usr.sbin: missing void to appease clang 15's -Wstrict-prototype.

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which mig

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

show more ...

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by A

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@

show more ...

One missing piece when I added pledge(2) to dhcpd(8) was in the code path when
it's invoked with either -A/-C/-L, which at the time I left alone due to some
forbidden ioctls by pledge(2).

Now we hav

One missing piece when I added pledge(2) to dhcpd(8) was in the code path when
it's invoked with either -A/-C/-L, which at the time I left alone due to some
forbidden ioctls by pledge(2).

Now we have unveil(2) and this path can be further restricted by using it
instead of chroot(2) since this "sandbox" (not sure why people call sandbox to
about everything these days) can be escaped with *at(2) calls.

Since no filesystem access is needed here then we can disable its access by
calling unveil("/", "") unveil(NULL, NULL).

added /* no filesystem visibility */ as per suggestion by and OK deraadt@

show more ...

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

show more ...

I noticed the "pf table handler" process not going away on dhcpd restart,
looked at the error handling here, and.... oh my.
If opening /dev/pf on startup fails, don't just warn and move on, but bail.

I noticed the "pf table handler" process not going away on dhcpd restart,
looked at the error handling here, and.... oh my.
If opening /dev/pf on startup fails, don't just warn and move on, but bail.
If chroot (or the chdir after) fail, don't just warn and move on, bail.
If dropping privileges fails, the last thing we want to do is to just move
on with root privs, having warned or not.
If the pipe to the parent process is closed, that almost certainly means
that the parent process went away, and it absolutely certainly means that
the table handler process has no meaningful reason to exist any more, thus
bail.
ok florian ccardenas krw

show more ...

Eliminate pointless'%m' (a.k.a. hand rolled strerror()) by using fatal() and
log_warn(). Zap a couple of explicit 'syslog()' calls.

Do the strerror() elimination dance with log_warnx() -> log_warn(),
fatalx() -> fatal() and even a couple of fprintf(stderr) -> log_warn().

Switch from old errwarn.c logging to shiny new log.[ch].

ok benno@

Replace bzero(3) with memset(3)

"Looks good" to deraadt@

Eliminate #include inside *.h files and include only needed headers in
each *.c file.

Inspired by mention of header silliness by Edgar Pettijohn and mmcc@
on tech@.

The pf table process should die if the pipe to the dhcpd process is
closed. e.g. dhcpd has been killed.

ok henning@

Include <netinet/in.h> before <net/pfvar.h>. In a future change when
ports is ready, <net/pfvar.h> will stop including a pile of balony.

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_N

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

show more ...

Scattering a few bcopy()'s around source using mostly memcpy() is just
asking for confusion. Replace bcopy()'s with memcpy()'s.

remove double word in comment;

Allow the various pf table actions to operate independently. For example,
"-L leased" wouldn't work without "-A abandoned".
testing help from merdely
"i like" deraadt

use the correct fd for poll. we're waiting on the pipe, not pf
ok ckuethe deraadt

indent

This diff allows dhcpd to put active leases into a pf table. Dhcpd will then
periodically - based on the length of the shortest lease time - walk across
all leases searching for expired leases which

This diff allows dhcpd to put active leases into a pf table. Dhcpd will then
periodically - based on the length of the shortest lease time - walk across
all leases searching for expired leases which are then removed from the pf
table.

ok henning

show more ...

Move the transmission of privsep messages into its own function. Wherever
we might have conditionally sent a message, we now just call the pfmsg()
function, and let it figure out whether the message

Move the transmission of privsep messages into its own function. Wherever
we might have conditionally sent a message, we now just call the pfmsg()
function, and let it figure out whether the message should be sent or not.

ok henning

show more ...

Avoid changing pf tables when table name is NULL
ok henning

Missing $OpenBSD$ tag. Spotted by Masao Uebayashi.
ok henning@

This diff makes dhcpd able to manipulate pf tables on certain lease events.

dhcpd is now able to place abandoned addresses into a table (to offer some
protection against machines camping on an addre

This diff makes dhcpd able to manipulate pf tables on certain lease events.

dhcpd is now able to place abandoned addresses into a table (to offer some
protection against machines camping on an address) and remove them from the
table if they are properly leased.

When dhcpd assigns an IP to a new hardware address, it can remove that
address from a table. This is for use with the overload table in pf; newly
arrived machines will not be punished for the actions of a machine that
went away.

beck@ and krw@ liked previous versions of this, henning@ final ok

show more ...