enough together that they fall
into the same indirect block. Although I had anticipated a slowdown
from contention for the single lock, my filesystem benchmarks show
no measurable change in throughput on a uniprocessor system with
three active snapshots. I conjecture that this result is because
every copy-on-write fault must check all the active snapshots, so
the process was inherently serial already. This change removes the
last of the deadlocks of which I am aware in snapshots.
Sponsored by: DARPA & NAI Labs.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
of KBDIO_DEBUG which may be defined in the kernel config (as it is in NOTES).
This kind of bug is a _really_ horribly thing as we end up with one bit
of code thinking a particular structure is 136 bytes and another that it
is only 112 bytes.
Ideally all places would remember to #include the right "opt_foo.h" file,
but I think in practice file containing the variable sized struct should
#include it explicitly as a precaution.
Detected by: FlexeLint
|
| |
|
|
|
|
| |
This fixes a divide by zero in fdisk(8)
Reviewed by: phk
|
| |
|
|
|
|
|
|
|
|
|
|
| |
to be administratively disabled as needed on UFS/UFS2 file systems. This
also has the effect of preventing the slightly more expensive ACL code
from running on non-ACL file systems, avoiding storage allocation for
ACLs that may be read from disk. MNT_ACLS may be set at mount-time
using mount -o acls, or implicitly by setting the FS_ACLS flag using
tunefs. On UFS1, you may also have to configure ACL store.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
|
| |
|
|
| |
new FreeBSD emulation, vec, and output format.
|
| |
|
|
|
|
| |
RFC2407/IANA assignment. This change breaks binary
compatibility. So, you need to recompile IPsec related
applications.
|
| | |
|
| |
|
|
| |
Found by: FlexeLint.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
automatically set MNT_MULTILABEL in the mount flags.
If FS_ACLS is set in a UFS or UFS2 superblock, automatically
set MNT_ACLS in the mount flags.
If either of these flags is set, but the appropriate kernel option
to support the features associated with the flag isn't available,
then print a warning at mount-time.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
|
| |
|
|
| |
"I think you're right" by: jake
|
| |
|
|
|
|
|
|
|
|
|
| |
Ignoring a NULL dev in device_set_ivars() sounds wrong, KASSERT it to
non-NULL instead.
Do the same for device_get_ivars() for reasons of symmetry, though
it probably would have yielded a panic anyway, this gives more precise
diagnostics.
Absentmindedly nodded OK to by: jhb
|
| |
|
|
| |
Spotted by: FlexeLint
|
| |
|
|
| |
Sponsored by: DARPA & NAI Labs
|
| |
|
|
|
|
|
| |
accidentally lost in the previous revision.
Submitted by: bde
Pointy hat to: jhb
|
| |
|
|
|
|
|
|
|
|
|
|
| |
were improperly relocated due to faulty logic in lookup_fdesc()
in elf_machdep.c. The symbol index (symidx) was bogusly used for
load modules other than the one the relocation applied to. This
resulted in bogus bindings and consequently runtime failures.
The fix is to use the symbol index only for the module being
relocated and to use the symbol name for look-ups in the
modules in the dependent list. As such, we need a function to
return the symbol name given the linker file and symbol index.
|
| | |
|
| |
|
|
|
|
| |
print them with %p. Cast to unsigned long and print with %#lx.
Discussed with: bde
|
| | |
|
| |
|
|
| |
in more than just <sys/types.h>.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
processes forked with RFTHREAD.
- Use a goto to a label for common code when exiting from fork1() in case
of an error.
- Move the RFTHREAD linkage setup code later in fork since the ppeers_lock
cannot be locked while holding a proc lock. Handle the race of a task
leader exiting and killing its peers while a peer is forking a new child.
In that case, go ahead and let the peer process proceed normally as the
parent is about to kill it. However, the task leader may have already
gone to sleep to wait for the peers to die, so the new child process may
not receive a SIGKILL from the task leader. Rather than try to destruct
the new child process, just go ahead and send it a SIGKILL directly and
add it to the p_peers list. This ensures that the task leader will wait
until both the peer process doing the fork() and the new child process
have received their KILL signals and exited.
Discussed with: truckman (earlier versions)
|
| |
|
|
|
| |
p_leader field is not protected by the proc lock but is only set during
fork1() by the parent process and never changes.
|
| |
|
|
|
|
|
|
| |
homerolling our own version.
- Rename the enum for memsize from ISA_IVAR_MSIZE to ISA_IVAR_MEMSIZE
since using 'MSIZE' in the macro invocation of ISA_ACCESSOR() conflicts
with the 'MSIZE' kernel option. The accessor function is still
isa_get_msize().
|
| |
|
|
| |
hasn't been filled in for ages.. Nuked.
|
