Any domain in the blacklist that starts with '.', which is not a legal
name due to an empty label, is treated as any subdomain on that zone.
This means that .example.com blocks all requests to any subdomain of
example.com, but allows example.com.
No objections: florian@ OK: kn@
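The matching rule described above, written out as a stand-alone C function. This is an added example, not the project's code: the zone-suffix test must insist on a label boundary, otherwise ".example.com" would also block "notexample.com". Comparing case-insensitively, ignoring a trailing root dot, and rejecting a bare "." entry are my choices rather than anything the message states; the sample list is constructed.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Length of a name without its trailing root dot ("example.com." -> 11). */
static size_t
name_len(const char *s)
{
	size_t n = strlen(s);

	if (n > 0 && s[n - 1] == '.')
		n--;
	return n;
}

/*
 * Does blacklist entry `entry` block `name`?
 *   ".example.com" blocks every name below example.com, never example.com
 *                  itself, and never lookalikes such as notexample.com;
 *   "example.com"  blocks exactly example.com and nothing below it.
 * Assumptions made here: comparison is case-insensitive, a trailing root
 * dot on either side is ignored, and an entry of just "." is rejected
 * instead of being allowed to block everything.
 */
bool
blacklist_match(const char *entry, const char *name)
{
	size_t elen = name_len(entry), nlen = name_len(name);

	if (entry[0] == '.') {
		size_t zlen;

		if (elen < 2)
			return false;	/* "." alone would block everything */
		zlen = elen - 1;	/* length of "example.com" in ".example.com" */
		if (nlen <= zlen || name[nlen - zlen - 1] != '.')
			return false;	/* the apex itself, or not a label boundary */
		return strncasecmp(name + nlen - zlen, entry + 1, zlen) == 0;
	}
	/* plain entry: exact match only, subdomains are allowed */
	return nlen == elen && strncasecmp(name, entry, nlen) == 0;
}

/* Index of the first entry that blocks `name`, or -1 if none does. */
int
blacklist_lookup(const char *const *list, size_t n, const char *name)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (blacklist_match(list[i], name))
			return (int)i;
	return -1;
}

/* Constructed sample list, not taken from any real configuration. */
static const char *const sample_list[] = {
	"ads.example.net",	/* exact host only */
	".tracker.example.org",	/* everything below tracker.example.org */
};

int
demo_lookup(const char *name)
{
	return blacklist_lookup(sample_list,
	    sizeof sample_list / sizeof sample_list[0], name);
}
```

With the sample list, "cdn.tracker.example.org" is blocked by the second entry while "tracker.example.org" itself and "www.ads.example.net" pass, which is the behaviour the message describes.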
reads odd to repeat, e.g. -F, when listing all its modifiers.
as a consequence, automatic tagging wouldn't work, e.g. no "zero"
tag would exist to jump to that -F modifier's definition.
also add manual tags for -R and -T as they get explained together with
-s and -t, respectively, where only the first flag gets tagged.
One needs to first check imsg_get() if there is an imsg already in
the queue. Then if that returns 0 call imsgbuf_read(). Do this in
a loop until imsg_get() returns an imsg.
OK tb@ and nicm@ for file
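The read loop above, as an added example rather than code from the message or from OpenBSD's imsg library: a small length-prefixed message buffer with its own made-up wire format (2-byte little-endian length, then payload; not imsg's), a get function that only ever consumes what is already buffered, and a read function that only ever appends. The demo feeds a pipe so that two complete frames plus half of a third land in one read(2), which is exactly the case where calling read before draining the queue would block with a complete message already in hand. All names and the sample frames are mine.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#define MSGQ_MAX 4096

/* Receive buffer over one fd. Wire format (made up for this example, not
 * imsg's): 2-byte little-endian payload length, then the payload.
 * reads counts read(2) calls so demo() can check when they happened. */
struct msgq { int fd; unsigned char buf[MSGQ_MAX]; size_t len; unsigned reads; };
struct msg { unsigned char data[MSGQ_MAX]; size_t len; };

/* Like imsg_get(): return 1 and fill *out if a complete frame is queued,
 * 0 otherwise. Never touches the fd, so it cannot block. */
int
msgq_get(struct msgq *q, struct msg *out)
{
	size_t plen;
	if (q->len < 2)
		return 0;
	plen = q->buf[0] | (q->buf[1] << 8);
	if (q->len < 2 + plen)
		return 0;	/* header seen, payload still incomplete */
	memcpy(out->data, q->buf + 2, plen);
	out->len = plen;
	memmove(q->buf, q->buf + 2 + plen, q->len - 2 - plen);
	q->len -= 2 + plen;
	return 1;
}

/* Like imsgbuf_read(): append whatever the fd has. Returns bytes read,
 * 0 on EOF, -1 on error with errno set. Blocks on a blocking fd. */
ssize_t
msgq_read(struct msgq *q)
{
	ssize_t n;
	if (q->len == MSGQ_MAX) { errno = ENOBUFS; return -1; }	/* never read(fd, p, 0): it looks like EOF */
	n = read(q->fd, q->buf + q->len, MSGQ_MAX - q->len);
	q->reads++;
	if (n > 0)
		q->len += (size_t)n;
	return n;
}

/* The loop from the message above: drain what is already queued before
 * reading again, or a read could block while a complete message sits in
 * the buffer. Returns 1 with a message, 0 on EOF, -1 on error (EAGAIN
 * included: hand back to the event loop instead of spinning). */
int
msgq_recv(struct msgq *q, struct msg *out)
{
	ssize_t n;
	for (;;) {
		if (msgq_get(q, out))
			return 1;
		if ((n = msgq_read(q)) == 0)
			return 0;
		if (n == -1 && errno != EINTR)
			return -1;
	}
}

static int
expect(struct msgq *q, const char *want)
{
	struct msg m;
	return msgq_recv(q, &m) == 1 && m.len == strlen(want) &&
	    memcmp(m.data, want, m.len) == 0;
}

/* Demo over a pipe with constructed input: "hi", "you" and half of "there"
 * arrive in one read(2), the rest of "there" later. Returns the total
 * number of read(2) calls (expected 3: burst, tail, EOF), or -1 if any
 * step misbehaves. */
int
demo(void)
{
	unsigned char wire[] = { 2,0,'h','i', 3,0,'y','o','u', 5,0,'t','h' };
	struct msgq q = { 0 };
	struct msg m;
	int p[2];
	if (pipe(p) == -1 || write(p[1], wire, sizeof wire) != (ssize_t)sizeof wire)
		return -1;
	q.fd = p[0];
	/* two complete frames out of one read; the partial "there" stays queued */
	if (!expect(&q, "hi") || !expect(&q, "you") || q.reads != 1 ||
	    msgq_get(&q, &m) != 0)
		return -1;
	if (write(p[1], "ere", 3) != 3)
		return -1;
	close(p[1]);
	if (!expect(&q, "there"))
		return -1;
	if (msgq_recv(&q, &m) != 0)	/* writer gone: EOF, not an error */
		return -1;
	close(p[0]);
	return (int)q.reads;
}
```

Call demo() from a main() of your own; it returns 3. The check inside it that q.reads is still 1 after the second message is the point of the ordering in the message: one read(2) can return several frames, and a read issued while a complete frame is still buffered would block (or return EAGAIN on a nonblocking fd) with data already in hand.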
this should let people specify interface and queue bandwidths greater
than ~4Gbit.
this changes the pf ioctls used to specify queues, so if you want
to try this you'll need a new kernel, new headers, and a new pfctl
(and systat). or upgrade using a snapshot. the effort and benefit
of providing compat isn't worth it.
putting it in now so people can kick it around.
This is meaningless in dhcpleased(8) and *not* needed to receive
leases for an interface. In fact dhcpleased(8) works just fine without
any configuration file at all.
man page diff & OK kn
Replace literal braces with .Brq, use a list and indent the interface options
under that interface entry to reflect hierarchy (rad.conf(5) does that, too).
Feedback from/fine with jmc
Our kernel supports 16 groups (NGROUPS_MAX), but nothing prevents
an admin from adding a user to more groups. With that tweak we'll keep
on ignoring them instead of potentially reading past the buffer passed to
getgrouplist(3). That behavior is explicitly described in initgroups(3).
ok millert@ gilles@
this is like the -t command line option on iked itself, but you get
to keep the ike listener on port 500 and you can enable this on
specific policies instead of all of them.
this is useful if you're dealing with an org that can't firewall
ESP traffic well and so you need to force the traffic to be udp
encapsulated even if there's no NAT involved.
ok markus@ tobhe@
Leave the notion of repetition to ... and mark up optional prefixes as such;
'name/prefix [name/prefix ...]' becomes 'name[/prefix] ...'.
Also sync with unwind.conf.5 to fix curly braces and indentation.
OK florian
Input OK jmc
Instead of closing the just received UDP socket we closed the imsg fd
thus cleanly shutting down dhcpleased(8).
Problem triggered by sf@ with something like
while :; do ifconfig vio0 -inet; done
while :; do ifconfig vio0 inet autoconf; done
The problem triggers when dhcpleased configured a lease and in just
the right moment the autoconf flag gets removed. The main process
opens a udp socket and sends it to the frontend. At the same time the
frontend learned (from the route socket), that the interface lost its
autoconf flag. When the frontend then receives the udp socket via fd
passing it tries to close it. Due to a typo it would instead close the
imsg file descriptor.
Found by me after lots of head scratching.
OK tb