CVS commit: src/distrib/sets/lists/debug
Module Name:src Committed By: njoly Date: Mon Jul 8 18:10:16 UTC 2013 Modified Files: src/distrib/sets/lists/debug: md.amd64 Log Message: ld.elf_so-i386.debug entries are only needed for MKCOMPAT=yes builds. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/distrib/sets/lists/debug/md.amd64 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/distrib/sets/lists/debug/md.amd64 diff -u src/distrib/sets/lists/debug/md.amd64:1.23 src/distrib/sets/lists/debug/md.amd64:1.24 --- src/distrib/sets/lists/debug/md.amd64:1.23 Fri May 10 00:50:50 2013 +++ src/distrib/sets/lists/debug/md.amd64 Mon Jul 8 18:10:16 2013 @@ -1,9 +1,9 @@ -# $NetBSD: md.amd64,v 1.23 2013/05/10 00:50:50 htodd Exp $ +# $NetBSD: md.amd64,v 1.24 2013/07/08 18:10:16 njoly Exp $ ./usr/libdata/debug/lib/i386/npf/ext_log.so.0.0.debug comp-npf-debug debug,compat ./usr/libdata/debug/lib/i386/npf/ext_normalize.so.0.0.debug comp-npf-debug debug,compat ./usr/libdata/debug/lib/i386/npf/ext_rndblock.so.0.0.debug comp-npf-debug debug,compat -./usr/libdata/debug/libexec/ld.elf_so-i386.debug comp-sys-debug debug -./usr/libdata/debug/usr/libexec/ld.elf_so-i386.debug comp-sys-debug debug +./usr/libdata/debug/libexec/ld.elf_so-i386.debug comp-sys-debug debug,compat +./usr/libdata/debug/usr/libexec/ld.elf_so-i386.debug comp-sys-debug debug,compat ./usr/libdata/debug/usr/libexec/ld.elf_so-i386 comp-obsolete obsolete ./usr/libdata/debug/usr/bin/fdformat.debug comp-util-debug debug ./usr/libdata/debug/usr/bin/iasl.debug comp-util-debug debug
CVS commit: src/sys/arch/sparc64/sparc64
Module Name:src Committed By: mhitch Date: Mon Jul 8 17:01:05 UTC 2013 Modified Files: src/sys/arch/sparc64/sparc64: ofw_machdep.c Log Message: Changes from OpenBSD to OF_mapintr(). Adds support for PCIe. My Ultra 45 now can install from the CD, I can access USB flash drives, and the onboard bge interfaces now work. Tested on some other machines by jdc. To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.39 src/sys/arch/sparc64/sparc64/ofw_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc64/sparc64/ofw_machdep.c diff -u src/sys/arch/sparc64/sparc64/ofw_machdep.c:1.38 src/sys/arch/sparc64/sparc64/ofw_machdep.c:1.39 --- src/sys/arch/sparc64/sparc64/ofw_machdep.c:1.38 Sun Jul 17 20:54:48 2011 +++ src/sys/arch/sparc64/sparc64/ofw_machdep.c Mon Jul 8 17:01:05 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: ofw_machdep.c,v 1.38 2011/07/17 20:54:48 joerg Exp $ */ +/* $NetBSD: ofw_machdep.c,v 1.39 2013/07/08 17:01:05 mhitch Exp $ */ /* * Copyright (C) 1996 Wolfgang Solfrank. @@ -34,7 +34,7 @@ #include "opt_multiprocessor.h" #include -__KERNEL_RCSID(0, "$NetBSD: ofw_machdep.c,v 1.38 2011/07/17 20:54:48 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ofw_machdep.c,v 1.39 2013/07/08 17:01:05 mhitch Exp $"); #include #include @@ -668,7 +668,8 @@ find_pci_host_node(int node) &dev_type, sizeof(dev_type)); if (len <= 0) continue; - if (!strcmp(dev_type, "pci")) + if (!strcmp(dev_type, "pci") || + !strcmp(dev_type, "pciex")) pch = node; } return pch; @@ -687,7 +688,7 @@ OF_mapintr(int node, int *interrupt, int { int i, len; int address_cells, size_cells, interrupt_cells, interrupt_map_len; - int static_interrupt_map[100]; + int static_interrupt_map[256]; int interrupt_map_mask[10]; int *interrupt_map = &static_interrupt_map[0]; int maplen = sizeof static_interrupt_map; 
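Review bot: The `"pci"` / `"pciex"` device_type test added in find_pci_host_node is written out a second time in the bridge-swizzle condition of OF_mapintr (the hunk at -740), so the two lists can drift apart when another bus type is added. A small file-local helper, for example `static int is_pci_type(const char *t) { return !strcmp(t, "pci") || !strcmp(t, "pciex"); }` (name constructed here), would keep them in step. Both comparisons run strcmp on a buffer that OF_getprop fills from a firmware property. dev_type is declared outside these hunks, so it is worth confirming that a property as long as the buffer cannot leave it without a terminating NUL.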
@@ -697,8 +698,11 @@ OF_mapintr(int node, int *interrupt, int int phc_node; int rc = -1; - /* Don't need to map OBP interrupt, it's already */ - if (*interrupt & 0x20) + /* + * Don't try to map interrupts for onboard devices, or if the + * interrupt is already fully specified. + */ + if (*interrupt & 0x20 || *interrupt & 0x7c0) return validlen; /* @@ -722,7 +726,7 @@ OF_mapintr(int node, int *interrupt, int phc_node = find_pci_host_node(node); - for (; node; node = OF_parent(node)) { + while (node) { #ifdef DEBUG char name[40]; @@ -740,7 +744,8 @@ OF_mapintr(int node, int *interrupt, int /* Swizzle interrupt if this is a PCI bridge. */ if (((len = OF_getprop(node, "device_type", &dev_type, sizeof(dev_type))) > 0) && - !strcmp(dev_type, "pci") && + (!strcmp(dev_type, "pci") || + !strcmp(dev_type, "pciex")) && (node != phc_node)) { #ifdef DEBUG int ointerrupt = *interrupt; @@ -755,6 +760,8 @@ OF_mapintr(int node, int *interrupt, int /* Get reg for next level compare. */ reg[0] = 0; OF_getprop(node, "reg", ®, sizeof(reg)); + + node = OF_parent(node); continue; } if (interrupt_map_len > maplen) { @@ -813,7 +820,7 @@ OF_mapintr(int node, int *interrupt, int /* finally we can attempt the compare */ i = 0; - while (i < interrupt_map_len) { + while (i < interrupt_map_len + address_cells + interrupt_cells) { int pintr_cells; int *imap = &interrupt_map[i]; int *parent = &imap[address_cells + interrupt_cells]; @@ -850,6 +857,7 @@ OF_mapintr(int node, int *interrupt, int free(free_map, M_DEVBUF); return (-1); } +node = *parent; parent++; #ifdef DEBUG DPRINTF(("Match! using ")); @@ -860,6 +868,8 @@ OF_mapintr(int node, int *interrupt, int for (i = 0; i < pintr_cells; i++) interrupt[i] = parent[i]; rc = validlen = pintr_cells; +if (node == phc_node) + return(rc); break; } /* Move on to the next interrupt_map entry. */ 
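Review bot: The new guard `if (*interrupt & 0x20 || *interrupt & 0x7c0)` tests two unnamed masks, and the rewritten comment does not say which mask means "onboard device" and which means "already fully specified". A reader cannot tell which interrupts now skip mapping altogether. I would name the masks (using existing constants if the tree has them for these bits) or at least annotate each term, and fold the test into `if (*interrupt & (0x20 | 0x7c0))`. OF_mapintr starts and ends outside this hunk.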
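Review bot: The widened bound `while (i < interrupt_map_len + address_cells + interrupt_cells)` in the -813 hunk lets an iteration begin at or beyond `interrupt_map_len`, while `imap = &interrupt_map[i]` and `parent = &imap[address_cells + interrupt_cells]` are still formed from that index and read further down. The map holds firmware-supplied interrupt-map data and may sit in the fixed `static_interrupt_map` array, so an entry starting past the end would be an out-of-bounds read. If `interrupt_map_len` is reduced earlier in the function (not visible in this hunk) so that the sum is the true length, a comment should say so. Otherwise the condition should require a whole entry header to fit, along the lines of `while (i + address_cells + interrupt_cells + 1 <= interrupt_map_len)`, assuming `i` and the length are both counted in cells.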
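Review bot: The added `if (node == phc_node) return(rc);` in the -860 hunk returns from inside the map scan without releasing `free_map`. The error return shown as context in the -850 hunk calls `free(free_map, M_DEVBUF)` first, and the loop tail frees it as well. If the map for this node was heap-allocated (the allocation is outside the shown hunks), every successful mapping that ends at the host bridge would leak it. Suggested form: `if (node == phc_node) { if (free_map) free(free_map, M_DEVBUF); return rc; }`. This line and `node = *parent;` in the previous hunk also appear to have been added without the surrounding indentation.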
@@ -877,14 +887,15 @@ OF_mapintr(int node, int *interrupt, int /* Get reg for the next level search. */ if ((len = OF_getprop(node, "reg", ®, sizeof(reg))) <= 0) { DPRINTF(("OF_mapintr: no reg property?\n")); - continue; + } else { + DPRINTF(("reg len %d\n", len)); } - DPRINTF(("reg len %d\n", len)); if (free_map) { free(free_map, M_DEVBUF); free_map = NULL; } + node = OF_parent(node); } return (rc); }
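Review bot: With the loop changed from `for (; node; node = OF_parent(node))` to `while (node)`, the step to the parent now happens only at this tail statement and at the one `continue` patched in the -755 hunk. Any other `continue` in the loop body outside the shown hunks would now re-run the same node indefinitely, so the whole body should be checked for one. A short comment at the top of the loop, such as `/* node is advanced explicitly; every continue must update node first */`, would make the new invariant visible.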
CVS commit: src/usr.sbin/usbdevs
Module Name:src Committed By: jakllsch Date: Mon Jul 8 14:47:18 UTC 2013 Modified Files: src/usr.sbin/usbdevs: usbdevs.c Log Message: Use symbolic constants EXIT_SUCCESS, EXIT_FAILURE, and NULL where appropriate. To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.29 src/usr.sbin/usbdevs/usbdevs.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/usbdevs/usbdevs.c diff -u src/usr.sbin/usbdevs/usbdevs.c:1.28 src/usr.sbin/usbdevs/usbdevs.c:1.29 --- src/usr.sbin/usbdevs/usbdevs.c:1.28 Tue Aug 30 20:51:29 2011 +++ src/usr.sbin/usbdevs/usbdevs.c Mon Jul 8 14:47:18 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: usbdevs.c,v 1.28 2011/08/30 20:51:29 joerg Exp $ */ +/* $NetBSD: usbdevs.c,v 1.29 2013/07/08 14:47:18 jakllsch Exp $ */ /* * Copyright (c) 1998 The NetBSD Foundation, Inc. @@ -58,7 +58,7 @@ usage(void) fprintf(stderr, "usage: %s [-dv] [-a addr] [-f dev]\n", getprogname()); - exit(1); + exit(EXIT_FAILURE); } static char done[USB_MAX_DEVICES]; @@ -198,7 +198,7 @@ main(int argc, char **argv) { int ch, i, f; char buf[50]; - char *dev = 0; + char *dev = NULL; int addr = 0; int ncont; @@ -224,7 +224,7 @@ main(int argc, char **argv) argc -= optind; argv += optind; - if (dev == 0) { + if (dev == NULL) { for (ncont = 0, i = 0; i < 10; i++) { snprintf(buf, sizeof(buf), "%s%d", USBDEV, i); f = open(buf, O_RDONLY); @@ -248,5 +248,5 @@ main(int argc, char **argv) else err(1, "%s", dev); } - exit(0); + exit(EXIT_SUCCESS); }
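Review bot: The last hunk converts `exit(0)` to `exit(EXIT_SUCCESS)`, but the `err(1, "%s", dev);` two lines above it keeps the literal status, so the file is still only partly converted. For consistency with the stated aim of the commit that call should read `err(EXIT_FAILURE, "%s", dev);`. Any other `err(1, ...)` calls in main outside the shown hunks would need the same change. main's body is only partly visible here.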
CVS commit: src/sys/fs/udf
Module Name:src Committed By: reinoud Date: Mon Jul 8 08:21:13 UTC 2013 Modified Files: src/sys/fs/udf: udf_vnops.c Log Message: Clarify the sticky-bit check To generate a diff of this commit: cvs rdiff -u -r1.83 -r1.84 src/sys/fs/udf/udf_vnops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/fs/udf/udf_vnops.c diff -u src/sys/fs/udf/udf_vnops.c:1.83 src/sys/fs/udf/udf_vnops.c:1.84 --- src/sys/fs/udf/udf_vnops.c:1.83 Sun Jul 7 20:16:22 2013 +++ src/sys/fs/udf/udf_vnops.c Mon Jul 8 08:21:12 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: udf_vnops.c,v 1.83 2013/07/07 20:16:22 reinoud Exp $ */ +/* $NetBSD: udf_vnops.c,v 1.84 2013/07/08 08:21:12 reinoud Exp $ */ /* * Copyright (c) 2006, 2008 Reinoud Zandijk @@ -32,7 +32,7 @@ #include #ifndef lint -__KERNEL_RCSID(0, "$NetBSD: udf_vnops.c,v 1.83 2013/07/07 20:16:22 reinoud Exp $"); +__KERNEL_RCSID(0, "$NetBSD: udf_vnops.c,v 1.84 2013/07/08 08:21:12 reinoud Exp $"); #endif /* not lint */ @@ -792,7 +792,7 @@ udf_lookup(void *v) if (error) goto out; - /* check the permissions */ + /* check permissions */ if (islastcn && (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME) ) { error = VOP_ACCESS(dvp, VWRITE, cnp->cn_cred); @@ -801,10 +801,14 @@ udf_lookup(void *v) goto out; } - /* get node attributes */ + /* + * Check if the directory has its sticky bit set. If so, ask + * for clearance since only the owner of a file or directory + * can remove/rename from taht directory. + */ mode = udf_getaccessmode(dir_node); - udf_getownership(dir_node, &d_uid, &d_gid); if ((mode & S_ISTXT) != 0) { + udf_getownership(dir_node, &d_uid, &d_gid); error = kauth_authorize_vnode(cnp->cn_cred, KAUTH_VNODE_DELETE, res_node->vnode, dir_node->vnode, genfs_can_sticky(cnp->cn_cred,
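Review bot: The new block comment in udf_lookup contains the typo `taht` (should be `that`). Its last clause is also ambiguous about whose ownership matters. Since this comment documents an access-control decision, I would reword it to state exactly which owners the sticky-bit rule accepts, matching whatever `genfs_can_sticky` actually checks, instead of "the owner of a file or directory". The `kauth_authorize_vnode` call it describes continues past the end of the hunk, so the full argument list is not visible here.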
CVS commit: [netbsd-6-0] src/doc
Module Name:src Committed By: jdc Date: Mon Jul 8 07:41:41 UTC 2013 Modified Files: src/doc [netbsd-6-0]: CHANGES-6.0.3 Log Message: Ticket 905. To generate a diff of this commit: cvs rdiff -u -r1.1.2.8 -r1.1.2.9 src/doc/CHANGES-6.0.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.0.3 diff -u src/doc/CHANGES-6.0.3:1.1.2.8 src/doc/CHANGES-6.0.3:1.1.2.9 --- src/doc/CHANGES-6.0.3:1.1.2.8 Thu Jun 27 01:27:56 2013 +++ src/doc/CHANGES-6.0.3 Mon Jul 8 07:41:40 2013 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.0.3,v 1.1.2.8 2013/06/27 01:27:56 msaitoh Exp $ +# $NetBSD: CHANGES-6.0.3,v 1.1.2.9 2013/07/08 07:41:40 jdc Exp $ A complete list of changes from the NetBSD 6.0.2 release to the NetBSD 6.0.3 release: @@ -108,3 +108,18 @@ external/gpl3/binutils/dist/ld/emultempl PR 47922: Properly resolve DT_NEEDED entries under sysroot and don't accidently try the installed system. [joerg, ticket #911] + +share/man/man7/sysctl.71.73 via patch +sys/netinet6/icmp6.c1.161 via patch +sys/netinet6/in6.c1.161 via patch +sys/netinet6/in6_proto.c 1.97 via patch +sys/netinet6/in6_var.h1.65 via patch +sys/netinet6/ip6_input.c 1.139 via patch +sys/netinet6/ip6_var.h1.59 via patch +sys/netinet6/nd6.c1.143 via patch +sys/netinet6/nd6.h1.57 via patch +sys/netinet6/nd6_rtr.c1.83 via patch + + 4 new sysctls to avoid ipv6 DoS attacks from OpenBSD + [christos, ticket #905] +
CVS commit: [netbsd-6-1] src/doc
Module Name:src Committed By: jdc Date: Mon Jul 8 07:41:54 UTC 2013 Modified Files: src/doc [netbsd-6-1]: CHANGES-6.1.1 Log Message: Ticket 905. To generate a diff of this commit: cvs rdiff -u -r1.1.2.8 -r1.1.2.9 src/doc/CHANGES-6.1.1 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.1.1 diff -u src/doc/CHANGES-6.1.1:1.1.2.8 src/doc/CHANGES-6.1.1:1.1.2.9 --- src/doc/CHANGES-6.1.1:1.1.2.8 Thu Jun 27 01:34:34 2013 +++ src/doc/CHANGES-6.1.1 Mon Jul 8 07:41:54 2013 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.1.1,v 1.1.2.8 2013/06/27 01:34:34 msaitoh Exp $ +# $NetBSD: CHANGES-6.1.1,v 1.1.2.9 2013/07/08 07:41:54 jdc Exp $ A complete list of changes from the NetBSD 6.1 release to the NetBSD 6.1.1 release: @@ -108,3 +108,18 @@ external/gpl3/binutils/dist/ld/emultempl PR 47922: Properly resolve DT_NEEDED entries under sysroot and don't accidently try the installed system. [joerg, ticket #911] + +share/man/man7/sysctl.71.73 via patch +sys/netinet6/icmp6.c1.161 via patch +sys/netinet6/in6.c1.161 via patch +sys/netinet6/in6_proto.c 1.97 via patch +sys/netinet6/in6_var.h1.65 via patch +sys/netinet6/ip6_input.c 1.139 via patch +sys/netinet6/ip6_var.h1.59 via patch +sys/netinet6/nd6.c1.143 via patch +sys/netinet6/nd6.h1.57 via patch +sys/netinet6/nd6_rtr.c1.83 via patch + + 4 new sysctls to avoid ipv6 DoS attacks from OpenBSD + [christos, ticket #905] +
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: jdc Date: Mon Jul 8 07:41:28 UTC 2013 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket 905. To generate a diff of this commit: cvs rdiff -u -r1.1.2.13 -r1.1.2.14 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.13 src/doc/CHANGES-6.2:1.1.2.14 --- src/doc/CHANGES-6.2:1.1.2.13 Thu Jun 27 01:19:36 2013 +++ src/doc/CHANGES-6.2 Mon Jul 8 07:41:28 2013 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.13 2013/06/27 01:19:36 msaitoh Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.14 2013/07/08 07:41:28 jdc Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -264,3 +264,18 @@ external/gpl3/binutils/dist/ld/emultempl PR 47922: Properly resolve DT_NEEDED entries under sysroot and don't accidently try the installed system. [joerg, ticket #911] + +share/man/man7/sysctl.71.73 via patch +sys/netinet6/icmp6.c1.161 via patch +sys/netinet6/in6.c1.161 via patch +sys/netinet6/in6_proto.c 1.97 via patch +sys/netinet6/in6_var.h1.65 via patch +sys/netinet6/ip6_input.c 1.139 via patch +sys/netinet6/ip6_var.h1.59 via patch +sys/netinet6/nd6.c1.143 via patch +sys/netinet6/nd6.h1.57 via patch +sys/netinet6/nd6_rtr.c1.83 via patch + + 4 new sysctls to avoid ipv6 DoS attacks from OpenBSD + [christos, ticket #905] +
CVS commit: [netbsd-6-0] src
Module Name:src Committed By: jdc Date: Mon Jul 8 07:40:34 UTC 2013 Modified Files: src/share/man/man7 [netbsd-6-0]: sysctl.7 src/sys/netinet6 [netbsd-6-0]: icmp6.c in6.c in6_proto.c in6_var.h ip6_input.c ip6_var.h nd6.c nd6.h nd6_rtr.c Log Message: Pull up revisions: src/share/man/man7/sysctl.7 revision 1.73 via patch src/sys/netinet6/icmp6.c revision 1.161 via patch src/sys/netinet6/in6.c revision 1.161 via patch src/sys/netinet6/in6_proto.c revision 1.97 via patch src/sys/netinet6/in6_var.h revision 1.65 via patch src/sys/netinet6/ip6_input.c revision 1.139 via patch src/sys/netinet6/ip6_var.h revision 1.59 via patch src/sys/netinet6/nd6.c revision 1.143 via patch src/sys/netinet6/nd6.h revision 1.57 via patch src/sys/netinet6/nd6_rtr.c revision 1.83 via patch (requested by christos in ticket #905). Patch by Loganaden Velvindron. 4 new sysctls to avoid ipv6 DoS attacks from OpenBSD To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.68.6.1 src/share/man/man7/sysctl.7 cvs rdiff -u -r1.159 -r1.159.6.1 src/sys/netinet6/icmp6.c cvs rdiff -u -r1.159 -r1.159.8.1 src/sys/netinet6/in6.c cvs rdiff -u -r1.95 -r1.95.6.1 src/sys/netinet6/in6_proto.c cvs rdiff -u -r1.64 -r1.64.24.1 src/sys/netinet6/in6_var.h cvs rdiff -u -r1.136 -r1.136.6.1 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.58 -r1.58.6.1 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.141 -r1.141.6.1 src/sys/netinet6/nd6.c cvs rdiff -u -r1.56 -r1.56.8.1 src/sys/netinet6/nd6.h cvs rdiff -u -r1.82 -r1.82.8.1 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/share/man/man7/sysctl.7 diff -u src/share/man/man7/sysctl.7:1.68 src/share/man/man7/sysctl.7:1.68.6.1 --- src/share/man/man7/sysctl.7:1.68 Thu Nov 3 00:29:00 2011 +++ src/share/man/man7/sysctl.7 Mon Jul 8 07:40:34 2013 
@@ -1,4 +1,4 @@ -.\" $NetBSD: sysctl.7,v 1.68 2011/11/03 00:29:00 jym Exp $ +.\" $NetBSD: sysctl.7,v 1.68.6.1 2013/07/08 07:40:34 jdc Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 .\" -.Dd September 24, 2011 +.Dd June 22, 2012 .Dt SYSCTL 7 .Os .Sh NAME @@ -1212,8 +1212,12 @@ The currently defined protocols and name .It ip hostzerobroadcast integer yes .It ip lowportmin integer yes .It ip lowportmax integer yes +.It ip6 maxdynroutes integer yes +.It ip6 maxifprefixes integer yes +.It ip6 maxifdefrouters integer yes .It ip maxflows integer yes .It ip maxfragpackets integer yes +.It ip6 neighborgcthresh integer yes .It ip mtudisc integer yes .It ip mtudisctimeout integer yes .It ip random_id integer yes @@ -1687,6 +1691,18 @@ The lowest port number to use for TCP an This cannot be set to less than 0 or greater than 1024, and must be smaller than .Li ip6.lowportmax . +.It Li ip6.maxdynroutes +Maximum number of routes created by redirect. +Set it to negative to disable. +The default value is 4096. +.It Li ip6.maxifprefixes +Maximum number of prefixes created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. +.It Li ip6.maxifdefrouters 16 +Maximum number of default routers created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. .It Li ip6.maxflows IPv6 Fast Forwarding is enabled by default. If set to 0, IPv6 Fast Forwarding is disabled. 
@@ -1703,6 +1719,10 @@ The maximum number of fragments the node 0 means that the node will not accept any fragments. \-1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks. +.It Li ip6.neighborgcthresh +Maximum number of entries in neighbor cache. +Set to negative to disable. +The default value is 2048. .It Li ip6.redirect If set to 1, ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, Index: src/sys/netinet6/icmp6.c diff -u src/sys/netinet6/icmp6.c:1.159 src/sys/netinet6/icmp6.c:1.159.6.1 --- src/sys/netinet6/icmp6.c:1.159 Sat Dec 31 20:41:59 2011 +++ src/sys/netinet6/icmp6.c Mon Jul 8 07:40:34 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $ */ +/* $NetBSD: icmp6.c,v 1.159.6.1 2013/07/08 07:40:34 jdc Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159.6.1 2013/07/08 07:40:34 jdc Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -2284,6 +2284,8 @@ icmp6_redirect_input(struct mbuf *m, int * (there will be additional hops, though). */ rtcount = rt_timer_count(icmp6_redirect_timeout_q); + if (0 <= ip6_maxdynroutes && rtcount >= ip6_maxdynroutes) + goto fr
CVS commit: [netbsd-6-1] src
Module Name:src Committed By: jdc Date: Mon Jul 8 07:40:56 UTC 2013 Modified Files: src/share/man/man7 [netbsd-6-1]: sysctl.7 src/sys/netinet6 [netbsd-6-1]: icmp6.c in6.c in6_proto.c in6_var.h ip6_input.c ip6_var.h nd6.c nd6.h nd6_rtr.c Log Message: Pull up revisions: src/share/man/man7/sysctl.7 revision 1.73 via patch src/sys/netinet6/icmp6.c revision 1.161 via patch src/sys/netinet6/in6.c revision 1.161 via patch src/sys/netinet6/in6_proto.c revision 1.97 via patch src/sys/netinet6/in6_var.h revision 1.65 via patch src/sys/netinet6/ip6_input.c revision 1.139 via patch src/sys/netinet6/ip6_var.h revision 1.59 via patch src/sys/netinet6/nd6.c revision 1.143 via patch src/sys/netinet6/nd6.h revision 1.57 via patch src/sys/netinet6/nd6_rtr.c revision 1.83 via patch (requested by christos in ticket #905). Patch by Loganaden Velvindron. 4 new sysctls to avoid ipv6 DoS attacks from OpenBSD To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.68.8.1 src/share/man/man7/sysctl.7 cvs rdiff -u -r1.159 -r1.159.8.1 src/sys/netinet6/icmp6.c cvs rdiff -u -r1.159 -r1.159.10.1 src/sys/netinet6/in6.c cvs rdiff -u -r1.95 -r1.95.8.1 src/sys/netinet6/in6_proto.c cvs rdiff -u -r1.64.20.1 -r1.64.20.1.2.1 src/sys/netinet6/in6_var.h cvs rdiff -u -r1.136 -r1.136.8.1 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.58 -r1.58.8.1 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.141 -r1.141.8.1 src/sys/netinet6/nd6.c cvs rdiff -u -r1.56 -r1.56.10.1 src/sys/netinet6/nd6.h cvs rdiff -u -r1.82 -r1.82.10.1 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/share/man/man7/sysctl.7 diff -u src/share/man/man7/sysctl.7:1.68 src/share/man/man7/sysctl.7:1.68.8.1 --- src/share/man/man7/sysctl.7:1.68 Thu Nov 3 00:29:00 2011 +++ src/share/man/man7/sysctl.7 Mon Jul 8 07:40:56 2013 
@@ -1,4 +1,4 @@ -.\" $NetBSD: sysctl.7,v 1.68 2011/11/03 00:29:00 jym Exp $ +.\" $NetBSD: sysctl.7,v 1.68.8.1 2013/07/08 07:40:56 jdc Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 .\" -.Dd September 24, 2011 +.Dd June 22, 2012 .Dt SYSCTL 7 .Os .Sh NAME @@ -1212,8 +1212,12 @@ The currently defined protocols and name .It ip hostzerobroadcast integer yes .It ip lowportmin integer yes .It ip lowportmax integer yes +.It ip6 maxdynroutes integer yes +.It ip6 maxifprefixes integer yes +.It ip6 maxifdefrouters integer yes .It ip maxflows integer yes .It ip maxfragpackets integer yes +.It ip6 neighborgcthresh integer yes .It ip mtudisc integer yes .It ip mtudisctimeout integer yes .It ip random_id integer yes @@ -1687,6 +1691,18 @@ The lowest port number to use for TCP an This cannot be set to less than 0 or greater than 1024, and must be smaller than .Li ip6.lowportmax . +.It Li ip6.maxdynroutes +Maximum number of routes created by redirect. +Set it to negative to disable. +The default value is 4096. +.It Li ip6.maxifprefixes +Maximum number of prefixes created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. +.It Li ip6.maxifdefrouters 16 +Maximum number of default routers created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. .It Li ip6.maxflows IPv6 Fast Forwarding is enabled by default. If set to 0, IPv6 Fast Forwarding is disabled. 
@@ -1703,6 +1719,10 @@ The maximum number of fragments the node 0 means that the node will not accept any fragments. \-1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks. +.It Li ip6.neighborgcthresh +Maximum number of entries in neighbor cache. +Set to negative to disable. +The default value is 2048. .It Li ip6.redirect If set to 1, ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, Index: src/sys/netinet6/icmp6.c diff -u src/sys/netinet6/icmp6.c:1.159 src/sys/netinet6/icmp6.c:1.159.8.1 --- src/sys/netinet6/icmp6.c:1.159 Sat Dec 31 20:41:59 2011 +++ src/sys/netinet6/icmp6.c Mon Jul 8 07:40:56 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $ */ +/* $NetBSD: icmp6.c,v 1.159.8.1 2013/07/08 07:40:56 jdc Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159.8.1 2013/07/08 07:40:56 jdc Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -2284,6 +2284,8 @@ icmp6_redirect_input(struct mbuf *m, int * (there will be additional hops, though). */ rtcount = rt_timer_count(icmp6_redirect_timeout_q); + if (0 <= ip6_maxdynroutes && rtcount >= ip6_maxdynroutes)
CVS commit: [netbsd-6] src
Module Name:src Committed By: jdc Date: Mon Jul 8 07:40:07 UTC 2013 Modified Files: src/share/man/man7 [netbsd-6]: sysctl.7 src/sys/netinet6 [netbsd-6]: icmp6.c in6.c in6_proto.c in6_var.h ip6_input.c ip6_var.h nd6.c nd6.h nd6_rtr.c Log Message: Pull up revisions: src/share/man/man7/sysctl.7 revision 1.73 via patch src/sys/netinet6/icmp6.c revision 1.161 via patch src/sys/netinet6/in6.c revision 1.161 via patch src/sys/netinet6/in6_proto.c revision 1.97 via patch src/sys/netinet6/in6_var.h revision 1.65 via patch src/sys/netinet6/ip6_input.c revision 1.139 via patch src/sys/netinet6/ip6_var.h revision 1.59 via patch src/sys/netinet6/nd6.c revision 1.143 via patch src/sys/netinet6/nd6.h revision 1.57 via patch src/sys/netinet6/nd6_rtr.c revision 1.83 via patch (requested by christos in ticket #905). Patch by Loganaden Velvindron. 4 new sysctls to avoid ipv6 DoS attacks from OpenBSD To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.68.2.1 src/share/man/man7/sysctl.7 cvs rdiff -u -r1.159 -r1.159.2.1 src/sys/netinet6/icmp6.c cvs rdiff -u -r1.159 -r1.159.4.1 src/sys/netinet6/in6.c cvs rdiff -u -r1.95 -r1.95.2.1 src/sys/netinet6/in6_proto.c cvs rdiff -u -r1.64.20.1 -r1.64.20.2 src/sys/netinet6/in6_var.h cvs rdiff -u -r1.136 -r1.136.2.1 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.58 -r1.58.2.1 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.141 -r1.141.2.1 src/sys/netinet6/nd6.c cvs rdiff -u -r1.56 -r1.56.4.1 src/sys/netinet6/nd6.h cvs rdiff -u -r1.82 -r1.82.4.1 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/share/man/man7/sysctl.7 diff -u src/share/man/man7/sysctl.7:1.68 src/share/man/man7/sysctl.7:1.68.2.1 --- src/share/man/man7/sysctl.7:1.68 Thu Nov 3 00:29:00 2011 +++ src/share/man/man7/sysctl.7 Mon Jul 8 07:40:07 2013 
@@ -1,4 +1,4 @@ -.\" $NetBSD: sysctl.7,v 1.68 2011/11/03 00:29:00 jym Exp $ +.\" $NetBSD: sysctl.7,v 1.68.2.1 2013/07/08 07:40:07 jdc Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 .\" -.Dd September 24, 2011 +.Dd June 22, 2012 .Dt SYSCTL 7 .Os .Sh NAME @@ -1212,8 +1212,12 @@ The currently defined protocols and name .It ip hostzerobroadcast integer yes .It ip lowportmin integer yes .It ip lowportmax integer yes +.It ip6 maxdynroutes integer yes +.It ip6 maxifprefixes integer yes +.It ip6 maxifdefrouters integer yes .It ip maxflows integer yes .It ip maxfragpackets integer yes +.It ip6 neighborgcthresh integer yes .It ip mtudisc integer yes .It ip mtudisctimeout integer yes .It ip random_id integer yes @@ -1687,6 +1691,18 @@ The lowest port number to use for TCP an This cannot be set to less than 0 or greater than 1024, and must be smaller than .Li ip6.lowportmax . +.It Li ip6.maxdynroutes +Maximum number of routes created by redirect. +Set it to negative to disable. +The default value is 4096. +.It Li ip6.maxifprefixes +Maximum number of prefixes created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. +.It Li ip6.maxifdefrouters 16 +Maximum number of default routers created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. .It Li ip6.maxflows IPv6 Fast Forwarding is enabled by default. If set to 0, IPv6 Fast Forwarding is disabled. 
@@ -1703,6 +1719,10 @@ The maximum number of fragments the node 0 means that the node will not accept any fragments. \-1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks. +.It Li ip6.neighborgcthresh +Maximum number of entries in neighbor cache. +Set to negative to disable. +The default value is 2048. .It Li ip6.redirect If set to 1, ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, Index: src/sys/netinet6/icmp6.c diff -u src/sys/netinet6/icmp6.c:1.159 src/sys/netinet6/icmp6.c:1.159.2.1 --- src/sys/netinet6/icmp6.c:1.159 Sat Dec 31 20:41:59 2011 +++ src/sys/netinet6/icmp6.c Mon Jul 8 07:40:07 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $ */ +/* $NetBSD: icmp6.c,v 1.159.2.1 2013/07/08 07:40:07 jdc Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159.2.1 2013/07/08 07:40:07 jdc Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -2284,6 +2284,8 @@ icmp6_redirect_input(struct mbuf *m, int * (there will be additional hops, though). */ rtcount = rt_timer_count(icmp6_redirect_timeout_q); + if (0 <= ip6_maxdynroutes && rtcount >= ip6_maxdynroutes) + goto f