Date: Mon, 15 May 2006 12:35:27 GMT From: soc-bushman <soc-bushman@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 97190 for review Message-ID: <200605151235.k4FCZR8c079103@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=97190 Change 97190 by soc-bushman@soc-bushman_stinger on 2006/05/15 12:35:02 revisions integrated Affected files ... .. //depot/projects/soc2005/nsswitch_cached/src/etc/Makefile#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/cached.conf#2 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/defaults/periodic.conf#2 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/defaults/rc.conf#5 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/etc.sparc64/ttys#2 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/mtree/BSD.root.dist#2 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/nsswitch.conf#1 branch .. //depot/projects/soc2005/nsswitch_cached/src/etc/periodic/security/600.ip6fwdenied#2 delete .. //depot/projects/soc2005/nsswitch_cached/src/etc/periodic/security/650.ip6fwlimit#2 delete .. //depot/projects/soc2005/nsswitch_cached/src/etc/periodic/security/Makefile#2 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/Makefile#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/cached#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/ip6fw#2 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/jail#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/nsswitch#3 edit .. //depot/projects/soc2005/nsswitch_cached/src/etc/rc.firewall6#2 integrate .. //depot/projects/soc2005/nsswitch_cached/src/include/netdb.h#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/include/nsswitch.h#10 integrate .. //depot/projects/soc2005/nsswitch_cached/src/include/resolv.h#5 integrate .. //depot/projects/soc2005/nsswitch_cached/src/include/rpc/rpcent.h#5 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/Makefile#7 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/gen/getgrent.c#10 integrate .. 
//depot/projects/soc2005/nsswitch_cached/src/lib/libc/gen/getpwent.c#13 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/gen/syslog.c#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/i386/sys/i386_set_watch.3#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/include/nscache.h#3 edit .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/include/nscachedcli.h#3 edit .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/Makefile.inc#9 edit .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/getaddrinfo.c#14 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/gethostbydns.c#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/gethostbyht.c#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/gethostbyname.3#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/gethostbynis.c#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/gethostnamadr.c#12 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/getnetnamadr.c#5 edit .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/getproto.c#7 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/getprotoent.c#12 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/getprotoname.c#7 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/getservent.c#22 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/name6.c#12 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/netdb_private.h#11 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/nscache.c#11 edit .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/nscachedcli.c#12 edit .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/nsdispatch.c#18 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/net/nsparser.y#5 integrate .. 
//depot/projects/soc2005/nsswitch_cached/src/lib/libc/rpc/getrpcent.c#12 integrate .. //depot/projects/soc2005/nsswitch_cached/src/lib/libc/stdlib/malloc.c#5 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/Makefile#9 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/bluetooth/sdpd/server.c#5 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/Makefile#9 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/agent.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/agent.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/agents/Makefile.inc#3 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/agents/group.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/agents/group.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/agents/passwd.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/agents/passwd.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/agents/services.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/agents/services.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cached.8#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cached.c#4 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cached.conf#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cached.conf.5#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cachedcli.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cachedcli.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cachelib.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cachelib.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cacheplcs.c#2 edit .. 
//depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/cacheplcs.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/config.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/config.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/debug.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/debug.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/hashtable.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/log.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/log.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/mp_rs_query.c#4 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/mp_rs_query.h#3 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/mp_ws_query.c#4 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/mp_ws_query.h#3 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/parser.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/parser.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/protocol.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/protocol.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/query.c#4 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/query.h#3 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/singletons.c#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/cached/singletons.h#2 edit .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/alias.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/controller.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/curses.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/dial.c#3 integrate .. 
//depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/exec.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/fsm.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/holiday.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/isdnd.h#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/log.c#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/main.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/monitor.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/msghdl.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/process.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/rates.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/rc_config.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/support.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdnd/timer.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/i4b/isdntest/main.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/jail/jail.8#5 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/jail/jail.c#5 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/mergemaster/mergemaster.8#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/mergemaster/mergemaster.sh#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/mount_nwfs/mount_nwfs.c#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/mountd/mountd.8#3 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/portsnap/phttpget/phttpget.c#6 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/portsnap/portsnap/portsnap.8#5 integrate .. 
//depot/projects/soc2005/nsswitch_cached/src/usr.sbin/portsnap/portsnap/portsnap.sh#7 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/sysinstall/installUpgrade.c#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/sysinstall/sysinstall.8#4 integrate .. //depot/projects/soc2005/nsswitch_cached/src/usr.sbin/sysinstall/sysinstall.h#6 integrate Differences ... ==== //depot/projects/soc2005/nsswitch_cached/src/etc/Makefile#4 (text+ko) ==== @@ -1,5 +1,5 @@ # from: @(#)Makefile 5.11 (Berkeley) 5/21/91 -# $FreeBSD: src/etc/Makefile,v 1.354 2006/03/17 18:54:20 ru Exp $ +# $FreeBSD: src/etc/Makefile,v 1.356 2006/05/03 15:14:46 ume Exp $ .include <bsd.own.mk> @@ -11,8 +11,8 @@ crontab csh.cshrc csh.login csh.logout devd.conf devfs.conf \ dhclient.conf disktab fbtab ftpusers gettytab group \ hosts hosts.allow hosts.equiv hosts.lpd \ - inetd.conf login.access login.conf \ - mac.conf motd netconfig network.subr networks newsyslog.conf \ + inetd.conf login.access login.conf mac.conf motd \ + netconfig network.subr networks newsyslog.conf nsswitch.conf \ portsnap.conf pf.conf pf.os phones profile protocols \ rc rc.bsdextended rc.firewall rc.firewall6 rc.initdiskless \ rc.sendmail rc.shutdown \ @@ -35,7 +35,7 @@ BIN1+= printcap .endif -.if !defined(NO_NS_CACHING) +.if ${MK_NS_CACHING} != "no" BIN1+= cached.conf .endif ==== //depot/projects/soc2005/nsswitch_cached/src/etc/cached.conf#2 (text+ko) ==== ==== //depot/projects/soc2005/nsswitch_cached/src/etc/defaults/periodic.conf#2 (text+ko) ==== @@ -13,7 +13,7 @@ # For a more detailed explanation of all the periodic.conf variables, please # refer to the periodic.conf(5) manual page. # -# $FreeBSD: src/etc/defaults/periodic.conf,v 1.37 2006/03/02 14:46:00 brueffer Exp $ +# $FreeBSD: src/etc/defaults/periodic.conf,v 1.38 2006/05/12 19:17:33 mlaier Exp $ # # What files override these defaults ? 
@@ -171,15 +171,9 @@ # 550.ipfwlimit daily_status_security_ipfwlimit_enable="YES" -# 600.ip6fwdenied -daily_status_security_ip6fwdenied_enable="YES" - # 610.ipf6denied daily_status_security_ipf6denied_enable="YES" -# 650.ip6fwlimit -daily_status_security_ip6fwlimit_enable="YES" - # 700.kernelmsg daily_status_security_kernelmsg_enable="YES" ==== //depot/projects/soc2005/nsswitch_cached/src/etc/defaults/rc.conf#5 (text+ko) ==== @@ -15,7 +15,7 @@ # For a more detailed explanation of all the rc.conf variables, please # refer to the rc.conf(5) manual page. # -# $FreeBSD: src/etc/defaults/rc.conf,v 1.281 2006/04/18 15:02:24 flz Exp $ +# $FreeBSD: src/etc/defaults/rc.conf,v 1.283 2006/05/11 14:23:43 flz Exp $ ############################################################## ### Important initial Boot-time options #################### @@ -472,7 +472,7 @@ auditd_enable="NO" # Run the audit daemon. auditd_flags="" # Which options to pass to the audit daemon. -cached_enable="NO" # Run the nsswitch caching daemon +cached_enable="NO" # Run the nsswitch caching daemon. cron_enable="YES" # Run the periodic job daemon. cron_program="/usr/sbin/cron" # Which cron executable to run (if enabled). cron_dst="YES" # Handle DST transitions intelligently (YES/NO) 
@@ -555,11 +555,15 @@ # # To use rc's built-in jail infrastructure create entries for # each jail, specified in jail_list, with the following variables. -# NOTE: replace 'example' with the jail's name. +# NOTES: +# - replace 'example' with the jail's name. +# - except rootdir, hostname and ip, all of the following variables may be made +# global jail variables if you don't specify a jail name (ie. jail_interface). # #jail_example_rootdir="/usr/jail/default" # Jail's root directory #jail_example_hostname="default.domain.com" # Jail's hostname #jail_example_ip="192.168.0.10" # Jail's IP number +#jail_example_interface="" # Interface to create the IP alias on #jail_example_exec_start="/bin/sh /etc/rc" # command to execute in jail for starting #jail_example_exec_stop="/bin/sh /etc/rc.shutdown" # command to execute in jail for stopping #jail_example_devfs_enable="NO" # mount devfs in the jail ==== //depot/projects/soc2005/nsswitch_cached/src/etc/etc.sparc64/ttys#2 (text+ko) ==== @@ -1,5 +1,5 @@ # -# $FreeBSD: src/etc/etc.sparc64/ttys,v 1.12 2006/02/04 23:30:09 marius Exp $ +# $FreeBSD: src/etc/etc.sparc64/ttys,v 1.13 2006/04/25 19:43:53 marius Exp $ # @(#)ttys 5.1 (Berkeley) 4/17/89 # # This file specifies various information about terminals on the system. @@ -35,9 +35,6 @@ screen "/usr/libexec/getty Pc" vt100 off secure ttya "/usr/libexec/getty 3wire.9600" vt100 off secure ttyb "/usr/libexec/getty 3wire.9600" vt100 off secure -# sab(4) -ttyz0 "/usr/libexec/getty 3wire.9600" vt100 off secure -ttyz1 "/usr/libexec/getty 3wire.9600" vt100 off secure # syscons(4) ttyv0 "/usr/libexec/getty Pc" cons25 on secure # Virtual terminals ==== //depot/projects/soc2005/nsswitch_cached/src/etc/mtree/BSD.root.dist#2 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/etc/mtree/BSD.root.dist,v 1.76 2005/12/29 14:40:19 dfr Exp $ +# $FreeBSD: src/etc/mtree/BSD.root.dist,v 1.77 2006/05/10 18:53:15 marcus Exp $ # # Please see the file src/etc/mtree/README before making changes to this file. # 
@@ -69,6 +69,8 @@ .. libexec .. + media + .. mnt .. proc mode=0555 ==== //depot/projects/soc2005/nsswitch_cached/src/etc/periodic/security/Makefile#2 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/etc/periodic/security/Makefile,v 1.4 2004/11/24 18:41:53 mlaier Exp $ +# $FreeBSD: src/etc/periodic/security/Makefile,v 1.5 2006/05/12 19:17:34 mlaier Exp $ FILES= 100.chksetuid \ 200.chkmounts \ @@ -8,8 +8,6 @@ 510.ipfdenied \ 520.pfdenied \ 550.ipfwlimit \ - 600.ip6fwdenied \ - 650.ip6fwlimit \ 700.kernelmsg \ 800.loginfail \ 900.tcpwrap \ ==== //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/Makefile#4 (text+ko) ==== @@ -1,5 +1,5 @@ # $NetBSD: Makefile,v 1.16 2001/01/14 15:37:22 minoura Exp $ -# $FreeBSD: src/etc/rc.d/Makefile,v 1.69 2006/03/28 18:28:33 simon Exp $ +# $FreeBSD: src/etc/rc.d/Makefile,v 1.70 2006/04/28 12:03:33 ume Exp $ .include <bsd.own.mk> @@ -46,7 +46,7 @@ FILES+= sshd .endif -.if !defined(NO_NS_CACHING) +.if ${MK_NS_CACHING} != "no" FILES+= cached .endif ==== //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/cached#3 (text+ko) ==== ==== //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/ip6fw#2 (text+ko) ==== @@ -1,6 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/rc.d/ip6fw,v 1.6 2004/10/07 13:55:26 mtm Exp $ +# $FreeBSD: src/etc/rc.d/ip6fw,v 1.7 2006/05/12 19:17:34 mlaier Exp $ # # PROVIDE: ip6fw @@ -20,7 +20,7 @@ { # Load IPv6 firewall module, if not already loaded if ! ${SYSCTL} net.inet6.ip6.fw.enable > /dev/null 2>&1; then - kldload ip6fw && { + kldload ipfw && { debug 'Kernel IPv6 firewall module loaded.' return 0 } @@ -41,7 +41,7 @@ if [ -r "${ipv6_firewall_script}" ]; then . "${ipv6_firewall_script}" echo 'IPv6 Firewall rules loaded.' - elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then + elif [ "`ipfw show 65535`" = "65535 deny ip from any to any" ]; then warn 'IPv6 firewall rules have not been loaded. Default' \ ' to DENY all access.' fi 
@@ -50,7 +50,7 @@ # if checkyesno ipv6_firewall_logging; then echo 'IPv6 Firewall logging=YES' - sysctl net.inet6.ip6.fw.verbose=1 >/dev/null + sysctl net.inet.ip.fw.verbose=1 >/dev/null fi # Enable the firewall ==== //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/jail#3 (text+ko) ==== @@ -1,6 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/rc.d/jail,v 1.27 2006/04/08 12:15:35 flz Exp $ +# $FreeBSD: src/etc/rc.d/jail,v 1.32 2006/05/11 14:23:43 flz Exp $ # # PROVIDE: jail 
@@ -27,65 +27,76 @@ return fi - eval jail_rootdir=\"\$jail_${_j}_rootdir\" - jail_devdir="${jail_rootdir}/dev" - jail_fdescdir="${jail_devdir}/fd" - jail_procdir="${jail_rootdir}/proc" - eval jail_hostname=\"\$jail_${_j}_hostname\" - eval jail_ip=\"\$jail_${_j}_ip\" - eval jail_interface=\"\${jail_${_j}_interface:-${jail_interface}}\" - eval jail_exec=\"\$jail_${_j}_exec\" - eval jail_exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\" - eval jail_exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\" - if [ -n "${jail_exec}" ]; then + eval _rootdir=\"\$jail_${_j}_rootdir\" + _devdir="${_rootdir}/dev" + _fdescdir="${_devdir}/fd" + _procdir="${_rootdir}/proc" + eval _hostname=\"\$jail_${_j}_hostname\" + eval _ip=\"\$jail_${_j}_ip\" + eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\" + eval _exec=\"\$jail_${_j}_exec\" + eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\" + eval _exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\" + if [ -n "${_exec}" ]; then # simple/backward-compatible execution - jail_exec_start="${jail_exec}" - jail_exec_stop="" + _exec_start="${_exec}" + _exec_stop="" else # flexible execution - if [ -z "${jail_exec_start}" ]; then - jail_exec_start="/bin/sh /etc/rc" - if [ -z "${jail_exec_stop}" ]; then - jail_exec_stop="/bin/sh /etc/rc.shutdown" + if [ -z "${_exec_start}" ]; then + _exec_start="/bin/sh /etc/rc" + if [ -z "${_exec_stop}" ]; then + _exec_stop="/bin/sh /etc/rc.shutdown" fi fi fi # The default jail ruleset will be used by rc.subr if none is specified. 
- eval jail_ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\" - eval jail_devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\" - [ -z "${jail_devfs}" ] && jail_devfs="NO" - eval jail_fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\" - [ -z "${jail_fdescfs}" ] && jail_fdescfs="NO" - eval jail_procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\" - [ -z "${jail_procfs}" ] && jail_procfs="NO" + eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\" + eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\" + [ -z "${_devfs}" ] && _devfs="NO" + eval _fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\" + [ -z "${_fdescfs}" ] && _fdescfs="NO" + eval _procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\" + [ -z "${_procfs}" ] && _procfs="NO" - eval jail_mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\" - [ -z "${jail_mount}" ] && jail_mount="NO" + eval _mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\" + [ -z "${_mount}" ] && _mount="NO" # "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified. 
- eval jail_fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\" - [ -z "${jail_fstab}" ] && jail_fstab="/etc/fstab.${_j}" - eval jail_flags=\"\${jail_${_j}_flags:-${jail_flags}}\" - [ -z "${jail_flags}" ] && jail_flags="-l -U root" + eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\" + [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}" + eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\" + [ -z "${_flags}" ] && _flags="-l -U root" # Debugging aid # - debug "$_j devfs enable: $jail_devfs" - debug "$_j fdescfs enable: $jail_fdescfs" - debug "$_j procfs enable: $jail_procfs" - debug "$_j mount enable: $jail_mount" - debug "$_j hostname: $jail_hostname" - debug "$_j ip: $jail_ip" - debug "$_j interface: $jail_interface" - debug "$_j root: $jail_rootdir" - debug "$_j devdir: $jail_devdir" - debug "$_j fdescdir: $jail_fdescdir" - debug "$_j procdir: $jail_procdir" - debug "$_j ruleset: $jail_ruleset" - debug "$_j fstab: $jail_fstab" - debug "$_j exec start: $jail_exec_start" - debug "$_j exec stop: $jail_exec_stop" - debug "$_j flags: $jail_flags" + debug "$_j devfs enable: $_devfs" + debug "$_j fdescfs enable: $_fdescfs" + debug "$_j procfs enable: $_procfs" + debug "$_j mount enable: $_mount" + debug "$_j hostname: $_hostname" + debug "$_j ip: $_ip" + debug "$_j interface: $_interface" + debug "$_j root: $_rootdir" + debug "$_j devdir: $_devdir" + debug "$_j fdescdir: $_fdescdir" + debug "$_j procdir: $_procdir" + debug "$_j ruleset: $_ruleset" + debug "$_j fstab: $_fstab" + debug "$_j exec start: $_exec_start" + debug "$_j exec stop: $_exec_stop" + debug "$_j flags: $_flags" + + if [ -z "${_hostname}" ]; then + err 3 "$name: No hostname has been defined for ${_j}" + fi + if [ -z "${_rootdir}" ]; then + err 3 "$name: No root directory has been defined for ${_j}" + fi + if [ -z "${_ip}" ]; then + err 3 "$name: No IP address has been defined for ${_j}" + fi + } # set_sysctl rc_knob mib msg 
@@ -122,24 +133,24 @@ # jail_umount_fs() { - if checkyesno jail_fdescfs; then - if [ -d "${jail_fdescdir}" ] ; then - umount -f ${jail_fdescdir} >/dev/null 2>&1 + if checkyesno _fdescfs; then + if [ -d "${_fdescdir}" ] ; then + umount -f ${_fdescdir} >/dev/null 2>&1 fi fi - if checkyesno jail_devfs; then - if [ -d "${jail_devdir}" ] ; then - umount -f ${jail_devdir} >/dev/null 2>&1 + if checkyesno _devfs; then + if [ -d "${_devdir}" ] ; then + umount -f ${_devdir} >/dev/null 2>&1 fi fi - if checkyesno jail_procfs; then - if [ -d "${jail_procdir}" ] ; then - umount -f ${jail_procdir} >/dev/null 2>&1 + if checkyesno _procfs; then + if [ -d "${_procdir}" ] ; then + umount -f ${_procdir} >/dev/null 2>&1 fi fi - if checkyesno jail_mount; then - [ -f "${jail_fstab}" ] || warn "${jail_fstab} does not exist" - umount -a -F "${jail_fstab}" >/dev/null 2>&1 + if checkyesno _mount; then + [ -f "${_fstab}" ] || warn "${_fstab} does not exist" + umount -a -F "${_fstab}" >/dev/null 2>&1 fi } 
@@ -161,29 +172,29 @@ do init_variables $_jail if [ -f /var/run/jail_${_jail}.id ]; then - echo -n " [${jail_hostname} already running (/var/run/jail_${_jail}.id exists)]" + echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]" continue; fi - if [ -n ${jail_interface} ]; then - ifconfig ${jail_interface} alias ${jail_ip} netmask 255.255.255.255 + if [ -n "${_interface}" ]; then + ifconfig ${_interface} alias ${_ip} netmask 255.255.255.255 fi - if checkyesno jail_mount; then - info "Mounting fstab for jail ${_jail} (${jail_fstab})" - if [ ! -f "${jail_fstab}" ]; then - err 3 "$name: ${jail_fstab} does not exist" + if checkyesno _mount; then + info "Mounting fstab for jail ${_jail} (${_fstab})" + if [ ! -f "${_fstab}" ]; then + err 3 "$name: ${_fstab} does not exist" fi - mount -a -F "${jail_fstab}" + mount -a -F "${_fstab}" fi - if checkyesno jail_devfs; then + if checkyesno _devfs; then # If devfs is already mounted here, skip it. - df -t devfs "${jail_devdir}" >/dev/null + df -t devfs "${_devdir}" >/dev/null if [ $? -ne 0 ]; then - info "Mounting devfs on ${jail_devdir}" - devfs_mount_jail "${jail_devdir}" ${jail_ruleset} + info "Mounting devfs on ${_devdir}" + devfs_mount_jail "${_devdir}" ${_ruleset} # Transitional symlink for old binaries - if [ ! -L "${jail_devdir}/log" ]; then + if [ ! -L "${_devdir}/log" ]; then __pwd="`pwd`" - cd "${jail_devdir}" + cd "${_devdir}" ln -sf ../var/run/log log cd "$__pwd" fi 
@@ -193,28 +204,37 @@ # is a devfs(5) device of the same name. # Jail console output # __pwd="`pwd`" - # cd "${jail_devdir}" + # cd "${_devdir}" # ln -sf ../var/log/console console # cd "$__pwd" fi - if checkyesno jail_fdescfs; then - info "Mounting fdescfs on ${jail_fdescdir}" - mount -t fdescfs fdesc "${jail_fdescdir}" + if checkyesno _fdescfs; then + info "Mounting fdescfs on ${_fdescdir}" + mount -t fdescfs fdesc "${_fdescdir}" fi - if checkyesno jail_procfs; then - info "Mounting procfs onto ${jail_procdir}" - if [ -d "${jail_procdir}" ] ; then - mount -t procfs proc "${jail_procdir}" + if checkyesno _procfs; then + info "Mounting procfs onto ${_procdir}" + if [ -d "${_procdir}" ] ; then + mount -t procfs proc "${_procdir}" fi fi _tmp_jail=${_tmp_dir}/jail.$$ - eval jail ${jail_flags} -i ${jail_rootdir} ${jail_hostname} \ - ${jail_ip} ${jail_exec_start} > ${_tmp_jail} 2>&1 - [ "$?" -eq 0 ] && echo -n " $jail_hostname" - _jail_id=$(head -1 ${_tmp_jail}) - tail +2 ${_tmp_jail} >${jail_rootdir}/var/log/console.log + eval jail ${_flags} -i ${_rootdir} ${_hostname} \ + ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1 + if [ "$?" -eq 0 ] ; then + echo -n " $_hostname" + _jail_id=$(head -1 ${_tmp_jail}) + tail +2 ${_tmp_jail} >${_rootdir}/var/log/console.log + echo ${_jail_id} > /var/run/jail_${_jail}.id + else + jail_umount_fs + if [ -n "${jail_interface}" ]; then + ifconfig ${jail_interface} -alias ${jail_ip} + fi + echo " cannot start jail \"${_jail}\": " + tail +2 ${_tmp_jail} + fi rm -f ${_tmp_jail} - echo ${_jail_id} > /var/run/jail_${_jail}.id done rmdir ${_tmp_dir} echo '.' 
@@ -229,22 +249,22 @@ _jail_id=$(cat /var/run/jail_${_jail}.id) if [ ! -z "${_jail_id}" ]; then init_variables $_jail - if [ -n "${jail_exec_stop}" ]; then - eval env -i /usr/sbin/jexec ${_jail_id} ${jail_exec_stop} \ - >> ${jail_rootdir}/var/log/console.log 2>&1 + if [ -n "${_exec_stop}" ]; then + eval env -i /usr/sbin/jexec ${_jail_id} ${_exec_stop} \ + >> ${_rootdir}/var/log/console.log 2>&1 fi killall -j ${_jail_id} -TERM > /dev/null 2>&1 sleep 1 killall -j ${_jail_id} -KILL > /dev/null 2>&1 jail_umount_fs - echo -n " $jail_hostname" + echo -n " $_hostname" fi - if [ -n ${jail_interface} ]; then - ifconfig ${jail_interface} -alias ${jail_ip} + if [ -n "${_interface}" ]; then + ifconfig ${_interface} -alias ${_ip} fi rm /var/run/jail_${_jail}.id else - echo "cannot stop jail ${_jail}. No jail id in /var/run" + echo " cannot stop jail ${_jail}. No jail id in /var/run" fi done echo '.' ==== //depot/projects/soc2005/nsswitch_cached/src/etc/rc.d/nsswitch#3 (text+ko) ==== @@ -23,7 +23,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/rc.d/nsswitch,v 1.7 2006/04/12 12:01:53 ume Exp $ +# $FreeBSD: src/etc/rc.d/nsswitch,v 1.11 2006/05/03 15:14:47 ume Exp $ # # PROVIDE: nsswitch 
@@ -36,50 +36,6 @@ start_cmd="nsswitch_start" stop_cmd=":" -convert_host_conf() -{ - host_conf=$1; shift; - nsswitch_conf=$1; shift; - - while read line; do - line=${line##[ ]} - case $line in - hosts|local|file) - _nsswitch="${_nsswitch}${_nsswitch+ }files" - ;; - dns|bind) - _nsswitch="${_nsswitch}${_nsswitch+ }dns" - ;; - nis) - _nsswitch="${_nsswitch}${_nsswitch+ }nis" - ;; - '#'*) - ;; - *) - printf "Warning: unrecognized line [%s]", $line > "/dev/stderr" - ;; - - esac - done < $host_conf - - echo "hosts: $_nsswitch" > $nsswitch_conf -} - -generate_nsswitch_conf() -{ - nsswitch_conf=$1; shift; - - cat >$nsswitch_conf <<EOF -group: compat -group_compat: nis -hosts: files dns -networks: files -passwd: compat -passwd_compat: nis -shells: files -EOF -} - generate_host_conf() { nsswitch_conf=$1; shift; @@ -130,25 +86,11 @@ nsswitch_start() { - # Convert host.conf to nsswitch.conf if necessary - # - if [ -f "/etc/host.conf" -a ! -f "/etc/nsswitch.conf" ]; then - echo '' - echo 'Warning: /etc/host.conf is no longer used' - echo ' /etc/nsswitch.conf will be created for you' - convert_host_conf /etc/host.conf /etc/nsswitch.conf - fi - - # Generate default nsswitch.conf if none exists - # - if [ ! -f "/etc/nsswitch.conf" ]; then - echo 'Generating nsswitch.conf.' - generate_nsswitch_conf /etc/nsswitch.conf - fi - # Generate host.conf for compatibility # - if [ ! -f "/etc/host.conf" ]; then + if [ ! -f "/etc/host.conf" -o \ + "/etc/host.conf" -ot "/etc/nsswitch.conf" ] + then echo 'Generating host.conf.' generate_host_conf /etc/nsswitch.conf /etc/host.conf fi ==== //depot/projects/soc2005/nsswitch_cached/src/etc/rc.firewall6#2 (text+ko) ==== @@ -1,7 +1,7 @@ #!/bin/sh - ############ # Setup system for IPv6 firewall service. -# $FreeBSD: src/etc/rc.firewall6,v 1.16 2005/10/05 07:00:42 ume Exp $ +# $FreeBSD: src/etc/rc.firewall6,v 1.17 2006/05/12 19:17:33 mlaier Exp $ # Suck in the configuration variables. if [ -z "${source_rc_confs_defined}" ]; then 
@@ -54,17 +54,17 @@ ############ # Only in rare cases do you want to change these rules # - ${fw6cmd} add 100 pass all from any to any via lo0 - ${fw6cmd} add 200 deny all from any to ::1 - ${fw6cmd} add 300 deny all from ::1 to any + ${fw6cmd} add 100 pass ip6 from any to any via lo0 + ${fw6cmd} add 200 deny ip6 from any to ::1 + ${fw6cmd} add 300 deny ip6 from ::1 to any # # ND # # DAD - ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16 + ${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp # RS, RA, NS, NA, redirect... - ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 - ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 + ${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp + ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp } if [ -n "${1}" ]; then @@ -76,10 +76,10 @@ # case ${ipv6_firewall_quiet} in [Yy][Ee][Ss]) - fw6cmd="/sbin/ip6fw -q" + fw6cmd="/sbin/ipfw -q" ;; *) - fw6cmd="/sbin/ip6fw" + fw6cmd="/sbin/ipfw" ;; esac @@ -102,7 +102,7 @@ case ${ipv6_firewall_type} in [Oo][Pp][Ee][Nn]) setup_local - ${fw6cmd} add 65000 pass all from any to any + ${fw6cmd} add 65000 pass ip6 from any to any ;; [Cc][Ll][Ii][Ee][Nn][Tt]) 
@@ -122,41 +122,42 @@ setup_local # Allow any traffic to or from my own net. - ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen} - ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip} + ${fw6cmd} add pass ip6 from ${ip} to ${net}/${prefixlen} + ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ${ip} # Allow any link-local multicast traffic - ${fw6cmd} add pass all from fe80::/10 to ff02::/16 - ${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16 + ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 + ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ff02::/16 # Allow TCP through if setup succeeded - ${fw6cmd} add pass tcp from any to any established + ${fw6cmd} add pass ip6 from any to any established proto tcp # Allow IP fragments to pass through - ${fw6cmd} add pass all from any to any frag + ${fw6cmd} add pass ip6 from any to any frag # Allow setup of incoming email - ${fw6cmd} add pass tcp from any to ${ip} 25 setup + ${fw6cmd} add pass ip6 from any to ${ip} 25 setup proto tcp # Allow setup of outgoing TCP connections only - ${fw6cmd} add pass tcp from ${ip} to any setup + ${fw6cmd} add pass ip6 from ${ip} to any setup proto tcp # Disallow setup of all other TCP connections - ${fw6cmd} add deny tcp from any to any setup + ${fw6cmd} add deny ip6 from any to any setup proto tcp # Allow DNS queries out in the world - ${fw6cmd} add pass udp from any 53 to ${ip} - ${fw6cmd} add pass udp from ${ip} to any 53 + ${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp + ${fw6cmd} add pass ip6 from ${ip} to any 53 proto udp # Allow NTP queries out in the world - ${fw6cmd} add pass udp from any 123 to ${ip} - ${fw6cmd} add pass udp from ${ip} to any 123 + ${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp + ${fw6cmd} add pass ip6 from ${ip} to any 123 proto udp # Allow ICMPv6 destination unreach - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1 + ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp # Allow NS/NA/toobig (don't 
filter it out) - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136 + ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ + proto ipv6-icmp # Everything else is denied by default, unless the # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel 
@@ -185,94 +186,96 @@ setup_local # Stop spoofing - ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif} - ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif} + ${fw6cmd} add deny ip6 from ${inet}/${iprefixlen} to any in via ${oif} + ${fw6cmd} add deny ip6 from ${onet}/${oprefixlen} to any in via ${iif} # Stop unique local unicast address on the outside interface - ${fw6cmd} add deny all from fc00::/7 to any via ${oif} - ${fw6cmd} add deny all from any to fc00::/7 via ${oif} + ${fw6cmd} add deny ip6 from fc00::/7 to any via ${oif} + ${fw6cmd} add deny ip6 from any to fc00::/7 via ${oif} # Stop site-local on the outside interface - ${fw6cmd} add deny all from fec0::/10 to any via ${oif} - ${fw6cmd} add deny all from any to fec0::/10 via ${oif} + ${fw6cmd} add deny ip6 from fec0::/10 to any via ${oif} + ${fw6cmd} add deny ip6 from any to fec0::/10 via ${oif} # Disallow "internal" addresses to appear on the wire. - ${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif} + ${fw6cmd} add deny ip6 from ::ffff:0.0.0.0/96 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::ffff:0.0.0.0/96 via ${oif} # Disallow packets to malicious IPv4 compatible prefix. 
- ${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif} - ${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif} - ${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif} - ${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif} - ${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif} + ${fw6cmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif} + ${fw6cmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif} + ${fw6cmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif} + ${fw6cmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif} - ${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif} + ${fw6cmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif} # Disallow packets to malicious 6to4 prefix. 
- ${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif} - ${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif} - ${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif} - ${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:e000::/20 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:e000::/20 via ${oif} + ${fw6cmd} add deny ip6 from 2002:7f00::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:7f00::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:0000::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:0000::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:ff00::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:ff00::/24 via ${oif} - ${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif} - ${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif} - ${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif} + ${fw6cmd} add deny ip6 from 2002:0a00::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:0a00::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:ac10::/28 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:ac10::/28 via ${oif} + ${fw6cmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif} - ${fw6cmd} add deny all from ff05::/16 to any via ${oif} - ${fw6cmd} add deny all from any to ff05::/16 via ${oif} + ${fw6cmd} add deny ip6 from ff05::/16 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ff05::/16 via ${oif} # 
Allow TCP through if setup succeeded ${fw6cmd} add pass tcp from any to any established # Allow IP fragments to pass through - ${fw6cmd} add pass all from any to any frag + ${fw6cmd} add pass ip6 from any to any frag # Allow setup of incoming email - ${fw6cmd} add pass tcp from any to ${oip} 25 setup + ${fw6cmd} add pass ip6 from any to ${oip} 25 setup proto tcp # Allow access to our DNS - ${fw6cmd} add pass tcp from any to ${oip} 53 setup - ${fw6cmd} add pass udp from any to ${oip} 53 - ${fw6cmd} add pass udp from ${oip} 53 to any + ${fw6cmd} add pass ip6 from any to ${oip} 53 setup proto tcp + ${fw6cmd} add pass ip6 from any to ${oip} 53 proto udp + ${fw6cmd} add pass ip6 from ${oip} 53 to any proto udp # Allow access to our WWW - ${fw6cmd} add pass tcp from any to ${oip} 80 setup + ${fw6cmd} add pass ip6 from any to ${oip} 80 setup proto tcp # Reject&Log all setup of incoming connections from the outside - ${fw6cmd} add deny log tcp from any to any in via ${oif} setup + ${fw6cmd} add deny log ip6 from any to any in via ${oif} setup \ + proto tcp # Allow setup of any other TCP connection - ${fw6cmd} add pass tcp from any to any setup + ${fw6cmd} add pass ip6 from any to any setup proto tcp # Allow DNS queries out in the world - ${fw6cmd} add pass udp from any 53 to ${oip} - ${fw6cmd} add pass udp from ${oip} to any 53 + ${fw6cmd} add pass ip6 from any 53 to ${oip} proto udp + ${fw6cmd} add pass ip6 from ${oip} to any 53 proto udp # Allow NTP queries out in the world - ${fw6cmd} add pass udp from any 123 to ${oip} - ${fw6cmd} add pass udp from ${oip} to any 123 + ${fw6cmd} add pass ip6 from any 123 to ${oip} proto udp + ${fw6cmd} add pass ip6 from ${oip} to any 123 proto udp # Allow RIPng - #${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521 - #${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521 + #${fw6cmd} add pass ip6 from fe80::/10 521 to ff02::9 521 proto udp + #${fw6cmd} add pass ip6 from fe80::/10 521 to fe80::/10 521 proto udp # Allow ICMPv6 
destination unreach - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1 + ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp # Allow NS/NA/toobig (don't filter it out) - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136 + ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ + proto ipv6-icmp # Everything else is denied by default, unless the # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel @@ -281,7 +284,7 @@ [Cc][Ll][Oo][Ss][Ee][Dd]) # Only enable the loopback interface - ${fw6cmd} add 100 pass all from any to any via lo0 + ${fw6cmd} add 100 pass ip6 from any to any via lo0 ;; >>> TRUNCATED FOR MAIL (1000 lines) <<<
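Review bot: in the client section (hunk at line 122), the rewritten outbound-query rules `${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp` and `${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp` still admit any UDP datagram whose source port is 53 or 123 to every port on ${ip}, because the match is on source port only; since these lines are being rewritten anyway, consider narrowing the destination to the unprivileged range (for example `to ${ip} 1024-65535`) or at least documenting in the "Allow DNS/NTP queries out in the world" comments that the rule relies on the remote source port rather than on any reply-state tracking.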
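Review bot: in the simple section (hunk at line 185), the line `${fw6cmd} add pass tcp from any to any established` under "# Allow TCP through if setup succeeded" is left untouched as context while the identical rule in the client section, and every other `tcp`/`udp` rule in this hunk, is converted to the `ip6 from ... proto tcp` form; with the old spelling this rule no longer matches the grammar of its neighbours (and, if ${fw6cmd} handles both address families, a bare `tcp` would match IPv4 too), so change it to `${fw6cmd} add pass ip6 from any to any established proto tcp` for consistency with the rest of the conversion.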
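Review bot: in the closed profile (hunk at line 281), `${fw6cmd} add 100 pass ip6 from any to any via lo0` keeps an explicit rule number 100 while every other rule in this patch is added without one; if ${fw6cmd} now shares a ruleset with the IPv4 firewall script, a fixed number can collide with or shadow an existing rule 100, so either drop the number or add a comment stating why it must be fixed.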