From owner-freebsd-security@FreeBSD.ORG Tue Apr 26 02:09:26 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BEBE016A4CE for ; Tue, 26 Apr 2005 02:09:26 +0000 (GMT) Received: from keylime.silverwraith.com (keylime.silverwraith.com [69.55.228.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9555743D49 for ; Tue, 26 Apr 2005 02:09:26 +0000 (GMT) (envelope-from lists-freebsd@silverwraith.com) Received: from keylime.silverwraith.com ([69.55.228.10]) by keylime.silverwraith.com with esmtp (Exim 4.41 (FreeBSD)) id 1DQFVt-0004Oc-OZ; Mon, 25 Apr 2005 19:09:25 -0700 Received: (from avleen@localhost)j3Q29Oda016896; Mon, 25 Apr 2005 19:09:24 -0700 (PDT) (envelope-from lists-freebsd@silverwraith.com) X-Authentication-Warning: keylime.silverwraith.com: avleen set sender to lists-freebsd@silverwraith.com using -f Date: Mon, 25 Apr 2005 19:09:24 -0700 
From: Avleen Vig To: Danny Pansters Message-ID: <20050426020924.GX29262@silverwraith.com> References: <20050412213328.GC1953@lava.net> <6.2.1.2.2.20050417185631.05349ee0@localhost> <200504180330.37184.danny@ricin.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200504180330.37184.danny@ricin.com> User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org Subject: Re: Will 5.4 be an "Extended Life" release? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Apr 2005 02:09:27 -0000

On Mon, Apr 18, 2005 at 03:30:37AM +0200, Danny Pansters wrote:
> Let me just boldly insert that IMHO, if 6.X is going to become stable this
> autumn already that indeed 5.4 or maybe 5.5 at least one of those must be
> long-term-supported. I'm sure one of the two will, as one of the two will
> reflect ultimately the walk-of-life of 5-STABLE, won't it?

Why don't we just skip 6 and name it "FreeBSD X" or "FreeBSD 10" ?
From owner-freebsd-security@FreeBSD.ORG Tue Apr 26 09:48:04 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C54416A4CE for ; Tue, 26 Apr 2005 09:48:04 +0000 (GMT) Received: from mail21.syd.optusnet.com.au (mail21.syd.optusnet.com.au [211.29.133.158]) by mx1.FreeBSD.org (Postfix) with ESMTP id A67CB43D2F for ; Tue, 26 Apr 2005 09:48:03 +0000 (GMT) (envelope-from PeterJeremy@optushome.com.au) Received: from cirb503493.alcatel.com.au (c211-30-75-229.belrs2.nsw.optusnet.com.au [211.30.75.229]) j3Q9lxuR003143 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Tue, 26 Apr 2005 19:48:01 +1000 Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])j3Q9lx7l025931; Tue, 26 Apr 2005 19:47:59 +1000 (EST) (envelope-from pjeremy@cirb503493.alcatel.com.au) Received: (from pjeremy@localhost)j3Q9lwLu025930; Tue, 26 Apr 2005 19:47:58 +1000 (EST) (envelope-from pjeremy) Date: Tue, 26 Apr 2005 19:47:58 +1000 
From: Peter Jeremy To: Avleen Vig Message-ID: <20050426094758.GI12673@cirb503493.alcatel.com.au> References: <20050412213328.GC1953@lava.net> <6.2.1.2.2.20050417185631.05349ee0@localhost> <200504180330.37184.danny@ricin.com> <20050426020924.GX29262@silverwraith.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050426020924.GX29262@silverwraith.com> User-Agent: Mutt/1.4.2i cc: freebsd-security@freebsd.org Subject: Re: Will 5.4 be an "Extended Life" release? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Apr 2005 09:48:04 -0000

On Mon, 2005-Apr-25 19:09:24 -0700, Avleen Vig wrote:
>On Mon, Apr 18, 2005 at 03:30:37AM +0200, Danny Pansters wrote:
>> Let me just boldly insert that IMHO, if 6.X is going to become stable this
>> autumn already that indeed 5.4 or maybe 5.5 at least one of those must be
>> long-term-supported. I'm sure one of the two will, as one of the two will
>> reflect ultimately the walk-of-life of 5-STABLE, won't it?
>
>Why don't we just skip 6 and name it "FreeBSD X" or "FreeBSD 10" ?

Why not just merge XFree86 (or X.org) into 4.11 and release it as "FreeDeskTop 12"?
-- Peter Jeremy From owner-freebsd-security@FreeBSD.ORG Tue Apr 26 15:29:18 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A63AF16A4CE for ; Tue, 26 Apr 2005 15:29:18 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.192]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4797D43D39 for ; Tue, 26 Apr 2005 15:29:18 +0000 (GMT) (envelope-from mureninc@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so1589142wra for ; Tue, 26 Apr 2005 08:29:17 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=O9kU3VDwqJly1Ey5v4rIiv8hKi0xePpO9c+EEHZcg2d6jfmK+8zxPU4RALIA2nn+Wvb/zT74QRi4XmzS7aTL1L8RMVvaebRapBsbyFo6I2UvAWBzAjgIXit8ua/8+AVxG1qsZmmxTR1gsypxSOB/DA1aUgWs10EKSct1r1uoGE4= Received: by 10.54.100.20 with SMTP id x20mr2677471wrb; Tue, 26 Apr 2005 08:29:17 -0700 (PDT) Received: by 10.54.83.8 with HTTP; Tue, 26 Apr 2005 08:29:17 -0700 (PDT) Message-ID: Date: Tue, 26 Apr 2005 11:29:17 -0400 
From: "Constantine A. Murenin" To: Avleen Vig In-Reply-To: <20050426020924.GX29262@silverwraith.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <20050412213328.GC1953@lava.net> <6.2.1.2.2.20050417185631.05349ee0@localhost> <200504180330.37184.danny@ricin.com> <20050426020924.GX29262@silverwraith.com> cc: freebsd-security@freebsd.org cc: Danny Pansters Subject: Re: Will 5.4 be an "Extended Life" release? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Constantine A. Murenin" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Apr 2005 15:29:18 -0000

On 25/04/05, Avleen Vig wrote:
> On Mon, Apr 18, 2005 at 03:30:37AM +0200, Danny Pansters wrote:
> > Let me just boldly insert that IMHO, if 6.X is going to become stable this
> > autumn already that indeed 5.4 or maybe 5.5 at least one of those must be
> > long-term-supported. I'm sure one of the two will, as one of the two will
> > reflect ultimately the walk-of-life of 5-STABLE, won't it?
>
> Why don't we just skip 6 and name it "FreeBSD X" or "FreeBSD 10" ?

'cause we ain't Apple. :-)

Any suggestions to name it XP? :-)

Constantine.
From owner-freebsd-security@FreeBSD.ORG Thu Apr 28 13:10:33 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8764816A4CE for ; Thu, 28 Apr 2005 13:10:33 +0000 (GMT) Received: from addr9.addr.com (addr9.addr.com [209.249.147.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id D3ACC43D31 for ; Thu, 28 Apr 2005 13:10:31 +0000 (GMT) (envelope-from markzero@logik.ath.cx) Received: from logik.ath.cx (localhost [127.0.0.1])j3SDAKl0050892 for ; Thu, 28 Apr 2005 06:10:27 -0700 (PDT) Received: by logik.ath.cx (Postfix, from userid 1001) id BD4586123; Thu, 28 Apr 2005 14:10:17 +0100 (BST) Date: Thu, 28 Apr 2005 14:10:17 +0100 
From: markzero To: freebsd-security@freebsd.org Message-ID: <20050428131017.GA10134@logik.ath.cx> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="6TrnltStXW4iwmi0" Content-Disposition: inline X-GPG-Key: http://darklogik.org/pub/pgp/pgp.txt X-Fingerprint: B776 43DC 8A5D EAF9 2126 9A67 A7DA 390F DEFF 9DD1 X-ADDRSpamFilter: Passed, probability (12%) X-ADDRSignature: 1F82113C Subject: make installworld, permissions and labels X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Apr 2005 13:10:33 -0000 --6TrnltStXW4iwmi0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Just a quick question, My system is quite heavily customised with regard to permissions and MAC labels on system binaries. Is there any way to stop make installworld resetting all my customisation? At the moment I have a set of scripts to set permissions on everything but that's not exactly ideal. 
Mark

--
PGP: http://www.darklogik.org/pub/pgp/pgp.txt
B776 43DC 8A5D EAF9 2126 9A67 A7DA 390F DEFF 9DD1

--6TrnltStXW4iwmi0 Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iQIVAwUBQnDguKfaOQ/e/53RAQpRmRAAniM4T2kzFapLVxJkDY9smWk8egu839z4
wcNr0IsEmaNRw+Wy5n3Y7oO1zr3RBtFSfm70fIaiK3EKviYYXJuki/Tgo10lpp1d
k7XOVfIkdDRZooFQ6OmkutKCmUBDiCNIRZVZX3Ca9psoRqSk8xjjCKqktROeTDid
Fk/GCUKs5jUNud972fAlH6abtTEJFrDE7Y+dyLGL5MH0JW83OD/XiDS3//NNPtSu
9VjSuJxByEG+xQ+vmdhaBooHab4AHczEcEKN6ZLR00LI/JgQll0PMBqKVPaq2IxR
jhk0PRt3zh0ahzVPZ3L50BjPABdflnkfXTsp/26qoOYBCHBqKXkIv+LDhIE8cICG
FzY5s07TbtSZqyYo0yOXgShQnnCsHh63Y8H9bvJu/dYq8+6e/9xAFEp46xGkLaaB
cFLsPpMn1J1g5Yn1cSuUdr6eCzckapKbcxdWciRyA6UCtIiKa6C88Y13j3bEX6yT
IS/5Q1uKK3sY/Rin1j8IveUAVaXIlaB0qvVsSk+TKHA1NESXc+kaNw9gXb37JyeX
yi+6R/cKtLHwIf0gxZHBFZyEt+D187q//9kNrjicy1hUiFr9jyKjrjXVc96ZiMPF
NSmrZM+XKMKZguqlc1mzAN1p+RKcUv1Waj1u3BhKo54BuqG/gcPMwN6usui3A0V7
MqVemZTasps=
=WK0i
-----END PGP SIGNATURE-----
--6TrnltStXW4iwmi0--

From owner-freebsd-security@FreeBSD.ORG Thu Apr 28 16:00:26 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7CF4D16A4CE; Thu, 28 Apr 2005 16:00:26 +0000 (GMT) Received: from addr9.addr.com (addr9.addr.com [209.249.147.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B94343D49; Thu, 28 Apr 2005 16:00:26 +0000 (GMT) (envelope-from markzero@logik.ath.cx) Received: from logik.ath.cx (localhost [127.0.0.1])j3SG0MRY037625; Thu, 28 Apr 2005 09:00:23 -0700 (PDT) Received: by logik.ath.cx (Postfix, from userid 1001) id A317D6123; Thu, 28 Apr 2005 17:00:22 +0100 (BST) Date: Thu, 28 Apr 2005 17:00:22 +0100
From: markzero To: Tom Rhodes Message-ID: <20050428160022.GD10134@logik.ath.cx> References: <20050428131017.GA10134@logik.ath.cx> <20050428113648.23d9b68b@mobile.pittgoth.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="WBsA/oQW3eTA3LlM" Content-Disposition: inline In-Reply-To: <20050428113648.23d9b68b@mobile.pittgoth.com> X-GPG-Key: http://darklogik.org/pub/pgp/pgp.txt X-Fingerprint: B776 43DC 8A5D EAF9 2126 9A67 A7DA 390F DEFF 9DD1 X-ADDRSpamFilter: Passed, probability (10%) X-ADDRSignature: 29F567C3 cc: freebsd-security@freebsd.org Subject: Re: make installworld, permissions and labels X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Apr 2005 16:00:26 -0000

--WBsA/oQW3eTA3LlM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

> On Thu, 28 Apr 2005 14:10:17 +0100
> markzero wrote:
>
> > Just a quick question,
>
> Hey, I know you! You called me an asshole! But it was funny. :)

Hehe, sorry about that. I was young and stupid. ;) It's a small world, isn't it?

> Anyway Mark,
>
> > My system is quite heavily customised with regard to permissions
> > and MAC labels on system binaries. Is there any way to stop
> > make installworld resetting all my customisation? At the moment
> > I have a set of scripts to set permissions on everything but that's
> > not exactly ideal.
>
> You can create a /etc/policy.contexts file, see the Handbook
> for my example. Then read this in using the setfsmac(1)
> command. Then edit /etc/mac.conf, while this really doesn't
> prevent the clobbering, it makes a quick permission setup.
> I would think that easier than a script.

Sounds interesting, I'll give it a try.
If it works I can simply make my script do the above at the end to fix the labels (instead of reinventing the wheel like it does at the moment).

> Though, I'll bring this up with some of the other TrustedBSD
> developers. There should be a better way, in my opinion.

Thanks, Tom.

Out of interest, how is TrustedBSD coming along? I don't track -CURRENT and even in -STABLE there are still warnings about appropriateness for production use. I find it pretty much does all that I require (even if setting it up isn't the most enjoyable of procedures!) but I'm always interested to know how things are progressing.

Thanks,
Mark

--
PGP: http://www.darklogik.org/pub/pgp/pgp.txt
B776 43DC 8A5D EAF9 2126 9A67 A7DA 390F DEFF 9DD1

--WBsA/oQW3eTA3LlM Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iQIVAwUBQnEIlafaOQ/e/53RAQr9OhAArl4nhOLwE7g7tzxXy2SkypMVJ3aTOTeg
5X+9lMXHgHo1NDcqWiK3ZyRaFC4WVPlaSMCBZXyjedsXdaKjxuydS8DuG8f4hSfx
9VLnogZ2RuLVm70mzOV6GY2SCdFeqU40/cP+0DXkw7cMtNw5RLpjrw+9Nb/z9Kee
r6E6aXy5XPdxdVnBZoRl9/M9pr3Ya7jHg32VRSBrgqMq6aO+O8m7V3oLUC+3ub7w
sjiBkTBE39eEtvUxtmsiVPm3pE7YFroNd8ytBYUBwMbjKS8rqEqR55dUspofZqoE
MWmXgy494UrhTPEY0POToIbQzCGhHf35Z13dek0qABjvTuNaQlREnWhvxfSofh2U
JMiqfRwwxtp89TyTD2Ia/QxMf+ccK+kO6QCk9pfP1uhWEws4uV9HcPF+UUm8/Gnj
/7U//tE28/utmXU3+DiHRzef3QzRBR1Swfn81bQN0RELlLWR4QFGoYlbaFpFWPU4
U+FglxXEEAeso3x8u51zjHfsLwuUMeHUPfbTwMxjkqxPFmf5zWgZwDqU3QOChRGF
LKzDGocmnIVL7d1ZHX1vUS5Gr7z/v29zvGXwkd+zCsZGpPdoTHfxGrZBujppFDYl
8oXBXBdiTJ9RiKHxXxBkM0fL/Us+f5hRNME7PE/Od46i2dlYmWRSUHUl/ErdSGcc
TJL9ltEQy4U=
=Mr+8
-----END PGP SIGNATURE-----
--WBsA/oQW3eTA3LlM--

From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 09:40:50 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E464F16A4CE for ; Fri, 29 Apr 2005 09:40:50 +0000 (GMT) Received: from mymail.netmagicians.com
(mymail.netmagicians.com [202.87.39.126]) by mx1.FreeBSD.org (Postfix) with SMTP id F118D43D4C for ; Fri, 29 Apr 2005 09:40:49 +0000 (GMT) (envelope-from sid@netmagicsolutions.com) Received: (qmail 8846 invoked from network); 29 Apr 2005 09:41:24 -0000 Received: from intra.netmagicsolutions.com (HELO ?127.0.0.1?) (202.87.39.242) by mymail.netmagicians.com with SMTP; 29 Apr 2005 09:41:24 -0000 Message-ID: <4272011F.9040707@netmagicsolutions.com> Date: Fri, 29 Apr 2005 15:10:47 +0530 
From: Siddhartha Jain User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org X-Enigmail-Version: 0.91.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 09:40:51 -0000

Hi,

I am using IPFW on FreeBSD 4.11. I am facing two problems:
- SSH sessions time out after a while
- When I run "/sbin/ipfw -q -f flush" in the rules script all connections get reset (and I am thrown out of the box).

Is this standard functioning of ipfw or do I need to change any configuration?

Thanks,
Siddhartha

From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 09:48:06 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B1E3216A4CE for ; Fri, 29 Apr 2005 09:48:06 +0000 (GMT) Received: from Neo-Vortex.net (203-173-19-223.dyn.iinet.net.au [203.173.19.223]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F32443D5E for ; Fri, 29 Apr 2005 09:48:01 +0000 (GMT) (envelope-from root@Neo-Vortex.net) Received: from localhost.Neo-Vortex.got-root.cc (Neo-Vortex@localhost.Neo-Vortex.got-root.cc [127.0.0.1]) by Neo-Vortex.net (8.13.1/8.12.10) with ESMTP id j3T9m089079295; Fri, 29 Apr 2005 19:48:00 +1000 (EST) (envelope-from root@Neo-Vortex.net) Date: Fri, 29 Apr 2005 19:47:59 +1000 (EST)
From: Neo-Vortex To: Siddhartha Jain In-Reply-To: <4272011F.9040707@netmagicsolutions.com> Message-ID: <20050429194242.I78552@Neo-Vortex.net> References: <4272011F.9040707@netmagicsolutions.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 09:48:06 -0000

On Fri, 29 Apr 2005, Siddhartha Jain wrote:
> I am facing two problems:
> - SSH sessions timeout after a while

In PuTTY or whatever other SSH client you use, enable sending of keepalive packets (for PuTTY, under connection settings). (Not sure if this is caused by ipfw or what, but the TCP session is timing out.)

> - When I run "/sbin/ipfw -q -f flush" in the rules script all connections
> get reset (and I am thrown out of the box).
Yep, standard functionality, easy fix though:

-- Start file /root/bin/fws --
#!/bin/sh
# assumes /root/bin is in root's PATH; otherwise use the full path /root/bin/fw
fw > /root/fws-out 2>&1 &
-- End File --

-- Start file /root/bin/fw --
#!/bin/sh

ipfw="ipfw"

# Flush Old Rules
$ipfw -f flush

# Temporary rules to stop connections being killed when reloading rules
$ipfw add 1 allow tcp from any to any established
$ipfw add 2 allow udp from any to any

# - your rules go here (don't use rule 1 or 2 though)

# Clean up temporary rules used to stop connections being killed
$ipfw delete 1
$ipfw delete 2
-- End File --

I use that all the time; maybe 1 out of 100 times it will kill a ssh session (only one that has irssi open, because of the time updating it kills it; I have it set to update every second though, so normally it'd be like 1 out of 500 or so) and even if it does, it still finishes loading the ruleset anyway so you can just ssh straight back in.

If you haven't guessed, you run /root/bin/fws - you can change it to whatever you want of course. Also, the output is redirected to /root/fws-out - if you don't redirect it, it'll kill your ssh session - although it won't stop it loading the other rules.

~Neo-Vortex

From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 10:30:46 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EEDC416A4D0 for ; Fri, 29 Apr 2005 10:30:45 +0000 (GMT) Received: from mymail.netmagicians.com (mymail.netmagicians.com [202.87.39.126]) by mx1.FreeBSD.org (Postfix) with SMTP id 4997243D55 for ; Fri, 29 Apr 2005 10:30:44 +0000 (GMT) (envelope-from sid@netmagicsolutions.com) Received: (qmail 12849 invoked from network); 29 Apr 2005 10:31:18 -0000 Received: from intra.netmagicsolutions.com (HELO ?127.0.0.1?) (202.87.39.242) by mymail.netmagicians.com with SMTP; 29 Apr 2005 10:31:18 -0000 Message-ID: <42720CD0.3080300@netmagicsolutions.com> Date: Fri, 29 Apr 2005 16:00:40 +0530
From: Siddhartha Jain User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <4272011F.9040707@netmagicsolutions.com> <20050429194242.I78552@Neo-Vortex.net> In-Reply-To: <20050429194242.I78552@Neo-Vortex.net> X-Enigmail-Version: 0.91.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 10:30:46 -0000

Neo-Vortex wrote:
>>- When I run "/sbin/ipfw -q -f flush" in the rules script all connections
>>get reset (and I am thrown out of the box).
>
>
> Yep, standard functionality, easy fix though:
>
> -- Start file /root/bin/fws --
> #!/bin/sh
> fw > /root/fws-out 2>&1 &
> -- End File --
>
> -- Start file /root/bin/fw --
> #!/bin/sh
>
> ipfw="ipfw"
>
>
> # Flush Old Rules
> $ipfw -f flush
>
> # Temporary rules to stop connections being killed when reloading rules
> $ipfw add 1 allow tcp from any to any established
> $ipfw add 2 allow udp from any to any
>
> # - your rules go here (don't use rule 1 or 2 though)
>
> # Clean up temporary rules used to stop connections being killed
> $ipfw delete 1
> $ipfw delete 2
> -- End File --
>
> I use that all the time, maybe 1 out of 100 times it will kill a ssh
> session (only one that has irssi open because of the time updating it kills
> it, I have it set to update every second though, so normally it'd be like
> 1 out of 500 or so) and even if it does, it still finishes loading the
> ruleset anyway so you can just ssh straight back in
>
> If you haven't guessed, you run /root/bin/fws - you can change it to
> whatever you want of course, also, the output is redirected to
> /root/fws-out - if you don't redirect it, it'll kill your ssh session -
> although it won't stop it loading the other rules

Thanks :)

My changed rule file looks like this:

----start file ipfw.rules-----------
#!/bin/sh

/sbin/ipfw -q -f flush

cmd="/sbin/ipfw add "   # build rule prefix
ks="keep-state"         # just too lazy to key this each time

/sbin/ipfw add 1 allow tcp from any to any established
#####################################
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
#$cmd 00501 deny tcp from any to any established
$cmd 00602 allow tcp from 20x.xx.xx.xx/32 to any 22 in via ed0 $ks
$cmd 00603 allow tcp from 20x.xx.xx.xx/32 to any 22 in via ed0 $ks
$cmd 00604 allow all from 20x.xx.xx.xx/32 to any out via ed0 $ks
$cmd 00609 allow tcp from 22x.xx.0.0/16 to any 22 in via ed0 $ks
$cmd 00610 allow icmp from 22x.xx.0.0/16 to any in via ed0 $ks
$cmd 00611 allow tcp from 220.xx.0.0/16 to any 22 in via ed0 $ks
$cmd 00612 allow icmp from 220.xx.0.0/16 to any in via ed0 $ks
$cmd 02500 divert 8000 log tcp from any to any 80
$cmd 02501 allow tcp from any to any 80 in via ed0 $ks
#####################################
/sbin/ipfw delete 1
----end file ipfw.rules-----------

Even if I run this script as it is (without running from within another script and redirecting), I don't get disconnected.
Thanks again, - Siddhartha From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 10:35:13 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8518416A4CE for ; Fri, 29 Apr 2005 10:35:13 +0000 (GMT) Received: from Neo-Vortex.net (203-173-19-223.dyn.iinet.net.au [203.173.19.223]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6038743D55 for ; Fri, 29 Apr 2005 10:35:12 +0000 (GMT) (envelope-from root@Neo-Vortex.net) Received: from localhost.Neo-Vortex.got-root.cc (Neo-Vortex@localhost.Neo-Vortex.got-root.cc [127.0.0.1]) by Neo-Vortex.net (8.13.1/8.12.10) with ESMTP id j3TAZA74086264; Fri, 29 Apr 2005 20:35:10 +1000 (EST) (envelope-from root@Neo-Vortex.net) Date: Fri, 29 Apr 2005 20:35:10 +1000 (EST) 
From: Neo-Vortex To: Siddhartha Jain In-Reply-To: <42720CD0.3080300@netmagicsolutions.com> Message-ID: <20050429203417.P85987@Neo-Vortex.net> References: <4272011F.9040707@netmagicsolutions.com> <20050429194242.I78552@Neo-Vortex.net> <42720CD0.3080300@netmagicsolutions.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 10:35:13 -0000

On Fri, 29 Apr 2005, Siddhartha Jain wrote:
> Even if I run this script as it is (without running from within another
> script and redirecting), I don't get disconnected.

Hehe, probably different shells or something (I use tcsh) - or maybe luck :) But without it I get disconnected like 99.9% of times (although because of the first rule after flush, only like 1% of the time do I get locked out :P).

From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 12:21:03 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CF0B116A4CE for ; Fri, 29 Apr 2005 12:21:03 +0000 (GMT) Received: from mymail.netmagicians.com (mymail.netmagicians.com [202.87.39.126]) by mx1.FreeBSD.org (Postfix) with SMTP id 2029843D55 for ; Fri, 29 Apr 2005 12:21:02 +0000 (GMT) (envelope-from sid@netmagicsolutions.com) Received: (qmail 20948 invoked from network); 29 Apr 2005 12:21:35 -0000 Received: from intra.netmagicsolutions.com (HELO ?127.0.0.1?) (202.87.39.242) by mymail.netmagicians.com with SMTP; 29 Apr 2005 12:21:35 -0000 Message-ID: <427226AB.6080702@netmagicsolutions.com> Date: Fri, 29 Apr 2005 17:50:59 +0530
From: Siddhartha Jain User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: In-Reply-To: X-Enigmail-Version: 0.91.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 12:21:03 -0000

Michael Scheidell wrote:
>>I use that all the time, maybe 1 out of 100 times it will kill
>>a ssh session (only one that has irssi open because of the time
>>updating it kills it, I have it set to update every second
>>though, so normally it'd be like 1 out of 500 or so) and even
>>if it does, it still finishes loading the ruleset anyway so
>>you can just ssh straight back in
>
>
> I used
>
> sysctl net.inet.ip.fw.enable=0 && firewall.sh && sysctl net.inet.ip.fw.enable=1 && sleep 60 && reboot
>
> and I would hit a ^c to stop the sleep and reboot if I didn't whack the
> firewall rules.
> The reboot would put it back to rc.conf firewall
>
> Never got disconnected.
>

Just out of curiosity, why is it that IPFW behaves this way and PF and IPF don't?
- Siddhartha From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 12:22:40 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E0C2016A4CF for ; Fri, 29 Apr 2005 12:22:40 +0000 (GMT) Received: from a2.scoop.co.nz (aurora.scoop.co.nz [202.50.109.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B0B143D60 for ; Fri, 29 Apr 2005 12:22:40 +0000 (GMT) (envelope-from andrew@scoop.co.nz) Received: from a2.scoop.co.nz (localhost [127.0.0.1]) by a2.scoop.co.nz (8.13.3/8.12.11) with ESMTP id j3TCMc8B005518; Sat, 30 Apr 2005 00:22:38 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Received: from localhost (andrew@localhost)j3TCMcmw005515; Sat, 30 Apr 2005 00:22:38 +1200 (NZST) (envelope-from andrew@scoop.co.nz) X-Authentication-Warning: a2.scoop.co.nz: andrew owned process doing -bs Date: Sat, 30 Apr 2005 00:22:38 +1200 (NZST) 
From: Andrew McNaughton To: Neo-Vortex In-Reply-To: <20050429203417.P85987@Neo-Vortex.net> Message-ID: <20050430001910.C3271@a2.scoop.co.nz> References: <4272011F.9040707@netmagicsolutions.com> <20050429194242.I78552@Neo-Vortex.net> <20050429203417.P85987@Neo-Vortex.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on a2.scoop.co.nz X-Virus-Status: Clean cc: freebsd-security@freebsd.org cc: Siddhartha Jain Subject: Re: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 12:22:41 -0000

On Fri, 29 Apr 2005, Neo-Vortex wrote:
> On Fri, 29 Apr 2005, Siddhartha Jain wrote:
>
>> Even if I run this script as it is (without running from within another
>> script and redirecting), I don't get disconnected.
>
> hehe, probably different shells or something (I use tcsh) - or maybe luck
> :) but without it I get disconnected like 99.9% of times (although because
> of the first rule after flush, only like 1% of the time do I get locked
> out :P)

1% is way too much. Use nohup, e.g.:

nohup sh /etc/rc.firewall simple &

You can wrap that in a script if you think it's necessary.

Other common advice is to run the firewall script while in a 'screen' environment. See ports for screen.
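The pieces this thread arrives at, put together in one script: the reload order (flush, a temporary rule in front that passes established TCP, the real rules behind it, the temporary rule removed last), output sent to a file and SIGHUP ignored so a dropped session cannot leave a half-loaded table, and a dead man's switch in the spirit of the sleep-and-reboot chain quoted earlier. This is an added example written for this page, not a script posted by any of the participants. Everything specific is an assumption made for the example: ed0 as the outside interface, 192.0.2.0/24 (a documentation prefix) as the network administrators ssh in from, the rule numbers, the log path, the 90-second confirmation window and a reboot as the rollback action.

```sh
#!/bin/sh
# ipfw_safe_reload.sh
# Added example for the "IPFW disconnections and resets" thread; not a
# script posted by any participant.  Reload an ipfw ruleset from an ssh
# session without being cut off: a temporary rule passes established
# TCP while the table is rebuilt, the script ignores SIGHUP so a
# dropped session cannot leave a half-loaded table, and a dead man's
# switch rolls back if nobody confirms within a time limit.
#
# Everything below is an assumption made for the example: the interface,
# the admin prefix (192.0.2.0/24 is a documentation range), the rule
# numbers, the log path and the rollback action.

IPFW="${IPFW:-/sbin/ipfw}"              # set to "echo ipfw" for a dry run
EXT_IF="${EXT_IF:-ed0}"                 # outside interface
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # where administrators ssh in from
TMP_RULE=1                              # temporary rule, lower than any real rule
DEADMAN_SECS="${DEADMAN_SECS:-90}"      # seconds to confirm before rollback
DEADMAN_CMD="${DEADMAN_CMD:-shutdown -r now}"  # reboot restores rc.conf's firewall

# The permanent ruleset.  The ssh rule has keep-state but deliberately no
# "setup": once the temporary rule is deleted, the next packet of the
# session that is already open has to match a permanent rule, and a
# "setup" rule would only match a fresh SYN.
load_rules() {
    $IPFW add 500 check-state
    $IPFW add 600 allow tcp from "$ADMIN_NET" to any 22 in via "$EXT_IF" keep-state
    $IPFW add 700 allow ip from any to any out via "$EXT_IF" keep-state
    $IPFW add 800 allow icmp from any to any icmptypes 0,3,8,11
    $IPFW add 65000 deny log ip from any to any
}

# Rebuild the table.  "-f flush" drops every rule and the dynamic state
# with it, so the first rule back in is the one that keeps existing TCP
# sessions alive; the real rules go in behind it and it is removed last.
safe_reload() {
    trap '' HUP                     # keep going if the ssh session drops
    $IPFW -q -f flush
    $IPFW add "$TMP_RULE" allow tcp from any to any established
    load_rules
    $IPFW delete "$TMP_RULE"
}

# Dead man's switch: a detached subshell that runs $DEADMAN_CMD after
# $DEADMAN_SECS unless it is killed first.  Prints its pid.
arm_deadman() {
    (
        trap '' HUP
        sleep "$DEADMAN_SECS"
        $DEADMAN_CMD
    ) > /dev/null 2>&1 &
    echo $!
}

case "${1:-}" in
    reload)
        pid=$(arm_deadman)
        # Output goes to a file: writing to a pty that has just gone away
        # would kill the script before the last rules are loaded.
        safe_reload > /var/log/ipfw-reload.log 2>&1
        echo "rules loaded; if you can read this, cancel the rollback with: kill $pid"
        ;;
    dry-run)
        IPFW="echo ipfw"
        safe_reload
        ;;
esac
```

Run `sh ipfw_safe_reload.sh dry-run` first to see the exact command sequence, then `reload` and kill the printed pid once the session is confirmed alive. Two caveats the thread only touches on indirectly. The temporary rule only buys time: after it is deleted the already-open session must match a permanent rule, which is why the ssh rule above has keep-state without setup (a setup keep-state rule creates state only for a new SYN, and the flush has already discarded the state the old session had). Idle ssh sessions that die after a few minutes through a keep-state ruleset are usually the dynamic-rule timeout rather than the client: net.inet.ip.fw.dyn_ack_lifetime defaults to 300 seconds, so raise it or enable client keepalives as suggested earlier in the thread. On ipfw2 (FreeBSD 5 and later, not the 4.11 in question) the same thing can be done without any window at all by loading the new rules into a disabled set and exchanging it with the live one via `ipfw set swap`.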
Andrew McNaughton -- There is no way to happiness Happiness is the way ------------------------------------------------------------------- Andrew McNaughton http://www.scoop.co.nz/ andrew@scoop.co.nz Mobile: +61 422 753 792 -- pgp encrypted mail welcome keyid: 70F6C32D keyserver: pgp.mit.edu 5688 2396 AA81 036A EBAC 2DD4 1BEA 7975 A84F 6686 From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 12:28:48 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E99C016A4CE for ; Fri, 29 Apr 2005 12:28:47 +0000 (GMT) Received: from buexe.b-5.de (buexe.b-5.de [84.19.0.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id A82B843D1D for ; Fri, 29 Apr 2005 12:28:46 +0000 (GMT) (envelope-from lupe@lupe-christoph.de) Received: from buexe.b-5.de (www-data@localhost [127.0.0.1]) j3TCSjQU030614 for ; Fri, 29 Apr 2005 14:28:45 +0200 Received: (from www-data@localhost) by buexe.b-5.de (8.12.3/8.12.3/b-5/buexe-msp1.2) id j3TCSil8030612 for freebsd-security@freebsd.org; Fri, 29 Apr 2005 14:28:44 +0200 Received: from blueice3n1.de.ibm.com (blueice3n1.de.ibm.com [195.212.29.179]) by buexe.b-5.de (IMP) with HTTP for ; Fri, 29 Apr 2005 14:28:44 +0200 Message-ID: <1114777724.4272287cdce1b@buexe.b-5.de> Date: Fri, 29 Apr 2005 14:28:44 +0200 
From: Lupe Christoph To: freebsd-security@freebsd.org References: <20050421135601.2718.qmail@gta.com> In-Reply-To: <20050421135601.2718.qmail@gta.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: Internet Messaging Program (IMP) 3.2.2 Subject: Re: Fwd: (KAME-snap 9012) racoon in the kame project X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 12:28:48 -0000 Quoting Larry Baird : > In article <6.2.1.2.0.20050421090724.04cc1668@64.7.153.2> you wrote: > > FYI, looks like support for Racoon is ending. Does anyone have any > > experience with the version in ipsec-tools ? > I have been using it with FreeBSD 4.11. The only issues I have ran > into is that some of its debug messages use %zu and %zd. The %z > isn't know by 4.x libc and causes a core dump. This issue is easily > fixed with sed. Since 5.x know about %z, this should be a non-issue > for more current versions of FreeBSD. I can't find a port for ipsec-tools. Is anybody working on wrapping it in a port? I'd rather not convert from racoon to ipsec-tools before it becomes easier to track new versions. Or maybe I should try isakmpd. That does have a port. Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | "... putting a mail server on the Internet without filtering is like | | covering yourself with barbecue sauce and breaking into the Charity | | Home for Badgers with Rabies. 
Michael Lucas |

From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 12:35:18 2005
Date: Fri, 29 Apr 2005 14:35:16 +0200 (CEST)
From: Marc Olzheim
To: Lupe Christoph
cc: freebsd-security@freebsd.org
Subject: Re: Fwd: (KAME-snap 9012) racoon in the kame project
Message-ID: <20050429123516.GB604@stack.nl>
References: <20050421135601.2718.qmail@gta.com> <1114777724.4272287cdce1b@buexe.b-5.de>
In-Reply-To: <1114777724.4272287cdce1b@buexe.b-5.de>
X-Operating-System: FreeBSD hammer.stack.nl 5.4-STABLE FreeBSD 5.4-STABLE
X-URL: http://www.stack.nl/~marcolz/
User-Agent: Mutt/1.5.9i
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"

> > In article <6.2.1.2.0.20050421090724.04cc1668@64.7.153.2> you wrote:
> > > FYI, looks like support for Racoon is ending. Does anyone have any
> > > experience with the version in ipsec-tools?
> > I have been using it with FreeBSD 4.11. The only issues I have run
> > into is that some of its debug messages use %zu and %zd. The %z
> > isn't known by 4.x libc and causes a core dump. This issue is easily
> > fixed with sed. Since 5.x knows about %z, this should be a non-issue
> > for more current versions of FreeBSD.
>
> I can't find a port for ipsec-tools. Is anybody working on wrapping
> it in a port? I'd rather not convert from racoon to ipsec-tools
> before it becomes easier to track new versions.
>
> Or maybe I should try isakmpd. That does have a port.

Or run the attached patches on the 4.x src tree.
Marc --9zSXsLTf0vkW971A Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="libc_vfprintf.patch" Content-Transfer-Encoding: quoted-printable --- /usr/src/lib/libc/stdio/vfprintf.c Sun Oct 13 16:28:00 2002 +++ /usr/src/lib/libc/stdio/vfprintf.c Tue Mar 22 11:57:31 2005 @@ -39,7 +39,7 @@ static char sccsid[] =3D "@(#)vfprintf.c 8.1 (Berkeley) 6/4/93"; #endif static const char rcsid[] =3D - "$FreeBSD: src/lib/libc/stdio/vfprintf.c,v 1.22.2.5 2002/10/12 10:46:37 = schweikh Exp $"; + "$FreeBSD: src/lib/libc/stdio/vfprintf.c,v 1.32 2001/11/30 06:12:15 fenn= er Exp $"; #endif /* LIBC_SCCS and not lint */ =20 /* @@ -50,10 +50,13 @@ =20 #include =20 +#include #include +#include #include #include #include +#include =20 #if __STDC__ #include 
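Review bot: the rcsid change in the `@@ -39,7 +39,7 @@` hunk (1.22.2.5 replaced by `v 1.32 2001/11/30 ... fenner`) shows this is a wholesale import of the 5-CURRENT vfprintf.c of that date rather than a minimal fix for the `%z` modifier; the hunks that follow also bring in the union-based positional argument table, `%'` digit grouping, `%hh`/`%j`/`%t`, the C99 `inf`/`nan` spelling and the split into a locked `vfprintf()` and an unlocked `__vfprintf()`. Say so in the patch description so a 4.x user knows they are taking a libc behaviour change and not a one-line fix, and note that the pasted `$FreeBSD$` string will be re-expanded by keyword substitution if this is ever committed.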
@@ -65,15 +68,60 @@ #include "local.h" #include "fvwrite.h" =20 +typedef int64_t intmax_t; +typedef uint64_t uintmax_t; +#define INTMAX_MAX INT64_MAX +#define UINTMAX_MAX UINT64_MAX +#define INT64_MAX 0x7fffffffffffffffLL +#define UINT64_MAX 0xffffffffffffffffULL + /* Define FLOATING_POINT to get floating point. */ #define FLOATING_POINT =20 +union arg { + int intarg; + u_int uintarg; + long longarg; + u_long ulongarg; + long long longlongarg; + unsigned long long ulonglongarg; + ptrdiff_t ptrdiffarg; + size_t sizearg; + intmax_t intmaxarg; + uintmax_t uintmaxarg; + void *pvoidarg; + char *pchararg; + signed char *pschararg; + short *pshortarg; + int *pintarg; + long *plongarg; + long long *plonglongarg; + ptrdiff_t *pptrdiffarg; + size_t *psizearg; + intmax_t *pintmaxarg; +#ifdef FLOATING_POINT + double doublearg; + long double longdoublearg; +#endif +}; + +/* + * Type ids for argument type table. + */ +enum typeid { + T_UNUSED, TP_SHORT, T_INT, T_U_INT, TP_INT, + T_LONG, T_U_LONG, TP_LONG, T_LLONG, T_U_LLONG, TP_LLONG, + T_PTRDIFFT, TP_PTRDIFFT, T_SIZET, TP_SIZET, + T_INTMAXT, T_UINTMAXT, TP_INTMAXT, TP_VOID, TP_CHAR, TP_SCHAR, + T_DOUBLE, T_LONG_DOUBLE +}; + static int __sprint __P((FILE *, struct __suio *)); static int __sbprintf __P((FILE *, const char *, va_list)); -static char * __ultoa __P((u_long, char *, int, int, char *)); -static char * __uqtoa __P((u_quad_t, char *, int, int, char *)); -static void __find_arguments __P((const char *, va_list, void ***)); -static void __grow_type_table __P((int, unsigned char **, int *)); +static char * __ujtoa __P((uintmax_t, char *, int, int, char *, const char= *)); +static char * __ultoa __P((u_long, char *, int, int, char *, const char *)= ); +static void __find_arguments __P((const char *, va_list, union arg **)); +static void __grow_type_table __P((int, enum typeid **, int *)); =20 /* * Flush out all the vectors defined by the given uio, 
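Review bot: the `@@ -65,15 +68,60 @@` hunk adds `typedef int64_t intmax_t;`, `typedef uint64_t uintmax_t;` and the INT64_MAX/UINT64_MAX/INTMAX_MAX/UINTMAX_MAX macros with no guards; if any header already on the include path of the 4.x tree (or of a later 4-STABLE) provides them, the duplicate typedef is a hard compile error under the 4.x gcc and the macros redefine with warnings. Wrap them in `#ifndef INTMAX_MAX`-style guards, or better, move them into a shared system header such as <sys/inttypes.h> rather than into vfprintf.c, since `union arg`, `enum typeid` and the `__ujtoa` prototype below are their only consumers. Defining INTMAX_MAX in terms of INT64_MAX two lines before INT64_MAX itself is fine (macros expand at use), but it reads backwards; put the INT64 definitions first.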
@@ -118,8 +166,8 @@ fake._lbfsize =3D 0; /* not actually used, but Just In Case */ =20 /* do the work, then copy any error status */ - ret =3D vfprintf(&fake, fmt, ap); - if (ret >=3D 0 && fflush(&fake)) + ret =3D __vfprintf(&fake, fmt, ap); + if (ret >=3D 0 && __fflush(&fake)) ret =3D EOF; if (fake._flags & __SERR) fp->_flags |=3D __SERR; @@ -140,10 +188,12 @@ * use the given digits. */ static char * -__ultoa(u_long val, char *endp, int base, int octzero, char *xdigs) +__ultoa(u_long val, char *endp, int base, int octzero, char *xdigs, + const char *thousep) { register char *cp =3D endp; register long sval; + int ndig; =20 /* * Handle the three cases separately, in the hope of getting @@ -155,6 +205,7 @@ *--cp =3D to_char(val); return (cp); } + ndig =3D 0; /* * On many machines, unsigned arithmetic is harder than * signed arithmetic, so we do at most one unsigned mod and @@ -163,11 +214,16 @@ */ if (val > LONG_MAX) { *--cp =3D to_char(val % 10); + ndig++; sval =3D val / 10; } else sval =3D val; do { *--cp =3D to_char(sval % 10); + if (++ndig =3D=3D 3 && thousep && *thousep !=3D '\0') { + *--cp =3D *thousep; + ndig =3D 0; + } sval /=3D 10; } while (sval !=3D 0); break; 
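Review bot: in the `@@ -163,11 +214,16 @@` hunk the grouping test `if (++ndig == 3 && thousep && *thousep != '\0')` runs before the loop checks whether any digits remain, so a value with exactly 3, 6, 9, ... digits gets a separator in front of its first digit (`%'d` of 123 yields `,123`). Do the division first and only store `*thousep` when more digits follow, e.g. `sval /= 10; if (sval != 0 && ++ndig == 3 && thousep && *thousep != '\0') { *--cp = *thousep; ndig = 0; }`. The `val > LONG_MAX` pre-step only increments `ndig`, which is correct as written.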
@@ -194,30 +250,39 @@ return (cp); } =20 -/* Identical to __ultoa, but for quads. */ +/* Identical to __ultoa, but for intmax_t. */ static char * -__uqtoa(u_quad_t val, char *endp, int base, int octzero, char *xdigs) +__ujtoa(uintmax_t val, char *endp, int base, int octzero, char *xdigs,=20 + const char *thousep) { char *cp =3D endp; - quad_t sval; + intmax_t sval; + int ndig; =20 /* quick test for small values; __ultoa is typically much faster */ /* (perhaps instead we should run until small, then call __ultoa?) */ if (val <=3D ULONG_MAX) - return (__ultoa((u_long)val, endp, base, octzero, xdigs)); + return (__ultoa((u_long)val, endp, base, octzero, xdigs, + thousep)); switch (base) { case 10: if (val < 10) { *--cp =3D to_char(val % 10); return (cp); } - if (val > QUAD_MAX) { + ndig =3D 0; + if (val > INTMAX_MAX) { *--cp =3D to_char(val % 10); + ndig++; sval =3D val / 10; } else sval =3D val; do { *--cp =3D to_char(sval % 10); + if (++ndig =3D=3D 3 && thousep && *thousep !=3D '\0') { + *--cp =3D *thousep; + ndig =3D 0; + } sval /=3D 10; } while (sval !=3D 0); break; @@ -244,12 +309,26 @@ return (cp); } =20 +/* + * MT-safe version + */ +int +vfprintf(FILE *fp, const char *fmt0, va_list ap) +{ + int ret; + + FLOCKFILE(fp); + ret =3D __vfprintf(fp, fmt0, ap); + FUNLOCKFILE(fp); + return (ret); +} + #ifdef FLOATING_POINT #include #include #include "floatio.h" =20 -#define BUF (MAXEXP+MAXFRACT+1) /* + decimal point */ +#define BUF ((MAXEXP*4/3)+MAXFRACT+1) /* + decimal point */ #define DEFPREC 6 =20 static char *cvt __P((double, int, int, char *, int *, int, int *, char **= )); @@ -257,7 +336,7 @@ =20 #else /* no FLOATING_POINT */ =20 -#define BUF 68 +#define BUF 90 =20 #endif /* FLOATING_POINT */ =20 
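Review bot: the `@@ -194,30 +250,39 @@` hunk copies the `__ultoa` grouping loop into `__ujtoa` verbatim, including the check that fires when `ndig` reaches 3 without first testing that digits remain, so whatever fix is applied to the leading separator on 3n-digit values has to be made twice; since `__ujtoa` already hands anything up to ULONG_MAX to `__ultoa`, a small shared helper for the base-10 grouping path would keep the two from drifting. The enlarged `BUF` (`(MAXEXP*4/3)+MAXFRACT+1`, and 68 to 90 without FLOATING_POINT) is what makes room for the separators, but its comment still says only `/* + decimal point */`; document the 4/3 factor so the next person does not shrink it.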
@@ -271,12 +350,21 @@ #define LADJUST 0x004 /* left adjustment */ #define LONGDBL 0x008 /* long double */ #define LONGINT 0x010 /* long integer */ -#define QUADINT 0x020 /* quad integer */ +#define LLONGINT 0x020 /* long long integer */ #define SHORTINT 0x040 /* short integer */ #define ZEROPAD 0x080 /* zero (as opposed to blank) pad */ #define FPT 0x100 /* Floating point number */ + /* C99 additional size modifiers: */ +#define SIZET 0x200 /* size_t */ +#define PTRDIFFT 0x400 /* ptrdiff_t */ +#define INTMAXT 0x800 /* intmax_t */ +#define CHARINT 0x1000 /* print char using int format */ + +/* + * Non-MT-safe version + */ int -vfprintf(FILE *fp, const char *fmt0, va_list ap) +__vfprintf(FILE *fp, const char *fmt0, va_list ap) { char *fmt; /* format string */ int ch; /* character from fmt */ @@ -288,8 +376,9 @@ int width; /* width from format (%8d), or 0 */ int prec; /* precision from format (%.3d), or -1 */ char sign; /* sign prefix (' ', '+', '-', or \0) */ + const char *thousands_sep; #ifdef FLOATING_POINT - char *decimal_point =3D localeconv()->decimal_point; + char *decimal_point; char softsign; /* temporary negative sign for floats */ double _double; /* double precision arguments %[eEfgG] */ int expt; /* integer value of exponent */ @@ -299,7 +388,7 @@ char *dtoaresult; /* buffer allocated by dtoa */ #endif u_long ulval; /* integer arguments %[diouxX] */ - u_quad_t uqval; /* %q integers */ + uintmax_t ujval; /* %j, %ll, %q, %t, %z integers */ int base; /* base for [diouxX] conversion */ int dprec; /* a copy of prec if [diouxX], 0 otherwise */ int realsz; /* field size expanded by dprec, sign, etc */ 
@@ -309,10 +398,10 @@ #define NIOV 8 struct __suio uio; /* output information: summary */ struct __siov iov[NIOV];/* ... and individual io vectors */ - char buf[BUF]; /* space for %c, %[diouxX], %[eEfgG] */ + char buf[BUF]; /* space for %c, %[diouxX], %[eEfFgG] */ char ox[2]; /* space for 0x hex-prefix */ - void **argtable; /* args, built due to positional arg */ - void *statargtable [STATIC_ARG_TBL_SIZE]; + union arg *argtable; /* args, built due to positional arg */ + union arg statargtable [STATIC_ARG_TBL_SIZE]; int nextarg; /* 1-based argument index */ va_list orgap; /* original argument pointer */ =20 @@ -363,7 +452,7 @@ * argument (and arguments must be gotten sequentially). */ #define GETARG(type) \ - ((argtable !=3D NULL) ? *((type*)(argtable[nextarg++])) : \ + ((argtable !=3D NULL) ? *((type*)(&argtable[nextarg++])) : \ (nextarg++, va_arg(ap, type))) =20 /* @@ -373,11 +462,24 @@ #define SARG() \ (flags&LONGINT ? GETARG(long) : \ flags&SHORTINT ? (long)(short)GETARG(int) : \ + flags&CHARINT ? (long)(signed char)GETARG(int) : \ (long)GETARG(int)) #define UARG() \ (flags&LONGINT ? GETARG(u_long) : \ flags&SHORTINT ? (u_long)(u_short)GETARG(int) : \ + flags&CHARINT ? (u_long)(u_char)GETARG(int) : \ (u_long)GETARG(u_int)) +#define INTMAX_SIZE (INTMAXT|SIZET|PTRDIFFT|LLONGINT) +#define SJARG() \ + (flags&INTMAXT ? GETARG(intmax_t) : \ + flags&SIZET ? (intmax_t)GETARG(size_t) : \ + flags&PTRDIFFT ? (intmax_t)GETARG(ptrdiff_t) : \ + (intmax_t)GETARG(long long)) +#define UJARG() \ + (flags&INTMAXT ? GETARG(uintmax_t) : \ + flags&SIZET ? (uintmax_t)GETARG(size_t) : \ + flags&PTRDIFFT ? (uintmax_t)GETARG(ptrdiff_t) : \ + (uintmax_t)GETARG(unsigned long long)) =20 /* * Get * arguments, including the form *nn$. Preserve the nextarg 
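Review bot: `SJARG()` in the `@@ -373,11 +462,24 @@` hunk fetches a `%zd` argument as `GETARG(size_t)` and then casts it to `intmax_t`, which zero-extends: on a 4.x i386 box, where size_t is 32 bits and intmax_t is the 64-bit type declared earlier in this patch, `printf("%zd", (ssize_t)-1)` prints 4294967295 instead of -1, and the `(intmax_t)ujval < 0` sign test in the `d`/`i` case never triggers. Read it through the signed type, e.g. `(intmax_t)(ssize_t)GETARG(size_t)`, and mirror that in `__find_arguments`, whose `ADDSARG()` also files a signed `%zd` argument under the unsigned `T_SIZET` entry that is later pulled with `va_arg (ap, size_t)`. This is not academic here: racoon's debug messages, the reason for the patch, use `%zd` as well as `%zu`.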
@@ -405,22 +507,19 @@ } =20 =20 + thousands_sep =3D NULL; #ifdef FLOATING_POINT dtoaresult =3D NULL; + decimal_point =3D localeconv()->decimal_point; #endif - FLOCKFILE(fp); /* sorry, fprintf(read_only_file, "") returns EOF, not 0 */ - if (cantwrite(fp)) { - FUNLOCKFILE(fp); + if (cantwrite(fp)) return (EOF); - } =20 /* optimise fprintf(stderr) (and other unbuffered Unix files) */ if ((fp->_flags & (__SNBF|__SWR|__SRW)) =3D=3D (__SNBF|__SWR) && - fp->_file >=3D 0) { - FUNLOCKFILE(fp); + fp->_file >=3D 0) return (__sbprintf(fp, fmt0, ap)); - } =20 fmt =3D (char *)fmt0; argtable =3D NULL; @@ -487,6 +586,9 @@ case '+': sign =3D '+'; goto rflag; + case '\'': + thousands_sep =3D localeconv()->thousands_sep; + goto rflag; case '.': if ((ch =3D *fmt++) =3D=3D '*') { GETASTER (n); @@ -532,16 +634,30 @@ goto rflag; #endif case 'h': - flags |=3D SHORTINT; + if (flags & SHORTINT) { + flags &=3D ~SHORTINT; + flags |=3D CHARINT; + } else + flags |=3D SHORTINT; + goto rflag; + case 'j': + flags |=3D INTMAXT; goto rflag; case 'l': - if (flags & LONGINT) - flags |=3D QUADINT; - else + if (flags & LONGINT) { + flags &=3D ~LONGINT; + flags |=3D LLONGINT; + } else flags |=3D LONGINT; goto rflag; case 'q': - flags |=3D QUADINT; + flags |=3D LLONGINT; /* not necessarily */ + goto rflag; + case 't': + flags |=3D PTRDIFFT; + goto rflag; + case 'z': + flags |=3D SIZET; goto rflag; case 'c': *(cp =3D buf) =3D GETARG(int); @@ -553,10 +669,10 @@ /*FALLTHROUGH*/ case 'd': case 'i': - if (flags & QUADINT) { - uqval =3D GETARG(quad_t); - if ((quad_t)uqval < 0) { - uqval =3D -uqval; + if (flags & INTMAX_SIZE) { + ujval =3D SJARG(); + if ((intmax_t)ujval < 0) { + ujval =3D -ujval; sign =3D '-'; } } else { @@ -569,9 +685,14 @@ base =3D 10; goto number; #ifdef FLOATING_POINT +#ifdef HEXFLOAT + case 'a': + case 'A': +#endif case 'e': case 'E': case 'f': + case 'F': goto fp_begin; case 'g': case 'G': 
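Review bot: the `/* not necessarily */` comment on `case 'q': flags |= LLONGINT;` in the `@@ -532,16 +634,30 @@` hunk gives the reader nothing to act on; state the assumption it is hedging (quad_t and long long are both 64-bit on every 4.x target, so treating `%q` as `%ll` is safe there) so that whoever carries this to a platform where the two differ knows what to check. The same hunk removes `FLOCKFILE`/`FUNLOCKFILE` from this function (in the `@@ -405,22 +507,19 @@` part), so `__vfprintf` must only ever be entered through the new locked `vfprintf()` wrapper or from `__sbprintf` on its private `fake` FILE; a one-line comment at the `cantwrite(fp)` check saying the caller holds the lock would make that contract visible.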
@@ -588,12 +709,18 @@ if (isinf(_double)) { if (_double < 0) sign =3D '-'; - cp =3D "Inf"; + if (isupper(ch)) + cp =3D "INF"; + else + cp =3D "inf"; size =3D 3; break; } if (isnan(_double)) { - cp =3D "NaN"; + if (isupper(ch)) + cp =3D "NAN"; + else + cp =3D "nan"; size =3D 3; break; } @@ -610,13 +737,13 @@ else ch =3D 'g'; } - if (ch <=3D 'e') { /* 'e' or 'E' fmt */ + if (ch =3D=3D 'e' || ch =3D=3D 'E') { --expt; expsize =3D exponent(expstr, expt, ch); size =3D expsize + ndig; if (ndig > 1 || flags & ALT) ++size; - } else if (ch =3D=3D 'f') { /* f fmt */ + } else if (ch =3D=3D 'f' || ch =3D=3D 'F') { if (expt > 0) { size =3D expt; if (prec || flags & ALT) @@ -636,12 +763,25 @@ break; #endif /* FLOATING_POINT */ case 'n': - if (flags & QUADINT) - *GETARG(quad_t *) =3D ret; + /* + * Assignment-like behavior is specified if the + * value overflows or is otherwise unrepresentable. + * C99 says to use `signed char' for %hhn conversions. + */ + if (flags & LLONGINT) + *GETARG(long long *) =3D ret; + else if (flags & SIZET) + *GETARG(ssize_t *) =3D (ssize_t)ret; + else if (flags & PTRDIFFT) + *GETARG(ptrdiff_t *) =3D ret; + else if (flags & INTMAXT) + *GETARG(intmax_t *) =3D ret; else if (flags & LONGINT) *GETARG(long *) =3D ret; else if (flags & SHORTINT) *GETARG(short *) =3D ret; + else if (flags & CHARINT) + *GETARG(signed char *) =3D ret; else *GETARG(int *) =3D ret; continue; /* no output */ @@ -649,8 +789,8 @@ flags |=3D LONGINT; /*FALLTHROUGH*/ case 'o': - if (flags & QUADINT) - uqval =3D GETARG(u_quad_t); + if (flags & INTMAX_SIZE) + ujval =3D UJARG(); else ulval =3D UARG(); base =3D 8; @@ -663,10 +803,10 @@ * defined manner.'' * -- ANSI X3J11 */ - ulval =3D (u_long)GETARG(void *); + ujval =3D (uintmax_t)(uintptr_t)GETARG(void *); base =3D 16; xdigs =3D "0123456789abcdef"; - flags =3D (flags & ~QUADINT) | HEXPREFIX; + flags =3D flags | INTMAXT | HEXPREFIX; ch =3D 'x'; goto nosign; case 's': 
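Review bot: in the `@@ -663,10 +803,10 @@` hunk, `flags = flags | INTMAXT | HEXPREFIX;` replaces the old `(flags & ~QUADINT) | HEXPREFIX`, so a length modifier parsed before `%p` (e.g. `%lp`) is now left set instead of cleared. It is harmless on this path because `ujval` is loaded straight from `GETARG(void *)` and only `INTMAX_SIZE` is consulted afterwards, but either clear the size bits explicitly (`(flags & ~(INTMAX_SIZE|LONGINT|SHORTINT|CHARINT)) | INTMAXT | HEXPREFIX`) or add a comment saying why they cannot matter, so the next reader does not have to re-derive it.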
@@ -694,8 +834,8 @@ flags |=3D LONGINT; /*FALLTHROUGH*/ case 'u': - if (flags & QUADINT) - uqval =3D GETARG(u_quad_t); + if (flags & INTMAX_SIZE) + ujval =3D UJARG(); else ulval =3D UARG(); base =3D 10; @@ -705,14 +845,15 @@ goto hex; case 'x': xdigs =3D "0123456789abcdef"; -hex: if (flags & QUADINT) - uqval =3D GETARG(u_quad_t); +hex: + if (flags & INTMAX_SIZE) + ujval =3D UJARG(); else ulval =3D UARG(); base =3D 16; /* leading 0x/X only if non-zero */ if (flags & ALT && - (flags & QUADINT ? uqval !=3D 0 : ulval !=3D 0)) + (flags & INTMAX_SIZE ? ujval !=3D 0 : ulval !=3D 0)) flags |=3D HEXPREFIX; =20 /* unsigned conversions */ @@ -731,14 +872,14 @@ * -- ANSI X3J11 */ cp =3D buf + BUF; - if (flags & QUADINT) { - if (uqval !=3D 0 || prec !=3D 0) - cp =3D __uqtoa(uqval, cp, base, - flags & ALT, xdigs); + if (flags & INTMAX_SIZE) { + if (ujval !=3D 0 || prec !=3D 0) + cp =3D __ujtoa(ujval, cp, base, + flags & ALT, xdigs, thousands_sep); } else { if (ulval !=3D 0 || prec !=3D 0) cp =3D __ultoa(ulval, cp, base, - flags & ALT, xdigs); + flags & ALT, xdigs, thousands_sep); } size =3D buf + BUF - cp; break; @@ -864,7 +1005,6 @@ #endif if (__sferror(fp)) ret =3D EOF; - FUNLOCKFILE(fp); if ((argtable !=3D NULL) && (argtable !=3D statargtable)) free (argtable); return (ret); 
@@ -872,34 +1012,13 @@ } =20 /* - * Type ids for argument type table. - */ -#define T_UNUSED 0 -#define T_SHORT 1 -#define T_U_SHORT 2 -#define TP_SHORT 3 -#define T_INT 4 -#define T_U_INT 5 -#define TP_INT 6 -#define T_LONG 7 -#define T_U_LONG 8 -#define TP_LONG 9 -#define T_QUAD 10 -#define T_U_QUAD 11 -#define TP_QUAD 12 -#define T_DOUBLE 13 -#define T_LONG_DOUBLE 14 -#define TP_CHAR 15 -#define TP_VOID 16 - -/* * Find all arguments when a positional parameter is encountered. Returns= a * table, indexed by argument number, of pointers to each arguments. The * initial argument table should be an array of STATIC_ARG_TBL_SIZE entrie= s. * It will be replaces with a malloc-ed one if it overflows. */=20 static void -__find_arguments (const char *fmt0, va_list ap, void ***argtable) +__find_arguments (const char *fmt0, va_list ap, union arg **argtable) { char *fmt; /* format string */ int ch; /* character from fmt */ @@ -907,8 +1026,8 @@ char *cp; /* handy char pointer (short term usage) */ int flags; /* flags as above */ int width; /* width from format (%8d), or 0 */ - unsigned char *typetable; /* table of types */ - unsigned char stattypetable [STATIC_ARG_TBL_SIZE]; + enum typeid *typetable; /* table of types */ + enum typeid stattypetable [STATIC_ARG_TBL_SIZE]; int tablesize; /* current size of type table */ int tablemax; /* largest used index in table */ int nextarg; /* 1-based argument index */ 
@@ -923,12 +1042,18 @@ typetable[nextarg++] =3D type) =20 #define ADDSARG() \ - ((flags&LONGINT) ? ADDTYPE(T_LONG) : \ - ((flags&SHORTINT) ? ADDTYPE(T_SHORT) : ADDTYPE(T_INT))) + ((flags&INTMAXT) ? ADDTYPE(T_INTMAXT) : \ + ((flags&SIZET) ? ADDTYPE(T_SIZET) : \ + ((flags&PTRDIFFT) ? ADDTYPE(T_PTRDIFFT) : \ + ((flags&LLONGINT) ? ADDTYPE(T_LLONG) : \ + ((flags&LONGINT) ? ADDTYPE(T_LONG) : ADDTYPE(T_INT)))))) =20 #define ADDUARG() \ - ((flags&LONGINT) ? ADDTYPE(T_U_LONG) : \ - ((flags&SHORTINT) ? ADDTYPE(T_U_SHORT) : ADDTYPE(T_U_INT))) + ((flags&INTMAXT) ? ADDTYPE(T_UINTMAXT) : \ + ((flags&SIZET) ? ADDTYPE(T_SIZET) : \ + ((flags&PTRDIFFT) ? ADDTYPE(T_PTRDIFFT) : \ + ((flags&LLONGINT) ? ADDTYPE(T_U_LLONG) : \ + ((flags&LONGINT) ? ADDTYPE(T_U_LONG) : ADDTYPE(T_U_INT)))))) =20 /* * Add * arguments to the type array. @@ -979,6 +1104,7 @@ goto rflag; case '-': case '+': + case '\'': goto rflag; case '.': if ((ch =3D *fmt++) =3D=3D '*') { @@ -1010,16 +1136,30 @@ goto rflag; #endif case 'h': - flags |=3D SHORTINT; + if (flags & SHORTINT) { + flags &=3D ~SHORTINT; + flags |=3D CHARINT; + } else + flags |=3D SHORTINT; + goto rflag; + case 'j': + flags |=3D INTMAXT; goto rflag; case 'l': - if (flags & LONGINT) - flags |=3D QUADINT; - else + if (flags & LONGINT) { + flags &=3D ~LONGINT; + flags |=3D LLONGINT; + } else flags |=3D LONGINT; goto rflag; case 'q': - flags |=3D QUADINT; + flags |=3D LLONGINT; /* not necessarily */ + goto rflag; + case 't': + flags |=3D PTRDIFFT; + goto rflag; + case 'z': + flags |=3D SIZET; goto rflag; case 'c': ADDTYPE(T_INT); @@ -1029,13 +1169,13 @@ /*FALLTHROUGH*/ case 'd': case 'i': - if (flags & QUADINT) { - ADDTYPE(T_QUAD); - } else { - ADDSARG(); - } + ADDSARG(); break; #ifdef FLOATING_POINT +#ifdef HEXFLOAT + case 'a': + case 'A': +#endif case 'e': case 'E': case 'f': 
@@ -1048,12 +1188,20 @@ break; #endif /* FLOATING_POINT */ case 'n': - if (flags & QUADINT) - ADDTYPE(TP_QUAD); + if (flags & INTMAXT) + ADDTYPE(TP_INTMAXT); + else if (flags & PTRDIFFT) + ADDTYPE(TP_PTRDIFFT); + else if (flags & SIZET) + ADDTYPE(TP_SIZET); + else if (flags & LLONGINT) + ADDTYPE(TP_LLONG); else if (flags & LONGINT) ADDTYPE(TP_LONG); else if (flags & SHORTINT) ADDTYPE(TP_SHORT); + else if (flags & CHARINT) + ADDTYPE(TP_SCHAR); else ADDTYPE(TP_INT); continue; /* no output */ @@ -1061,10 +1209,7 @@ flags |=3D LONGINT; /*FALLTHROUGH*/ case 'o': - if (flags & QUADINT) - ADDTYPE(T_U_QUAD); - else - ADDUARG(); + ADDUARG(); break; case 'p': ADDTYPE(TP_VOID); @@ -1076,17 +1221,9 @@ flags |=3D LONGINT; /*FALLTHROUGH*/ case 'u': - if (flags & QUADINT) - ADDTYPE(T_U_QUAD); - else - ADDUARG(); - break; case 'X': case 'x': - if (flags & QUADINT) - ADDTYPE(T_U_QUAD); - else - ADDUARG(); + ADDUARG(); break; default: /* "%?" prints ?, unless ? is NUL */ if (ch =3D=3D '\0') 
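Review bot: the `%n` type-table code in the `@@ -1048,12 +1188,20 @@` hunk tests the length flags in the order INTMAXT, PTRDIFFT, SIZET, LLONGINT, while the output-side `case 'n'` (hunk `@@ -636,12 +763,25 @@` earlier) tests LLONGINT, SIZET, PTRDIFFT, INTMAXT. They only diverge on malformed formats that stack modifiers (`%zjn`), but in that case `__find_arguments` records one pointer type and `vfprintf` writes through another; use the same order in both switches so the two parsers stay in lockstep, as the duplicated `'h'`/`'l'`/`'q'`/`'t'`/`'z'` cases already do.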
@@ -1099,63 +1236,83 @@ * Build the argument table. */ if (tablemax >=3D STATIC_ARG_TBL_SIZE) { - *argtable =3D (void **) - malloc (sizeof (void *) * (tablemax + 1)); + *argtable =3D (union arg *) + malloc (sizeof (union arg) * (tablemax + 1)); } =20 - (*argtable) [0] =3D NULL; + (*argtable) [0].intarg =3D 0; for (n =3D 1; n <=3D tablemax; n++) { switch (typetable [n]) { - case T_UNUSED: - (*argtable) [n] =3D (void *) &va_arg (ap, int); + case T_UNUSED: /* whoops! */ + (*argtable) [n].intarg =3D va_arg (ap, int); break; - case T_SHORT: - (*argtable) [n] =3D (void *) &va_arg (ap, int); - break; - case T_U_SHORT: - (*argtable) [n] =3D (void *) &va_arg (ap, int); + case TP_SCHAR: + (*argtable) [n].pschararg =3D va_arg (ap, signed char *); break; case TP_SHORT: - (*argtable) [n] =3D (void *) &va_arg (ap, short *); + (*argtable) [n].pshortarg =3D va_arg (ap, short *); break; case T_INT: - (*argtable) [n] =3D (void *) &va_arg (ap, int); + (*argtable) [n].intarg =3D va_arg (ap, int); break; case T_U_INT: - (*argtable) [n] =3D (void *) &va_arg (ap, unsigned int); + (*argtable) [n].uintarg =3D va_arg (ap, unsigned int); break; case TP_INT: - (*argtable) [n] =3D (void *) &va_arg (ap, int *); + (*argtable) [n].pintarg =3D va_arg (ap, int *); break; case T_LONG: - (*argtable) [n] =3D (void *) &va_arg (ap, long); + (*argtable) [n].longarg =3D va_arg (ap, long); break; case T_U_LONG: - (*argtable) [n] =3D (void *) &va_arg (ap, unsigned long); + (*argtable) [n].ulongarg =3D va_arg (ap, unsigned long); break; case TP_LONG: - (*argtable) [n] =3D (void *) &va_arg (ap, long *); + (*argtable) [n].plongarg =3D va_arg (ap, long *); + break; + case T_LLONG: + (*argtable) [n].longlongarg =3D va_arg (ap, long long); break; - case T_QUAD: - (*argtable) [n] =3D (void *) &va_arg (ap, quad_t); + case T_U_LLONG: + (*argtable) [n].ulonglongarg =3D va_arg (ap, unsigned long long); break; - case T_U_QUAD: - (*argtable) [n] =3D (void *) &va_arg (ap, u_quad_t); + case TP_LLONG: + (*argtable) 
[n].plonglongarg =3D va_arg (ap, long long *); break; - case TP_QUAD: - (*argtable) [n] =3D (void *) &va_arg (ap, quad_t *); + case T_PTRDIFFT: + (*argtable) [n].ptrdiffarg =3D va_arg (ap, ptrdiff_t); break; + case TP_PTRDIFFT: + (*argtable) [n].pptrdiffarg =3D va_arg (ap, ptrdiff_t *); + break; + case T_SIZET: + (*argtable) [n].sizearg =3D va_arg (ap, size_t); + break; + case TP_SIZET: + (*argtable) [n].psizearg =3D va_arg (ap, ssize_t *); + break; + case T_INTMAXT: + (*argtable) [n].intmaxarg =3D va_arg (ap, intmax_t); + break; + case T_UINTMAXT: + (*argtable) [n].uintmaxarg =3D va_arg (ap, uintmax_t); + break; + case TP_INTMAXT: + (*argtable) [n].pintmaxarg =3D va_arg (ap, intmax_t *); + break; +#ifdef FLOATING_POINT case T_DOUBLE: - (*argtable) [n] =3D (void *) &va_arg (ap, double); + (*argtable) [n].doublearg =3D va_arg (ap, double); break; case T_LONG_DOUBLE: - (*argtable) [n] =3D (void *) &va_arg (ap, long double); + (*argtable) [n].longdoublearg =3D va_arg (ap, long double); break; +#endif case TP_CHAR: - (*argtable) [n] =3D (void *) &va_arg (ap, char *); + (*argtable) [n].pchararg =3D va_arg (ap, char *); break; case TP_VOID: - (*argtable) [n] =3D (void *) &va_arg (ap, void *); + (*argtable) [n].pvoidarg =3D va_arg (ap, void *); break; } } @@ -1168,11 +1325,11 @@ * Increase the size of the type table. */ static void -__grow_type_table (int nextarg, unsigned char **typetable, int *tablesize) +__grow_type_table (int nextarg, enum typeid **typetable, int *tablesize) { - unsigned char *const oldtable =3D *typetable; + enum typeid *const oldtable =3D *typetable; const int oldsize =3D *tablesize; - unsigned char *newtable; + enum typeid *newtable; int newsize =3D oldsize * 2; =20 if (newsize < nextarg + 1) 
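Review bot: in the `@@ -1099,63 +1236,83 @@` hunk, `case TP_SIZET:` stores `va_arg (ap, ssize_t *)` into `psizearg`, which `union arg` declares as `size_t *`, while the output side writes `*GETARG(ssize_t *)` for `%zn`; pick one type (C99 wants the signed counterpart of size_t, so `ssize_t *psizearg`) so the union, the table builder and the consumer agree and the compiler stops warning about incompatible pointer types. Separately, the rewritten `malloc (sizeof (union arg) * (tablemax + 1))` is still dereferenced unchecked on the very next line (`(*argtable) [0].intarg = 0;`); that NULL dereference on allocation failure predates this patch, but touching the line was the moment to return an error instead.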
@@ -1215,8 +1372,13 @@ ndigits++; mode =3D 2; /* ndigits significant digits */ } - digits =3D __dtoa(value, mode, ndigits, decpt, &dsgn, &rve, dtoaresultp); - *sign =3D dsgn !=3D 0; + if (value < 0) { + value =3D -value; + *sign =3D '-'; + } else + *sign =3D '\000'; + digits =3D __dtoa(value, mode, ndigits, decpt, &dsgn, &rve, + dtoaresultp); if ((ch !=3D 'g' && ch !=3D 'G') || flags & ALT) { /* print trailing zeros */ bp =3D digits + ndigits; --- /usr/src/lib/libc/stdio/fflush.c Sat Aug 28 02:00:58 1999 +++ /usr/src/lib/libc/stdio/fflush.c Tue Mar 22 12:37:03 2005 
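Review bot: in the cvt() hunk `@@ -1215,8 +1372,13 @@` above (the last vfprintf.c hunk, before the fflush.c file header), `*sign` is now derived from `value < 0` before `__dtoa` runs rather than from the `dsgn` result afterwards, so negative zero is no longer reported as negative: `%f` of -0.0 prints `0.000000` where the old `*sign = dsgn != 0` produced the sign that C99 requires. Keep using `dsgn` (or test the sign bit) to set the sign and negate `value` only for the conversion. Note also that `*sign` changes from a 0/1 flag to a character ('-' or NUL), so every caller of cvt() must already have been changed to match; that code is outside this hunk, so please confirm it is in the full diff.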
@@ -35,44 +35,75 @@ */ =20 #if defined(LIBC_SCCS) && !defined(lint) -#if 0 static char sccsid[] =3D "@(#)fflush.c 8.1 (Berkeley) 6/4/93"; -#endif -static const char rcsid[] =3D - "$FreeBSD: src/lib/libc/stdio/fflush.c,v 1.7 1999/08/28 00:00:58 peter E= xp $"; #endif /* LIBC_SCCS and not lint */ +#include +__FBSDID("$FreeBSD: src/lib/libc/stdio/fflush.c,v 1.13 2004/07/04 20:17:00= cperciva Exp $"); =20 #include #include -#include "local.h" #include "libc_private.h" +#include "local.h" =20 -/* Flush a single file, or (if fp is NULL) all files. */ +static int sflush_locked(FILE *); + +/* + * Flush a single file, or (if fp is NULL) all files. + * MT-safe version + */ int -fflush(fp) - register FILE *fp; +fflush(FILE *fp) { int retval; =20 if (fp =3D=3D NULL) - return (_fwalk(__sflush)); + return (_fwalk(sflush_locked)); FLOCKFILE(fp); + + /* + * There is disagreement about the correct behaviour of fflush() + * when passed a file which is not open for reading. According to + * the ISO C standard, the behaviour is undefined. + * Under linux, such an fflush returns success and has no effect; + * under Windows, such an fflush is documented as behaving instead + * as fpurge(). + * Given that applications may be written with the expectation of + * either of these two behaviours, the only safe (non-astonishing) + * option is to return EBADF and ask that applications be fixed. + */ if ((fp->_flags & (__SWR | __SRW)) =3D=3D 0) { errno =3D EBADF; retval =3D EOF; - } else { + } else retval =3D __sflush(fp); - } FUNLOCKFILE(fp); return (retval); } =20 +/* + * Flush a single file, or (if fp is NULL) all files. 
+ * Non-MT-safe version + */ int -__sflush(fp) - register FILE *fp; +__fflush(FILE *fp) { - register unsigned char *p; - register int n, t; + int retval; + + if (fp =3D=3D NULL) + return (_fwalk(sflush_locked)); + if ((fp->_flags & (__SWR | __SRW)) =3D=3D 0) { + errno =3D EBADF; + retval =3D EOF; + } else + retval =3D __sflush(fp); + return (retval); +} + +int +__sflush(FILE *fp) +{ + unsigned char *p; + int n, t; =20 t =3D fp->_flags; if ((t & __SWR) =3D=3D 0) @@ -98,4 +129,15 @@ } } return (0); +} + +static int +sflush_locked(FILE *fp) +{ + int ret; + + FLOCKFILE(fp); + ret =3D __sflush(fp); + FUNLOCKFILE(fp); + return (ret); } --9zSXsLTf0vkW971A Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="gcc.4.patch" --- /usr/src/contrib/gcc/c-common.c Fri Jun 21 01:12:24 2002 +++ /usr/src/contrib/gcc/c-common.c Tue Mar 22 14:46:14 2005 @@ -1778,6 +1778,8 @@ { if (*format_chars == 'h' || *format_chars == 'l') length_char = *format_chars++; + else if (*format_chars == 'z' || *format_chars == 't') + length_char = *format_chars++; else if ((*format_chars == 'q' || *format_chars == 'L') && !flag_format_extensions) { 
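Review bot: the comment added in the `@@ -35,44 +35,75 @@` hunk of fflush.c talks about "a file which is not open for reading", but the condition it justifies, `(fp->_flags & (__SWR | __SRW)) == 0`, is "not open for writing" (a read-only stream); fix the word so the EBADF rationale matches the code. Two related points for the same hunk: `__fflush(NULL)` in the "Non-MT-safe version" still walks every stream through `sflush_locked`, so the label only applies to the single-FILE path and should say so; and because the vfprintf.c part of this attachment makes `__sbprintf` call `__fflush(&fake)`, the two files have to be patched and rebuilt together or libc will fail to link.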
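Review bot: the `@@ -1778,6 +1778,8 @@` hunk of c-common.c makes the format checker accept `z` and `t` as length characters, but the next hunk maps `t` to `fci->nolen`, the type used when no length modifier is present (int), so `%td` with a ptrdiff_t argument is checked as if it were `%d`: on i386 that only works because ptrdiff_t happens to be int, and on the 64-bit alpha target it silently passes an argument of the wrong size. `z` reuses the existing `zlen` (size_t) entry, which is right; `t` needs a ptrdiff_t entry of its own in format_char_info, and until it has one the patch should say that `%t` is accepted but not type-checked.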
@@ -1936,6 +1938,8 @@ case 'q': wanted_type = fci->qlen ? *(fci->qlen) : 0; break; case 'L': wanted_type = fci->bigllen ? *(fci->bigllen) : 0; break; case 'Z': wanted_type = fci->zlen ? *fci->zlen : 0; break; + case 'z': wanted_type = fci->zlen ? *fci->zlen : 0; break; + case 't': wanted_type = fci->nolen ? *fci->nolen : 0; break; } if (wanted_type == 0) warning ("use of `%c' length character with `%c' type character", --9zSXsLTf0vkW971A-- --1SQmhf2mF2YjsYvc Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFCcioEezjnobFOgrERAos5AJ9saUStvJlA7goG2w29cUNBi1zHewCgkSnt SqHpn+EzMDfKS3WiO7pU/7w= =1U18 -----END PGP SIGNATURE----- --1SQmhf2mF2YjsYvc-- From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 12:52:14 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9B37C16A4CE for ; Fri, 29 Apr 2005 12:52:14 +0000 (GMT) Received: from buexe.b-5.de (buexe.b-5.de [84.19.0.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id E476143D45 for ; Fri, 29 Apr 2005 12:52:13 +0000 (GMT) (envelope-from lupe@lupe-christoph.de) Received: from buexe.b-5.de (www-data@localhost [127.0.0.1]) j3TCqDQU030925; Fri, 29 Apr 2005 14:52:13 +0200 Received: (from www-data@localhost) by buexe.b-5.de (8.12.3/8.12.3/b-5/buexe-msp1.2) id j3TCqCkK030923; Fri, 29 Apr 2005 14:52:12 +0200 Received: from blueice3n1.de.ibm.com (blueice3n1.de.ibm.com [195.212.29.179]) by buexe.b-5.de (IMP) with HTTP for ; Fri, 29 Apr 2005 14:52:12 +0200 Message-ID: <1114779132.42722dfc77a6d@buexe.b-5.de> Date: Fri, 29 Apr 2005 14:52:12 +0200 
From: Lupe Christoph
To: Marc Olzheim
cc: freebsd-security@freebsd.org
Subject: Re: Fwd: (KAME-snap 9012) racoon in the kame project
References: <20050421135601.2718.qmail@gta.com> <1114777724.4272287cdce1b@buexe.b-5.de> <20050429123516.GB604@stack.nl>
In-Reply-To: <20050429123516.GB604@stack.nl>
User-Agent: Internet Messaging Program (IMP) 3.2.2

Quoting Marc Olzheim:

> > In article <6.2.1.2.0.20050421090724.04cc1668@64.7.153.2> you wrote:
> > I can't find a port for ipsec-tools. Is anybody working on wrapping
> > it in a port? I'd rather not convert from racoon to ipsec-tools
> > before it becomes easier to track new versions.
> > Or maybe I should try isakmpd. That does have a port.
> Or run the attached patches on the 4.x src tree.

I fail to see how this creates an ipsec-tools port. But thanks anyway
for the patches. I'm still undecided if I want to upgrade to 5.3.

Lupe
--
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity    |
| Home for Badgers with Rabies.
Michael Lucas |

From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 12:56:58 2005
Date: Fri, 29 Apr 2005 22:56:53 +1000 (EST)
From: Neo-Vortex To: Andrew McNaughton In-Reply-To: <20050430001910.C3271@a2.scoop.co.nz> Message-ID: <20050429225510.P6468@Neo-Vortex.net> References: <4272011F.9040707@netmagicsolutions.com> <20050429194242.I78552@Neo-Vortex.net> <20050429203417.P85987@Neo-Vortex.net> <20050430001910.C3271@a2.scoop.co.nz> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org cc: Siddhartha Jain Subject: Re: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 12:56:58 -0000 On Sat, 30 Apr 2005, Andrew McNaughton wrote: > 1% is way too much. use nohup. eg: SSH dies, asin i get "Connection reset by peer" and my ssh session closes, i can restart it fine though and the rest of the rules are parsed fine, also, i dont get that on the window that im loading the firewall rulesets, only on my other session wich has irssi running wich sends a packet once every second to update the time... 
the box never needs to be physically touched :) ~Neo-Vortex From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 12:17:50 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A0CBA16A4CE for ; Fri, 29 Apr 2005 12:17:50 +0000 (GMT) Received: from secnap2.secnap.com (secnap2.secnap.net [204.89.241.128]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB99843D2F for ; Fri, 29 Apr 2005 12:17:49 +0000 (GMT) (envelope-from scheidell@secnap.net) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0 Date: Fri, 29 Apr 2005 08:17:48 -0400 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: IPFW disconnections and resets Thread-Index: AcVMoKVL+fqz71hCTAajEx7YdA/DUQAFE45w 
From: "Michael Scheidell" To: "Neo-Vortex" , "Siddhartha Jain" X-Mailman-Approved-At: Fri, 29 Apr 2005 13:31:58 +0000 cc: freebsd-security@freebsd.org Subject: RE: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 12:17:50 -0000 >=20 > I use that all the time, maybe 1 out of 100 times it will kill=20 > a ssh session (only one that has irssi open cause of the time=20 > updating it kills it, i have it set to update every second=20 > though, so normally it'd be like 1 out of 500 or so) and even=20 > if it does, it still finishes loading the ruleset anyway so=20 > you can just ssh straight back in I used=20 sysctl -a net.inet.ip.fw.enable=3D0 && firewall.sh && net.inet.ip.fw.enable=3D1 && sleep 60 && reboot and I would hit a ^c to stop the sleep and reboot if I didn't wack the firewall rules. The reboot would put it back to rc.conf firewall Never got disconnected. Only window of vulnerability was while loading new firewall rules. Yours is safer. From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 14:10:41 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 431C216A4CE for ; Fri, 29 Apr 2005 14:10:41 +0000 (GMT) Received: from viefep18-int.chello.at (viefep18-int.chello.at [213.46.255.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4DB5F43D1D for ; Fri, 29 Apr 2005 14:10:37 +0000 (GMT) (envelope-from nagy.istvan1@chello.hu) Received: from PIHP ([80.98.114.199]) by viefep18-int.chello.at (InterMail vM.6.01.04.04 201-2131-118-104-20050224) with SMTP id <20050429141035.HMGT12975.viefep18-int.chello.at@PIHP>; Fri, 29 Apr 2005 16:10:35 +0200 Message-ID: <005f01c54cc5$36ab6e40$0200a8c0@PIHP> 
From: "Nagy Istvan" To: "Siddhartha Jain" , References: <4272011F.9040707@netmagicsolutions.com> Date: Fri, 29 Apr 2005 16:10:33 +0200 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-RFC2646: Format=Flowed; Original Subject: Re: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 14:10:41 -0000 Hi, im playing with the /etc/crontab to reload the rules periodically, while i remotly edit both crontab and ipfw_rules.sh, this solves the problem of lock-out (but i dont know exactly what other problems it might cause...:) sshd_config has a ClientAliveInterval (seconds between trys) and ClientAliveCountMax (how many times to try keepalive, before client known as nonrespondig and disconnected) option, and on the client side as ~Neo-Vortex wrote find the keepalive setting. (and if the client is untrustable, disable it >:) Istvan ----- Original Message ----- 
From: "Siddhartha Jain" To: Sent: Friday, April 29, 2005 11:40 AM Subject: IPFW disconnections and resets > Hi, > > I am using IPFW on FreeBSD 4.11 > > I am facing two problems: > - SSH sessions timeout after a while > - When I run "/sbin/ipfw -q -f flush" in the rules script all connection > get reset (and I am thrown out of the box). > > Is this standard functioning of ipfw or do I need to change any > configuration? > > > Thanks, > > Siddhartha > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > > > -- > No virus found in this incoming message. > Checked by AVG Anti-Virus. > Version: 7.0.308 / Virus Database: 266.10.4 - Release Date: 2005.04.27. > > From owner-freebsd-security@FreeBSD.ORG Sat Apr 30 04:33:26 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 781E116A4CE for ; Sat, 30 Apr 2005 04:33:26 +0000 (GMT) Received: from cowbert.2y.net (d46h180.public.uconn.edu [137.99.46.180]) by mx1.FreeBSD.org (Postfix) with SMTP id 1946043D41 for ; Sat, 30 Apr 2005 04:33:26 +0000 (GMT) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 58779 invoked by uid 1001); 30 Apr 2005 04:33:25 -0000 Date: Sat, 30 Apr 2005 00:33:25 -0400 
From: "Peter C. Lai" To: Siddhartha Jain Message-ID: <20050430043325.GH1758@cowbert.2y.net> References: <4272011F.9040707@netmagicsolutions.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4272011F.9040707@netmagicsolutions.com> User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org Subject: Re: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Apr 2005 04:33:26 -0000 On Fri, Apr 29, 2005 at 03:10:47PM +0530, Siddhartha Jain wrote: > Hi, > > I am using IPFW on FreeBSD 4.11 > > I am facing two problems: > - SSH sessions timeout after a while Use stateful connections. (i.e. use a setup rule and a subsequent established rule). -- Peter C. Lai University of Connecticut Dept. of Molecular and Cell Biology Yale University School of Medicine SenseLab | Research Assistant http://cowbert.2y.net/ From owner-freebsd-security@FreeBSD.ORG Fri Apr 29 22:26:40 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 70F3C16A4CE for ; Fri, 29 Apr 2005 22:26:40 +0000 (GMT) Received: from redqueen.evilcoder-services.org (redqueen.evilcoder-services.org [217.148.169.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id 24EBB43D2D for ; Fri, 29 Apr 2005 22:26:40 +0000 (GMT) (envelope-from remko@freebsd.org) Received: from localhost (localhost [127.0.0.1])47BDD2954DB; Sat, 30 Apr 2005 00:26:39 +0200 (CEST) Received: from redqueen.evilcoder-services.org ([127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03039-08; Sat, 30 Apr 2005 00:26:38 +0200 (CEST) Message-ID: <4272B49D.6050805@FreeBSD.org> Date: Sat, 30 Apr 2005 00:26:37 +0200 
From: Remko Lodder User-Agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Neo-Vortex References: <4272011F.9040707@netmagicsolutions.com> <20050429194242.I78552@Neo-Vortex.net> <20050429203417.P85987@Neo-Vortex.net> <20050430001910.C3271@a2.scoop.co.nz> <20050429225510.P6468@Neo-Vortex.net> In-Reply-To: <20050429225510.P6468@Neo-Vortex.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by the evilcoder-services.org maildomain X-Mailman-Approved-At: Sat, 30 Apr 2005 13:32:45 +0000 cc: freebsd-security@freebsd.org cc: Siddhartha Jain Subject: Re: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 22:26:40 -0000 Neo-Vortex wrote: > > On Sat, 30 Apr 2005, Andrew McNaughton wrote: > > >>1% is way too much. use nohup. eg: > > > SSH dies, asin i get "Connection reset by peer" and my ssh session closes, > i can restart it fine though and the rest of the rules are parsed fine, > also, i dont get that on the window that im loading the firewall rulesets, > only on my other session wich has irssi running wich sends a packet once > every second to update the time... the box never needs to be physically > touched :) > > ~Neo-Vortex The best reply sofar (imho) was to use screen. When i reload my ruleset i do that with: pfctl -Fa -f /etc/pf.conf.new && sleep 180 && pfctl -Fa -f /etc/pf.conf where the new file is my test setup and the other file is the current working one. When i reload them with screen i am sure that the commands read correctly and even when i get kicked out the screen application still carries the commands given. 
In worst case i can access the machine again after three minutes, which isn't that bad ;-) Just my 0.02E(urocents) -- Kind regards, Remko Lodder ** remko@elvandar.org Reporter DSINET ** remko@DSINet.org Founder Tienervaders ** remko@tienervaders.org FreeBSD Documentation Project ** remko@FreeBSD.org From owner-freebsd-security@FreeBSD.ORG Sat Apr 30 14:56:30 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D49516A4CE for ; Sat, 30 Apr 2005 14:56:30 +0000 (GMT) Received: from secnap2.secnap.com (secnap2.secnap.net [204.89.241.128]) by mx1.FreeBSD.org (Postfix) with ESMTP id BDD7643D5A for ; Sat, 30 Apr 2005 14:56:29 +0000 (GMT) (envelope-from scheidell@secnap.net) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0 Date: Sat, 30 Apr 2005 10:56:29 -0400 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: IPFW disconnections and resets Thread-Index: AcVMtgRILp+v9UV2RfKrXRpXMqy/jQA3mOaw From: "Michael Scheidell" To: "Siddhartha Jain" , Subject: RE: IPFW disconnections and resets X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Apr 2005 14:56:30 -0000 > -----Original Message----- 
> From: owner-freebsd-security@freebsd.org=20 > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of=20 > Siddhartha Jain > Sent: Friday, April 29, 2005 8:21 AM > To: freebsd-security@freebsd.org > Subject: Re: IPFW disconnections and resets >=20 > Just out of curiosity, why is that IPFW behaves this way and=20 > PF and IPF don't? >=20 > - Siddhartha I think if you recompile kernel with: options IPFIREWALL_DEFAULT_TO_ACCEPT (default is to deny) then it will work like pf and ipf. Think about it, if default is to deny, and you just flushed all the rules, it did exactlay what you told it to do: deny all connections by default. This also may explain the one thag gets dropped 1% of the time.
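The thread offers three pieces of one remote-reload procedure: run the reload under screen or nohup so a dropped ssh session cannot kill it (Andrew, Remko), schedule a timed revert to the known-good ruleset so a bad rule file locks you out for minutes rather than permanently (Remko's pfctl && sleep && pfctl one-liner, Michael's sleep && reboot), and write the rules stateful with a setup rule and an established rule so in-flight ssh sessions are matched by the new ruleset as soon as it is loaded (Peter). The script below, added here as an illustration and not code from anyone in the thread, puts those together for ipfw. The file names, the 180 second timeout, the confirm-file convention, the ruleset sanity check and the sample rules are all assumptions made for this example; the sample rules are trimmed to what the point needs and are not a complete firewall.

```shell
#!/bin/sh
# safe_fw_reload.sh: reload an ipfw ruleset remotely with a dead-man timer.
# Constructed example for this page, not anyone's production script.
# Run it under screen(1) or nohup(1): the timer must outlive the ssh session
# that started it, otherwise a dropped session also drops the rollback.

NEW_RULES=${NEW_RULES:-/etc/ipfw.rules.new}      # candidate ruleset (assumed path)
GOOD_RULES=${GOOD_RULES:-/etc/ipfw.rules}        # known-good ruleset (assumed path)
CONFIRM_FILE=${CONFIRM_FILE:-/var/run/fw_reload.ok}
ROLLBACK_SECS=${ROLLBACK_SECS:-180}              # same grace period Remko uses
IPFW=${IPFW:-/sbin/ipfw}                         # IPFW=echo gives a dry run

# Write a sample ruleset in ipfw(8) file syntax. "flush" is the first
# command so flush and reload happen in one ipfw invocation; the
# "established" rule is what lets an ssh session already in progress
# survive the reload, and the "setup" rule admits new ssh connections.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
flush
add 100 allow tcp from any to any established
add 200 allow tcp from any to me 22 setup
add 300 allow tcp from me to any setup
add 65000 deny log ip from any to any
EOF
}

# Refuse a candidate that would lock us out: it must flush first, keep
# established TCP flowing, and admit new connections to port 22.
validate_ruleset() {
    f=$1
    [ -r "$f" ] || { echo "ruleset $f not readable" >&2; return 1; }
    head -n 1 "$f" | grep -q '^flush$' \
        || { echo "$f: first line must be flush" >&2; return 1; }
    grep -Eq '^add [0-9]+ allow tcp from any to any established' "$f" \
        || { echo "$f: no established rule" >&2; return 1; }
    grep -Eq '^add [0-9]+ allow tcp from .* to (me|any) (22|ssh)( |$).*setup' "$f" \
        || { echo "$f: no ssh setup rule" >&2; return 1; }
}

# Load a rule file; -q silences per-rule output, -f skips the flush prompt.
load_rules() {
    "$IPFW" -q -f "$1"
}

# Timer action: if the operator touched the confirm file, the new rules
# stay (the file is consumed); otherwise the known-good rules come back.
rollback_if_unconfirmed() {
    if [ -e "$CONFIRM_FILE" ]; then
        rm -f "$CONFIRM_FILE"
        echo "kept"
        return 0
    fi
    load_rules "$GOOD_RULES" && echo "rolled back"
}

# Validate, load the candidate, and arm the timer in a background subshell.
reload_with_rollback() {
    validate_ruleset "$NEW_RULES" || return 1
    rm -f "$CONFIRM_FILE"
    load_rules "$NEW_RULES" || return 1
    ( sleep "$ROLLBACK_SECS"; rollback_if_unconfirmed ) &
    echo "new rules loaded; touch $CONFIRM_FILE within ${ROLLBACK_SECS}s to keep them"
}

# Entry point: "sh safe_fw_reload.sh run" performs the reload; sourcing the
# file only defines the functions.
if [ "${1:-}" = "run" ]; then
    reload_with_rollback
fi
```

Typical use is `screen` (or `nohup sh safe_fw_reload.sh run &`), then, once a fresh ssh login through the new rules has succeeded, `touch /var/run/fw_reload.ok` before the timer fires; if the login fails, the box reverts on its own after three minutes. `IPFW=echo sh safe_fw_reload.sh run` exercises the whole path without touching the firewall. Note that the flush inside the rule file still leaves a brief default-deny gap on a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT, exactly as Michael describes; the established rule does not close that gap, it only ensures the session is accepted again the moment the new rules are in place.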