cvs-src summary for 03/05/04 - 10/05/04

From: Mark Johnston <mjohnston_at_skyweb.ca>
Date: Mon, 10 May 2004 21:36:23 -0500
FreeBSD cvs-src summary for 03/05/04 - 10/05/04
++++++++++++++++++++++++++++++++++++++++++++++++
This is a regular weekly summary of FreeBSD's cutting-edge development.
It is intended to help the FreeBSD community keep up with the fast-paced
work going on in FreeBSD-CURRENT by distilling the deluge of data from
the CVS mailing list into a (hopefully) easy-to-read newsletter.  This
newsletter is marked up in reStructuredText_, so any odd punctuation
that you see is likely intended for the reST parser.

.. _reStructuredText: http://docutils.sourceforge.net/rst.html

You can get old summaries, and an HTML version of this one, at
http://www.xl0.org/FreeBSD/.  Please send any comments to Mark Johnston
(mark at xl0.org).

For Lukasz Dudek and Szymon Roczniak's Polish translations of these
summaries, which may lag the English ones slightly, please see
http://mocart.pinco.pl/FreeBSD/.

.. contents::

============
New features
============
Support added for Cronyx Tau-PCI adapters
-----------------------------------------
Roman Kurakin (rik) introduced support for Cronyx_ Tau-PCI_ WAN adapters.
The Tau-PCI cards support E1, E3, RS-232, and RS-530 interfaces.  The new
driver is called "cp".

.. _Cronyx: http://www.cronyx.ru/
.. _Tau-PCI: http://www.cronyx.ru/hardware/wan.html

http://www.freebsd.org/cgi/mid.cgi?200405051611.i45GBjTC071299

Driver added for the ELCR register
----------------------------------
John Baldwin (jhb) added a mini-driver for the i386's ELCR (Edge/Level
Control Register).  This register was originally used to control EISA
interrupts, but it is now used to control ISA interrupts too.  The driver
will be used by the atpic driver and the mptable parsing code to manage
ISA IRQs.

http://www.freebsd.org/cgi/mid.cgi?200405042007.i44K7kTf073264

Unwind Express (libuwx) upgraded to Beta 7
------------------------------------------
Marcel Moolenaar (marcel) upgraded Unwind Express, a library used to
generate stack traces under ia64, to beta 7.  The new version has a number
of bug fixes and introduces C++ support.

http://www.freebsd.org/cgi/mid.cgi?200405090306.i4936P2J081306

===============
Notable changes
===============
ACPI hw.acpi.force_sci_lo sysctl replaced
-----------------------------------------
John Baldwin (jhb) removed the old ACPI hw.acpi.force_sci_lo
tunable, replacing it with two new ones: hw.acpi.sci.trigger and
hw.acpi.sci.polarity.  To get the behavior of the old sysctl, set
hw.acpi.sci.trigger to "level" and hw.acpi.sci.polarity to "low"; if you
are having ACPI problems, especially with interrupt storms, playing with
these tunables may correct them.

http://www.freebsd.org/cgi/mid.cgi?200405042039.i44KdOfk079648

=================
Discussion topics
=================
ACPI fixes and extending laptop battery life
--------------------------------------------
Nate Lawson added a machine-independent implementation of the ACPI locking
routines.  Mike Silbersack (silby) followed up that either that change
or John Baldwin (jhb)'s support for the ELCR register had gotten his
laptop's wireless network working.  Nate admitted that the ELCR changes
were probably responsible.  Mike posted an error with EmbeddedControl
returning AE_NO_HARDWARE_RESPONSE that he had been getting since the
changes, but then followed up that a BIOS update had fixed the problem.
He also asked whether devd could be used to react to ACPI events like the
lid being closed.  Nate explained that the error was a harmless warning
and confirmed that devd could be used for ACPI events.

Mike got a script working to throttle down the CPU when he closes his laptop
lid; he didn't expect much savings in battery life, though.  Scott Long
(scottl) suggested that turning down the display brightness gives the most
significant battery life savings.  M. Warner Losh (imp) agreed, adding that
throttling the CPU from 8 down to 2 on his laptop gives him another hour of
battery life.

http://www.freebsd.org/cgi/mid.cgi?200405052004.i45K4EnF029671

IP-option-related controls in the kernel
----------------------------------------
This is a long one, but it has contributions from all the firewall
maintainers, some brilliant security and networking gurus, and a good
chunk of core@ to boot - not to imply that the three groups don't overlap,
of course.  You may find it worthwhile to read the original thread.

Andre Oppermann (andre) added a new sysctl, net.inet.ip.process_options,
that can be set to 0 to ignore IP options, 1 (the default) to process IP
options, or 2 to reject all packets with IP options.  Jacques Vidrine
(nectar) replied with a suggestion that the default could be set to reject
all packets with options.  Darren Reed (darrenr) responded, arguing that
the same functionality is provided by any of the three firewalls already
in the kernel.  Julian Elischer (julian) pointed out that a firewall couldn't
simulate setting 0, ignoring the existing IP options.  Sam Leffler (sam)
elaborated on the reasoning, explaining that packet filters have to
examine every packet, but the sysctl could be done with no extra overhead.
Darren argued that Sam's reasoning was the beginning of a slippery slope
towards building in lots of filtering-related kernel options.  Darren
also posted a more detailed opinion, suggesting that the sysctl was an
attempt to dodge expensive or untrusted processing rather than improving
the performance or security of it.  Pawel Jakub Dawidek (pjd) disagreed,
arguing that avoiding potentially unsafe processing is worth the simple
code change.

Luigi Rizzo (luigi) followed up, agreeing with Darren on the principle
that duplication of functionality should be avoided, but not wanting to
make a big fuss about this particular change.  Max Laier (mlaier) found
the duplication acceptable, but suggested a kernel option eliminating the
extra code.  Julian responded to Darren again, reiterating that he didn't
believe the functionality was exactly the same, since a firewall can't
ignore IP options.  Sam posted again, stating that requiring a packet
filter to be configured to get the functionality on every system that
might want it is overkill.  Darren pointed out that Microsoft, Apple, and
Sun are all working on firewall technology being included by default; he
stated that the real issue is that FreeBSD's packet filtering is difficult
for users to work with, especially in large environments.

Wes Peters (wes) responded, on unofficial behalf of core, to a footnote on
one of Darren's posts that said he would bring the issue to core if there
were an active one.  Wes said that core was active and was watching the
conversation, but that there was no clear consensus yet; he personally
could see both sides but had no objection to the feature.  M. Warner
Losh (imp) responded as well, explaining that core had not had much to
do lately since people were behaving so well.  Robert Watson (rwatson)
gave an interesting clarification, noting that the change wasn't made
for security's sake, but to allow the networking code to skip IP option
processing for high speed routing.  Using a packet filter would slow down
packet forwarding, whereas skipping IP option processing in-kernel speeds
it up by avoiding an uncommon code path.

http://www.freebsd.org/cgi/mid.cgi?200405061846.i46Ik3Jc060969
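As an added illustration of the three policy values (this is not code from
the commit or from FreeBSD's ip_input(); the function and verdict names and
the sample packets are constructed for this newsletter), the following
applies "ignore", "process" and "reject" to raw IPv4 headers.  The point it
makes concrete is the one pjd and rwatson raised: with the value 0 the
option bytes are never parsed at all, so a malformed option list costs
nothing and touches no code path; with 1 the kernel must walk
attacker-controlled TLVs; with 2 any options drop the packet outright.
Real option semantics (record route, source routing, timestamps) are
deliberately left out; only the list walk a "process" policy must do is
shown.

```c
/* Added example, not FreeBSD's ip_input() code: the three values of
 * net.inet.ip.process_options applied to a raw IPv4 header.  The names
 * (ip_input_policy, VERDICT_*, OPTS_*) and the packets are constructed for
 * this demonstration; the kernel's real option handling is not reproduced. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OPTS_IGNORE = 0, OPTS_PROCESS = 1, OPTS_REJECT = 2 }; /* sysctl values */
enum { VERDICT_DROP = 0, VERDICT_PASS = 1 };

#define IPOPT_EOL 0   /* RFC 791 single-byte options */
#define IPOPT_NOP 1

/* Walk a TLV option list as a "process" policy must; 1 = well-formed, 0 = malformed.
 * Every byte after the 20-byte fixed header is attacker-controlled. */
static int ip_options_wellformed(const uint8_t *opts, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL)
            return 1;                         /* rest of the area is padding */
        if (type == IPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)
            return 0;                         /* type byte with no length byte */
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen)
            return 0;                         /* bogus length / runs off the header */
        i += len;
    }
    return 1;
}

/* Decide what happens to one packet under the given policy. */
int ip_input_policy(const uint8_t *pkt, size_t pktlen, int policy)
{
    if (pktlen < 20 || (pkt[0] >> 4) != 4)
        return VERDICT_DROP;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > pktlen)
        return VERDICT_DROP;                  /* truncated header: dropped under any policy */
    size_t optlen = hlen - 20;
    if (optlen == 0)
        return VERDICT_PASS;                  /* no options: the policy is irrelevant */
    switch (policy) {
    case OPTS_IGNORE:                         /* 0: honour IHL, never look at the bytes */
        return VERDICT_PASS;
    case OPTS_REJECT:                         /* 2: any options at all -> drop */
        return VERDICT_DROP;
    case OPTS_PROCESS:                        /* 1: parse, drop if malformed */
        return ip_options_wellformed(pkt + 20, optlen) ? VERDICT_PASS : VERDICT_DROP;
    default:
        return VERDICT_DROP;
    }
}

/* Constructed packets (headers only; checksum fields left zero). */
const uint8_t pkt_plain[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };
/* IHL=7: NOP, then a Record Route option (type 7, len 7, pointer 4, one empty slot) */
const uint8_t pkt_rr[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x01, 0x07, 0x07, 0x04, 0x00, 0x00, 0x00, 0x00 };
/* IHL=6: option type 7 claiming length 1, which no TLV parser may accept */
const uint8_t pkt_bad[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x07, 0x01, 0x00, 0x00 };

int main(void)
{
    const char *name[] = { "ignore(0)", "process(1)", "reject(2)" };
    for (int p = 0; p <= 2; p++)
        printf("%-11s plain=%d rr=%d bad=%d\n", name[p],
               ip_input_policy(pkt_plain, sizeof pkt_plain, p),
               ip_input_policy(pkt_rr, sizeof pkt_rr, p),
               ip_input_policy(pkt_bad, sizeof pkt_bad, p));
    return 0;
}
```

Note that pkt_bad passes under policy 0 without its option bytes ever being
read, which is the "avoid untrusted processing" argument, and that a packet
filter doing the same job would have to parse the header of every packet
before reaching its own rules; that overhead is what rwatson's forwarding
remark refers to.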

=================
Committer changes
=================
David Schultz (das) introduced Stefan Farfeleder (stefan) as a new src
committer.  Stefan is a developer on the `TenDRA compiler project`_ and
will be working on C99 support and compiler portability issues, among
other things.

.. _`TenDRA compiler project`: http://www.tendra.org/

http://www.freebsd.org/cgi/mid.cgi?200405041657.i44GvP0F024592

Bosko Milekic (bmilekic) introduced Christian S. J. Peron (csjp) as a src
committer.  Christian will be working on general src things, including a
project related to Darwin's lookupd.  He also recently contributed the
code that allowed raw sockets inside jails.

http://www.freebsd.org/cgi/mid.cgi?200405042037.i44KbJ5Z079541

===================
Important bug fixes
===================
Kerberos authentication flaw fixed
----------------------------------
Jacques Vidrine (nectar) committed a fix to the Kerberos code in 5.2,
-STABLE, 4.10, 4.9, and 4.8 that eliminates a security hole.  Before
the fix, a rogue KDC with an established cross-realm relationship
could impersonate any KDC in the authentication path.  This problem is
documented in `FreeBSD-SA-04:08.heimdal`_.

.. _`FreeBSD-SA-04:08.heimdal`: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:08.heimdal.asc

http://www.freebsd.org/cgi/mid.cgi?200405051949.i45JnfZd024108

Kerberos buffer overflow fixed
------------------------------
Jacques Vidrine (nectar) committed a fix to the Kerberos code in
-STABLE, 4.10, 4.9 and 4.8 that eliminates a buffer overflow.  The
buffer overflow was in k5admind, and it was a problem only when k5admind
was built with Kerberos IV support.  This problem is documented in
`FreeBSD-SA-04:09.kadmind`_.

.. _`FreeBSD-SA-04:09.kadmind`: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:09.kadmind.asc

http://www.freebsd.org/cgi/mid.cgi?200405052017.i45KHpNi032252

===============
Other bug fixes
===============
John Polstra (jdp) MFC'ed an update to the bge driver for Broadcom Gigabit
Ethernet cards that makes them work much better when interrupts are
shared.  The update was also merged to 4.10.

http://www.freebsd.org/cgi/mid.cgi?200405032032.i43KWWkC025502

Peter Edwards (peadar) fixed a problem in fts(3), the libc routines used to
traverse a directory hierarchy.  The code was enabling an optimization
specific to UFS on all filesystems; this led to some filesystems (like
NTFS) being only partially traversed by the find command.

http://www.freebsd.org/cgi/mid.cgi?200405081509.i48F92Ha007544
Received on Mon May 10 2004 - 17:35:43 UTC