cvs-src summary for 18/04/04 - 26/04/04

Mark Johnston mjohnston at
Mon Apr 26 18:23:40 PDT 2004

Here's the first Monday summary - for those who didn't get the first post, 
I've switched to producing the summaries Monday evenings.

================================================
FreeBSD cvs-src summary for 18/04/04 to 26/04/04
================================================

This is a regular weekly summary of FreeBSD's cutting-edge development.
It is intended to help the FreeBSD community keep up with the fast-paced
work going on in FreeBSD-CURRENT by distilling the deluge of data from
the CVS mailing list into a (hopefully) easy-to-read newsletter.  This
newsletter is marked up in reStructuredText_, so any odd punctuation
that you see is likely intended for the reST parser.

.. _reStructuredText:

You can get old summaries, and an HTML version of this one, at  Please send any comments to Mark Johnston
(mark at

For Lukasz Dudek and Szymon Roczniak's Polish translations of these
summaries, which may lag the English ones slightly, please see

.. contents::

New features
============

TCP security and reliability improvements
-----------------------------------------

Mike Silbersack (silby) enhanced the generation of new TCP sequence
numbers for very fast (gigabit plus) networks, correcting a problem where
the second connection in a few milliseconds from the same host and port
could fail.  He also added OpenBSD's code for allocating temporary port
numbers randomly instead of sequentially, making attacks against TCP more
difficult.  This random allocation code can be turned off with the sysctl
net.inet.ip.portrange.randomized.  It has also been MFC'ed.

OpenSSH 3.8.1p1 imported
------------------------

Dag-Erling Smorgrav (des) imported OpenSSH 3.8.1p1, replacing the old
3.8p1.  3.8.1 fixes many minor bugs with the portable version of OpenSSH,
as well as a potential crash in PAM and the accidental clearing of the TZ
environment variable.  For details, please see the `release announcement`_
or `changelog`_.

.. _`release announcement`:
.. _`changelog`:

Asus ACPI extras driver added
-----------------------------

Philip Paeps (philip) added a driver called acpi_asus that provides
support for ACPI-controlled features like hotkeys and LCDs on Asus
laptops.  Philip is planning to track the similar acpi4asus_ Linux project
closely to keep this functionality up to date.

.. _acpi4asus:

ipfw versrcreach (verify source reachability) option added
----------------------------------------------------------

Andre Oppermann (andre) added an option to ipfw called versrcreach that
verifies that a valid route to the source of a packet exists in the
routing table.  The new option is used as follows::

    ipfw add 1000 deny ip from any to any not versrcreach

This is similar to the option "ip verify unicast source reachable-via
any" on Cisco routers.  Note that versrcreach ignores the default route,
so if you use it on machines that don't do BGP routing (like desktops or
servers), you will likely deny all traffic.  With this change, ipfw will
need to be recompiled.
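
Why a host with only a default route drops off-link traffic under this rule, as an added example (a simplified model in C, not ipfw's or FreeBSD's code). The ``route`` struct, both tables and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed route entry: network address and prefix length. */
struct route { uint32_t net; int plen; };

/* Desktop-style table: the connected LAN plus a default route. */
const struct route desktop_tbl[] = {
    { IP(192, 168, 1, 0), 24 }, { 0, 0 },
};

/* Router-style table: specific prefixes (as learned via BGP) plus default. */
const struct route router_tbl[] = {
    { IP(203, 0, 113, 0), 24 }, { IP(192, 0, 2, 0), 24 }, { 0, 0 },
};

static uint32_t mask_of(int plen) {
    return plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
}

/* Returns 1 if a non-default route covers src, else 0.  As the text
 * describes for versrcreach, the default route (0.0.0.0/0) never counts. */
int src_reachable(const struct route *tbl, size_t n, uint32_t src) {
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].plen == 0)
            continue;                       /* skip the default route */
        if ((src & mask_of(tbl[i].plen)) == tbl[i].net)
            return 1;
    }
    return 0;
}

int desktop_allows(uint32_t src) { return src_reachable(desktop_tbl, 2, src); }
int router_allows(uint32_t src)  { return src_reachable(router_tbl, 3, src); }

int main(void) {
    printf("desktop, off-link source: %d\n", desktop_allows(IP(203, 0, 113, 7)));
    printf("desktop, LAN source:      %d\n", desktop_allows(IP(192, 168, 1, 20)));
    printf("router, routed source:    %d\n", router_allows(IP(203, 0, 113, 7)));
    return 0;
}
```

On the desktop table every source outside the connected LAN fails the check even though a default route exists, which is the failure mode the paragraph above warns about.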

Raw socket support inside jails
-------------------------------

Bosko Milekic (bmilekic) committed a modified version of a patch by
Christian S. J. Peron that adds a sysctl, security.jail.allow_raw_sockets,
to control raw socket access inside jails.  When the sysctl is turned on,
ping and traceroute will work inside jails; however, jailed processes will
be able to spoof their IP address on outgoing packets.  Christian's patch was
submitted in `PR 65800`_.

.. _`PR 65800`:

Israel Hebrew locale added
--------------------------

Tim J. Robbins (tjr) added an Israel/Hebrew locale, named he_IL.UTF-8.  The
patch was submitted by Hye-Shik Chang in `PR 65826`_.

.. _`PR 65826`:

Per-interface polling control and vr polling MFC'ed
---------------------------------------------------

Ruslan Ermilov (ru) merged his per-interface polling support code to 4.x,
along with polling support for the vr (Via Rhine) interface.  Polling can
be controlled with the ifconfig option named "polling".  This code will
not be in 4.10.

Notable changes
===============

Change to callout ABI requires kernel module rebuild
----------------------------------------------------

Colin Percival (cperciva) removed binary compatibility for the
callout_stop function, which cancels a pending delayed function call.
Because of this change, you will need to recompile all your kernel modules
next time you rebuild your kernel.  The change is also documented in

Discussion topics
=================

BGP routing implementation under discussion
-------------------------------------------

Luigi Rizzo (luigi) made a number of readability fixes to the routing
code, adding comments and macros.  Darren Reed (darrenr) objected that
the changes were adding gratuitous differences, making it hard to compare
the FreeBSD code to other versions.  Colin Percival (cperciva) explained
that the changes were to make proper locking easier to add.  Darren asked
why the variable name changes and macros were needed to make locking
easier; Dag-Erling Smorgrav (des) and Max Laier (mlaier) both pointed out
that making the code easier to understand makes it easier to add locking.
Darren argued that the code is hard to read not because of the variable
names, but because of the complexity of the work it does, and suggested
that reading W. Richard Stevens's `TCP/IP Illustrated`_ would be more
helpful to understanding the code than the changes Luigi was making.
Brian Feldman (green) and Bruce M. Simpson (bms) both noted that Stevens's
book was significantly out of date vs. the current code.  Luigi explained
that the part he plans to work on is the undocumented one.

Luigi also mentioned that the current routing structure is big and slow,
and in need of optimization.  Darren noted that Cisco routers use 320
bytes per entry, also giving a link to `BGP reports`_.  Andre Oppermann
(andre) mentioned that he had designed a data representation for OpenBSD's
bgpd that uses 234 bytes per prefix with a few bytes for each extra path;
this is as good as or better than Cisco IOS; he also said that the kernel's
routing base could be made as small as 1 MB to fit in the CPU's cache.
Alexey Dokuchaev (danfe) asked why bgpd was imported into OpenBSD and not
FreeBSD; Andre said that the code works on FreeBSD and that a port was in
the works, but that he didn't think bgpd belonged in the base system.

.. _`BGP reports`:
.. _`TCP/IP Illustrated`:

Committer changes
=================

Marcel Moolenaar (marcel) noted that Marius is no longer under mentorship.

Important bug fixes
===================

TCP reset handling improved
---------------------------

Mike Silbersack (silby) modified the handling of TCP reset packets using
an idea from Darren Reed (darrenr).  The goal was to make the recently
announced `TCP reset attack`_ as difficult as possible while maintaining
compatibility with as many TCP stacks as possible.  The new code accepts
only reset packets that match the expected sequence number exactly on
established connections.  He also added a field to netstat that counts the
number of resets ignored under these rules.
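
The exact-match rule described above, contrasted with RFC 793's in-window acceptance, as an added example in C (not FreeBSD's TCP input code). The ``conn`` struct, the ``rst_ignored`` counter and the sample sequence numbers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Sequence-space comparisons that survive 32-bit wraparound. */
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)

struct conn {
    uint32_t rcv_nxt;           /* next sequence number expected from peer */
    uint32_t rcv_wnd;           /* receive window in bytes */
    unsigned long rst_ignored;  /* hypothetical counter, like the netstat field */
};

/* RFC 793 rule: a RST is valid anywhere inside the receive window. */
int rst_ok_window(const struct conn *c, uint32_t seq) {
    return SEQ_GEQ(seq, c->rcv_nxt) && SEQ_LT(seq, c->rcv_nxt + c->rcv_wnd);
}

/* Rule from the text: on an established connection only an exact match
 * resets the connection; anything else is counted and dropped. */
int rst_ok_exact(struct conn *c, uint32_t seq) {
    if (seq == c->rcv_nxt)
        return 1;
    c->rst_ignored++;
    return 0;
}

/* Constructed RST sequence numbers around rcv_nxt = 0xFFFFFFF0 with a
 * 65535-byte window: just below, exact, wrapped in-window, last in-window
 * byte, first byte past the window. */
const uint32_t sample_rsts[5] = {
    0xFFFFFFEFu, 0xFFFFFFF0u, 0x00000010u, 0x0000FFEEu, 0x0000FFEFu,
};

int count_accepted(struct conn *c, const uint32_t *seqs, int n, int exact) {
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += exact ? rst_ok_exact(c, seqs[i]) : rst_ok_window(c, seqs[i]);
    return ok;
}

int main(void) {
    struct conn c = { 0xFFFFFFF0u, 65535u, 0 };
    printf("in-window rule accepts %d of 5\n", count_accepted(&c, sample_rsts, 5, 0));
    printf("exact rule accepts     %d of 5\n", count_accepted(&c, sample_rsts, 5, 1));
    printf("resets ignored:        %lu\n", c.rst_ignored);
    return 0;
}
```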

.. _`TCP reset attack`:

Unintended read access to memory-resident files eliminated
----------------------------------------------------------

Alan Cox (alc) committed a patch to the mmap memory-mapped file handling
code to fix an issue where pages marked as PROT_NONE (inaccessible) could 
become readable.  This problem was discovered by Mark W. Krentel and 
submitted in `PR 64573`_.

.. _`PR 64573`:

Other bug fixes
===============

Darren Reed (darrenr) fixed a bug in the rc.d code that made ipmon exit
immediately when configured to start on bootup.
