Commit Graph

28 Commits

Author SHA1 Message Date
tls 4147a3c54a Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry.  RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros.  Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp itself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default.  Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.
2007-05-28 12:06:17 +00:00
matt a5db205458 Conditionalize XNS support. No longer enabled. 2006-08-26 15:33:20 +00:00
elad 5d7aa1a613 Make netstat use sysctl when dumping routing tables/stats.
Heavily based on similar code from Claudio Jeker (at OpenBSD).

While here, fix inet/inet6 sysctl stuff committed previously to
actually work, and some other nits to make netstat more sysctl
friendly.

One step closer to losing setgid kmem on this one...
2006-05-28 16:51:40 +00:00
rpaulo 22a0fcf290 Added bpf.c. 2005-08-04 19:40:00 +00:00
lukem 7157011597 Only compile in IPv6 support if ${USE_INET6} != "no"
MKINET6 is for providing IPv6 infrastructure.
USE_INET6 is for compiling IPv6 support into the programs (needs MKINET6).
2005-01-10 02:58:58 +00:00
jonathan 85b3ba5bf1 Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl, for
netstat -p ipsec.

New kernel files:
	sys/netipsec/Makefile		(new file; install *_var.h includes)
	sys/netipsec/ipsec_var.h	(new 64-bit mib counter struct)

Changed kernel files:
	sys/Makefile			(recurse into sys/netipsec/)
	sys/netinet/in.h		(fake IP_PROTO name for fast_ipsec
					sysctl subtree.)
	sys/netipsec/ipsec.h		(minimal userspace inclusion)
	sys/netipsec/ipsec_osdep.h	(minimal userspace inclusion)
	sys/netipsec/ipsec_netbsd.c	(redo sysctl subtree from scratch)
	sys/netipsec/key*.c		(fix broken net.key subtree)

	sys/netipsec/ah_var.h		(increase all counters to 64 bits)
	sys/netipsec/esp_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipip_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipcomp_var.h	(increase all counters to 64 bits)

	sys/netipsec/ipsec.c		(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_mbuf.c	(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_output.c	(add #include netipsec/ipsec_var.h)

	sys/netinet/raw_ip.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/tcp_input.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/udp_usrreq.c	(add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
	usr.bin/netstat/fast_ipsec.c	(print fast-ipsec counters)

Changed files:
	usr.bin/netstat/Makefile	(add fast_ipsec.c)
	usr.bin/netstat/netstat.h	(declarations for fast_ipsec.c)
	usr.bin/netstat/main.c		(call KAME-vs-fast-ipsec dispatcher)
2004-05-07 00:55:14 +00:00
itojun 47d22404d4 use proper #ifdef to determine behavior (__KAME__) 2003-05-14 23:36:32 +00:00
lukem 5d4973fe97 makefile delint. use NETBSDSRCDIR as appropriate 2002-09-18 14:00:33 +00:00
itojun 9da359bbec revise IPsec, pfkey, IPv6 multicast and IPv6 statistics. (sync with kame) 2000-02-26 09:55:24 +00:00
itojun 033763d6c9 per-interface statistics.
bring in and enable KAME scopeid hack.
lots of cleanups.
(sync with latest KAME)
1999-12-13 15:22:55 +00:00
thorpej 00fb13f649 Revert previous, as it merely worked around a recent bug in make(1) which
is now fixed.
1999-07-12 18:17:56 +00:00
itojun e56c252759 make sure to use files in ${.CURDIR} before ${.CURDIR}/../../sys/netiso.
(namely iso.c)
1999-07-12 17:53:42 +00:00
itojun 5d56439d90 merge SRCS into one. 1999-07-12 17:48:45 +00:00
itojun 414ee1ddfb make netstat IPv6-ready. 1999-07-01 18:40:35 +00:00
gwr 10e180cc49 Back out the .PATH.c changes. The .depend problem (and others)
will be fixed using the new .NOPATH make feature instead.
1997-05-08 21:11:01 +00:00
gwr 012e528f2e Use .PATH.c: ... 1997-05-06 20:44:56 +00:00
christos c3a7122e73 - netatalk additions
- printf format fixes
- minor prototype cleanups
1997-04-03 04:46:44 +00:00
thorpej 67f6822225 New-style RCS ids. 1995-10-03 21:42:34 +00:00
mycroft 4f96184b10 Re-enable some ugly ISO code. 1994-10-06 16:30:55 +00:00
deraadt e5c0834b50 do not need -I/sys 1994-08-03 20:34:13 +00:00
pk 1eacf67a6e Use ${DESTDIR}/sys in CFLAGS. 1994-08-02 09:35:50 +00:00
mycroft d3877f2073 Clean up import. 1994-05-13 08:08:09 +00:00
cgd da1d84230b needs -lkvm, not -lutil 1994-01-28 00:48:33 +00:00
brezak 4b860495c5 Incorporate changes for IP mcast and IGMP from cmaeda@cs.washington.edu. 1994-01-11 19:42:48 +00:00
pk 0915419517 -I/sys --> -I${DESTDIR}/sys, to support cross-compilation. 1993-09-25 13:19:49 +00:00
mycroft 07832ac9cf Add RCS identifiers. 1993-07-31 00:20:24 +00:00
mycroft b64231f035 Reenable NS and ISO code. 1993-05-01 16:26:52 +00:00
cgd e541169ce2 after 0.2.2 "stable" patches applied 1993-03-21 18:04:42 +00:00