When the interface does not exist avoid passing host with special pf
modifiers to DNS resolution as they come up empty anyway.
Reviewed by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35429
(cherry picked from commit 28b64169ea)
pass inet proto icmp icmp-type {unreach}
pass route-to (if0 127.0.0.1/8) sticky-address inet
The wrong struct was being tested. The parser tries to prevent
"sticky-address sticky-address" syntax but was actually cross-rule
enforcing that ICMP filter cannot be before the use of "sticky-address"
in next rule.
MFC after: 2 weeks
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D36050
(cherry picked from commit 1e73fbd8b2)
Replace ppp(4) removed since FreeBSD 8.0-RELEASE with vlan(4).
While here, remove commented out reference to non-existing "egress"
interface group hiding since initial import of interface groups
from OpenBSD in 2006.
(cherry picked from commit 3c9ad9398f)
The type of the kern.maxphys sysctl OID is now ulong. Change the
local variable type to match.
Reviewed by: delphij, emaste
Sponsored by: Dell EMC Isilon
(cherry picked from commit 9990450e17)
It may not be known at compile time so we should detect it at run time.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35118
(cherry picked from commit ea578b34cb)
If the "intr" and/or "soft" mount options are used for
NFSv4 mounts, the protocol can be broken when the
operation returns without waiting for the RPC reply.
The likelihood of failure increases for NFSv4.1/4.2
mounts, since the session slot will be broken when
an RPC reply is not processed.
This is mentioned in the BUGS section of "man mount_nfs",
but there was no specific mention of the session slot
problem. This patch adds a sentence for this case.
PR: 260011
(cherry picked from commit aba7a81ab7)
If the "intr" and/or "soft" mount options are used for
NFSv4 mounts, the protocol can be broken when the
operation returns without waiting for the RPC reply.
The likelihood of failure increases for NFSv4.1/4.2
mounts, since the session slot will be broken when
an RPC reply is not processed.
This is mentioned in the BUGS section of "man mount_nfs",
but more needs to be done. This patch adds code that
generates a warning message when the mount is done.
PR: 260011
(cherry picked from commit c0d14b0220)
Jails without VNET have complete access to the ipfilter rules, NAT,
pools and logs. This is insecure. Only allow jails to manipulate
ipfilter rules, NAT tables and ippools if the jail has its own VNET.
Otherwise a jail can affect the global system.
This patch brings ipfilter in line with ipfw's support of VNET jails and
non-support of non-VNET jails.
(cherry picked from commit c47db49ba4)
By analogy with IP address matching, add a way to use ipfw radix
tables for MAC matching. This is implemented using new ipfw table
with mac:radix type. Also there are src-mac and dst-mac lookup
commands added.
Usage example:
ipfw table 1 create type mac
ipfw table 1 add 11:22:33:44:55:66/48
ipfw add skipto tablearg src-mac 'table(1)'
ipfw add deny src-mac 'table(1, 100)'
ipfw add deny lookup dst-mac 1
Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw
filtering on L2.
Reviewed by: melifaro
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103
(cherry picked from commit 81cac3906e)
When growing a UFS/FFS filesystem, the size of the summary information
may expand into additional blocks. These blocks must be removed from
fs_dsize which records the number of blocks in the filesystem that can
be used to hold filesystem data.
While here also update the fs_old_dsize and fs_old_size fields for
compatibility with kernels that were compiled before the addition
of UFS2.
(cherry picked from commit 2049cc3218)
Honor -q parameter and do not display any warning messages when -q is
specified.
Approved by: dfr
MFC after: 2 weeks
Sponsored by: Resulta, s.r.o.
Differential Revision: https://reviews.freebsd.org/D35511
(cherry picked from commit ad0a7ea650)
"ifconfig -g groupname" prints a list of interface names,
which could be confusing, because it differs from
the behavior of "ifconfig -a -g groupname".
While here, add two examples showing the difference between
"ifconfig -a -g groupname" and "ifconfig -g groupname".
Fixes: 0dad3f0e15 Import interface groups from OpenBSD.
MFC after: 2 weeks
(cherry picked from commit 4d91c53a78)
This reference has been present in the manual page since the initial
import of BSD 4.4 Lite sbin Sources. It's time for it to be removed.
MFC after: 2 weeks
(cherry picked from commit e57f6630d9)
Support for Xeros Network Systems seems to be long gone. There is no
reason to keep this in the manual page.
MFC after: 2 weeks
(cherry picked from commit 1969cc7bdc)
Commands like "ifconfig wlan0 up" are valid. There is no need to always
specify the address family.
MFC after: 2 weeks
(cherry picked from commit 2cd28d6f9b)
Also, move the description of the special case of "ifconfig -l ether" to
the description of the -l flag.
MFC after: 2 weeks
(cherry picked from commit ad8cac1229)
- Remove extraneous examples
- Apply "-compact" to the list macros so that it is possible to fit the
definitions of the types and formats in one terminal screen.
MFC after: 2 weeks
(cherry picked from commit 39da6db9bc)
This change is about moving the -f documentation into the right place in
the manual. Also, document the IFCONFIG_FORMAT variable in the
ENVIRONMENT section.
MFC after: 2 weeks
(cherry picked from commit f4f02fa1e3)
In order to clean up the layout of the manual page, let's keep
parameters in the end of the DESCRIPTION section. This patch does not
change any content, it's meant to only move the content around before
refactoring.
MFC after: 2 weeks
(cherry picked from commit f15eed7c2a)
The new '-L' flag will cause savecore to invoke the new mem(4) kernel
dump ioctl, taking a dump of the running system and writing the result
to a temporary file. Validation of the dump header is performed, similar
to regular crash dumps, and the final result is written to
livecore.X[.zst|.gz].
Also added is the '-Z' flag, which instructs the kernel to compress the
livedump compressed with zstd, akin to the existing -z flag. This option
has no effect in normal savecore(8) operation, but in theory could be
extended to perform such compression while reading the dump from the
dump device.
Encryption is unsupported for live dumps.
For example: 'savecore -Lz /var/crash' would create:
/var/crash/livecore.0.gz
Reviewed by: markj
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34347
(cherry picked from commit 0a5c04a892)
mount_nfs creates entries in the mounttab file and umount removes
them. Entries in the mounttab file are used by rpc.umntall to
notify the NFS server that NFSv3 entries need to be removed when
they have not been removed by umount.
Without this patch, an entry will be created in the mounttab file,
even if the nmount(2) syscall fails for the mount. This patch
modifies the code so that the mounttab entry is only created
after nmount(2) succeeds.
This change only affects NFSv3 and only affects how showmount
displays NFSv3 mounts.
(cherry picked from commit 7cab630ba4)
/etc/rc.d/jail no longer creates /dev/log as a symbolic link since
commit 84b354cb9a.
PR: 228351
Reviewed by: jamie, markj
(cherry picked from commit 2670ea8a07)
Previously we expected the DIOCSKERNELDUMP ioctl to return ENXIO if the
interface was down, but it does not actually do this. Grab the link
status using getifaddrs(3) instead, and downgrade this case from an
error to a warning; the user might bring the link back up at a later
time.
Reviewed by: cem
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35196
(cherry picked from commit 6543fa5a5c)
The command "ping -S dotted.quad hostname" fails on dual-stack hosts
with the confusing message "ping: invalid source address: Name does
not resolve" because IPv6 is selected in preference. If the argument
to -S is numeric (likely), select the corresponding address family,
as if -4 or -6 was specified. Add tests that either IPv4 or IPv6 can
be forced via a -S parameter.
Reviewed by: asomers
Differential Revision: https://reviews.freebsd.org/D35271
(cherry picked from commit 5af718a592)
The daemon can specify fsname=XXX in its mount options. If so, the file
system should report f_mntfromname as XXX during statfs. This will show
up in the output of commands like mount and df.
Submitted by: Ali Abdallah <ali.abdallah@suse.com>
Differential Revision: https://reviews.freebsd.org/D35090
(cherry picked from commit 2f6362484c)
AEAD ciphers for IPsec combine both encryption and authentication. As
such, ESP configurations using an AEAD cipher should not use a
separate authentication algorithm via -A. However, this was not
apparent from the setkey manpage and 12.x and earlier did not perform
sufficient argument validation permitting users to pair an explicit -A
such as SHA256-HMAC with AES-GCM. (The result was a non-standard
combination of AES-CTR with the specified MAC, but with the wrong
initial block counter (and thus different keystream) compared to using
AES-CTR as the cipher.)
Attempt to clarify this in the manpage by explicitly calling out AEAD
ciphers (currently only AES-GCM) and noting that AEAD ciphers should
not use -A.
While here, explicitly note which authentication algorithms can be
used with esp vs esp-old. Also add subsection headings for the
different algorithm lists and tidy some language.
I did not convert the tables to column lists (Bl -column) though that
would probably be more correct than using literal blocks (Bd
-literal).
PR: 263379
Reviewed by: Pau Amma <pauamma@gundo.com>, markj
Differential Revision: https://reviews.freebsd.org/D34947
(cherry picked from commit e6dede1456)
If setkey(8) is used without ipsec.ko loaded beforehand,
its attempt to install SA/SPD into the kernel results in cryptic
EINVAL error code.
Let it be a bit more user-friendly and try to load ipsec.ko
automatically if it is not loaded, just like ifconfig(8) does it
for modules it needs.
PR: 263379
(cherry picked from commit 0aef862845)
This devd config file is useless without hyperv-tools, so we're moving
it into the hyperv-tools package. pr#263691
PR: 263691
MFC after: 3 days
(cherry picked from commit 7ac164dc8e)
Move it to a separate function, allowing its reuse.
Reviewed by: markj
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34822
(cherry picked from commit cf02cf8dbf)
All files are now created relative to savedirfd, e.g. with openat(2).
Therefore, we do not need character buffers to be PATH_MAX bytes long,
just long enough to hold the complete filename. 32 bytes is long enough
in all cases. These can be allocated on the stack.
While here, fix an error message that attempts to use an uninitialized
infoname.
Reviewed by: markj
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34821
(cherry picked from commit fafeb5342b)
So that new callers of getbounds() don't need to duplicate it.
Reviewed by: markj
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34783
(cherry picked from commit 4243d307d3)
Traditionally the GEOM's primary channel of information from kernel to
user-space was confxml, fetched by libgeom through kern.geom.confxml
sysctl. It is convenient and informative, representing full state of
GEOM in a single XML document. But problems start to arise on systems
with hundreds of disks, where the full confxml size reaches many
megabytes, taking significant time to first write it and then parse.
This patch introduces an alternative solution, allowing to fetch a much
smaller XML document, a subset of the full confxml, limited to 64KB and
representing only one specified geom and optionally its parents. It
uses existing GEOM control interface, extended with new "getxml" verb.
In case of any error, such as the buffer overflow, it just transparently
falls back to traditional full confxml. This patch uses the new API in
user-space GEOM tools where it is possible.
Reviewed by: imp
MFC after: 2 month
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D34529
(cherry picked from commit 7f16b501e2)
When asked to print rules recursively, correctly recurse for anchors
included in pf.conf with "anchorname/*".
PR: 262590
Reviewed by: kp
MFC after: 3 weeks
(cherry picked from commit d86cf44350)
When using the snapshot option, all other options are ignored. This
update reflects changes made in ab2dbd9b87.
Reviewed by: 0mp, mckusick
Differential Revision: https://reviews.freebsd.org/D34584
(cherry picked from commit 8772a9117b)
- There is no need to mention in the synopsis that -f can be a list of
comma-separated type:format pairs. Let's keep it simple instead.
- Mention that -f can be supplied multiple times.
- Add -f to other entries in the synopsis where it can be used.
MFC after: 2 weeks
(cherry picked from commit 52ec8807d8)
As documented, the -C flag can only be used on its own. Any other
command modifiers and flags are ignored when -C is used. Reflect that in
synopsis.
MFC after: 2 weeks
(cherry picked from commit efb4f7fd09)
We document capability codes (the CAPS field of "ifconfig wlan0 scan")
in both ifconfig(8) and the handbook. The list is more complete in the
manual page, while the descriptions of individual capabilities are more
detailed in the handbook.
In order to reduce content duplication and bit rot, let's move
handbook's details to the manual page and reference the manual page
whenever necessary.
Reviewed by: debdrup
Reviewed by: Pau Amma
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D34662
(cherry picked from commit 05621e0b20)
This check was previously in `create` only, not applying to renames. It
should really be applied at the libbe level, so that we can avoid
writing about this restriction over and over again.
While we're here: `bectl rename` always succeeds, even when it doesn't.
Start returning the error.
Reported By: Christian McDonald <cmcdonald netgate com>
(cherry picked from commit dadb9c7093)
Discuss the standard type of layout, as well as the "deep" BE layout,
and some of the properties of both. Point the various -r flags at this
new section, to help users understand which they're working with and
what the -r flag is actually doing. Note that we may just deprecate the
-r flag in future versions, but the flag will be recognized as a NOP at
that point.
(cherry picked from commit c0f846ff23)
I see it as more user-friendly to do nothing if the module is already
loaded, rather than returning a quite confusing error message.
As a side effect it allows avoiding the std_list_available() call, which
uses geom_gettree(), quite expensive on large systems.
MFC after: 1 month
(cherry picked from commit 5678114cd8)
Make gctl_add_param() API public, allowing more precise control over
parameter flags. Previously it was impossible to properly declare
write-only ASCII parameters, used for result reporting, they were
declared as read-write binary instead, that was not nice.
MFC after: 1 month
(cherry picked from commit 2117cdd4b4)
The -r flag is ignored by the FreeBSD implementation of bsdlabel(8)
(also called disklabel(8) in the past). Remove its use from examples
and tests in the tree.
This commit does not touch historical documentation under share/doc/smm
and files under contrib/netbsd-tests.
Reviewed by: imp
MFC after: 2 weeks
Approved by: imp (src)
Fixes: 57dfbec57b More axe-work:
Differential Revision: https://reviews.freebsd.org/D34585
(cherry picked from commit fd06117525)
When retrieving nat rules in anchors we need to set the path just like
we do for regular rules.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit a632d9e360)
Correct the wifi regexp to include iwlwifi and remove the wi driver that
has been retired.
Sponsored by: Netflix
(cherry picked from commit e0ab0ff104)
We don't really use the scsi regexp for anything. The rescan was a
workaround that was fixed a long time ago and has been disabled for
ages. And the regexp was incomplete.
Sponsored by: Netflix
(cherry picked from commit 926e825ef8)
Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info()
to retrieve rules information (ticket and total number of rules).
Use the new function in pfctl.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443
(cherry picked from commit 8c1400b0a1)
When printing the interface name from the ipstate_t struct the interface
name in is_ifp may not always be available when reading it from kmem
(tested on FreeBSD and NetBSD). However the is_ifname (the interface
name character string) is almost always available -- it is not available
when the source of the packet is a process running on the firewall
itself. Rather than print both interface name strings, print only the
one.
(cherry picked from commit 93c1048a13)
Rather than use a kmem read to determine the interface name used by a
nat_t structure through a pointer, nat_ipfs->netif->if_xname, obtain it
directly from nat_ifnames in the nat_t structure itself using the new
FORMAT_IF macro.
(cherry picked from commit ec793543fe)
Interface names stored in the ipstate_t and ipnat_t structures can be
NULL. This occurs when an application, such as named, is running on the
firewall machine itself. For example an application, i.e. named, running
on the firewall itself will cause a state table display and NAT mapping
display to show a null ingress interface and its egress interface. This
is perfectly valid but confusing to human eyes. Rather than print
nothing, print "(null)".
(cherry picked from commit 915395a280)
Minor improvements to the fwdownload code suggested by chs@:
o Print the path_id/target we're rescanning so it's not invisible
o No need for XPT_GDEVLIST, all the info is filled in. Remove sending it
as well as a comment related to it from a mistaken observation. libcam
always fills these in properly, so use those for the ccb path/target.
o Don't leak /dev/xpt fd in success cases.
o Rename fw_rescan_lun to fw_rescan_target and pass sim_mode to
only print path_id and target_id info.
Reviewed by: chs@
Fixes: 9835900cb9
Sponsored by: Netflix
MFC After: 1 week
Differential Revision: https://reviews.freebsd.org/D34348
(cherry picked from commit 78fbaa1fac)
After downloading the firmware to a device, its inquiry data likely
will change. Force a rescan of the target with the CAM_EXPECT_INQ_CHANGE
flag to get it to record the new inquiry data as being expected. This
avoids the need for a 'camcontrol rescan' on the device which detaches
and re-attaches the disk (da, ada) device. This brings fwdownload up to
nvmecontrol's ability to do the same thing w/o changing the exposed
nvme/nvd/nda device. We scan the target and not the LUN because dual
actuator drives have multiple LUNs, but the firmware is global across
many vendors' drives (and the so far theoretical ones that aren't won't
be harmed by the rescan).
Since the underlying struct disk is now preserved across this
operation, it's now possible to upgrade firmware of a root device w/o
crashing the system. On systems that are quite busy, the worst that
happens is that certain operations are reported cancelled when the new
firmware is activated. These operations are retried with the normal CAM
recovery mechanisms and will work on the retry. The only visible hiccup
is the time that new firmware is flashing / initializing. One should not
consider this operation completely risk free, however, since not all
drives are well behaved after a firmware download.
MFC After: 1 week
Relnotes: yes
Sponsored by: Netflix
Feedback by: mav
Differential Revision: https://reviews.freebsd.org/D34325
(cherry picked from commit 9835900cb9)
NAT table mappings list only the source and destination IP, the source
and destination port numbers, and their mappings. But the protocol is not
listed. Now that Facebook and Google use QUIC, seeing port 443 in a
list of active NAT sessions could mean 443/tcp or 443/udp. This patch
adds the protocol to the listing to aid in determining whether HTTPS is
TCP or QUIC in a NAT mapping listing. This also helps differentiate
between other protocols such as ICMP, ESP, and AH in ipnat list of active
sessions.
(cherry picked from commit 9291d079d5)
VLAN ID 0 is supposed to be interpreted as having no VLAN with a bit of
priority on the side, but the kernel is not able to decapsulate this on
the fly so dhclient needs to take care of it.
Reviewed by: markj
(cherry picked from commit abf5bff71d)
NetBSD has an ATF test for newfs_msdos. Connect it to the build.
Adapt it for FreeBSD. This would have caught the bug fixed by my
previous commit.
Reviewed by: delphij, emaste
MFC after: 1 week
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D34116
(cherry picked from commit 4e71258227)
Add an option to dumpfs, `-s`, that only prints the super block information.
Reviewed by: chs, imp
Differential Revision: https://reviews.freebsd.org/D30881
(cherry picked from commit dc35484536)
We provide the hostid (which is the state creatorid) to the kernel as a
big endian number (see pfctl/pfctl.c pfctl_set_hostid()), so convert it
back to system endianness when we get it from the kernel.
This avoids a confusing mismatch between the value the user configures
and the value displayed in the state.
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33989
(cherry picked from commit 735748f30a)
If an invalid (i.e. overly long) interface name is specified error out
immediately, rather than in expand_rule() so we point at the incorrect
line.
PR: 260958
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D34008
(cherry picked from commit e68de66943)
Dynamically size buffers in ggatec. Instead of static size on the stack.
Add flush support.
Submitted by: Johannes Totz <jo@bruelltuete.com>
Reviewed by: asomers
Differential Revision: https://reviews.freebsd.org/D31722
(cherry picked from commit 6226477a46)
geom_gate: ensure readprov is null-terminated
With crafted input to the G_GATE_CMD_CREATE ioctl, geom_gate can be made
to print kernel memory to the system console, potentially revealing
sensitive data from whatever was previously in that memory page.
But but but: this is a case of the sys admin misconfiguring, and you'd
need root privileges to do this.
Submitted By: Johannes Totz <jo@bruelltuete.com>
Reviewed By: asomers
Differential Revision: https://reviews.freebsd.org/D31727
(cherry picked from commit f284bed200)
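The check described in the geom_gate commit above, as an added example that is not FreeBSD source: a fixed-size name field copied in from an untrusted caller is rejected unless it holds a terminator inside its own bounds, and it is printed with a bounded precision as a second guard. The structure `create_req`, its field size and both function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PROV_NAME_MAX 16        /* hypothetical field size, small for the demo */

/* Hypothetical control structure filled in by an untrusted caller. */
struct create_req {
    unsigned int unit;
    char readprov[PROV_NAME_MAX];   /* expected to hold a C string */
};

/*
 * Reject the request unless readprov is NUL-terminated within its own
 * bounds. Without this, any "%s" on the field reads past the end of the
 * array into whatever memory follows it.
 */
int validate_create_req(const struct create_req *req)
{
    if (memchr(req->readprov, '\0', sizeof(req->readprov)) == NULL)
        return EINVAL;
    return 0;
}

/*
 * Format a log line for the request. Returns the length written, or -1
 * if the request was rejected. "%.*s" caps the read at the field size,
 * so the output stays bounded even if a caller skips validation.
 */
int log_create_req(const struct create_req *req, char *out, size_t outlen)
{
    if (validate_create_req(req) != 0)
        return -1;
    return snprintf(out, outlen, "unit %u: read provider \"%.*s\"",
        req->unit, (int)sizeof(req->readprov), req->readprov);
}

int main(void)
{
    struct create_req bad, good;
    char line[64];

    /* Constructed input: every byte of the field is non-NUL. */
    bad.unit = 1;
    memset(bad.readprov, 'A', sizeof(bad.readprov));

    /* Constructed input: a normal, terminated name. */
    good.unit = 3;
    memset(good.readprov, 0, sizeof(good.readprov));
    strcpy(good.readprov, "ada0");

    printf("unterminated: %d\n", log_create_req(&bad, line, sizeof(line)));
    if (log_create_req(&good, line, sizeof(line)) > 0)
        printf("%s\n", line);
    return 0;
}
```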
ipfsync is a WIP sync daemon designed to be used in a failover scenario.
It was removed by 5ee61c7daa. This commit
restores its three files. ipfsync is in my work queue.
(cherry picked from commit 08ab34a06a)
The work to ANSIfy and adjust returns to style(9) resulted in a mismerge
of a stash when ipfilter was moved from contrib to sbin. An older file
replaced WIP at the time, resulting in a regression.
The majority of this work was done in 2018 saved as git stashes within
a git-svn tree and migrated to the git tree. The regression occurred
when the various stashes were sequentially merged to create individual
commits, following the ipfilter move to netpfil and sbin.
Reported by: jrtc27
Fixes: 2582ae5740
Pointy hat to: cy
(cherry picked from commit a3522837b0)
Replace the INLINE macro with inline. Some ancient compilers supported
__inline__ instead of inline. The INLINE hack compensated for it.
Ancient compilers are history.
Reported by: glebius
(cherry picked from commit 9be9c1c084)
Convert ipfilter userland function declarations from K&R to ANSI. This
syncs our function declarations with NetBSD hg commit 75edcd7552a0
(apply our changes). Though not copied from NetBSD, this change was
partially inspired by NetBSD's work and inspired by style(9).
Reviewed by: glebius (for #network)
Differential Revision: https://reviews.freebsd.org/D33595
(cherry picked from commit efeb8bffe3)
Since the move of ipfilter from contrib to sbin adjusting the source path
is no longer required.
Fixes: 41edb306f0
(cherry picked from commit 7cb2d7c413)
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sbin/ipf. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to sbin.
This is the second of three commits of the ipfilter move.
Suggested by glebius on two occasions.
Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
Differential Revision: https://reviews.freebsd.org/D33510
(cherry picked from commit 41edb306f0)
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sys/netpfil. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to netpfil.
This is the first of three commits of the ipfilter move.
Suggested by glebius on two occasions.
Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
Differential Revision: https://reviews.freebsd.org/D33510
(cherry picked from commit 3b9b51fe46)
Under some INET/INET6 src.conf configurations sbin/route previously
failed to build due to an unused variable warning. It was functionally
write-only anyway, so just remove it.
Reported by: melifaro
Reviewed by: melifaro
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33717
(cherry picked from commit c217390359)
(cherry picked from commit f567fcb2ff)
The "bg" option does not go background until the initial mount
attempt fails, which can take 60+ seconds.
This new "bgnow" option goes background immediately, avoiding
the 60+ second delay, if the NFS server is not yet available.
The man page update is a content change.
PR: 260764
(cherry picked from commit 08a8d16cbb)
Those can be returned by CHECK POWER MODE command (0xe5).
Note that some of the definitions duplicate definitions for Extended
Power Conditions.
(cherry picked from commit 75bc7150f4)
A quick grep through the kernel code shows network drivers compute the
changed bits of network capabilities after a SIOCSIFCAP IOCTL(2) by
using the bitwise exclusive or operation. When the set capabilities
are equal to the already read capabilities, no action will be taken.
Let ifconfig(8) predict this case and skip the SIOCSIFCAP IOCTL(2)
system call.
Discussed with: kib@ (revert change in case of issues)
Sponsored by: NVIDIA Networking
(cherry picked from commit ad8f078f66)
Move some needed binaries/libs from FreeBSD-utilities to FreeBSD_runtime.
This is everything needed to boot to multiuser with FreeBSD-rc installed.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33435
(cherry picked from commit 93c4369096)
There is no need to have it in runtime as it's not essential.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
(cherry picked from commit 0855e37c72)
when the fstab(5) entry for the filesystem has the "failok" attribute.
PR: 246201
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D33424
(cherry picked from commit c72372c693)
When we exposed the PFSYNCF_OK flag to userspace in 5f5bf88949 we
unintentionally caused defer mode to always be enabled.
The ioctl check only looked for nonzero, not for the PFSYNCF_DEFER flag.
Fix this check and ensure ifconfig sets the flag.
Reviewed by: glebius
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33244
(cherry picked from commit 73fd0eaf59)
It does not build (and serves no purpose) if neither is true (i.e.,
building WITHOUT_INET and WITHOUT_INET6). Also add an explicit error
in ping to make this case clear.
PR: 260082
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a4ef9e58bc)
OptionalObsoleteFiles: remove ping with INET & INET6 disabled
Reported by: kevans
Fixes: a4ef9e58bc ("sbin: build ping if at least one of...")
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 0179739a00)
ping uses a two-pass option parser. The first pass determines whether
ipv4 or ipv6 is desired, and the second parses the rest of the options.
But the first pass wrongly detects a '4' or '6' in an option's value as
a request to use ipv6 or ipv6 respectively, for example in an invocation
like "ping -c6 1.2.3.4".
Fix this confusion by including all options in the first round of
parsing, but ignoring those unrelated to ipv4/ipv6 selection.
PR: 258048
Reported by: ghuckriede@blackberry.com
Submitted by: ghuckriede@blackberry.com
MFC after: 2 weeks
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D32344
(cherry picked from commit 9ce201f2ee)
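The two-pass parsing problem described in the ping commit above, as an added example that is not ping's source: a first pass that only knows "4" and "6" misreads option values, while one that knows which options take arguments does not. The scanner is a simplified, hypothetical stand-in for getopt(3), and the option strings "46" and "46c:S:" are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

enum family { FAM_UNSPEC = 0, FAM_INET = 4, FAM_INET6 = 6 };

/* getopt-style lookup: does `opt` take an argument according to optstring? */
static int takes_arg(const char *optstring, char opt)
{
    const char *p;

    if (opt == ':')
        return 0;
    p = strchr(optstring, opt);
    return p != NULL && p[1] == ':';
}

/*
 * First pass: pick the address family from -4 / -6.
 * Options missing from optstring are treated as plain flags, which is
 * what makes a short optstring dangerous: the value of "-c6" is then
 * scanned as if it were more option letters.
 */
enum family select_family(int argc, char *const argv[], const char *optstring)
{
    enum family fam = FAM_UNSPEC;
    int i;

    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        const char *p;

        /* The first operand, a lone "-", or "--" ends option scanning. */
        if (a[0] != '-' || a[1] == '\0' || strcmp(a, "--") == 0)
            break;
        for (p = a + 1; *p != '\0'; p++) {
            if (takes_arg(optstring, *p)) {
                /* The value is the rest of this word or the next word. */
                if (p[1] == '\0')
                    i++;
                break;
            }
            if (*p == '4')
                fam = FAM_INET;
            else if (*p == '6')
                fam = FAM_INET6;
        }
    }
    return fam;
}

int main(void)
{
    /* Constructed command line matching the one quoted in the commit. */
    char *argv1[] = { "ping", "-c6", "1.2.3.4", NULL };
    /* Constructed command line with a separated option value. */
    char *argv2[] = { "ping", "-c", "3", "-4", "host", NULL };

    printf("-c6, narrow first pass: %d\n", select_family(3, argv1, "46"));
    printf("-c6, full first pass:   %d\n", select_family(3, argv1, "46c:S:"));
    printf("-c 3 -4, narrow:        %d\n", select_family(5, argv2, "46"));
    printf("-c 3 -4, full:          %d\n", select_family(5, argv2, "46c:S:"));
    return 0;
}
```

With the narrow option string the second command line fails the other way: the value "3" is taken for an operand, scanning stops, and the explicit -4 is never seen.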
Add a postproc function for af_inet, and add interface flags as a
parameter. Check there if setting an address without a mask unless
the interface is loopback or point-to-point, where mask is not really
meaningful; warn if so. This will hopefully be an error in the future.
(cherry picked from commit d8237b9555)
Vinum is a Logical Volume Manager that was introduced in FreeBSD 3.0,
and for FreeBSD 5 was ported to geom(4) as gvinum. gvinum has had no
specific development at least as far back as 2010, and has a number of
known bugs which are unlikely to be resolved.
Add a deprecation notice to raise awareness but state that vinum "may
not be" available in FreeBSD 14. Either it will be removed and the
notice will be updated to "is not" available, or someone will step up
to fix issues and maintain it and we will remove the notice.
Reviewed by: imp (earlier version)
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29424
(cherry picked from commit b218441ac0)
Allow users to set a number on rules which will be exposed as part of
the pflog header.
The intent behind this is to allow users to correlate rules across
updates (remember that pf rules continue to exist and match existing
states, even if they're removed from the active ruleset) and pflog.
Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750
(cherry picked from commit 76c5eecc34)
Revision 9e9be081d8 introduced a new devfs rule devfsrules_jail_vnet. It
includes rule devfsrules_jail which include other rules. Unfortunately
devfs could not recursively parse the action include and thus
devfsrules_jail_vnet will expose all nodes.
PR: 255660
Reviewed by: kp
Obtained from: Gijs Peskens <gijs@peskens.net>
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D32814
(cherry picked from commit 7acd322ebe)
For some cloud/virtualization use cases it can be convenient to grow the
filesystem on boot any time the disk/partition happens to be larger, but
not fail if it remains the same size.
Continue to emit a message if we have no action to take, but exit with
status 0 if the size remains the same.
Reviewed by: trasz
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32856
(cherry picked from commit 3f9acedb02)
I made a mistake in merging the final commits for the devctl changes. This
adds the 'hushed' variable and has the correct dates for the manuals.
Pointy hat to: imp
(cherry picked from commit 80f21bb039)
Generate VT events when the bell beeps. When coupled with disabling the
bell, this allows custom bells to be rung when we'd otherwise beep.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D32656
(cherry picked from commit 4ac3d08a96)
Patch the manpage to remove references to devq_openings and devq_queued.
Document the allocated tag that has been added in the same commit. The
relevant code change was committed as r271588
(959ec2581b) by mav@.
PR: 223651
Reported by: Bertrand Petit <bsdpr@phoe.frmug.org>
(cherry picked from commit d4cf7dc0df)
We used to expand the $nr macro in labels into the rule number prior to
the optimisation step. This would occasionally produce incorrect rule
numbers in the labels.
Delay all macro expansion until after the optimisation step to ensure
that we expand the correct values.
MFC after: 1 week
Reported by: Özkan KIRIK <ozkan.kirik@gmail.com>
Differential Revision: https://reviews.freebsd.org/D32488
(cherry picked from commit 09c7f23869)
Introduce a link to the ipfw command, dnctl, for dummynet configuration.
dnctl only handles dummynet configuration, and is part of the effort to
support dummynet in pf.
/sbin/ipfw continues to accept pipe, queue and sched commands, but these can
now also be issued via the new dnctl command.
Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30465
(cherry picked from commit 0b95680e07)
795d78a467 pfctl: Don't use PRIu64 mistakenly changed these to be
printed as hexadecimal numbers.
Reported by: Florian Smeets
MFC after: 4 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 846a6e8f9a)
Rather than PRIu64 we can just treat the data as uintmax_t, and use %jx
instead.
MFC after: 1 week
Suggested by: kib
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 795d78a467)
Use PRIu64 to printf(3) uint64_t quantities, otherwise this will result
in "error: format specifies type 'unsigned long' but the argument has
type 'uint64_t' (aka 'unsigned long long') [-Werror,-Wformat]" on 32-bit
architectures.
Fixes: 80078d9d38
MFC after: 1 week
(cherry picked from commit 5b8f07b12f)
Rather than call DIOCGETSTATUS ourselves use the new libpfctl functions.
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31697
(cherry picked from commit 80078d9d38)
Since the conversion to the new DIOCKILLSTATESNV the kernel no longer
expects the id and creatorid to be big-endian.
As a result killing states by id (i.e. `pfctl -k id -k 12345`) no longer
worked.
Reported by: Özkan KIRIK
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit e59eff9ad3)
This allows the maximum value of 4294967295 (~4Gb/s) instead of previous
value of 2147483647 (~2Gb/s).
Reviewed by: np, scottl
Obtained from: pfSense
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31582
(cherry picked from commit 20ffd88ed5)
This can be useful for, e.g., unmounting filesystems that were needed
for shutdown.
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #63
(cherry picked from commit 4d15976919)
SO_RERROR indicates that receive buffer overflows should be handled as
errors. Historically receive buffer overflows have been ignored and
programs could not tell if they missed messages or messages had been
truncated because of overflows. Since programs historically do not
expect to get receive overflow errors, this behavior is not the
default.
This is really really important for programs that use route(4) to keep
in sync with the system. If we lose a message then we need to reload
the full system state, otherwise the behaviour from that point is
undefined and can lead to chasing bogus bug reports.
Reviewed by: philip (network), kbowling (transport), gbe (manpages)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D26652
(cherry picked from commit 7045b1603b)
Commit 1e0a518d65 added a new NFS mount option "nconnect".
This patch adds information on this option to the man page.
It also adds an IMPLEMENTATION section that explains how
the default I/O size is determined and that "nfsstat -m" can
be used to find out what option settings are actually in use.
This is a content change.
(cherry picked from commit 4488c8c34b)
This allows the use of VLAN PCP in dhclient, which is required for
certain ISPs (such as Orange.fr).
Reviewed by: bcr (man page)
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31263
(cherry picked from commit 1e7fe2fbb9)
Support the 'match' keyword.
Note that support is limited to adding queuing information, so without
ALTQ support in the kernel setting match rules is pointless.
For the avoidance of doubt: this is NOT full support for the match
keyword as found in OpenBSD's pf. That could potentially be built on top
of this, but this commit is NOT that.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31115
(cherry picked from commit ef950daa35)
These were all incorrectly labeled as 2-clause BSD licenses by a
semi-automated process, when in fact they are 3-clause.
Discussed with: pfg, imp
Sponsored by: Axcient
(cherry picked from commit 3874c0abb0)
Xen VMs get a simulated serial device meant for use as a console. Often
an xterm or other advanced terminal is used, so use xterm as the type.
Depending on configuration, FreeBSD on Xen for amd64 may instead use an
emulated serial port, but the virtual console may also be available.
Submitted by: Elliott Mitchell <ehem+freebsd@m5p.com>
Reviewed by: imp (slightly earlier version)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D29873
(cherry picked from commit 2b2c460d7b)
The tty lists were already pretty similar and there hadn't been any real
need for them to remain distinct for some time. As such, merge to a
single file.
The RISC-V console is preserved. For systems where it doesn't exist, its
presence in /etc/ttys is harmless. The uncommented version of the
ttyv8/XDM line from ttys.amd64 was the one chosen.
Reviewed by: imp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30256
(cherry picked from commit c76616f496)
Back in the day, we used to have a number of entries that were either
'on' or 'off' directly, rather than conditionally on 'onifexists'
etc. Back then, we tried to line up the 'secure' columns by using the
construct 'on secure' or 'off secure' (one space or two). Now that these
have all moved to a conditional construct, remove the second space on
the ttys that still have it. This reduces diffs between the different
ttys and is no functional change. i386 and amd64 did this a long time
ago, and those are the only ones that affected external users (who used
to sed 's/on /off /' the entries as part of the automation).
MFC After: 3 days
Sponsored by: Netflix
(cherry picked from commit 36be84b966)
According to the spec: "If the value reported is 0h, then LBA format
is not supported / used or is not currently available".
MFC after: 1 week
(cherry picked from commit d379886a41)
Background checks are only allowed for mounted filesystems - don't try
to open the device for writing when performing a background check.
While here, remove a debugging printf that's commented out.
PR: 256746
Fixes: 5cc52631b3
Reviewed by: mckusick
Differential Revision: https://reviews.freebsd.org/D30880
(cherry picked from commit 0c5a59252c)
Beauty correction for verbose mode or in case we print multiple key
information to not continue with the next options directly after
as we did so far, e.g.:
AES-CCM 2:128-bit
AES-CCM 3:128-bit powersavemode ...
Sponsored by: The FreeBSD Foundation
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D29393
(cherry picked from commit 5ba4c8de15)
I wrote this code, not Intel, so put my copyright on this. I mistakenly
copied it for the initial commit.
Sponsored by: Netflix
(cherry picked from commit 6d6cca3633)
Report status from dword0 for passthru commands. Many commands report
some status or information here, so reporting it can help know what's
going on.
Sponsored by: Netflix
(cherry picked from commit 510a3da147)
The description of the power command is missing. While the synopsis is
present, there's no explanation. Add one.
Reviewed by: mav, chuck
PR: 237866
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31122
(cherry picked from commit 445b5554bf)
The NFSv4 client now uses the highest minor version of NFSv4
by default instead of minor version 0, for NFSv4 mounts.
The "minorversion" mount option may be used to override this default.
This patch updates the man page to reflect this change. While here,
fix nfsstat(8) to be nfsstat(1).
(cherry picked from commit b413b03597)
The previous changes that added support for the coreutils -c option
modified the output generated by passing -r to match that of the
coreutils versions. The difference is that coreutils separates the
hash from the file name by two blanks "  " (or a blank followed by
an asterisk " *" with the -b option denoting).
While most scripts or users will not notice the difference, it might
be considered a violation of POLA and this commit reverts the change
for the non-sum programs. These will print a single blank " " as the
separator, as they did before the previous commit.
In order to still generate output that is identical to that of the
coreutils programs, this commit generates the "  " or " *" separator
used by them for the -sum versions, depending on the presence of the
-b option.
(cherry picked from commit b33d1898c1)
As for example pfctl -ss keeps calling it, it saves a lot of overhead
from elided parsing of /etc/nsswitch.conf and /etc/protocols.
Sample result when running a pre-nvlist binary with nfs root and dumping
7 mln states:
before: 24.817u 62.993s 1:28.52 99.1%
after: 8.064u 1.117s 0:18.87 48.5%
Idea by Jim Thompson
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 858937bea4)
On macOS and Linux the current set of headers do not end up pulling in
sys/param.h, causing MAXPATHLEN to not be defined and the build to fail.
(cherry picked from commit cab31e0e21)
The -c option expects a digest file in either BSD or coreutils format.
The output for matched and mismatched files is identical to that
of the coreutils version.
The review of these changes included test cases that have already
been committed for the functionality that existed before.
Another test script is added to cover the coreutils compatible
extension implemented by this patch.
This commit contains a tests/Makefile that has been cleaned up
compared to the review version, using an implicit rule to apply the
TESTBASE path at build time (and the scripts have been renamed to
have an extension of .SH instead of .sh to trigger this rule).
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D30812
(cherry picked from commit 84f35b6f86)
(cherry picked from commit c2870e576b)
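An added example (not code from FreeBSD's md5(1)) of reading a digest file in either of the two formats the -c commit above refers to: the BSD tagged form `ALGO (file) = hash` and the coreutils form `hash  file` or `hash *file`. The function names, file names and file contents are constructed for illustration, and SHA-256 as the default algorithm for untagged lines is an assumption.

```python
import hashlib
import os
import re
import tempfile

# BSD tagged form:  SHA256 (name) = <hex>
BSD_RE = re.compile(r"^(?P<algo>[A-Za-z0-9-]+) \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]+)$")
# coreutils form:   <hex>  name (text mode)  or  <hex> *name (binary mode)
GNU_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]+) [ *](?P<name>.+)$")

def parse_digest_line(line, default_algo="sha256"):
    """Return (algo, filename, hexdigest), or None for an unrecognised line."""
    line = line.rstrip("\r\n")
    m = BSD_RE.match(line)
    if m:
        return m["algo"].lower(), m["name"], m["hex"].lower()
    m = GNU_RE.match(line)
    if m:  # coreutils lines carry no algorithm name; the caller supplies it
        return default_algo, m["name"], m["hex"].lower()
    return None

def check_digest_file(text, base_dir, default_algo="sha256"):
    """Verify each entry; map filename -> OK / FAILED / MISSING / UNSUPPORTED."""
    results = {}
    for line in text.splitlines():
        entry = parse_digest_line(line, default_algo)
        if entry is None:
            continue  # blank or malformed line; a real tool would warn
        algo, name, expected = entry
        try:
            h = hashlib.new(algo)
        except ValueError:
            results[name] = "UNSUPPORTED"
            continue
        try:
            with open(os.path.join(base_dir, name), "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
        except OSError:
            results[name] = "MISSING"
            continue
        results[name] = "OK" if h.hexdigest() == expected else "FAILED"
    return results

def demo():
    # Constructed sample: one intact file, one modified file, one absent file.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "a.txt"), "wb") as f:
            f.write(b"alpha\n")
        with open(os.path.join(d, "b c.txt"), "wb") as f:
            f.write(b"beta, modified\n")
        lines = [hashlib.sha256(b"alpha\n").hexdigest() + "  a.txt",
                 "SHA512 (b c.txt) = " + hashlib.sha512(b"beta\n").hexdigest(),
                 "0" * 64 + " *gone.bin"]
        return check_digest_file("\n".join(lines), d)
```

The BSD pattern is tried first because only that form names its algorithm; an untagged line is checked with whatever algorithm the caller expects, which is why a digest file of the wrong type shows up as FAILED rather than as a parse error.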
stdbool.h needs to be included to use type bool variables. Due to
namespace pollution, this gets brought in on FreeBSD, but not on
other systems. Include it explicitly.
Noticed by: arichards@
Sponsored by: Netflix
(cherry picked from commit d0ea5e467f)
On Linux, there's a similar set of programs to ours, but that end in the
letters 'sum'. These act basically like FreeBSD versions run with the -r
option. Add code so that when the program ends in 'sum' you get the
linux -r behavior. This is enough to make most things that use sha*sum
work correctly (the -c / --check options, as well as the long args are
not implemented). When running with the -sum programs, ignore -t instead
of running internal speed tests and make -c an error.
Reviewed by: sef, and kp and allanjude (earlier version)
Relnotes: yes
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D30309
(cherry picked from commit 086feed850)
While the correctness of the supported hash algorithms can be tested
with the built-in self-test feature, these test cases are meant to
detect changes in the output format.
A follow-up commit will improve the compatibility with the coreutils
versions of the hash programs, and these tests should detect any
unintended side-effects of such a change on existing functionality.
(cherry picked from commit 884fc5527a)
sbin/md5: Create /usr/tests/sbin/md5 directory for placing tests
(Fix by lwhsu (Li-Wen Hsu) to un-break "make distribute".)
(cherry picked from commit cb194afef5)
sbin/md5: fix test case to not write outside temp directory
The bsd-p-test did create files 1.out .. 8.out in the test directory.
This has been fixed and the temporary output files are now written
to the temporary directory.
(cherry picked from commit 95d3044bbd)
Sponsored by: The FreeBSD Foundation (commit cb194afef5 only)
Document the existing behavior, which is currently only available by
reading third party documentation or the source code itself.
PR: 254617
Submitted by: Oliver Kiddle
Differential Revision: https://reviews.freebsd.org/D30189
(cherry picked from commit c8250c5ada)
Boot environment datasets that contain spaces are not bootable.
When a user attempts to create a boot environment with a space, abort
the creation and print an error message.
PR: 254441
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D30194
(cherry picked from commit 0e6549c874)
The segfault was being hit in ckfini() (sbin/fsck_ffs/fsutil.c) while
attempting to traverse the buffer cache. The tail queue used for the
buffer cache was not initialized before dropping into gjournal_check().
Initialize the buffer cache before calling gjournal_check().
PR: 245907
Reviewed by: jhb, mckusick
Differential Revision: https://reviews.freebsd.org/D30537
(cherry picked from commit 441e69e419)
Only print buffer cache debug message when a cache lookup has been done.
When running `fsck_ffs -d` on a gjournal'ed filesystem, it's possible
that totalreads is greater than zero when no cache lookup has been
done - causing a divide by zero. This commit fixes the following error:
Floating point exception (core dumped)
Reviewed by: mckusick
Differential Revision: https://reviews.freebsd.org/D30370
(cherry picked from commit 20123b25ee)
We used to have a bug where pfctl could crash setting fairq queues. Test
this case and ensure it does not crash pfctl.
Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30348
(cherry picked from commit 9938fcaa65)
The following config could crash pfctl:
altq on igb0 fairq bandwidth 1Gb queue { qLink }
queue qLink fairq(default)
That happens because when we're parsing the parent queue (on igb0) it
doesn't have a parent, and the check in eval_pfqueue_fairq() checks
pa->parent rather than parent.
This was changed in eval_pfqueue_hfsc() in
1d34c9dac8, but not for fairq.
Reviewed by: pkelsey
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30346
(cherry picked from commit 26705a39e5)
Track (and display) the interface that created a state, even if it's a
floating state (and thus uses virtual interface 'all').
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30245
(cherry picked from commit d0fdf2b28f)
Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the
states list.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244
(cherry picked from commit bc94129147)
We failed to account for the FAIRQ scheduler in expand_altq(), which led
it to be set up without its parent queue.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30347
(cherry picked from commit dc78428796)
Fix some erroneous lines in the example section.
PR: 248943
Submitted by: Jose Luis Duran
Reviewers: ae, manpages (gbe)
Differential Revision: https://reviews.freebsd.org/D30191
(cherry picked from commit 802637be06)