[Midnightbsd-cvs] [MidnightBSD/src] f902b5: rc.d/var_run: Add needed "shutdown" keyword

Gleb Smirnoff noreply at github.com
Tue Jun 27 07:02:20 EDT 2023


  Branch: refs/heads/master
  Home:   https://github.com/MidnightBSD/src
  Commit: f902b5203e848133b01e569e6a6c5597ed90a26a
      https://github.com/MidnightBSD/src/commit/f902b5203e848133b01e569e6a6c5597ed90a26a
  Author: Cy Schubert <cy at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M libexec/rc/rc.d/var_run

  Log Message:
  -----------
  rc.d/var_run: Add needed "shutdown" keyword

The "shutdown" keyword invokes rcorder with the -k flag, for rc scripts
with the keyword at shutdown.

Reported by:	bdrewery
Fixes:		27b9777c28b4

(cherry picked from commit b77b3099685f27fa1da89cb5b8f376bef87b05ec)


  Commit: a0b4c03e993fa8c42d85252d94f14e5ab977fd3f
      https://github.com/MidnightBSD/src/commit/a0b4c03e993fa8c42d85252d94f14e5ab977fd3f
  Author: Gordon Bergling <gbe at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M usr.bin/uname/uname.1
    M usr.sbin/midnightbsd-update/midnightbsd-update.8

  Log Message:
  -----------
  uname.1: Clarify the -r option

It is sometimes hard to understand the difference between
kernel version and userland version. So clarify the -r option
of uname(1) in terms of a printed kernel version.

While here, add some cross references:

- cross reference freebsd-version(1) in uname(1)
- cross reference freebsd-version(1) and uname(1) in freebsd-update(8)

PR:		265594
Reported by:	rwatson
Reviewed by:	gbe, imp
Differential Revision:	https://reviews.freebsd.org/D36516

(cherry picked from commit 8f98a937ed726399b89e87e95769a9adc809281a)


  Commit: 95193f9310e2617b6be9f5294105b92272b80aff
      https://github.com/MidnightBSD/src/commit/95193f9310e2617b6be9f5294105b92272b80aff
  Author: Michael Tuexen <tuexen at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M sys/netinet/tcp_output.c

  Log Message:
  -----------
  tcp: fix computation of offset

Only update the offset if actually retransmitting from the
scoreboard. If not done correctly, this may result in
trying to (re)-transmit data not being in the socket
buffer and therefore resulting in a panic.

PR:			264257
PR:			263445
PR:			260393
Reviewed by:		rscheff@
MFC after:		3 days
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D36626

(cherry picked from commit 6d9e911fbadf3b409802a211c1dae9b47cb5a2b8)


  Commit: 73fe2bd616d386524ad160db6064656fa43654c8
      https://github.com/MidnightBSD/src/commit/73fe2bd616d386524ad160db6064656fa43654c8
  Author: Michael Tuexen <tuexen at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M sys/netinet/tcp_input.c

  Log Message:
  -----------
  tcp: send ACKs when requested

When doing Limited Transmit send an ACK when needed by the protocol
processing (like sending ACKs with a DSACK block).

PR:			264257
PR:			263445
PR:			260393
Reviewed by:		rscheff@
MFC after:		3 days
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D36631

(cherry picked from commit 5ae83e0d871bc7cbe4dcc9a33d37eb689e631efe)


  Commit: b12d561dcd79e8a515cae226db55dd3b2c20e901
      https://github.com/MidnightBSD/src/commit/b12d561dcd79e8a515cae226db55dd3b2c20e901
  Author: Richard Scheffenegger <rscheff at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M sys/netinet/tcp_output.c

  Log Message:
  -----------
  tcp: fix cwnd restricted SACK retransmission loop

While doing the initial SACK retransmission segment while heavily cwnd
constrained, tcp_output can erroneously send out the entire sendbuffer
again. This may happen after a retransmission timeout, which resets
snd_nxt to snd_una while the SACK scoreboard is still populated.

Reviewed By:		tuexen, #transport
PR:			264257
PR:			263445
PR:			260393
MFC after:		3 days
Sponsored by:		NetApp, Inc.
Differential Revision:	https://reviews.freebsd.org/D36637

(cherry picked from commit a743fc8826fa348b09d219632594c537f8e5690e)


  Commit: c34a56622e38987d9b605531b896849119745914
      https://github.com/MidnightBSD/src/commit/c34a56622e38987d9b605531b896849119745914
  Author: Brooks Davis <brooks at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M share/man/man9/cpuset.9

  Log Message:
  -----------
  cpuset(9): Refer to CPU_SETSIZE not MAXCPU

The maximum CPU number of a cpuset_t is determined by CPU_SETSIZE. In
the kernel this is MAXCPU, but in userspace it is CPU_MAXSIZE unless
CPU_SETSIZE is defined before including sys/_cpuset.h. CPU_MAXSIZE is
256 and in userspace MAXCPU is generally 1 because it being set to a
larger MD value is gated on SMP being defined (not generally the case in
userspace).

Reported by:	Nathaniel Wesley Filardo <nwfilardo at gmail.com>
Reviewed by:	cem, jhb
Differential Revision:	https://reviews.freebsd.org/D36679

(cherry picked from commit 8232a1eddadd6e70ce7bee085344b182517d44a7)


  Commit: d1122c89b36d98510db6f84d7212a589d26a8d78
      https://github.com/MidnightBSD/src/commit/d1122c89b36d98510db6f84d7212a589d26a8d78
  Author: Kristof Provost <kp at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M sbin/pfctl/parse.y
    M sbin/pfctl/pfctl.c
    M sbin/pfctl/pfctl_parser.c
    M sbin/pfctl/tests/files/pf0100.ok

  Log Message:
  -----------
  pfctl: fix recursive printing of anchors

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning

Also fix the relevant pfctl test case to reflect the new (and now
correct) behaviour.

MFC after:	3 weeks
Obtained from:	OpenBSD (mcbride, f9a568a27c740528301ca3419316c85a9fc7f1de)
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D36416

(cherry picked from commit 585a5ed0bef4a0b874c8fa495ae53901799759c3)


  Commit: e1d586ba05da7829efb0579e1352b5f08c4569d0
      https://github.com/MidnightBSD/src/commit/e1d586ba05da7829efb0579e1352b5f08c4569d0
  Author: Brooks Davis <brooks at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M tools/bsdbox/Makefile
    R tools/bsdbox/Makefile.telnetd

  Log Message:
  -----------
  bsdbox: remove previously broken telnet(d) support

Support for telnet(d) was commented out some time ago.  Remove because
telnetd is gone in main and this is unlikely to be fixed.

Reviewed by:	imp, delphij, emaste
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D36782

(cherry picked from commit c0f94ccbb241f530c9f89d5259efb695e4f6de95)


  Commit: 74cae637a193f9da676df5cda7c465f18828b370
      https://github.com/MidnightBSD/src/commit/74cae637a193f9da676df5cda7c465f18828b370
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M usr.sbin/unbound/config.h

  Log Message:
  -----------
  update config.h to match 1.16.x version in contrib/unbound


  Commit: 9ee1eb19ee122d5abc254067ebc944c2790c04e7
      https://github.com/MidnightBSD/src/commit/9ee1eb19ee122d5abc254067ebc944c2790c04e7
  Author: Cy Schubert <cy at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M sbin/ipf/ippool/ippool.8
    M sbin/ipf/ippool/ippool.c
    M sbin/ipf/libipf/printpool_live.c
    M sbin/ipf/libipf/printpooldata.c

  Log Message:
  -----------
  ipfilter/ippool: Dump a copy of ippool in ippool.conf format

Add an ippool(8) option to dump a copy of the in-memory ippool tables
in an ippool(5) format so that it can be reloaded using ippool -f.

(cherry picked from commit 7531c434a593b2f369d69c85551e7ad1ebb7499a)


  Commit: 314843fedc4b62994a2b599161d09aed28fbed4d
      https://github.com/MidnightBSD/src/commit/314843fedc4b62994a2b599161d09aed28fbed4d
  Author: Cy Schubert <cy at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M sbin/ipf/ippool/ippool.c

  Log Message:
  -----------
  ipfilter/ippool: Return error code when listing a pool fails

When an internal or other error occurs during the listing of a pool,
return an error code when exiting ippool(8). Printing an error to
stderr without returning an error code is useless in shell scripts.

(cherry picked from commit 5568c8b2c58a65a07b42af0e09c3fc619f13316c)


  Commit: 919777a881e37c73b3762816b0d0df8d426388d4
      https://github.com/MidnightBSD/src/commit/919777a881e37c73b3762816b0d0df8d426388d4
  Author: Cy Schubert <cy at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M sbin/ipf/common/ipf.h
    M sbin/ipf/libipf/printpool_live.c

  Log Message:
  -----------
  ipfilter/libipf: printpool_live() consumer ignores return code

The single consumer of printpool_live() ignores the return code.
Avoid wasting resources on this.

(cherry picked from commit 00d8a28f19b21ce2955c0cf24a040824ec506da5)


  Commit: 7b3d2f2ee7b9b8c9bd95256320350ff8370de882
      https://github.com/MidnightBSD/src/commit/7b3d2f2ee7b9b8c9bd95256320350ff8370de882
  Author: Zhenlei Huang <zlei.huang at gmail.com>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M sys/fs/nfs/nfs_commonsubs.c

  Log Message:
  -----------
  nfscl: Fix parameter order in the calls to MGET().

(cherry picked from commit 8b43388c745ebb42414496f2925f47acac662c2f)


  Commit: 4ffbf2002617fc5cb15b5b06ff8d911dadb14b1d
      https://github.com/MidnightBSD/src/commit/4ffbf2002617fc5cb15b5b06ff8d911dadb14b1d
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M Makefile.inc1
    M Makefile.libcompat
    M lib/clang/llvm.build.mk

  Log Message:
  -----------
  update version we emulate


  Commit: d5b046205d01bae191c637277d5c038e751d9ae1
      https://github.com/MidnightBSD/src/commit/d5b046205d01bae191c637277d5c038e751d9ae1
  Author: Gleb Smirnoff <glebius at FreeBSD.org>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    M crypto/openssh/sshd.c

  Log Message:
  -----------
  sshd: update the libwrap patch to drop connections early

OpenSSH dropped libwrap support in OpenSSH 6.7p in 2014
(f2719b7c in github.com/openssh/openssh-portable) and we
have maintained the patch ourselves since 2016 (a0ee8cc636cd).

Over the years, the libwrap support has deteriorated and probably
that was the reason for removal upstream.  The original idea of libwrap
was to drop illegitimate connections as soon as possible, but over the
years the code was pushed further down and down and ended in the
forked client connection handler.

The negative effect of late dropping is an increased attack surface
for hosts that are to be dropped anyway.  Apart from hypothetical
future vulnerabilities in connection handling, today a malicious
host listed in /etc/hosts.allow still can trigger sshd to enter
connection throttling mode, which is enabled by default (see
MaxStartups in sshd_config(5)), effectively casting a DoS attack.
Note that on OpenBSD this attack isn't possible, since they enable
MaxStartups together with UseBlacklist.

The only negative effect from early drop that I can imagine is that
now the main listener parses a file in /etc, and if our root filesystem
goes bad, it would get stuck.  But it is unlikely you'd be able to log in
in that case anyway.

Implementation details:

- For brevity we reuse the same struct request_info.  This isn't
  a documented feature of libwrap, but code review, viewing data
  in a debugger and real life testing shows that if we clear
  RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended.
- We set SO_LINGER on the socket to force immediate connection reset.
- We log message exactly as libwrap's refuse() would do.

Differential revision:	https://reviews.freebsd.org/D33044

(cherry picked from commit ca573c9a1779bdeeea6d0a6e948676555977737e)
(cherry picked from commit 46aaea6c19ef1f377936eede16b4bdb626421dd6)


Compare: https://github.com/MidnightBSD/src/compare/4fc7de56bf65...d5b046205d01
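
The sshd commit message above describes refusing a connection in the main listener and setting SO_LINGER to force an immediate reset. The following is an added illustration, not code from that commit or from OpenSSH: peer_allowed() is a hypothetical stand-in for the libwrap check, and the loopback self-check in early_drop_demo() is constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical policy check standing in for the libwrap lookup. */
static int peer_allowed(const struct sockaddr_in *peer, int allow_loopback)
{
    return allow_loopback && peer->sin_addr.s_addr == htonl(INADDR_LOOPBACK);
}

/* SO_LINGER on with a zero timeout: close() aborts the connection with a RST. */
static void drop_with_reset(int fd)
{
    struct linger l = { .l_onoff = 1, .l_linger = 0 };
    (void)setsockopt(fd, SOL_SOCKET, SO_LINGER, &l, sizeof(l));
    close(fd);
}

/* Loopback self-check: 1 = client saw a reset, 0 = orderly close, -1 = setup failed. */
int early_drop_demo(int allow_loopback)
{
    struct sockaddr_in sa = { 0 }, peer;
    socklen_t len = sizeof(sa), plen = sizeof(peer);
    int lfd, cfd = -1, afd, result = -1;
    ssize_t n; char c;

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if (bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) goto out;
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
        connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) goto out;
    if ((afd = accept(lfd, (struct sockaddr *)&peer, &plen)) < 0) goto out;
    /* Decide in the listener, before any fork or per-connection state exists. */
    if (peer_allowed(&peer, allow_loopback))
        close(afd);                 /* stand-in for handing off to a child */
    else
        drop_with_reset(afd);
    n = recv(cfd, &c, 1, 0);        /* what the remote side observes */
    result = (n < 0 && errno == ECONNRESET) ? 1 : (n == 0 ? 0 : -1);
out:
    if (cfd >= 0) close(cfd);
    close(lfd);
    return result;
}

int main(void) { printf("denied=%d allowed=%d\n", early_drop_demo(0), early_drop_demo(1)); return 0; }
```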

