- Designed to be fully MP-safe and highly efficient.
- Tables/IP sets (hash or red-black tree) for high performance lookups.
- Stateful filtering and Network Address Port Translation (NAPT).
- Framework for application level gateways (ALGs).
- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.
- Convenient userland utility npfctl(8) with npf.conf(8).
NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.
Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
Under some circumstances, ${TOOL_CAT} may refer to an executable
that does not exist. As a stopgap fix, use cat(1) instead of
${TOOL_CAT} in emit_dist_file.
that assembles /etc/mtree/NetBSD.dist. Instead, use the Makefile's
new target, emit_dist_file, to assemble the correct NetBSD.dist.
Previously, 'postinstall -m amd64 -s $SRC_TOP' would install a
NetBSD.dist that was missing /usr/lib/i386/ et cetera.
the command being executed. This is to allow rc.d scripts to do:
run_rc_command "${@}"
instead of:
run_rc_command "${1}"
and let the command handler (start, stop, etc.) receive the arguments after
the command name.
None of the default commands allow extra arguments, and they will error out
if any are given. This is mostly useful for script-specific commands that
are only supposed to be used through the command line and, therefore, need
to provide a friendly interface.
Proposed in tech-userlevel@. No major objections except for some minor
concerns regarding whether this should be allowed or not at all. Note that
I'm not touching any of the rc.d scripts in the base system, so this is
effectively a no-op from the user point of view.
s/MP/UP/ kernels were otherwise in place.
in my testing on a U60, i couldn't really notice any difference in
speed, but we need testing on a U1/U5/U10 systems to be sure that
GENERIC.UP isn't necessary.
for sparc64, this is somewhat required as USIIIi systems have the
memory controller on the CPU, and unless the CPU is spun up, a UP
kernel will not function on these systems. (we obviously need to
join the NUMA-for-netbsd camp now, too! :-)
this should enable the installer to function on all systems that we
support, but also give the option for people to install GENERIC.UP
on their single-cpu systems if they choose.
XXX: i haven't actually tested sysinst with this, but i have built
both sparc and sparc64 release ISOs successfully with this change
(sans having to comment out kern_ctf.c.)
favor of the PKG_DBDIR variable in /etc/pkg_install.conf. The purpose
of this is to only have to define the location of the packages database
in a single place and have all other system components pick it up.
pkgdb_dir is still honored if defined and the scripts will spit out a
warning in that case, asking the administrator to migrate to the
PKG_DBDIR setting. We can't remove this compatibility workaround until,
at least, after NetBSD 6 is released.
remains world-readable. Otherwise, it ends up with 600 permissions which
make it unusable for building pkgsrc packages as non-root.
Problem found by wiz@.
value when packages are found (so that the user knows he is not getting the
vulnerability checks).
Why? People are complaining. (And somehow, the argument that NetBSD doesn't
do any network operation by default convinces me that it should continue to
do so.)
But still, I will be adding a question to sysinst to enable/disable this.
packages vulnerability database up to date. This will only fetch the
file from the server if it has changed since the last run.
Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.
All of these options are enabled by default but they will only run if
there is, at least, one installed package.
decide whether to make kernel modules: set MKKMOD to no for evbppc.
Use this in etc/Makefile to decide whether to do the "modules"
obsolete sets. Move the ./var/db/obsolete/modules entry from the
"mi" to the "module.mi" file set.
Fixes the build for evbppc.
Discussed with uebayasi@
- nss_mdns renamed to nss_multicast_dns for clarity and less chance of
confusion with nss_mdnsd (see next).
- Support using mdnsd for all unicast too with new nss_mdnsd module
(note: this mode requires an updated mdnsd too, not yet committed)
- Implement resolv.conf "search" directive support. Needed for nss_mdnsd,
potentially useful with nss_multicast_dns (you could now do
"search example.com local" in resolv.conf if you wanted to and it would
act as you might expect)
- Add references in nsswitch.conf man page and sample file
- Implement AI_CANONNAME
- Various bug fixes
is stored in /etc/zpool.cache and it is automatically loaded into the kernel from
the filesystem. Filesystems are then configured according to their properties
loaded from the cache file.
- Enhance the built-in drop-privs support and use it instead of
having the rc.conf do it. Avoids log error on startup.
From OpenSolaris, with enhancements.
- Add dumping of the unicast server list to the DumpStateLog
debugging output, à la Mac OS X.
- Fix a locking botch that caused warnings in the log.
- Fix FILE leak. From OpenSolaris.
in the release.
Using the modularised "GENERIC" kernel on an existing NetBSD 5.0 system
is difficult and error-prone. The "MONOLITHIC" kernel provides an
easy way to test a new kernel or to upgrade an existing system.
in rc.subr to be marked as optional. This means that it's not an
error if the file system is not mentioned in /etc/fstab. It is
still an error if something else goes wrong.
Change the defaults for these two variables in /etc/defaults/rc.conf:
critical_filesystems_local="OPTIONAL:/var"
critical_filesystems_remote="OPTIONAL:/usr"
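As an added illustration of the "OPTIONAL:" semantics described above (this is stand-alone example code, not rc.subr's own implementation): an entry prefixed with OPTIONAL: is skipped when it has no fstab entry, while an unprefixed one in the same situation is still an error. The fstab content is constructed inline and has no /var entry.

```sh
#!/bin/sh
# Illustration of the OPTIONAL: prefix handling for critical_filesystems_*.
# Not rc.subr's code; a mount that fails for other reasons would still be
# fatal in either case and is not modelled here.

# Constructed fstab content standing in for /etc/fstab (no /var entry).
FSTAB_SAMPLE='/dev/wd0a / ffs rw 1 1
/dev/wd0e /usr ffs rw 1 2
/dev/wd0b none swap sw 0 0'

# fstab_has_mountpoint MOUNTPOINT: true if the sample fstab lists it.
fstab_has_mountpoint() {
    printf '%s\n' "$FSTAB_SAMPLE" |
        awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }'
}

# classify_fs ENTRY: prints "mount", "skip" or "fail" for one entry of
# critical_filesystems_local/remote, e.g. "OPTIONAL:/var" or "/usr".
classify_fs() {
    case "$1" in
    OPTIONAL:*) optional=yes; fs="${1#OPTIONAL:}" ;;
    *)          optional=no;  fs="$1" ;;
    esac
    if fstab_has_mountpoint "$fs"; then
        echo mount      # listed in fstab: mount it as usual
    elif [ "$optional" = yes ]; then
        echo skip       # not in fstab, but optional: not an error
    else
        echo fail       # not in fstab and required: error, as before
    fi
}

# check_critical LIST: runs classify_fs over a space-separated list and
# returns non-zero if any required file system is missing from fstab.
check_critical() {
    rc=0
    for entry in $1; do
        [ "$(classify_fs "$entry")" = fail ] && rc=1
    done
    return $rc
}
```

Running `check_critical "OPTIONAL:/var /usr"` succeeds because /var is optional; `check_critical "/var /usr"` fails, which is the pre-change behaviour.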
The pfsync interface exposes changes in pf(4) over a pseudo-interface, and can
be used to synchronise different pf instances.
This work was part of my 2009 GSoC
No objection on tech-net@
Add "KEYWORD: interactive" so that prompting for passwords works, and
use print_rc_normal to print a message that could safely be suppressed.
Part of the /etc/rc silent changes requested in PR 41946
and proposed in tech-userlevel.
Add "KEYWORD: interactive" so that the script's prompts work,
and use rc_print_metadata to add a message to the log.
Part of the /etc/rc silent changes requested in PR 41946
and proposed in tech-userlevel.
and which can suppress output in silent mode. Silent mode is enabled
via the new rc_silent variable, which defaults to a value that depends
on the kern.boothowto sysctl.
Part of the /etc/rc silent changes requested in PR 41946
and proposed in tech-userlevel.
in this situation caused the contents of ${.CURDIR} to be cat'ed
into the generated NetBSD.dist mtree spec file, resulting in
${DESTDIR}/var/yp/binding/<garbage> being created, causing set list
check failure at the end of the build.
makes {MK,HAVE_}BINUTILS consistent with {MK,HAVE_}{GCC,GDB}.
Allow MKBFD to define MKBINUTILS as a backwards compatibility hook.
Update the sets lists and add conditionals for lib{bfd,opcodes}.
- we now only create them when building X11, and only create the ones
we need (X11R6 xor X11R7)
- all these subdirs are now in the xbase set
- move the logic for running mtree into etc/mtree/Makefile
- split NetBSD.dist into 3 files, and have the build and postinstall handle
creating a possibly merged one. we still have a single installed file
called "NetBSD.dist".
It will replace azalia(4) after testing.
To use, comment out azalia in your kernel configuration and uncomment the
hdaudio and hdafg lines so it reads:
# Intel High Definition Audio
hdaudio* at pci? dev ? function ?
hdafg* at hdaudiobus?
You should also:
cd /dev
sh MAKEDEV audio
running.
Apparently it is rare for rcorder to place it after ntpd but there was
previously nothing actually preventing it.
Fixes PR 40707 by Ondrej Tuma
names in it. We therefore now depend on it.
However, this would have then created a circular dependency because named
depended on "SERVERS", and racoon was before SERVERS and required kdc,
and kdc needs the time to be right and thus depended on ntp.
Instead, have named depend on NETWORKING (so that there is a network
there), mountcritremote (so we know that named has a directory to work
from) and syslogd (so that named has some place to spew information).
I'm not sure this is perfect, but it is certainly a big improvement
over constantly failing ntpdate runs during boot.
gnulib, the implementation goes back to the AMD Software Optimizer
guide. A number of platforms will want to replace the C version with
assembler code using native instructions.
The algorithm used is the Jenkins hash. The name (mi_vector_hash)
reflects the nature of the hash function.
Add glue for libc ATF tests and include a test case to make sure that
(mis)alignment and endianness are handled correctly.
Bump libc minor to 169.
Based on PR port-powerpc/40421 from Wojciech Galazka,
with misc tweaks by me.
Note sysinst part is not pulled because there is
no supported storage device yet on this port.
INSTALL_DIR would want to write to the metalog, and it can't do that
if the metalog is inside DESTDIR but DESTDIR doesn't yet exist.
This allows some XXX comments to be removed.
first, mount root and run the various disk providers. Add swap and
check the remaining file systems after that.
This breaks the dependency cycle for lvm, which needs writeable /dev.
Depend on rndctl in cgd.
ddb.onpanic to 1, change it back to 0 in sysctl.conf and make sure
postinstall installs this setting.
This avoids us trying to dump while booting from install CD, but keeps
the default the same once we are far enough through /etc/rc.d. Failing
earlier is unlikely to be recovered by an automatic reboot.
OK: core.