svn commit: r345684 - stable/12/libexec/rc/rc.d

2019-09-03 Thread Kurt Lidl
Author: lidl
Date: Fri Mar 29 13:03:05 2019
New Revision: 345684
URL: https://svnweb.freebsd.org/changeset/base/345684

Log:
  MFC r345005:
  Remove an unneeded 'tail -n 1' from a pipeline in growfs rc script

Modified:
  stable/12/libexec/rc/rc.d/growfs
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/libexec/rc/rc.d/growfs
==
--- stable/12/libexec/rc/rc.d/growfsFri Mar 29 11:59:54 2019
(r345683)
+++ stable/12/libexec/rc/rc.d/growfsFri Mar 29 13:03:05 2019
(r345684)
@@ -57,7 +57,7 @@ growfs_start ()
;;
zfs)
pool=${FSDEV%%/*}
-   rootdev=$(zpool list -v $pool | tail -n 1 | awk '{ print $1 }')
+   rootdev=$(zpool list -v $pool | awk 'END { print $1 }')
;;
*)
echo "Don't know how to grow root filesystem type: $FSTYPE"


___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"


svn commit: r345276 - head/contrib/blacklist/bin

2019-03-18 Thread Kurt Lidl
Author: lidl
Date: Mon Mar 18 15:45:06 2019
New Revision: 345276
URL: https://svnweb.freebsd.org/changeset/base/345276

Log:
  Fixup syslog() call that should have used logging function pointer
  
  PR:   236614
  Submitted by: Helge Oldach 

Modified:
  head/contrib/blacklist/bin/blacklistd.c

Modified: head/contrib/blacklist/bin/blacklistd.c
==
--- head/contrib/blacklist/bin/blacklistd.c Mon Mar 18 14:00:19 2019
(r345275)
+++ head/contrib/blacklist/bin/blacklistd.c Mon Mar 18 15:45:06 2019
(r345276)
@@ -328,7 +328,7 @@ again:
if (dbi.id[0]) {
run_change("rem", , dbi.id, 0);
sockaddr_snprintf(buf, sizeof(buf), "%a", ss);
-   syslog(LOG_INFO, "released %s/%d:%d after %d seconds",
+   (*lfun)(LOG_INFO, "released %s/%d:%d after %d seconds",
buf, c.c_lmask, c.c_port, c.c_duration);
}
state_del(state, );
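Review bot: worth grepping blacklistd.c for any other direct `syslog(` calls, since this hunk fixes a single call site; with `-d`, diagnostics go to stdout instead of syslogd(8) (per the man page), and any logging that bypasses `(*lfun)` will still land in syslog regardless of that flag. The argument list `buf, c.c_lmask, c.c_port, c.c_duration` lines up with the `%s/%d:%d ... %d` format, so the swap is otherwise mechanical.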


svn commit: r345005 - head/libexec/rc/rc.d

2019-03-11 Thread Kurt Lidl
Author: lidl
Date: Mon Mar 11 13:33:03 2019
New Revision: 345005
URL: https://svnweb.freebsd.org/changeset/base/345005

Log:
  Remove an unneeded 'tail -n 1' from a pipeline
  
  When piping to awk, it's almost always an anti-pattern to use 'grep'
  first.
  
  When not in a pipeline, sometimes it is faster to use tail, as awk
  must process all the lines in the input stream, and won't 'seek'.
  In a pipeline, both grep and awk must process all lines, so we might
  as well skip the extra process creation for tail and just use awk
  for all the processing.
  
  Reviewed by:  jilles
  MFC after:2 weeks
  Differential Revision:https://reviews.freebsd.org/D19441

Modified:
  head/libexec/rc/rc.d/growfs

Modified: head/libexec/rc/rc.d/growfs
==
--- head/libexec/rc/rc.d/growfs Mon Mar 11 10:42:09 2019(r345004)
+++ head/libexec/rc/rc.d/growfs Mon Mar 11 13:33:03 2019(r345005)
@@ -57,7 +57,7 @@ growfs_start ()
;;
zfs)
pool=${FSDEV%%/*}
-   rootdev=$(zpool list -v $pool | tail -n 1 | awk '{ print $1 }')
+   rootdev=$(zpool list -v $pool | awk 'END { print $1 }')
;;
*)
echo "Don't know how to grow root filesystem type: $FSTYPE"
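Review bot: the last line of `zpool list -v` is the device to grow only for a single-vdev pool with no log, cache or spare devices; those are listed after the data vdevs, so on such a pool `awk 'END { print $1 }'` (exactly like the `tail -n 1` it replaces) would select the wrong device. Consider matching the expected device name rather than relying on line position, and quote `"$pool"` in the pipeline. Separately, the log message argues about putting `grep` in front of awk, but the line removed is `tail -n 1`; rewording the message to match the change would avoid confusing future readers of the history.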


svn commit: r339199 - head/contrib/blacklist/bin

2018-10-05 Thread Kurt Lidl
Author: lidl
Date: Fri Oct  5 16:52:21 2018
New Revision: 339199
URL: https://svnweb.freebsd.org/changeset/base/339199

Log:
  Document signal handling in blacklistd(8).
  
  Reviewed by:  bcr@, 0mp@
  Approved by:  re (gjb@)
  MFC after:1 week
  Differential Revision:https://reviews.freebsd.org/D17423

Modified:
  head/contrib/blacklist/bin/blacklistd.8

Modified: head/contrib/blacklist/bin/blacklistd.8
==
--- head/contrib/blacklist/bin/blacklistd.8 Fri Oct  5 16:35:24 2018
(r339198)
+++ head/contrib/blacklist/bin/blacklistd.8 Fri Oct  5 16:52:21 2018
(r339199)
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 7, 2016
+.Dd October 5, 2018
 .Dt BLACKLISTD 8
 .Os
 .Sh NAME
@@ -178,7 +178,7 @@ Specify the default rule name for the packet filter ru
 .It Fl r
 Re-read the firewall rules from the internal database, then
 remove and re-add them.
-This helps for packet filters that don't retain state across reboots.
+This helps for packet filters that do not retain state across reboots.
 .It Fl s Ar sockpath
 Add
 .Ar sockpath
@@ -197,6 +197,27 @@ diagnostic messages to
 .Dv stdout
 instead of
 .Xr syslogd 8 .
+.El
+.Sh SIGNAL HANDLING
+.Nm
+deals with the following signals:
+.Bl -tag -width "USR2"
+.It HUP
+Receipt of this signal causes
+.Nm
+to re-read the configuration file.
+.It INT, TERM & QUIT
+These signals tell
+.Nm
+to exit in an orderly fashion.
+.It USR1
+This signal tells
+.Nm
+to increase the internal debugging level by 1.
+.It USR2
+This signal tells
+.Nm
+to decrease the internal debugging level by 1.
 .El
 .Sh FILES
 .Bl -tag -width /usr/libexec/blacklistd-helper -compact
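Review bot: in `.It INT, TERM & QUIT` the comma and ampersand are plain text inside the tag, which is unusual mdoc; the common style is to name the signals with `.Dv SIGHUP`, `.Dv SIGINT , Dv SIGTERM , Dv SIGQUIT` and so on, and then choose `-width` from the longest resulting tag (the current `"USR2"` width is narrower than the `INT, TERM & QUIT` tag, so that entry's text will be pushed to the next line). It would also help to state whether the debug level adjusted by USR1/USR2 is clamped at 0, since the text only says "decrease by 1".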


svn commit: r338332 - stable/11/stand/sparc64/loader

2018-08-26 Thread Kurt Lidl
Author: lidl
Date: Mon Aug 27 03:32:40 2018
New Revision: 338332
URL: https://svnweb.freebsd.org/changeset/base/338332

Log:
  MFC r338201: increase heap size during "loader" on sparc64
  
  Increase the size of the heap size available on sparc64 during
  operation of "loader".  The dramatic increase in size of
  SPA_MAXBLOCKSIZE in r304321 causes the heap space to be exhausted,
  so malloc() fails, ultimately leading to a memcpy() with a
  destination of 0x0.

Modified:
  stable/11/stand/sparc64/loader/main.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/stand/sparc64/loader/main.c
==
--- stable/11/stand/sparc64/loader/main.c   Sun Aug 26 18:04:54 2018
(r338331)
+++ stable/11/stand/sparc64/loader/main.c   Mon Aug 27 03:32:40 2018
(r338332)
@@ -79,7 +79,7 @@ extern char bootprog_info[];
 
 enum {
HEAPVA  = 0x80,
-   HEAPSZ  = 0x100,
+   HEAPSZ  = 0x300,
LOADSZ  = 0x100 /* for kernel and modules */
 };
 


svn commit: r338203 - head/share/mk

2018-08-22 Thread Kurt Lidl
Author: lidl
Date: Wed Aug 22 15:29:54 2018
New Revision: 338203
URL: https://svnweb.freebsd.org/changeset/base/338203

Log:
  Turn off LOADER_GELI and LOADER_LUA for sparc64, until those options
  are fully debugged.  With these options off, the unified "loader"
  binary for sparc64 works to boot a kernel from ZFS.
  
  Submitted by: kevans
  Reviewed by:  imp kevans

Modified:
  head/share/mk/src.opts.mk

Modified: head/share/mk/src.opts.mk
==
--- head/share/mk/src.opts.mk   Wed Aug 22 14:58:52 2018(r338202)
+++ head/share/mk/src.opts.mk   Wed Aug 22 15:29:54 2018(r338203)
@@ -354,6 +354,11 @@ BROKEN_OPTIONS+=LOADER_OFW
 .if ${__T:Marm*} == "" && ${__T:Mmips*} == "" && ${__T:Mpowerpc*} == ""
 BROKEN_OPTIONS+=LOADER_UBOOT
 .endif
+# GELI and Lua in loader currently cause boot failures on sparc64.
+# Further debugging is required.
+.if ${__T} == "sparc64"
+BROKEN_OPTIONS+=LOADER_GELI LOADER_LUA
+.endif
 
 .if ${__T:Mmips64*}
 # profiling won't work on MIPS64 because there is only assembly for o32
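Review bot: the comment above `BROKEN_OPTIONS+=LOADER_GELI LOADER_LUA` gives no pointer for the follow-up; a PR or review reference would tell the next person when the options can be re-enabled. Stylistically, the neighbouring blocks test targets with `:M` patterns (`${__T:Marm*}`), while this one uses `${__T} == "sparc64"`; either works, but matching the surrounding form keeps the file consistent.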


svn commit: r338201 - head/stand/sparc64/loader

2018-08-22 Thread Kurt Lidl
Author: lidl
Date: Wed Aug 22 14:33:57 2018
New Revision: 338201
URL: https://svnweb.freebsd.org/changeset/base/338201

Log:
  Increase the size of the heap size available on sparc64 during
  operation of "loader".  The dramatic increase in size of
  SPA_MAXBLOCKSIZE in r304321 causes the heap space to be exhausted,
  so malloc() fails, ultimately leading to a memcpy() with a
  destination of 0x0.
  
  MFC after:3 days

Modified:
  head/stand/sparc64/loader/main.c

Modified: head/stand/sparc64/loader/main.c
==
--- head/stand/sparc64/loader/main.cWed Aug 22 14:06:31 2018
(r338200)
+++ head/stand/sparc64/loader/main.cWed Aug 22 14:33:57 2018
(r338201)
@@ -77,7 +77,7 @@ __FBSDID("$FreeBSD$");
 
 enum {
HEAPVA  = 0x80,
-   HEAPSZ  = 0x100,
+   HEAPSZ  = 0x300,
LOADSZ  = 0x100 /* for kernel and modules */
 };
 
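Review bot: raising HEAPSZ removes the observed exhaustion, but the log describes malloc() returning NULL and the result being a memcpy() to address 0x0, which means the caller never checks the allocation; the size bump should be paired with a NULL check at that call site so that the next growth of SPA_MAXBLOCKSIZE fails with a diagnostic instead of a write through a null pointer. A comment explaining how the new value relates to SPA_MAXBLOCKSIZE, and confirming that the enlarged heap starting at HEAPVA does not overlap the region sized by LOADSZ, would also help.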


Re: svn commit: r336465 - in head/sys/netinet: . tcp_stacks

2018-07-29 Thread Kurt Lidl

On 7/19/18 9:18 AM, Maxim Konovalov wrote:

On Thu, 19 Jul 2018, 08:09-0400, Michael Tuexen wrote:


On 19. Jul 2018, at 03:12, Maxim Konovalov  wrote:

Hi Randall,

On Wed, 18 Jul 2018, 22:49-, Randall Stewart wrote:


Author: rrs
Date: Wed Jul 18 22:49:53 2018
New Revision: 336465
URL: https://svnweb.freebsd.org/changeset/base/336465

Log:
  Bump the ICMP echo limits to match the RFC


[...]

Just wonder, are there any practical reasons to do that?

In case you send encapsulated packets triggering an ICMP message
you actually need more than the 8 bytes which are currently
reflected.


OK, let me rephrase: why do you need more than 8 bytes?  It looks like
it has been working rather well for 20+ years.


Coming late to the game (I was away for vacation)...

It's handy to have more than 8 bytes of returned payload for ICMP 
packets to allow for more sophisticated network health scanning metrics.


Back when I worked at UUNET, we used the ICMP ECHO REQUEST packets to 
carry accurate timestamps for monitoring dispersion of multicast 
datagrams to select hosts.  I know, ICMP ECHO REQUEST packets have 
required all payload to be returned since at least RFC 1712 - so it's 
not exactly the same as what is being changed here...


I imagine that a similar generic treatment of payload data for other 
ICMP type message might be handy too.


-Kurt



Re: svn commit: r334947 - head/sys/modules

2018-06-17 Thread Kurt Lidl

On 6/16/18 5:50 PM, Dimitry Andric wrote:

On 16 Jun 2018, at 16:57, Kurt Lidl  wrote:


On 6/11/18 4:42 AM, Dimitry Andric wrote:

Author: dim
Date: Mon Jun 11 08:42:03 2018
New Revision: 334947
URL: https://svnweb.freebsd.org/changeset/base/334947
Log:
   Disable building aesni with base gcc
  Because base gcc does not support the required intrinsics, do not
   attempt to compile the aesni module with it.
  Noticed by:   Dan Allen 
   MFC after:   3 days
Modified:
   head/sys/modules/Makefile
Modified: head/sys/modules/Makefile
==
--- head/sys/modules/Makefile   Mon Jun 11 08:11:35 2018(r334946)
+++ head/sys/modules/Makefile   Mon Jun 11 08:42:03 2018(r334947)
@@ -627,7 +627,9 @@ _aac=   aac
  _aacraid= aacraid
  _acpi=acpi
  .if ${MK_CRYPT} != "no" || defined(ALL_MODULES)
+.if ${COMPILER_TYPE} != "gcc" || ${COMPILER_VERSION} > 40201
  _aesni=   aesni
+.endif
  .endif
  _amd_ecc_inject=amd_ecc_inject
  _amdsbwd= amdsbwd
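Review bot: the guard `${COMPILER_TYPE} != "gcc" || ${COMPILER_VERSION} > 40201` keys on the compiler version, but the failure reproduced further down in this thread is `cc1: error: unrecognized command line option "-msse4"` / `"-mpclmul"`, i.e. unsupported flags from the module Makefile rather than missing intrinsics, and the UPDATING 20130903 entry quoted in the reply says base gcc does have AES-NI intrinsic support. A one-line comment above the `.if` saying which of the two the version test is really working around would spare the next reader the same confusion.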


I thought that FreeBSD's base gcc (but not a stock 4.2.1 gcc) had support for 
this.  As documented in UPDATING:

20130903:
  AES-NI intrinsic support has been added to gcc.  The AES-NI module
  has been updated to use this support.  A new gcc is required to build
  the aesni module on both i386 and amd64.


It didn't work for the original reporter on freebsd-stable@ here:

https://lists.freebsd.org/pipermail/freebsd-stable/2018-May/089026.html

and for me it still gives:

$ make -C /usr/src/sys/modules/aesni
gcc -c -O3 -pipe -fno-strict-aliasing -Werror -D_KERNEL -DKLD_MODULE -I. 
-I/usr/src/sys -fno-common -mno-mmx -mno-sse -msoft-float -ffreestanding 
-fwrapv -fstack-protector -Wall -Wredundant-decls -Wnested-externs 
-Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual 
-Wundef -Wno-pointer-sign -fformat-extensions -Wmissing-include-dirs 
-fdiagnostics-show-option -Wno-unknown-pragmas -Wno-uninitialized 
-finline-limit=8000 -fms-extensions --param inline-unit-growth=100 --param 
large-function-growth=1000 -mno-align-long-strings -mpreferred-stack-boundary=2 
-std=iso9899:1999 -Werror   -mmmx -msse -msse4 -maes -mpclmul 
/usr/src/sys/crypto/aesni/aesni_ghash.c
cc1: error: unrecognized command line option "-msse4"
cc1: error: unrecognized command line option "-mpclmul"
*** Error code 1

Those unrecognized flags were added more than 3 years ago, in r275732,
so I assume this has been broken since that time.  Maybe nobody built
any kernels with gcc for 3 years? :)


Looking at the reported problem, I see that the user is attempting to 
make this work on a Pentium-4 (i.e., 32-bit) machine.  Which doesn't have 
any of the CPU support needed for the AES code to work anyway.  I'm 
pretty sure that the AES stuff didn't exist on any of the 32 bit CPUs.


So, whether or not the compiler could compile the code or not, that CPU 
isn't going to be able to execute it.


Thanks everyone for your comments and looking into the issue.

-Kurt


Re: svn commit: r334947 - head/sys/modules

2018-06-16 Thread Kurt Lidl

On 6/11/18 4:42 AM, Dimitry Andric wrote:

Author: dim
Date: Mon Jun 11 08:42:03 2018
New Revision: 334947
URL: https://svnweb.freebsd.org/changeset/base/334947

Log:
   Disable building aesni with base gcc
   
   Because base gcc does not support the required intrinsics, do not

   attempt to compile the aesni module with it.
   
   Noticed by:	Dan Allen 

   MFC after:   3 days

Modified:
   head/sys/modules/Makefile

Modified: head/sys/modules/Makefile
==
--- head/sys/modules/Makefile   Mon Jun 11 08:11:35 2018(r334946)
+++ head/sys/modules/Makefile   Mon Jun 11 08:42:03 2018(r334947)
@@ -627,7 +627,9 @@ _aac=   aac
  _aacraid= aacraid
  _acpi=acpi
  .if ${MK_CRYPT} != "no" || defined(ALL_MODULES)
+.if ${COMPILER_TYPE} != "gcc" || ${COMPILER_VERSION} > 40201
  _aesni=   aesni
+.endif
  .endif
  _amd_ecc_inject=amd_ecc_inject
  _amdsbwd= amdsbwd



I thought that FreeBSD's base gcc (but not a stock 4.2.1 gcc) had 
support for this.  As documented in UPDATING:


20130903:
  AES-NI intrinsic support has been added to gcc.  The AES-NI module
  has been updated to use this support.  A new gcc is required to build
  the aesni module on both i386 and amd64.

-Kurt


Re: Deorbiting i386

2018-05-26 Thread Kurt Lidl

On 5/24/18 3:22 PM, Matthew Macy wrote:

i386 is definitely on the wane, but so long as it's used by more than
a handful of people it will be supported. All you need to know about
sparc64 vitality is that HEAD didn't boot for 3 months until last week.


I stopped testing HEAD on sparc64 when the introduction of the iflib'd
igb driver made booting on a sparc64 equipped with a dual-port igb
PCI card stop working.

-Kurt


svn commit: r332948 - stable/11/contrib/top

2018-04-24 Thread Kurt Lidl
Author: lidl
Date: Tue Apr 24 17:37:29 2018
New Revision: 332948
URL: https://svnweb.freebsd.org/changeset/base/332948

Log:
  MFC r332671: top: fix warnings from clang/gcc
  
  Add includes for  and  where necessary, and
  rename a few internal functions to have a "top_" prefix to avoid
  clashes with standard names from curses.h/termcap.h headers.
  
  Top now compiles without warnings on both gcc and clang.

Modified:
  stable/11/contrib/top/display.c
  stable/11/contrib/top/screen.c
  stable/11/contrib/top/screen.h
  stable/11/contrib/top/top.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/top/display.c
==
--- stable/11/contrib/top/display.c Tue Apr 24 17:35:13 2018
(r332947)
+++ stable/11/contrib/top/display.c Tue Apr 24 17:37:29 2018
(r332948)
@@ -32,7 +32,9 @@
 
 #include 
 
+#include 
 #include 
+#include 
 #include 
 #include 
 
@@ -255,7 +257,7 @@ double *avenrun;
 register int i;
 
 /* i_loadave also clears the screen, since it is first */
-clear();
+top_clear();
 
 /* mpid == -1 implies this system doesn't have an _mpid */
 if (mpid != -1)
@@ -796,7 +798,7 @@ i_message()
 }
 if (next_msg[0] != '\0')
 {
-   standout(next_msg);
+   top_standout(next_msg);
msglen = strlen(next_msg);
next_msg[0] = '\0';
 }
@@ -1076,7 +1078,7 @@ caddr_t a1, a2, a3;
i = strlen(next_msg);
if ((type & MT_delayed) == 0)
{
-   type & MT_standout ? standout(next_msg) :
+   type & MT_standout ? top_standout(next_msg) :
 fputs(next_msg, stdout);
(void) clear_eol(msglen - i);
msglen = i;
@@ -1088,7 +1090,7 @@ caddr_t a1, a2, a3;
 {
if ((type & MT_delayed) == 0)
{
-   type & MT_standout ? standout(next_msg) : fputs(next_msg, stdout);
+   type & MT_standout ? top_standout(next_msg) : fputs(next_msg, 
stdout);
msglen = strlen(next_msg);
next_msg[0] = '\0';
}

Modified: stable/11/contrib/top/screen.c
==
--- stable/11/contrib/top/screen.c  Tue Apr 24 17:35:13 2018
(r332947)
+++ stable/11/contrib/top/screen.c  Tue Apr 24 17:37:29 2018
(r332948)
@@ -45,6 +45,8 @@
 #  endif
 # endif
 #endif
+#include 
+#include 
 #include "screen.h"
 #include "boolean.h"
 
@@ -432,10 +434,7 @@ get_screensize()
 }
 
 void
-standout(msg)
-
-char *msg;
-
+top_standout(char *msg)
 {
 if (smart_terminal)
 {
@@ -450,8 +449,7 @@ char *msg;
 }
 
 void
-clear()
-
+top_clear()
 {
 if (smart_terminal)
 {
@@ -460,10 +458,7 @@ clear()
 }
 
 int
-clear_eol(len)
-
-int len;
-
+clear_eol(int len)
 {
 if (smart_terminal && !overstrike && len > 0)
 {
@@ -496,12 +491,8 @@ go_home()
 
 /* This has to be defined as a subroutine for tputs (instead of a macro) */
 
-void
-putstdout(ch)
-
-char ch;
-
+int
+putstdout(int ch)
 {
-putchar(ch);
+return putchar(ch);
 }
-

Modified: stable/11/contrib/top/screen.h
==
--- stable/11/contrib/top/screen.h  Tue Apr 24 17:35:13 2018
(r332947)
+++ stable/11/contrib/top/screen.h  Tue Apr 24 17:37:29 2018
(r332948)
@@ -28,10 +28,10 @@ extern int  screen_length;
 extern int  screen_width;
 
 /* a function that puts a single character on stdout */
-void   putstdout(char ch);
+intputstdout(int ch);
 intclear_eol(int len);
-void   standout(char *msg);
-void   clear(void);
+void   top_standout(char *msg);
+void   top_clear(void);
 void   go_home(void);
 void   reinit_screen(void);
 void   get_screensize(void);

Modified: stable/11/contrib/top/top.c
==
--- stable/11/contrib/top/top.c Tue Apr 24 17:35:13 2018(r332947)
+++ stable/11/contrib/top/top.c Tue Apr 24 17:37:29 2018(r332948)
@@ -39,6 +39,7 @@ char *copyright =
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -79,7 +80,7 @@ int pcpu_stats = No;
 sigret_t leave();
 sigret_t tstop();
 #ifdef SIGWINCH
-sigret_t winch();
+sigret_t top_winch(int);
 #endif
 
 volatile sig_atomic_t leaveflag;
@@ -681,7 +682,7 @@ char *argv[];
 (void) signal(SIGQUIT, leave);
 (void) signal(SIGTSTP, tstop);
 #ifdef SIGWINCH
-(void) signal(SIGWINCH, winch);
+(void) signal(SIGWINCH, top_winch);
 #endif
 #ifdef SIGRELSE
 sigrelse(SIGINT);
@@ -896,7 +897,7 @@ restart:
max_topn = display_resize();
 
/* reset the signal handler */
-   (void) signal(SIGWINCH, winch);
+   (void) signal(SIGWINCH, top_winch);
 
reset_display();
winchflag = 0;

svn commit: r332671 - head/contrib/top

2018-04-18 Thread Kurt Lidl
Author: lidl
Date: Wed Apr 18 13:17:14 2018
New Revision: 332671
URL: https://svnweb.freebsd.org/changeset/base/332671

Log:
  top: fix warnings from clang/gcc
  
  Add includes for  and  where necessary, and
  rename a few internal functions to have a "top_" prefix to avoid
  clashes with standard names from curses.h/termcap.h headers.
  
  Top now compiles without warnings on both gcc and clang.
  
  Reviewed by:  emaste, imp, jhb
  MFC after:3 days
  Differential Revision:https://reviews.freebsd.org/D15115

Modified:
  head/contrib/top/display.c
  head/contrib/top/screen.c
  head/contrib/top/screen.h
  head/contrib/top/top.c

Modified: head/contrib/top/display.c
==
--- head/contrib/top/display.c  Wed Apr 18 12:56:17 2018(r332670)
+++ head/contrib/top/display.c  Wed Apr 18 13:17:14 2018(r332671)
@@ -32,7 +32,9 @@
 
 #include 
 
+#include 
 #include 
+#include 
 #include 
 #include 
 
@@ -255,7 +257,7 @@ double *avenrun;
 register int i;
 
 /* i_loadave also clears the screen, since it is first */
-clear();
+top_clear();
 
 /* mpid == -1 implies this system doesn't have an _mpid */
 if (mpid != -1)
@@ -796,7 +798,7 @@ i_message()
 }
 if (next_msg[0] != '\0')
 {
-   standout(next_msg);
+   top_standout(next_msg);
msglen = strlen(next_msg);
next_msg[0] = '\0';
 }
@@ -1076,7 +1078,7 @@ caddr_t a1, a2, a3;
i = strlen(next_msg);
if ((type & MT_delayed) == 0)
{
-   type & MT_standout ? standout(next_msg) :
+   type & MT_standout ? top_standout(next_msg) :
 fputs(next_msg, stdout);
(void) clear_eol(msglen - i);
msglen = i;
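Review bot: `type & MT_standout ? top_standout(next_msg) : fputs(next_msg, stdout);` now has a void-typed second operand and an int-typed third; ISO C requires both operands of a conditional expression to have compatible types (both void, both arithmetic, ...), so this compiles only as a compiler extension and will trip `-pedantic`. Rewriting it as `if (type & MT_standout) top_standout(next_msg); else fputs(next_msg, stdout);` removes the dependency; the same pattern recurs in the next hunk.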
@@ -1088,7 +1090,7 @@ caddr_t a1, a2, a3;
 {
if ((type & MT_delayed) == 0)
{
-   type & MT_standout ? standout(next_msg) : fputs(next_msg, stdout);
+   type & MT_standout ? top_standout(next_msg) : fputs(next_msg, 
stdout);
msglen = strlen(next_msg);
next_msg[0] = '\0';
}

Modified: head/contrib/top/screen.c
==
--- head/contrib/top/screen.c   Wed Apr 18 12:56:17 2018(r332670)
+++ head/contrib/top/screen.c   Wed Apr 18 13:17:14 2018(r332671)
@@ -45,6 +45,8 @@
 #  endif
 # endif
 #endif
+#include 
+#include 
 #include "screen.h"
 #include "boolean.h"
 
@@ -432,10 +434,7 @@ get_screensize()
 }
 
 void
-standout(msg)
-
-char *msg;
-
+top_standout(char *msg)
 {
 if (smart_terminal)
 {
@@ -450,8 +449,7 @@ char *msg;
 }
 
 void
-clear()
-
+top_clear()
 {
 if (smart_terminal)
 {
@@ -460,10 +458,7 @@ clear()
 }
 
 int
-clear_eol(len)
-
-int len;
-
+clear_eol(int len)
 {
 if (smart_terminal && !overstrike && len > 0)
 {
@@ -496,12 +491,8 @@ go_home()
 
 /* This has to be defined as a subroutine for tputs (instead of a macro) */
 
-void
-putstdout(ch)
-
-char ch;
-
+int
+putstdout(int ch)
 {
-putchar(ch);
+return putchar(ch);
 }
-

Modified: head/contrib/top/screen.h
==
--- head/contrib/top/screen.h   Wed Apr 18 12:56:17 2018(r332670)
+++ head/contrib/top/screen.h   Wed Apr 18 13:17:14 2018(r332671)
@@ -28,10 +28,10 @@ extern int  screen_length;
 extern int  screen_width;
 
 /* a function that puts a single character on stdout */
-void   putstdout(char ch);
+intputstdout(int ch);
 intclear_eol(int len);
-void   standout(char *msg);
-void   clear(void);
+void   top_standout(char *msg);
+void   top_clear(void);
 void   go_home(void);
 void   reinit_screen(void);
 void   get_screensize(void);

Modified: head/contrib/top/top.c
==
--- head/contrib/top/top.c  Wed Apr 18 12:56:17 2018(r332670)
+++ head/contrib/top/top.c  Wed Apr 18 13:17:14 2018(r332671)
@@ -39,6 +39,7 @@ char *copyright =
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -79,7 +80,7 @@ int pcpu_stats = No;
 sigret_t leave();
 sigret_t tstop();
 #ifdef SIGWINCH
-sigret_t winch();
+sigret_t top_winch(int);
 #endif
 
 volatile sig_atomic_t leaveflag;
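Review bot: `top_winch` gets a proper `(int)` prototype, but the two sibling handlers `sigret_t leave();` and `sigret_t tstop();` keep empty parameter lists; since they are installed with signal(3) in the same way, giving them `(int)` as well keeps the declarations consistent and lets `-Wstrict-prototypes` check them.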
@@ -682,7 +683,7 @@ char *argv[];
 (void) signal(SIGQUIT, leave);
 (void) signal(SIGTSTP, tstop);
 #ifdef SIGWINCH
-(void) signal(SIGWINCH, winch);
+(void) signal(SIGWINCH, top_winch);
 #endif
 #ifdef SIGRELSE
 sigrelse(SIGINT);
@@ -897,7 +898,7 @@ restart:
max_topn = display_resize();
 
/* reset the signal handler */
-   (void) signal(SIGWINCH, winch);
+   (void) signal(SIGWINCH, top_winch);
 
reset_display();
winchflag = 0;
@@ -971,9 +972,9 @@ restart:
 

svn commit: r332571 - stable/11/contrib/blacklist/libexec

2018-04-16 Thread Kurt Lidl
Author: lidl
Date: Mon Apr 16 14:46:02 2018
New Revision: 332571
URL: https://svnweb.freebsd.org/changeset/base/332571

Log:
  MFC r328861: Update blacklist-helper to not emit messages from pf during 
operation.
  
  Use 'pfctl -k' when blocking a site to kill active tcp connections
  from the blocked address.
  
  Fix 'purge' operation for pf, which must dynamically determine which
  filters have been created, so the filters can be flushed by name.

Modified:
  stable/11/contrib/blacklist/libexec/blacklistd-helper
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper
==
--- stable/11/contrib/blacklist/libexec/blacklistd-helper   Mon Apr 16 
14:43:01 2018(r332570)
+++ stable/11/contrib/blacklist/libexec/blacklistd-helper   Mon Apr 16 
14:46:02 2018(r332571)
@@ -80,8 +80,8 @@ add)
echo "block in quick $proto from  to any $port" | \
/sbin/pfctl -a "$2/$6" -f -
# insert $ip/$mask into per-protocol/port anchored table
-   /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \
-   echo OK
+   /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+   /sbin/pfctl -q -k $addr && echo OK
;;
esac
;;
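Review bot: after this change `echo OK` fires only if both the table add and `/sbin/pfctl -q -k $addr` succeed; if the state-kill step fails for a reason unrelated to the block, the address is already in the table but the caller, which looks for OK, will treat the block as failed and its later `rem` bookkeeping will be off. Consider making the kill best-effort (add the address, `echo OK`, then kill states) or checking its status separately, and quote `"$addr"` as `"$addr/$mask"` already is on the previous line.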
@@ -101,7 +101,7 @@ rem)
/sbin/npfctl rule "$2" rem-id "$7"
;;
pf)
-   /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+   /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
echo OK
;;
esac
@@ -118,7 +118,13 @@ flush)
/sbin/npfctl rule "$2" flush
;;
pf)
-   /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK
+   # dynamically determine which anchors exist
+   anchors=$(/sbin/pfctl -a $2 -s Anchors)
+   for anchor in $anchors; do
+   /sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush
+   /sbin/pfctl -a $anchor -F rules
+   done
+   echo OK
;;
esac
;;
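Review bot: the flush branch now prints `OK` unconditionally, whereas before it was `... -T flush && echo OK`; failures of `pfctl -a $anchor -t "port${anchor##*/}" -T flush` or `-F rules` inside the loop are silently dropped. Track a failure flag in the loop and echo OK only when every anchor was flushed. `$2`, `$anchors` and `$anchor` are also unquoted here while `"$2/$6"` is quoted elsewhere in the script; anchor names come from pfctl so whitespace is unlikely, but quoting keeps the script consistent.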


svn commit: r332569 - stable/11/sys/sparc64/sparc64

2018-04-16 Thread Kurt Lidl
Author: lidl
Date: Mon Apr 16 14:42:25 2018
New Revision: 332569
URL: https://svnweb.freebsd.org/changeset/base/332569

Log:
  MFC r324512: Don't use a non-zero argument for __builtin_frame_address
  
  Mirror the change made for powerpc64 in r323687.  With this
  change, gcc 6.4.0 can successfully compile and link a kernel
  that runs on sparc64.

Modified:
  stable/11/sys/sparc64/sparc64/stack_machdep.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/sparc64/sparc64/stack_machdep.c
==
--- stable/11/sys/sparc64/sparc64/stack_machdep.c   Mon Apr 16 14:41:12 
2018(r332568)
+++ stable/11/sys/sparc64/sparc64/stack_machdep.c   Mon Apr 16 14:42:25 
2018(r332569)
@@ -93,5 +93,5 @@ void
 stack_save(struct stack *st)
 {
 
-   stack_capture(st, (struct frame *)__builtin_frame_address(1));
+   stack_capture(st, (struct frame *)__builtin_frame_address(0));
 }
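Review bot: switching to `__builtin_frame_address(0)` is the portable choice (GCC documents nonzero arguments as unreliable on many targets), but it also shifts what is captured by one frame: stack_capture() now starts from stack_save()'s own frame rather than its caller's. Either stack_capture() should skip the first frame, or a comment here should say that the extra frame is expected, matching whatever the powerpc64 change in r323687 did.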


svn commit: r332566 - in stable/11/sys: cddl/dev/dtrace/mips cddl/dev/fbt/mips mips/conf modules/dtrace modules/dtrace/dtraceall

2018-04-16 Thread Kurt Lidl
Author: lidl
Date: Mon Apr 16 14:39:04 2018
New Revision: 332566
URL: https://svnweb.freebsd.org/changeset/base/332566

Log:
  MFC r323206: Enable dtrace support for mips64 and the ERL kernel config
  
  Turn on the required options in the ERL config file, and ensure
  that the fbt module is listed as a dependency for mips in
  the modules/dtrace/dtraceall/dtraceall.c file.

Modified:
  stable/11/sys/cddl/dev/dtrace/mips/dtrace_asm.S
  stable/11/sys/cddl/dev/dtrace/mips/dtrace_subr.c
  stable/11/sys/cddl/dev/fbt/mips/fbt_isa.c
  stable/11/sys/mips/conf/ERL
  stable/11/sys/modules/dtrace/Makefile
  stable/11/sys/modules/dtrace/dtraceall/Makefile
  stable/11/sys/modules/dtrace/dtraceall/dtraceall.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/cddl/dev/dtrace/mips/dtrace_asm.S
==
--- stable/11/sys/cddl/dev/dtrace/mips/dtrace_asm.S Mon Apr 16 14:10:19 
2018(r332565)
+++ stable/11/sys/cddl/dev/dtrace/mips/dtrace_asm.S Mon Apr 16 14:39:04 
2018(r332566)
@@ -37,8 +37,6 @@
 #include 
 #include 
 
-#include "assym.s"
-
 .setnoreorder   # Noreorder is default style!
 
 /*
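Review bot: dropping `#include "assym.s"` is not mentioned in the log message, which only lists the ERL config and dtraceall dependency changes; the log should say why the include is no longer needed, since a reader of the history cannot tell from this hunk whether any assym symbols were referenced in the file.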

Modified: stable/11/sys/cddl/dev/dtrace/mips/dtrace_subr.c
==
--- stable/11/sys/cddl/dev/dtrace/mips/dtrace_subr.cMon Apr 16 14:10:19 
2018(r332565)
+++ stable/11/sys/cddl/dev/dtrace/mips/dtrace_subr.cMon Apr 16 14:39:04 
2018(r332566)
@@ -50,6 +50,8 @@ extern int (*dtrace_invop_jump_addr)(struct trapframe 
 extern dtrace_id_t dtrace_probeid_error;
 
 int dtrace_invop(uintptr_t, struct trapframe *, uintptr_t);
+void dtrace_invop_init(void);
+void dtrace_invop_uninit(void);
 
 typedef struct dtrace_invop_hdlr {
int (*dtih_func)(uintptr_t, struct trapframe *, uintptr_t);

Modified: stable/11/sys/cddl/dev/fbt/mips/fbt_isa.c
==
--- stable/11/sys/cddl/dev/fbt/mips/fbt_isa.c   Mon Apr 16 14:10:19 2018
(r332565)
+++ stable/11/sys/cddl/dev/fbt/mips/fbt_isa.c   Mon Apr 16 14:39:04 2018
(r332566)
@@ -82,7 +82,6 @@ fbt_provide_module_function(linker_file_t lf, int symi
 linker_symval_t *symval, void *opaque)
 {
fbt_probe_t *fbt, *retfbt;
-   uint32_t *target, *start;
uint32_t *instr, *limit;
const char *name;
char *modname;

Modified: stable/11/sys/mips/conf/ERL
==
--- stable/11/sys/mips/conf/ERL Mon Apr 16 14:10:19 2018(r332565)
+++ stable/11/sys/mips/conf/ERL Mon Apr 16 14:39:04 2018(r332566)
@@ -85,15 +85,16 @@ options PRINTF_BUFR_SIZE=128# Prevent printf output 
 optionsHWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
 optionsAUDIT   # Security event auditing
 optionsMAC # TrustedBSD MAC Framework
-#options   KDTRACE_FRAME   # Ensure frames are compiled in
-#options   KDTRACE_HOOKS   # Kernel DTrace hooks
-optionsINCLUDE_CONFIG_FILE # Include this file in kernel
+optionsKDTRACE_FRAME   # Ensure frames are compiled in
+optionsKDTRACE_HOOKS   # Kernel DTrace hooks
+optionsDDB_CTF # Kernel ELF linker loads CTF data
+optionsINCLUDE_CONFIG_FILE # Include this file in kernel
 optionsNO_SWAPPING # Disable support for paging
 optionsTMPFS   # Temporary file system
 
 # Debugging for use in -current
 #options   KDB # Enable kernel debugger support.
-#options   DDB # Support DDB.
+optionsDDB # Support DDB.
 #options   GDB # Support remote GDB.
 #options   DEADLKRES   # Enable the deadlock resolver
 #options   INVARIANTS  # Enable calls of extra sanity checking

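Review bot: `options DDB` is switched on in the block headed "Debugging for use in -current" while `options KDB` directly above stays commented out; GENERIC enables KDB together with DDB, so confirm this builds and that the debugger is actually reachable without KDB. Beyond the build, ERL is a router appliance config, and a compiled-in kernel debugger means that with the default debug.debugger_on_panic setting a panic drops the console into ddb(4); if DDB is meant to stay on, it deserves its own comment explaining that trade-off rather than sitting under the -current debugging header.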
Modified: stable/11/sys/modules/dtrace/Makefile
==
--- stable/11/sys/modules/dtrace/Makefile   Mon Apr 16 14:10:19 2018
(r332565)
+++ stable/11/sys/modules/dtrace/Makefile   Mon Apr 16 14:39:04 2018
(r332566)
@@ -21,10 +21,14 @@ SUBDIR+=systrace_linux32
 .if ${MACHINE_CPUARCH} == "powerpc"
 SUBDIR+=   fbt fasttrap
 .endif
-.if ${MACHINE_CPUARCH} == "amd64" || ${MACHINE_ARCH} == "powerpc64"
+.if ${MACHINE_CPUARCH} == "amd64" || \
+${MACHINE_ARCH} == "mips64" || \
+${MACHINE_ARCH} == "powerpc64"
 SUBDIR+=   systrace_freebsd32
 .endif
-.if ${MACHINE_CPUARCH} == "aarch64" || ${MACHINE_CPUARCH} == "arm"
+.if ${MACHINE_CPUARCH} == "aarch64" || \
+${MACHINE_CPUARCH} == "arm" || \
+${MACHINE_CPUARCH} == "mips"
 SUBDIR+=   fbt
 .endif
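
Review bot: the new condition mixes `${MACHINE_CPUARCH} == "amd64"` with `${MACHINE_ARCH} == "mips64"` and `"powerpc64"` without saying why. A one-line comment that systrace_freebsd32 only applies to 64-bit targets, and that MACHINE_CPUARCH is just "mips" for both 32- and 64-bit MIPS so the finer-grained MACHINE_ARCH has to be tested there, would stop the next reader from "fixing" the mips line to MACHINE_CPUARCH and silently dropping the module.
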
 

svn commit: r331080 - in stable/11/contrib/blacklist: bin libexec

2018-03-16 Thread Kurt Lidl
Author: lidl
Date: Fri Mar 16 23:39:49 2018
New Revision: 331080
URL: https://svnweb.freebsd.org/changeset/base/331080

Log:
  Revert attempted MFC.  It included unwanted changes.

Modified:
  stable/11/contrib/blacklist/bin/blacklistd.8
  stable/11/contrib/blacklist/bin/blacklistd.c
  stable/11/contrib/blacklist/libexec/blacklistd-helper
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/blacklist/bin/blacklistd.8
==
--- stable/11/contrib/blacklist/bin/blacklistd.8Fri Mar 16 23:34:44 
2018(r331079)
+++ stable/11/contrib/blacklist/bin/blacklistd.8Fri Mar 16 23:39:49 
2018(r331080)
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd Dec 6, 2017
+.Dd June 7, 2016
 .Dt BLACKLISTD 8
 .Os
 .Sh NAME
@@ -35,7 +35,7 @@
 .Nd block and release ports on demand to avoid DoS abuse
 .Sh SYNOPSIS
 .Nm
-.Op Fl Bdfrv
+.Op Fl dfrv
 .Op Fl C Ar controlprog
 .Op Fl c Ar configfile
 .Op Fl D Ar dbfile
@@ -154,8 +154,6 @@ The Berkeley DB file where
 .Nm
 stores its state, usually
 .Pa /var/run/blacklistd.db .
-.It Fl B
-Disable processing of bad-usernames.
 .It Fl d
 Normally,
 .Nm

Modified: stable/11/contrib/blacklist/bin/blacklistd.c
==
--- stable/11/contrib/blacklist/bin/blacklistd.cFri Mar 16 23:34:44 
2018(r331079)
+++ stable/11/contrib/blacklist/bin/blacklistd.cFri Mar 16 23:39:49 
2018(r331080)
@@ -76,7 +76,6 @@ static DB *state;
 static const char *dbfile = _PATH_BLSTATE;
 static sig_atomic_t readconf;
 static sig_atomic_t done;
-static int Bflag;
 static int vflag;
 
 static void
@@ -165,85 +164,12 @@ getremoteaddress(bl_info_t *bi, struct sockaddr_storag
return 0;
 }
 
-static const char *badnames_email[] = {
-   "info",
-   "root",
-   "admin",
-   "support",
-   "webmaster",
-   "sales",
-   "postmaster",
-   "marketing",
-   "administrator",
-   "default",
-   "noreply",
-   "ftpuser",
-   "backup",
-   "webadmin",
-   "security",
-   NULL
-};
-
-static const char *badnames_ssh[] = {
-   "admin",
-   "support",
-   "pi",
-   "info",
-   "root",
-   "guest",
-   "webmaster",
-   "ubnt",
-   "abuse",
-   "default",
-   "apache",
-   "nginx",
-   "cisco",
-   "administrator",
-   "ftpuser",
-   "supervisor",
-   "mysql",
-   "postgres",
-   "oracle",
-   "security",
-   "nagios",
-   "webadmin",
-   "usuario",
-   "uucp",
-   "PlcmSpIp",
-   " 0101",
-   NULL
-};
-
-static int
-lookup_username(int proto, int port, const char *username)
-{
-   int i;
-   const char **names;
-
-   if (proto != IPPROTO_TCP)
-   return 0;
-
-   if (port == 22)
-   names = badnames_ssh;
-   else if (port == 25 || port == 587)
-   names = badnames_email;
-   else
-   return 0;
-
-   for (i = 0; names[i] != NULL; i++) {
-   if (strcmp(username, names[i]) == 0)
-   return 1;
-   }
-   return 0;
-}
-
 static void
 process(bl_t bl)
 {
struct sockaddr_storage rss;
socklen_t rsl;
char rbuf[BUFSIZ];
-   int runadd, rundelete;
bl_info_t *bi;
struct conf c;
struct dbinfo dbi;
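
Review bot: the badnames_ssh table being reverted here contains the entry `" 0101"` with a leading space; since lookup_username() compares with strcmp(), that entry can never match a real login name, so it is either a typo or dead data. If the bad-username feature is merged again, that entry and the port numbers hard-coded in lookup_username() (22, 25, 587, instead of whatever blacklistd.conf lists) deserve a second look before re-commit.
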
@@ -287,74 +213,59 @@ process(bl_t bl)
fmttime(b2, sizeof(b2), ts.tv_sec));
}
 
-   runadd = rundelete = 0;
-
switch (bi->bi_type) {
case BL_ABUSE:
/*
 * If the application has signaled abusive behavior,
-* set the number of fails to be the configured limit.
+* set the number of fails to be one less than the
+* configured limit.  Fallthrough to the normal BL_ADD
+* processing, which will increment the failure count
+* to the threshhold, and block the abusive address.
 */
if (c.c_nfail != -1)
-   dbi.count = c.c_nfail;
-   rundelete = 1;
-   runadd = 1;
+   dbi.count = c.c_nfail - 1;
+   /*FALLTHROUGH*/
+   case BL_ADD:
+   dbi.count++;
+   dbi.last = ts.tv_sec;
+   if (dbi.id[0]) {
+   /*
+* We should not be getting this since the rule
+* should have blocked the address. A possible
+* explanation is that someone removed that rule,
+* and another would be that we got another attempt
+* before we added the rule. In anycase, we remove
+* and 

svn commit: r331079 - in stable/11/contrib/blacklist: bin libexec

2018-03-16 Thread Kurt Lidl
Author: lidl
Date: Fri Mar 16 23:34:44 2018
New Revision: 331079
URL: https://svnweb.freebsd.org/changeset/base/331079

Log:
  MFC r328861: improve blacklist-helper shell script

Modified:
  stable/11/contrib/blacklist/bin/blacklistd.8
  stable/11/contrib/blacklist/bin/blacklistd.c
  stable/11/contrib/blacklist/libexec/blacklistd-helper
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/blacklist/bin/blacklistd.8
==
--- stable/11/contrib/blacklist/bin/blacklistd.8Fri Mar 16 22:25:33 
2018(r331078)
+++ stable/11/contrib/blacklist/bin/blacklistd.8Fri Mar 16 23:34:44 
2018(r331079)
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 7, 2016
+.Dd Dec 6, 2017
 .Dt BLACKLISTD 8
 .Os
 .Sh NAME
@@ -35,7 +35,7 @@
 .Nd block and release ports on demand to avoid DoS abuse
 .Sh SYNOPSIS
 .Nm
-.Op Fl dfrv
+.Op Fl Bdfrv
 .Op Fl C Ar controlprog
 .Op Fl c Ar configfile
 .Op Fl D Ar dbfile
@@ -154,6 +154,8 @@ The Berkeley DB file where
 .Nm
 stores its state, usually
 .Pa /var/run/blacklistd.db .
+.It Fl B
+Disable processing of bad-usernames.
 .It Fl d
 Normally,
 .Nm

Modified: stable/11/contrib/blacklist/bin/blacklistd.c
==
--- stable/11/contrib/blacklist/bin/blacklistd.cFri Mar 16 22:25:33 
2018(r331078)
+++ stable/11/contrib/blacklist/bin/blacklistd.cFri Mar 16 23:34:44 
2018(r331079)
@@ -76,6 +76,7 @@ static DB *state;
 static const char *dbfile = _PATH_BLSTATE;
 static sig_atomic_t readconf;
 static sig_atomic_t done;
+static int Bflag;
 static int vflag;
 
 static void
@@ -164,12 +165,85 @@ getremoteaddress(bl_info_t *bi, struct sockaddr_storag
return 0;
 }
 
+static const char *badnames_email[] = {
+   "info",
+   "root",
+   "admin",
+   "support",
+   "webmaster",
+   "sales",
+   "postmaster",
+   "marketing",
+   "administrator",
+   "default",
+   "noreply",
+   "ftpuser",
+   "backup",
+   "webadmin",
+   "security",
+   NULL
+};
+
+static const char *badnames_ssh[] = {
+   "admin",
+   "support",
+   "pi",
+   "info",
+   "root",
+   "guest",
+   "webmaster",
+   "ubnt",
+   "abuse",
+   "default",
+   "apache",
+   "nginx",
+   "cisco",
+   "administrator",
+   "ftpuser",
+   "supervisor",
+   "mysql",
+   "postgres",
+   "oracle",
+   "security",
+   "nagios",
+   "webadmin",
+   "usuario",
+   "uucp",
+   "PlcmSpIp",
+   " 0101",
+   NULL
+};
+
+static int
+lookup_username(int proto, int port, const char *username)
+{
+   int i;
+   const char **names;
+
+   if (proto != IPPROTO_TCP)
+   return 0;
+
+   if (port == 22)
+   names = badnames_ssh;
+   else if (port == 25 || port == 587)
+   names = badnames_email;
+   else
+   return 0;
+
+   for (i = 0; names[i] != NULL; i++) {
+   if (strcmp(username, names[i]) == 0)
+   return 1;
+   }
+   return 0;
+}
+
 static void
 process(bl_t bl)
 {
struct sockaddr_storage rss;
socklen_t rsl;
char rbuf[BUFSIZ];
+   int runadd, rundelete;
bl_info_t *bi;
struct conf c;
struct dbinfo dbi;
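
Review bot: this hunk does not match the log message. "MFC r328861: improve blacklist-helper shell script" describes a change to libexec/blacklistd-helper, but the hunk adds a bad-username table, lookup_username() and `runadd`/`rundelete` to bin/blacklistd.c, and the manpage hunks above add a `-B` flag. Either the log needs to list every revision being merged or the unrelated daemon changes should be split out. Within the added code, `" 0101"` in badnames_ssh has a leading space that strcmp() will never match, and lookup_username() hard-codes ports 22/25/587 rather than taking them from the daemon's configuration.
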
@@ -213,59 +287,74 @@ process(bl_t bl)
fmttime(b2, sizeof(b2), ts.tv_sec));
}
 
+   runadd = rundelete = 0;
+
switch (bi->bi_type) {
case BL_ABUSE:
/*
 * If the application has signaled abusive behavior,
-* set the number of fails to be one less than the
-* configured limit.  Fallthrough to the normal BL_ADD
-* processing, which will increment the failure count
-* to the threshhold, and block the abusive address.
+* set the number of fails to be the configured limit.
 */
if (c.c_nfail != -1)
-   dbi.count = c.c_nfail - 1;
-   /*FALLTHROUGH*/
-   case BL_ADD:
-   dbi.count++;
-   dbi.last = ts.tv_sec;
-   if (dbi.id[0]) {
-   /*
-* We should not be getting this since the rule
-* should have blocked the address. A possible
-* explanation is that someone removed that rule,
-* and another would be that we got another attempt
-* before we added the rule. In anycase, we remove
-* and re-add the rule because we don't want to add
-* it twice, because then we'd lose track 
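
Review bot: this hunk changes BL_ABUSE from "set the count to nfail-1 and fall through into BL_ADD" (the design r318755 introduced) to "set the count to nfail" with separate `rundelete`/`runadd` flags. That is a behaviour change to the abuse path that a log message about the helper script does not cover; if it is part of an upstream sync, the log should say so and name the upstream revision, and the comment should explain what the flags buy over the fall-through.
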

svn commit: r328861 - head/contrib/blacklist/libexec

2018-02-04 Thread Kurt Lidl
Author: lidl
Date: Sun Feb  4 19:43:51 2018
New Revision: 328861
URL: https://svnweb.freebsd.org/changeset/base/328861

Log:
  Update blacklist-helper to not emit messages from pf during operation.
  
  Use 'pfctl -k' when blocking a site to kill active tcp connections
  from the blocked address.
  
  Fix 'purge' operation for pf, which must dynamically determine which
  filters have been created, so the filters can be flushed by name.
  
  MFC after:    2 weeks

Modified:
  head/contrib/blacklist/libexec/blacklistd-helper

Modified: head/contrib/blacklist/libexec/blacklistd-helper
==
--- head/contrib/blacklist/libexec/blacklistd-helperSun Feb  4 19:14:09 
2018(r328860)
+++ head/contrib/blacklist/libexec/blacklistd-helperSun Feb  4 19:43:51 
2018(r328861)
@@ -80,8 +80,8 @@ add)
echo "block in quick $proto from  to any $port" | \
/sbin/pfctl -a "$2/$6" -f -
# insert $ip/$mask into per-protocol/port anchored table
-   /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \
-   echo OK
+   /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+   /sbin/pfctl -q -k $addr && echo OK
;;
esac
;;
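
Review bot: `echo OK` on the last added line now depends on both the table add and `pfctl -q -k $addr` succeeding, so if killing the existing states fails after the address was already inserted into the table, the helper reports failure while the block is in fact in place, and pf and blacklistd's view of it diverge. Report OK on the result of `-T add` and run `-k` as a best-effort step; also quote the address as the previous line does (`"$addr/$mask"`) and consider `-k "$addr/$mask"` so that a network-wide block drops states from the whole range rather than from one host.
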
@@ -101,7 +101,7 @@ rem)
/sbin/npfctl rule "$2" rem-id "$7"
;;
pf)
-   /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+   /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
echo OK
;;
esac
@@ -118,7 +118,13 @@ flush)
/sbin/npfctl rule "$2" flush
;;
pf)
-   /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK
+   # dynamically determine which anchors exist
+   anchors=$(/sbin/pfctl -a $2 -s Anchors)
+   for anchor in $anchors; do
+   /sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush
+   /sbin/pfctl -a $anchor -F rules
+   done
+   echo OK
;;
esac
;;
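
Review bot: `echo OK` is now unconditional where the removed line only printed it when the flush succeeded, so a failing `-T flush` or `-F rules` inside the loop is reported as success. The new pfctl invocations also lack the `-q` this commit adds elsewhere to keep pf quiet, and `$2`/`$anchor` are unquoted unlike the rest of the script. Suggest tracking a status across the loop, e.g. `rc=0`, append `|| rc=1` to each pfctl call, and finish with `[ "$rc" -eq 0 ] && echo OK`.
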
___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"


Re: svn commit: r327086 - head/sys/dev/lmc

2018-01-04 Thread Kurt Lidl

On 1/4/18 5:00 AM, Poul-Henning Kamp wrote:


In message <3f4a7247-e711-c65a-d973-c929ac872...@freebsd.org>, Stefan Esser 
writes:

Am 04.01.18 um 00:41 schrieb Pedro Giffuni:



It appears to be a strange beast that uses the Ethernet chip to generate a
bit stream which is then converted to HDLC. Not sure whether these were used
for Frame Relay or to connect to the British X.25 JANET, a few decades ago.
Perhaps also to connect to SS7 signaling networks?


They were actually pretty versatile, we used them both for "blank"
E1 and Nx64 scenarios, and I know they were used for Frame Relay
several places in US.

I don't think they could do SS7 or ISDN like the MUSYCC chip could.

But nobody uses T1/E1/T3/E3 lines any more for anything...


There's thousands upon thousands of customers that attach to networks
via T1 lines, running Frame-Relay to this day.  Granted, ADSL has
captured the consumer market, but NxT1 is still popular in the
business world.  (And pretty much all the T1s in the world are
actually delivered over 2Mbps SDSL, which is then turned into the
1.544 mbps T1 interface, but that's not really germane to this...)

As for the lmc product itself, and that driver-  David Boggs, when
working at DEC-WRL (Dec's Western Research Lab) realized that the
Ethernet controller that ran the "de" Ethernet chips could be easily
plumbed into an FPGA and used as the front-end controller for the
framer for the serial line.

In 1999 I worked with David Boggs to modernize this driver (or more
precisely, the "sbe" version of it), so it had SMP locking for
FreeBSD and BSD/OS.  Dave is really easy to work with, and we were
able to make the driver deal with Frame Relay, in addition to the
"Cisco HDLC" (aka chdlc) framing.  I don't think we attempted to
get the synch PPP stuff working, as I only had access to a T1 line
with FR signaling on it.

T1 is just an electrical standard for interface, you can do all sorts
of different signaling and protocols over that interface.

I still have this hardware (but not in use), as well as a pair of
the HSSI boards (54mbps, suitable for use with a T3 circuit).

If you just want someone to test it, I can probably lash together
two machines with these cards as the interconnect.

-Kurt



svn commit: r324512 - head/sys/sparc64/sparc64

2017-10-10 Thread Kurt Lidl
Author: lidl
Date: Wed Oct 11 03:50:44 2017
New Revision: 324512
URL: https://svnweb.freebsd.org/changeset/base/324512

Log:
  Don't use a non-zero argument for __builtin_frame_address
  
  Mirror the change made for powerpc64 in r323687.  With this
  change, gcc 6.4.0 can successfully compile and link a kernel
  that runs on sparc64.
  
  MFC after:    2 weeks

Modified:
  head/sys/sparc64/sparc64/stack_machdep.c

Modified: head/sys/sparc64/sparc64/stack_machdep.c
==
--- head/sys/sparc64/sparc64/stack_machdep.cWed Oct 11 02:39:20 2017
(r324511)
+++ head/sys/sparc64/sparc64/stack_machdep.cWed Oct 11 03:50:44 2017
(r324512)
@@ -93,5 +93,5 @@ void
 stack_save(struct stack *st)
 {
 
-   stack_capture(st, (struct frame *)__builtin_frame_address(1));
+   stack_capture(st, (struct frame *)__builtin_frame_address(0));
 }
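
Review bot: switching from `__builtin_frame_address(1)` to `(0)` also moves the starting point one frame down: the walk now begins at stack_save()'s own frame rather than its caller's, so the recorded trace gains a stack_save entry at the top unless stack_capture() skips its first frame. Confirm the output against the powerpc64 change being mirrored (r323687) and, if needed, drop the first frame inside stack_capture() so existing consumers see the same trace shape as before.
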


svn commit: r323206 - in head/sys: cddl/dev/dtrace/mips cddl/dev/fbt/mips mips/conf modules/dtrace modules/dtrace/dtraceall

2017-09-05 Thread Kurt Lidl
Author: lidl
Date: Wed Sep  6 03:19:52 2017
New Revision: 323206
URL: https://svnweb.freebsd.org/changeset/base/323206

Log:
  Enable dtrace support for mips64 and the ERL kernel config
  
  Turn on the required options in the ERL config file, and ensure
  that the fbt module is listed as a dependency for mips in
  the modules/dtrace/dtraceall/dtraceall.c file.
  
  PR:   220346
  Reviewed by:  gnn, markj
  MFC after:    2 weeks
  Differential Revision:    https://reviews.freebsd.org/D12227

Modified:
  head/sys/cddl/dev/dtrace/mips/dtrace_asm.S
  head/sys/cddl/dev/dtrace/mips/dtrace_subr.c
  head/sys/cddl/dev/fbt/mips/fbt_isa.c
  head/sys/mips/conf/ERL
  head/sys/modules/dtrace/Makefile
  head/sys/modules/dtrace/dtraceall/Makefile
  head/sys/modules/dtrace/dtraceall/dtraceall.c

Modified: head/sys/cddl/dev/dtrace/mips/dtrace_asm.S
==
--- head/sys/cddl/dev/dtrace/mips/dtrace_asm.S  Wed Sep  6 02:07:44 2017
(r323205)
+++ head/sys/cddl/dev/dtrace/mips/dtrace_asm.S  Wed Sep  6 03:19:52 2017
(r323206)
@@ -37,8 +37,6 @@
 #include 
 #include 
 
-#include "assym.s"
-
 .setnoreorder   # Noreorder is default style!
 
 /*

Modified: head/sys/cddl/dev/dtrace/mips/dtrace_subr.c
==
--- head/sys/cddl/dev/dtrace/mips/dtrace_subr.c Wed Sep  6 02:07:44 2017
(r323205)
+++ head/sys/cddl/dev/dtrace/mips/dtrace_subr.c Wed Sep  6 03:19:52 2017
(r323206)
@@ -50,6 +50,8 @@ extern int (*dtrace_invop_jump_addr)(struct trapframe 
 extern dtrace_id_t dtrace_probeid_error;
 
 int dtrace_invop(uintptr_t, struct trapframe *, uintptr_t);
+void dtrace_invop_init(void);
+void dtrace_invop_uninit(void);
 
 typedef struct dtrace_invop_hdlr {
int (*dtih_func)(uintptr_t, struct trapframe *, uintptr_t);
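
Review bot: the prototypes for dtrace_invop_init() and dtrace_invop_uninit() are added as file-local declarations in dtrace_subr.c; any other file that calls them has to carry its own copy, and duplicated prototypes in two .c files mean a later signature change is not caught by the compiler. Put both in a dtrace header that the callers and dtrace_subr.c share.
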

Modified: head/sys/cddl/dev/fbt/mips/fbt_isa.c
==
--- head/sys/cddl/dev/fbt/mips/fbt_isa.cWed Sep  6 02:07:44 2017
(r323205)
+++ head/sys/cddl/dev/fbt/mips/fbt_isa.cWed Sep  6 03:19:52 2017
(r323206)
@@ -82,7 +82,6 @@ fbt_provide_module_function(linker_file_t lf, int symi
 linker_symval_t *symval, void *opaque)
 {
fbt_probe_t *fbt, *retfbt;
-   uint32_t *target, *start;
uint32_t *instr, *limit;
const char *name;
char *modname;

Modified: head/sys/mips/conf/ERL
==
--- head/sys/mips/conf/ERL  Wed Sep  6 02:07:44 2017(r323205)
+++ head/sys/mips/conf/ERL  Wed Sep  6 03:19:52 2017(r323206)
@@ -86,14 +86,15 @@ options PRINTF_BUFR_SIZE=128# Prevent printf output 
 optionsHWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
 optionsAUDIT   # Security event auditing
 optionsMAC # TrustedBSD MAC Framework
-#options   KDTRACE_FRAME   # Ensure frames are compiled in
-#options   KDTRACE_HOOKS   # Kernel DTrace hooks
-optionsINCLUDE_CONFIG_FILE # Include this file in kernel
+optionsKDTRACE_FRAME   # Ensure frames are compiled in
+optionsKDTRACE_HOOKS   # Kernel DTrace hooks
+optionsDDB_CTF # Kernel ELF linker loads CTF data
+optionsINCLUDE_CONFIG_FILE # Include this file in kernel
 optionsTMPFS   # Temporary file system
 
 # Debugging for use in -current
 #options   KDB # Enable kernel debugger support.
-#options   DDB # Support DDB.
+optionsDDB # Support DDB.
 #options   GDB # Support remote GDB.
 #options   DEADLKRES   # Enable the deadlock resolver
 #options   INVARIANTS  # Enable calls of extra sanity checking
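
Review bot: `options DDB_CTF` and `options KDTRACE_HOOKS` are enabled, but the hunk adds no `makeoptions WITH_CTF=1`; unless ERL already sets it outside these hunks or this branch's build infers it from KDTRACE_HOOKS, the kernel and modules are built without CTF type data, DTrace has no types to load, and DDB_CTF is inert. Separately, `options DDB` is enabled while `#options KDB` directly above stays commented out; GENERIC enables both, so please confirm DDB works without KDB on mips or enable KDB too.
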

Modified: head/sys/modules/dtrace/Makefile
==
--- head/sys/modules/dtrace/MakefileWed Sep  6 02:07:44 2017
(r323205)
+++ head/sys/modules/dtrace/MakefileWed Sep  6 03:19:52 2017
(r323206)
@@ -22,11 +22,14 @@ SUBDIR+=systrace_linux32
 .if ${MACHINE_CPUARCH} == "powerpc"
 SUBDIR+=   fbt fasttrap
 .endif
-.if ${MACHINE_CPUARCH} == "amd64" || ${MACHINE_ARCH} == "powerpc64"
+.if ${MACHINE_CPUARCH} == "amd64" || \
+${MACHINE_ARCH} == "mips64" || \
+${MACHINE_ARCH} == "powerpc64"
 SUBDIR+=   systrace_freebsd32
 .endif
 .if ${MACHINE_CPUARCH} == "aarch64" || \
 ${MACHINE_CPUARCH} == "arm" || \
+${MACHINE_CPUARCH} == "mips" || \
 ${MACHINE_CPUARCH} == "riscv"
 SUBDIR+=   fbt
 .endif
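
Review bot: `${MACHINE_ARCH} == "mips64"` only matches big-endian soft-float MIPS64; the other 64-bit MIPS values of MACHINE_ARCH (mips64el, mips64hf, mips64elhf) are left out, so systrace_freebsd32 is silently skipped on those targets even though the log says "Enable dtrace support for mips64". If all of them should get the 32-bit compat systrace, test the prefix instead, e.g. `!empty(MACHINE_ARCH:Mmips64*)`, and add a comment explaining why MACHINE_ARCH rather than MACHINE_CPUARCH is tested for MIPS.
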

Modified: head/sys/modules/dtrace/dtraceall/Makefile
==
--- 

svn commit: r323156 - head/sys/mips/conf

2017-09-04 Thread Kurt Lidl
Author: lidl
Date: Mon Sep  4 20:10:34 2017
New Revision: 323156
URL: https://svnweb.freebsd.org/changeset/base/323156

Log:
  Fix whitespace on "options" to be , no functional change

Modified:
  head/sys/mips/conf/ERL

Modified: head/sys/mips/conf/ERL
==
--- head/sys/mips/conf/ERL  Mon Sep  4 18:59:44 2017(r323155)
+++ head/sys/mips/conf/ERL  Mon Sep  4 20:10:34 2017(r323156)
@@ -39,7 +39,7 @@ makeoptions   DEBUG=-g#Build kernel with 
gdb(1) debug 
 #options   OCTEON_VENDOR_LANNER# Support for Lanner boards.
 #options   OCTEON_VENDOR_RADISYS   # Support for Radisys boards.
 optionsOCTEON_VENDOR_UBIQUITI  # Support for Ubiquiti boards.
-#options   OCTEON_VENDOR_GEFES # Support for GE LANIC boards
+#options   OCTEON_VENDOR_GEFES # Support for GE LANIC boards
 #options   OCTEON_BOARD_CAPK_0100ND# Support for CAPK-0100nd.
 
 # Compile for a specified Octeon model.  If not specified, support for
@@ -89,7 +89,7 @@ options   MAC # TrustedBSD MAC 
Framework
 #options   KDTRACE_FRAME   # Ensure frames are compiled in
 #options   KDTRACE_HOOKS   # Kernel DTrace hooks
 optionsINCLUDE_CONFIG_FILE # Include this file in kernel
-optionsTMPFS   # Temporary file system
+optionsTMPFS   # Temporary file system
 
 # Debugging for use in -current
 #options   KDB # Enable kernel debugger support.


svn commit: r320369 - head/sys/mips/conf

2017-06-26 Thread Kurt Lidl
Author: lidl
Date: Mon Jun 26 18:28:00 2017
New Revision: 320369
URL: https://svnweb.freebsd.org/changeset/base/320369

Log:
  Add IPSEC support to mips ERL kernel config file

Modified:
  head/sys/mips/conf/ERL

Modified: head/sys/mips/conf/ERL
==
--- head/sys/mips/conf/ERL  Mon Jun 26 18:23:40 2017(r320368)
+++ head/sys/mips/conf/ERL  Mon Jun 26 18:28:00 2017(r320369)
@@ -53,6 +53,7 @@ options   SCHED_ULE   # ULE scheduler
 optionsPREEMPTION  # Enable kernel thread preemption
 optionsINET# InterNETworking
 optionsINET6   # IPv6 communications protocols
+optionsIPSEC   # IP (v4/v6) security
 optionsTCP_HHOOK   # hhook(9) framework for TCP
 optionsSCTP# Stream Control Transmission Protocol
 optionsFFS # Berkeley Fast Filesystem
@@ -201,7 +202,7 @@ device  ural# Ralink Technology 
RT2500USB wireless N
 device zyd # ZyDAS zd1211/zd1211b wireless NICs
 
 # crypto subsystem
-device crypto  # core crypto support
+device crypto  # core crypto support (required for IPSEC)
 device cryptodev   # /dev/crypto for access to h/w
 device cryptocteon # Octeon coprocessor 2 crypto offload
 


svn commit: r318950 - in stable/11/contrib/blacklist: bin include lib

2017-05-26 Thread Kurt Lidl
Author: lidl
Date: Fri May 26 15:13:46 2017
New Revision: 318950
URL: https://svnweb.freebsd.org/changeset/base/318950

Log:
  MFC r318755: Extend libblacklist support with new action types
  
  The original blacklist library supported two notification types:
   - failed auth attempt, which incremented the failed login count
 by one for the remote address
   - successful auth attempt, which reset the failed login count
 to zero for that remote address
  
  When the failed login count reached the limit in the configuration
  file, the remote address would be blocked by a packet filter.
  
  This patch implements a new notification type, "abusive behavior",
  and accepts, but does not act on an additional type, "bad username".
  It is envisioned that a system administrator will configure a small
  list of "known bad usernames" that should be blocked immediately.
  
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/contrib/blacklist/bin/blacklistd.c
  stable/11/contrib/blacklist/include/bl.h
  stable/11/contrib/blacklist/include/blacklist.h
  stable/11/contrib/blacklist/lib/blacklist.c
  stable/11/contrib/blacklist/lib/libblacklist.3
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/blacklist/bin/blacklistd.c
==
--- stable/11/contrib/blacklist/bin/blacklistd.cFri May 26 13:09:16 
2017(r318949)
+++ stable/11/contrib/blacklist/bin/blacklistd.cFri May 26 15:13:46 
2017(r318950)
@@ -214,6 +214,17 @@ process(bl_t bl)
}
 
switch (bi->bi_type) {
+   case BL_ABUSE:
+   /*
+* If the application has signaled abusive behavior,
+* set the number of fails to be one less than the
+* configured limit.  Fallthrough to the normal BL_ADD
+* processing, which will increment the failure count
+* to the threshhold, and block the abusive address.
+*/
+   if (c.c_nfail != -1)
+   dbi.count = c.c_nfail - 1;
+   /*FALLTHROUGH*/
case BL_ADD:
dbi.count++;
dbi.last = ts.tv_sec;
@@ -249,6 +260,9 @@ process(bl_t bl)
dbi.count = 0;
dbi.last = 0;
break;
+   case BL_BADUSER:
+   /* ignore for now */
+   break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
}

Modified: stable/11/contrib/blacklist/include/bl.h
==
--- stable/11/contrib/blacklist/include/bl.hFri May 26 13:09:16 2017
(r318949)
+++ stable/11/contrib/blacklist/include/bl.hFri May 26 15:13:46 2017
(r318950)
@@ -40,7 +40,9 @@
 typedef enum {
BL_INVALID,
BL_ADD,
-   BL_DELETE
+   BL_DELETE,
+   BL_ABUSE,
+   BL_BADUSER
 } bl_type_t;
 
 typedef struct {

Modified: stable/11/contrib/blacklist/include/blacklist.h
==
--- stable/11/contrib/blacklist/include/blacklist.h Fri May 26 13:09:16 
2017(r318949)
+++ stable/11/contrib/blacklist/include/blacklist.h Fri May 26 15:13:46 
2017(r318950)
@@ -43,4 +43,13 @@ int blacklist_sa_r(struct blacklist *, i
 const struct sockaddr *, socklen_t, const char *);
 __END_DECLS
 
+/* action values for user applications */
+#define BLACKLIST_API_ENUM 1
+enum {
+BLACKLIST_AUTH_OK = 0,
+BLACKLIST_AUTH_FAIL,
+BLACKLIST_ABUSIVE_BEHAVIOR,
+BLACKLIST_BAD_USER
+};
+
 #endif /* _BLACKLIST_H */

Modified: stable/11/contrib/blacklist/lib/blacklist.c
==
--- stable/11/contrib/blacklist/lib/blacklist.c Fri May 26 13:09:16 2017
(r318949)
+++ stable/11/contrib/blacklist/lib/blacklist.c Fri May 26 15:13:46 2017
(r318950)
@@ -61,7 +61,27 @@ int
 blacklist_sa_r(struct blacklist *bl, int action, int rfd,
const struct sockaddr *sa, socklen_t slen, const char *msg)
 {
-   return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg);
+   int internal_action;
+
+   /* internal values are not the same as user application values */
+   switch (action) {
+   case BLACKLIST_AUTH_FAIL:
+   internal_action = BL_ADD;
+   break;
+   case BLACKLIST_AUTH_OK:
+   internal_action = BL_DELETE;
+   break;
+   case BLACKLIST_ABUSIVE_BEHAVIOR:
+   internal_action = BL_ABUSE;
+   break;
+   case BLACKLIST_BAD_USER:
+   internal_action = BL_BADUSER;
+   break;
+   default:
+   internal_action = BL_INVALID;
+   break;
+   }
+   return bl_send(bl, internal_action, rfd, sa, slen, 

svn commit: r318755 - in head/contrib/blacklist: bin include lib

2017-05-23 Thread Kurt Lidl
Author: lidl
Date: Tue May 23 19:03:07 2017
New Revision: 318755
URL: https://svnweb.freebsd.org/changeset/base/318755

Log:
  Extend libblacklist support with new action types
  
  The original blacklist library supported two notification types:
   - failed auth attempt, which incremented the failed login count
 by one for the remote address
   - successful auth attempt, which reset the failed login count
 to zero for that remote address
  
  When the failed login count reached the limit in the configuration
  file, the remote address would be blocked by a packet filter.
  
  This patch implements a new notification type, "abusive behavior",
  and accepts, but does not act on an additional type, "bad username".
  It is envisioned that a system administrator will configure a small
  list of "known bad usernames" that should be blocked immediately.
  
  Reviewed by:  emaste
  MFC after:    3 days
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D10604

Modified:
  head/contrib/blacklist/bin/blacklistd.c
  head/contrib/blacklist/include/bl.h
  head/contrib/blacklist/include/blacklist.h
  head/contrib/blacklist/lib/blacklist.c
  head/contrib/blacklist/lib/libblacklist.3

Modified: head/contrib/blacklist/bin/blacklistd.c
==
--- head/contrib/blacklist/bin/blacklistd.c Tue May 23 17:41:09 2017
(r318754)
+++ head/contrib/blacklist/bin/blacklistd.c Tue May 23 19:03:07 2017
(r318755)
@@ -214,6 +214,17 @@ process(bl_t bl)
}
 
switch (bi->bi_type) {
+   case BL_ABUSE:
+   /*
+* If the application has signaled abusive behavior,
+* set the number of fails to be one less than the
+* configured limit.  Fallthrough to the normal BL_ADD
+* processing, which will increment the failure count
+* to the threshhold, and block the abusive address.
+*/
+   if (c.c_nfail != -1)
+   dbi.count = c.c_nfail - 1;
+   /*FALLTHROUGH*/
case BL_ADD:
dbi.count++;
dbi.last = ts.tv_sec;
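
Review bot: when `c.c_nfail == -1` (no limit configured) the new BL_ABUSE case skips the `dbi.count = c.c_nfail - 1` assignment and falls into BL_ADD, so an explicit abuse report is then treated as one ordinary failure and never blocks. If that is intended, say so in the comment; otherwise handle the unlimited case separately. Also "threshhold" in the comment should read "threshold".
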
@@ -249,6 +260,9 @@ process(bl_t bl)
dbi.count = 0;
dbi.last = 0;
break;
+   case BL_BADUSER:
+   /* ignore for now */
+   break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
}

Modified: head/contrib/blacklist/include/bl.h
==
--- head/contrib/blacklist/include/bl.h Tue May 23 17:41:09 2017
(r318754)
+++ head/contrib/blacklist/include/bl.h Tue May 23 19:03:07 2017
(r318755)
@@ -40,7 +40,9 @@
 typedef enum {
BL_INVALID,
BL_ADD,
-   BL_DELETE
+   BL_DELETE,
+   BL_ABUSE,
+   BL_BADUSER
 } bl_type_t;
 
 typedef struct {
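
Review bot: appending BL_ABUSE and BL_BADUSER after BL_DELETE keeps the numeric values of the existing types, which matters because bl_type_t travels over the socket between applications and the daemon. A comment in the enum that new values must only be appended would preserve that, and the log should mention that an older daemon receiving the new types lands in the `unknown message` default of process().
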

Modified: head/contrib/blacklist/include/blacklist.h
==
--- head/contrib/blacklist/include/blacklist.h  Tue May 23 17:41:09 2017
(r318754)
+++ head/contrib/blacklist/include/blacklist.h  Tue May 23 19:03:07 2017
(r318755)
@@ -43,4 +43,13 @@ int blacklist_sa_r(struct blacklist *, i
 const struct sockaddr *, socklen_t, const char *);
 __END_DECLS
 
+/* action values for user applications */
+#define BLACKLIST_API_ENUM 1
+enum {
+BLACKLIST_AUTH_OK = 0,
+BLACKLIST_AUTH_FAIL,
+BLACKLIST_ABUSIVE_BEHAVIOR,
+BLACKLIST_BAD_USER
+};
+
 #endif /* _BLACKLIST_H */
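
Review bot: `BLACKLIST_API_ENUM` is defined without a comment saying what it is for. As a feature-test macro that lets callers tell the enum-based API from the old 0/1 `action` argument, it needs a sentence here, and the enum should note that BLACKLIST_AUTH_OK and BLACKLIST_AUTH_FAIL deliberately keep the values 0 and 1 of the old boolean so existing callers are unaffected.
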

Modified: head/contrib/blacklist/lib/blacklist.c
==
--- head/contrib/blacklist/lib/blacklist.c  Tue May 23 17:41:09 2017
(r318754)
+++ head/contrib/blacklist/lib/blacklist.c  Tue May 23 19:03:07 2017
(r318755)
@@ -61,7 +61,27 @@ int
 blacklist_sa_r(struct blacklist *bl, int action, int rfd,
const struct sockaddr *sa, socklen_t slen, const char *msg)
 {
-   return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg);
+   int internal_action;
+
+   /* internal values are not the same as user application values */
+   switch (action) {
+   case BLACKLIST_AUTH_FAIL:
+   internal_action = BL_ADD;
+   break;
+   case BLACKLIST_AUTH_OK:
+   internal_action = BL_DELETE;
+   break;
+   case BLACKLIST_ABUSIVE_BEHAVIOR:
+   internal_action = BL_ABUSE;
+   break;
+   case BLACKLIST_BAD_USER:
+   internal_action = BL_BADUSER;
+   break;
+   default:
+   internal_action = BL_INVALID;
+   break;
+   }
+   return bl_send(bl, internal_action, rfd, sa, slen, msg);
 }
 
 int
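
Review bot: the removed mapping `action ? BL_ADD : BL_DELETE` treated every non-zero action as a failure report, while the new switch maps only 1 to BL_ADD and sends BL_INVALID for anything else. A caller that passed some other non-zero value as `action` used to increment the failure counter and now produces a message the daemon logs as unknown; that silent change should be called out in the log and in libblacklist.3 (listed as modified but not shown here).
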

Modified: 
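
The failure-count semantics that the r318755 hunks above add to blacklistd, as a stand-alone C model added here (example code, not the project's own): it shows the BLACKLIST_* to BL_* translation from blacklist.c and the BL_ABUSE fall-through from process(), including the case where no limit is configured. The `_model` names are this example's own, and the threshold check `count >= nfail` is an assumption taken from the hunk's comment ("increment the failure count to the threshhold, and block") rather than from code shown on the page; the helper invocation that installs the packet-filter rule is left out.

```c
/*
 * Added example (not blacklistd's code): a stand-alone model of how a
 * remote address accumulates failures and gets blocked under the
 * message types that r318755 adds.  Names ending in _model are this
 * example's own.  The block condition (count >= nfail) is assumed from
 * the BL_ABUSE comment in the hunk; the real process() also runs the
 * packet-filter helper, which is left out here.
 */
#include <stdio.h>

/* Wire-level message types in the order bl.h declares them; the new
 * types are appended so BL_ADD/BL_DELETE keep their old values. */
typedef enum { BL_INVALID, BL_ADD, BL_DELETE, BL_ABUSE, BL_BADUSER } bl_type_t;

/* User-application action values from blacklist.h. */
enum {
	BLACKLIST_AUTH_OK = 0,
	BLACKLIST_AUTH_FAIL,
	BLACKLIST_ABUSIVE_BEHAVIOR,
	BLACKLIST_BAD_USER
};

/* Per-address state, a subset of the daemon's struct dbinfo. */
struct dbinfo_model {
	int count;	/* failures recorded so far */
	long last;	/* time of the most recent failure */
};

/* blacklist_sa_r()'s translation after r318755: only the four known
 * values map to a real type; anything else becomes BL_INVALID. */
bl_type_t
map_action_model(int action)
{
	switch (action) {
	case BLACKLIST_AUTH_FAIL:
		return BL_ADD;
	case BLACKLIST_AUTH_OK:
		return BL_DELETE;
	case BLACKLIST_ABUSIVE_BEHAVIOR:
		return BL_ABUSE;
	case BLACKLIST_BAD_USER:
		return BL_BADUSER;
	default:
		return BL_INVALID;
	}
}

/*
 * Apply one message to an address's state.  nfail is the configured
 * limit, -1 meaning "never block".  Returns 1 when the daemon would
 * (re)install the block rule for this address, 0 otherwise.
 */
int
apply_model(struct dbinfo_model *dbi, bl_type_t type, int nfail, long now)
{
	switch (type) {
	case BL_ABUSE:
		/* One below the limit, then fall through so the BL_ADD
		 * increment reaches it.  With nfail == -1 nothing is set
		 * and the report counts as a single ordinary failure. */
		if (nfail != -1)
			dbi->count = nfail - 1;
		/* FALLTHROUGH */
	case BL_ADD:
		dbi->count++;
		dbi->last = now;
		return (nfail != -1 && dbi->count >= nfail) ? 1 : 0;
	case BL_DELETE:
		/* successful authentication clears the record */
		dbi->count = 0;
		dbi->last = 0;
		return 0;
	case BL_BADUSER:
		/* accepted but not acted on by the daemon yet */
		return 0;
	default:
		return 0;
	}
}

int
main(void)
{
	struct dbinfo_model dbi = { 0, 0 };
	int i, blocked = 0;

	/* three ordinary failures against a limit of 3 */
	for (i = 1; i <= 3; i++)
		blocked = apply_model(&dbi,
		    map_action_model(BLACKLIST_AUTH_FAIL), 3, 1000 + i);
	printf("after 3 failures: count=%d block=%d\n", dbi.count, blocked);

	/* one abuse report on a fresh record with the same limit */
	dbi.count = 0;
	blocked = apply_model(&dbi,
	    map_action_model(BLACKLIST_ABUSIVE_BEHAVIOR), 3, 2000);
	printf("after abuse report: count=%d block=%d\n", dbi.count, blocked);

	/* the same report when no limit is configured: never blocks */
	dbi.count = 0;
	blocked = apply_model(&dbi, BL_ABUSE, -1, 3000);
	printf("abuse with nfail=-1: count=%d block=%d\n", dbi.count, blocked);
	return 0;
}
```

The third scenario in main() is the one to watch when deploying: with no `nfail` in the configuration an application's abuse report is just one more failure, so a service that relies on BLACKLIST_ABUSIVE_BEHAVIOR to block immediately must still have a limit configured for its port.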

svn commit: r318402 - stable/11/crypto/openssh

2017-05-17 Thread Kurt Lidl
Author: lidl
Date: Wed May 17 14:28:01 2017
New Revision: 318402
URL: https://svnweb.freebsd.org/changeset/base/318402

Log:
  MFC r318242: Refine and update blacklist support in sshd
  
  Adjust notification points slightly to catch all auth failures, rather
  than just the ones caused by bad usernames.  Modify notification point
  for bad usernames to send new type of BLACKLIST_BAD_USER.  (Support in
  libblacklist will be forthcoming soon.)  Add guards to allow library
  headers to expose the enum of action values.
  
  Reviewed by:  des
  Relnotes: yes
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/crypto/openssh/auth-pam.c
  stable/11/crypto/openssh/auth.c
  stable/11/crypto/openssh/auth1.c
  stable/11/crypto/openssh/auth2.c
  stable/11/crypto/openssh/blacklist.c
  stable/11/crypto/openssh/blacklist_client.h
  stable/11/crypto/openssh/packet.c
  stable/11/crypto/openssh/sshd.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/crypto/openssh/auth-pam.c
==
--- stable/11/crypto/openssh/auth-pam.c Wed May 17 13:22:13 2017
(r318401)
+++ stable/11/crypto/openssh/auth-pam.c Wed May 17 14:28:01 2017
(r318402)
@@ -795,7 +795,8 @@ sshpam_query(void *ctx, char **name, cha
free(msg);
return (0);
}
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+   BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+   sshpam_authctxt->user);
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
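
Review bot: the notification in sshpam_query() now reports BLACKLIST_BAD_USER for every PAM failure on this path, but the error() call right below distinguishes `sshpam_authctxt->valid` (the format only prints "illegal user " when it is false), so a wrong password for an existing account is now classified as a bad username. Select the type on `valid`: BLACKLIST_BAD_USER when the user is unknown, BLACKLIST_AUTH_FAIL otherwise.
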

Modified: stable/11/crypto/openssh/auth.c
==
--- stable/11/crypto/openssh/auth.c Wed May 17 13:22:13 2017
(r318401)
+++ stable/11/crypto/openssh/auth.c Wed May 17 14:28:01 2017
(r318402)
@@ -296,7 +296,7 @@ auth_log(Authctxt *authctxt, int authent
else {
authmsg = authenticated ? "Accepted" : "Failed";
if (authenticated)
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh");
}
 
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
@@ -644,7 +644,7 @@ getpwnamallow(const char *user)
}
 #endif
if (pw == NULL) {
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+   BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
 #ifdef CUSTOM_FAILED_LOGIN
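
Review bot: `user` here is the client-supplied login name, now forwarded verbatim as the notification payload. The receiving side must treat it as untrusted data (bounded length, logged without interpretation, never placed on the helper's command line, since the helper runs shell commands on the daemon's behalf); that expectation is worth a sentence in the log.
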

Modified: stable/11/crypto/openssh/auth1.c
==
--- stable/11/crypto/openssh/auth1.cWed May 17 13:22:13 2017
(r318401)
+++ stable/11/crypto/openssh/auth1.cWed May 17 14:28:01 2017
(r318402)
@@ -338,7 +338,7 @@ do_authloop(Authctxt *authctxt)
char *msg;
size_t len;
 
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len();
@@ -364,6 +364,7 @@ do_authloop(Authctxt *authctxt)
if (authenticated)
return;
 
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
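Review bot: the unconditional BLACKLIST_AUTH_FAIL added after `if (authenticated) return;` lives in the same do_authloop as the PAM-account-denial notification in the previous hunk; if that denial path falls through to this point instead of disconnecting, one rejected login is reported twice. Worth confirming the control flow between the two notification points, or making the PAM path leave the loop explicitly.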
@@ -406,7 +407,7 @@ do_authentication(Authctxt *authctxt)
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+   BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
}
 
/* Configuration may have changed as a result of Match */
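Review bot: do_authentication now reports BLACKLIST_BAD_USER for an unknown name and then hands fakepw() to do_authloop, where every subsequent attempt also raises BLACKLIST_AUTH_FAIL, so one connection with a bad username produces both action types. If counting bad usernames harder is the intent, the log message should say so explicitly.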

Modified: stable/11/crypto/openssh/auth2.c
==
--- stable/11/crypto/openssh/auth2.cWed May 17 13:22:13 2017
(r318401)
+++ stable/11/crypto/openssh/auth2.cWed May 17 14:28:01 2017
(r318402)
@@ -249,7 +249,6 @@ input_userauth_request(int type, u_int32
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
 #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
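Review bot: the only notification on the protocol-2 invalid-user path is removed here with no replacement in this hunk, whereas the matching auth1.c do_authentication hunk converts it to BLACKLIST_BAD_USER; unless the truncated userauth_finish hunk re-adds it, unknown usernames over SSH-2 would stop being reported as bad users. Please check that userauth_finish covers the fakepw() case.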
@@ -389,8 +388,10 @@ userauth_finish(Authctxt *authctxt, 

Re: svn commit: r318242 - head/crypto/openssh

2017-05-12 Thread Kurt Lidl

On 5/12/17 11:20 AM, Kurt Lidl wrote:

Author: lidl
Date: Fri May 12 15:20:12 2017
New Revision: 318242
URL: https://svnweb.freebsd.org/changeset/base/318242

Log:
  Refine and update blacklist support in sshd
  
  Adjust notification points slightly to catch all auth failures,
  rather than just the ones caused by bad usernames.
  
  Modify notification point for bad usernames to send new type of
  BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
  Add guards to allow library headers to expose the enum of action values.
  
  Reviewed by:  des
  Approved by:  des
  Sponsored by: The FreeBSD Foundation


Forgot:

MFC after: 3 days

-Kurt



svn commit: r318242 - head/crypto/openssh

2017-05-12 Thread Kurt Lidl
Author: lidl
Date: Fri May 12 15:20:12 2017
New Revision: 318242
URL: https://svnweb.freebsd.org/changeset/base/318242

Log:
  Refine and update blacklist support in sshd
  
  Adjust notification points slightly to catch all auth failures,
  rather than just the ones caused by bad usernames.
  
  Modify notification point for bad usernames to send new type of
  BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
  Add guards to allow library headers to expose the enum of action values.
  
  Reviewed by:  des
  Approved by:  des
  Sponsored by: The FreeBSD Foundation

Modified:
  head/crypto/openssh/auth-pam.c
  head/crypto/openssh/auth.c
  head/crypto/openssh/auth1.c
  head/crypto/openssh/auth2.c
  head/crypto/openssh/blacklist.c
  head/crypto/openssh/blacklist_client.h
  head/crypto/openssh/packet.c
  head/crypto/openssh/sshd.c

Modified: head/crypto/openssh/auth-pam.c
==
--- head/crypto/openssh/auth-pam.c  Fri May 12 15:08:23 2017
(r318241)
+++ head/crypto/openssh/auth-pam.c  Fri May 12 15:20:12 2017
(r318242)
@@ -799,7 +799,8 @@ sshpam_query(void *ctx, char **name, cha
free(msg);
return (0);
}
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+   BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+   sshpam_authctxt->user);
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,

Modified: head/crypto/openssh/auth.c
==
--- head/crypto/openssh/auth.c  Fri May 12 15:08:23 2017(r318241)
+++ head/crypto/openssh/auth.c  Fri May 12 15:20:12 2017(r318242)
@@ -311,7 +311,7 @@ auth_log(Authctxt *authctxt, int authent
else {
authmsg = authenticated ? "Accepted" : "Failed";
if (authenticated)
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh");
}
 
authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
@@ -664,7 +664,7 @@ getpwnamallow(const char *user)
}
 #endif
if (pw == NULL) {
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+   BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
 #ifdef CUSTOM_FAILED_LOGIN

Modified: head/crypto/openssh/auth1.c
==
--- head/crypto/openssh/auth1.c Fri May 12 15:08:23 2017(r318241)
+++ head/crypto/openssh/auth1.c Fri May 12 15:20:12 2017(r318242)
@@ -338,7 +338,7 @@ do_authloop(Authctxt *authctxt)
char *msg;
size_t len;
 
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len();
@@ -364,6 +364,7 @@ do_authloop(Authctxt *authctxt)
if (authenticated)
return;
 
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
@@ -406,7 +407,7 @@ do_authentication(Authctxt *authctxt)
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
+   BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
}
 
/* Configuration may have changed as a result of Match */

Modified: head/crypto/openssh/auth2.c
==
--- head/crypto/openssh/auth2.c Fri May 12 15:08:23 2017(r318241)
+++ head/crypto/openssh/auth2.c Fri May 12 15:20:12 2017(r318242)
@@ -245,7 +245,6 @@ input_userauth_request(int type, u_int32
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
-   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
 #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
@@ -386,8 +385,10 @@ userauth_finish(Authctxt *authctxt, int 
 
/* Allow initial try of "none" auth without failure penalty */
if (!partial && 

svn commit: r318240 - stable/11/libexec/ftpd

2017-05-12 Thread Kurt Lidl
Author: lidl
Date: Fri May 12 15:03:09 2017
New Revision: 318240
URL: https://svnweb.freebsd.org/changeset/base/318240

Log:
  MFC r317862:
  Improve blacklist support before upgrading libblacklist
  
  The locally declared enum of blacklistd actions needs to be
  hidden when the soon to be committed changes to libblacklist
  are brought into the tree.  Fix the type of the "msg" parameter
  to match the library.
  
  There should be no functional changes.
  
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/libexec/ftpd/blacklist.c
  stable/11/libexec/ftpd/blacklist_client.h
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/libexec/ftpd/blacklist.c
==
--- stable/11/libexec/ftpd/blacklist.c  Fri May 12 15:00:06 2017
(r318239)
+++ stable/11/libexec/ftpd/blacklist.c  Fri May 12 15:03:09 2017
(r318240)
@@ -33,8 +33,8 @@
 #include 
 #include 
 
-#include "blacklist_client.h"
 #include 
+#include "blacklist_client.h"
 
 static struct blacklist *blstate;
 extern int use_blacklist;
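Review bot: the include reorder is load-bearing: the local blacklist_client.h tests BLACKLIST_API_ENUM, which the library header above it defines, so it has to come after that header. Add a comment on the include, e.g. `/* must follow the library header, which defines BLACKLIST_API_ENUM */`, otherwise the next include-sorting pass silently reintroduces the duplicate enum.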
@@ -48,7 +48,7 @@ blacklist_init(void)
 }
 
 void
-blacklist_notify(int action, int fd, char *msg)
+blacklist_notify(int action, int fd, const char *msg)
 {
 
if (blstate == NULL)

Modified: stable/11/libexec/ftpd/blacklist_client.h
==
--- stable/11/libexec/ftpd/blacklist_client.h   Fri May 12 15:00:06 2017
(r318239)
+++ stable/11/libexec/ftpd/blacklist_client.h   Fri May 12 15:03:09 2017
(r318240)
@@ -31,14 +31,16 @@
 #ifndef BLACKLIST_CLIENT_H
 #define BLACKLIST_CLIENT_H
 
+#ifndef BLACKLIST_API_ENUM
 enum {
BLACKLIST_AUTH_OK = 0,
BLACKLIST_AUTH_FAIL
 };
+#endif
 
 #ifdef USE_BLACKLIST
 void blacklist_init(void);
-void blacklist_notify(int, int, char *);
+void blacklist_notify(int, int, const char *);
 
 #define BLACKLIST_INIT() blacklist_init()
 #define BLACKLIST_NOTIFY(x, y, z) blacklist_notify(x, y, z)
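Review bot: the #ifndef BLACKLIST_API_ENUM fallback keeps a private enum with BLACKLIST_AUTH_OK = 0 and BLACKLIST_AUTH_FAIL, and nothing checks that these equal the library's values once the library enum is used instead; the action is an int that goes to blacklistd, so a mismatch would be silent. A `_Static_assert` on the values when the library enum is present, or removing the local enum once libblacklist is upgraded (as the log message anticipates), would close that gap.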


svn commit: r318239 - in stable/11/contrib/blacklist: . bin etc/rc.d lib libexec port

2017-05-12 Thread Kurt Lidl
Author: lidl
Date: Fri May 12 15:00:06 2017
New Revision: 318239
URL: https://svnweb.freebsd.org/changeset/base/318239

Log:
  MFC r317802:
  Merge latest version of blacklist sources from NetBSD (@ 20170503)
  
  Sponsored by: The FreeBSD Foundation

Replaced:
  stable/11/contrib/blacklist/port/config.h
 - copied unchanged from r317802, head/contrib/blacklist/port/config.h
Modified:
  stable/11/contrib/blacklist/README
  stable/11/contrib/blacklist/bin/blacklistctl.8
  stable/11/contrib/blacklist/bin/blacklistctl.c
  stable/11/contrib/blacklist/bin/blacklistd.c
  stable/11/contrib/blacklist/bin/blacklistd.conf.5
  stable/11/contrib/blacklist/etc/rc.d/blacklistd
  stable/11/contrib/blacklist/lib/bl.c
  stable/11/contrib/blacklist/lib/libblacklist.3
  stable/11/contrib/blacklist/libexec/blacklistd-helper
  stable/11/contrib/blacklist/port/Makefile.am
  stable/11/contrib/blacklist/port/sockaddr_snprintf.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/blacklist/README
==
--- stable/11/contrib/blacklist/README  Fri May 12 14:38:09 2017
(r318238)
+++ stable/11/contrib/blacklist/README  Fri May 12 15:00:06 2017
(r318239)
@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.7 2015/01/26 00:34:50 christos Exp $
+# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $
 
 This package contains library that can be used by network daemons to
 communicate with a packet filter via a daemon to enforce opening and
@@ -98,6 +98,16 @@ group "internal" on $int_if {
...
 }
 
+You can use 'blacklistctl dump -a' to list all the current entries
+in the database; the ones that have nfail / where urrent
+>= otal, should have an id assosiated with them; this means that
+there is a packet filter rule added for that entry. For npf, you
+can examine the packet filter dynamic rule entries using 'npfctl
+rule  list'.  The number of current entries can exceed
+the total. This happens because entering packet filter rules is
+asynchronous; there could be other connection before the rule
+becomes activated.
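Review bot: two typos in the added paragraph: "assosiated" should be "associated", and "there could be other connection before the rule" should read "other connections". The fraction description ("nfail / where urrent >= otal") also reads garbled in this listing; worth checking that the upstream text renders the current/total names intact.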
+
 Enjoy,
 
 christos

Modified: stable/11/contrib/blacklist/bin/blacklistctl.8
==
--- stable/11/contrib/blacklist/bin/blacklistctl.8  Fri May 12 14:38:09 
2017(r318238)
+++ stable/11/contrib/blacklist/bin/blacklistctl.8  Fri May 12 15:00:06 
2017(r318239)
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistctl.8,v 1.7 2015/04/30 06:20:43 riz Exp $
+.\" $NetBSD: blacklistctl.8,v 1.9 2016/06/08 12:48:37 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -77,7 +77,8 @@ it to make sure that there is only one r
 .Nm
 first appeared in
 .Nx 7 .
-.Fx support for
+.Fx
+support for
 .Nm
 was implemented in
 .Fx 11 .

Modified: stable/11/contrib/blacklist/bin/blacklistctl.c
==
--- stable/11/contrib/blacklist/bin/blacklistctl.c  Fri May 12 14:38:09 
2017(r318238)
+++ stable/11/contrib/blacklist/bin/blacklistctl.c  Fri May 12 15:00:06 
2017(r318239)
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $   
*/
+/* $NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $
*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $");
 
 #include 
 #include 

Modified: stable/11/contrib/blacklist/bin/blacklistd.c
==
--- stable/11/contrib/blacklist/bin/blacklistd.cFri May 12 14:38:09 
2017(r318238)
+++ stable/11/contrib/blacklist/bin/blacklistd.cFri May 12 15:00:06 
2017(r318239)
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $ */
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $");
 
 #include 
 #include 
@@ -403,12 +403,14 @@ int
 main(int argc, char *argv[])
 {
int c, tout, flags, flush, restore, ret;
-   const char *spath, *blsock;
+   const char *spath, **blsock;
+   size_t nblsock, maxblsock;
 
setprogname(argv[0]);
 
spath = NULL;
-   blsock = _PATH_BLSOCK;
+   blsock = NULL;
+   maxblsock = nblsock = 0;
flush = 0;
restore = 0;
tout = 0;
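Review bot: the default socket path is dropped here (`blsock = _PATH_BLSOCK` becomes `blsock = NULL` with `maxblsock = nblsock = 0`), so unless the code after option parsing adds _PATH_BLSOCK when nblsock is still zero, a daemon started without -s listens on no socket at all. The hunk is cut off before that point in this listing; please confirm the fallback exists and that the rc.d script still works with no -s given.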
@@ -440,7 +442,17 @@ main(int argc, char *argv[])
restore++;
  

svn commit: r317862 - head/libexec/ftpd

2017-05-05 Thread Kurt Lidl
Author: lidl
Date: Sat May  6 04:17:48 2017
New Revision: 317862
URL: https://svnweb.freebsd.org/changeset/base/317862

Log:
  Improve blacklist support before upgrading libblacklist
  
  The locally declared enum of blacklistd actions needs to be
  hidden when the soon to be committed changes to libblacklist
  are brought into the tree.  Fix the type of the "msg" parameter
  to match the library.
  
  There should be no functional changes.
  
  MFC after:    3 days
  Sponsored by: The FreeBSD Foundation

Modified:
  head/libexec/ftpd/blacklist.c
  head/libexec/ftpd/blacklist_client.h

Modified: head/libexec/ftpd/blacklist.c
==
--- head/libexec/ftpd/blacklist.c   Sat May  6 02:43:26 2017
(r317861)
+++ head/libexec/ftpd/blacklist.c   Sat May  6 04:17:48 2017
(r317862)
@@ -33,8 +33,8 @@
 #include 
 #include 
 
-#include "blacklist_client.h"
 #include 
+#include "blacklist_client.h"
 
 static struct blacklist *blstate;
 extern int use_blacklist;
@@ -48,7 +48,7 @@ blacklist_init(void)
 }
 
 void
-blacklist_notify(int action, int fd, char *msg)
+blacklist_notify(int action, int fd, const char *msg)
 {
 
if (blstate == NULL)

Modified: head/libexec/ftpd/blacklist_client.h
==
--- head/libexec/ftpd/blacklist_client.hSat May  6 02:43:26 2017
(r317861)
+++ head/libexec/ftpd/blacklist_client.hSat May  6 04:17:48 2017
(r317862)
@@ -31,14 +31,16 @@
 #ifndef BLACKLIST_CLIENT_H
 #define BLACKLIST_CLIENT_H
 
+#ifndef BLACKLIST_API_ENUM
 enum {
BLACKLIST_AUTH_OK = 0,
BLACKLIST_AUTH_FAIL
 };
+#endif
 
 #ifdef USE_BLACKLIST
 void blacklist_init(void);
-void blacklist_notify(int, int, char *);
+void blacklist_notify(int, int, const char *);
 
 #define BLACKLIST_INIT() blacklist_init()
 #define BLACKLIST_NOTIFY(x, y, z) blacklist_notify(x, y, z)


svn commit: r317802 - in head/contrib/blacklist: . bin etc/rc.d lib libexec port

2017-05-04 Thread Kurt Lidl
Author: lidl
Date: Thu May  4 19:07:37 2017
New Revision: 317802
URL: https://svnweb.freebsd.org/changeset/base/317802

Log:
  Merge latest version of blacklist sources from NetBSD (@ 20170503)
  
  MFC after:    3 days
  Sponsored by: The FreeBSD Foundation

Replaced:
  head/contrib/blacklist/port/config.h   (contents, props changed)
Modified:
  head/contrib/blacklist/README
  head/contrib/blacklist/bin/blacklistctl.8
  head/contrib/blacklist/bin/blacklistctl.c
  head/contrib/blacklist/bin/blacklistd.c
  head/contrib/blacklist/bin/blacklistd.conf.5
  head/contrib/blacklist/etc/rc.d/blacklistd
  head/contrib/blacklist/lib/bl.c
  head/contrib/blacklist/lib/libblacklist.3
  head/contrib/blacklist/libexec/blacklistd-helper
  head/contrib/blacklist/port/Makefile.am
  head/contrib/blacklist/port/sockaddr_snprintf.c
Directory Properties:
  head/contrib/blacklist/   (props changed)

Modified: head/contrib/blacklist/README
==
--- head/contrib/blacklist/README   Thu May  4 19:01:17 2017
(r317801)
+++ head/contrib/blacklist/README   Thu May  4 19:07:37 2017
(r317802)
@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.7 2015/01/26 00:34:50 christos Exp $
+# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $
 
 This package contains library that can be used by network daemons to
 communicate with a packet filter via a daemon to enforce opening and
@@ -98,6 +98,16 @@ group "internal" on $int_if {
...
 }
 
+You can use 'blacklistctl dump -a' to list all the current entries
+in the database; the ones that have nfail / where urrent
+>= otal, should have an id assosiated with them; this means that
+there is a packet filter rule added for that entry. For npf, you
+can examine the packet filter dynamic rule entries using 'npfctl
+rule  list'.  The number of current entries can exceed
+the total. This happens because entering packet filter rules is
+asynchronous; there could be other connection before the rule
+becomes activated.
+
 Enjoy,
 
 christos

Modified: head/contrib/blacklist/bin/blacklistctl.8
==
--- head/contrib/blacklist/bin/blacklistctl.8   Thu May  4 19:01:17 2017
(r317801)
+++ head/contrib/blacklist/bin/blacklistctl.8   Thu May  4 19:07:37 2017
(r317802)
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistctl.8,v 1.7 2015/04/30 06:20:43 riz Exp $
+.\" $NetBSD: blacklistctl.8,v 1.9 2016/06/08 12:48:37 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -77,7 +77,8 @@ it to make sure that there is only one r
 .Nm
 first appeared in
 .Nx 7 .
-.Fx support for
+.Fx
+support for
 .Nm
 was implemented in
 .Fx 11 .

Modified: head/contrib/blacklist/bin/blacklistctl.c
==
--- head/contrib/blacklist/bin/blacklistctl.c   Thu May  4 19:01:17 2017
(r317801)
+++ head/contrib/blacklist/bin/blacklistctl.c   Thu May  4 19:07:37 2017
(r317802)
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $   
*/
+/* $NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $
*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $");
 
 #include 
 #include 

Modified: head/contrib/blacklist/bin/blacklistd.c
==
--- head/contrib/blacklist/bin/blacklistd.c Thu May  4 19:01:17 2017
(r317801)
+++ head/contrib/blacklist/bin/blacklistd.c Thu May  4 19:07:37 2017
(r317802)
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $ */
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $");
 
 #include 
 #include 
@@ -403,12 +403,14 @@ int
 main(int argc, char *argv[])
 {
int c, tout, flags, flush, restore, ret;
-   const char *spath, *blsock;
+   const char *spath, **blsock;
+   size_t nblsock, maxblsock;
 
setprogname(argv[0]);
 
spath = NULL;
-   blsock = _PATH_BLSOCK;
+   blsock = NULL;
+   maxblsock = nblsock = 0;
flush = 0;
restore = 0;
tout = 0;
@@ -440,7 +442,17 @@ main(int argc, char *argv[])
restore++;
break;
case 's':
-   blsock = optarg;
+   if (nblsock >= maxblsock) {
+ 

svn commit: r317725 - vendor/NetBSD/blacklist/20170503

2017-05-02 Thread Kurt Lidl
Author: lidl
Date: Wed May  3 04:42:35 2017
New Revision: 317725
URL: https://svnweb.freebsd.org/changeset/base/317725

Log:
  Tag import of NetBSD's external/bsd/blacklist @ 20170503

Added:
  vendor/NetBSD/blacklist/20170503/
 - copied from r317724, vendor/NetBSD/blacklist/dist/


svn commit: r317724 - in vendor/NetBSD/blacklist/dist: . bin etc/rc.d lib libexec port

2017-05-02 Thread Kurt Lidl
Author: lidl
Date: Wed May  3 04:39:43 2017
New Revision: 317724
URL: https://svnweb.freebsd.org/changeset/base/317724

Log:
  Vendor import of NetBSD's external/bsd/blacklist @ 20170503
  
  Sponsored by: The FreeBSD Foundation

Deleted:
  vendor/NetBSD/blacklist/dist/port/config.h
Modified:
  vendor/NetBSD/blacklist/dist/README
  vendor/NetBSD/blacklist/dist/bin/blacklistctl.8
  vendor/NetBSD/blacklist/dist/bin/blacklistctl.c
  vendor/NetBSD/blacklist/dist/bin/blacklistd.8
  vendor/NetBSD/blacklist/dist/bin/blacklistd.c
  vendor/NetBSD/blacklist/dist/bin/blacklistd.conf.5
  vendor/NetBSD/blacklist/dist/bin/state.c
  vendor/NetBSD/blacklist/dist/etc/rc.d/blacklistd
  vendor/NetBSD/blacklist/dist/lib/bl.c
  vendor/NetBSD/blacklist/dist/lib/libblacklist.3
  vendor/NetBSD/blacklist/dist/libexec/blacklistd-helper
  vendor/NetBSD/blacklist/dist/port/Makefile.am
  vendor/NetBSD/blacklist/dist/port/sockaddr_snprintf.c

Modified: vendor/NetBSD/blacklist/dist/README
==
--- vendor/NetBSD/blacklist/dist/README Wed May  3 02:54:11 2017
(r317723)
+++ vendor/NetBSD/blacklist/dist/README Wed May  3 04:39:43 2017
(r317724)
@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.7 2015/01/26 00:34:50 christos Exp $
+# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $
 
 This package contains library that can be used by network daemons to
 communicate with a packet filter via a daemon to enforce opening and
@@ -98,6 +98,16 @@ group "internal" on $int_if {
...
 }
 
+You can use 'blacklistctl dump -a' to list all the current entries
+in the database; the ones that have nfail / where urrent
+>= otal, should have an id assosiated with them; this means that
+there is a packet filter rule added for that entry. For npf, you
+can examine the packet filter dynamic rule entries using 'npfctl
+rule  list'.  The number of current entries can exceed
+the total. This happens because entering packet filter rules is
+asynchronous; there could be other connection before the rule
+becomes activated.
+
 Enjoy,
 
 christos

Modified: vendor/NetBSD/blacklist/dist/bin/blacklistctl.8
==
--- vendor/NetBSD/blacklist/dist/bin/blacklistctl.8 Wed May  3 02:54:11 
2017(r317723)
+++ vendor/NetBSD/blacklist/dist/bin/blacklistctl.8 Wed May  3 04:39:43 
2017(r317724)
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistctl.8,v 1.7 2015/04/30 06:20:43 riz Exp $
+.\" $NetBSD: blacklistctl.8,v 1.9 2016/06/08 12:48:37 wiz Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 29, 2015
+.Dd June 7, 2016
 .Dt BLACKLISTCTL 8
 .Os
 .Sh NAME
@@ -75,7 +75,12 @@ will first attempt to remove the existin
 it to make sure that there is only one rule active.
 .Sh HISTORY
 .Nm
-appeared in
+first appeared in
 .Nx 7 .
+.Fx
+support for
+.Nm
+was implemented in
+.Fx 11 .
 .Sh AUTHORS
 .An Christos Zoulas

Modified: vendor/NetBSD/blacklist/dist/bin/blacklistctl.c
==
--- vendor/NetBSD/blacklist/dist/bin/blacklistctl.c Wed May  3 02:54:11 
2017(r317723)
+++ vendor/NetBSD/blacklist/dist/bin/blacklistctl.c Wed May  3 04:39:43 
2017(r317724)
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $   
*/
+/* $NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $
*/
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: blacklistctl.c,v 1.20 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $");
 
 #include 
 #include 
@@ -96,10 +96,10 @@ main(int argc, char *argv[])
break;
case 'b':
blocked = 1;
+   break;
case 'D':
dbname = optarg;
break;
-   break;
case 'd':
debug++;
break;
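Review bot: the `break` moved into case 'b' fixes a real bug: `-b` previously fell through into case 'D' and set dbname = optarg, which is NULL for an option that takes no argument, so `blacklistctl -b` silently lost the database path. This deserves a line in the import log so the behaviour change is visible to anyone bisecting it later.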

Modified: vendor/NetBSD/blacklist/dist/bin/blacklistd.8
==
--- vendor/NetBSD/blacklist/dist/bin/blacklistd.8   Wed May  3 02:54:11 
2017(r317723)
+++ vendor/NetBSD/blacklist/dist/bin/blacklistd.8   Wed May  3 04:39:43 
2017(r317724)
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.15 2016/03/11 17:16:40 christos Exp $
+.\" $NetBSD: blacklistd.8,v 1.18 2016/07/30 06:09:29 dholland Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 

Re: svn commit: r315653 - in head: lib/libstand sys/boot/common sys/boot/i386/libi386

2017-03-23 Thread Kurt Lidl

On 3/21/17 11:53 AM, Toomas Soome wrote:



On 21. märts 2017, at 17:15, Ian Lepore  wrote:

On Tue, 2017-03-21 at 15:35 +0300, Slawa Olhovchenkov wrote:

On Mon, Mar 20, 2017 at 10:20:17PM +, Toomas Soome wrote:



Author: tsoome
Date: Mon Mar 20 22:20:17 2017
New Revision: 315653
URL: https://svnweb.freebsd.org/changeset/base/315653

Log:
  loader: verify the value from dhcp.interface-mtu and use snprintf
to set mtu

  Since the uset can set dhcp.interface-mtu, we need to try to
validate the
  value. So we verify if the conversion to int is successful and we
will not
  allow to set value greater than max IPv4 packet size.

+   tmp > USHRT_MAX) {
+   printf("%s: bad value:
\"%s\", "
+   "ignoring\n",
+   "dhcp.interface-mtu",
val);

===
USHRT_MAX   Maximum value for an object of type unsigned short
int
65535 (2^16-1) or greater*

* the actual value depends on the particular system and library
implementation, but shall reflect the limits of these types in the
target platform.
===

I mean IF_MAXMTU more correct.



The context here is libstand; because it is standalone by design, the
code doesn't have access to IF_MAXMTU or other kernel/userland
constants.  There is also no question that a short is 16 bits or that
USHRT_MAX will be anything other than 65535 in that environment.  If
some platform did appear that had a different-sized short by default,
we would add whatever flags are necessary to force it back to 16 bits
in src/share/mk/bsd.stand.mk.




Also note the “upper” value is entirely fictional - we felt we need
to pick some “sane” default, with current (common 1Gb/s) ethernet hardware
you will be in trouble long before reaching that value;)


All the world is not a VAX, nor is every network Ethernet.

HIPPI, not that you see much of it nowadays, had a MTU for
switched networks of 65280 (64K - 216 bytes of overhead).
Using USHRT_MAX is exactly the right thing here.

-Kurt



Re: svn commit: r314654 - in head/cddl: lib/drti lib/libavl lib/libctf lib/libdtrace lib/libnvpair lib/libumem lib/libuutil lib/libzfs lib/libzfs_core lib/libzpool sbin/zfs sbin/zpool usr.bin/ctfconve

2017-03-06 Thread Kurt Lidl

On 3/4/17 3:39 PM, Rodney W. Grimes wrote:


Idk, maybe I am too personally attached to the relative paths.. cause I
had a major part in helping them all to work, or perhaps it's my been
burned by absolute paths that had to be reworked too many times in
my past.  But my gut is telling me this change is Bad(tm).



At my prior job, where we ended up starting off with a bunch of userland
programs in a repository, we had a variable that was set to get you
to the top of the source tree.  It was set in ../Makefile.inc, so if
one just used ".include " in the Makefile, one got
the variable "for free", as the stock bsd.prog.mk file would include
the ../Makefile.inc by default.

While there were maintenance issues with this scheme, I ultimately
ended up coding up something similar to the SRCTOP for our purposes,
once we decided to start moving programs around in the tree.

I think one of the big issues with relative locations of other resources
in the tree is that one has to encode two pieces of information in
the Makefiles.  Both the location of the program being compiled (so
it can find the top), and the location of the resource that is being
accessed (so the compile can walk down the tree to find whatever is
being referenced).

With something like SRCTOP, only the second piece of information needs
to be encoded in the Makefile.  I think that eliminating half of the
information about how to find the external resources is actually a good
thing.

-Kurt



svn commit: r314325 - stable/11/contrib/blacklist/bin

2017-02-26 Thread Kurt Lidl
Author: lidl
Date: Mon Feb 27 04:08:08 2017
New Revision: 314325
URL: https://svnweb.freebsd.org/changeset/base/314325

Log:
  MFC r314120: Reset failed login count to zero when removing a blocked address
  
  The blacklistd daemon keeps records of failed login attempts for
  each address:port that is flagged as a failed login.  When a
  successful login occurs for that address:port combination,
  the record's last update time is set to zero, to indicate no current
  failed login attempts.
  
  Reset the failed login count to zero, so that at the next failed
  login attempt, the counting will restart properly at zero.  Without
  this reset to zero, the first failed login after a successful login
  will cause the address to be blocked immediately.
  
  When debugging is turned on, output more information about database
  state before and after the database updates have occurred.
  
  A similar patch has already been upstreamed to NetBSD.
  
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/contrib/blacklist/bin/blacklistd.c

Modified: stable/11/contrib/blacklist/bin/blacklistd.c
==
--- stable/11/contrib/blacklist/bin/blacklistd.cMon Feb 27 04:05:34 
2017(r314324)
+++ stable/11/contrib/blacklist/bin/blacklistd.cMon Feb 27 04:08:08 
2017(r314325)
@@ -207,7 +207,7 @@ process(bl_t bl)
 
if (debug) {
char b1[128], b2[128];
-   (*lfun)(LOG_DEBUG, "%s: db state info for %s: count=%d/%d "
+   (*lfun)(LOG_DEBUG, "%s: initial db state for %s: count=%d/%d "
"last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail,
fmttime(b1, sizeof(b1), dbi.last),
fmttime(b2, sizeof(b2), ts.tv_sec));
@@ -246,15 +246,24 @@ process(bl_t bl)
case BL_DELETE:
if (dbi.last == 0)
goto out;
+   dbi.count = 0;
dbi.last = 0;
break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
}
-   if (state_put(state, , ) == -1)
-   goto out;
+   state_put(state, , );
+
 out:
close(bi->bi_fd);
+
+   if (debug) {
+   char b1[128], b2[128];
+   (*lfun)(LOG_DEBUG, "%s: final db state for %s: count=%d/%d "
+   "last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail,
+   fmttime(b1, sizeof(b1), dbi.last),
+   fmttime(b2, sizeof(b2), ts.tv_sec));
+   }
 }
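Review bot: `state_put()` is now called without checking its return value. The old `== -1` test only jumped to the `out:` label that follows anyway, so no control flow is lost, but a failed database write is now completely silent, and the final debug block then prints an in-memory dbi that may not match what was stored. Log at LOG_ERR when state_put fails. The `dbi.count = 0` reset on BL_DELETE is the right fix for the immediate re-block described in the log.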
 
 static void
@@ -393,7 +402,7 @@ rules_restore(void)
 int
 main(int argc, char *argv[])
 {
-   int c, tout, flags, flush, restore;
+   int c, tout, flags, flush, restore, ret;
const char *spath, *blsock;
 
setprogname(argv[0]);
@@ -512,7 +521,10 @@ main(int argc, char *argv[])
readconf = 0;
conf_parse(configfile);
}
-   switch (poll(pfd, (nfds_t)nfd, tout)) {
+   ret = poll(pfd, (nfds_t)nfd, tout);
+   if (debug)
+   (*lfun)(LOG_DEBUG, "received %d from poll()", ret);
+   switch (ret) {
case -1:
if (errno == EINTR)
continue;
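Review bot: the new LOG_DEBUG line fires on every poll() wakeup, including each timeout tick, which makes debug output noisy on a daemon with a short -t; consider logging only when ret != 0, or folding the value into the existing error path below.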
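The failure-count bug the log above describes, as an added example that is not blacklistd's code: a constructed C model of the per-address record (field names dbi.count, dbi.last and c_nfail come from the hunk; the BL_ADD/BL_DELETE handling, the blocked flag and the login sequence are assumptions) showing why the first failure after a successful login blocked the address immediately before the `dbi.count = 0` reset.

```c
#include <stdio.h>
#include <time.h>

/*
 * Constructed model of blacklistd's per-address:port record, not the
 * daemon's own code.  The field names follow the r314325 hunk; the event
 * handling below is a simplification assumed for illustration.
 */
enum bl_type { BL_ADD, BL_DELETE };	/* failed login / successful login */

struct dbinfo {
	int	count;		/* failed attempts since the record was last cleared */
	time_t	last;		/* time of the last failure, 0 = no current failures */
	int	blocked;	/* 1 once a packet-filter rule would have been added */
};

/*
 * Apply one event to a record.  nfail is the configured failure threshold
 * (c.c_nfail in the daemon).  reset_count_on_delete selects the pre-fix (0)
 * or post-fix (1) behaviour of the BL_DELETE case.
 * Returns 1 if this event caused the address to be blocked.
 */
static int
process_event(struct dbinfo *dbi, int nfail, enum bl_type type, time_t now,
    int reset_count_on_delete)
{
	switch (type) {
	case BL_ADD:
		dbi->count++;
		dbi->last = now;
		if (dbi->count >= nfail) {
			dbi->blocked = 1;	/* helper would add the rule here */
			return 1;
		}
		return 0;
	case BL_DELETE:
		if (dbi->last == 0)
			return 0;		/* no failures recorded, nothing to clear */
		if (reset_count_on_delete)
			dbi->count = 0;		/* the r314325 change */
		dbi->last = 0;			/* what the code did before the fix */
		return 0;
	}
	return 0;
}

/*
 * Scenario from the commit log: two failures below a threshold of three,
 * one successful login, then a single failure.  Returns 1 if that last
 * failure blocks the address.
 */
static int
first_failure_after_success_blocks(int reset_count_on_delete)
{
	struct dbinfo dbi = { 0, 0, 0 };
	const int nfail = 3;
	time_t t = 1000;	/* constructed clock, seconds */

	process_event(&dbi, nfail, BL_ADD, t++, reset_count_on_delete);
	process_event(&dbi, nfail, BL_ADD, t++, reset_count_on_delete);
	process_event(&dbi, nfail, BL_DELETE, t++, reset_count_on_delete);
	return process_event(&dbi, nfail, BL_ADD, t++, reset_count_on_delete);
}

int
main(void)
{
	printf("without count reset: blocked=%d\n",
	    first_failure_after_success_blocks(0));	/* 1 */
	printf("with count reset:    blocked=%d\n",
	    first_failure_after_success_blocks(1));	/* 0 */
	return 0;
}
```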


svn commit: r314324 - stable/11/contrib/blacklist/libexec

2017-02-26 Thread Kurt Lidl
Author: lidl
Date: Mon Feb 27 04:05:34 2017
New Revision: 314324
URL: https://svnweb.freebsd.org/changeset/base/314324

Log:
  MFC r314111: Improve ipfw rule creation for blacklist-helper script
  
  When blocking an address, the blacklist-helper script
  needs to do the following things for the ipfw packet
  filter:
  
   - create a table to hold the addresses to be blocked,
 so lookups can be done quickly, and place the address
 to be blocked in that table
   - create rule that does the lookup in the table and
 blocks the packet
  
  The ipfw system allows multiple rules to be inserted for
  a given rule number.  There only needs to be one rule
  to do the lookup per port.  Modify the script to probe
  for the existence of the rule before attempting to create
  it, so only one rule is inserted, rather than one rule per
  blocked address.
  
  PR:   214980
  Reported by:  azhegalov (at) gmail.com
  Reviewed by:  emaste
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D9681

Modified:
  stable/11/contrib/blacklist/libexec/blacklistd-helper

Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper
==
--- stable/11/contrib/blacklist/libexec/blacklistd-helper   Mon Feb 27 
03:52:32 2017(r314323)
+++ stable/11/contrib/blacklist/libexec/blacklistd-helper   Mon Feb 27 
04:05:34 2017(r314324)
@@ -63,8 +63,11 @@ add)
tname="port$6"
/sbin/ipfw table $tname create type addr 2>/dev/null
/sbin/ipfw -q table $tname add "$addr/$mask"
-   /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
-   any dst-port $6 && echo OK
+   # if rule number $rule does not already exist, create it
+   /sbin/ipfw show $rule >/dev/null 2>&1 || \
+   /sbin/ipfw add $rule drop $3 from \
+   table"("$tname")" to any dst-port $6 >/dev/null && \
+   echo OK
;;
npf)
/sbin/npfctl rule "$2" add block in final $proto from \
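Review bot: the probe on the `/sbin/ipfw show $rule >/dev/null 2>&1 || \` line only tests that some rule with number $rule exists, not that it is the drop rule for table $tname, so if the administrator already has an unrelated rule at that number the block rule is never installed while the address is still added to the table and OK is still echoed; checking the output for the table reference, e.g. `/sbin/ipfw show $rule 2>/dev/null | grep -q "table($tname)"`, would make the probe specific. Two smaller points: the `-q` dropped from `ipfw add` means its diagnostics now reach stderr unredirected, and probe-then-add is not atomic, which is acceptable only as long as blacklistd runs one helper at a time.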


svn commit: r314120 - head/contrib/blacklist/bin

2017-02-22 Thread Kurt Lidl
Author: lidl
Date: Thu Feb 23 05:40:59 2017
New Revision: 314120
URL: https://svnweb.freebsd.org/changeset/base/314120

Log:
  Reset failed login count to zero when removing a blocked address
  
  The blacklistd daemon keeps records of failed login attempts for
  each address:port that is flagged as a failed login.  When a
  successful login occurs for that address:port combination,
  the record's last update time is set to zero, to indicate no current
  failed login attempts.
  
  Reset the failed login count to zero, so that at the next failed
  login attempt, the counting will restart properly at zero.  Without
  this reset to zero, the first failed login after a successful login
  will cause the address to be blocked immediately.
  
  When debugging is turned on, output more information about database
  state before and after the database updates have occurred.
  
  A similar patch has already been upstreamed to NetBSD.
  
  MFC after:3 days
  Sponsored by: The FreeBSD Foundation

Modified:
  head/contrib/blacklist/bin/blacklistd.c

Modified: head/contrib/blacklist/bin/blacklistd.c
==
--- head/contrib/blacklist/bin/blacklistd.c Thu Feb 23 05:33:20 2017
(r314119)
+++ head/contrib/blacklist/bin/blacklistd.c Thu Feb 23 05:40:59 2017
(r314120)
@@ -207,7 +207,7 @@ process(bl_t bl)
 
if (debug) {
char b1[128], b2[128];
-   (*lfun)(LOG_DEBUG, "%s: db state info for %s: count=%d/%d "
+   (*lfun)(LOG_DEBUG, "%s: initial db state for %s: count=%d/%d "
"last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail,
fmttime(b1, sizeof(b1), dbi.last),
fmttime(b2, sizeof(b2), ts.tv_sec));
@@ -246,15 +246,24 @@ process(bl_t bl)
case BL_DELETE:
if (dbi.last == 0)
goto out;
+   dbi.count = 0;
dbi.last = 0;
break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
}
-   if (state_put(state, , ) == -1)
-   goto out;
+   state_put(state, , );
+
 out:
close(bi->bi_fd);
+
+   if (debug) {
+   char b1[128], b2[128];
+   (*lfun)(LOG_DEBUG, "%s: final db state for %s: count=%d/%d "
+   "last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail,
+   fmttime(b1, sizeof(b1), dbi.last),
+   fmttime(b2, sizeof(b2), ts.tv_sec));
+   }
 }
 
 static void
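Review bot: the return value of state_put() is now discarded on the `+   state_put(state, ...)` line (the `&c, &dbi` arguments appear lost to extraction here), so a failed database write, which is exactly the count this fix is about not being persisted, goes unnoticed; keep the check and log it, e.g. `if (state_put(state, &c, &dbi) == -1) (*lfun)(LOG_ERR, "%s: state_put failed", __func__);`. Note also that the new debug block after `out:` runs on every path that jumps there, including the `dbi.last == 0` early exit and any earlier `goto out`, so dbi and ts must be initialised on all of them or the message prints stale values. The count reset itself (`dbi.count = 0` on BL_DELETE) is correct and matches the log message.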
@@ -393,7 +402,7 @@ rules_restore(void)
 int
 main(int argc, char *argv[])
 {
-   int c, tout, flags, flush, restore;
+   int c, tout, flags, flush, restore, ret;
const char *spath, *blsock;
 
setprogname(argv[0]);
@@ -512,7 +521,10 @@ main(int argc, char *argv[])
readconf = 0;
conf_parse(configfile);
}
-   switch (poll(pfd, (nfds_t)nfd, tout)) {
+   ret = poll(pfd, (nfds_t)nfd, tout);
+   if (debug)
+   (*lfun)(LOG_DEBUG, "received %d from poll()", ret);
+   switch (ret) {
case -1:
if (errno == EINTR)
continue;
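Review bot: the debug call inserted between `ret = poll(pfd, (nfds_t)nfd, tout);` and the `case -1:` branch can clobber errno before `if (errno == EINTR)` reads it, because (*lfun) is syslog() or a printf-style logger and both may set errno; save it right after poll() (`int e = errno;` and compare `e == EINTR`) or emit the debug line after the switch, otherwise a signal-interrupted poll() can be misreported and the loop falls into the error handling instead of `continue`.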


svn commit: r314111 - head/contrib/blacklist/libexec

2017-02-22 Thread Kurt Lidl
Author: lidl
Date: Wed Feb 22 21:50:37 2017
New Revision: 314111
URL: https://svnweb.freebsd.org/changeset/base/314111

Log:
  Improve ipfw rule creation for blacklist-helper script
  
  When blocking an address, the blacklist-helper script
  needs to do the following things for the ipfw packet
  filter:
  
   - create a table to hold the addresses to be blocked,
 so lookups can be done quickly, and place the address
 to be blocked in that table
   - create rule that does the lookup in the table and
 blocks the packet
  
  The ipfw system allows multiple rules to be inserted for
  a given rule number.  There only needs to be one rule
  to do the lookup per port.  Modify the script to probe
  for the existence of the rule before attempting to create
  it, so only one rule is inserted, rather than one rule per
  blocked address.
  
  PR:   214980
  Reported by:  azhegalov (at) gmail.com
  Reviewed by:  emaste
  MFC after:3 days
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D9681

Modified:
  head/contrib/blacklist/libexec/blacklistd-helper

Modified: head/contrib/blacklist/libexec/blacklistd-helper
==
--- head/contrib/blacklist/libexec/blacklistd-helperWed Feb 22 20:47:25 
2017(r314110)
+++ head/contrib/blacklist/libexec/blacklistd-helperWed Feb 22 21:50:37 
2017(r314111)
@@ -63,8 +63,11 @@ add)
tname="port$6"
/sbin/ipfw table $tname create type addr 2>/dev/null
/sbin/ipfw -q table $tname add "$addr/$mask"
-   /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
-   any dst-port $6 && echo OK
+   # if rule number $rule does not already exist, create it
+   /sbin/ipfw show $rule >/dev/null 2>&1 || \
+   /sbin/ipfw add $rule drop $3 from \
+   table"("$tname")" to any dst-port $6 >/dev/null && \
+   echo OK
;;
npf)
/sbin/npfctl rule "$2" add block in final $proto from \


svn commit: r314072 - stable/11/crypto/openssh

2017-02-21 Thread Kurt Lidl
Author: lidl
Date: Wed Feb 22 04:15:39 2017
New Revision: 314072
URL: https://svnweb.freebsd.org/changeset/base/314072

Log:
  MFC r313965:
  
  Only notify blacklistd for successful logins in auth.c
  
  Before this change, every pass through auth.c resulted in a
  call to blacklist_notify().
  
  In a normal remote login, there would be a failed login flagged for
  the printing of the "xxx login:" prompt, before the remote user
  could enter a password.
  
  If the user successfully entered a good password, then a good login
  would be flagged, and everything would be OK.
  
  If the user entered an incorrect password, there would be another
  failed login flagged in auth1.c (or auth2.c) for the actual bad
  password attempt.  Finally, when sshd got around to issuing the
  second "xxx login:" prompt, there would be yet another failed login
  notice sent to blacklistd.
  
  So, if there was a 3 bad logins limit set (the default), the system
  would actually block the address after the first bad password attempt.
  
  Reported by:  Rick Adams
  Reviewed by:  des
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/crypto/openssh/auth.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/crypto/openssh/auth.c
==
--- stable/11/crypto/openssh/auth.c Wed Feb 22 03:49:46 2017
(r314071)
+++ stable/11/crypto/openssh/auth.c Wed Feb 22 04:15:39 2017
(r314072)
@@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent
authmsg = "Partial";
else {
authmsg = authenticated ? "Accepted" : "Failed";
-   BLACKLIST_NOTIFY(authenticated ?
-   BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);
+   if (authenticated)
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
}
 
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
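Review bot: with the `BLACKLIST_AUTH_FAIL` notification removed from auth_log(), failed attempts are only counted if auth1.c/auth2.c (named in the log message) notify on every rejected method; please confirm that nothing reached blacklistd only through this branch, otherwise a password-guessing path that ends in auth_log() with authenticated == 0 would now go unrecorded. A one-line comment above `if (authenticated)` saying that failures are reported at the method level would keep the next reader from putting the BLACKLIST_AUTH_FAIL call back.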


Re: svn commit: r313965 - head/crypto/openssh

2017-02-19 Thread Kurt Lidl

On 2/19/17 6:22 PM, Oliver Pinter wrote:

On 2/20/17, Kurt Lidl <l...@freebsd.org> wrote:

On 2/19/17 4:42 PM, Oliver Pinter wrote:

Hello!

On 2/19/17, Kurt Lidl <l...@freebsd.org> wrote:

Author: lidl
Date: Sun Feb 19 20:35:39 2017
New Revision: 313965
URL: https://svnweb.freebsd.org/changeset/base/313965

Log:
  Only notify blacklistd for successful logins in auth.c


What's the rationale behind this change?


Without this change, every pass through auth.c results in a
call to blacklist_notify().

So, in a normal remote login, you'd get a failed
login flagged for the printing of the "xxx login:" prompt,
before the remote user could enter a password.

If the user successfully entered a good password,
you'd get a good login flagged, and everything would be OK.

If the user entered an incorrect password, you'd get
another failed login in auth1.c (or auth2.c), and finally,
when sshd got around to issuing the second "xxx login:"
prompt, you'd have yet another failed login notice sent
to blacklistd.

So, if you had 3 bad logins set to the limit, you'd actually
be blocking the address after the first bad login attempt.

-Kurt


Thanks for the detailed answer. Could you please include these
sentences when you MFC this change?


Sure, I will do that.

-Kurt




svn commit: r313965 - head/crypto/openssh

2017-02-19 Thread Kurt Lidl
Author: lidl
Date: Sun Feb 19 20:35:39 2017
New Revision: 313965
URL: https://svnweb.freebsd.org/changeset/base/313965

Log:
  Only notify blacklistd for successful logins in auth.c
  
  Reported by:  Rick Adams
  Reviewed by:  des
  MFC after:3 days
  Sponsored by: The FreeBSD Foundation

Modified:
  head/crypto/openssh/auth.c

Modified: head/crypto/openssh/auth.c
==
--- head/crypto/openssh/auth.c  Sun Feb 19 19:56:12 2017(r313964)
+++ head/crypto/openssh/auth.c  Sun Feb 19 20:35:39 2017(r313965)
@@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent
authmsg = "Partial";
else {
authmsg = authenticated ? "Accepted" : "Failed";
-   BLACKLIST_NOTIFY(authenticated ?
-   BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);
+   if (authenticated)
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
}
 
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",


Re: svn commit: r313037 - in head/sys: amd64/include kern mips/include net powerpc/include sparc64/include

2017-02-06 Thread Kurt Lidl

On 2/5/17 1:59 PM, Jason Harmening wrote:

Actually attaching the patch this time ( gmail client)

On Sun, Feb 5, 2017 at 10:58 AM, Jason Harmening
> wrote:

Hmm, it's a good idea to consider the possibility of a barrier
issue.  It wouldn't be the first time we've had such a problem on a
weakly-ordered architecture. That said, I don't see a problem in
this case.  smp_rendezvous_cpus() takes a spinlock and then issues
atomic_store_rel_int()  to ensure the rendezvous params are visible
to other cpus.  The latter corresponds to lwsync on powerpc, which
AFAIK should be sufficient to ensure visibility of prior stores.

For now I'm going with the simpler explanation that I made a bad
assumption  in the powerpc get_pcpu() and there is some context in
which the read of sprg0 doesn't return a consistent pointer value.
Unfortunately I don't see where that might be right now.

On the mips side, Kurt/Alexander can you test the attached patch?
It contains a simple fix to ensure get_pcpu() returns the consistent
per-cpu pointer.


I applied this patch on top of r313347 (which I had verified boots
successfully when a kernel is built from that revision).
The kernel from r313347+(this patch) at least gets to multi-user on my ERL.

So, that's a big improvement.

I'll start a native buildworld/buildkernel on the ERL, and that ought
to give it a reasonable workout.

-Kurt



On Sat, Feb 4, 2017 at 1:34 PM, Svatopluk Kraus > wrote:

Probably not related. But when I took short look to the patch to see
what could go wrong, I walked into the following comment in
_rm_wlock(): "Assumes rm->rm_writecpus update is visible on
other CPUs
before rm_cleanIPI is called." There is no explicit barrier to
ensure
it. However, there might be some barriers inside of
smp_rendezvous_cpus(). I have no idea what could happened if this
assumption is not met. Note that rm_cleanIPI() is affected by the
patch.



On Sat, Feb 4, 2017 at 9:39 PM, Jason Harmening
>
wrote:
> Can you post an example of such panic?  Only 2 MI pieces were
changed,
> netisr and rmlock.  I haven't seen problems on my own
amd64/i386/arm testing
> of this, so a backtrace might help to narrow down the cause.
>
> On Sat, Feb 4, 2017 at 12:22 PM, Andreas Tobler
>
> wrote:
>>
>> On 04.02.17 20:54, Jason Harmening wrote:
>>>
>>> I suspect this broke rmlocks for mips because the rmlock
implementation
>>> takes the address of the per-CPU pc_rm_queue when building
tracker
>>> lists.  That address may be later accessed from another CPU
and will
>>> then translate to the wrong physical region if the address
was taken
>>> relative to the globally-constant pcpup VA used on mips.
>>>
>>> Regardless, for mips get_pcpup() should be implemented as
>>> pcpu_find(curcpu) since returning an address that may mean
something
>>> different depending on the CPU seems like a big POLA
violation if
>>> nothing else.
>>>
>>> I'm more concerned about the report of powerpc breakage.
For powerpc we
>>> simply take each pcpu pointer from the pc_allcpu list (which
is the same
>>> value stored in the cpuid_to_pcpu array) and pass it through
the ap_pcpu
>>> global to each AP's startup code, which then stores it in
sprg0.  It
>>> should be globally unique and won't have the
variable-translation issues
>>> seen on mips.   Andreas, are you certain this change was
responsible the
>>> breakage you saw, and was it the same sort of hang observed
on mips?
>>
>>
>> I'm really sure. 313036 booted fine, allowed me to execute heavy
>> compilation jobs, np. 313037 on the other side gave me
various patterns of
>> panics. During startup, but I also succeeded to get into
multiuser and then
>> the panic happened during port building.
>>
>> I have no deeper insight where pcpu data is used. Justin
mentioned netisr?
>>
>> Andreas
>>
>







Re: svn commit: r313037 - in head/sys: amd64/include kern mips/include net powerpc/include sparc64/include

2017-02-03 Thread Kurt Lidl

Having just spent a couple of hours bisecting what broke the kernel on
my mips64 machine, I can definitively state it was this commit.

With this commit in place, the kernel hangs early in the
autoconfiguration:

gcc version 4.2.1 20070831 patched [FreeBSD]
Preloaded elf kernel "kernel" at 0x80aa96a0.
real memory  = 523239424 (510976K bytes)
Physical memory chunk(s):
0x00bf3000 - 0x080d5fff, 122564608 bytes (29923 pages)
0x08101000 - 0x0ff00fff, 132120576 bytes (32256 pages)
0x41000 - 0x41f196fff, 253325312 bytes (61847 pages)
avail memory = 504360960 (480MB)
Create COP2 context zone
AP #1 started!
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 hangs here 

-Kurt

On 2/4/17 12:29 AM, Jason Harmening wrote:

Hi,

I'm a bit confused as to how this change breaks MIPS.  The new function,
get_pcpu() is intended to be used only to access the per-cpu data
pointer locally.  It returns pcpup, which is the per-cpu pointer wired
into the local TLB to translate to the local CPU's physical data region,
correct?

This is the same value used by the per-CPU accessors such as PCPU_ADD
and PCPU_GET.  The MI portions of this change only use get_pcpu() to
access  the local CPU's data, e.g. under a critical section in the
rmlock.  It is not intended to be used for iterating all CPUs.

If I've missed something and MIPS is truly broken by this, then I'll
gladly revert, but (maybe because it's late) I'm not seeing where this
goes wrong on MIPS.

Thanks,
Jason

On Fri, Feb 3, 2017 at 8:12 PM, Alexander Kabaev > wrote:

On Wed, 1 Feb 2017 03:32:49 + (UTC)
"Jason A. Harmening"  wrote:

> Author: jah
> Date: Wed Feb  1 03:32:49 2017
> New Revision: 313037
> URL: https://svnweb.freebsd.org/changeset/base/313037

>
> Log:
>   Implement get_pcpu() for the remaining architectures and use it to
>   replace pcpu_find(curcpu) in MI code.
>
> Modified:
>   head/sys/amd64/include/pcpu.h
>   head/sys/kern/kern_rmlock.c
>   head/sys/mips/include/pcpu.h
>   head/sys/net/netisr.c
>   head/sys/powerpc/include/cpufunc.h
>   head/sys/powerpc/include/pcpu.h
>   head/sys/sparc64/include/pcpu.h
>

Hi,

this change was not reviewed nor testing was thought for all
architectures it touches. The change happens to break MIPS quite
thoroughly, since MIPS is using different pointers when accessing PCPU
area locally and when doing iterations using cpu_to_cpuid array. I
therefore officially am requesting this change to be reverted until
reasonable solution is found to unbreak architectures that use wired
TLBs to access local per-CPU data.

--
Alexander Kabaev






svn commit: r313098 - head/sys/modules

2017-02-02 Thread Kurt Lidl
Author: lidl
Date: Thu Feb  2 17:43:00 2017
New Revision: 313098
URL: https://svnweb.freebsd.org/changeset/base/313098

Log:
  Fix compilation for mips64 platforms
  
  The hwpmc_mips24k / hwpmc_mips74k modules are only for mips 32-bit hosts.
  Reviewed by:  adrian

Modified:
  head/sys/modules/Makefile

Modified: head/sys/modules/Makefile
==
--- head/sys/modules/Makefile   Thu Feb  2 17:29:15 2017(r313097)
+++ head/sys/modules/Makefile   Thu Feb  2 17:43:00 2017(r313098)
@@ -522,7 +522,7 @@ _cxgbe= cxgbe
 SUBDIR+=   zfs
 .endif
 
-.if ${MACHINE_CPUARCH} == "mips"
+.if (${MACHINE_CPUARCH} == "mips" && ${MACHINE_ARCH:Mmips64} == "")
 _hwpmc_mips24k=hwpmc_mips24k
 _hwpmc_mips74k=hwpmc_mips74k
 .endif
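Review bot: `${MACHINE_ARCH:Mmips64}` on the changed `.if` line is an exact glob match, so it excludes only MACHINE_ARCH=mips64 and still selects the 32-bit hwpmc_mips24k/hwpmc_mips74k modules for mips64el, mips64hf and mips64elhf; use `${MACHINE_ARCH:Mmips64*} == ""` to cover every 64-bit MIPS target.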


svn commit: r312833 - head/sys/mips/conf

2017-01-26 Thread Kurt Lidl
Author: lidl
Date: Thu Jan 26 20:45:04 2017
New Revision: 312833
URL: https://svnweb.freebsd.org/changeset/base/312833

Log:
  Remove 'options NO_SWAPPING' from ERL configuration file

Modified:
  head/sys/mips/conf/ERL

Modified: head/sys/mips/conf/ERL
==
--- head/sys/mips/conf/ERL  Thu Jan 26 20:39:43 2017(r312832)
+++ head/sys/mips/conf/ERL  Thu Jan 26 20:45:04 2017(r312833)
@@ -88,7 +88,6 @@ options   MAC # TrustedBSD MAC 
Framewor
 #options   KDTRACE_FRAME   # Ensure frames are compiled in
 #options   KDTRACE_HOOKS   # Kernel DTrace hooks
 optionsINCLUDE_CONFIG_FILE # Include this file in kernel
-optionsNO_SWAPPING # Disable support for paging
 optionsTMPFS   # Temporary file system
 
 # Debugging for use in -current
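Review bot: the log message gives no reason for dropping `options NO_SWAPPING` from the ERL config; a line on why (swap is now expected to be configured on the board, or the option was breaking something) belongs in the commit message, since it changes how the kernel behaves under memory pressure and anyone bisecting later will want to know.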


svn commit: r308703 - stable/11/libexec/ftpd

2016-11-15 Thread Kurt Lidl
Author: lidl
Date: Tue Nov 15 23:03:57 2016
New Revision: 308703
URL: https://svnweb.freebsd.org/changeset/base/308703

Log:
  MFC r308567: Fix build when WITHOUT_BLACKLIST=yes is specified
  
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/libexec/ftpd/ftpd.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/libexec/ftpd/ftpd.c
==
--- stable/11/libexec/ftpd/ftpd.c   Tue Nov 15 22:30:25 2016
(r308702)
+++ stable/11/libexec/ftpd/ftpd.c   Tue Nov 15 23:03:57 2016
(r308703)
@@ -93,10 +93,7 @@ __FBSDID("$FreeBSD$");
 #include 
 #endif
 
-#ifdef USE_BLACKLIST
 #include "blacklist_client.h"
-#endif
-
 #include "pathnames.h"
 #include "extern.h"
 


Re: svn commit: r308175 - head/libexec/ftpd

2016-11-11 Thread Kurt Lidl

On 11/10/16 4:25 PM, Matteo Riondato wrote:



On Nov 1, 2016, at 2:18 PM, Kurt Lidl <l...@freebsd.org> wrote:

Author: lidl
Date: Tue Nov  1 18:18:09 2016
New Revision: 308175
URL: https://svnweb.freebsd.org/changeset/base/308175

Log:
 Revisit blacklistd support in ftpd


This commit is breaking buildworld for me with WITHOUT_BLACKLIST=y in src.conf :


Oops.

Should be fixed in r308567.

-Kurt




svn commit: r308567 - head/libexec/ftpd

2016-11-11 Thread Kurt Lidl
Author: lidl
Date: Sat Nov 12 03:07:41 2016
New Revision: 308567
URL: https://svnweb.freebsd.org/changeset/base/308567

Log:
  Fix build when WITHOUT_BLACKLIST=yes is specified
  
  PR:   214409
  Submitted by: matthew
  Reported by:  matteo
  MFC after:3 days
  Sponsored by: The FreeBSD Foundation

Modified:
  head/libexec/ftpd/ftpd.c

Modified: head/libexec/ftpd/ftpd.c
==
--- head/libexec/ftpd/ftpd.cSat Nov 12 01:41:43 2016(r308566)
+++ head/libexec/ftpd/ftpd.cSat Nov 12 03:07:41 2016(r308567)
@@ -93,10 +93,7 @@ __FBSDID("$FreeBSD$");
 #include 
 #endif
 
-#ifdef USE_BLACKLIST
 #include "blacklist_client.h"
-#endif
-
 #include "pathnames.h"
 #include "extern.h"
 


svn commit: r308446 - stable/11/libexec/ftpd

2016-11-08 Thread Kurt Lidl
Author: lidl
Date: Tue Nov  8 20:12:13 2016
New Revision: 308446
URL: https://svnweb.freebsd.org/changeset/base/308446

Log:
  MFC r308175: Revisit blacklistd support in ftpd
  
  Enhance blacklistd support to not log anything by default,
  unless blacklistd support is enabled on the command line.
  Document new flag in man page, cleanup patches to be less
  intrusive in code.
  
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/libexec/ftpd/blacklist.c
  stable/11/libexec/ftpd/blacklist_client.h
  stable/11/libexec/ftpd/ftpd.8
  stable/11/libexec/ftpd/ftpd.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/libexec/ftpd/blacklist.c
==
--- stable/11/libexec/ftpd/blacklist.c  Tue Nov  8 17:36:19 2016
(r308445)
+++ stable/11/libexec/ftpd/blacklist.c  Tue Nov  8 20:12:13 2016
(r308446)
@@ -37,16 +37,20 @@
 #include 
 
 static struct blacklist *blstate;
+extern int use_blacklist;
 
 void
 blacklist_init(void)
 {
-   blstate = blacklist_open();
+
+   if (use_blacklist)
+   blstate = blacklist_open();
 }
 
 void
 blacklist_notify(int action, int fd, char *msg)
 {
+
if (blstate == NULL)
return;
(void)blacklist_r(blstate, action, fd, msg);
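Review bot: `extern int use_blacklist;` is declared inside this .c file, on the line after `static struct blacklist *blstate;`; it belongs in extern.h next to the other ftpd globals so the definition in ftpd.c and this declaration cannot drift apart. Also, blacklist_open() can return NULL when the daemon is not reachable, which blacklist_notify() already tolerates through its `blstate == NULL` check, but since `-B` is now an explicit administrator request, logging once when the open fails would make a silently inactive blacklistd visible.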

Modified: stable/11/libexec/ftpd/blacklist_client.h
==
--- stable/11/libexec/ftpd/blacklist_client.h   Tue Nov  8 17:36:19 2016
(r308445)
+++ stable/11/libexec/ftpd/blacklist_client.h   Tue Nov  8 20:12:13 2016
(r308446)
@@ -28,5 +28,26 @@
 
 /* $FreeBSD$ */
 
-void blacklist_notify(int, int, char *);
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+enum {
+   BLACKLIST_AUTH_OK = 0,
+   BLACKLIST_AUTH_FAIL
+};
+
+#ifdef USE_BLACKLIST
 void blacklist_init(void);
+void blacklist_notify(int, int, char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x, y, z) blacklist_notify(x, y, z)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x, y, z)
+
+#endif
+
+#endif /* BLACKLIST_CLIENT_H */
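Review bot: the `enum { BLACKLIST_AUTH_OK = 0, BLACKLIST_AUTH_FAIL }` duplicates the action values from libblacklist's blacklist.h, and blacklist_r() in blacklist.c passes them straight through, so they must stay numerically identical; add a comment stating that they mirror blacklist.h (or, under USE_BLACKLIST, include that header instead of redefining the names) so a future library change cannot silently swap success and failure.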

Modified: stable/11/libexec/ftpd/ftpd.8
==
--- stable/11/libexec/ftpd/ftpd.8   Tue Nov  8 17:36:19 2016
(r308445)
+++ stable/11/libexec/ftpd/ftpd.8   Tue Nov  8 20:12:13 2016
(r308446)
@@ -36,7 +36,7 @@
 .Nd Internet File Transfer Protocol server
 .Sh SYNOPSIS
 .Nm
-.Op Fl 468ADdEhMmOoRrSUvW
+.Op Fl 468ABDdEhMmOoRrSUvW
 .Op Fl l Op Fl l
 .Op Fl a Ar address
 .Op Fl P Ar port
@@ -95,6 +95,14 @@ When
 .Fl D
 is specified, accept connections only on the specified
 .Ar address .
+.It Fl B
+With this option set,
+.Nm
+sends authentication success and failure messages to the
+.Xr blacklistd 8
+daemon.  If this option is not specified, no communcation with the
+.Xr blacklistd 8
+daemon is attempted.
 .It Fl D
 With this option set,
 .Nm
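Review bot: typo on the `daemon.  If this option is not specified, no communcation with the` line: communcation should read communication. mdoc also wants each sentence to start on its own line, so break after `daemon.`, and the paragraph should mention that in a build without USE_BLACKLIST `-B` only logs a warning and has no effect.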

Modified: stable/11/libexec/ftpd/ftpd.c
==
--- stable/11/libexec/ftpd/ftpd.c   Tue Nov  8 17:36:19 2016
(r308445)
+++ stable/11/libexec/ftpd/ftpd.c   Tue Nov  8 20:12:13 2016
(r308446)
@@ -144,6 +144,7 @@ int noretr = 0; /* RETR command is disa
 intnoguestretr = 0;/* RETR command is disabled for anon users. */
 intnoguestmkd = 0; /* MKD command is disabled for anon users. */
 intnoguestmod = 1; /* anon users may not modify existing files. */
+intuse_blacklist = 0;
 
 off_t  file_size;
 off_t  byte_count;
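Review bot: `int use_blacklist = 0;` is the only declaration in this block without a trailing comment; add one in the same style, e.g. `/* notify blacklistd of auth results (-B). */`.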
@@ -305,7 +306,7 @@ main(int argc, char *argv[], char **envp
openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
 
while ((ch = getopt(argc, argv,
-   "468a:AdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
+   "468a:ABdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
switch (ch) {
case '4':
family = (family == AF_INET6) ? AF_UNSPEC : AF_INET;
@@ -327,6 +328,14 @@ main(int argc, char *argv[], char **envp
anon_only = 1;
break;
 
+   case 'B':
+#ifdef USE_BLACKLIST
+   use_blacklist = 1;
+#else
+   syslog(LOG_WARNING, "not compiled with USE_BLACKLIST 
support");
+#endif
+   break;
+
case 'd':
ftpdebug++;
break;
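Review bot: in the `case 'B':` branch a binary built without USE_BLACKLIST accepts `-B`, logs a single LOG_WARNING to the ftp facility and carries on, so an administrator who enabled `-B` expecting blacklistd to throttle password guessing gets no throttling and one easily missed syslog line; consider refusing to start (error to stderr and exit) so the misconfiguration fails loudly, or at minimum document the behaviour in ftpd.8.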
@@ -644,9 +653,7 @@ gotchild:
reply(220, "%s FTP server (%s) ready.", hostname, version);
else
reply(220, "FTP server ready.");
-#ifdef USE_BLACKLIST
-   blacklist_init();
-#endif
+   BLACKLIST_INIT();
for (;;)
(void) yyparse();
/* NOTREACHED */
@@ -1422,9 +1429,7 @@ skip:
 */
if (rval) {

svn commit: r308175 - head/libexec/ftpd

2016-11-01 Thread Kurt Lidl
Author: lidl
Date: Tue Nov  1 18:18:09 2016
New Revision: 308175
URL: https://svnweb.freebsd.org/changeset/base/308175

Log:
  Revisit blacklistd support in ftpd
  
  Enhance blacklistd support to not log anything by default,
  unless blacklistd support is enabled on the command line.
  Document new flag in man page, cleanup patches to be less
  intrusive in code.
  
  Reported by:  Rick Adams
  Reviewed by:  cem, emaste
  MFC after:1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D8374

Modified:
  head/libexec/ftpd/blacklist.c
  head/libexec/ftpd/blacklist_client.h
  head/libexec/ftpd/ftpd.8
  head/libexec/ftpd/ftpd.c

Modified: head/libexec/ftpd/blacklist.c
==
--- head/libexec/ftpd/blacklist.c   Tue Nov  1 17:11:10 2016
(r308174)
+++ head/libexec/ftpd/blacklist.c   Tue Nov  1 18:18:09 2016
(r308175)
@@ -37,16 +37,20 @@
 #include 
 
 static struct blacklist *blstate;
+extern int use_blacklist;
 
 void
 blacklist_init(void)
 {
-   blstate = blacklist_open();
+
+   if (use_blacklist)
+   blstate = blacklist_open();
 }
 
 void
 blacklist_notify(int action, int fd, char *msg)
 {
+
if (blstate == NULL)
return;
(void)blacklist_r(blstate, action, fd, msg);

Modified: head/libexec/ftpd/blacklist_client.h
==
--- head/libexec/ftpd/blacklist_client.hTue Nov  1 17:11:10 2016
(r308174)
+++ head/libexec/ftpd/blacklist_client.hTue Nov  1 18:18:09 2016
(r308175)
@@ -28,5 +28,26 @@
 
 /* $FreeBSD$ */
 
-void blacklist_notify(int, int, char *);
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+enum {
+   BLACKLIST_AUTH_OK = 0,
+   BLACKLIST_AUTH_FAIL
+};
+
+#ifdef USE_BLACKLIST
 void blacklist_init(void);
+void blacklist_notify(int, int, char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x, y, z) blacklist_notify(x, y, z)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x, y, z)
+
+#endif
+
+#endif /* BLACKLIST_CLIENT_H */

Modified: head/libexec/ftpd/ftpd.8
==
--- head/libexec/ftpd/ftpd.8Tue Nov  1 17:11:10 2016(r308174)
+++ head/libexec/ftpd/ftpd.8Tue Nov  1 18:18:09 2016(r308175)
@@ -36,7 +36,7 @@
 .Nd Internet File Transfer Protocol server
 .Sh SYNOPSIS
 .Nm
-.Op Fl 468ADdEhMmOoRrSUvW
+.Op Fl 468ABDdEhMmOoRrSUvW
 .Op Fl l Op Fl l
 .Op Fl a Ar address
 .Op Fl P Ar port
@@ -95,6 +95,14 @@ When
 .Fl D
 is specified, accept connections only on the specified
 .Ar address .
+.It Fl B
+With this option set,
+.Nm
+sends authentication success and failure messages to the
+.Xr blacklistd 8
+daemon.  If this option is not specified, no communcation with the
+.Xr blacklistd 8
+daemon is attempted.
 .It Fl D
 With this option set,
 .Nm

Modified: head/libexec/ftpd/ftpd.c
==
--- head/libexec/ftpd/ftpd.cTue Nov  1 17:11:10 2016(r308174)
+++ head/libexec/ftpd/ftpd.cTue Nov  1 18:18:09 2016(r308175)
@@ -144,6 +144,7 @@ int noretr = 0; /* RETR command is disa
 intnoguestretr = 0;/* RETR command is disabled for anon users. */
 intnoguestmkd = 0; /* MKD command is disabled for anon users. */
 intnoguestmod = 1; /* anon users may not modify existing files. */
+intuse_blacklist = 0;
 
 off_t  file_size;
 off_t  byte_count;
@@ -305,7 +306,7 @@ main(int argc, char *argv[], char **envp
openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
 
while ((ch = getopt(argc, argv,
-   "468a:AdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
+   "468a:ABdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
switch (ch) {
case '4':
family = (family == AF_INET6) ? AF_UNSPEC : AF_INET;
@@ -327,6 +328,14 @@ main(int argc, char *argv[], char **envp
anon_only = 1;
break;
 
+   case 'B':
+#ifdef USE_BLACKLIST
+   use_blacklist = 1;
+#else
+   syslog(LOG_WARNING, "not compiled with USE_BLACKLIST 
support");
+#endif
+   break;
+
case 'd':
ftpdebug++;
break;
@@ -644,9 +653,7 @@ gotchild:
reply(220, "%s FTP server (%s) ready.", hostname, version);
else
reply(220, "FTP server ready.");
-#ifdef USE_BLACKLIST
-   blacklist_init();
-#endif
+   BLACKLIST_INIT();
for (;;)
(void) yyparse();
/* NOTREACHED */
@@ -1422,9 +1429,7 @@ skip:
 */
if (rval) {

svn commit: r307173 - stable/11/sys/netinet

2016-10-12 Thread Kurt Lidl
Author: lidl
Date: Thu Oct 13 03:10:04 2016
New Revision: 307173
URL: https://svnweb.freebsd.org/changeset/base/307173

Log:
  MFC r306458: Properly preserve ip_tos bits for IPv4 packets
  
  Restructure code slightly to save ip_tos bits earlier.  Fix the bug
  where the ip_tos field is zeroed out before assigning to the iptos
  variable. Restore the ip_tos and ip_ver fields only if they have
  been zeroed during the pseudo-header checksum calculation.

Modified:
  stable/11/sys/netinet/tcp_input.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/tcp_input.c
==
--- stable/11/sys/netinet/tcp_input.c   Thu Oct 13 03:08:32 2016
(r307172)
+++ stable/11/sys/netinet/tcp_input.c   Thu Oct 13 03:10:04 2016
(r307173)
@@ -601,7 +601,7 @@ tcp_input(struct mbuf **mp, int *offp, i
 #ifdef TCP_SIGNATURE
uint8_t sig_checked = 0;
 #endif
-   uint8_t iptos = 0;
+   uint8_t iptos;
struct m_tag *fwd_tag = NULL;
 #ifdef INET6
struct ip6_hdr *ip6 = NULL;
@@ -673,6 +673,7 @@ tcp_input(struct mbuf **mp, int *offp, i
/* XXX stat */
goto drop;
}
+   iptos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
}
 #endif
 #if defined(INET) && defined(INET6)
@@ -699,6 +700,7 @@ tcp_input(struct mbuf **mp, int *offp, i
th = (struct tcphdr *)((caddr_t)ip + off0);
tlen = ntohs(ip->ip_len) - off0;
 
+   iptos = ip->ip_tos;
if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
th->th_sum = m->m_pkthdr.csum_data;
@@ -719,29 +721,20 @@ tcp_input(struct mbuf **mp, int *offp, i
ipov->ih_len = htons(tlen);
th->th_sum = in_cksum(m, len);
/* Reset length for SDT probes. */
-   ip->ip_len = htons(tlen + off0);
+   ip->ip_len = htons(len);
+   /* Reset TOS bits */
+   ip->ip_tos = iptos;
+   /* Re-initialization for later version check */
+   ip->ip_v = IPVERSION;
}
 
if (th->th_sum) {
TCPSTAT_INC(tcps_rcvbadsum);
goto drop;
}
-   /* Re-initialization for later version check */
-   ip->ip_v = IPVERSION;
}
 #endif /* INET */
 
-#ifdef INET6
-   if (isipv6)
-   iptos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
-#endif
-#if defined(INET) && defined(INET6)
-   else
-#endif
-#ifdef INET
-   iptos = ip->ip_tos;
-#endif
-
/*
 * Check that TCP offset makes sense,
 * pull out TCP options and adjust length.  XXX
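Review bot: restoring ip_tos and ip_v only inside the in_cksum() branch is right, since that is the only place the pseudo-header overlay (ipov) scribbles on the header; the old unconditional 'ip->ip_v = IPVERSION' after the checksum check was redundant on the hardware-checksum path, so moving it into the else block is a no-op there. The unrelated change from 'ip->ip_len = htons(tlen + off0)' to 'ip->ip_len = htons(len)' is not mentioned in the log; it is only equivalent if off0 equals the base header length at this point (options already stripped), and a one-line note in the message would save the MFC reader from having to verify that.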


svn commit: r307172 - stable/11/etc/periodic/security

2016-10-12 Thread Kurt Lidl
Author: lidl
Date: Thu Oct 13 03:08:32 2016
New Revision: 307172
URL: https://svnweb.freebsd.org/changeset/base/307172

Log:
  MFC r306696: Make 502.pfdenied find blacklistd/* filter names dynamically
  
  This change is needed to make the 520.pfdenied script find the new
  blacklistd/* anchor points for reporting blocked traffic.
  
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/etc/periodic/security/520.pfdenied
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/etc/periodic/security/520.pfdenied
==
--- stable/11/etc/periodic/security/520.pfdeniedThu Oct 13 03:06:23 
2016(r307171)
+++ stable/11/etc/periodic/security/520.pfdeniedThu Oct 13 03:08:32 
2016(r307172)
@@ -44,8 +44,7 @@ rc=0
 if check_yesno_period security_status_pfdenied_enable
 then
TMP=`mktemp -t security`
-   touch ${TMP}
-   for _a in "" blacklistd
+   for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null)
do
pfctl -a ${_a} -sr -v -z 2>/dev/null | \
nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if 
($5 > 0) print buf$0;} }' >> ${TMP}
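Review bot: the new loop header depends on unquoted command substitution, so each anchor name printed by 'pfctl -a "blacklistd" -sA' becomes one iteration; that is the intended behaviour, but the loop will silently misparse if an anchor name ever contains whitespace. Removing 'touch ${TMP}' is fine because mktemp already creates the file. Also note the subject line and first log line say 502.pfdenied while the file actually changed is 520.pfdenied.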


svn commit: r307171 - stable/11/contrib/blacklist/libexec

2016-10-12 Thread Kurt Lidl
Author: lidl
Date: Thu Oct 13 03:06:23 2016
New Revision: 307171
URL: https://svnweb.freebsd.org/changeset/base/307171

Log:
  MFC r306695: Make blacklist-helper commands emit a message when successful
  
  The blacklistd daemon expects to see a message on stdout, instead
  of just relying on the exit value from any invoked programs.
  
  Change the pf filtering to create multiple filters, attached under
  the "blacklist/*" anchor point.  This prevents the filtering for
  each port's filtering rule from overwriting the previously installed
  filtering rule.  Check for an existing filtering rule for each port,
  so the installation of a given filtering rule only happens once.
  Reinstalling the same rule resets the counters for the pf rule, and
  we don't want that.
  
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/contrib/blacklist/libexec/blacklistd-helper
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper
==
--- stable/11/contrib/blacklist/libexec/blacklistd-helper   Thu Oct 13 
03:00:56 2016(r307170)
+++ stable/11/contrib/blacklist/libexec/blacklistd-helper   Thu Oct 13 
03:06:23 2016(r307171)
@@ -19,8 +19,8 @@ fi
 if [ -z "$pf" ]; then
for f in npf pf ipf; do
if [ -f "/etc/$f.conf" ]; then
-   pf="$f"
-   break
+   pf="$f"
+   break
fi
done
 fi
@@ -54,8 +54,8 @@ add)
ipf)
/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
echo block in quick $proto from $addr/$mask to \
-   any port=$6 head port$6 | \
-   /sbin/ipf -I -f - -s >/dev/null 2>&1
+   any port=$6 head port$6 | \
+   /sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK
;;
ipfw)
# use $ipfw_offset+$port for rule number
@@ -64,17 +64,21 @@ add)
/sbin/ipfw table $tname create type addr 2>/dev/null
/sbin/ipfw -q table $tname add "$addr/$mask"
/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
-   any dst-port $6
+   any dst-port $6 && echo OK
;;
npf)
/sbin/npfctl rule "$2" add block in final $proto from \
"$addr/$mask" to any $port
;;
pf)
-   # insert $ip/$mask into per-protocol anchored table
-   /sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask"
-   echo "block in quick $proto from  to any $port" | \
-   /sbin/pfctl -a "$2" -f -
+   # if the filtering rule does not exist, create it
+   /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
+   grep -q "" || \
+   echo "block in quick $proto from  to any $port" | \
+   /sbin/pfctl -a "$2/$6" -f -
+   # insert $ip/$mask into per-protocol/port anchored table
+   /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+   echo OK
;;
esac
;;
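Review bot: in the pf add case, both the rule text between 'from' and 'to' and the pattern handed to 'grep -q ""' appear empty as shown; if the angle-bracketed table reference was lost in transit, verify the committed file, because an empty grep pattern matches any line and the existence check would then only prove that the anchor has some rule, not the one for this port. Separately, '&& echo OK' is attached only to the table add; a failure of the preceding 'pfctl -a "$2/$6" -f -' rule load is never reported back to blacklistd.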
@@ -83,33 +87,35 @@ rem)
ipf)
/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
echo block in quick $proto from $addr/$mask to \
-   any port=$6 head port$6 | \
-   /sbin/ipf -I -r -f - -s >/dev/null 2>&1
+   any port=$6 head port$6 | \
+   /sbin/ipf -I -r -f - -s >/dev/null 2>&1 && echo OK
;;
ipfw)
-   /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
+   /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
+   echo OK
;;
npf)
/sbin/npfctl rule "$2" rem-id "$7"
;;
pf)
-   /sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask"
+   /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+   echo OK
;;
esac
;;
 flush)
case "$pf" in
ipf)
-   /sbin/ipf -Z -I -Fi -s > /dev/null
+   /sbin/ipf -Z -I -Fi -s > /dev/null && echo OK
;;
ipfw)
-   /sbin/ipfw table "port$6" flush 2>/dev/null
+   /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
;;
npf)
/sbin/npfctl rule "$2" flush
;;
pf)
-   /sbin/pfctl -a "$2" -t "port$6" -T flush
+   /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK
;;
esac
;;
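Review bot: the npf branches in add, rem and flush are left untouched, so on an npf host the helper still prints nothing on stdout, contrary to the log's "emit a message when successful"; if blacklistd now keys on that message, npf users get no confirmation of any rule. Either add '&& echo OK' to the npfctl lines as was done for ipf, ipfw and pf, or state the limitation in the log.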

svn commit: r306799 - stable/11/contrib/blacklist/bin

2016-10-06 Thread Kurt Lidl
Author: lidl
Date: Fri Oct  7 02:33:45 2016
New Revision: 306799
URL: https://svnweb.freebsd.org/changeset/base/306799

Log:
  MFC r306508: Fix blacklistd's state restoral at startup
  
  The blacklistd daemon attempted to restore the filtering rules
  before the database of blocked addresses was opened, so no rules
  were being reloaded.  Now the rules are properly recreated when the
  daemon is started with '-r'.
  
  This bug was fixed locally, and then sent upstream to NetBSD.
  This changeset is the import of the NetBSD version of the change,
  which added debugging output to alert about a null database.
  
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/contrib/blacklist/bin/blacklistd.c
  stable/11/contrib/blacklist/bin/state.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/blacklist/bin/blacklistd.c
==
--- stable/11/contrib/blacklist/bin/blacklistd.cFri Oct  7 02:32:01 
2016(r306798)
+++ stable/11/contrib/blacklist/bin/blacklistd.cFri Oct  7 02:33:45 
2016(r306799)
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $ */
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $");
 
 #include 
 #include 
@@ -473,9 +473,6 @@ main(int argc, char *argv[])
flags |= O_TRUNC;
}
 
-   if (restore)
-   rules_restore();
-
struct pollfd *pfd = NULL;
bl_t *bl = NULL;
size_t nfd = 0;
@@ -500,6 +497,9 @@ main(int argc, char *argv[])
if (state == NULL)
return EXIT_FAILURE;
 
+   if (restore)
+   rules_restore();
+
if (!debug) {
if (daemon(0, 0) == -1)
err(EXIT_FAILURE, "daemon failed");
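Review bot: rules_restore() now runs after the 'state == NULL' check, so it can no longer walk a database that was never opened, which is the fix the log describes. Its outcome is still not checked at the call site, though, so a partially restored rule set is only visible through whatever state_iterate() logs; and because the call still precedes daemon(), any such output reaches the invoking terminal, which is the right order for a startup diagnostic.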

Modified: stable/11/contrib/blacklist/bin/state.c
==
--- stable/11/contrib/blacklist/bin/state.c Fri Oct  7 02:32:01 2016
(r306798)
+++ stable/11/contrib/blacklist/bin/state.c Fri Oct  7 02:33:45 2016
(r306799)
@@ -1,4 +1,4 @@
-/* $NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $  */
+/* $NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $  */
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $");
 
 #include 
 #include 
@@ -200,8 +200,10 @@ state_iterate(DB *db, struct conf *c, st
int rv;
DBT k, v;
 
-   if (db == NULL)
+   if (db == NULL) {
+   (*lfun)(LOG_ERR, "%s: called with no database file", __func__);
return -1;
+   }
 
first = first ? R_FIRST : R_NEXT;
 


svn commit: r306798 - stable/11/contrib/blacklist/bin

2016-10-06 Thread Kurt Lidl
Author: lidl
Date: Fri Oct  7 02:32:01 2016
New Revision: 306798
URL: https://svnweb.freebsd.org/changeset/base/306798

Log:
  MFC r306507: Update blacklistd.8 with changes from NetBSD
  
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/contrib/blacklist/bin/blacklistd.8
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/blacklist/bin/blacklistd.8
==
--- stable/11/contrib/blacklist/bin/blacklistd.8Fri Oct  7 01:33:03 
2016(r306797)
+++ stable/11/contrib/blacklist/bin/blacklistd.8Fri Oct  7 02:32:01 
2016(r306798)
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.15 2016/03/11 17:16:40 christos Exp $
+.\" $NetBSD: blacklistd.8,v 1.18 2016/07/30 06:09:29 dholland Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -47,7 +47,7 @@
 .Nm
 is a daemon similar to
 .Xr syslogd 8
-that listens to a sockets at paths specified in the
+that listens to sockets at paths specified in the
 .Ar sockpathsfile
 for notifications from other daemons about successful or failed connection
 attempts.
@@ -218,7 +218,8 @@ Socket to receive connection notificatio
 .Nm
 first appeared in
 .Nx 7 .
-.Fx support for
+.Fx
+support for
 .Nm
 was implemented in
 .Fx 11 .


svn commit: r306696 - head/etc/periodic/security

2016-10-04 Thread Kurt Lidl
Author: lidl
Date: Tue Oct  4 23:12:35 2016
New Revision: 306696
URL: https://svnweb.freebsd.org/changeset/base/306696

Log:
  Make 502.pfdenied find blacklistd/* filter names dynamically
  
  This change is needed to make the 520.pfdenied script find the new
  blacklistd/* anchor points for reporting blocked traffic.
  
  Reviewed by:  kp
  MFC after:1 week
  Sponsored by: The FreeBSD Foundation

Modified:
  head/etc/periodic/security/520.pfdenied

Modified: head/etc/periodic/security/520.pfdenied
==
--- head/etc/periodic/security/520.pfdenied Tue Oct  4 23:10:43 2016
(r306695)
+++ head/etc/periodic/security/520.pfdenied Tue Oct  4 23:12:35 2016
(r306696)
@@ -44,8 +44,7 @@ rc=0
 if check_yesno_period security_status_pfdenied_enable
 then
TMP=`mktemp -t security`
-   touch ${TMP}
-   for _a in "" blacklistd
+   for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null)
do
pfctl -a ${_a} -sr -v -z 2>/dev/null | \
nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if 
($5 > 0) print buf$0;} }' >> ${TMP}
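Review bot: with stderr from 'pfctl -a "blacklistd" -sA' discarded, a pf setup that has no blacklistd anchor degrades to the original single pass with _a="", which is the intended fallback; the same redirection, however, also hides a pfctl that is missing, disabled or not permitted, so the daily report would quietly come back empty instead of flagging a problem. Distinguishing "no anchors" from "pfctl failed" via the exit status would be a cheap improvement in a follow-up.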


svn commit: r306695 - head/contrib/blacklist/libexec

2016-10-04 Thread Kurt Lidl
Author: lidl
Date: Tue Oct  4 23:10:43 2016
New Revision: 306695
URL: https://svnweb.freebsd.org/changeset/base/306695

Log:
  Make blacklist-helper commands emit a message when successful
  
  The blacklistd daemon expects to see a message on stdout, instead
  of just relying on the exit value from any invoked programs.
  
  Change the pf filtering to create multiple filters, attached under
  the "blacklist/*" anchor point.  This prevents the filtering for
  each port's filtering rule from overwriting the previously installed
  filtering rule.  Check for an existing filtering rule for each port,
  so the installation of a given filtering rule only happens once.
  Reinstalling the same rule resets the counters for the pf rule, and
  we don't want that.
  
  Reported by:  David Horn (dhorn2000 at gmail.com)
  Reviewed by:  emaste
  MFC after:1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D8081

Modified:
  head/contrib/blacklist/libexec/blacklistd-helper

Modified: head/contrib/blacklist/libexec/blacklistd-helper
==
--- head/contrib/blacklist/libexec/blacklistd-helperTue Oct  4 22:36:36 
2016(r306694)
+++ head/contrib/blacklist/libexec/blacklistd-helperTue Oct  4 23:10:43 
2016(r306695)
@@ -19,8 +19,8 @@ fi
 if [ -z "$pf" ]; then
for f in npf pf ipf; do
if [ -f "/etc/$f.conf" ]; then
-   pf="$f"
-   break
+   pf="$f"
+   break
fi
done
 fi
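Review bot: this first hunk is indentation-only (pf="$f" and break re-indented with no textual change); bundling it with a functional change makes the diff noisier to review and to merge back. Fine to keep, but a separate whitespace commit is the usual practice in contrib/.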
@@ -54,8 +54,8 @@ add)
ipf)
/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
echo block in quick $proto from $addr/$mask to \
-   any port=$6 head port$6 | \
-   /sbin/ipf -I -f - -s >/dev/null 2>&1
+   any port=$6 head port$6 | \
+   /sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK
;;
ipfw)
# use $ipfw_offset+$port for rule number
@@ -64,17 +64,21 @@ add)
/sbin/ipfw table $tname create type addr 2>/dev/null
/sbin/ipfw -q table $tname add "$addr/$mask"
/sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
-   any dst-port $6
+   any dst-port $6 && echo OK
;;
npf)
/sbin/npfctl rule "$2" add block in final $proto from \
"$addr/$mask" to any $port
;;
pf)
-   # insert $ip/$mask into per-protocol anchored table
-   /sbin/pfctl -a "$2" -t "port$6" -T add "$addr/$mask"
-   echo "block in quick $proto from  to any $port" | \
-   /sbin/pfctl -a "$2" -f -
+   # if the filtering rule does not exist, create it
+   /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
+   grep -q "" || \
+   echo "block in quick $proto from  to any $port" | \
+   /sbin/pfctl -a "$2/$6" -f -
+   # insert $ip/$mask into per-protocol/port anchored table
+   /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+   echo OK
;;
esac
;;
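Review bot: order of operations in the pf add case: the block rule is loaded into anchor "$2/$6" first and the address is added to table "port$6" second, but only the second step is chained to '&& echo OK'. Since the rule is what makes the table effective, chaining both steps with '&&' would keep a failed rule load from being reported as success. The grep-based existence check would also benefit from a comment naming the pattern it looks for, because as printed the pattern reads as an empty string.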
@@ -83,33 +87,35 @@ rem)
ipf)
/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
echo block in quick $proto from $addr/$mask to \
-   any port=$6 head port$6 | \
-   /sbin/ipf -I -r -f - -s >/dev/null 2>&1
+   any port=$6 head port$6 | \
+   /sbin/ipf -I -r -f - -s >/dev/null 2>&1 && echo OK
;;
ipfw)
-   /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
+   /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
+   echo OK
;;
npf)
/sbin/npfctl rule "$2" rem-id "$7"
;;
pf)
-   /sbin/pfctl -a "$2" -t "port$6" -T delete "$addr/$mask"
+   /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+   echo OK
;;
esac
;;
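Review bot: rem for pf now deletes from the table under the "$2/$6" anchor, matching the new add path, but the per-port rule that add loads into that anchor is never removed; once the last address is deleted the anchor keeps a block rule referencing an empty table. That is harmless for filtering (an empty table matches nothing), but anchors accumulate across ports and 'pfctl -sA' output grows, so a comment or a cleanup path for empty anchors would be worth considering.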
 flush)
case "$pf" in
ipf)
-   /sbin/ipf -Z -I -Fi -s > /dev/null
+   /sbin/ipf -Z -I -Fi -s > /dev/null && echo OK
;;
ipfw)
-   /sbin/ipfw table "port$6" flush 2>/dev/null
+   /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
;;
npf)
/sbin/npfctl rule "$2" flush
;;
pf)
-   /sbin/pfctl -a "$2" -t "port$6" -T flush
+   /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK
;;
esac
;;

svn commit: r306508 - head/contrib/blacklist/bin

2016-09-30 Thread Kurt Lidl
Author: lidl
Date: Fri Sep 30 16:35:30 2016
New Revision: 306508
URL: https://svnweb.freebsd.org/changeset/base/306508

Log:
  Fix blacklistd's state restoral at startup
  
  The blacklistd daemon attempted to restore the filtering rules
  before the database of blocked addresses was opened, so no rules
  were being reloaded.  Now the rules are properly recreated when the
  daemon is started with '-r'.
  
  This bug was fixed locally, and then sent upstream to NetBSD.
  This changeset is the import of the NetBSD version of the change,
  which added debugging output to alert about a null database.
  
  Reviewed by:  emaste
  Obtained from:NetBSD
  MFC after:1 week
  Sponsored by: The FreeBSD Foundation

Modified:
  head/contrib/blacklist/bin/blacklistd.c
  head/contrib/blacklist/bin/state.c

Modified: head/contrib/blacklist/bin/blacklistd.c
==
--- head/contrib/blacklist/bin/blacklistd.c Fri Sep 30 16:31:12 2016
(r306507)
+++ head/contrib/blacklist/bin/blacklistd.c Fri Sep 30 16:35:30 2016
(r306508)
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $ */
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 #include "config.h"
 #endif
 #include 
-__RCSID("$NetBSD: blacklistd.c,v 1.34 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.35 2016/09/26 19:43:43 christos Exp $");
 
 #include 
 #include 
@@ -473,9 +473,6 @@ main(int argc, char *argv[])
flags |= O_TRUNC;
}
 
-   if (restore)
-   rules_restore();
-
struct pollfd *pfd = NULL;
bl_t *bl = NULL;
size_t nfd = 0;
@@ -500,6 +497,9 @@ main(int argc, char *argv[])
if (state == NULL)
return EXIT_FAILURE;
 
+   if (restore)
+   rules_restore();
+
if (!debug) {
if (daemon(0, 0) == -1)
err(EXIT_FAILURE, "daemon failed");
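Review bot: moving rules_restore() below the state open is the correct fix, but the '-r' path is now silent on success: nothing in this hunk reports how many rules were restored, so an operator cannot tell a working restore from one that found an empty database without enabling the LOG_ERR path in state.c. A debug-level count after the call would make the fix observable at runtime.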

Modified: head/contrib/blacklist/bin/state.c
==
--- head/contrib/blacklist/bin/state.c  Fri Sep 30 16:31:12 2016
(r306507)
+++ head/contrib/blacklist/bin/state.c  Fri Sep 30 16:35:30 2016
(r306508)
@@ -1,4 +1,4 @@
-/* $NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $  */
+/* $NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $  */
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__RCSID("$NetBSD: state.c,v 1.18 2016/04/04 15:52:56 christos Exp $");
+__RCSID("$NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $");
 
 #include 
 #include 
@@ -200,8 +200,10 @@ state_iterate(DB *db, struct conf *c, st
int rv;
DBT k, v;
 
-   if (db == NULL)
+   if (db == NULL) {
+   (*lfun)(LOG_ERR, "%s: called with no database file", __func__);
return -1;
+   }
 
first = first ? R_FIRST : R_NEXT;
 


svn commit: r306507 - head/contrib/blacklist/bin

2016-09-30 Thread Kurt Lidl
Author: lidl
Date: Fri Sep 30 16:31:12 2016
New Revision: 306507
URL: https://svnweb.freebsd.org/changeset/base/306507

Log:
  Update blacklistd.8 with changes from NetBSD
  
  Obtained from:NetBSD
  MFC after:1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D8079

Modified:
  head/contrib/blacklist/bin/blacklistd.8

Modified: head/contrib/blacklist/bin/blacklistd.8
==
--- head/contrib/blacklist/bin/blacklistd.8 Fri Sep 30 16:02:25 2016
(r306506)
+++ head/contrib/blacklist/bin/blacklistd.8 Fri Sep 30 16:31:12 2016
(r306507)
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.15 2016/03/11 17:16:40 christos Exp $
+.\" $NetBSD: blacklistd.8,v 1.18 2016/07/30 06:09:29 dholland Exp $
 .\"
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -47,7 +47,7 @@
 .Nm
 is a daemon similar to
 .Xr syslogd 8
-that listens to a sockets at paths specified in the
+that listens to sockets at paths specified in the
 .Ar sockpathsfile
 for notifications from other daemons about successful or failed connection
 attempts.
@@ -218,7 +218,8 @@ Socket to receive connection notificatio
 .Nm
 first appeared in
 .Nx 7 .
-.Fx support for
+.Fx
+support for
 .Nm
 was implemented in
 .Fx 11 .
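Review bot: the $NetBSD tag jumps from 1.15 to 1.18 while only two textual fixes are visible: the stray article in "a sockets", and splitting '.Fx' onto its own line so that "support" is no longer swallowed as the macro's version argument. Confirm that upstream revisions 1.16 and 1.17 carried no other content, otherwise the tag overstates what was merged.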


svn commit: r306458 - head/sys/netinet

2016-09-29 Thread Kurt Lidl
Author: lidl
Date: Thu Sep 29 19:45:24 2016
New Revision: 306458
URL: https://svnweb.freebsd.org/changeset/base/306458

Log:
  Properly preserve ip_tos bits for IPv4 packets
  
  Restructure code slightly to save ip_tos bits earlier.  Fix the bug
  where the ip_tos field is zeroed out before assigning to the iptos
  variable. Restore the ip_tos and ip_ver fields only if they have
  been zeroed during the pseudo-header checksum calculation.
  
  Reviewed by:  cem, gnn, hiren
  MFC after:2 weeks
  Differential Revision:https://reviews.freebsd.org/D8053

Modified:
  head/sys/netinet/tcp_input.c

Modified: head/sys/netinet/tcp_input.c
==
--- head/sys/netinet/tcp_input.cThu Sep 29 18:24:29 2016
(r306457)
+++ head/sys/netinet/tcp_input.cThu Sep 29 19:45:24 2016
(r306458)
@@ -603,7 +603,7 @@ tcp_input(struct mbuf **mp, int *offp, i
 #ifdef TCP_SIGNATURE
uint8_t sig_checked = 0;
 #endif
-   uint8_t iptos = 0;
+   uint8_t iptos;
struct m_tag *fwd_tag = NULL;
 #ifdef INET6
struct ip6_hdr *ip6 = NULL;
@@ -675,6 +675,7 @@ tcp_input(struct mbuf **mp, int *offp, i
/* XXX stat */
goto drop;
}
+   iptos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
}
 #endif
 #if defined(INET) && defined(INET6)
@@ -701,6 +702,7 @@ tcp_input(struct mbuf **mp, int *offp, i
th = (struct tcphdr *)((caddr_t)ip + off0);
tlen = ntohs(ip->ip_len) - off0;
 
+   iptos = ip->ip_tos;
if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
th->th_sum = m->m_pkthdr.csum_data;
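Review bot: saving iptos at 'iptos = ip->ip_tos;' before the CSUM_DATA_VALID branch is the actual fix, since the software-checksum path below overlays the header with the pseudo-header and zeroes the TOS byte; a short comment at this line saying so would help, because the restore site is far enough away that the reason for the early save is not obvious to the next reader.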
@@ -721,29 +723,20 @@ tcp_input(struct mbuf **mp, int *offp, i
ipov->ih_len = htons(tlen);
th->th_sum = in_cksum(m, len);
/* Reset length for SDT probes. */
-   ip->ip_len = htons(tlen + off0);
+   ip->ip_len = htons(len);
+   /* Reset TOS bits */
+   ip->ip_tos = iptos;
+   /* Re-initialization for later version check */
+   ip->ip_v = IPVERSION;
}
 
if (th->th_sum) {
TCPSTAT_INC(tcps_rcvbadsum);
goto drop;
}
-   /* Re-initialization for later version check */
-   ip->ip_v = IPVERSION;
}
 #endif /* INET */
 
-#ifdef INET6
-   if (isipv6)
-   iptos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
-#endif
-#if defined(INET) && defined(INET6)
-   else
-#endif
-#ifdef INET
-   iptos = ip->ip_tos;
-#endif
-
/*
 * Check that TCP offset makes sense,
 * pull out TCP options and adjust length.  XXX
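Review bot: the '/* Reset TOS bits */' and '/* Re-initialization for later version check */' writes now live inside the in_cksum() branch, the only place the header is clobbered, and the old block that recomputed iptos after the checksum (and therefore read a zeroed ip_tos) is gone, which matches the log. The change from 'htons(tlen + off0)' to 'htons(len)' on the ip_len reset is silent in the message; it holds only when off0 is the base header size at this point, so a line in the log, or in the comment, would document that assumption.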


svn commit: r305476 - in stable/11: crypto/openssh secure/usr.sbin/sshd

2016-09-06 Thread Kurt Lidl
ult of Match */

Modified: stable/11/crypto/openssh/auth2.c
==
--- stable/11/crypto/openssh/auth2.cTue Sep  6 14:26:41 2016
(r305475)
+++ stable/11/crypto/openssh/auth2.cTue Sep  6 14:52:14 2016
(r305476)
@@ -52,6 +52,7 @@ __RCSID("$FreeBSD$");
 #include "pathnames.h"
 #include "buffer.h"
 #include "canohost.h"
+#include "blacklist_client.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -248,6 +249,7 @@ input_userauth_request(int type, u_int32
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
 #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
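Review bot: BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL) is called directly in the invalid-user branch, right next to an audit call that is explicitly wrapped in PRIVSEP(); if input_userauth_request() runs in the unprivileged pre-auth child, the notify path needs the blacklistd socket to be reachable from that process (sandbox and chroot permitting), or the notification is dropped silently. Treating an unknown user name as an authentication failure is sensible for brute-force detection; it just deserves a sentence in the log, since a name-probing client is blocked before any password attempt.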

Copied: stable/11/crypto/openssh/blacklist.c (from r305065, 
head/crypto/openssh/blacklist.c)
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ stable/11/crypto/openssh/blacklist.cTue Sep  6 14:52:14 2016
(r305476, copy of r305065, head/crypto/openssh/blacklist.c)
@@ -0,0 +1,97 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "misc.h"
+#include "servconf.h"
+#include "blacklist_client.h"
+#include 
+
+static struct blacklist *blstate = NULL;
+
+/* import */
+extern ServerOptions options;
+
+/* internal definition from bl.h */
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, 
va_list));
+
+/* impedence match vsyslog() to sshd's internal logging levels */
+void
+im_log(int priority, const char *message, va_list args)
+{
+   LogLevel imlevel;
+
+   switch (priority) {
+   case LOG_ERR:
+   imlevel = SYSLOG_LEVEL_ERROR;
+   break;
+   case LOG_DEBUG:
+   imlevel = SYSLOG_LEVEL_DEBUG1;
+   break;
+   case LOG_INFO:
+   imlevel = SYSLOG_LEVEL_INFO;
+   break;
+   default:
+   imlevel = SYSLOG_LEVEL_DEBUG2;
+   }
+   do_log(imlevel, message, args);
+}
+
+void
+blacklist_init(void)
+{
+
+   if (options.use_blacklist)
+   blstate = bl_create(false, NULL, im_log);
+}
+
+void
+blacklist_notify(int action)
+{
+
+   if (blstate != NULL && packet_connection_is_on_socket())
+   (void)blacklist_r(blstate, action,
+   packet_get_connection_in(), "ssh");
+}
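Review bot: im_log() maps LOG_ERR, LOG_DEBUG and LOG_INFO explicitly and sends everything else, including LOG_WARNING and LOG_NOTICE, to SYSLOG_LEVEL_DEBUG2, so library warnings are invisible at sshd's default log level; add cases for LOG_WARNING and LOG_NOTICE. The hand-written prototype for bl_create() ("internal definition from bl.h") duplicates the library's signature instead of including its header and will drift silently if upstream changes it. Minor: "impedence" in the comment should be "impedance", and im_log() can be static.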

Copied: stable/11/crypto/openssh/blacklist_client.h (from r305065, 
head/crypto/openssh/blacklist_client.h)
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ stable/11/crypto/openssh/blacklist_client.h Tue Sep  6 14:52:14 2016
(r305476, copy of r305065, head/crypto/openssh/blacklist_client.h)
@@ -0,0 +1,57 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 Th

svn commit: r305065 - in head: crypto/openssh secure/usr.sbin/sshd

2016-08-30 Thread Kurt Lidl
/auth2.c Tue Aug 30 13:56:11 2016(r305064)
+++ head/crypto/openssh/auth2.c Tue Aug 30 14:09:24 2016(r305065)
@@ -52,6 +52,7 @@ __RCSID("$FreeBSD$");
 #include "pathnames.h"
 #include "buffer.h"
 #include "canohost.h"
+#include "blacklist_client.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -248,6 +249,7 @@ input_userauth_request(int type, u_int32
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
+   BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL);
 #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
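Review bot: the include of "blacklist_client.h" is added without an #ifdef guard, while the call site uses the BLACKLIST_NOTIFY() macro; that is only clean if the header is safe to include when USE_BLACKLIST is unset and defines the macro to nothing. The header is part of this commit (truncated below), so this is just a point to confirm rather than a defect in the hunk.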

Added: head/crypto/openssh/blacklist.c
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/crypto/openssh/blacklist.c Tue Aug 30 14:09:24 2016
(r305065)
@@ -0,0 +1,97 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "misc.h"
+#include "servconf.h"
+#include "blacklist_client.h"
+#include 
+
+static struct blacklist *blstate = NULL;
+
+/* import */
+extern ServerOptions options;
+
+/* internal definition from bl.h */
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, 
va_list));
+
+/* impedence match vsyslog() to sshd's internal logging levels */
+void
+im_log(int priority, const char *message, va_list args)
+{
+   LogLevel imlevel;
+
+   switch (priority) {
+   case LOG_ERR:
+   imlevel = SYSLOG_LEVEL_ERROR;
+   break;
+   case LOG_DEBUG:
+   imlevel = SYSLOG_LEVEL_DEBUG1;
+   break;
+   case LOG_INFO:
+   imlevel = SYSLOG_LEVEL_INFO;
+   break;
+   default:
+   imlevel = SYSLOG_LEVEL_DEBUG2;
+   }
+   do_log(imlevel, message, args);
+}
+
+void
+blacklist_init(void)
+{
+
+   if (options.use_blacklist)
+   blstate = bl_create(false, NULL, im_log);
+}
+
+void
+blacklist_notify(int action)
+{
+
+   if (blstate != NULL && packet_connection_is_on_socket())
+   (void)blacklist_r(blstate, action,
+   packet_get_connection_in(), "ssh");
+}
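Review bot: blacklist_notify() checks blstate and packet_connection_is_on_socket() before calling blacklist_r(), so a NULL state (UseBlacklist off, or bl_create() having failed) is a clean no-op; but the return value of blacklist_r() is cast away, so a failure to reach blacklistd is never logged by sshd itself, only by whatever the library reports through im_log(). Given that im_log() demotes every priority other than LOG_ERR, LOG_INFO and LOG_DEBUG to DEBUG2, a transport problem reported at LOG_WARNING would not show up at all; either handle the return value here or widen the mapping in im_log().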

Added: head/crypto/openssh/blacklist_client.h
======
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/crypto/openssh/blacklist_client.h  Tue Aug 30 14:09:24 2016
(r305065)
@@ -0,0 +1,57 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * ar

svn commit: r304028 - stable/11/contrib/blacklist/lib

2016-08-12 Thread Kurt Lidl
Author: lidl
Date: Fri Aug 12 23:27:56 2016
New Revision: 304028
URL: https://svnweb.freebsd.org/changeset/base/304028

Log:
  MFC r303518:
libblacklist: Do not use %m for logging, use strerror(errno)
  
The blacklist library can accept a function to use for logging,
defaulting to vsyslog(), if no function is specified.  Make the
blacklist library use strerror(errno) explicitly, instead of %m,
so that the passed in function does not need to support the
syslog specific placeholder.
  
This matches a change already submitted and accepted upstream.
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/contrib/blacklist/lib/bl.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/blacklist/lib/bl.c
==
--- stable/11/contrib/blacklist/lib/bl.cFri Aug 12 23:25:22 2016
(r304027)
+++ stable/11/contrib/blacklist/lib/bl.cFri Aug 12 23:27:56 2016
(r304028)
@@ -152,8 +152,8 @@ bl_init(bl_t b, bool srv)
b->b_fd = socket(PF_LOCAL,
SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK|SOCK_NOSIGPIPE, 0);
if (b->b_fd == -1) {
-   bl_log(b->b_fun, LOG_ERR, "%s: socket failed (%m)",
-   __func__);
+   bl_log(b->b_fun, LOG_ERR, "%s: socket failed (%s)",
+   __func__, strerror(errno));
BL_UNLOCK(b);
return -1;
}
@@ -200,8 +200,8 @@ bl_init(bl_t b, bool srv)
 */
if (b->b_connected != 1) {
bl_log(b->b_fun, LOG_DEBUG,
-   "%s: connect failed for `%s' (%m)",
-   __func__, sun->sun_path);
+   "%s: connect failed for `%s' (%s)",
+   __func__, sun->sun_path, strerror(errno));
b->b_connected = 1;
}
BL_UNLOCK(b);
@@ -220,8 +220,8 @@ bl_init(bl_t b, bool srv)
errno = serrno;
if (rv == -1) {
bl_log(b->b_fun, LOG_ERR,
-   "%s: bind failed for `%s' (%m)",
-   __func__, sun->sun_path);
+   "%s: bind failed for `%s' (%s)",
+   __func__, sun->sun_path, strerror(errno));
goto out;
}
}
@@ -260,7 +260,8 @@ bl_init(bl_t b, bool srv)
if (setsockopt(b->b_fd, CRED_LEVEL, CRED_NAME,
, (socklen_t)sizeof(one)) == -1) {
bl_log(b->b_fun, LOG_ERR, "%s: setsockopt %s "
-   "failed (%m)", __func__, __STRING(CRED_NAME));
+   "failed (%s)", __func__, __STRING(CRED_NAME),
+   strerror(errno));
goto out;
}
 #endif
@@ -296,7 +297,8 @@ bl_create(bool srv, const char *path, vo
return b;
 out:
free(b);
-   bl_log(fun, LOG_ERR, "%s: malloc failed (%m)", __func__);
+   bl_log(fun, LOG_ERR, "%s: malloc failed (%s)", __func__,
+   strerror(errno));
return NULL;
 }
 
@@ -451,7 +453,8 @@ bl_recv(bl_t b)
 
 rlen = recvmsg(b->b_fd, , 0);
 if (rlen == -1) {
-   bl_log(b->b_fun, LOG_ERR, "%s: recvmsg failed (%m)", __func__);
+   bl_log(b->b_fun, LOG_ERR, "%s: recvmsg failed (%s)", __func__,
+   strerror(errno));
return NULL;
 }
 


svn commit: r304027 - stable/11/usr.bin/resizewin

2016-08-12 Thread Kurt Lidl
Author: lidl
Date: Fri Aug 12 23:25:22 2016
New Revision: 304027
URL: https://svnweb.freebsd.org/changeset/base/304027

Log:
  MFC r303515:
Make resizewin.1 manpage use .Fx macro
  
Fix capitalization of "PuTTY" also.

Modified:
  stable/11/usr.bin/resizewin/resizewin.1
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/usr.bin/resizewin/resizewin.1
==
--- stable/11/usr.bin/resizewin/resizewin.1 Fri Aug 12 22:44:59 2016
(r304026)
+++ stable/11/usr.bin/resizewin/resizewin.1 Fri Aug 12 23:25:22 2016
(r304027)
@@ -27,7 +27,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 17, 2016
+.Dd July 9, 2016
 .Dt RESIZEWIN 1
 .Os
 .Sh NAME
@@ -55,10 +55,12 @@ updates the kernel's window size to matc
 .Pp
 Note that virtually all modern terninals support VT100/ANSI escape
 sequences, including xterm, konsole, gnome-terminal iTerm,
-Terminal.app, and puTTY.
+Terminal.app, and PuTTY.
 .Sh SEE ALSO
 .Xr resize 1 ,
 .Xr stty 1
 .Sh HISTORY
+The
 .Nm
-appeared in FreeBSD 11.
+command first appeared in
+.Fx 11 .


svn commit: r303518 - head/contrib/blacklist/lib

2016-07-29 Thread Kurt Lidl
Author: lidl
Date: Fri Jul 29 21:11:32 2016
New Revision: 303518
URL: https://svnweb.freebsd.org/changeset/base/303518

Log:
  libblacklist: Do not use %m for logging, use strerror(errno)
  
  The blacklist library can accept a function to use for logging,
  defaulting to vsyslog(), if no function is specified.  Make the
  blacklist library use strerror(errno) explicitly, instead of %m,
  so that the passed in function does not need to support the
  syslog specific placeholder.
  
  This matches a change already submitted and accepted upstream.
  
  MFC after: 1 week
  Sponsored by: The FreeBSD Foundation

Modified:
  head/contrib/blacklist/lib/bl.c

Modified: head/contrib/blacklist/lib/bl.c
==
--- head/contrib/blacklist/lib/bl.c Fri Jul 29 21:07:17 2016
(r303517)
+++ head/contrib/blacklist/lib/bl.c Fri Jul 29 21:11:32 2016
(r303518)
@@ -152,8 +152,8 @@ bl_init(bl_t b, bool srv)
b->b_fd = socket(PF_LOCAL,
SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK|SOCK_NOSIGPIPE, 0);
if (b->b_fd == -1) {
-   bl_log(b->b_fun, LOG_ERR, "%s: socket failed (%m)",
-   __func__);
+   bl_log(b->b_fun, LOG_ERR, "%s: socket failed (%s)",
+   __func__, strerror(errno));
BL_UNLOCK(b);
return -1;
}
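Review bot: strerror(3) returns a pointer to a static buffer and is not thread-safe, yet this code runs between BL_LOCK and BL_UNLOCK, which signals that the library expects concurrent callers; prefer strerror_r(3) into a local buffer for each of the replacements in this change, e.g. `char ebuf[128]; strerror_r(errno, ebuf, sizeof(ebuf));` and pass `ebuf` to bl_log. This applies to all the hunks below, not just the socket failure here.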
@@ -200,8 +200,8 @@ bl_init(bl_t b, bool srv)
 */
if (b->b_connected != 1) {
bl_log(b->b_fun, LOG_DEBUG,
-   "%s: connect failed for `%s' (%m)",
-   __func__, sun->sun_path);
+   "%s: connect failed for `%s' (%s)",
+   __func__, sun->sun_path, strerror(errno));
b->b_connected = 1;
}
BL_UNLOCK(b);
@@ -220,8 +220,8 @@ bl_init(bl_t b, bool srv)
errno = serrno;
if (rv == -1) {
bl_log(b->b_fun, LOG_ERR,
-   "%s: bind failed for `%s' (%m)",
-   __func__, sun->sun_path);
+   "%s: bind failed for `%s' (%s)",
+   __func__, sun->sun_path, strerror(errno));
goto out;
}
}
@@ -260,7 +260,8 @@ bl_init(bl_t b, bool srv)
if (setsockopt(b->b_fd, CRED_LEVEL, CRED_NAME,
, (socklen_t)sizeof(one)) == -1) {
bl_log(b->b_fun, LOG_ERR, "%s: setsockopt %s "
-   "failed (%m)", __func__, __STRING(CRED_NAME));
+   "failed (%s)", __func__, __STRING(CRED_NAME),
+   strerror(errno));
goto out;
}
 #endif
@@ -296,7 +297,8 @@ bl_create(bool srv, const char *path, vo
return b;
 out:
free(b);
-   bl_log(fun, LOG_ERR, "%s: malloc failed (%m)", __func__);
+   bl_log(fun, LOG_ERR, "%s: malloc failed (%s)", __func__,
+   strerror(errno));
return NULL;
 }
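Review bot: in the `out:` path of bl_create, `free(b)` runs before `strerror(errno)` is evaluated, and free(3) is allowed to change errno, so the "malloc failed" message can report the wrong error. Save errno into a local before `free(b)` (or log before freeing) and pass the saved value to strerror(). The bl_init hunks do not have this problem, since there the log call directly follows the failing syscall or errno is restored from serrno just before.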
 
@@ -451,7 +453,8 @@ bl_recv(bl_t b)
 
 rlen = recvmsg(b->b_fd, , 0);
 if (rlen == -1) {
-   bl_log(b->b_fun, LOG_ERR, "%s: recvmsg failed (%m)", __func__);
+   bl_log(b->b_fun, LOG_ERR, "%s: recvmsg failed (%s)", __func__,
+   strerror(errno));
return NULL;
 }
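Review bot: the socket is created with SOCK_NONBLOCK (visible in the first hunk), so recvmsg returning -1 with EAGAIN or EWOULDBLOCK is a normal condition here, yet it is logged at LOG_ERR with the new strerror(errno) text; test for those two errno values and return quietly (or log at LOG_DEBUG) so that blacklistd's log is not flooded with spurious "recvmsg failed" errors.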
 


svn commit: r303515 - head/usr.bin/resizewin

2016-07-29 Thread Kurt Lidl
Author: lidl
Date: Fri Jul 29 21:05:17 2016
New Revision: 303515
URL: https://svnweb.freebsd.org/changeset/base/303515

Log:
  Make resizewin.1 manpage use .Fx macro
  
  Fix capitalization of "PuTTY" also.
  
  MFC after: 1 week

Modified:
  head/usr.bin/resizewin/resizewin.1

Modified: head/usr.bin/resizewin/resizewin.1
==
--- head/usr.bin/resizewin/resizewin.1  Fri Jul 29 21:03:30 2016
(r303514)
+++ head/usr.bin/resizewin/resizewin.1  Fri Jul 29 21:05:17 2016
(r303515)
@@ -27,7 +27,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 17, 2016
+.Dd July 9, 2016
 .Dt RESIZEWIN 1
 .Os
 .Sh NAME
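Review bot: the new `.Dd` is set to July 9, 2016 while this commit lands on July 29 and also changes the text of the page; .Dd should carry the date of the last content change, so use the commit date here.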
@@ -55,10 +55,12 @@ updates the kernel's window size to matc
 .Pp
 Note that virtually all modern terninals support VT100/ANSI escape
 sequences, including xterm, konsole, gnome-terminal iTerm,
-Terminal.app, and puTTY.
+Terminal.app, and PuTTY.
 .Sh SEE ALSO
 .Xr resize 1 ,
 .Xr stty 1
 .Sh HISTORY
+The
 .Nm
-appeared in FreeBSD 11.
+command first appeared in
+.Fx 11 .
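Review bot: the unchanged context line two above `+Terminal.app, and PuTTY.` still reads `terninals` (for `terminals`), and `gnome-terminal iTerm` lacks a comma between the two names; since this commit already edits the sentence to fix the PuTTY capitalization, fold both fixes into the same hunk rather than leaving the typo for another commit.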


svn commit: r302149 - head/etc/defaults

2016-06-23 Thread Kurt Lidl
Author: lidl
Date: Thu Jun 23 19:37:00 2016
New Revision: 302149
URL: https://svnweb.freebsd.org/changeset/base/302149

Log:
  Add support for a /etc/defaults/vendor.conf override file
  
  Reviewed by:  stas, imp
  Approved by:  re (gjb)
  Differential Revision: https://reviews.freebsd.org/D6895

Modified:
  head/etc/defaults/rc.conf

Modified: head/etc/defaults/rc.conf
==
--- head/etc/defaults/rc.conf   Thu Jun 23 19:27:29 2016(r302148)
+++ head/etc/defaults/rc.conf   Thu Jun 23 19:37:00 2016(r302149)
@@ -741,3 +741,9 @@ if [ -z "${source_rc_confs_defined}" ]; 
done
}
 fi
+
+# Allow vendors to override FreeBSD defaults in /etc/default/rc.conf
+# without the need to carefully manage /etc/rc.conf.
+if [ -r /etc/defaults/vendor.conf ]; then
+   . /etc/defaults/vendor.conf
+fi
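Review bot: the first added comment line says `/etc/default/rc.conf` but the file is `/etc/defaults/rc.conf`, matching the `/etc/defaults/vendor.conf` path sourced two lines below; fix the path so comment and code agree. Also worth a sentence in rc.conf(5): `.` executes vendor.conf as root during boot, so it carries the same trust as rc.conf itself and must be installed root-owned and not group- or world-writable; the `-r` test only checks readability, not ownership or mode.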


svn commit: r301991 - head/release/doc/en_US.ISO8859-1/relnotes

2016-06-17 Thread Kurt Lidl
Author: lidl
Date: Fri Jun 17 16:34:25 2016
New Revision: 301991
URL: https://svnweb.freebsd.org/changeset/base/301991

Log:
  Note ipfilter support in blacklist-helper script in relnotes
  
  Approved by:  re (gjb)
  Sponsored by: The FreeBSD Foundation

Modified:
  head/release/doc/en_US.ISO8859-1/relnotes/article.xml

Modified: head/release/doc/en_US.ISO8859-1/relnotes/article.xml
==
--- head/release/doc/en_US.ISO8859-1/relnotes/article.xml   Fri Jun 17 
16:14:42 2016(r301990)
+++ head/release/doc/en_US.ISO8859-1/relnotes/article.xml   Fri Jun 17 
16:34:25 2016(r301991)
@@ -631,6 +631,9 @@
the  packet filter has been added to the
blacklistd-helper script.
 
+  Support for
+   the  packet filter has been added to the
+   blacklistd-helper script.
 
 
 
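Review bot: the added entry reads word for word like the entry in the context lines directly above it (the packet-filter name in both is an entity that does not survive here), so as rendered the release notes would carry two indistinguishable sentences; either merge both into one entry naming each filter (ipfw from r301797, ipfilter from r301843) or confirm that the entity in each line actually differs.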


svn commit: r301843 - head/contrib/blacklist/libexec

2016-06-12 Thread Kurt Lidl
Author: lidl
Date: Sun Jun 12 23:34:48 2016
New Revision: 301843
URL: https://svnweb.freebsd.org/changeset/base/301843

Log:
  Add ipfilter support to blacklistd-helper
  
  In addition to adding initial support for the ipfilter
  packet filtering system, wrap a few long lines, perform
  whitespace cleanup and sync with upstream changes made
  in NetBSD.
  
  Submitted by: cy
  Reviewed by:  cy
  Approved by:  re (hrs)
  Relnotes: YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D6823

Modified:
  head/contrib/blacklist/libexec/blacklistd-helper

Modified: head/contrib/blacklist/libexec/blacklistd-helper
==
--- head/contrib/blacklist/libexec/blacklistd-helperSun Jun 12 23:26:38 
2016(r301842)
+++ head/contrib/blacklist/libexec/blacklistd-helperSun Jun 12 23:34:48 
2016(r301843)
@@ -10,12 +10,6 @@
 # $7 id
 
 pf=
-for f in npf pf; do
-   if [ -f "/etc/$f.conf" ]; then
-   pf="$f"
-   break
-   fi
-done
 if [ -f "/etc/ipfw-blacklist.rc" ]; then
pf="ipfw"
. /etc/ipfw-blacklist.rc
@@ -23,6 +17,15 @@ if [ -f "/etc/ipfw-blacklist.rc" ]; then
 fi
 
 if [ -z "$pf" ]; then
+   for f in npf pf ipf; do
+   if [ -f "/etc/$f.conf" ]; then
+   pf="$f"
+   break
+   fi
+   done
+fi
+
+if [ -z "$pf" ]; then
echo "$0: Unsupported packet filter" 1>&2
exit 1
 fi
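Review bot: with the npf/pf/ipf detection loop moved under `if [ -z "$pf" ]`, /etc/ipfw-blacklist.rc now takes precedence over an existing /etc/pf.conf, /etc/npf.conf or /etc/ipf.conf, and a host running pf with a stale ipfw-blacklist.rc will silently get ipfw rules that block nothing; a comment here stating the precedence order, and a line in blacklistd(8) or blacklistd.conf(5), would save operators a confusing debugging session.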
@@ -48,12 +51,20 @@ esac
 case "$1" in
 add)
case "$pf" in
+   ipf)
+   /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+   echo block in quick $proto from $addr/$mask to \
+   any port=$6 head port$6 | \
+   /sbin/ipf -I -f - -s >/dev/null 2>&1
+   ;;
ipfw)
-   rule=$(( $ipfw_offset + $6 )) # use $ipfw_offset+$port for rule 
number
+   # use $ipfw_offset+$port for rule number
+   rule=$(($ipfw_offset + $6))
tname="port$6"
/sbin/ipfw table $tname create type addr 2>/dev/null
/sbin/ipfw -q table $tname add "$addr/$mask"
-   /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to any 
dst-port $6
+   /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to \
+   any dst-port $6
;;
npf)
/sbin/npfctl rule "$2" add block in final $proto from \
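Review bot: in the new `ipf)` arm of `add)`, both ipf invocations discard stdout and stderr, and the exit status of the copy step (`/sbin/ipfstat -io | /sbin/ipf -I -f -`) is never checked before `-s` swaps the inactive set in; if ipfstat fails (ipfilter not loaded, or the command not permitted), the swap activates a rule set containing only the new block rule, replacing the operator's own rules. Test the copy step's status and bail out without `-s` on failure, and let stderr through so blacklistd's log shows why an add failed. `$proto`, `$addr`, `$mask` and `$6` are also unquoted here, unlike the quoted `"$addr/$mask"` in the npf and ipfw arms.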
@@ -69,6 +80,12 @@ add)
;;
 rem)
case "$pf" in
+   ipf)
+   /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
+   echo block in quick $proto from $addr/$mask to \
+   any port=$6 head port$6 | \
+   /sbin/ipf -I -r -f - -s >/dev/null 2>&1
+   ;;
ipfw)
/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
;;
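Review bot: the `rem)` ipf arm rebuilds the inactive set the same way as `add)` and has the same unchecked copy step before `-s`; factoring the `ipfstat -io | ipf -I -f -` preamble into a shell function with an exit-status check would fix both places at once. Note also that `ipf -r` only removes a rule whose text matches exactly, so the `echo block in quick ...` line here must stay byte-identical with the one in `add)` (it currently does), which is another reason to generate the rule text in one place.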
@@ -81,7 +98,10 @@ rem)
esac
;;
 flush)
-   case "$pf" in 
+   case "$pf" in
+   ipf)
+   /sbin/ipf -Z -I -Fi -s > /dev/null
+   ;;
ipfw)
/sbin/ipfw table "port$6" flush 2>/dev/null
;;
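Review bot: `/sbin/ipf -Z -I -Fi -s` in the `flush)` ipf arm flushes every inbound rule from the inactive set and then swaps it in, so after a flush the active rule set has no `in` rules at all, the operator's own included; by contrast the ipfw arm directly below only flushes the blacklistd table `port$6`. Restrict the ipf flush to the rules blacklistd itself added (the `head port$6` rules), or document clearly that flush on ipfilter drops all inbound filtering.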


svn commit: r301797 - head/release/doc/en_US.ISO8859-1/relnotes

2016-06-10 Thread Kurt Lidl
Author: lidl
Date: Fri Jun 10 15:05:35 2016
New Revision: 301797
URL: https://svnweb.freebsd.org/changeset/base/301797

Log:
  Relnotes entries for blacklist project
  
  Approved by:  re (gjb)
  Sponsored by: The FreeBSD Foundation

Modified:
  head/release/doc/en_US.ISO8859-1/relnotes/article.xml

Modified: head/release/doc/en_US.ISO8859-1/relnotes/article.xml
==
--- head/release/doc/en_US.ISO8859-1/relnotes/article.xml   Fri Jun 10 
15:03:45 2016(r301796)
+++ head/release/doc/en_US.ISO8859-1/relnotes/article.xml   Fri Jun 10 
15:05:35 2016(r301797)
@@ -608,6 +608,29 @@
   OpenBSM has been
updated to version 1.2 alpha 4.
 
+  The NetBSD
+   Project's  library and applications
+   have been ported and integrated into the system.  Packet
+   filtering support for the  packet filtering systems
+   has been implemented.  The blacklist
+   system provides the blacklistd
+   daemon, the helper script
+   blacklistd-helper to make changes
+   to the running packet filter system and the
+   blacklistctl control program.
+   A selection of system daemons, including:
+   fingerd,
+   ftpd,
+   rlogind,
+   rshd, and
+   sshd have been modified to support
+   sending notifications to the blacklistd
+   daemon.
+
+  Support for
+   the  packet filter has been added to the
+   blacklistd-helper script.
+
 
 
 
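Review bot: the first added paragraph reads `Packet filtering support for the  packet filtering systems has been implemented`, which repeats "packet filtering" and shows no filter name (the entity has been lost here; make sure it expands to the list of filters when built), and `A selection of system daemons, including:` should drop the colon before the inline list. The second added paragraph (ipfw support in blacklistd-helper) is a sub-point of the first and would read better merged into it, especially since r301991 appends another near-identical sentence for ipfilter.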


svn commit: r301736 - head/contrib/blacklist/libexec

2016-06-09 Thread Kurt Lidl
Author: lidl
Date: Thu Jun  9 15:19:48 2016
New Revision: 301736
URL: https://svnweb.freebsd.org/changeset/base/301736

Log:
  Add IPFW support to blacklistd-helper
  
  Relnotes: YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D6753

Modified:
  head/contrib/blacklist/libexec/blacklistd-helper

Modified: head/contrib/blacklist/libexec/blacklistd-helper
==
--- head/contrib/blacklist/libexec/blacklistd-helperThu Jun  9 14:44:05 
2016(r301735)
+++ head/contrib/blacklist/libexec/blacklistd-helperThu Jun  9 15:19:48 
2016(r301736)
@@ -16,6 +16,11 @@ for f in npf pf; do
break
fi
 done
+if [ -f "/etc/ipfw-blacklist.rc" ]; then
+   pf="ipfw"
+   . /etc/ipfw-blacklist.rc
+   ipfw_offset=${ipfw_offset:-2000}
+fi
 
 if [ -z "$pf" ]; then
echo "$0: Unsupported packet filter" 1>&2
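Review bot: `. /etc/ipfw-blacklist.rc` executes the file's contents with blacklistd-helper's privileges (root, since it drives ipfw), selected only by a `-f` test; the man page should state that the file must be root-owned and not writable by others, and the helper could refuse to source it otherwise. Separately, the mere existence of this file picks the ipfw backend regardless of whether ipfw is loaded: the loop above may already have set `pf` from /etc/pf.conf or /etc/npf.conf, and this block overrides it without any message.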
@@ -43,6 +48,13 @@ esac
 case "$1" in
 add)
case "$pf" in
+   ipfw)
+   rule=$(( $ipfw_offset + $6 )) # use $ipfw_offset+$port for rule 
number
+   tname="port$6"
+   /sbin/ipfw table $tname create type addr 2>/dev/null
+   /sbin/ipfw -q table $tname add "$addr/$mask"
+   /sbin/ipfw -q add $rule drop $3 from "table("$tname")" to any 
dst-port $6
+   ;;
npf)
/sbin/npfctl rule "$2" add block in final $proto from \
"$addr/$mask" to any $port
@@ -57,6 +69,9 @@ add)
;;
 rem)
case "$pf" in
+   ipfw)
+   /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null
+   ;;
npf)
/sbin/npfctl rule "$2" rem-id "$7"
;;
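Review bot: the `rem)` ipfw arm deletes only the table entry and leaves the `$rule` drop rule in place, which is consistent with `add)` creating it, but `add)` above runs `ipfw -q add $rule drop ...` on every call, so each newly blocked address for the same port appends another identical drop rule that is never removed; check for the rule first (`/sbin/ipfw show $rule`), as the table create already tolerates an existing table via 2>/dev/null. The rule number computed in `add)`, `$(( $ipfw_offset + $6 ))`, can also exceed ipfw's maximum of 65535: with the default offset of 2000, any blocked port above 63535 makes `ipfw add` fail, leaving the address in the table with nothing dropping it.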
@@ -67,6 +82,9 @@ rem)
;;
 flush)
case "$pf" in 
+   ipfw)
+   /sbin/ipfw table "port$6" flush 2>/dev/null
+   ;;
npf)
/sbin/npfctl rule "$2" flush
;;


svn commit: r301555 - head/contrib/blacklist/bin

2016-06-07 Thread Kurt Lidl
Author: lidl
Date: Tue Jun  7 16:51:56 2016
New Revision: 301555
URL: https://svnweb.freebsd.org/changeset/base/301555

Log:
  Bump dates in blacklist related manpages
  
  Reported by:  araujo
  Sponsored by: The FreeBSD Foundation

Modified:
  head/contrib/blacklist/bin/blacklistctl.8
  head/contrib/blacklist/bin/blacklistd.8
  head/contrib/blacklist/bin/blacklistd.conf.5

Modified: head/contrib/blacklist/bin/blacklistctl.8
==
--- head/contrib/blacklist/bin/blacklistctl.8   Tue Jun  7 16:35:55 2016
(r301554)
+++ head/contrib/blacklist/bin/blacklistctl.8   Tue Jun  7 16:51:56 2016
(r301555)
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 29, 2015
+.Dd June 7, 2016
 .Dt BLACKLISTCTL 8
 .Os
 .Sh NAME

Modified: head/contrib/blacklist/bin/blacklistd.8
==
--- head/contrib/blacklist/bin/blacklistd.8 Tue Jun  7 16:35:55 2016
(r301554)
+++ head/contrib/blacklist/bin/blacklistd.8 Tue Jun  7 16:51:56 2016
(r301555)
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 4, 2015
+.Dd June 7, 2016
 .Dt BLACKLISTD 8
 .Os
 .Sh NAME

Modified: head/contrib/blacklist/bin/blacklistd.conf.5
==
--- head/contrib/blacklist/bin/blacklistd.conf.5Tue Jun  7 16:35:55 
2016(r301554)
+++ head/contrib/blacklist/bin/blacklistd.conf.5Tue Jun  7 16:51:56 
2016(r301555)
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 29, 2015
+.Dd June 7, 2016
 .Dt BLACKLISTD.CONF 5
 .Os
 .Sh NAME


svn commit: r301554 - head/tools/build/options

2016-06-07 Thread Kurt Lidl
Author: lidl
Date: Tue Jun  7 16:35:55 2016
New Revision: 301554
URL: https://svnweb.freebsd.org/changeset/base/301554

Log:
  Document BLACKLIST related build options
  
  Reported by:  bdrewery
  Sponsored by: The FreeBSD Foundation

Added:
  head/tools/build/options/WITHOUT_BLACKLIST   (contents, props changed)
  head/tools/build/options/WITHOUT_BLACKLIST_SUPPORT   (contents, props changed)

Added: head/tools/build/options/WITHOUT_BLACKLIST
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/tools/build/options/WITHOUT_BLACKLIST  Tue Jun  7 16:35:55 2016
(r301554)
@@ -0,0 +1,2 @@
+.\" $FreeBSD$
+Set this if you do not want to build blacklistd / blacklistctl.
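Review bot: the WITHOUT_BLACKLIST text names only blacklistd and blacklistctl, but r301553 (on this list) gates libblacklist, blacklistd-helper, the rc.d script and blacklistd.conf on the same MK_BLACKLIST knob; list them, or say "the blacklist daemon, control program, helper script and library", so that a reader of src.conf(5) knows everything the knob removes.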

Added: head/tools/build/options/WITHOUT_BLACKLIST_SUPPORT
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/tools/build/options/WITHOUT_BLACKLIST_SUPPORT  Tue Jun  7 16:35:55 
2016(r301554)
@@ -0,0 +1,8 @@
+.\" $FreeBSD$
+Set to build some programs without blacklistd support, like
+.Xr fingerd 8 ,
+.Xr ftpd 8 ,
+.Xr rlogind 8 ,
+.Xr rshd 8 ,
+and
+.Xr sshd 8 .


svn commit: r301553 - in head: etc etc/rc.d lib libexec tools/build/mk usr.sbin

2016-06-07 Thread Kurt Lidl
Author: lidl
Date: Tue Jun  7 16:31:03 2016
New Revision: 301553
URL: https://svnweb.freebsd.org/changeset/base/301553

Log:
  Separate BLACKLIST vs BLACKLIST_SUPPORT properly
  
  Sponsored by: The FreeBSD Foundation

Modified:
  head/etc/Makefile
  head/etc/rc.d/Makefile
  head/lib/Makefile
  head/libexec/Makefile
  head/tools/build/mk/OptionalObsoleteFiles.inc
  head/usr.sbin/Makefile

Modified: head/etc/Makefile
==
--- head/etc/Makefile   Tue Jun  7 16:26:34 2016(r301552)
+++ head/etc/Makefile   Tue Jun  7 16:31:03 2016(r301553)
@@ -86,7 +86,7 @@ BIN1+= apmd.conf
 BIN1+= auto_master
 .endif
 
-.if ${MK_BLACKLIST_SUPPORT} != "no"
+.if ${MK_BLACKLIST} != "no"
 BIN1+= blacklistd.conf
 .endif
 

Modified: head/etc/rc.d/Makefile
==
--- head/etc/rc.d/Makefile  Tue Jun  7 16:26:34 2016(r301552)
+++ head/etc/rc.d/Makefile  Tue Jun  7 16:31:03 2016(r301553)
@@ -170,7 +170,7 @@ FILES+= automountd
 FILES+=autounmountd
 .endif
 
-.if ${MK_BLACKLIST_SUPPORT} != "no"
+.if ${MK_BLACKLIST} != "no"
 _blacklistd+=  blacklistd
 .endif
 

Modified: head/lib/Makefile
==
--- head/lib/Makefile   Tue Jun  7 16:26:34 2016(r301552)
+++ head/lib/Makefile   Tue Jun  7 16:31:03 2016(r301553)
@@ -161,7 +161,7 @@ SUBDIR_DEPEND_liblzma= ${_libthr}
 _libngatm= libngatm
 .endif
 
-.if ${MK_BLACKLIST_SUPPORT} != "no"
+.if ${MK_BLACKLIST} != "no"
 _libblacklist= libblacklist
 .endif
 

Modified: head/libexec/Makefile
==
--- head/libexec/Makefile   Tue Jun  7 16:26:34 2016(r301552)
+++ head/libexec/Makefile   Tue Jun  7 16:31:03 2016(r301553)
@@ -34,7 +34,7 @@ SUBDIR=   ${_atf} \
 _atrun=atrun
 .endif
 
-.if ${MK_BLACKLIST_SUPPORT} != "no"
+.if ${MK_BLACKLIST} != "no"
 _blacklistd-helper+=   blacklistd-helper
 .endif
 

Modified: head/tools/build/mk/OptionalObsoleteFiles.inc
==
--- head/tools/build/mk/OptionalObsoleteFiles.inc   Tue Jun  7 16:26:34 
2016(r301552)
+++ head/tools/build/mk/OptionalObsoleteFiles.inc   Tue Jun  7 16:31:03 
2016(r301553)
@@ -431,7 +431,7 @@ OLD_FILES+=usr/share/man/man7/ldint.7.gz
 OLD_FILES+=usr/share/man/man7/binutils.7.gz
 .endif
 
-.if ${MK_BLACKLIST_SUPPORT} == no
+.if ${MK_BLACKLIST} == no
 OLD_FILES+=etc/rc.d/blacklistd
 OLD_FILES+=usr/include/blacklist.h
 OLD_FILES+=usr/lib/libblacklist.a

Modified: head/usr.sbin/Makefile
==
--- head/usr.sbin/Makefile  Tue Jun  7 16:26:34 2016(r301552)
+++ head/usr.sbin/Makefile  Tue Jun  7 16:31:03 2016(r301553)
@@ -113,9 +113,9 @@ SUBDIR.${MK_AUDIT}+=auditreduce
 SUBDIR.${MK_AUDIT}+=   praudit
 SUBDIR.${MK_AUTHPF}+=  authpf
 SUBDIR.${MK_AUTOFS}+=  autofs
-.if ${MK_BLACKLIST_SUPPORT} != "no"
-SUBDIR.${MK_BLACKLIST_SUPPORT}+=   blacklistctl
-SUBDIR.${MK_BLACKLIST_SUPPORT}+=   blacklistd
+.if ${MK_BLACKLIST} != "no"
+SUBDIR.${MK_BLACKLIST}+=   blacklistctl
+SUBDIR.${MK_BLACKLIST}+=   blacklistd
 .endif
 SUBDIR.${MK_BLUETOOTH}+=   bluetooth
 SUBDIR.${MK_BOOTPARAMD}+=  bootparamd
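Review bot: the `.if ${MK_BLACKLIST} != "no"` guard around the two `SUBDIR.${MK_BLACKLIST}+=` lines is redundant: the `SUBDIR.${MK_FOO}+=` idiom used on the surrounding lines (MK_AUDIT, MK_AUTHPF, MK_AUTOFS, MK_BLUETOOTH) expands to `SUBDIR.no` when the option is off, which bsd.subdir.mk ignores, so blacklistctl and blacklistd can be listed unguarded like their neighbours.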


svn commit: r301552 - head/contrib/blacklist/bin

2016-06-07 Thread Kurt Lidl
Author: lidl
Date: Tue Jun  7 16:26:34 2016
New Revision: 301552
URL: https://svnweb.freebsd.org/changeset/base/301552

Log:
  Note blacklist support first appeared in FreeBSD 11
  
  Reported by:  jbeich
  Sponsored by: The FreeBSD Foundation

Modified:
  head/contrib/blacklist/bin/blacklistctl.8
  head/contrib/blacklist/bin/blacklistd.8
  head/contrib/blacklist/bin/blacklistd.conf.5

Modified: head/contrib/blacklist/bin/blacklistctl.8
==
--- head/contrib/blacklist/bin/blacklistctl.8   Tue Jun  7 16:18:09 2016
(r301551)
+++ head/contrib/blacklist/bin/blacklistctl.8   Tue Jun  7 16:26:34 2016
(r301552)
@@ -75,7 +75,11 @@ will first attempt to remove the existin
 it to make sure that there is only one rule active.
 .Sh HISTORY
 .Nm
-appeared in
+first appeared in
 .Nx 7 .
+.Fx support for
+.Nm
+was implemented in
+.Fx 11 .
 .Sh AUTHORS
 .An Christos Zoulas

Modified: head/contrib/blacklist/bin/blacklistd.8
==
--- head/contrib/blacklist/bin/blacklistd.8 Tue Jun  7 16:18:09 2016
(r301551)
+++ head/contrib/blacklist/bin/blacklistd.8 Tue Jun  7 16:26:34 2016
(r301552)
@@ -216,7 +216,11 @@ Socket to receive connection notificatio
 .Xr syslogd 8
 .Sh HISTORY
 .Nm
-appeared in
+first appeared in
 .Nx 7 .
+.Fx support for
+.Nm
+was implemented in
+.Fx 11 .
 .Sh AUTHORS
 .An Christos Zoulas

Modified: head/contrib/blacklist/bin/blacklistd.conf.5
==
--- head/contrib/blacklist/bin/blacklistd.conf.5Tue Jun  7 16:18:09 
2016(r301551)
+++ head/contrib/blacklist/bin/blacklistd.conf.5Tue Jun  7 16:26:34 
2016(r301552)
@@ -216,7 +216,11 @@ bnx0:ssh   *   *   *   *   3   6h
 .Xr blacklistd 8
 .Sh HISTORY
 .Nm
-appeared in
+first appeared in
 .Nx 7 .
+.Fx support for
+.Nm
+was implemented in
+.Fx 11 .
 .Sh AUTHORS
 .An Christos Zoulas


svn commit: r301551 - in head: crypto/openssh secure/usr.sbin/sshd

2016-06-07 Thread Kurt Lidl
Author: lidl
Date: Tue Jun  7 16:18:09 2016
New Revision: 301551
URL: https://svnweb.freebsd.org/changeset/base/301551

Log:
  Add blacklist support to sshd
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo (earlier version of changes)
  Relnotes: YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D5915

Added:
  head/crypto/openssh/blacklist.c   (contents, props changed)
  head/crypto/openssh/blacklist_client.h   (contents, props changed)
Modified:
  head/crypto/openssh/auth-pam.c
  head/crypto/openssh/auth.c
  head/crypto/openssh/auth1.c
  head/crypto/openssh/auth2.c
  head/crypto/openssh/packet.c
  head/crypto/openssh/sshd.c
  head/secure/usr.sbin/sshd/Makefile

Modified: head/crypto/openssh/auth-pam.c
==
--- head/crypto/openssh/auth-pam.c  Tue Jun  7 15:20:53 2016
(r301550)
+++ head/crypto/openssh/auth-pam.c  Tue Jun  7 16:18:09 2016
(r301551)
@@ -98,6 +98,9 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 extern ServerOptions options;
 extern Buffer loginmsg;
@@ -794,6 +797,9 @@ sshpam_query(void *ctx, char **name, cha
free(msg);
return (0);
}
+#ifdef USE_BLACKLIST
+   blacklist_notify(1);
+#endif
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,

Modified: head/crypto/openssh/auth.c
==
--- head/crypto/openssh/auth.c  Tue Jun  7 15:20:53 2016(r301550)
+++ head/crypto/openssh/auth.c  Tue Jun  7 16:18:09 2016(r301551)
@@ -75,6 +75,9 @@ __RCSID("$FreeBSD$");
 #include "authfile.h"
 #include "ssherr.h"
 #include "compat.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 /* import */
 extern ServerOptions options;
@@ -306,6 +309,10 @@ auth_log(Authctxt *authctxt, int authent
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
+#ifdef USE_BLACKLIST
+   if (!authctxt->postponed)
+   blacklist_notify(!authenticated);
+#endif
free(authctxt->info);
authctxt->info = NULL;
 
@@ -640,6 +647,9 @@ getpwnamallow(const char *user)
}
 #endif
if (pw == NULL) {
+#ifdef USE_BLACKLIST
+   blacklist_notify(1);
+#endif
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
 #ifdef CUSTOM_FAILED_LOGIN

Modified: head/crypto/openssh/auth1.c
==
--- head/crypto/openssh/auth1.c Tue Jun  7 15:20:53 2016(r301550)
+++ head/crypto/openssh/auth1.c Tue Jun  7 16:18:09 2016(r301551)
@@ -43,6 +43,9 @@
 #endif
 #include "monitor_wrap.h"
 #include "buffer.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 /* import */
 extern ServerOptions options;
@@ -337,6 +340,9 @@ do_authloop(Authctxt *authctxt)
char *msg;
size_t len;
 
+#ifdef USE_BLACKLIST
+   blacklist_notify(1);
+#endif
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len();
@@ -404,6 +410,9 @@ do_authentication(Authctxt *authctxt)
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
+#ifdef USE_BLACKLIST
+   blacklist_notify(1);
+#endif
}
 
/* Configuration may have changed as a result of Match */

Modified: head/crypto/openssh/auth2.c
==
--- head/crypto/openssh/auth2.c Tue Jun  7 15:20:53 2016(r301550)
+++ head/crypto/openssh/auth2.c Tue Jun  7 16:18:09 2016(r301551)
@@ -52,6 +52,9 @@ __RCSID("$FreeBSD$");
 #include "pathnames.h"
 #include "buffer.h"
 #include "canohost.h"
+#ifdef USE_BLACKLIST
+#include "blacklist_client.h"
+#endif
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -248,6 +251,9 @@ input_userauth_request(int type, u_int32
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
+#ifdef USE_BLACKLIST
+   blacklist_notify(1);
+#endif
 #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif

Added: head/crypto/openssh/blacklist.c
==
--- /dev/null   00:00:00 1970   (empty, because 

svn commit: r301517 - head/libexec/ftpd

2016-06-06 Thread Kurt Lidl
Author: lidl
Date: Mon Jun  6 20:00:13 2016
New Revision: 301517
URL: https://svnweb.freebsd.org/changeset/base/301517

Log:
  Update blacklist support in ftpd to clarify fd usage
  
  The ftp daemon dups the control socket to stdin and uses that fd
  throughout the code.  Clarify this usage slightly by changing from
  explicit use of "0" for the fd to a variable, to make it clear what
  the zero represents in the non-blacklist code. Make the
  blacklist_notify routine use STDIN_FILENO so as to have less of a
  "magic number" feel to the code.
  
  Reviewed by:  cem
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D6716

Modified:
  head/libexec/ftpd/blacklist.c
  head/libexec/ftpd/ftpd.c

Modified: head/libexec/ftpd/blacklist.c
==
--- head/libexec/ftpd/blacklist.c   Mon Jun  6 18:45:09 2016
(r301516)
+++ head/libexec/ftpd/blacklist.c   Mon Jun  6 20:00:13 2016
(r301517)
@@ -48,8 +48,6 @@ void
 blacklist_notify(int action, int fd, char *msg)
 {
if (blstate == NULL)
-   blacklist_init();
-   if (blstate == NULL)
return;
(void)blacklist_r(blstate, action, fd, msg);
 }
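Review bot: removing the lazy `blacklist_init()` from blacklist_notify means a notify before init now returns silently instead of creating the state on demand, so every path that reaches `blacklist_notify(1, STDIN_FILENO, "Login incorrect")` must be preceded by an explicit blacklist_init() call, which is not part of this diff; a one-line comment above the NULL check saying that init is the caller's responsibility would stop the lazy call from being re-added later.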

Modified: head/libexec/ftpd/ftpd.c
==
--- head/libexec/ftpd/ftpd.cMon Jun  6 18:45:09 2016(r301516)
+++ head/libexec/ftpd/ftpd.cMon Jun  6 20:00:13 2016(r301517)
@@ -268,7 +268,7 @@ int
 main(int argc, char *argv[], char **envp)
 {
socklen_t addrlen;
-   int ch, on = 1, tos;
+   int ch, on = 1, tos, s = STDIN_FILENO;
char *cp, line[LINE_MAX];
FILE *fd;
char*bindname = NULL;
@@ -504,8 +504,8 @@ main(int argc, char *argv[], char **envp
switch (pid = fork()) {
case 0:
/* child */
-   (void) dup2(fd, 0);
-   (void) dup2(fd, 1);
+   (void) dup2(fd, s);
+   (void) dup2(fd, STDOUT_FILENO);
(void) close(fd);
for (i = 1; i <= *ctl_sock; i++)
close(ctl_sock[i]);
@@ -522,7 +522,7 @@ main(int argc, char *argv[], char **envp
}
} else {
addrlen = sizeof(his_addr);
-   if (getpeername(0, (struct sockaddr *)_addr, ) < 0) 
{
+   if (getpeername(s, (struct sockaddr *)_addr, ) < 0) 
{
syslog(LOG_ERR, "getpeername (%s): %m",argv[0]);
exit(1);
}
@@ -557,7 +557,7 @@ gotchild:
(void)sigaction(SIGPIPE, , NULL);
 
addrlen = sizeof(ctrl_addr);
-   if (getsockname(0, (struct sockaddr *)_addr, ) < 0) {
+   if (getsockname(s, (struct sockaddr *)_addr, ) < 0) {
syslog(LOG_ERR, "getsockname (%s): %m",argv[0]);
exit(1);
}
@@ -570,7 +570,7 @@ gotchild:
if (ctrl_addr.su_family == AF_INET)
   {
tos = IPTOS_LOWDELAY;
-   if (setsockopt(0, IPPROTO_IP, IP_TOS, , sizeof(int)) < 0)
+   if (setsockopt(s, IPPROTO_IP, IP_TOS, , sizeof(int)) < 0)
syslog(LOG_WARNING, "control setsockopt (IP_TOS): %m");
   }
 #endif
@@ -578,7 +578,7 @@ gotchild:
 * Disable Nagle on the control channel so that we don't have to wait
 * for peer's ACK before issuing our next reply.
 */
-   if (setsockopt(0, IPPROTO_TCP, TCP_NODELAY, , sizeof(on)) < 0)
+   if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, , sizeof(on)) < 0)
syslog(LOG_WARNING, "control setsockopt (TCP_NODELAY): %m");
 
data_source.su_port = htons(ntohs(ctrl_addr.su_port) - 1);
@@ -587,12 +587,12 @@ gotchild:
 
/* Try to handle urgent data inline */
 #ifdef SO_OOBINLINE
-   if (setsockopt(0, SOL_SOCKET, SO_OOBINLINE, , sizeof(on)) < 0)
+   if (setsockopt(s, SOL_SOCKET, SO_OOBINLINE, , sizeof(on)) < 0)
syslog(LOG_WARNING, "control setsockopt (SO_OOBINLINE): %m");
 #endif
 
 #ifdef F_SETOWN
-   if (fcntl(fileno(stdin), F_SETOWN, getpid()) == -1)
+   if (fcntl(s, F_SETOWN, getpid()) == -1)
syslog(LOG_ERR, "fcntl F_SETOWN: %m");
 #endif
dolog((struct sockaddr *)_addr);
@@ -1423,7 +1423,7 @@ skip:
if (rval) {
reply(530, "Login incorrect.");
 #ifdef USE_BLACKLIST
-   blacklist_notify(1, 0, "Login incorrect");
+   blacklist_notify(1, STDIN_FILENO, "Login incorrect");
 #endif
if (logging) {
 

Re: svn commit: r301226 - in head: etc etc/defaults etc/periodic/security etc/rc.d lib lib/libblacklist libexec libexec/blacklistd-helper share/mk tools/build/mk usr.sbin usr.sbin/blacklistctl usr.sbi

2016-06-06 Thread Kurt Lidl

On 6/6/16 1:22 PM, Ian Lepore wrote:

No, it should still not be enabled by default.  Maybe it should be
enabled in response to some question in the installer, or maybe even
better, enabled only if some firewall software that understands it is
also enabled.  But afaik, all the available firewalls are disabled by
default in defaults/rc.conf, and this should be too.


I have already committed a change to turn it off by default.

-Kurt


___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"


svn commit: r301515 - head/etc/defaults

2016-06-06 Thread Kurt Lidl
Author: lidl
Date: Mon Jun  6 17:01:35 2016
New Revision: 301515
URL: https://svnweb.freebsd.org/changeset/base/301515

Log:
  Turn off blacklistd daemon in defaults
  
  Reported by:  Matteo Riondato ( matteo @ FreeBSD.org )
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Relnotes: YES
  Sponsored by: The FreeBSD Foundation

Modified:
  head/etc/defaults/rc.conf

Modified: head/etc/defaults/rc.conf
==
--- head/etc/defaults/rc.conf   Mon Jun  6 16:23:02 2016(r301514)
+++ head/etc/defaults/rc.conf   Mon Jun  6 17:01:35 2016(r301515)
@@ -270,7 +270,7 @@ hastd_program="/sbin/hastd" # path to ha
 hastd_flags="" # Optional flags to hastd.
 ctld_enable="NO"   # CAM Target Layer / iSCSI target daemon.
 local_unbound_enable="NO"  # local caching resolver
-blacklistd_enable="YES"# Run blacklistd daemon (YES/NO).
+blacklistd_enable="NO" # Run blacklistd daemon (YES/NO).
 blacklistd_flags=""# Optional flags for blacklistd(8).
 
 #


Re: svn commit: r301226 - in head: etc etc/defaults etc/periodic/security etc/rc.d lib lib/libblacklist libexec libexec/blacklistd-helper share/mk tools/build/mk usr.sbin usr.sbin/blacklistctl usr.sbi

2016-06-06 Thread Kurt Lidl

On 6/5/16 2:39 PM, Matteo Riondato wrote:



On Jun 2, 2016, at 3:06 PM, Kurt Lidl <l...@freebsd.org> wrote:

Author: lidl
Date: Thu Jun  2 19:06:04 2016
New Revision: 301226
URL: https://svnweb.freebsd.org/changeset/base/301226

Log:
 Add basic blacklist build support


[snip]

Modified: head/etc/defaults/rc.conf
==
--- head/etc/defaults/rc.conf   Thu Jun  2 18:41:33 2016(r301225)
+++ head/etc/defaults/rc.conf   Thu Jun  2 19:06:04 2016(r301226)
@@ -270,6 +270,8 @@ hastd_program="/sbin/hastd"   # path to ha
hastd_flags=""# Optional flags to hastd.
ctld_enable="NO"  # CAM Target Layer / iSCSI target daemon.
local_unbound_enable="NO" # local caching resolver
+blacklistd_enable="YES"  # Run blacklistd daemon (YES/NO).
+blacklistd_flags=""  # Optional flags for blacklistd(8).


What is the rationale for having this enabled by default?


Well, from a certain standpoint, it will encourage more people to enable
the packet filtering in their pf.conf and get the benefit of having
a system-wide blacklist notification system running.

Without a one-line change to enable the blocking in the pf.conf file,
it won't do any blocking.


Are any of the services that use it (in their default config) enabled by default?


I suppose, technically speaking, no, there are no daemons with blacklist
support enabled by default. I am planning to commit the sshd support
tomorrow morning, and even *that* daemon isn't enabled by default.

I am happy enough to turn off the blacklist daemon by default. You are 
the first person to question this since I posted the review back near 
the beginning of April.


-Kurt








svn commit: r301417 - head/libexec/rlogind

2016-06-04 Thread Kurt Lidl
Author: lidl
Date: Sun Jun  5 01:42:58 2016
New Revision: 301417
URL: https://svnweb.freebsd.org/changeset/base/301417

Log:
  Add blacklist support to rlogind
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D6593

Modified:
  head/libexec/rlogind/Makefile
  head/libexec/rlogind/rlogind.c

Modified: head/libexec/rlogind/Makefile
==
--- head/libexec/rlogind/Makefile   Sun Jun  5 01:42:37 2016
(r301416)
+++ head/libexec/rlogind/Makefile   Sun Jun  5 01:42:58 2016
(r301417)
@@ -14,4 +14,10 @@ WARNS?=  2
 CFLAGS+= -DINET6
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
 .include 
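Review bot: `LDFLAGS+=-L${LIBBLACKLISTDIR}` looks redundant next to `LIBADD+= blacklist`, since LIBADD is what normally resolves a base-system library for the linker; if the explicit -L is needed because libblacklist is new and not yet present in the bootstrap library directory, a short comment would explain it. The same three lines are repeated verbatim in the fingerd, rshd and ftpd Makefile hunks below, so whatever the answer is, it applies to all of them.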

Modified: head/libexec/rlogind/rlogind.c
==
--- head/libexec/rlogind/rlogind.c  Sun Jun  5 01:42:37 2016
(r301416)
+++ head/libexec/rlogind/rlogind.c  Sun Jun  5 01:42:58 2016
(r301417)
@@ -83,7 +83,9 @@ __FBSDID("$FreeBSD$");
 #include 
 #include 
 #include 
-
+#ifdef USE_BLACKLIST
+#include 
+#endif
 
 #ifndef TIOCPKT_WINDOW
 #define TIOCPKT_WINDOW 0x80
@@ -229,6 +231,9 @@ doit(int f, union sockunion *fromp)
/* error check ? */
syslog(LOG_NOTICE, "Connection from %s on illegal port",
   nameinfo);
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "illegal port");
+#endif
fatal(f, "Permission denied", 0);
}
 #ifdef IP_OPTIONS
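Review bot: the notification is keyed to STDIN_FILENO while the very next line reports the error on `f`, the connection descriptor that doit() was given; passing `f` keeps the two consistent, and the later hunk's own comment ("f should always be 0, but...") admits they may differ. The same applies to the other blacklist() calls added in this file.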
@@ -252,6 +257,9 @@ doit(int f, union sockunion *fromp)
"Connection refused from %s 
with IP option %s",

inet_ntoa(fromp->su_sin.sin_addr),
c == IPOPT_LSRR ? "LSRR" : 
"SSRR");
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "source 
routing present");
+#endif
exit(1);
}
if (c == IPOPT_EOL)
@@ -281,11 +289,17 @@ doit(int f, union sockunion *fromp)
if (f > 2)  /* f should always be 0, but... */
(void) close(f);
setup_term(0);
-if (*lusername=='-') {
+   if (*lusername=='-') {
syslog(LOG_ERR, "tried to pass user \"%s\" to login",
   lusername);
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "invalid user");
+#endif
fatal(STDERR_FILENO, "invalid user", 0);
}
+#ifdef USE_BLACKLIST
+   blacklist(0, STDIN_FILENO, "success");
+#endif
if (authenticated) {
execl(_PATH_LOGIN, "login", "-p",
"-h", hostname, "-f", lusername, (char *)NULL);
@@ -508,8 +522,12 @@ getstr(char *buf, int cnt, char *errmsg)
do {
if (read(STDIN_FILENO, , 1) != 1)
exit(1);
-   if (--cnt < 0)
+   if (--cnt < 0) {
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "buffer overflow");
+#endif
fatal(STDOUT_FILENO, errmsg, 0);
+   }
*buf++ = c;
} while (c != 0);
 }


svn commit: r301415 - head/tools/build/mk

2016-06-04 Thread Kurt Lidl
Author: lidl
Date: Sun Jun  5 01:40:08 2016
New Revision: 301415
URL: https://svnweb.freebsd.org/changeset/base/301415

Log:
  Correct path for blacklistd.conf in OptionalObsoleteFiles.inc
  
  Fix typo made when adding the blacklistd.conf file to OptionalObsoleteFiles.inc
  
  Submitted by: Herbert J. Skuhra ( herbert at mailbox.org )
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D6715

Modified:
  head/tools/build/mk/OptionalObsoleteFiles.inc

Modified: head/tools/build/mk/OptionalObsoleteFiles.inc
==
--- head/tools/build/mk/OptionalObsoleteFiles.inc   Sat Jun  4 23:34:51 
2016(r301414)
+++ head/tools/build/mk/OptionalObsoleteFiles.inc   Sun Jun  5 01:40:08 
2016(r301415)
@@ -447,9 +447,9 @@ OLD_FILES+=usr/share/man/man3/blacklist_
 OLD_FILES+=usr/share/man/man3/blacklist_r.3.gz
 OLD_FILES+=usr/share/man/man3/blacklist_sa.3.gz
 OLD_FILES+=usr/share/man/man3/blacklist_sa_r.3.gz
+OLD_FILES+=usr/share/man/man5/blacklistd.conf.5.gz
 OLD_FILES+=usr/share/man/man8/blacklistctl.8.gz
 OLD_FILES+=usr/share/man/man8/blacklistd.8.gz
-OLD_FILES+=usr/share/man/man8/blacklistd.conf.5.gz
 .endif
 
 .if ${MK_BLUETOOTH} == no


svn commit: r301243 - head/libexec/fingerd

2016-06-03 Thread Kurt Lidl
Author: lidl
Date: Fri Jun  3 07:00:28 2016
New Revision: 301243
URL: https://svnweb.freebsd.org/changeset/base/301243

Log:
  Add blacklist support to fingerd
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Relnotes: YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D5916

Modified:
  head/libexec/fingerd/Makefile
  head/libexec/fingerd/fingerd.c

Modified: head/libexec/fingerd/Makefile
==
--- head/libexec/fingerd/Makefile   Fri Jun  3 06:58:20 2016
(r301242)
+++ head/libexec/fingerd/Makefile   Fri Jun  3 07:00:28 2016
(r301243)
@@ -1,6 +1,8 @@
 #  @(#)Makefile8.1 (Berkeley) 6/4/93
 # $FreeBSD$
 
+.include 
+
 PROG=  fingerd
 LIBADD=util
 MAN=   fingerd.8
@@ -8,4 +10,10 @@ MAN=  fingerd.8
 WARNS?=2
 WFORMAT=0
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
 .include 

Modified: head/libexec/fingerd/fingerd.c
==
--- head/libexec/fingerd/fingerd.c  Fri Jun  3 06:58:20 2016
(r301242)
+++ head/libexec/fingerd/fingerd.c  Fri Jun  3 07:00:28 2016
(r301243)
@@ -57,6 +57,9 @@ static const char rcsid[] =
 #include 
 #include 
 #include "pathnames.h"
+#ifdef USE_BLACKLIST
+#include 
+#endif
 
 void logerr(const char *, ...) __printflike(1, 2) __dead2;
 
@@ -153,12 +156,18 @@ main(int argc, char *argv[])
*ap = strtok(lp, " \t\r\n");
if (!*ap) {
if (secure && ap == [4]) {
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "nousername");
+#endif
puts("must provide username\r\n");
exit(1);
}
break;
}
if (secure && strchr(*ap, '@')) {
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "noforwarding");
+#endif
puts("forwarding service denied\r\n");
exit(1);
}
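Review bot: the reason strings `nousername` and `noforwarding` are the only ones in this series written without spaces (the rshd and rlogind hunks use `illegal port`, `buffer overflow`, `permission denied`); since blacklistd logs the string verbatim, `no username` and `forwarding denied` would read better in syslog and match the rest of the series.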
@@ -197,6 +206,9 @@ main(int argc, char *argv[])
}
dup2(STDOUT_FILENO, STDERR_FILENO);
 
+#ifdef USE_BLACKLIST
+   blacklist(0, STDIN_FILENO, "success");
+#endif
execv(prog, comp);
write(STDERR_FILENO, prog, strlen(prog));
 #define MSG ": cannot execute\n"


svn commit: r301242 - head/libexec/rshd

2016-06-03 Thread Kurt Lidl
Author: lidl
Date: Fri Jun  3 06:58:20 2016
New Revision: 301242
URL: https://svnweb.freebsd.org/changeset/base/301242

Log:
  Add blacklist support to rshd
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Relnotes: YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D6594

Modified:
  head/libexec/rshd/Makefile
  head/libexec/rshd/rshd.c

Modified: head/libexec/rshd/Makefile
==
--- head/libexec/rshd/Makefile  Fri Jun  3 06:24:03 2016(r301241)
+++ head/libexec/rshd/Makefile  Fri Jun  3 06:58:20 2016(r301242)
@@ -2,6 +2,9 @@
 # $FreeBSD$
 
 PACKAGE=rcmds
+
+.include 
+
 PROG=  rshd
 MAN=   rshd.8
 
@@ -12,4 +15,10 @@ WFORMAT=0
 
 LIBADD=util pam
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
 .include 

Modified: head/libexec/rshd/rshd.c
==
--- head/libexec/rshd/rshd.cFri Jun  3 06:24:03 2016(r301241)
+++ head/libexec/rshd/rshd.cFri Jun  3 06:58:20 2016(r301242)
@@ -88,6 +88,10 @@ __FBSDID("$FreeBSD$");
 #include 
 #include 
 
+#ifdef USE_BLACKLIST
+#include 
+#endif
+
 static struct pam_conv pamc = { openpam_nullconv, NULL };
 static pam_handle_t *pamh;
 static int pam_err;
@@ -252,6 +256,9 @@ doit(struct sockaddr *fromp)
"connection from %s on illegal port %u",
numericname,
srcport);
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "illegal port");
+#endif
exit(1);
}
 
@@ -285,6 +292,9 @@ doit(struct sockaddr *fromp)
"2nd socket from %s on unreserved port %u",
numericname,
port);
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "unreserved port");
+#endif
exit(1);
}
*((in_port_t *)>sa_data) = htons(port);
@@ -309,6 +319,9 @@ doit(struct sockaddr *fromp)
if (pam_err != PAM_SUCCESS) {
syslog(LOG_ERR|LOG_AUTH, "pam_start(): %s",
pam_strerror(pamh, pam_err));
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "login incorrect");
+#endif
rshd_errx(1, "Login incorrect.");
}
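Review bot: a pam_start() failure is a local PAM setup error, not a wrong credential from the peer, yet this hunk reports it as a failure attributed to the remote address; under a broken pam.conf every client would accumulate failures and eventually be blocked by the packet filter. The pam_set_item() hunk that follows has the same issue. Both could skip the notification (the syslog line already records the local error) and leave the blacklist accounting to the real authentication results further down.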
 
@@ -316,6 +329,9 @@ doit(struct sockaddr *fromp)
(pam_err = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) {
syslog(LOG_ERR|LOG_AUTH, "pam_set_item(): %s",
pam_strerror(pamh, pam_err));
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "login incorrect");
+#endif
rshd_errx(1, "Login incorrect.");
}
 
@@ -332,6 +348,9 @@ doit(struct sockaddr *fromp)
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
ruser, rhost, luser, pam_strerror(pamh, pam_err), cmdbuf);
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "permission denied");
+#endif
rshd_errx(1, "Login incorrect.");
}
 
@@ -341,6 +360,9 @@ doit(struct sockaddr *fromp)
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: unknown login. cmd='%.80s'",
ruser, rhost, luser, cmdbuf);
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "unknown login");
+#endif
if (errorstr == NULL)
errorstr = "Login incorrect.";
rshd_errx(1, errorstr, rhost);
@@ -373,6 +395,9 @@ doit(struct sockaddr *fromp)
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
ruser, rhost, luser, __rcmd_errstr,
cmdbuf);
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "permission denied");
+#endif
rshd_errx(1, "Login incorrect.");
}
if (!auth_timeok(lc, time(NULL)))
@@ -468,6 +493,9 @@ doit(struct sockaddr *fromp)
}
}
 
+#ifdef USE_BLACKLIST
+   blacklist(0, STDIN_FILENO, "success");
+#endif
for (fd = getdtablesize(); fd > 2; fd--)
(void) close(fd);
if (setsid() == -1)
@@ -534,8 +562,12 @@ getstr(char *buf, int cnt, const char *e
if (read(STDIN_FILENO, , 1) != 1)
exit(1);
*buf++ = c;
-   if (--cnt == 0)
+   if (--cnt == 0) {
+#ifdef USE_BLACKLIST
+   blacklist(1, STDIN_FILENO, "buffer overflow");
+#endif
rshd_errx(1, "%s too long", error);
+   }
} while (c != 0);
 }
 

svn commit: r301241 - head/libexec/ftpd

2016-06-03 Thread Kurt Lidl
Author: lidl
Date: Fri Jun  3 06:24:03 2016
New Revision: 301241
URL: https://svnweb.freebsd.org/changeset/base/301241

Log:
  Add blacklist support to ftpd
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Relnotes: YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D6703

Added:
  head/libexec/ftpd/blacklist.c   (contents, props changed)
  head/libexec/ftpd/blacklist_client.h   (contents, props changed)
Modified:
  head/libexec/ftpd/Makefile
  head/libexec/ftpd/ftpd.c

Modified: head/libexec/ftpd/Makefile
==
--- head/libexec/ftpd/Makefile  Fri Jun  3 06:15:52 2016(r301240)
+++ head/libexec/ftpd/Makefile  Fri Jun  3 06:24:03 2016(r301241)
@@ -24,6 +24,13 @@ SRCS+=   ls.c cmp.c print.c util.c
 CFLAGS+=-Dmain=ls_main -I${.CURDIR}/${LSDIR}
 LIBADD+=   m
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
+SRCS+= blacklist.c
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
 .if ${MK_INET6_SUPPORT} != "no"
 CFLAGS+=-DINET6
 .endif

Added: head/libexec/ftpd/blacklist.c
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/libexec/ftpd/blacklist.c   Fri Jun  3 06:24:03 2016
(r301241)
@@ -0,0 +1,55 @@
+/*-
+ * Copyright (c) 2016 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Kurt Lidl under sponsorship from the
+ * FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. */
+
+/* $FreeBSD$ */
+
+#include 
+#include 
+#include 
+#include 
+
+#include "blacklist_client.h"
+#include 
+
+static struct blacklist *blstate;
+
+void
+blacklist_init(void)
+{
+   blstate = blacklist_open();
+}
+
+void
+blacklist_notify(int action, int fd, char *msg)
+{
+   if (blstate == NULL)
+   blacklist_init();
+   if (blstate == NULL)
+   return;
+   (void)blacklist_r(blstate, action, fd, msg);
+}
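Review bot: `msg` should be `const char *` in blacklist_notify(): every caller passes a string literal (see the `blacklist_notify(1, ..., "Login incorrect")` hunk earlier on this page) and blacklist_r() takes a const string, so the non-const parameter only invites -Wwrite-strings warnings without buying anything. The lazy retry of blacklist_init() on each call is fine for a single-process ftpd, but a comment noting that `blstate` is unprotected static state would help anyone who later adds threads.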

Added: head/libexec/ftpd/blacklist_client.h
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/libexec/ftpd/blacklist_client.hFri Jun  3 06:24:03 2016
(r301241)
@@ -0,0 +1,32 @@
+/*-
+ * Copyright (c) 2016 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Kurt Lidl under sponsorship from the
+ * FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILIT

svn commit: r301240 - in head: tools/build/mk usr.sbin/blacklistd

2016-06-03 Thread Kurt Lidl
Author: lidl
Date: Fri Jun  3 06:15:52 2016
New Revision: 301240
URL: https://svnweb.freebsd.org/changeset/base/301240

Log:
  Add blacklistd.conf manpage
  
  Install the blacklistd.conf man page, missed in the original commit.
  
  Submitted by: Herbert J. Skuhra ( herbert at mailbox.org )
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D6702

Modified:
  head/tools/build/mk/OptionalObsoleteFiles.inc
  head/usr.sbin/blacklistd/Makefile

Modified: head/tools/build/mk/OptionalObsoleteFiles.inc
==
--- head/tools/build/mk/OptionalObsoleteFiles.inc   Fri Jun  3 06:01:32 
2016(r301239)
+++ head/tools/build/mk/OptionalObsoleteFiles.inc   Fri Jun  3 06:15:52 
2016(r301240)
@@ -449,6 +449,7 @@ OLD_FILES+=usr/share/man/man3/blacklist_
 OLD_FILES+=usr/share/man/man3/blacklist_sa_r.3.gz
 OLD_FILES+=usr/share/man/man8/blacklistctl.8.gz
 OLD_FILES+=usr/share/man/man8/blacklistd.8.gz
+OLD_FILES+=usr/share/man/man8/blacklistd.conf.5.gz
 .endif
 
 .if ${MK_BLUETOOTH} == no
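Review bot: the new OLD_FILES entry places blacklistd.conf.5.gz under usr/share/man/man8, but a section 5 page installs to usr/share/man/man5, so this entry never matches the installed file and `make delete-old` would leave the manpage behind when the option is turned off (r301415 above corrects exactly this). It also belongs ahead of the man8 entries to keep the list sorted.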

Modified: head/usr.sbin/blacklistd/Makefile
==
--- head/usr.sbin/blacklistd/Makefile   Fri Jun  3 06:01:32 2016
(r301239)
+++ head/usr.sbin/blacklistd/Makefile   Fri Jun  3 06:15:52 2016
(r301240)
@@ -6,7 +6,7 @@ BLACKLIST_DIR=${SRCTOP}/contrib/blacklis
 PROG=  blacklistd
 SRCS=  blacklistd.c conf.c run.c state.c support.c internal.c \
sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
-MAN=   blacklistd.8
+MAN=   blacklistd.8 blacklistd.conf.5
 
 LDFLAGS+=-L${LIBBLACKLISTDIR}
 LIBADD+= blacklist util


svn commit: r301226 - in head: etc etc/defaults etc/periodic/security etc/rc.d lib lib/libblacklist libexec libexec/blacklistd-helper share/mk tools/build/mk usr.sbin usr.sbin/blacklistctl usr.sbin...

2016-06-02 Thread Kurt Lidl
itdistd \
bgfsck \
+   ${_blacklistd} \
${_bluetooth} \
bridge \
${_bthidd} \
@@ -168,6 +169,10 @@ FILES+=automountd
 FILES+=autounmountd
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd+=  blacklistd
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _bluetooth=bluetooth
 _bthidd=   bthidd
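Review bot: `_blacklistd+= blacklistd` uses `+=` where the neighbouring `_bluetooth=bluetooth` and `_bthidd= bthidd` use plain assignment; the variable is only ever set once, so `=` matches the file's convention. The libexec/Makefile hunk below has the same `_blacklistd-helper+=` form.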

Added: head/etc/rc.d/blacklistd
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/etc/rc.d/blacklistd    Thu Jun  2 19:06:04 2016(r301226)
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#notice, this list of conditions and the following disclaimer in the
+#documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+# 
+# $FreeBSD$
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blacklistd"
+desc="System blacklist daemon"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+
+load_rc_config $name
+run_rc_command "$1"
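Review bot: `# REQUIRE: netif pf` orders the daemon only after pf; if the helper script is expected to drive another packet filter on FreeBSD (ipf, for example), that filter's rc script should be listed here too, otherwise blacklistd can start before the filter it will be asked to program. A short comment in the script that the daemon blocks nothing until the packet filter is configured to consult it would also help, given that the accompanying defaults/rc.conf hunk (quoted in the reply above) turns it on for everyone.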

Modified: head/lib/Makefile
==
--- head/lib/Makefile   Thu Jun  2 18:41:33 2016(r301225)
+++ head/lib/Makefile   Thu Jun  2 19:06:04 2016(r301226)
@@ -28,6 +28,7 @@ SUBDIR=   ${SUBDIR_ORDERED} \
${_libatm} \
libauditd \
libbegemot \
+   ${_libblacklist} \
libblocksruntime \
${_libbluetooth} \
${_libbsnmp} \
@@ -161,6 +162,10 @@ SUBDIR_DEPEND_liblzma= ${_libthr}
 _libngatm= libngatm
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_libblacklist= libblacklist
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _libbluetooth= libbluetooth
 _libsdp=   libsdp

Added: head/lib/libblacklist/Makefile
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/lib/libblacklist/Makefile  Thu Jun  2 19:06:04 2016
(r301226)
@@ -0,0 +1,30 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+
+.PATH: ${BLACKLIST_DIR}/lib ${BLACKLIST_DIR}/include
+
+LIB=   blacklist
+SHLIB_MAJOR= 0
+
+LIBADD+= pthread
+
+CFLAGS.clang+=-Wno-thread-safety-analysis
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+   -D_REENTRANT -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+   -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_GETPROGNAME \
+   -DHAVE_STRLCAT -DHAVE_STRLCPY -DHAVE_STRUCT_SOCKADDR_SA_LEN
+
+SRCS=  bl.c blacklist.c
+INCS=  blacklist.h
+MAN=   libblacklist.3
+
+MLINKS=libblacklist.3 blacklist_open.3 \
+   libblacklist.3 blacklist_close.3\
+   libblacklist.3 blacklist.3  \
+   libblacklist.3 blacklist_r.3\
+   libblacklist.3 blacklist_sa.3   \
+   libblacklist.3 blacklist_sa_r.3
+
+.include 
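Review bot: `CFLAGS.clang+=-Wno-thread-safety-analysis` switches off clang's lock-annotation checking for the whole library, and for code that links pthread that is the one analysis most worth keeping. If the warnings come from the imported bl.c, adding the missing lock annotations upstream is the cleaner fix; if the suppression has to stay, a comment naming the warning it silences would stop it being cargo-culted into the other blacklist Makefiles.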

Modified: head/libexec/Makefile
==
--- head/libexec/Makefile   Thu Jun  2 18:41:33 2016(r301225)
+++ head/libexec/Makefile   Thu Jun  2 19:06:04 2016(r301226)
@@ -5,6 +5,7 @@
 
 SUBDIR=${_atf} \
${_atrun} \
+   ${_blacklistd-helper} \
${_comsat} \
${_dma} \
getty \
@@ -33,6 +34,10 @@ SUBDIR=  ${_atf} \
 _atrun=atrun
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd-helper+=   blacklistd-helper
+.endif
+
 .if ${MK_BOOTPD} != "no"
 SUBDIR+=   bootpd
 .endif

Added: head/libexec/bl

svn commit: r301219 - head/contrib/blacklist/bin

2016-06-02 Thread Kurt Lidl
Author: lidl
Date: Thu Jun  2 18:25:32 2016
New Revision: 301219
URL: https://svnweb.freebsd.org/changeset/base/301219

Log:
  Fixup path in NetBSD supplied documentation for FreeBSD
  
  NetBSD installs the blacklist-helper script in /libexec, and
  it goes into /usr/libexec on FreeBSD.  Update the docs to
  match FreeBSD's installation location.
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D6592

Modified:
  head/contrib/blacklist/bin/blacklistd.8

Modified: head/contrib/blacklist/bin/blacklistd.8
==
--- head/contrib/blacklist/bin/blacklistd.8 Thu Jun  2 18:24:00 2016
(r301218)
+++ head/contrib/blacklist/bin/blacklistd.8 Thu Jun  2 18:25:32 2016
(r301219)
@@ -117,7 +117,7 @@ The following options are available:
 Use
 .Ar controlprog
 to communicate with the packet filter, usually
-.Pa /libexec/blacklistd-helper .
+.Pa /usr/libexec/blacklistd-helper .
 The following arguments are passed to the control program:
 .Bl -tag -width protocol
 .It action
@@ -199,8 +199,8 @@ instead of
 .Xr syslogd 8 .
 .El
 .Sh FILES
-.Bl -tag -width /libexec/blacklistd-helper -compact
-.It Pa /libexec/blacklistd-helper
+.Bl -tag -width /usr/libexec/blacklistd-helper -compact
+.It Pa /usr/libexec/blacklistd-helper
 Shell script invoked to interface with the packet filter.
 .It Pa /etc/blacklistd.conf
 Configuration file.
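Review bot: blacklistd.8 lives under contrib/, so hard-coding the FreeBSD path in the vendor file will conflict on the next import from NetBSD; if the upstream page cannot take a build-time substitution for the helper path, recording this local change in the import notes (or sending it back to NetBSD as a conditional) keeps the next merge simple.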


svn commit: r301169 - in vendor/NetBSD/blacklist: . dist dist/bin dist/diff dist/etc dist/etc/rc.d dist/include dist/lib dist/libexec dist/port dist/port/m4 dist/test

2016-06-02 Thread Kurt Lidl
Author: lidl
Date: Wed Jun  1 21:48:22 2016
New Revision: 301169
URL: https://svnweb.freebsd.org/changeset/base/301169

Log:
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Obtained from:NetBSD external/bsd/blacklist @ 20160409
  Relnotes: YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D5912

Added:
  vendor/NetBSD/blacklist/
  vendor/NetBSD/blacklist/dist/
  vendor/NetBSD/blacklist/dist/Makefile   (contents, props changed)
  vendor/NetBSD/blacklist/dist/Makefile.inc   (contents, props changed)
  vendor/NetBSD/blacklist/dist/README
  vendor/NetBSD/blacklist/dist/TODO
  vendor/NetBSD/blacklist/dist/bin/
  vendor/NetBSD/blacklist/dist/bin/Makefile   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/blacklistctl.8   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/blacklistctl.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/blacklistd.8   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/blacklistd.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/blacklistd.conf.5   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/conf.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/conf.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/internal.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/internal.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/run.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/run.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/state.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/state.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/support.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/bin/support.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/diff/
  vendor/NetBSD/blacklist/dist/diff/ftpd.diff
  vendor/NetBSD/blacklist/dist/diff/named.diff
  vendor/NetBSD/blacklist/dist/diff/proftpd.diff
  vendor/NetBSD/blacklist/dist/diff/ssh.diff
  vendor/NetBSD/blacklist/dist/etc/
  vendor/NetBSD/blacklist/dist/etc/Makefile   (contents, props changed)
  vendor/NetBSD/blacklist/dist/etc/blacklistd.conf   (contents, props changed)
  vendor/NetBSD/blacklist/dist/etc/npf.conf   (contents, props changed)
  vendor/NetBSD/blacklist/dist/etc/rc.d/
  vendor/NetBSD/blacklist/dist/etc/rc.d/Makefile   (contents, props changed)
  vendor/NetBSD/blacklist/dist/etc/rc.d/blacklistd
  vendor/NetBSD/blacklist/dist/include/
  vendor/NetBSD/blacklist/dist/include/Makefile   (contents, props changed)
  vendor/NetBSD/blacklist/dist/include/bl.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/include/blacklist.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/lib/
  vendor/NetBSD/blacklist/dist/lib/Makefile   (contents, props changed)
  vendor/NetBSD/blacklist/dist/lib/bl.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/lib/blacklist.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/lib/libblacklist.3   (contents, props changed)
  vendor/NetBSD/blacklist/dist/lib/shlib_version
  vendor/NetBSD/blacklist/dist/libexec/
  vendor/NetBSD/blacklist/dist/libexec/Makefile   (contents, props changed)
  vendor/NetBSD/blacklist/dist/libexec/blacklistd-helper
  vendor/NetBSD/blacklist/dist/port/
  vendor/NetBSD/blacklist/dist/port/Makefile.am   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/_strtoi.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/clock_gettime.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/config.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/configure.ac
  vendor/NetBSD/blacklist/dist/port/fgetln.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/fparseln.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/getprogname.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/m4/
  vendor/NetBSD/blacklist/dist/port/m4/.cvsignore
  vendor/NetBSD/blacklist/dist/port/pidfile.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/popenve.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/port.h   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/sockaddr_snprintf.c   (contents, props 
changed)
  vendor/NetBSD/blacklist/dist/port/strlcat.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/strlcpy.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/port/strtoi.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/test/
  vendor/NetBSD/blacklist/dist/test/Makefile   (contents, props changed)
  vendor/NetBSD/blacklist/dist/test/cltest.c   (contents, props changed)
  vendor/NetBSD/blacklist/dist/test/srvtest.c   (contents, props changed)

Added: vendor/NetBSD/blacklist/dist/Makefile
==
--- /dev/null   00:00:00 1970   (empty, because file is 

svn commit: r301172 - head/contrib/blacklist

2016-06-02 Thread Kurt Lidl
Author: lidl
Date: Wed Jun  1 22:04:10 2016
New Revision: 301172
URL: https://svnweb.freebsd.org/changeset/base/301172

Log:
  Import NetBSD's blacklist source from vendor tree
  
  This import includes the basic blacklist library and utility programs,
  to add a system-wide packet filtering notification mechanism to
  FreeBSD.
  
  The rationale behind the daemon was given by Christos Zoulas in a
  presentation at vBSDcon 2015: https://youtu.be/fuuf8G28mjs
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Obtained from:NetBSD
  Relnotes: YES
  Sponsored by: The FreeBSD Foundation
  Differential Revision:https://reviews.freebsd.org/D5912

Added:
  head/contrib/blacklist/
 - copied from r301170, vendor/NetBSD/blacklist/dist/


svn commit: r301170 - vendor/NetBSD/blacklist/20160409

2016-06-02 Thread Kurt Lidl
Author: lidl
Date: Wed Jun  1 21:52:12 2016
New Revision: 301170
URL: https://svnweb.freebsd.org/changeset/base/301170

Log:
  Tag import of NetBSD's external/bsd/blacklist
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Sponsored by: The FreeBSD Foundation

Added:
  vendor/NetBSD/blacklist/20160409/
 - copied from r301169, vendor/NetBSD/blacklist/dist/


svn commit: r300980 - head

2016-05-29 Thread Kurt Lidl
Author: lidl
Date: Mon May 30 02:09:19 2016
New Revision: 300980
URL: https://svnweb.freebsd.org/changeset/base/300980

Log:
  Remove extraneous altq header files
  
  At some point during stable/10, the headers altq_codel.h and
  altq_fairq.h were added to /usr/include/altq, before all of altq
  was moved to /usr/include/net/altq.
  
  Reviewed by:  rpaulo
  Approved by:  rpaulo
  Differential Revision:https://reviews.freebsd.org/D6596

Modified:
  head/ObsoleteFiles.inc

Modified: head/ObsoleteFiles.inc
==
--- head/ObsoleteFiles.inc  Mon May 30 01:21:44 2016(r300979)
+++ head/ObsoleteFiles.inc  Mon May 30 02:09:19 2016(r300980)
@@ -38,6 +38,9 @@
 #   xargs -n1 | sort | uniq -d;
 # done
 
+# 20160523: remove extranous ALTQ files
+OLD_FILES+=usr/include/altq/altq_codel.h
+OLD_FILES+=usr/include/altq/altq_fairq.h
 # 20160519: remove DTrace Toolkit from base
 OLD_FILES+=usr/share/dtrace/toolkit/execsnoop
 OLD_FILES+=usr/share/dtrace/toolkit/hotkernel
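Review bot: typo in the comment on the first added line of this hunk: "extranous" should read "extraneous" ("# 20160523: remove extraneous ALTQ files"), matching the commit subject and the spelling used in the neighbouring ObsoleteFiles.inc comments.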


Re: svn commit: r299090 - in head: etc/mtree include lib/libbluetooth sbin/hastd share/man/man3 sys/dev/xen/blkback sys/kern sys/net sys/sys tests/sys tests/sys/sys usr.sbin/bluetooth/hccontrol

2016-05-23 Thread Kurt Lidl

On 5/23/16 4:30 PM, Alan Somers wrote:

On Fri, May 6, 2016 at 8:45 AM, Kurt Lidl <l...@pix.net> wrote:

On 5/5/16 12:31 PM, John Baldwin wrote:

On Wednesday, May 04, 2016 10:34:11 PM Alan Somers wrote:

Author: asomers
Date: Wed May  4 22:34:11 2016
New Revision: 299090
URL: https://svnweb.freebsd.org/changeset/base/299090

Log:
  Improve performance and functionality of the bitstring(3) api

  Two new functions are provided, bit_ffs_at() and bit_ffc_at(), which allow
  for efficient searching of set or cleared bits starting from any bit offset
  within the bit string.

  Performance is improved by operating on longs instead of bytes and using
  ffsl() for searches within a long. ffsl() is a compiler builtin in both
  clang and gcc for most architectures, converting what was a brute force
  while loop search into a couple of instructions.

  All of the bitstring(3) API continues to be contained in the header file.
  Some of the functions are large enough that perhaps they should be uninlined
  and moved to a library, but that is beyond the scope of this commit.


Doesn't switching from bytes to longs break the ABI?  That is, setting bit 9
now has a different representation on big-endian systems (0x00 0x01 before,
now 0x00 0x00 0x01 0x00 on 32-bit BE, and 4 more leading 0 bytes on 64-bit).
This means you can't have an object file compiled against the old header
pass a bitstring to an object file compiled against the new header on big-endian
systems.

Even on little-endian systems if an old object file allocates storage for a
bitstring the new code might read off the end of it and fault (or return
garbage if bits are set in the extra bytes it reads off the end)?

Is the API so little used we don't care?


Just as a note - at my prior job (Pi-Coral, now defunct) we used this
API everywhere in the dataplane code of our product.  Since the company
is gone, that particular use-case doesn't matter anymore.

At the very least, this deserves a mention in the release notes, and
also UPDATING!

-Kurt


UPDATING is updated as of r300539.  Any objection to merging this to
stable/10?


Not to me - as I mentioned, the company went out of business, so
catering to its needs is a NOP.  Go for it!

-Kurt

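The ABI hazard discussed in the thread, as an added C illustration that is not part of the discussion and not FreeBSD's bitstring.h: two hypothetical minimal models of the byte-based and long-based layouts (all function names here are constructed for the example), a size comparison showing how far long-based code reads past storage sized by the old header, and a byte-level comparison that agrees on little-endian hosts and differs on big-endian ones.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical minimal models of the two layouts in the thread; not FreeBSD's bitstring.h. */
#define LONG_BITS (8 * sizeof(unsigned long))

/* Old layout: an array of bytes, bit n lives in byte n / 8. */
static size_t old_size_bytes(size_t nbits) { return (nbits + 7) / 8; }
static void old_bit_set(unsigned char *s, size_t n)
{
	s[n / 8] |= (unsigned char)(1u << (n % 8));
}

/* New layout: an array of unsigned long, bit n lives in word n / LONG_BITS. */
static size_t new_size_bytes(size_t nbits)
{
	return ((nbits + LONG_BITS - 1) / LONG_BITS) * sizeof(unsigned long);
}

static void new_bit_set(unsigned long *s, size_t n)
{
	s[n / LONG_BITS] |= 1UL << (n % LONG_BITS);
}

/* Bytes the long-based code reads past storage sized by the old header. */
static size_t overread_bytes(size_t nbits)
{
	return new_size_bytes(nbits) - old_size_bytes(nbits);
}

static int host_is_little_endian(void)
{
	unsigned int probe = 1;
	return *(const unsigned char *)&probe == 1;
}

/* Set one bit in both layouts and compare the bytes over the old length:
 * 1 if they agree (little-endian), 0 if not (big-endian), -1 on bad args. */
static int layouts_agree(size_t nbits, size_t bit)
{
	unsigned char oldbuf[64] = {0};
	unsigned long newbuf[8] = {0};

	if (bit >= nbits || new_size_bytes(nbits) > sizeof(newbuf))
		return -1;
	old_bit_set(oldbuf, bit);
	new_bit_set(newbuf, bit);
	return memcmp(oldbuf, newbuf, old_size_bytes(nbits)) == 0;
}
```

On a little-endian host the bytes coincide and only the over-read remains; on a big-endian host the set bit lands in a different byte, which is the cross-object incompatibility described above.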


Re: svn commit: r299090 - in head: etc/mtree include lib/libbluetooth sbin/hastd share/man/man3 sys/dev/xen/blkback sys/kern sys/net sys/sys tests/sys tests/sys/sys usr.sbin/bluetooth/hccontrol

2016-05-06 Thread Kurt Lidl

On 5/5/16 12:31 PM, John Baldwin wrote:

On Wednesday, May 04, 2016 10:34:11 PM Alan Somers wrote:

Author: asomers
Date: Wed May  4 22:34:11 2016
New Revision: 299090
URL: https://svnweb.freebsd.org/changeset/base/299090

Log:
  Improve performance and functionality of the bitstring(3) api

  Two new functions are provided, bit_ffs_at() and bit_ffc_at(), which allow
  for efficient searching of set or cleared bits starting from any bit offset
  within the bit string.

  Performance is improved by operating on longs instead of bytes and using
  ffsl() for searches within a long. ffsl() is a compiler builtin in both
  clang and gcc for most architectures, converting what was a brute force
  while loop search into a couple of instructions.

  All of the bitstring(3) API continues to be contained in the header file.
  Some of the functions are large enough that perhaps they should be uninlined
  and moved to a library, but that is beyond the scope of this commit.


Doesn't switching from bytes to longs break the ABI?  That is, setting bit 9
now has a different representation on big-endian systems (0x00 0x01 before,
now 0x00 0x00 0x01 0x00 on 32-bit BE, and 4 more leading 0 bytes on 64-bit).
This means you can't have an object file compiled against the old header
pass a bitstring to an object file compiled against the new header on big-endian
systems.

Even on little-endian systems if an old object file allocates storage for a
bitstring the new code might read off the end of it and fault (or return
garbage if bits are set in the extra bytes it reads off the end)?

Is the API so little used we don't care?



Just as a note - at my prior job (Pi-Coral, now defunct) we used this
API everywhere in the dataplane code of our product.  Since the company
is gone, that particular use-case doesn't matter anymore.

At the very least, this deserves a mention in the release notes, and
also UPDATING!

-Kurt




svn commit: r296873 - head/usr.bin/finger

2016-03-14 Thread Kurt Lidl
Author: lidl
Date: Mon Mar 14 22:20:22 2016
New Revision: 296873
URL: https://svnweb.freebsd.org/changeset/base/296873

Log:
  Do not truncate office phones in finger's summary listing
  
  When finger is invoked as "finger username", it produces the
  long listing by default, and phone numbers are pretty-printed
  by the prphone() function. When invoked as just "finger", the
  same pretty-printing happens, but is truncated at 9 characters.
  Given the summary listing is already greater than 80 columns,
  making it even wider is of no harm.
  
  Approved by:  rpaulo (mentor)
  Differential Revision:https://reviews.freebsd.org/D5638

Modified:
  head/usr.bin/finger/sprint.c

Modified: head/usr.bin/finger/sprint.c
==
--- head/usr.bin/finger/sprint.cMon Mar 14 21:00:16 2016
(r296872)
+++ head/usr.bin/finger/sprint.cMon Mar 14 22:20:22 2016
(r296873)
@@ -149,7 +149,7 @@ office:
else if (pn->officephone)
(void)printf(" %-7.7s", " ");
if (pn->officephone)
-   (void)printf(" %-.9s",
+   (void)printf(" %-.15s",
prphone(pn->officephone));
} else
(void)printf(" %.*s", MAXHOSTNAME, w->host);
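Review bot: the new precision 15 on the changed line is a bare magic number, just as 9 was; a short comment, or a #define shared with prphone() for its longest formatted output, would record why 15 is enough and keep the two from drifting apart the next time the phone formatting changes. Note the summary listing still truncates, now at 15 rather than 9 characters, so the subject's "do not truncate" promises a little more than the change delivers.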


svn commit: r296423 - head/lib/libc/db/db

2016-03-05 Thread Kurt Lidl
Author: lidl
Date: Sun Mar  6 04:38:08 2016
New Revision: 296423
URL: https://svnweb.freebsd.org/changeset/base/296423

Log:
  Allow O_CLOEXEC to be used in dbopen() flags
  
  There is also a small portability crutch, also present in NetBSD,
  to allow compiling on a system that doesn't define O_CLOEXEC.
  
  Approved by:  rpaulo (mentor)
  Obtained from:NetBSD (r1.17, r1.18)
  Differential Revision:https://reviews.freebsd.org/D5549

Modified:
  head/lib/libc/db/db/db.c

Modified: head/lib/libc/db/db/db.c
==
--- head/lib/libc/db/db/db.cSun Mar  6 04:13:17 2016(r296422)
+++ head/lib/libc/db/db/db.cSun Mar  6 04:38:08 2016(r296423)
@@ -44,6 +44,10 @@ __FBSDID("$FreeBSD$");
 
 static int __dberr(void);
 
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
 DB *
 dbopen(const char *fname, int flags, int mode, DBTYPE type, const void 
*openinfo)
 {
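Review bot: the `#define O_CLOEXEC 0` fallback makes a close-on-exec request silently a no-op on a platform that lacks the flag: dbopen() accepts O_CLOEXEC and hands back a descriptor that is inherited across exec, with no error to tell the caller. On FreeBSD the flag is always defined, so this is only reached in the portability builds the log mentions; a comment saying so next to the #ifndef would stop a future reader from assuming the fallback is harmless in this tree.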
@@ -51,7 +55,7 @@ dbopen(const char *fname, int flags, int
 #defineDB_FLAGS(DB_LOCK | DB_SHMEM | DB_TXN)
 #defineUSE_OPEN_FLAGS  
\
(O_CREAT | O_EXCL | O_EXLOCK | O_NOFOLLOW | O_NONBLOCK |\
-O_RDONLY | O_RDWR | O_SHLOCK | O_SYNC | O_TRUNC)
+O_RDONLY | O_RDWR | O_SHLOCK | O_SYNC | O_TRUNC | O_CLOEXEC)
 
if ((flags & ~(USE_OPEN_FLAGS | DB_FLAGS)) == 0)
switch (type) {
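Review bot: adding O_CLOEXEC to USE_OPEN_FLAGS only lets the flag pass the `flags & ~(USE_OPEN_FLAGS | DB_FLAGS)` check; the hunk does not show the per-type open routines that receive `flags`, so review should confirm that the hash, btree and recno backends pass the flag through to open(2) unchanged rather than masking it, otherwise the descriptor is still opened without close-on-exec.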

