Date: Sat, 13 May 2006 00:07:01 GMT
From: Marcel Moolenaar <marcel@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 97040 for review
Message-ID: <200605130007.k4D0713g007263@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=97040

Change 97040 by marcel@marcel_nfs on 2006/05/13 00:06:52

IFC @97039

Affected files ...

.. //depot/projects/tty/etc/defaults/periodic.conf#8 integrate
.. //depot/projects/tty/etc/periodic/security/600.ip6fwdenied#3 delete
.. //depot/projects/tty/etc/periodic/security/650.ip6fwlimit#3 delete
.. //depot/projects/tty/etc/periodic/security/Makefile#3 integrate
.. //depot/projects/tty/etc/rc.d/ip6fw#5 integrate
.. //depot/projects/tty/etc/rc.firewall6#7 integrate
.. //depot/projects/tty/include/netdb.h#12 integrate
.. //depot/projects/tty/lib/libc/net/gethostbydns.c#9 integrate
.. //depot/projects/tty/lib/libc/net/gethostbyht.c#6 integrate
.. //depot/projects/tty/lib/libc/net/gethostbyname.3#8 integrate
.. //depot/projects/tty/lib/libc/net/gethostbynis.c#7 integrate
.. //depot/projects/tty/lib/libc/net/gethostnamadr.c#7 integrate
.. //depot/projects/tty/lib/libc/net/netdb_private.h#6 integrate
.. //depot/projects/tty/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#34 integrate
.. //depot/projects/tty/sbin/Makefile#20 integrate
.. //depot/projects/tty/sbin/ip6fw/Makefile#3 delete
.. //depot/projects/tty/sbin/ip6fw/ip6fw.8#8 delete
.. //depot/projects/tty/sbin/ip6fw/ip6fw.c#8 delete
.. //depot/projects/tty/sbin/ip6fw/sample.sh#2 delete
.. //depot/projects/tty/sbin/ipfw/ipfw.8#23 integrate
.. //depot/projects/tty/share/man/man4/ath.4#12 integrate
.. //depot/projects/tty/share/man/man5/periodic.conf.5#11 integrate
.. //depot/projects/tty/share/man/man5/rc.conf.5#26 integrate
.. //depot/projects/tty/share/man/man7/security.7#8 integrate
.. //depot/projects/tty/sys/boot/Makefile#9 integrate
.. //depot/projects/tty/sys/boot/common/Makefile.inc#7 integrate
.. //depot/projects/tty/sys/boot/common/load_elf.c#8 integrate
.. //depot/projects/tty/sys/boot/common/loader.8#17 integrate
.. //depot/projects/tty/sys/boot/efi/libefi/bootinfo.c#6 integrate
.. //depot/projects/tty/sys/boot/ficl/Makefile#8 integrate
.. //depot/projects/tty/sys/boot/ficl/alpha/sysdep.c#2 delete
.. //depot/projects/tty/sys/boot/ficl/alpha/sysdep.h#2 delete
.. //depot/projects/tty/sys/boot/ficl/loader.c#5 integrate
.. //depot/projects/tty/sys/boot/forth/loader.4th#2 integrate
.. //depot/projects/tty/sys/boot/ia64/ski/bootinfo.c#3 integrate
.. //depot/projects/tty/sys/boot/ia64/ski/conf.c#2 integrate
.. //depot/projects/tty/sys/boot/powerpc/loader/conf.c#3 integrate
.. //depot/projects/tty/sys/compat/linprocfs/linprocfs.c#15 integrate
.. //depot/projects/tty/sys/conf/NOTES#33 integrate
.. //depot/projects/tty/sys/conf/files#42 integrate
.. //depot/projects/tty/sys/conf/kern.post.mk#21 integrate
.. //depot/projects/tty/sys/conf/options#30 integrate
.. //depot/projects/tty/sys/contrib/pf/net/pf_ioctl.c#10 integrate
.. //depot/projects/tty/sys/dev/asr/asr.c#13 integrate
.. //depot/projects/tty/sys/dev/ata/ata-all.c#26 integrate
.. //depot/projects/tty/sys/dev/ata/ata-pci.c#20 integrate
.. //depot/projects/tty/sys/dev/atkbdc/atkbd.c#3 integrate
.. //depot/projects/tty/sys/dev/atkbdc/atkbdc.c#4 integrate
.. //depot/projects/tty/sys/dev/dc/if_dc.c#5 integrate
.. //depot/projects/tty/sys/dev/de/if_de.c#2 integrate
.. //depot/projects/tty/sys/dev/fb/tga.c#7 delete
.. //depot/projects/tty/sys/dev/fb/tga.h#3 delete
.. //depot/projects/tty/sys/dev/lge/if_lgereg.h#6 integrate
.. //depot/projects/tty/sys/dev/nge/if_ngereg.h#6 integrate
.. //depot/projects/tty/sys/dev/pdq/pdq_freebsd.h#9 integrate
.. //depot/projects/tty/sys/dev/pdq/pdqvar.h#6 integrate
.. //depot/projects/tty/sys/dev/ppc/ppc.c#6 integrate
.. //depot/projects/tty/sys/dev/sound/isa/es1888.c#5 delete
.. //depot/projects/tty/sys/dev/sound/isa/gusc.c#5 integrate
.. //depot/projects/tty/sys/dev/sym/sym_hipd.c#11 integrate
.. //depot/projects/tty/sys/dev/syscons/scterm-sc.c#5 integrate
.. //depot/projects/tty/sys/dev/syscons/scvgarndr.c#9 integrate
.. //depot/projects/tty/sys/dev/syscons/syscons.h#9 integrate
.. //depot/projects/tty/sys/dev/uart/uart_dev_z8530.c#8 integrate
.. //depot/projects/tty/sys/isa/isa_common.c#8 integrate
.. //depot/projects/tty/sys/isa/isa_common.h#3 integrate
.. //depot/projects/tty/sys/kern/init_main.c#17 integrate
.. //depot/projects/tty/sys/kern/kern_mutex.c#16 integrate
.. //depot/projects/tty/sys/kern/kern_sig.c#21 integrate
.. //depot/projects/tty/sys/kern/vfs_subr.c#26 integrate
.. //depot/projects/tty/sys/modules/ip6fw/Makefile#2 delete
.. //depot/projects/tty/sys/modules/sound/driver/ess/Makefile#2 integrate
.. //depot/projects/tty/sys/net/if.h#12 integrate
.. //depot/projects/tty/sys/net/if_loop.c#16 integrate
.. //depot/projects/tty/sys/netinet/ip_fw.h#15 integrate
.. //depot/projects/tty/sys/netinet/ip_fw2.c#26 integrate
.. //depot/projects/tty/sys/netinet/ip_fw_pfil.c#5 integrate
.. //depot/projects/tty/sys/netinet/ip_input.c#22 integrate
.. //depot/projects/tty/sys/netinet6/ip6_fw.c#12 delete
.. //depot/projects/tty/sys/netinet6/ip6_fw.h#5 delete
.. //depot/projects/tty/sys/pci/agp.c#13 integrate
.. //depot/projects/tty/sys/pci/if_pcnreg.h#6 integrate
.. //depot/projects/tty/sys/pci/if_sfreg.h#6 integrate
.. //depot/projects/tty/sys/pci/if_stereg.h#7 integrate
.. //depot/projects/tty/sys/pci/if_tl.c#15 integrate
.. //depot/projects/tty/sys/pci/if_tlreg.h#6 integrate
.. //depot/projects/tty/sys/pci/if_vrreg.h#9 integrate
.. //depot/projects/tty/sys/pci/if_wbreg.h#7 integrate
.. //depot/projects/tty/sys/pci/ncr.c#10 integrate
.. //depot/projects/tty/sys/sys/_timeval.h#3 integrate
.. //depot/projects/tty/sys/sys/conf.h#15 integrate
.. //depot/projects/tty/sys/sys/disklabel.h#8 integrate
.. //depot/projects/tty/sys/sys/elf64.h#3 integrate
.. //depot/projects/tty/sys/sys/param.h#26 integrate
.. //depot/projects/tty/sys/sys/signal.h#9 integrate
.. //depot/projects/tty/sys/sys/ucontext.h#4 integrate
.. //depot/projects/tty/sys/sys/user.h#10 integrate
.. //depot/projects/tty/tools/tools/tinderbox/etc/update_releng_6.rc#3 integrate
..
//depot/projects/tty/usr.sbin/jail/jail.c#10 integrate .. //depot/projects/tty/usr.sbin/portsnap/portsnap/portsnap.sh#6 integrate Differences ... ==== //depot/projects/tty/etc/defaults/periodic.conf#8 (text+ko) ==== @@ -13,7 +13,7 @@ # For a more detailed explanation of all the periodic.conf variables, please # refer to the periodic.conf(5) manual page. # -# $FreeBSD: src/etc/defaults/periodic.conf,v 1.37 2006/03/02 14:46:00 brueffer Exp $ +# $FreeBSD: src/etc/defaults/periodic.conf,v 1.38 2006/05/12 19:17:33 mlaier Exp $ # # What files override these defaults ? @@ -171,15 +171,9 @@ # 550.ipfwlimit daily_status_security_ipfwlimit_enable="YES" -# 600.ip6fwdenied -daily_status_security_ip6fwdenied_enable="YES" - # 610.ipf6denied daily_status_security_ipf6denied_enable="YES" -# 650.ip6fwlimit -daily_status_security_ip6fwlimit_enable="YES" - # 700.kernelmsg daily_status_security_kernelmsg_enable="YES" ==== //depot/projects/tty/etc/periodic/security/Makefile#3 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/etc/periodic/security/Makefile,v 1.4 2004/11/24 18:41:53 mlaier Exp $ +# $FreeBSD: src/etc/periodic/security/Makefile,v 1.5 2006/05/12 19:17:34 mlaier Exp $ FILES= 100.chksetuid \ 200.chkmounts \ @@ -8,8 +8,6 @@ 510.ipfdenied \ 520.pfdenied \ 550.ipfwlimit \ - 600.ip6fwdenied \ - 650.ip6fwlimit \ 700.kernelmsg \ 800.loginfail \ 900.tcpwrap \ ==== //depot/projects/tty/etc/rc.d/ip6fw#5 (text+ko) ==== @@ -1,6 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/rc.d/ip6fw,v 1.6 2004/10/07 13:55:26 mtm Exp $ +# $FreeBSD: src/etc/rc.d/ip6fw,v 1.7 2006/05/12 19:17:34 mlaier Exp $ # # PROVIDE: ip6fw @@ -20,7 +20,7 @@ { # Load IPv6 firewall module, if not already loaded if ! ${SYSCTL} net.inet6.ip6.fw.enable > /dev/null 2>&1; then - kldload ip6fw && { + kldload ipfw && { debug 'Kernel IPv6 firewall module loaded.' return 0 } 
@@ -41,7 +41,7 @@ if [ -r "${ipv6_firewall_script}" ]; then . "${ipv6_firewall_script}" echo 'IPv6 Firewall rules loaded.' - elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then + elif [ "`ipfw show 65535`" = "65535 deny ip from any to any" ]; then warn 'IPv6 firewall rules have not been loaded. Default' \ ' to DENY all access.' fi @@ -50,7 +50,7 @@ # if checkyesno ipv6_firewall_logging; then echo 'IPv6 Firewall logging=YES' - sysctl net.inet6.ip6.fw.verbose=1 >/dev/null + sysctl net.inet.ip.fw.verbose=1 >/dev/null fi # Enable the firewall ==== //depot/projects/tty/etc/rc.firewall6#7 (text+ko) ==== @@ -1,7 +1,7 @@ #!/bin/sh - ############ # Setup system for IPv6 firewall service. -# $FreeBSD: src/etc/rc.firewall6,v 1.16 2005/10/05 07:00:42 ume Exp $ +# $FreeBSD: src/etc/rc.firewall6,v 1.17 2006/05/12 19:17:33 mlaier Exp $ # Suck in the configuration variables. if [ -z "${source_rc_confs_defined}" ]; then @@ -54,17 +54,17 @@ ############ # Only in rare cases do you want to change these rules # - ${fw6cmd} add 100 pass all from any to any via lo0 - ${fw6cmd} add 200 deny all from any to ::1 - ${fw6cmd} add 300 deny all from ::1 to any + ${fw6cmd} add 100 pass ip6 from any to any via lo0 + ${fw6cmd} add 200 deny ip6 from any to ::1 + ${fw6cmd} add 300 deny ip6 from ::1 to any # # ND # # DAD - ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16 + ${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp # RS, RA, NS, NA, redirect... - ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 - ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 + ${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp + ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp } if [ -n "${1}" ]; then @@ -76,10 +76,10 @@ # case ${ipv6_firewall_quiet} in [Yy][Ee][Ss]) - fw6cmd="/sbin/ip6fw -q" + fw6cmd="/sbin/ipfw -q" ;; *) - fw6cmd="/sbin/ip6fw" + fw6cmd="/sbin/ipfw" ;; esac 
@@ -102,7 +102,7 @@ case ${ipv6_firewall_type} in [Oo][Pp][Ee][Nn]) setup_local - ${fw6cmd} add 65000 pass all from any to any + ${fw6cmd} add 65000 pass ip6 from any to any ;; [Cc][Ll][Ii][Ee][Nn][Tt]) 
@@ -122,41 +122,42 @@ setup_local # Allow any traffic to or from my own net. - ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen} - ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip} + ${fw6cmd} add pass ip6 from ${ip} to ${net}/${prefixlen} + ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ${ip} # Allow any link-local multicast traffic - ${fw6cmd} add pass all from fe80::/10 to ff02::/16 - ${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16 + ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 + ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ff02::/16 # Allow TCP through if setup succeeded - ${fw6cmd} add pass tcp from any to any established + ${fw6cmd} add pass ip6 from any to any established proto tcp # Allow IP fragments to pass through - ${fw6cmd} add pass all from any to any frag + ${fw6cmd} add pass ip6 from any to any frag # Allow setup of incoming email - ${fw6cmd} add pass tcp from any to ${ip} 25 setup + ${fw6cmd} add pass ip6 from any to ${ip} 25 setup proto tcp # Allow setup of outgoing TCP connections only - ${fw6cmd} add pass tcp from ${ip} to any setup + ${fw6cmd} add pass ip6 from ${ip} to any setup proto tcp # Disallow setup of all other TCP connections - ${fw6cmd} add deny tcp from any to any setup + ${fw6cmd} add deny ip6 from any to any setup proto tcp # Allow DNS queries out in the world - ${fw6cmd} add pass udp from any 53 to ${ip} - ${fw6cmd} add pass udp from ${ip} to any 53 + ${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp + ${fw6cmd} add pass ip6 from ${ip} to any 53 proto udp # Allow NTP queries out in the world - ${fw6cmd} add pass udp from any 123 to ${ip} - ${fw6cmd} add pass udp from ${ip} to any 123 + ${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp + ${fw6cmd} add pass ip6 from ${ip} to any 123 proto udp # Allow ICMPv6 destination unreach - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1 + ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp # Allow NS/NA/toobig (don't 
filter it out) - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136 + ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ + proto ipv6-icmp # Everything else is denied by default, unless the # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel 
@@ -185,94 +186,96 @@ setup_local # Stop spoofing - ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif} - ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif} + ${fw6cmd} add deny ip6 from ${inet}/${iprefixlen} to any in via ${oif} + ${fw6cmd} add deny ip6 from ${onet}/${oprefixlen} to any in via ${iif} # Stop unique local unicast address on the outside interface - ${fw6cmd} add deny all from fc00::/7 to any via ${oif} - ${fw6cmd} add deny all from any to fc00::/7 via ${oif} + ${fw6cmd} add deny ip6 from fc00::/7 to any via ${oif} + ${fw6cmd} add deny ip6 from any to fc00::/7 via ${oif} # Stop site-local on the outside interface - ${fw6cmd} add deny all from fec0::/10 to any via ${oif} - ${fw6cmd} add deny all from any to fec0::/10 via ${oif} + ${fw6cmd} add deny ip6 from fec0::/10 to any via ${oif} + ${fw6cmd} add deny ip6 from any to fec0::/10 via ${oif} # Disallow "internal" addresses to appear on the wire. - ${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif} + ${fw6cmd} add deny ip6 from ::ffff:0.0.0.0/96 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::ffff:0.0.0.0/96 via ${oif} # Disallow packets to malicious IPv4 compatible prefix. 
- ${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif} - ${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif} - ${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif} - ${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif} - ${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif} + ${fw6cmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif} + ${fw6cmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif} + ${fw6cmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif} + ${fw6cmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif} - ${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif} + ${fw6cmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif} # Disallow packets to malicious 6to4 prefix. 
- ${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif} - ${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif} - ${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif} - ${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:e000::/20 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:e000::/20 via ${oif} + ${fw6cmd} add deny ip6 from 2002:7f00::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:7f00::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:0000::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:0000::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:ff00::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:ff00::/24 via ${oif} - ${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif} - ${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif} - ${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif} + ${fw6cmd} add deny ip6 from 2002:0a00::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:0a00::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:ac10::/28 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:ac10::/28 via ${oif} + ${fw6cmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif} - ${fw6cmd} add deny all from ff05::/16 to any via ${oif} - ${fw6cmd} add deny all from any to ff05::/16 via ${oif} + ${fw6cmd} add deny ip6 from ff05::/16 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ff05::/16 via ${oif} # 
Allow TCP through if setup succeeded ${fw6cmd} add pass tcp from any to any established # Allow IP fragments to pass through - ${fw6cmd} add pass all from any to any frag + ${fw6cmd} add pass ip6 from any to any frag # Allow setup of incoming email - ${fw6cmd} add pass tcp from any to ${oip} 25 setup + ${fw6cmd} add pass ip6 from any to ${oip} 25 setup proto tcp # Allow access to our DNS - ${fw6cmd} add pass tcp from any to ${oip} 53 setup - ${fw6cmd} add pass udp from any to ${oip} 53 - ${fw6cmd} add pass udp from ${oip} 53 to any + ${fw6cmd} add pass ip6 from any to ${oip} 53 setup proto tcp + ${fw6cmd} add pass ip6 from any to ${oip} 53 proto udp + ${fw6cmd} add pass ip6 from ${oip} 53 to any proto udp # Allow access to our WWW - ${fw6cmd} add pass tcp from any to ${oip} 80 setup + ${fw6cmd} add pass ip6 from any to ${oip} 80 setup proto tcp # Reject&Log all setup of incoming connections from the outside - ${fw6cmd} add deny log tcp from any to any in via ${oif} setup + ${fw6cmd} add deny log ip6 from any to any in via ${oif} setup \ + proto tcp # Allow setup of any other TCP connection - ${fw6cmd} add pass tcp from any to any setup + ${fw6cmd} add pass ip6 from any to any setup proto tcp # Allow DNS queries out in the world - ${fw6cmd} add pass udp from any 53 to ${oip} - ${fw6cmd} add pass udp from ${oip} to any 53 + ${fw6cmd} add pass ip6 from any 53 to ${oip} proto udp + ${fw6cmd} add pass ip6 from ${oip} to any 53 proto udp # Allow NTP queries out in the world - ${fw6cmd} add pass udp from any 123 to ${oip} - ${fw6cmd} add pass udp from ${oip} to any 123 + ${fw6cmd} add pass ip6 from any 123 to ${oip} proto udp + ${fw6cmd} add pass ip6 from ${oip} to any 123 proto udp # Allow RIPng - #${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521 - #${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521 + #${fw6cmd} add pass ip6 from fe80::/10 521 to ff02::9 521 proto udp + #${fw6cmd} add pass ip6 from fe80::/10 521 to fe80::/10 521 proto udp # Allow ICMPv6 
destination unreach - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1 + ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp # Allow NS/NA/toobig (don't filter it out) - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136 + ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ + proto ipv6-icmp # Everything else is denied by default, unless the # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel @@ -281,7 +284,7 @@ [Cc][Ll][Oo][Ss][Ee][Dd]) # Only enable the loopback interface - ${fw6cmd} add 100 pass all from any to any via lo0 + ${fw6cmd} add 100 pass ip6 from any to any via lo0 ;; [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;; ==== //depot/projects/tty/include/netdb.h#12 (text+ko) ==== @@ -55,7 +55,7 @@ /* * @(#)netdb.h 8.1 (Berkeley) 6/2/93 * From: Id: netdb.h,v 8.9 1996/11/19 08:39:29 vixie Exp $ - * $FreeBSD: src/include/netdb.h,v 1.41 2006/04/15 16:20:26 ume Exp $ + * $FreeBSD: src/include/netdb.h,v 1.42 2006/05/12 15:37:22 ume Exp $ */ #ifndef _NETDB_H_ @@ -63,6 +63,7 @@ #include <sys/cdefs.h> #include <sys/_types.h> +#include <machine/_limits.h> #ifndef _SIZE_T_DECLARED typedef __size_t size_t; @@ -220,9 +221,15 @@ void endprotoent(void); void endservent(void); void freehostent(struct hostent *); -struct hostent *gethostbyaddr(const char *, int, int); -int gethostbyaddr_r(const char *, int, int, struct hostent *, +#if __LONG_BIT == 64 +struct hostent *gethostbyaddr(const void *, int, int); +int gethostbyaddr_r(const void *, int, int, struct hostent *, + char *, size_t, struct hostent **, int *); +#else +struct hostent *gethostbyaddr(const void *, socklen_t, int); +int gethostbyaddr_r(const void *, socklen_t, int, struct hostent *, char *, size_t, struct hostent **, int *); +#endif struct hostent *gethostbyname(const char *); int gethostbyname_r(const char *, struct hostent *, char *, size_t, struct hostent **, int *); ==== //depot/projects/tty/lib/libc/net/gethostbydns.c#9 (text+ko) ==== 
@@ -58,7 +58,7 @@ static char fromrcsid[] = "From: Id: gethnamaddr.c,v 8.23 1998/04/07 04:59:46 vixie Exp $"; #endif /* LIBC_SCCS and not lint */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/lib/libc/net/gethostbydns.c,v 1.56 2006/04/15 16:20:27 ume Exp $"); +__FBSDID("$FreeBSD: src/lib/libc/net/gethostbydns.c,v 1.57 2006/05/12 15:37:23 ume Exp $"); #include <sys/types.h> #include <sys/param.h> @@ -550,11 +550,13 @@ int _dns_gethostbyaddr(void *rval, void *cb_data, va_list ap) { - const u_char *uaddr; - int len, af; + const void *addr; + socklen_t len; + int af; char *buffer; size_t buflen; int *errnop, *h_errnop; + const u_char *uaddr; struct hostent *hptr, he; struct hostent_data *hed; int n; @@ -570,14 +572,15 @@ int ret_h_error; #endif /*SUNSECURITY*/ - uaddr = va_arg(ap, const u_char *); - len = va_arg(ap, int); + addr = va_arg(ap, const void *); + len = va_arg(ap, socklen_t); af = va_arg(ap, int); hptr = va_arg(ap, struct hostent *); buffer = va_arg(ap, char *); buflen = va_arg(ap, size_t); errnop = va_arg(ap, int *); h_errnop = va_arg(ap, int *); + uaddr = (const u_char *)addr; *((struct hostent **)rval) = NULL; ==== //depot/projects/tty/lib/libc/net/gethostbyht.c#6 (text+ko) ==== @@ -55,7 +55,7 @@ static char sccsid[] = "@(#)gethostnamadr.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/lib/libc/net/gethostbyht.c,v 1.25 2006/04/15 16:20:27 ume Exp $"); +__FBSDID("$FreeBSD: src/lib/libc/net/gethostbyht.c,v 1.26 2006/05/12 15:37:23 ume Exp $"); #include <sys/param.h> #include <sys/socket.h> @@ -282,8 +282,9 @@ int _ht_gethostbyaddr(void *rval, void *cb_data, va_list ap) { - const char *addr; - int len, af; + const void *addr; + socklen_t len; + int af; char *buffer; size_t buflen; int *errnop, *h_errnop; 
@@ -292,8 +293,8 @@ res_state statp; int error; - addr = va_arg(ap, const char *); - len = va_arg(ap, int); + addr = va_arg(ap, const void *); + len = va_arg(ap, socklen_t); af = va_arg(ap, int); hptr = va_arg(ap, struct hostent *); buffer = va_arg(ap, char *); ==== //depot/projects/tty/lib/libc/net/gethostbyname.3#8 (text+ko) ==== @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" From: @(#)gethostbyname.3 8.4 (Berkeley) 5/25/95 -.\" $FreeBSD: src/lib/libc/net/gethostbyname.3,v 1.34 2005/04/28 18:03:43 ume Exp $ +.\" $FreeBSD: src/lib/libc/net/gethostbyname.3,v 1.35 2006/05/12 15:37:23 ume Exp $ .\" .Dd May 25, 1995 .Dt GETHOSTBYNAME 3 @@ -55,7 +55,7 @@ .Ft struct hostent * .Fn gethostbyname2 "const char *name" "int af" .Ft struct hostent * -.Fn gethostbyaddr "const char *addr" "int len" "int type" +.Fn gethostbyaddr "const void *addr" "socklen_t len" "int type" .Ft struct hostent * .Fn gethostent void .Ft void @@ -246,7 +246,7 @@ if (!inet_aton(ipstr, &ip)) errx(1, "can't parse IP address %s", ipstr); -if ((hp = gethostbyaddr((const char *)&ip, +if ((hp = gethostbyaddr((const void *)&ip, sizeof ip, AF_INET)) == NULL) errx(1, "no name associated with %s", ipstr); ==== //depot/projects/tty/lib/libc/net/gethostbynis.c#7 (text+ko) ==== @@ -24,7 +24,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/lib/libc/net/gethostbynis.c,v 1.27 2006/04/15 16:20:27 ume Exp $"); +__FBSDID("$FreeBSD: src/lib/libc/net/gethostbynis.c,v 1.28 2006/05/12 15:37:23 ume Exp $"); #include <sys/param.h> #include <sys/socket.h> @@ -178,8 +178,8 @@ } static int -_gethostbynisaddr_r(const char *addr, int len, int af, struct hostent *he, - struct hostent_data *hed) +_gethostbynisaddr_r(const void *addr, socklen_t len, int af, + struct hostent *he, struct hostent_data *hed) { char *map; char numaddr[46]; @@ -227,7 +227,7 @@ } struct hostent * -_gethostbynisaddr(const char *addr, int len, int af) +_gethostbynisaddr(const void *addr, socklen_t len, int af) { #ifdef YP struct hostent *he; 
@@ -303,8 +303,8 @@ _nis_gethostbyaddr(void *rval, void *cb_data, va_list ap) { #ifdef YP - const char *addr; - int len; + const void *addr; + socklen_t len; int af; char *buffer; size_t buflen; @@ -313,8 +313,8 @@ struct hostent_data *hed; res_state statp; - addr = va_arg(ap, const char *); - len = va_arg(ap, int); + addr = va_arg(ap, const void *); + len = va_arg(ap, socklen_t); af = va_arg(ap, int); hptr = va_arg(ap, struct hostent *); buffer = va_arg(ap, char *); ==== //depot/projects/tty/lib/libc/net/gethostnamadr.c#7 (text+ko) ==== @@ -24,7 +24,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/lib/libc/net/gethostnamadr.c,v 1.31 2006/04/28 12:03:35 ume Exp $"); +__FBSDID("$FreeBSD: src/lib/libc/net/gethostnamadr.c,v 1.32 2006/05/12 15:37:23 ume Exp $"); #include "namespace.h" #include "reentrant.h" @@ -573,8 +573,14 @@ } int -gethostbyaddr_r(const char *addr, int len, int af, struct hostent *hp, - char *buf, size_t buflen, struct hostent **result, int *h_errnop) +gethostbyaddr_r(const void *addr, +#if __LONG_BIT == 64 + int len, +#else + socklen_t len, +#endif + int af, struct hostent *hp, char *buf, size_t buflen, + struct hostent **result, int *h_errnop) { const u_char *uaddr = (const u_char *)addr; const struct in6_addr *addr6; @@ -606,7 +612,7 @@ } if (af == AF_INET6 && len == NS_IN6ADDRSZ) { - addr6 = (const struct in6_addr *)(const void *)uaddr; + addr6 = (const struct in6_addr *)addr; if (IN6_IS_ADDR_LINKLOCAL(addr6)) { RES_SET_H_ERRNO(statp, HOST_NOT_FOUND); *h_errnop = statp->res_h_errno; @@ -678,7 +684,11 @@ } struct hostent * -gethostbyaddr(const char *addr, int len, int af) +#if __LONG_BIT == 64 +gethostbyaddr(const void *addr, int len, int af) +#else +gethostbyaddr(const void *addr, socklen_t len, int af) +#endif { struct hostdata *hd; struct hostent *rval; ==== //depot/projects/tty/lib/libc/net/netdb_private.h#6 (text+ko) ==== 
@@ -22,7 +22,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/lib/libc/net/netdb_private.h,v 1.12 2006/04/28 12:03:35 ume Exp $ + * $FreeBSD: src/lib/libc/net/netdb_private.h,v 1.13 2006/05/12 15:37:23 ume Exp $ */ #ifndef _NETDB_PRIVATE_H_ @@ -133,7 +133,7 @@ void _endhosthtent(struct hostent_data *); void _endnetdnsent(void); void _endnethtent(struct netent_data *); -struct hostent *_gethostbynisaddr(const char *, int, int); +struct hostent *_gethostbynisaddr(const void *, socklen_t, int); struct hostent *_gethostbynisname(const char *, int); void _map_v4v6_address(const char *, char *); void _map_v4v6_hostent(struct hostent *, char **, char *); ==== //depot/projects/tty/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#34 (text+ko) ==== @@ -3,7 +3,7 @@ <corpauthor>The &os; Project</corpauthor> - <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.927 2006/05/11 22:55:18 bmah Exp $</pubdate> + <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.929 2006/05/12 19:31:29 bmah Exp $</pubdate> <copyright> <year>2000</year> @@ -349,6 +349,12 @@ <para>The &man.acpi.thermal.4; driver now supports passive cooling. &merged;</para> +<!-- The following note should remain MI (i.e. don't set arch="alpha") -- + -- because the alpha docs will be disappearing at some point before -- + -- 7.0-RELEASE. --> + <para>Support for the alpha architecture has been removed. Alpha + support will remain on the RELENG_5 and RELENG_6 codelines.</para> + <para>The &man.cardbus.4; driver now supports <filename>/dev/cardbus<replaceable>%d</replaceable>.cis</filename>.</para> 
@@ -994,12 +1000,15 @@ also specified, no output is made for disks with no activity.</para> - <para>The &man.jail.8; utility pports a <option>-J + <para>The &man.jail.8; utility supports a <option>-J <replaceable>jid_file</replaceable></option> option to write out a JidFile, similar to a PidFile, containing the jailid, path, hostname, IP and the command used to start the jail. &merged;</para> + <para>The &man.jail.8; program now support a <option>-s</option> + option to specify a jail's securelevel.</para> + <para>The &man.kdump.1; utility now supports a <option>-H</option> flag, which causes kdump to print an additional field holding the threadid. &merged;</para> @@ -1166,6 +1175,11 @@ <para>The &man.sysctl.8; utility now supports a <option>-q</option> flag to suppress a limited set of warnings and errors.</para> + <para>The &man.traceroute.8; utility now supports + a <option>-e</option> option, which sets a fixed destination + port for probe packets. This can be useful for tracing behind + packet-filtering firewalls.</para> + <para>The &man.truss.1; utility now supports an <option>-s</option> flag for the same functionality as the strace utility (<filename role="package">devel/strace</filename>).</para> @@ -1309,7 +1323,7 @@ <para>The timezone database has been updated from the <application>tzdata2005l</application> release to the - <application>tzdata2005r</application> release. &merged;</para> + <application>tzdata2006g</application> release. &merged;</para> <para><application>WPA Supplicant</application> has been updated from version 0.3.9 to version 0.4.8. ==== //depot/projects/tty/sbin/Makefile#20 (text+ko) ==== @@ -1,5 +1,5 @@ # @(#)Makefile 8.5 (Berkeley) 3/31/94 -# $FreeBSD: src/sbin/Makefile,v 1.159 2006/03/17 18:54:30 ru Exp $ +# $FreeBSD: src/sbin/Makefile,v 1.160 2006/05/12 20:39:21 mlaier Exp $ .include <bsd.own.mk> @@ -38,7 +38,6 @@ gvinum \ ifconfig \ init \ - ${_ip6fw} \ ${_ipf} \ ipfw \ kldconfig \ 
@@ -112,7 +111,6 @@ .endif .if ${MK_INET6} != "no" -_ip6fw= ip6fw _ping6= ping6 .endif ==== //depot/projects/tty/sbin/ipfw/ipfw.8#23 (text+ko) ==== @@ -1,7 +1,7 @@ .\" -.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.186 2006/03/05 15:55:46 ume Exp $ +.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.187 2006/05/12 18:09:33 mlaier Exp $ .\" -.Dd January 16, 2006 +.Dd May 12, 2006 .Dt IPFW 8 .Os .Sh NAME @@ -327,7 +327,7 @@ | | +----------->-----------+ ^ V - [ip(6)_input] [ip(6)_output] net.inet.ip.fw.enable=1 + [ip(6)_input] [ip(6)_output] net.inet(6).ip(6).fw.enable=1 | | ^ V [ether_demux] [ether_output_frame] net.link.ether.ipfw=1 @@ -2051,6 +2051,8 @@ Enables the firewall. Setting this variable to 0 lets you run your machine without firewall even if compiled in. +.It Em net.inet6.ip6.fw.enable : No 1 +provides the same functionality as above for the IPv6 case. .It Em net.inet.ip.fw.one_pass : No 1 When set, the packet exiting from the .Xr dummynet 4 ==== //depot/projects/tty/share/man/man4/ath.4#12 (text+ko) ==== @@ -29,7 +29,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF .\" THE POSSIBILITY OF SUCH DAMAGES. .\" -.\" $FreeBSD: src/share/man/man4/ath.4,v 1.38 2006/04/28 21:45:08 maxim Exp $ +.\" $FreeBSD: src/share/man/man4/ath.4,v 1.40 2006/05/12 17:58:11 keramida Exp $ .\"/ .Dd September 5, 2005 .Dt ATH 4 
@@ -125,54 +125,12 @@ driver come in either Cardbus or mini-PCI packages. Wireless cards in Cardbus slots may be inserted and ejected on the fly. .Sh HARDWARE -The following cards are among those supported by the +The .Nm -driver: +driver supports all Atheros Cardbus or PCI cards, +except those that are based on the AR5005VL chipset. .Pp -.Bl -column -compact "Samsung SWL-5200N" "AR5212" "Cardbus" "a/b/g" -.It Em "Card Chip Bus Standard" -.It "Aztech WL830PC AR5212 CardBus b/g" -.It "Cisco AIR-CB21AG AR5115 Cardbus a/b/g" -.It "Cisco AIR-PI21AG AR5115 PCI a/b/g" -.It "D-Link DWL-A650 AR5210 CardBus a" -.It "D-Link DWL-AB650 AR5211 CardBus a/b" -.It "D-Link DWL-A520 AR5210 PCI a" -.It "D-Link DWL-AG520 AR5212 PCI a/b/g" -.It "D-Link DWL-AG650 AR5212 CardBus a/b/g" -.It "D-Link DWL-G520B AR5212 PCI b/g" -.It "D-Link DWL-G650B AR5212 CardBus b/g" -.It "Elecom LD-WL54AG AR5212 Cardbus a/b/g" -.It "Elecom LD-WL54 AR5211 Cardbus a" -.It "Fujitsu E5454 AR5212 Cardbus a/b/g" -.It "Fujitsu FMV-JW481 AR5212 Cardbus a/b/g" -.It "Fujitsu E5454 AR5212 Cardbus a/b/g" -.It "HP NC4000 AR5212 PCI a/b/g" -.It "I/O Data WN-AB AR5212 CardBus a/b" -.It "I/O Data WN-AG AR5212 CardBus a/b/g" -.It "I/O Data WN-A54 AR5212 CardBus a" -.It "Linksys WMP55AG AR5212 PCI a/b/g" -.It "Linksys WPC51AB AR5211 CardBus a/b" -.It "Linksys WPC55AG AR5212 CardBus a/b/g" -.It "NEC PA-WL/54AG AR5212 CardBus a/b/g" -.It "Netgear WAG311 AR5212 PCI a/b/g" -.It "Netgear WAB501 AR5211 CardBus a/b" -.It "Netgear WAG511 AR5212 CardBus a/b/g" -.It "Netgear WG311T AR5212 PCI b/g" -.It "Netgear WG511T AR5212 CardBus b/g" -.It "Orinoco 8480 AR5212 CardBus a/b/g" -.It "Orinoco 8470WD AR5212 CardBus a/b/g" -.It "Proxim Skyline 4030 AR5210 CardBus a" -.It "Proxim Skyline 4032 AR5210 PCI a" -.It "Samsung SWL-5200N AR5212 CardBus a/b/g" -.It "SMC SMC2536W-AG AR5212 CardBus a/b/g" -.It "SMC SMC2735W AR5210 CardBus a" -.It "Sony PCWA-C700 AR5212 Cardbus a/b" -.It "Sony PCWA-C300S AR5212 Cardbus b/g" -.It "Sony PCWA-C500 
AR5210 Cardbus a" -.It "3Com 3CRPAG175 AR5212 CardBus a/b/g" -.El -.Pp -An up to date list can be found at +A list of cards that are supported can be found at .Pa http://customerproducts.atheros.com/customerproducts . .Sh EXAMPLES Join an existing BSS network (ie: connect to an access point): ==== //depot/projects/tty/share/man/man5/periodic.conf.5#11 (text+ko) ==== @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man5/periodic.conf.5,v 1.59 2006/03/02 14:55:07 brueffer Exp $ +.\" $FreeBSD: src/share/man/man5/periodic.conf.5,v 1.60 2006/05/12 19:17:34 mlaier Exp $ .\" .Dd March 2, 2006 .Dt PERIODIC.CONF 5 @@ -536,20 +536,6 @@ to display .Xr ipfw 8 rules that have reached their verbosity limit. -.It Va daily_status_security_ip6fwdenied_enable -.Pq Vt bool -Set to -.Dq YES -to show log entries for packets denied by -.Xr ip6fw 8 -since yesterday's check. -.It Va daily_status_security_ip6fwlimit_enable -.Pq Vt bool -Set to -.Dq YES -to display -.Xr ip6fw 8 -rules that have reached their verbosity limit. .It Va daily_status_security_kernelmsg_enable .Pq Vt bool Set to ==== //depot/projects/tty/share/man/man5/rc.conf.5#26 (text+ko) ==== @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man5/rc.conf.5,v 1.294 2006/05/11 14:23:43 flz Exp $ +.\" $FreeBSD: src/share/man/man5/rc.conf.5,v 1.295 2006/05/12 19:17:34 mlaier Exp $ .\" .Dd May 11, 2006 .Dt RC.CONF 5 @@ -402,7 +402,7 @@ If the kernel was not built with .Cd "options IPV6FIREWALL" , the -.Pa ip6fw.ko +.Pa ipfw.ko kernel module will be loaded. .It Va firewall_script .Pq Vt str ==== //depot/projects/tty/share/man/man7/security.7#8 (text+ko) ==== 
@@ -21,15 +21,14 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man7/security.7,v 1.45 2006/01/19 20:01:43 ceri Exp $ +.\" $FreeBSD: src/share/man/man7/security.7,v 1.46 2006/05/12 17:42:48 keramida Exp $ .\" .Dd November 29, 2004 .Dt SECURITY 7 .Os .Sh NAME .Nm security -.Nd introduction to security under >>> TRUNCATED FOR MAIL (1000 lines) <<<
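Review bot: In ipfw.8, the entry added at @@ -2051,6 +2051,8 @@ documents net.inet6.ip6.fw.enable only as "provides the same functionality as above for the IPv6 case", which does not say whether the IPv4 and IPv6 switches are independent. Someone who changes net.inet.ip.fw.enable needs to know whether IPv6 filtering follows that setting or has to be toggled separately, so state that in the entry, and capitalize the first word to match the neighbouring items. The diagram label changed at @@ -327,7 +327,7 @@ now reads net.inet(6).ip(6).fw.enable=1, which is shorthand rather than a literal sysctl name; naming both variables, or referring to the variable list, avoids it being typed as shown.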
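Review bot: In ath.4, the HARDWARE section is rewritten at @@ -125,54 +125,12 @@ but the .Dd line visible in the preceding hunk still reads September 5, 2005; bump it, as this change does for ipfw.8. The new sentence says "all Atheros Cardbus or PCI cards" while the unchanged context just above it says the devices "come in either Cardbus or mini-PCI packages", so align the two wordings. With the table gone, the vendor URL is the only per-model reference left in the page.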
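Review bot: In periodic.conf.5 at @@ -536,20 +536,6 @@, daily_status_security_ip6fwdenied_enable and daily_status_security_ip6fwlimit_enable are removed with no text saying what replaces them. The surviving context only mentions ipfw 8 "rules that have reached their verbosity limit", so say whether the remaining ipfw checks now cover IPv6 denials as well; otherwise a host that had the ip6fw variables set to YES loses that daily security report without any hint in the manual. The .Dd line is still March 2, 2006 although the content changed.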
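Review bot: In rc.conf.5 at @@ -402,7 +402,7 @@, the module name changes from ip6fw.ko to ipfw.ko, but the unchanged sentence above it still makes the load conditional on the kernel not being built with options IPV6FIREWALL. If that option belongs to the ip6fw code this change removes, the condition is stale and should name the option that ipfw.ko actually depends on. The .Dd line still reads May 11, 2006.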