net.bpf.stats and net.bpf.peers sysctls respectively. netstat(1) now
has an additional syntax:
    netstat [-s] [-B] [-I Interface]
Only the super user can see a list of BPF peers with the following command:
    # netstat -B
    Active BPF peers
    PID   Int  Recv   Drop  Capt  Flags  Bufsize  Comm
    4941  lo0  0      0     0     I--S-  262144   tcpdump
    252   ex0  19668  0     5     I-RS-  32768    dhclient
And every user can see the BPF statistics with:
    $ netstat -s -B
    bpf:
            19669 total packets received
            5 total packets captured
            0 total packets dropped
This idea came from FreeBSD (Christian S.J. Peron) but, currently, they
don't have a userland utility in the base system to read the sysctls.
Reviewed by: christos@
and net.bpf.peers sysctls respectively.
A new structure was added to describe the external (user viewable)
representation of a BPF file; a new entry was added to the bpf_d
structure to store the PID of the calling process; a simple_lock was added
to protect the insert/removal from the net.bpf.peers sysctl handler.
This idea came from FreeBSD (Christian S.J. Peron) but while it is
implemented with sysctls it differs a bit.
Reviewed by: christos@ and atatat@ (who gave me the tip for the net.bpf.peers
sysctl helper function).
ftpd will listen on the default FTP port for incoming connections and fork
a child for each connection. This is lower overhead than starting ftpd from
inetd(8) and thus might be useful on busy servers to reduce load.
Inspired by FreeBSD.
Reviewed by lukem@.
Contrast control is different but similar enough, so refactor the code
to support both. Tested by Christer Andersson.
XXX: platid_mask_MACH_HP_LX also matches 360LX. It's not confirmed
whether touch panel in 360LX is connected in the same way. We may
need to regroup platid masks.
the decapsulator dispatch changes in 2001. Problems found and fixed
by Christine Jones of BBN. Specifically:

Check for a packet's protocol to be ENCAP_PROTO, not AF_INET.

Remove one-back cache for last vif, because vif_encapcheck is called
for each vif, rather than being expected to find the appropriate vif.
The cache usage caused packets to be input on the wrong vif and hence
usually dropped.

In vif_encapcheck, verify the local source as well. While mrouted
endeavors not to create multiple tunnels with a peer, a packet
arriving with the wrong local address is still wrong and should not be
accepted. (This is a correctness nit, not a security issue.) Order
checks to fail quickly for packets being checked to see if they match
a vif other than the one they belong on (essentially, check peer
source address in outer header first).

Claim 69 bits of match (32 each from outer src/dst and 5 from checking
that inner dst is within 224/5). This should result in the vif having
a higher priority for multicast packets compared to a parallel gif(4)
tunnel, and that seems appropriate if both are configured and
seems to match the semantics expected by the decapsulator dispatch
machinery.

(These changes were made in 2.99.15 and about a dozen nodes are
running them with many vifs. ip_mroute.c has not changed
significantly since then (February 2005) and the changes applied
cleanly to current and compile cleanly.)
- Verified Exec -> Veriexec
- pseudo-device is `veriexec'
- veriexec.conf -> signatures, and mention /etc/signatures as the default
location
- We use veriexec's strict level, not the system securelevel
- Mention the `direct' option
- Mention that the signatures file can have multiple options in a single
entry, comma-separated
- Mention that both `direct' and `indirect' access modes are implied
if no access modes are explicitly mentioned in the options
- Bump date