Dimitry Andric [Thu, 26 Aug 2021 15:36:03 +0000 (17:36 +0200)]
Add -Wno-error=unused-but-set-variable when building with Clang 13+
This warning triggers many times while building world. Downgrade it to a
warning until all occurrences have been fixed. Once the Clang warnings
have been fixed we should be able to turn it on for GCC as well. See
also f4fed768bba45a406f73ed1491d7e52fd1a8711d which did the same for the
kernel builds.
tag2name() returns a uint16_t, so we don't need to use uint32_t for the
qid (or pqid). This reduces the size of struct pf_kstate slightly. That
in turn buys us space to add extra fields for dummynet later.
Happily these fields are not exposed to user space (there are user space
versions of them, but they can just stay uint32_t), so there's no ABI
breakage in modifying this.
When we're synproxy-ing a connection that's going to us (as opposed to a
forwarded one) we wound up trying to send out the pf-generated tcp
packets through pf_intr(), which called ip(6)_output(). That doesn't
work all that well for packets that are destined for us, so in that case
we must call ip(6)_input() instead.
Alexander Motin [Wed, 18 Aug 2021 21:11:03 +0000 (17:11 -0400)]
geli(8): Do not report error on resize to the same size.
Just validate the old metadata and exit. Originally the check was
added to not thash the only copy of metadata, but we can achieve the
same just by skipping the writing/trashing. The metadata validation
should protect user from wrongly specifying new size instead of old.
Mark Johnston [Tue, 30 Jun 2020 15:56:54 +0000 (15:56 +0000)]
Remove CRYPTO_TIMING.
It was added a very long time ago. It is single-threaded, so only
really useful for basic measurements, and in the meantime we've gotten
some more sophisticated profiling tools.
Alexander Motin [Thu, 2 Sep 2021 22:11:58 +0000 (18:11 -0400)]
bnxt(4): Fix bugs in WOL support.
Before this change driver reported IFCAP_WOL_MAGIC enabled, but not
supported. It caused errors on some SIOCSIFCAP calls. Instead
report the support if hardware supports WOL, and enabled status if
it has such filter installed on boot.
Also bnxt_wol_config() should check WOL status in if_getcapenable(),
not in if_getcapabilities() to get current one.
Because lld 13 and higher default to garbage collecting start/stop
symbols when using --gc-sections, the linker sets used in the i386 boot
loaders will disappear. This leads to the loaders not recognizing any
commands, and failure to boot.
Until we have a good set of linker scripts for the loaders, work around
it by disabling the start-stop-gc feature.
Ed Maste [Tue, 31 Aug 2021 19:30:50 +0000 (15:30 -0400)]
openssh: simplify login class restrictions
Login class-based restrictions were introduced in 5b400a39b8ad. The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926.
During an attempt to upstream the work a much simpler approach was
suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.
Test prioritisation and dummynet queues.
We need to give the pipe sufficient bandwidth for dummynet to work.
Given that we can't rely on the TCP connection failing alltogether, but
we can measure the effect of dummynet by imposing a time limit on a
larger data transfer.
If TCP is prioritised it'll get most of the pipe bandwidth and easily
manage to transfer the data in 3 seconds or less. When not prioritised
this will not succeed.
Kristof Provost [Fri, 21 May 2021 09:14:34 +0000 (11:14 +0200)]
netpfil tests: Basic dummynet pipe test
Test dummynet pipes (i.e. bandwidth limitation) with ipfw. This is put
in the common tests because we hope to add dummynet support to pf in the
near future.
Kristof Provost [Tue, 20 Aug 2019 14:31:22 +0000 (14:31 +0000)]
netpfil tests: Add the set ToS test for ipfw and pf
This test tests the following:
- The firewall is able to set the tos bits
- The firewall is able to set the DSCP bits when EN bits is already set and
the EN bits remains unchanged.
- The firewall is able to drop the packets based on ToS value
Tom Jones [Mon, 5 Aug 2019 11:47:34 +0000 (11:47 +0000)]
Add common firewall test suite
Add a common test suite for the firewalls included in the base system. The test
suite allows common test infrastructure to test pf, ipfw and ipf firewalls from
test files containing the setup for all three firewalls.
Add the pass block test for pf, ipfw and ipf. The pass block test checks the
allow/deny functionality of the firewalls tested.
Kristof Provost [Tue, 25 May 2021 14:54:32 +0000 (16:54 +0200)]
ipfw: Introduce dnctl
Introduce a link to the ipfw command, dnctl, for dummynet configuration.
dnctl only handles dummynet configuration, and is part of the effort to
support dummynet in pf.
/sbin/ipfw continues to accept pipe, queue and sched commands, but these can
now also be issued via the new dnctl command.
Guinan Sun [Thu, 9 Jul 2020 08:00:33 +0000 (08:00 +0000)]
ixgbe: cleanup spelling mistakes in comments
Several functions in the driver code have a weird function comment
formatting which uses two spaces instead of only one space for the main
function body.
This formatting will be mechanically fixed by sed in a future patch, but
doing so leads to some spelling warnings on that patch. Cleanup the
spelling mistakes that will be detected first. This way, it is easier to
verify the mechanical transformation done by sed in the following patch.
Guinan Sun [Thu, 9 Jul 2020 08:00:35 +0000 (08:00 +0000)]
ixgbe: move increments after evaluations
The retry variable was being incremented before it was evaluated by the
subsequent conditional against the maximum retries to figure out which
message to print. So we'll move the increment op to the end.
Xiaoyun Li [Mon, 17 Sep 2018 09:28:12 +0000 (17:28 +0800)]
ixgbe: update X550 SFP identification
Use ixgbe_identify_sfp_module_X550em to update SFP identification
flow. ixgbe_identify_sfp_module_X550em includes specific checks for
X550 about supported SFP modules.
Ashijeet Acharya [Fri, 24 May 2019 09:30:15 +0000 (11:30 +0200)]
ixgbe: wait for link after copper MAC setup
After setting up the link on x552/X557-AT 10GBASE-T NICs, sometimes the
link does not get set up properly and as a result all the subsequent
calls to ixgbe_check_link() from ixgbe_dev_link_update_share() fail.
Introduce a delay time of 1s in ixgbe_setup_mac_link_t_X550em() before
beginning to set up the external PHY link speed to ensure that the
controller can acquire the link.
Guinan Sun [Thu, 9 Jul 2020 08:00:40 +0000 (08:00 +0000)]
ixgbe: initialize data field in struct buffer
While sending request using ixgbe_hic_unlocked() the data field in
buffer struct is not used. It is set when the struct is overwritten by
FW to deliver the response. To not pass random data to FW the whole
structure should be zeroed before use.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka@intel.com> Signed-off-by: Piotr Pietruszewski <piotr.pietruszewski@intel.com> Signed-off-by: Guinan Sun <guinanx.sun@intel.com> Reviewed-by: Wei Zhao <wei.zhao1@intel.com>
Approved by: imp
Obtained from: DPDK (40543be5376ca415b2a7e196315d0555725b8bdf)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D31621
Guinan Sun [Thu, 9 Jul 2020 08:00:30 +0000 (08:00 +0000)]
ixgbe: fix x550em 10G NIC link status
With the NVM image for x550em XFI will not report
the auto-negotiation feature correctly. The auto-negotiation
should be "No" for supports and advertised items.
At the same time update speed makes it support 1G and 10G.
Matthew Smith [Mon, 16 Jul 2018 16:36:04 +0000 (11:36 -0500)]
ixgbe: wait longer for link after fiber MAC setup
After setting up the link on a fiber port, the maximum wait time for
the link to come up is 500 ms in ixgbe_setup_mac_link_multispeed_fiber().
On an x550 SFP+ port, this is often not sufficiently long for the link
to come up. This can result in never being able to retrieve accurate
link status for the port using rte_eth_link_get_nowait().
Increase the maximum wait time in ixgbe_setup_mac_link_multispeed_fiber()
to 1 s.
Guinan Sun [Thu, 9 Jul 2020 08:00:41 +0000 (08:00 +0000)]
ixgbe: improve log about autoneg being disabled
On ESXi OS, when user disables auto negotiation, the following log
appears: "(unsupported) Flow control autoneg is disabled".
It is true that auto negotiation is disabled but it is
not necessarily true that it is not supported.
Guinan Sun [Thu, 9 Jul 2020 08:00:31 +0000 (08:00 +0000)]
ixgbe: fix infinite recursion on PCIe link down
In some corner cases the functions ixgbe_clear_rar_generic and
ixgbe_clear_vmdq_generic may call one another leading to infinite
recursion.
When ixgbe_clear_vmdq_generic is called with IXGBE_CLEAR_VMDQ_ALL
flag, it's going to clear MPSAR registers, and proceed to call
ixgbe_clear_rar_generic, which in turn will clear the RAR registers,
and recursively call back ixgbe_clear_vmdq_generic. Normally, the
latter would detect that MPSAR registers have already been cleared
and terminate the recursion.
However, when PCIe link is down, and before the driver has had the
opportunity to shut itself down, all register reads return 0xFFFFFFFF,
and all register writes fail silently. In such case, because
ixgbe_clear_vmdq_generic blindly assumes that clearing MPSAR registers
succeeded, it's going to always call ixgbe_clear_rar_generic, which
in turn will always call back ixgbe_clear_vmdq_generic, creating
infinite recursion.
This patch re-reads MPSAR register values after they had been cleared.
In case of PCIe link failure, the values read will be non-zero, which
will terminate the recursion. On the other hand, under normal
circumstances the value read from MPSAR registers is going to be equal
to the value previously written, so this patch is expected not to cause
any regressions.
Simon Ellmann [Thu, 17 Dec 2020 17:14:52 +0000 (18:14 +0100)]
ixgbe: clear all queues on VF reset
ixgbe devices support up to 8 Rx and Tx queues per virtual function.
Currently, the registers of only seven queues are set to default when
resetting a VF.
Cy Schubert [Thu, 12 Aug 2021 13:38:21 +0000 (06:38 -0700)]
wpa: Add wpa_cli action file event
Yang Zhong at FreeBSD Foundation is working on a wireless network
configuratior for an experimental FreeBSD installer. The new installer
requires an event to detect when connecting to a network fails due to a
bad password. When this happens a WPA-EVENT-TEMP-DISABLED event is
triggered. This patch passes the event to an action file provided by
the new experimental installer.
Submitted by: Yang Zhong <yzhong () freebsdfoundation.org>
Reviewed by: assumed to be reviewed by emaste (and cy)
Cy Schubert [Wed, 2 Jun 2021 19:46:02 +0000 (12:46 -0700)]
wpa: Fix a SIGBUS error in wpa_sm_set_rekey_offload
Incorrectly linked built-in wpa functions resulted in overwriting
sm->ctx->set_rekey_offload with garbage. It was initialized correctly
however it changed after wpa_supplicant became a daemon.
No SIGBUS violations reported by dhw@ were experienced during testing
of the original commit by msyelf or philip@.
Cy Schubert [Thu, 20 May 2021 21:28:17 +0000 (14:28 -0700)]
wpa: Restructure wpa build
The current WPA build assumes a flat namespace. However the latest sources
from w1.fi now have a duplicate config.c, in two separate subdirectories.
The flat namespace will overwrite config.o with the output from the most
recently modified config.c, of which there are two of them.
This commit resolves this problem by building each component in
wpa's src subdirectory tree into its own .a archive, just as the w1.fi
upstream build as used by the port does. The advantages of this approach
are:
1. Duplicate source file names, i.e. config.c in the wpa_supplicant
direcory and another config.c in src/utils in the next wpa
will result in both compiles writing to the same .o file.
2. This restructure simplifies maintanence. A develper needs only to add
new files as identified by git status in the vendor branch to the
appropriate Makefile within the usr.sbin/wpa tree. This also reduces
time required to prepare a new import and should reduce error.
3. The new wpa build structure more closely represents the build as
performed by the upstream tarball.
This is in preparation for the next wpa update from w1.fi.
Reviewed by: philip
Tested by: philip
MFC after: 2 months
Differential Revision: https://reviews.freebsd.org/D30372
To fix, discard both positive and negative vhid values in
in_aifaddr_ioctl, if carp(4) is not loaded. This prevents NULL pointer
dereference and kernel panic.
Warner Losh [Wed, 11 Aug 2021 16:59:28 +0000 (10:59 -0600)]
stand: Add MK_PIE=no to defs.mk
There's no need to build both pie and non-pie .o's for stand. There's
some other build thing with MK_BEAR_SSL=yes and/or MK_LOADER_VERIEXEC=yes
that causes the pie build to fail that the 'ar' stage now. Since we don't
need the PIE stuff and the non-PIE stuff, disable PIE for the boot loader.
Warner Losh [Thu, 10 Jun 2021 00:10:12 +0000 (18:10 -0600)]
mk: WITH_FOO=no now generates a warning
Many people are used to gnu configure's behavior of changing
--with-foo=no to --without-foo. At the same time, several folks have
WITH_FOO=no in their config files to enable this ironic form of the
option because of an old meme from IRC, a mailing list or the forums (I
forget which). Add a warning to allow to alert people w/o breaking POLA.
Warner Losh [Wed, 28 Jul 2021 19:47:05 +0000 (13:47 -0600)]
genoffset: simplify and rewrite in sh
genoffset used the fully generic ASSYM macro to generate the offsets
needed for the thread_lite structure. However, since these are offsets
into a structure, they will always be necessarily small and positive. As
such, just create a simple character array of the right size and use a
naming convention such that we can recover the field name, structure
name and type. Use nm -t d and sort -n to sort these into order, then
loop over the resutls to generate the thread_lite structure.
John Hood [Wed, 28 Jul 2021 19:43:02 +0000 (13:43 -0600)]
loader: support.4th resets the read buffer incorrectly
Large nextboot.conf files (over 80 bytes) are not read correctly by the
Forth loader, causing file parsing to abort, and nextboot configuration
fails to apply.
Simple repro:
nextboot -e foo=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
shutdown -r now
That will cause the bug to cause a parse failure but shouldn't otherwise
affect the boot. Depending on your loader configuration, you may also
have to set beastie_disable and/or reduce the number of modules loaded
to see the error on a small console screen. 12.0 or CURRENT users will
also have to explicitly use the Forth loader instead of the Lua loader.
The error will look something like:
Warning: syntax error on file /boot/loader.conf.local
foo="xxxxxxxxxxxxxxnextboot_enable="YES"
^
/boot/support.4th has crude file I/O buffering, which uses a buffer
'read_buffer', defined to be 80 bytes by the 'read_buffer_size'
constant. The loader first tastes nextboot.conf, reading and parsing
the first line in it for nextboot_enable="YES". If this is true, then
it reopens the file and parses it like other loader .conf files.
Unfortunately, the file I/O buffering code does not fully reset the
buffer state in the reset_line_reading word. If the last file was read
to the end, that doesn't matter; the file buffer is treated as empty
anyway. But in the nextboot.conf case, the loader will not read to the
end of file if it is over 80 bytes, and the file buffer may be reused
when reading the next file. When the file is reread, the corrupt text
may cause file parsing to abort on bad syntax (if the corrupt line has
<>2 quotes in it), the wrong variable to be set, no variable to be set
at all, or (if the splice happens to land at a line ending) something
approximating normal operation.
The bug is very old, dating back to at least 2000 if not before, and is
still present in 12.0 and CURRENT r345863 (though it is now hidden by
the Lua loader by default).
Suggested one-line attached. This does change the behavior of the
reset_line_reading word, which is exported in the line-reading
dictionary (though the export is not documented in loader man pages).
But repo history shows it was probably exported for the PNP support
code, which was never included in the loader build, and was removed 5
months ago.
One thing that puzzles me: how has this bug gone unnoticed/unfixed for
nearly 2 decades? I find it hard to believe that nobody's tried to do
something interesting with nextboot, like load a kernel and filesystem,
which is what I'm doing.
The behavior remains the same, but lualoader now uses the more concise
verbiage that forthloader used. This is particularly important because
the previous line would exceed the right boundary of the menu and run
straight into space that would typically be allowed for the logo.
This makes it slightly easier to port logos from forthloader to
lualoader.
Colin Percival [Fri, 27 Aug 2021 00:54:53 +0000 (17:54 -0700)]
Add support for recording EC2 AMI Ids in SSM
If SSMPREFIX is specified, AMI Ids will be recorded in the SSM
Parameter Store under the name
${SSMPREFIX}/${ARCH}/${FLAVOUR}/${ROOTFS}/${REVISION}/${BRANCH}
where ARCH is "amd64" or "arm64", FLAVOUR is "base" (but may have
other options in the future), ROOTFS is "ufs" (but may have other
options in the future), and REVISION and BRANCH have their normal
meanings.
FreeBSD will be using the public prefix "/aws/service/freebsd",
resulting in SSM Parameter names which look like
/aws/service/freebsd/amd64/base/ufs/14.0/CURRENT
pf: ensure states passed to pf_free_state() are always unlinked
In pf_create_state() we can end up deleting the state immediately. This
can happen if we fail to map the relevant addresses or fail
normalization or fail to insert it into the state table.
If that happens we delete the state again with pf_free_state(). However,
this asserts that the state must be unlinked.
It's correct to simply set the state to PFTM_UNLINKED because we've not
yet linked it.
Martin Matuska [Mon, 23 Aug 2021 00:54:15 +0000 (02:54 +0200)]
libarchive: import changes from upstream
Libarchive 3.5.2
New features:
PR #1502: Support for PWB and v7 binary cpio formats
PR #1509: Support of deflate algorithm in symbolic link decompression
for ZIP archives
Important bugfixes:
IS #1044: fix extraction of hardlinks to symlinks
PR #1480: Fix truncation of size values during 7zip archive
extraction on 32bit architectures
PR #1504: fix rar header skiming
PR #1514: ZIP excessive disk read - fix location of central directory
PR #1520: fix double-free in CAB reader
PR #1521: Fixed leak of rar before ending with error
PR #1530: Handle short writes from archive_write_callback
PR #1532: 7zip: Use compression settings from file also for file header
IS #1566: do not follow symlinks when processing the fixup list
Ed Maste [Thu, 2 Sep 2021 00:23:40 +0000 (20:23 -0400)]
openssh: clarify krb5 use in freebsd-configure
freebsd-configure.sh runs configure twice, --with-kerberos5 and
--without-kerberos5, in order to build a config.h that defaults to
kerberos5 disabled, and a small config file that represents the
differences.
Rename config.h.orig to config.h.kerberos5 to clarify the intent of this
script.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
to change a state's state (that term is overloaded in pf, protocol state
like ESTABLISHED for tcp here), don't do it directly, but go through a newly
introduced pf_set_protostate()
Alexander Motin [Tue, 31 Aug 2021 17:34:48 +0000 (13:34 -0400)]
nvme(4): Add MSI and single MSI-X support.
If we can't allocate more MSI-X vectors, accept using single shared.
If we can't allocate any MSI-X, try to allocate 2 MSI vectors, but
accept single shared. If still no luck, fall back to shared INTx.
This provides maximal flexibility in some limited scenarios. For
example, vmd(4) does not support INTx and can handle only limited
number of MSI/MSI-X vectors without sharing.
projects / FreeBSD / FreeBSD.git / log