aboutsummaryrefslogtreecommitdiff
path: root/libexec
diff options
context:
space:
mode:
Diffstat (limited to 'libexec')
-rw-r--r--libexec/Makefile6
-rw-r--r--libexec/blacklistd-helper/Makefile7
-rw-r--r--libexec/blocklistd-helper/Makefile10
-rw-r--r--libexec/blocklistd-helper/Makefile.depend (renamed from libexec/blacklistd-helper/Makefile.depend)0
-rw-r--r--libexec/blocklistd-helper/blacklistd-helper293
-rw-r--r--libexec/fingerd/Makefile8
-rw-r--r--libexec/fingerd/Makefile.depend.options2
-rw-r--r--libexec/fingerd/fingerd.c16
-rw-r--r--libexec/rc/rc.conf9
-rw-r--r--libexec/rc/rc.d/Makefile7
-rwxr-xr-xlibexec/rc/rc.d/blacklistd10
-rw-r--r--libexec/rc/rc.d/blocklistd46
-rwxr-xr-xlibexec/rc/rc.d/dmesg2
-rwxr-xr-xlibexec/rc/rc.d/hostapd9
-rw-r--r--libexec/rc/rc.d/virtual_oss4
15 files changed, 387 insertions, 42 deletions
diff --git a/libexec/Makefile b/libexec/Makefile
index e87b48b153a8..180dd10b5d29 100644
--- a/libexec/Makefile
+++ b/libexec/Makefile
@@ -4,7 +4,7 @@
SUBDIR= ${_atf} \
${_atrun} \
- ${_blacklistd-helper} \
+ ${_blocklistd-helper} \
${_comsat} \
${_dma} \
flua \
@@ -37,8 +37,8 @@ SUBDIR= ${_atf} \
_atrun= atrun
.endif
-.if ${MK_BLACKLIST} != "no"
-_blacklistd-helper+= blacklistd-helper
+.if ${MK_BLOCKLIST} != "no"
+_blocklistd-helper+= blocklistd-helper
.endif
.if ${MK_BOOTPD} != "no"
diff --git a/libexec/blacklistd-helper/Makefile b/libexec/blacklistd-helper/Makefile
deleted file mode 100644
index d32b69c278a8..000000000000
--- a/libexec/blacklistd-helper/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-BLOCKLIST_DIR=${SRCTOP}/contrib/blocklist
-
-PACKAGE= blocklist
-
-SCRIPTS= ${BLOCKLIST_DIR}/libexec/blacklistd-helper
-
-.include <bsd.prog.mk>
diff --git a/libexec/blocklistd-helper/Makefile b/libexec/blocklistd-helper/Makefile
new file mode 100644
index 000000000000..5c72b5155662
--- /dev/null
+++ b/libexec/blocklistd-helper/Makefile
@@ -0,0 +1,10 @@
+BLOCKLIST_DIR=${SRCTOP}/contrib/blocklist
+
+PACKAGE= blocklist
+
+SCRIPTS= ${BLOCKLIST_DIR}/libexec/blocklistd-helper
+
+# blacklist
+SCRIPTS+= blacklistd-helper
+
+.include <bsd.prog.mk>
diff --git a/libexec/blacklistd-helper/Makefile.depend b/libexec/blocklistd-helper/Makefile.depend
index 11aba52f82cf..11aba52f82cf 100644
--- a/libexec/blacklistd-helper/Makefile.depend
+++ b/libexec/blocklistd-helper/Makefile.depend
diff --git a/libexec/blocklistd-helper/blacklistd-helper b/libexec/blocklistd-helper/blacklistd-helper
new file mode 100644
index 000000000000..92f768e86cdf
--- /dev/null
+++ b/libexec/blocklistd-helper/blacklistd-helper
@@ -0,0 +1,293 @@
+#!/bin/sh
+#echo "run $@" 1>&2
+#set -x
+# $1 command
+# $2 rulename
+# $3 protocol
+# $4 address
+# $5 mask
+# $6 port
+# $7 id
+
+pf=
+if [ -f "/etc/ipfw-blacklist.rc" ]; then
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+ echo "@ WARNING: rename /etc/ipfw-blacklist.rc to @" >&2
+ echo "@ /etc/ipfw-blocklist.rc @" >&2
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+
+ pf="ipfw"
+ . /etc/ipfw-blacklist.rc
+ ipfw_offset=${ipfw_offset:-2000}
+fi
+
+if [ -z "$pf" ]; then
+ for f in npf pf ipfilter ipfw; do
+ if [ -x /etc/rc.d/$f ]; then
+ if /etc/rc.d/$f status >/dev/null 2>&1; then
+ pf="$f"
+ break
+ fi
+ elif [ -f "/etc/$f.conf" ]; then
+ # xxx assume a config file means it can be enabled --
+ # and the first one wins!
+ pf="$f"
+ break
+ fi
+ done
+fi
+
+if [ -z "$pf" -a -x "/sbin/iptables" ]; then
+ pf="iptables"
+fi
+
+if [ -z "$pf" ]; then
+ echo "$0: Unsupported packet filter" 1>&2
+ exit 1
+fi
+
+flags=
+if [ -n "$3" ]; then
+ raw_proto="$3"
+ proto="proto $3"
+ if [ $3 = "tcp" ]; then
+ flags="flags S/SAFR"
+ fi
+fi
+
+if [ -n "$6" ]; then
+ raw_port="$6"
+ port="port $6"
+fi
+
+addr="$4"
+mask="$5"
+case "$4" in
+::ffff:*.*.*.*)
+ if [ "$5" = 128 ]; then
+ mask=32
+ addr=${4#::ffff:}
+ fi;;
+esac
+
+if [ "$pf" = "pf" ]; then
+ for anchor in $(/sbin/pfctl -s Anchors 2> /dev/null); do
+ if [ "$anchor" = "blacklistd" ]; then
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+ echo "@ WARNING: rename the blacklist anchor to blocklist @" >&2
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+ fi
+ done
+fi
+
+if [ "$pf" = "ipfilter" ]; then
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+ echo "@ WARNING: blacklist has been renamed to blocklist @" >&2
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" >&2
+fi
+
+case "$1" in
+add)
+ case "$pf" in
+ ipfilter)
+ # N.B.: If you reload /etc/ipf.conf then you need to stop and
+ # restart blacklistd (and make sure blacklistd_flags="-r").
+ # This should normally already be implemented in
+ # /etc/rc.d/ipfilter, but if then not add the following lines to
+ # the end of the ipfilter_reload() function:
+ #
+ # if checkyesnox blacklistd; then
+ # /etc/rc.d/blacklistd restart
+ # fi
+ #
+ # XXX we assume the following rule is present in /etc/ipf.conf:
+ # (should we check? -- it probably cannot be added dynamically)
+ #
+ # block in proto tcp/udp from any to any head blacklistd
+ #
+ # where "blacklistd" is the default rulename (i.e. "$2")
+ #
+ # This rule can come before any rule that logs connections,
+ # etc., and should be followed by final rules such as:
+ #
+ # # log all as-yet unblocked incoming TCP connection
+ # # attempts
+ # log in proto tcp from any to any flags S/SAFR
+ # # last "pass" match wins for all non-blocked packets
+ # pass in all
+ # pass out all
+ #
+ # I.e. a "pass" rule which will be the final match and override
+ # the "block". This way the rules added by blacklistd will
+ # actually block packets, and prevent logging of them as
+ # connections, because they include the "quick" flag.
+ #
+ # N.b.: $port is not included/used in rules -- abusers are cut
+ # off completely from all services!
+ #
+ # Note RST packets are not returned for blocked SYN packets of
+ # active attacks, so the port will not appear to be closed.
+ # This will probably give away the fact that a firewall has been
+ # triggered to block connections, but it prevents generating
+ # extra outbound traffic, and it may also slow down the attacker
+ # somewhat.
+ #
+ # Note also that we don't block all packets, just new attempts
+ # to open connections (see $flags above). This allows us to do
+ # counterespionage against the attacker (or continue to make use
+ # of any other services that might be on the same subnet as the
+ # supposed attacker). However it does not kill any active
+ # connections -- we rely on the reporting daemon to do its own
+ # protection and cleanup.
+ #
+ # N.B.: The rule generated here must exactly match the
+ # corresponding rule generated for the "rem" command below!
+ #
+ echo block in log quick $proto \
+ from $addr/$mask to any $flags group $2 | \
+ /sbin/ipf -A -f - >/dev/null 2>&1 && echo OK
+ ;;
+
+ ipfw)
+ # use $ipfw_offset+$port for rule number
+ rule=$(($ipfw_offset + $6))
+ tname="port$6"
+ /sbin/ipfw table $tname create type addr 2>/dev/null
+ /sbin/ipfw -q table $tname add "$addr/$mask"
+ # if rule number $rule does not already exist, create it
+ /sbin/ipfw show $rule >/dev/null 2>&1 || \
+ /sbin/ipfw add $rule drop $3 from \
+ table"("$tname")" to any dst-port $6 >/dev/null && \
+ echo OK
+ ;;
+
+ iptables)
+ if ! /sbin/iptables --list "$2" >/dev/null 2>&1; then
+ /sbin/iptables --new-chain "$2"
+ fi
+ /sbin/iptables --append INPUT --proto "$raw_proto" \
+ --dport "$raw_port" --jump "$2"
+ /sbin/iptables --append "$2" --proto "$raw_proto" \
+ --source "$addr/$mask" --dport "$raw_port" --jump DROP
+ echo OK
+ ;;
+
+ npf)
+ /sbin/npfctl rule "$2" add block in final $proto from \
+ "$addr/$mask" to any $port
+ ;;
+
+ pf)
+ # if the filtering rule does not exist, create it
+ /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
+ grep -q "<port$6>" || \
+ echo "block in quick $proto from <port$6> to any $port" | \
+ /sbin/pfctl -a "$2/$6" -f -
+ # insert $ip/$mask into per-protocol/port anchored table
+ /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+ /sbin/pfctl -qk "$addr" && echo OK
+ ;;
+
+ esac
+ ;;
+rem)
+ case "$pf" in
+ ipfilter)
+ # N.B.: The rule generated here must exactly match the
+ # corresponding rule generated for the "add" command above!
+ #
+ echo block in log quick $proto \
+ from $addr/$mask to any $flags group $2 | \
+ /sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK
+ ;;
+
+ ipfw)
+ /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
+ echo OK
+ ;;
+
+ iptables)
+ if /sbin/iptables --list "$2" >/dev/null 2>&1; then
+ /sbin/iptables --delete "$2" --proto "$raw_proto" \
+ --source "$addr/$mask" --dport "$raw_port" \
+ --jump DROP
+ fi
+ echo OK
+ ;;
+
+ npf)
+ /sbin/npfctl rule "$2" rem-id "$7"
+ ;;
+
+ pf)
+ /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+ echo OK
+ ;;
+
+ esac
+ ;;
+flush)
+ case "$pf" in
+ ipfilter)
+ #
+ # N.B. WARNING: This is obviously not reentrant!
+ #
+ # First we flush all the rules from the inactive set, then we
+ # reload the ones that do not belong to the group "$2", and
+ # finally we swap the active and inactive rule sets.
+ #
+ /sbin/ipf -I -F a
+ #
+ # "ipf -I -F a" also flushes active accounting rules!
+ #
+ # Note that accounting rule groups are unique to accounting
+ # rules and have nothing to do with filter rules, though of
+ # course theoretically one could use the same group name for
+ # them too.
+ #
+ # In theory anyone using any such accounting rules should have a
+ # wrapper /etc/rc.conf.d/blacklistd script (and corresponding
+ # /etc/rc.conf.d/ipfilter script) that will record and
+ # consolidate the values accumulated by such accounting rules
+ # before they are flushed, since otherwise their counts will be
+ # lost forever.
+ #
+ /usr/sbin/ipfstat -io | fgrep -v "group $2" | \
+ /sbin/ipf -I -f - >/dev/null 2>&1
+ #
+ # This MUST be done last and separately as "-s" is executed
+ # _while_ the command arguments are being processed!
+ #
+ /sbin/ipf -s && echo OK
+ ;;
+
+ ipfw)
+ /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
+ ;;
+
+ iptables)
+ if /sbin/iptables --list "$2" >/dev/null 2>&1; then
+ /sbin/iptables --flush "$2"
+ fi
+ echo OK
+ ;;
+
+ npf)
+ /sbin/npfctl rule "$2" flush
+ ;;
+
+ pf)
+ # dynamically determine which anchors exist
+ for anchor in $(/sbin/pfctl -a "$2" -s Anchors 2> /dev/null); do
+ /sbin/pfctl -a "$anchor" -t "port${anchor##*/}" -T flush 2> /dev/null
+ /sbin/pfctl -a "$anchor" -F rules
+ done
+ echo OK
+ ;;
+ esac
+ ;;
+*)
+ echo "$0: Unknown command '$1'" 1>&2
+ exit 1
+ ;;
+esac
diff --git a/libexec/fingerd/Makefile b/libexec/fingerd/Makefile
index 296cb504bab1..e2fe412df8bc 100644
--- a/libexec/fingerd/Makefile
+++ b/libexec/fingerd/Makefile
@@ -7,10 +7,10 @@ MAN= fingerd.8
WARNS?= 2
WFORMAT=0
-.if ${MK_BLACKLIST_SUPPORT} != "no"
-CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blocklist/include
-LIBADD+= blacklist
-LDFLAGS+=-L${LIBBLACKLISTDIR}
+.if ${MK_BLOCKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLOCKLIST -I${SRCTOP}/contrib/blocklist/include
+LIBADD+= blocklist
+LDFLAGS+=-L${LIBBLOCKLISTDIR}
.endif
.include <bsd.prog.mk>
diff --git a/libexec/fingerd/Makefile.depend.options b/libexec/fingerd/Makefile.depend.options
index 5a94eff626dc..f68343adae89 100644
--- a/libexec/fingerd/Makefile.depend.options
+++ b/libexec/fingerd/Makefile.depend.options
@@ -1,5 +1,5 @@
# This file is not autogenerated - take care!
-DIRDEPS_OPTIONS= BLACKLIST_SUPPORT
+DIRDEPS_OPTIONS= BLOCKLIST_SUPPORT
.include <dirdeps-options.mk>
diff --git a/libexec/fingerd/fingerd.c b/libexec/fingerd/fingerd.c
index c30d5e5e0ef5..8b63aa338b0c 100644
--- a/libexec/fingerd/fingerd.c
+++ b/libexec/fingerd/fingerd.c
@@ -45,8 +45,8 @@
#include <stdlib.h>
#include <string.h>
#include "pathnames.h"
-#ifdef USE_BLACKLIST
-#include <blacklist.h>
+#ifdef USE_BLOCKLIST
+#include <blocklist.h>
#endif
void logerr(const char *, ...) __printflike(1, 2) __dead2;
@@ -144,8 +144,8 @@ main(int argc, char *argv[])
*ap = strtok(lp, " \t\r\n");
if (!*ap) {
if (secure && ap == &av[4]) {
-#ifdef USE_BLACKLIST
- blacklist(1, STDIN_FILENO, "nousername");
+#ifdef USE_BLOCKLIST
+ blocklist(1, STDIN_FILENO, "nousername");
#endif
puts("must provide username\r\n");
exit(1);
@@ -153,8 +153,8 @@ main(int argc, char *argv[])
break;
}
if (secure && strchr(*ap, '@')) {
-#ifdef USE_BLACKLIST
- blacklist(1, STDIN_FILENO, "noforwarding");
+#ifdef USE_BLOCKLIST
+ blocklist(1, STDIN_FILENO, "noforwarding");
#endif
puts("forwarding service denied\r\n");
exit(1);
@@ -194,8 +194,8 @@ main(int argc, char *argv[])
}
dup2(STDOUT_FILENO, STDERR_FILENO);
-#ifdef USE_BLACKLIST
- blacklist(0, STDIN_FILENO, "success");
+#ifdef USE_BLOCKLIST
+ blocklist(0, STDIN_FILENO, "success");
#endif
execv(prog, comp);
write(STDERR_FILENO, prog, strlen(prog));
diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index c776a815003c..ada9094360f6 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -24,7 +24,7 @@
: ${_localbase:="$(/sbin/sysctl -n user.localbase 2> /dev/null)"}
: ${_localbase:="/usr/local"}
-# rc_debug can't be set here without interferring with rc.subr's setting it
+# rc_debug can't be set here without interfering with rc.subr's setting it
# when the kenv variable rc.debug is set.
#rc_debug="NO" # Set to YES to enable debugging output from rc.d
rc_info="NO" # Enables display of informational messages at boot.
@@ -319,8 +319,10 @@ ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
local_unbound_enable="NO" # Local caching DNS resolver
local_unbound_oomprotect="YES" # Don't kill local_unbound when swap space is exhausted.
local_unbound_tls="NO" # Use DNS over TLS
-blacklistd_enable="NO" # Run blacklistd daemon (YES/NO).
-blacklistd_flags="" # Optional flags for blacklistd(8).
+blacklistd_enable="NO" # Renamed to blocklistd_enable.
+blacklistd_flags="" # Renamed to blocklistd_flags.
+blocklistd_enable="NO" # Run blocklistd daemon (YES/NO).
+blocklistd_flags="" # Optional flags for blocklistd(8).
resolv_enable="YES" # Enable resolv / resolvconf
#
@@ -705,6 +707,7 @@ osrelease_enable="YES" # Update /var/run/os-release on boot (or NO).
osrelease_file="/var/run/os-release" # File to update for os-release.
osrelease_perms="444" # Default permission for os-release file.
dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot
+dmesg_umask="022" # Default umask for /var/run/dmesg.boot file.
watchdogd_enable="NO" # Start the software watchdog daemon
watchdogd_flags="" # Flags to watchdogd (if enabled)
watchdogd_timeout="" # watchdogd timeout, overrides -t in watchdogd_flags
diff --git a/libexec/rc/rc.d/Makefile b/libexec/rc/rc.d/Makefile
index f6d1a34ceb9e..3b7f45e8f101 100644
--- a/libexec/rc/rc.d/Makefile
+++ b/libexec/rc/rc.d/Makefile
@@ -111,9 +111,10 @@ AUTOFS= automount \
automountd \
autounmountd
-CONFGROUPS.${MK_BLACKLIST}+= BLOCKLIST
+CONFGROUPS.${MK_BLOCKLIST}+= BLOCKLIST
BLOCKLISTPACKAGE= blocklist
-BLOCKLIST= blacklistd
+BLOCKLIST= blacklistd \
+ blocklistd
CONFGROUPS.${MK_BLUETOOTH}+= BLUETOOTH
BLUETOOTHPACKAGE= bluetooth
@@ -293,7 +294,7 @@ SSHPACKAGE= ssh
SSH= sshd
CONFGROUPS.${MK_UNBOUND}+= UNBOUND
-UNBOUNDPACKAGE= unbound
+UNBOUNDPACKAGE= local-unbound
UNBOUND= local_unbound
CONFGROUPS.${MK_VI}+= VI
diff --git a/libexec/rc/rc.d/blacklistd b/libexec/rc/rc.d/blacklistd
index 5248b0ea3580..9157e258f43f 100755
--- a/libexec/rc/rc.d/blacklistd
+++ b/libexec/rc/rc.d/blacklistd
@@ -34,13 +34,21 @@
. /etc/rc.subr
name="blacklistd"
-desc="System blacklist daemon"
+desc="The blacklist daemon has been renamed to blocklist"
rcvar="blacklistd_enable"
command="/usr/sbin/${name}"
required_files="/etc/blacklistd.conf"
+start_precmd="blacklistd_prestart"
# no svcj options needed
: ${blacklistd_svcj_options:=""}
+blacklistd_prestart()
+{
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+ echo "@ WARNING: blacklistd has been renamed to blocklistd @"
+ echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+}
+
load_rc_config $name
run_rc_command "$1"
diff --git a/libexec/rc/rc.d/blocklistd b/libexec/rc/rc.d/blocklistd
new file mode 100644
index 000000000000..24cbae77fd40
--- /dev/null
+++ b/libexec/rc/rc.d/blocklistd
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+#
+
+# PROVIDE: blocklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blocklistd"
+desc="System blocklist daemon"
+rcvar="blocklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blocklistd.conf"
+
+# no svcj options needed
+: ${blocklistd_svcj_options:=""}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/libexec/rc/rc.d/dmesg b/libexec/rc/rc.d/dmesg
index 51e35d5d4e80..736449f3b159 100755
--- a/libexec/rc/rc.d/dmesg
+++ b/libexec/rc/rc.d/dmesg
@@ -19,7 +19,7 @@ stop_cmd=":"
do_dmesg()
{
rm -f ${dmesg_file}
- ( umask 022 ; /sbin/dmesg $rc_flags > ${dmesg_file} )
+ ( umask "${dmesg_umask}" ; /sbin/dmesg $rc_flags > ${dmesg_file} )
}
load_rc_config $name
diff --git a/libexec/rc/rc.d/hostapd b/libexec/rc/rc.d/hostapd
index 264cb4ef476b..15b20c95c488 100755
--- a/libexec/rc/rc.d/hostapd
+++ b/libexec/rc/rc.d/hostapd
@@ -11,15 +11,6 @@
name="hostapd"
desc="Authenticator for IEEE 802.11 networks"
command=${hostapd_program}
-start_postcmd="hostapd_poststart"
-
-hostapd_poststart() {
- if [ -n "$ifn" ]; then
- ifconfig ${ifn} down
- sleep 2
- ifconfig ${ifn} up
- fi
-}
ifn="$2"
if [ -z "$ifn" ]; then
diff --git a/libexec/rc/rc.d/virtual_oss b/libexec/rc/rc.d/virtual_oss
index 4f5c34ce03f3..b9c830617385 100644
--- a/libexec/rc/rc.d/virtual_oss
+++ b/libexec/rc/rc.d/virtual_oss
@@ -1,8 +1,8 @@
#!/bin/sh
# PROVIDE: virtual_oss
-# REQUIRE: kld ldconfig
-# BEFORE: LOGIN sndiod
+# REQUIRE: NETWORKING kld ldconfig
+# BEFORE: LOGIN
# KEYWORD: shutdown
. /etc/rc.subr