The length of the attribute header needs to be excluded when comparing
the attribute length against the length of the packet. Otherwise,
validation may incorrectly fail when fetching the final attribute in a
message.
Fixes: 8d5c78130 ("libradius: Fix input validation bugs")
Reported by: Peter Eriksson
Tested by: Peter Eriksson
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 6bb5699d2b)
Track (and display) the interface that created a state, even if it's a
floating state (and thus uses virtual interface 'all').
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30245
(cherry picked from commit d0fdf2b28f)
Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the
states list.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244
(cherry picked from commit bc94129147)
Approved by: so
Security: FreeBSD-SA-21:12.libradius
Security: CVE-2021-29629
Sponsored by: The FreeBSD Foundation
(cherry picked from commit e73975dc321a9ccbbbd65b609aa386b187dad2c1)
- Defined MAXLINE constant (8192 octets by default instead 2048) for
centralized limit setting up. It sets maximum number of characters of
the syslog message. RFC5424 doesn't limit maximum size of the message.
Named after MAXLINE in syslogd(8).
- Fixed size of fmt_cpy buffer up to MAXLINE for rendering formatted
(%m) messages.
- Introduced autoexpansion of sending socket buffer up to MAXLINE.
Differential Revision: https://reviews.freebsd.org/D27205
(cherry picked from commit 9bd7345212)
This allows us to kill states created from a rule with route-to/reply-to
set. This is particularly useful in multi-wan setups, where one of the
WAN links goes down.
Submitted by: Steven Brown
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30058
(cherry picked from commit abbcba9cf5)
Usually rule counters are reset to zero on every update of the ruleset.
With keepcounters set pf will attempt to find matching rules between old
and new rulesets and preserve the rule counters.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780
(cherry picked from commit 42ec75f83a)
MAP-E (RFC 7597) requires special care for selecting source ports
in NAT operation on the Customer Edge because a part of bits of the port
numbers are used by the Border Relay to distinguish another side of the
IPv4-over-IPv6 tunnel.
PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468
(cherry picked from commit 2aa21096c7)
While most 64-bit architectures have an assembly implementation of this
file, RISC-V does not. As we now store 8 bytes instead of 4 it should speed
up RISC-V.
Reviewed By: kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D29536
(cherry picked from commit ab147542b7)
While most 64-bit architectures have an assembly implementation of this
file RISC-V does not. As we now copy 8 bytes instead of 4 it should speed
up RISC-V. Using intptr_t instead of int also allows using this file for
CHERI pure-capability code since trying to copy pointers using integer
loads/stores will invalidate pointers.
Reviewed By: kib
Obtained from: CheriBSD (partially)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D29535
(cherry picked from commit 0b4ad01d91)
Allow up to 5 labels to be set on each rule.
This offers more flexibility in using labels. For example, it replaces
the customer 'schedule' keyword used by pfSense to terminate states
according to a schedule.
Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29936
(cherry picked from commit 6fcc8e042a)
When parsing the nvlist for a struct pf_addr_wrap we unconditionally
tried to parse "ifname". This broke for PF_ADDR_TABLE when the table
name was longer than IFNAMSIZ. PF_TABLE_NAME_SIZE is longer than
IFNAMSIZ, so this is a valid configuration.
Only parse (or return) ifname or tblname for the corresponding
pf_addr_wrap type.
This manifested as a failure to set rules such as these, where the pfctl
optimiser generated an automatic table:
pass in proto tcp to 192.168.0.1 port ssh
pass in proto tcp to 192.168.0.2 port ssh
pass in proto tcp to 192.168.0.3 port ssh
pass in proto tcp to 192.168.0.4 port ssh
pass in proto tcp to 192.168.0.5 port ssh
pass in proto tcp to 192.168.0.6 port ssh
pass in proto tcp to 192.168.0.7 port ssh
Reported by: Florian Smeets
Tested by: Florian Smeets
Reviewed by: donner
X-MFC-With: 5c11c5a365
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29962
(cherry picked from commit 402dfb0a8d)
Use ${PICFLAG} rather than hard-adding -fPIC, which removes the
requirement for libnv to be built PIC.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 8403170b3d)
After the migration to libpfctl for rule retrieval we accidentally lost
support for clearing the rules counters.
Introduce a get_clear variant of pfctl_get_rule() which allows rules
counters to be cleared.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29727
(cherry picked from commit 4eabfe468b)
Introduce pfctl_pool to be able to extend the pool part of the pf rule
without breaking the ABI.
Reviewed by: kp
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D29721
(cherry picked from commit 600bd6ce06)
struct pf_rule had a few counter_u64_t counters. Those couldn't be
usefully comminicated with userspace, so the fields were doubled up in
uint64_t u_* versions.
Now that we use struct pfctl_rule (i.e. a fully userspace version) we
can safely change the structure and remove this wart.
Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29645
(cherry picked from commit ab5707a5cf)
Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule.
Now that we use nvlists to communicate with the kernel these structures
can be fully decoupled.
Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644
(cherry picked from commit e9eb09414a)
Build libnv as position independent code so we can use it from shared
libraries.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29561
(cherry picked from commit 0dd13c7743)
- Correct the type of the sysctl value.
- Initialize the oldsize parameter to cap_sysctlbyname()
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 44bbda649d)
This was added in b2ca2e50b9, and serves to provide an initial value
to the PMC, eliminating the need for a second syscall via pmc_set(3).
Reviewed by: gnn, 0mp (manpages)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29885
(cherry picked from commit 50f6c13997)
Found in "Understanding and Detecting Disordered Error Handling with
Precise Function Pairing" by Qiushi Wu et al.
Reviewed by: imp, jhb
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29896
(cherry picked from commit 3cfd08c1c7)
During device destruction it is possible that open() succeed, but
fdevname() return NULL, that can't be assigned to string variable.
Fix that by adding explicit NULL check.
Also while there switch from fdevname() to fdevname_r().
Sponsored by: iXsystems, Inc.
MFC after: 2 weeks
(cherry picked from commit e49d3eb403)
For some reason the ld128 log1pl() implementation is less accurate than
logl(), but does at least guarantee precision >= the ld80 implementation.
Mark log1p_accuracy_tests as XFAIL for ld128 and increase the log1p tolerance
to the ld80 equivalent in accuracy_tests to avoid losing test coverage for
the other functions.
PR: 253984
Reviewed By: ngie, dim
Differential Revision: https://reviews.freebsd.org/D29039
(cherry picked from commit 1ad83445fc)
