derive IP address(es) from the interface (e.g "... from any to fxp0").
This however, creates window for possible attacks from the network.
Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.
No objections on: tech-security
Alan Perez-Rathke and Ram Vedam.
Prototyping, KNF, WARNS=3 by me.
Note that this is marked experimental for now. It works well enough to
make NetBSD/i386 bootable images, but does need more work.
*tp > LONG_MAX is never true, so replace that check with a test
for strtol() setting errno == ERANGE (oddly, some ports' build
swallowed this without warning).
There's no guarantee that a time_t stores the same number of bits
as a long, so check for an overflow there as well, and pass any
error up.
Discussed with christos, martin and mrg.
- cast more returns to void.
- use waitpid instead of wait() to wait for our process, not accidentally
wait for other children.
- return exitstatus only if exited, and return the termination signal otherwise.
- Add new -C option to 'usermod'. This allows a quick way to temporary
lock a users account. This is similar to how FreeBSD do it using
'adduser'. This function can be very handy to administrators!
- Import a function to check if the inputted class actually exists. It
contains my modifications to test whether /etc/login.conf exists
in the first place. -OpenBSD
- Add new -C option to 'usermod'. This allows a quick way to temporary
lock a users account. This is similar to how FreeBSD do it using
'adduser'. This function can be very handy to administrators!
- Import a function to check if the inputted class actually exists. It
contains my modifications to test whether /etc/login.conf exists
in the first place. -OpenBSD
While I am there:
- KNF (long wrapped lines, and spaces after void casts).
- Factor out some common code.
- Fix error messages.
1. Consistently capitalize them.
2. Fix err->errx and warn->warnx inappropriate uses.
3. Use regerror where appropriate.
4. Don't call warn()/err() to report errors after you trashed errno
by calling other syscalls. Save and restore the errno instead,
or in the warn() case, call warn() first.
- Fix size_t - int, uid_t - int confusion.
- Pass lint
and plain file images too. If no TOC can be read, a single track is
assumed which spans the whole thing.
The disklabel will be updated if supported by the device. If not, just
the ISO volume label information will be printed.
- system(), rmdir() sets errno, use it
- Use warnx() if strchr failed, not warn()
- Constify some arguments
- Fix cases when errx()/warnx() should be used instead of err()/warn()
due to errno not being set.
Group code:
------------
- List members in a neat fashion, separated by commas
- groupmod(): Use find_group_info - consistency