rcs_set_tz: Use timegm() to parse broken-down UTC
We used to use mktime() (which expects local time not UTC) and
manually adjust the time zone, but this did not take DST into
account. From Tomas Rippl
newsyslog: use localtime_r(3) with error handling
Replace localtime(3) with localtime_r(3) to avoid editing of struct tm
in libc. While here do correct error handling of the return value.
suggested by bluhm
ok bluhm
Move kernal local struct disklabel variables off of stack and into malloc'd
memory.
Note that sr_hibernate_io() will be a special case handled separately.
Required for future increases in the number of disk partitions and thus the size
of a disklabel.
Most work by & ok deraadt@
Revert: Clear RTF_MPATH flag for cloned routes.
In rev 1.449 the multipath flag was cleared for cloned routes to
avoid a crash during removal. Unfortunately this breaks a feature
where we have multiple llinfo entries for interfaces with different
priority. regress/sbin/route rttest32 detects this and fails.
Meanwhile ARP and ND6 lists use iterator to be MP safe. So removing
the wrong llinfo route should not be a problem anymore. Eventually
the timeout will catch both of them. Do not clear RTF_MPATH flag
anymore.
regress failure noted by anton@
Add thisUpdate in ManifestRef in CCR file format
Store the thisUpdate value from Manifest eContent payloads in
the CCR/Erik protocol ManifestRef structure. This will be useful
for debugging Erik protocol exchanges, but also paves the way to
generate Erik objects directly from CCR objects.
OK tb@
Be able to limit interface configured lifetimes.
When a prefix on an advertising interface is configured with
lifetimes, rad(8) would use those and ignore lifetimes from the
configuration.
On "sensible" networks, this is perfectly fine, however some dhcpv6
servers might hand out leases with excessively long lifetimes (months)
and there was no way to limit those lifetimes. Now the minimum of
lifetimes from the config file and the interface is used.
Problem pointed out by Ryan Vogt (rvogt.ca AT gmail), who also
provided a diff, which inspired this change.
Lots of testing by Ryan Vogt.
OK bluhm
Disable aggressive-nsec when "force" is in use.
When resolution of a domain is forced to a resolver type, the resolver
might have an nsec chain in its cache that proofs the non-existence of
the domain. With aggressive-nsec enabled (the default in unbound), the
query will then not be forwarded and resolution fails, even if "accept
bogus" is configured.
For example, if one squats on the undelegated tld "foobar":
force forwarder { foobar }
and then typo's it as foobaa:
foo. 86400 IN NSEC food. NS DS RRSIG NSEC
Problem reported by, testing & OK tb
Suggestion to turn off aggressive-nsec by otto
