This only provides the sysctl wrapper in glibc, which we do not use and is not available in other libc implementations for Linux. Thanks to ncopa from github.
henning@ 9 years ago because of an issue with the /dev/hotplug device
- it does not support multiple readers opening it. Nobody ever cared
enough to fix it so it is time to sent the dead code to the Attic.
OK henning@ (feeling sad about it), mpi@ and others
conflicting symbols we can combine the configs.
Multiple umg files are still required however. The bsd.umg target in
the kernel is replaced by targets for bsd.IMX.umg, bsd.OMAP.umg and
bsd.SUNXI.umg.
Similiar changes were made in bitrig by Patrick Wildt.
As part of this change the physical load address for imx and sunxi have
changed. Any u-boot settings that include it will need to be modified.
imx: 0x10800000 -> 0x10300000
sunxi: 0x40800000 -> 0x40300000
Tested by bmercer, canacar and myself.
ok bmercer@
divert-to has many advantages over rdr-to for proxies. For example,
it is much easier to use, requires less code, does not depend on
/dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK
ioctl), saves us from additional port allocations by the rdr/NAT code,
and even avoids potential collisions and race conditions that could
theoretically happen with the lookup.
Heads up: users will have to update their spamd PF rules from rdr-to
to divert-to. spamd now also listens to 127.0.0.1 instead of "any"
(0.0.0.0) by default which should be fine with most setups but has to
be considered for some special configurations.
Based on a diff is almost two years old but got delayed several times
... beck@: "now is the time to get it in" :)
Tested by many
With help from okan@
OK okan@ beck@ millert@
of being wrong, not the NTP responses, reset it and query it from all
the constraint servers all over again. This is turned out to be a bit
aggressive because it could get triggered with just a few bad NTP
peers in a larger pool. To avoid constant reconnections, scale the
error margin with the number of resolved NTP peers using peer_cnt * 4.
This way a single or a few outliers in a NTP pool cannot trigger
reconnecting to the constraint servers immediately. More NTP peers,
less reason to mistrust the constraint.
Found by dtucker@
OK deraadt@
constraint to keep them in check. in the worst case of being on a
dark net, nothing changes.
this is being enabled by default to allow gathering of more operational
information from users. and if the operational heuristics in ntpd can be
suitable refined, this may stay the default into the future. if not, ntpd
will become even more awesome along the way.
with reyk rpe
addresses and try one after another until the connection succeeded -
based on the existing mechanism of "server". "constraint" previously
only tried to connect to the first returned address, aborted and
skipped the constraint on failure. In difference to "constraints"
(plural), it still only connects to one address at a time and not to
all of them at once.
Pointed out by rpe@
OK rpe@ deraadt@
that aren't are redundant because they can be found in the rc.d(8)
scripts themselves, and they risk getting out of sync.
While here, sort the daemons alphabetically.
No functional change.
Triggered by a much smaller nameserver-only patch from stephan@.
OK ajacoutot@ rpe@ stephan@ and looks good to sthen@.
tweakable: there's no real point and these files support the 'include' option so
one can always get its config from whatever path... especially useful when
testing a new ruleset.
man page inputs from schwarze@
ok halex@ schwarze@ rpe@ deraadt@
reported by jasper@
While here: _rc_is_supported() -> _rc_not_supported()
- saves a fork
- reduces triple negation to double negation in _rc_not_supported()
- simplifie condition for rc_restart=NO
from schwarze@
ok jasper@ schwarze@
consistent handling of negative ids on 32bit/64bit systems.
The only negative uid/gid allowed is -1 which is special-cased
so it can be preserved when writing the new master.passwd file
instead of being written as an unsigned number. OK deraadt@
subdirectories (/var/nsd/zones/{master,slave}) and create these in mtree.
Nearly everybody that uses NSD for slave zones that I talked to already has
this layout. Bikesh^Wdiscussed with ajacoutot florian millert and others.
ok ajacoutot@ florian@ phessler@ claudio@ jung@
The issetugid() API is supposed to make a strong promise where "0
means it is safe to look at the environment". Way back in the past
someone on the OpenSSL team responded to the environment access danger
by creating a wrapper called OPENSSL_issetugid, and went to use it a
number of places. However, by default on systems lacking true
issetugid(), OPENSSL_issetugid returns 0. 0 indicating safely. False
safety. Which means OPENSSL_issetugid() fails to make any sort of
promise about safety, in fact it is just the opposite.
Can you believe the OpenSSL team?
This nastiness was noticed over the years, however noone could gain traction
and get it fixed in OpenSSL. Also see a paragraph about this in
http://www.tedunangst.com/flak/post/worst-common-denominator-programming
ok jsing
deraadt