| #
46f18ecf
|
| 12-Jul-2025 |
Mateusz Piotrowski <0mp@FreeBSD.org> |
rc: Use check_jail to check values of security.jail MIBs
PR: 282404
Reviewed by: markj, netchild
Approved by: markj (mentor)
MFC after: 2 weeks
Event: Berlin Hackathon 202507
Differential Revision: https://reviews.freebsd.org/D47329
|
| #
f99f0ee1
|
| 22-May-2024 |
Alexander Leidinger <netchild@FreeBSD.org> |
rc.d: add a service jails config to all base system services
This gives more permissions to services (e.g. network access to services which require this) when they are started as an automatic service jail.
The sshd patch is important for the sshd-related functionality as described in the man-page in the service jails part.
The location of the added env vars is supposed to allow overriding them in rc.conf, and to hard-disable the use of svcj for some parts where it doesn't make sense or will not work.
Only a subset of all of the services are fully tested (I have been running this for more than a year with various services started as service jails). The untested parts should be OK most of the time; in some edge cases more permissions are needed inside the service jail.
Differential Revision: https://reviews.freebsd.org/D40371
|
| #
d0b2dbfa
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| #
f55ef857
|
| 07-Jul-2023 |
Brooks Davis <brooks@FreeBSD.org> |
etc/rc.d/routing: use find_system_scripts
In 3693d9140e05aba9942232df13468f51a6cde136 /etc/rc switched to using find_system_scripts rather than directly including /etc/rc.d/* in the list of scripts to run in order to skip .pkgsave files. Follow suit in etc/rc.d/routing.
Sponsored by: DARPA
|
| #
f81be7a8
|
| 26-Jun-2023 |
Andrew Fengler <andrew.fengler@scaleengine.com> |
rc.d/routing: Correct setting default gateway for each FIB
There was a mistake in the previous commit: it used the incorrect spelling of the FIB variable name and was not functional.
Also corrects an issue with the IPv6 default route variable name.
Fixes: 30659d1dcbcc ("Add support for adding default routes for other FIBs")
Sponsored-by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D37685
|
| #
30659d1d
|
| 12-May-2021 |
Andrew Fengler <andrew.fengler@scaleengine.com> |
Add support for adding default routes for other FIBs
Make rc.d/routing read defaultrouter_fibN and ipv6_defaultrouter_fibN, and set it as the default gateway for FIB N, where N is from 1 to (net.fibs - 1). This allows adding gateways for multiple FIBs in the same format as the main gateway (FIB 0).
Reviewed by: olivier, rgrimes, bcr (man page)
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D22706
|
| #
7119cdc2
|
| 23-Mar-2020 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Make ICMP redirect processing depend on routing daemon.
Submitted by: lutz at donnerhacke.de
Reviewed by: melifaro,rgrimes
Differential Revision: https://reviews.freebsd.org/D23329
|
| #
0696600c
|
| 17-Oct-2018 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Move the rc framework out of sbin/init into libexec/rc.
The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with every package update because an rc script was touched. (a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement of the rc framework with alternatives, such as openrc.
Discussed with: brd (during BSDCam), kmoore
Requested by: cem, bz
PR: 231522
Approved by: re (gjb)
|
| #
1135e97b
|
| 28-Jul-2018 |
Brad Davis <brd@FreeBSD.org> |
Move rc startup scripts from etc/ to sbin/init/
This keeps most startup scripts as CONFS per discussion on src-committers from back during BSDCan.
Approved by: will (mentor)
Differential Revision: https://reviews.freebsd.org/D16466
|
| #
c32d0b56
|
| 03-May-2017 |
Nick Hibma <n_hibma@FreeBSD.org> |
Silence sysctl in startup scripts.
This makes 'stop' behave consistently with 'start' in the script. Also use $SYSCTL instead of sysctl for consistency within that script.
MFC after: 3 weeks
|
| #
b4e2ab78
|
| 25-Apr-2017 |
Brooks Davis <brooks@FreeBSD.org> |
Remove NATM configuration bits and assorted NATM and ATM remnants.
Reported by: ak
Reviewed by: ngie (first version)
Differential Revision: https://reviews.freebsd.org/D10497
|
| #
6761eb4b
|
| 02-Jun-2016 |
Alan Somers <asomers@FreeBSD.org> |
Fix exit status of "service routing start <af> <iface>"
etc/rc.d/routing
Ignore the exit status of options_{inet,inet6,atm}. It's meaningless.
Reviewed by: hrs
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D6687
|
| #
30da6877
|
| 27-May-2016 |
Alan Somers <asomers@FreeBSD.org> |
Always create loopback routes on every fib
Always create loopback routes on every fib, for both IPv4 and IPv6
etc/rc.d/routing
Create loopback IPv4 and IPv6 routes on every fib at boot. Revert 278302; now that all FIBs have IPv6 loopback routes, the "route add -reject" commands won't fail.
tests/etc/rc.d/routing_test.sh
Greatly simplify static_ipv6_loopback_route_for_each_fib. It was written under the assumption that loopback routes would be added to a given fib by the kernel as soon as an interface is configured on that fib. However, the logic can be much simpler now that we simply add loopback routes to all fibs at boot. This also removes the need to run the test as root, removes the restriction that net.add_addr_allfibs=0, and removes the need to configure fibs in kyua.conf.
Also, add a test case for IPv4 loopback routes
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D6582
|
| #
6c1a5e83
|
| 23-Apr-2016 |
Lars Engels <lme@FreeBSD.org> |
- Add descriptions to most of the rc scripts. Those are mostly taken from their daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".
Approved by: bapt, brueffer
Differential Revision: D452
|
| #
a23f83b9
|
| 06-Feb-2015 |
Rui Paulo <rpaulo@FreeBSD.org> |
Don't add static IPv6 routes to all FIBs when net.add_addr_allfibs is 0.
This avoids a bunch of boot time warnings when rc.d/routing runs.
MFC after: 1 week
|
| #
603eaf79
|
| 09-Nov-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Remove faith(4) and faithd(8) from base. It looks like industry have chosen different (and more traditional) stateless/stateful NAT64 as translation mechanism. Last non-trivial commits to both faith(4) and faithd(8) happened more than 12 years ago, so I assume it is time to drop RFC3142 in FreeBSD.
No objections from: net@
|
| #
348aae23
|
| 15-Sep-2014 |
Hiroki Sato <hrs@FreeBSD.org> |
Make net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, and net.inet.ip.process_options vnet-aware. Revert changes in r271545.
Suggested by: bz
|
| #
363a6872
|
| 13-Sep-2014 |
Hiroki Sato <hrs@FreeBSD.org> |
Do not set net.inet.ip.{sourceroute,accept_sourceroute} in a vnet jail. The following warnings were displayed:
sysctl: net.inet.ip.sourceroute=0: Operation not permitted
sysctl: net.inet.ip.accept_sourceroute=0: Operation not permitted
|
| #
69322f44
|
| 29-Aug-2014 |
Hiroki Sato <hrs@FreeBSD.org> |
Return false status only when adding a route fails. It could erroneously return false due to an afexists() check loop in routing_start().
|
| #
2c284d93
|
| 14-Mar-2014 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Remove IPX support.
IPX was a network transport protocol in Novell's NetWare network operating system from late 80s and then 90s. The NetWare itself switched to TCP/IP as default transport in 1998. Later, in this century the Novell Open Enterprise Server became successor of Novell NetWare. The last release that claimed to still support IPX was OES 2 in 2007. Routing equipment vendors (e.g. Cisco) discontinued support for IPX in 2011.
Thus, IPX won't be supported in FreeBSD 11.0-RELEASE.
|
| #
335c94e6
|
| 02-Sep-2013 |
Xin LI <delphij@FreeBSD.org> |
Create the default router last. This allows using a static interface route for default routes, which seems to be common among many dedicated hosting providers.
Reviewed by: hrs
MFC after: 2 weeks
|
| #
ed45ea12
|
| 09-Jun-2013 |
Hiroki Sato <hrs@FreeBSD.org> |
Add :ifname modifier to specify interface-specific routes into {,ipv6_}static_routes and rc.d/routing. For example:
static_routes="foo bar:em0"
route_foo="-net 10.0.0.0/24 -gateway 192.168.2.1"
route_bar="-net 192.168.1.0/24 -gateway 192.168.0.2"
At boot time, all of the static routes are installed as before. The differences are:
- "/etc/rc.d/netif start/stop <if>" now configures static routes with :<if> if any.
- "/etc/rc.d/routing start/stop <af> <if>" works as well. <af> cannot be omitted when <if> is specified, but a keyword "any" or "all" can be used for <af> and <if>.
|
| #
761d2bb5
|
| 19-May-2013 |
Jamie Gritton <jamie@FreeBSD.org> |
Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't apply to most jails but do apply to vnet jails. This includes adding a new sysctl "security.jail.vnet" to identify vnet jails.
PR: conf/149050
Submitted by: mdodd
MFC after: 3 days
|
| #
a2aa7473
|
| 18-Nov-2012 |
Hiroki Sato <hrs@FreeBSD.org> |
Fix condition to check if the maximum number of FIBs is greater than 0 or not.
Spotted by: zont
|
| #
73d473ae
|
| 17-Nov-2012 |
Hiroki Sato <hrs@FreeBSD.org> |
Use -fib N modifier to add/delete a route to/from multiple FIBs.
|