From fee4fb29f28d49509b74bfe6516a5feb9fd1a20f Mon Sep 17 00:00:00 2001 
From: mkasper Date: Sun, 8 Jan 2006 12:35:27 +0000 Subject: [PATCH] Import build-related files (kernel configs, miniBSD stuff, patches and tools). git-svn-id: https://svn.m0n0.ch/wall/trunk@32 e36fee2c-cc09-0410-a7cc-ebac5c6737de --- build/kernelconfigs/M0N0WALL_GENERIC | 229 +++ build/kernelconfigs/M0N0WALL_NET45XX | 121 ++ build/kernelconfigs/M0N0WALL_NET48XX | 126 ++ build/kernelconfigs/M0N0WALL_WRAP | 113 ++ build/minibsd/m0n0wall.files | 82 + build/minibsd/mklibs.pl | 37 + build/minibsd/mkmini.pl | 46 + build/patches/boot/boot-wrap.patch | 15 + build/patches/boot/boot.patch | 29 + build/patches/kernel/README-ipfilter3435.txt | 140 ++ build/patches/kernel/README-ppp.txt | 55 + build/patches/kernel/kernel-411.patch | 1593 +++++++++++++++++ build/patches/packages/ez-ipupdate.c.patch | 243 +++ build/patches/packages/mini_httpd.c.patch | 520 ++++++ .../packages/patch-crypto_openssl.c.x509 | 55 + build/patches/packages/patch-isakmp_quick.c | 24 + build/patches/user/clog-1.0.1.tar.gz | Bin 0 -> 3922 bytes build/patches/user/dhclient-script.patch | 42 + build/patches/user/ipf.c.patch | 16 + build/patches/user/syslogd.c.patch | 207 +++ build/tools/atareinit.c | 22 + build/tools/choparp.c | 465 +++++ build/tools/minicron.c | 73 + build/tools/ppp-linkup | 21 + build/tools/runmsntp.sh | 12 + build/tools/stats.c | 142 ++ build/tools/verifysig.c | 173 ++ build/tools/vpn-linkdown | 7 + build/tools/vpn-linkup | 7 + 29 files changed, 4615 insertions(+) create mode 100644 build/kernelconfigs/M0N0WALL_GENERIC create mode 100644 build/kernelconfigs/M0N0WALL_NET45XX create mode 100644 build/kernelconfigs/M0N0WALL_NET48XX create mode 100644 build/kernelconfigs/M0N0WALL_WRAP create mode 100644 build/minibsd/m0n0wall.files create mode 100644 build/minibsd/mklibs.pl create mode 100644 build/minibsd/mkmini.pl create mode 100644 build/patches/boot/boot-wrap.patch create mode 100644 build/patches/boot/boot.patch create mode 100644 build/patches/kernel/README-ipfilter3435.txt create mode 
100644 build/patches/kernel/README-ppp.txt create mode 100644 build/patches/kernel/kernel-411.patch create mode 100644 build/patches/packages/ez-ipupdate.c.patch create mode 100644 build/patches/packages/mini_httpd.c.patch create mode 100644 build/patches/packages/patch-crypto_openssl.c.x509 create mode 100644 build/patches/packages/patch-isakmp_quick.c create mode 100644 build/patches/user/clog-1.0.1.tar.gz create mode 100644 build/patches/user/dhclient-script.patch create mode 100644 build/patches/user/ipf.c.patch create mode 100644 build/patches/user/syslogd.c.patch create mode 100644 build/tools/atareinit.c create mode 100644 build/tools/choparp.c create mode 100644 build/tools/minicron.c create mode 100644 build/tools/ppp-linkup create mode 100644 build/tools/runmsntp.sh create mode 100644 build/tools/stats.c create mode 100644 build/tools/verifysig.c create mode 100644 build/tools/vpn-linkdown create mode 100644 build/tools/vpn-linkup diff --git a/build/kernelconfigs/M0N0WALL_GENERIC b/build/kernelconfigs/M0N0WALL_GENERIC new file mode 100644 index 0000000..6b3ad37 --- /dev/null +++ b/build/kernelconfigs/M0N0WALL_GENERIC 
@@ -0,0 +1,229 @@
+machine i386
+cpu I486_CPU
+cpu I586_CPU
+cpu I686_CPU
+ident M0N0WALL_GENERIC
+maxusers 0
+options INCLUDE_CONFIG_FILE
+
+#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
+makeoptions MODULES_OVERRIDE="dummynet if_tap if_vlan ipfw"
+
+options INET #InterNETworking
+options FAST_IPSEC
+options FFS #Berkeley Fast Filesystem
+options FFS_ROOT #FFS usable as root device [keep this!]
+options SOFTUPDATES #Enable FFS soft updates support
+options MFS #Memory Filesystem
+options MD_ROOT #MD is a potential root device
+options MSDOSFS #MSDOS Filesystem
+options CD9660 #ISO 9660 Filesystem
+options CD9660_ROOT #CD-ROM usable as root, CD9660 required
+options PROCFS #Process filesystem
+options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
+options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
+options UCONSOLE #Allow users to grab the console
+options KTRACE #ktrace(1) support
+options SYSVSHM #SYSV-style shared memory
+options SYSVMSG #SYSV-style message queues
+options SYSVSEM #SYSV-style semaphores
+options P1003_1B #Posix P1003_1B real-time extensions
+options _KPOSIX_PRIORITY_SCHEDULING
+options ICMP_BANDLIM #Rate limit bad replies
+options KBD_INSTALL_CDEV # install a CDEV entry in /dev
+
+options HZ=1000
+
+options IPFILTER
+options IPFILTER_LOG
+options IPFILTER_DEFAULT_BLOCK
+options IPSTATE_SIZE=42859
+options IPSTATE_MAX=30000
+options IPFILTER_MSSCLAMP_FORCE
+options IPFIREWALL_DEFAULT_TO_ACCEPT
+
+options BRIDGE
+options DEVICE_POLLING
+
+options NO_SWAPPING
+
+device isa
+device eisa
+device pci
+
+# Floppy drives
+device fdc0 at isa? port IO_FD1 irq 6 drq 2
+device fd0 at fdc0 drive 0
+device fd1 at fdc0 drive 1
+
+# ATA and ATAPI devices
+device ata0 at isa? port IO_WD1 irq 14
+device ata1 at isa? port IO_WD2 irq 15
+device ata
+device atadisk # ATA disk drives
+device atapicd # ATAPI CDROM drives
+device atapifd # ATAPI floppy drives
+device atapist # ATAPI tape drives
+options ATA_STATIC_ID #Static device numbering
+
+# SCSI Controllers
+device ahb # EISA AHA1742 family
+device ahc # AHA2940 and onboard AIC7xxx devices
+device ahd # AHA39320/29320 and onboard AIC79xx devices
+device amd # AMD 53C974 (Tekram DC-390(T))
+device isp # Qlogic family
+device mpt # LSI-Logic MPT/Fusion
+device ncr # NCR/Symbios Logic
+device sym # NCR/Symbios Logic (newer chipsets)
+options SYM_SETUP_LP_PROBE_MAP=0x40
+ # Allow ncr to attach legacy NCR devices when
+ # both sym and ncr are configured
+
+device adv0 at isa?
+device adw
+device bt0 at isa?
+device aha0 at isa?
+device aic0 at isa?
+
+device ncv # NCR 53C500
+device nsp # Workbit Ninja SCSI-3
+device stg # TMC 18C30/18C50
+
+# SCSI peripherals
+device scbus # SCSI bus (required)
+device da # Direct Access (disks)
+device sa # Sequential Access (tape etc)
+device cd # CD
+device pass # Passthrough device (direct SCSI access)
+
+# atkbdc0 controls both the keyboard and the PS/2 mouse
+device atkbdc0 at isa? port IO_KBD
+device atkbd0 at atkbdc? irq 1 flags 0x1
+
+device vga0 at isa?
+
+# syscons is the default console driver, resembling an SCO console
+device sc0 at isa? flags 0x100
+
+# Floating point support - do not disable.
+device npx0 at nexus? port IO_NPX irq 13
+
+# Power management support (see LINT for more options)
+device apm0 at nexus? disable flags 0x20 # Advanced Power Management
+
+# PCCARD (PCMCIA) support
+device card
+device pcic0 at isa? irq 0 port 0x3e0 iomem 0xd0000
+device pcic1 at isa? irq 0 port 0x3e2 iomem 0xd4000 disable
+
+# Serial (COM) ports
+device sio0 at isa? port IO_COM1 flags 0x10 irq 4
+device sio1 at isa? port IO_COM2 irq 3
+device sio2 at isa? disable port IO_COM3 irq 5
+device sio3 at isa? disable port IO_COM4 irq 9
+
+# PCI Ethernet NICs.
+device de # DEC/Intel DC21x4x (``Tulip'')
+device txp # 3Com 3cR990 (``Typhoon'')
+device vx # 3Com 3c590, 3c595 (``Vortex'')
+
+# PCI Ethernet NICs that use the common MII bus controller code.
+# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
+device miibus # MII bus support
+device bfe # Broadcom BCM4401 10/100.
+device dc # DEC/Intel 21143 and various workalikes
+device fxp # Intel EtherExpress PRO/100B (82557, 82558)
+device my # Myson Fast Ethernet (MTD80X, MTD89X)
+device pcn # AMD Am79C97x PCI 10/100 NICs
+device rl # RealTek 8129/8139
+device sf # Adaptec AIC-6915 (``Starfire'')
+device sis # Silicon Integrated Systems SiS 900/SiS 7016
+device ste # Sundance ST201 (D-Link DFE-550TX)
+device tl # Texas Instruments ThunderLAN
+device tx # SMC EtherPower II (83c170 ``EPIC'')
+device vr # VIA Rhine, Rhine II
+device wb # Winbond W89C840F
+device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
+
+# Gigabit Ethernet NICs.
+device bge # Broadcom BCM570x (``Tigon III'')
+device em # Intel Pro/1000 (82542,82543,82544,82540)
+device gx # Intel Pro/1000 (82542, 82543)
+device lge # Level 1 LXT1001 (``Mercury'')
+device nge # NatSemi DP83820 and DP83821
+device sk # SysKonnect GEnesis
+device ti # Alteon (``Tigon I'', ``Tigon II'')
+device wx
+
+# ISA Ethernet NICs.
+# 'device ed' requires 'device miibus'
+device ed0 at isa? disable port 0x280 irq 10 iomem 0xd8000
+device ex
+device ep
+device fe0 at isa? disable port 0x300
+# Xircom Ethernet
+device xe
+# PRISM I IEEE 802.11b wireless NIC.
+device awi
+# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
+# exists only as a PCMCIA device, so there is no ISA attachment needed
+# and resources will always be dynamically assigned by the pccard code.
+device wi
+# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
+# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
+# mode (the factory default). If you set the switches on your ISA
+# card for a manually chosen I/O address and IRQ, you must specify
+# those parameters here.
+device an
+# The probe order of these is presently determined by i386/isa/isa_compat.c.
+device ie0 at isa? disable port 0x300 irq 10 iomem 0xd0000
+#device le0 at isa? disable port 0x300 irq 5 iomem 0xd0000
+device lnc0 at isa? disable port 0x280 irq 10 drq 0
+device cs0 at isa? disable port 0x300
+device sn0 at isa? disable port 0x300 irq 10
+
+# Pseudo devices - the number indicates how many units to allocate.
+pseudo-device loop # Network loopback
+pseudo-device ether # Ethernet support
+pseudo-device tun # Packet tunnel.
+pseudo-device pty # Pseudo-ttys (telnet etc)
+pseudo-device md # Memory "disks"
+pseudo-device gif # IPv6 and IPv4 tunneling
+
+# The `bpf' pseudo-device enables the Berkeley Packet Filter.
+# Be aware of the administrative consequences of enabling this!
+pseudo-device bpf #Berkeley packet filter
+
+# USB support
+device uhci # UHCI PCI->USB interface
+device ohci # OHCI PCI->USB interface
+device usb # USB Bus (required)
+device ugen # Generic
+device uhid # "Human Interface Devices"
+device ukbd # Keyboard
+device umass
+# USB Ethernet, requires mii
+device aue # ADMtek USB ethernet
+device cue # CATC USB ethernet
+device kue # Kawasaki LSI USB ethernet
+device rue
+
+options NETGRAPH #netgraph(4) system
+options NETGRAPH_ASYNC
+options NETGRAPH_BPF
+options NETGRAPH_ETHER
+options NETGRAPH_IFACE
+options NETGRAPH_KSOCKET
+options NETGRAPH_L2TP
+options NETGRAPH_MPPC_ENCRYPTION
+options NETGRAPH_PPP
+options NETGRAPH_PPPOE
+options NETGRAPH_PPTPGRE
+options NETGRAPH_SOCKET
+options NETGRAPH_TEE
+options NETGRAPH_UI
+options NETGRAPH_VJC
+
+pseudo-device crypto
+pseudo-device cryptodev
+device hifn
diff --git a/build/kernelconfigs/M0N0WALL_NET45XX b/build/kernelconfigs/M0N0WALL_NET45XX
new file mode 100644
index 0000000..aaa9b72
--- /dev/null
+++ b/build/kernelconfigs/M0N0WALL_NET45XX
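Review bot: `options IPFIREWALL_DEFAULT_TO_ACCEPT` sits directly under `options IPFILTER_DEFAULT_BLOCK` with no comment, so the config reads as fail-closed and fail-open at once. ipfw is only built as a module here (`MODULES_OVERRIDE="dummynet if_tap if_vlan ipfw"`), presumably to carry dummynet shaping while IPFilter does the actual filtering; if that is the intent, state it on the line, e.g. `options IPFIREWALL_DEFAULT_TO_ACCEPT #ipfw is loaded for dummynet only; IPFilter enforces policy`. The same uncommented pair appears in M0N0WALL_NET45XX, M0N0WALL_NET48XX and M0N0WALL_WRAP. `UCONSOLE` and `KTRACE` also look inherited from the stock config and may not be needed on an appliance image; worth confirming before they become permanent.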
@@ -0,0 +1,121 @@
+
+machine i386
+cpu I486_CPU
+ident M0N0WALL_NET45XX
+maxusers 0
+options INCLUDE_CONFIG_FILE
+
+#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
+makeoptions MODULES_OVERRIDE="dummynet if_tap if_vlan ipfw"
+
+options INET #InterNETworking
+options FAST_IPSEC
+options FFS #Berkeley Fast Filesystem
+options FFS_ROOT #FFS usable as root device [keep this!]
+options SOFTUPDATES #Enable FFS soft updates support
+options MFS #Memory Filesystem
+options MD_ROOT #MD is a potential root device
+options PROCFS #Process filesystem
+options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
+options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
+options UCONSOLE #Allow users to grab the console
+options KTRACE #ktrace(1) support
+options SYSVSHM #SYSV-style shared memory
+options SYSVMSG #SYSV-style message queues
+options SYSVSEM #SYSV-style semaphores
+options P1003_1B #Posix P1003_1B real-time extensions
+options _KPOSIX_PRIORITY_SCHEDULING
+options ICMP_BANDLIM #Rate limit bad replies
+
+options CLK_USE_I8254_CALIBRATION
+options CPU_ELAN
+options HZ=1000
+
+options IPFILTER
+options IPFILTER_LOG
+options IPFILTER_DEFAULT_BLOCK
+options IPSTATE_SIZE=42859
+options IPSTATE_MAX=30000
+options IPFILTER_MSSCLAMP_FORCE
+options IPFIREWALL_DEFAULT_TO_ACCEPT
+
+options BRIDGE
+options DEVICE_POLLING
+
+options NO_SWAPPING
+
+device isa
+device pci
+
+# ATA and ATAPI devices
+device ata0 at isa? port IO_WD1 irq 14
+device ata1 at isa? port IO_WD2 irq 15
+device ata
+device atadisk # ATA disk drives
+options ATA_STATIC_ID #Static device numbering
+
+# Floating point support - do not disable.
+device npx0 at nexus? port IO_NPX irq 13
+
+# Power management support (see LINT for more options)
+device apm0 at nexus? disable flags 0x20 # Advanced Power Management
+
+# PCCARD (PCMCIA) support
+device card
+device pcic0 at isa? irq 0 port 0x3e0 iomem 0xd0000
+device pcic1 at isa? irq 0 port 0x3e2 iomem 0xd4000 disable
+
+# Serial (COM) ports
+device sio0 at isa? port IO_COM1 flags 0x30 irq 4
+device sio1 at isa? port IO_COM2 irq 3
+device sio2 at isa? disable port IO_COM3 irq 5
+device sio3 at isa? disable port IO_COM4 irq 9
+
+# PCI Ethernet NICs that use the common MII bus controller code.
+# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
+device miibus # MII bus support
+device sis # Silicon Integrated Systems SiS 900/SiS 7016
+
+# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
+# exists only as a PCMCIA device, so there is no ISA attachment needed
+# and resources will always be dynamically assigned by the pccard code.
+device wi
+
+# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
+# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
+# mode (the factory default). If you set the switches on your ISA
+# card for a manually chosen I/O address and IRQ, you must specify
+# those parameters here.
+device an
+
+# Pseudo devices - the number indicates how many units to allocate.
+pseudo-device loop # Network loopback
+pseudo-device ether # Ethernet support
+pseudo-device tun # Packet tunnel.
+pseudo-device pty # Pseudo-ttys (telnet etc)
+pseudo-device md # Memory "disks"
+pseudo-device gif # IPv6 and IPv4 tunneling
+
+# The `bpf' pseudo-device enables the Berkeley Packet Filter.
+# Be aware of the administrative consequences of enabling this!
+pseudo-device bpf #Berkeley packet filter
+
+options NETGRAPH #netgraph(4) system
+options NETGRAPH_ASYNC
+options NETGRAPH_BPF
+options NETGRAPH_ETHER
+options NETGRAPH_IFACE
+options NETGRAPH_KSOCKET
+options NETGRAPH_L2TP
+options NETGRAPH_MPPC_ENCRYPTION
+options NETGRAPH_PPP
+options NETGRAPH_PPPOE
+options NETGRAPH_PPTPGRE
+options NETGRAPH_SOCKET
+options NETGRAPH_TEE
+options NETGRAPH_UI
+options NETGRAPH_VJC
+
+pseudo-device crypto
+pseudo-device cryptodev
+device hifn
diff --git a/build/kernelconfigs/M0N0WALL_NET48XX b/build/kernelconfigs/M0N0WALL_NET48XX
new file mode 100644
index 0000000..13943b2
--- /dev/null
+++ b/build/kernelconfigs/M0N0WALL_NET48XX
@@ -0,0 +1,126 @@
+
+machine i386
+cpu I586_CPU
+ident M0N0WALL_NET48XX
+maxusers 0
+options INCLUDE_CONFIG_FILE
+
+#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
+makeoptions MODULES_OVERRIDE="dummynet if_tap if_vlan ipfw"
+
+options INET #InterNETworking
+options FAST_IPSEC
+options FFS #Berkeley Fast Filesystem
+options FFS_ROOT #FFS usable as root device [keep this!]
+options SOFTUPDATES #Enable FFS soft updates support
+options MFS #Memory Filesystem
+options MD_ROOT #MD is a potential root device
+options PROCFS #Process filesystem
+options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
+options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
+options UCONSOLE #Allow users to grab the console
+options KTRACE #ktrace(1) support
+options SYSVSHM #SYSV-style shared memory
+options SYSVMSG #SYSV-style message queues
+options SYSVSEM #SYSV-style semaphores
+options P1003_1B #Posix P1003_1B real-time extensions
+options _KPOSIX_PRIORITY_SCHEDULING
+options ICMP_BANDLIM #Rate limit bad replies
+
+options HZ=1000
+
+options IPFILTER
+options IPFILTER_LOG
+options IPFILTER_DEFAULT_BLOCK
+options IPSTATE_SIZE=42859
+options IPSTATE_MAX=30000
+options IPFILTER_MSSCLAMP_FORCE
+options IPFIREWALL_DEFAULT_TO_ACCEPT
+
+options BRIDGE
+options DEVICE_POLLING
+
+options NO_SWAPPING
+
+device isa
+device pci
+
+# ATA and ATAPI devices
+device ata0 at isa? port IO_WD1 irq 14
+device ata1 at isa? port IO_WD2 irq 15
+device ata
+device atadisk # ATA disk drives
+options ATA_STATIC_ID #Static device numbering
+
+# Floating point support - do not disable.
+device npx0 at nexus? port IO_NPX irq 13
+
+# Power management support (see LINT for more options)
+device apm0 at nexus? disable flags 0x20 # Advanced Power Management
+
+# Serial (COM) ports
+device sio0 at isa? port IO_COM1 flags 0x30 irq 4
+device sio1 at isa? port IO_COM2 irq 3
+device sio2 at isa? disable port IO_COM3 irq 5
+device sio3 at isa? disable port IO_COM4 irq 9
+
+# PCI Ethernet NICs that use the common MII bus controller code.
+# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
+device miibus # MII bus support
+device sis # Silicon Integrated Systems SiS 900/SiS 7016
+
+# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
+# exists only as a PCMCIA device, so there is no ISA attachment needed
+# and resources will always be dynamically assigned by the pccard code.
+device wi
+
+# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
+# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
+# mode (the factory default). If you set the switches on your ISA
+# card for a manually chosen I/O address and IRQ, you must specify
+# those parameters here.
+device an
+
+# Pseudo devices - the number indicates how many units to allocate.
+pseudo-device loop # Network loopback
+pseudo-device ether # Ethernet support
+pseudo-device tun # Packet tunnel.
+pseudo-device pty # Pseudo-ttys (telnet etc)
+pseudo-device md # Memory "disks"
+pseudo-device gif # IPv6 and IPv4 tunneling
+
+# The `bpf' pseudo-device enables the Berkeley Packet Filter.
+# Be aware of the administrative consequences of enabling this!
+pseudo-device bpf #Berkeley packet filter
+
+options NETGRAPH #netgraph(4) system
+options NETGRAPH_ASYNC
+options NETGRAPH_BPF
+options NETGRAPH_ETHER
+options NETGRAPH_IFACE
+options NETGRAPH_KSOCKET
+options NETGRAPH_L2TP
+options NETGRAPH_MPPC_ENCRYPTION
+options NETGRAPH_PPP
+options NETGRAPH_PPPOE
+options NETGRAPH_PPTPGRE
+options NETGRAPH_SOCKET
+options NETGRAPH_TEE
+options NETGRAPH_UI
+options NETGRAPH_VJC
+
+pseudo-device crypto
+pseudo-device cryptodev
+device hifn
+
+# USB support
+device ohci # OHCI PCI->USB interface
+device usb # USB Bus (required)
+device ugen # Generic
+device uhid # "Human Interface Devices"
+device ukbd # Keyboard
+# USB Ethernet, requires mii
+device aue # ADMtek USB ethernet
+device cue # CATC USB ethernet
+device kue # Kawasaki LSI USB ethernet
+device rue
diff --git a/build/kernelconfigs/M0N0WALL_WRAP b/build/kernelconfigs/M0N0WALL_WRAP
new file mode 100644
index 0000000..d7f7816
--- /dev/null
+++ b/build/kernelconfigs/M0N0WALL_WRAP
@@ -0,0 +1,113 @@
+
+machine i386
+cpu I586_CPU
+ident M0N0WALL_WRAP
+maxusers 0
+options INCLUDE_CONFIG_FILE
+
+#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
+makeoptions MODULES_OVERRIDE="dummynet if_tap if_vlan ipfw"
+
+options INET #InterNETworking
+options FAST_IPSEC
+options FFS #Berkeley Fast Filesystem
+options FFS_ROOT #FFS usable as root device [keep this!]
+options SOFTUPDATES #Enable FFS soft updates support
+options MFS #Memory Filesystem
+options MD_ROOT #MD is a potential root device
+options PROCFS #Process filesystem
+options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
+options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
+options UCONSOLE #Allow users to grab the console
+options KTRACE #ktrace(1) support
+options SYSVSHM #SYSV-style shared memory
+options SYSVMSG #SYSV-style message queues
+options SYSVSEM #SYSV-style semaphores
+options P1003_1B #Posix P1003_1B real-time extensions
+options _KPOSIX_PRIORITY_SCHEDULING
+options ICMP_BANDLIM #Rate limit bad replies
+
+options HZ=1000
+
+options IPFILTER
+options IPFILTER_LOG
+options IPFILTER_DEFAULT_BLOCK
+options IPSTATE_SIZE=42859
+options IPSTATE_MAX=30000
+options IPFILTER_MSSCLAMP_FORCE
+options IPFIREWALL_DEFAULT_TO_ACCEPT
+
+options BRIDGE
+options DEVICE_POLLING
+
+options NO_SWAPPING
+
+device isa
+device pci
+
+# ATA and ATAPI devices
+device ata
+device atadisk # ATA disk drives
+options ATA_STATIC_ID #Static device numbering
+options ATA_DISABLE_SLAVE
+
+# Floating point support - do not disable.
+device npx0 at nexus? port IO_NPX irq 13
+
+# Power management support (see LINT for more options)
+device apm0 at nexus? disable flags 0x20 # Advanced Power Management
+
+# Serial (COM) ports
+device sio0 at isa? port IO_COM1 flags 0x30 irq 4
+device sio1 at isa? disable port IO_COM2 irq 3
+device sio2 at isa? disable port IO_COM3 irq 5
+device sio3 at isa? disable port IO_COM4 irq 9
+
+# PCI Ethernet NICs that use the common MII bus controller code.
+# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
+device miibus # MII bus support
+device sis # Silicon Integrated Systems SiS 900/SiS 7016
+
+# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
+# exists only as a PCMCIA device, so there is no ISA attachment needed
+# and resources will always be dynamically assigned by the pccard code.
+device wi
+
+# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
+# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
+# mode (the factory default). If you set the switches on your ISA
+# card for a manually chosen I/O address and IRQ, you must specify
+# those parameters here.
+device an
+
+# Pseudo devices - the number indicates how many units to allocate.
+pseudo-device loop # Network loopback
+pseudo-device ether # Ethernet support
+pseudo-device tun # Packet tunnel.
+pseudo-device pty # Pseudo-ttys (telnet etc)
+pseudo-device md # Memory "disks"
+pseudo-device gif # IPv6 and IPv4 tunneling
+
+# The `bpf' pseudo-device enables the Berkeley Packet Filter.
+# Be aware of the administrative consequences of enabling this!
+pseudo-device bpf #Berkeley packet filter
+
+options NETGRAPH #netgraph(4) system
+options NETGRAPH_ASYNC
+options NETGRAPH_BPF
+options NETGRAPH_ETHER
+options NETGRAPH_IFACE
+options NETGRAPH_KSOCKET
+options NETGRAPH_L2TP
+options NETGRAPH_MPPC_ENCRYPTION
+options NETGRAPH_PPP
+options NETGRAPH_PPPOE
+options NETGRAPH_PPTPGRE
+options NETGRAPH_SOCKET
+options NETGRAPH_TEE
+options NETGRAPH_UI
+options NETGRAPH_VJC
+
+pseudo-device crypto
+pseudo-device cryptodev
+device hifn
diff --git a/build/minibsd/m0n0wall.files b/build/minibsd/m0n0wall.files
new file mode 100644
index 0000000..dfb2e28
--- /dev/null
+++ b/build/minibsd/m0n0wall.files
@@ -0,0 +1,82 @@ +# contents of /bin +bin/[:bin/test +bin/cat +bin/chmod +bin/cp +bin/date +bin/dd +bin/df +bin/echo +bin/expr +bin/hostname +bin/kill +bin/ls +bin/mkdir +bin/mv +bin/ps +bin/rm +bin/sh +bin/sleep +bin/stty +bin/sync + +# contents of /sbin +sbin/adjkerntz +sbin/dhclient +sbin/dhclient-script +sbin/dmesg +sbin/fastboot:sbin/fasthalt:sbin/halt:sbin/reboot +sbin/ifconfig +sbin/init +sbin/ipf +sbin/ipfs +sbin/ipfstat +sbin/ipfw +sbin/ipmon +sbin/ipnat +sbin/kldload +sbin/kldunload +sbin/ldconfig +sbin/mount +sbin/mount_fdesc:sbin/mount_linprocfs:sbin/mount_procfs:sbin/mount_std +sbin/mount_mfs +sbin/mount_msdos +sbin/mount_null +sbin/mount_umap +sbin/mount_union +sbin/nologin +sbin/ping +sbin/reboot +sbin/route +sbin/shutdown +sbin/sysctl +sbin/umount + +# contents of /usr/bin +usr/bin/gzip:usr/bin/gunzip +usr/bin/killall +usr/bin/logger +usr/bin/netstat +usr/bin/nohup +usr/bin/su +usr/bin/tail +usr/bin/tar +usr/bin/top +usr/bin/touch +usr/bin/uptime:usr/bin/w + +# contents of usr/sbin +usr/sbin/ancontrol +usr/sbin/arp +usr/sbin/chown +usr/sbin/chroot +usr/sbin/dev_mkdb +usr/sbin/nsupdate +usr/sbin/pccardd +usr/sbin/pwd_mkdb +usr/sbin/setkey +usr/sbin/traceroute +usr/sbin/wicontrol + +# contents of /usr/libexec +usr/libexec/ld-elf.so.1 diff --git a/build/minibsd/mklibs.pl b/build/minibsd/mklibs.pl new file mode 100644 index 0000000..1e7bd9f --- /dev/null +++ b/build/minibsd/mklibs.pl 
@@ -0,0 +1,37 @@ +#!/usr/bin/perl + +# arguments: binaries_tree + +use File::Find; + +exit unless $#ARGV == 0; + +undef @liblist; + +# check_libs(path) +sub check_libs { + @filestat = stat($File::Find::name); + + if ((($filestat[2] & 0170000) == 0100000) && + ($filestat[2] & 0111) && (!/.ko$/)) { + + @curlibs = qx{/usr/bin/ldd -f "%p\n" $File::Find::name 2>/dev/null}; + + push(@liblist, @curlibs); + } +} + +# walk the directory tree +find(\&check_libs, $ARGV[0]); + +# throw out dupes +undef %hlib; +@hlib{@liblist} = (); +@liblist = sort keys %hlib; + +foreach $lib (@liblist) { + $lib = substr($lib, 1); +} + +print @liblist; + diff --git a/build/minibsd/mkmini.pl b/build/minibsd/mkmini.pl new file mode 100644 index 0000000..3e502f5 --- /dev/null +++ b/build/minibsd/mkmini.pl @@ -0,0 +1,46 @@ +#!/usr/bin/perl + +# arguments: source_tree dest_tree + +use File::Copy; + +exit unless $#ARGV == 2; + +print "Populating MiniBSD tree: $ARGV[2]\n"; + +# populate_tree(treefile, srcpath, destpath) +sub populate_tree { + my @args = @_; + + open TREEFILE, $args[0]; + + TREE: while () { + + next TREE if /^#/; + next TREE if /^ *$/; + + @srcfiles = split(/:/); + chomp @srcfiles; + + $srcfile = shift(@srcfiles); + @srcstat = stat($args[1] . "/" . $srcfile); + + if (copy($args[1] . "/" . $srcfile, $args[2] . "/" . $srcfile)) { + printf "Copy $args[1]/$srcfile -> $args[2]/$srcfile ($srcstat[4]/$srcstat[5]/%04o)\n", ($srcstat[2] & 07777); + chown $srcstat[4], $srcstat[5], $args[2] . "/" . $srcfile; + chmod $srcstat[2] & 07777, $args[2] . "/" . $srcfile; + } else { + print "ERROR while copying file $args[1]/$srcfile\n"; + } + + foreach $lnfile (@srcfiles) { + if (link($args[2] . "/" . $srcfile, $args[2] . "/" . $lnfile)) { + print "Link $args[2]/$srcfile -> $args[2]/$lnfile\n"; + } else { + print "ERROR while linking file $args[2]/$srcfile\n"; + } + } + } +} + +populate_tree $ARGV[0], $ARGV[1], $ARGV[2]; 
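Review bot: In `check_libs` of mklibs.pl the path from `File::Find` is interpolated unquoted into a `qx{}` shell command, so a file name in the binaries tree that contains whitespace or shell metacharacters is split or interpreted by `/bin/sh` on the build host. Running ldd without a shell avoids this: `open(my $ldd, '-|', '/usr/bin/ldd', '-f', "%p\n", $File::Find::name) or return;` followed by `push(@liblist, <$ldd>); close($ldd);` (ldd's stderr then needs silencing some other way, since the `2>/dev/null` redirect goes with the shell). The module filter `!/.ko$/` also has an unescaped dot and skips any name ending in a character plus `ko`; `!/\.ko$/` matches only the extension. `exit unless $#ARGV == 0;` leaves with status 0 and no message on a wrong argument count, so a calling build script cannot see the failure.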
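Review bot: mkmini.pl reports copy and link failures with `print "ERROR ..."` but carries on and exits 0, so an image can be produced with a listed binary (for example `sbin/ipf`) missing and the build still looks successful. The list file is opened with an unchecked two-argument `open TREEFILE, $args[0];`; `open(TREEFILE, '<', $args[0]) or die "cannot open $args[0]: $!\n";` fails loudly and keeps mode characters in the file name from being interpreted. The results of `chown` and `chmod` are ignored as well, which matters for entries such as `usr/bin/su` whose owner and mode bits are what is being copied; counting failures and ending with a non-zero exit status when the count is not zero would cover all three. The header comment says `arguments: source_tree dest_tree` while the guard `$#ARGV == 2` and the final call require three (treefile, source, destination), so the comment should list all of them.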
diff --git a/build/patches/boot/boot-wrap.patch b/build/patches/boot/boot-wrap.patch new file mode 100644 index 0000000..6fa1833 --- /dev/null +++ b/build/patches/boot/boot-wrap.patch @@ -0,0 +1,15 @@ +--- sys/boot.orig/i386/boot2/boot1.s Sat Apr 30 10:14:27 2005 ++++ sys/boot/i386/boot2/boot1.s Sat Apr 30 10:32:38 2005 +@@ -195,7 +195,11 @@ + xorb %al,%al # Zero assumed bss from + rep # the end of boot2.bin + stosb # up to 0x10000 +- callw seta20 # Enable A20 ++# callw seta20 # Enable A20 ++ nop ++ nop ++ nop ++ nop + jmp start+MEM_JMP-MEM_ORG # Start BTX + # + # Enable A20 so we can access memory above 1 meg. diff --git a/build/patches/boot/boot.patch b/build/patches/boot/boot.patch new file mode 100644 index 0000000..3ba7163 --- /dev/null +++ b/build/patches/boot/boot.patch @@ -0,0 +1,29 @@ +diff -u -r sys/boot.orig/i386/boot2/boot1.s sys/boot/i386/boot2/boot1.s +--- sys/boot.orig/i386/boot2/boot1.s Wed Aug 15 00:55:29 2001 ++++ sys/boot/i386/boot2/boot1.s Sat Apr 30 10:14:27 2005 +@@ -297,8 +297,11 @@ + subb %ah,%al # Sectors this track + mov 0x2(%bp),%ah # Blocks to read + cmpb %ah,%al # To read +- jb read.2 # this +- movb %ah,%al # track ++# jb read.2 # this ++# movb %ah,%al # track ++ movb $1,%al ++ nop ++ nop + read.2: mov $0x5,%di # Try count + read.3: les 0x4(%bp),%bx # Transfer buffer + push %ax # Save +diff -u -r sys/boot.orig/i386/libi386/biosdisk.c sys/boot/i386/libi386/biosdisk.c +--- sys/boot.orig/i386/libi386/biosdisk.c Wed Jan 28 17:28:50 2004 ++++ sys/boot/i386/libi386/biosdisk.c Sat Apr 30 10:13:31 2005 +@@ -846,6 +846,8 @@ + maxfer = 0; + } + ++ maxfer = 1; ++ + while (resid > 0) { + x = dblk; + cyl = x / bpc; /* block # / blocks per cylinder */ diff --git a/build/patches/kernel/README-ipfilter3435.txt b/build/patches/kernel/README-ipfilter3435.txt new file mode 100644 index 0000000..bb9f4d4 --- /dev/null +++ b/build/patches/kernel/README-ipfilter3435.txt 
@@ -0,0 +1,140 @@ + + Changes to IPFilter 3.4.35 + -------------------------- + +1) The BSD version conditionals in the definitions of IFNAME and struct ipflog +have been updated to handle later FreeBSD 5.x versions correctly. FreeBSD was +the last BSD variant to incorporate the change from the if_name/if_unit to +if_xname in naming interfaces, and the change wasn't taken into account in all +places. The affected files are ip_compat.h and ip_fil.h. Note that there may +be additional fixes for this needed in ip_fil.c, but they only appear to relate +to the userland build. + +2) The include of FreeBSD's opt_ipfilter.h in fil.c was too late to override +default parameters, so it was moved earlier. + +3) M0n0wall's "forced MSS clamping" hack has been incorporated under the +conditional IPFILTER_MSSCLAMP_FORCE, which defaults off. The affected files +are ip_nat.h, ip_nat.c, mlfk_ipl.c, and mlf_ipl.c. + +4) The window scaling bug previously fixed in 3.4.33 has been fixed again. The +affected file is ip_state.c. + +5) The code for adjusting checksums in NATted ICMP errors has been fixed again, +since it was still failing in some cases. The affected file is ip_nat.c. + +6) The NAT checksum adjustment routines have been fixed to perform a normal sum, +rather than doing the computation "upside down". This prefers the -0 result, +and therefore doesn't risk adjusting a UDP checksum to "disabled". Either form +of zero is acceptable for non-UDP cases. + +7) The filter code no longer treats the ICMP sequence number as part of the key +for the state entry. This means that a sequence of pings now uses a single +state entry (unless the pings are spaced farther apart than the state lifetime), +and the stats in the entry reflect the ongoing stream. This behavior avoids +keeping multiple state entries for a single ping stream, including potentially +filling the entire state table during flood pings. 
+ +8) Since ICMP state entries are now usefully recycled, the default "ack" timeout +has been increased to the same 60 seconds as the default request timeout. + +9) The code for matching ICMP (v4) query replies against requests now handles +all four supported reply types, rather than just echo reply. + + + Notes on ICMP Checksum Issues + ----------------------------- + +The NAT ICMP error checksum adjustments have been the subject of many rounds of +tweaking, and still weren't right. Even some workimng cases were being handled +in an unnecessarily roundabout and confusing way (e.g. adding double corrections +when the real problem was that the correction had originally been applied in the +wrong direction. The code has been reworked more than minimally, but less than +it really should be. The general flow (for the embedded packet) is: + +1) The IP address difference is applied (oppositely) to the IP header checksum. +It is not directly applied to the ICMP checksum, since the header checksum +change cancels the address change. To put it another way, all valid IP headers +have an overall checksum of 0, so any change that transforms one valid IP header +into another is guaranteed to be checksum-neutral. + +2) For TCP and UDP, the IP address change is applied to the TCP/UDP checksum (if +present) due to its effect on the pseudo-header, and any such adjustment is +applied (oppositely) to the ICMP checksum in compensation. This does not require +"observing" the TCP/UDP checksum change, since the difference is precisely the +correction just applied. For UDP, "present" means not being +0, while for TCP, +"present" means being within the included portion of the offending packet. + +3) For TCP and UDP, any port number change is applied (oppositely) to the ICMP +checksum, to compensate the change in the port number field. 
+ +4) For TCP and UDP, any port number change is applied (oppositely) to the +TCP/UDP checksum (if present), and any such change is applied (non-oppositely) +to the ICMP checksum. If present, this adjustment cancels the effect of #3. + +5) The accumulated ICMP checksum adjustment is applied, without any extra +complement or bizarre direction-dependent increment. + + + Notes on General Checksum Issues + -------------------------------- + +Since the ones-complement representation has two possible zero values (0 and +~0), implementations vary as to which zero result is produced in which cases. In +fact, hardware implementations are actually nondeterministic in this regard +without special logic to force a preference. The only IP-related checksum whose +zero value is precisely specified is the UDP checksum, where the +0 value is +reserved for "none", requiring the ~0 form to be used for "real" zero. + +The most common software implementation of ones-complement add produces the ~0 +result in almost all cases, so the "complement of the sum" language in the +specification of various IP-related checksums *could* be construed as preferring +the +0 form. But since it doesn't explicitly specify the zero preference of the +underlying sum, that can't necessarily be assumed. The real intent of the +checksum definition is to provide a value which causes the overall checksum of +the entire set of bytes (including the checksum) to be zero, hence making the +checksum the complement of the sum of everything else. This condition is met by +either form of zero, something which is mentioned in the discussion of the UDP +checksum in RFC1122. + +It's also worth noting that if an implementation used the same checksum check +code for non-UDP checksums as for UDP checksums, it might erroneously regard ++0 non-UDP checksums as absent. While this behavior is clearly incorrect, it +can be avoided by preferring ~0 checksums for non-UDP cases as well. 
+ +Thus, an argument can be made for using the ~0 representation for zero checksums +in all cases, which is also the natural result of using a UDP-compatible +calculation in other places. The only way to prefer +0 for non-UDP checksums +while generating the required ~0 in the UDP case would be to use different +calculations for UDP and non-UDP cases, which is almost certainly not necessary +and probably not desirable. + +With regard to the meaning of "prefer", let's use "@" to represent ones- +complement addition. For any "natural" @ operation, the three cases that +produce mathematically zero results are as follows: + + +0 @ +0 -> +0 always + ~0 @ ~0 -> ~0 always + x @ ~x -> +0 or ~0, depending on implementation + +The most common form (end-around carry initially presumed false) prefers the ~0 +result in the last case, meaning that the only time the result can be +0 is when +all summands are +0. Thus, as long as at least one bit in the checksummed area +can be guaranteed nonzero, the normal calculation can be used to produce the ~0 +form of zero without any special check. + + +Note that the proper way to compute a ones-complement difference is to compute a +ones-complement sum using the *ones* complement of the subtrahend. I.e the +ones-complement equivalent of (x - y) is (x @ ~y). Twos-complement subtraction +can't be used unless an "end-around borrow" is also included, and the result +then has a +0 preference. + + +As noted in RFC1071, all checksum calculations can be performed in network byte +order on any processor, althought the unnecessary byte swapping hasn't been +removed from IPFilter. + + Fred Wright + fw@well.com + 5-Apr-2005 diff --git a/build/patches/kernel/README-ppp.txt b/build/patches/kernel/README-ppp.txt new file mode 100644 index 0000000..62c30c2 --- /dev/null +++ b/build/patches/kernel/README-ppp.txt 
@@ -0,0 +1,55 @@
+
+ PFC Workaround in Netgraph PPP Implementation
+ ---------------------------------------------
+
+An interoperability problem has arisen when using certain broken PPTP
+implementations with the netgraph PPTP/PPP code. This is, at least in part,
+due to a lack of clear specification in the RFCs as to whether protocol-field
+compression should be allowed for additional nested PPP encapsulations. It
+is never explicitly stated whether the LCP-negotiated PFC enable is to apply
+to additional levels. Although the PPP protocol encoding was designed to be
+self-describing with respect to PFC, and hence the robustness principle dictates
+that it should always be accepted by the receiver, in practice there are
+implementations that choke on unexpected PFC.
+
+Part of the problem arises because, when Multilink PPP is in use, most levels
+of protocol type are per-bundle rather than per-link, but there are no LCP
+negotiations at the bundle level. Thus, the PFC enable is conceptually
+nonexistent in the protocol for some protocol levels. However, RFC1990 does
+suggest using the PFC enable from the first link to determine the bundle's use
+of PFC.
+
+There are three places in ng_ppp.c where PPP protocol types are inserted, with
+possible PFC. Two are used only at the bundle level, and normally enable PFC
+unconditionally. The third could be used at either the link or bundle level,
+and uses the link's PFC enable in the latter case while unconditionally enabling
+it in the former.
+
+The initially recommended patch to get around the buggy peer involved disabling
+PFC in the two calls where it was unconditionally true. This of course means
+disabling PFC even in cases where it works. The version of ng_ppp.c released
+with FreeBSD 4.11 made this change in *one of* the two places (perhaps the only
+one immediately causing trouble) while leaving the other alone. The version
+released with FreeBSD 5.3 did not have this change at all.
+
+The modification to ng_ppp.c here changes all three bundle-level protocol-type
+insertions to use the PFC enable from the first link as the condition. While
+this is not completely ideal, it does permit PFC to be used everywhere when it
+doesn't cause trouble, while also permitting it to be disabled by configuration
+at either end. In particular, it can be disabled in buggy peers without
+penalizing others.
+
+A more flexible approach would be to introuduce a bundle-level PFC enable in
+the configuration parameters, perhaps even three separate enables (one for each
+instance in the code). That would allow the userland code to decide where PFC
+is permitted, without further kernel changes. Probably the most reasonable
+default would be to derive those enables from the first link (as is hard-coded
+now), or perhaps even from the AND across all links.
+
+
+Although RFC1990 suggests taking alignment considerations into account when
+deciding whether or not to use PFC, that issue is not addressed by this change.
+
+ Fred Wright
+ fw@well.com
+ 5-Apr-2005
diff --git a/build/patches/kernel/kernel-411.patch b/build/patches/kernel/kernel-411.patch
new file mode 100644
index 0000000..2d31230
--- /dev/null
+++ b/build/patches/kernel/kernel-411.patch
@@ -0,0 +1,1593 @@ +diff -u -r sys.orig/conf/options sys/conf/options +--- sys.orig/conf/options Mon Apr 19 08:02:17 2004 ++++ sys/conf/options Sun Apr 24 10:02:07 2005 +@@ -252,6 +252,7 @@ + + # Options used in the 'ata' ATA/ATAPI driver + ATA_STATIC_ID opt_ata.h ++ATA_DISABLE_SLAVE opt_ata.h + + # Net stuff. + ACCEPT_FILTER_DATA +@@ -280,6 +281,12 @@ + IPFILTER opt_ipfilter.h + IPFILTER_LOG opt_ipfilter.h + IPFILTER_DEFAULT_BLOCK opt_ipfilter.h ++# Existing options made configurable for m0n0wall ++IPSTATE_SIZE opt_ipfilter.h ++IPSTATE_MAX opt_ipfilter.h ++# New options for m0n0wall ++IPFILTER_MSSCLAMP_FORCE opt_ipfilter.h ++# End of m0n0wall additions + IPFIREWALL opt_ipfw.h + IPFW2 opt_ipfw.h + IPFIREWALL_VERBOSE opt_ipfw.h +diff -u -r sys.orig/contrib/ipfilter/netinet/fil.c sys/contrib/ipfilter/netinet/fil.c +--- sys.orig/contrib/ipfilter/netinet/fil.c Thu Dec 16 21:43:51 2004 ++++ sys/contrib/ipfilter/netinet/fil.c Sun Apr 24 08:51:20 2005 +@@ -68,6 +68,12 @@ + # include + # include + #endif ++# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) ++# include ++# if defined(_KERNEL) && !defined(IPFILTER_LKM) ++# include "opt_ipfilter.h" ++# endif ++# endif + #include + #include + #include +@@ -85,12 +91,6 @@ + #include "netinet/ip_state.h" + #include "netinet/ip_proxy.h" + #include "netinet/ip_auth.h" +-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) +-# include +-# if defined(_KERNEL) && !defined(IPFILTER_LKM) +-# include "opt_ipfilter.h" +-# endif +-# endif + #ifndef MIN + # define MIN(a,b) (((a)<(b))?(a):(b)) + #endif +diff -u -r sys.orig/contrib/ipfilter/netinet/ip_compat.h sys/contrib/ipfilter/netinet/ip_compat.h +--- sys.orig/contrib/ipfilter/netinet/ip_compat.h Sun Jul 4 11:24:38 2004 ++++ sys/contrib/ipfilter/netinet/ip_compat.h Sun Apr 24 08:51:20 2005 +@@ -545,7 +545,8 @@ + # ifndef linux + # define GETUNIT(n, v) ifunit(n) + # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ +- (defined(OpenBSD) && 
(OpenBSD >= 199603)) ++ (defined(OpenBSD) && (OpenBSD >= 199603)) || \ ++ (defined(__FreeBSD_version) && (__FreeBSD_version >= 501113)) + # define IFNAME(x) ((struct ifnet *)x)->if_xname + # else + # define USE_GETIFNAME 1 +diff -u -r sys.orig/contrib/ipfilter/netinet/ip_fil.h sys/contrib/ipfilter/netinet/ip_fil.h +--- sys.orig/contrib/ipfilter/netinet/ip_fil.h Mon Jul 5 08:02:35 2004 ++++ sys/contrib/ipfilter/netinet/ip_fil.h Sun Apr 24 08:51:20 2005 +@@ -430,7 +430,8 @@ + + typedef struct ipflog { + #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ +- (defined(OpenBSD) && (OpenBSD >= 199603)) ++ (defined(OpenBSD) && (OpenBSD >= 199603)) || \ ++ (defined(__FreeBSD_version) && (__FreeBSD_version >= 501113)) + char fl_ifname[LIFNAMSIZ]; + #else + u_int fl_unit; +diff -u -r sys.orig/contrib/ipfilter/netinet/ip_nat.c sys/contrib/ipfilter/netinet/ip_nat.c +--- sys.orig/contrib/ipfilter/netinet/ip_nat.c Fri Dec 17 03:24:30 2004 ++++ sys/contrib/ipfilter/netinet/ip_nat.c Mon May 9 01:38:17 2005 +@@ -127,6 +127,11 @@ + ipnat_t **rdr_rules = NULL; + hostmap_t **maptable = NULL; + ++#if IPFILTER_MSSCLAMP_FORCE ++int fr_mssclamp = 0; ++char fr_mssif[IFNAMSIZ] = ""; ++#endif /* IPFILTER_MSSCLAMP_FORCE */ ++ + u_long fr_defnatage = DEF_NAT_AGE, + fr_defnaticmpage = 6; /* 3 seconds */ + natstat_t nat_stats; +@@ -321,12 +326,13 @@ + *sp = n & 0xffff; + return; + } +- sum1 = (~ntohs(*sp)) & 0xffff; +- sum1 += (n); +- sum1 = (sum1 >> 16) + (sum1 & 0xffff); +- /* Again */ +- sum1 = (sum1 >> 16) + (sum1 & 0xffff); +- sumshort = ~(u_short)sum1; ++ /* Perform the adjustment in noninverted form ++ * in order to prefer the -0 result over the +0 result. ++ * Otherwise a UDP checksum could be "adjusted" to nonexistent. 
++ */ ++ sum1 = ntohs(*sp) + (~n & 0xFFFF); ++ /* One folding step is sufficient for a sum of two 16-bit operands */ ++ sumshort = (u_short)((sum1 >> 16) + (sum1 & 0xffff)); + *(sp) = htons(sumshort); + } + +@@ -348,16 +354,17 @@ + *sp = n & 0xffff; + return; + } ++ /* Perform the adjustment in noninverted form ++ * in order to prefer the -0 result over the +0 result ++ * Otherwise a UDP checksum could be "adjusted" to nonexistent. ++ */ + #ifdef sparc +- sum1 = (~(*sp)) & 0xffff; ++ sum1 = *sp + n; + #else +- sum1 = (~ntohs(*sp)) & 0xffff; ++ sum1 = ntohs(*sp) + n; + #endif +- sum1 += ~(n) & 0xffff; +- sum1 = (sum1 >> 16) + (sum1 & 0xffff); +- /* Again */ +- sum1 = (sum1 >> 16) + (sum1 & 0xffff); +- sumshort = ~(u_short)sum1; ++ /* One folding step is sufficient for a sum of two 16-bit operands */ ++ sumshort = (u_short)((sum1 >> 16) + (sum1 & 0xffff)); + *(sp) = htons(sumshort); + } + +@@ -385,12 +392,13 @@ + if (!n) + return; + +- sum1 = (~ntohs(*sp)) & 0xffff; +- sum1 += (n); +- sum1 = (sum1 >> 16) + (sum1 & 0xffff); +- /* Again */ +- sum1 = (sum1 >> 16) + (sum1 & 0xffff); +- sumshort = ~(u_short)sum1; ++ /* Perform the adjustment in noninverted form ++ * in order to prefer the -0 result over the +0 result ++ * Otherwise a UDP checksum could be "adjusted" to nonexistent. ++ */ ++ sum1 = ntohs(*sp) + (~n & 0xFFFF); ++ /* One folding step is sufficient for a sum of two 16-bit operands */ ++ sumshort = (u_short)((sum1 >> 16) + (sum1 & 0xffff)); + *(sp) = htons(sumshort); + } + +@@ -1757,7 +1765,8 @@ + + sum2 = LONG_SUM(ntohl(in.s_addr)); + +- CALC_SUMD(sum1, sum2, sumd); ++ CALC_SUMD(sum1, sum2, sumd); /* CKS of new-old IP */ ++ sumd = (sumd & 0xFFFF) + (sumd >> 16); /* Finish folding */ + + /* + * Fix IP checksum of the offending IP packet to adjust for +@@ -1788,17 +1797,14 @@ + * The UDP checksum is optional, only adjust it + * if it has been set. 
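Review bot: In the `fix_incksum` hunk (`@@ -348,16 +354,17 @@`) the new line `sum1 = ntohs(*sp) + n;` adds `n` unmasked and then folds once, but the comment's claim that one fold is sufficient only holds when `n` already fits in 16 bits. The call sites patched here fold `sumd` once with `(sumd & 0xFFFF) + (sumd >> 16)`, which can itself yield 0x10000, and with that input the single fold followed by the `(u_short)` cast can drop a carry. Either fold until the value fits, `while (sum1 >> 16) sum1 = (sum1 >> 16) + (sum1 & 0xffff);`, or state the precondition in the comment (`/* n must be <= 0xffff */`) and enforce it at the callers. The sibling `fix_outcksum` and `fix_datacksum` hunks mask with `~n & 0xFFFF`, so they stay within two 16-bit operands but silently discard any high bits of `n` under the same unstated precondition.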
+ */ +- sum1 = ntohs(udp->uh_sum); + fix_datacksum(&udp->uh_sum, sumd); +- sum2 = ntohs(udp->uh_sum); + + /* + * Fix ICMP checksum to compensate the UDP + * checksum adjustment. ++ * Since CKS adjustment was negative, this one is positive. + */ +- sumd2 = sumd << 1; +- CALC_SUMD(sum1, sum2, sumd); +- sumd2 += sumd; ++ sumd2 = sumd; + } + + /* +@@ -1808,23 +1814,14 @@ + * the TCP checksum (normally it does not!). + */ + else if ((oip->ip_p == IPPROTO_TCP) && (dlen >= 18)) { +- sum1 = ntohs(tcp->th_sum); + fix_datacksum(&tcp->th_sum, sumd); +- sum2 = ntohs(tcp->th_sum); + + /* + * Fix ICMP checksum to compensate the TCP + * checksum adjustment. ++ * Since CKS adjustment was negative, this one is positive. + */ +- sumd2 = sumd << 1; +- CALC_SUMD(sum1, sum2, sumd); +- sumd2 += sumd; +- } else { +- sumd2 = (sumd >> 16); +- if (nat->nat_dir == NAT_OUTBOUND) +- sumd2 = ~sumd2; +- else +- sumd2 = ~sumd2 + 1; ++ sumd2 = sumd; + } + + if (((flags & IPN_TCPUDP) != 0) && (dlen >= 4)) { +@@ -1847,103 +1844,46 @@ + * include the TCP checksum. So we have to check if the + * ip->ip_len actually holds the TCP checksum of the oip! + */ ++ ++ sumd = 0; /* Assume no port adjustment & no CKS change */ + if (nat->nat_oport == tcp->th_dport) { + if (tcp->th_sport != nat->nat_inport) { +- /* +- * Fix ICMP checksum to compensate port +- * adjustment. +- */ +- sum1 = ntohs(nat->nat_inport); +- sum2 = ntohs(tcp->th_sport); ++ sumd = ntohs(nat->nat_inport) ++ + (ntohs(tcp->th_sport) ^ 0xFFFF); + tcp->th_sport = nat->nat_inport; +- +- /* +- * Fix udp checksum to compensate port +- * adjustment. NOTE : the offending IP packet +- * flows the other direction compared to the +- * ICMP message. +- * +- * The UDP checksum is optional, only adjust +- * it if it has been set. 
+- */ +- if ((oip->ip_p == IPPROTO_UDP) && +- (dlen >= 8) && udp->uh_sum) { +- sumd = sum1 - sum2; +- sumd2 += sumd; +- +- sum1 = ntohs(udp->uh_sum); +- fix_datacksum(&udp->uh_sum, sumd); +- sum2 = ntohs(udp->uh_sum); +- +- /* +- * Fix ICMP checksum to compensate +- * UDP checksum adjustment. +- */ +- CALC_SUMD(sum1, sum2, sumd); +- sumd2 += sumd; +- } +- +- /* +- * Fix tcp checksum (if present) to compensate +- * port adjustment. NOTE : the offending IP +- * packet flows the other direction compared to +- * the ICMP message. +- */ +- if (oip->ip_p == IPPROTO_TCP) { +- if (dlen >= 18) { +- sumd = sum1 - sum2; +- sumd2 += sumd; +- +- sum1 = ntohs(tcp->th_sum); +- fix_datacksum(&tcp->th_sum, +- sumd); +- sum2 = ntohs(tcp->th_sum); +- +- /* +- * Fix ICMP checksum to +- * compensate TCP checksum +- * adjustment. +- */ +- CALC_SUMD(sum1, sum2, sumd); +- sumd2 += sumd; +- } else { +- sumd = sum2 - sum1 + 1; +- sumd2 += sumd; +- } +- } ++ } else if (tcp->th_dport != nat->nat_outport) { ++ sumd = ntohs(nat->nat_outport) ++ + (ntohs(tcp->th_dport) ^ 0xFFFF); ++ tcp->th_dport = nat->nat_outport; + } +- } else if (tcp->th_dport != nat->nat_outport) { ++ } ++ ++ if ( sumd ) { ++ sumd = (sumd >> 16) + (sumd & 0xFFFF); + /* + * Fix ICMP checksum to compensate port + * adjustment. ++ * Since sumd has new-old, CKS adjustment is negative. + */ +- sum1 = ntohs(nat->nat_outport); +- sum2 = ntohs(tcp->th_dport); +- tcp->th_dport = nat->nat_outport; ++ sumd2 += sumd ^ 0xFFFF; + + /* + * Fix udp checksum to compensate port +- * adjustment. NOTE : the offending IP +- * packet flows the other direction compared +- * to the ICMP message. ++ * adjustment. NOTE : the offending IP packet ++ * flows the other direction compared to the ++ * ICMP message. + * + * The UDP checksum is optional, only adjust + * it if it has been set. 
+ */ +- if ((oip->ip_p == IPPROTO_UDP) && +- (dlen >= 8) && udp->uh_sum) { +- sumd = sum1 - sum2; +- sumd2 += sumd; +- +- sum1 = ntohs(udp->uh_sum); ++ if ((oip->ip_p == IPPROTO_UDP) && (dlen >= 8) && udp->uh_sum) { + fix_datacksum(&udp->uh_sum, sumd); +- sum2 = ntohs(udp->uh_sum); +- + /* + * Fix ICMP checksum to compensate + * UDP checksum adjustment. ++ * Since UDP CKS adjustment was negative, this one is positive. + */ +- CALC_SUMD(sum1, sum2, sumd); ++ sumd2 += sumd; + } + + /* +@@ -1952,27 +1892,15 @@ + * packet flows the other direction compared to + * the ICMP message. + */ +- if (oip->ip_p == IPPROTO_TCP) { +- if (dlen >= 18) { +- sumd = sum1 - sum2; +- sumd2 += sumd; +- +- sum1 = ntohs(tcp->th_sum); +- fix_datacksum(&tcp->th_sum, sumd); +- sum2 = ntohs(tcp->th_sum); +- +- /* +- * Fix ICMP checksum to compensate +- * UDP checksum adjustment. +- */ +- CALC_SUMD(sum1, sum2, sumd); +- } else { +- sumd = sum2 - sum1; +- if (nat->nat_dir == NAT_OUTBOUND) +- sumd++; +- } ++ if ((oip->ip_p == IPPROTO_TCP) && (dlen >= 18)) { ++ fix_datacksum(&tcp->th_sum, sumd); ++ /* ++ * Fix ICMP checksum to compensate ++ * TCP checksum adjustment. ++ * Since TCP CKS adjustment was negative, this one is positive. ++ */ ++ sumd2 += sumd; + } +- sumd2 += sumd; + } + if (sumd2) { + sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); +@@ -2319,8 +2247,15 @@ + void *sifp; + u_32_t iph; + nat_t *nat; ++#if IPFILTER_MSSCLAMP_FORCE ++ int clamped = 0; ++ int retval = 0; ++ ++ if (fr_nat_lock) ++#else /* !IPFILTER_MSSCLAMP_FORCE */ + + if (nat_list == NULL || (fr_nat_lock)) ++#endif /* !IPFILTER_MSSCLAMP_FORCE */ + return 0; + + if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) && +@@ -2344,6 +2279,11 @@ + } + + ipa = fin->fin_saddr; ++ ++#if IPFILTER_MSSCLAMP_FORCE ++ if (nat_list == NULL) ++ goto ip_natout_mss; ++#endif /* IPFILTER_MSSCLAMP_FORCE */ + + READ_ENTER(&ipf_nat); + +@@ -2495,9 +2435,13 @@ + * only deal IPv4 for now. 
+ */ + if (nat->nat_mssclamp && +- (tcp->th_flags & TH_SYN) != 0) ++ (tcp->th_flags & TH_SYN) != 0) { + nat_mssclamp(tcp, nat->nat_mssclamp, + fin, csump); ++ #if IPFILTER_MSSCLAMP_FORCE ++ clamped = 1; ++ #endif /* IPFILTER_MSSCLAMP_FORCE */ ++ } + + MUTEX_EXIT(&nat->nat_lock); + } else if (fin->fin_p == IPPROTO_UDP) { +@@ -2527,6 +2471,7 @@ + } else + i = 1; + ATOMIC_INCL(nat_stats.ns_mapped[1]); ++#if !IPFILTER_MSSCLAMP_FORCE + RWLOCK_EXIT(&ipf_nat); /* READ */ + fin->fin_ifp = sifp; + return i; +@@ -2534,6 +2479,28 @@ + RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ + fin->fin_ifp = sifp; + return 0; ++#else /* IPFILTER_MSSCLAMP_FORCE */ ++ retval = i; ++ } ++ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ ++ ++ip_natout_mss: ++ /* Handle MSS clamping, if necessary */ ++ if (!clamped && (fr_mssclamp > 0) && (fr_mssif[0] != 0) && ++ (fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT) && ++ (fin->fin_p == IPPROTO_TCP)) { ++ ++ if ((tcp->th_flags & TH_SYN) != 0) { ++ ++ /* Does the interface name match? */ ++ if (strncmp(IFNAME(ifp), fr_mssif, IFNAMSIZ) == 0) ++ nat_mssclamp(tcp, fr_mssclamp, fin, &tcp->th_sum); ++ } ++ } ++ ++ fin->fin_ifp = sifp; ++ return retval; ++#endif /* IPFILTER_MSSCLAMP_FORCE */ + } + + +@@ -2555,8 +2522,14 @@ + int i, icmpset = 0; + nat_t *nat; + u_32_t iph; ++#if IPFILTER_MSSCLAMP_FORCE ++ int clamped = 0; ++ int retval = 0; + ++ if ((ip->ip_v != 4) || (fr_nat_lock)) ++#else /* !IPFILTER_MSSCLAMP_FORCE */ + if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock)) ++#endif /* !IPFILTER_MSSCLAMP_FORCE */ + return 0; + + if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) { +@@ -2574,6 +2547,11 @@ + in = fin->fin_dst; + /* make sure the source address is to be redirected */ + src = fin->fin_src; ++ ++#if IPFILTER_MSSCLAMP_FORCE ++ if (nat_list == NULL) ++ goto ip_natin_mss; ++#endif /* IPFILTER_MSSCLAMP_FORCE */ + + READ_ENTER(&ipf_nat); + +@@ -2718,9 +2696,13 @@ + * only deal IPv4 for now. 
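Review bot: The forced-clamp tail added under `ip_natout_mss:` accepts any `fr_mssclamp > 0`, so a sysctl write of a very small value would be applied to every SYN that matches the named interface; neither this hunk nor the `SYSCTL_INT` registration in mlfk_ipl.c bounds it. A lower bound in the condition would make a mistyped value harmless, for example `(fr_mssclamp >= FR_MSSCLAMP_MIN)` with the constant defined next to `fr_mssclamp` (the name is a placeholder, not something the patch defines). The block also dereferences `tcp` and `ifp`, which are assigned outside the hunk; it appears to rely on repeating the `fin_off`/`FI_SHORT`/`fin_p` test that guards the assignment, and a one-line comment saying so would help. The same block is repeated at `ip_natin_mss:` and could live in one static helper.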
+ */ + if (nat->nat_mssclamp && +- (tcp->th_flags & TH_SYN) != 0) ++ (tcp->th_flags & TH_SYN) != 0) { + nat_mssclamp(tcp, nat->nat_mssclamp, + fin, csump); ++ #if IPFILTER_MSSCLAMP_FORCE ++ clamped = 1; ++ #endif /* IPFILTER_MSSCLAMP_FORCE */ ++ } + + MUTEX_EXIT(&nat->nat_lock); + } else if (fin->fin_p == IPPROTO_UDP) { +@@ -2740,11 +2722,33 @@ + } + } + ATOMIC_INCL(nat_stats.ns_mapped[0]); ++#if !IPFILTER_MSSCLAMP_FORCE + RWLOCK_EXIT(&ipf_nat); /* READ */ + return 1; + } + RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ + return 0; ++#else /* IPFILTER_MSSCLAMP_FORCE */ ++ retval = 1; ++ } ++ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ ++ ++ip_natin_mss: ++ /* Handle MSS clamping, if necessary */ ++ if (!clamped && (fr_mssclamp > 0) && (fr_mssif[0] != 0) && ++ (fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT) && ++ (fin->fin_p == IPPROTO_TCP)) { ++ ++ if ((tcp->th_flags & TH_SYN) != 0) { ++ ++ /* Does the interface name match? */ ++ if (strncmp(IFNAME(ifp), fr_mssif, IFNAMSIZ) == 0) ++ nat_mssclamp(tcp, fr_mssclamp, fin, &tcp->th_sum); ++ } ++ } ++ ++ return retval; ++#endif /* IPFILTER_MSSCLAMP_FORCE */ + } + + +@@ -2966,6 +2970,7 @@ + v = htons(maxmss); + bcopy(&v, &cp[2], sizeof(v)); + CALC_SUMD(mss, maxmss, sumd); ++ sumd = (sumd & 0xFFFF) + (sumd >> 16); + fix_outcksum(fin, csump, sumd); + } + break; +diff -u -r sys.orig/contrib/ipfilter/netinet/ip_nat.h sys/contrib/ipfilter/netinet/ip_nat.h +--- sys.orig/contrib/ipfilter/netinet/ip_nat.h Sun Jul 4 11:24:39 2004 ++++ sys/contrib/ipfilter/netinet/ip_nat.h Fri Mar 25 04:25:14 2005 +@@ -76,6 +76,11 @@ + + #define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */ + ++/* Define this NZ to enable special sysctl to force MSS clamping */ ++#ifndef IPFILTER_MSSCLAMP_FORCE ++#define IPFILTER_MSSCLAMP_FORCE 0 ++#endif ++ + struct ap_session; + + typedef struct nat { +@@ -303,6 +308,10 @@ + extern void ip_natsync __P((void *)); + extern u_long fr_defnatage; + extern u_long fr_defnaticmpage; ++#if IPFILTER_MSSCLAMP_FORCE ++extern int 
fr_mssclamp; ++extern char fr_mssif[]; ++#endif /* IPFILTER_MSSCLAMP_FORCE */ + extern nat_t **nat_table[2]; + extern nat_t *nat_instances; + extern ipnat_t **nat_rules; +diff -u -r sys.orig/contrib/ipfilter/netinet/ip_state.c sys/contrib/ipfilter/netinet/ip_state.c +--- sys.orig/contrib/ipfilter/netinet/ip_state.c Sun Jul 4 11:24:39 2004 ++++ sys/contrib/ipfilter/netinet/ip_state.c Sun Apr 24 08:51:20 2005 +@@ -143,7 +143,7 @@ + fr_udptimeout = 240, + fr_udpacktimeout = 24, + fr_icmptimeout = 120, +- fr_icmpacktimeout = 12; ++ fr_icmpacktimeout = 120; /* Longer now that it matches multiple seqs */ + int fr_statemax = IPSTATE_MAX, + fr_statesize = IPSTATE_SIZE; + int fr_state_doflush = 0, +@@ -172,6 +172,11 @@ + icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY; + icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY; + icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY; ++ ++#define ICMP_REPLY_MASK ((1<is_icmp.ics_type = ic->icmp_type; + hv += (is->is_icmp.ics_id = ic->icmp_id); +- hv += (is->is_icmp.ics_seq = ic->icmp_seq); ++ /* Don't include the sequence # in the key, but record it */ ++ is->is_icmp.ics_seq = ic->icmp_seq; + break; + case ICMP6_MEMBERSHIP_QUERY : + case ND_ROUTER_SOLICIT : +@@ -679,7 +685,8 @@ + case ICMP_MASKREQ : + is->is_icmp.ics_type = ic->icmp_type; + hv += (is->is_icmp.ics_id = ic->icmp_id); +- hv += (is->is_icmp.ics_seq = ic->icmp_seq); ++ /* Don't include the sequence # in the key, but record it */ ++ is->is_icmp.ics_seq = ic->icmp_seq; + break; + default : + return NULL; +@@ -958,8 +965,8 @@ + (SEQ_GE(seq, fdata->td_end - maxwin)) && + /* XXX what about big packets */ + #define MAXACKWINDOW 66000 +- (-ackskew <= (MAXACKWINDOW << tdata->td_wscale)) && +- ( ackskew <= (MAXACKWINDOW << tdata->td_wscale))) { ++ (-ackskew <= (MAXACKWINDOW << fdata->td_wscale)) && ++ ( ackskew <= (MAXACKWINDOW << fdata->td_wscale))) { + + /* if ackskew < 0 then this should be due to fragmented + * packets. 
There is no way to know the length of the +@@ -1151,11 +1158,9 @@ + */ + if ((!rev && (icmp->icmp_type == is->is_type)) || + (rev && (icmpreplytype4[is->is_type] == icmp->icmp_type))) { +- if (icmp->icmp_type != ICMP_ECHOREPLY) +- return 1; +- if ((icmp->icmp_id == is->is_icmp.ics_id) && +- (icmp->icmp_seq == is->is_icmp.ics_seq)) ++ if (!ICMP_IS_REPLY_TYPE(icmp->icmp_type)) + return 1; ++ if (icmp->icmp_id == is->is_icmp.ics_id) return 1; + } + } + #ifdef USE_INET6 +@@ -1164,9 +1169,7 @@ + (rev && (icmpreplytype6[is->is_type] == icmp->icmp_type))) { + if (icmp->icmp_type != ICMP6_ECHO_REPLY) + return 1; +- if ((icmp->icmp_id == is->is_icmp.ics_id) && +- (icmp->icmp_seq == is->is_icmp.ics_seq)) +- return 1; ++ if (icmp->icmp_id == is->is_icmp.ics_id) return 1; + } + } + #endif +@@ -1325,7 +1328,6 @@ + dst.in4 = oip->ip_dst; + hv += dst.in4.s_addr; + hv += icmp->icmp_id; +- hv += icmp->icmp_seq; + hv %= fr_statesize; + + READ_ENTER(&ipf_state); +@@ -1497,7 +1499,7 @@ + if ((ic->icmp_type == ICMP6_ECHO_REQUEST) || + (ic->icmp_type == ICMP6_ECHO_REPLY)) { + hv += ic->icmp_id; +- hv += ic->icmp_seq; ++ /* Do *not* include seq # here */ + } + } + READ_ENTER(&ipf_state); +@@ -1507,6 +1509,8 @@ + if ((is->is_p == pr) && (is->is_v == v) && + fr_matchsrcdst(is, src, dst, fin, NULL) && + fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) { ++ /* Record seq # for perusal */ ++ is->is_icmp.ics_seq = ic->icmp_seq; + rev = fin->fin_rev; + if (is->is_frage[rev] != 0) + is->is_age = is->is_frage[rev]; +@@ -1554,7 +1558,7 @@ + tcp = NULL; + if (v == 4) { + hv += ic->icmp_id; +- hv += ic->icmp_seq; ++ /* Do *not* include seq # here */ + } + hvm = hv % fr_statesize; + READ_ENTER(&ipf_state); +@@ -1562,6 +1566,8 @@ + if ((is->is_p == pr) && (is->is_v == v) && + fr_matchsrcdst(is, src, dst, fin, NULL) && + fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) { ++ /* Record seq # for perusal */ ++ is->is_icmp.ics_seq = ic->icmp_seq; + rev = fin->fin_rev; + if (is->is_frage[rev] != 0) + 
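Review bot: Dropping the `icmp_seq` comparison in hunk `@@ -1151,11 +1158,9 @@` (and in the IPv6 twin in the next hunk) means any reply carrying the recorded `icmp_id` between the same addresses now matches the state entry, and the same patch raises `fr_icmpacktimeout` from 12 to 120 so the entry also lives longer. That is a deliberate loosening of the stateful check, but nothing at the match site says so. I would add a comment on the new line such as `/* seq deliberately not compared: one entry covers a whole ping run, id + address pair is the only binding */` and put `return 1;` on its own line to match the surrounding style. The enclosing function starts and ends outside the hunk.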
is->is_age = is->is_frage[rev]; +@@ -2239,7 +2245,6 @@ + for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) + if ((is->is_p == pr) && + (oic->icmp6_id == is->is_icmp.ics_id) && +- (oic->icmp6_seq == is->is_icmp.ics_seq) && + fr_matchsrcdst(is, src, dst, &ofin, NULL)) { + /* + * in the state table ICMP query's are stored +diff -u -r sys.orig/contrib/ipfilter/netinet/mlfk_ipl.c sys/contrib/ipfilter/netinet/mlfk_ipl.c +--- sys.orig/contrib/ipfilter/netinet/mlfk_ipl.c Sat Apr 27 19:37:12 2002 ++++ sys/contrib/ipfilter/netinet/mlfk_ipl.c Mon May 9 00:58:58 2005 +@@ -45,6 +45,11 @@ + # include + #endif + ++#if __FreeBSD_version >= 300000 ++# if defined(_KERNEL) && !defined(IPFILTER_LKM) ++# include "opt_ipfilter.h" ++# endif ++#endif + + #include + #include +@@ -102,6 +107,12 @@ + SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, ""); + SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttllog, CTLFLAG_RW, + &fr_minttllog, 0, ""); ++#if IPFILTER_MSSCLAMP_FORCE ++SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_mssclamp, CTLFLAG_RW, ++ &fr_mssclamp, 0, ""); ++SYSCTL_STRING(_net_inet_ipf, OID_AUTO, fr_mssif, CTLFLAG_RW, ++ fr_mssif, IFNAMSIZ, ""); ++#endif /* IPFILTER_MSSCLAMP_FORCE */ + + #define CDEV_MAJOR 79 + static struct cdevsw ipl_cdevsw = { +diff -u -r sys.orig/i386/isa/clock.c sys/i386/isa/clock.c +--- sys.orig/i386/isa/clock.c Sat Nov 2 05:41:50 2002 ++++ sys/i386/isa/clock.c Sun Apr 24 08:51:20 2005 +@@ -950,7 +950,7 @@ + writertc(RTC_HRS, bin2bcd(tm%24)); tm /= 24; /* Write back Hours */ + + /* We have now the days since 01-01-1970 in tm */ +- writertc(RTC_WDAY, (tm+4)%7); /* Write back Weekday */ ++ writertc(RTC_WDAY, (tm+4)%7+1); /* Write back Weekday */ + for (y = 1970, m = DAYSPERYEAR + LEAPYEAR(y); + tm >= m; + y++, m = DAYSPERYEAR + LEAPYEAR(y)) +diff -u -r sys.orig/kern/subr_diskslice.c sys/kern/subr_diskslice.c +--- sys.orig/kern/subr_diskslice.c Tue Jul 24 11:49:41 2001 ++++ sys/kern/subr_diskslice.c Sun Apr 24 08:51:20 2005 +@@ -892,9 
+892,11 @@ + } + if (pp->p_size != sp->ds_size) { + if (sname != NULL) { ++ /* + printf("%s: raw partition size != slice size\n", sname); + slice_info(sname, sp); + partition_info(sname, RAW_PART, pp); ++ */ + } + if (pp->p_size > sp->ds_size) { + if (sname == NULL) +diff -u -r sys.orig/net/if_ethersubr.c sys/net/if_ethersubr.c +--- sys.orig/net/if_ethersubr.c Wed Mar 3 13:35:16 2004 ++++ sys/net/if_ethersubr.c Sun Apr 24 08:51:20 2005 +@@ -605,8 +605,10 @@ + * it dropped (m_free'd) the packet itself. + */ + if (m == NULL) { ++ /* + if (bif == BDG_BCAST || bif == BDG_MCAST) + printf("bdg_forward drop MULTICAST PKT\n"); ++ */ + return; + } + eh = &save_eh ; +diff -u -r sys.orig/netgraph/ng_ppp.c sys/netgraph/ng_ppp.c +--- sys.orig/netgraph/ng_ppp.c Sun Dec 12 20:37:52 2004 ++++ sys/netgraph/ng_ppp.c Sun Apr 24 08:51:21 2005 +@@ -744,7 +744,11 @@ + case HOOK_INDEX_VJC_VJIP: + if (priv->conf.enableCompression + && priv->hooks[HOOK_INDEX_COMPRESS] != NULL) { +- if ((m = ng_ppp_addproto(m, proto, 0)) == NULL) { ++ if ((m = ng_ppp_addproto(m, proto, ++ /* Get the PFC enable from the first link (RFC1990) */ ++ priv->links[priv->activeLinks[0]] ++ .conf.enableProtoComp ++ )) == NULL) { + NG_FREE_META(meta); + return (ENOBUFS); + } +@@ -755,7 +759,11 @@ + case HOOK_INDEX_COMPRESS: + if (priv->conf.enableEncryption + && priv->hooks[HOOK_INDEX_ENCRYPT] != NULL) { +- if ((m = ng_ppp_addproto(m, proto, 1)) == NULL) { ++ if ((m = ng_ppp_addproto(m, proto, ++ /* Get the PFC enable from the first link (RFC1990) */ ++ priv->links[priv->activeLinks[0]] ++ .conf.enableProtoComp ++ )) == NULL) { + NG_FREE_META(meta); + return (ENOBUFS); + } +@@ -973,8 +981,9 @@ + + /* Prepend protocol number, possibly compressed */ + if ((m = ng_ppp_addproto(m, proto, +- linkNum == NG_PPP_BUNDLE_LINKNUM +- || link->conf.enableProtoComp)) == NULL) { ++ /* On a bundle, get the PFC enable from the first link (RFC1990) */ ++ (link ? 
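Review bot: `priv->links[priv->activeLinks[0]]` in the ng_ppp.c hunk `@@ -744,7 +744,11 @@` is read without any visible check that the bundle currently has an active link; if `activeLinks[0]` is stale when no link is up, the PFC decision is taken from an unrelated link's configuration. The hunk does not show whether the caller guarantees at least one active link, so this may already hold, but it should be stated or tested, e.g. `priv->numActiveLinks > 0 && priv->links[priv->activeLinks[0]].conf.enableProtoComp`. The same expression is repeated in the `@@ -755,7 +759,11 @@` and `@@ -973,8 +981,9 @@` hunks; a small static helper returning the bundle's PFC enable would keep the three sites in step. The enclosing function continues outside the hunk.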
link ++ : &priv->links[priv->activeLinks[0]])->conf.enableProtoComp)) == NULL) { + NG_FREE_META(meta); + return (ENOBUFS); + } +diff -u -r sys.orig/netinet/ip_input.c sys/netinet/ip_input.c +--- sys.orig/netinet/ip_input.c Sun Jan 2 06:03:16 2005 ++++ sys/netinet/ip_input.c Sun Apr 24 08:51:21 2005 +@@ -356,7 +356,7 @@ + if (args.rule) { /* dummynet already filtered us */ + ip = mtod(m, struct ip *); + hlen = IP_VHL_HL(ip->ip_vhl) << 2; +- goto iphack ; ++ goto ipfw; /* skip ipfilter now (already passed it)! */ + } + + ipstat.ips_total++; +@@ -467,7 +467,6 @@ + * - Encapsulate: put it in another IP and send out. + */ + +-iphack: + /* + * Check if we want to allow this packet to be processed. + * Consider it to be bad if not. +@@ -479,6 +478,7 @@ + return; + ip = mtod(m = m1, struct ip *); + } ++ipfw: + if (fw_enable && IPFW_LOADED) { + /* + * If we've been forwarded from the output side, then +diff -u -r sys.orig/netinet/ip_output.c sys/netinet/ip_output.c +--- sys.orig/netinet/ip_output.c Tue Jun 1 09:38:56 2004 ++++ sys/netinet/ip_output.c Sun Apr 24 08:51:21 2005 +@@ -705,20 +705,6 @@ + } + spd_done: + #endif /* FAST_IPSEC */ +- /* +- * IpHack's section. +- * - Xlate: translate packet's addr/port (NAT). +- * - Firewall: deny/allow/etc. +- * - Wrap: fake packet's addr/port +- * - Encapsulate: put it in another IP and send out. +- */ +- if (fr_checkp) { +- struct mbuf *m1 = m; +- +- if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) +- goto done; +- ip = mtod(m = m1, struct ip *); +- } + + /* + * Check with the firewall... +@@ -952,6 +938,21 @@ + } + + pass: ++ /* ++ * IpHack's section. ++ * - Xlate: translate packet's addr/port (NAT). ++ * - Firewall: deny/allow/etc. ++ * - Wrap: fake packet's addr/port ++ * - Encapsulate: put it in another IP and send out. 
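Review bot: With `goto ipfw` in the ip_input.c hunk `@@ -356,7 +356,7 @@`, every packet that arrives with `args.rule` set now bypasses the `fr_checkp` call, so IPFilter's verdict rests on the assumption that such packets were already filtered before dummynet queued them. The one-line comment at the jump says this, but the `ipfw:` label added in the `@@ -479,6 +478,7 @@` hunk has no comment, and that is where a later reader will look. I would add above the label `/* dummynet re-entry point: fr_checkp above has already seen this packet */`. The function body starts and ends outside these hunks.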
++ */ ++ if (fr_checkp) { ++ struct mbuf *m1 = m; ++ ++ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) ++ goto done; ++ ip = mtod(m = m1, struct ip *); ++ } ++ + /* 127/8 must not appear on wire - RFC1122. */ + if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || + (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { +diff -u -r sys.orig/netipsec/key.c sys/netipsec/key.c +--- sys.orig/netipsec/key.c Sat Feb 14 23:23:23 2004 ++++ sys/netipsec/key.c Sun Apr 24 08:51:21 2005 +@@ -110,6 +110,34 @@ + * field hits 0 (= no external reference other than from SA header. + */ + ++/* ++ * New feature: SA holdoff ++ * When key_preferred_oldsa is negative, new SAs are preferred (as if =0), ++ * but only when established for at least -key_preferred_oldsa seconds. ++ * If no "sufficiently mature" SAs are found, the oldest is used. ++ * This gets around the "blackout" problem caused by sender/receiver skew ++ * when establishing new SAs, without the potentially lingering inconsistencies ++ * caused by preferring old SAs. ++ * Fred Wright ++ */ ++#ifndef IPSEC_SA_HOLDOFF ++#define IPSEC_SA_HOLDOFF 1 ++#endif ++ ++/* ++ * Old, probably obsolete feature: SA "early retirement" ++ * There was code to delete non-preferred send SAs discovered while sending. ++ * This was only operative with key_preferred_oldsa=0, and we suspect it was ++ * an attempt at solving the "blackout" problem. Since there is now better ++ * control over SA selection, that other code is probably unnecessary and ++ * certainly adds complication, so it's conditionaled out here. Nevertheless, ++ * it's tweaked to work correctly if it is enabled. 
++ * Fred Wright ++ */ ++#ifndef IPSEC_SA_EARLY_RETIRE ++#define IPSEC_SA_EARLY_RETIRE 0 ++#endif ++ + u_int32_t key_debug_level = 0; + static u_int key_spi_trycnt = 1000; + static u_int32_t key_spi_minval = 0x100; +@@ -119,7 +147,7 @@ + static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/ + static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/ + static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/ +-static int key_prefered_oldsa = 1; /* prefered old sa rather than new sa.*/ ++static int key_preferred_oldsa = 1; /* preferred old sa rather than new sa.*/ + + static u_int32_t acq_seq = 0; + static int key_tick_init_random = 0; +@@ -134,12 +162,11 @@ + static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */ + + /* search order for SAs */ +-static u_int saorder_state_valid[] = { ++static const u_int saorder_state_valid_prefer_old[] = { + SADB_SASTATE_DYING, SADB_SASTATE_MATURE, +- /* +- * This order is important because we must select the oldest SA +- * for outbound processing. For inbound, This is not important. 
+- */ ++}; ++static const u_int saorder_state_valid_prefer_new[] = { ++ SADB_SASTATE_MATURE, SADB_SASTATE_DYING, + }; + static u_int saorder_state_alive[] = { + /* except DEAD */ +@@ -247,8 +274,8 @@ + &ipsec_ah_keymin, 0, ""); + + /* perfered old SA rather than new SA */ +-SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, prefered_oldsa, CTLFLAG_RW,\ +- &key_prefered_oldsa, 0, ""); ++SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa, CTLFLAG_RW,\ ++ &key_preferred_oldsa, 0, ""); + + #ifndef LIST_FOREACH + #define LIST_FOREACH(elm, head, field) \ +@@ -351,7 +378,8 @@ + + static struct secasvar *key_allocsa_policy __P((const struct secasindex *)); + static void key_freesp_so __P((struct secpolicy **)); +-static struct secasvar *key_do_allocsa_policy __P((struct secashead *, u_int)); ++static struct secasvar *key_do_allocsa_policy __P((struct secashead *, u_int, ++ time_t, struct secasvar **)); + static void key_delsp __P((struct secpolicy *)); + static struct secpolicy *key_getsp __P((struct secpolicyindex *)); + static struct secpolicy *key_getspbyid __P((u_int32_t)); +@@ -816,6 +844,10 @@ + struct secashead *sah; + struct secasvar *sav; + u_int stateidx, state; ++ const u_int *saorder_state_valid; ++ int arraysize; ++ time_t cutoff = 0; ++ struct secasvar *fallback = NULL; + + LIST_FOREACH(sah, &sahtree, chain) { + if (sah->state == SADB_SASTATE_DEAD) +@@ -828,17 +860,29 @@ + + found: + +- /* search valid state */ +- for (stateidx = 0; +- stateidx < _ARRAYLEN(saorder_state_valid); +- stateidx++) { ++ /* ++ * search a valid state list for outbound packet. ++ * This search order is important. 
++ */ ++ if (key_preferred_oldsa > 0) { ++ saorder_state_valid = saorder_state_valid_prefer_old; ++ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); ++ } else { ++ saorder_state_valid = saorder_state_valid_prefer_new; ++ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); ++ cutoff = time_second - key_preferred_oldsa; ++ } ++ ++ for (stateidx = 0; stateidx < arraysize; stateidx++) { + + state = saorder_state_valid[stateidx]; + +- sav = key_do_allocsa_policy(sah, state); ++ sav = key_do_allocsa_policy(sah, state, cutoff, &fallback); + if (sav != NULL) + return sav; + } ++ /* If we have fallback, feed it through for refcnt update */ ++ if ( fallback ) return key_do_allocsa_policy(NULL, 0, 0, &fallback); + + return NULL; + } +@@ -851,13 +895,24 @@ + * others : found, pointer to a SA. + */ + static struct secasvar * +-key_do_allocsa_policy(struct secashead *sah, u_int state) ++key_do_allocsa_policy(struct secashead *sah, u_int state, ++ time_t cutoff, struct secasvar **fbp) + { +- struct secasvar *sav, *nextsav, *candidate, *d; ++ struct secasvar *sav, *nextsav, *candidate; ++#if !SA_EARLY_RETIRE ++ #define RETIRE_SA(sa) ++#else ++ struct secasvar *d = NULL; ++ #define RETIRE_SA(sa) d = sa; ++#endif + + /* initilize */ + candidate = NULL; + ++#if IPSEC_SA_HOLDOFF ++ if ( !sah ) candidate = *fbp; ++ else ++#endif + for (sav = LIST_FIRST(&sah->savtree[state]); + sav != NULL; + sav = nextsav) { +@@ -880,8 +935,9 @@ + panic("key_do_allocsa_policy: " + "lifetime_current is NULL.\n"); + ++#if !IPSEC_SA_HOLDOFF + /* What the best method is to compare ? 
*/ +- if (key_prefered_oldsa) { ++ if (key_preferred_oldsa > 0) { + if (candidate->lft_c->sadb_lifetime_addtime > + sav->lft_c->sadb_lifetime_addtime) { + candidate = sav; +@@ -890,20 +946,47 @@ + /*NOTREACHED*/ + } + +- /* prefered new sa rather than old sa */ ++ /* preferred new sa rather than old sa */ + if (candidate->lft_c->sadb_lifetime_addtime < + sav->lft_c->sadb_lifetime_addtime) { +- d = candidate; ++ RETIRE_SA(candidate) + candidate = sav; +- } else +- d = sav; ++ } else { ++ RETIRE_SA(sav) ++ } ++#else /* IPSEC_SA_HOLDOFF */ ++ /* Decide handling based on SA addtime vs. cutoff */ ++ if ( sav->lft_c->sadb_lifetime_addtime < cutoff ) { ++ /* Prefer newer among "sufficiently old */ ++ if ( sav->lft_c->sadb_lifetime_addtime ++ > candidate->lft_c->sadb_lifetime_addtime ) { ++ RETIRE_SA(candidate) ++ candidate = sav; ++ } else { ++ RETIRE_SA(sav) ++ } ++ } else { ++ /* Prefer older among "too new" */ ++ if ( sav->lft_c->sadb_lifetime_addtime ++ < candidate->lft_c->sadb_lifetime_addtime ) { ++ if ( !cutoff ) { ++ /* Use immediately in "pure older" mode */ ++ candidate = sav; ++ } else { ++ /* Otherwise use as fallback */ ++ *fbp = sav; ++ } ++ } ++ } ++#endif /* IPSEC_SA_HOLDOFF */ + ++#if IPSEC_SA_EARLY_RETIRE + /* + * prepared to delete the SA when there is more + * suitable candidate and the lifetime of the SA is not + * permanent. + */ +- if (d->lft_c->sadb_lifetime_addtime != 0) { ++ if (d && d->lft_c->sadb_lifetime_addtime != 0) { + struct mbuf *m, *result; + + key_sa_chgstate(d, SADB_SASTATE_DEAD); +@@ -959,6 +1042,7 @@ + msgfail: + KEY_FREESAV(&d); + } ++#endif /* IPSEC_SA_EARLY_RETIRE */ + } + + if (candidate) { +@@ -997,6 +1081,8 @@ + struct secasvar *sav; + u_int stateidx, state; + int s; ++ const u_int *saorder_state_valid; ++ int arraysize; + + KASSERT(dst != NULL, ("key_allocsa: null dst address")); + +@@ -1004,6 +1090,22 @@ + printf("DP key_allocsa from %s:%u\n", where, tag)); + + /* ++ * when both systems employ similar strategy to use a SA. 
++ * the search order is important even in the inbound case. ++ */ ++ /* ++ * The above should be untrue since the lookup is by SPI, ++ * but we're leaving this aspect alone for now. - FW ++ */ ++ if (key_preferred_oldsa > 0) { ++ saorder_state_valid = saorder_state_valid_prefer_old; ++ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); ++ } else { ++ saorder_state_valid = saorder_state_valid_prefer_new; ++ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); ++ } ++ ++ /* + * searching SAD. + * XXX: to be checked internal IP header somewhere. Also when + * IPsec tunnel packet is received. But ESP tunnel mode is +@@ -1011,10 +1113,11 @@ + */ + s = splnet(); /*called from softclock()*/ + LIST_FOREACH(sah, &sahtree, chain) { +- /* search valid state */ +- for (stateidx = 0; +- stateidx < _ARRAYLEN(saorder_state_valid); +- stateidx++) { ++ /* ++ * search a valid state list for inbound packet. ++ * the search order is not important. ++ */ ++ for (stateidx = 0; stateidx < arraysize; stateidx++) { + state = saorder_state_valid[stateidx]; + LIST_FOREACH(sav, &sah->savtree[state], chain) { + /* sanity check */ +Only in sys/netipsec: key.c.netkey +diff -u -r sys.orig/netipsec/key_var.h sys/netipsec/key_var.h +--- sys.orig/netipsec/key_var.h Fri Jan 24 06:11:36 2003 ++++ sys/netipsec/key_var.h Sun Apr 24 08:51:21 2005 +@@ -61,7 +61,7 @@ + { "esp_keymin", CTLTYPE_INT }, \ + { "esp_auth", CTLTYPE_INT }, \ + { "ah_keymin", CTLTYPE_INT }, \ +- { "prefered_oldsa", CTLTYPE_INT }, \ ++ { "preferred_oldsa", CTLTYPE_INT }, \ + } + + #ifdef _KERNEL +diff -u -r sys.orig/i386/i386/identcpu.c sys/i386/i386/identcpu.c +--- sys.orig/i386/i386/identcpu.c Tue Apr 6 03:40:30 2004 ++++ sys/i386/i386/identcpu.c Sun Apr 24 09:16:38 2005 +@@ -380,7 +380,13 @@ + break; + case 0x540: + cpu_class = CPUCLASS_586; +- strcat(cpu_model, "GXm"); ++ if (cyrix_did < 0x6000) { ++ strcat(cpu_model, "GXm"); ++ } else if (cyrix_did < 0x7000) { ++ strcat(cpu_model, "GXLV"); ++ } else { ++ 
strcat(cpu_model, "GX1"); ++ } + break; + case 0x600: + strcat(cpu_model, "6x86MX"); +@@ -504,6 +510,13 @@ + } + break; + } ++ } else if (strcmp(cpu_vendor, "Geode by NSC") == 0) { ++ strcpy(cpu_model, "NSC Geode"); ++ switch (cpu_id & 0xff0) { ++ case 0x540: ++ cpu_class = CPUCLASS_586; ++ break; ++ } + } else if (strcmp(cpu_vendor, "RiseRiseRise") == 0) { + strcpy(cpu_model, "Rise "); + switch (cpu_id & 0xff0) { +@@ -602,10 +615,11 @@ + strcmp(cpu_vendor, "AuthenticAMD") == 0 || + strcmp(cpu_vendor, "RiseRiseRise") == 0 || + strcmp(cpu_vendor, "CentaurHauls") == 0 || ++ strcmp(cpu_vendor, "Geode by NSC") == 0 || + ((strcmp(cpu_vendor, "CyrixInstead") == 0) && +- ((cpu_id & 0xf00) > 0x500))) { ++ ((cpu_id & 0xff0) >= 0x540))) { + printf(" Stepping = %u", cpu_id & 0xf); +- if (strcmp(cpu_vendor, "CyrixInstead") == 0) ++ if ((strcmp(cpu_vendor, "CyrixInstead") == 0) || (strcmp(cpu_vendor, "Geode by NSC") == 0)) + printf(" DIR=0x%04x", cyrix_did); + if (cpu_high > 0) { + /* +@@ -938,6 +952,14 @@ + cpu_feature = regs[3]; /* edx */ + break; + } ++ } ++ } else if (strcmp(cpu_vendor, "Geode by NSC") == 0) { ++ identifycyrix(); ++ switch (cyrix_did & 0x00f0) { ++ case 0x40: /* GX1 */ ++ case 0xb0: /* SCx200 */ ++ cpu = CPU_M1SC; ++ break; + } + } else if (cpu == CPU_486 && *cpu_vendor == '\0') { + /* +diff -u -r sys.orig/i386/i386/vm_machdep.c sys/i386/i386/vm_machdep.c +--- sys.orig/i386/i386/vm_machdep.c Sun Aug 31 02:16:27 2003 ++++ sys/i386/i386/vm_machdep.c Sun Apr 24 09:31:04 2005 +@@ -432,6 +432,16 @@ + outb(0xf0, 0x00); /* Reset. 
*/ + #else + /* ++ * reset Geode via PCI function 0 ++ */ ++ if (strcmp(cpu_vendor, "Geode by NSC") == 0) { ++ if (((cpu_id & 0xfff0) == 0x0540) && ((cyrix_did & 0xfff0) == 0x81b0)) { ++ outl(0xcf8, 0x80009044); ++ outb(0xcfc, 0x0f); ++ outl(0xcf8, 0); ++ } ++ } ++ /* + * Attempt to do a CPU reset via the keyboard controller, + * do not turn of the GateA20, as any machine that fails + * to do the reset here would then end up in no man's land. +diff -u -r sys.orig/dev/ata/ata-pci.c sys/dev/ata/ata-pci.c +--- sys.orig/dev/ata/ata-pci.c Wed Dec 31 19:05:16 2003 ++++ sys/dev/ata/ata-pci.c Sun Apr 24 10:01:12 2005 +@@ -28,6 +28,7 @@ + * $FreeBSD: src/sys/dev/ata/ata-pci.c,v 1.32.2.21 2003/12/31 18:05:16 jhb Exp $ + */ + ++#include "opt_ata.h" + #include + #include + #include +@@ -569,8 +570,10 @@ + + ata_pci_add_child(dev, 0); + ++#ifndef ATA_DISABLE_SLAVE + if (ATA_MASTERDEV(dev) || pci_read_config(dev, 0x18, 4) & IOMASK) + ata_pci_add_child(dev, 1); ++#endif + + return bus_generic_attach(dev); + } +diff -u -r sys.orig/dev/ata/ata-disk.c sys/dev/ata/ata-disk.c +--- sys.orig/dev/ata/ata-disk.c Sat Sep 18 12:26:12 2004 ++++ sys/dev/ata/ata-disk.c Sat Apr 30 21:05:21 2005 +@@ -105,7 +105,7 @@ + "ATA disk write caching"); + SYSCTL_INT(_hw_ata, OID_AUTO, tags, CTLFLAG_RD, &ata_tags, 0, + "ATA disk tagged queuing support"); +-SYSCTL_INT(_hw_ata, OID_AUTO, suspend, CTLFLAG_RD, &ata_suspend, 0, ++SYSCTL_INT(_hw_ata, OID_AUTO, suspend, CTLFLAG_RW, &ata_suspend, 0, + "ATA disk suspend timer"); + + void +@@ -940,6 +940,34 @@ + ata_umode(adp->device->param)); + else + ata_dmainit(atadev, ata_pmode(adp->device->param), -1, -1); ++ ++ if (ata_suspend > 0) { ++ /* ++ * Attempt to set the standby timer. ++ * The parameters are documented in sections 8.42.4 p. 210 and ++ * 8.14.4 (table 23) p. 118 of the ATAPI-5 interface spec ++ * http://www.t13.org. ++ */ ++ int value = ata_suspend; ++ if (atadev->param->stdby_ovlap) { ++ /* ++ * The device supports the standard values. 
++ * Scale the seconds in value appropriately. ++ */ ++ if (value <= 1200) ++ /* Values 1-240 specify 5 second increments. */ ++ value /= 5; ++ else if (value <= 18000) ++ /* Values 241-251 specify 30 minute increments. */ ++ value = (value / 60 / 30) + 241; ++ else ++ /* A period between 8 and 12 hours. */ ++ value = 253; ++ } else ++ ata_prtdev(atadev, "timer value is vendor-specific\n"); ++ if (ata_command(atadev, ATA_C_STANDBY, 0, value, 0, ATA_WAIT_INTR)) ++ ata_prtdev(atadev, "suspend mode failed\n"); ++ } + } + + void +diff -u -r sys.orig/modules/ipfw/Makefile sys/modules/ipfw/Makefile +--- sys.orig/modules/ipfw/Makefile Fri Feb 14 15:09:21 2003 ++++ sys/modules/ipfw/Makefile Mon May 9 21:19:08 2005 +@@ -16,7 +16,7 @@ + #CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100 + # + #If you want it to pass all packets by default +-#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT ++CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT + # + + .include +diff -u -r sys.orig/pci/if_sis.c sys/pci/if_sis.c +--- sys.orig/pci/if_sis.c Fri Apr 23 00:03:28 2004 ++++ sys/pci/if_sis.c Fri May 27 06:49:50 2005 +@@ -921,6 +921,7 @@ + struct sis_softc *sc; + { + register int i; ++ u_int32_t ns_srr; + + SIS_SETBIT(sc, SIS_CSR, SIS_CSR_RESET); + +@@ -942,6 +943,54 @@ + if (sc->sis_type == SIS_TYPE_83815) { + CSR_WRITE_4(sc, NS_CLKRUN, NS_CLKRUN_PMESTS); + CSR_WRITE_4(sc, NS_CLKRUN, 0); ++ ++ /* ++ * Page 78 of the DP83815 manual recommends the ++ * following (0x300 case) register settings "for optimum ++ * performance." Note however that at least three ++ * of the registers are listed as "reserved" in ++ * the register map, so who knows what they do. ++ * ++ * This has now been updated for various chip revisions, ++ * as "documented" in the NatSemi Linux driver. 
++ * ++ * The documented 83815/83816 SRR values are: ++ * DP83815CVNG 0x00000302 ++ * DP83815DVNG/UJB 0x00000403 ++ * DP83816AVNG 0x00000505 ++ */ ++ ++ ns_srr = CSR_READ_4(sc, NS_SRR); ++ switch ( ns_srr & 0xF00 ) { ++ ++ case 0x200: ++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001); ++ CSR_WRITE_4(sc, NS_PHY_CR, 0x0802); ++ CSR_WRITE_4(sc, NS_PHY_FCSCR, 0x0010); ++ CSR_WRITE_4(sc, NS_PHY_SDCFG, 0x0333); ++ CSR_WRITE_4(sc, NS_PHY_10BTSCR, 0x0860); ++ CSR_WRITE_4(sc, NS_PHY_RECR, 0x2100); ++ CSR_WRITE_4(sc, 0xE0, 0x4F48); ++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0000); ++ SIS_SETBIT(sc, NS_PHY_10BTSCR, 0x04); ++ break; ++ ++ case 0x300: ++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001); ++ CSR_WRITE_4(sc, NS_PHY_CR, 0x189C); ++ CSR_WRITE_4(sc, NS_PHY_TDATA, 0x0000); ++ CSR_WRITE_4(sc, NS_PHY_DSPCFG, 0x5040); ++ CSR_WRITE_4(sc, NS_PHY_SDCFG, 0x008C); ++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0000); ++ break; ++ ++ case 0x400: ++ case 0x500: ++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001); ++ CSR_WRITE_4(sc, NS_PHY_CR, 0x189C); ++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0000); ++ break; ++ } + } + + return; +@@ -1823,6 +1872,7 @@ + * Cancel pending I/O and free all RX/TX buffers. + */ + sis_stop(sc); ++ sc->sis_stopped = 0; + + mii = device_get_softc(sc->sis_miibus); + +@@ -1940,27 +1990,46 @@ + SIS_CLRBIT(sc, SIS_RX_CFG, SIS_RXCFG_RX_TXPKTS); + } + +- if (sc->sis_type == SIS_TYPE_83815 && +- IFM_SUBTYPE(mii->mii_media_active) == IFM_100_TX) { +- uint32_t reg; ++ if ( sc->sis_type == SIS_TYPE_83815 ) { ++ uint32_t phy_status, ns_srr, tmp_val; + + /* + * Some DP83815s experience problems when used with short + * (< 30m/100ft) Ethernet cables in 100BaseTX mode. This + * sequence adjusts the DSP's signal attenuation to fix the + * problem. ++ * ++ * This has now been updated to duplicate the logic in ++ * the NatSemi Linux driver. 
+ */ +- CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001); + +- reg = CSR_READ_4(sc, NS_PHY_DSPCFG); +- CSR_WRITE_4(sc, NS_PHY_DSPCFG, (reg & 0xfff) | 0x1000); +- DELAY(100); +- reg = CSR_READ_4(sc, NS_PHY_TDATA); +- if ((reg & 0x0080) == 0 || (reg & 0xff) >= 0xd8) { +- CSR_WRITE_4(sc, NS_PHY_TDATA, 0x00e8); +- SIS_SETBIT(sc, NS_PHY_DSPCFG, 0x20); ++ phy_status = CSR_READ_4(sc, NS_PHY_PHYSTS); ++ /* Check for link valid and not 10Mb */ ++ if ( (phy_status & 0x03) == 0x01 ) { ++ ns_srr = CSR_READ_4(sc, NS_SRR); ++ switch ( ns_srr & 0xF00 ) { ++ ++ case 0x500: ++ if ( (ns_srr & 0xFFF) == 0x505 ) break; ++ case 0x300: ++ case 0x400: ++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001); ++ tmp_val = CSR_READ_4(sc, NS_PHY_DSPCFG); ++ tmp_val = (tmp_val & 0x0FFF) | 0x1000; ++ CSR_WRITE_4(sc, NS_PHY_DSPCFG, tmp_val); ++ DELAY(2000); ++ tmp_val = CSR_READ_4(sc, NS_PHY_TDATA); ++ tmp_val &= 0x00FF; ++ if ( tmp_val < 0x80 ++ || tmp_val >= 0xD8 ) { ++ CSR_WRITE_4(sc, NS_PHY_TDATA, ++ 0x00E8); ++ SIS_SETBIT(sc, NS_PHY_DSPCFG, ++ 0x20); ++ } ++ CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0000); ++ } + } +- CSR_WRITE_4(sc, NS_PHY_PAGE, 0); + } + + /* +@@ -1986,21 +2055,6 @@ + mii_mediachg(mii); + #endif + +- /* +- * Page 75 of the DP83815 manual recommends the +- * following register settings "for optimum +- * performance." Note however that at least three +- * of the registers are listed as "reserved" in +- * the register map, so who knows what they do. 
+- */ +- if (sc->sis_type == SIS_TYPE_83815) { +- CSR_WRITE_4(sc, NS_PHY_PAGE, 0x0001); +- CSR_WRITE_4(sc, NS_PHY_CR, 0x189C); +- CSR_WRITE_4(sc, NS_PHY_TDATA, 0x0000); +- CSR_WRITE_4(sc, NS_PHY_DSPCFG, 0x5040); +- CSR_WRITE_4(sc, NS_PHY_SDCFG, 0x008C); +- } +- + ifp->if_flags |= IFF_RUNNING; + ifp->if_flags &= ~IFF_OACTIVE; + +@@ -2138,6 +2192,9 @@ + register int i; + struct ifnet *ifp; + ++ if (sc->sis_stopped) ++ return; ++ + ifp = &sc->arpcom.ac_if; + ifp->if_timer = 0; + +@@ -2180,6 +2237,8 @@ + + bzero((char *)&sc->sis_ldata->sis_tx_list, + sizeof(sc->sis_ldata->sis_tx_list)); ++ ++ sc->sis_stopped = 1; + + return; + } +diff -u -r sys.orig/pci/if_sisreg.h sys/pci/if_sisreg.h +--- sys.orig/pci/if_sisreg.h Wed Feb 5 22:49:01 2003 ++++ sys/pci/if_sisreg.h Fri May 27 06:13:22 2005 +@@ -76,6 +76,7 @@ + + /* NS DP83815 registers */ + #define NS_CLKRUN 0x3C ++#define NS_SRR 0x58 + #define NS_BMCR 0x80 + #define NS_BMSR 0x84 + #define NS_PHYIDR1 0x88 +@@ -85,6 +86,9 @@ + #define NS_ANER 0x98 + #define NS_ANNPTR 0x9C + ++#define NS_PHY_PHYSTS 0xC0 ++#define NS_PHY_FCSCR 0xD0 ++#define NS_PHY_RECR 0xD4 + #define NS_PHY_CR 0xE4 + #define NS_PHY_10BTSCR 0xE8 + #define NS_PHY_PAGE 0xCC +@@ -444,6 +448,7 @@ + struct sis_list_data *sis_ldata; + struct sis_ring_data sis_cdata; + struct callout_handle sis_stat_ch; ++ int sis_stopped; + #ifdef DEVICE_POLLING + int rxcycles; + #endif +diff -u -r sys.orig/dev/wi/if_wi.c sys/dev/wi/if_wi.c +--- sys.orig/dev/wi/if_wi.c Tue May 18 08:57:33 2004 ++++ sys/dev/wi/if_wi.c Sat Jun 18 19:48:38 2005 +@@ -1018,9 +1018,11 @@ + * set in the event status register. + */ + s = CSR_READ_2(sc, WI_EVENT_STAT); ++ DELAY(1); + if (s & WI_EV_CMD) { + /* Ack the event and read result code. 
*/ + s = CSR_READ_2(sc, WI_STATUS); ++ DELAY(1); + CSR_WRITE_2(sc, WI_EVENT_ACK, WI_EV_CMD); + #ifdef foo + if ((s & WI_CMD_CODE_MASK) != (cmd & WI_CMD_CODE_MASK)) +diff -u -r sys.orig/pci/if_xl.c sys/pci/if_xl.c +--- sys.orig/pci/if_xl.c Fri Aug 13 16:42:18 2004 ++++ sys/pci/if_xl.c Sat Jun 18 19:57:54 2005 +@@ -188,6 +188,8 @@ + "3Com 3c905C-TX Fast Etherlink XL" }, + { TC_VENDORID, TC_DEVICEID_TORNADO_10_100BT_920B, + "3Com 3c920B-EMB Integrated Fast Etherlink XL" }, ++ { TC_VENDORID, TC_DEVICEID_TORNADO_10_100BT_920B_WNM, ++ "3Com 3c920B-EMB-WNM Integrated Fast Etherlink XL" }, + { TC_VENDORID, TC_DEVICEID_HURRICANE_10_100BT_SERV, + "3Com 3c980 Fast Etherlink XL" }, + { TC_VENDORID, TC_DEVICEID_TORNADO_10_100BT_SERV, +@@ -1268,6 +1270,7 @@ + case TC_DEVICEID_HURRICANE_656B: /* 3c656B */ + case TC_DEVICEID_TORNADO_656C: /* 3c656C */ + case TC_DEVICEID_TORNADO_10_100BT_920B: /* 3c920B-EMB */ ++ case TC_DEVICEID_TORNADO_10_100BT_920B_WNM: /* 3c920B-EMB-WNM */ + sc->xl_media = XL_MEDIAOPT_MII; + sc->xl_xcvr = XL_XCVR_MII; + if (verbose) +@@ -1365,7 +1368,8 @@ + pci_get_device(dev) == TC_DEVICEID_HURRICANE_656B) + sc->xl_flags |= XL_FLAG_INVERT_MII_PWR | + XL_FLAG_INVERT_LED_PWR; +- if (pci_get_device(dev) == TC_DEVICEID_TORNADO_10_100BT_920B) ++ if (pci_get_device(dev) == TC_DEVICEID_TORNADO_10_100BT_920B || ++ pci_get_device(dev) == TC_DEVICEID_TORNADO_10_100BT_920B_WNM) + sc->xl_flags |= XL_FLAG_PHYOK; + #ifndef BURN_BRIDGES + /* +diff -u -r sys.orig/pci/if_xlreg.h sys/pci/if_xlreg.h +--- sys.orig/pci/if_xlreg.h Sun Aug 10 23:55:57 2003 ++++ sys/pci/if_xlreg.h Sat Jun 18 19:58:13 2005 +@@ -683,6 +683,7 @@ + #define TC_DEVICEID_CYCLONE_10_100FX 0x905A + #define TC_DEVICEID_TORNADO_10_100BT 0x9200 + #define TC_DEVICEID_TORNADO_10_100BT_920B 0x9201 ++#define TC_DEVICEID_TORNADO_10_100BT_920B_WNM 0x9202 + #define TC_DEVICEID_HURRICANE_10_100BT_SERV 0x9800 + #define TC_DEVICEID_TORNADO_10_100BT_SERV 0x9805 + #define TC_DEVICEID_HURRICANE_SOHO100TX 0x7646 
diff --git a/build/patches/packages/ez-ipupdate.c.patch b/build/patches/packages/ez-ipupdate.c.patch new file mode 100644 index 0000000..706bb86 --- /dev/null +++ b/build/patches/packages/ez-ipupdate.c.patch 
@@ -0,0 +1,243 @@ +--- ez-ipupdate.c.orig Tue Mar 12 00:31:47 2002 ++++ ez-ipupdate.c Sun May 8 13:18:47 2005 +@@ -798,7 +798,7 @@ + sprintf(buf, "message incomplete because your OS sucks: %s\n", fmt); + #endif + +- syslog(LOG_NOTICE, buf); ++ syslog(LOG_NOTICE, "%s", buf); + } + else + { +@@ -1602,26 +1602,23 @@ + return(bread); + } + +-int get_if_addr(int sock, char *name, struct sockaddr_in *sin) ++int get_if_addr(char *name, struct sockaddr_in *sin) + { + #ifdef IF_LOOKUP + struct ifreq ifr; ++ int mysock; ++ ++ mysock = socket(AF_INET, SOCK_DGRAM, 0); + + memset(&ifr, 0, sizeof(ifr)); + strcpy(ifr.ifr_name, name); +- /* why does this need to be done twice? */ +- if(ioctl(sock, SIOCGIFADDR, &ifr) < 0) +- { +- perror("ioctl(SIOCGIFADDR)"); +- memset(sin, 0, sizeof(struct sockaddr_in)); +- dprintf((stderr, "%s: %s\n", name, "unknown interface")); +- return -1; +- } +- if(ioctl(sock, SIOCGIFADDR, &ifr) < 0) ++ ++ if(ioctl(mysock, SIOCGIFADDR, &ifr) < 0) + { + perror("ioctl(SIOCGIFADDR)"); + memset(sin, 0, sizeof(struct sockaddr_in)); + dprintf((stderr, "%s: %s\n", name, "unknown interface")); ++ close(mysock); + return -1; + } + +@@ -1629,14 +1626,17 @@ + { + memcpy(sin, &(ifr.ifr_addr), sizeof(struct sockaddr_in)); + dprintf((stderr, "%s: %s\n", name, inet_ntoa(sin->sin_addr))); ++ close(mysock); + return 0; + } + else + { + memset(sin, 0, sizeof(struct sockaddr_in)); + dprintf((stderr, "%s: %s\n", name, "could not resolve interface")); ++ close(mysock); + return -1; + } ++ close(mysock); + return -1; + #else + return -1; +@@ -4487,13 +4487,6 @@ + if(mx == NULL) { mx = strdup(""); } + if(url == NULL) { url = strdup(""); } + +-#ifdef IF_LOOKUP +- if(options & OPT_DAEMON) +- { +- sock = socket(AF_INET, SOCK_STREAM, 0); +- } +-#endif +- + if(options & OPT_DAEMON) + { + int local_update_period = update_period; +@@ -4584,7 +4577,7 @@ + } + #endif + +- if(get_if_addr(sock, interface, &sin2) == 0) ++ if(get_if_addr(interface, &sin2) == 0) + { + ifresolve_warned = 0; + 
if(memcmp(&sin.sin_addr, &sin2.sin_addr, sizeof(struct in_addr)) != 0 || +@@ -4607,6 +4600,19 @@ + show_message("successful update for %s->%s (%s)\n", + interface, inet_ntoa(sin.sin_addr), N_STR(host)); + ++ if(cache_file) ++ { ++ char ipbuf[64]; ++ ++ snprintf(ipbuf, sizeof(ipbuf), "%s", inet_ntoa(sin.sin_addr)); ++ ++ if(write_cache_file(cache_file, last_update, ipbuf) != 0) ++ { ++ show_message("unable to write cache file \"%s\": %s\n", ++ cache_file, error_string); ++ } ++ } ++ + if(post_update_cmd) + { + int res; +@@ -4631,19 +4637,6 @@ + } + } + } +- +- if(cache_file) +- { +- char ipbuf[64]; +- +- snprintf(ipbuf, sizeof(ipbuf), "%s", inet_ntoa(sin.sin_addr)); +- +- if(write_cache_file(cache_file, last_update, ipbuf) != 0) +- { +- show_message("unable to write cache file \"%s\": %s\n", +- cache_file, error_string); +- } +- } + } + else + { +@@ -4743,14 +4736,11 @@ + { + #ifdef IF_LOOKUP + struct sockaddr_in sin; +- int sock; + +- sock = socket(AF_INET, SOCK_STREAM, 0); +- if(get_if_addr(sock, interface, &sin) != 0) ++ if(get_if_addr(interface, &sin) != 0) + { + exit(1); + } +- close(sock); + snprintf(ipbuf, sizeof(ipbuf), "%s", inet_ntoa(sin.sin_addr)); + #else + fprintf(stderr, "interface lookup not enabled at compile time\n"); +@@ -4789,10 +4779,8 @@ + if(address == NULL && interface != NULL) + { + struct sockaddr_in sin; +- int sock; + +- sock = socket(AF_INET, SOCK_STREAM, 0); +- if(get_if_addr(sock, interface, &sin) == 0) ++ if(get_if_addr(interface, &sin) == 0) + { + if(address) { free(address); } + address = strdup(inet_ntoa(sin.sin_addr)); +@@ -4802,7 +4790,6 @@ + show_message("could not resolve ip address for %s.\n", interface); + exit(1); + } +- close(sock); + } + + for(i=0; i 0) { close(sock); } +-#endif + + if(address) { free(address); } + if(cache_file) { free(cache_file); } diff --git a/build/patches/packages/mini_httpd.c.patch b/build/patches/packages/mini_httpd.c.patch new file mode 100644 index 0000000..e4e86b4 --- /dev/null 
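Review bot: In the rewritten `get_if_addr()`, `strcpy(ifr.ifr_name, name)` still copies the caller-supplied interface name into the fixed-size `ifr_name` field without a bound, and the result of the new `socket()` call is used without a check. A name longer than the field overruns the local `struct ifreq`; I would replace the copy with `snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", name);`. I would also add `if (mysock < 0) { perror("socket"); memset(sin, 0, sizeof(*sin)); return -1; }` right after the `socket()` call, so that descriptor exhaustion is reported as such rather than as an "unknown interface" from the `ioctl()` on -1. The function's `#else` branch runs past the end of the inner hunk, so the rest of its body is not visible here.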
+++ b/build/patches/packages/mini_httpd.c.patch 
@@ -0,0 +1,520 @@ +--- mini_httpd.c.orig Wed Dec 3 19:27:22 2003 ++++ mini_httpd.c Sun Dec 18 11:39:28 2005 +@@ -74,7 +74,7 @@ + + + #if defined(AF_INET6) && defined(IN6_IS_ADDR_V4MAPPED) +-#define USE_IPV6 ++/* #define USE_IPV6 */ + #endif + + #ifndef STDIN_FILENO +@@ -141,7 +141,7 @@ + #define AUTH_FILE ".htpasswd" + #endif /* AUTH_FILE */ + #ifndef READ_TIMEOUT +-#define READ_TIMEOUT 60 ++#define READ_TIMEOUT 30 + #endif /* READ_TIMEOUT */ + #ifndef WRITE_TIMEOUT + #define WRITE_TIMEOUT 300 +@@ -167,13 +167,25 @@ + #endif /* USE_IPV6 */ + } usockaddr; + ++typedef struct { ++ int cpid; /* child PID - 0 if unused */ ++ in_addr_t caddr; /* client address */ ++} conninfo; + + static char* argv0; + static int debug; + static unsigned short port; ++static conninfo* clients; ++static int maxproc; ++static int maxperip; ++static sigset_t sigchildset; ++static int currproc; + static char* dir; + static char* data_dir; + static int do_chroot; ++static int captivemode; ++static char* cpelementpath; ++static char* cpelementhost; + static int vhost; + static char* user; + static char* cgi_pattern; +@@ -209,6 +221,7 @@ + static size_t request_size, request_len, request_idx; + static int method; + static char* path; ++static char* captive_reqpath; + static char* file; + static char* pathinfo; + struct stat sb; +@@ -322,9 +335,15 @@ + argv0 = argv[0]; + debug = 0; + port = 0; ++ maxproc = 16 ; ++ maxperip = 0 ; ++ currproc = 0 ; + dir = (char*) 0; + data_dir = (char*) 0; + do_chroot = 0; ++ captivemode = 0; ++ cpelementpath = NULL; ++ captive_reqpath = NULL; + vhost = 0; + cgi_pattern = (char*) 0; + url_pattern = (char*) 0; +@@ -377,6 +396,20 @@ + ++argn; + port = (unsigned short) atoi( argv[argn] ); + } ++ else if ( strcmp( argv[argn], "-maxproc" ) == 0 && argn + 1 < argc ) ++ { ++ ++argn; ++ maxproc = (unsigned short) atoi( argv[argn] ); ++ if (maxproc <= 0) ++ usage(); ++ } ++ else if ( strcmp( argv[argn], "-maxperip" ) == 0 && argn + 1 < argc ) ++ { ++ ++argn; ++ maxperip = 
(unsigned short) atoi( argv[argn] ); ++ if (maxperip < 0) ++ usage(); ++ } + else if ( strcmp( argv[argn], "-d" ) == 0 && argn + 1 < argc ) + { + ++argn; +@@ -431,12 +464,24 @@ + ++argn; + max_age = atoi( argv[argn] ); + } ++ else if ( strcmp( argv[argn], "-cpelement" ) == 0 && argn + 2 < argc ) ++ { ++ ++argn; ++ cpelementpath = argv[argn]; ++ ++argn; ++ cpelementhost = argv[argn]; ++ } ++ else if ( strcmp( argv[argn], "-a" ) == 0 ) ++ captivemode = 1; + else + usage(); + ++argn; + } + if ( argn != argc ) + usage(); ++ ++ if (maxproc < maxperip) ++ usage(); + + cp = strrchr( argv0, '/' ); + if ( cp != (char*) 0 ) +@@ -445,6 +490,16 @@ + cp = argv0; + openlog( cp, LOG_NDELAY|LOG_PID, LOG_DAEMON ); + ++ if (maxperip != 0) { ++ int i; ++ clients = e_malloc(sizeof(conninfo) * maxproc); ++ for (i = 0; i < maxproc; i++) ++ clients[i].cpid = 0; ++ ++ sigemptyset(&sigchildset); ++ sigaddset(&sigchildset, SIGCHLD); ++ } ++ + if ( port == 0 ) + { + #ifdef USE_SSL +@@ -722,6 +777,7 @@ + exit( 1 ); + } + /* Check for unnecessary security exposure. */ ++ /* + if ( ! do_chroot ) + { + syslog( LOG_WARNING, +@@ -729,6 +785,7 @@ + (void) fprintf( stderr, + "%s: started as root without requesting chroot(), warning only\n", argv0 ); + } ++ */ + } + + /* Catch various signals. */ +@@ -751,6 +808,7 @@ + + init_mime(); + ++ /* + if ( hostname == (char*) 0 ) + syslog( + LOG_NOTICE, "%.80s starting on port %d", SERVER_SOFTWARE, +@@ -759,7 +817,8 @@ + syslog( + LOG_NOTICE, "%.80s starting on %.80s, port %d", SERVER_SOFTWARE, + hostname, (int) port ); +- ++ */ ++ + /* Main loop. 
*/ + for (;;) + { +@@ -816,7 +875,7 @@ + } + if ( conn_fd < 0 ) + { +- if ( errno == EINTR || errno == EAGAIN ) ++ if ( errno == EINTR || errno == EAGAIN || errno == ECONNABORTED ) + continue; /* try again */ + #ifdef EPROTO + if ( errno == EPROTO ) +@@ -827,6 +886,36 @@ + exit( 1 ); + } + ++ /* If we've reached max child procs, then close the connection - ++ don't attempt to send back a response since that itself may ++ cause our process to hang. */ ++ if (currproc >= maxproc) { ++ close(conn_fd) ; ++ continue ; ++ } ++ ++ sigprocmask(SIG_BLOCK, &sigchildset, NULL); ++ ++ /* If maxperip is enabled, count the number of existing connections ++ from this client and close the connection if the max is exceeded. */ ++ if (maxperip != 0) { ++ int i; ++ int nconns = 0; ++ ++ for (i = 0; i < maxproc; i++) { ++ if (clients[i].cpid == 0) ++ continue; ++ else if (clients[i].caddr == usa.sa_in.sin_addr.s_addr) ++ nconns++; ++ } ++ ++ if (nconns >= maxperip) { ++ close(conn_fd); ++ sigprocmask(SIG_UNBLOCK, &sigchildset, NULL); ++ continue; ++ } ++ } ++ + /* Fork a sub-process to handle the connection. 
*/ + r = fork(); + if ( r < 0 ) +@@ -846,6 +935,26 @@ + handle_request(); + exit( 0 ); + } ++ ++ currproc++; ++ ++ if (maxperip != 0) { ++ int i; ++ ++ /* record in table of clients */ ++ for (i = 0; i < maxproc; i++) { ++ if (clients[i].cpid == 0) { ++ clients[i].cpid = r; ++ clients[i].caddr = usa.sa_in.sin_addr.s_addr; ++ break; ++ } ++ } ++ ++ if (i == maxproc) ++ syslog(LOG_CRIT, "client connection table full!"); ++ } ++ sigprocmask(SIG_UNBLOCK, &sigchildset, NULL); ++ + (void) close( conn_fd ); + } + } +@@ -855,9 +964,9 @@ + usage( void ) + { + #ifdef USE_SSL +- (void) fprintf( stderr, "usage: %s [-C configfile] [-D] [-S] [-E certfile] [-Y cipher] [-p port] [-d dir] [-dd data_dir] [-c cgipat] [-u user] [-h hostname] [-r] [-v] [-l logfile] [-i pidfile] [-T charset] [-P P3P] [-M maxage]\n", argv0 ); ++ (void) fprintf( stderr, "usage: %s [-C configfile] [-D] [-S] [-E certfile] [-Y cipher] [-p port] [-d dir] [-dd data_dir] [-c cgipat] [-u user] [-h hostname] [-r] [-v] [-l logfile] [-i pidfile] [-T charset] [-P P3P] [-M maxage] [-maxproc max_concurrent_procs] [-maxperip max_concurrent_procs_per_ip] [-cpelement path host]\n", argv0 ); + #else /* USE_SSL */ +- (void) fprintf( stderr, "usage: %s [-C configfile] [-D] [-p port] [-d dir] [-dd data_dir] [-c cgipat] [-u user] [-h hostname] [-r] [-v] [-l logfile] [-i pidfile] [-T charset] [-P P3P] [-M maxage]\n", argv0 ); ++ (void) fprintf( stderr, "usage: %s [-C configfile] [-D] [-p port] [-d dir] [-dd data_dir] [-c cgipat] [-u user] [-h hostname] [-r] [-v] [-l logfile] [-i pidfile] [-T charset] [-P P3P] [-M maxage] [-maxproc max_concurrent_procs] [-maxperip max_concurrent_procs_per_ip] [-cpelement path host]\n", argv0 ); + #endif /* USE_SSL */ + exit( 1 ); + } +@@ -1128,7 +1237,7 @@ + char* cp; + int r, file_len, i; + const char* index_names[] = { +- "index.html", "index.htm", "index.xhtml", "index.xht", "Default.htm", ++ "index.php", "index.html", "index.htm", "index.xhtml", "index.xht", "Default.htm", + "index.cgi" }; 
+ + /* Set up the timeout for reading. */ +@@ -1166,9 +1275,11 @@ + ** solution is writev() (as used in thttpd), or send the headers with + ** send(MSG_MORE) (only available in Linux so far). + */ ++ /* + r = 1; + (void) setsockopt( + conn_fd, IPPROTO_TCP, TCP_NOPUSH, (void*) &r, sizeof(r) ); ++ */ + #endif /* TCP_NOPUSH */ + + #ifdef USE_SSL +@@ -1215,11 +1326,13 @@ + send_error( 400, "Bad Request", "", "Can't parse request." ); + *protocol++ = '\0'; + protocol += strspn( protocol, " \t\012\015" ); +- query = strchr( path, '?' ); +- if ( query == (char*) 0 ) +- query = ""; +- else +- *query++ = '\0'; ++ if (!captivemode) { ++ query = strchr( path, '?' ); ++ if ( query == (char*) 0 ) ++ query = ""; ++ else ++ *query++ = '\0'; ++ } + + /* Parse the rest of the request headers. */ + while ( ( line = get_request_line() ) != (char*) 0 ) +@@ -1286,6 +1399,81 @@ + method = METHOD_POST; + else + send_error( 501, "Not Implemented", "", "That method is not implemented." ); ++ ++ if (captivemode) { ++ /* only accept GET in captive portal mode */ ++ int iscpelement = 0; ++ ++ captive_reqpath = path; ++ ++ if (cpelementpath != NULL && cpelementhost != NULL && ++ host != NULL && strcmp(cpelementhost, host) == 0) { ++ /* the host name in the request headers matches our host name; ++ see if the request matches a CP element */ ++ char *mypath, *myfile; ++ ++ mypath = e_strdup(path); ++ ++ strdecode(mypath, mypath); ++ if (mypath[0] == '/') { ++ myfile = &(mypath[1]); ++ de_dotdot( myfile ); ++ ++ iscpelement = 1; ++ ++ /* any slashes left? */ ++ for (i = 0; myfile[i]; i++) { ++ if (myfile[i] == '/') { ++ iscpelement = 0; ++ break; ++ } ++ } ++ ++ if (iscpelement && myfile[0] != '\0' && ++ !(myfile[0] == '.' && myfile[1] == '.' 
&& ++ myfile[2] == '\0')) { ++ ++ char *cpelpath; ++ ++ iscpelement = 0; ++ ++ /* see if that CP element exists */ ++ cpelpath = e_malloc(strlen(myfile) + strlen(cpelementpath) + 2); ++ ++ strcpy(cpelpath, cpelementpath); ++ strcat(cpelpath, "/"); ++ strcat(cpelpath, myfile); ++ ++ r = stat(cpelpath, &sb); ++ if (r == 0 && !S_ISDIR(sb.st_mode)) { ++ iscpelement = 1; ++ file = cpelpath; ++ path = mypath; ++ pathinfo = 0; ++ } ++ } else { ++ iscpelement = 0; ++ } ++ } ++ } ++ ++ /* Set up the timeout for writing. */ ++#ifdef HAVE_SIGSET ++ (void) sigset( SIGALRM, handle_write_timeout ); ++#else /* HAVE_SIGSET */ ++ (void) signal( SIGALRM, handle_write_timeout ); ++#endif /* HAVE_SIGSET */ ++ (void) alarm( WRITE_TIMEOUT ); ++ ++ if (iscpelement) { ++ do_file(); ++ } else { ++ path = "/index.php"; ++ file = "index.php"; ++ do_cgi(); ++ } ++ ++ } else { + + strdecode( path, path ); + if ( path[0] != '/' ) +@@ -1360,7 +1548,7 @@ + + got_one: ; + } +- ++ } + #ifdef USE_SSL + SSL_free( ssl ); + #endif /* USE_SSL */ +@@ -2117,6 +2305,7 @@ + int envn; + char* cp; + char buf[256]; ++ char rp[MAXPATHLEN]; + + envn = 0; + envp[envn++] = build_env( "PATH=%s", CGI_PATH ); +@@ -2135,6 +2324,7 @@ + envp[envn++] = build_env( + "REQUEST_METHOD=%s", get_method_str( method ) ); + envp[envn++] = build_env( "SCRIPT_NAME=%s", path ); ++ envp[envn++] = build_env( "SCRIPT_FILENAME=%s", realpath(file, rp) ); + if ( pathinfo != (char*) 0 ) + { + envp[envn++] = build_env( "PATH_INFO=/%s", pathinfo ); +@@ -2166,6 +2356,9 @@ + envp[envn++] = build_env( "AUTH_TYPE=%s", "Basic" ); + if ( getenv( "TZ" ) != (char*) 0 ) + envp[envn++] = build_env( "TZ=%s", getenv( "TZ" ) ); ++ ++ if (captive_reqpath != NULL) ++ envp[envn++] = build_env("CAPTIVE_REQPATH=%s", captive_reqpath); + + envp[envn] = (char*) 0; + return envp; +@@ -2341,8 +2534,6 @@ + + send_error_body( s, title, text ); + +- send_error_tail(); +- + send_response(); + + #ifdef USE_SSL +@@ -2378,14 +2569,15 @@ + /* Send built-in error page. 
*/ + buflen = snprintf( + buf, sizeof(buf), "\ +-\n\ +-%d %s\n\ +-\n\ +-

%d %s

\n", ++\n\ ++%d %s\n\ ++\n\ ++

%d %s

\n", + s, title, s, title ); + add_to_response( buf, buflen ); + buflen = snprintf( buf, sizeof(buf), "%s\n", text ); + add_to_response( buf, buflen ); ++ send_error_tail(); + } + + +@@ -2416,7 +2608,7 @@ + { + char buf[500]; + int buflen; +- ++/* + if ( match( "**MSIE**", useragent ) ) + { + int n; +@@ -2430,13 +2622,10 @@ + buflen = snprintf( buf, sizeof(buf), "-->\n" ); + add_to_response( buf, buflen ); + } +- ++*/ + buflen = snprintf( buf, sizeof(buf), "\ +-
\n\ +-
%s
\n\ +-\n\ +-\n", +- SERVER_URL, SERVER_SOFTWARE ); ++\n\ ++\n"); + add_to_response( buf, buflen ); + } + +@@ -2457,8 +2646,10 @@ + start_response(); + buflen = snprintf( buf, sizeof(buf), "%s %d %s\015\012", protocol, status, title ); + add_to_response( buf, buflen ); ++/* + buflen = snprintf( buf, sizeof(buf), "Server: %s\015\012", SERVER_SOFTWARE ); + add_to_response( buf, buflen ); ++*/ + now = time( (time_t*) 0 ); + (void) strftime( timebuf, sizeof(timebuf), rfc1123_fmt, gmtime( &now ) ); + buflen = snprintf( buf, sizeof(buf), "Date: %s\015\012", timebuf ); +@@ -3034,8 +3225,10 @@ + { + /* Don't need to set up the handler again, since it's a one-shot. */ + ++ /* + syslog( LOG_NOTICE, "exiting due to signal %d", sig ); + (void) fprintf( stderr, "%s: exiting due to signal %d\n", argv0, sig ); ++ */ + closelog(); + exit( 1 ); + } +@@ -3096,6 +3289,23 @@ + } + break; + } ++ currproc-- ; ++ ++ if (maxperip != 0) { ++ int i; ++ ++ /* remove from list of clients */ ++ for (i = 0; i < maxproc; i++) { ++ if (clients[i].cpid == pid) { ++ clients[i].cpid = 0; ++ break; ++ } ++ } ++ ++ if (i == maxproc) ++ syslog(LOG_CRIT, "reaped child %d not found in table!", pid); ++ } ++ + } + + /* Restore previous errno. */ +@@ -3128,7 +3338,9 @@ + static void + handle_read_timeout( int sig ) + { ++ /* + syslog( LOG_INFO, "%.80s connection timed out reading", ntoa( &client_addr ) ); ++ */ + send_error( + 408, "Request Timeout", "", + "No request appeared within a reasonable time period." ); diff --git a/build/patches/packages/patch-crypto_openssl.c.x509 b/build/patches/packages/patch-crypto_openssl.c.x509 new file mode 100644 index 0000000..1ab40b1 --- /dev/null +++ b/build/patches/packages/patch-crypto_openssl.c.x509 
@@ -0,0 +1,55 @@ +--- crypto_openssl.c.orig2 Sat Jun 18 20:46:38 2005 ++++ crypto_openssl.c Sat Jun 18 20:48:08 2005 +@@ -32,6 +32,10 @@ + #include + #include + ++#include ++#include ++#include ++ + #include + #include + #include +@@ -494,12 +498,36 @@ + goto end; + } + +- len = gen->d.ia5->length + 1; +- *altname = racoon_malloc(len); +- if (!*altname) +- goto end; ++ if (gen->type == GEN_IPADD && gen->d.ia5->length == 4 /* IPv4 */) { ++ char *ipv4_string = inet_ntoa(*((struct in_addr *)gen->d.iPAddress->data)); ++ *altname = NULL; ++ if (ipv4_string) { ++ len = strlen(ipv4_string)+1; ++ *altname = racoon_malloc(len); ++ } ++ if (!*altname) { ++#ifndef EAYDEBUG ++ plog(LLV_ERROR, LOCATION, NULL, "failed to extract ipv4 alt name from certificate\n"); ++#else ++ printf("failed to extract ipv4 alt name from certificate\n"); ++#endif ++ goto end; ++ } ++ strcpy(*altname, ipv4_string); ++#ifndef EAYDEBUG ++ plog(LLV_DEBUG2, LOCATION, NULL, "extracted ipv4 alt name from certificate: %s\n", *altname); ++#else ++ printf("extracted ipv4 alt name from certificate: %s\n", *altname); ++#endif ++ } ++ else { ++ len = gen->d.ia5->length + 1; ++ *altname = racoon_malloc(len); ++ if (!*altname) ++ goto end; + +- strlcpy(*altname, gen->d.ia5->data, len); ++ strlcpy(*altname, gen->d.ia5->data, len); ++ } + *type = gen->type; + + error = 0; diff --git a/build/patches/packages/patch-isakmp_quick.c b/build/patches/packages/patch-isakmp_quick.c new file mode 100644 index 0000000..588ea30 --- /dev/null +++ b/build/patches/packages/patch-isakmp_quick.c 
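Review bot: A `GEN_IPADD` entry whose length is not 4 (an IPv6 address, for example) falls into the final `else` branch, where `strlcpy` copies its raw address bytes as if they were text, so the stored altname stops at the first zero byte and is not a printable address. Reject or separately format that case ahead of the final `else`, e.g. `else if (gen->type == GEN_IPADD) { goto end; }`, assuming `error` still holds its failure value at `end`, which lies outside the hunk. The length test reads `gen->d.ia5->length` while the data is taken from `gen->d.iPAddress->data`; using `gen->d.iPAddress->length` keeps the union access consistent. The same `strlcpy` path handles the textual name types, where an embedded NUL in the certificate field would likewise shorten the name; comparing `strlen(*altname)` with `gen->d.ia5->length` after the copy would catch that.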
@@ -0,0 +1,24 @@ +--- isakmp_quick.c.orig Tue Jan 11 02:09:50 2005 ++++ isakmp_quick.c Wed Sep 7 17:45:47 2005 +@@ -2031,6 +2031,21 @@ + "no policy found: %s\n", spidx2str(&spidx)); + return ISAKMP_INTERNAL_ERROR; + } ++ ++ /* Refresh existing generated policies ++ */ ++ if (iph2->ph1->rmconf->gen_policy) { ++ plog(LLV_INFO, LOCATION, NULL, ++ "Update the generated policy : %s\n", ++ spidx2str(&spidx)); ++ iph2->spidx_gen = racoon_malloc(sizeof(spidx)); ++ if (!iph2->spidx_gen) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "buffer allocation failed.\n"); ++ return ISAKMP_INTERNAL_ERROR; ++ } ++ memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); ++ } + + /* get outbound policy */ + { 
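Review bot: `iph2->spidx_gen` is given a fresh `racoon_malloc` buffer without looking at its previous value, so if this path can run for a handle that already carries a generated policy index, the old buffer is leaked. Whether that can happen is not visible here, because the enclosing function starts and ends outside the hunk. Since the comment says the block refreshes existing policies, reuse the buffer when one is present, e.g. `if (iph2->spidx_gen == NULL) iph2->spidx_gen = racoon_malloc(sizeof(spidx));` followed by the existing NULL check. The comment should also state who frees `spidx_gen`.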
diff --git a/build/patches/user/clog-1.0.1.tar.gz b/build/patches/user/clog-1.0.1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..be92d4dc51e57f40ad633039f659bd7b79a5e6c4 GIT binary patch literal 3922 zcmV-Y53TSYiwFoJ54t-517mD&XDu-qci7g&N=f+ zGsdnHMC0A>zGkCZ<<-FfeMdyqT21~Zs$~DO8+x^WPzPOYzXqyGb-(f*9eh=-vNlgr zJ0|+>ukOu*bT<ZIGFeeIgu;q#!e^#CqJ}Q%~L-L$qrp& zYCohTn#YciJtGK+7vx3pG|}nCPbUy7|3~wbxlAM1_k71@9y-~vpqYrLewsp;SsY#a zE-uoEo#KxGpCE{C{BR5_Lf7X(33K6bQ;{C=b=A17TIA&_N!zE0C5lCA`+;O?kD_aS zl)E-_X&9xxBXp3!X#w~#pOsi?-nvc@>IAkw6|r>E-fcw^c22<~xhAmFokP2Olz9SO zSSX%loZQHnPeqv8`K0Y)J|aAiX=QldaHn?i^Ov3d= zulu9bGFx=|j{abtozc}>(`>)(UiMA;%U>FO(7bp-jZO={@5ub=qG$H|)a^-+Tjv*T z3uD2o*XRr^v#*oYX|^w0R_BdQr`8BWe`-5{5oASe>6J- z>c4HY+jp!xHKADJv~4QRu&!nG%;tbi$giZ4ohBRvo!UC}FU+RJ7v@hUjA-=U>FkSU zx6?QObO|Cnq*mj+@dh@PmabTOg83D_0q-|2d*(T73G@4xr~QF7xEz@DrrT{vKljbv zk5<#{A5*)_o!UySx}!-A1`c`+_DFxwvzmh<8DtK+y+P4j>3#D}+j?Vm znkG|pnbVckH_MnVtItH15`Wcz>`Q4r#|F=gye!12&ir^P$vUG(>qm<%$mkIPeJhI= z>A~jPYy$F-r{7xc5vf&JzecIqmqmEDTG_4aQT6cXpn9}dClpLFKh5a37_+Ns+A}|N zf;mdh@9ZQIacWFn7y3jThtYbM=Y(mn-ZevNulFR*M7X!Q{4ompt-jRtqdQ%JKf2u) zqi(GC%|oQU6j3BxB)ik89o`y_UM$h+-QKy9USP2;9XQ!W->!1&043)1^6bp)4g1#r znsjXkb1WqZ{go>umKBt@h_F;eSSe5>X*Bmdlq_!^1Y8O`m+f|<3U?Bz<-(>=+zHN#Z?E0>Sepct|q9OQ>sQD&*P95GMq zu~6iE&;43)+>FPej|WcSl@edr@z~Kbf|t0tF4I4>Eq>xmj@1RLPbXB#ZduF1Evukz zwJj+DH_YdKrrxZcWCsUGvq2rl|~yd+5!Nv58iMnMU}Af+s+F}Edtc5+fFD_51u_p$L5 zo6IaJ>0hvehs*J=E9K|UORNZUQaXAw=y~ znQ#EzP=eOQuKbZn%?zxvt-05}D0jzSNsPtc=6);^nEx1A>~_BVqAV}4$6)SB7$pTW zjOBy}N*V>?0ijB2E_9ilYo69+E`ogbC0B)|UKv`;=+h;A`IrmAR-Ux$ykwTL7EF-N zAm;ht~^M4TZ*Y4cu|b;9Gf#SD~<^Eb0z>t!}6Nj-Af4=eZ{* zC@x=$DJPl-F5`B|i@jd@J}ECft1ISE2m_I}Vcd=gFx2Nb%C= zj~2h5 zEq}nF2EJVE<$6`hCQIGqQ~)v`)o=!J!-X#bSFIs({5m`CUJG`$0I}fL{9FlOlJ|=2 zgMt6U5wAhuw6c{)9Iuo9@Pi@_5Tq-qQ~MLUV@Y33D)#LoWPMJQw6h?CO}dHwR9u&; zI>>Z2s1WWyFLERg!h$%%nz$Z0_r**WGzaC}vfR|AxcVmJy&{dYbvJBY*Bjdc!rF*vG1Ucys?@?ehD7vGL!R%pE6kw zrYUpHd?TibNK2V(DtbYu^5@F@RqvnOVH4$SpjYa3c$~gv$=@r$7!Rg}{Hnu6zZ7}i 
zFfCUeTlsSykJcnF{&@xCnSNb#pwwZRu&iU|=OU5R_OW^U2vwD?wPoVUc-%QDzBwr~ z)H}Dd;&&(OaiE;d=2bp#6hHrkW$4l792C-=bqNw7KC&)5Srn8WSflj5Y5s9&c3O|d z2oS=b2_G9M^+L!ly@qtwGbJ6oP(D%>y|F?Hg+dHW8{!hKO+5h<_?b+7vOV7&r^lu#+RVtl|_@fBKqD=MO z`tJYiYtPi@$(%}lpxi5dpsdu7D*H!!)xrl#4G{j#$reYK*6%g@>e6sXJ8yIjv%5pB z*}WL_e>mCNxw5&+=3m7$%~*cx8zrtWi$Oj8`1;qEVE^Ts?D7_5^A@S^lHuj$w7p^uXi(7w%4>a#-kRBoaC3Saa-(~9`- z@GHsq0{*Ml`OK%ne|raY`TmF3zzzQU7R~tc_I=kD3No7~z=F(X2?qJ*4jN284+q105g2p%Kf^(0@+5fh3AD)p zVaDo75aBYeo(>Z-yC(#N%9{Su?@bK_{cvxNk`X;)H7-p)h1@-CUZ!g>IMshBe4+m<}~?>gO!zSUSy z?L;eTk)IJ$YRK(dUh)>H`0Sji1wNU`9U%=GWD*~+PnzfF=4pl*$XIQha>_TYo+{=@ zr!%W<_Br}w=;w2h%xAMGMikvvg`+Z7)0e+c9g?9n?&=KO;)xjaaWwtR#Hv--malUY zc@)(1KM7Zpr%y2@>Mcy}fsNznMwk9xc7;N{0Ky+}lxF_8;&{HLo(69@lg!~F%#N7e zR#;AP;!kG?NaQ4&V6D{}zASH%j4 zN>+#@&_$VP-kDE{DPw;vI6nxh0UZcL+? z55@u|N2!{ToVT%jd1sf(6U;D7sMEsvxMXHK@?5hfPbkk~G4Iu6Tv51sGx!3#P(?O&~_X#V?S~v-L;wzKPR>)?u2SCg7Fu`NAYSd=0X(2t_Pw1zzxdH&|!@i$LBG&D*lb;6Pm4 zA*0x24i3nPB@@USbIC!RiP3z_bB1@6bYW;}1v7!k+WqdW*w+j9ctZ(2I*{a8=7ApG z-AR0Y_2JOQ8X|+>EEYm8wZ=ZNuD;5>g-~&+Qi%!HvG0HS-Eh-3ZPPYw(>86>Hf_^3 gZPPYw(>86>Hf_^3ZPPYw(|*0}--;x85&%#D0KUZXApigX literal 0 HcmV?d00001 diff --git a/build/patches/user/dhclient-script.patch b/build/patches/user/dhclient-script.patch new file mode 100644 index 0000000..8e1ad2c --- /dev/null +++ b/build/patches/user/dhclient-script.patch 
@@ -0,0 +1,42 @@ +--- dhclient-script.orig Wed Mar 24 19:48:49 2004 ++++ dhclient-script Sat Mar 27 09:42:38 2004 +@@ -13,12 +13,13 @@ + make_resolv_conf() { + if [ x"$new_domain_name_servers" != x ]; then + if [ "x$new_domain_name" != x ]; then +- echo search $new_domain_name >/etc/resolv.conf ++ echo $new_domain_name >/var/etc/defaultdomain.conf + else +- rm /etc/resolv.conf ++ rm -f /var/etc/defaultdomain.conf + fi ++ rm -f /var/etc/nameservers.conf + for nameserver in $new_domain_name_servers; do +- echo nameserver $nameserver >>/etc/resolv.conf ++ echo $nameserver >>/var/etc/nameservers.conf + done + fi + } +@@ -69,7 +70,7 @@ + eval "ifconfig $interface $medium" + eval "ifconfig $interface inet -alias 0.0.0.0 $medium" >/dev/null 2>&1 + sleep 1 +- exit_with_hooks 0 ++ exit 0 + fi + + if [ x$reason = xPREINIT ]; then +@@ -79,11 +80,11 @@ + fi + ifconfig $interface inet 0.0.0.0 netmask 0.0.0.0 \ + broadcast 255.255.255.255 up +- exit_with_hooks 0 ++ exit 0 + fi + + if [ x$reason = xARPCHECK ] || [ x$reason = xARPSEND ]; then +- exit_with_hooks 0; ++ exit 0; + fi + + if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \ diff --git a/build/patches/user/ipf.c.patch b/build/patches/user/ipf.c.patch new file mode 100644 index 0000000..15c4815 --- /dev/null +++ b/build/patches/user/ipf.c.patch @@ -0,0 +1,16 @@ +--- contrib/ipfilter/ipf.c.orig Sun Jul 4 11:24:39 2004 ++++ contrib/ipfilter/ipf.c Sun Apr 24 05:37:52 2005 +@@ -380,13 +380,11 @@ + if (ioctl(fd, del, &fr) == -1) { + fprintf(stderr, "%d:", linenum); + perror("ioctl(delete rule)"); +- exit(1); + } + } else if (!(opts & OPT_DONOTHING)) { + if (ioctl(fd, add, &fr) == -1) { + fprintf(stderr, "%d:", linenum); + perror("ioctl(add/insert rule)"); +- exit(1); + } + } + } diff --git a/build/patches/user/syslogd.c.patch b/build/patches/user/syslogd.c.patch new file mode 100644 index 0000000..54084d0 --- /dev/null +++ b/build/patches/user/syslogd.c.patch 
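Review bot: In `make_resolv_conf`, `$new_domain_name` and `$nameserver` are written to `/var/etc/defaultdomain.conf` and `/var/etc/nameservers.conf` unquoted. Both values come from the DHCP server's reply, so glob characters (and, for the domain name, whitespace) are expanded by the shell before the text reaches the file. Quote them and avoid `echo` option parsing: `printf '%s\n' "$new_domain_name" >/var/etc/defaultdomain.conf` and `printf '%s\n' "$nameserver" >>/var/etc/nameservers.conf`. The same applies to `echo $7` and `echo $9` in build/tools/ppp-linkup and to the unquoted `$1` to `$4` in build/tools/runmsntp.sh later in this commit.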
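Review bot: With both `exit(1)` calls removed, a failed `ioctl` for adding or deleting a rule only prints a message and processing continues, so the loader may finish with a success status although part of the ruleset was never installed. For a packet filter that means a partially applied policy nobody is told about. If continuing is intended, record the failure instead of dropping it, e.g. `ruleerrors++;` in each branch, and have the program exit non-zero when the counter is set. `ruleerrors` is a name made up for this note, and the enclosing function and the exit path are outside the hunk, so the place for the final check has to be confirmed there.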
@@ -0,0 +1,207 @@ +--- usr.sbin/syslogd/syslogd.c.orig Tue Jun 29 12:07:35 2004 ++++ usr.sbin/syslogd/syslogd.c Sun Apr 24 05:59:35 2005 +@@ -69,6 +69,7 @@ + * by Peter da Silva. + * -u and -v by Harlan Stenn. + * Priority comparison code by Harlan Stenn. ++ * Ring buffer code by Jeff Wheelhouse. + */ + + #define MAXLINE 1024 /* maximum line length */ +@@ -89,6 +90,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -111,6 +113,7 @@ + #include + + #include "pathnames.h" ++#include "../clog/clog.h" + #include "ttymsg.h" + + #define SYSLOG_NAMES +@@ -125,6 +128,7 @@ + const char *ConfFile = _PATH_LOGCONF; + const char *PidFile = _PATH_LOGPID; + const char ctty[] = _PATH_CONSOLE; ++const char ring_magic[] = "CLOG"; + + #define dprintf if (Debug) printf + +@@ -177,6 +181,11 @@ + char f_pname[MAXPATHLEN]; + pid_t f_pid; + } f_pipe; ++ struct { ++ char f_rname[MAXPATHLEN]; ++ struct clog_footer *f_footer; ++ size_t f_size; ++ } f_ring; + } f_un; + char f_prevline[MAXSVLINE]; /* last message logged */ + char f_lasttime[16]; /* time of last occurrence */ +@@ -254,10 +263,12 @@ + #define F_USERS 5 /* list of users */ + #define F_WALL 6 /* everyone logged on */ + #define F_PIPE 7 /* pipe to program */ ++#define F_RING 8 /* ring buffer (circular log) */ + +-const char *TypeNames[8] = { ++const char *TypeNames[9] = { + "UNUSED", "FILE", "TTY", "CONSOLE", +- "FORW", "USERS", "WALL", "PIPE" ++ "FORW", "USERS", "WALL", "PIPE", ++ "RING" + }; + + static struct filed *Files; /* Log files that we write to */ +@@ -314,6 +325,8 @@ + static void printline(const char *, char *); + static void printsys(char *); + static int p_open(const char *, pid_t *); ++ssize_t rbwrite(struct filed *, char *, size_t); ++ssize_t rbwritev(struct filed *, struct iovec *, int); + static void readklog(void); + static void reapchild(int); + static void usage(void); +@@ -1150,6 +1163,20 @@ + } else if ((flags & SYNC_FILE) && (f->f_flags & FFLAG_SYNC)) + (void)fsync(f->f_file); + 
break; ++ ++ case F_RING: ++ dprintf(" %s\n", f->f_un.f_ring.f_rname); ++ v->iov_base = "\n"; ++ v->iov_len = 1; ++ if (rbwritev(f, iov, 7)==-1) { ++ int e = errno; ++ (void)munmap(f->f_un.f_ring.f_footer,sizeof(struct clog_footer)); ++ (void)close(f->f_file); ++ f->f_type = F_UNUSED; ++ errno = e; ++ logerror(f->f_un.f_fname); ++ } ++ break; + + case F_PIPE: + dprintf(" %s\n", f->f_un.f_pipe.f_pname); +@@ -1463,6 +1490,10 @@ + } + f->f_un.f_pipe.f_pid = 0; + break; ++ case F_RING: ++ (void)munmap(f->f_un.f_ring.f_footer,sizeof(struct clog_footer)); ++ (void)close(f->f_file); ++ break; + } + next = f->f_next; + if (f->f_program) free(f->f_program); +@@ -1584,6 +1615,10 @@ + case F_FORW: + printf("%s", f->f_un.f_forw.f_hname); + break; ++ ++ case F_RING: ++ printf("%s", f->f_un.f_ring.f_rname); ++ break; + + case F_PIPE: + printf("%s", f->f_un.f_pipe.f_pname); +@@ -1625,6 +1660,7 @@ + const char *p, *q; + char *bp; + char buf[MAXLINE], ebuf[100]; ++ struct stat sb; + + dprintf("cfline(\"%s\", f, \"%s\", \"%s\")\n", line, prog, host); + +@@ -1812,6 +1848,38 @@ + f->f_type = F_FILE; + } + break; ++ ++ case '%': ++ if ((f->f_file = open(p+1, O_RDWR, 0 )) < 0) { ++ f->f_type = F_UNUSED; ++ logerror(p+1); ++ break; ++ } ++ if (fstat(f->f_file,&sb)<0) { ++ (void)close(f->f_file); ++ f->f_type = F_UNUSED; ++ logerror(p+1); ++ break; ++ } ++ f->f_un.f_ring.f_footer = mmap(NULL,sizeof(struct clog_footer),PROT_READ|PROT_WRITE,MAP_SHARED,f->f_file,sb.st_size-sizeof(struct clog_footer)); ++ if (f->f_un.f_ring.f_footer==NULL) { ++ (void)close(f->f_file); ++ f->f_type = F_UNUSED; ++ logerror(p+1); ++ break; ++ } ++ if (memcmp(&(f->f_un.f_ring.f_footer->cf_magic),MAGIC_CONST,4)!=0) { ++ (void)munmap(f->f_un.f_ring.f_footer,sizeof(struct clog_footer)); ++ (void)close(f->f_file); ++ f->f_type = F_UNUSED; ++ errno = ENODEV; ++ logerror(p+1); ++ break; ++ } ++ f->f_un.f_ring.f_size = sb.st_size; ++ (void)strcpy(f->f_un.f_ring.f_rname, p + 1); ++ f->f_type = F_RING; ++ break; + + case 
'|': + f->f_un.f_pipe.f_pid = 0; +@@ -2500,4 +2568,46 @@ + freeaddrinfo(res); + + return (socks); ++} ++ ++ssize_t rbwritev(struct filed *f, struct iovec *iov, int iovcnt) { ++ int i; ++ ssize_t out = 0; ++ ssize_t err; ++ ++ for(i=0;if_un.f_ring.f_footer->cf_max - f->f_un.f_ring.f_footer->cf_next; ++ ssize_t err; ++ ssize_t out = 0; ++ ++ f->f_un.f_ring.f_footer->cf_lock = 1; ++ while (nbytes>0) { ++ maxwrite = f->f_un.f_ring.f_footer->cf_max - f->f_un.f_ring.f_footer->cf_next; ++ if (maxwrite>nbytes) maxwrite = nbytes; ++ err = pwrite(f->f_file,buf,maxwrite,f->f_un.f_ring.f_footer->cf_next); ++ if (err==-1) { ++ f->f_un.f_ring.f_footer->cf_lock = 0; ++ return -1; ++ } ++ nbytes -= err; ++ out += err; ++ buf += err; ++ f->f_un.f_ring.f_footer->cf_next += err; ++ if (f->f_un.f_ring.f_footer->cf_next==f->f_un.f_ring.f_footer->cf_max) { ++ f->f_un.f_ring.f_footer->cf_next = 0; ++ f->f_un.f_ring.f_footer->cf_wrap = 1; ++ } ++ ++ } ++ ++ f->f_un.f_ring.f_footer->cf_lock = 0; ++ return out; + } diff --git a/build/tools/atareinit.c b/build/tools/atareinit.c new file mode 100644 index 0000000..c5b03c3 --- /dev/null +++ b/build/tools/atareinit.c @@ -0,0 +1,22 @@ +#include +#include +#include +#include +#include + +int main() { + struct ata_cmd iocmd; + int fd; + + bzero(&iocmd, sizeof(struct ata_cmd)); + + if ((fd = open("/dev/ata", O_RDWR)) < 0) + err(1, "control device not found"); + + iocmd.channel = 0; + iocmd.cmd = ATAREINIT; + if (ioctl(fd, IOCATA, &iocmd) < 0) + warn("ioctl(ATAREINIT)"); + + close(fd); +} diff --git a/build/tools/choparp.c b/build/tools/choparp.c new file mode 100644 index 0000000..47eb1a4 --- /dev/null +++ b/build/tools/choparp.c 
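Review bot: In the new `case '%':` branch of `cfline`, the `mmap` result is compared with `NULL`, but `mmap` reports failure with `MAP_FAILED`. A failed mapping is therefore accepted and the following `memcmp` on `cf_magic` reads through an invalid pointer; the test should read `if (f->f_un.f_ring.f_footer == MAP_FAILED) {`. The offset `sb.st_size-sizeof(struct clog_footer)` is computed without checking that the file is at least one footer long, so a short file yields a negative or wrapped offset; add `sb.st_size < (off_t)sizeof(struct clog_footer)` to the condition on the `fstat` failure path. `rbwrite` then uses `cf_next` and `cf_max` from the mapped footer as `pwrite` offsets without checking that `cf_next` is below `cf_max` or that `cf_max` fits inside the file, which is worth validating once when the ring is opened.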
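Review bot: In build/tools/atareinit.c, `main` reports a failed `ioctl(fd, IOCATA, &iocmd)` with `warn` and then falls off the end without a `return`, so the caller cannot tell from the exit status whether the reinit happened. Keep the `warn`, set a status variable in that branch, and end with `return rc;` after `close(fd);` (`rc` is a name chosen for this note). A one-line comment at the top saying what the tool does and that it acts on channel 0 would also help, since the file has none.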
@@ -0,0 +1,465 @@ +/* + choparp - cheap & omitted proxy arp + + Copyright (c) 1997 Takamichi Tateoka (tree@mma.club.uec.ac.jp) + Copyright (c) 2002 Thomas Quinot (thomas@cuivre.fr.eu.org) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the authors nor the names of their contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. 
+ + + History: + 17 Jun 1997 Creation (tate) + 7 Oct 1997 fix some comments (tate) + 19 Jun 1998 fix read result as ssize_t (tate / pointed by msaitoh) + 11 Feb 2004 add support for ranges (mkasper) +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +/* #include */ +#if (__FreeBSD__ >= 3) + #include +#endif +#include +#include +#include +#include +#include + +#ifdef DEBUG +#include +#endif + +#define BPFFILENAME "/dev/bpf%d" /* bpf file template */ +#ifndef NBPFILTER /* number of available bpf */ +# define NBPFILTER (16) +#endif + +struct cidr { + struct cidr *next; + u_int8_t isrange; + u_int32_t addr; /* addr and mask are host order */ + u_int32_t mask; +}; + +struct cidr *targets = NULL, *excludes = NULL; +u_char target_mac[ETHER_ADDR_LEN]; /* target MAC address */ + +/* + ARP filter program +*/ +struct bpf_insn bpf_filter_arp[] = { + /* check Ethernet Encapsulation (RFC894) first */ + BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), /* load frame type */ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_ARP, 0, 3), /* check it */ + BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20), /* load OP code */ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 1), /* check it */ + BPF_STMT(BPF_RET+BPF_K, 14+28), /* return Ethernet encap ARP req. */ + /* XXX: IEEE 802.2/802.3 Encap (RFC1042) should be available... */ + BPF_STMT(BPF_RET+BPF_K, 0), /* discard */ +}; + +/* + openbpf: + + open bpf & set ARP filter program for named interface & + allocate enough buffer for BPF. 
+ return file descripter or -1 for error +*/ +int +openbpf(char *ifname, char **bufp, size_t *buflen){ + char bpffile[sizeof(BPFFILENAME)+5]; /* XXX: */ + int fd = -1; + int n; + struct bpf_version bpf_version; + struct ifreq bpf_ifreq; + u_int ui; + struct bpf_program bpf_program; + + /* open BPF file */ + for (n=0; n= 0) + break; + } + if (fd < 0){ + fprintf(stderr,"openbpf: Can't open BPF\n"); + return(-1); /* error */ + } + + /* check version number */ + if ((ioctl(fd, BIOCVERSION, &bpf_version) == -1) || + bpf_version.bv_major != BPF_MAJOR_VERSION || + bpf_version.bv_minor < BPF_MINOR_VERSION){ + fprintf(stderr,"openbpf: incorrect BPF version\n"); + close(fd); + return(-1); + } + + /* set interface name */ + strncpy(bpf_ifreq.ifr_name, ifname, IFNAMSIZ); + bpf_ifreq.ifr_name[IFNAMSIZ-1] = '\0'; /* paranoia */ + if (ioctl(fd, BIOCSETIF, &bpf_ifreq) == -1){ + fprintf(stderr,"openbpf: BIOCSETIF failed for interface <%s>\n", + ifname); + close(fd); + return(-1); + } + + /* set BPF immediate mode */ + ui = 1; + if (ioctl(fd, BIOCIMMEDIATE, &ui) == -1){ + fprintf(stderr,"openbpf: BIOCIMMEDIATE failed.\n"); + close(fd); + return(-1); + } + + /* set ARP request filter */ + bpf_program.bf_len = sizeof(bpf_filter_arp) / sizeof(struct bpf_insn); + bpf_program.bf_insns = bpf_filter_arp; + if (ioctl(fd, BIOCSETF, &bpf_program) == -1){ + fprintf(stderr,"openbpf: BIOCSETF failed.\n"); + close(fd); + return(-1); + } + + /* allocate reasonable size & alimented buffer */ + if (ioctl(fd, BIOCGBLEN, &ui) == -1){ + fprintf(stderr,"openbpf: BIOCGBLEN failed.\n"); + close(fd); + return(-1); + } + *buflen = (size_t)ui; + if ((*bufp = (char *)malloc((size_t) ui)) == NULL){ + fprintf(stderr,"openbpf: malloc failed.\n"); + close(fd); + return(-1); + } + + return(fd); +} + +/* + get ARP datalink frame pointer + + NULL if no more ARP frame +*/ +char * +getarp(char *bpfframe, ssize_t bpfflen, char **next, ssize_t *nextlen){ + int bias; + char *p; + + if (bpfframe == NULL || bpfflen == 0) + 
return(NULL); + + bias = BPF_WORDALIGN(((struct bpf_hdr *)bpfframe)->bh_hdrlen + + ((struct bpf_hdr *)bpfframe)->bh_caplen); + if (bias < bpfflen){ + /* there is another packet packed into same bpf frame */ + *next = bpfframe + bias; + *nextlen = (size_t) bpfflen - bias; + } else { + /* no more packet */ + *next = NULL; + *nextlen = 0; + } + + /* cut off BPF header */ + p = bpfframe + ((struct bpf_hdr *)bpfframe)->bh_hdrlen; + return(p); +} + +/* + match + + match an IP address against a list of address/netmask pairs +*/ + +static int +match (u_int32_t addr, struct cidr *list) { + while (list) { + if (list->isrange) { + if ((addr >= list->addr) && (addr <= list->mask)) + return 1; + } else { + if ((addr & list->mask) == list->addr) + return 1; + } + list = list->next; + } + return 0; +} + +/* + checkarp + + check responsibility of the ARP request + return true if responsible + + arpbuf is pointing top of link-level frame +*/ + +static int +checkarp(char *arpbuf){ + struct ether_arp *arp; + u_int32_t target_ip; + + arp = (struct ether_arp *)(arpbuf + 14); /* skip ethernet header */ + if (ntohs(arp->arp_hrd) != ARPHRD_ETHER || + /* XXX: ARPHRD_802 */ + ntohs(arp->arp_pro) != ETHERTYPE_IP || + (int) (arp->arp_hln) != ETHER_ADDR_LEN || /* length of ethernet addr */ + (int) (arp->arp_pln) != 4){ /* length of protocol addr */ + fprintf(stderr,"checkarp: WARNING: received unknown type ARP request.\n"); + return(0); + } + target_ip = ntohl(*(u_int32_t *)(arp->arp_tpa)); + return match(target_ip, targets) && !match(target_ip, excludes); +} + +/* + genarpreply + + generate arp reply link level frame + arpbuf is pointing top of link-level frame + this routine overwrite arpbuf + + return reply buffer & its length +*/ +char * +gen_arpreply(char *arpbuf, size_t *rlen){ + struct ether_arp *arp; + u_char ipbuf[4]; /* sender IP */ + + /* set ethernet dst/src address */ + memcpy(arpbuf, arpbuf+ETHER_ADDR_LEN, ETHER_ADDR_LEN); + memcpy(arpbuf+ETHER_ADDR_LEN, target_mac, 
ETHER_ADDR_LEN); + /* set result of ARP request */ + arp = (struct ether_arp *)(arpbuf + 14); /* skip ethernet header */ + memcpy(ipbuf, arp->arp_tpa, 4); /* save protocol addr */ + memcpy(arp->arp_tha, arp->arp_sha, 10); /* set target hard/proto addr */ + memcpy(arp->arp_spa, ipbuf, 4); /* set source protocol addr */ + memcpy(arp->arp_sha, target_mac, ETHER_ADDR_LEN); /* set source hard addr */ + arp->arp_op = htons(ARPOP_REPLY); + + *rlen = 14 + 28; /* ethernet header & arp reply */ + return(arpbuf); +} + +void +loop(int fd, char *buf, size_t buflen){ + ssize_t rlen; + char *p, *nextp; + ssize_t nextlen; + char *rframe; + char *sframe; + size_t frame_len; + fd_set fdset; + + FD_ZERO(&fdset); + FD_SET(fd,&fdset); + + for(;;){ + int r = select(fd+1,&fdset, 0, 0, 0); + + if (r < 0) { + if (errno == EINTR) + continue; + perror("select"); + return; + } + + rlen = read(fd, buf, buflen); + if (rlen < 0) { + if (errno == EINTR) + continue; + perror("read"); + return; + } + + p = buf; + while((rframe = getarp(p, rlen, &nextp, &nextlen)) != NULL){ + if (checkarp(rframe)){ + sframe = gen_arpreply(rframe, &frame_len); + write(fd, sframe, frame_len); + } + p = nextp; + rlen = nextlen; + } + } + /* not reach */ +} + +int +setmac(char *addr, char *ifname){ + u_int m0, m1, m2, m3, m4, m5; + + if (!strcmp (addr, "auto")) { + struct ifaddrs *ifas, *ifa; + + getifaddrs (&ifas); + for (ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) { +#define SDL ((struct sockaddr_dl *)ifa->ifa_addr) + if (strcmp (ifa->ifa_name, ifname) + || SDL->sdl_family != AF_LINK + || SDL->sdl_alen != 6) + continue; + memcpy (target_mac, SDL->sdl_data + SDL->sdl_nlen, 6); + return 0; + } + return -1; + } + if (sscanf(addr, "%x:%x:%x:%x:%x:%x", &m0, &m1, &m2, &m3, &m4, &m5) < 6) + return(-1); + target_mac[0] = (u_char )m0; + target_mac[1] = (u_char )m1; + target_mac[2] = (u_char )m2; + target_mac[3] = (u_char )m3; + target_mac[4] = (u_char )m4; + target_mac[5] = (u_char )m5; + return(0); +} + +int +atoip(char 
*buf, u_int32_t *ip_addr){ + u_int i0, i1, i2, i3; + + if (sscanf(buf, "%u.%u.%u.%u", &i0, &i1, &i2, &i3) == 4){ + *ip_addr = (i0 << 24) + (i1 << 16) + (i2 << 8) + i3; + return(0); + } + if (sscanf(buf, "0x%lx", ip_addr) == 1) + return(0); + + return(-1); +} + +void +usage(void){ + fprintf(stderr,"usage: choparp if_name mac_addr [-]addr/mask...\n"); + exit(-1); +} + +int +main(int argc, char **argv){ + int fd; + char *buf, *ifname; + struct cidr **targets_tail = &targets, **excludes_tail = &excludes; +#define APPEND(LIST,ADDR,MASK,ISRANGE) \ + do { \ + *(LIST ## _tail) = malloc(sizeof (struct cidr)); \ + (*(LIST ## _tail))->addr = ADDR; \ + (*(LIST ## _tail))->mask = MASK; \ + (*(LIST ## _tail))->isrange = ISRANGE; \ + (*(LIST ## _tail))->next = NULL; \ + (LIST ## _tail) = &(*(LIST ## _tail))->next; \ + } while (0) + size_t buflen; + + if (argc < 4) + usage(); + + ifname = argv[1]; + if (setmac(argv[2], ifname)) + usage(); + argv += 3; argc -= 3; + + while (argc > 0) { + u_int32_t addr, mask = ~0; + char *slash = strchr (*argv, '/'); + char *dash; + int exclude = 0; + u_int8_t isrange; + + if (**argv == '-') { + (*argv)++; + exclude = 1; + } + dash = strchr (*argv, '-'); + if (dash != NULL) { + *(dash++) = '\0'; + if (atoip(*argv, &addr)) + usage(); + if (atoip(dash, &mask)) + usage(); + isrange = 1; + } else { + if (slash != NULL) + *(slash++) = '\0'; + if (atoip (*argv, &addr)) + usage(); + if (slash != NULL) { + char *end; + u_int32_t len = strtol (slash, &end, 10); + if (*end == '\0') + mask <<= (32 - len); + else if (atoip (slash, &mask)) + usage(); + } + isrange = 0; + } + if (exclude) + APPEND(excludes, addr, mask, isrange); + else + APPEND(targets, addr, mask, isrange); + argv++, argc--; + } + +#ifdef DEBUG +#define SHOW(LIST) \ + do { \ + struct cidr *t; \ + printf (#LIST ":\n"); \ + for (t = LIST; t; t = t->next) { \ + u_int32_t x; \ + x = htonl (t->addr); \ + printf (" %s", inet_ntoa (*(struct in_addr *)&x)); \ + x = htonl (t->mask); \ + if (t->isrange) 
\ + printf ("-%s\n", inet_ntoa (*(struct in_addr *)&x)); \ + else \ + printf ("/%s\n", inet_ntoa (*(struct in_addr *)&x)); \ + } \ + } while (0) + + SHOW(targets); + SHOW(excludes); + exit (0); +#endif + if ((fd = openbpf(ifname, &buf, &buflen)) < 0) + return(-1); + loop(fd, buf, buflen); + return(-1); +} diff --git a/build/tools/minicron.c b/build/tools/minicron.c new file mode 100644 index 0000000..81d8a80 --- /dev/null +++ b/build/tools/minicron.c 
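Review bot: In `main`, the prefix length parsed by `strtol (slash, &end, 10)` goes straight into `mask <<= (32 - len)`. A `/0` prefix therefore shifts a 32-bit value by 32, and anything above 32 or negative shifts by an out-of-range count, which is undefined behaviour in both cases. Validate first, e.g. `if (len > 32) usage();` then `mask = len ? mask << (32 - len) : 0;`. `atoip` has two related input problems: the dotted-quad branch accepts octets above 255, and `sscanf(buf, "0x%lx", ip_addr)` stores a `long` through a `u_int32_t *`, which writes past the object where `long` is 64 bits wide. The `APPEND` macro also dereferences the `malloc` result unchecked, and `loop` ignores the return value of `write`.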
@@ -0,0 +1,73 @@ +/* + minicron.c + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +#include +#include + +/* usage: minicron interval pidfile cmd */ + +int main(int argc, char *argv[]) { + + int interval; + FILE *pidfd; + + if (argc < 4) + exit(1); + + interval = atoi(argv[1]); + if (interval == 0) + exit(1); + + /* unset loads of CGI environment variables */ + unsetenv("CONTENT_TYPE"); unsetenv("GATEWAY_INTERFACE"); + unsetenv("REMOTE_USER"); unsetenv("REMOTE_ADDR"); + unsetenv("AUTH_TYPE"); unsetenv("SCRIPT_FILENAME"); + unsetenv("CONTENT_LENGTH"); unsetenv("HTTP_USER_AGENT"); + unsetenv("HTTP_HOST"); unsetenv("SERVER_SOFTWARE"); + unsetenv("HTTP_REFERER"); unsetenv("SERVER_PROTOCOL"); + unsetenv("REQUEST_METHOD"); unsetenv("SERVER_PORT"); + unsetenv("SCRIPT_NAME"); unsetenv("SERVER_NAME"); + + /* go into background */ + if (daemon(0, 0) == -1) + exit(1); + + /* write PID to file */ + pidfd = fopen(argv[2], "w"); + if (pidfd) { + fprintf(pidfd, "%d\n", getpid()); + fclose(pidfd); + } + + while (1) { + sleep(interval); + + system(argv[3]); + } +} diff --git a/build/tools/ppp-linkup b/build/tools/ppp-linkup new file mode 100644 index 0000000..4071abb --- /dev/null +++ b/build/tools/ppp-linkup @@ -0,0 +1,21 @@ +#!/bin/sh + +rm -f /var/etc/nameservers.conf + +# unset CGI environment variables so as not to confuse PHP +unset CONTENT_TYPE GATEWAY_INTERFACE REMOTE_USER REMOTE_ADDR AUTH_TYPE +unset HTTP_USER_AGENT CONTENT_LENGTH SCRIPT_FILENAME HTTP_HOST +unset SERVER_SOFTWARE HTTP_REFERER SERVER_PROTOCOL REQUEST_METHOD +unset SERVER_PORT SCRIPT_NAME SERVER_NAME + +# write nameservers to file +if [ "$6" = "dns1" ]; then + echo $7 >> /var/etc/nameservers.conf +fi +if [ "$8" = "dns2" ]; then + echo $9 >> /var/etc/nameservers.conf +fi + +# let the configuration system know that the +# WAN IP address has changed +/etc/rc.newwanip & diff --git a/build/tools/runmsntp.sh b/build/tools/runmsntp.sh new file mode 100644 index 0000000..f7100b9 --- /dev/null +++ b/build/tools/runmsntp.sh 
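Review bot: In minicron.c, `interval = atoi(argv[1])` is rejected only when it is 0, so a negative value gets through and `sleep(interval)` converts it to a very large unsigned count, leaving the command effectively never run. Parse the argument with `strtol`, check the end pointer, and use `if (interval <= 0) exit(1);`. Also, `daemon(0, 0)` changes the working directory to `/` before `fopen(argv[2], "w")`, so a relative pidfile path ends up there, and a failed `fopen` is silently ignored. A comment stating that the pidfile argument must be an absolute path would cover the first of these.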
@@ -0,0 +1,12 @@ +#!/bin/sh + +# write our PID to file +echo $$ > $1 + +# execute msntp in endless loop; restart if it +# exits (wait 1 second to avoid restarting too fast in case +# the network is not yet setup) +while true; do + /usr/local/bin/msntp -r -P no -l $2 -x $3 $4 + sleep 1 +done diff --git a/build/tools/stats.c b/build/tools/stats.c new file mode 100644 index 0000000..73a8813 --- /dev/null +++ b/build/tools/stats.c 
@@ -0,0 +1,142 @@
+/*
+ stats.c
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2004-2005 Manuel Kasper .
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +void cpu_stats() { + + long cp_time1[CPUSTATES], cp_time2[CPUSTATES]; + long total1, total2; + size_t len; + double cpuload; + + len = sizeof(cp_time1); + + if (sysctlbyname("kern.cp_time", &cp_time1, &len, NULL, 0) < 0) + exit(1); + + sleep(1); + + len = sizeof(cp_time2); + + if (sysctlbyname("kern.cp_time", &cp_time2, &len, NULL, 0) < 0) + exit(1); + + total1 = cp_time1[CP_USER] + cp_time1[CP_NICE] + cp_time1[CP_SYS] + + cp_time1[CP_INTR] + cp_time1[CP_IDLE]; + total2 = cp_time2[CP_USER] + cp_time2[CP_NICE] + cp_time2[CP_SYS] + + cp_time2[CP_INTR] + cp_time2[CP_IDLE]; + + cpuload = 1 - ((double)(cp_time2[CP_IDLE] - cp_time1[CP_IDLE]) / (double)(total2 - total1)); + + printf("%.0f\n", 100.0*cpuload); +} + +void if_stats(char *cl) { + + struct ifmibdata ifmd; + size_t ifmd_size = sizeof(ifmd); + int nr_network_devs; + size_t int_size = sizeof(nr_network_devs); + int name[6]; + int i; + struct timeval tv; + double uusec; + + /* check interface name syntax */ + for (i = 0; cl[i]; i++) { + if (!((cl[i] >= 'a' && cl[i] <= 'z') || (cl[i] >= '0' && cl[i] <= '9'))) + exit(1); + } + + name[0] = CTL_NET; + name[1] = PF_LINK; + name[2] = NETLINK_GENERIC; + name[3] = IFMIB_IFDATA; name[5] = IFDATA_GENERAL; + + if (sysctlbyname("net.link.generic.system.ifcount", &nr_network_devs, + &int_size, (void*)0, 0) == -1) { + + exit(1); + + } else { + + for (i = 1; i <= nr_network_devs; i++) { + + name[4] = i; /* row of the ifmib table */ + + if (sysctl(name, 6, &ifmd, &ifmd_size, (void*)0, 0) == -1) { + continue; + } + + if (strncmp(ifmd.ifmd_name, cl, strlen(cl)) == 0) { + gettimeofday(&tv, NULL); + uusec = (double)tv.tv_sec + (double)tv.tv_usec / 1000000.0; + printf("%lf|%u|%u\n", uusec, + ifmd.ifmd_data.ifi_ibytes, ifmd.ifmd_data.ifi_obytes); + exit(0); + } + } + } +} + +int main(int argc, char *argv[]) { + + char *cl, *rm; + + printf("Content-Type: text/plain\n\n"); + + rm = 
getenv("REQUEST_METHOD"); + if (rm == NULL) + exit(1); + if (strcmp(rm, "GET") != 0) + exit(1); + + cl = getenv("QUERY_STRING"); + if (cl == NULL) + exit(1); + + if ((strlen(cl) < 3) || (strlen(cl) > 16)) + exit(1); + + if (strcmp(cl, "cpu") == 0) + cpu_stats(); + else + if_stats(cl); + + return 0; +} diff --git a/build/tools/verifysig.c b/build/tools/verifysig.c new file mode 100644 index 0000000..09a5a73 --- /dev/null +++ b/build/tools/verifysig.c 
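Review bot: In if_stats() the lookup `strncmp(ifmd.ifmd_name, cl, strlen(cl)) == 0` is a prefix match, so a query string such as `sis1` also matches `sis10`, and whichever row comes first in the ifmib table is the one reported. Comparing over the whole name field avoids that without relying on how the field is terminated: `if (strncmp(ifmd.ifmd_name, cl, sizeof(ifmd.ifmd_name)) == 0) {` (assuming `ifmd_name` is the fixed-size array from the system header). Separately, in cpu_stats() `total2 - total1` can be zero when the counters did not advance during the one-second sleep, which makes the printed value NaN or infinity; a guard such as `if (total2 == total1) { printf("0\n"); return; }` keeps the CGI output numeric. The character whitelist and the 3 to 16 length check on QUERY_STRING should stay as they are.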
@@ -0,0 +1,173 @@ +/* + verifysig.c + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* + m0n0wall binary image file format: + + +-----------------------------------------------------------------------+ + | std. gzip file | sig | sig.len. in bytes (2) | magic (0xe14d77cb) | + +-----------------------------------------------------------------------+ + + sig. len. and magic in Intel byte order! + + WARNING: in the process of verifying the signature, this program actually + removes it from the file - this is to facilitate later processing where + it might confuse other programs (gzip just warns about trailing garbage, + but we might sign other files in the future...). 
+*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define SIG_MAGIC 0xe14d77cb /* XXX - not byte order safe! */ +#define SIG_INBUFLEN 65536 + +void usage(void) { + + fprintf(stderr, "usage: verifysig pubkey file\n\n" + "return values: 0 -> signature verified OK\n" + " 1 -> signature invalid\n" + " 2 -> no signature found\n" + " 3 -> signature verification error\n" + " 4 -> other error\n"); + exit(4); +} + +int main(int argc, char *argv[]) { + + FILE *fin, *fkey; + u_int16_t siglen; + u_int32_t magic; + long nread, ndata; + char *sigbuf, *inbuf; + EVP_PKEY *pkey; + EVP_MD_CTX ctx; + int err, retval; + + if (argc != 3) + usage(); + + ERR_load_crypto_strings(); + + /* open file and check for magic */ + fin = fopen(argv[2], "r+"); + if (fin == NULL) { + fprintf(stderr, "unable to open file '%s'\n", argv[2]); + exit(4); + } + + fseek(fin, -(sizeof(magic)), SEEK_END); + fread(&magic, sizeof(magic), 1, fin); + + if (magic != SIG_MAGIC) { + fclose(fin); + exit(2); + } + + /* magic is good; get signature length */ + fseek(fin, -(sizeof(magic) + sizeof(siglen)), SEEK_END); + fread(&siglen, sizeof(siglen), 1, fin); + + /* read public key */ + fkey = fopen(argv[1], "r"); + if (fkey == NULL) { + fprintf(stderr, "unable to open public key file '%s'\n", argv[1]); + exit(4); + } + + pkey = PEM_read_PUBKEY(fkey, NULL, NULL, NULL); + fclose(fkey); + + if (pkey == NULL) { + ERR_print_errors_fp(stderr); + exit(4); + } + + /* check if siglen is sane */ + if ((siglen == 0) || (siglen > EVP_PKEY_size(pkey))) + exit(3); + + /* got signature length; read signature */ + sigbuf = malloc(siglen); + if (sigbuf == NULL) + exit(4); + + fseek(fin, -(sizeof(magic) + sizeof(siglen) + siglen), SEEK_END); + if (fread(sigbuf, 1, siglen, fin) != siglen) + exit(4); + + /* signature read; truncate file to remove sig */ + fseek(fin, 0, SEEK_END); + ndata = ftell(fin) - (sizeof(magic) + sizeof(siglen) + siglen); + ftruncate(fileno(fin), ndata); + + /* verify 
the signature now */ + EVP_VerifyInit(&ctx, EVP_sha1()); + + /* allocate data buffer */ + inbuf = malloc(SIG_INBUFLEN); + if (inbuf == NULL) + exit(4); + + rewind(fin); + while (!feof(fin)) { + nread = fread(inbuf, 1, SIG_INBUFLEN, fin); + if (nread != SIG_INBUFLEN) { + if (ferror(fin)) { + fprintf(stderr, "read error in file '%s'\n", argv[2]); + exit(4); + } + } + + EVP_VerifyUpdate(&ctx, inbuf, nread); + } + + err = EVP_VerifyFinal(&ctx, sigbuf, siglen, pkey); + EVP_PKEY_free(pkey); + + if (err == 1) + retval = 0; /* correct signature */ + else if (err == 0) + retval = 1; /* invalid signature */ + else + retval = 3; /* error */ + + free(inbuf); + free(sigbuf); + fclose(fin); + + return retval; +} diff --git a/build/tools/vpn-linkdown b/build/tools/vpn-linkdown new file mode 100644 index 0000000..130f5bc --- /dev/null +++ b/build/tools/vpn-linkdown @@ -0,0 +1,7 @@ +#!/bin/sh + +# record logout +/usr/bin/logger -p local3.info "logout,$1,,$3" + +# resync ipfilter +/sbin/ipf -y \ No newline at end of file diff --git a/build/tools/vpn-linkup b/build/tools/vpn-linkup new file mode 100644 index 0000000..c56cb95 --- /dev/null +++ b/build/tools/vpn-linkup @@ -0,0 +1,7 @@ +#!/bin/sh + +# record login +/usr/bin/logger -p local3.info "login,$1,$4,$5" + +# resync ipfilter +/sbin/ipf -y -- 2.43.0
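Review bot: In verifysig.c main() the trailer reads are unchecked: the results of `fseek()` and `fread()` for `magic` and `siglen` are ignored, so on a file shorter than the trailer `magic` is compared while still uninitialised, and a failed seek is only caught indirectly by the later signature read. The results of `ftruncate()`, `EVP_VerifyInit()` and `EVP_VerifyUpdate()` are ignored as well; when truncation fails the digest silently covers the trailer and the tool reports an invalid signature (1) instead of an error. Suggested for the first read: `if (fseek(fin, -(long)sizeof(magic), SEEK_END) != 0 || fread(&magic, sizeof(magic), 1, fin) != 1) { fclose(fin); exit(2); }`, the same pattern for `siglen`, and `if (ndata < 0 || ftruncate(fileno(fin), ndata) != 0) exit(4);` before hashing. The digest is fixed to `EVP_sha1()`, which is no longer considered collision-resistant; since changing it means re-signing images, the digest should at least be named in the file-format comment so a later move to SHA-256 is a deliberate format change.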
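Review bot: build/tools/vpn-linkdown and build/tools/vpn-linkup interpolate positional arguments straight into a comma-separated syslog record, `"logout,$1,,$3"` and `"login,$1,$4,$5"`. If any of those arguments carries a peer-chosen value (a login name, presumably), a comma or line break inside it shifts or forges fields for whatever parses the local3 log later. Stripping those characters before logging, for example `name=$(printf '%s' "$5" | tr -d ',\r\n')` for whichever argument holds the name, or a comment stating which arguments the VPN daemon guarantees to be safe, would close that gap.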