deraadt [Mon, 29 May 2017 09:44:01 +0000 (09:44 +0000)]
Randomize link-order of libcrypto as we do with libc. This library
has many small functions without significant local storage, therefore
less tail protection from -fstack-protector-strong to prevent their use
as ROP gadgets. It is used in security contexts. Also many functions
dribble pointers onto the stack, allowing discovery of gadgets via the
fixed relative addresses, so let's randomly bias those.
ok tedu jsing
The rc script will soon need a strategy for skipping this step on
machines with poor IO performance. Or maybe do it less often? However,
I don't see many more libraries we'll do this with, these are the two
most important ones.
deraadt [Mon, 29 May 2017 09:40:13 +0000 (09:40 +0000)]
sync
deraadt [Mon, 29 May 2017 09:40:02 +0000 (09:40 +0000)]
It is distasteful to have manual pages which don't refer to real
function calls, but instead a "class" of functions like "sigsetops".
Rename to sigaddset, and while at it improve documentation in sigprocmask(2)
to point to it.
ok tedu
deraadt [Mon, 29 May 2017 09:37:33 +0000 (09:37 +0000)]
sync
florian [Mon, 29 May 2017 08:59:42 +0000 (08:59 +0000)]
clang points out that the first argument to setproctitle is a format
string. Not really an issue since we are eventually passing in a
string literal...
While here don't set the proctitle for the main process to play nicer
with rc.d(8)
florian [Mon, 29 May 2017 08:15:38 +0000 (08:15 +0000)]
Compare the l2 address from which the slaac address was formed with
the current interface l2 address. Only update the address lifetime if
they are the same. This way we get a new address on ifconfig lladdr
random.
nicm [Mon, 29 May 2017 07:58:33 +0000 (07:58 +0000)]
Do not factor in screen_hsize() for the visible copy mode screen when
adjusting the selection, it should never have any useful history (and
when it does, after resize, we shouldn't use it). From Michal Mazurek.
florian [Mon, 29 May 2017 07:54:46 +0000 (07:54 +0000)]
only send router solicitation on RTM_NEWADDR if the l2 address changed
phessler [Mon, 29 May 2017 07:49:27 +0000 (07:49 +0000)]
remove the file permission check for bgpd.conf
OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed
krw [Mon, 29 May 2017 07:47:13 +0000 (07:47 +0000)]
To prevent anyone else from stumbling on this (now) archaic bit of
history, nuke all mentions of XS_NO_CCB and the #define.
2006 - 2017. R.I.P.
ok kettenis@ inferred ok dlg@
nicm [Mon, 29 May 2017 07:46:32 +0000 (07:46 +0000)]
Tweak text to mention initial size, from John Hood.
mlarkin [Mon, 29 May 2017 07:15:22 +0000 (07:15 +0000)]
vmd(8): prevent crashing when presented with a vm name argument to
"vmctl stop" that doesn't exist.
Diff from Pratik Vyas, thanks!
mpi [Mon, 29 May 2017 06:44:54 +0000 (06:44 +0000)]
Pass SIOCGIFMEDIA to vlan's parent interface.
ok krw@, dlg@
mpi [Mon, 29 May 2017 06:14:10 +0000 (06:14 +0000)]
Pass the symbol instead of its name when looking for CTF infos.
ok jasper@
mpi [Mon, 29 May 2017 06:08:21 +0000 (06:08 +0000)]
Do not try to grab the NET_LOCK() while holding an ifp reference.
Fix a deadlock with a thread trying to detach the corresponding interface.
ok sashan@, bluhm@
mpi [Mon, 29 May 2017 06:06:52 +0000 (06:06 +0000)]
copyin32 implementation from miod@
ok kettenis@
mlarkin [Mon, 29 May 2017 05:59:45 +0000 (05:59 +0000)]
vmm(4): Enable support for AMD-V (SVM) CPUs.
Tested on the following CPUs:
AMD C-60 APU
AMD GX-412TC SOC (PCEngines APU2C4)
AMD Opteron(tm) Processor 6128
... and various others via bochs/simulators, on a variety of different
guest VM types. Also verified no regressions on my x230 Intel machine
since this diff slightly changes CPUID behaviour WRT cache information.
ok deraadt@
deraadt [Mon, 29 May 2017 04:40:35 +0000 (04:40 +0000)]
do not need dev[] wasting bss space
henning [Mon, 29 May 2017 00:05:28 +0000 (00:05 +0000)]
mlarkin and airport.7 say "must have been there", not "flown there".
Add XFW, Hamburg-Finkenwerder (the Airbus factory)
ok mlarkin fcambus
mlarkin [Sun, 28 May 2017 23:56:13 +0000 (23:56 +0000)]
SVM: add some exit types
Also, fix a comment that wasn't applicable anymore, and change a format
from decimal to hex
mlarkin [Sun, 28 May 2017 23:50:19 +0000 (23:50 +0000)]
rename some fields
nicm [Sun, 28 May 2017 23:23:40 +0000 (23:23 +0000)]
Support OSC 10 and 11 to set foreground and background colours, from
"bertnp" in GitHub issue 942.
tedu [Sun, 28 May 2017 22:27:10 +0000 (22:27 +0000)]
remove some escapes that are unnecessary/harmful. ok jmc schwarze
tedu [Sun, 28 May 2017 21:59:56 +0000 (21:59 +0000)]
when copying curvy files from ssh, an extra one snuck in.
signify doesn't do any kex stuff and doesn't need scalarmult.
mlarkin [Sun, 28 May 2017 21:57:19 +0000 (21:57 +0000)]
fix broken include on previous pipex commit
ok deraadt
bluhm [Sun, 28 May 2017 21:23:47 +0000 (21:23 +0000)]
Now that pf looks behind IPv4 authentication headers, disable the
transport mode tests that fail because of floating states. At least
IPv4 and IPv6 are in sync now.
ajacoutot [Sun, 28 May 2017 21:21:00 +0000 (21:21 +0000)]
Add BND, I've been there many times.
zhuk [Sun, 28 May 2017 21:18:21 +0000 (21:18 +0000)]
Add ZIA, even given that I didn't visit it after it actually became ZIA
instead of Ramenskoe Airfield.
approved by deraadt@
tedu [Sun, 28 May 2017 21:13:39 +0000 (21:13 +0000)]
remove unused macro
tedu [Sun, 28 May 2017 21:09:24 +0000 (21:09 +0000)]
there are no bugs; i fixed them
naddy [Sun, 28 May 2017 21:05:54 +0000 (21:05 +0000)]
only mark privacy addresses as such instead of all configured addresses
ok florian@
tedu [Sun, 28 May 2017 21:01:13 +0000 (21:01 +0000)]
if your dying scream would escape the death field, realign to stay within
yasuoka [Sun, 28 May 2017 20:48:29 +0000 (20:48 +0000)]
Process packets immediately without queuing since pipex is believed MP safe
already, for PPPoE case as first step.
ok mpi
florian [Sun, 28 May 2017 20:40:13 +0000 (20:40 +0000)]
removed if 0'ed code; it gets in the way of grepping for things
tedu [Sun, 28 May 2017 20:34:33 +0000 (20:34 +0000)]
high scores printed too far to the right, move it left a little
mlarkin [Sun, 28 May 2017 20:20:00 +0000 (20:20 +0000)]
typo in comment
claudio [Sun, 28 May 2017 20:15:02 +0000 (20:15 +0000)]
Print when we send or recv an EOR marker.
Req by and OK benno@
claudio [Sun, 28 May 2017 20:14:15 +0000 (20:14 +0000)]
Introduce log_peer_info() and make log_peer_warn() log at LOG_ERR instead
of LOG_CRIT (which should only be used for fatal).
OK benno@
claudio [Sun, 28 May 2017 20:10:59 +0000 (20:10 +0000)]
Close imsg pipes later in the process. The shutdown code still tries to
send imsgs and so the SE and RDE crashed because of this late in shutdown.
OK benno@ phessler@
florian [Sun, 28 May 2017 19:57:38 +0000 (19:57 +0000)]
set autoconfprivacy flag; prodding naddy
nicm [Sun, 28 May 2017 19:46:55 +0000 (19:46 +0000)]
Change so that sessions created detached (-d or no client) are always
80x24 and the status line is not applied until they attach. Also make -x
and -y work for control clients whether the session is detached or not.
benno [Sun, 28 May 2017 19:44:52 +0000 (19:44 +0000)]
install new manpage, noted by tb@
benno [Sun, 28 May 2017 19:42:26 +0000 (19:42 +0000)]
please read operator(7) for this information.
benno [Sun, 28 May 2017 19:26:33 +0000 (19:26 +0000)]
document /usr/share/misc/airport contents and rules, after lengthy
hackroom discussion about train stations.
ok mlarkin, feedback deraadt
mlarkin [Sun, 28 May 2017 19:15:18 +0000 (19:15 +0000)]
typo
naddy [Sun, 28 May 2017 19:13:13 +0000 (19:13 +0000)]
pasto, typos, spelling; ok florian@
nicm [Sun, 28 May 2017 19:00:52 +0000 (19:00 +0000)]
Also recalculate session sizes when refresh-client -C is used. GitHub
issue 947.
tedu [Sun, 28 May 2017 18:57:40 +0000 (18:57 +0000)]
The High Council of Deciders has determined that railway stations, even
those with IATA codes, are not airports and therefore do not qualify for
inclusion in this file.
yasuoka [Sun, 28 May 2017 18:55:25 +0000 (18:55 +0000)]
Check also whether the interface is matched when pipex checks PPPoE
packets. This fixes the problem when pipex connects with pppoe(4)
through pair(4).
ajacoutot [Sun, 28 May 2017 18:51:27 +0000 (18:51 +0000)]
Move check later to mitigate a possible race.
yasuoka [Sun, 28 May 2017 18:43:51 +0000 (18:43 +0000)]
Use interface index and if_{put,get} instead of ifnet pointer.
yasuoka [Sun, 28 May 2017 18:42:00 +0000 (18:42 +0000)]
Use interface index instead of ifnet pointer.
mlarkin [Sun, 28 May 2017 18:35:58 +0000 (18:35 +0000)]
add HWD - Hayward Executive Airport. After extensive discussion, the
decision was made that a missed approach at the DH counts as "being at
the airport"
ok phessler, deraadt
tedu [Sun, 28 May 2017 18:31:35 +0000 (18:31 +0000)]
convert to UTF-8
visa [Sun, 28 May 2017 17:12:48 +0000 (17:12 +0000)]
Do not allow NULL callback at rendezvous and clear callback
pointer at the end to catch errors faster.
joris [Sun, 28 May 2017 17:11:34 +0000 (17:11 +0000)]
Let opencvs show ignored files on import, not showing them is just confusing.
ok stsp@
joris [Sun, 28 May 2017 17:01:10 +0000 (17:01 +0000)]
Don't allow opencvs to commit towards tags that are not branches.
Gets rid of the old logic that wasn't working and replaces it with
a simplified version.
ok stsp@
joris [Sun, 28 May 2017 16:58:54 +0000 (16:58 +0000)]
Teach opencvs status to display the sticky tag according to what it really
represents if it is a branch or a revision.
ok stsp@
joris [Sun, 28 May 2017 16:57:01 +0000 (16:57 +0000)]
Bring the opencvs log message template inline with other cvs implementations.
ok stsp@
bluhm [Sun, 28 May 2017 16:55:54 +0000 (16:55 +0000)]
Limit the nested header chain for IPv6 extensions headers and for
authentication headers in the IPv4 case. This prevents spending
excessive cpu time on crafted packets.
OK henning@
jmc [Sun, 28 May 2017 16:52:27 +0000 (16:52 +0000)]
tweak previous;
bluhm [Sun, 28 May 2017 16:43:45 +0000 (16:43 +0000)]
Fix bad white spaces, wrap long lines, kill some empty lines.
florian [Sun, 28 May 2017 16:36:53 +0000 (16:36 +0000)]
get a new privacy address before the old one expires
florian [Sun, 28 May 2017 15:58:02 +0000 (15:58 +0000)]
No need to constantly re-add the default route. It will not expire
like the prefixes. We might want to check if someone deleted the
route by hand though.
jmatthew [Sun, 28 May 2017 15:48:49 +0000 (15:48 +0000)]
Fix checks for seconds and timezones in generalized times.
Fixing the CHECK_RANGE macro in r1.4 revealed that the seconds check
accidentally relied on the macro being broken. While looking into this I
noticed that the timezone check was also wrong, treating the timezone as
optional for generalized times.
investigation and diff mostly by Seiya Kawashima.
visa [Sun, 28 May 2017 15:46:06 +0000 (15:46 +0000)]
Use fast path if remote call is not needed.
Note that rendezvous calls are no longer necessarily
serialized systemwide.
anton [Sun, 28 May 2017 15:36:45 +0000 (15:36 +0000)]
Remove a redundant assignment introduced in revision 1.219 but favor the
assignment outside of the conditional.
ok stsp@
henning [Sun, 28 May 2017 15:16:52 +0000 (15:16 +0000)]
we're not hardcoded to table 0 any more
henning [Sun, 28 May 2017 15:16:33 +0000 (15:16 +0000)]
so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno
visa [Sun, 28 May 2017 15:16:08 +0000 (15:16 +0000)]
mips64_multicast_ipi() excludes current CPU.
The caller does not have to do that.
akfaew [Sun, 28 May 2017 15:15:21 +0000 (15:15 +0000)]
Don't check np->port for NULL - it's an array, it's never NULL.
OK bluhm@
mpi [Sun, 28 May 2017 15:03:53 +0000 (15:03 +0000)]
Add missing NET_UNLOCK() in error path.
Spotted by sashan@
bluhm [Sun, 28 May 2017 14:54:00 +0000 (14:54 +0000)]
Pf was handling IPv4 and IPv6 differently regarding AH extension
headers. pf_walk_header6() steps over it and detects the real
protocol. So implement a minimal header walking function
pf_walk_header() for IPv4. It does the header checks and jumps
over AH. Then pf does not understand AH as a protocol, it is just
an extension that authenticates the packet. Move some header and
option checks to pf_walk_header() for consistency with IPv6. This
also improves the header check for IPv4 packets in ICMP payload.
OK henning@
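Both pf commits above (the bounded nested-header chain and pf_walk_header() stepping over IPv4 AH) describe the same defensive idea: walk the header chain with explicit length checks and a hard depth limit so a crafted packet cannot make the classifier loop or read past the buffer. The following is an added, stand-alone illustration of that technique and is not pf's code; MAX_NESTED_HDRS is an assumed bound chosen for the example, the walker only knows the header types listed, and the two builder functions produce constructed sample packets rather than captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA next-header / protocol numbers used by the walker. */
#define NH_HOPOPTS   0
#define NH_TCP       6
#define NH_UDP      17
#define NH_ROUTING  43
#define NH_FRAGMENT 44
#define NH_AH       51
#define NH_DSTOPTS  60

/* Assumed bound on nested headers for this example (not pf's constant). */
#define MAX_NESTED_HDRS 8

enum { WALK_TRUNCATED = -1, WALK_TOO_DEEP = -2, WALK_BAD = -3 };

/*
 * Walk past IPv6 extension headers, or past AH in the IPv4 case, with
 * length checks at every step and a depth limit. Returns the number of
 * headers skipped (>= 0) or a negative error. On success *proto is the
 * upper-layer protocol and *off the offset of its header within pkt.
 */
int
walk_headers(const uint8_t *pkt, size_t len, uint8_t *proto, size_t *off)
{
	uint8_t nh;
	size_t pos, hlen;
	int depth = 0, v6;

	if (len < 1)
		return WALK_TRUNCATED;
	switch (pkt[0] >> 4) {
	case 4:
		v6 = 0;
		hlen = (size_t)(pkt[0] & 0x0f) * 4;	/* IHL in 32-bit words */
		if (hlen < 20 || len < hlen)
			return WALK_BAD;
		nh = pkt[9];				/* protocol field */
		pos = hlen;
		break;
	case 6:
		v6 = 1;
		if (len < 40)
			return WALK_TRUNCATED;
		nh = pkt[6];				/* next header field */
		pos = 40;
		break;
	default:
		return WALK_BAD;
	}

	for (;;) {
		/* IPv4 only steps over AH; IPv6 also over the extension headers. */
		int is_ext = (nh == NH_AH) || (v6 && (nh == NH_HOPOPTS ||
		    nh == NH_ROUTING || nh == NH_FRAGMENT || nh == NH_DSTOPTS));
		if (!is_ext)
			break;
		if (++depth > MAX_NESTED_HDRS)
			return WALK_TOO_DEEP;		/* refuse crafted long chains */
		if (len < pos + 2)
			return WALK_TRUNCATED;		/* need next-header and length */
		if (nh == NH_AH)
			hlen = ((size_t)pkt[pos + 1] + 2) * 4;	/* AH: 32-bit words minus 2 */
		else if (nh == NH_FRAGMENT)
			hlen = 8;				/* fixed size */
		else
			hlen = ((size_t)pkt[pos + 1] + 1) * 8;	/* 8-octet units minus 1 */
		if (len < pos + hlen)
			return WALK_TRUNCATED;
		nh = pkt[pos];
		pos += hlen;
	}
	*proto = nh;
	*off = pos;
	return depth;
}

/* Constructed IPv6 packet: fixed header, n hop-by-hop headers, then `final`. */
size_t
build_v6_chain(uint8_t *buf, size_t cap, int n, uint8_t final)
{
	size_t need = 40 + (size_t)n * 8 + 20, p;
	int i;

	if (cap < need)
		return 0;
	memset(buf, 0, need);
	buf[0] = 0x60;
	buf[6] = n > 0 ? NH_HOPOPTS : final;
	for (i = 0; i < n; i++) {
		p = 40 + (size_t)i * 8;
		buf[p] = (i + 1 < n) ? NH_HOPOPTS : final;	/* next header */
		buf[p + 1] = 0;					/* 8-byte option header */
	}
	return need;
}

/* Constructed IPv4 packet: 20-byte header, one 24-byte AH, then UDP. */
size_t
build_v4_ah(uint8_t *buf, size_t cap)
{
	size_t need = 20 + 24 + 8;

	if (cap < need)
		return 0;
	memset(buf, 0, need);
	buf[0] = 0x45;		/* version 4, IHL 5 */
	buf[9] = NH_AH;
	buf[20] = NH_UDP;	/* AH next header */
	buf[21] = 4;		/* AH length: (4 + 2) * 4 = 24 bytes */
	return need;
}

int
main(void)
{
	uint8_t pkt[512], proto;
	size_t len, off;
	int r;

	len = build_v6_chain(pkt, sizeof pkt, 20, NH_TCP);
	r = walk_headers(pkt, len, &proto, &off);
	printf("20 nested hop-by-hop headers: %s\n",
	    r == WALK_TOO_DEEP ? "rejected (too deep)" : "accepted");
	len = build_v4_ah(pkt, sizeof pkt);
	r = walk_headers(pkt, len, &proto, &off);
	printf("IPv4+AH: skipped %d header(s), proto %u at offset %zu\n",
	    r, proto, off);
	return 0;
}
```

The point a reviewer would look for is that every access of pkt[pos] or pkt[pos + 1] is preceded by a length check, that the loop has a termination bound independent of packet contents, and that AH is treated as something to step over rather than as the final protocol, which is what makes the IPv4 path behave like the IPv6 one.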
krw [Sun, 28 May 2017 14:37:48 +0000 (14:37 +0000)]
Elegant and reliable link status checking courtesy of mpi@.
Less of unreliable ioctl(SIOCGIFMEDIA), more getifaddrs().
ok mpi@
mpi [Sun, 28 May 2017 14:26:38 +0000 (14:26 +0000)]
trunk_port_destroy() needs the NET_LOCK().
It brings the interface down and restores the original lladdr.
Found by Hrvoje Popovski
mpi [Sun, 28 May 2017 14:24:19 +0000 (14:24 +0000)]
If a function is not found in the CTF data, do not assume it takes no
argument.
bluhm [Sun, 28 May 2017 13:59:05 +0000 (13:59 +0000)]
Call bpf_mtap_af() a bit earlier in ipip_input(). This prepares
upcoming diffs, no functional change.
OK mpi@
jsg [Sun, 28 May 2017 13:20:37 +0000 (13:20 +0000)]
Build i386 kernels with -ffreestanding, matching amd64 and various
other platforms.
ok visa@ kettenis@
yasuoka [Sun, 28 May 2017 12:51:33 +0000 (12:51 +0000)]
Remove all splnet/splx from pipex(4) and pppx(4) and replace some of
them by NET_LOCK/NET_UNLOCK. Also make the timeout for pipex_timer
run with a thread context and replace pipex softintr by NETISR_PIPEX.
ok mpi
mpi [Sun, 28 May 2017 12:47:24 +0000 (12:47 +0000)]
Leaving IP multicast group requires the NET_LOCK().
Grab the lock before calling carpdetach().
ok bluhm@
jsg [Sun, 28 May 2017 12:22:54 +0000 (12:22 +0000)]
clang warns on unused labels. Place a recently introduced label under
ifdef IPSEC to fix the clang build when IPSEC is not defined.
ok deraadt@ bluhm@
claudio [Sun, 28 May 2017 12:21:36 +0000 (12:21 +0000)]
Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ sessions. Convergence time got quite a bit better.
OK phessler@
mpi [Sun, 28 May 2017 11:41:52 +0000 (11:41 +0000)]
Merge two functions to lookup ELF sections by name.
ok claudio@, jasper@
jmc [Sun, 28 May 2017 11:17:33 +0000 (11:17 +0000)]
reinstate the description of "mask-source" to "listen on socket": my changes
two revisions previous inadvertently removed it;
ok gilles
stsp [Sun, 28 May 2017 11:03:48 +0000 (11:03 +0000)]
Fix some spurious fatal firmware errors in iwm(4).
If we are not in SCAN state anymore by the time hardware signals completion
of a scan command, exit the scan completion handler immediately instead of
calling ieee80211_end_scan().
Tested by tb@ and myself.
ok mpi@ tb@ zhuk@
benno [Sun, 28 May 2017 10:39:15 +0000 (10:39 +0000)]
use __func__ in log messages. fix some whitespace while here.
From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks!
ok florian, claudio
benno [Sun, 28 May 2017 10:37:26 +0000 (10:37 +0000)]
use __func__ in log messages.
From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks!
ok florian, claudio
ajacoutot [Sun, 28 May 2017 10:12:42 +0000 (10:12 +0000)]
Indent and rename var; no functional change.
benno [Sun, 28 May 2017 10:06:13 +0000 (10:06 +0000)]
style(9) some variable declarations
ok florian@
akfaew [Sun, 28 May 2017 10:06:12 +0000 (10:06 +0000)]
Reduce differences between the two pfctl_osfp.c files.
Apply three commits from pfctl/pfctl_osfp.c
OK bluhm@
benno [Sun, 28 May 2017 10:04:27 +0000 (10:04 +0000)]
check_tos() gets a parameter so i can remove another global var.
ok florian@
benno [Sun, 28 May 2017 10:01:52 +0000 (10:01 +0000)]
introduce struct tr_conf to keep all of the configuration.
Functions needing access to any of those vars get it passed as a parameter.
result: even less global vars.
ok florian@
benno [Sun, 28 May 2017 10:00:00 +0000 (10:00 +0000)]
move as many globals as possible into the main function - that's the
only place where they are used.
Only exception: v6flags - make it an argument to usage()
ok florian@
stsp [Sun, 28 May 2017 09:59:58 +0000 (09:59 +0000)]
Remove unused flag IWM_FLAG_STOPPED.
ok tedu@ of course
mpi [Sun, 28 May 2017 09:45:25 +0000 (09:45 +0000)]
Use membar_enter_after_atomic() and membar_exit_before_atomic().
mpi [Sun, 28 May 2017 09:38:32 +0000 (09:38 +0000)]
Remove useless splnet()/splx() dances.
Data structures modified in the ioctl path are protected by the NET_LOCK().
ok sashan@
florian [Sun, 28 May 2017 09:35:56 +0000 (09:35 +0000)]
propose and configure default gateway
mpi [Sun, 28 May 2017 09:35:13 +0000 (09:35 +0000)]
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
ajacoutot [Sun, 28 May 2017 09:31:45 +0000 (09:31 +0000)]
When a daemon reaches its timeout when starting, display "timeout" instead
of "ok" so the user is warned and has a chance to fix it (most of the time
due to bogus flags). Daemons reaching the timeout without being able to
start are still marked as "failed" (which should also give a clue to the
user that some investigation is needed).
prodded by beck@ a while ago
discussed with and ok sthen@
bluhm [Sun, 28 May 2017 09:25:51 +0000 (09:25 +0000)]
Rename ip_local() to ip_deliver() and give it the same parameters
as the pr_input functions. Add an assert that IPv4 delivery ends
in IP proto done to assure that IPv4 protocol functions work like
IPv6.
OK mpi@