FreeBSD cvs-src summary for 03/05/04 - 10/05/04 ++++++++++++++++++++++++++++++++++++++++++++++++ This is a regular weekly summary of FreeBSD's cutting-edge development. It is intended to help the FreeBSD community keep up with the fast-paced work going on in FreeBSD-CURRENT by distilling the deluge of data from the CVS mailing list into a (hopefully) easy-to-read newsletter. This newsletter is marked up in reStructuredText_, so any odd punctuation that you see is likely intended for the reST parser. .. _reStructuredText: http://docutils.sourceforge.net/rst.html You can get old summaries, and an HTML version of this one, at http://www.xl0.org/FreeBSD/. Please send any comments to Mark Johnston (mark at xl0.org). For Lukasz Dudek and Szymon Roczniak's Polish translations of these summaries, which may lag the English ones slightly, please see http://mocart.pinco.pl/FreeBSD/. .. contents:: ============ New features ============ Support added for Cronyx Tau-PCI adapters ----------------------------------------- Roman Kurakin (rik) introduced support for Cronyx_ Tau-PCI_ WAN adapters. The Tau-PCI cards support E1, E3, RS-232, and RS-530 interfaces. The new driver is called "cp". .. _Cronyx: http://www.cronyx.ru/ .. _Tau-PCI: http://www.cronyx.ru/hardware/wan.html http://www.freebsd.org/cgi/mid.cgi?200405051611.i45GBjTC071299 Driver added for the ELCR register ---------------------------------- John Baldwin (jhb) added a mini-driver for the i386's ELCR (Edge/Level Control Register). This register was originally used to control EISA interrupts, but it is now used to control ISA interrupts too. The driver will be used by the atpic driver and the mptable parsing code to manage ISA IRQs. http://www.freebsd.org/cgi/mid.cgi?200405042007.i44K7kTf073264 Unwind Express (libuwx) upgraded to Beta 7 ------------------------------------------ Marcel Moolenaar (marcel) upgraded Unwind Express, a library used to generate stack traces under ia64, to beta 7. The new version has a number of bug fixes and introduces C++ support. http://www.freebsd.org/cgi/mid.cgi?200405090306.i4936P2J081306 =============== Notable changes =============== ACPI hw.acpi.force_sci_lo sysctl replaced ----------------------------------------- John Baldwin (jhb) removed the old ACPI hw.acpi.force_sci_lo tunable, replacing it with two new ones: hw.acpi.sci.trigger and hw.acpi.sci.polarity. To get the behavior of the old sysctl, set hw.acpi.sci.trigger to "level" and hw.acpi.sci.polarity to "low"; if you are having ACPI problems, especially with interrupt storms, playing with these tunables may correct them. http://www.freebsd.org/cgi/mid.cgi?200405042039.i44KdOfk079648 ================= Discussion topics ================= ACPI fixes and extending laptop battery life -------------------------------------------- Nate Lawson added a machine-independent implementation of the ACPI locking routines. Mike Silbersack (silby) followed up that either that change or John Baldwin (jhb)'s support for the ELCR register had gotten his laptop's wireless network working. Nate admitted that the ELCR changes were probably responsible. Mike posted an error with EmbeddedControl returning AE_NO_HARDWARE_RESPONSE that he has been getting since the changes, but then followed up that a BIOS update had fixed the problem. He also asked whether devd could be used to react to ACPI events like the lid being closed. Nate explained that the error was a harmless warning and confirmed that devd could be used for ACPI events. Mike got a script working to throttle down the CPU when he closes his laptop lid; he didn't expect much savings in battery life, though. Scott Long (scottl) suggested that turning down the display brightness gives the most significant battery life savings. M. Warner Losh (imp) agreed, adding that throttling the CPU from 8 down to 2 on his laptop gives him another hour of battery life. http://www.freebsd.org/cgi/mid.cgi?200405052004.i45K4EnF029671 IP-option-related controls in the kernel ---------------------------------------- This is a long one, but it has contributions from all the firewall maintainers, some brilliant security and networking gurus, and a good chunk of core_at_ to boot - not to imply that the three groups don't overlap, of course. You may find it worthwhile to read the original thread. Andre Oppermann (andre) added a new sysctl, net.inet.ip.process_options, that can be set to 0 to ignore IP options, 1 (the default) to process IP options, or 2 to reject all packets with IP options. Jacques Vidrine (nectar) replied with a suggestion that the default could be set to reject all packets with options. Darren Reed (darrenr) responded, arguing that the same functionality is provided by any of the 3 firewalls in the kernel already. Julian Elischer (julian) pointed out that a firewall couldn't simulate setting 0, ignoring the existing IP options. Sam Leffler (sam) elaborated on the reasoning, explaining that packet filters have to examine every packet, but the sysctl could be done with no extra overhead. Darren argued that Sam's reasoning was the beginning of a slippery slope towards building in lots of filtering-related kernel options. Darren also posted a more detailed opinion, suggesting that the sysctl was an attempt to dodge expensive or untrusted processing rather than improving the performance or security of it. Pawel Jakub Dawidek (pjd) disagreed, arguing that avoiding potentially unsafe processing is worth the simple code change. Luigi Rizzo (luigi) followed up, agreeing with Darren on the principle that duplication of functionality should be avoided, but not wanting to make a big fuss about this particular change. Max Laier (mlaier) found the duplication acceptable, but suggested a kernel option eliminating the extra code. Julian responded to Darren again, reiterating that he didn't believe the functionality was exactly the same, since a firewall can't ignore IP options. Sam posted again, stating that requiring a packet filter to be configured to get the functionality on every system that might want it is overkill. Darren pointed out that Microsoft, Apple, and Sun are all working on firewall technology being included by default; he stated that the real issue is that FreeBSD's packet filtering is difficult for users to work with, especially in large environments. Wes Peters (wes) responded, on unofficial behalf of core, to a footnote on one of Darren's posts that said he would bring the issue to core if there were an active one. Wes said that core was active and was watching the conversation, but that there was no clear consensus yet; he personally could see both sides but had no objection to the feature. M. Warner Losh (imp) responded as well, explaining that core had not had much to do lately since people were behaving so well. Robert Watson (rwatson) gave an interesting clarification, noting that the change wasn't made for security's sake, but to allow the networking code to skip IP option processing for high speed routing. Using a packet filter would slow down packet forwarding, whereas skipping IP option processing in-kernel speeds it up by avoiding an uncommon code path. http://www.freebsd.org/cgi/mid.cgi?200405061846.i46Ik3Jc060969 ================= Committer changes ================= David Schultz (das) introduced Stefan Farfeleder (stefan) as a new src committer. Stefan is a developer on the `TenDRA compiler project`_ and will be working on C99 support and compiler portability issues, among other things. .. _`TenDRA compiler project`: http://www.tendra.org/ http://www.freebsd.org/cgi/mid.cgi?200405041657.i44GvP0F024592 Bosko Milekic (bmilekic) introduced Christian S. J. Peron (csjp) as a src committer. Christian will be working on general src things, including a project related to Darwin's lookupd. He also recently contributed the code that allowed raw sockets inside jails. http://www.freebsd.org/cgi/mid.cgi?200405042037.i44KbJ5Z079541 =================== Important bug fixes =================== Kerberos authentication flaw fixed ---------------------------------- Jacques Vidrine (nectar) committed a fix to the Kerberos code in 5.2, -STABLE, 4.10, 4.9, and 4.8 that eliminates a security hole. Before the fix, a rogue KDC with an established cross-realm relationship could impersonate any KDC in the authentication path. This problem is documented in `FreeBSD-SA-04:08.heimdal`_. .. _`FreeBSD-SA-04:08.heimdal`: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:08.heimdal.asc http://www.freebsd.org/cgi/mid.cgi?200405051949.i45JnfZd024108 Kerberos buffer overflow fixed ------------------------------ Jacques Vidrine (nectar) committed a fix to the Kerberos code in -STABLE, 4.10, 4.9 and 4.8 that eliminates a buffer overflow. The buffer overflow was in k5admind, and it was a problem only when k5admind was built with Kerberos IV support. This problem is documented in `FreeBSD-SA-04:09.kadmind`_. .. _`FreeBSD-SA-04:09.kadmind`: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:09.kadmind.asc http://www.freebsd.org/cgi/mid.cgi?200405052017.i45KHpNi032252 =============== Other bug fixes =============== John Polstra (jdp) MFC'ed an update to the bge driver for Broadcom Gigabit Ethernet cards that makes them work much better when interrupts are shared. The update was also merged to 4.10. http://www.freebsd.org/cgi/mid.cgi?200405032032.i43KWWkC025502 Peter Edwards (peadar) fixed a problem in fts, a system call used to traverse a directory hierarchy. The code was enabling an optimization specific to UFS on all filesystems; this led to some filesystems (like NTFS) being only partially traversed by the find command. http://www.freebsd.org/cgi/mid.cgi?200405081509.i48F92Ha007544Received on Mon May 10 2004 - 17:35:43 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:53 UTC