* Add missing dash before long option name in synopsis.
* Remove spurious paragraph break and bullet item.
* While there, fix mandoc -T lint complaints.
Reviewed by: ziaee, des
Differential Revision: https://reviews.freebsd.org/D48388
Hop-by-hop headers on IPv6 are now blocked by default. Specify 'allow-opts' to
allow them.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50663
Block IPv6 packets in pf(4) that have hop-by-hop options header or
destination options header. Such packets can be passed by adding
"allow-opts" to the rule. So IPv6 options are handled like their
counterpart in IPv4 now.
tested by benno@; OK henning@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, c50c83ac27
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50662
IPFilter interferes with the header.py:TestHeader6::test_too_many test, so skip
it if the module is loaded.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50661
Verify that we drop packets with 20 or more AH headers (IPv4) or 20 or more
extension headers (IPv6).
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50660
Limit the nested header chain for IPv6 extensions headers and for
authentication headers in the IPv4 case. This prevents spending
excessive cpu time on crafted packets.
OK henning@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 2e5bc81177
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50659
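
Added example, not pf's code and not part of these commits: a stand-alone C walker for the two behaviours the messages above describe, dropping hop-by-hop and destination options headers unless allow-opts is given, and dropping a packet once it carries 20 or more IPv6 extension headers. The names walk_ext6, walk_n, HDR_CHAIN_MAX and WALK_DROP, the allow_opts parameter standing in for the rule option, and the constructed packet are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { HDR_CHAIN_MAX = 20, WALK_DROP = -1 };	/* limit taken from the page */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AH = 51, NH_DSTOPTS = 60 };

/* Walk the headers after the fixed IPv6 header, whose Next Header value is
 * nh. Returns the upper-layer protocol number, or WALK_DROP. */
int walk_ext6(const uint8_t *p, size_t len, uint8_t nh, int allow_opts)
{
	size_t off = 0, hlen;

	for (int seen = 1; ; seen++) {
		int opts = (nh == NH_HOPOPTS || nh == NH_DSTOPTS);
		if (!opts && nh != NH_ROUTING && nh != NH_FRAGMENT && nh != NH_AH)
			return nh;	/* reached the upper-layer protocol */
		if (opts && !allow_opts) return WALK_DROP;	/* needs allow-opts */
		if (seen >= HDR_CHAIN_MAX) return WALK_DROP;	/* 20th header */
		if (len - off < 8) return WALK_DROP;		/* truncated header */
		if (nh == NH_FRAGMENT)
			hlen = 8;				/* fixed size */
		else if (nh == NH_AH)
			hlen = ((size_t)p[off + 1] + 2) * 4;	/* 4-octet units, minus 2 */
		else
			hlen = ((size_t)p[off + 1] + 1) * 8;	/* 8-octet units, minus 1 */
		if (len - off < hlen) return WALK_DROP;		/* length overruns packet */
		nh = p[off];
		off += hlen;
	}
}

/* Constructed input: n minimal 8-byte headers of one type, then TCP. */
int walk_n(int n, uint8_t type, int allow_opts)
{
	uint8_t buf[8 * 32] = { 0 };		/* every length octet stays 0 */

	if (n < 0 || n > 32) return WALK_DROP;
	for (int i = 0; i < n; i++)
		buf[8 * i] = (uint8_t)((i + 1 < n) ? type : NH_TCP);
	return walk_ext6(buf, 8 * (size_t)n, n ? type : NH_TCP, allow_opts);
}

int main(void)
{
	printf("%d %d\n", walk_n(19, NH_ROUTING, 0), walk_n(20, NH_ROUTING, 0));
	return 0;
}
```

The fragment offset is not examined here, so the value returned for a non-first fragment is only the Next Header number, not a parsed upper-layer header.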
This fixes the build for NOINET6 kernels, but also more accurately reflects what
we're doing. The first two fields are the same, so the only functional change is
that we require slightly more data in the first fragment now.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50658
Pf was handling IPv4 and IPv6 differently regarding AH extension
headers. pf_walk_header6() steps over it and detects the real
protocol. So to implement a minimal header walking function
pf_walk_header() for IPv4. It does the header checks and jumps
over AH. Then pf does not understand AH as a protocol, it is just
an extension that authenticates the packet. Move some header and
option checks to pf_walk_header() for consistency with IPv6. This
also improves the header check for IPv4 packets in ICMP payload.
OK henning@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 22ef11432c
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50657
These were present in the SEE ALSO section but were not explicitly
mentioned. Add a brief description of both.
Reviewed by: ziaee
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50707
libcam in userspace also includes nvme_all.c which now depends on
nvme_util.c, so add nvme_util.c to libcam's sources. This requires
exporting the opcode and status code routines in nvme_util.c to
userspace as well as the kernel. In turn, this means nvmecontrol now
depends on libsbuf (which is already present in /lib).
Reported by: viswhin, Jenkins
Fixes: 60159a98a8 ("nvme: Move opcode and status code tables from base CAM to nvme_util.c")
Sponsored by: Chelsio Communications
In CheriBSD we use two bits to control load and store of CHERI
capabilities (pointers). In anticipation of merging CHERI support in
time for FreeBSD 16, reserved these two bits to avoid the (low, but
non-zero) risk of a flag day downstream.
I've used PROT_CHERI0 and PROT_CHERI1 rather than their downstream name
in hopes of avoiding the impression they do something today.
Reviewed by: kevans, adrian
Suggested by: kevans, adrian
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D50621
Commit 1cbb58886a (shipped in 12.0.0) removed all lint infrastructure.
A bunch of NO_LINT definitions remained (perhaps as a bootstrapping
measure). Remove them.
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D50704
There are enough cases where the duplicate name is caused by dubious
hardware configuration. Stopping the whole system instead of failing a
driver, or even a diagnostic subsystem in a driver, is more
user-friendly.
Another issue right now is that the check is only present for the
INVARIANTS builds, silently accepting the request to create an entry
with the existing name on production builds.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D50669
We need to invalidate timestamps when a TX queue is cleared so that the
TX timeout detection callout does not mistakenly fire for cleared
packets. When using DQO queue formats, timestamps are set on the pending
packet array whose length is not the same as the length of the
descriptor ring itself. This commit fixes logic which invalidated the
wrong number of pending packets.
Signed-off-by: Jasper Tran O'Leary <jtranoleary@google.com>
Fixes: 3d2957336c ("gve: Add callout to detect and handle TX timeouts")
Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D50688
These lines have been commented out ever since the first import of fuse.
The intention seems to be for the original developer to experiment with
different error handling strategies, but they're very obsolete by now.
Delete them.
MFC after: 2 weeks
Sponsored by: ConnectWise
This bug was fixed by googletest back in 2019 and released in googletest
1.10.0, I think. Using GTEST_SKIP from a test environment works now.
https://github.com/google/googletest/issues/2189
MFC after: 2 weeks
Sponsored by: ConnectWise
This reduces the number of duplicate string tables for NVMe opcodes
and status codes.
Adjust the formatting of unknown opcodes and status codes to more
closely match nvme(4).
Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D50652
This makes it possible to share these tables with the nvme(4) driver
in custom kernels that do not include any CAM support, only nvd(4).
Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D50685
The original list of IEs got expanded from TLV to TLextTV.
If the T matches 255 then we have a second list of IEs where the
meaning of TL stays the same. That means the 1 octet extT is part
of the length and the value starts at ie+3.
Start populating the list with IEEE802.11-2020 and 802.11ax-2021
values.
They will be initially used to start decoding some of the announced IEs
for ifconfig [-v] list (scan|sta). That should help users with
AX-enabled APs to see this (rather than no or UNKNOWN_ELEMID_255) and
make debugging easier once we implement 11ax.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D50674
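
Added example, not net80211 or ifconfig code: a bounds-checked C parser for the layout the message above describes, where T == 255 selects the extended list, the extT octet is counted in L, and the value starts at ie+3. The names ie_view, ie_parse and ie_find_ext and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ELEMID_EXT 255		/* T value that selects the second IE list */

struct ie_view {
	uint8_t id, ext_id;	/* T and, when has_ext is set, extT */
	int has_ext;
	const uint8_t *val;	/* ie+2 for a plain IE, ie+3 for an extended one */
	size_t val_len;		/* L for a plain IE, L-1 for an extended one */
};

/* Parse the IE at buf[off]; return the next offset, or 0 if malformed. */
size_t ie_parse(const uint8_t *buf, size_t buflen, size_t off, struct ie_view *v)
{
	if (off > buflen || buflen - off < 2) return 0;	/* no room for T and L */
	const uint8_t *ie = buf + off;
	size_t len = ie[1];
	if (buflen - off - 2 < len) return 0;		/* L runs past the buffer */
	v->id = ie[0]; v->ext_id = 0; v->has_ext = 0;
	v->val = ie + 2; v->val_len = len;
	if (ie[0] == ELEMID_EXT) {
		if (len < 1) return 0;			/* L must cover the extT octet */
		v->has_ext = 1; v->ext_id = ie[2];
		v->val = ie + 3; v->val_len = len - 1;
	}
	return off + 2 + len;
}

/* Value length of the first extended IE ext_id; -1 if absent, -2 if malformed. */
int ie_find_ext(const uint8_t *buf, size_t buflen, uint8_t ext_id)
{
	struct ie_view v;
	for (size_t off = 0, next; off < buflen; off = next) {
		if ((next = ie_parse(buf, buflen, off, &v)) == 0) return -2;
		if (v.has_ext && v.ext_id == ext_id) return (int)v.val_len;
	}
	return -1;
}

/* Constructed samples, not captured frames. */
const uint8_t ie_good[] = { 0, 2, 'a', 'p', 255, 3, 35, 0xde, 0xad };
const uint8_t ie_noext[] = { 255, 0 };		/* extended IE without extT */
const uint8_t ie_trunc[] = { 255, 9, 35, 0 };	/* L claims more than is present */

int main(void)
{
	printf("%d %d\n", ie_find_ext(ie_good, sizeof(ie_good), 35),
	    ie_find_ext(ie_noext, sizeof(ie_noext), 35));
	return 0;
}
```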
Annotate a few which are obsolete (gone).
Naming as usual is questionable and I contemplated using the names
from wpa with a different prefix but then we end up with another mix.
While updating the reference to the newer standard I haven't made
a full pass again and I cannot say which version I used in 2020.
The motivation for this is to get rid of unknown IEs displayed in
ifconfig and elsewhere.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Fixes: 50982d26e4 (MMIC -> MGMT_MIC)
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D50671
While we decided that we will not provide WEP support for the LinuxKPI
802.11 compat code, some of it is in there already (also because drivers
still support it). Put proper keylen checks in place as net80211 only
knows about WEP while LinuxKPI has WEP40 and WEP104.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
For iwlwifi, rtw88, and rtw89 we can treat GCMP the same way as we
treat CCMP which allows us to re-use the CCMP code for now.
Add the missing case statements and factor out some common code.
Allow IEEE80211_CRYPTO_AES_GCM_128 through our filter of supported
cipher suites to announce it to net80211.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
During testing I hit a case where htcap->mcs.rx_mask[0,1] were zero.
This should not happen as that would mean we are not supporting HT.
After adding extra caution for debugging I could no longer reproduce
the case.
So just to deal with the eventuality make synching from HT more
resilient by checking that we have nss > 0 or otherwise disable
HT operations.
Move setting the bandwidth below this check to not alter it in
case of the now early return.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
add_route_flags() frees the rtentry on error when called with the RTM_F_CREATE
flag. Don't free the rtentry a second time.
Reviewed by: ae
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50665
Import MIT KRB5 1.21.3, which will gracefully replace KTH Heimdal.
The tarball used in this import is the same tarball used in
ports/krb5-121.
The Makefiles to add MIT KRB5 to the build will be added later.
Obtained from: http://web.mit.edu/kerberos/dist/
Sponsored by: The FreeBSD Foundation
Add 'crypto/krb5/' from commit '8f7d3ef26dec89a92ec0665de84a5936310a5574'
git-subtree-dir: crypto/krb5
git-subtree-mainline: bf6873c578
git-subtree-split: 8f7d3ef26d
From https://www.eyrie.org/~eagle/software/pam-krb5/:
pam-krb5 provides a Kerberos PAM module that supports authentication,
user ticket cache handling, simple authorization (via .k5login or
checking Kerberos principals against local usernames), and password
changing. It can be configured through either options in the PAM
configuration itself or through entries in the system krb5.conf file,
and it tries to work around PAM implementation flaws in commonly-used
PAM-enabled applications such as OpenSSH and xdm. It supports both
PKINIT and FAST to the extent that the underlying Kerberos libraries
support these features.
The reason for this import is to provide an MIT KRB5 compatible
pam_krb5 PAM module. The existing pam_krb5 in FreeBSD only works
with Heimdal.
The Makefiles to hook this software into the build will come later.
Sponsored by: The FreeBSD Foundation
Add 'contrib/pam-krb5/' from commit '24f0b4ca2d565cdbb4fe7839ff28320706bf2386'
git-subtree-dir: contrib/pam-krb5
git-subtree-mainline: 290e8aaa38
git-subtree-split: 24f0b4ca2d
This is the first in a series of commits to replace Heimdal with
MIT KRB5. This first commit adds the WITH_MITKRB5/MK_MITKRB5 knob
to src.opts.mk and its corresponding documentation in
tools/build/options. The default is off.
This change of and by itself is of no consequence as MIT KRB5 has
yet to be imported in to HEAD. But it does insulate the build from
incremental change until the last patch is committed when WITH_MITKRB5
will build MIT KRB5 1.21.3 instead of Heimdal.
This affords us the opportunity to review smaller commits.
This is the first of many commits.
Reviewed by: imp, jhb, brooks, markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50684
If a NFSv4 client does an exclusive open where the file
already exists, the server returns EEXIST. However,
without this patch, a partially filled in nfslockfile
structure is allocated, but is not referenced by any open
and, as such, never gets freed.
This patch fixes the bug by checking for EEXIST before
calling nfsvno_open().
Reported by: Christoper Iler <ciler@volexity.com>
Tested by: Christoper Iler <ciler@volexity.com>
MFC after: 2 weeks
Commit 2ec2ba7e23 added support for the O_NAMEDATTR flag to
the open(2) and openat(2) syscalls for main.
This patch updates the man page for this flag.
Another man page that explains named attributes will
be introduced in a future commit.
This is a content change.
Reviewed by: emaste (earlier version), kib (earlier version)
Differential Revision: https://reviews.freebsd.org/D49691
Fixes: 2ec2ba7e23 ("vfs: Add VFS/syscall support for Solaris style extended attributes")
It's unused, and the naked strcpy() was susceptible to buffer overflow
if one creates, say, a probe called "profile-2000000000ns".
Reported by: CHERI
MFC after: 1 week
Sponsored by: Innovate UK
Now that bsd.prog.mk uses .pieo instead of .o for object files linked
into PIEs, we need to ensure that the object file generated by dtrace -G
has the same extension.
Fixes: 245bb01106 ("Use .pieo extension for WITH_PIE bsd.prog.mk output")
Sponsored by: Innovate UK
If we are doing DIRDEPS_BUILD and MK_RUN_TESTS is yes
we can hook tests associated with dirs to be built into the graph
such that we avoid circular dependencies but the build will fail
should any test fail.
Make MK_RUN_TESTS independent of MK_TESTS
also for non-DIRDEPS_BUILD ensure we have RELDIR and check it
against patterns in HOST_RUN_TESTS.
Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D50387
This allows userspace to run on a (somewhat) out of date kernel.
Avoid a __FreeBSD_version bump and use the bump from a02180cf60 which
has occurred since exterrctl was added.
Reviewed by: kevans
Fixes: b9c8a07d4d ("C runtime: enable extended error reporting from kernel")
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D50687
The primary benefit of this rewrite is that it parallelizes a number of
the make(1) jobs that it needs to do. It does so with a very naive
forking model that could likely be improved, but is sufficient for our
purposes. This version also doesn't assume that CWD is sane, and
instead operates relative to the directory the script resides in.
Note that this initial version is only intended to match the output of
the legacy script. Some work is planned afterward to refactor the
script out into various components to improve maintainability after we
have switched over to it.
In my horribly performing dev environment, this version runs in 40s
rather than the original ~2 minutes. On a Mt. Snow machine, this
version runs in ~15s rather than the original ~1m40s.
This change does not yet switch the top-level `makeman` target over to
the new version.
Reviewed by: bapt (earlier version), emaste
Differential Revision: https://reviews.freebsd.org/D39084
Replace nvme_cmd_string and nvme_opcode_string with a single function.
nvme_cmd_string was already using an sbuf around a caller-supplied
string, so use the same pattern for the entire command string.
Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D50651
This file depends on sys/types.h being included before it, which isn't
the best assumption. Include it here since we have no namespace
pollution concerns.
Sponsored by: Netflix