KNF, pass lint.

Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry. RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros. Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default. Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.

drop support for rsh/rlogin relaying.
use of .rhosts authentication should be discouraged with relaying service.
sync w/kame

pull latest faithd from kame. /etc/faithd.conf allows you to filter by prefix.
manpage cleanups.

add faithd, IPv6-to-IPv4 tcp relay translator.
utilizes pseudo-device "faith".

fix a typo

s/netbsd.org/NetBSD.org/i

drop support for rsh/rlogin relaying.
use of .rhosts authentication should be discouraged with relaying service.
sync w/kame

fix tyop

sync document with latest kame. now uses 3ffe:501:ffff::/48 in example.

Update ifconfig example to show that the interface has to be created.

correct usage of route(8) in example.

branches: 1.6.2;
sync with latest kame code. a bug with malloc() size (that can lead to
SEGV) is corrected.

branches: 1.5.2;
fix pathname for netbsd-current (/usr/local/v6/libexec -> /usr/libexec).

wording fix.

sync with latest KAME. nuke use of ss_{len,family}.
CVsA: ----------------------------------------------------------------------

branches: 1.2.4;
typo and wording fixes. sync'ed with latest KAME.

add faithd, IPv6-to-IPv4 tcp relay translator.
utilizes pseudo-device "faith".

Use Lk macro when dealing with URLs. While here update or remove some
dead URL links. Another part of PR/29238.

branches: 1.28.6;
Use .%U for URLs instead of .%O.

Various language fixes.
From FreeBSD.

Bump date for previous.

Renumber 6bone addresses to documentation prefix.
Fix broken URL for totd site.
Add reference to pkgsrc/net/totd.

Fix markup.

branches: 1.23.40;
Consistently use 'RFC 1234' instead of 'RFC1234' or 'RFC-1234'.
From jmc@openbsd.

Remove superfluous Ns.

Ic Ar -> Ar.

make the given example actually work.

.Nm does not need a dummy argument ("") before punctuation or
for correct formatting of the SYNOPSIS any longer.

drop support for rsh/rlogin relaying.
use of .rhosts authentication should be discouraged with relaying service.
sync w/kame

Drop .Pp before subsection, whitespace nit and sort sections.

sync with the latest kame.
- select() with the right maxfd.
- don't write() with len <= 0.
- no wacky macro ERRSTR.

faith(4) is now documented in RFC3142.

avoid null pointer deref. sync with kame.

pull latest faithd from kame. /etc/faithd.conf allows you to filter by prefix.
manpage cleanups.

sync with latest kame.
- improve logging.
- correct multicast address check for the relayed destination.
- repair EPRT translation.
- support 227 result without paren.
- change behavior on no-argument to more sensible side
(before: relay telnet, now: error)
WARNING: you may need to change your startup script.

For commands and utilities, use EXIT STATUS rather than RETURN VALUES or
DIAGNOSTICS as appropriate (and documented in mdoc(7)).

allow faithd(8) to be invoked via inetd(8), just like tcpd (of tcp_wrappers).
sync with kame.

benefits: allows us to access-control inbound traffic by using hosts.allow(5).
possible drawbacks: inetd mode has no chance for multi-connection-per-single-
process enhancement. current faithd(8) needs 1 process per 1 connection
anyways.

add more security notice about relaying rsh/rlogin taffic. (sync with kame)

branches: 1.8.2;
sync with latest kame code. a bug with malloc() size (that can lead to
SEGV) is corrected.

branches: 1.7.2;
wording

improve SECURITY section. (sync with kame)

add reference to i-d.

s/.Os KAME/.Os/

sync with latest KAME. nuke use of ss_{len,family}.
CVsA: ----------------------------------------------------------------------

branches: 1.2.4;
typo and wording fixes. sync'ed with latest KAME.

add faithd, IPv6-to-IPv4 tcp relay translator.
utilizes pseudo-device "faith".

use new scopeid functions

branches: 1.35.2; 1.35.8;
Use __dead

__dead + __printflike

KNF, pass lint.

include sys/cdefs.h so that __attribute__ can be fixed later

branches: 1.31.22;
poll() argument mistake. Tatoku Ogaito

use poll(2) instead of select(2). based on patch from deraadt@openbsd, via kame

simplify by strdup. expilcitly specify IPPROTO_TCP (to cope with sctp-ready
getaddrinfo).

socklen_t audit. from deraadt, sync w/kame

die if fd_set overrun. explicitly turn off use of IPv4 mapped addr on AF_INET6
socket.

remove unmaintained option (#ifdef FAITH4). sync w/kame

drop support for rsh/rlogin relaying.
use of .rhosts authentication should be discouraged with relaying service.
sync w/kame

handle ECONNABORTED at accept(2). correct error handling for connect(2)
sync w/ kame

daemon(3) has to be called before opening file descriptors.
noticed by markus@openbsd, sync with kame

assume the presense of getifaddrs(3). sync with kame

deal with wait3() returning -1. be careful on malloc failures. sync with kame

sync with the latest kame.
- select() with the right maxfd.
- don't write() with len <= 0.
- no wacky macro ERRSTR.

avoid null pointer deref. sync with kame.

avoid zombies on abnormal disconnects. sync with kame

pull latest faithd from kame. /etc/faithd.conf allows you to filter by prefix.
manpage cleanups.

fix tyop

printf-format audit. from sommrfeld@netbsd.org. sync with kame.

sync with latest kame.
- improve logging.
- correct multicast address check for the relayed destination.
- repair EPRT translation.
- support 227 result without paren.
- change behavior on no-argument to more sensible side
(before: relay telnet, now: error)
WARNING: you may need to change your startup script.

always use %s for setproctitle. from openbsd-current

allow faithd(8) to be invoked via inetd(8), just like tcpd (of tcp_wrappers).
sync with kame.

benefits: allows us to access-control inbound traffic by using hosts.allow(5).
possible drawbacks: inetd mode has no chance for multi-connection-per-single-
process enhancement. current faithd(8) needs 1 process per 1 connection
anyways.

use %s with syslog, to prevent abuse. from: deraadt (sync with kame)

branches: 1.10.2;
sync with latest kame code. a bug with malloc() size (that can lead to
SEGV) is corrected.

branches: 1.9.2;
use getifaddrs, not SIOCGIFCONF.

typo (sa_family must be sa_len)
NetBSD PR: 9084

void unbounded sprintf().
fix proc title.

fix wrong indentation.

oops, fix typo.

fix uninitialized pointer access on mapped addr handling.
add more debugging info on setsockopt errors.

fix possible infinite loop in tcp relay (avoid possible DoS).
PR: 8640
From: Feico Dillema

sync with latest KAME. nuke use of ss_{len,family}.
CVsA: ----------------------------------------------------------------------

branches: 1.1.4;
add faithd, IPv6-to-IPv4 tcp relay translator.
utilizes pseudo-device "faith".

Use __dead

__dead + __printflike

KNF, pass lint.

drop support for rsh/rlogin relaying.
use of .rhosts authentication should be discouraged with relaying service.
sync w/kame

handle ECONNABORTED at accept(2). correct error handling for connect(2)
sync w/ kame

sync with the latest kame.
- select() with the right maxfd.
- don't write() with len <= 0.
- no wacky macro ERRSTR.

printf-format audit. from sommrfeld@netbsd.org. sync with kame.

sync with latest kame.
- improve logging.
- correct multicast address check for the relayed destination.
- repair EPRT translation.
- support 227 result without paren.
- change behavior on no-argument to more sensible side
(before: relay telnet, now: error)
WARNING: you may need to change your startup script.

allow faithd(8) to be invoked via inetd(8), just like tcpd (of tcp_wrappers).
sync with kame.

benefits: allows us to access-control inbound traffic by using hosts.allow(5).
possible drawbacks: inetd mode has no chance for multi-connection-per-single-
process enhancement. current faithd(8) needs 1 process per 1 connection
anyways.

branches: 1.3.2;
sync with latest kame code. a bug with malloc() size (that can lead to
SEGV) is corrected.

branches: 1.2.2;
fix default daemon pathname.

branches: 1.1.4;
add faithd, IPv6-to-IPv4 tcp relay translator.
utilizes pseudo-device "faith".

s/connetion/connection/ in messages.

KNF, pass lint.

Fix -Wsign-compare issues

branches: 1.17.28;
Coverity CID 1321: False -gative detection.

Coverity CID 3671: Cast close to void and don't close negative fds.

plug memory leak. Patrick Latifi

Add (unsigned char) cast to ctype functions

use poll(2) instead of select(2). based on patch from deraadt@openbsd, via kame

socklen_t audit. from deraadt, sync w/kame

die if fd_set overrun. explicitly turn off use of IPv4 mapped addr on AF_INET6
socket.

correct ftp relay functionality.

remove unmaintained option (#ifdef FAITH4). sync w/kame

branches: 1.8.2;
handle ECONNABORTED at accept(2). correct error handling for connect(2)
sync w/ kame

sync with the latest kame.
- select() with the right maxfd.
- don't write() with len <= 0.
- no wacky macro ERRSTR.

sync with latest kame.
- improve logging.
- correct multicast address check for the relayed destination.
- repair EPRT translation.
- support 227 result without paren.
- change behavior on no-argument to more sensible side
(before: relay telnet, now: error)
WARNING: you may need to change your startup script.

sync with latest kame code. a bug with malloc() size (that can lead to
SEGV) is corrected.

branches: 1.4.2;
void unbounded sprintf().
fix proc title.

fix uninitialized pointer access on mapped addr handling.
add more debugging info on setsockopt errors.

sync with latest KAME. nuke use of ss_{len,family}.
CVsA: ----------------------------------------------------------------------

branches: 1.1.4;
add faithd, IPv6-to-IPv4 tcp relay translator.
utilizes pseudo-device "faith".

ansify - drop the K&R style prototypes & implementations.

KNF, pass lint.

Fix -Wsign-compare issues

branches: 1.6.40;
initialize sentinel.next so that config_list does not get garbage

socklen_t audit. from deraadt, sync w/kame

remove unmaintained option (#ifdef FAITH4). sync w/kame

deal with wait3() returning -1. be careful on malloc failures. sync with kame

sync with the latest kame.
- select() with the right maxfd.
- don't write() with len <= 0.
- no wacky macro ERRSTR.

pull latest faithd from kame. /etc/faithd.conf allows you to filter by prefix.
manpage cleanups.

More K&R style prototypes missed in the previous run

drop support for rsh/rlogin relaying.
use of .rhosts authentication should be discouraged with relaying service.
sync w/kame

pull latest faithd from kame. /etc/faithd.conf allows you to filter by prefix.
manpage cleanups.

no longer in use

sync with the latest kame.
- select() with the right maxfd.
- don't write() with len <= 0.
- no wacky macro ERRSTR.

pull latest faithd from kame. /etc/faithd.conf allows you to filter by prefix.
manpage cleanups.

sync with latest kame code. a bug with malloc() size (that can lead to
SEGV) is corrected.

branches: 1.2.2;
sync with latest KAME. nuke use of ss_{len,family}.
CVsA: ----------------------------------------------------------------------

branches: 1.1.4;
add faithd, IPv6-to-IPv4 tcp relay translator.
utilizes pseudo-device "faith".

__dead + __printflike

KNF, pass lint.

die if fd_set overrun. explicitly turn off use of IPv4 mapped addr on AF_INET6
socket.

remove unmaintained option (#ifdef FAITH4). sync w/kame

handle ECONNABORTED at accept(2). correct error handling for connect(2)
sync w/ kame

deal with wait3() returning -1. be careful on malloc failures. sync with kame

sync with the latest kame.
- select() with the right maxfd.
- don't write() with len <= 0.
- no wacky macro ERRSTR.

pull latest faithd from kame. /etc/faithd.conf allows you to filter by prefix.
manpage cleanups.

sync with latest kame.
- improve logging.
- correct multicast address check for the relayed destination.
- repair EPRT translation.
- support 227 result without paren.
- change behavior on no-argument to more sensible side
(before: relay telnet, now: error)
WARNING: you may need to change your startup script.

sync with latest kame code. a bug with malloc() size (that can lead to
SEGV) is corrected.

branches: 1.1.6;
add faithd, IPv6-to-IPv4 tcp relay translator.
utilizes pseudo-device "faith".