Date: Sat, 13 May 2006 00:17:17 GMT
From: Marcel Moolenaar
To: Perforce Change Reviews
Subject: PERFORCE change 97042 for review

http://perforce.freebsd.org/chv.cgi?CH=97042

Change 97042 by marcel@marcel_nfs on 2006/05/13 00:16:50

	IFC @97039

Affected files ...

.. //depot/projects/ia64/etc/defaults/periodic.conf#19 integrate
.. //depot/projects/ia64/etc/periodic/security/600.ip6fwdenied#6 delete
.. //depot/projects/ia64/etc/periodic/security/650.ip6fwlimit#7 delete
.. //depot/projects/ia64/etc/periodic/security/Makefile#5 integrate
.. //depot/projects/ia64/etc/rc.d/ip6fw#7 integrate
.. //depot/projects/ia64/etc/rc.firewall6#8 integrate
.. //depot/projects/ia64/include/netdb.h#14 integrate
.. //depot/projects/ia64/lib/libc/net/gethostbydns.c#16 integrate
.. //depot/projects/ia64/lib/libc/net/gethostbyht.c#7 integrate
.. //depot/projects/ia64/lib/libc/net/gethostbyname.3#10 integrate
.. //depot/projects/ia64/lib/libc/net/gethostbynis.c#8 integrate
.. //depot/projects/ia64/lib/libc/net/gethostnamadr.c#8 integrate
.. //depot/projects/ia64/lib/libc/net/netdb_private.h#6 integrate
.. //depot/projects/ia64/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#158 integrate
.. //depot/projects/ia64/sbin/Makefile#48 integrate
.. //depot/projects/ia64/sbin/ip6fw/Makefile#5 delete
.. //depot/projects/ia64/sbin/ip6fw/ip6fw.8#14 delete
.. //depot/projects/ia64/sbin/ip6fw/ip6fw.c#12 delete
.. //depot/projects/ia64/sbin/ip6fw/sample.sh#2 delete
.. //depot/projects/ia64/sbin/ipfw/ipfw.8#51 integrate
.. //depot/projects/ia64/share/man/man4/ath.4#28 integrate
.. //depot/projects/ia64/share/man/man5/periodic.conf.5#21 integrate
.. //depot/projects/ia64/share/man/man5/rc.conf.5#72 integrate
.. //depot/projects/ia64/share/man/man7/security.7#15 integrate
.. //depot/projects/ia64/sys/boot/Makefile#16 integrate
.. //depot/projects/ia64/sys/boot/common/Makefile.inc#9 integrate
.. //depot/projects/ia64/sys/boot/common/load_elf.c#17 integrate
.. //depot/projects/ia64/sys/boot/common/loader.8#31 integrate
.. //depot/projects/ia64/sys/boot/efi/libefi/bootinfo.c#15 integrate
.. //depot/projects/ia64/sys/boot/ficl/Makefile#14 integrate
.. //depot/projects/ia64/sys/boot/ficl/alpha/sysdep.c#2 delete
.. //depot/projects/ia64/sys/boot/ficl/alpha/sysdep.h#4 delete
.. //depot/projects/ia64/sys/boot/ficl/loader.c#8 integrate
.. //depot/projects/ia64/sys/boot/forth/loader.4th#4 integrate
.. //depot/projects/ia64/sys/boot/ia64/ski/bootinfo.c#6 integrate
.. //depot/projects/ia64/sys/boot/ia64/ski/conf.c#3 integrate
.. //depot/projects/ia64/sys/boot/powerpc/loader/conf.c#5 integrate
.. //depot/projects/ia64/sys/compat/linprocfs/linprocfs.c#40 integrate
.. //depot/projects/ia64/sys/conf/NOTES#101 integrate
.. //depot/projects/ia64/sys/conf/files#141 integrate
.. //depot/projects/ia64/sys/conf/kern.post.mk#59 integrate
.. //depot/projects/ia64/sys/conf/options#94 integrate
.. //depot/projects/ia64/sys/contrib/pf/net/pf_ioctl.c#16 integrate
.. //depot/projects/ia64/sys/dev/asr/asr.c#31 integrate
.. //depot/projects/ia64/sys/dev/ata/ata-all.c#69 integrate
.. //depot/projects/ia64/sys/dev/ata/ata-pci.c#51 integrate
.. //depot/projects/ia64/sys/dev/atkbdc/atkbd.c#3 integrate
.. //depot/projects/ia64/sys/dev/atkbdc/atkbdc.c#4 integrate
.. //depot/projects/ia64/sys/dev/dc/if_dc.c#5 integrate
.. //depot/projects/ia64/sys/dev/de/if_de.c#2 integrate
.. //depot/projects/ia64/sys/dev/fb/tga.c#9 delete
.. //depot/projects/ia64/sys/dev/fb/tga.h#3 delete
.. //depot/projects/ia64/sys/dev/lge/if_lgereg.h#7 integrate
.. //depot/projects/ia64/sys/dev/nge/if_ngereg.h#10 integrate
.. //depot/projects/ia64/sys/dev/pdq/pdq_freebsd.h#12 integrate
.. //depot/projects/ia64/sys/dev/pdq/pdqvar.h#9 integrate
.. //depot/projects/ia64/sys/dev/ppc/ppc.c#9 integrate
.. //depot/projects/ia64/sys/dev/sound/isa/es1888.c#7 delete
.. //depot/projects/ia64/sys/dev/sound/isa/gusc.c#6 integrate
.. //depot/projects/ia64/sys/dev/sym/sym_hipd.c#25 integrate
.. //depot/projects/ia64/sys/dev/syscons/scterm-sc.c#7 integrate
.. //depot/projects/ia64/sys/dev/syscons/scvgarndr.c#11 integrate
.. //depot/projects/ia64/sys/dev/syscons/syscons.h#10 integrate
.. //depot/projects/ia64/sys/dev/uart/uart_dev_z8530.c#13 integrate
.. //depot/projects/ia64/sys/isa/isa_common.c#15 integrate
.. //depot/projects/ia64/sys/isa/isa_common.h#5 integrate
.. //depot/projects/ia64/sys/kern/init_main.c#54 integrate
.. //depot/projects/ia64/sys/kern/kern_mutex.c#43 integrate
.. //depot/projects/ia64/sys/kern/kern_sig.c#91 integrate
.. //depot/projects/ia64/sys/kern/vfs_subr.c#87 integrate
.. //depot/projects/ia64/sys/modules/ip6fw/Makefile#3 delete
.. //depot/projects/ia64/sys/modules/sound/driver/ess/Makefile#3 integrate
.. //depot/projects/ia64/sys/net/if.h#25 integrate
.. //depot/projects/ia64/sys/net/if_loop.c#30 integrate
.. //depot/projects/ia64/sys/netinet/ip_fw.h#31 integrate
.. //depot/projects/ia64/sys/netinet/ip_fw2.c#55 integrate
.. //depot/projects/ia64/sys/netinet/ip_fw_pfil.c#12 integrate
.. //depot/projects/ia64/sys/netinet/ip_input.c#62 integrate
.. //depot/projects/ia64/sys/netinet6/ip6_fw.c#21 delete
.. //depot/projects/ia64/sys/netinet6/ip6_fw.h#6 delete
.. //depot/projects/ia64/sys/pci/agp.c#28 integrate
.. //depot/projects/ia64/sys/pci/if_pcnreg.h#6 integrate
.. //depot/projects/ia64/sys/pci/if_sfreg.h#6 integrate
.. //depot/projects/ia64/sys/pci/if_stereg.h#9 integrate
.. //depot/projects/ia64/sys/pci/if_tl.c#25 integrate
.. //depot/projects/ia64/sys/pci/if_tlreg.h#7 integrate
.. //depot/projects/ia64/sys/pci/if_vrreg.h#13 integrate
.. //depot/projects/ia64/sys/pci/if_wbreg.h#6 integrate
.. //depot/projects/ia64/sys/pci/ncr.c#21 integrate
.. //depot/projects/ia64/sys/sys/_timeval.h#3 integrate
//depot/projects/ia64/sys/sys/conf.h#43 integrate .. //depot/projects/ia64/sys/sys/disklabel.h#30 integrate .. //depot/projects/ia64/sys/sys/elf64.h#5 integrate .. //depot/projects/ia64/sys/sys/param.h#74 integrate .. //depot/projects/ia64/sys/sys/signal.h#18 integrate .. //depot/projects/ia64/sys/sys/ucontext.h#9 integrate .. //depot/projects/ia64/sys/sys/user.h#21 integrate .. //depot/projects/ia64/tools/tools/tinderbox/etc/update_releng_6.rc#3 integrate .. //depot/projects/ia64/usr.sbin/jail/jail.c#15 integrate .. //depot/projects/ia64/usr.sbin/portsnap/portsnap/portsnap.sh#6 integrate Differences ... ==== //depot/projects/ia64/etc/defaults/periodic.conf#19 (text+ko) ==== @@ -13,7 +13,7 @@ # For a more detailed explanation of all the periodic.conf variables, please # refer to the periodic.conf(5) manual page. # -# $FreeBSD: src/etc/defaults/periodic.conf,v 1.37 2006/03/02 14:46:00 brueffer Exp $ +# $FreeBSD: src/etc/defaults/periodic.conf,v 1.38 2006/05/12 19:17:33 mlaier Exp $ # # What files override these defaults ? @@ -171,15 +171,9 @@ # 550.ipfwlimit daily_status_security_ipfwlimit_enable="YES" -# 600.ip6fwdenied -daily_status_security_ip6fwdenied_enable="YES" - # 610.ipf6denied daily_status_security_ipf6denied_enable="YES" -# 650.ip6fwlimit -daily_status_security_ip6fwlimit_enable="YES" - # 700.kernelmsg daily_status_security_kernelmsg_enable="YES" ==== //depot/projects/ia64/etc/periodic/security/Makefile#5 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/etc/periodic/security/Makefile,v 1.4 2004/11/24 18:41:53 mlaier Exp $ +# $FreeBSD: src/etc/periodic/security/Makefile,v 1.5 2006/05/12 19:17:34 mlaier Exp $ FILES= 100.chksetuid \ 200.chkmounts \ @@ -8,8 +8,6 @@ 510.ipfdenied \ 520.pfdenied \ 550.ipfwlimit \ - 600.ip6fwdenied \ - 650.ip6fwlimit \ 700.kernelmsg \ 800.loginfail \ 900.tcpwrap \ ==== //depot/projects/ia64/etc/rc.d/ip6fw#7 (text+ko) ==== 
@@ -1,6 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/rc.d/ip6fw,v 1.6 2004/10/07 13:55:26 mtm Exp $ +# $FreeBSD: src/etc/rc.d/ip6fw,v 1.7 2006/05/12 19:17:34 mlaier Exp $ # # PROVIDE: ip6fw @@ -20,7 +20,7 @@ { # Load IPv6 firewall module, if not already loaded if ! ${SYSCTL} net.inet6.ip6.fw.enable > /dev/null 2>&1; then - kldload ip6fw && { + kldload ipfw && { debug 'Kernel IPv6 firewall module loaded.' return 0 } @@ -41,7 +41,7 @@ if [ -r "${ipv6_firewall_script}" ]; then . "${ipv6_firewall_script}" echo 'IPv6 Firewall rules loaded.' - elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then + elif [ "`ipfw show 65535`" = "65535 deny ip from any to any" ]; then warn 'IPv6 firewall rules have not been loaded. Default' \ ' to DENY all access.' fi @@ -50,7 +50,7 @@ # if checkyesno ipv6_firewall_logging; then echo 'IPv6 Firewall logging=YES' - sysctl net.inet6.ip6.fw.verbose=1 >/dev/null + sysctl net.inet.ip.fw.verbose=1 >/dev/null fi # Enable the firewall ==== //depot/projects/ia64/etc/rc.firewall6#8 (text+ko) ==== @@ -1,7 +1,7 @@ #!/bin/sh - ############ # Setup system for IPv6 firewall service. -# $FreeBSD: src/etc/rc.firewall6,v 1.16 2005/10/05 07:00:42 ume Exp $ +# $FreeBSD: src/etc/rc.firewall6,v 1.17 2006/05/12 19:17:33 mlaier Exp $ # Suck in the configuration variables. if [ -z "${source_rc_confs_defined}" ]; then 
@@ -54,17 +54,17 @@ ############ # Only in rare cases do you want to change these rules # - ${fw6cmd} add 100 pass all from any to any via lo0 - ${fw6cmd} add 200 deny all from any to ::1 - ${fw6cmd} add 300 deny all from ::1 to any + ${fw6cmd} add 100 pass ip6 from any to any via lo0 + ${fw6cmd} add 200 deny ip6 from any to ::1 + ${fw6cmd} add 300 deny ip6 from ::1 to any # # ND # # DAD - ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16 + ${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp # RS, RA, NS, NA, redirect... - ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 - ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 + ${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp + ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp } if [ -n "${1}" ]; then @@ -76,10 +76,10 @@ # case ${ipv6_firewall_quiet} in [Yy][Ee][Ss]) - fw6cmd="/sbin/ip6fw -q" + fw6cmd="/sbin/ipfw -q" ;; *) - fw6cmd="/sbin/ip6fw" + fw6cmd="/sbin/ipfw" ;; esac @@ -102,7 +102,7 @@ case ${ipv6_firewall_type} in [Oo][Pp][Ee][Nn]) setup_local - ${fw6cmd} add 65000 pass all from any to any + ${fw6cmd} add 65000 pass ip6 from any to any ;; [Cc][Ll][Ii][Ee][Nn][Tt]) 
@@ -122,41 +122,42 @@ setup_local # Allow any traffic to or from my own net. - ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen} - ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip} + ${fw6cmd} add pass ip6 from ${ip} to ${net}/${prefixlen} + ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ${ip} # Allow any link-local multicast traffic - ${fw6cmd} add pass all from fe80::/10 to ff02::/16 - ${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16 + ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 + ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ff02::/16 # Allow TCP through if setup succeeded - ${fw6cmd} add pass tcp from any to any established + ${fw6cmd} add pass ip6 from any to any established proto tcp # Allow IP fragments to pass through - ${fw6cmd} add pass all from any to any frag + ${fw6cmd} add pass ip6 from any to any frag # Allow setup of incoming email - ${fw6cmd} add pass tcp from any to ${ip} 25 setup + ${fw6cmd} add pass ip6 from any to ${ip} 25 setup proto tcp # Allow setup of outgoing TCP connections only - ${fw6cmd} add pass tcp from ${ip} to any setup + ${fw6cmd} add pass ip6 from ${ip} to any setup proto tcp # Disallow setup of all other TCP connections - ${fw6cmd} add deny tcp from any to any setup + ${fw6cmd} add deny ip6 from any to any setup proto tcp # Allow DNS queries out in the world - ${fw6cmd} add pass udp from any 53 to ${ip} - ${fw6cmd} add pass udp from ${ip} to any 53 + ${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp + ${fw6cmd} add pass ip6 from ${ip} to any 53 proto udp # Allow NTP queries out in the world - ${fw6cmd} add pass udp from any 123 to ${ip} - ${fw6cmd} add pass udp from ${ip} to any 123 + ${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp + ${fw6cmd} add pass ip6 from ${ip} to any 123 proto udp # Allow ICMPv6 destination unreach - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1 + ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp # Allow NS/NA/toobig (don't 
filter it out) - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136 + ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ + proto ipv6-icmp # Everything else is denied by default, unless the # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel 
@@ -185,94 +186,96 @@ setup_local # Stop spoofing - ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif} - ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif} + ${fw6cmd} add deny ip6 from ${inet}/${iprefixlen} to any in via ${oif} + ${fw6cmd} add deny ip6 from ${onet}/${oprefixlen} to any in via ${iif} # Stop unique local unicast address on the outside interface - ${fw6cmd} add deny all from fc00::/7 to any via ${oif} - ${fw6cmd} add deny all from any to fc00::/7 via ${oif} + ${fw6cmd} add deny ip6 from fc00::/7 to any via ${oif} + ${fw6cmd} add deny ip6 from any to fc00::/7 via ${oif} # Stop site-local on the outside interface - ${fw6cmd} add deny all from fec0::/10 to any via ${oif} - ${fw6cmd} add deny all from any to fec0::/10 via ${oif} + ${fw6cmd} add deny ip6 from fec0::/10 to any via ${oif} + ${fw6cmd} add deny ip6 from any to fec0::/10 via ${oif} # Disallow "internal" addresses to appear on the wire. - ${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif} + ${fw6cmd} add deny ip6 from ::ffff:0.0.0.0/96 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::ffff:0.0.0.0/96 via ${oif} # Disallow packets to malicious IPv4 compatible prefix. 
- ${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif} - ${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif} - ${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif} - ${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif} - ${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif} + ${fw6cmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif} + ${fw6cmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif} + ${fw6cmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif} + ${fw6cmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif} - ${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif} + ${fw6cmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif} # Disallow packets to malicious 6to4 prefix. 
- ${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif} - ${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif} - ${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif} - ${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:e000::/20 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:e000::/20 via ${oif} + ${fw6cmd} add deny ip6 from 2002:7f00::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:7f00::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:0000::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:0000::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:ff00::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:ff00::/24 via ${oif} - ${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif} - ${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif} - ${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif} - ${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif} + ${fw6cmd} add deny ip6 from 2002:0a00::/24 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:0a00::/24 via ${oif} + ${fw6cmd} add deny ip6 from 2002:ac10::/28 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:ac10::/28 via ${oif} + ${fw6cmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif} + ${fw6cmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif} - ${fw6cmd} add deny all from ff05::/16 to any via ${oif} - ${fw6cmd} add deny all from any to ff05::/16 via ${oif} + ${fw6cmd} add deny ip6 from ff05::/16 to any via ${oif} + ${fw6cmd} add deny ip6 from any to ff05::/16 via ${oif} # 
Allow TCP through if setup succeeded ${fw6cmd} add pass tcp from any to any established # Allow IP fragments to pass through - ${fw6cmd} add pass all from any to any frag + ${fw6cmd} add pass ip6 from any to any frag # Allow setup of incoming email - ${fw6cmd} add pass tcp from any to ${oip} 25 setup + ${fw6cmd} add pass ip6 from any to ${oip} 25 setup proto tcp # Allow access to our DNS - ${fw6cmd} add pass tcp from any to ${oip} 53 setup - ${fw6cmd} add pass udp from any to ${oip} 53 - ${fw6cmd} add pass udp from ${oip} 53 to any + ${fw6cmd} add pass ip6 from any to ${oip} 53 setup proto tcp + ${fw6cmd} add pass ip6 from any to ${oip} 53 proto udp + ${fw6cmd} add pass ip6 from ${oip} 53 to any proto udp # Allow access to our WWW - ${fw6cmd} add pass tcp from any to ${oip} 80 setup + ${fw6cmd} add pass ip6 from any to ${oip} 80 setup proto tcp # Reject&Log all setup of incoming connections from the outside - ${fw6cmd} add deny log tcp from any to any in via ${oif} setup + ${fw6cmd} add deny log ip6 from any to any in via ${oif} setup \ + proto tcp # Allow setup of any other TCP connection - ${fw6cmd} add pass tcp from any to any setup + ${fw6cmd} add pass ip6 from any to any setup proto tcp # Allow DNS queries out in the world - ${fw6cmd} add pass udp from any 53 to ${oip} - ${fw6cmd} add pass udp from ${oip} to any 53 + ${fw6cmd} add pass ip6 from any 53 to ${oip} proto udp + ${fw6cmd} add pass ip6 from ${oip} to any 53 proto udp # Allow NTP queries out in the world - ${fw6cmd} add pass udp from any 123 to ${oip} - ${fw6cmd} add pass udp from ${oip} to any 123 + ${fw6cmd} add pass ip6 from any 123 to ${oip} proto udp + ${fw6cmd} add pass ip6 from ${oip} to any 123 proto udp # Allow RIPng - #${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521 - #${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521 + #${fw6cmd} add pass ip6 from fe80::/10 521 to ff02::9 521 proto udp + #${fw6cmd} add pass ip6 from fe80::/10 521 to fe80::/10 521 proto udp # Allow ICMPv6 
destination unreach - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1 + ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp # Allow NS/NA/toobig (don't filter it out) - ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136 + ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ + proto ipv6-icmp # Everything else is denied by default, unless the # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel @@ -281,7 +284,7 @@ [Cc][Ll][Oo][Ss][Ee][Dd]) # Only enable the loopback interface - ${fw6cmd} add 100 pass all from any to any via lo0 + ${fw6cmd} add 100 pass ip6 from any to any via lo0 ;; [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;; ==== //depot/projects/ia64/include/netdb.h#14 (text+ko) ==== @@ -55,7 +55,7 @@ /* * @(#)netdb.h 8.1 (Berkeley) 6/2/93 * From: Id: netdb.h,v 8.9 1996/11/19 08:39:29 vixie Exp $ - * $FreeBSD: src/include/netdb.h,v 1.41 2006/04/15 16:20:26 ume Exp $ + * $FreeBSD: src/include/netdb.h,v 1.42 2006/05/12 15:37:22 ume Exp $ */ #ifndef _NETDB_H_ @@ -63,6 +63,7 @@ #include #include +#include #ifndef _SIZE_T_DECLARED typedef __size_t size_t; @@ -220,9 +221,15 @@ void endprotoent(void); void endservent(void); void freehostent(struct hostent *); -struct hostent *gethostbyaddr(const char *, int, int); -int gethostbyaddr_r(const char *, int, int, struct hostent *, +#if __LONG_BIT == 64 +struct hostent *gethostbyaddr(const void *, int, int); +int gethostbyaddr_r(const void *, int, int, struct hostent *, + char *, size_t, struct hostent **, int *); +#else +struct hostent *gethostbyaddr(const void *, socklen_t, int); +int gethostbyaddr_r(const void *, socklen_t, int, struct hostent *, char *, size_t, struct hostent **, int *); +#endif struct hostent *gethostbyname(const char *); int gethostbyname_r(const char *, struct hostent *, char *, size_t, struct hostent **, int *); ==== //depot/projects/ia64/lib/libc/net/gethostbydns.c#16 (text+ko) ==== 
@@ -58,7 +58,7 @@ static char fromrcsid[] = "From: Id: gethnamaddr.c,v 8.23 1998/04/07 04:59:46 vixie Exp $"; #endif /* LIBC_SCCS and not lint */ #include -__FBSDID("$FreeBSD: src/lib/libc/net/gethostbydns.c,v 1.56 2006/04/15 16:20:27 ume Exp $"); +__FBSDID("$FreeBSD: src/lib/libc/net/gethostbydns.c,v 1.57 2006/05/12 15:37:23 ume Exp $"); #include #include @@ -550,11 +550,13 @@ int _dns_gethostbyaddr(void *rval, void *cb_data, va_list ap) { - const u_char *uaddr; - int len, af; + const void *addr; + socklen_t len; + int af; char *buffer; size_t buflen; int *errnop, *h_errnop; + const u_char *uaddr; struct hostent *hptr, he; struct hostent_data *hed; int n; @@ -570,14 +572,15 @@ int ret_h_error; #endif /*SUNSECURITY*/ - uaddr = va_arg(ap, const u_char *); - len = va_arg(ap, int); + addr = va_arg(ap, const void *); + len = va_arg(ap, socklen_t); af = va_arg(ap, int); hptr = va_arg(ap, struct hostent *); buffer = va_arg(ap, char *); buflen = va_arg(ap, size_t); errnop = va_arg(ap, int *); h_errnop = va_arg(ap, int *); + uaddr = (const u_char *)addr; *((struct hostent **)rval) = NULL; ==== //depot/projects/ia64/lib/libc/net/gethostbyht.c#7 (text+ko) ==== @@ -55,7 +55,7 @@ static char sccsid[] = "@(#)gethostnamadr.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ #include -__FBSDID("$FreeBSD: src/lib/libc/net/gethostbyht.c,v 1.25 2006/04/15 16:20:27 ume Exp $"); +__FBSDID("$FreeBSD: src/lib/libc/net/gethostbyht.c,v 1.26 2006/05/12 15:37:23 ume Exp $"); #include #include @@ -282,8 +282,9 @@ int _ht_gethostbyaddr(void *rval, void *cb_data, va_list ap) { - const char *addr; - int len, af; + const void *addr; + socklen_t len; + int af; char *buffer; size_t buflen; int *errnop, *h_errnop; 
@@ -292,8 +293,8 @@ res_state statp; int error; - addr = va_arg(ap, const char *); - len = va_arg(ap, int); + addr = va_arg(ap, const void *); + len = va_arg(ap, socklen_t); af = va_arg(ap, int); hptr = va_arg(ap, struct hostent *); buffer = va_arg(ap, char *); ==== //depot/projects/ia64/lib/libc/net/gethostbyname.3#10 (text+ko) ==== @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" From: @(#)gethostbyname.3 8.4 (Berkeley) 5/25/95 -.\" $FreeBSD: src/lib/libc/net/gethostbyname.3,v 1.34 2005/04/28 18:03:43 ume Exp $ +.\" $FreeBSD: src/lib/libc/net/gethostbyname.3,v 1.35 2006/05/12 15:37:23 ume Exp $ .\" .Dd May 25, 1995 .Dt GETHOSTBYNAME 3 @@ -55,7 +55,7 @@ .Ft struct hostent * .Fn gethostbyname2 "const char *name" "int af" .Ft struct hostent * -.Fn gethostbyaddr "const char *addr" "int len" "int type" +.Fn gethostbyaddr "const void *addr" "socklen_t len" "int type" .Ft struct hostent * .Fn gethostent void .Ft void @@ -246,7 +246,7 @@ if (!inet_aton(ipstr, &ip)) errx(1, "can't parse IP address %s", ipstr); -if ((hp = gethostbyaddr((const char *)&ip, +if ((hp = gethostbyaddr((const void *)&ip, sizeof ip, AF_INET)) == NULL) errx(1, "no name associated with %s", ipstr); ==== //depot/projects/ia64/lib/libc/net/gethostbynis.c#8 (text+ko) ==== @@ -24,7 +24,7 @@ */ #include -__FBSDID("$FreeBSD: src/lib/libc/net/gethostbynis.c,v 1.27 2006/04/15 16:20:27 ume Exp $"); +__FBSDID("$FreeBSD: src/lib/libc/net/gethostbynis.c,v 1.28 2006/05/12 15:37:23 ume Exp $"); #include #include @@ -178,8 +178,8 @@ } static int -_gethostbynisaddr_r(const char *addr, int len, int af, struct hostent *he, - struct hostent_data *hed) +_gethostbynisaddr_r(const void *addr, socklen_t len, int af, + struct hostent *he, struct hostent_data *hed) { char *map; char numaddr[46]; @@ -227,7 +227,7 @@ } struct hostent * -_gethostbynisaddr(const char *addr, int len, int af) +_gethostbynisaddr(const void *addr, socklen_t len, int af) { #ifdef YP struct hostent *he; 
@@ -303,8 +303,8 @@ _nis_gethostbyaddr(void *rval, void *cb_data, va_list ap) { #ifdef YP - const char *addr; - int len; + const void *addr; + socklen_t len; int af; char *buffer; size_t buflen; @@ -313,8 +313,8 @@ struct hostent_data *hed; res_state statp; - addr = va_arg(ap, const char *); - len = va_arg(ap, int); + addr = va_arg(ap, const void *); + len = va_arg(ap, socklen_t); af = va_arg(ap, int); hptr = va_arg(ap, struct hostent *); buffer = va_arg(ap, char *); ==== //depot/projects/ia64/lib/libc/net/gethostnamadr.c#8 (text+ko) ==== @@ -24,7 +24,7 @@ */ #include -__FBSDID("$FreeBSD: src/lib/libc/net/gethostnamadr.c,v 1.31 2006/04/28 12:03:35 ume Exp $"); +__FBSDID("$FreeBSD: src/lib/libc/net/gethostnamadr.c,v 1.32 2006/05/12 15:37:23 ume Exp $"); #include "namespace.h" #include "reentrant.h" @@ -573,8 +573,14 @@ } int -gethostbyaddr_r(const char *addr, int len, int af, struct hostent *hp, - char *buf, size_t buflen, struct hostent **result, int *h_errnop) +gethostbyaddr_r(const void *addr, +#if __LONG_BIT == 64 + int len, +#else + socklen_t len, +#endif + int af, struct hostent *hp, char *buf, size_t buflen, + struct hostent **result, int *h_errnop) { const u_char *uaddr = (const u_char *)addr; const struct in6_addr *addr6; @@ -606,7 +612,7 @@ } if (af == AF_INET6 && len == NS_IN6ADDRSZ) { - addr6 = (const struct in6_addr *)(const void *)uaddr; + addr6 = (const struct in6_addr *)addr; if (IN6_IS_ADDR_LINKLOCAL(addr6)) { RES_SET_H_ERRNO(statp, HOST_NOT_FOUND); *h_errnop = statp->res_h_errno; @@ -678,7 +684,11 @@ } struct hostent * -gethostbyaddr(const char *addr, int len, int af) +#if __LONG_BIT == 64 +gethostbyaddr(const void *addr, int len, int af) +#else +gethostbyaddr(const void *addr, socklen_t len, int af) +#endif { struct hostdata *hd; struct hostent *rval; ==== //depot/projects/ia64/lib/libc/net/netdb_private.h#6 (text+ko) ==== 
@@ -22,7 +22,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/lib/libc/net/netdb_private.h,v 1.12 2006/04/28 12:03:35 ume Exp $ + * $FreeBSD: src/lib/libc/net/netdb_private.h,v 1.13 2006/05/12 15:37:23 ume Exp $ */ #ifndef _NETDB_PRIVATE_H_ @@ -133,7 +133,7 @@ void _endhosthtent(struct hostent_data *); void _endnetdnsent(void); void _endnethtent(struct netent_data *); -struct hostent *_gethostbynisaddr(const char *, int, int); +struct hostent *_gethostbynisaddr(const void *, socklen_t, int); struct hostent *_gethostbynisname(const char *, int); void _map_v4v6_address(const char *, char *); void _map_v4v6_hostent(struct hostent *, char **, char *); ==== //depot/projects/ia64/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#158 (text+ko) ==== @@ -3,7 +3,7 @@ The &os; Project - $FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.927 2006/05/11 22:55:18 bmah Exp $ + $FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.929 2006/05/12 19:31:29 bmah Exp $ 2000 @@ -349,6 +349,12 @@ The &man.acpi.thermal.4; driver now supports passive cooling. &merged; + + Support for the alpha architecture has been removed. Alpha + support will remain on the RELENG_5 and RELENG_6 codelines. + The &man.cardbus.4; driver now supports /dev/cardbus%d.cis. @@ -994,12 +1000,15 @@ also specified, no output is made for disks with no activity. - The &man.jail.8; utility pports a WPA Supplicant has been updated from version 0.3.9 to version 0.4.8. ==== //depot/projects/ia64/sbin/Makefile#48 (text+ko) ==== @@ -1,5 +1,5 @@ # @(#)Makefile 8.5 (Berkeley) 3/31/94 -# $FreeBSD: src/sbin/Makefile,v 1.159 2006/03/17 18:54:30 ru Exp $ +# $FreeBSD: src/sbin/Makefile,v 1.160 2006/05/12 20:39:21 mlaier Exp $ .include @@ -38,7 +38,6 @@ gvinum \ ifconfig \ init \ - ${_ip6fw} \ ${_ipf} \ ipfw \ kldconfig \ 
@@ -112,7 +111,6 @@ .endif .if ${MK_INET6} != "no" -_ip6fw= ip6fw _ping6= ping6 .endif ==== //depot/projects/ia64/sbin/ipfw/ipfw.8#51 (text+ko) ==== @@ -1,7 +1,7 @@ .\" -.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.186 2006/03/05 15:55:46 ume Exp $ +.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.187 2006/05/12 18:09:33 mlaier Exp $ .\" -.Dd January 16, 2006 +.Dd May 12, 2006 .Dt IPFW 8 .Os .Sh NAME @@ -327,7 +327,7 @@ | | +----------->-----------+ ^ V - [ip(6)_input] [ip(6)_output] net.inet.ip.fw.enable=1 + [ip(6)_input] [ip(6)_output] net.inet(6).ip(6).fw.enable=1 | | ^ V [ether_demux] [ether_output_frame] net.link.ether.ipfw=1 @@ -2051,6 +2051,8 @@ Enables the firewall. Setting this variable to 0 lets you run your machine without firewall even if compiled in. +.It Em net.inet6.ip6.fw.enable : No 1 +provides the same functionality as above for the IPv6 case. .It Em net.inet.ip.fw.one_pass : No 1 When set, the packet exiting from the .Xr dummynet 4 ==== //depot/projects/ia64/share/man/man4/ath.4#28 (text+ko) ==== @@ -29,7 +29,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF .\" THE POSSIBILITY OF SUCH DAMAGES. .\" -.\" $FreeBSD: src/share/man/man4/ath.4,v 1.38 2006/04/28 21:45:08 maxim Exp $ +.\" $FreeBSD: src/share/man/man4/ath.4,v 1.40 2006/05/12 17:58:11 keramida Exp $ .\"/ .Dd September 5, 2005 .Dt ATH 4 
@@ -125,54 +125,12 @@ driver come in either Cardbus or mini-PCI packages. Wireless cards in Cardbus slots may be inserted and ejected on the fly. .Sh HARDWARE -The following cards are among those supported by the +The .Nm -driver: +driver supports all Atheros Cardbus or PCI cards, +except those that are based on the AR5005VL chipset. .Pp -.Bl -column -compact "Samsung SWL-5200N" "AR5212" "Cardbus" "a/b/g" -.It Em "Card Chip Bus Standard" -.It "Aztech WL830PC AR5212 CardBus b/g" -.It "Cisco AIR-CB21AG AR5115 Cardbus a/b/g" -.It "Cisco AIR-PI21AG AR5115 PCI a/b/g" -.It "D-Link DWL-A650 AR5210 CardBus a" -.It "D-Link DWL-AB650 AR5211 CardBus a/b" -.It "D-Link DWL-A520 AR5210 PCI a" -.It "D-Link DWL-AG520 AR5212 PCI a/b/g" -.It "D-Link DWL-AG650 AR5212 CardBus a/b/g" -.It "D-Link DWL-G520B AR5212 PCI b/g" -.It "D-Link DWL-G650B AR5212 CardBus b/g" -.It "Elecom LD-WL54AG AR5212 Cardbus a/b/g" -.It "Elecom LD-WL54 AR5211 Cardbus a" -.It "Fujitsu E5454 AR5212 Cardbus a/b/g" -.It "Fujitsu FMV-JW481 AR5212 Cardbus a/b/g" -.It "Fujitsu E5454 AR5212 Cardbus a/b/g" -.It "HP NC4000 AR5212 PCI a/b/g" -.It "I/O Data WN-AB AR5212 CardBus a/b" -.It "I/O Data WN-AG AR5212 CardBus a/b/g" -.It "I/O Data WN-A54 AR5212 CardBus a" -.It "Linksys WMP55AG AR5212 PCI a/b/g" -.It "Linksys WPC51AB AR5211 CardBus a/b" -.It "Linksys WPC55AG AR5212 CardBus a/b/g" -.It "NEC PA-WL/54AG AR5212 CardBus a/b/g" -.It "Netgear WAG311 AR5212 PCI a/b/g" -.It "Netgear WAB501 AR5211 CardBus a/b" -.It "Netgear WAG511 AR5212 CardBus a/b/g" -.It "Netgear WG311T AR5212 PCI b/g" -.It "Netgear WG511T AR5212 CardBus b/g" -.It "Orinoco 8480 AR5212 CardBus a/b/g" -.It "Orinoco 8470WD AR5212 CardBus a/b/g" -.It "Proxim Skyline 4030 AR5210 CardBus a" -.It "Proxim Skyline 4032 AR5210 PCI a" -.It "Samsung SWL-5200N AR5212 CardBus a/b/g" -.It "SMC SMC2536W-AG AR5212 CardBus a/b/g" -.It "SMC SMC2735W AR5210 CardBus a" -.It "Sony PCWA-C700 AR5212 Cardbus a/b" -.It "Sony PCWA-C300S AR5212 Cardbus b/g" -.It "Sony PCWA-C500 
AR5210 Cardbus a" -.It "3Com 3CRPAG175 AR5212 CardBus a/b/g" -.El -.Pp -An up to date list can be found at +A list of cards that are supported can be found at .Pa http://customerproducts.atheros.com/customerproducts . .Sh EXAMPLES Join an existing BSS network (ie: connect to an access point): ==== //depot/projects/ia64/share/man/man5/periodic.conf.5#21 (text+ko) ==== @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man5/periodic.conf.5,v 1.59 2006/03/02 14:55:07 brueffer Exp $ +.\" $FreeBSD: src/share/man/man5/periodic.conf.5,v 1.60 2006/05/12 19:17:34 mlaier Exp $ .\" .Dd March 2, 2006 .Dt PERIODIC.CONF 5 @@ -536,20 +536,6 @@ to display .Xr ipfw 8 rules that have reached their verbosity limit. -.It Va daily_status_security_ip6fwdenied_enable -.Pq Vt bool -Set to -.Dq YES -to show log entries for packets denied by -.Xr ip6fw 8 -since yesterday's check. -.It Va daily_status_security_ip6fwlimit_enable -.Pq Vt bool -Set to -.Dq YES -to display -.Xr ip6fw 8 -rules that have reached their verbosity limit. .It Va daily_status_security_kernelmsg_enable .Pq Vt bool Set to ==== //depot/projects/ia64/share/man/man5/rc.conf.5#72 (text+ko) ==== @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man5/rc.conf.5,v 1.294 2006/05/11 14:23:43 flz Exp $ +.\" $FreeBSD: src/share/man/man5/rc.conf.5,v 1.295 2006/05/12 19:17:34 mlaier Exp $ .\" .Dd May 11, 2006 .Dt RC.CONF 5 @@ -402,7 +402,7 @@ If the kernel was not built with .Cd "options IPV6FIREWALL" , the -.Pa ip6fw.ko +.Pa ipfw.ko kernel module will be loaded. .It Va firewall_script .Pq Vt str ==== //depot/projects/ia64/share/man/man7/security.7#15 (text+ko) ==== 
@@ -21,15 +21,14 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man7/security.7,v 1.45 2006/01/19 20:01:43 ceri Exp $ +.\" $FreeBSD: src/share/man/man7/security.7,v 1.46 2006/05/12 17:42:48 keramida Exp $ .\" .Dd November 29, 2004 .Dt SECURITY 7 .Os .Sh NAME .Nm security -.Nd introduction to security under >>> TRUNCATED FOR MAIL (1000 lines) <<<
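Review bot: In etc/defaults/periodic.conf, hunk @@ -171,15 +171,9 @@, the removal of daily_status_security_ip6fwdenied_enable and daily_status_security_ip6fwlimit_enable has no visible counterpart that keeps the IPv6 denied-packet and log-limit reports. The affected-files list touches only the Makefile and the two deleted scripts under etc/periodic/security, so please confirm that the remaining ipfw checks (550.ipfwlimit and its denied-packet sibling) also report ip6 rules now that they live in the ipfw ruleset, and say so in periodic.conf.5. Otherwise the daily security mail silently loses its IPv6 firewall coverage.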
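Review bot: In etc/rc.d/ip6fw, hunk @@ -41,7 +41,7 @@, the default-deny test compares the output of "ipfw show 65535" with the bare rule text "65535 deny ip from any to any". The show form of ipfw prints the packet and byte counters between the rule number and the action, so the two strings cannot be equal and the "IPv6 firewall rules have not been loaded" warning will never be printed. Use "ipfw list 65535", which prints the rule without counters, to keep the check equivalent to the old "ip6fw l 65535".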
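Review bot: In etc/rc.d/ip6fw, hunk @@ -50,7 +50,7 @@, ipv6_firewall_logging now sets net.inet.ip.fw.verbose, which is the same knob the IPv4 firewall logging uses, so enabling logging for the IPv6 firewall also turns on verbose logging for IPv4 rules. The message printed just above still reads 'IPv6 Firewall logging=YES'. Either document in rc.conf.5 that the two logging variables now control one sysctl, or adjust the message so an administrator reading the boot output is not misled about what is being logged.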
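Review bot: In etc/rc.firewall6, hunk @@ -76,10 +76,10 @@, pointing fw6cmd at /sbin/ipfw means every rule this script adds now goes into the one ipfw ruleset instead of a separate ip6fw one. The script still uses fixed numbers (add 100, add 200, add 300, add 65000) and many unnumbered "add pass" and "add deny" rules whose position depends on what is already loaded, so the evaluation order relative to rules installed by the IPv4 firewall script is no longer independent. Please state the intended ordering in a comment at the top of the script, and check that the "ip6" qualifier is present on every rule so none of them matches IPv4 traffic by accident.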
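Review bot: In etc/rc.firewall6, hunk @@ -185,94 +186,96 @@, the context line "${fw6cmd} add pass tcp from any to any established" under "Allow TCP through if setup succeeded" was left unconverted, while the same rule in the @@ -122,41 +122,42 @@ hunk became "pass ip6 from any to any established proto tcp". With fw6cmd now set to /sbin/ipfw, the unconverted form is not restricted to IPv6 and will pass established TCP for IPv4 as well. Convert it to the ip6 ... proto tcp form like the other rules in this block.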
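Review bot: In include/netdb.h, hunk @@ -220,9 +221,15 @@, the "#if __LONG_BIT == 64" split that keeps "int" for the length argument of gethostbyaddr() and gethostbyaddr_r() on 64-bit platforms and uses socklen_t elsewhere has no comment explaining why the prototypes differ. The gethostbyname.3 hunk documents "socklen_t len" unconditionally, so on 64-bit platforms the manual page no longer matches the header. Add a short comment above the conditional giving the reason, and mention the 64-bit exception in the manual page. The same conditional is repeated in lib/libc/net/gethostnamadr.c, where the backends read the value with va_arg(ap, socklen_t), so a note there on the int to socklen_t hand-off would also help.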