The link-level address and the mbuf shall not overlap. Prefer memcmp()
over bcmp() for slight performance gain.
No functional change intended.
Reviewed by: glebius
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D52345
(cherry picked from commit 51098f0529f0d1cc532512e0eae9bfcffb8e68e4)
This ensures other threads, e.g. ioctl threads, see the correct counter
routine once after the interface has been attached.
This change partially reverts commit 23ac9029f9, which for unclear
reasons moved setting the get counter routine after ether_ifattach().
Reviewed by: kbowling, kgalazka, #iflib
Fixes: 23ac9029f9 Update iflib to support more NIC designs
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D50712
(cherry picked from commit ae7f8da8bf6ed0c4f0e9f0e95ae2b08abce54378)
Upgrading from 14.x to 15.x with freebsd-update broke because libc
depends on the new libsys library; freebsd-update installed the new
libc before creating libsys, and every step after that failed because
all the tools (including gunzip and install) are dynamically linked
and need a working libc.
Enforce ordering when installing shared objects: First libsys, then
libc, then libthr, and then all the rest of the shared object files.
This is a candidate for an Errata Notice since the issue this fixes
breaks upgrades.
PR: 289769
Reported by: Graham Perrin
Reviewed by: kib
MFC after: 3 days
Sponsored by: https://www.patreon.com/cperciva
Differential Revision: https://reviews.freebsd.org/D52688
Approved by: so
Security: FreeBSD-EN-25:18.freebsd-update
(cherry picked from commit 7ece602e00e85195fc426a2401c49921cd39735e)
(cherry picked from commit e26928669f39c8683aea74040b9e2472e944c43a)
Commit 197997a broke handling of the offset
arguments to copy_file_range() when specified non-NULL.
The code fails to update the offsets and, as such, a loop like:
	do {
		len = copy_file_range(infd, &inpos, outfd, &outpos,
		    SSIZE_MAX, 0);
	} while (len > 0);
becomes an infinite loop, just doing the same copy over and
over again.
This patch fixes it.
The clause "(foffsets_locked || foffsets_set)" in the if is not
actually needed for correctness, but I thought it made the code
a little more readable and might avoid some static
analyzer from throwing a "used before being set" for
the savinoff and savoutoff variables.
Approved by: so
Security: FreeBSD-EN-25:16.vfs
(cherry picked from commit 4046ad6bb0ee542a42d89a48a7d6a56564ed7f33)
(cherry picked from commit 2fd0083fcc23f4c25860b8890292448720a5961c)
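The failure mode described in the copy_file_range() message above, as an added example that is not part of the commit or of FreeBSD: a caller-side copy loop that refuses to continue when a call reports progress without moving both offsets. The names cfr_good, cfr_stale, copy_all and the SIM_* constants are hypothetical, and the two stubs are constructed stand-ins for copy_file_range() so the behaviour can be shown without an affected kernel.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>

/* Same signature as copy_file_range(2), so constructed stubs can stand in for it. */
typedef ssize_t (*cfr_fn)(int, off_t *, int, off_t *, size_t, unsigned int);

#define SIM_FILE_SIZE 10000 /* constructed: size of the simulated input file */
#define SIM_CHUNK 4096      /* constructed: most bytes moved by one call */

static size_t sim_len(off_t inoff, size_t len) {
    size_t left = inoff < SIM_FILE_SIZE ? (size_t)(SIM_FILE_SIZE - inoff) : 0;
    if (len > left) len = left;
    return len > SIM_CHUNK ? SIM_CHUNK : len;
}

/* Stub with correct semantics: both offsets advance by the bytes copied. */
ssize_t cfr_good(int ifd, off_t *in, int ofd, off_t *out, size_t len, unsigned fl) {
    (void)ifd; (void)ofd; (void)fl;
    size_t n = sim_len(*in, len);
    *in += (off_t)n; *out += (off_t)n;
    return (ssize_t)n;
}

/* Stub modelling the regression: data is "copied" but offsets stay unchanged. */
ssize_t cfr_stale(int ifd, off_t *in, int ofd, off_t *out, size_t len, unsigned fl) {
    (void)ifd; (void)ofd; (void)out; (void)fl;
    return (ssize_t)sim_len(*in, len);
}

/* Copy until EOF. Returns total bytes, or -1 with errno = EIO when a call
 * returns len > 0 but either offset did not advance by exactly len. */
ssize_t copy_all(cfr_fn cfr, int infd, int outfd, off_t *inpos, off_t *outpos) {
    ssize_t len, total = 0;
    do {
        off_t in0 = *inpos, out0 = *outpos;
        len = cfr(infd, inpos, outfd, outpos, (size_t)1 << 20, 0);
        if (len > 0 && (*inpos != in0 + len || *outpos != out0 + len)) {
            errno = EIO; /* without this check the loop would never end */
            return -1;
        }
        if (len > 0) total += len;
    } while (len > 0);
    return len < 0 ? -1 : total;
}

int main(void) {
    off_t i = 0, o = 0;
    return copy_all(cfr_good, -1, -1, &i, &o) == SIM_FILE_SIZE ? 0 : 1;
}
```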
If the syscall muxes are used, up to two additional arguments
may be required. This means that the 8 required for mmap increases
up to 10 (for __syscall).
Sponsored by: Juniper Networks, Inc.
Approved by: so
Security: FreeBSD-EN-25:15.arm64
(cherry picked from commit 740b879c6ade531adebeba7cd2f261bbe650797f)
(cherry picked from commit 17d87881a363c160e7e8cdb252d0261214c1a50b)
This will be useful in an upcoming change. No functional change
intended.
Reviewed by: jamie
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51524
(cherry picked from commit 748a4ea1caffca48c4949d5a7b964853c44fbdae)
Since there are multicast and broadcast specific error counters,
use them.
Reviewed by: rrs
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51869
(cherry picked from commit 0312f80349eedfc2b0d2f24b4fd073795148d3d5)
When reflecting a packet, use an offset of 0 and clear all three bits,
in particular the DF bit.
PR: 288558
Reviewed by: markj, zlei
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51991
(cherry picked from commit b9a2d84b1bf7f9cf556e2f0b68023d5af8362797)
If a blind attacker wants to guess by sending ACK segments if there
exists a TCP connection, this might trigger a challenge ACK on an
existing TCP connection. To make this hit non-observable for the
attacker, also increment the global counter, which would have been
incremented if it would have been a non-hit.
This issue was reported as issue number 11 in Keyu Man et al.:
SCAD: Towards a Universal and Automated Network Side-Channel
Vulnerability Detection
Reviewed by: Nick Banks, Peter Lei
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51724
(cherry picked from commit f0f6e50388963cae44bb92bb69ed7a1135dd2eec)
It is not used anymore...
Reviewed by: rscheff, Peter Lei
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D50900
(cherry picked from commit 124120d44ba23ccc44144f9fc48d35818c660dc1)
The sysctl-variable net.inet.tcp.blackhole_local should affect
TCP segments from an IPv6 address of the local host, not of a host
on the local area network.
Thanks to cc@ for pointing me to the issue.
Reviewed by: cc
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D50828
(cherry picked from commit de8fb1b3835758998a53d772deeebcdb71bbb823)
The sysctl-variable net.inet.udp.blackhole_local should affect
UDP packets from an IPv6 address of the local host, not of a host on
the local area network.
Thanks to cc@ for pointing me to the issue.
Reviewed by: cc
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D50829
(cherry picked from commit 16587f60a69820f1a319644da4ec1a40efbcbdf0)
The sysctl-variable net.inet.tcp.nolocaltimewait should affect
TCP connections where the remote endpoint is on the local host and
not on the local area network.
Reported by: cc
Reviewed by: cc
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D50830
(cherry picked from commit 49eabd405f661fa3a9f0a005c2e54dc4cad07e48)
This commit restores if_bpfmtap and if_etherbpfmtap functions, and
implements them as wrappers around bpf_mtap_if and ether_bpf_mtap_if
functions.
Fixes: bceb9c2f2b19
Sponsored by: Juniper Networks, Inc.
Summary:
These came in the original DrvAPI commits in 2014, and are obsoleted by
bpf_mtap_if() and ether_bpf_mtap_if(). The `_if` suffix, rather than
prefix, conveys that it's operating on the bpf of the interface, rather
than the interface itself.
Reviewed by: glebius
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41146
(cherry picked from commit 2a3716432d209c5fef1eb1a719f4c1914e7c8b5a)
Include opt_inet.h and opt_inet6.h early in the files including
virtio_net.h, since they use INET and/or INET6.
While there, remove redundant inclusion of sys/types.h, since it is
included already by sys/param.h.
There was a discussion to include opt_inet.h and opt_inet6.h also
in virtio_net.h. glebius suggested to add a mechanism for files
to check if required opt_*.h files were included. virtio_net.h
will be the first consumer of this mechanism.
Reviewed by: glebius, Peter Lei
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52046
(cherry picked from commit 3077532b1bb2911d3012ee90bae9d9499c960569)
If a client changes its IP address, notify userspace of this.
The UDP filtering function supplies the remote IP address, so we check if the
address changed there. If so, we tag the packet with the new address. Once the
packet is decrypted (and as part of that, has had its signature checked) we
can commit to the address change. Take the write lock and notify userspace of
the change.
Reviewed by: markj
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51468
(cherry picked from commit 9c52600a5a150117b4396df3b868cf2516e1674c)
When we parse an nvlist sockaddr we should set the sockaddr_in(6)'s length
field. This isn't currently used by anything yet, but it's reasonable to expect
a sockaddr to contain its length.
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit e83df5367d30761803e09bd7fcf518638dfe43d2)
An if_ovpn interface carries a reference to a socket, which has a
credential reference, which holds a reference on the containing prison
and prevents SYSUNINITs from being invoked. So, register a
PR_METHOD_REMOVE callback and destroy the cloner from there instead,
since that mechanism doesn't require the prison refcount to drop to zero
first.
This fixes a bug where jails get left stuck in the DYING state after
running if_ovpn regression tests.
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51526
(cherry picked from commit 96b29c7f0cffd377a757ad8ccc0cdd8fcb96d0dd)
Add an optional "vlan <n>" argument to the bridge static and deladdr
commands to allow addresses to be added to / removed from a particular
vlan. No changes to if_bridge are required as the kernel API already
supports this, it just wasn't exposed in ifconfig.
Add tests for the new functionality, and improve the test for the
existing "static" command.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D51243
(cherry picked from commit 3650722abf2922893540361a1369b54abc5ff8d2)
When reinstalling FreeBSD, bsdinstall reported "There are multiple
FreeBSD EFI boot entries." This sounds like something went wrong in the
past. Clarify that there may be only one existing entry, which is not
surprising for a reinstall.
Reviewed by: manu, ziaee
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51527
(cherry picked from commit ebc6ff8db17683b566d49fe89a43a668d3d67915)
According to zfsprops(7), the canonical property for the compression
algorithm is "compression", with "compress" accepted as an alternate
name. Use the canonical name in bsdinstall.
While here, change "lz4" to "on" so we pick up any future changes in
the default compression algorithm.
MFC after: 1 week
Reviewed by: delphij
Differential Revision: https://reviews.freebsd.org/D51572
(cherry picked from commit 16045420e7f83489ecd5e2163aa9bb11236962f5)
This is like get_val() but takes an ether_vlanid_t* and ensures the
value is a valid VLAN ID. This avoids redundant comparisons and
casting when parsing VLAN IDs.
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D51548
(cherry picked from commit 287a5fdcd3c941ce73705c664b5df4932ba3bad4)
Add a new type of command, DEF_CMD_VARG, which takes an (argc, argv)
pair instead of a fixed number of arguments. This allows commands
to do their own argument parsing and accept a variable number of
arguments.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D51243
(cherry picked from commit 7d4a177efc653bc60a496ba0adf5cb4e0560fa07)
Make sure that only a CA without a CRL is being reported.
1. CRL verification takes place when provided. As OpenSSL
assumes that hidden CRLs may exist but a distribution point
is not mandatory there is no definitive truth about the matter.
OpenSSL makes no effort to bridge this gap.
2. CRLs are anchored in the CA that is signing the certificate
underneath so printing when that check fails because no CRL
was provided is enough.
and the macro EN_SWABIPS.
The macro EN_SWABIPS is identical to IFF_LINK0 (also historically
IFF_LLC0) and we already have the parameter link0 to toggle IFF_LINK0.
These were inherited from 386BSD 0.1 and have never been used since
the very first FreeBSD release.
Reviewed by: adrian, #network
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D51368
(cherry picked from commit 8632e4e73a6934f3f9996a18932e36b04e6a3faf)
Remove an always-false check for whether the request has already
completed before sleeping. Even if the request is complete, the
response tag is updated while holding the channel lock, which is also
held here.
No functional change intended.
Sponsored by: Klara, Inc.
(cherry picked from commit 28c9b13b236d25512cfe4e1902411ff421a14b64)