schwarze [Sat, 18 Aug 2018 15:12:09 +0000 (15:12 +0000)]
end of sentence detection after .ME and .UE, useful for some GNU manuals
schwarze [Sat, 18 Aug 2018 14:25:55 +0000 (14:25 +0000)]
The .nf/.fi (fill mode) requests never have text children
and in particular do not reset font mode.
schwarze [Sat, 18 Aug 2018 14:02:52 +0000 (14:02 +0000)]
Two consecutive .SY blocks only get a blank line in between
if the first one is explicitly closed with .YS.
schwarze [Sat, 18 Aug 2018 13:04:48 +0000 (13:04 +0000)]
prevent line breaks in the middle of .OP
kettenis [Sat, 18 Aug 2018 11:34:08 +0000 (11:34 +0000)]
Make sure we don't match (and attach) more than the maximum number of
supported CPUs.
ok deraadt@, patrick@, visa@
kettenis [Sat, 18 Aug 2018 10:10:19 +0000 (10:10 +0000)]
Support arbitrary number of redistributors.
Inspired by an earlier diff from drahn@
ok patrick@, jsg@
schwarze [Sat, 18 Aug 2018 04:32:04 +0000 (04:32 +0000)]
Massively reduce the amount of text, cutting it down to what is needed
to understand existing man(7) code and deleting parts that would only
be useful for writing new documents, which we strongly discourage:
* Delete the MANUAL STRUCTURE section which merely duplicates mdoc(7).
* Delete internal cross references only useful for writing new code.
* Delete many instances of "included only for compatibility" as the
whole language is only provided for compatibility.
* Fix a few minor errors and omissions.
schwarze [Sat, 18 Aug 2018 02:03:41 +0000 (02:03 +0000)]
implement the GNU man-ext .SY/.YS (synopsis block) macro in man,
used in most manual pages of the groff package
patrick [Fri, 17 Aug 2018 21:00:17 +0000 (21:00 +0000)]
The official name for the ssdfb(4) reset GPIO attribute uses plural form.
schwarze [Fri, 17 Aug 2018 20:31:52 +0000 (20:31 +0000)]
Remove more pointer arithmetic passing via regions outside the array
that is undefined according to the C standard. Robert Elz <kre at
munnari dot oz dot au> pointed out i wasn't quite done yet.
jsing [Fri, 17 Aug 2018 16:28:21 +0000 (16:28 +0000)]
Convert ssl3_send_client_verify() to CBB.
ok inoguchi@ tb@
jmc [Fri, 17 Aug 2018 14:33:29 +0000 (14:33 +0000)]
spelling;
patrick [Fri, 17 Aug 2018 14:20:15 +0000 (14:20 +0000)]
Support reading and using several device tree attributes for ssdfb(4),
since some OLED display controller settings can change depending on the
actual hardware integration.
schwarze [Fri, 17 Aug 2018 14:03:10 +0000 (14:03 +0000)]
Make the wording more concise, use the imperative throughout, state
more precisely which options require which other options, add many
missing incompatibilities, mention the default for -e, and some
macro cleanup.
OK jmc@ tb@
martijn [Fri, 17 Aug 2018 07:12:28 +0000 (07:12 +0000)]
No need to send the same nameserver twice.
OK ccardenas@
dlg [Fri, 17 Aug 2018 01:53:31 +0000 (01:53 +0000)]
the stack already counts bytes and packets, so don't do it again here.
makes output stats look plausible.
reported by jason tubnor
ok deraadt@
schwarze [Thu, 16 Aug 2018 23:40:19 +0000 (23:40 +0000)]
implement the GNU man-ext .TQ macro in man(7),
used for example by groff_diff(7)
jsing [Thu, 16 Aug 2018 18:40:19 +0000 (18:40 +0000)]
Add regress coverage for CBB_add_u32().
jsing [Thu, 16 Aug 2018 18:39:37 +0000 (18:39 +0000)]
Provide CBB_add_u32(), as needed for an upcoming conversion.
ok tb@
jsing [Thu, 16 Aug 2018 18:13:15 +0000 (18:13 +0000)]
Simplify the add signature code/logic in ssl3_send_server_key_exchange().
ok tb@
florian [Thu, 16 Aug 2018 17:59:12 +0000 (17:59 +0000)]
Switch nsd control socket from localhost to a unix domain socket.
OK sthen
florian [Thu, 16 Aug 2018 17:56:18 +0000 (17:56 +0000)]
update to 4.1.24
OK sthen
jsing [Thu, 16 Aug 2018 17:49:48 +0000 (17:49 +0000)]
Convert ssl3_send_server_key_exchange() to CBB.
ok inoguchi@ tb@
millert [Thu, 16 Aug 2018 17:45:28 +0000 (17:45 +0000)]
When installing the link to rcs2log, set the owner on the link itself
and not the file it points to. OK deraadt@ tb@
millert [Thu, 16 Aug 2018 17:40:54 +0000 (17:40 +0000)]
The zoneinfo directories can be mode 755 just like everything else.
OK deraadt@
jsing [Thu, 16 Aug 2018 17:39:50 +0000 (17:39 +0000)]
Convert ssl3_get_server_key_exchange() to CBS.
ok inoguchi@ tb@
tb [Thu, 16 Aug 2018 16:56:51 +0000 (16:56 +0000)]
Revert previous, which was wrong as noted by schwarze. Also revert a hunk
from r1.45 and thereby avoid a use-after-free spotted by schwarze.
ok schwarze
patrick [Thu, 16 Aug 2018 15:36:04 +0000 (15:36 +0000)]
Make pmap_allocate_asid() mpsafe. Since between checking the ASID
table and setting the bits atomically another core can select the
same ASID as we did, it currently would not be safe to run it without
the kernel lock. This replaces the atomic_setbits_int(9) call with
atomic_cas_uint(9) where we can check that the table entry has not
been changed since we evaluated it. Also modify pmap_free_asid() to
use the same concept.
ok kettenis@
schwarze [Thu, 16 Aug 2018 15:04:45 +0000 (15:04 +0000)]
Do not calculate a pointer to a memory location before the beginning of
a static array. Christos Zoulas, Robert Elz, and Andreas Gustafsson
point out that is undefined behaviour by the C standard even if we
never access the pointer.
nicm [Thu, 16 Aug 2018 14:04:03 +0000 (14:04 +0000)]
Add the KEYC_XTERM flag to all function keys that imply a modifier so
that they are correctly translated into xterm(1)-style keys. GitHub
issue 1437.
schwarze [Thu, 16 Aug 2018 14:01:35 +0000 (14:01 +0000)]
Document \*(.T.
While here, delete the section about predefined strings.
For manual pages, the concept is not important enough to be discussed
in such a prominent place, and some aspects of the text were also
misleading. Add a shorter version of the relevant parts to the
description of the \* escape sequence instead.
schwarze [Thu, 16 Aug 2018 13:49:40 +0000 (13:49 +0000)]
Implement the \*(.T predefined string (interpolate device name)
by allowing the preprocessor to pass it through to the formatters.
Used for example by the groff_char(7) manual page.
rob [Thu, 16 Aug 2018 10:26:34 +0000 (10:26 +0000)]
Remove unused variable.
From Nan at chinadtrace dot org. Thanks!
kettenis [Wed, 15 Aug 2018 21:46:29 +0000 (21:46 +0000)]
Turns out the integration of the GIC-500 on the Rockchip RK3399 is busted.
It treats all access to the memory mapped registers as "secure" even if
we're running in non-secure mode. As a result, during bringup of OpenBSD
on the RK3399, I got confused and tweaked the interrupt priorities in a way
that is wrong (but worked on the RK3399).
Fix those priorities to match what they should be according to the
documentation (and works on other hardware that includes a GICv3) and
add code that detects the broken RK3399 GIC and adjusts the priorities
accordingly. Also remove (broken) code that tries to mess around with
group 0 interrupts and fix setting bits in the GICD_CTLR register on the
broken RK3399 GIC.
kettenis [Wed, 15 Aug 2018 20:27:56 +0000 (20:27 +0000)]
Distinguish between softc array members that are indexed by redistributor
and those that are indexed by the assigned CPU (unit) number. Fix the
shuffling of the affinity fields to match the spec.
kettenis [Wed, 15 Aug 2018 20:22:13 +0000 (20:22 +0000)]
Push back the kernel lock in sys_mmap(2) a little bit more now that
fd_getfile(9) is mpsafe. Note that sys_mmap(2) isn't actually unlocked
currently. However this diff has been tested with it unlocked, and I
hope to unlock it for real soon-ish.
ok visa@, mpi@
kettenis [Wed, 15 Aug 2018 20:18:31 +0000 (20:18 +0000)]
Use atomic instructions to keep track of what ASIDs are in use. This makes
pmap_free_asid() and therefore pmap_destroy() mpsafe which is important since
we might end up calling that function without holding the kernel lock
as a result of releasing a reference in pmap_page_protect(9).
ok visa@
fcambus [Wed, 15 Aug 2018 19:40:30 +0000 (19:40 +0000)]
Add /usr/include/c++ to hier.7.
OK jmc@
fcambus [Wed, 15 Aug 2018 19:38:47 +0000 (19:38 +0000)]
Remove dead assignment in login(1).
Since rev 1.36, the instance variable is never read again so we can
simply drop the else clause with the assignment.
While there, also drop the useless increment, as pointed out by tom@.
OK deraadt@ (previous version), millert@, tom@
stsp [Wed, 15 Aug 2018 18:45:43 +0000 (18:45 +0000)]
Update AP selection heuristics for auto-join.
We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.
There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.
ok phessler@
florian [Wed, 15 Aug 2018 16:48:20 +0000 (16:48 +0000)]
SIOCGIFNETMASK_IN6 failing just means that someone deleted the address
we are currently looking at. No need to fatal.
Found the hard way by naddy
schwarze [Wed, 15 Aug 2018 15:36:11 +0000 (15:36 +0000)]
fix incomplete variable renaming in previous;
found by Thomas Klausner <wiz at NetBSD> via a compiler warning
florian [Wed, 15 Aug 2018 14:43:30 +0000 (14:43 +0000)]
Restore ability to use hostnames to configure ip addresses.
Unveil /etc/{resolv.conf,hosts,services} which keeps it in sync with
the kernel bypass for pledge("dns").
OK deraadt
pointed out by & OK stsp
mpi [Wed, 15 Aug 2018 14:13:07 +0000 (14:13 +0000)]
Partially revert previous, EM7455 is already handled by umb(4).
Reported by Bryan Vyhmeister.
visa [Wed, 15 Aug 2018 13:19:06 +0000 (13:19 +0000)]
Grab the KERNEL_LOCK() in MP-unsafe fo_close routines. This prevents
a scenario where MP-unsafe code gets run without the kernel lock
as a consequence of an unlocked system call.
OK mpi@, kettenis@
kn [Wed, 15 Aug 2018 12:10:49 +0000 (12:10 +0000)]
Fix struct sosplice usage
sys/sys/socketvar.h r1.57 (2014) moved various struct socket fields into
a new struct sosplice field, this adapts usage accordingly.
OK bluhm
kevlo [Wed, 15 Aug 2018 07:13:51 +0000 (07:13 +0000)]
Introduce mue_eeprom_present to check if the EEPROM is present.
When the EEPROM is not populated, set the MAC config register
MUE_MAC_CR_AUTO_SPEED. While there, encode the MAC address for the onboard
USB Ethernet for the Raspberry Pi, like smsc(4) does.
jsg [Wed, 15 Aug 2018 06:31:58 +0000 (06:31 +0000)]
sync machine list with arm64.html
jsg [Wed, 15 Aug 2018 02:07:35 +0000 (02:07 +0000)]
add cpuid and msr bits from
'Deep Dive: CPUID Enumeration and Architectural MSRs'
ok deraadt@
cheloha [Tue, 14 Aug 2018 18:13:11 +0000 (18:13 +0000)]
unveil(2) /etc/nologin.txt for reading
ok deraadt
schwarze [Tue, 14 Aug 2018 18:10:09 +0000 (18:10 +0000)]
Improve consistency of the substitution command further.
When the opening square bracket ('[') is abused as the delimiter, the regular
expression contains a bracket expression, and the bracket expression contains
another opening square bracket (sick! - i mean, sic!), then do not require
escaping that innermost bracket and treat a preceding backslash as a literal
backslash character, in accordance with POSIX:
$ printf 'x[x\\x\n' | sed 's[\[[][R[g'
xRx\x
$ printf 'x[x\\x\n' | sed 's[\[\[][R[g'
xRxRx
While here, also make the implementation more readable and insert
some comments.
Joint work with martijn@ (started during g2k18) and OK martijn@.
tb [Tue, 14 Aug 2018 17:59:26 +0000 (17:59 +0000)]
Add a comment that explains what the check is doing and why len >= 1.
Prompted by a remark by jsing
tb [Tue, 14 Aug 2018 17:51:36 +0000 (17:51 +0000)]
The UI_add_{input,verify}_string() functions want a length not including
the terminating NUL. EVP_read_pw_string_min() got this wrong, leading to
a one-byte buffer overrun in all callers of EVP_read_pw_string().
Found by mestre running 'openssl passwd' with MALLOC_OPTIONS including C.
Fix this by doing some basic sanity checking in EVP_read_pw_string_min().
Cap the len argument at BUFSIZ and ensure that min < len as well as
0 <= min and 1 <= len. The last two checks are important as these
numbers may end up in reallocarray().
ok bcook (on previous version), jsing, mestre
deraadt [Tue, 14 Aug 2018 16:43:02 +0000 (16:43 +0000)]
spelling error
jsing [Tue, 14 Aug 2018 16:31:02 +0000 (16:31 +0000)]
Remove now unused variable, that got left behind from a previous change.
jsing [Tue, 14 Aug 2018 16:19:06 +0000 (16:19 +0000)]
Actually check the return values for EVP_Sign* and EVP_Verify*.
ok bcook@ beck@ tb@
cheloha [Tue, 14 Aug 2018 15:25:04 +0000 (15:25 +0000)]
Don't fail by default in the -new case; ok tb jca
nicm [Tue, 14 Aug 2018 11:38:05 +0000 (11:38 +0000)]
Add size to arguments struct too.
nicm [Tue, 14 Aug 2018 11:31:34 +0000 (11:31 +0000)]
Some tidying, use a struct for arguments (there will be more later) and
add a helper function.
mestre [Tue, 14 Aug 2018 06:38:33 +0000 (06:38 +0000)]
Drop unnecessary pledge(2) promises on apm(8):
After we successfully connect to the unix socket created by apmd(8) all actions
occur over fds so we can drop only to pledge("stdio").
The code path in the case that the required action is GETSTATUS, and we couldn't
connect to the socket, then after open(2)/ioctl(2) the device /dev/apm directly
we can pledge("stdio") as well since from here on down we only need to
printf(3) messages.
OK deraadt@
jmatthew [Tue, 14 Aug 2018 05:22:21 +0000 (05:22 +0000)]
return ENOTTY rather than EINVAL to indicate an ioctl hasn't been handled
ok dlg@ deraadt@ kettenis@
schwarze [Tue, 14 Aug 2018 01:26:12 +0000 (01:26 +0000)]
support tail arguments on the .ME and .UE macros,
used for example in the ditroff(7) manual of the groff package
deraadt [Mon, 13 Aug 2018 23:13:02 +0000 (23:13 +0000)]
document new namei flags
deraadt [Mon, 13 Aug 2018 23:12:39 +0000 (23:12 +0000)]
Instead of using BYPASSUNVEIL at NDINIT time, use KERNELPATH to indicate
we want to skip all userland-related checks. Discussed with beck and
semarie, tested by stsp.
deraadt [Mon, 13 Aug 2018 23:11:44 +0000 (23:11 +0000)]
More clear version of previous namei/pledge/chroot solution. namei flag
KERNELPATH indicates this operation is being done on behalf of the kernel,
not a process, so ignore chroot of the current process context, start at /,
and skip unveil and pledge checks. Discussed with beck and semarie
deraadt [Mon, 13 Aug 2018 20:36:35 +0000 (20:36 +0000)]
in sys_statfs(), BYPASSUNVEIL can be passed to NDINIT in the "flags"
argument, rather than manually |= afterwards. Observed by semarie
deraadt [Mon, 13 Aug 2018 20:31:38 +0000 (20:31 +0000)]
The first panic in pledge_namei should only be for ni_pledge == 0
(the other cause is implausible, and crashes with a nice *NULL)
florian [Mon, 13 Aug 2018 16:54:50 +0000 (16:54 +0000)]
Make the owner of fcgi socket configurable.
Andrew Daugherity (andrew.daugherity AT gmail) pointed out that this
is helpful for his port to linux. For example on openSUSE nginx and
Apache run as different users so a compile time default user won't cut
it.
Man page tweaks jmc@
While here, consistently log users at debug level; from Andrew.
schwarze [Mon, 13 Aug 2018 16:37:56 +0000 (16:37 +0000)]
basic macro cleanup, break lines of excessive length, fix order of sections
visa [Mon, 13 Aug 2018 15:26:17 +0000 (15:26 +0000)]
Simplify the startup of the cleaner, reaper and update threads by
passing the main function directly to kthread_create(9). The start_*
functions are mere stepping stones nowadays and can be pruned.
They used to contain more logic in the pre-kthread era.
While here, set `cleanerproc' and `syncerproc' during the thread
creation rather than expect the threads to set the proc pointer.
Also, rename `sched_sync' to `syncer_thread' to reduce confusion
with the scheduler-related functions.
OK kettenis@, deraadt@, mpi@
rob [Mon, 13 Aug 2018 15:22:39 +0000 (15:22 +0000)]
Add more content. Tweaks from ingo. This man page is not yet hooked up to the
build and is still a work in progress. Tweaks and comments welcome.
stsp [Mon, 13 Aug 2018 15:19:52 +0000 (15:19 +0000)]
Add support for band-steering access points to net80211.
Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.
So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.
APs with support for this feature were provided by Mischa Peters.
ok phessler@ mpi@
patrick [Mon, 13 Aug 2018 15:15:02 +0000 (15:15 +0000)]
Support CPU frequency scaling on NXP i.MX8M.
ok kettenis@
patrick [Mon, 13 Aug 2018 15:14:27 +0000 (15:14 +0000)]
Support GPIO-based voltage regulators.
ok kettenis@
stsp [Mon, 13 Aug 2018 15:05:31 +0000 (15:05 +0000)]
Prevent iwm(4) from writing back the former BSS channel
if the current BSS has been changed by ieee80211_input().
Needed for upcoming band-steering support in net80211.
ok phessler@ mpi@
mpi [Mon, 13 Aug 2018 14:36:54 +0000 (14:36 +0000)]
Print global IPsec counters.
ok markus@
mpi [Mon, 13 Aug 2018 14:35:29 +0000 (14:35 +0000)]
Make it possible to run pipe(2) and pipe2(2) mostly w/o KERNEL_LOCK():
- Update counters atomically
- Use IPL_MPFLOOR for pipe's pool.
- Grab the KERNEL_LOCK() before calling km_alloc(9) & km_free(9)
Inputs from kettenis@, ok visa@
mpi [Mon, 13 Aug 2018 14:32:46 +0000 (14:32 +0000)]
Attach to Sierra Wireless MC7304/MC7354 & EM7455, from Denis Lapshin.
mpi [Mon, 13 Aug 2018 14:25:24 +0000 (14:25 +0000)]
regen
mpi [Mon, 13 Aug 2018 14:24:49 +0000 (14:24 +0000)]
Sierra Wireless MC7304/MC7354, from Denis Lapshin.
patrick [Mon, 13 Aug 2018 14:10:26 +0000 (14:10 +0000)]
The iterator i is not the option code, but simply the index for the
array that stores the option codes. Fixes the issue where it named
an incorrect option on error.
Found by Florian Kaiser
ok krw@
anton [Mon, 13 Aug 2018 06:36:29 +0000 (06:36 +0000)]
Add a test covering the recently fixed issue with dangling knote references upon
closing a kqueue file descriptor.
jmc [Mon, 13 Aug 2018 05:54:13 +0000 (05:54 +0000)]
consistent macros;
djm [Mon, 13 Aug 2018 02:41:05 +0000 (02:41 +0000)]
revert compat.[ch] section of the following change. It causes
double-free under some circumstances.
--
date: 2018/07/31 03:07:24; author: djm; state: Exp; lines: +33 -18; commitid: f7g4UI8eeOXReTPh;
fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366
feedback and ok dtucker@
ccardenas [Sun, 12 Aug 2018 23:50:31 +0000 (23:50 +0000)]
Add administrative options to LACP trunk implementation.
The trunk driver now has a new ioctl (SIOCxTRUNKOPTS), which for now only
has options for LACP:
* Mode - Active or Passive (default Active)
* Timeout - Fast or Slow (default Slow)
* System Priority - 1(high) to 65535(low) (default 32768/0x8000)
* Port Priority - 1(high) to 65535(low) (default 32768/0x8000)
* IFQ Priority - 0 to NUM_QUEUES (default 6)
At the moment, ifconfig only has options for lacpmode and lacptimeout
plumbed as those are the immediate need.
The approach taken for the options was to make them on a "trunk" vs a
"port" as what's typically seen on various NOSes (JunOS, NXOS, etc...)
as it's uncommon for a host to have one link "Passive" and the other
"Active" in a given trunk.
Just like on a NOS, when applying lacpmode or lacptimeout, the settings
are immediately applied to all existing ports in the trunk and to all
future ports brought into the trunk.
Tested by many on a plethora of NIC drivers and switches.
Ok remi@
rob [Sun, 12 Aug 2018 22:04:09 +0000 (22:04 +0000)]
Change ber_write_elements() to return ssize_t instead of int.
ok claudio@
djm [Sun, 12 Aug 2018 20:19:13 +0000 (20:19 +0000)]
better diagnostics on alg list assembly errors; ok deraadt@ markus@
kettenis [Sun, 12 Aug 2018 19:05:37 +0000 (19:05 +0000)]
Drop reference to dmabuf "file" as fnew() returns one that has two
references.
ok visa@, deraadt@
stsp [Sun, 12 Aug 2018 18:33:55 +0000 (18:33 +0000)]
Make ifconfig's -joinlist command work as advertised.
ok deraadt phessler
kettenis [Sun, 12 Aug 2018 18:32:18 +0000 (18:32 +0000)]
Really overwrite the major of com(4) instead of the hardcoded 12.
Should have been part of the earlier commit that unified armv7 and arm64.
mortimer [Sun, 12 Aug 2018 17:15:10 +0000 (17:15 +0000)]
Add retguard macros for arm64 asm and apply them in the straightforward
cases in kernel and libc.
ok deraadt@
mortimer [Sun, 12 Aug 2018 17:07:00 +0000 (17:07 +0000)]
Add retguard for arm64.
ok deraadt@
mortimer [Sun, 12 Aug 2018 16:59:31 +0000 (16:59 +0000)]
Refactor retguard to make adding additional arches easier.
jmc [Sun, 12 Aug 2018 12:40:25 +0000 (12:40 +0000)]
add missing markup;
deraadt [Sun, 12 Aug 2018 02:55:45 +0000 (02:55 +0000)]
Heydar Aliyev, Baku, Azerbaijan is GYD, not BAK
deraadt [Sat, 11 Aug 2018 23:18:39 +0000 (23:18 +0000)]
sync
kettenis [Sat, 11 Aug 2018 22:47:27 +0000 (22:47 +0000)]
Make legacy interrupts work in more cases.
kettenis [Sat, 11 Aug 2018 20:46:48 +0000 (20:46 +0000)]
Use IORT table to map requester ID into MSI sideband data.
krw [Sat, 11 Aug 2018 18:37:21 +0000 (18:37 +0000)]
Nuke stray/pointless 'volatile' for local var.
beck [Sat, 11 Aug 2018 16:16:07 +0000 (16:16 +0000)]
Get rid of PLEDGE_STAT, which was a hack used for unveil.
We use UNVEIL_INSPECT instead in the unveil flags for the same
purpose, and now add traversed vnodes of a path with UNVEIL_INSPECT
instead of with 0 flags and voodoo in unveil_flagmatch. This
allows us to uncontort the logic of unveil_flagmatch a bunch.
helpful review and ok from semarie@