--- /dev/null
+machine i386
+cpu I486_CPU
+cpu I586_CPU
+cpu I686_CPU
+ident M0N0WALL_GENERIC
+maxusers 0
+options INCLUDE_CONFIG_FILE
+
+#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
+makeoptions MODULES_OVERRIDE="dummynet if_tap if_vlan ipfw"
+
+options INET #InterNETworking
+options FAST_IPSEC
+options FFS #Berkeley Fast Filesystem
+options FFS_ROOT #FFS usable as root device [keep this!]
+options SOFTUPDATES #Enable FFS soft updates support
+options MFS #Memory Filesystem
+options MD_ROOT #MD is a potential root device
+options MSDOSFS #MSDOS Filesystem
+options CD9660 #ISO 9660 Filesystem
+options CD9660_ROOT #CD-ROM usable as root, CD9660 required
+options PROCFS #Process filesystem
+options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
+options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
+options UCONSOLE #Allow users to grab the console
+options KTRACE #ktrace(1) support
+options SYSVSHM #SYSV-style shared memory
+options SYSVMSG #SYSV-style message queues
+options SYSVSEM #SYSV-style semaphores
+options P1003_1B #Posix P1003_1B real-time extensions
+options _KPOSIX_PRIORITY_SCHEDULING
+options ICMP_BANDLIM #Rate limit bad replies
+options KBD_INSTALL_CDEV # install a CDEV entry in /dev
+
+options HZ=1000
+
+options IPFILTER
+options IPFILTER_LOG
+options IPFILTER_DEFAULT_BLOCK
+options IPSTATE_SIZE=42859
+options IPSTATE_MAX=30000
+options IPFILTER_MSSCLAMP_FORCE
+options IPFIREWALL_DEFAULT_TO_ACCEPT
+
+options BRIDGE
+options DEVICE_POLLING
+
+options NO_SWAPPING
+
+device isa
+device eisa
+device pci
+
+# Floppy drives
+device fdc0 at isa? port IO_FD1 irq 6 drq 2
+device fd0 at fdc0 drive 0
+device fd1 at fdc0 drive 1
+
+# ATA and ATAPI devices
+device ata0 at isa? port IO_WD1 irq 14
+device ata1 at isa? port IO_WD2 irq 15
+device ata
+device atadisk # ATA disk drives
+device atapicd # ATAPI CDROM drives
+device atapifd # ATAPI floppy drives
+device atapist # ATAPI tape drives
+options ATA_STATIC_ID #Static device numbering
+
+# SCSI Controllers
+device ahb # EISA AHA1742 family
+device ahc # AHA2940 and onboard AIC7xxx devices
+device ahd # AHA39320/29320 and onboard AIC79xx devices
+device amd # AMD 53C974 (Tekram DC-390(T))
+device isp # Qlogic family
+device mpt # LSI-Logic MPT/Fusion
+device ncr # NCR/Symbios Logic
+device sym # NCR/Symbios Logic (newer chipsets)
+options SYM_SETUP_LP_PROBE_MAP=0x40
+ # Allow ncr to attach legacy NCR devices when
+ # both sym and ncr are configured
+
+device adv0 at isa?
+device adw
+device bt0 at isa?
+device aha0 at isa?
+device aic0 at isa?
+
+device ncv # NCR 53C500
+device nsp # Workbit Ninja SCSI-3
+device stg # TMC 18C30/18C50
+
+# SCSI peripherals
+device scbus # SCSI bus (required)
+device da # Direct Access (disks)
+device sa # Sequential Access (tape etc)
+device cd # CD
+device pass # Passthrough device (direct SCSI access)
+
+# atkbdc0 controls both the keyboard and the PS/2 mouse
+device atkbdc0 at isa? port IO_KBD
+device atkbd0 at atkbdc? irq 1 flags 0x1
+
+device vga0 at isa?
+
+# syscons is the default console driver, resembling an SCO console
+device sc0 at isa? flags 0x100
+
+# Floating point support - do not disable.
+device npx0 at nexus? port IO_NPX irq 13
+
+# Power management support (see LINT for more options)
+device apm0 at nexus? disable flags 0x20 # Advanced Power Management
+
+# PCCARD (PCMCIA) support
+device card
+device pcic0 at isa? irq 0 port 0x3e0 iomem 0xd0000
+device pcic1 at isa? irq 0 port 0x3e2 iomem 0xd4000 disable
+
+# Serial (COM) ports
+device sio0 at isa? port IO_COM1 flags 0x10 irq 4
+device sio1 at isa? port IO_COM2 irq 3
+device sio2 at isa? disable port IO_COM3 irq 5
+device sio3 at isa? disable port IO_COM4 irq 9
+
+# PCI Ethernet NICs.
+device de # DEC/Intel DC21x4x (``Tulip'')
+device txp # 3Com 3cR990 (``Typhoon'')
+device vx # 3Com 3c590, 3c595 (``Vortex'')
+
+# PCI Ethernet NICs that use the common MII bus controller code.
+# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
+device miibus # MII bus support
+device bfe # Broadcom BCM4401 10/100.
+device dc # DEC/Intel 21143 and various workalikes
+device fxp # Intel EtherExpress PRO/100B (82557, 82558)
+device my # Myson Fast Ethernet (MTD80X, MTD89X)
+device pcn # AMD Am79C97x PCI 10/100 NICs
+device rl # RealTek 8129/8139
+device sf # Adaptec AIC-6915 (``Starfire'')
+device sis # Silicon Integrated Systems SiS 900/SiS 7016
+device ste # Sundance ST201 (D-Link DFE-550TX)
+device tl # Texas Instruments ThunderLAN
+device tx # SMC EtherPower II (83c170 ``EPIC'')
+device vr # VIA Rhine, Rhine II
+device wb # Winbond W89C840F
+device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
+
+# Gigabit Ethernet NICs.
+device bge # Broadcom BCM570x (``Tigon III'')
+device em # Intel Pro/1000 (82542,82543,82544,82540)
+device gx # Intel Pro/1000 (82542, 82543)
+device lge # Level 1 LXT1001 (``Mercury'')
+device nge # NatSemi DP83820 and DP83821
+device sk # SysKonnect GEnesis
+device ti # Alteon (``Tigon I'', ``Tigon II'')
+device wx
+
+# ISA Ethernet NICs.
+# 'device ed' requires 'device miibus'
+device ed0 at isa? disable port 0x280 irq 10 iomem 0xd8000
+device ex
+device ep
+device fe0 at isa? disable port 0x300
+# Xircom Ethernet
+device xe
+# PRISM I IEEE 802.11b wireless NIC.
+device awi
+# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
+# exists only as a PCMCIA device, so there is no ISA attachment needed
+# and resources will always be dynamically assigned by the pccard code.
+device wi
+# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
+# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
+# mode (the factory default). If you set the switches on your ISA
+# card for a manually chosen I/O address and IRQ, you must specify
+# those parameters here.
+device an
+# The probe order of these is presently determined by i386/isa/isa_compat.c.
+device ie0 at isa? disable port 0x300 irq 10 iomem 0xd0000
+#device le0 at isa? disable port 0x300 irq 5 iomem 0xd0000
+device lnc0 at isa? disable port 0x280 irq 10 drq 0
+device cs0 at isa? disable port 0x300
+device sn0 at isa? disable port 0x300 irq 10
+
+# Pseudo devices - the number indicates how many units to allocate.
+pseudo-device loop # Network loopback
+pseudo-device ether # Ethernet support
+pseudo-device tun # Packet tunnel.
+pseudo-device pty # Pseudo-ttys (telnet etc)
+pseudo-device md # Memory "disks"
+pseudo-device gif # IPv6 and IPv4 tunneling
+
+# The `bpf' pseudo-device enables the Berkeley Packet Filter.
+# Be aware of the administrative consequences of enabling this!
+pseudo-device bpf #Berkeley packet filter
+
+# USB support
+device uhci # UHCI PCI->USB interface
+device ohci # OHCI PCI->USB interface
+device usb # USB Bus (required)
+device ugen # Generic
+device uhid # "Human Interface Devices"
+device ukbd # Keyboard
+device umass
+# USB Ethernet, requires mii
+device aue # ADMtek USB ethernet
+device cue # CATC USB ethernet
+device kue # Kawasaki LSI USB ethernet
+device rue
+
+options NETGRAPH #netgraph(4) system
+options NETGRAPH_ASYNC
+options NETGRAPH_BPF
+options NETGRAPH_ETHER
+options NETGRAPH_IFACE
+options NETGRAPH_KSOCKET
+options NETGRAPH_L2TP
+options NETGRAPH_MPPC_ENCRYPTION
+options NETGRAPH_PPP
+options NETGRAPH_PPPOE
+options NETGRAPH_PPTPGRE
+options NETGRAPH_SOCKET
+options NETGRAPH_TEE
+options NETGRAPH_UI
+options NETGRAPH_VJC
+
+pseudo-device crypto
+pseudo-device cryptodev
+device hifn
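Review bot: `options IPFIREWALL_DEFAULT_TO_ACCEPT` sits directly under `options IPFILTER_DEFAULT_BLOCK` with no comment, so a reader cannot tell why two packet filters are given opposite default policies. ipfw appears only in `MODULES_OVERRIDE` next to dummynet, so the accept default is presumably there to stop a loaded ipfw module from dropping traffic that IPFilter is meant to police. If that matches the intent, a comment such as `# ipfw is loaded only for dummynet shaping; IPFilter enforces the default-deny policy` would record it. The same uncommented pair is repeated in M0N0WALL_NET45XX, M0N0WALL_NET48XX and M0N0WALL_WRAP. `UCONSOLE` and `KTRACE` are also enabled in all four firewall kernels and are worth dropping, or justifying in a comment, if nothing on the image depends on them.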
--- /dev/null
+
+machine i386
+cpu I486_CPU
+ident M0N0WALL_NET45XX
+maxusers 0
+options INCLUDE_CONFIG_FILE
+
+#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
+makeoptions MODULES_OVERRIDE="dummynet if_tap if_vlan ipfw"
+
+options INET #InterNETworking
+options FAST_IPSEC
+options FFS #Berkeley Fast Filesystem
+options FFS_ROOT #FFS usable as root device [keep this!]
+options SOFTUPDATES #Enable FFS soft updates support
+options MFS #Memory Filesystem
+options MD_ROOT #MD is a potential root device
+options PROCFS #Process filesystem
+options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
+options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
+options UCONSOLE #Allow users to grab the console
+options KTRACE #ktrace(1) support
+options SYSVSHM #SYSV-style shared memory
+options SYSVMSG #SYSV-style message queues
+options SYSVSEM #SYSV-style semaphores
+options P1003_1B #Posix P1003_1B real-time extensions
+options _KPOSIX_PRIORITY_SCHEDULING
+options ICMP_BANDLIM #Rate limit bad replies
+
+options CLK_USE_I8254_CALIBRATION
+options CPU_ELAN
+options HZ=1000
+
+options IPFILTER
+options IPFILTER_LOG
+options IPFILTER_DEFAULT_BLOCK
+options IPSTATE_SIZE=42859
+options IPSTATE_MAX=30000
+options IPFILTER_MSSCLAMP_FORCE
+options IPFIREWALL_DEFAULT_TO_ACCEPT
+
+options BRIDGE
+options DEVICE_POLLING
+
+options NO_SWAPPING
+
+device isa
+device pci
+
+# ATA and ATAPI devices
+device ata0 at isa? port IO_WD1 irq 14
+device ata1 at isa? port IO_WD2 irq 15
+device ata
+device atadisk # ATA disk drives
+options ATA_STATIC_ID #Static device numbering
+
+# Floating point support - do not disable.
+device npx0 at nexus? port IO_NPX irq 13
+
+# Power management support (see LINT for more options)
+device apm0 at nexus? disable flags 0x20 # Advanced Power Management
+
+# PCCARD (PCMCIA) support
+device card
+device pcic0 at isa? irq 0 port 0x3e0 iomem 0xd0000
+device pcic1 at isa? irq 0 port 0x3e2 iomem 0xd4000 disable
+
+# Serial (COM) ports
+device sio0 at isa? port IO_COM1 flags 0x30 irq 4
+device sio1 at isa? port IO_COM2 irq 3
+device sio2 at isa? disable port IO_COM3 irq 5
+device sio3 at isa? disable port IO_COM4 irq 9
+
+# PCI Ethernet NICs that use the common MII bus controller code.
+# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
+device miibus # MII bus support
+device sis # Silicon Integrated Systems SiS 900/SiS 7016
+
+# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
+# exists only as a PCMCIA device, so there is no ISA attachment needed
+# and resources will always be dynamically assigned by the pccard code.
+device wi
+
+# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
+# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
+# mode (the factory default). If you set the switches on your ISA
+# card for a manually chosen I/O address and IRQ, you must specify
+# those parameters here.
+device an
+
+# Pseudo devices - the number indicates how many units to allocate.
+pseudo-device loop # Network loopback
+pseudo-device ether # Ethernet support
+pseudo-device tun # Packet tunnel.
+pseudo-device pty # Pseudo-ttys (telnet etc)
+pseudo-device md # Memory "disks"
+pseudo-device gif # IPv6 and IPv4 tunneling
+
+# The `bpf' pseudo-device enables the Berkeley Packet Filter.
+# Be aware of the administrative consequences of enabling this!
+pseudo-device bpf #Berkeley packet filter
+
+options NETGRAPH #netgraph(4) system
+options NETGRAPH_ASYNC
+options NETGRAPH_BPF
+options NETGRAPH_ETHER
+options NETGRAPH_IFACE
+options NETGRAPH_KSOCKET
+options NETGRAPH_L2TP
+options NETGRAPH_MPPC_ENCRYPTION
+options NETGRAPH_PPP
+options NETGRAPH_PPPOE
+options NETGRAPH_PPTPGRE
+options NETGRAPH_SOCKET
+options NETGRAPH_TEE
+options NETGRAPH_UI
+options NETGRAPH_VJC
+
+pseudo-device crypto
+pseudo-device cryptodev
+device hifn
--- /dev/null
+
+machine i386
+cpu I586_CPU
+ident M0N0WALL_NET48XX
+maxusers 0
+options INCLUDE_CONFIG_FILE
+
+#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
+makeoptions MODULES_OVERRIDE="dummynet if_tap if_vlan ipfw"
+
+options INET #InterNETworking
+options FAST_IPSEC
+options FFS #Berkeley Fast Filesystem
+options FFS_ROOT #FFS usable as root device [keep this!]
+options SOFTUPDATES #Enable FFS soft updates support
+options MFS #Memory Filesystem
+options MD_ROOT #MD is a potential root device
+options PROCFS #Process filesystem
+options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
+options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
+options UCONSOLE #Allow users to grab the console
+options KTRACE #ktrace(1) support
+options SYSVSHM #SYSV-style shared memory
+options SYSVMSG #SYSV-style message queues
+options SYSVSEM #SYSV-style semaphores
+options P1003_1B #Posix P1003_1B real-time extensions
+options _KPOSIX_PRIORITY_SCHEDULING
+options ICMP_BANDLIM #Rate limit bad replies
+
+options HZ=1000
+
+options IPFILTER
+options IPFILTER_LOG
+options IPFILTER_DEFAULT_BLOCK
+options IPSTATE_SIZE=42859
+options IPSTATE_MAX=30000
+options IPFILTER_MSSCLAMP_FORCE
+options IPFIREWALL_DEFAULT_TO_ACCEPT
+
+options BRIDGE
+options DEVICE_POLLING
+
+options NO_SWAPPING
+
+device isa
+device pci
+
+# ATA and ATAPI devices
+device ata0 at isa? port IO_WD1 irq 14
+device ata1 at isa? port IO_WD2 irq 15
+device ata
+device atadisk # ATA disk drives
+options ATA_STATIC_ID #Static device numbering
+
+# Floating point support - do not disable.
+device npx0 at nexus? port IO_NPX irq 13
+
+# Power management support (see LINT for more options)
+device apm0 at nexus? disable flags 0x20 # Advanced Power Management
+
+# Serial (COM) ports
+device sio0 at isa? port IO_COM1 flags 0x30 irq 4
+device sio1 at isa? port IO_COM2 irq 3
+device sio2 at isa? disable port IO_COM3 irq 5
+device sio3 at isa? disable port IO_COM4 irq 9
+
+# PCI Ethernet NICs that use the common MII bus controller code.
+# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
+device miibus # MII bus support
+device sis # Silicon Integrated Systems SiS 900/SiS 7016
+
+# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
+# exists only as a PCMCIA device, so there is no ISA attachment needed
+# and resources will always be dynamically assigned by the pccard code.
+device wi
+
+# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
+# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
+# mode (the factory default). If you set the switches on your ISA
+# card for a manually chosen I/O address and IRQ, you must specify
+# those parameters here.
+device an
+
+# Pseudo devices - the number indicates how many units to allocate.
+pseudo-device loop # Network loopback
+pseudo-device ether # Ethernet support
+pseudo-device tun # Packet tunnel.
+pseudo-device pty # Pseudo-ttys (telnet etc)
+pseudo-device md # Memory "disks"
+pseudo-device gif # IPv6 and IPv4 tunneling
+
+# The `bpf' pseudo-device enables the Berkeley Packet Filter.
+# Be aware of the administrative consequences of enabling this!
+pseudo-device bpf #Berkeley packet filter
+
+options NETGRAPH #netgraph(4) system
+options NETGRAPH_ASYNC
+options NETGRAPH_BPF
+options NETGRAPH_ETHER
+options NETGRAPH_IFACE
+options NETGRAPH_KSOCKET
+options NETGRAPH_L2TP
+options NETGRAPH_MPPC_ENCRYPTION
+options NETGRAPH_PPP
+options NETGRAPH_PPPOE
+options NETGRAPH_PPTPGRE
+options NETGRAPH_SOCKET
+options NETGRAPH_TEE
+options NETGRAPH_UI
+options NETGRAPH_VJC
+
+pseudo-device crypto
+pseudo-device cryptodev
+device hifn
+
+# USB support
+device ohci # OHCI PCI->USB interface
+device usb # USB Bus (required)
+device ugen # Generic
+device uhid # "Human Interface Devices"
+device ukbd # Keyboard
+# USB Ethernet, requires mii
+device aue # ADMtek USB ethernet
+device cue # CATC USB ethernet
+device kue # Kawasaki LSI USB ethernet
+device rue
--- /dev/null
+
+machine i386
+cpu I586_CPU
+ident M0N0WALL_WRAP
+maxusers 0
+options INCLUDE_CONFIG_FILE
+
+#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
+makeoptions MODULES_OVERRIDE="dummynet if_tap if_vlan ipfw"
+
+options INET #InterNETworking
+options FAST_IPSEC
+options FFS #Berkeley Fast Filesystem
+options FFS_ROOT #FFS usable as root device [keep this!]
+options SOFTUPDATES #Enable FFS soft updates support
+options MFS #Memory Filesystem
+options MD_ROOT #MD is a potential root device
+options PROCFS #Process filesystem
+options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
+options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
+options UCONSOLE #Allow users to grab the console
+options KTRACE #ktrace(1) support
+options SYSVSHM #SYSV-style shared memory
+options SYSVMSG #SYSV-style message queues
+options SYSVSEM #SYSV-style semaphores
+options P1003_1B #Posix P1003_1B real-time extensions
+options _KPOSIX_PRIORITY_SCHEDULING
+options ICMP_BANDLIM #Rate limit bad replies
+
+options HZ=1000
+
+options IPFILTER
+options IPFILTER_LOG
+options IPFILTER_DEFAULT_BLOCK
+options IPSTATE_SIZE=42859
+options IPSTATE_MAX=30000
+options IPFILTER_MSSCLAMP_FORCE
+options IPFIREWALL_DEFAULT_TO_ACCEPT
+
+options BRIDGE
+options DEVICE_POLLING
+
+options NO_SWAPPING
+
+device isa
+device pci
+
+# ATA and ATAPI devices
+device ata
+device atadisk # ATA disk drives
+options ATA_STATIC_ID #Static device numbering
+options ATA_DISABLE_SLAVE
+
+# Floating point support - do not disable.
+device npx0 at nexus? port IO_NPX irq 13
+
+# Power management support (see LINT for more options)
+device apm0 at nexus? disable flags 0x20 # Advanced Power Management
+
+# Serial (COM) ports
+device sio0 at isa? port IO_COM1 flags 0x30 irq 4
+device sio1 at isa? disable port IO_COM2 irq 3
+device sio2 at isa? disable port IO_COM3 irq 5
+device sio3 at isa? disable port IO_COM4 irq 9
+
+# PCI Ethernet NICs that use the common MII bus controller code.
+# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
+device miibus # MII bus support
+device sis # Silicon Integrated Systems SiS 900/SiS 7016
+
+# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
+# exists only as a PCMCIA device, so there is no ISA attachment needed
+# and resources will always be dynamically assigned by the pccard code.
+device wi
+
+# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
+# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
+# mode (the factory default). If you set the switches on your ISA
+# card for a manually chosen I/O address and IRQ, you must specify
+# those parameters here.
+device an
+
+# Pseudo devices - the number indicates how many units to allocate.
+pseudo-device loop # Network loopback
+pseudo-device ether # Ethernet support
+pseudo-device tun # Packet tunnel.
+pseudo-device pty # Pseudo-ttys (telnet etc)
+pseudo-device md # Memory "disks"
+pseudo-device gif # IPv6 and IPv4 tunneling
+
+# The `bpf' pseudo-device enables the Berkeley Packet Filter.
+# Be aware of the administrative consequences of enabling this!
+pseudo-device bpf #Berkeley packet filter
+
+options NETGRAPH #netgraph(4) system
+options NETGRAPH_ASYNC
+options NETGRAPH_BPF
+options NETGRAPH_ETHER
+options NETGRAPH_IFACE
+options NETGRAPH_KSOCKET
+options NETGRAPH_L2TP
+options NETGRAPH_MPPC_ENCRYPTION
+options NETGRAPH_PPP
+options NETGRAPH_PPPOE
+options NETGRAPH_PPTPGRE
+options NETGRAPH_SOCKET
+options NETGRAPH_TEE
+options NETGRAPH_UI
+options NETGRAPH_VJC
+
+pseudo-device crypto
+pseudo-device cryptodev
+device hifn
--- /dev/null
+# contents of /bin
+bin/[:bin/test
+bin/cat
+bin/chmod
+bin/cp
+bin/date
+bin/dd
+bin/df
+bin/echo
+bin/expr
+bin/hostname
+bin/kill
+bin/ls
+bin/mkdir
+bin/mv
+bin/ps
+bin/rm
+bin/sh
+bin/sleep
+bin/stty
+bin/sync
+
+# contents of /sbin
+sbin/adjkerntz
+sbin/dhclient
+sbin/dhclient-script
+sbin/dmesg
+sbin/fastboot:sbin/fasthalt:sbin/halt:sbin/reboot
+sbin/ifconfig
+sbin/init
+sbin/ipf
+sbin/ipfs
+sbin/ipfstat
+sbin/ipfw
+sbin/ipmon
+sbin/ipnat
+sbin/kldload
+sbin/kldunload
+sbin/ldconfig
+sbin/mount
+sbin/mount_fdesc:sbin/mount_linprocfs:sbin/mount_procfs:sbin/mount_std
+sbin/mount_mfs
+sbin/mount_msdos
+sbin/mount_null
+sbin/mount_umap
+sbin/mount_union
+sbin/nologin
+sbin/ping
+sbin/reboot
+sbin/route
+sbin/shutdown
+sbin/sysctl
+sbin/umount
+
+# contents of /usr/bin
+usr/bin/gzip:usr/bin/gunzip
+usr/bin/killall
+usr/bin/logger
+usr/bin/netstat
+usr/bin/nohup
+usr/bin/su
+usr/bin/tail
+usr/bin/tar
+usr/bin/top
+usr/bin/touch
+usr/bin/uptime:usr/bin/w
+
+# contents of usr/sbin
+usr/sbin/ancontrol
+usr/sbin/arp
+usr/sbin/chown
+usr/sbin/chroot
+usr/sbin/dev_mkdb
+usr/sbin/nsupdate
+usr/sbin/pccardd
+usr/sbin/pwd_mkdb
+usr/sbin/setkey
+usr/sbin/traceroute
+usr/sbin/wicontrol
+
+# contents of /usr/libexec
+usr/libexec/ld-elf.so.1
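Review bot: `sbin/reboot` is listed twice: once as a link name in `sbin/fastboot:sbin/fasthalt:sbin/halt:sbin/reboot` and again on its own line further down. With the populate script's copy-then-link handling, the second entry appears to copy over the hard link that was already created, which is redundant at best. Dropping the standalone `sbin/reboot` line leaves a single entry for that binary.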
--- /dev/null
+#!/usr/bin/perl\r
+\r
+# arguments: binaries_tree\r
+\r
+use File::Find;\r
+\r
+exit unless $#ARGV == 0;\r
+\r
+undef @liblist;\r
+\r
+# check_libs(path)\r
+sub check_libs {\r
+ @filestat = stat($File::Find::name);\r
+ \r
+ if ((($filestat[2] & 0170000) == 0100000) &&\r
+ ($filestat[2] & 0111) && (!/.ko$/)) {\r
+\r
+ @curlibs = qx{/usr/bin/ldd -f "%p\n" $File::Find::name 2>/dev/null};\r
+\r
+ push(@liblist, @curlibs);\r
+ }\r
+}\r
+\r
+# walk the directory tree\r
+find(\&check_libs, $ARGV[0]);\r
+\r
+# throw out dupes\r
+undef %hlib;\r
+@hlib{@liblist} = ();\r
+@liblist = sort keys %hlib;\r
+\r
+foreach $lib (@liblist) {\r
+ $lib = substr($lib, 1);\r
+}\r
+\r
+print @liblist;\r
+\r
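Review bot: In check_libs the path from File::Find is interpolated unquoted into the `qx{...}` shell command, so a file name in the binaries tree that contains spaces or shell metacharacters is split or interpreted by the shell instead of being passed to ldd as one argument. Quote it first, e.g. `(my $path = $File::Find::name) =~ s/'/'\\''/g;` followed by `@curlibs = qx{/usr/bin/ldd -f "%p\n" '$path' 2>/dev/null};`. The module filter `!/.ko$/` has an unescaped dot, so it also skips any executable whose name ends in an arbitrary character plus "ko"; `!/\.ko$/` matches only the `.ko` suffix. The lines are shown with a trailing `\r`; if that is a real carriage return in the committed file, the `#!/usr/bin/perl` line will not resolve when the script is executed directly.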
--- /dev/null
+#!/usr/bin/perl\r
+\r
+# arguments: source_tree dest_tree\r
+\r
+use File::Copy;\r
+\r
+exit unless $#ARGV == 2;\r
+\r
+print "Populating MiniBSD tree: $ARGV[2]\n";\r
+\r
+# populate_tree(treefile, srcpath, destpath)\r
+sub populate_tree {\r
+ my @args = @_;\r
+ \r
+ open TREEFILE, $args[0];\r
+ \r
+ TREE: while (<TREEFILE>) {\r
+ \r
+ next TREE if /^#/;\r
+ next TREE if /^ *$/;\r
+ \r
+ @srcfiles = split(/:/);\r
+ chomp @srcfiles;\r
+\r
+ $srcfile = shift(@srcfiles);\r
+ @srcstat = stat($args[1] . "/" . $srcfile); \r
+\r
+ if (copy($args[1] . "/" . $srcfile, $args[2] . "/" . $srcfile)) {\r
+ printf "Copy $args[1]/$srcfile -> $args[2]/$srcfile ($srcstat[4]/$srcstat[5]/%04o)\n", ($srcstat[2] & 07777);\r
+ chown $srcstat[4], $srcstat[5], $args[2] . "/" . $srcfile;\r
+ chmod $srcstat[2] & 07777, $args[2] . "/" . $srcfile;\r
+ } else {\r
+ print "ERROR while copying file $args[1]/$srcfile\n";\r
+ }\r
+\r
+ foreach $lnfile (@srcfiles) {\r
+ if (link($args[2] . "/" . $srcfile, $args[2] . "/" . $lnfile)) {\r
+ print "Link $args[2]/$srcfile -> $args[2]/$lnfile\n";\r
+ } else {\r
+ print "ERROR while linking file $args[2]/$srcfile\n";\r
+ }\r
+ }\r
+ }\r
+}\r
+\r
+populate_tree $ARGV[0], $ARGV[1], $ARGV[2];\r
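Review bot: `open TREEFILE, $args[0];` in populate_tree is a two-argument open with no result check, so a missing or unreadable tree file makes the loop read nothing and the script finish without any error, and the open mode is taken from the file name itself. Use `open(TREEFILE, "< $args[0]") or die "cannot open $args[0]: $!\n";`. The return values of `chown` and `chmod` are also ignored, and copy or link failures only print a message while the script still exits 0. The file list added in this commit includes `usr/bin/su`, so a failed `chown` could leave the copied mode bits on a file owned by the build user; these failures should produce a non-zero exit status. The header comment names two arguments (`source_tree dest_tree`) while the script requires three, so it should read `# arguments: treefile source_tree dest_tree`.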
--- /dev/null
+--- sys/boot.orig/i386/boot2/boot1.s Sat Apr 30 10:14:27 2005
++++ sys/boot/i386/boot2/boot1.s Sat Apr 30 10:32:38 2005
+@@ -195,7 +195,11 @@
+ xorb %al,%al # Zero assumed bss from
+ rep # the end of boot2.bin
+ stosb # up to 0x10000
+- callw seta20 # Enable A20
++# callw seta20 # Enable A20
++ nop
++ nop
++ nop
++ nop
+ jmp start+MEM_JMP-MEM_ORG # Start BTX
+ #
+ # Enable A20 so we can access memory above 1 meg.
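Review bot: Replacing `callw seta20` with four `nop`s removes the A20 enable for every machine booted from this boot1, and the patch has no comment saying which hardware needs it or what guarantees A20 is already on. If the firmware leaves A20 disabled, accesses above 1 MB wrap, so a line such as `# A20 enable skipped: <reason / affected hardware>` belongs next to the commented-out call. The seta20 routine itself lies outside the hunk and appears to be left in place. The later patches that force single-sector reads (`movb $1,%al` in boot1.s and `maxfer = 1;` in biosdisk.c) are undocumented in the same way; `maxfer = 1;` in particular unconditionally overrides the value set just above it.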
--- /dev/null
+diff -u -r sys/boot.orig/i386/boot2/boot1.s sys/boot/i386/boot2/boot1.s
+--- sys/boot.orig/i386/boot2/boot1.s Wed Aug 15 00:55:29 2001
++++ sys/boot/i386/boot2/boot1.s Sat Apr 30 10:14:27 2005
+@@ -297,8 +297,11 @@
+ subb %ah,%al # Sectors this track
+ mov 0x2(%bp),%ah # Blocks to read
+ cmpb %ah,%al # To read
+- jb read.2 # this
+- movb %ah,%al # track
++# jb read.2 # this
++# movb %ah,%al # track
++ movb $1,%al
++ nop
++ nop
+ read.2: mov $0x5,%di # Try count
+ read.3: les 0x4(%bp),%bx # Transfer buffer
+ push %ax # Save
+diff -u -r sys/boot.orig/i386/libi386/biosdisk.c sys/boot/i386/libi386/biosdisk.c
+--- sys/boot.orig/i386/libi386/biosdisk.c Wed Jan 28 17:28:50 2004
++++ sys/boot/i386/libi386/biosdisk.c Sat Apr 30 10:13:31 2005
+@@ -846,6 +846,8 @@
+ maxfer = 0;
+ }
+
++ maxfer = 1;
++
+ while (resid > 0) {
+ x = dblk;
+ cyl = x / bpc; /* block # / blocks per cylinder */
--- /dev/null
+
+ Changes to IPFilter 3.4.35
+ --------------------------
+
+1) The BSD version conditionals in the definitions of IFNAME and struct ipflog
+have been updated to handle later FreeBSD 5.x versions correctly. FreeBSD was
+the last BSD variant to incorporate the change from the if_name/if_unit to
+if_xname in naming interfaces, and the change wasn't taken into account in all
+places. The affected files are ip_compat.h and ip_fil.h. Note that there may
+be additional fixes for this needed in ip_fil.c, but they only appear to relate
+to the userland build.
+
+2) The include of FreeBSD's opt_ipfilter.h in fil.c was too late to override
+default parameters, so it was moved earlier.
+
+3) M0n0wall's "forced MSS clamping" hack has been incorporated under the
+conditional IPFILTER_MSSCLAMP_FORCE, which defaults off. The affected files
+are ip_nat.h, ip_nat.c, mlfk_ipl.c, and mlf_ipl.c.
+
+4) The window scaling bug previously fixed in 3.4.33 has been fixed again. The
+affected file is ip_state.c.
+
+5) The code for adjusting checksums in NATted ICMP errors has been fixed again,
+since it was still failing in some cases. The affected file is ip_nat.c.
+
+6) The NAT checksum adjustment routines have been fixed to perform a normal sum,
+rather than doing the computation "upside down". This prefers the -0 result,
+and therefore doesn't risk adjusting a UDP checksum to "disabled". Either form
+of zero is acceptable for non-UDP cases.
+
+7) The filter code no longer treats the ICMP sequence number as part of the key
+for the state entry. This means that a sequence of pings now uses a single
+state entry (unless the pings are spaced farther apart than the state lifetime),
+and the stats in the entry reflect the ongoing stream. This behavior avoids
+keeping multiple state entries for a single ping stream, including potentially
+filling the entire state table during flood pings.
+
+8) Since ICMP state entries are now usefully recycled, the default "ack" timeout
+has been increased to the same 60 seconds as the default request timeout.
+
+9) The code for matching ICMP (v4) query replies against requests now handles
+all four supported reply types, rather than just echo reply.
+
+
+ Notes on ICMP Checksum Issues
+ -----------------------------
+
+The NAT ICMP error checksum adjustments have been the subject of many rounds of
+tweaking, and still weren't right. Even some workimng cases were being handled
+in an unnecessarily roundabout and confusing way (e.g. adding double corrections
+when the real problem was that the correction had originally been applied in the
+wrong direction. The code has been reworked more than minimally, but less than
+it really should be. The general flow (for the embedded packet) is:
+
+1) The IP address difference is applied (oppositely) to the IP header checksum.
+It is not directly applied to the ICMP checksum, since the header checksum
+change cancels the address change. To put it another way, all valid IP headers
+have an overall checksum of 0, so any change that transforms one valid IP header
+into another is guaranteed to be checksum-neutral.
+
+2) For TCP and UDP, the IP address change is applied to the TCP/UDP checksum (if
+present) due to its effect on the pseudo-header, and any such adjustment is
+applied (oppositely) to the ICMP checksum in compensation. This does not require
+"observing" the TCP/UDP checksum change, since the difference is precisely the
+correction just applied. For UDP, "present" means not being +0, while for TCP,
+"present" means being within the included portion of the offending packet.
+
+3) For TCP and UDP, any port number change is applied (oppositely) to the ICMP
+checksum, to compensate the change in the port number field.
+
+4) For TCP and UDP, any port number change is applied (oppositely) to the
+TCP/UDP checksum (if present), and any such change is applied (non-oppositely)
+to the ICMP checksum. If present, this adjustment cancels the effect of #3.
+
+5) The accumulated ICMP checksum adjustment is applied, without any extra
+complement or bizarre direction-dependent increment.
+
+
+ Notes on General Checksum Issues
+ --------------------------------
+
+Since the ones-complement representation has two possible zero values (0 and
+~0), implementations vary as to which zero result is produced in which cases. In
+fact, hardware implementations are actually nondeterministic in this regard
+without special logic to force a preference. The only IP-related checksum whose
+zero value is precisely specified is the UDP checksum, where the +0 value is
+reserved for "none", requiring the ~0 form to be used for "real" zero.
+
+The most common software implementation of ones-complement add produces the ~0
+result in almost all cases, so the "complement of the sum" language in the
+specification of various IP-related checksums *could* be construed as preferring
+the +0 form. But since it doesn't explicitly specify the zero preference of the
+underlying sum, that can't necessarily be assumed. The real intent of the
+checksum definition is to provide a value which causes the overall checksum of
+the entire set of bytes (including the checksum) to be zero, hence making the
+checksum the complement of the sum of everything else. This condition is met by
+either form of zero, something which is mentioned in the discussion of the UDP
+checksum in RFC1122.
+
+It's also worth noting that if an implementation used the same checksum check
+code for non-UDP checksums as for UDP checksums, it might erroneously regard
++0 non-UDP checksums as absent. While this behavior is clearly incorrect, it
+can be avoided by preferring ~0 checksums for non-UDP cases as well.
+
+Thus, an argument can be made for using the ~0 representation for zero checksums
+in all cases, which is also the natural result of using a UDP-compatible
+calculation in other places. The only way to prefer +0 for non-UDP checksums
+while generating the required ~0 in the UDP case would be to use different
+calculations for UDP and non-UDP cases, which is almost certainly not necessary
+and probably not desirable.
+
+With regard to the meaning of "prefer", let's use "@" to represent ones-
+complement addition. For any "natural" @ operation, the three cases that
+produce mathematically zero results are as follows:
+
+ +0 @ +0 -> +0 always
+ ~0 @ ~0 -> ~0 always
+ x @ ~x -> +0 or ~0, depending on implementation
+
+The most common form (end-around carry initially presumed false) prefers the ~0
+result in the last case, meaning that the only time the result can be +0 is when
+all summands are +0. Thus, as long as at least one bit in the checksummed area
+can be guaranteed nonzero, the normal calculation can be used to produce the ~0
+form of zero without any special check.
+
+
+Note that the proper way to compute a ones-complement difference is to compute a
+ones-complement sum using the *ones* complement of the subtrahend. I.e the
+ones-complement equivalent of (x - y) is (x @ ~y). Twos-complement subtraction
+can't be used unless an "end-around borrow" is also included, and the result
+then has a +0 preference.
+
+
+As noted in RFC1071, all checksum calculations can be performed in network byte
+order on any processor, althought the unnecessary byte swapping hasn't been
+removed from IPFilter.
+
+ Fred Wright
+ fw@well.com
+ 5-Apr-2005
--- /dev/null
+
+ PFC Workaround in Netgraph PPP Implementation
+ ---------------------------------------------
+
+An interoperability problem has arisen when using certain broken PPTP
+implementations with the netgraph PPTP/PPP code. This is, at least in part,
+due to a lack of clear specification in the RFCs as to whether protocol-field
+compression should be allowed for additional nested PPP encapsulations. It
+is never explicitly stated whether the LCP-negotiated PFC enable is to apply
+to additional levels. Although the PPP protocol encoding was designed to be
+self-describing with respect to PFC, and hence the robustness principle dictates
+that it should always be accepted by the receiver, in practice there are
+implementations that choke on unexpected PFC.
+
+Part of the problem arises because, when Multilink PPP is in use, most levels
+of protocol type are per-bundle rather than per-link, but there are no LCP
+negotiations at the bundle level. Thus, the PFC enable is conceptually
+nonexistent in the protocol for some protocol levels. However, RFC1990 does
+suggest using the PFC enable from the first link to determine the bundle's use
+of PFC.
+
+There are three places in ng_ppp.c where PPP protocol types are inserted, with
+possible PFC. Two are used only at the bundle level, and normally enable PFC
+unconditionally. The third could be used at either the link or bundle level,
+and uses the link's PFC enable in the latter case while unconditionally enabling
+it in the former.
+
+The initially recommended patch to get around the buggy peer involved disabling
+PFC in the two calls where it was unconditionally true. This of course means
+disabling PFC even in cases where it works. The version of ng_ppp.c released
+with FreeBSD 4.11 made this change in *one of* the two places (perhaps the only
+one immediately causing trouble) while leaving the other alone. The version
+released with FreeBSD 5.3 did not have this change at all.
+
+The modification to ng_ppp.c here changes all three bundle-level protocol-type
+insertions to use the PFC enable from the first link as the condition. While
+this is not completely ideal, it does permit PFC to be used everywhere when it
+doesn't cause trouble, while also permitting it to be disabled by configuration
+at either end. In particular, it can be disabled in buggy peers without
+penalizing others.
+
+A more flexible approach would be to introuduce a bundle-level PFC enable in
+the configuration parameters, perhaps even three separate enables (one for each
+instance in the code). That would allow the userland code to decide where PFC
+is permitted, without further kernel changes. Probably the most reasonable
+default would be to derive those enables from the first link (as is hard-coded
+now), or perhaps even from the AND across all links.
+
+
+Although RFC1990 suggests taking alignment considerations into account when
+deciding whether or not to use PFC, that issue is not addressed by this change.
+
+ Fred Wright
+ fw@well.com
+ 5-Apr-2005
--- /dev/null
+diff -u -r sys.orig/conf/options sys/conf/options
+--- sys.orig/conf/options Mon Apr 19 08:02:17 2004
++++ sys/conf/options Sun Apr 24 10:02:07 2005
+@@ -252,6 +252,7 @@
+
+ # Options used in the 'ata' ATA/ATAPI driver
+ ATA_STATIC_ID opt_ata.h
++ATA_DISABLE_SLAVE opt_ata.h
+
+ # Net stuff.
+ ACCEPT_FILTER_DATA
+@@ -280,6 +281,12 @@
+ IPFILTER opt_ipfilter.h
+ IPFILTER_LOG opt_ipfilter.h
+ IPFILTER_DEFAULT_BLOCK opt_ipfilter.h
++# Existing options made configurable for m0n0wall
++IPSTATE_SIZE opt_ipfilter.h
++IPSTATE_MAX opt_ipfilter.h
++# New options for m0n0wall
++IPFILTER_MSSCLAMP_FORCE opt_ipfilter.h
++# End of m0n0wall additions
+ IPFIREWALL opt_ipfw.h
+ IPFW2 opt_ipfw.h
+ IPFIREWALL_VERBOSE opt_ipfw.h
+diff -u -r sys.orig/contrib/ipfilter/netinet/fil.c sys/contrib/ipfilter/netinet/fil.c
+--- sys.orig/contrib/ipfilter/netinet/fil.c Thu Dec 16 21:43:51 2004
++++ sys/contrib/ipfilter/netinet/fil.c Sun Apr 24 08:51:20 2005
+@@ -68,6 +68,12 @@
+ # include <sys/hashing.h>
+ # include <netinet/in_var.h>
+ #endif
++# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
++# include <sys/malloc.h>
++# if defined(_KERNEL) && !defined(IPFILTER_LKM)
++# include "opt_ipfilter.h"
++# endif
++# endif
+ #include <netinet/tcp.h>
+ #include <netinet/udp.h>
+ #include <netinet/ip_icmp.h>
+@@ -85,12 +91,6 @@
+ #include "netinet/ip_state.h"
+ #include "netinet/ip_proxy.h"
+ #include "netinet/ip_auth.h"
+-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+-# include <sys/malloc.h>
+-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+-# include "opt_ipfilter.h"
+-# endif
+-# endif
+ #ifndef MIN
+ # define MIN(a,b) (((a)<(b))?(a):(b))
+ #endif
+diff -u -r sys.orig/contrib/ipfilter/netinet/ip_compat.h sys/contrib/ipfilter/netinet/ip_compat.h
+--- sys.orig/contrib/ipfilter/netinet/ip_compat.h Sun Jul 4 11:24:38 2004
++++ sys/contrib/ipfilter/netinet/ip_compat.h Sun Apr 24 08:51:20 2005
+@@ -545,7 +545,8 @@
+ # ifndef linux
+ # define GETUNIT(n, v) ifunit(n)
+ # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
+- (defined(OpenBSD) && (OpenBSD >= 199603))
++ (defined(OpenBSD) && (OpenBSD >= 199603)) || \
++ (defined(__FreeBSD_version) && (__FreeBSD_version >= 501113))
+ # define IFNAME(x) ((struct ifnet *)x)->if_xname
+ # else
+ # define USE_GETIFNAME 1
+diff -u -r sys.orig/contrib/ipfilter/netinet/ip_fil.h sys/contrib/ipfilter/netinet/ip_fil.h
+--- sys.orig/contrib/ipfilter/netinet/ip_fil.h Mon Jul 5 08:02:35 2004
++++ sys/contrib/ipfilter/netinet/ip_fil.h Sun Apr 24 08:51:20 2005
+@@ -430,7 +430,8 @@
+
+ typedef struct ipflog {
+ #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
+- (defined(OpenBSD) && (OpenBSD >= 199603))
++ (defined(OpenBSD) && (OpenBSD >= 199603)) || \
++ (defined(__FreeBSD_version) && (__FreeBSD_version >= 501113))
+ char fl_ifname[LIFNAMSIZ];
+ #else
+ u_int fl_unit;
+diff -u -r sys.orig/contrib/ipfilter/netinet/ip_nat.c sys/contrib/ipfilter/netinet/ip_nat.c
+--- sys.orig/contrib/ipfilter/netinet/ip_nat.c Fri Dec 17 03:24:30 2004
++++ sys/contrib/ipfilter/netinet/ip_nat.c Mon May 9 01:38:17 2005
+@@ -127,6 +127,11 @@
+ ipnat_t **rdr_rules = NULL;
+ hostmap_t **maptable = NULL;
+
++#if IPFILTER_MSSCLAMP_FORCE
++int fr_mssclamp = 0;
++char fr_mssif[IFNAMSIZ] = "";
++#endif /* IPFILTER_MSSCLAMP_FORCE */
++
+ u_long fr_defnatage = DEF_NAT_AGE,
+ fr_defnaticmpage = 6; /* 3 seconds */
+ natstat_t nat_stats;
+@@ -321,12 +326,13 @@
+ *sp = n & 0xffff;
+ return;
+ }
+- sum1 = (~ntohs(*sp)) & 0xffff;
+- sum1 += (n);
+- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
+- /* Again */
+- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
+- sumshort = ~(u_short)sum1;
++ /* Perform the adjustment in noninverted form
++ * in order to prefer the -0 result over the +0 result.
++ * Otherwise a UDP checksum could be "adjusted" to nonexistent.
++ */
++ sum1 = ntohs(*sp) + (~n & 0xFFFF);
++ /* One folding step is sufficient for a sum of two 16-bit operands */
++ sumshort = (u_short)((sum1 >> 16) + (sum1 & 0xffff));
+ *(sp) = htons(sumshort);
+ }
+
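Review bot: The rewritten adjustment is only correct when `n` already fits in 16 bits, and nothing in the function enforces that. Here `(~n & 0xFFFF)` silently drops any higher bits of `n`. In the next hunk (-348) `sum1 = ntohs(*sp) + n;` adds `n` unmasked, so a wider `n` can leave a carry that the single fold loses when the result is cast to `u_short`. The patch folds `sumd` after `CALC_SUMD` at two call sites, but callers outside this diff are not visible. Either fold at entry in all three functions (this hunk, -348 and -385), e.g. `n = (n & 0xffff) + (n >> 16);` applied twice, or state the precondition as `/* n must already be folded to 16 bits */`. The function bodies start outside these hunks.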
+@@ -348,16 +354,17 @@
+ *sp = n & 0xffff;
+ return;
+ }
++ /* Perform the adjustment in noninverted form
++ * in order to prefer the -0 result over the +0 result
++ * Otherwise a UDP checksum could be "adjusted" to nonexistent.
++ */
+ #ifdef sparc
+- sum1 = (~(*sp)) & 0xffff;
++ sum1 = *sp + n;
+ #else
+- sum1 = (~ntohs(*sp)) & 0xffff;
++ sum1 = ntohs(*sp) + n;
+ #endif
+- sum1 += ~(n) & 0xffff;
+- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
+- /* Again */
+- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
+- sumshort = ~(u_short)sum1;
++ /* One folding step is sufficient for a sum of two 16-bit operands */
++ sumshort = (u_short)((sum1 >> 16) + (sum1 & 0xffff));
+ *(sp) = htons(sumshort);
+ }
+
+@@ -385,12 +392,13 @@
+ if (!n)
+ return;
+
+- sum1 = (~ntohs(*sp)) & 0xffff;
+- sum1 += (n);
+- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
+- /* Again */
+- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
+- sumshort = ~(u_short)sum1;
++ /* Perform the adjustment in noninverted form
++ * in order to prefer the -0 result over the +0 result
++ * Otherwise a UDP checksum could be "adjusted" to nonexistent.
++ */
++ sum1 = ntohs(*sp) + (~n & 0xFFFF);
++ /* One folding step is sufficient for a sum of two 16-bit operands */
++ sumshort = (u_short)((sum1 >> 16) + (sum1 & 0xffff));
+ *(sp) = htons(sumshort);
+ }
+
+@@ -1757,7 +1765,8 @@
+
+ sum2 = LONG_SUM(ntohl(in.s_addr));
+
+- CALC_SUMD(sum1, sum2, sumd);
++ CALC_SUMD(sum1, sum2, sumd); /* CKS of new-old IP */
++ sumd = (sumd & 0xFFFF) + (sumd >> 16); /* Finish folding */
+
+ /*
+ * Fix IP checksum of the offending IP packet to adjust for
+@@ -1788,17 +1797,14 @@
+ * The UDP checksum is optional, only adjust it
+ * if it has been set.
+ */
+- sum1 = ntohs(udp->uh_sum);
+ fix_datacksum(&udp->uh_sum, sumd);
+- sum2 = ntohs(udp->uh_sum);
+
+ /*
+ * Fix ICMP checksum to compensate the UDP
+ * checksum adjustment.
++ * Since CKS adjustment was negative, this one is positive.
+ */
+- sumd2 = sumd << 1;
+- CALC_SUMD(sum1, sum2, sumd);
+- sumd2 += sumd;
++ sumd2 = sumd;
+ }
+
+ /*
+@@ -1808,23 +1814,14 @@
+ * the TCP checksum (normally it does not!).
+ */
+ else if ((oip->ip_p == IPPROTO_TCP) && (dlen >= 18)) {
+- sum1 = ntohs(tcp->th_sum);
+ fix_datacksum(&tcp->th_sum, sumd);
+- sum2 = ntohs(tcp->th_sum);
+
+ /*
+ * Fix ICMP checksum to compensate the TCP
+ * checksum adjustment.
++ * Since CKS adjustment was negative, this one is positive.
+ */
+- sumd2 = sumd << 1;
+- CALC_SUMD(sum1, sum2, sumd);
+- sumd2 += sumd;
+- } else {
+- sumd2 = (sumd >> 16);
+- if (nat->nat_dir == NAT_OUTBOUND)
+- sumd2 = ~sumd2;
+- else
+- sumd2 = ~sumd2 + 1;
++ sumd2 = sumd;
+ }
+
+ if (((flags & IPN_TCPUDP) != 0) && (dlen >= 4)) {
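Review bot: With the final `else` branch removed, `sumd2` is no longer assigned when the embedded packet is neither UDP with a checksum nor TCP with `dlen >= 18`, yet it is read later by `sumd2 += sumd ^ 0xFFFF;` and `if (sumd2)`. Its declaration is outside the hunk, so please confirm it is initialised to zero there. If it is, a short comment would record why no ICMP adjustment is needed in that case, for example `/* no transport checksum touched: the IP header change and the ip_sum fix cancel out in the ICMP checksum */`.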
+@@ -1847,103 +1844,46 @@
+ * include the TCP checksum. So we have to check if the
+ * ip->ip_len actually holds the TCP checksum of the oip!
+ */
++
++ sumd = 0; /* Assume no port adjustment & no CKS change */
+ if (nat->nat_oport == tcp->th_dport) {
+ if (tcp->th_sport != nat->nat_inport) {
+- /*
+- * Fix ICMP checksum to compensate port
+- * adjustment.
+- */
+- sum1 = ntohs(nat->nat_inport);
+- sum2 = ntohs(tcp->th_sport);
++ sumd = ntohs(nat->nat_inport)
++ + (ntohs(tcp->th_sport) ^ 0xFFFF);
+ tcp->th_sport = nat->nat_inport;
+-
+- /*
+- * Fix udp checksum to compensate port
+- * adjustment. NOTE : the offending IP packet
+- * flows the other direction compared to the
+- * ICMP message.
+- *
+- * The UDP checksum is optional, only adjust
+- * it if it has been set.
+- */
+- if ((oip->ip_p == IPPROTO_UDP) &&
+- (dlen >= 8) && udp->uh_sum) {
+- sumd = sum1 - sum2;
+- sumd2 += sumd;
+-
+- sum1 = ntohs(udp->uh_sum);
+- fix_datacksum(&udp->uh_sum, sumd);
+- sum2 = ntohs(udp->uh_sum);
+-
+- /*
+- * Fix ICMP checksum to compensate
+- * UDP checksum adjustment.
+- */
+- CALC_SUMD(sum1, sum2, sumd);
+- sumd2 += sumd;
+- }
+-
+- /*
+- * Fix tcp checksum (if present) to compensate
+- * port adjustment. NOTE : the offending IP
+- * packet flows the other direction compared to
+- * the ICMP message.
+- */
+- if (oip->ip_p == IPPROTO_TCP) {
+- if (dlen >= 18) {
+- sumd = sum1 - sum2;
+- sumd2 += sumd;
+-
+- sum1 = ntohs(tcp->th_sum);
+- fix_datacksum(&tcp->th_sum,
+- sumd);
+- sum2 = ntohs(tcp->th_sum);
+-
+- /*
+- * Fix ICMP checksum to
+- * compensate TCP checksum
+- * adjustment.
+- */
+- CALC_SUMD(sum1, sum2, sumd);
+- sumd2 += sumd;
+- } else {
+- sumd = sum2 - sum1 + 1;
+- sumd2 += sumd;
+- }
+- }
++ } else if (tcp->th_dport != nat->nat_outport) {
++ sumd = ntohs(nat->nat_outport)
++ + (ntohs(tcp->th_dport) ^ 0xFFFF);
++ tcp->th_dport = nat->nat_outport;
+ }
+- } else if (tcp->th_dport != nat->nat_outport) {
++ }
++
++ if ( sumd ) {
++ sumd = (sumd >> 16) + (sumd & 0xFFFF);
+ /*
+ * Fix ICMP checksum to compensate port
+ * adjustment.
++ * Since sumd has new-old, CKS adjustment is negative.
+ */
+- sum1 = ntohs(nat->nat_outport);
+- sum2 = ntohs(tcp->th_dport);
+- tcp->th_dport = nat->nat_outport;
++ sumd2 += sumd ^ 0xFFFF;
+
+ /*
+ * Fix udp checksum to compensate port
+- * adjustment. NOTE : the offending IP
+- * packet flows the other direction compared
+- * to the ICMP message.
++ * adjustment. NOTE : the offending IP packet
++ * flows the other direction compared to the
++ * ICMP message.
+ *
+ * The UDP checksum is optional, only adjust
+ * it if it has been set.
+ */
+- if ((oip->ip_p == IPPROTO_UDP) &&
+- (dlen >= 8) && udp->uh_sum) {
+- sumd = sum1 - sum2;
+- sumd2 += sumd;
+-
+- sum1 = ntohs(udp->uh_sum);
++ if ((oip->ip_p == IPPROTO_UDP) && (dlen >= 8) && udp->uh_sum) {
+ fix_datacksum(&udp->uh_sum, sumd);
+- sum2 = ntohs(udp->uh_sum);
+-
+ /*
+ * Fix ICMP checksum to compensate
+ * UDP checksum adjustment.
++ * Since UDP CKS adjustment was negative, this one is positive.
+ */
+- CALC_SUMD(sum1, sum2, sumd);
++ sumd2 += sumd;
+ }
+
+ /*
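Review bot: The destination-port rewrite has moved to a different condition than before. Reading the brace order (indentation is not preserved on this page), `else if (tcp->th_dport != nat->nat_outport)` is now the else-arm of the inner `if (tcp->th_sport != nat->nat_inport)` and sits inside `if (nat->nat_oport == tcp->th_dport)`. Previously it was the else-arm of that outer test, so it ran when `th_dport` differed from `nat_oport`; now it runs only when they are equal and the source port already matches. If the old pairing was intended, close the inner block first: `}` followed by `} else if (tcp->th_dport != nat->nat_outport) {`. If the new nesting is deliberate, it deserves a comment, because the embedded header of an ICMP error would otherwise go out with an untranslated port.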
+@@ -1952,27 +1892,15 @@
+ * packet flows the other direction compared to
+ * the ICMP message.
+ */
+- if (oip->ip_p == IPPROTO_TCP) {
+- if (dlen >= 18) {
+- sumd = sum1 - sum2;
+- sumd2 += sumd;
+-
+- sum1 = ntohs(tcp->th_sum);
+- fix_datacksum(&tcp->th_sum, sumd);
+- sum2 = ntohs(tcp->th_sum);
+-
+- /*
+- * Fix ICMP checksum to compensate
+- * UDP checksum adjustment.
+- */
+- CALC_SUMD(sum1, sum2, sumd);
+- } else {
+- sumd = sum2 - sum1;
+- if (nat->nat_dir == NAT_OUTBOUND)
+- sumd++;
+- }
++ if ((oip->ip_p == IPPROTO_TCP) && (dlen >= 18)) {
++ fix_datacksum(&tcp->th_sum, sumd);
++ /*
++ * Fix ICMP checksum to compensate
++ * TCP checksum adjustment.
++ * Since TCP CKS adjustment was negative, this one is positive.
++ */
++ sumd2 += sumd;
+ }
+- sumd2 += sumd;
+ }
+ if (sumd2) {
+ sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
+@@ -2319,8 +2247,15 @@
+ void *sifp;
+ u_32_t iph;
+ nat_t *nat;
++#if IPFILTER_MSSCLAMP_FORCE
++ int clamped = 0;
++ int retval = 0;
++
++ if (fr_nat_lock)
++#else /* !IPFILTER_MSSCLAMP_FORCE */
+
+ if (nat_list == NULL || (fr_nat_lock))
++#endif /* !IPFILTER_MSSCLAMP_FORCE */
+ return 0;
+
+ if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
+@@ -2344,6 +2279,11 @@
+ }
+
+ ipa = fin->fin_saddr;
++
++#if IPFILTER_MSSCLAMP_FORCE
++ if (nat_list == NULL)
++ goto ip_natout_mss;
++#endif /* IPFILTER_MSSCLAMP_FORCE */
+
+ READ_ENTER(&ipf_nat);
+
+@@ -2495,9 +2435,13 @@
+ * only deal IPv4 for now.
+ */
+ if (nat->nat_mssclamp &&
+- (tcp->th_flags & TH_SYN) != 0)
++ (tcp->th_flags & TH_SYN) != 0) {
+ nat_mssclamp(tcp, nat->nat_mssclamp,
+ fin, csump);
++ #if IPFILTER_MSSCLAMP_FORCE
++ clamped = 1;
++ #endif /* IPFILTER_MSSCLAMP_FORCE */
++ }
+
+ MUTEX_EXIT(&nat->nat_lock);
+ } else if (fin->fin_p == IPPROTO_UDP) {
+@@ -2527,6 +2471,7 @@
+ } else
+ i = 1;
+ ATOMIC_INCL(nat_stats.ns_mapped[1]);
++#if !IPFILTER_MSSCLAMP_FORCE
+ RWLOCK_EXIT(&ipf_nat); /* READ */
+ fin->fin_ifp = sifp;
+ return i;
+@@ -2534,6 +2479,28 @@
+ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
+ fin->fin_ifp = sifp;
+ return 0;
++#else /* IPFILTER_MSSCLAMP_FORCE */
++ retval = i;
++ }
++ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
++
++ip_natout_mss:
++ /* Handle MSS clamping, if necessary */
++ if (!clamped && (fr_mssclamp > 0) && (fr_mssif[0] != 0) &&
++ (fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT) &&
++ (fin->fin_p == IPPROTO_TCP)) {
++
++ if ((tcp->th_flags & TH_SYN) != 0) {
++
++ /* Does the interface name match? */
++ if (strncmp(IFNAME(ifp), fr_mssif, IFNAMSIZ) == 0)
++ nat_mssclamp(tcp, fr_mssclamp, fin, &tcp->th_sum);
++ }
++ }
++
++ fin->fin_ifp = sifp;
++ return retval;
++#endif /* IPFILTER_MSSCLAMP_FORCE */
+ }
+
+
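Review bot: The forced-clamp block after `ip_natout_mss:` is repeated line for line after `ip_natin_mss:` in the -2740 hunk, and both copies sit in an `#else` arm that also supplies the closing brace of the preceding `if`, which makes the brace balance depend on the preprocessor. A small static helper called from both places would keep the two paths identical and let the `#if` wrap whole statements only. The helper also gives one place to document that `fr_mssif` is read here without any lock visible in the hunk, while the sysctl can rewrite it. The enclosing functions start outside the hunk, so the types of `tcp` and `ifp` below are assumed.

```c
/* Clamp the MSS on SYNs for the interface named in fr_mssif when no
 * NAT rule has already clamped this packet. */
static void
nat_mssclamp_forced(fr_info_t *fin, tcphdr_t *tcp, void *ifp)
{
	if ((fr_mssclamp <= 0) || (fr_mssif[0] == 0))
		return;
	if ((fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) ||
	    (fin->fin_p != IPPROTO_TCP))
		return;
	if ((tcp->th_flags & TH_SYN) == 0)
		return;
	/* Does the interface name match? */
	if (strncmp(IFNAME(ifp), fr_mssif, IFNAMSIZ) == 0)
		nat_mssclamp(tcp, fr_mssclamp, fin, &tcp->th_sum);
}

/* ... unchanged: NAT lookup and RWLOCK_EXIT ... */
ip_natout_mss:
	if (!clamped)
		nat_mssclamp_forced(fin, tcp, ifp);
```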
+@@ -2555,8 +2522,14 @@
+ int i, icmpset = 0;
+ nat_t *nat;
+ u_32_t iph;
++#if IPFILTER_MSSCLAMP_FORCE
++ int clamped = 0;
++ int retval = 0;
+
++ if ((ip->ip_v != 4) || (fr_nat_lock))
++#else /* !IPFILTER_MSSCLAMP_FORCE */
+ if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock))
++#endif /* !IPFILTER_MSSCLAMP_FORCE */
+ return 0;
+
+ if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
+@@ -2574,6 +2547,11 @@
+ in = fin->fin_dst;
+ /* make sure the source address is to be redirected */
+ src = fin->fin_src;
++
++#if IPFILTER_MSSCLAMP_FORCE
++ if (nat_list == NULL)
++ goto ip_natin_mss;
++#endif /* IPFILTER_MSSCLAMP_FORCE */
+
+ READ_ENTER(&ipf_nat);
+
+@@ -2718,9 +2696,13 @@
+ * only deal IPv4 for now.
+ */
+ if (nat->nat_mssclamp &&
+- (tcp->th_flags & TH_SYN) != 0)
++ (tcp->th_flags & TH_SYN) != 0) {
+ nat_mssclamp(tcp, nat->nat_mssclamp,
+ fin, csump);
++ #if IPFILTER_MSSCLAMP_FORCE
++ clamped = 1;
++ #endif /* IPFILTER_MSSCLAMP_FORCE */
++ }
+
+ MUTEX_EXIT(&nat->nat_lock);
+ } else if (fin->fin_p == IPPROTO_UDP) {
+@@ -2740,11 +2722,33 @@
+ }
+ }
+ ATOMIC_INCL(nat_stats.ns_mapped[0]);
++#if !IPFILTER_MSSCLAMP_FORCE
+ RWLOCK_EXIT(&ipf_nat); /* READ */
+ return 1;
+ }
+ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
+ return 0;
++#else /* IPFILTER_MSSCLAMP_FORCE */
++ retval = 1;
++ }
++ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
++
++ip_natin_mss:
++ /* Handle MSS clamping, if necessary */
++ if (!clamped && (fr_mssclamp > 0) && (fr_mssif[0] != 0) &&
++ (fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT) &&
++ (fin->fin_p == IPPROTO_TCP)) {
++
++ if ((tcp->th_flags & TH_SYN) != 0) {
++
++ /* Does the interface name match? */
++ if (strncmp(IFNAME(ifp), fr_mssif, IFNAMSIZ) == 0)
++ nat_mssclamp(tcp, fr_mssclamp, fin, &tcp->th_sum);
++ }
++ }
++
++ return retval;
++#endif /* IPFILTER_MSSCLAMP_FORCE */
+ }
+
+
+@@ -2966,6 +2970,7 @@
+ v = htons(maxmss);
+ bcopy(&v, &cp[2], sizeof(v));
+ CALC_SUMD(mss, maxmss, sumd);
++ sumd = (sumd & 0xFFFF) + (sumd >> 16);
+ fix_outcksum(fin, csump, sumd);
+ }
+ break;
+diff -u -r sys.orig/contrib/ipfilter/netinet/ip_nat.h sys/contrib/ipfilter/netinet/ip_nat.h
+--- sys.orig/contrib/ipfilter/netinet/ip_nat.h Sun Jul 4 11:24:39 2004
++++ sys/contrib/ipfilter/netinet/ip_nat.h Fri Mar 25 04:25:14 2005
+@@ -76,6 +76,11 @@
+
+ #define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */
+
++/* Define this NZ to enable special sysctl to force MSS clamping */
++#ifndef IPFILTER_MSSCLAMP_FORCE
++#define IPFILTER_MSSCLAMP_FORCE 0
++#endif
++
+ struct ap_session;
+
+ typedef struct nat {
+@@ -303,6 +308,10 @@
+ extern void ip_natsync __P((void *));
+ extern u_long fr_defnatage;
+ extern u_long fr_defnaticmpage;
++#if IPFILTER_MSSCLAMP_FORCE
++extern int fr_mssclamp;
++extern char fr_mssif[];
++#endif /* IPFILTER_MSSCLAMP_FORCE */
+ extern nat_t **nat_table[2];
+ extern nat_t *nat_instances;
+ extern ipnat_t **nat_rules;
+diff -u -r sys.orig/contrib/ipfilter/netinet/ip_state.c sys/contrib/ipfilter/netinet/ip_state.c
+--- sys.orig/contrib/ipfilter/netinet/ip_state.c Sun Jul 4 11:24:39 2004
++++ sys/contrib/ipfilter/netinet/ip_state.c Sun Apr 24 08:51:20 2005
+@@ -143,7 +143,7 @@
+ fr_udptimeout = 240,
+ fr_udpacktimeout = 24,
+ fr_icmptimeout = 120,
+- fr_icmpacktimeout = 12;
++ fr_icmpacktimeout = 120; /* Longer now that it matches multiple seqs */
+ int fr_statemax = IPSTATE_MAX,
+ fr_statesize = IPSTATE_SIZE;
+ int fr_state_doflush = 0,
+@@ -172,6 +172,11 @@
+ icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY;
+ icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY;
+ icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY;
++
++#define ICMP_REPLY_MASK ((1<<ICMP_ECHOREPLY)|(1<<ICMP_TSTAMPREPLY) \
++ |(1<<ICMP_IREQREPLY)|(1<<ICMP_MASKREPLY))
++#define ICMP_IS_REPLY_TYPE(type) ((1<<(type)) & ICMP_REPLY_MASK)
++
+ #ifdef USE_INET6
+ /* fill icmp reply type table */
+ for (i = 0; i <= ICMP6_MAXTYPE; i++)
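Review bot: `ICMP_IS_REPLY_TYPE` shifts `1` by an unchecked ICMP type, which is undefined once the type reaches the width of `int`. The one use in this diff (-1151 hunk) is reached only after the type has matched a stored query or reply type, so it is safe today, but the macro would misfire if reused on a raw `icmp_type`. A guarded form costs nothing: `#define ICMP_IS_REPLY_TYPE(type) ((type) < 32 && ((1U << (type)) & ICMP_REPLY_MASK))`. The definitions also land between statements of an initialisation routine whose start is outside the hunk; placing them next to the `icmpreplytype4` declaration would make them easier to find.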
+@@ -653,7 +658,8 @@
+ case ICMP6_ECHO_REQUEST :
+ is->is_icmp.ics_type = ic->icmp_type;
+ hv += (is->is_icmp.ics_id = ic->icmp_id);
+- hv += (is->is_icmp.ics_seq = ic->icmp_seq);
++ /* Don't include the sequence # in the key, but record it */
++ is->is_icmp.ics_seq = ic->icmp_seq;
+ break;
+ case ICMP6_MEMBERSHIP_QUERY :
+ case ND_ROUTER_SOLICIT :
+@@ -679,7 +685,8 @@
+ case ICMP_MASKREQ :
+ is->is_icmp.ics_type = ic->icmp_type;
+ hv += (is->is_icmp.ics_id = ic->icmp_id);
+- hv += (is->is_icmp.ics_seq = ic->icmp_seq);
++ /* Don't include the sequence # in the key, but record it */
++ is->is_icmp.ics_seq = ic->icmp_seq;
+ break;
+ default :
+ return NULL;
+@@ -958,8 +965,8 @@
+ (SEQ_GE(seq, fdata->td_end - maxwin)) &&
+ /* XXX what about big packets */
+ #define MAXACKWINDOW 66000
+- (-ackskew <= (MAXACKWINDOW << tdata->td_wscale)) &&
+- ( ackskew <= (MAXACKWINDOW << tdata->td_wscale))) {
++ (-ackskew <= (MAXACKWINDOW << fdata->td_wscale)) &&
++ ( ackskew <= (MAXACKWINDOW << fdata->td_wscale))) {
+
+ /* if ackskew < 0 then this should be due to fragmented
+ * packets. There is no way to know the length of the
+@@ -1151,11 +1158,9 @@
+ */
+ if ((!rev && (icmp->icmp_type == is->is_type)) ||
+ (rev && (icmpreplytype4[is->is_type] == icmp->icmp_type))) {
+- if (icmp->icmp_type != ICMP_ECHOREPLY)
+- return 1;
+- if ((icmp->icmp_id == is->is_icmp.ics_id) &&
+- (icmp->icmp_seq == is->is_icmp.ics_seq))
++ if (!ICMP_IS_REPLY_TYPE(icmp->icmp_type))
+ return 1;
++ if (icmp->icmp_id == is->is_icmp.ics_id) return 1;
+ }
+ }
+ #ifdef USE_INET6
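Review bot: Removing the `icmp_seq` comparison widens what the state entry accepts, and the code does not record that trade-off. Any reply carrying the same `icmp_id` and addresses now matches for the life of the entry, and the first hunk of this file raises `fr_icmpacktimeout` from 12 to 120. The same relaxation is made in the IPv6 branch in the next hunk and in the hash computations further down. Suggested comment above the id test: `/* Match on id only; seq is recorded but not checked, so one state entry covers a whole ping run */`. Separately, `if (icmp->icmp_id == is->is_icmp.ics_id) return 1;` puts the return on the same line as the test, unlike the surrounding code.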
+@@ -1164,9 +1169,7 @@
+ (rev && (icmpreplytype6[is->is_type] == icmp->icmp_type))) {
+ if (icmp->icmp_type != ICMP6_ECHO_REPLY)
+ return 1;
+- if ((icmp->icmp_id == is->is_icmp.ics_id) &&
+- (icmp->icmp_seq == is->is_icmp.ics_seq))
+- return 1;
++ if (icmp->icmp_id == is->is_icmp.ics_id) return 1;
+ }
+ }
+ #endif
+@@ -1325,7 +1328,6 @@
+ dst.in4 = oip->ip_dst;
+ hv += dst.in4.s_addr;
+ hv += icmp->icmp_id;
+- hv += icmp->icmp_seq;
+ hv %= fr_statesize;
+
+ READ_ENTER(&ipf_state);
+@@ -1497,7 +1499,7 @@
+ if ((ic->icmp_type == ICMP6_ECHO_REQUEST) ||
+ (ic->icmp_type == ICMP6_ECHO_REPLY)) {
+ hv += ic->icmp_id;
+- hv += ic->icmp_seq;
++ /* Do *not* include seq # here */
+ }
+ }
+ READ_ENTER(&ipf_state);
+@@ -1507,6 +1509,8 @@
+ if ((is->is_p == pr) && (is->is_v == v) &&
+ fr_matchsrcdst(is, src, dst, fin, NULL) &&
+ fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) {
++ /* Record seq # for perusal */
++ is->is_icmp.ics_seq = ic->icmp_seq;
+ rev = fin->fin_rev;
+ if (is->is_frage[rev] != 0)
+ is->is_age = is->is_frage[rev];
+@@ -1554,7 +1558,7 @@
+ tcp = NULL;
+ if (v == 4) {
+ hv += ic->icmp_id;
+- hv += ic->icmp_seq;
++ /* Do *not* include seq # here */
+ }
+ hvm = hv % fr_statesize;
+ READ_ENTER(&ipf_state);
+@@ -1562,6 +1566,8 @@
+ if ((is->is_p == pr) && (is->is_v == v) &&
+ fr_matchsrcdst(is, src, dst, fin, NULL) &&
+ fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) {
++ /* Record seq # for perusal */
++ is->is_icmp.ics_seq = ic->icmp_seq;
+ rev = fin->fin_rev;
+ if (is->is_frage[rev] != 0)
+ is->is_age = is->is_frage[rev];
+@@ -2239,7 +2245,6 @@
+ for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext)
+ if ((is->is_p == pr) &&
+ (oic->icmp6_id == is->is_icmp.ics_id) &&
+- (oic->icmp6_seq == is->is_icmp.ics_seq) &&
+ fr_matchsrcdst(is, src, dst, &ofin, NULL)) {
+ /*
+ * in the state table ICMP query's are stored
+diff -u -r sys.orig/contrib/ipfilter/netinet/mlfk_ipl.c sys/contrib/ipfilter/netinet/mlfk_ipl.c
+--- sys.orig/contrib/ipfilter/netinet/mlfk_ipl.c Sat Apr 27 19:37:12 2002
++++ sys/contrib/ipfilter/netinet/mlfk_ipl.c Mon May 9 00:58:58 2005
+@@ -45,6 +45,11 @@
+ # include <netinet/tcpip.h>
+ #endif
+
++#if __FreeBSD_version >= 300000
++# if defined(_KERNEL) && !defined(IPFILTER_LKM)
++# include "opt_ipfilter.h"
++# endif
++#endif
+
+ #include <netinet/ipl.h>
+ #include <netinet/ip_compat.h>
+@@ -102,6 +107,12 @@
+ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
+ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttllog, CTLFLAG_RW,
+ &fr_minttllog, 0, "");
++#if IPFILTER_MSSCLAMP_FORCE
++SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_mssclamp, CTLFLAG_RW,
++ &fr_mssclamp, 0, "");
++SYSCTL_STRING(_net_inet_ipf, OID_AUTO, fr_mssif, CTLFLAG_RW,
++ fr_mssif, IFNAMSIZ, "");
++#endif /* IPFILTER_MSSCLAMP_FORCE */
+
+ #define CDEV_MAJOR 79
+ static struct cdevsw ipl_cdevsw = {
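Review bot: Both new sysctls are read-write with empty description strings, and `fr_mssclamp` has no range check. The packet path in ip_nat.c only tests `fr_mssclamp > 0`, so any small positive value would be written into SYNs on the named interface. `fr_mssif` is also updated by the sysctl handler while the NAT path compares it with `strncmp`, and no lock is visible around either side. Suggested descriptions are `"Forced TCP MSS clamp in bytes (0 = off)"` and `"Interface name for forced MSS clamping"`. A `SYSCTL_PROC` handler that rejects values outside a sensible MSS range would be a worthwhile hardening step.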
+diff -u -r sys.orig/i386/isa/clock.c sys/i386/isa/clock.c
+--- sys.orig/i386/isa/clock.c Sat Nov 2 05:41:50 2002
++++ sys/i386/isa/clock.c Sun Apr 24 08:51:20 2005
+@@ -950,7 +950,7 @@
+ writertc(RTC_HRS, bin2bcd(tm%24)); tm /= 24; /* Write back Hours */
+
+ /* We have now the days since 01-01-1970 in tm */
+- writertc(RTC_WDAY, (tm+4)%7); /* Write back Weekday */
++ writertc(RTC_WDAY, (tm+4)%7+1); /* Write back Weekday */
+ for (y = 1970, m = DAYSPERYEAR + LEAPYEAR(y);
+ tm >= m;
+ y++, m = DAYSPERYEAR + LEAPYEAR(y))
+diff -u -r sys.orig/kern/subr_diskslice.c sys/kern/subr_diskslice.c
+--- sys.orig/kern/subr_diskslice.c Tue Jul 24 11:49:41 2001
++++ sys/kern/subr_diskslice.c Sun Apr 24 08:51:20 2005
+@@ -892,9 +892,11 @@
+ }
+ if (pp->p_size != sp->ds_size) {
+ if (sname != NULL) {
++ /*
+ printf("%s: raw partition size != slice size\n", sname);
+ slice_info(sname, sp);
+ partition_info(sname, RAW_PART, pp);
++ */
+ }
+ if (pp->p_size > sp->ds_size) {
+ if (sname == NULL)
+diff -u -r sys.orig/net/if_ethersubr.c sys/net/if_ethersubr.c
+--- sys.orig/net/if_ethersubr.c Wed Mar 3 13:35:16 2004
++++ sys/net/if_ethersubr.c Sun Apr 24 08:51:20 2005
+@@ -605,8 +605,10 @@
+ * it dropped (m_free'd) the packet itself.
+ */
+ if (m == NULL) {
++ /*
+ if (bif == BDG_BCAST || bif == BDG_MCAST)
+ printf("bdg_forward drop MULTICAST PKT\n");
++ */
+ return;
+ }
+ eh = &save_eh ;
+diff -u -r sys.orig/netgraph/ng_ppp.c sys/netgraph/ng_ppp.c
+--- sys.orig/netgraph/ng_ppp.c Sun Dec 12 20:37:52 2004
++++ sys/netgraph/ng_ppp.c Sun Apr 24 08:51:21 2005
+@@ -744,7 +744,11 @@
+ case HOOK_INDEX_VJC_VJIP:
+ if (priv->conf.enableCompression
+ && priv->hooks[HOOK_INDEX_COMPRESS] != NULL) {
+- if ((m = ng_ppp_addproto(m, proto, 0)) == NULL) {
++ if ((m = ng_ppp_addproto(m, proto,
++ /* Get the PFC enable from the first link (RFC1990) */
++ priv->links[priv->activeLinks[0]]
++ .conf.enableProtoComp
++ )) == NULL) {
+ NG_FREE_META(meta);
+ return (ENOBUFS);
+ }
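Review bot: `priv->links[priv->activeLinks[0]].conf.enableProtoComp` is read without checking that any link is active. If `priv->numActiveLinks` can be zero on this path (not visible from the hunk), `activeLinks[0]` holds whatever index was left there and the PFC decision comes from an inactive link's configuration. The same expression appears in the -755 hunk and, for the bundle case, in the -973 hunk, where the new code also relies on `link` being NULL for bundle-level frames instead of testing `linkNum == NG_PPP_BUNDLE_LINKNUM`. A small helper that returns 0 when there are no active links would cover all three sites and replace the repeated inline comment. The enclosing functions start outside the hunks.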
+@@ -755,7 +759,11 @@
+ case HOOK_INDEX_COMPRESS:
+ if (priv->conf.enableEncryption
+ && priv->hooks[HOOK_INDEX_ENCRYPT] != NULL) {
+- if ((m = ng_ppp_addproto(m, proto, 1)) == NULL) {
++ if ((m = ng_ppp_addproto(m, proto,
++ /* Get the PFC enable from the first link (RFC1990) */
++ priv->links[priv->activeLinks[0]]
++ .conf.enableProtoComp
++ )) == NULL) {
+ NG_FREE_META(meta);
+ return (ENOBUFS);
+ }
+@@ -973,8 +981,9 @@
+
+ /* Prepend protocol number, possibly compressed */
+ if ((m = ng_ppp_addproto(m, proto,
+- linkNum == NG_PPP_BUNDLE_LINKNUM
+- || link->conf.enableProtoComp)) == NULL) {
++ /* On a bundle, get the PFC enable from the first link (RFC1990) */
++ (link ? link
++ : &priv->links[priv->activeLinks[0]])->conf.enableProtoComp)) == NULL) {
+ NG_FREE_META(meta);
+ return (ENOBUFS);
+ }
+diff -u -r sys.orig/netinet/ip_input.c sys/netinet/ip_input.c
+--- sys.orig/netinet/ip_input.c Sun Jan 2 06:03:16 2005
++++ sys/netinet/ip_input.c Sun Apr 24 08:51:21 2005
+@@ -356,7 +356,7 @@
+ if (args.rule) { /* dummynet already filtered us */
+ ip = mtod(m, struct ip *);
+ hlen = IP_VHL_HL(ip->ip_vhl) << 2;
+- goto iphack ;
++ goto ipfw; /* skip ipfilter now (already passed it)! */
+ }
+
+ ipstat.ips_total++;
+@@ -467,7 +467,6 @@
+ * - Encapsulate: put it in another IP and send out. <unimp.>
+ */
+
+-iphack:
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+@@ -479,6 +478,7 @@
+ return;
+ ip = mtod(m = m1, struct ip *);
+ }
++ipfw:
+ if (fw_enable && IPFW_LOADED) {
+ /*
+ * If we've been forwarded from the output side, then
+diff -u -r sys.orig/netinet/ip_output.c sys/netinet/ip_output.c
+--- sys.orig/netinet/ip_output.c Tue Jun 1 09:38:56 2004
++++ sys/netinet/ip_output.c Sun Apr 24 08:51:21 2005
+@@ -705,20 +705,6 @@
+ }
+ spd_done:
+ #endif /* FAST_IPSEC */
+- /*
+- * IpHack's section.
+- * - Xlate: translate packet's addr/port (NAT).
+- * - Firewall: deny/allow/etc.
+- * - Wrap: fake packet's addr/port <unimpl.>
+- * - Encapsulate: put it in another IP and send out. <unimp.>
+- */
+- if (fr_checkp) {
+- struct mbuf *m1 = m;
+-
+- if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
+- goto done;
+- ip = mtod(m = m1, struct ip *);
+- }
+
+ /*
+ * Check with the firewall...
+@@ -952,6 +938,21 @@
+ }
+
+ pass:
++ /*
++ * IpHack's section.
++ * - Xlate: translate packet's addr/port (NAT).
++ * - Firewall: deny/allow/etc.
++ * - Wrap: fake packet's addr/port <unimpl.>
++ * - Encapsulate: put it in another IP and send out. <unimp.>
++ */
++ if (fr_checkp) {
++ struct mbuf *m1 = m;
++
++ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
++ goto done;
++ ip = mtod(m = m1, struct ip *);
++ }
++
+ /* 127/8 must not appear on wire - RFC1122. */
+ if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
+ (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
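Review bot: Placing the `fr_checkp` call after `pass:` means ipfilter's output hook now sees only packets that reach that label. Before this change it ran ahead of the ipfw section, so every outgoing packet passed through it. Any ipfw outcome that leaves `ip_output` through `goto done` would now bypass ipfilter's output rules and NAT; those paths are outside the hunk. That ordering is a filtering-policy decision and should be stated in the code, for example `/* ipfilter runs after ipfw/dummynet on output; packets ipfw consumes or diverts never reach it */`. It is also worth confirming that the loopback check just below is meant to see post-NAT addresses.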
+diff -u -r sys.orig/netipsec/key.c sys/netipsec/key.c
+--- sys.orig/netipsec/key.c Sat Feb 14 23:23:23 2004
++++ sys/netipsec/key.c Sun Apr 24 08:51:21 2005
+@@ -110,6 +110,34 @@
+ * field hits 0 (= no external reference other than from SA header.
+ */
+
++/*
++ * New feature: SA holdoff
++ * When key_preferred_oldsa is negative, new SAs are preferred (as if =0),
++ * but only when established for at least -key_preferred_oldsa seconds.
++ * If no "sufficiently mature" SAs are found, the oldest is used.
++ * This gets around the "blackout" problem caused by sender/receiver skew
++ * when establishing new SAs, without the potentially lingering inconsistencies
++ * caused by preferring old SAs.
++ * Fred Wright
++ */
++#ifndef IPSEC_SA_HOLDOFF
++#define IPSEC_SA_HOLDOFF 1
++#endif
++
++/*
++ * Old, probably obsolete feature: SA "early retirement"
++ * There was code to delete non-preferred send SAs discovered while sending.
++ * This was only operative with key_preferred_oldsa=0, and we suspect it was
++ * an attempt at solving the "blackout" problem. Since there is now better
++ * control over SA selection, that other code is probably unnecessary and
++ * certainly adds complication, so it's conditionaled out here. Nevertheless,
++ * it's tweaked to work correctly if it is enabled.
++ * Fred Wright
++ */
++#ifndef IPSEC_SA_EARLY_RETIRE
++#define IPSEC_SA_EARLY_RETIRE 0
++#endif
++
+ u_int32_t key_debug_level = 0;
+ static u_int key_spi_trycnt = 1000;
+ static u_int32_t key_spi_minval = 0x100;
+@@ -119,7 +147,7 @@
+ static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
+ static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
+ static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
+-static int key_prefered_oldsa = 1; /* prefered old sa rather than new sa.*/
++static int key_preferred_oldsa = 1; /* preferred old sa rather than new sa.*/
+
+ static u_int32_t acq_seq = 0;
+ static int key_tick_init_random = 0;
+@@ -134,12 +162,11 @@
+ static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
+
+ /* search order for SAs */
+-static u_int saorder_state_valid[] = {
++static const u_int saorder_state_valid_prefer_old[] = {
+ SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
+- /*
+- * This order is important because we must select the oldest SA
+- * for outbound processing. For inbound, This is not important.
+- */
++};
++static const u_int saorder_state_valid_prefer_new[] = {
++ SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
+ };
+ static u_int saorder_state_alive[] = {
+ /* except DEAD */
+@@ -247,8 +274,8 @@
+ &ipsec_ah_keymin, 0, "");
+
+ /* perfered old SA rather than new SA */
+-SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, prefered_oldsa, CTLFLAG_RW,\
+- &key_prefered_oldsa, 0, "");
++SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa, CTLFLAG_RW,\
++ &key_preferred_oldsa, 0, "");
+
+ #ifndef LIST_FOREACH
+ #define LIST_FOREACH(elm, head, field) \
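Review bot: Correcting the spelling in the second `SYSCTL_INT` argument renames the user-visible OID from `prefered_oldsa` to `preferred_oldsa`. Existing configuration that sets the old name will stop taking effect and the default of 1 will apply. The description string is still empty, although negative values now carry a new meaning (hold-off seconds, per the comment added at the top of the file). Suggest filling it in, e.g. `"Prefer old SA (>0), new SA (0), or new SA after -N seconds (<0)"`, and noting the rename in the release notes. The comment line above still reads `perfered`.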
+@@ -351,7 +378,8 @@
+
+ static struct secasvar *key_allocsa_policy __P((const struct secasindex *));
+ static void key_freesp_so __P((struct secpolicy **));
+-static struct secasvar *key_do_allocsa_policy __P((struct secashead *, u_int));
++static struct secasvar *key_do_allocsa_policy __P((struct secashead *, u_int,
++ time_t, struct secasvar **));
+ static void key_delsp __P((struct secpolicy *));
+ static struct secpolicy *key_getsp __P((struct secpolicyindex *));
+ static struct secpolicy *key_getspbyid __P((u_int32_t));
+@@ -816,6 +844,10 @@
+ struct secashead *sah;
+ struct secasvar *sav;
+ u_int stateidx, state;
++ const u_int *saorder_state_valid;
++ int arraysize;
++ time_t cutoff = 0;
++ struct secasvar *fallback = NULL;
+
+ LIST_FOREACH(sah, &sahtree, chain) {
+ if (sah->state == SADB_SASTATE_DEAD)
+@@ -828,17 +860,29 @@
+
+ found:
+
+- /* search valid state */
+- for (stateidx = 0;
+- stateidx < _ARRAYLEN(saorder_state_valid);
+- stateidx++) {
++ /*
++ * search a valid state list for outbound packet.
++ * This search order is important.
++ */
++ if (key_preferred_oldsa > 0) {
++ saorder_state_valid = saorder_state_valid_prefer_old;
++ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
++ } else {
++ saorder_state_valid = saorder_state_valid_prefer_new;
++ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
++ cutoff = time_second - key_preferred_oldsa;
++ }
++
++ for (stateidx = 0; stateidx < arraysize; stateidx++) {
+
+ state = saorder_state_valid[stateidx];
+
+- sav = key_do_allocsa_policy(sah, state);
++ sav = key_do_allocsa_policy(sah, state, cutoff, &fallback);
+ if (sav != NULL)
+ return sav;
+ }
++ /* If we have fallback, feed it through for refcnt update */
++ if ( fallback ) return key_do_allocsa_policy(NULL, 0, 0, &fallback);
+
+ return NULL;
+ }
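Review bot: The `cutoff = time_second - key_preferred_oldsa;` assignment in the prefer-new branch only runs when `key_preferred_oldsa` is zero or negative, so the subtraction puts the cutoff at now or in the future, never in the past. If a negative value is meant as a holdoff in seconds (the sysctl's documentation is not visible here), every SA then compares as older than the cutoff and a freshly negotiated SA is used at once, which is what a holdoff is supposed to prevent. Should this read `cutoff = time_second + key_preferred_oldsa;`? Either way, a comment next to the assignment stating the sign convention would help. The function starts above this hunk.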
+@@ -851,13 +895,24 @@
+ * others : found, pointer to a SA.
+ */
+ static struct secasvar *
+-key_do_allocsa_policy(struct secashead *sah, u_int state)
++key_do_allocsa_policy(struct secashead *sah, u_int state,
++ time_t cutoff, struct secasvar **fbp)
+ {
+- struct secasvar *sav, *nextsav, *candidate, *d;
++ struct secasvar *sav, *nextsav, *candidate;
++#if !SA_EARLY_RETIRE
++ #define RETIRE_SA(sa)
++#else
++ struct secasvar *d = NULL;
++ #define RETIRE_SA(sa) d = sa;
++#endif
+
+ /* initilize */
+ candidate = NULL;
+
++#if IPSEC_SA_HOLDOFF
++ if ( !sah ) candidate = *fbp;
++ else
++#endif
+ for (sav = LIST_FIRST(&sah->savtree[state]);
+ sav != NULL;
+ sav = nextsav) {
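Review bot: The two conditionals that govern `d` use different macro names: the declaration here sits under `#if !SA_EARLY_RETIRE`, while the block that dereferences `d` further down is under `#if IPSEC_SA_EARLY_RETIRE`. Unless both names are defined together somewhere outside this view, enabling `IPSEC_SA_EARLY_RETIRE` alone leaves `d` undeclared and `RETIRE_SA` empty, so the build fails. Using `#if !IPSEC_SA_EARLY_RETIRE` here would keep the two in step. `RETIRE_SA` is also defined inside the function with a trailing semicolon and is never `#undef`ed, which makes the `if`/`else` bodies that use it fragile. The function body continues past this hunk.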
+@@ -880,8 +935,9 @@
+ panic("key_do_allocsa_policy: "
+ "lifetime_current is NULL.\n");
+
++#if !IPSEC_SA_HOLDOFF
+ /* What the best method is to compare ? */
+- if (key_prefered_oldsa) {
++ if (key_preferred_oldsa > 0) {
+ if (candidate->lft_c->sadb_lifetime_addtime >
+ sav->lft_c->sadb_lifetime_addtime) {
+ candidate = sav;
+@@ -890,20 +946,47 @@
+ /*NOTREACHED*/
+ }
+
+- /* prefered new sa rather than old sa */
++ /* preferred new sa rather than old sa */
+ if (candidate->lft_c->sadb_lifetime_addtime <
+ sav->lft_c->sadb_lifetime_addtime) {
+- d = candidate;
++ RETIRE_SA(candidate)
+ candidate = sav;
+- } else
+- d = sav;
++ } else {
++ RETIRE_SA(sav)
++ }
++#else /* IPSEC_SA_HOLDOFF */
++ /* Decide handling based on SA addtime vs. cutoff */
++ if ( sav->lft_c->sadb_lifetime_addtime < cutoff ) {
++ /* Prefer newer among "sufficiently old */
++ if ( sav->lft_c->sadb_lifetime_addtime
++ > candidate->lft_c->sadb_lifetime_addtime ) {
++ RETIRE_SA(candidate)
++ candidate = sav;
++ } else {
++ RETIRE_SA(sav)
++ }
++ } else {
++ /* Prefer older among "too new" */
++ if ( sav->lft_c->sadb_lifetime_addtime
++ < candidate->lft_c->sadb_lifetime_addtime ) {
++ if ( !cutoff ) {
++ /* Use immediately in "pure older" mode */
++ candidate = sav;
++ } else {
++ /* Otherwise use as fallback */
++ *fbp = sav;
++ }
++ }
++ }
++#endif /* IPSEC_SA_HOLDOFF */
+
++#if IPSEC_SA_EARLY_RETIRE
+ /*
+ * prepared to delete the SA when there is more
+ * suitable candidate and the lifetime of the SA is not
+ * permanent.
+ */
+- if (d->lft_c->sadb_lifetime_addtime != 0) {
++ if (d && d->lft_c->sadb_lifetime_addtime != 0) {
+ struct mbuf *m, *result;
+
+ key_sa_chgstate(d, SADB_SASTATE_DEAD);
+@@ -959,6 +1042,7 @@
+ msgfail:
+ KEY_FREESAV(&d);
+ }
++#endif /* IPSEC_SA_EARLY_RETIRE */
+ }
+
+ if (candidate) {
+@@ -997,6 +1081,8 @@
+ struct secasvar *sav;
+ u_int stateidx, state;
+ int s;
++ const u_int *saorder_state_valid;
++ int arraysize;
+
+ KASSERT(dst != NULL, ("key_allocsa: null dst address"));
+
+@@ -1004,6 +1090,22 @@
+ printf("DP key_allocsa from %s:%u\n", where, tag));
+
+ /*
++ * when both systems employ similar strategy to use a SA.
++ * the search order is important even in the inbound case.
++ */
++ /*
++ * The above should be untrue since the lookup is by SPI,
++ * but we're leaving this aspect alone for now. - FW
++ */
++ if (key_preferred_oldsa > 0) {
++ saorder_state_valid = saorder_state_valid_prefer_old;
++ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
++ } else {
++ saorder_state_valid = saorder_state_valid_prefer_new;
++ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
++ }
++
++ /*
+ * searching SAD.
+ * XXX: to be checked internal IP header somewhere. Also when
+ * IPsec tunnel packet is received. But ESP tunnel mode is
+@@ -1011,10 +1113,11 @@
+ */
+ s = splnet(); /*called from softclock()*/
+ LIST_FOREACH(sah, &sahtree, chain) {
+- /* search valid state */
+- for (stateidx = 0;
+- stateidx < _ARRAYLEN(saorder_state_valid);
+- stateidx++) {
++ /*
++ * search a valid state list for inbound packet.
++ * the search order is not important.
++ */
++ for (stateidx = 0; stateidx < arraysize; stateidx++) {
+ state = saorder_state_valid[stateidx];
+ LIST_FOREACH(sav, &sah->savtree[state], chain) {
+ /* sanity check */
+Only in sys/netipsec: key.c.netkey
+diff -u -r sys.orig/netipsec/key_var.h sys/netipsec/key_var.h
+--- sys.orig/netipsec/key_var.h Fri Jan 24 06:11:36 2003
++++ sys/netipsec/key_var.h Sun Apr 24 08:51:21 2005
+@@ -61,7 +61,7 @@
+ { "esp_keymin", CTLTYPE_INT }, \
+ { "esp_auth", CTLTYPE_INT }, \
+ { "ah_keymin", CTLTYPE_INT }, \
+- { "prefered_oldsa", CTLTYPE_INT }, \
++ { "preferred_oldsa", CTLTYPE_INT }, \
+ }
+
+ #ifdef _KERNEL
+diff -u -r sys.orig/i386/i386/identcpu.c sys/i386/i386/identcpu.c
+--- sys.orig/i386/i386/identcpu.c Tue Apr 6 03:40:30 2004
++++ sys/i386/i386/identcpu.c Sun Apr 24 09:16:38 2005
+@@ -380,7 +380,13 @@
+ break;
+ case 0x540:
+ cpu_class = CPUCLASS_586;
+- strcat(cpu_model, "GXm");
++ if (cyrix_did < 0x6000) {
++ strcat(cpu_model, "GXm");
++ } else if (cyrix_did < 0x7000) {
++ strcat(cpu_model, "GXLV");
++ } else {
++ strcat(cpu_model, "GX1");
++ }
+ break;
+ case 0x600:
+ strcat(cpu_model, "6x86MX");
+@@ -504,6 +510,13 @@
+ }
+ break;
+ }
++ } else if (strcmp(cpu_vendor, "Geode by NSC") == 0) {
++ strcpy(cpu_model, "NSC Geode");
++ switch (cpu_id & 0xff0) {
++ case 0x540:
++ cpu_class = CPUCLASS_586;
++ break;
++ }
+ } else if (strcmp(cpu_vendor, "RiseRiseRise") == 0) {
+ strcpy(cpu_model, "Rise ");
+ switch (cpu_id & 0xff0) {
+@@ -602,10 +615,11 @@
+ strcmp(cpu_vendor, "AuthenticAMD") == 0 ||
+ strcmp(cpu_vendor, "RiseRiseRise") == 0 ||
+ strcmp(cpu_vendor, "CentaurHauls") == 0 ||
++ strcmp(cpu_vendor, "Geode by NSC") == 0 ||
+ ((strcmp(cpu_vendor, "CyrixInstead") == 0) &&
+- ((cpu_id & 0xf00) > 0x500))) {
++ ((cpu_id & 0xff0) >= 0x540))) {
+ printf(" Stepping = %u", cpu_id & 0xf);
+- if (strcmp(cpu_vendor, "CyrixInstead") == 0)
++ if ((strcmp(cpu_vendor, "CyrixInstead") == 0) || (strcmp(cpu_vendor, "Geode by NSC") == 0))
+ printf(" DIR=0x%04x", cyrix_did);
+ if (cpu_high > 0) {
+ /*
+@@ -938,6 +952,14 @@
+ cpu_feature = regs[3]; /* edx */
+ break;
+ }
++ }
++ } else if (strcmp(cpu_vendor, "Geode by NSC") == 0) {
++ identifycyrix();
++ switch (cyrix_did & 0x00f0) {
++ case 0x40: /* GX1 */
++ case 0xb0: /* SCx200 */
++ cpu = CPU_M1SC;
++ break;
+ }
+ } else if (cpu == CPU_486 && *cpu_vendor == '\0') {
+ /*
+diff -u -r sys.orig/i386/i386/vm_machdep.c sys/i386/i386/vm_machdep.c
+--- sys.orig/i386/i386/vm_machdep.c Sun Aug 31 02:16:27 2003
++++ sys/i386/i386/vm_machdep.c Sun Apr 24 09:31:04 2005
+@@ -432,6 +432,16 @@
+ outb(0xf0, 0x00); /* Reset. */
+ #else
+ /*
++ * reset Geode via PCI function 0
++ */
++ if (strcmp(cpu_vendor, "Geode by NSC") == 0) {
++ if (((cpu_id & 0xfff0) == 0x0540) && ((cyrix_did & 0xfff0) == 0x81b0)) {
++ outl(0xcf8, 0x80009044);
++ outb(0xcfc, 0x0f);
++ outl(0xcf8, 0);
++ }
++ }
++ /*
+ * Attempt to do a CPU reset via the keyboard controller,
+ * do not turn of the GateA20, as any machine that fails
+ * to do the reset here would then end up in no man's land.
+diff -u -r sys.orig/dev/ata/ata-pci.c sys/dev/ata/ata-pci.c
+--- sys.orig/dev/ata/ata-pci.c Wed Dec 31 19:05:16 2003
++++ sys/dev/ata/ata-pci.c Sun Apr 24 10:01:12 2005
+@@ -28,6 +28,7 @@
+ * $FreeBSD: src/sys/dev/ata/ata-pci.c,v 1.32.2.21 2003/12/31 18:05:16 jhb Exp $
+ */
+
++#include "opt_ata.h"
+ #include <sys/param.h>
+ #include <sys/systm.h>
+ #include <sys/kernel.h>
+@@ -569,8 +570,10 @@
+
+ ata_pci_add_child(dev, 0);
+
++#ifndef ATA_DISABLE_SLAVE
+ if (ATA_MASTERDEV(dev) || pci_read_config(dev, 0x18, 4) & IOMASK)
+ ata_pci_add_child(dev, 1);
++#endif
+
+ return bus_generic_attach(dev);
+ }
+diff -u -r sys.orig/dev/ata/ata-disk.c sys/dev/ata/ata-disk.c
+--- sys.orig/dev/ata/ata-disk.c Sat Sep 18 12:26:12 2004
++++ sys/dev/ata/ata-disk.c Sat Apr 30 21:05:21 2005
+@@ -105,7 +105,7 @@
+ "ATA disk write caching");
+ SYSCTL_INT(_hw_ata, OID_AUTO, tags, CTLFLAG_RD, &ata_tags, 0,
+ "ATA disk tagged queuing support");
+-SYSCTL_INT(_hw_ata, OID_AUTO, suspend, CTLFLAG_RD, &ata_suspend, 0,
++SYSCTL_INT(_hw_ata, OID_AUTO, suspend, CTLFLAG_RW, &ata_suspend, 0,
+ "ATA disk suspend timer");
+
+ void
+@@ -940,6 +940,34 @@
+ ata_umode(adp->device->param));
+ else
+ ata_dmainit(atadev, ata_pmode(adp->device->param), -1, -1);
++
++ if (ata_suspend > 0) {
++ /*
++ * Attempt to set the standby timer.
++ * The parameters are documented in sections 8.42.4 p. 210 and
++ * 8.14.4 (table 23) p. 118 of the ATAPI-5 interface spec
++ * http://www.t13.org.
++ */
++ int value = ata_suspend;
++ if (atadev->param->stdby_ovlap) {
++ /*
++ * The device supports the standard values.
++ * Scale the seconds in value appropriately.
++ */
++ if (value <= 1200)
++ /* Values 1-240 specify 5 second increments. */
++ value /= 5;
++ else if (value <= 18000)
++ /* Values 241-251 specify 30 minute increments. */
++ value = (value / 60 / 30) + 241;
++ else
++ /* A period between 8 and 12 hours. */
++ value = 253;
++ } else
++ ata_prtdev(atadev, "timer value is vendor-specific\n");
++ if (ata_command(atadev, ATA_C_STANDBY, 0, value, 0, ATA_WAIT_INTR))
++ ata_prtdev(atadev, "suspend mode failed\n");
++ }
+ }
+
+ void
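Review bot: A `suspend` setting of 1 to 4 seconds is turned into 0 by `value /= 5`, and the standby command is then issued with a zero count. The ATA specification cited in the comment defines 0 as timeout disabled, so a small non-zero setting silently switches the timer off. Rounding up keeps the request meaningful: `value = (value + 4) / 5;`. In the vendor-specific branch the raw integer is passed through unchanged, and since the sysctl is now writable it may be larger than the count field holds (presumably 8 bits; confirm against `ata_command`), so a clamp there is worth adding. The enclosing function starts above this hunk.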
+diff -u -r sys.orig/modules/ipfw/Makefile sys/modules/ipfw/Makefile
+--- sys.orig/modules/ipfw/Makefile Fri Feb 14 15:09:21 2003
++++ sys/modules/ipfw/Makefile Mon May 9 21:19:08 2005
+@@ -16,7 +16,7 @@
+ #CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
+ #
+ #If you want it to pass all packets by default
+-#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
++CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
+ #
+
+ .include <bsd.kmod.mk>
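Review bot: Building the ipfw module with `-DIPFIREWALL_DEFAULT_TO_ACCEPT` makes it fail open: whenever the module is loaded with an empty or partially loaded rule set, its implicit last rule passes traffic instead of dropping it. If ipfw is only used here alongside a default-deny ipfilter configuration (the kernel config sets `IPFILTER_DEFAULT_BLOCK`), that may be intended, but the remaining comment does not say so. I would replace `#If you want it to pass all packets by default` with a line stating why accept is required and which component enforces default deny, so the setting is not copied into a build where ipfw is the only filter.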
+diff -u -r sys.orig/pci/if_sis.c sys/pci/if_sis.c
+--- sys.orig/pci/if_sis.c Fri Apr 23 00:03:28 2004
++++ sys/pci/if_sis.c Fri May 27 06:49:50 2005
+@@ -921,6 +921,7 @@
+ struct sis_softc *sc;
+ {
+ register int i;
++ u_int32_t ns_srr;
+
+ SIS_SETBIT(sc, SIS_CSR, SIS_CSR_RESET);
+
+@@ -942,6 +943,54 @@
+ if (sc->sis_type == SIS_TYPE_83815) {
+ CSR_WRITE_4(sc, NS_CLKRUN, NS_CLKRUN_PMESTS);
+ CSR_WRITE_4(sc, NS_CLKRUN, 0);
++
++ /*
++ * Page 78 of the DP83815 manual recommends the
++ * following (0x300 case) register settings "for optimum
++ * performance." Note however that at least three
++ * of the registers are listed as "reserved" in
++ * the register map, so who knows what they do.
++ *
++ * This has now been updated for various chip revisions,
++ * as "documented" in the NatSemi Linux driver.
++ *
++ * The documented 83815/83816 SRR values are:
++ * DP83815CVNG 0x00000302
++ * DP83815DVNG/UJB 0x00000403
++ * DP83816AVNG 0x00000505
++ */
++
++ ns_srr = CSR_READ_4(sc, NS_SRR);
++ switch ( ns_srr & 0xF00 ) {
++
++ case 0x200:
++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001);
++ CSR_WRITE_4(sc, NS_PHY_CR, 0x0802);
++ CSR_WRITE_4(sc, NS_PHY_FCSCR, 0x0010);
++ CSR_WRITE_4(sc, NS_PHY_SDCFG, 0x0333);
++ CSR_WRITE_4(sc, NS_PHY_10BTSCR, 0x0860);
++ CSR_WRITE_4(sc, NS_PHY_RECR, 0x2100);
++ CSR_WRITE_4(sc, 0xE0, 0x4F48);
++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0000);
++ SIS_SETBIT(sc, NS_PHY_10BTSCR, 0x04);
++ break;
++
++ case 0x300:
++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001);
++ CSR_WRITE_4(sc, NS_PHY_CR, 0x189C);
++ CSR_WRITE_4(sc, NS_PHY_TDATA, 0x0000);
++ CSR_WRITE_4(sc, NS_PHY_DSPCFG, 0x5040);
++ CSR_WRITE_4(sc, NS_PHY_SDCFG, 0x008C);
++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0000);
++ break;
++
++ case 0x400:
++ case 0x500:
++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001);
++ CSR_WRITE_4(sc, NS_PHY_CR, 0x189C);
++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0000);
++ break;
++ }
+ }
+
+ return;
+@@ -1823,6 +1872,7 @@
+ * Cancel pending I/O and free all RX/TX buffers.
+ */
+ sis_stop(sc);
++ sc->sis_stopped = 0;
+
+ mii = device_get_softc(sc->sis_miibus);
+
+@@ -1940,27 +1990,46 @@
+ SIS_CLRBIT(sc, SIS_RX_CFG, SIS_RXCFG_RX_TXPKTS);
+ }
+
+- if (sc->sis_type == SIS_TYPE_83815 &&
+- IFM_SUBTYPE(mii->mii_media_active) == IFM_100_TX) {
+- uint32_t reg;
++ if ( sc->sis_type == SIS_TYPE_83815 ) {
++ uint32_t phy_status, ns_srr, tmp_val;
+
+ /*
+ * Some DP83815s experience problems when used with short
+ * (< 30m/100ft) Ethernet cables in 100BaseTX mode. This
+ * sequence adjusts the DSP's signal attenuation to fix the
+ * problem.
++ *
++ * This has now been updated to duplicate the logic in
++ * the NatSemi Linux driver.
+ */
+- CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001);
+
+- reg = CSR_READ_4(sc, NS_PHY_DSPCFG);
+- CSR_WRITE_4(sc, NS_PHY_DSPCFG, (reg & 0xfff) | 0x1000);
+- DELAY(100);
+- reg = CSR_READ_4(sc, NS_PHY_TDATA);
+- if ((reg & 0x0080) == 0 || (reg & 0xff) >= 0xd8) {
+- CSR_WRITE_4(sc, NS_PHY_TDATA, 0x00e8);
+- SIS_SETBIT(sc, NS_PHY_DSPCFG, 0x20);
++ phy_status = CSR_READ_4(sc, NS_PHY_PHYSTS);
++ /* Check for link valid and not 10Mb */
++ if ( (phy_status & 0x03) == 0x01 ) {
++ ns_srr = CSR_READ_4(sc, NS_SRR);
++ switch ( ns_srr & 0xF00 ) {
++
++ case 0x500:
++ if ( (ns_srr & 0xFFF) == 0x505 ) break;
++ case 0x300:
++ case 0x400:
++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001);
++ tmp_val = CSR_READ_4(sc, NS_PHY_DSPCFG);
++ tmp_val = (tmp_val & 0x0FFF) | 0x1000;
++ CSR_WRITE_4(sc, NS_PHY_DSPCFG, tmp_val);
++ DELAY(2000);
++ tmp_val = CSR_READ_4(sc, NS_PHY_TDATA);
++ tmp_val &= 0x00FF;
++ if ( tmp_val < 0x80
++ || tmp_val >= 0xD8 ) {
++ CSR_WRITE_4(sc, NS_PHY_TDATA,
++ 0x00E8);
++ SIS_SETBIT(sc, NS_PHY_DSPCFG,
++ 0x20);
++ }
++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0000);
++ }
+ }
+- CSR_WRITE_4(sc, NS_PHY_PAGE, 0);
+ }
+
+ /*
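Review bot: `case 0x500:` runs into `case 0x300:` whenever the revision is not exactly 0x505, and nothing marks that as deliberate. A `/* FALLTHROUGH */` comment after `if ( (ns_srr & 0xFFF) == 0x505 ) break;` would stop a later edit or a lint pass from "fixing" it. The bare `0x03` and `0x01` tested against `phy_status` would read better as named bits next to `NS_PHY_PHYSTS` in if_sisreg.h. The enclosing function starts and ends outside this hunk.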
+@@ -1986,21 +2055,6 @@
+ mii_mediachg(mii);
+ #endif
+
+- /*
+- * Page 75 of the DP83815 manual recommends the
+- * following register settings "for optimum
+- * performance." Note however that at least three
+- * of the registers are listed as "reserved" in
+- * the register map, so who knows what they do.
+- */
+- if (sc->sis_type == SIS_TYPE_83815) {
+- CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001);
+- CSR_WRITE_4(sc, NS_PHY_CR, 0x189C);
+- CSR_WRITE_4(sc, NS_PHY_TDATA, 0x0000);
+- CSR_WRITE_4(sc, NS_PHY_DSPCFG, 0x5040);
+- CSR_WRITE_4(sc, NS_PHY_SDCFG, 0x008C);
+- }
+-
+ ifp->if_flags |= IFF_RUNNING;
+ ifp->if_flags &= ~IFF_OACTIVE;
+
+@@ -2138,6 +2192,9 @@
+ register int i;
+ struct ifnet *ifp;
+
++ if (sc->sis_stopped)
++ return;
++
+ ifp = &sc->arpcom.ac_if;
+ ifp->if_timer = 0;
+
+@@ -2180,6 +2237,8 @@
+
+ bzero((char *)&sc->sis_ldata->sis_tx_list,
+ sizeof(sc->sis_ldata->sis_tx_list));
++
++ sc->sis_stopped = 1;
+
+ return;
+ }
+diff -u -r sys.orig/pci/if_sisreg.h sys/pci/if_sisreg.h
+--- sys.orig/pci/if_sisreg.h Wed Feb 5 22:49:01 2003
++++ sys/pci/if_sisreg.h Fri May 27 06:13:22 2005
+@@ -76,6 +76,7 @@
+
+ /* NS DP83815 registers */
+ #define NS_CLKRUN 0x3C
++#define NS_SRR 0x58
+ #define NS_BMCR 0x80
+ #define NS_BMSR 0x84
+ #define NS_PHYIDR1 0x88
+@@ -85,6 +86,9 @@
+ #define NS_ANER 0x98
+ #define NS_ANNPTR 0x9C
+
++#define NS_PHY_PHYSTS 0xC0
++#define NS_PHY_FCSCR 0xD0
++#define NS_PHY_RECR 0xD4
+ #define NS_PHY_CR 0xE4
+ #define NS_PHY_10BTSCR 0xE8
+ #define NS_PHY_PAGE 0xCC
+@@ -444,6 +448,7 @@
+ struct sis_list_data *sis_ldata;
+ struct sis_ring_data sis_cdata;
+ struct callout_handle sis_stat_ch;
++ int sis_stopped;
+ #ifdef DEVICE_POLLING
+ int rxcycles;
+ #endif
+diff -u -r sys.orig/dev/wi/if_wi.c sys/dev/wi/if_wi.c
+--- sys.orig/dev/wi/if_wi.c Tue May 18 08:57:33 2004
++++ sys/dev/wi/if_wi.c Sat Jun 18 19:48:38 2005
+@@ -1018,9 +1018,11 @@
+ * set in the event status register.
+ */
+ s = CSR_READ_2(sc, WI_EVENT_STAT);
++ DELAY(1);
+ if (s & WI_EV_CMD) {
+ /* Ack the event and read result code. */
+ s = CSR_READ_2(sc, WI_STATUS);
++ DELAY(1);
+ CSR_WRITE_2(sc, WI_EVENT_ACK, WI_EV_CMD);
+ #ifdef foo
+ if ((s & WI_CMD_CODE_MASK) != (cmd & WI_CMD_CODE_MASK))
+diff -u -r sys.orig/pci/if_xl.c sys/pci/if_xl.c
+--- sys.orig/pci/if_xl.c Fri Aug 13 16:42:18 2004
++++ sys/pci/if_xl.c Sat Jun 18 19:57:54 2005
+@@ -188,6 +188,8 @@
+ "3Com 3c905C-TX Fast Etherlink XL" },
+ { TC_VENDORID, TC_DEVICEID_TORNADO_10_100BT_920B,
+ "3Com 3c920B-EMB Integrated Fast Etherlink XL" },
++ { TC_VENDORID, TC_DEVICEID_TORNADO_10_100BT_920B_WNM,
++ "3Com 3c920B-EMB-WNM Integrated Fast Etherlink XL" },
+ { TC_VENDORID, TC_DEVICEID_HURRICANE_10_100BT_SERV,
+ "3Com 3c980 Fast Etherlink XL" },
+ { TC_VENDORID, TC_DEVICEID_TORNADO_10_100BT_SERV,
+@@ -1268,6 +1270,7 @@
+ case TC_DEVICEID_HURRICANE_656B: /* 3c656B */
+ case TC_DEVICEID_TORNADO_656C: /* 3c656C */
+ case TC_DEVICEID_TORNADO_10_100BT_920B: /* 3c920B-EMB */
++ case TC_DEVICEID_TORNADO_10_100BT_920B_WNM: /* 3c920B-EMB-WNM */
+ sc->xl_media = XL_MEDIAOPT_MII;
+ sc->xl_xcvr = XL_XCVR_MII;
+ if (verbose)
+@@ -1365,7 +1368,8 @@
+ pci_get_device(dev) == TC_DEVICEID_HURRICANE_656B)
+ sc->xl_flags |= XL_FLAG_INVERT_MII_PWR |
+ XL_FLAG_INVERT_LED_PWR;
+- if (pci_get_device(dev) == TC_DEVICEID_TORNADO_10_100BT_920B)
++ if (pci_get_device(dev) == TC_DEVICEID_TORNADO_10_100BT_920B ||
++ pci_get_device(dev) == TC_DEVICEID_TORNADO_10_100BT_920B_WNM)
+ sc->xl_flags |= XL_FLAG_PHYOK;
+ #ifndef BURN_BRIDGES
+ /*
+diff -u -r sys.orig/pci/if_xlreg.h sys/pci/if_xlreg.h
+--- sys.orig/pci/if_xlreg.h Sun Aug 10 23:55:57 2003
++++ sys/pci/if_xlreg.h Sat Jun 18 19:58:13 2005
+@@ -683,6 +683,7 @@
+ #define TC_DEVICEID_CYCLONE_10_100FX 0x905A
+ #define TC_DEVICEID_TORNADO_10_100BT 0x9200
+ #define TC_DEVICEID_TORNADO_10_100BT_920B 0x9201
++#define TC_DEVICEID_TORNADO_10_100BT_920B_WNM 0x9202
+ #define TC_DEVICEID_HURRICANE_10_100BT_SERV 0x9800
+ #define TC_DEVICEID_TORNADO_10_100BT_SERV 0x9805
+ #define TC_DEVICEID_HURRICANE_SOHO100TX 0x7646
--- /dev/null
+--- ez-ipupdate.c.orig Tue Mar 12 00:31:47 2002
++++ ez-ipupdate.c Sun May 8 13:18:47 2005
+@@ -798,7 +798,7 @@
+ sprintf(buf, "message incomplete because your OS sucks: %s\n", fmt);
+ #endif
+
+- syslog(LOG_NOTICE, buf);
++ syslog(LOG_NOTICE, "%s", buf);
+ }
+ else
+ {
+@@ -1602,26 +1602,23 @@
+ return(bread);
+ }
+
+-int get_if_addr(int sock, char *name, struct sockaddr_in *sin)
++int get_if_addr(char *name, struct sockaddr_in *sin)
+ {
+ #ifdef IF_LOOKUP
+ struct ifreq ifr;
++ int mysock;
++
++ mysock = socket(AF_INET, SOCK_DGRAM, 0);
+
+ memset(&ifr, 0, sizeof(ifr));
+ strcpy(ifr.ifr_name, name);
+- /* why does this need to be done twice? */
+- if(ioctl(sock, SIOCGIFADDR, &ifr) < 0)
+- {
+- perror("ioctl(SIOCGIFADDR)");
+- memset(sin, 0, sizeof(struct sockaddr_in));
+- dprintf((stderr, "%s: %s\n", name, "unknown interface"));
+- return -1;
+- }
+- if(ioctl(sock, SIOCGIFADDR, &ifr) < 0)
++
++ if(ioctl(mysock, SIOCGIFADDR, &ifr) < 0)
+ {
+ perror("ioctl(SIOCGIFADDR)");
+ memset(sin, 0, sizeof(struct sockaddr_in));
+ dprintf((stderr, "%s: %s\n", name, "unknown interface"));
++ close(mysock);
+ return -1;
+ }
+
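Review bot: The result of `socket()` is never checked before `mysock` is handed to `ioctl()` and `close()`; on failure the caller gets a misleading `ioctl(SIOCGIFADDR)` error and `close(-1)` is called. Add `if(mysock < 0) { perror("socket"); memset(sin, 0, sizeof(struct sockaddr_in)); return -1; }` right after the call. While this function is being reworked, the unchanged `strcpy(ifr.ifr_name, name);` copies a caller-supplied interface name into a fixed-size field with no bound. Because `ifr` was just zeroed, `strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name) - 1);` is enough to bound it. The function body continues in the next hunk.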
+@@ -1629,14 +1626,17 @@
+ {
+ memcpy(sin, &(ifr.ifr_addr), sizeof(struct sockaddr_in));
+ dprintf((stderr, "%s: %s\n", name, inet_ntoa(sin->sin_addr)));
++ close(mysock);
+ return 0;
+ }
+ else
+ {
+ memset(sin, 0, sizeof(struct sockaddr_in));
+ dprintf((stderr, "%s: %s\n", name, "could not resolve interface"));
++ close(mysock);
+ return -1;
+ }
++ close(mysock);
+ return -1;
+ #else
+ return -1;
+@@ -4487,13 +4487,6 @@
+ if(mx == NULL) { mx = strdup(""); }
+ if(url == NULL) { url = strdup(""); }
+
+-#ifdef IF_LOOKUP
+- if(options & OPT_DAEMON)
+- {
+- sock = socket(AF_INET, SOCK_STREAM, 0);
+- }
+-#endif
+-
+ if(options & OPT_DAEMON)
+ {
+ int local_update_period = update_period;
+@@ -4584,7 +4577,7 @@
+ }
+ #endif
+
+- if(get_if_addr(sock, interface, &sin2) == 0)
++ if(get_if_addr(interface, &sin2) == 0)
+ {
+ ifresolve_warned = 0;
+ if(memcmp(&sin.sin_addr, &sin2.sin_addr, sizeof(struct in_addr)) != 0 ||
+@@ -4607,6 +4600,19 @@
+ show_message("successful update for %s->%s (%s)\n",
+ interface, inet_ntoa(sin.sin_addr), N_STR(host));
+
++ if(cache_file)
++ {
++ char ipbuf[64];
++
++ snprintf(ipbuf, sizeof(ipbuf), "%s", inet_ntoa(sin.sin_addr));
++
++ if(write_cache_file(cache_file, last_update, ipbuf) != 0)
++ {
++ show_message("unable to write cache file \"%s\": %s\n",
++ cache_file, error_string);
++ }
++ }
++
+ if(post_update_cmd)
+ {
+ int res;
+@@ -4631,19 +4637,6 @@
+ }
+ }
+ }
+-
+- if(cache_file)
+- {
+- char ipbuf[64];
+-
+- snprintf(ipbuf, sizeof(ipbuf), "%s", inet_ntoa(sin.sin_addr));
+-
+- if(write_cache_file(cache_file, last_update, ipbuf) != 0)
+- {
+- show_message("unable to write cache file \"%s\": %s\n",
+- cache_file, error_string);
+- }
+- }
+ }
+ else
+ {
+@@ -4743,14 +4736,11 @@
+ {
+ #ifdef IF_LOOKUP
+ struct sockaddr_in sin;
+- int sock;
+
+- sock = socket(AF_INET, SOCK_STREAM, 0);
+- if(get_if_addr(sock, interface, &sin) != 0)
++ if(get_if_addr(interface, &sin) != 0)
+ {
+ exit(1);
+ }
+- close(sock);
+ snprintf(ipbuf, sizeof(ipbuf), "%s", inet_ntoa(sin.sin_addr));
+ #else
+ fprintf(stderr, "interface lookup not enabled at compile time\n");
+@@ -4789,10 +4779,8 @@
+ if(address == NULL && interface != NULL)
+ {
+ struct sockaddr_in sin;
+- int sock;
+
+- sock = socket(AF_INET, SOCK_STREAM, 0);
+- if(get_if_addr(sock, interface, &sin) == 0)
++ if(get_if_addr(interface, &sin) == 0)
+ {
+ if(address) { free(address); }
+ address = strdup(inet_ntoa(sin.sin_addr));
+@@ -4802,7 +4790,6 @@
+ show_message("could not resolve ip address for %s.\n", interface);
+ exit(1);
+ }
+- close(sock);
+ }
+
+ for(i=0; i<ntrys; i++)
+@@ -4814,26 +4801,6 @@
+ }
+ if(i+1 != ntrys) { sleep(10 + 10*i); }
+ }
+- if(retval == 0 && post_update_cmd)
+- {
+- if((res=exec_cmd(post_update_cmd)) != 0)
+- {
+- if(!(options & OPT_QUIET))
+- {
+- if(res == -1)
+- {
+- fprintf(stderr, "error running post update command: %s\n",
+- error_string);
+- }
+- else
+- {
+- fprintf(stderr,
+- "error running post update command, command exit code: %d\n",
+- res);
+- }
+- }
+- }
+- }
+
+ // write cache file
+ if(retval == 0 && cache_file)
+@@ -4844,14 +4811,11 @@
+ {
+ #ifdef IF_LOOKUP
+ struct sockaddr_in sin;
+- int sock;
+
+- sock = socket(AF_INET, SOCK_STREAM, 0);
+- if(get_if_addr(sock, interface, &sin) != 0)
++ if(get_if_addr(interface, &sin) != 0)
+ {
+ exit(1);
+ }
+- close(sock);
+ snprintf(ipbuf, sizeof(ipbuf), "%s", inet_ntoa(sin.sin_addr));
+ #else
+ fprintf(stderr, "interface lookup not enabled at compile time\n");
+@@ -4870,16 +4834,33 @@
+ exit(1);
+ }
+ }
++
++ if(retval == 0 && post_update_cmd)
++ {
++ if((res=exec_cmd(post_update_cmd)) != 0)
++ {
++ if(!(options & OPT_QUIET))
++ {
++ if(res == -1)
++ {
++ fprintf(stderr, "error running post update command: %s\n",
++ error_string);
++ }
++ else
++ {
++ fprintf(stderr,
++ "error running post update command, command exit code: %d\n",
++ res);
++ }
++ }
++ }
++ }
+ }
+ else
+ {
+ fprintf(stderr, "no update needed at this time\n");
+ }
+ }
+-
+-#ifdef IF_LOOKUP
+- if(sock > 0) { close(sock); }
+-#endif
+
+ if(address) { free(address); }
+ if(cache_file) { free(cache_file); }
--- /dev/null
+--- mini_httpd.c.orig Wed Dec 3 19:27:22 2003
++++ mini_httpd.c Sun Dec 18 11:39:28 2005
+@@ -74,7 +74,7 @@
+
+
+ #if defined(AF_INET6) && defined(IN6_IS_ADDR_V4MAPPED)
+-#define USE_IPV6
++/* #define USE_IPV6 */
+ #endif
+
+ #ifndef STDIN_FILENO
+@@ -141,7 +141,7 @@
+ #define AUTH_FILE ".htpasswd"
+ #endif /* AUTH_FILE */
+ #ifndef READ_TIMEOUT
+-#define READ_TIMEOUT 60
++#define READ_TIMEOUT 30
+ #endif /* READ_TIMEOUT */
+ #ifndef WRITE_TIMEOUT
+ #define WRITE_TIMEOUT 300
+@@ -167,13 +167,25 @@
+ #endif /* USE_IPV6 */
+ } usockaddr;
+
++typedef struct {
++ int cpid; /* child PID - 0 if unused */
++ in_addr_t caddr; /* client address */
++} conninfo;
+
+ static char* argv0;
+ static int debug;
+ static unsigned short port;
++static conninfo* clients;
++static int maxproc;
++static int maxperip;
++static sigset_t sigchildset;
++static int currproc;
+ static char* dir;
+ static char* data_dir;
+ static int do_chroot;
++static int captivemode;
++static char* cpelementpath;
++static char* cpelementhost;
+ static int vhost;
+ static char* user;
+ static char* cgi_pattern;
+@@ -209,6 +221,7 @@
+ static size_t request_size, request_len, request_idx;
+ static int method;
+ static char* path;
++static char* captive_reqpath;
+ static char* file;
+ static char* pathinfo;
+ struct stat sb;
+@@ -322,9 +335,15 @@
+ argv0 = argv[0];
+ debug = 0;
+ port = 0;
++ maxproc = 16 ;
++ maxperip = 0 ;
++ currproc = 0 ;
+ dir = (char*) 0;
+ data_dir = (char*) 0;
+ do_chroot = 0;
++ captivemode = 0;
++ cpelementpath = NULL;
++ captive_reqpath = NULL;
+ vhost = 0;
+ cgi_pattern = (char*) 0;
+ url_pattern = (char*) 0;
+@@ -377,6 +396,20 @@
+ ++argn;
+ port = (unsigned short) atoi( argv[argn] );
+ }
++ else if ( strcmp( argv[argn], "-maxproc" ) == 0 && argn + 1 < argc )
++ {
++ ++argn;
++ maxproc = (unsigned short) atoi( argv[argn] );
++ if (maxproc <= 0)
++ usage();
++ }
++ else if ( strcmp( argv[argn], "-maxperip" ) == 0 && argn + 1 < argc )
++ {
++ ++argn;
++ maxperip = (unsigned short) atoi( argv[argn] );
++ if (maxperip < 0)
++ usage();
++ }
+ else if ( strcmp( argv[argn], "-d" ) == 0 && argn + 1 < argc )
+ {
+ ++argn;
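Review bot: The `(unsigned short)` cast on both new options defeats the range checks that follow: `-maxperip -1` becomes 65535, so `if (maxperip < 0)` can never be true, and `-maxproc 65536` wraps to 0 and is reported as a usage error. A non-numeric argument also parses as 0, which for `-maxperip` silently turns the per-address limit off. Dropping the cast (`maxproc = atoi( argv[argn] );`, `maxperip = atoi( argv[argn] );`) makes the existing comparisons work; `strtol` with an end-pointer check would additionally reject trailing garbage. An upper bound on `maxproc` is worth adding as well, because it sizes the `clients` allocation.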
+@@ -431,12 +464,24 @@
+ ++argn;
+ max_age = atoi( argv[argn] );
+ }
++ else if ( strcmp( argv[argn], "-cpelement" ) == 0 && argn + 2 < argc )
++ {
++ ++argn;
++ cpelementpath = argv[argn];
++ ++argn;
++ cpelementhost = argv[argn];
++ }
++ else if ( strcmp( argv[argn], "-a" ) == 0 )
++ captivemode = 1;
+ else
+ usage();
+ ++argn;
+ }
+ if ( argn != argc )
+ usage();
++
++ if (maxproc < maxperip)
++ usage();
+
+ cp = strrchr( argv0, '/' );
+ if ( cp != (char*) 0 )
+@@ -445,6 +490,16 @@
+ cp = argv0;
+ openlog( cp, LOG_NDELAY|LOG_PID, LOG_DAEMON );
+
++ if (maxperip != 0) {
++ int i;
++ clients = e_malloc(sizeof(conninfo) * maxproc);
++ for (i = 0; i < maxproc; i++)
++ clients[i].cpid = 0;
++
++ sigemptyset(&sigchildset);
++ sigaddset(&sigchildset, SIGCHLD);
++ }
++
+ if ( port == 0 )
+ {
+ #ifdef USE_SSL
+@@ -722,6 +777,7 @@
+ exit( 1 );
+ }
+ /* Check for unnecessary security exposure. */
++ /*
+ if ( ! do_chroot )
+ {
+ syslog( LOG_WARNING,
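Review bot: Commenting out this block removes the only signal that the server was started as root without `chroot()`; after the change that configuration is silent in both syslog and stderr (the comment closes in the next hunk). If the console message is what needs to go, keep the `syslog( LOG_WARNING, ... )` call and drop only the `fprintf`. If both must go for this platform, `#if 0` with a one-line reason is safer than `/* ... */` around code, which breaks as soon as someone adds a comment inside it.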
+@@ -729,6 +785,7 @@
+ (void) fprintf( stderr,
+ "%s: started as root without requesting chroot(), warning only\n", argv0 );
+ }
++ */
+ }
+
+ /* Catch various signals. */
+@@ -751,6 +808,7 @@
+
+ init_mime();
+
++ /*
+ if ( hostname == (char*) 0 )
+ syslog(
+ LOG_NOTICE, "%.80s starting on port %d", SERVER_SOFTWARE,
+@@ -759,7 +817,8 @@
+ syslog(
+ LOG_NOTICE, "%.80s starting on %.80s, port %d", SERVER_SOFTWARE,
+ hostname, (int) port );
+-
++ */
++
+ /* Main loop. */
+ for (;;)
+ {
+@@ -816,7 +875,7 @@
+ }
+ if ( conn_fd < 0 )
+ {
+- if ( errno == EINTR || errno == EAGAIN )
++ if ( errno == EINTR || errno == EAGAIN || errno == ECONNABORTED )
+ continue; /* try again */
+ #ifdef EPROTO
+ if ( errno == EPROTO )
+@@ -827,6 +886,36 @@
+ exit( 1 );
+ }
+
++ /* If we've reached max child procs, then close the connection -
++ don't attempt to send back a response since that itself may
++ cause our process to hang. */
++ if (currproc >= maxproc) {
++ close(conn_fd) ;
++ continue ;
++ }
++
++ sigprocmask(SIG_BLOCK, &sigchildset, NULL);
++
++ /* If maxperip is enabled, count the number of existing connections
++ from this client and close the connection if the max is exceeded. */
++ if (maxperip != 0) {
++ int i;
++ int nconns = 0;
++
++ for (i = 0; i < maxproc; i++) {
++ if (clients[i].cpid == 0)
++ continue;
++ else if (clients[i].caddr == usa.sa_in.sin_addr.s_addr)
++ nconns++;
++ }
++
++ if (nconns >= maxperip) {
++ close(conn_fd);
++ sigprocmask(SIG_UNBLOCK, &sigchildset, NULL);
++ continue;
++ }
++ }
++
+ /* Fork a sub-process to handle the connection. */
+ r = fork();
+ if ( r < 0 )
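Review bot: `sigchildset` is only initialised inside `if (maxperip != 0)` during startup, yet `sigprocmask(SIG_BLOCK, &sigchildset, NULL)` here and the matching unblock after the fork run unconditionally. With `-maxperip` unset the mask is whatever the static storage holds, so SIGCHLD is presumably not blocked, and the `currproc++` in the next hunk can interleave with the child-exit handler (not visible here, but it has to decrement `currproc` for the limit to work). Moving `sigemptyset(&sigchildset); sigaddset(&sigchildset, SIGCHLD);` out of the conditional fixes that. The `currproc >= maxproc` test is also read before the block call; taking it after `sigprocmask`, with an unblock before `continue`, keeps every access to the counter under the same protection. The enclosing loop starts and ends outside this hunk.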
+@@ -846,6 +935,26 @@
+ handle_request();
+ exit( 0 );
+ }
++
++ currproc++;
++
++ if (maxperip != 0) {
++ int i;
++
++ /* record in table of clients */
++ for (i = 0; i < maxproc; i++) {
++ if (clients[i].cpid == 0) {
++ clients[i].cpid = r;
++ clients[i].caddr = usa.sa_in.sin_addr.s_addr;
++ break;
++ }
++ }
++
++ if (i == maxproc)
++ syslog(LOG_CRIT, "client connection table full!");
++ }
++ sigprocmask(SIG_UNBLOCK, &sigchildset, NULL);
++
+ (void) close( conn_fd );
+ }
+ }
+@@ -855,9 +964,9 @@
+ usage( void )
+ {
+ #ifdef USE_SSL
+- (void) fprintf( stderr, "usage: %s [-C configfile] [-D] [-S] [-E certfile] [-Y cipher] [-p port] [-d dir] [-dd data_dir] [-c cgipat] [-u user] [-h hostname] [-r] [-v] [-l logfile] [-i pidfile] [-T charset] [-P P3P] [-M maxage]\n", argv0 );
++ (void) fprintf( stderr, "usage: %s [-C configfile] [-D] [-S] [-E certfile] [-Y cipher] [-p port] [-d dir] [-dd data_dir] [-c cgipat] [-u user] [-h hostname] [-r] [-v] [-l logfile] [-i pidfile] [-T charset] [-P P3P] [-M maxage] [-maxproc max_concurrent_procs] [-maxperip max_concurrent_procs_per_ip] [-cpelement path host]\n", argv0 );
+ #else /* USE_SSL */
+- (void) fprintf( stderr, "usage: %s [-C configfile] [-D] [-p port] [-d dir] [-dd data_dir] [-c cgipat] [-u user] [-h hostname] [-r] [-v] [-l logfile] [-i pidfile] [-T charset] [-P P3P] [-M maxage]\n", argv0 );
++ (void) fprintf( stderr, "usage: %s [-C configfile] [-D] [-p port] [-d dir] [-dd data_dir] [-c cgipat] [-u user] [-h hostname] [-r] [-v] [-l logfile] [-i pidfile] [-T charset] [-P P3P] [-M maxage] [-maxproc max_concurrent_procs] [-maxperip max_concurrent_procs_per_ip] [-cpelement path host]\n", argv0 );
+ #endif /* USE_SSL */
+ exit( 1 );
+ }
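Review bot: The new `-a` switch that turns on captive mode is parsed in `main` but appears in neither usage string, while `-maxproc`, `-maxperip` and `-cpelement` were added. Adding `[-a]` to both strings keeps the help text complete. Since `-a` changes how every request is routed, it should not be an undocumented option.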
+@@ -1128,7 +1237,7 @@
+ char* cp;
+ int r, file_len, i;
+ const char* index_names[] = {
+- "index.html", "index.htm", "index.xhtml", "index.xht", "Default.htm",
++ "index.php", "index.html", "index.htm", "index.xhtml", "index.xht", "Default.htm",
+ "index.cgi" };
+
+ /* Set up the timeout for reading. */
+@@ -1166,9 +1275,11 @@
+ ** solution is writev() (as used in thttpd), or send the headers with
+ ** send(MSG_MORE) (only available in Linux so far).
+ */
++ /*
+ r = 1;
+ (void) setsockopt(
+ conn_fd, IPPROTO_TCP, TCP_NOPUSH, (void*) &r, sizeof(r) );
++ */
+ #endif /* TCP_NOPUSH */
+
+ #ifdef USE_SSL
+@@ -1215,11 +1326,13 @@
+ send_error( 400, "Bad Request", "", "Can't parse request." );
+ *protocol++ = '\0';
+ protocol += strspn( protocol, " \t\012\015" );
+- query = strchr( path, '?' );
+- if ( query == (char*) 0 )
+- query = "";
+- else
+- *query++ = '\0';
++ if (!captivemode) {
++ query = strchr( path, '?' );
++ if ( query == (char*) 0 )
++ query = "";
++ else
++ *query++ = '\0';
++ }
+
+ /* Parse the rest of the request headers. */
+ while ( ( line = get_request_line() ) != (char*) 0 )
+@@ -1286,6 +1399,81 @@
+ method = METHOD_POST;
+ else
+ send_error( 501, "Not Implemented", "", "That method is not implemented." );
++
++ if (captivemode) {
++ /* only accept GET in captive portal mode */
++ int iscpelement = 0;
++
++ captive_reqpath = path;
++
++ if (cpelementpath != NULL && cpelementhost != NULL &&
++ host != NULL && strcmp(cpelementhost, host) == 0) {
++ /* the host name in the request headers matches our host name;
++ see if the request matches a CP element */
++ char *mypath, *myfile;
++
++ mypath = e_strdup(path);
++
++ strdecode(mypath, mypath);
++ if (mypath[0] == '/') {
++ myfile = &(mypath[1]);
++ de_dotdot( myfile );
++
++ iscpelement = 1;
++
++ /* any slashes left? */
++ for (i = 0; myfile[i]; i++) {
++ if (myfile[i] == '/') {
++ iscpelement = 0;
++ break;
++ }
++ }
++
++ if (iscpelement && myfile[0] != '\0' &&
++ !(myfile[0] == '.' && myfile[1] == '.' &&
++ myfile[2] == '\0')) {
++
++ char *cpelpath;
++
++ iscpelement = 0;
++
++ /* see if that CP element exists */
++ cpelpath = e_malloc(strlen(myfile) + strlen(cpelementpath) + 2);
++
++ strcpy(cpelpath, cpelementpath);
++ strcat(cpelpath, "/");
++ strcat(cpelpath, myfile);
++
++ r = stat(cpelpath, &sb);
++ if (r == 0 && !S_ISDIR(sb.st_mode)) {
++ iscpelement = 1;
++ file = cpelpath;
++ path = mypath;
++ pathinfo = 0;
++ }
++ } else {
++ iscpelement = 0;
++ }
++ }
++ }
++
++ /* Set up the timeout for writing. */
++#ifdef HAVE_SIGSET
++ (void) sigset( SIGALRM, handle_write_timeout );
++#else /* HAVE_SIGSET */
++ (void) signal( SIGALRM, handle_write_timeout );
++#endif /* HAVE_SIGSET */
++ (void) alarm( WRITE_TIMEOUT );
++
++ if (iscpelement) {
++ do_file();
++ } else {
++ path = "/index.php";
++ file = "index.php";
++ do_cgi();
++ }
++
++ } else {
+
+ strdecode( path, path );
+ if ( path[0] != '/' )
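Review bot: The comment `/* only accept GET in captive portal mode */` is not backed by any check: `method` was set just above and a POST still reaches `do_cgi()` through the `else` branch. Either enforce it, e.g. `if ( method != METHOD_GET ) send_error( 501, "Not Implemented", "", "That method is not implemented." );`, or, if the portal page has to receive POSTs, correct the comment so nobody relies on a restriction that is not there. The single-component check on `myfile` still lets dot-files inside `cpelementpath` through to `do_file()`; confirm that directory never holds anything that should not be served. The enclosing function starts and ends outside this hunk.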
+@@ -1360,7 +1548,7 @@
+
+ got_one: ;
+ }
+-
++ }
+ #ifdef USE_SSL
+ SSL_free( ssl );
+ #endif /* USE_SSL */
+@@ -2117,6 +2305,7 @@
+ int envn;
+ char* cp;
+ char buf[256];
++ char rp[MAXPATHLEN];
+
+ envn = 0;
+ envp[envn++] = build_env( "PATH=%s", CGI_PATH );
+@@ -2135,6 +2324,7 @@
+ envp[envn++] = build_env(
+ "REQUEST_METHOD=%s", get_method_str( method ) );
+ envp[envn++] = build_env( "SCRIPT_NAME=%s", path );
++ envp[envn++] = build_env( "SCRIPT_FILENAME=%s", realpath(file, rp) );
+ if ( pathinfo != (char*) 0 )
+ {
+ envp[envn++] = build_env( "PATH_INFO=/%s", pathinfo );
+@@ -2166,6 +2356,9 @@
+ envp[envn++] = build_env( "AUTH_TYPE=%s", "Basic" );
+ if ( getenv( "TZ" ) != (char*) 0 )
+ envp[envn++] = build_env( "TZ=%s", getenv( "TZ" ) );
++
++ if (captive_reqpath != NULL)
++ envp[envn++] = build_env("CAPTIVE_REQPATH=%s", captive_reqpath);
+
+ envp[envn] = (char*) 0;
+ return envp;
+@@ -2341,8 +2534,6 @@
+
+ send_error_body( s, title, text );
+
+- send_error_tail();
+-
+ send_response();
+
+ #ifdef USE_SSL
+@@ -2378,14 +2569,15 @@
+ /* Send built-in error page. */
+ buflen = snprintf(
+ buf, sizeof(buf), "\
+-<HTML>\n\
+-<HEAD><TITLE>%d %s</TITLE></HEAD>\n\
+-<BODY BGCOLOR=\"#cc9999\" TEXT=\"#000000\" LINK=\"#2020ff\" VLINK=\"#4040cc\">\n\
+-<H4>%d %s</H4>\n",
++<html>\n\
++<head><title>%d %s</title></head>\n\
++<body>\n\
++<h3>%d %s</h3>\n",
+ s, title, s, title );
+ add_to_response( buf, buflen );
+ buflen = snprintf( buf, sizeof(buf), "%s\n", text );
+ add_to_response( buf, buflen );
++ send_error_tail();
+ }
+
+
+@@ -2416,7 +2608,7 @@
+ {
+ char buf[500];
+ int buflen;
+-
++/*
+ if ( match( "**MSIE**", useragent ) )
+ {
+ int n;
+@@ -2430,13 +2622,10 @@
+ buflen = snprintf( buf, sizeof(buf), "-->\n" );
+ add_to_response( buf, buflen );
+ }
+-
++*/
+ buflen = snprintf( buf, sizeof(buf), "\
+-<HR>\n\
+-<ADDRESS><A HREF=\"%s\">%s</A></ADDRESS>\n\
+-</BODY>\n\
+-</HTML>\n",
+- SERVER_URL, SERVER_SOFTWARE );
++</body>\n\
++</html>\n");
+ add_to_response( buf, buflen );
+ }
+
+@@ -2457,8 +2646,10 @@
+ start_response();
+ buflen = snprintf( buf, sizeof(buf), "%s %d %s\015\012", protocol, status, title );
+ add_to_response( buf, buflen );
++/*
+ buflen = snprintf( buf, sizeof(buf), "Server: %s\015\012", SERVER_SOFTWARE );
+ add_to_response( buf, buflen );
++*/
+ now = time( (time_t*) 0 );
+ (void) strftime( timebuf, sizeof(timebuf), rfc1123_fmt, gmtime( &now ) );
+ buflen = snprintf( buf, sizeof(buf), "Date: %s\015\012", timebuf );
+@@ -3034,8 +3225,10 @@
+ {
+ /* Don't need to set up the handler again, since it's a one-shot. */
+
++ /*
+ syslog( LOG_NOTICE, "exiting due to signal %d", sig );
+ (void) fprintf( stderr, "%s: exiting due to signal %d\n", argv0, sig );
++ */
+ closelog();
+ exit( 1 );
+ }
+@@ -3096,6 +3289,23 @@
+ }
+ break;
+ }
++ currproc-- ;
++
++ if (maxperip != 0) {
++ int i;
++
++ /* remove from list of clients */
++ for (i = 0; i < maxproc; i++) {
++ if (clients[i].cpid == pid) {
++ clients[i].cpid = 0;
++ break;
++ }
++ }
++
++ if (i == maxproc)
++ syslog(LOG_CRIT, "reaped child %d not found in table!", pid);
++ }
++
+ }
+
+ /* Restore previous errno. */
+@@ -3128,7 +3338,9 @@
+ static void
+ handle_read_timeout( int sig )
+ {
++ /*
+ syslog( LOG_INFO, "%.80s connection timed out reading", ntoa( &client_addr ) );
++ */
+ send_error(
+ 408, "Request Timeout", "",
+ "No request appeared within a reasonable time period." );
--- /dev/null
+--- crypto_openssl.c.orig2 Sat Jun 18 20:46:38 2005
++++ crypto_openssl.c Sat Jun 18 20:48:08 2005
+@@ -32,6 +32,10 @@
+ #include <sys/types.h>
+ #include <sys/param.h>
+
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <arpa/inet.h>
++
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <limits.h>
+@@ -494,12 +498,36 @@
+ goto end;
+ }
+
+- len = gen->d.ia5->length + 1;
+- *altname = racoon_malloc(len);
+- if (!*altname)
+- goto end;
++ if (gen->type == GEN_IPADD && gen->d.ia5->length == 4 /* IPv4 */) {
++ char *ipv4_string = inet_ntoa(*((struct in_addr *)gen->d.iPAddress->data));
++ *altname = NULL;
++ if (ipv4_string) {
++ len = strlen(ipv4_string)+1;
++ *altname = racoon_malloc(len);
++ }
++ if (!*altname) {
++#ifndef EAYDEBUG
++ plog(LLV_ERROR, LOCATION, NULL, "failed to extract ipv4 alt name from certificate\n");
++#else
++ printf("failed to extract ipv4 alt name from certificate\n");
++#endif
++ goto end;
++ }
++ strcpy(*altname, ipv4_string);
++#ifndef EAYDEBUG
++ plog(LLV_DEBUG2, LOCATION, NULL, "extracted ipv4 alt name from certificate: %s\n", *altname);
++#else
++ printf("extracted ipv4 alt name from certificate: %s\n", *altname);
++#endif
++ }
++ else {
++ len = gen->d.ia5->length + 1;
++ *altname = racoon_malloc(len);
++ if (!*altname)
++ goto end;
+
+- strlcpy(*altname, gen->d.ia5->data, len);
++ strlcpy(*altname, gen->d.ia5->data, len);
++ }
+ *type = gen->type;
+
+ error = 0;
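Review bot: In the new `GEN_IPADD` branch only a 4-byte address is converted; any other `GEN_IPADD` length (for example a 16-byte IPv6 entry) falls into the `else` path, where `strlcpy` treats the raw address octets as a C string while `*type` still reports the IP type. An explicit rejection such as `else if (gen->type == GEN_IPADD) goto end;` ahead of the string branch keeps binary data out of whatever compares the alt name later. The length is read through `gen->d.ia5` while the data is read through `gen->d.iPAddress`, and the `struct in_addr *` cast assumes the ASN.1 buffer is suitably aligned; copying the four bytes with `memcpy` into a local `struct in_addr` avoids both. The enclosing function starts and ends outside this hunk, so what `end:` returns on that path is assumed.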
--- /dev/null
+--- isakmp_quick.c.orig Tue Jan 11 02:09:50 2005
++++ isakmp_quick.c Wed Sep 7 17:45:47 2005
+@@ -2031,6 +2031,21 @@
+ "no policy found: %s\n", spidx2str(&spidx));
+ return ISAKMP_INTERNAL_ERROR;
+ }
++
++ /* Refresh existing generated policies
++ */
++ if (iph2->ph1->rmconf->gen_policy) {
++ plog(LLV_INFO, LOCATION, NULL,
++ "Update the generated policy : %s\n",
++ spidx2str(&spidx));
++ iph2->spidx_gen = racoon_malloc(sizeof(spidx));
++ if (!iph2->spidx_gen) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "buffer allocation failed.\n");
++ return ISAKMP_INTERNAL_ERROR;
++ }
++ memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
++ }
+
+ /* get outbound policy */
+ {
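Review bot: `iph2->spidx_gen` is overwritten with a fresh `racoon_malloc` result without looking at its previous value, so if the field can already be set when this path runs (the added comment speaks of refreshing existing policies) the old buffer is leaked on each negotiation. In a daemon whose peers can trigger this path repeatedly that is steady memory growth. Free or reuse the existing allocation first, e.g. `if (iph2->spidx_gen) racoon_free(iph2->spidx_gen);` before the allocation. Whether the field is always NULL at this point depends on code outside the hunk.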
--- /dev/null
+--- dhclient-script.orig Wed Mar 24 19:48:49 2004
++++ dhclient-script Sat Mar 27 09:42:38 2004
+@@ -13,12 +13,13 @@
+ make_resolv_conf() {
+ if [ x"$new_domain_name_servers" != x ]; then
+ if [ "x$new_domain_name" != x ]; then
+- echo search $new_domain_name >/etc/resolv.conf
++ echo $new_domain_name >/var/etc/defaultdomain.conf
+ else
+- rm /etc/resolv.conf
++ rm -f /var/etc/defaultdomain.conf
+ fi
++ rm -f /var/etc/nameservers.conf
+ for nameserver in $new_domain_name_servers; do
+- echo nameserver $nameserver >>/etc/resolv.conf
++ echo $nameserver >>/var/etc/nameservers.conf
+ done
+ fi
+ }
+@@ -69,7 +70,7 @@
+ eval "ifconfig $interface $medium"
+ eval "ifconfig $interface inet -alias 0.0.0.0 $medium" >/dev/null 2>&1
+ sleep 1
+- exit_with_hooks 0
++ exit 0
+ fi
+
+ if [ x$reason = xPREINIT ]; then
+@@ -79,11 +80,11 @@
+ fi
+ ifconfig $interface inet 0.0.0.0 netmask 0.0.0.0 \
+ broadcast 255.255.255.255 up
+- exit_with_hooks 0
++ exit 0
+ fi
+
+ if [ x$reason = xARPCHECK ] || [ x$reason = xARPSEND ]; then
+- exit_with_hooks 0;
++ exit 0;
+ fi
+
+ if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \
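Review bot: In `make_resolv_conf` the DHCP-supplied values are expanded unquoted (`echo $new_domain_name`, `echo $nameserver`), so a lease containing whitespace or glob characters is word-split and pathname-expanded before it is written to the files under `/var/etc`. Quote the expansions, `echo "$new_domain_name" >/var/etc/defaultdomain.conf` and `echo "$nameserver" >>/var/etc/nameservers.conf`, and consider `set -f` around the `for` loop, which still relies on splitting `$new_domain_name_servers`. Whatever consumes these files should treat their content as untrusted network input. The later hunks replace `exit_with_hooks 0` with `exit 0`, presumably on purpose, but that means hook scripts no longer run on those paths; a comment saying so would help the next maintainer.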
--- /dev/null
+--- contrib/ipfilter/ipf.c.orig Sun Jul 4 11:24:39 2004
++++ contrib/ipfilter/ipf.c Sun Apr 24 05:37:52 2005
+@@ -380,13 +380,11 @@
+ if (ioctl(fd, del, &fr) == -1) {
+ fprintf(stderr, "%d:", linenum);
+ perror("ioctl(delete rule)");
+- exit(1);
+ }
+ } else if (!(opts & OPT_DONOTHING)) {
+ if (ioctl(fd, add, &fr) == -1) {
+ fprintf(stderr, "%d:", linenum);
+ perror("ioctl(add/insert rule)");
+- exit(1);
+ }
+ }
+ }
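Review bot: With both `exit(1)` calls removed, a failed `ioctl` for a rule is only printed and processing continues, so the ruleset can end up partially loaded while the program may still finish with status 0. For a packet filter that is a silent gap: the caller cannot tell that a block or pass rule is missing. If continuing past a bad rule is the goal, record the failure (for instance a file-level error counter incremented in both branches) and return a non-zero status once all rules have been processed. The function and its final exit path are outside the hunk, so where the status is returned is for the author to place.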
--- /dev/null
+--- usr.sbin/syslogd/syslogd.c.orig Tue Jun 29 12:07:35 2004
++++ usr.sbin/syslogd/syslogd.c Sun Apr 24 05:59:35 2005
+@@ -69,6 +69,7 @@
+ * by Peter da Silva.
+ * -u and -v by Harlan Stenn.
+ * Priority comparison code by Harlan Stenn.
++ * Ring buffer code by Jeff Wheelhouse.
+ */
+
+ #define MAXLINE 1024 /* maximum line length */
+@@ -89,6 +90,7 @@
+ #include <sys/time.h>
+ #include <sys/resource.h>
+ #include <sys/syslimits.h>
++#include <sys/mman.h>
+ #include <sys/types.h>
+
+ #include <netinet/in.h>
+@@ -111,6 +113,7 @@
+ #include <utmp.h>
+
+ #include "pathnames.h"
++#include "../clog/clog.h"
+ #include "ttymsg.h"
+
+ #define SYSLOG_NAMES
+@@ -125,6 +128,7 @@
+ const char *ConfFile = _PATH_LOGCONF;
+ const char *PidFile = _PATH_LOGPID;
+ const char ctty[] = _PATH_CONSOLE;
++const char ring_magic[] = "CLOG";
+
+ #define dprintf if (Debug) printf
+
+@@ -177,6 +181,11 @@
+ char f_pname[MAXPATHLEN];
+ pid_t f_pid;
+ } f_pipe;
++ struct {
++ char f_rname[MAXPATHLEN];
++ struct clog_footer *f_footer;
++ size_t f_size;
++ } f_ring;
+ } f_un;
+ char f_prevline[MAXSVLINE]; /* last message logged */
+ char f_lasttime[16]; /* time of last occurrence */
+@@ -254,10 +263,12 @@
+ #define F_USERS 5 /* list of users */
+ #define F_WALL 6 /* everyone logged on */
+ #define F_PIPE 7 /* pipe to program */
++#define F_RING 8 /* ring buffer (circular log) */
+
+-const char *TypeNames[8] = {
++const char *TypeNames[9] = {
+ "UNUSED", "FILE", "TTY", "CONSOLE",
+- "FORW", "USERS", "WALL", "PIPE"
++ "FORW", "USERS", "WALL", "PIPE",
++ "RING"
+ };
+
+ static struct filed *Files; /* Log files that we write to */
+@@ -314,6 +325,8 @@
+ static void printline(const char *, char *);
+ static void printsys(char *);
+ static int p_open(const char *, pid_t *);
++ssize_t rbwrite(struct filed *, char *, size_t);
++ssize_t rbwritev(struct filed *, struct iovec *, int);
+ static void readklog(void);
+ static void reapchild(int);
+ static void usage(void);
+@@ -1150,6 +1163,20 @@
+ } else if ((flags & SYNC_FILE) && (f->f_flags & FFLAG_SYNC))
+ (void)fsync(f->f_file);
+ break;
++
++ case F_RING:
++ dprintf(" %s\n", f->f_un.f_ring.f_rname);
++ v->iov_base = "\n";
++ v->iov_len = 1;
++ if (rbwritev(f, iov, 7)==-1) {
++ int e = errno;
++ (void)munmap(f->f_un.f_ring.f_footer,sizeof(struct clog_footer));
++ (void)close(f->f_file);
++ f->f_type = F_UNUSED;
++ errno = e;
++ logerror(f->f_un.f_fname);
++ }
++ break;
+
+ case F_PIPE:
+ dprintf(" %s\n", f->f_un.f_pipe.f_pname);
+@@ -1463,6 +1490,10 @@
+ }
+ f->f_un.f_pipe.f_pid = 0;
+ break;
++ case F_RING:
++ (void)munmap(f->f_un.f_ring.f_footer,sizeof(struct clog_footer));
++ (void)close(f->f_file);
++ break;
+ }
+ next = f->f_next;
+ if (f->f_program) free(f->f_program);
+@@ -1584,6 +1615,10 @@
+ case F_FORW:
+ printf("%s", f->f_un.f_forw.f_hname);
+ break;
++
++ case F_RING:
++ printf("%s", f->f_un.f_ring.f_rname);
++ break;
+
+ case F_PIPE:
+ printf("%s", f->f_un.f_pipe.f_pname);
+@@ -1625,6 +1660,7 @@
+ const char *p, *q;
+ char *bp;
+ char buf[MAXLINE], ebuf[100];
++ struct stat sb;
+
+ dprintf("cfline(\"%s\", f, \"%s\", \"%s\")\n", line, prog, host);
+
+@@ -1812,6 +1848,38 @@
+ f->f_type = F_FILE;
+ }
+ break;
++
++ case '%':
++ if ((f->f_file = open(p+1, O_RDWR, 0 )) < 0) {
++ f->f_type = F_UNUSED;
++ logerror(p+1);
++ break;
++ }
++ if (fstat(f->f_file,&sb)<0) {
++ (void)close(f->f_file);
++ f->f_type = F_UNUSED;
++ logerror(p+1);
++ break;
++ }
++ f->f_un.f_ring.f_footer = mmap(NULL,sizeof(struct clog_footer),PROT_READ|PROT_WRITE,MAP_SHARED,f->f_file,sb.st_size-sizeof(struct clog_footer));
++ if (f->f_un.f_ring.f_footer==NULL) {
++ (void)close(f->f_file);
++ f->f_type = F_UNUSED;
++ logerror(p+1);
++ break;
++ }
++ if (memcmp(&(f->f_un.f_ring.f_footer->cf_magic),MAGIC_CONST,4)!=0) {
++ (void)munmap(f->f_un.f_ring.f_footer,sizeof(struct clog_footer));
++ (void)close(f->f_file);
++ f->f_type = F_UNUSED;
++ errno = ENODEV;
++ logerror(p+1);
++ break;
++ }
++ f->f_un.f_ring.f_size = sb.st_size;
++ (void)strcpy(f->f_un.f_ring.f_rname, p + 1);
++ f->f_type = F_RING;
++ break;
+
+ case '|':
+ f->f_un.f_pipe.f_pid = 0;
+@@ -2500,4 +2568,46 @@
+ freeaddrinfo(res);
+
+ return (socks);
++}
++
++ssize_t rbwritev(struct filed *f, struct iovec *iov, int iovcnt) {
++ int i;
++ ssize_t out = 0;
++ ssize_t err;
++
++ for(i=0;i<iovcnt;i++) {
++ err = rbwrite(f,iov[i].iov_base,iov[i].iov_len);
++ if (err==-1) return -1;
++ out += err;
++ }
++ return out;
++}
++
++ssize_t rbwrite(struct filed *f, char *buf, size_t nbytes) {
++ size_t maxwrite = f->f_un.f_ring.f_footer->cf_max - f->f_un.f_ring.f_footer->cf_next;
++ ssize_t err;
++ ssize_t out = 0;
++
++ f->f_un.f_ring.f_footer->cf_lock = 1;
++ while (nbytes>0) {
++ maxwrite = f->f_un.f_ring.f_footer->cf_max - f->f_un.f_ring.f_footer->cf_next;
++ if (maxwrite>nbytes) maxwrite = nbytes;
++ err = pwrite(f->f_file,buf,maxwrite,f->f_un.f_ring.f_footer->cf_next);
++ if (err==-1) {
++ f->f_un.f_ring.f_footer->cf_lock = 0;
++ return -1;
++ }
++ nbytes -= err;
++ out += err;
++ buf += err;
++ f->f_un.f_ring.f_footer->cf_next += err;
++ if (f->f_un.f_ring.f_footer->cf_next==f->f_un.f_ring.f_footer->cf_max) {
++ f->f_un.f_ring.f_footer->cf_next = 0;
++ f->f_un.f_ring.f_footer->cf_wrap = 1;
++ }
++
++ }
++
++ f->f_un.f_ring.f_footer->cf_lock = 0;
++ return out;
+ }
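Review bot: The ring-buffer setup in the `'%'` case of `cfline` and the writer in `rbwrite` trust the file more than they should. `mmap` reports failure as `MAP_FAILED`, not `NULL`, so the check should read `if (f->f_un.f_ring.f_footer == MAP_FAILED)`; as written a failed mapping is dereferenced by the `memcmp` that follows. `sb.st_size` is never compared with `sizeof(struct clog_footer)`, and `cf_next`/`cf_max` are taken from the mapped footer without validation, so a short or corrupted file gives a wrapped mmap offset, a wrapped `maxwrite`, or (with `cf_max` equal to 0) a loop in `rbwrite` that never consumes `nbytes`. Reject the file unless its size covers the footer and `cf_next < cf_max`, with `cf_max` no larger than the data area. Separately, the `strcpy` into `f_rname` is unbounded (`strlcpy` with `sizeof(f->f_un.f_ring.f_rname)` would match the buffer), and the `F_RING` error path logs `f->f_un.f_fname` instead of the ring's own `f_rname`.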
--- /dev/null
+#include <sys/types.h>
+#include <sys/ata.h>
+#include <err.h>
+#include <fcntl.h>
+#include <string.h>
+
+int main() {
+ struct ata_cmd iocmd;
+ int fd;
+
+ bzero(&iocmd, sizeof(struct ata_cmd));
+
+ if ((fd = open("/dev/ata", O_RDWR)) < 0)
+ err(1, "control device not found");
+
+ iocmd.channel = 0;
+ iocmd.cmd = ATAREINIT;
+ if (ioctl(fd, IOCATA, &iocmd) < 0)
+ warn("ioctl(ATAREINIT)");
+
+ close(fd);
+}
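Review bot: `main` calls `ioctl` and `close` without including `<sys/ioctl.h>` and `<unistd.h>`, and it ends without a `return`, so the exit status is not defined and a failed `ATAREINIT` (reported only through `warn`) cannot be detected by the caller. Add the two headers, and either use `err(1, "ioctl(ATAREINIT)")` or keep the result and finish with an explicit `return`. The channel is fixed at 0; a short comment stating that only the first ATA channel is reinitialised would document the intent.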
--- /dev/null
+/*
+ choparp - cheap & omitted proxy arp
+
+ Copyright (c) 1997 Takamichi Tateoka (tree@mma.club.uec.ac.jp)
+ Copyright (c) 2002 Thomas Quinot (thomas@cuivre.fr.eu.org)
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the authors nor the names of their contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+
+ History:
+ 17 Jun 1997 Creation (tate)
+ 7 Oct 1997 fix some comments (tate)
+ 19 Jun 1998 fix read result as ssize_t (tate / pointed by msaitoh)
+ 11 Feb 2004 add support for ranges (mkasper)
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <sys/time.h>
+#include <sys/ioctl.h>
+#include <net/bpf.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in.h>
+/* #include <net/if_arp.h> */
+#if (__FreeBSD__ >= 3)
+ #include <net/if_var.h>
+#endif
+#include <netinet/if_ether.h>
+#include <sys/param.h>
+#include <errno.h>
+#include <ifaddrs.h>
+#include <net/if_dl.h>
+
+#ifdef DEBUG
+#include <arpa/inet.h>
+#endif
+
+#define BPFFILENAME "/dev/bpf%d" /* bpf file template */
+#ifndef NBPFILTER /* number of available bpf */
+# define NBPFILTER (16)
+#endif
+
+struct cidr {
+ struct cidr *next;
+ u_int8_t isrange;
+ u_int32_t addr; /* addr and mask are host order */
+ u_int32_t mask;
+};
+
+struct cidr *targets = NULL, *excludes = NULL;
+u_char target_mac[ETHER_ADDR_LEN]; /* target MAC address */
+
+/*
+ ARP filter program
+*/
+struct bpf_insn bpf_filter_arp[] = {
+ /* check Ethernet Encapsulation (RFC894) first */
+ BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), /* load frame type */
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_ARP, 0, 3), /* check it */
+ BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20), /* load OP code */
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 1), /* check it */
+ BPF_STMT(BPF_RET+BPF_K, 14+28), /* return Ethernet encap ARP req. */
+ /* XXX: IEEE 802.2/802.3 Encap (RFC1042) should be available... */
+ BPF_STMT(BPF_RET+BPF_K, 0), /* discard */
+};
+
+/*
+ openbpf:
+
+ open bpf & set ARP filter program for named interface &
+ allocate enough buffer for BPF.
+ return file descripter or -1 for error
+*/
+int
+openbpf(char *ifname, char **bufp, size_t *buflen){
+ char bpffile[sizeof(BPFFILENAME)+5]; /* XXX: */
+ int fd = -1;
+ int n;
+ struct bpf_version bpf_version;
+ struct ifreq bpf_ifreq;
+ u_int ui;
+ struct bpf_program bpf_program;
+
+ /* open BPF file */
+ for (n=0; n<NBPFILTER; n++){
+ sprintf(bpffile, BPFFILENAME, n);
+ if ((fd = open(bpffile, O_RDWR, 0)) >= 0)
+ break;
+ }
+ if (fd < 0){
+ fprintf(stderr,"openbpf: Can't open BPF\n");
+ return(-1); /* error */
+ }
+
+ /* check version number */
+ if ((ioctl(fd, BIOCVERSION, &bpf_version) == -1) ||
+ bpf_version.bv_major != BPF_MAJOR_VERSION ||
+ bpf_version.bv_minor < BPF_MINOR_VERSION){
+ fprintf(stderr,"openbpf: incorrect BPF version\n");
+ close(fd);
+ return(-1);
+ }
+
+ /* set interface name */
+ strncpy(bpf_ifreq.ifr_name, ifname, IFNAMSIZ);
+ bpf_ifreq.ifr_name[IFNAMSIZ-1] = '\0'; /* paranoia */
+ if (ioctl(fd, BIOCSETIF, &bpf_ifreq) == -1){
+ fprintf(stderr,"openbpf: BIOCSETIF failed for interface <%s>\n",
+ ifname);
+ close(fd);
+ return(-1);
+ }
+
+ /* set BPF immediate mode */
+ ui = 1;
+ if (ioctl(fd, BIOCIMMEDIATE, &ui) == -1){
+ fprintf(stderr,"openbpf: BIOCIMMEDIATE failed.\n");
+ close(fd);
+ return(-1);
+ }
+
+ /* set ARP request filter */
+ bpf_program.bf_len = sizeof(bpf_filter_arp) / sizeof(struct bpf_insn);
+ bpf_program.bf_insns = bpf_filter_arp;
+ if (ioctl(fd, BIOCSETF, &bpf_program) == -1){
+ fprintf(stderr,"openbpf: BIOCSETF failed.\n");
+ close(fd);
+ return(-1);
+ }
+
+ /* allocate reasonable size & alimented buffer */
+ if (ioctl(fd, BIOCGBLEN, &ui) == -1){
+ fprintf(stderr,"openbpf: BIOCGBLEN failed.\n");
+ close(fd);
+ return(-1);
+ }
+ *buflen = (size_t)ui;
+ if ((*bufp = (char *)malloc((size_t) ui)) == NULL){
+ fprintf(stderr,"openbpf: malloc failed.\n");
+ close(fd);
+ return(-1);
+ }
+
+ return(fd);
+}
+
+/*
+ get ARP datalink frame pointer
+
+ NULL if no more ARP frame
+*/
+char *
+getarp(char *bpfframe, ssize_t bpfflen, char **next, ssize_t *nextlen){
+ int bias;
+ char *p;
+
+ if (bpfframe == NULL || bpfflen == 0)
+ return(NULL);
+
+ bias = BPF_WORDALIGN(((struct bpf_hdr *)bpfframe)->bh_hdrlen +
+ ((struct bpf_hdr *)bpfframe)->bh_caplen);
+ if (bias < bpfflen){
+ /* there is another packet packed into same bpf frame */
+ *next = bpfframe + bias;
+ *nextlen = (size_t) bpfflen - bias;
+ } else {
+ /* no more packet */
+ *next = NULL;
+ *nextlen = 0;
+ }
+
+ /* cut off BPF header */
+ p = bpfframe + ((struct bpf_hdr *)bpfframe)->bh_hdrlen;
+ return(p);
+}
+
+/*
+ match
+
+ match an IP address against a list of address/netmask pairs
+*/
+
+static int
+match (u_int32_t addr, struct cidr *list) {
+ while (list) {
+ if (list->isrange) {
+ if ((addr >= list->addr) && (addr <= list->mask))
+ return 1;
+ } else {
+ if ((addr & list->mask) == list->addr)
+ return 1;
+ }
+ list = list->next;
+ }
+ return 0;
+}
+
+/*
+ checkarp
+
+ check responsibility of the ARP request
+ return true if responsible
+
+ arpbuf is pointing top of link-level frame
+*/
+
+static int
+checkarp(char *arpbuf){
+ struct ether_arp *arp;
+ u_int32_t target_ip;
+
+ arp = (struct ether_arp *)(arpbuf + 14); /* skip ethernet header */
+ if (ntohs(arp->arp_hrd) != ARPHRD_ETHER ||
+ /* XXX: ARPHRD_802 */
+ ntohs(arp->arp_pro) != ETHERTYPE_IP ||
+ (int) (arp->arp_hln) != ETHER_ADDR_LEN || /* length of ethernet addr */
+ (int) (arp->arp_pln) != 4){ /* length of protocol addr */
+ fprintf(stderr,"checkarp: WARNING: received unknown type ARP request.\n");
+ return(0);
+ }
+ target_ip = ntohl(*(u_int32_t *)(arp->arp_tpa));
+ return match(target_ip, targets) && !match(target_ip, excludes);
+}
+
+/*
+ genarpreply
+
+ generate arp reply link level frame
+ arpbuf is pointing top of link-level frame
+ this routine overwrite arpbuf
+
+ return reply buffer & its length
+*/
+char *
+gen_arpreply(char *arpbuf, size_t *rlen){
+ struct ether_arp *arp;
+ u_char ipbuf[4]; /* sender IP */
+
+ /* set ethernet dst/src address */
+ memcpy(arpbuf, arpbuf+ETHER_ADDR_LEN, ETHER_ADDR_LEN);
+ memcpy(arpbuf+ETHER_ADDR_LEN, target_mac, ETHER_ADDR_LEN);
+ /* set result of ARP request */
+ arp = (struct ether_arp *)(arpbuf + 14); /* skip ethernet header */
+ memcpy(ipbuf, arp->arp_tpa, 4); /* save protocol addr */
+ memcpy(arp->arp_tha, arp->arp_sha, 10); /* set target hard/proto addr */
+ memcpy(arp->arp_spa, ipbuf, 4); /* set source protocol addr */
+ memcpy(arp->arp_sha, target_mac, ETHER_ADDR_LEN); /* set source hard addr */
+ arp->arp_op = htons(ARPOP_REPLY);
+
+ *rlen = 14 + 28; /* ethernet header & arp reply */
+ return(arpbuf);
+}
+
+void
+loop(int fd, char *buf, size_t buflen){
+ ssize_t rlen;
+ char *p, *nextp;
+ ssize_t nextlen;
+ char *rframe;
+ char *sframe;
+ size_t frame_len;
+ fd_set fdset;
+
+ FD_ZERO(&fdset);
+ FD_SET(fd,&fdset);
+
+ for(;;){
+ int r = select(fd+1,&fdset, 0, 0, 0);
+
+ if (r < 0) {
+ if (errno == EINTR)
+ continue;
+ perror("select");
+ return;
+ }
+
+ rlen = read(fd, buf, buflen);
+ if (rlen < 0) {
+ if (errno == EINTR)
+ continue;
+ perror("read");
+ return;
+ }
+
+ p = buf;
+ while((rframe = getarp(p, rlen, &nextp, &nextlen)) != NULL){
+ if (checkarp(rframe)){
+ sframe = gen_arpreply(rframe, &frame_len);
+ write(fd, sframe, frame_len);
+ }
+ p = nextp;
+ rlen = nextlen;
+ }
+ }
+ /* not reach */
+}
+
+int
+setmac(char *addr, char *ifname){
+ u_int m0, m1, m2, m3, m4, m5;
+
+ if (!strcmp (addr, "auto")) {
+ struct ifaddrs *ifas, *ifa;
+
+ getifaddrs (&ifas);
+ for (ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) {
+#define SDL ((struct sockaddr_dl *)ifa->ifa_addr)
+ if (strcmp (ifa->ifa_name, ifname)
+ || SDL->sdl_family != AF_LINK
+ || SDL->sdl_alen != 6)
+ continue;
+ memcpy (target_mac, SDL->sdl_data + SDL->sdl_nlen, 6);
+ return 0;
+ }
+ return -1;
+ }
+ if (sscanf(addr, "%x:%x:%x:%x:%x:%x", &m0, &m1, &m2, &m3, &m4, &m5) < 6)
+ return(-1);
+ target_mac[0] = (u_char )m0;
+ target_mac[1] = (u_char )m1;
+ target_mac[2] = (u_char )m2;
+ target_mac[3] = (u_char )m3;
+ target_mac[4] = (u_char )m4;
+ target_mac[5] = (u_char )m5;
+ return(0);
+}
+
+int
+atoip(char *buf, u_int32_t *ip_addr){
+ u_int i0, i1, i2, i3;
+
+ if (sscanf(buf, "%u.%u.%u.%u", &i0, &i1, &i2, &i3) == 4){
+ *ip_addr = (i0 << 24) + (i1 << 16) + (i2 << 8) + i3;
+ return(0);
+ }
+ if (sscanf(buf, "0x%lx", ip_addr) == 1)
+ return(0);
+
+ return(-1);
+}
+
+void
+usage(void){
+ fprintf(stderr,"usage: choparp if_name mac_addr [-]addr/mask...\n");
+ exit(-1);
+}
+
+int
+main(int argc, char **argv){
+ int fd;
+ char *buf, *ifname;
+ struct cidr **targets_tail = &targets, **excludes_tail = &excludes;
+#define APPEND(LIST,ADDR,MASK,ISRANGE) \
+ do { \
+ *(LIST ## _tail) = malloc(sizeof (struct cidr)); \
+ (*(LIST ## _tail))->addr = ADDR; \
+ (*(LIST ## _tail))->mask = MASK; \
+ (*(LIST ## _tail))->isrange = ISRANGE; \
+ (*(LIST ## _tail))->next = NULL; \
+ (LIST ## _tail) = &(*(LIST ## _tail))->next; \
+ } while (0)
+ size_t buflen;
+
+ if (argc < 4)
+ usage();
+
+ ifname = argv[1];
+ if (setmac(argv[2], ifname))
+ usage();
+ argv += 3; argc -= 3;
+
+ while (argc > 0) {
+ u_int32_t addr, mask = ~0;
+ char *slash = strchr (*argv, '/');
+ char *dash;
+ int exclude = 0;
+ u_int8_t isrange;
+
+ if (**argv == '-') {
+ (*argv)++;
+ exclude = 1;
+ }
+ dash = strchr (*argv, '-');
+ if (dash != NULL) {
+ *(dash++) = '\0';
+ if (atoip(*argv, &addr))
+ usage();
+ if (atoip(dash, &mask))
+ usage();
+ isrange = 1;
+ } else {
+ if (slash != NULL)
+ *(slash++) = '\0';
+ if (atoip (*argv, &addr))
+ usage();
+ if (slash != NULL) {
+ char *end;
+ u_int32_t len = strtol (slash, &end, 10);
+ if (*end == '\0')
+ mask <<= (32 - len);
+ else if (atoip (slash, &mask))
+ usage();
+ }
+ isrange = 0;
+ }
+ if (exclude)
+ APPEND(excludes, addr, mask, isrange);
+ else
+ APPEND(targets, addr, mask, isrange);
+ argv++, argc--;
+ }
+
+#ifdef DEBUG
+#define SHOW(LIST) \
+ do { \
+ struct cidr *t; \
+ printf (#LIST ":\n"); \
+ for (t = LIST; t; t = t->next) { \
+ u_int32_t x; \
+ x = htonl (t->addr); \
+ printf (" %s", inet_ntoa (*(struct in_addr *)&x)); \
+ x = htonl (t->mask); \
+ if (t->isrange) \
+ printf ("-%s\n", inet_ntoa (*(struct in_addr *)&x)); \
+ else \
+ printf ("/%s\n", inet_ntoa (*(struct in_addr *)&x)); \
+ } \
+ } while (0)
+
+ SHOW(targets);
+ SHOW(excludes);
+ exit (0);
+#endif
+ if ((fd = openbpf(ifname, &buf, &buflen)) < 0)
+ return(-1);
+ loop(fd, buf, buflen);
+ return(-1);
+}
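Review bot: The prefix length parsed in `main` is applied as `mask <<= (32 - len)` with no range check on `len`. A `/0` shifts a 32-bit value by 32 and anything above 32 shifts by a negative count, both undefined in C, so the set of addresses this daemon answers ARP requests for can differ from what the operator wrote. Reject out-of-range input and special-case zero: `if (len > 32) usage();` followed by `mask = len ? mask << (32 - len) : 0;`. In the same path `APPEND` dereferences the `malloc` result unchecked, and `atoip` passes a `u_int32_t *` to `sscanf` with `%lx`, which stores a `long` and overruns the object on LP64 targets.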
--- /dev/null
+/*
+ minicron.c
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+/* usage: minicron interval pidfile cmd */
+
+int main(int argc, char *argv[]) {
+
+ int interval;
+ FILE *pidfd;
+
+ if (argc < 4)
+ exit(1);
+
+ interval = atoi(argv[1]);
+ if (interval == 0)
+ exit(1);
+
+ /* unset loads of CGI environment variables */
+ unsetenv("CONTENT_TYPE"); unsetenv("GATEWAY_INTERFACE");
+ unsetenv("REMOTE_USER"); unsetenv("REMOTE_ADDR");
+ unsetenv("AUTH_TYPE"); unsetenv("SCRIPT_FILENAME");
+ unsetenv("CONTENT_LENGTH"); unsetenv("HTTP_USER_AGENT");
+ unsetenv("HTTP_HOST"); unsetenv("SERVER_SOFTWARE");
+ unsetenv("HTTP_REFERER"); unsetenv("SERVER_PROTOCOL");
+ unsetenv("REQUEST_METHOD"); unsetenv("SERVER_PORT");
+ unsetenv("SCRIPT_NAME"); unsetenv("SERVER_NAME");
+
+ /* go into background */
+ if (daemon(0, 0) == -1)
+ exit(1);
+
+ /* write PID to file */
+ pidfd = fopen(argv[2], "w");
+ if (pidfd) {
+ fprintf(pidfd, "%d\n", getpid());
+ fclose(pidfd);
+ }
+
+ while (1) {
+ sleep(interval);
+
+ system(argv[3]);
+ }
+}
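Review bot: `interval` is rejected only when `atoi` returns 0, so a negative argument reaches `sleep(interval)`, where the conversion to `unsigned` turns it into a very long sleep and the job silently never runs; `if (interval <= 0) exit(1);` closes that. `daemon`, `sleep` and `getpid` are used without `<unistd.h>`. `argv[3]` is handed to `system`, i.e. to `/bin/sh`, so the usage comment should state that the command string is interpreted by the shell and must come from trusted configuration only. A failed `fopen` of the pidfile is ignored, which leaves the daemon running with no pidfile for a supervisor to find.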
--- /dev/null
+#!/bin/sh
+
+rm -f /var/etc/nameservers.conf
+
+# unset CGI environment variables so as not to confuse PHP
+unset CONTENT_TYPE GATEWAY_INTERFACE REMOTE_USER REMOTE_ADDR AUTH_TYPE
+unset HTTP_USER_AGENT CONTENT_LENGTH SCRIPT_FILENAME HTTP_HOST
+unset SERVER_SOFTWARE HTTP_REFERER SERVER_PROTOCOL REQUEST_METHOD
+unset SERVER_PORT SCRIPT_NAME SERVER_NAME
+
+# write nameservers to file
+if [ "$6" = "dns1" ]; then
+ echo $7 >> /var/etc/nameservers.conf
+fi
+if [ "$8" = "dns2" ]; then
+ echo $9 >> /var/etc/nameservers.conf
+fi
+
+# let the configuration system know that the
+# WAN IP address has changed
+/etc/rc.newwanip &
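Review bot: `$7` and `$9` are written with an unquoted `echo`, so whatever the caller passes as the DNS server arguments (presumably values negotiated with the PPP peer) is word-split and glob-expanded before it lands in `/var/etc/nameservers.conf`. Quote both, `echo "$7" >> /var/etc/nameservers.conf` and likewise for `$9`, and consider checking that each value looks like an IP address before writing it. The script has no header comment describing the positional arguments it expects; one line listing `$6` to `$9` would make the `dns1`/`dns2` tests readable.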
--- /dev/null
+#!/bin/sh
+
+# write our PID to file
+echo $$ > $1
+
+# execute msntp in endless loop; restart if it
+# exits (wait 1 second to avoid restarting too fast in case
+# the network is not yet setup)
+while true; do
+ /usr/local/bin/msntp -r -P no -l $2 -x $3 $4
+ sleep 1
+done
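Review bot: The pidfile path is used unquoted in `echo $$ > $1`, so an empty or space-containing argument makes the redirect fail or write to a different file; `echo $$ > "$1"` is the safe form. `$2` and `$3` should be quoted the same way; `$4` may stay unquoted only if callers rely on it splitting into several server names, which the script does not say. A usage comment naming the four arguments would settle that.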
--- /dev/null
+/*
+ stats.c
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2004-2005 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/sysctl.h>
+#include <net/if.h>
+#include <net/if_mib.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/time.h>
+#include <sys/dkstat.h>
+
+void cpu_stats() {
+
+ long cp_time1[CPUSTATES], cp_time2[CPUSTATES];
+ long total1, total2;
+ size_t len;
+ double cpuload;
+
+ len = sizeof(cp_time1);
+
+ if (sysctlbyname("kern.cp_time", &cp_time1, &len, NULL, 0) < 0)
+ exit(1);
+
+ sleep(1);
+
+ len = sizeof(cp_time2);
+
+ if (sysctlbyname("kern.cp_time", &cp_time2, &len, NULL, 0) < 0)
+ exit(1);
+
+ total1 = cp_time1[CP_USER] + cp_time1[CP_NICE] + cp_time1[CP_SYS] +
+ cp_time1[CP_INTR] + cp_time1[CP_IDLE];
+ total2 = cp_time2[CP_USER] + cp_time2[CP_NICE] + cp_time2[CP_SYS] +
+ cp_time2[CP_INTR] + cp_time2[CP_IDLE];
+
+ cpuload = 1 - ((double)(cp_time2[CP_IDLE] - cp_time1[CP_IDLE]) / (double)(total2 - total1));
+
+ printf("%.0f\n", 100.0*cpuload);
+}
+
+void if_stats(char *cl) {
+
+ struct ifmibdata ifmd;
+ size_t ifmd_size = sizeof(ifmd);
+ int nr_network_devs;
+ size_t int_size = sizeof(nr_network_devs);
+ int name[6];
+ int i;
+ struct timeval tv;
+ double uusec;
+
+ /* check interface name syntax */
+ for (i = 0; cl[i]; i++) {
+ if (!((cl[i] >= 'a' && cl[i] <= 'z') || (cl[i] >= '0' && cl[i] <= '9')))
+ exit(1);
+ }
+
+ name[0] = CTL_NET;
+ name[1] = PF_LINK;
+ name[2] = NETLINK_GENERIC;
+ name[3] = IFMIB_IFDATA; name[5] = IFDATA_GENERAL;
+
+ if (sysctlbyname("net.link.generic.system.ifcount", &nr_network_devs,
+ &int_size, (void*)0, 0) == -1) {
+
+ exit(1);
+
+ } else {
+
+ for (i = 1; i <= nr_network_devs; i++) {
+
+ name[4] = i; /* row of the ifmib table */
+
+ if (sysctl(name, 6, &ifmd, &ifmd_size, (void*)0, 0) == -1) {
+ continue;
+ }
+
+ if (strncmp(ifmd.ifmd_name, cl, strlen(cl)) == 0) {
+ gettimeofday(&tv, NULL);
+ uusec = (double)tv.tv_sec + (double)tv.tv_usec / 1000000.0;
+ printf("%lf|%u|%u\n", uusec,
+ ifmd.ifmd_data.ifi_ibytes, ifmd.ifmd_data.ifi_obytes);
+ exit(0);
+ }
+ }
+ }
+}
+
+int main(int argc, char *argv[]) {
+
+ char *cl, *rm;
+
+ printf("Content-Type: text/plain\n\n");
+
+ rm = getenv("REQUEST_METHOD");
+ if (rm == NULL)
+ exit(1);
+ if (strcmp(rm, "GET") != 0)
+ exit(1);
+
+ cl = getenv("QUERY_STRING");
+ if (cl == NULL)
+ exit(1);
+
+ if ((strlen(cl) < 3) || (strlen(cl) > 16))
+ exit(1);
+
+ if (strcmp(cl, "cpu") == 0)
+ cpu_stats();
+ else
+ if_stats(cl);
+
+ return 0;
+}
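Review bot: `if_stats` matches the requested name with `strncmp(ifmd.ifmd_name, cl, strlen(cl))`, which is a prefix comparison: a query for `fxp1` also matches `fxp10`, and the first table row with that prefix wins. Use an exact comparison, `if (strcmp(ifmd.ifmd_name, cl) == 0)`. The file calls `strcmp`, `strncmp`, `strlen` and `sleep` without `<string.h>` and `<unistd.h>`. In `cpu_stats` the quotient divides by `total2 - total1`, which can be 0 when no tick is counted between the two samples; check for that before the division.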
--- /dev/null
+/*
+ verifysig.c
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/*
+ m0n0wall binary image file format:
+
+ +-----------------------------------------------------------------------+
+ | std. gzip file | sig | sig.len. in bytes (2) | magic (0xe14d77cb) |
+ +-----------------------------------------------------------------------+
+
+ sig. len. and magic in Intel byte order!
+
+ WARNING: in the process of verifying the signature, this program actually
+ removes it from the file - this is to facilitate later processing where
+ it might confuse other programs (gzip just warns about trailing garbage,
+ but we might sign other files in the future...).
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+
+#define SIG_MAGIC 0xe14d77cb /* XXX - not byte order safe! */
+#define SIG_INBUFLEN 65536
+
+void usage(void) {
+
+ fprintf(stderr, "usage: verifysig pubkey file\n\n"
+ "return values: 0 -> signature verified OK\n"
+ " 1 -> signature invalid\n"
+ " 2 -> no signature found\n"
+ " 3 -> signature verification error\n"
+ " 4 -> other error\n");
+ exit(4);
+}
+
+int main(int argc, char *argv[]) {
+
+ FILE *fin, *fkey;
+ u_int16_t siglen;
+ u_int32_t magic;
+ long nread, ndata;
+ char *sigbuf, *inbuf;
+ EVP_PKEY *pkey;
+ EVP_MD_CTX ctx;
+ int err, retval;
+
+ if (argc != 3)
+ usage();
+
+ ERR_load_crypto_strings();
+
+ /* open file and check for magic */
+ fin = fopen(argv[2], "r+");
+ if (fin == NULL) {
+ fprintf(stderr, "unable to open file '%s'\n", argv[2]);
+ exit(4);
+ }
+
+ fseek(fin, -(sizeof(magic)), SEEK_END);
+ fread(&magic, sizeof(magic), 1, fin);
+
+ if (magic != SIG_MAGIC) {
+ fclose(fin);
+ exit(2);
+ }
+
+ /* magic is good; get signature length */
+ fseek(fin, -(sizeof(magic) + sizeof(siglen)), SEEK_END);
+ fread(&siglen, sizeof(siglen), 1, fin);
+
+ /* read public key */
+ fkey = fopen(argv[1], "r");
+ if (fkey == NULL) {
+ fprintf(stderr, "unable to open public key file '%s'\n", argv[1]);
+ exit(4);
+ }
+
+ pkey = PEM_read_PUBKEY(fkey, NULL, NULL, NULL);
+ fclose(fkey);
+
+ if (pkey == NULL) {
+ ERR_print_errors_fp(stderr);
+ exit(4);
+ }
+
+ /* check if siglen is sane */
+ if ((siglen == 0) || (siglen > EVP_PKEY_size(pkey)))
+ exit(3);
+
+ /* got signature length; read signature */
+ sigbuf = malloc(siglen);
+ if (sigbuf == NULL)
+ exit(4);
+
+ fseek(fin, -(sizeof(magic) + sizeof(siglen) + siglen), SEEK_END);
+ if (fread(sigbuf, 1, siglen, fin) != siglen)
+ exit(4);
+
+ /* signature read; truncate file to remove sig */
+ fseek(fin, 0, SEEK_END);
+ ndata = ftell(fin) - (sizeof(magic) + sizeof(siglen) + siglen);
+ ftruncate(fileno(fin), ndata);
+
+ /* verify the signature now */
+ EVP_VerifyInit(&ctx, EVP_sha1());
+
+ /* allocate data buffer */
+ inbuf = malloc(SIG_INBUFLEN);
+ if (inbuf == NULL)
+ exit(4);
+
+ rewind(fin);
+ while (!feof(fin)) {
+ nread = fread(inbuf, 1, SIG_INBUFLEN, fin);
+ if (nread != SIG_INBUFLEN) {
+ if (ferror(fin)) {
+ fprintf(stderr, "read error in file '%s'\n", argv[2]);
+ exit(4);
+ }
+ }
+
+ EVP_VerifyUpdate(&ctx, inbuf, nread);
+ }
+
+ err = EVP_VerifyFinal(&ctx, sigbuf, siglen, pkey);
+ EVP_PKEY_free(pkey);
+
+ if (err == 1)
+ retval = 0; /* correct signature */
+ else if (err == 0)
+ retval = 1; /* invalid signature */
+ else
+ retval = 3; /* error */
+
+ free(inbuf);
+ free(sigbuf);
+ fclose(fin);
+
+ return retval;
+}
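Review bot: The two trailer reads at the top of `main` ignore the results of `fseek` and `fread`, so for a file shorter than the 6-byte trailer, or on a read error, `magic` and `siglen` are used while uninitialised. Check both calls, e.g. `if (fseek(fin, -(long)sizeof(magic), SEEK_END) != 0 || fread(&magic, sizeof(magic), 1, fin) != 1) { fclose(fin); exit(2); }`, and do the same for the `siglen` read. `ftruncate` is also unchecked, and `<unistd.h>` is not among the includes. If truncation fails, the digest loop hashes the trailer too and a correctly signed image is reported as invalid (exit 1), so that failure should exit with 4 instead. The digest is fixed to `EVP_sha1()`; a comment next to `SIG_MAGIC` stating that the hash choice is part of the image format would help whoever later moves to a stronger digest.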
--- /dev/null
+#!/bin/sh
+
+# record logout
+/usr/bin/logger -p local3.info "logout,$1,,$3"
+
+# resync ipfilter
+/sbin/ipf -y
\ No newline at end of file
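Review bot: `$1` and `$3` are interpolated into a comma-delimited log record without filtering. The double quotes keep the shell itself safe, but a value containing a comma or a line break could shift fields or split the record for whatever later parses the local3 log. The callers are not visible here, so if any of these arguments can carry user-supplied text, strip or reject `,` and control characters before the `logger` call. The login script in the next file section builds its record the same way from `$1`, `$4` and `$5`. A header comment naming what each positional argument holds would also make the record format reviewable.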
--- /dev/null
+#!/bin/sh
+
+# record login
+/usr/bin/logger -p local3.info "login,$1,$4,$5"
+
+# resync ipfilter
+/sbin/ipf -y