support IPv6 if KAME IPSEC (RFC is not explicit about how we make data stream
for checksum with IPv6, but i'm pretty sure using normal pseudo-header is the
right thing).
XXX
current TCP MD5 signature code has giant flaw:
it does not validate signature on input (can't believe it! what is the point?)
The sys/netipsec policy-cache (added by Jason Thorpe as a rewrite of
the KAME per-PCB policy cache) assumes that policy-cacheable PCBs
always has a non-NULL inph_sp in the common PCB header. So we must
do all the per-PCB policy cache calls when either (KAME) IPSEC, or
FAST_IPSEC is defined. ``Make it so''.
We can now support non-IPsec'ed IPv6 traffic, when both
``options FAST_IPSEC'' and ``options INET6'' are configured.
(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.
This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).
NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.
In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:
sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15
Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.
written into the correct place - even if the user decides not to update
the mbr code and has the old (pre layout change) code installed.
Tell the user that the mbr code needs updating if the new install uses
'all the disk' and teh old version had the bootselect code (otherwise you
get an empty menu).
Probably fixes PR install/25146
there are now alternate non-kernel checks and fixes for this problem.
relevent prs include:
bin/17910 kern/21283 kern/21404 port-macppc/23925 port-macppc/23926
install/25138
use union to align struct fs
don't check error return from fsck upgrade/downgrade runs
use RUN_DISPLAY | RUN_PROGRESS when running upgrade runs
don't use opendisk
much the same function).
Mainly some extra comments, also moved a 'static' so we use 512bytes of
stack and not static data. Killed call to access() as it is pointless
and doesn't do what you want (access is for suid programs to check whether
the real user could do the operation).
to pool_init. Untouched pools are ones that either in arch-specific
code, or aren't initialiased during initial system startup.
Convert struct session, ucred and lockf to pools.
anymore, use the low-level inflate()/deflate() directly. this
allows support file-type detection on stdin; now can decompress
.Z and .bz2 files fed to stdin (fixes PR#25192) additionally it
makes -v work with stdin or stdout (fixes PR#25215.)
(with these changes, we no longer need gzopenfull(3) in libz.)
thanks to martin@ for the code gzip.c:gz_uncompress() is based on.
The problem is with the program that generates the tar file:
-rwxrwxrwx 1 root wheel 0 Feb 8 16:46 faad2/aacDECdrop/
It creates directory nodes without the 'd' bit set, so that pax thinks
they are files and does the temporary name and dance with them. Added
code to detect this condition, warn about it, and work around it.
make the `unmatched vendor code' error message slightly more verbose to
make things easier next time this kind of issue arises.
Reported and tested by Pierre-Philipp Braun.
