reject the following sources:
0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
ff00::/8 ::/128
::ffff:0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
hint from deraadt.
- print-telnet.c: do not print control character
- print-icmp6.c: improve icmp6 node information printing
(we need to at least meet our kernel code!)
- update dhcp6 printing to 15 draft (14 and 15 are totally incompatible)
- add safeputc() and safeputs() into util.c
hosts.{byname,byaddr} is still an IPv4 only mapping.
obeys solaris8 practice. see comments in ypinit/Makefile.yp for details.
TODO: interop test with solaris8 (any takers?)
duplicate keys are found indicating a corrupted database (avoids problem
where sa would loop forever).
- add open flags and mode in dbopen in case someone wants to debug...
13 characters, not 14. The 13 characters (104bit) secret will be
combined with 24-bit IV to consist the seed for 128-bit RC4.
Though maximum 14 characters can be configured in seven 16-bit hardware
registers, the last charactoer is apparently ignored both for encryption
and decryption.
which needed to be set at compile time but weren't (to handle the case where
TAR_CMD was set to something other than "tar", eg "gtar". In addition to
the constants being wrong, the wrong directory name was being examined for
its string length.
Add a few comments to hopefully avoid having this problem come back.
up to 128 chars long).
Ignore filenames longer than this.
Use syslog with %s as format, just in case.
The above changes come from OpenBSD.
Also use #define instead of magic constants.
between it and hostname:username is optional as well (some software relies
in this); while here, covert to use sscanf() instead of explicit parse code,
sprinkle some comments
dumpit(): change so that the price is total price for this entry, instead of
beeing price per copy
Addresses bin/9996 by Brian Stark, though the implementation differs from
patch code attached to it.
- remove obsolete non-advanced-api support.
- if a routing entry exists for aggregate prefix (-A), do not overwrite
the routing entry (exit with error).
in inetd.conf. otherwise, we'll have (minor) problem putting IPv6 address in.
sync with kame.
[::1]:ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll
- Centerize the check whether an interface is specified.
- Print maximum data length.
- Swap wi_type and wi_code in struct wi_table so that wi_type matches with
wi_type in wi_req.
XXX enami, I admit it is not a good thing to check the error code from
getaddrinfo. it is sometimes mandatory, however. gai_strerror message
can be too generic in some cases. we can't really extend getaddrinfo,
as it was not invented by kame (see RFC2553)
sync with kame.
benefits: allows us to access-control inbound traffic by using hosts.allow(5).
possible drawbacks: inetd mode has no chance for multi-connection-per-single-
process enhancement. current faithd(8) needs 1 process per 1 connection
anyways.
sockets in the situation where all of the following are true:
* /etc/syslogd.conf contained forwarding actions when we were
started up or when we last received a HUP
* /etc/syslogd.conf has had all forwarding actions removed
* we are running with -s
and we receive a HUP.
request:
instead of the -S flag, fix the -s flag to not open a socket
if there are no forwarding rules in /etc/syslog.conf
The behavior of syslogd when -s is specified and there are forwarding rules
should still be made cleaner.
in man page and comments -- for some time it has no longer prevents
an inet socket from being opened, just caused it to be ignored
2.) Fix this problem with `-s' -- syslogd always opens an inet socket, even if
-s is specified and it has nowhere to send to. This socket is then
shutdown(), but there is no way to not have this socket open.
Users setting up paranoid installations can now specify `-S' which
prevents any non-unix-domain sockets from being opened, even if
forwarding is specified in /etc/syslogd.conf.
As per the previous fix, this is not made the default for `-s', as it
also prevents syslogd from forwarding log messages.
3.) document the above in the man page and usage.
Justification: in light of the possibility of future DoS attacks, or the
desire to set up a machine which is relatively uninformative in the face
of port scans, users may quite legitimately want to control what sockets
are open on their machine. Telling such users that they cannot run
syslogd is non-ideal.
option pulls in a set of symbols that increases the size of dhclient
with functionality that is not required for installation media.
This was discussed with Ted Lemon, and the patch is being submitted to him
for inclusion in his source tree.
short enough to put on the same line.
- Kill the comma at the end of SEE ALSO list.
- Remove empty line in the source.
- Break line at the end of statement in the source for better output (in other
words, let the roff to format it).
adding support for Heimdal/KTH Kerberos where easy to do so. Eliminate
bsd.crypto.mk.
There is still a bunch more work to do, but crypto is now more-or-less
fully merged into the base NetBSD distribution.
a bit, to make them more descriptive
* in findbestmatchingname_fn, fix a bug where a null pointer wasn't
caught (I wonder why we didn't actually hit that case...)
* Bugfix in findbestmatchingname_fn: when comparing, strip off any
trailing ".tgz", as this will give wrong results. "1.9.8.tgz" was
found to be greater than "1.9.8.1".
Add flags "-b" and "-I" to dumplfs, to allow the user to specify the
location of the superblock and Ifile inode, respectively.
Don't print "corrupt segment header" any more for leftover slivers of
space too close to the next segment to write a partial-segment. In the
event that there was no such sliver, the segment still ends; recognize
this and print out the segment number, and superblock if asked.
Document all the flags in the man page.
Print the partial-segment write flags (SS_DIROP, SS_CONT).
Make the "-a" flag output look slightly better.
Change all hex numbers to lowercase, instead of having some upper and
some lower.
+ Make depend required all the source files to be built before
the dependencies were generated due to some sub-optimal logic
in the version generation.
Fix from Bernd Ernesti in private mail.
+ Make the version string contain ${PROG} as originally intended
and not "ntpd" for all 7 programs.
Also move version generation to Makefile.inc to stop having 7 copies
of exactly the same thing.
to mention here. notable changes are like below.
kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.
setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification
file, make command specified, and no flags or attrs-which-cause-inclusion
are spec'd. The notion is, if you change either of the last 2, it will
probably have very undesirable results, so only allow the make command to
be changed. override by clobbering the make command in the previous entry.
also, fix a bug where line number of original entry would get clobbered on
dup entry, so that if you had multiple dups the later ones would get bogus
initial definition info.
fhopen() and flock(). This means that if you kill lockd, all locks will
be relased (but you're supposed to kill statd at the same time, so
remote hosts will know it and re-establish the lock).
Tested against solaris 2.7 and linux 2.2.14 clients.
Shared lock are not handled efficiently, they're serialised in lockd when they
could be granted.
with both names. So log the "Unsolicited notification" with LOG_DEBUG
instead of LOG_ERR.
Don't return failure if we received a notification for which the host is
unknown, or we don't have outstanding requests. The remote host will retry
forever otherwise.
had been granted access to the portmapper via hosts.{allow,deny} could use
PMAPPROC_CALLIT to call PMAPPROC_{SET,UNSET} to (un)register services as if
they were running on the local host.
The new code disallows all indirect calls to the portmapper except for
PMAPPROC_NULL unless the -i (insecure) flag has been specified.
While there, add a new flag, -p (paranoid) which also disallows indirect calls
to a small number of other services, including key parts of NFS and NIS. This
code hardcodes the services to be disallowed, and is thus somewhat of a hack,
but will serve for the time being (until portmap is replaced by rpcbind as part
of fvdl's current rpc work, due to happen before 1.5).
Problem pointed out by Frank van der Linden <fvdl@netbsd.org>, solution determined
in discussion with Frank van der Linden and with Bill Sommerfeld <sommerfeld@netbsd.org>.
Some inspiration drawn from the (less general) handling of this problem in Wietse
Venema's libwrap'ed portmap.
use of non-exported function __ivaliduser{,_sa}().
we cannot make __ivaliduser{,_sa}() static yet, since doing that would choke
compiled lpd binaries. we should do it on next libc major version bump.
added a memo on lib/libc/shlib_version.
while here, do some whitespace/const cleanup, convert to use addentry(),
g/c section[] (now uses buf[] directly) - 10 character limit for section
name is gone
- decrease warning level on missing rtadvd.conf (actually, the file
can be omitted)
- strict prototype
- gather stats better, emit stats on SIGUSR1 to /var/run
+ Use _PATH_GROUP and _PATH_MASTERPASSWD (from OpenBSD)
+ Use -G group1,group2,group3 for multiple groups in useradd and usermod
(pointed out by Matt Green, and also changed in OpenBSD, but done more
efficiently here)
+ is_number should not be inside #ifdef EXTENSIONS (from OpenBSD)
+ clear up yet another usage message (for user(8) and group(8)) - noticed
in passing, unknown if fixed anywhere else
support the address family (like including "tcp6" in inetd.conf, on
non-IPv6 kernel).
was:
inetd[185]: ftp/tcp6: *: hostname nor servname provided, or not known
now:
inetd[315]: ftp/tcp6: *: the address family is not supported by the kernel
1. if there is a colon present, use that as a separator for user:group
2. if there is no colon, attempt to convert the arg into a username,
searching backwards in the string for a '.' for us.er.group
3. if the arg doesn't match a username and has a '.' in it, split it
up and try user.group
package matching a certain pattern. Examples:
yui# cd /usr/pkgsrc/packages/i386ELF/All/
yui# ls unzip*
unzip-5.40.tgz unzip-5.41.tgz
yui# pkg_admin lsall 'unzip*'
unzip-5.40.tgz
unzip-5.41.tgz
yui# pkg_admin lsall 'unzip>=5.40'
unzip-5.40.tgz
unzip-5.41.tgz
yui# pkg_admin lsall 'unzip>=5.41'
unzip-5.41.tgz
yui# pkg_admin lsbest 'unzip>=5.40'
unzip-5.41.tgz
yui# pkg_admin lsall /usr/pkgsrc/packages/i386ELF/All/'{mit,unproven}-pthread*'
/usr/pkgsrc/packages/i386ELF/All/mit-pthreads-1.60b6.tgz
This adds a shell/user-interface to pkg-patterns, which are a superset
of sh/csh patterns and can't be expanded by any shell.
a static once-generated version instead. We know we have IPv6
headers available here.
The probing was problematical for several reasons:
o it probed the host headers, not the headers in the build or DESTDIR
tree (could be fixed in another way)
o the probe_ipv6 script mucks with PATH, which would be problematical
for cross compilation.
contents of that header (the only file that includes it compiles to the
same object code on multiple architectures with or without including
<ieeefp.h>), so remove all references to it.
Fix sent to NTP maintainers - they will probably implement this change
after the immenient 4.1.0 release, but don't want to change it so close
to the release date.
- isakmp: print CERT and SIG payload. fix IPsec-AH algorithm type.
- rt6: avoid duplicated IPv6 src/dst.
sync with tcpdump.org.
XXX we need to think about future synchronization with tcpdump.org...
default nis-domain "";
would cause a NULL pointer deref while writing out the lease into
the persistent database if the server didn't include an nis-domain
option in the reply.
From: hiro@takechi.org
XXX checkremote() should be improved. gethostname -> getaddrinfo is
not the right thing to do, we cannot assume DNS FQDNs is configured
as hostname. if the goal here is to check if it is really remote or not,
getifaddrs() is the way to go.
struct dirent *, rather than non-const. this makes scandir(3) the
same as the scandir implementations in libiberty and glibc, and the
select function has no need to modify the dirent.
itojun