Diffstat (limited to 'libexec')
-rw-r--r--libexec/Makefile6
-rw-r--r--libexec/blacklistd-helper/Makefile7
-rw-r--r--libexec/blocklistd-helper/Makefile10
-rw-r--r--libexec/blocklistd-helper/Makefile.depend (renamed from libexec/blacklistd-helper/Makefile.depend)0
-rw-r--r--libexec/blocklistd-helper/blacklistd-helper293
-rw-r--r--libexec/fingerd/Makefile8
-rw-r--r--libexec/fingerd/Makefile.depend.options2
-rw-r--r--libexec/fingerd/fingerd.c16
-rw-r--r--libexec/rc/rc.conf6
-rw-r--r--libexec/rc/rc.d/Makefile468
-rwxr-xr-xlibexec/rc/rc.d/blacklistd10
-rw-r--r--libexec/rc/rc.d/blocklistd46
-rw-r--r--libexec/rc/rc.d/virtual_oss4
-rwxr-xr-xlibexec/rc/rc.d/zpoolreguid2
-rwxr-xr-xlibexec/rc/rc.d/zpoolupgrade2
-rw-r--r--libexec/rc/tests/rc_subr_test.sh12
16 files changed, 600 insertions, 292 deletions
diff --git a/libexec/Makefile b/libexec/Makefile
index e87b48b153a8..180dd10b5d29 100644
--- a/libexec/Makefile
+++ b/libexec/Makefile
@@ -4,7 +4,7 @@
SUBDIR= ${_atf} \
${_atrun} \
- ${_blacklistd-helper} \
+ ${_blocklistd-helper} \
${_comsat} \
${_dma} \
flua \
@@ -37,8 +37,8 @@ SUBDIR= ${_atf} \
_atrun= atrun
.endif
-.if ${MK_BLACKLIST} != "no"
-_blacklistd-helper+= blacklistd-helper
+.if ${MK_BLOCKLIST} != "no"
+_blocklistd-helper+= blocklistd-helper
.endif
.if ${MK_BOOTPD} != "no"
diff --git a/libexec/blacklistd-helper/Makefile b/libexec/blacklistd-helper/Makefile
deleted file mode 100644
index d32b69c278a8..000000000000
--- a/libexec/blacklistd-helper/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-BLOCKLIST_DIR=${SRCTOP}/contrib/blocklist
-
-PACKAGE= blocklist
-
-SCRIPTS= ${BLOCKLIST_DIR}/libexec/blacklistd-helper
-
-.include <bsd.prog.mk>
diff --git a/libexec/blocklistd-helper/Makefile b/libexec/blocklistd-helper/Makefile
new file mode 100644
index 000000000000..5c72b5155662
--- /dev/null
+++ b/libexec/blocklistd-helper/Makefile
@@ -0,0 +1,10 @@
+BLOCKLIST_DIR=${SRCTOP}/contrib/blocklist
+
+PACKAGE= blocklist
+
+SCRIPTS= ${BLOCKLIST_DIR}/libexec/blocklistd-helper
+
+# blacklist
+SCRIPTS+= blacklistd-helper
+
+.include <bsd.prog.mk>
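Review bot: `SCRIPTS+= blacklistd-helper` installs a second, full copy of the firewall-manipulation logic (the 293-line file added alongside this Makefile) rather than a compatibility shim, so any future fix to the contrib blocklistd-helper will have to be replicated by hand into the blacklistd-helper copy or the two will silently diverge. If the argument protocol of the two helpers is the same, as the header comments of the new file suggest, the compatibility file can be reduced to a wrapper: `#!/bin/sh`, `echo "$0: blacklistd-helper is deprecated, use blocklistd-helper" >&2`, `exec /usr/libexec/blocklistd-helper "$@"`. A comment above the `SCRIPTS+=` line stating that the extra script exists only for the old blacklistd daemon, and when it is expected to be removed, would also help.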
diff --git a/libexec/blacklistd-helper/Makefile.depend b/libexec/blocklistd-helper/Makefile.depend
index 11aba52f82cf..11aba52f82cf 100644
--- a/libexec/blacklistd-helper/Makefile.depend
+++ b/libexec/blocklistd-helper/Makefile.depend
diff --git a/libexec/blocklistd-helper/blacklistd-helper b/libexec/blocklistd-helper/blacklistd-helper
new file mode 100644
index 000000000000..92f768e86cdf
--- /dev/null
+++ b/libexec/blocklistd-helper/blacklistd-helper
@@ -0,0 +1,293 @@
+#!/bin/sh
+#echo "run $@" 1>&2
+#set -x
+# $1 command
+# $2 rulename
+# $3 protocol
+# $4 address
+# $5 mask
+# $6 port
+# $7 id
+
+pf=
+if [ -f "/etc/ipfw-blacklist.rc" ]; then
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+ echo "@ WARNING: rename /etc/ipfw-blacklist.rc to @" >&2
+ echo "@ /etc/ipfw-blocklist.rc @" >&2
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+
+ pf="ipfw"
+ . /etc/ipfw-blacklist.rc
+ ipfw_offset=${ipfw_offset:-2000}
+fi
+
+if [ -z "$pf" ]; then
+ for f in npf pf ipfilter ipfw; do
+ if [ -x /etc/rc.d/$f ]; then
+ if /etc/rc.d/$f status >/dev/null 2>&1; then
+ pf="$f"
+ break
+ fi
+ elif [ -f "/etc/$f.conf" ]; then
+ # xxx assume a config file means it can be enabled --
+ # and the first one wins!
+ pf="$f"
+ break
+ fi
+ done
+fi
+
+if [ -z "$pf" -a -x "/sbin/iptables" ]; then
+ pf="iptables"
+fi
+
+if [ -z "$pf" ]; then
+ echo "$0: Unsupported packet filter" 1>&2
+ exit 1
+fi
+
+flags=
+if [ -n "$3" ]; then
+ raw_proto="$3"
+ proto="proto $3"
+ if [ $3 = "tcp" ]; then
+ flags="flags S/SAFR"
+ fi
+fi
+
+if [ -n "$6" ]; then
+ raw_port="$6"
+ port="port $6"
+fi
+
+addr="$4"
+mask="$5"
+case "$4" in
+::ffff:*.*.*.*)
+ if [ "$5" = 128 ]; then
+ mask=32
+ addr=${4#::ffff:}
+ fi;;
+esac
+
+if [ "$pf" = "pf" ]; then
+ for anchor in $(/sbin/pfctl -s Anchors 2> /dev/null); do
+ if [ "$anchor" = "blacklistd" ]; then
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+ echo "@ WARNING: rename the blacklist anchor to blocklist @" >&2
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+ fi
+ done
+fi
+
+if [ "$pf" = "ipfilter" ]; then
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+ echo "@ WARNING: blacklist has been renamed to blocklist @" >&2
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+fi
+
+case "$1" in
+add)
+ case "$pf" in
+ ipfilter)
+ # N.B.: If you reload /etc/ipf.conf then you need to stop and
+ # restart blacklistd (and make sure blacklistd_flags="-r").
+ # This should normally already be implemented in
+ # /etc/rc.d/ipfilter, but if then not add the following lines to
+ # the end of the ipfilter_reload() function:
+ #
+ # if checkyesnox blacklistd; then
+ # /etc/rc.d/blacklistd restart
+ # fi
+ #
+ # XXX we assume the following rule is present in /etc/ipf.conf:
+ # (should we check? -- it probably cannot be added dynamically)
+ #
+ # block in proto tcp/udp from any to any head blacklistd
+ #
+ # where "blacklistd" is the default rulename (i.e. "$2")
+ #
+ # This rule can come before any rule that logs connections,
+ # etc., and should be followed by final rules such as:
+ #
+ # # log all as-yet unblocked incoming TCP connection
+ # # attempts
+ # log in proto tcp from any to any flags S/SAFR
+ # # last "pass" match wins for all non-blocked packets
+ # pass in all
+ # pass out all
+ #
+ # I.e. a "pass" rule which will be the final match and override
+ # the "block". This way the rules added by blacklistd will
+ # actually block packets, and prevent logging of them as
+ # connections, because they include the "quick" flag.
+ #
+ # N.b.: $port is not included/used in rules -- abusers are cut
+ # off completely from all services!
+ #
+ # Note RST packets are not returned for blocked SYN packets of
+ # active attacks, so the port will not appear to be closed.
+ # This will probably give away the fact that a firewall has been
+ # triggered to block connections, but it prevents generating
+ # extra outbound traffic, and it may also slow down the attacker
+ # somewhat.
+ #
+ # Note also that we don't block all packets, just new attempts
+ # to open connections (see $flags above). This allows us to do
+ # counterespionage against the attacker (or continue to make use
+ # of any other services that might be on the same subnet as the
+ # supposed attacker). However it does not kill any active
+ # connections -- we rely on the reporting daemon to do its own
+ # protection and cleanup.
+ #
+ # N.B.: The rule generated here must exactly match the
+ # corresponding rule generated for the "rem" command below!
+ #
+ echo block in log quick $proto \
+ from $addr/$mask to any $flags group $2 | \
+ /sbin/ipf -A -f - >/dev/null 2>&1 && echo OK
+ ;;
+
+ ipfw)
+ # use $ipfw_offset+$port for rule number
+ rule=$(($ipfw_offset + $6))
+ tname="port$6"
+ /sbin/ipfw table $tname create type addr 2>/dev/null
+ /sbin/ipfw -q table $tname add "$addr/$mask"
+ # if rule number $rule does not already exist, create it
+ /sbin/ipfw show $rule >/dev/null 2>&1 || \
+ /sbin/ipfw add $rule drop $3 from \
+ table"("$tname")" to any dst-port $6 >/dev/null && \
+ echo OK
+ ;;
+
+ iptables)
+ if ! /sbin/iptables --list "$2" >/dev/null 2>&1; then
+ /sbin/iptables --new-chain "$2"
+ fi
+ /sbin/iptables --append INPUT --proto "$raw_proto" \
+ --dport "$raw_port" --jump "$2"
+ /sbin/iptables --append "$2" --proto "$raw_proto" \
+ --source "$addr/$mask" --dport "$raw_port" --jump DROP
+ echo OK
+ ;;
+
+ npf)
+ /sbin/npfctl rule "$2" add block in final $proto from \
+ "$addr/$mask" to any $port
+ ;;
+
+ pf)
+ # if the filtering rule does not exist, create it
+ /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
+ grep -q "<port$6>" || \
+ echo "block in quick $proto from <port$6> to any $port" | \
+ /sbin/pfctl -a "$2/$6" -f -
+ # insert $ip/$mask into per-protocol/port anchored table
+ /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+ /sbin/pfctl -qk "$addr" && echo OK
+ ;;
+
+ esac
+ ;;
+rem)
+ case "$pf" in
+ ipfilter)
+ # N.B.: The rule generated here must exactly match the
+ # corresponding rule generated for the "add" command above!
+ #
+ echo block in log quick $proto \
+ from $addr/$mask to any $flags group $2 | \
+ /sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK
+ ;;
+
+ ipfw)
+ /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
+ echo OK
+ ;;
+
+ iptables)
+ if /sbin/iptables --list "$2" >/dev/null 2>&1; then
+ /sbin/iptables --delete "$2" --proto "$raw_proto" \
+ --source "$addr/$mask" --dport "$raw_port" \
+ --jump DROP
+ fi
+ echo OK
+ ;;
+
+ npf)
+ /sbin/npfctl rule "$2" rem-id "$7"
+ ;;
+
+ pf)
+ /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+ echo OK
+ ;;
+
+ esac
+ ;;
+flush)
+ case "$pf" in
+ ipfilter)
+ #
+ # N.B. WARNING: This is obviously not reentrant!
+ #
+ # First we flush all the rules from the inactive set, then we
+ # reload the ones that do not belong to the group "$2", and
+ # finally we swap the active and inactive rule sets.
+ #
+ /sbin/ipf -I -F a
+ #
+ # "ipf -I -F a" also flushes active accounting rules!
+ #
+ # Note that accounting rule groups are unique to accounting
+ # rules and have nothing to do with filter rules, though of
+ # course theoretically one could use the same group name for
+ # them too.
+ #
+ # In theory anyone using any such accounting rules should have a
+ # wrapper /etc/rc.conf.d/blacklistd script (and corresponding
+ # /etc/rc.conf.d/ipfilter script) that will record and
+ # consolidate the values accumulated by such accounting rules
+ # before they are flushed, since otherwise their counts will be
+ # lost forever.
+ #
+ /usr/sbin/ipfstat -io | fgrep -v "group $2" | \
+ /sbin/ipf -I -f - >/dev/null 2>&1
+ #
+ # This MUST be done last and separately as "-s" is executed
+ # _while_ the command arguments are being processed!
+ #
+ /sbin/ipf -s && echo OK
+ ;;
+
+ ipfw)
+ /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
+ ;;
+
+ iptables)
+ if /sbin/iptables --list "$2" >/dev/null 2>&1; then
+ /sbin/iptables --flush "$2"
+ fi
+ echo OK
+ ;;
+
+ npf)
+ /sbin/npfctl rule "$2" flush
+ ;;
+
+ pf)
+ # dynamically determine which anchors exist
+ for anchor in $(/sbin/pfctl -a "$2" -s Anchors 2> /dev/null); do
+ /sbin/pfctl -a "$anchor" -t "port${anchor##*/}" -T flush 2> /dev/null
+ /sbin/pfctl -a "$anchor" -F rules
+ done
+ echo OK
+ ;;
+ esac
+ ;;
+*)
+ echo "$0: Unknown command '$1'" 1>&2
+ exit 1
+ ;;
+esac
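Review bot: The iptables branches of add, rem and flush print `OK` unconditionally (the bare `echo OK` after the iptables calls), whereas the pf, ipfw and ipfilter branches only emit `OK` when the firewall command succeeded, so a failed iptables invocation is reported to the daemon as a successful block; the add branch should read `--source "$addr/$mask" --dport "$raw_port" --jump DROP && \` followed by `echo OK`, and the rem/flush branches likewise. In the same add branch, the `--append INPUT ... --jump "$2"` rule is added on every call, so each blocked address appends another identical INPUT jump rule; guarding it with `iptables --check INPUT ... --jump "$2" 2>/dev/null ||` before the append would keep the chain from growing unbounded. The ipfw branch computes `rule=$(($ipfw_offset + $6))`, which is a shell syntax error when `$6` is empty even though the script treats `$6` as optional above; a default such as `${6:-0}` or an explicit error for a missing port would be safer.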
diff --git a/libexec/fingerd/Makefile b/libexec/fingerd/Makefile
index 296cb504bab1..e2fe412df8bc 100644
--- a/libexec/fingerd/Makefile
+++ b/libexec/fingerd/Makefile
@@ -7,10 +7,10 @@ MAN= fingerd.8
WARNS?= 2
WFORMAT=0
-.if ${MK_BLACKLIST_SUPPORT} != "no"
-CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blocklist/include
-LIBADD+= blacklist
-LDFLAGS+=-L${LIBBLACKLISTDIR}
+.if ${MK_BLOCKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLOCKLIST -I${SRCTOP}/contrib/blocklist/include
+LIBADD+= blocklist
+LDFLAGS+=-L${LIBBLOCKLISTDIR}
.endif
.include <bsd.prog.mk>
diff --git a/libexec/fingerd/Makefile.depend.options b/libexec/fingerd/Makefile.depend.options
index 5a94eff626dc..f68343adae89 100644
--- a/libexec/fingerd/Makefile.depend.options
+++ b/libexec/fingerd/Makefile.depend.options
@@ -1,5 +1,5 @@
# This file is not autogenerated - take care!
-DIRDEPS_OPTIONS= BLACKLIST_SUPPORT
+DIRDEPS_OPTIONS= BLOCKLIST_SUPPORT
.include <dirdeps-options.mk>
diff --git a/libexec/fingerd/fingerd.c b/libexec/fingerd/fingerd.c
index c30d5e5e0ef5..8b63aa338b0c 100644
--- a/libexec/fingerd/fingerd.c
+++ b/libexec/fingerd/fingerd.c
@@ -45,8 +45,8 @@
#include <stdlib.h>
#include <string.h>
#include "pathnames.h"
-#ifdef USE_BLACKLIST
-#include <blacklist.h>
+#ifdef USE_BLOCKLIST
+#include <blocklist.h>
#endif
void logerr(const char *, ...) __printflike(1, 2) __dead2;
@@ -144,8 +144,8 @@ main(int argc, char *argv[])
*ap = strtok(lp, " \t\r\n");
if (!*ap) {
if (secure && ap == &av[4]) {
-#ifdef USE_BLACKLIST
- blacklist(1, STDIN_FILENO, "nousername");
+#ifdef USE_BLOCKLIST
+ blocklist(1, STDIN_FILENO, "nousername");
#endif
puts("must provide username\r\n");
exit(1);
@@ -153,8 +153,8 @@ main(int argc, char *argv[])
break;
}
if (secure && strchr(*ap, '@')) {
-#ifdef USE_BLACKLIST
- blacklist(1, STDIN_FILENO, "noforwarding");
+#ifdef USE_BLOCKLIST
+ blocklist(1, STDIN_FILENO, "noforwarding");
#endif
puts("forwarding service denied\r\n");
exit(1);
@@ -194,8 +194,8 @@ main(int argc, char *argv[])
}
dup2(STDOUT_FILENO, STDERR_FILENO);
-#ifdef USE_BLACKLIST
- blacklist(0, STDIN_FILENO, "success");
+#ifdef USE_BLOCKLIST
+ blocklist(0, STDIN_FILENO, "success");
#endif
execv(prog, comp);
write(STDERR_FILENO, prog, strlen(prog));
diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index c776a815003c..b7cce777c4f6 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -319,8 +319,10 @@ ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
local_unbound_enable="NO" # Local caching DNS resolver
local_unbound_oomprotect="YES" # Don't kill local_unbound when swap space is exhausted.
local_unbound_tls="NO" # Use DNS over TLS
-blacklistd_enable="NO" # Run blacklistd daemon (YES/NO).
-blacklistd_flags="" # Optional flags for blacklistd(8).
+blacklistd_enable="NO" # Renamed to blocklistd_enable.
+blacklistd_flags="" # Renamed to blocklistd_flags.
+blocklistd_enable="NO" # Run blocklistd daemon (YES/NO).
+blocklistd_flags="" # Optional flags for blocklistd(8).
resolv_enable="YES" # Enable resolv / resolvconf
#
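Review bot: The comment "Renamed to blocklistd_enable." understates what the old knob still does: the rc.d/blacklistd script in this same change keeps `rcvar="blacklistd_enable"` and still starts `/usr/sbin/blacklistd`, so an administrator who sets both knobs to YES will presumably get both daemons running. Rewording the deprecated entries to `blacklistd_enable="NO" # Deprecated, use blocklistd_enable; still starts blacklistd if YES.` (and the equivalent for `blacklistd_flags`) makes the migration step explicit.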
diff --git a/libexec/rc/rc.d/Makefile b/libexec/rc/rc.d/Makefile
index 03f0933533ca..3b7f45e8f101 100644
--- a/libexec/rc/rc.d/Makefile
+++ b/libexec/rc/rc.d/Makefile
@@ -4,6 +4,7 @@ CONFDIR= /etc/rc.d
CONFGROUPS= CONFS
CONFSPACKAGE= rc
+# Files which are always installed and go in the -rc package.
CONFS= DAEMON \
FILESYSTEMS \
LOGIN \
@@ -47,8 +48,6 @@ CONFS= DAEMON \
netoptions \
netwait \
noshutdown \
- ${_nscd} \
- ${_opensm} \
os-release \
pwcheck \
quota \
@@ -77,218 +76,259 @@ CONFS= DAEMON \
var_run \
watchdogd
-CONFGROUPS+= DEVD
-DEVD= devd
-DEVDPACKAGE= devd
-
-CONFGROUPS+= DEVMATCH
-DEVMATCH= devmatch
-DEVMATCHPACKAGE= devmatch
-
-CONFGROUPS+= DHCLIENT
-DHCLIENT= dhclient
-DHCLIENTPACKAGE= dhclient
-
-CONFGROUPS+= GEOM
-GEOM= geli \
- geli2 \
- gptboot
-GEOMPACKAGE= geom
-
-CONFGROUPS+= GGATED
-GGATED= ggated
-GGATEDPACKAGE= ggate
-
-CONFGROUPS+= RESOLVCONF
-RESOLVCONF= resolv
-RESOLVCONFPACKAGE= resolvconf
-
-CONFGROUPS+= CRON
-CRON+= cron
-CRONPACKAGE= cron
-
-CONFGROUPS+= CTL
-CTL= ctld
-CTLPACKAGE= ctl
-
-CONFGROUPS+= NFS
-NFS= lockd \
- mountd \
- nfscbd \
- nfsclient \
- nfsd \
- nfsuserd \
- statd
-NFSPACKAGE= nfs
-
-CONFGROUPS+= NEWSYSLOG
-NEWSYSLOG= newsyslog
-NEWSYSLOGPACKAGE= newsyslog
-
-CONFGROUPS+= POWERD
-POWERD= powerd
-POWERDPACKAGE= powerd
-
-CONFGROUPS+= PPPOED
-PPPOED= pppoed
-PPPOEDPACKAGE= ppp
-
-CONFGROUPS+= SYSLOGD
-SYSLOGD= syslogd
-SYSLOGDPACKAGE= syslogd
-
-CONFGROUPS+= RCMDS
-RCMDS= rwho
-RCMDSPACKAGE= rcmds
+# Groups for files which don't go in -rc, or which depend on src.conf knobs.
.if ${MK_ACCT} != "no" || ${MK_UTMPX} != "no"
-CONFGROUPS+= ACCT
-ACCTPACKAGE= acct
+CONFGROUPS+= ACCT
+ACCTPACKAGE= acct
.if ${MK_ACCT} != "no"
-ACCT+= accounting
+ACCT= accounting
.endif
.if ${MK_UTMPX} != "no"
ACCT+= utx
.endif
.endif
-.if ${MK_ACPI} != "no"
-CONFGROUPS+= ACPI
+CONFGROUPS.${MK_ACPI}+= ACPI
+ACPIPACKAGE= acpi
ACPI= power_profile
-ACPIPACKAGE= acpi
-.endif
-.if ${MK_APM} != "no"
-CONFGROUPS+= APM
-APM+= apm
+CONFGROUPS.${MK_APM}+= APM
+APMPACKAGE= apm
+APM= apm
.if ${MACHINE} == "i386"
APM+= apmd
.endif
-APMPACKAGE= apm
-.endif
-.if ${MK_AUDIT} != "no"
-CONFGROUPS+= AUDIT
-AUDIT+= auditd
-AUDIT+= auditdistd
-AUDITPACKAGE= audit
-.endif
+CONFGROUPS.${MK_AUDIT}+= AUDIT
+AUDITPACKAGE= audit
+AUDIT= auditd \
+ auditdistd
-.if ${MK_AUTOFS} != "no"
-CONFGROUPS+= AUTOFS
+CONFGROUPS.${MK_AUTOFS}+= AUTOFS
+AUTOFSPACKAGE= autofs
AUTOFS= automount \
automountd \
autounmountd
-AUTOFSPACKAGE= autofs
-.endif
-.if ${MK_BLACKLIST} != "no"
-CONFGROUPS+= BLOCKLIST
-BLOCKLIST= blacklistd
-BLOCKLISTPACKAGE=blocklist
-.endif
+CONFGROUPS.${MK_BLOCKLIST}+= BLOCKLIST
+BLOCKLISTPACKAGE= blocklist
+BLOCKLIST= blacklistd \
+ blocklistd
-.if ${MK_BLUETOOTH} != "no"
-CONFGROUPS+= BLUETOOTH
-BLUETOOTH+= bluetooth \
+CONFGROUPS.${MK_BLUETOOTH}+= BLUETOOTH
+BLUETOOTHPACKAGE= bluetooth
+BLUETOOTH= bluetooth \
bthidd \
hcsecd \
rfcomm_pppd_server \
sdpd \
ubthidhci
-BLUETOOTHPACKAGE= bluetooth
-.endif
-.if ${MK_BOOTPARAMD} != "no"
-CONFS+= bootparams
-.endif
+CONFGROUPS.${MK_BOOTPARAMD}+= BOOTPARAMD
+BOOTPARAMD= bootparams
-.if ${MK_BSNMP} != "no"
-CONFGROUPS+= BSNMP
-BSNMP+= bsnmpd
-BSNMPPACKAGE= bsnmp
-.endif
+CONFGROUPS.${MK_BSNMP}+= BSNMP
+BSNMPPACKAGE= bsnmp
+BSNMP= bsnmpd
-.if ${MK_CCD} != "no"
-CONFGROUPS+= CCD
+CONFGROUPS.${MK_CCD}+= CCD
+CCDPACKAGE= ccdconfig
CCD= ccd
-CCDPACKAGE= ccdconfig
-.endif
-.if ${MK_CUSE} != "no"
-CONFGROUPS+= VOSS
-VOSS= virtual_oss
-VOSSPACKAGE= sound
-.endif
+CONFGROUPS+= DEVD
+DEVDPACKAGE= devd
+DEVD= devd
+
+CONFGROUPS+= DEVMATCH
+DEVMATCHPACKAGE= devmatch
+DEVMATCH= devmatch
+
+CONFGROUPS+= DHCLIENT
+DHCLIENTPACKAGE= dhclient
+DHCLIENT= dhclient
+
+CONFGROUPS+= CRON
+CRONPACKAGE= cron
+CRON= cron
-.if ${MK_KERBEROS_SUPPORT} != "no"
-CONFGROUPS+= GSSD
+CONFGROUPS+= CTL
+CTLPACKAGE= ctl
+CTL= ctld
+
+CONFGROUPS+= GEOM
+GEOMPACKAGE= geom
+GEOM= geli \
+ geli2 \
+ gptboot
+
+CONFGROUPS+= GGATED
+GGATEDPACKAGE= ggate
+GGATED= ggated
+
+CONFGROUPS.${MK_KERBEROS_SUPPORT}+=GSSD
+GSSDPACKAGE= gssd
GSSD= gssd
-GSSDPACKAGE= gssd
-.endif
-.if ${MK_HAST} != "no"
-CONFGROUPS+= HAST
+CONFGROUPS.${MK_HAST}+= HAST
+HASTPACKAGE= hast
HAST= hastd
-HASTPACKAGE= hast
-.endif
-.if ${MK_INETD} != "no"
-CONFGROUPS+= INETD
+CONFGROUPS.${MK_INETD}+= INETD
+INETDPACKAGE= inetd
INETD= inetd
-INETDPACKAGE= inetd
-.endif
-.if ${MK_IPFILTER} != "no"
-CONFGROUPS+= IPF
+CONFGROUPS.${MK_IPFILTER}+= IPF
+IPFPACKAGE= ipf
IPF= ipfilter \
ipfs \
ipmon \
ipnat \
ippool
-IPFPACKAGE= ipf
-.endif
-.if ${MK_IPFW} != "no"
-CONFGROUPS+= IPFW
-IPFW= ipfw dnctl
+CONFGROUPS.${MK_IPFW}+= IPFW
+IPFWPACKAGE= ipfw
+IPFW= ipfw \
+ dnctl
.if ${MK_NETGRAPH} != "no"
IPFW+= ipfw_netflow
.endif
-IPFWPACKAGE= ipfw
-# natd is only built when ipfw is built
-CONFGROUPS+= NATD
-NATD+= natd
-NATDPACKAGE= natd
-.endif
-
-.if ${MK_ISCSI} != "no"
-CONFGROUPS+= ISCSI
+CONFGROUPS.${MK_ISCSI}+= ISCSI
+ISCSIPACKAGE= iscsi
ISCSI= iscsictl \
iscsid
-ISCSIPACKAGE= iscsi
-.endif
-.if ${MK_JAIL} != "no"
-CONFGROUPS+= JAIL
-JAIL+= jail
-JAILPACKAGE= jail
-.endif
+# natd is only built when ipfw is built
+CONFGROUPS.${MK_IPFW}+= NATD
+NATDPACKAGE= natd
+NATD= natd
+
+CONFGROUPS.${MK_JAIL}+= JAIL
+JAILPACKAGE= jail
+JAIL= jail
+
+CONFGROUPS.${MK_LPR}+= LP
+LPPACKAGE= lp
+LP= lpd
+
+CONFGROUPS+= NEWSYSLOG
+NEWSYSLOGPACKAGE= newsyslog
+NEWSYSLOG= newsyslog
+
+CONFGROUPS+= NFS
+NFSPACKAGE= nfs
+NFS= lockd \
+ mountd \
+ nfscbd \
+ nfsclient \
+ nfsd \
+ nfsuserd \
+ statd
+
+CONFGROUPS.${MK_NIS}+= NIS
+NISPACKAGE= yp
+NIS= ypbind \
+ ypldap \
+ yppasswdd \
+ ypserv \
+ ypset \
+ ypupdated \
+ ypxfrd \
+ nisdomain
-.if ${MK_LEGACY_CONSOLE} != "no"
-CONFGROUPS+= CONSOLE
-CONSOLE+= moused
-CONSOLE+= msconvd
-CONSOLE+= syscons
-CONSOLEPACKAGE= console-tools
-.endif
+CONFGROUPS.${MK_NS_CACHING}+= NSCD
+NSCD= nscd
-.if ${MK_LPR} != "no"
-CONFGROUPS+= LP
-LP+= lpd
-LPPACKAGE= lp
-.endif
+CONFGROUPS.${MK_NTP}+= NTP
+NTPPACKAGE= ntp
+NTP= ntpd \
+ ntpdate
+
+CONFGROUPS.${MK_NUAGEINIT}+= NUAGEINIT
+NUAGEINITPACKAGE= nuageinit
+NUAGEINIT= nuageinit \
+ nuageinit_post_net \
+ nuageinit_user_data_script
+
+CONFGROUPS.${MK_OFED_EXTRA}+= OPENSM
+OPENSM= opensm
+
+CONFGROUPS.${MK_PF}+= PF
+PFPACKAGE= pf
+PF= pf \
+ pflog \
+ pfsync \
+ ftp-proxy
+
+CONFGROUPS+= POWERD
+POWERDPACKAGE= powerd
+POWERD= powerd
+
+CONFGROUPS.${MK_PPP}+= PPP
+PPPPACKAGE= ppp
+PPP= ppp
+
+CONFGROUPS+= PPPOED
+PPPOEDPACKAGE= ppp
+PPPOED= pppoed
+
+CONFGROUPS+= SYSLOGD
+SYSLOGDPACKAGE= syslogd
+SYSLOGD= syslogd
+
+CONFGROUPS+= RCMDS
+RCMDSPACKAGE= rcmds
+RCMDS= rwho
+
+CONFGROUPS+= RESOLVCONF
+RESOLVCONFPACKAGE= resolvconf
+RESOLVCONF= resolv
+
+CONFGROUPS.${MK_SENDMAIL}+= SENDMAIL
+SENDMAILPACKAGE= sendmail
+SENDMAIL= sendmail
+
+CONFGROUPS.${MK_OPENSSH}+= SSH
+SSHPACKAGE= ssh
+SSH= sshd
+
+CONFGROUPS.${MK_UNBOUND}+= UNBOUND
+UNBOUNDPACKAGE= local-unbound
+UNBOUND= local_unbound
+
+CONFGROUPS.${MK_VI}+= VI
+VIPACKAGE= vi
+VI= virecover
+
+CONFGROUPS.${MK_CUSE}+= VOSS
+VOSSPACKAGE= sound
+VOSS= virtual_oss
+
+CONFGROUPS.${MK_WIRELESS}+= HOSTAPD
+HOSTAPDPACKAGE= hostapd
+HOSTAPD= hostapd
+
+CONFGROUPS.${MK_WIRELESS}+= WPA
+WPAPACKAGE= wpa
+WPA= wpa_supplicant
+
+CONFGROUPS.${MK_ZFS}+= ZFS
+ZFSPACKAGE= zfs
+ZFS= zfs \
+ zfsbe \
+ zfsd \
+ zfskeys \
+ zpool \
+ zpoolreguid \
+ zpoolupgrade \
+ zvol
+
+CONFGROUPS.${MK_LEGACY_CONSOLE}+=SYSCONS
+SYSCONSPACKAGE= console-tools
+SYSCONS= moused \
+ msconvd \
+ syscons
.if ${MK_KERBEROS} != "no"
.if ${MK_MITKRB5} == "no"
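Review bot: `UNBOUNDPACKAGE= local-unbound` is a package name change relative to the removed `UNBOUNDPACKAGE= unbound`, hidden inside what otherwise reads as a reorganisation of the group definitions; if it is intentional it should match the PACKAGE used by the unbound build directory (not visible here) and be called out, otherwise the old value should be kept so the rc script does not move between packages. The groups added without a `PACKAGE` line (BOOTPARAMD, NSCD, OPENSM, and KTLS in the following hunk) rely on the `${fg}PACKAGE?= rc` default introduced in the last hunk, which matches where those files were previously installed via CONFS; a short comment such as `# no PACKAGE line: installed in -rc, as before` next to them would make that deliberate rather than an omission. The group renames (YP to NIS, SMRCD to SENDMAIL, CONSOLE to SYSCONS) keep their package names, which is fine, but the new `CONFGROUPS.${MK_*}` idiom only works if every MK_ knob expands to exactly `yes` or `no`; a one-line comment stating that assumption above the first use would help the next reader.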
@@ -318,58 +358,10 @@ KRB5PACKAGE= kerberos-kdc
.endif # ${MK_MITKRB5}
.endif # ${MK_KERBEROS}
-.if ${MK_NIS} != "no"
-CONFGROUPS+= YP
-YP= ypbind \
- ypldap \
- yppasswdd \
- ypserv \
- ypset \
- ypupdated \
- ypxfrd \
- nisdomain
-YPPACKAGE= yp
-.endif
-
-.if ${MK_NS_CACHING} != "no"
-_nscd= nscd
-.endif
-
-.if ${MK_NTP} != "no"
-CONFGROUPS+= NTP
-NTP+= ntpd \
- ntpdate
-NTPPACKAGE= ntp
-.endif
-
-.if ${MK_OFED_EXTRA} != "no"
-_opensm= opensm
-.endif
-
.if ${MK_OPENSSL} != "no" && ${MK_OPENSSL_KTLS} != "no"
-CONFS+= tlsclntd \
- tlsservd
-.endif
-
-.if ${MK_OPENSSH} != "no"
-CONFGROUPS+= SSH
-SSH= sshd
-SSHPACKAGE= ssh
-.endif
-
-.if ${MK_PF} != "no"
-CONFGROUPS+= PF
-PF= pf \
- pflog \
- pfsync \
- ftp-proxy
-PFPACKAGE= pf
-.endif
-
-.if ${MK_PPP} != "no"
-CONFGROUPS+= PPP
-PPP= ppp
-PPPPACKAGE= ppp
+CONFGROUPS+= KTLS
+KTLS= tlsclntd \
+ tlsservd
.endif
.if ${MK_INET6} != "no" || ${MK_ROUTED} != "no"
@@ -384,57 +376,9 @@ RIP+= routed
.endif
.endif
-.if ${MK_SENDMAIL} != "no"
-CONFGROUPS+= SMRCD
-SMRCD= sendmail
-SMRCDPACKAGE= sendmail
-.endif
-
-.if ${MK_NUAGEINIT} != "no"
-CONFGROUPS+= NIUAGEINIT
-NIUAGEINIT= nuageinit \
- nuageinit_post_net \
- nuageinit_user_data_script
-NIUAGEINITPACKAGE= nuageinit
-.endif
-
-.if ${MK_UNBOUND} != "no"
-CONFGROUPS+= UNBOUND
-UNBOUND+= local_unbound
-UNBOUNDPACKAGE= unbound
-.endif
-
-.if ${MK_VI} != "no"
-CONFGROUPS+= VI
-VI+= virecover
-VIPACKAGE= vi
-.endif
-
-.if ${MK_WIRELESS} != "no"
-CONFGROUPS+= HOSTAPD
-HOSTAPD= hostapd
-HOSTAPDPACKAGE= hostapd
-
-CONFGROUPS+= WPA
-WPA= wpa_supplicant
-WPAPACKAGE= wpa
-.endif
-
-.if ${MK_ZFS} != "no"
-CONFGROUPS+= ZFS
-ZFS+= zfs
-ZFS+= zfsbe
-ZFS+= zfsd
-ZFS+= zfskeys
-ZFS+= zpool
-ZFS+= zpoolreguid
-ZFS+= zpoolupgrade
-ZFS+= zvol
-ZFSPACKAGE= zfs
-.endif
-
-.for fg in ${CONFGROUPS}
+.for fg in ${CONFGROUPS} ${CONFGROUPS.yes}
${fg}MODE?= ${BINMODE}
+${fg}PACKAGE?= rc
.endfor
.include <bsd.prog.mk>
diff --git a/libexec/rc/rc.d/blacklistd b/libexec/rc/rc.d/blacklistd
index 5248b0ea3580..9157e258f43f 100755
--- a/libexec/rc/rc.d/blacklistd
+++ b/libexec/rc/rc.d/blacklistd
@@ -34,13 +34,21 @@
. /etc/rc.subr
name="blacklistd"
-desc="System blacklist daemon"
+desc="The blacklist daemon has been renamed to blocklist"
rcvar="blacklistd_enable"
command="/usr/sbin/${name}"
required_files="/etc/blacklistd.conf"
+start_precmd="blacklistd_prestart"
# no svcj options needed
: ${blacklistd_svcj_options:=""}
+blacklistd_prestart()
+{
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+ echo "@ WARNING: blacklistd has been renamed to blocklistd @"
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+}
+
load_rc_config $name
run_rc_command "$1"
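Review bot: The new prestart banner goes to stdout via plain `echo`, so on a headless or remotely administered host that boots without a console it leaves no trace, and the message does not tell the administrator what to change. rc.subr's `warn` writes to stderr and to syslog, so `blacklistd_prestart()` could be reduced to `warn "blacklistd has been renamed to blocklistd; set blocklistd_enable and use /etc/blocklistd.conf instead"`. Note that the function still returns success and the old daemon still starts, which is presumably intended for the deprecation period but is worth stating in the script's comment.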
diff --git a/libexec/rc/rc.d/blocklistd b/libexec/rc/rc.d/blocklistd
new file mode 100644
index 000000000000..24cbae77fd40
--- /dev/null
+++ b/libexec/rc/rc.d/blocklistd
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#
+
+# PROVIDE: blocklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blocklistd"
+desc="System blocklist daemon"
+rcvar="blocklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blocklistd.conf"
+
+# no svcj options needed
+: ${blocklistd_svcj_options:=""}
+
+load_rc_config $name
+run_rc_command "$1"
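Review bot: `# REQUIRE: netif pf` orders blocklistd only after pf, yet the helper script added in this same change drives ipfw and ipfilter as well, so on those systems the daemon may start before its firewall is configured and early block requests would be lost; this dependency line is presumably carried over from the blacklistd script (not visible here). If listing ipfw/ipfilter is avoided because rcorder would warn about unmet requirements when they are not installed (which would now also fail the new `no_cycles` test, which demands an empty stderr), a comment explaining that trade-off, `# Only pf is listed: requiring optional firewalls makes rcorder warn when they are absent`, would save the next reader from re-deriving it.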
diff --git a/libexec/rc/rc.d/virtual_oss b/libexec/rc/rc.d/virtual_oss
index 4f5c34ce03f3..b9c830617385 100644
--- a/libexec/rc/rc.d/virtual_oss
+++ b/libexec/rc/rc.d/virtual_oss
@@ -1,8 +1,8 @@
#!/bin/sh
# PROVIDE: virtual_oss
-# REQUIRE: kld ldconfig
-# BEFORE: LOGIN sndiod
+# REQUIRE: NETWORKING kld ldconfig
+# BEFORE: LOGIN
# KEYWORD: shutdown
. /etc/rc.subr
diff --git a/libexec/rc/rc.d/zpoolreguid b/libexec/rc/rc.d/zpoolreguid
index f94630d9283f..c19f52d3d702 100755
--- a/libexec/rc/rc.d/zpoolreguid
+++ b/libexec/rc/rc.d/zpoolreguid
@@ -2,7 +2,7 @@
# PROVIDE: zpoolreguid
# REQUIRE: zpool
-# BEFORE: mountcritlocal
+# BEFORE: FILESYSTEMS
# KEYWORD: firstboot nojail
. /etc/rc.subr
diff --git a/libexec/rc/rc.d/zpoolupgrade b/libexec/rc/rc.d/zpoolupgrade
index 1435cba7199c..5e623a9c2bf0 100755
--- a/libexec/rc/rc.d/zpoolupgrade
+++ b/libexec/rc/rc.d/zpoolupgrade
@@ -2,7 +2,7 @@
# PROVIDE: zpoolupgrade
# REQUIRE: zpool
-# BEFORE: mountcritlocal
+# BEFORE: FILESYSTEMS
# KEYWORD: firstboot nojail
. /etc/rc.subr
diff --git a/libexec/rc/tests/rc_subr_test.sh b/libexec/rc/tests/rc_subr_test.sh
index fe6d3b8264c9..9ddd13b61a7c 100644
--- a/libexec/rc/tests/rc_subr_test.sh
+++ b/libexec/rc/tests/rc_subr_test.sh
@@ -26,6 +26,17 @@
# SUCH DAMAGE.
#
+atf_test_case no_cycles
+no_cycles_head()
+{
+ atf_set "descr" "Verify that /etc/rc.d/* contains no cycles"
+}
+
+no_cycles_body()
+{
+ atf_check -e empty -o ignore rcorder /etc/rc.d/*
+}
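Review bot: The test description says it checks for cycles, but `atf_check -e empty` fails on anything rcorder prints to stderr, which also covers unmet REQUIRE lines and other ordering diagnostics; the description should match, e.g. `atf_set "descr" "Verify that rcorder accepts /etc/rc.d/* without cycles or unmet requirements"`. It also inspects the host's installed `/etc/rc.d` rather than the source tree, so a locally added or stale script on the test machine can fail it independently of the code under test; a comment noting that the test assumes a clean base-system `/etc/rc.d` would make that expectation explicit.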
+
atf_test_case oomprotect_all
oomprotect_all_head()
{
@@ -130,6 +141,7 @@ EOF
atf_init_test_cases()
{
+ atf_add_test_case no_cycles
atf_add_test_case oomprotect_all
atf_add_test_case oomprotect_yes
atf_add_test_case wait_for_pids_progress