When fixing bug 286692, change eafe5967ac, which fixed a case where the
peer side does close(), also regressed a case where our side does
shutdown(SHUT_WR). These are actually two independent code paths, and
eafe5967ac shouldn't have touched the second block. The removal of
'kn->kn_flags |= EV_EOF' was incorrect, and the statement on original
behavior in the commit message was also incorrect.
Do not add back so_error setting, since I failed to find a test case that
would return anything but 0 in kevent.fflags when run on stable/14.
This was found with help of https://github.com/tokio-rs/mio. Add a test
case into our test suite for that.
Fixes: eafe5967ac
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52327
if_bridge(4) should not prohibit adding a gif(4) interface which has
IP addresses assigned as a bridge member, regardless of the setting
of the sysctl variable net.link.bridge.member_ifaddrs.
Assigning IP addresses on the gif(4) interface should not be affected,
no matter whether it is a member of a bridge interface or not.
PR: 227450
Reported by: Siva Mahadevan <me@svmhdvn.name>
Reviewed by: ivy (previous version)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52200
Now that pf is aware of the address family of each pool address and source
tracking uses distinct address families for source and redirection
addresses, it is possible to add a new pool option, prefer-ipv6-nexthop,
which enables routing of IPv4 packets over IPv6 next hops for rules
with the route-to option.
Add a pool option flag PF_POOL_IPV6NH, apply it to pools with a keyword
prefer-ipv6-nexthop.
Modify pf_map_addr() to handle pools with addresses of different
families. Use *naf as a hint about what address family the forwarded
packet is, then pick from the pool addresses of family that can be used
as a next hop for the forwarded packet, controlled by the PF_POOL_IPV6NH
flag. For NAT pools this flag is never set and thus pf_map_addr()
will return an IP address of the same family as the forwarded packet.
For route-to pools, when the flag is enabled, IPv6 addresses can be
returned for IPv4 packets.
In pf_route() check rt_af, it is not guaranteed to be AF_INET anymore
because pf_map_addr() could have changed it (as *naf).
Add tests for behaviour of pf_map_addr() both with PF_POOL_IPV6NH and
without, for single IP addresses, prefixes and subnets.
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D50781
Transient tunnel devices are removed immediately after the last close, so
that an application that has created the tunnel can eliminate the need
to manually destroy the tunnel whose lifetime it is already managing.
Reviewed by: zlei
Differential Revision: https://reviews.freebsd.org/D44200
The 'nadd' returned by these calls is the number of addresses actually added
or deleted. It can differ from the number userspace sent to the kernel if the
addresses are already present (or not present for the delete case).
This meant that if all of the addresses were already handled the kernel would
return zero, putting us in an infinite loop.
Handle this, and extend the test case to provoke this scenario.
Reported by: netchild@
Fixes: bad279e12d ("pf: convert DIOCRDELADDRS to netlink")
Fixes: 8b388995b8 ("pf: convert DIOCRADDADDRS to netlink")
Sponsored by: Rubicon Communications, LLC ("Netgate")
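The failure mode in the commit above (a bulk add that measures progress by how many addresses the kernel reports as newly added, which is zero when the whole batch is already present) is easy to reproduce in miniature. The following is an added example, not FreeBSD or pfctl code: fake_table and fake_kernel_add stand in for the kernel side, and the "fixed" loop advances by the number of addresses sent, which is one straightforward way to handle the case and is assumed here rather than taken from the commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the batched-add loop described above. Nothing here
 * is FreeBSD code: fake_table, fake_kernel_add, add_all_buggy, add_all_fixed
 * and the demo_* helpers are all invented for this example.
 */
#define BATCH 64          /* the page mentions up to 64 addresses per request */
#define TABLE_MAX 1024

static uint32_t fake_table[TABLE_MAX];
static size_t fake_table_len;

static int fake_table_has(uint32_t a)
{
	for (size_t i = 0; i < fake_table_len; i++)
		if (fake_table[i] == a)
			return 1;
	return 0;
}

/* Stand-in for the kernel: add the addresses that are missing and report
 * how many were actually new ("nadd"); 0 if the whole batch was present. */
static size_t fake_kernel_add(const uint32_t *addrs, size_t n)
{
	size_t nadd = 0;
	for (size_t i = 0; i < n; i++) {
		if (!fake_table_has(addrs[i]) && fake_table_len < TABLE_MAX) {
			fake_table[fake_table_len++] = addrs[i];
			nadd++;
		}
	}
	return nadd;
}

/* Broken pattern: progress is measured by nadd. When a batch is already
 * fully present nadd is 0, the cursor never moves and the loop spins.
 * max_iter exists only so this demo returns; -1 means "would loop forever". */
int add_all_buggy(const uint32_t *addrs, size_t n, int max_iter)
{
	size_t done = 0;
	int iter = 0;

	while (done < n) {
		if (++iter > max_iter)
			return -1;
		size_t want = (n - done > BATCH) ? BATCH : n - done;
		done += fake_kernel_add(addrs + done, want);   /* bug: may add 0 */
	}
	return 0;
}

/* Corrected pattern (assumed fix, not taken from the commit): advance by
 * the number of addresses sent and keep nadd only as a statistic.
 * Returns the total number of newly added addresses. */
size_t add_all_fixed(const uint32_t *addrs, size_t n)
{
	size_t done = 0, added = 0;

	while (done < n) {
		size_t want = (n - done > BATCH) ? BATCH : n - done;
		added += fake_kernel_add(addrs + done, want);
		done += want;                                  /* what we sent */
	}
	return added;
}

/* Demo scenario: 100 constructed addresses, the first `present` of which
 * are already in the table before the bulk add starts. */
#define DEMO_N 100
static uint32_t demo_addrs[DEMO_N];

static void demo_setup(size_t present)
{
	fake_table_len = 0;
	for (size_t i = 0; i < DEMO_N; i++) {
		demo_addrs[i] = (uint32_t)i + 1;
		if (i < present)
			fake_table[fake_table_len++] = demo_addrs[i];
	}
}

int demo_buggy(size_t present)
{
	demo_setup(present);
	return add_all_buggy(demo_addrs, DEMO_N, 50);
}

size_t demo_fixed(size_t present)
{
	demo_setup(present);
	return add_all_fixed(demo_addrs, DEMO_N);
}

int main(void)
{
	printf("buggy, all present: %d\n", demo_buggy(DEMO_N));
	printf("fixed, all present: %zu\n", demo_fixed(DEMO_N));
	printf("fixed, 30 present:  %zu\n", demo_fixed(30));
	return 0;
}
```

Note that the buggy loop also stalls when only part of the list is present: once the cursor has drifted to a point where the remaining batch is entirely known to the table, nadd drops to 0 and progress stops, which is why the test case in the commit provokes the "all already present" scenario.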
ints can be up to 10 digits, plus NUL. Make the val array 12 to silence
a lame gcc warning (the range of the int is such that we'll never
truncate, but this is a cheap fix).
Sponsored by: Netflix
These cover a few bugs that have cropped up, including the ones fixed by
commits 4046ad6bb0 and 2319ca6a01.
PR: 276045
Reviewed by: rmacklem
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D51856
This was originally added for if_bridge_test:span which uses scapy, but
that requirement is now annotated in the test itself.
Remove the requirement so the remaining bridge tests can run without
Python installed.
The ifuntagged option was added as part of the VLAN filtering feature,
but it's useful on its own to be able to place interface traffic in a
VLAN without having to configure every interface for VLAN filtering.
Always do the pvid processing in bridge even if IFBRF_VLANFILTER isn't
enabled, and don't prohibit configuring it.
Add a test for the specific case of setting untagged without vlanfilter.
This has no effect on bridges which don't have at least one interface
configured with ifuntagged.
Differential Revision: https://reviews.freebsd.org/D51760
Tunneling IPv[46] traffic over IPv[46] should still function when the
gif(4) interface is a member of an if_bridge(4) interface, aka the
EtherIP setup.
PR: 227450
Reviewed by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D51682
To allow for Hardware-assisted AddressSanitizer (HWASAN) and future
work to enable MTE, we need to enable TBI in userspace. As address space
that previously would have faulted now will not, this could be considered
an ABI change, so only enable it for processes with a late enough revision.
Relnotes: yes
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D51637
NAT64 performed on inbound direction bypasses outbound filtering
and creates only a single state which is bound to the outbound
interface. Extend TCP NAT64 tests to cover all combinations
of inbound/outbound rule and floating/if-bound states.
Reviewed by: kp
Approved by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D51788
Ever since the first GSoC contribution, fusefs has had a curious
behavior. If the daemon hasn't finished responding to FUSE_INIT,
fuse_vnop_getattr would reply to VOP_GETATTR requests for the mountpoint
by returning all zeros. I don't know why. It isn't necessary for
unmounting, even if the daemon is dead.
Delete that behavior. Now VOP_GETATTR for the mountpoint will wait for
the daemon to be ready, just like it will for any other vnode.
Reported by: Vassili Tchersky
Sponsored by: ConnectWise
Differential Revision: https://reviews.freebsd.org/D50800
If we handle a fragment and are configured not to reassemble it the
pd->proto field will show the layer 4 protocol (i.e. UDP, TCP, SCTP, ...) but
pd->virtual_proto will show we're a fragment.
In that case we also don't have the layer 4 checksum pointer. Have code that
cares about L4 (e.g. NAT) check virtual_proto so it doesn't try to dereference a
NULL pcksum field.
PR: 288549
Reported by: Danilo Egea Gondolfo <danilo@FreeBSD.org>
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51722
Make a few tests less likely to intermittently fail by giving background server
processes a bit more time to finish starting.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Add up to 64 addresses at once. We are limited by the netlink socket buffer, so
we can only add a limited number at once.
Sponsored by: Rubicon Communications, LLC ("Netgate")
The current syntax to add an interface to a filtering bridge requires
repeating the interface name up to three times:
ifconfig bridge0 addm ix0 untagged ix0 10 tagged ix0 100-199
Since at least one of these options nearly always needs to be set,
this results in excessively verbose configuration.
Extend "addm" to support optional arguments, and add two arguments,
"untagged" and "tagged", which infer the interface name from the
addm command. Now the interface only has to be given once:
ifconfig bridge0 addm ix0 untagged 10 tagged 100-199
To avoid confusion with the existing untagged and tagged commands,
rename those to ifuntagged and iftagged.
In future, this syntax will make it possible to add an interface and
set its vlan configuration atomically (once the API supports that),
but switching to the new syntax now means we don't need to change it
after 15.0.
Differential Revision: https://reviews.freebsd.org/D51707
Allowing tag stacking by default can permit VLAN-hopping attacks in
certain configurations. To mitigate this, disallow sending Q-in-Q
frames by default unless the new "qinq" option is enabled on the
interface. The bridge flag "defqinq" can be used to restore the
previous behaviour of allowing Q-in-Q on all interfaces.
The bridge.4 changes from the differential are omitted here and
will be landed via D51185.
Reviewed by: kevans, pauamma_gundo.com (manpages)
Differential Revision: https://reviews.freebsd.org/D51227
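To make concrete what "tag stacking" means for the bridge policy in the commit above, here is an added example (not if_bridge code): a small parser that counts stacked 802.1Q/802.1ad tags in an Ethernet frame, and a forwarding decision that drops frames with more than one tag unless the member's "qinq" option or the bridge's "defqinq" flag is set. The struct names, the build_frame helper and the demo_* scenarios are constructed for this example; the EtherType constants are the standard values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not if_bridge code. EtherTypes are the standard
 * 802.1Q (C-tag) and 802.1ad (S-tag) values; everything else is invented. */
#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_QINQ 0x88a8
#define ETHER_HDR_LEN 14
#define VLAN_TAG_LEN 4

/* Count stacked VLAN tags; -1 if the frame is too short to tell. */
int vlan_tag_depth(const uint8_t *frame, size_t len)
{
	size_t off = 12;   /* EtherType follows the two 6-byte MAC addresses */
	int depth = 0;

	if (len < ETHER_HDR_LEN)
		return -1;
	for (;;) {
		uint16_t et = (uint16_t)((frame[off] << 8) | frame[off + 1]);
		if (et != ETHERTYPE_VLAN && et != ETHERTYPE_QINQ)
			return depth;
		/* a tag is TPID(2)+TCI(2); the next EtherType follows the TCI */
		if (off + VLAN_TAG_LEN + 2 > len)
			return -1;
		off += VLAN_TAG_LEN;
		depth++;
	}
}

/* Simplified policy state: the per-member "qinq" option and the bridge
 * "defqinq" flag named in the commit, modelled as plain booleans. */
struct demo_member { int qinq; };
struct demo_bridge { int defqinq; };

/* 1 if the bridge may send this frame on the member, 0 if it is dropped.
 * Only frames with more than one tag are affected by the policy. */
int bridge_allow_frame(const struct demo_bridge *br, const struct demo_member *m,
    const uint8_t *frame, size_t len)
{
	int depth = vlan_tag_depth(frame, len);

	if (depth < 0)
		return 0;               /* truncated header: drop */
	if (depth <= 1)
		return 1;               /* untagged or single-tagged */
	return (m->qinq || br->defqinq) ? 1 : 0;
}

/* Build a constructed frame with `ntags` stacked tags (outer tag uses the
 * 802.1ad TPID when stacked) and a tiny IPv4 payload. Returns its length. */
size_t build_frame(uint8_t *out, size_t cap, int ntags, uint16_t vid_base)
{
	static const uint8_t macs[12] = { 0x02, 0, 0, 0, 0, 1, 0x02, 0, 0, 0, 0, 2 };
	size_t off = 12;

	if (cap < 12 + (size_t)ntags * VLAN_TAG_LEN + 2 + 4)
		return 0;
	memcpy(out, macs, 12);
	for (int i = 0; i < ntags; i++) {
		uint16_t tpid = (i == 0 && ntags > 1) ? ETHERTYPE_QINQ : ETHERTYPE_VLAN;
		uint16_t tci = (uint16_t)((vid_base + i) & 0x0fff);
		out[off++] = (uint8_t)(tpid >> 8); out[off++] = (uint8_t)tpid;
		out[off++] = (uint8_t)(tci >> 8);  out[off++] = (uint8_t)tci;
	}
	out[off++] = 0x08; out[off++] = 0x00;  /* EtherType IPv4 */
	memset(out + off, 0, 4); off += 4;     /* placeholder payload */
	return off;
}

/* Small scenarios so the result can be checked rather than printed. */
int demo_depth(int ntags)
{
	uint8_t f[64];
	size_t n = build_frame(f, sizeof f, ntags, 100);
	return vlan_tag_depth(f, n);
}

int demo_allow(int ntags, int qinq, int defqinq)
{
	struct demo_bridge br = { defqinq };
	struct demo_member m = { qinq };
	uint8_t f[64];
	size_t n = build_frame(f, sizeof f, ntags, 100);
	return bridge_allow_frame(&br, &m, f, n);
}

int demo_truncated(void)
{
	uint8_t f[64];
	build_frame(f, sizeof f, 2, 100);
	return vlan_tag_depth(f, 16);  /* cut right after the outer tag's TCI */
}
```

The policy here treats "defqinq" as a simple override for every member; the commit describes it as restoring the old allow-everywhere behaviour, and the exact interaction with per-member settings in the real implementation is not spelled out on the page.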
If the system administrator does "zpool offline", he's doing it for a
reason. zfsd shouldn't consider an offline disk to be an event that
requires automatic healing. Don't online it in response to a GEOM
event, and don't try to activate a hotspare to take over from it.
MFC after: 2 weeks
Sponsored by: ConnectWise
If we fail to route the packet in pf_route()/pf_route6() (e.g. because it
hit the TTL limit) we free the mbuf. If that packet is an SCTP packet that
establishes extra (i.e. multihome) states we have a queued job to handle that.
These jobs reference the now freed mbuf.
Pass the error from pf_route()/pf_route6() on, so that
pf_sctp_multihome_delayed() doesn't attempt to use the invalid mbuf pointer (or
establishes states for a packet we're not passing).
PR: 288274
Reported by: Robert Morris <rtm@lcs.mit.edu>
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51627
vlanfilter was originally a per-interface flag to allow more flexible
configurations where some interfaces had VLAN filtering enabled and
some didn't. In practice, this just makes the configuration more
confusing without any real benefit, so remove it, and make vlanfilter
a bridge flag instead.
Add a new bridge option "defuntagged", which sets the automatically
assigned PVID for new members. If set to 0 (the default) then no
PVID is assigned, which matches the current behaviour.
While here, add some more atf_checks to the bridge VLAN tests to
make debugging easier.
Differential Revision: https://reviews.freebsd.org/D51600
Add an optional "vlan <n>" argument to the bridge static and deladdr
commands to allow addresses to be added to / removed from a particular
vlan. No changes to if_bridge are required as the kernel API already
supports this, it just wasn't exposed in ifconfig.
Add tests for the new functionality, and improve the test for the
existing "static" command.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D51243
The function pf_map_addr() and source tracking operate on a single
address family. This made sense before introducing address family
translation. When combining af-to with route-to or with sticky-address,
the next-hop or the NAT address is of a different address family than
the source address. For example, in a NAT64 scenario an IPv6 source address
is translated to an IPv4 address and routed over an IPv4 gateway.
Make source nodes dual-AF, that is have a separate source AF and
redirection AF. Store route AF in struct pf_kstate, export it to pfctl.
When loading rules with redirection pools with pfctl store address
family of each address. When printing states don't deduce next-hop's
address family from af-to, use the one stored in state.
Reviewed by: kp
Approved by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D51659
There are scenarios where we can end up looking up an interface by its scope and
turn up an interface that doesn't have IPv6 enabled on it. If that happens we
could end up dereferencing a NULL pointer accessing ifp->if_afdata[AF_INET6].
Check for this.
One such scenario is if a firewall rewrites a destination address to a
link-local address, with an embedded scope for such an interface. Attach a test
case which provokes this.
PR: 288263
Reported by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51500
Disallow this:
ifconfig bridge0 create
ifconfig bridge0.1 create
ifconfig bridge0 addm bridge0.1
Also disallow this:
ifconfig vlan1 create
ifconfig bridge0 create
ifconfig bridge0 addm vlan1
ifconfig vlan1 vlan 1 vlandev bridge0
Firstly, this panics due to trying to take BRIDGE_LOCK recursively.
Secondly, even if it worked, it could cause packet forwarding loops.
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D51310
"ifconfig gif0 ether" doesn't return any output, so this wasn't
correctly checking the MTU on the gif interface. Remove "ether".
Reviewed by: zlei, kp
Differential Revision: https://reviews.freebsd.org/D51245
Both tests rely on ports 77 and 7777 being available
and thus cannot be run concurrently. This is a temporary
measure to ensure that they don't conflict with each other.
In the future, these should be rewritten to wait until the
necessary ports are available, or deterministically select a
free port instead.
Signed-off-by: Siva Mahadevan <me@svmhdvn.name>
Sponsored by: The FreeBSD Foundation
Pull Request: https://github.com/freebsd/freebsd-src/pull/1790
These test cases are variants of the 4in4 and 6in6 tests wherein the
server interface has an alias assigned and the client is configured to
connect to the alias rather than the primary address.
Reviewed by: kp
MFC after: 1 month
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51499
All of these are passing consistently in the latest CI environment
in 15 back-to-back test runs.
Signed-off-by: Siva Mahadevan <me@svmhdvn.name>
PR: 260458, 260459, 260460, 264805
Sponsored by: The FreeBSD Foundation
Pull Request: https://github.com/freebsd/freebsd-src/pull/1788
Use the standard required_kmods reporting mechanism to notify Kyua of
which kernel modules are required.
MFC after: 2 weeks
Sponsored by: ConnectWise
Reviewed by: Siva Mahadevan <me@svmhdvn.name>
Pull Request: https://github.com/freebsd/freebsd-src/pull/1783
That's not supported:
> /usr/local/lib/python3.11/site-packages/scapy/sendrecv.py:726: SyntaxWarning: 'iface' has no effect on L3 I/O sr1().
Sponsored by: Rubicon Communications, LLC ("Netgate")
The PFNL_CMD_CLR_ADDRS command returns a PF_T_NBR_DELETED, not a PF_TS_NZEO.
Handle this correctly.
While here add a test case to verify we return the expected counts when adding
or flushing addresses to/from a table.
PR: 288353
Sponsored by: Rubicon Communications, LLC ("Netgate")
This function has always been dead. It isn't needed, since ctladm will
automatically load the module, if needed.
MFC after: 2 weeks
Sponsored by: ConnectWise
Previously the googletest tests would skip themselves if /dev/fuse could
not be found. But that information would not be passed to Kyua.
Instead it would think that they had passed. Also, the atf-sh test
would previously fail if the fusefs module weren't loaded. Now both
tests will correctly report their requirements to Kyua.
Note that fusefs's googletest tests still require that the
mac_bsdextended(4) module _not_ be loaded, but Kyua has no way to report
such a requirement.
MFC after: 2 weeks
Sponsored by: ConnectWise
Reviewed by: Siva Mahadevan <me@svmhdvn.name>
Pull Request: https://github.com/freebsd/freebsd-src/pull/1782
The mbuf:inet6_in_mbuf_len test sometimes fails because it encounters
unexpected extra packets. These turn out to be MLD packets, so block these
packets on the host with pf so they don't disturb what we're actually trying
to test.
Reviewed by: igoro
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51408
We failed to verify that the packet was long enough for the provided IPv6 packet
length. This could result in us walking off the end of the mbuf and panicking.
PR: 288224
Reported by: Robert Morris <rtm@lcs.mit.edu>
Tested by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: emaste
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51324
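The check the commit above adds is a general one: an IPv6 header carries a payload length field, and code that walks the payload must confirm the buffer actually holds that many bytes before trusting it. The following is an added example, not the pf code from the commit; it works on a flat byte buffer rather than an mbuf chain, and build_ip6 and the demo_* helpers are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDR_LEN 40

/* Added example, not the pf code from the commit. Before walking the
 * payload, make sure the buffer really holds as many bytes as the IPv6
 * header's payload length field claims. */

/* Returns the payload length that is safe to walk, or -1 if the header is
 * truncated, not IPv6, or claims more payload than the buffer contains.
 * Jumbograms (payload length 0 plus a hop-by-hop jumbo option) are out of scope. */
long ip6_checked_payload_len(const uint8_t *pkt, size_t len)
{
	uint16_t plen;

	if (len < IP6_HDR_LEN)
		return -1;                       /* cannot even read the header */
	if ((pkt[0] >> 4) != 6)
		return -1;                       /* not an IPv6 header */
	plen = (uint16_t)((pkt[4] << 8) | pkt[5]);
	if ((size_t)plen > len - IP6_HDR_LEN)
		return -1;                       /* claimed length exceeds the buffer */
	return plen;
}

/* A consumer that walks the payload (think checksum feeding); it only
 * touches bytes the check approved, so a lying length field cannot push
 * it past the end of the buffer. Returns the byte sum or -1 on rejection. */
long ip6_payload_sum(const uint8_t *pkt, size_t len)
{
	long plen = ip6_checked_payload_len(pkt, len), sum = 0;

	if (plen < 0)
		return -1;
	for (long i = 0; i < plen; i++)
		sum += pkt[IP6_HDR_LEN + i];
	return sum;
}

/* Constructed test packet: the header claims `claimed` payload bytes while
 * the buffer actually carries `actual` bytes (each set to 1). Returns the
 * total buffer length, 0 if it does not fit. Addresses are ::1 -> ::2. */
size_t build_ip6(uint8_t *out, size_t cap, uint16_t claimed, size_t actual)
{
	size_t total = IP6_HDR_LEN + actual;

	if (cap < total)
		return 0;
	memset(out, 0, total);
	out[0] = 0x60;                           /* version 6, class/flow 0 */
	out[4] = (uint8_t)(claimed >> 8);
	out[5] = (uint8_t)claimed;
	out[6] = 17;                             /* next header: UDP */
	out[7] = 64;                             /* hop limit */
	out[8 + 15] = 1;                         /* src ::1 */
	out[24 + 15] = 2;                        /* dst ::2 */
	memset(out + IP6_HDR_LEN, 1, actual);
	return total;
}

/* Scenario helper: payload sum for a packet claiming `claimed` bytes while
 * carrying `actual`; -1 when the packet is rejected. */
long demo_ip6(uint16_t claimed, size_t actual)
{
	uint8_t buf[256];
	size_t n = build_ip6(buf, sizeof buf, claimed, actual);
	return ip6_payload_sum(buf, n);
}

/* Scenario: the header itself is cut short (only 20 of 40 bytes present). */
long demo_ip6_short_header(void)
{
	uint8_t buf[256];
	build_ip6(buf, sizeof buf, 8, 8);
	return ip6_payload_sum(buf, 20);
}
```

A packet whose header claims fewer bytes than the buffer holds is accepted and the trailing bytes are simply ignored; the dangerous direction is only the one the commit fixes, a claim larger than what is present.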
Raw sockets have a separate check for this in rip6_bind() that was
missed in the previous change. This fixes e.g. 'ping -S' using an
anycast address.
Fixes: ca4b046105 ("netinet6: allow binding to anycast addresses")
Reviewed by: tuexen, kevans, des (previous version)
Approved by: kevans (mentor)
Differential Revision: https://reviews.freebsd.org/D50438
In FreeBSD each redirection pool (struct pf_kpool) consists of multiple
hosts (struct pf_addr_wrap). In OpenBSD that is not the case, and a
round-robin pool having a table as a host loops infinitely only over
that single table.
In FreeBSD, once all addresses from a table are returned the pool must
iterate to the next host. Add a custom flag to have pfr_pool_get() break
its loop once it reaches the last index. Use this flag in round-robin
pools. When changing the pool's host, set the index to 0 to always start
iterating each table from the beginning.
Reviewed by: kp
Approved by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D50779