can't be removed as ofw_console(4) and zs(4) use them so one has to
live with some complaints about non-existent devices at boot time and
remove the respective entries locally for now.
adapters from usbd.conf to devd.conf. USB ethernet devices were
already handled in devd.conf so this just removes their usbd.conf
entry.
PR: conf/73799
packet counts by pf(4).
This adds a ``daily_status_security_pfdenied_enable'' variable to
periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions.
The output will look like this (line wrapped):
pf denied packets:
> block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0
Bytes: 0 States: 0 ]
> block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578
States: 0 ]
Submitted by: clive (thanks a lot!)
MFC after: 2 weeks
this feature for a jail named foo :
jail_foo_mount_enable="YES"
jail_foo_fstab="/etc/fstab.foo"
The second line is actually useless, since the code defaults to
using "/etc/fstab.$jailname" as the fstab file if none is specified.
MFC after: 3 days
Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
These can be used to pass extra options to the mdmfs(8) utility,
to customize the finer details of the md file system creation
(i.e. to turn on/off softupdates, to specify a default owner for md
filesystem, etc).
Use these two new flags to mount tmpmfs and varmfs without
softupdates, since it doesn't make much sense to use SU on
malloc-backed file systems.
Reviewed by: mtm
Inspired by: J. D. Bronson, jbronson at wixb dot com
user (for creation of the zone journal file). This is separate from the
master/ directory for security. Give an example dynamic zone in the
sample named.conf.
Approved by: dougb
Noticed by: Eivind Olsen <eivind at aminor.no>
MFC after: 1 week
on the system.
To start/stop/check on a specific device give the device name as
the second argument to the script:
# /etc/rc.d/moused start ums0
To use different rc.conf(5) knobs with different mice use the device
name as part of the knob. For example, if the mouse device is ums0, then:
moused_ums0_enable=yes
moused_ums0_flags="-z 4"
moused_ums0_port="/dev/ums0"
Starting rc.d/moused without the device argument will use the standard
moused_* flags. So, this commit should not disrupt or change current usage.
To preserve current behaviour with respect to usb mice, which appear
automatically when inserted, there is a new knob, moused_nondefault_enable,
which will treat any devices without rc.conf knobs as enabled.
To minimize knobs in /etc/rc.conf, the device file and pid file are
auto-computed, so that in the typical case for a usb mouse you don't
need to add anything extra in /etc/rc.conf to get it working.
Additionally, this updates /etc/usbd.conf to use the rc.d/moused script so
people don't have to modify it to configure their usb mouse anymore.
MFC after: 1 month
unbreak /etc/rc.d/root for diskless systems that get their root
filesystem from a read-only NFS mount.
PR: conf/72927
Submitted by: Ralf Wenk <RZ-FreeBSD1004@fh-karlsruhe.de>
Reviewed by: brooks
do not have these device special files. Where this previously failed
quietly, it now emits annoying but complete messages at best and
incomprehensible prefixes on average. During all of October, this is
a string of 16 O's, as in:
:
Starting inetd.
Sun Oct 17 15:09:09 PDT 2004
OOOOOOOOOOOOOOOO
FreeBSD/ia64 (itanium.pn.xcllnt.net) (ttyu2)
login:
pointed out that /usr/local/etc/rc.d/000.pkgtools.sh installed
with the portupgrade does an equivalent thing, so I personally
would like to see the change reverted, but let David handle it.
/etc/namedb symlink is created.
2. Incorporate Brian's suggestion to make the link relative. This
is necessary to handle situations (such as mergemaster) where the
user is building a tree in a seperate environment. This will also
fix the problem with the way DESTDIR is set in 'make release'.
3. Add a new knob, NO_BIND_MTREE, as suggested by the folks who
already have stuff in /var/named that they don't want me to mess with.
4. Update make.conf(5) with the new stuff, and correct a few paths
that have changed since I last updated it.
device
device.bde
/dev/device
/dev/device.bde
- Fix stop routine:
+ There don't have to be file system mounted on gbde device,
so ignore errors from umount(8).
+ Only detach existing gbde devices.
I used ugly "/dev/${parent}" instead of "${parentdev}", because "/dev/"
prefix for devices listed in gbde_devices variable is optional.
Reported by: Sean McNeil <sean@mcneil.com>
install now complains about ttyu0/ttyu1 not existing at boot time.
Since users wanting the uart based devices as terminals will need
to do something special to get them anyway set it up so a default
config doesn't complain.
MFC after: 3 days
authoritative servers.
2. Add an IPv4 listen-on option for 127.0.0.1, which is appropriate
for the default use as a local resolver.
3. Add a commented out listen-on-v6 option.
so we'll use the more secure default till I have a chance to prove
myself wrong. :)
Add a /var/stats directory to be enabled in named.conf.
Submitted by: gshapiro
to NO of course). Provide a basic ruleset file, rc.bsdextended, but allow
the filename to be overridden through rc.conf.
Discussed with: rwatson (awhile ago)
1. Update text about later BINDs using a pseudo-random, unpriviliged
query port for UDP by default.
2. We are now running in a sandbox by default, with a dedicated dump
directory, so remove the stale comment.
3. The topology configuration is not for the faint of heart, so
remove the commented example.
4. Tighten up some language a bit.
5. s/secondary/slave/
6. No need for the example about a bind-owned directory for slave zones.
7. Change domain.com to example.com in the example, per RFC 2606.
8. Update the path for slave zones in the example.
- Thanks to Scot Hetzel <swhetzel@gmail.com>
There is more work to do here, but this is an improvement.
by default when named is enabled. Also, improve our default directory
layout by creating /var/named/etc/namedb/{master|slave} directories,
and use the former for the generated localhost* files.
Rather than using pax to copy device entries, mount devfs in the
chroot directory.
There may be some corner cases where things need to be adjusted,
but overall this structure has been well tested on a production
network, and should serve the needs of the vast majority of users.
UPDATING has instructions on how to do the conversion for those
with existing configurations.
NO_BIND_DNSSEC, NO_BIND_ETC, NO_BIND_NAMED, and NO_BIND_UTILS.
2. Make creation of directories in /usr/include that are only needed
in the WITH_BIND_LIBS case conditional.
Reviewed by: ru, des
chrooted the pid symlink code should not fire. Also, remove the quotes
around the chroot variable in the rndc-confgen invocation so that if
not chrooted the command will still succeed.
Pointed out by: Sean McNeil <sean@mcneil.com>
1. Making the pid symlink now has to happen after named starts, otherwise
it can generate a fatal error.
2. named-xfer is not part of the BIND 9 world.
3. BIND 9 needs a /dev/random in the chroot directory if chrooted.
4. Only the pid file is symlinked now, the ndc socket is BIND 8 only.
5. Create an rndc.key file for the user if one does not exist.
This (generally) allows a BIND 8 config file to be used in a BIND 9
world with little or no modification.
Without this change, if one had a swap-on-mirror configuration, gmirror
will rebuild mirror component(s) on boot, because they are dirty (they
were open on shutdown).
complete backout as the ntpd_sync_on_start etc/rc.conf tunable is still
present, though the default is now NO (was YES). Since we're no longer
syncing time at startup by default when ntpd is enabled (as was the case
24hrs ago), remove UPDATING entry pointing out that ntpd(1) -g is slower
than ntpdate(1).
Hopefully ntpd_sync_on_start="YES" can be made the default for -CURRENT
after 5.3 is cut. At the very least, this should be set to YES when a
user requests to have ntpd enabled via sysinstall(1).
Requested by: many
calls to ntpd -g. ntpd is noticeably slower than ntpdate, but is also more
accurate. This removes the nasty hackery in rc.d/ntpdate that would parse
out ntp servers from /etc/ntp.conf (ntpd knows how to read its own config
file). By default, ntpd *will* sync with its listed time servers. To
turn this off so that ntpd does not sync, ntpd_sync_on_start="NO" can be
added to /etc/rc.conf. If ntpd is not enabled (the default), then time is
not synced on startup. ntpdate has been depreciated by the ntpd authors
for quite some time so this change shouldn't be unexpected.
Suggested by: des
Approved by: roberto (resident ntp guru)
calls to ntpd -g. ntpd is noticably slower than ntpdate, but is also more
accurate. This removes the nasty hackery in rc.d/ntpdate that would parse
out ntp servers from /etc/ntp.conf (ntpd knows how to read its own config
file). By default, ntpd *will* sync with its listed time servers. To
turn this off so that ntpd does not sync, ntpd_sync_on_start="NO" can be
added to /etc/rc.conf. If ntpd is not enabled (the default), then time is
not synced on startup. ntpdate's use has been depreciated by the ntpd
authors for quite some time so this change shouldn't be unexpected.
Suggested by: des
Approved by: roberto (resident ntp guru)
- Add OpenBSD example rulesets as advertised in etc/pf.conf and pf.conf(5)
- Tweak the pointer to fit the FreeBSD default location share/examples/pf
- Account for the new directory in BSD.usr.dist (no hier(7) change required
as share/examples is an opaque item there).
Obtained from: OpenBSD
Reminded by: Thomas T. Veldhouse
PR: docs/71691
MFC after: 2 days
VT6122 gigabit ethernet chip and integrated 10/100/1000 copper PHY.
The vge driver has been added to GENERIC for i386, pc98 and amd64,
but not to sparc or ia64 since I don't have the ability to test
it there. The vge(4) driver supports VLANs, checksum offload and
jumbo frames.
Also added the lge(4) and nge(4) drivers to GENERIC for i386 and
pc98 since I was in the neighborhood. There's no reason to leave them
out anymore.
part of the pf module.
While here fix a comment that was c'n'ped from rc.d/pf
PR: bin/71096 (partly)
Submitted by: Ville-Pertti Keinonen
MFC after: 2 days
from list_net_interfaces() when network_interfaces=auto.
Rationale: Since the auto case is special, the lesser evil
had to be chosen among not adding cloned interfaces to
_tmplist or removing duplicates from _tmplist after adding
cloned interfaces. Since list_net_interfaces() must not use
/usr/bin tools, the former "evil" appeared clearer and much
more efficient. (See the PR audit trail for discussion.)
PR: conf/63700
Reviewed by: brooks
MFC after: 5 days
the submit and outbound daemon, else if sendmail_submit_enable=yes, don't
start the outbound daemon. Only one daemon should be started.
Also, do not rebuild database maps at boot time. The code didn't pay
attention to SENDMAIL_MAP_TYPE and assumed 'hash'. Also, admins may
not want maps automatically rebuilt just because the back end database
has changed. Finally, some maps are built with mode tools than just
makemap (e.g., using cidrexpand on the access text file before sending
it to makemap).
Noticed by: ache
Reviewed by: ache
so reflect this in the default. The uucp uid is a bit funny, and
is used by mtree in /var/spool for locks, so we can't remove it
without thinking about it a bit harder.
than one interface from the command line:
# /etc/rc.d/netif start bfe0 xl0
It's also possible to restart an interface(s):
# /etc/rc.d/netif restart bfe0
This required some changes to rc.subr(8) so that if the start/stop commands
are overidden the rest of the command line (after the start/stop/etc... cmd)
is passed through to the subroutines.
o Separate out local (ports) scripts that use rc.d, and the old style
startup/shutdown scripts and execute them separately. On startup the
rc.d style scripts are executed first and then the old-style scripts.
On shutdown, exactly the reverse happens.
o The rc.d ports scripts should now behave more like base system scripts.
Scripts ending in .sh will be sourced into the current shell, while the
rest will be executed in a subshell. Previously, all ports scripts,
regardless of the .sh suffix, were executed in a subshell.
o The parent script, /etc/rc.d/localpkg, passes its command line arguments
straight to the rc.d ports scripts. This means they should now honor
faststop and faststart commands as well. Old style scripts, should not see
any differences. They will still get either a start or stop command.
o The initial phrase shown during shutdown has been changed to use
"local packages" instead of "daemon processes" to be more inline with the
phrase used during local package startup. The phrases are also used only for
old-style ports script startup/shutdown, whereas previously they were being
used for both rc.d and old-style scripts. This should make startup/shutdown
output a bit less ugly.
Discussed with: portmgr
Has Reservations: eik
- Ask the user up to X times (3 by default) for the pass-phrase, if
it is incorrect the first time.
- Add support for storing the lockfiles in another other directory
than /etc.
- Document that it is possible to override the location of each single
lockfile.
Approved by: pjd
if [ -z "${_rc_subr_loaded}" ]; then
_rc_subr_loaded="YES"
...
fi
in order to avoid re-interpreting rc.subr every time an rc.d
script is run. In my tests, this speeds up rc time by about
8-10%.
This class is used for detecting volume labels on file systems:
UFS, MSDOSFS (FAT12, FAT16, FAT32) and ISO9660.
It also provide native labelization (there is no need for file system).
g_label_ufs.c is based on geom_vol_ffs from Gordon Tetlow.
g_label_msdos.c and g_label_iso9660.c are probably hacks, I just found
where volume labels are stored and I use those offsets here,
but with this class it should be easy to do it as it should be done by
someone who know how.
Implementing volume labels detection for other file systems also should
be trivial.
New providers are created in those directories:
/dev/ufs/ (UFS1, UFS2)
/dev/msdosfs/ (FAT12, FAT16, FAT32)
/dev/iso9660/ (ISO9660)
/dev/label/ (native labels, configured with glabel(8))
Manual page cleanups and some comments inside were submitted by
Simon L. Nielsen, who was, as always, very helpful. Thanks!
Most notably, this cleans up messages when shutting down from
single user. In such a case there are usually no daemons running,
but their pid files are still in /var/run. This causes rc.d to
output diagnostics about daemons with pidfiles, but that are
not running.
again. This user/group is not required for install* targets, hence do not
add them to CHECK_UIDS/CHECK_GIDS in Makefile.inc1 (no need to annoy
people).
Discussed-on: -current
your (network) modules as well as any userland that might make sense of
sizeof(struct ifnet).
This does not change the queueing yet. These changes will follow in a
seperate commit. Same with the driver changes, which need case by case
evaluation.
__FreeBSD_version bump will follow.
Tested-by: (i386)LINT
ip6addrctl_enable is set to YES, address selection policy is installed
into kernel.
If there is /etc/ip6addrctl.conf, it is used for address selection
policy. Even if there is no /etc/ip6addrctl.conf, we install default
policy. In this case, if ipv6_enable is set to YES, we use address
selection policy described in RFC 3484 as default. Otherwise, we
install priority policy for IPv4 address.
The default of ip6addrctl_enable is NO for now. However, it may
better to enable it by default.
/usr/local/www
[1] Semi-arbitrary cutoff, but I didn't want to add every locale directory
used by ports, because a lot are only used by one or two, and it's less
intrusive for these ports to just clean up after themselves.
MFC after: 2 days
The reason for doing this is that (at least some) 4.x binaries are very
unhappy if host.conf does not exist, and if we create host.conf but not
nsswitch.conf, nsswitch.conf will be created at the next reboot, so it
is better to create a correct nsswitch.conf right away.
use the conf/* stuff for their firewall configuration.
Running ipfw before could seem to make sense in that it would allow
one to setup access to the NFS server on a "default-deny" kernel,
but it is pretty obvious to the casual observer that such a configuration
never makes it far enough to mount the NFS-root in the first place.
debug.watchdog since it is not created by hardware watchdog(4) devices.
The watchdog(4) device is always compiled in the kernel, so removing the
check should not cause any problems.
Approved by: phk
initdiskless. The output of several commands and if available the
contents of /entropy are feed into /dev/random to kickstart the PRNG.
/etc/rc.d/initrandom is left alone to maintain the previous behavior as
much as possiable.
Further work in this area is probably needed.
Discussed with: markm
and permissions specified per rc.conf(5) now apply both to the md
device and to the mountpoint directory, after the mount has completed.
This has to be done in two steps, because chown is not available
until after /usr has been mounted, but the mdconfig and newfs steps
have to complete before fstab processing.
(when new natd is started before old natd died) and allows to manage natd
without touching ipfw.
natd should probably be killed with SIGKILL when stopping natd.
- Use sendmail_foo variables after load_rc_config so that they actually work.
- Utilize sendmail_procname.
- Check sendmail_submit_enable instead of sendmail_enable when dealing
with mail submission MTA.
comments and empty lines have been touched.
All of this should go in the diskless(8) manpage, now if we had
some kind of 'literate programming' tool to extract the comments
from the script and put them in a reasonable nroff format, it
would be a lot easier to keep code and docs in sync
+ SUBDIR.cpio.gz prevents files from SUBDIR/ to be copied when
priming the memory filesystems. This restores the old behaviour
and makes the copy process a lot more efficient
+ look for templates also in the list of directories supplied by
bootp/dhcp via the T134 option aka kern.bootp_cookie
+ keep track of directories temporarily mounted with "remount"
or "diskless_remount" commands and unmount them once we are done
with them (at the end of this script).
1. Add the shutdown keyword so that the script is run at shutdown time,
and the mixer* files are saved.
2. Twiddle whitespace.
3. Remove an unecessary function, and therefore collapse one variable.
hostname, resolve, tmp, and var scripts. The latter three are new and
were repo copied. These scripts no longer depend on being booted with
and NFS root instead attempt to automaticly create mfs /tmp and /var
volumes if the they are not writable. This behavior can be overridden
in /etc/rc.conf.
Reviewed by: luigi, pjd
Yes, this means for stuff OTHER than jails, too. Example usage:
#devfs_system_ruleset="root"
devfs_set_rulesets="/dev=root /etc/namedb/dev=named_devfs"
in the system on shutdown and restores the settings on boot. The settings
can also be reset to the saved values via 'mixer reload'.
Reviewed by: current@
thing, but we're ready to move on.
2. Remove the -g default argument in named_flags. It doesn't actually do
what most users think it does, and what most users want it to do is already
accomplished with a proper default group for the bind user, which we have.
Also, the -g knob does something entirely different in BIND 9, which leads
to a lot of needless confusion/aggravation.
3. In the rc.d script, don't bogusly override $command, or $rc_flags. Both
are adequately handled in rc.conf[.local].
4. DO properly override $rc_flags if user has named_chrootdir set.
This may need to be revisited, but should be ok for now.
5. Protect all chrootdir-related bits under that variable, instead of
named_rcng.
There is more work to be done here, especially in the area of BIND 9
compatibility, but this is a start at least.
Prompted in part by (legitmate) grousing from: kuriyama, Randy Bush
identical) on GENERIC.hints, hence the following change:
Moved the creation of /boot/device.hints where it belongs. This
should aid in merging GENERIC.hints changes to /boot/device.hints,
using mergemaster(8) or a similar approach.
In particular, this allows a "virgin" system installed from
source (installworld, installkernel, cd etc && make distribution)
to boot correctly and modestly simplifies the creation
of single-partition network/cdrom/CF bootable images.
Trigger not only on diskless booting sysctls being set, but also
on the existence of the file "/etc/diskless". But do not try to
extract IP# related keywords in that case.
Add a general "remount" facility to allow non-NFS remounting.
This adds the former ports registered groups: proxy and authpf as well as
the proxy user. Make sure to run mergemaster -p in oder to complete make
installworld without errors.
This also provides the passive OS fingerprints from OpenBSD (pf.os) and an
example pf.conf.
For those who want to go without pf; it provides a NO_PF knob to make.conf.
__FreeBSD_version will be bumped soon to reflect this and to be able to
change ports accordingly.
Approved by: bms(mentor)
included a start_precmd check for gated. The precommand was not
executed in the FreeBSD branch. When I did a mass removal of
NetBSD specific logic a while back this file apparently got only
a partial treatement. This bug did not have any functional consequences,
however, since the precommand was not declared to the rc.subr routines.
Noticed by: pjd
they exit. Sometimes they simply can't (core-dump, for example).
So, when searching for a running program send standard error
output from ps(1) to never-never land.
# This should quite those
# ps: kvm_getprocs: No such user
# errors. Since ports use a duplicate rc.subr(8) you might
# still see this error from ports startup scripts.
Certain MTA configurations mean that the notifications from
virecover keep bouncing; so here's a patch to allow administrators
to turn them off.
PR: conf/54910
Submitted by: bms (with a minor cleanup)
cannot or does not want to be executed in a jail the
KEYWORDS line should contain the nojail keyword.
o Update Copyright
# I suggest people who use jails more extensively than I do
# make commits to the appropriate files.
Implement ``one'' prefix to allow a "one shot" operation as if
${rcvar}=yes yet all the other prerequisite tests are still performed.
The existing ``force'' prefix is a sledgehammer that ignores all the
prerequisite checks and always returns a zero exit status; this is a
more gentle approach to the problem of "manipulate this disabled
service without editing rc.conf(5)".
Obtained From: NetBSD
# We have a work-around in our version of rc.subr that
# makes force* return a non-zero exit status if the
# command/service could not be acted upon. The work-around
# is no longer necessary and should be removed.
run_rc_command(): when checking if ${command} exists before executing it,
be sure to check under ${name_chroot} (if set).
Fix from Ed Ravin in [bin/18523]
Obtained From: NetBSD
