| Commit | Date | Message | Author | CI |
|---|---|---|---|---|
| 42051861 | 2025-02-10 18:09:10 | Print error message about missing config file. dhcp6leased(8) does not work without one, as opposed to dhcpleased(8) from where this code came. Noticed by claudio. | ||
| c0f05be6 | 2025-02-07 21:56:04 | Rework checksum validation for incoming UDP in dhcpleased(8). RFC 1071 recommends to verify the checksum by calculating it over the packet including the checksum and compare to 0. That is also what our kernel does. Convert the logic in dhcpleased(8) to that algorithm. tested and OK jan@ | ||
| 30772397 | 2025-02-07 07:37:16 | sync with unbound ok sthen | ||
| dd54d7a2 | 2025-01-30 20:02:13 | drop unused -D_LIBKVM; no object change; OK deraadt | ||
| 2402f85a | 2025-01-30 17:08:10 | When struct ext2fs_dinode was extended in r1.15 fsck_ext2fs wasn't adjusted and ckinode() would copy over more than the 128 bytes that a caller would assume. Use EXT2_DINODE_SIZE() to make sure we stick to the expected 128 bytes. OK miod@ | ||
| 109821c1 | 2025-01-16 12:48:45 | unveil privileged child's write/create to mountdtab file, drop exec It needs arbitrary read access, but only ever changes one file and is not meant to execute anything; initial r1.84 privsep from 2005 has the details. OK ratchov millert | ||
| c2a2da96 | 2025-01-16 12:46:03 | unveil nothing nfsd can't pledge due to nfssvc(2), so use the empty-permission idiom to hide filesystems and prevent execve; after it set up sockets and spawned workers, all NFS work is done in the kernel. OK millert | ||
| 5ea00adc | 2025-01-11 18:21:02 | zap dead poll code With TCP on/off connect_type_cnt is 1/0; it can't be >=2 since 2004 r1.24 "remove iso crud, and other misc cleanups", so remove the unreachable block and flip early-exit logic to decrease indentation. OK millert | ||
| 4da14ec4 | 2025-01-06 17:49:29 | add and document vxlan "[-]endpoint" command. input and ok dlg@ | ||
| 9a5c1bb0 | 2025-01-02 21:37:38 | default to UDP when using only -n Only 'nfsd' without any option or argument defaults to UDP. Move the r1.28's check from argc to options/flags to cover 'nfsd -n4' as well, which would fork four servers, but not create any UDP sockets. Feedback OK jca | ||
| b8d79964 | 2024-12-26 18:25:51 | Print "request" instead of "config" if dumping config when "request XX" is used. From William Rusnack, ok tobhe@ | ||
| d51e05ad | 2024-12-26 18:24:54 | Skip checking for root if we are only doing a config test. Tweaked from a diff from William Rusnack, ok tobhe@ kn@ | ||
| b7c9a52e | 2024-12-24 21:34:23 | struct gpt_partition's gp_name field is an array of u_int16_t so use nitems() not sizeof() to get the number of elements. ok kettenis@ lucas@ | ||
| efb7adaa | 2024-12-24 17:40:06 | Set pltime to 0 when upstream interface goes down. In case of a flash-renumbering event we configure new prefixes with a pltime > 0. Clients should form new addresses and prefer those. Reported & fix tested by Tamas (cstamas at cstamas.hu). OK phessler | ||
| 76b1f2eb | 2024-12-21 13:15:36 | change '386BSD 0.1.2.4/FreeBSD' to .Fx the 0.2.4 patchkit for 386BSD 0.1 did not have this command | ||
| 7ed182d8 | 2024-12-21 05:01:25 | correct history; a reboot command did not appear until 4BSD | ||
| dfd61507 | 2024-12-18 10:36:05 | use opendev() for fsck_ext2fs, based on code adding this to fsck_ffs tweak (add strncmp()...blockcheck section) from martijn@ ok martijn@ | ||
| a95f0396 | 2024-11-24 11:33:34 | unwind: support wildcard in blacklist Any domain in the blacklist that starts with '.', which is not a legal name due to an empty label, is treated as any subdomain on that zone. This means that .example.com blocks all requests to any subdomain of example.com, but allows example.com. No objections: florian@ OK: kn@ | ||
| e08605c7 | 2024-11-21 18:16:01 | omit preceding flag from command/modifier lists to get tags; OK jmc reads odd to repeat, e.g. -F, when listing all its modifiers. as a consequence, automatic tagging wouldn't work, e.g. no "zero" tag would exist to jump to that -F modifier's definition. also add manual tags for -R and -T as get explained together with -s and -t, respectively, where only the first flag gets tagged. | ||
| 0e59d0d1 | 2024-11-21 13:35:20 | Convert sbin and usr.bin to check for imsgbuf_init failure and add imsgbuf_allow_fdpass where needed. OK tb@ | ||
| fa353a8f | 2024-11-21 13:26:49 | s/ibuf_add_buf/ibuf_add_ibuf/ OK tb@ | ||
| aab0b474 | 2024-11-21 13:24:07 | Implement the recv_imsg/read_message function in the correct way. One needs to first check imsg_get() if there is an imsg already in the queue. Then if that returns 0 call imsgbuf_read(). Do this in a loop until imsg_get() returns an imsg. OK tb@ and nicm@ for file | ||
| 668e5ba9 | 2024-11-21 13:21:33 | Convert the common imsgbuf_read calls to the post EAGAIN world. OK tb@ | ||
| 31be28ca | 2024-11-21 13:18:37 | Use imsgbuf_queuelen() instead of accessing the w.queue member. OK tb@ | ||
| 9cbf9e90 | 2024-11-21 13:17:56 | Use imsgbuf_clear() where appropriate instead of msgbuf_clear(). OK tb@ | ||
| dd7efffe | 2024-11-21 13:17:01 | Rename imsg_init, imsg_clear, imsg_read, imsg_write and imsg_flush to imsgbuf_init, imsgbuf_clear, imsgbuf_read, imsgbuf_write and imsgbuf_flush. This separates the imsgbuf API from the per-imsg API. OK tb@ | ||
| e3b6409c | 2024-11-21 13:14:44 | Convert imsg_write() callers to the new simplified return logic. OK tb@ | ||
| ce33693d | 2024-11-21 13:10:18 | Introduce imsg_write() and use it instead of msgbuf_write(). imsg_write() is just a thin wrapper around msgbuf_write(). So this is mostly search and replace. OK tb@ | ||
| f978fa48 | 2024-11-21 13:06:19 | imsg_flush no longer returns EAGAIN. Simplify proc_flush_imsg() accordingly. Issue spotted by op@ | ||
| e449cd41 | 2024-11-21 10:07:30 | The block size of HMAC-SHA2-{384,512} must be 128 bytes. ok tb | ||
| e496dff3 | 2024-11-20 13:57:29 | pfctl: clear statistic for specified addresses OK: bluhm@ | ||
| 42a2f8b7 | 2024-11-12 04:14:51 | bump the type used to specify traffic queue bandwidth to 64bit. this should let people specify interface and queue bandwidths greater than ~4Gbit. this changes the pf ioctls used to specify queues, so if you want to try this you'll need a new kernel, new headers, and a new pfctl (and systat). or upgrade using a snapshot. the effort and benefit of providing compat isn't worth it. putting it in now so people can kick it around. | ||
| 726515c9 | 2024-11-11 15:19:31 | Prevent completely empty interface blocks. This is meaningless in dhcpleased(8) and *not* needed to receive leases for an interface. In fact dhcpleased(8) works just fine without any configuration file at all. man page diff & OK kn | ||
| 9720bce5 | 2024-11-09 12:44:12 | sync curly braces markup, fix indent Replace literal braces with .Brq, use a list and indent the interface options under that interface entry to reflect hierarchy (rad.conf(5) does that, too). Feedback from/fine with jmc | ||
| 22ac2f2a | 2024-11-09 10:57:06 | usage should fit in a 80-column display. ok jmc@ | ||
| 2119819d | 2024-11-04 21:59:15 | Ignore extra groups that don't fit in the buffer passed to getgrouplist(3) Our kernel supports 16 groups (NGROUPS_MAX), but nothing prevents an admin from adding a user to more groups. With that tweak we'll keep on ignoring them instead of potentially reading past the buffer passed to getgrouplist(3). That behavior is explicitly described in initgroups(3). ok millert@ gilles@ | ||
| 9a836554 | 2024-11-04 02:44:28 | add a "natt" option that forces negotiation of nat-t (and udpencap). this is like the -t command line option on iked itself, but you get to keep the ike listener on port 500 and you can enable this on specific policies instead of all of them. this is useful if you're dealing with an org that can't firewall ESP traffic well and so you need to force the traffic to be udp encapsulated even if there's no NAT involved. ok markus@ tobhe@ | ||
| 3612e128 | 2024-11-01 08:27:49 | Simplify name/prefix markup, readability tweak and cleanup Leave the notion of repetition to ... and markup optional prefixes as such; 'name/prefix [name/prefix ...]' becomes 'name[/prefix] ...'. Also sync with unwind.conf.5 to fix curly braces and indentation. OK florian Input OK jmc | ||
| be0e8945 | 2024-10-30 17:01:28 | Document /var/db/dhcp6leased/uuid. Input & OK kn, jmc, sthen | ||
| a52c5fd0 | 2024-10-23 03:14:32 | remove duplicate defines | ||
| df2ad427 | 2024-10-08 00:21:08 | apply the CVE-2024-8508 fix from unbound (put a limit on resources used for handling DNS compression). OK florian | ||
| c08965e9 | 2024-10-05 13:27:16 | Make scaling available for normal mice, too; not just for touchpads. Add reverse_scrolling to the manpage. ok bru@ | ||
| 411db55c | 2024-09-29 18:00:38 | add some commas, to aid readability; from thorsten blum | ||
| 21cd3483 | 2024-09-25 19:56:33 | Correct an indexing error that may leave stale data in the mousecfg buffer. ok mpi@ | ||
| 479c151d | 2024-09-20 02:00:46 | remove unneeded semicolons; checked by millert@ | ||
| 1a834994 | 2024-09-16 07:34:49 | Close correct file descriptor. Instead of closing the just received UDP socket we closed the imsg fd thus cleanly shutting down dhcpleased(8). Problem triggered by sf@ with something like while :; do ifconfig vio0 -inet; done while :; do ifconfig vio0 inet autoconf; done The problem triggers when dhcpleased configured a lease and in just the right moment the autoconf flag gets removed. The main process opens a udp socket and sends it to the frontend. At the same time the frontend learned (from the route socket), that the interface lost its autoconf flag. When the frontend then receives the udp socket via fd passing it tries to close it. Due to a typo it would instead close the imsg file descriptor. Found by me after lots of head scratching. OK tb | ||
| 9ca241fc | 2024-09-15 11:08:50 | Add handling of "Class" attribute. diff from markus ok markus | ||
| f6e4162f | 2024-09-15 07:14:58 | remove unused variables | ||
| 4c856965 | 2024-09-11 00:41:51 | Fix a typo | ||
| 6bf66549 | 2024-09-10 05:33:32 | missing "Ar" in previous; | ||
| ed822a90 | 2024-09-09 23:38:29 | When accounting start the type attribute was added twice. from markus | ||
| 2402a19b | 2024-09-09 05:36:17 | Add triple-dots to synopsis as multiple name[=value] arguments may be given OK jmc sobrado | ||
| 19b65b99 | 2024-09-06 06:31:11 | Repair build with gcc. | ||
| 7037e34c | 2024-09-05 08:22:46 | Sync to unbound 1.21.0; heavy lifting by sthen parse_edns_from_query_pkt() grew a parameter to handle cookies, which we don't use. | ||
| c920a736 | 2024-09-01 20:24:42 | dhcpleased: fix a sizeof for IMSG_REQUEST_REBOOT. "fatal in engine: engine_dispatch_frontend: invalid IMSG_REQUEST_REBOOT" reported by qwer.ty tuta io ok florian kn | ||
| 596e1897 | 2024-08-27 05:55:39 | Do not send zero sized vendor or client ids. The frontend and engine do not like this due to improved error checking. Found by Josh Grosse and Renato Aguiar, thanks! | ||
| 7e5648d1 | 2024-08-26 06:06:04 | Use i2s instead of hard coding the imsg type. Suggested by tb. | ||
| c7074a52 | 2024-08-26 06:05:05 | errno is unset, use fatalx(3) instead of fatal(3). | ||
| f46577a8 | 2024-08-26 06:04:24 | Be stricter in what we accept from the main process. While here mention function where fatalx(3) occurred like everywhere else. Suggested by & OK tb | ||
| 45c5e5ad | 2024-08-25 09:53:53 | Do not peek inside of struct imsg. input & OK tb | ||
| 5bd09d2d | 2024-08-25 07:04:05 | sin6_to_str and i2s take a single argument. Pointed out by tb | ||
| 9a7d784a | 2024-08-24 16:35:05 | Simplify engine_showinfo_ctl() It only handles one imsg type these days, so it doesn't need to peek into struct imsg at all. pointed out by & OK tb | ||
| 46c03dec | 2024-08-24 16:34:23 | Stop peeking into struct imsg when relaying control messages. pointed out by & OK tb | ||
| 33d2acb6 | 2024-08-24 09:44:41 | Do not peek inside of struct imsg. While here use i2s helper function for error logging. OK tb | ||
| d5be4999 | 2024-08-24 09:42:40 | Helper function for logging imsg type names. OK tb as part of a larger diff | ||
| 3ff0799e | 2024-08-19 13:01:47 | correctly indent a line | ||
| a81015d0 | 2024-08-19 05:58:41 | Replace too flexible inet_aton(3) with getaddrinfo(3). 0xdecafbad will no longer work as an IPv4 address, sorry. OK bluhm | ||
| 8172eb65 | 2024-08-17 03:28:22 | Fix some memory leaks in the RADIUS part. ok tobhe | ||
| fb6793a6 | 2024-08-11 06:07:37 | rework DESCRIPTION for both dhcpleased(8) and slaacd(8) to more accurately reflect how they work, to emphasize that they do nothing unless auto conf is set, and to more closely match each other; prompted by a diff from andrew christopher hawk on tech, who noted a wonky sentence; help/feedback deraadt florian; ok deraadt | ||
| 10427868 | 2024-08-09 19:43:26 | Add 2024 root zone trust-anchor, it is expected to be used in 2026. The trust-anchor was copied from the upcoming unbound(8) release and verified against https://www.iana.org/reports/2024/root-ksk-2024.pdf While here switch the 2017 trust-anchor from DNSKEY to DS to use the same record type as for the 2024 trust-anchor. They are functionally equivalent. It was verified against https://www.iana.org/reports/2017/root-ksk-2017.pdf As well as with run-time testing, i.e. unwind would still perform DNSSEC validation. checked pdfs & OK phessler | ||
| 3a580dd9 | 2024-08-08 03:58:53 | Fix a typo in log message. | ||
| ee519c7f | 2024-07-18 08:58:59 | Fix memory leaks and improve id handling of iked_radserver_req. original diff from markus ok tobhe | ||
| 0025a967 | 2024-07-15 13:32:50 | Add e2fs_fsmnt, and the newly defined e2fs_kbytes_written to the list of fields that can differ between the primary and 1st backup superblock. This fixes fsck issues I've encountered on my system with a shared home partition. OK miod@ | ||
| 178701b6 | 2024-07-15 05:36:08 | bioctl.8: - tweak bioctl text - don't repeat the device examples - reinstate softraid device being always softraid0 usage(): - add vertical blank between two formats - rewrap to match 80col (shorter and matches man) feedback/ok krw kn | ||
| 30269bc3 | 2024-07-14 19:51:08 | This change allows user to define table inside the anchor like that: anchor foo { table <bar> { 192.168.1.1 } pass in from <bar> to <self> } Without this diff one must either create table <bar> in main ruleset (root) or use 'pfctl -a foo -t bar -T add 192.168.1.1' This glitch is hard to notice. Not many human admins try to attach tables to non-global anchors. Daemons which configure pf(4) automatically at run time such as relayd(8) and spamd(8) create tables attached to their anchors (for example 'relayd/*') but the daemons use a way similar to pfctl(8) to add and manage those tables. The reason why I'd like to seal this gap is that my long term goal is to turn global `pfr_ktable` in pf(4) into member of pf_anchor. So each ruleset will get its own tree of tables. feedback and OK bluhm@ | ||
| 9182e176 | 2024-07-14 16:09:06 | Shuffle verbiage to make page more general. e.g. by mentioning nvme(4). Feedback jmc@ jmatthew@ deraadt@ kn@ ok jmc@ kn@ | ||
| f294d01e | 2024-07-14 13:13:33 | Fail explicitly on unexpected imsg->hdr_type. Otherwise the following comparison is undefined. | ||
| 237d2500 | 2024-07-14 08:57:32 | sync slaacd(8) log.c to dhcpleased(8)'s version. We don't build log.c on the ramdisk so no need for ifndef small. | ||
| 7ab22e66 | 2024-07-14 08:45:05 | log_getverbose() is a void function pointed out by tb | ||
| dc5d4411 | 2024-07-14 08:41:54 | sync slaacd(8) log.h to dhcpleased(8) log.h - include stdlib.h for exit(3) - knf fixes - define log_getverbose as (0) instead of 0 input & OK tb | ||
| 38b547d0 | 2024-07-14 06:34:04 | Unbreak tree by defining log_getverbose() for SMALL builds ok anton florian | ||
| cf6341ec | 2024-07-13 16:06:34 | Reduce if_indextoname(3) usage. Don't ask the kernel to translate an if_index to a name if we are not running with verbose logging, it's not free. | ||
| 65246e30 | 2024-07-13 14:28:27 | NULL check must be inside the loop. found tobhe ok tobhe | ||
| 4fa86b90 | 2024-07-13 14:19:09 | Fix radius.c again^2. Cancel previous and revert the latest one (sent to tech@). | ||
| a07498b0 | 2024-07-13 14:08:53 | Fix radius.c again. Previous was old one. | ||
| 260e310e | 2024-07-13 12:58:51 | grammar/macro fixes for the radius text; | ||
| 37e26f97 | 2024-07-13 12:25:07 | Fix radius.c. Previously it was broken. | ||
| f36db9c4 | 2024-07-13 12:22:46 | Add RADIUS support. Authentication, accounting, and "Dynamic Authorization Extensions"(DAE) are supported. feedback markus stu ok tobhe | ||
| 7520e8fa | 2024-07-11 13:38:03 | Make sure we are interested in an interface that shows up. | ||
| 0498f896 | 2024-07-11 10:48:51 | Be a bit more noisy in syslog on what is going on. So far dhcp6leased(8) has been completely silent. Prodding by Brian Conway. | ||
| cc3e93c2 | 2024-07-11 10:38:57 | Write lease after we configured prefixes. While here, do not claim we have a ::/0 lease, it confuses the parser. | ||
| 8e130894 | 2024-07-11 10:37:47 | Do not show expired lease information in dhcp6leasectl. | ||
| 363167f4 | 2024-07-11 09:39:13 | Forgot to initialize status_code in previous. No STATUS_CODE option from the server means "success", but we are now using stack garbage, which is usually not "success". | ||
| 70eb162f | 2024-07-10 12:52:51 | Pass status option up. If we are in state "renewing" and the DHCPv6 server returns an unsuccessful status go to "rebinding", i.e. ask any DHCPv6 server for a lease not just the one we got the lease from. This likely fixes a problem reported by Brian Conway where the ISP returned "NoBinding - Prefix not bound to this interface." for a renew. dhcp6leased recovered once T1 expired and we went to "rebinding" after some time. | ||
| 7571100d | 2024-07-10 12:44:46 | Pass int to the *2str functions, we don't need anything fancy. | ||
| 7580ae52 | 2024-07-10 10:30:46 | Only vis(3) the option, not the rest of the packet. Lots of head scratching and help from the hackroom ensued because of an inconveniently placed \r that truncated a string and placed garbage at a weird place. | ||
| 0da4c31d | 2024-07-09 16:24:57 | Track configured and new prefix delegations in iface. When the DHCPv6 server renumbers and hands us new delegations we have to deconfigure the old prefixes. To prevent situations where we have no IPv6 at all, first configure the new prefixes and then remove the old prefixes. | ||
| 10da7d5d | 2024-07-09 16:15:42 | Skip prefixes with vltime 0. Servers indicate unusable prefixes with vltime 0 when we are in state reboot and probably hand us new, valid prefixes. In IPv4 dhcp we would receive a NACK instead... | ||
| 38e980d7 | 2024-07-09 13:27:18 | remove unused prototype | ||
| ce9c2690 | 2024-07-09 05:19:41 | point mount -> mount point; from netbsd -r1.46/pgoyette |