(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.
This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).
NOTE: This version has two potential flaws. First, I do not see any code
that verifies received TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.
In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c,
and modifies:
sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15
Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.
socket options (TCP_MD5SIG) in the works. Break TCP socket-options
into a list, and add a list element for TCP_MAXSEG, with text borrowed
from FreeBSD. (NB: our implementation may need improving to match that
rather general text.)
In preparation for adding list elements for TCP_MD5SIG.
- support ${COPTS.<fn>} ${CPUFLAGS.<fn>} ${CPPFLAGS.<fn>}
(deficiency noted by Tyler Retzlaff <rtr@NetBSD.org>)
- use ${COMPILE.s} for .s.o .s.po .s.so (instead of ${COMPILE.S})
- don't support AINC anymore; append to AFLAGS instead
Remove .c.ln - it was a duplicate of the rule in <bsd.sys.mk>
Usage: ${MAKEDIRTARGET} dir target [params]
Runs "cd $${dir} && ${MAKE} [params] $${target}",
displaying a "pretty" message whilst doing so.
Use MAKEDIRPREFIX to implement the __recurse .USE macro in <bsd.subdir.mk>
name where the user should look for documentation about rcvar. It defaults
to 'rc.subr(5)', as rc.subr is mainly used by rc.d scripts.
This variable is useful to let the daily, weekly, monthly and security scripts
tune the warning message shown when any of the variables they handle is not
properly set.
Closes PR misc/23908.
further confusion.
The corresponding files now live in gnu/dist/groff/tmac (still
BSD licensed!), but the only files that should be changed are in
gnu/usr.bin/groff/tmac, see also
http://www.netbsd.org/developers/releng/release-process.html
in Imake.rules:
* Allow XCOMM to be preceded by whitespace and provide a means of generating
* output lines with trailing backslashes.
* Allow XHASH to always be substituted, even in cases where XCOMM isn't.
In particular, this fixes an issue pointed out by wiz on tech-x11, where "@@"
remains unsubstituted for "\" in "startx".
in "/usr/X11R6/lib/X11/doc/RELNOTES". Note particularly that "tcp",
as in "X -nolisten tcp" or "xhost +tcp/host:0", now means *both*
IP transport protocols. Use "inet" or "inet6", instead, to specify
only one or the other.
XDMCP support for IPv6 -- such as it is -- is disabled, just as
it is in the native, out-of-the-box build. XDM-AUTHORIZATION-1
does not really support IPv6 addresses, in any case. (It is
possible to build "xdm" with -DIPv6, but that presumes support
for IPv6-mapped IPv4 addresses in the default installation, for
one thing, and there are unexplored issues with all that.)