If VOP_READLINK returns a path that contains a NUL, it will trigger an
assertion in vfs_lookup. Sanitize such paths in fusefs, rejecting any
and warning the user about the misbehaving server.
PR: 274268
Sponsored by: Axcient
Reviewed by: mjg, markj
Differential Revision: https://reviews.freebsd.org/D42081
(cherry picked from commit 662ec2f781521c36b76af748d74bb0a3c2e27a76)
Client one is supposed to be assigend 198.51.100.2, but sometimes it
loses the race and the address ends up assigned to client two. When this
happened one would try to ping itself, which failed because the loopback
interface isn't up.
Ideally we'd generate static address assignments, but that would
complicate the test. Activate loopback interfaces so the test always
passes, and just try to ping both possible addresses.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 956a46311462423f97b2410065f8caff2c630701)
If we're evaluating a pfsync'd state (and have different rules on both
ends) our state may point to the default rule, which does not have
rpool.cur set. As a result we can end up dereferencing a NULL pointer.
Explicitly check for this when we try to re-construct the route-to interface.
Also add a test case which can trigger this issue.
MFC after: 3 days
See also: https://redmine.pfsense.org/issues/14804
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 74c2461386ea5eeb41e674df6b16a44b0509a882)
When using cached attributes, we must update a file's atime during
close, if it has been read since the last attribute refresh. But,
* Don't update atime if we lack write permissions to the file or if the
file system is readonly.
* If the daemon fails our atime update request for any reason, don't
report this as a failure for VOP_CLOSE.
PR: 270749
Reported by: Jamie Landeg-Jones <jamie@catflap.org>
Sponsored by: Axcient
Reviewed by: pfg
Differential Revision: https://reviews.freebsd.org/D41925
(cherry picked from commit fb619c94c679e939496fe0cf94b8d2cba95e6e63)
fusefs: fix unused variables from fb619c94c67
PR: 270749
Reported by: cy
Sponsored by: Axcient
(cherry picked from commit e5236d25f2c0709acf3547e6af45f4bb4eec4f02)
The test tries to trigger creation of a superpage mapping in an
mlock()ed region.
MFC after: 2 weeks
(cherry picked from commit 8f26ed01bd74aab21309ac04ae1d1368a6346c90)
pf can now mark shut down multihomed connections shutting down. Verify
that pf does the right thing.
MFC after: 3 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 97340b68d18bbbdebf0f73ed900c5a33894061dd)
The SCTP server will announce multiple addresses. Block one of them with
pf, connect to the other have the client use the blocked address. pf
is expected to have created state for all of the addresses announced by
the server.
In a separate test case add the secondary (client) IP after the
connection has been established. The intent is to verify the
functionality of the ASCONF chunk parsing.
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D41638
(cherry picked from commit 1a28d5fea7edf200c37d14f7ed5865910664ec3d)
Make sure that it can be used to change the passphrase of both attached
and detached providers.
Approved by: re (kib)
PR: 254966
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 2b7b09ac9675023869fddbae4911c9b674b1155a)
`INSTANTIATE_TEST_CASE_P` has been replaced with `INSTANTIATE_TEST_SUITE_P`.
Replace all uses of the former macro with the latter macro.
While here, address the fact that the latter macro doesn't permit some
of the constructions that the former macro did, e.g., empty parameters,
etc.
MFC after: 2 weeks
Reviewed by: asomers
Differential Revision: https://reviews.freebsd.org/D41398
Send an ICMPv6 echo request packet with multiple IPv6 fragment headers.
Set rules to pass all packets, except for ICMPv6 echo requests.
pf ought to drop the echo request, but doesn't because it reassembles
the packet, and then doesn't handle the second fragment header. In other
words: it fails to detect the ICMPv6 echo header.
Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
MFC after: instant
Sponsored by: Rubicon Communications, LLC ("Netgate")
The mac_ipacl policy module enables fine-grained control over IP address
configuration within VNET jails from the base system.
It allows the root user to define rules governing IP addresses for
jails and their interfaces using the sysctl interface.
Requested by: multiple
Sponsored by: Google, Inc. (GSoC 2019)
MFC after: 2 months
Reviewed by: bz, dch (both earlier versions)
Differential Revision: https://reviews.freebsd.org/D20967
The multicast code has an issue where it can lose the Solicited-node
multicast group subscription if the same address is added twice.
Test for this.
PR: 233683
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41123
Ensure that SCTP connections survive a failover to the backup pf
instance.
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40869
Explicitly test that we cannot change the port number with rdr.
That's not a desireable feature on SCTP, because it could break
multihomed connections.
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40868
Ensure that we send a correct abort message for 'block return' rules.
Test this by validating that nc doesn't sit around waiting for a
connection. It should give up immediately when it receives the abort.
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40865
pf can now inspect SCTP. Check that we can set up a connection.
IPv4 and IPv6 tests.
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40863
* Wait for gnop devices to disappear after "gnop destroy".
Apparently that process is asynchronous now, or maybe it's just slower
than it used to be. Also, after removing a gnop wait for its pool to
be degraded. That isn't instant.
* The zfsd tests no longer require camcontrol.
This was a harmless oversight from
11ed0a95bf
* Fix the zfsd_degrade_001_pos test for recent zfs versions.
ZFS now rate limits checksum errors to about 20 per second. But
zfsd's threshold for degrading a disk is 50 per minute. So we must
alternately corrupt and scrub the pool to ensure that checksum errors
are generated in multiple 1-second windows, so that zfsd will see
enough of them.
* Fix the zfsd_fault_001_pos test in VMs
And, for that matter, when using NVME or SATA disks. As originally
written, the test used the da driver to inject errors. Rewrite it to
use gnop vdevs. gnop can also inject errors. It works on top of any
disk device, and it's also faster than using da.
MFC after: 2 weeks
Sponsored by: Axcient
Differential Revision: https://reviews.freebsd.org/D39437
In most cases, usage does not return, so mark them as __dead2. For the
cases where they do return, they have not been marked __dead2.
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/735
It only ever worked by accident.
* Actually set autoreplace=off as stated in the description
* Wait for the removed device to disappear from the pool before
proceeding.
* In the assertion, verify that the new disk does not get added, as
described in the description.
MFC after: 2 weeks
Sponsored by: Axcient
Build a setup where a given packet will be passed through the codel code
twice. This used to trigger issues with double-free on mtags.
Sponsored by: Rubicon Communications, LLC ("Netgate")
GCC complains that DNAME in the inval_entry_below_root test is not
used, but EXPECT_LOOKUP() does pass DNAME to strcmp in an internal
lambda function.
Reviewed by: asomers
Differential Revision: https://reviews.freebsd.org/D40661
This is disabled by default since it potentially changes the behavior of
existing filter rule sets. To enable this extra filter for packets being
delivered locally, use:
sysctl net.pf.filter_local=1
service pf restart
PR: 268717
Reviewed-by: kp
MFC-after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D40373
