Commit graph

9756 commits

Author SHA1 Message Date
Matteo Riondato 5567b132a4 pfctl: fix retrieving nested anchors
PR:		262622
MFC after:	1 week
Reviewed by:	kp

(cherry picked from commit cd8438e5a3)
2022-03-24 10:44:31 +01:00
Piotr Pawel Stefaniak c4e1fbfe56 mount: make libxo support more locale-aware
"special", "node", and "mounter" are not guaranteed to be encoded with
UTF-8. Use the appropriate modifier.

(cherry picked from commit 260f26f035)
2022-03-23 16:48:03 +01:00
Cameron Katri 3f8b52c910 mount: add libxo(3) support
Adds --libxo to mount(8).

(cherry picked from commit e725ee7eb6)
2022-03-23 16:47:33 +01:00
Warner Losh eeec49e0b3 devd: correct wifi regexp
Correct the wifi regexp to include iwlwifi and remove wi driver that
has been retired.

Sponsored by:		Netflix

(cherry picked from commit e0ab0ff104)
2022-03-19 07:59:07 -06:00
Warner Losh cb95daaa91 devd: remove the scsi regexp
We don't really use the scsi regexp for anything. The rescan was a
workaround that was fixed a long time ago and has been disabled for
ages. And the regexp was incomplete.

Sponsored by:		Netflix

(cherry picked from commit 926e825ef8)
2022-03-19 07:59:07 -06:00
Wuyang Chung 4391c305e8 newfs(8): Fix a bug in initialization of sblock.fs_maxbsize .
Fixes:		1c85e6a35d (SVN r98542)
Pull Request:	https://github.com/freebsd/freebsd-src/pull/587
Sponsored by:	NVIDIA Networking

(cherry picked from commit c5f549c1e0)
2022-03-17 10:54:57 +01:00
Kirk McKusick 934ba51bc9 Ensure that fsck(8) / fsck_ffs(8) produces the correct exit code for missing devices.
PR:          262580
Approved by: re (gjb, early MFC)

(cherry picked from commit 2983ec0a87)
2022-03-16 15:56:52 -07:00
Kristof Provost d271eca03f libpfct: factor out pfctl_get_rules_info()
Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info()
to retrieve rules information (ticket and total number of rules).

Use the new function in pfctl.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34443

(cherry picked from commit 8c1400b0a1)
2022-03-15 04:24:25 +01:00
Kristof Provost e134e088c5 libpfctl: support flushing rules/nat/eth
Move the code to flush regular rules, nat rules and Ethernet rules into
libpfctl for easier re-use.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34442

(cherry picked from commit f0c334e4de)
2022-03-15 04:24:25 +01:00
Kristof Provost 4da31fbe58 pfctl: support recursive printing of nat rules
PR:		252617
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D34455

(cherry picked from commit a20773c810)
2022-03-15 03:52:18 +01:00
Kristof Provost eb9784f245 pfctl: remove unused variable
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit c4e49c3a65)
2022-03-15 03:51:15 +01:00
Cy Schubert 1fc127c5e1 ipfilter: Reliably print the interface name
When printing the interface name from the ipstate_t struct the interface
name in is_ifp may not always be available when reading it from kmem
(tested on FreeBSD and NetBSD). However the is_ifname (the interface
name character string) is almost always available -- it is not available
when the source of the packet is a process running on the firewall
itself. Rather than print both interface name strings, print only the
one.

(cherry picked from commit 93c1048a13)
2022-03-09 16:31:40 -08:00
Cy Schubert 9b1b1dca31 ipfilter: Obtain the interface name more efficiently
Rather than use a kmem read to determine the interface name used by a
nat_t structure through a pointer, nat_ipfs->netif->if_xname, obtain it
directly from nat_ifnames in the nat_t structure itself using the new
FORMAT_IF macro.

(cherry picked from commit ec793543fe)
2022-03-09 16:31:40 -08:00
Cy Schubert 35ddf84138 ipfilter: Introduce the new FORMAT_IF macro
Interface names stored in the ipstate_t and ipnat_t structures can be
NULL. This occurs when an application, such as named, is running on the
firewall machine itself. For example an application, i.e. named, running
on the firewall itself will cause a state table display and NAT mapping
display to show a null ingress interface and its egress interface. This
is perfectly valid but confusing to human eyes. Rather than print
nothing, print "(null)".

(cherry picked from commit 915395a280)
2022-03-09 16:31:40 -08:00
Warner Losh 8f5c107656 camcontrol fwdownload minor improvements
Minor improvements to the fwdownload code suggested by chs@:
o Print the path_id/target we're rescanning so it's not invisible
o No need for XPT_GDEVLIST, all the info is filled in. Remove sending it
  as well as a comment related to it from a mistaken observation. libcam
  always fills these in properly, so use those for the ccb path/target.
o Don't leak /dev/xpt fd in success cases.
o Rename fw_rescan_lun to fw_rescan_target and pass sim_mode to
  only print path_id and target_id info.

Reviewed by:		chs@
Fixes:			9835900cb9
Sponsored by:		Netflix
MFC After:		1 week
Differential Revision:	https://reviews.freebsd.org/D34348

(cherry picked from commit 78fbaa1fac)
2022-03-09 13:52:23 -07:00
Warner Losh 327da43602 camcontrol: Force a rescan of the lun after firmware download.
After downloading the firmware to a device, its inquiry data likely
will change. Force a rescan of the target with the CAM_EXPECT_INQ_CHANGE
flag to get it to record the new inquiry data as being expected. This
avoids the need for a 'camcontrol rescan' on the device which detaches
and re-attaches the disk (da, ada) device. This brings fwdownload up to
nvmecontrol's ability to do the same thing w/o changing the exposed
nvme/nvd/nda device. We scan the target and not the LUN because dual
actuator drives have multiple LUNs, but the firmware is global across
many vendors' drives (and the so far theoretical ones that aren't won't
be harmed by the rescan).

Since the underlying struct disk is now preserved across this
operation, it's now possible to upgrade firmware of a root device w/o
crashing the system.  On systems that are quite busy, the worst that
happens is that certain operations are reported cancelled when the new
firmware is activated. These operations are retried with the normal CAM
recovery mechanisms and will work on the retry. The only visible hiccup
is the time that new firmware is flashing / initializing. One should not
consider this operation completely risk free, however, since not all
drives are well behaved after a firmware download.

MFC After:		1 week
Relnotes:		yes
Sponsored by:		Netflix
Feedback by:		mav
Differential Revision:	https://reviews.freebsd.org/D34325

(cherry picked from commit 9835900cb9)
2022-03-09 13:52:22 -07:00
Cy Schubert d1f3afc4a4 ipfilter: Print protocol when listing NAT table mappings
NAT table mappings list only the source and destination IP, the source
and destination port numbers, and their mappings. But the protocol is not
listed. Now that Facebook and Google use QUIC, seeing port 443 in a
list of active NAT sessions could mean 443/tcp or 443/udp. This patch
adds the protocol to the listing to aid in determining whether HTTPS is
TCP or QUIC in a NAT mapping listing. This also helps differentiate
between other protocols such as ICMP, ESP, and AH in ipnat list of active
sessions.

(cherry picked from commit 9291d079d5)
2022-03-07 05:32:58 -08:00
Franco Fichtner 586827df60 dhclient: support VID 0 (no vlan) decapsulation
VLAN ID 0 is supposed to be interpreted as having no VLAN with a bit of
priority on the side, but the kernel is not able to decapsulate this on
the fly so dhclient needs to take care of it.

Reviewed by:	markj

(cherry picked from commit abf5bff71d)
2022-03-07 08:18:57 -05:00
Eric van Gyzen c14635226b newfs_msdos: connect the ATF test from NetBSD
NetBSD has an ATF test for newfs_msdos.  Connect it to the build.
Adapt it for FreeBSD.  This would have caught the bug fixed by my
previous commit.

Reviewed by:	delphij, emaste
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D34116

(cherry picked from commit 4e71258227)
2022-03-02 15:56:30 -06:00
Chuck Silvers a0c3799828 fsck_ffs: don't try to write in read-only mode
(cherry picked from commit ed1a156b03)

Sponsored by:	Netflix
2022-02-27 21:36:06 -08:00
Chuck Tuffli 7de3a3e919 nvme: fix spelling of Namespace
Fix spelling of a macro definition.

PR:		262141

(cherry picked from commit c2318cf80a)
2022-02-27 17:59:31 -08:00
Kirk McKusick 5f3cd10138 Update fsdb(8) to reflect new structure of fsck_ffs(8).
(cherry picked from commit c5d476c98c)
2022-02-26 13:38:48 -08:00
Kirk McKusick 5628a09019 Avoid unaligned writes by fsck_ffs(8).
(cherry picked from commit 7a1c1f6a03)
2022-02-26 13:34:11 -08:00
Robert Wing 0add00229d dumpfs(8): add option to only print superblock information
Add an option to dumpfs, `-s`, that only prints the super block information.

Reviewed by:	chs, imp
Differential Revision:	https://reviews.freebsd.org/D30881

(cherry picked from commit dc35484536)
2022-02-23 09:27:27 -09:00
Kristof Provost 63220460d0 libpfctl: fix creatorid endianness
We provide the hostid (which is the state creatorid) to the kernel as a
big endian number (see pfctl/pfctl.c pfctl_set_hostid()), so convert it
back to system endianness when we get it from the kernel.

This avoids a confusing mismatch between the value the user configures
and the value displayed in the state.

MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33989

(cherry picked from commit 735748f30a)
2022-02-18 11:14:58 +01:00
Kristof Provost b5f6f687a2 pfctl: improve error reporting for routehost
If an invalid (i.e. overly long) interface name is specified error out
immediately, rather than in expand_rule() so we point at the incorrect
line.

PR:		260958
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D34008

(cherry picked from commit e68de66943)
2022-02-18 11:14:58 +01:00
Edward Tomasz Napierala b993d60f60 Cross-reference camcontrol(8) and zonectl(8) man pages.
(cherry picked from commit 28b475b018)
2022-02-14 00:04:44 +00:00
Alan Somers 2af3758a32 Various fixes for ggatec and ggated
Dynamically size buffers in ggatec. Instead of static size on the stack.
Add flush support.

Submitted by:	Johannes Totz <jo@bruelltuete.com>
Reviewed by:	asomers
Differential Revision: https://reviews.freebsd.org/D31722

(cherry picked from commit 6226477a46)

geom_gate: ensure readprov is null-terminated

With crafted input to the G_GATE_CMD_CREATE ioctl, geom_gate can be made
to print kernel memory to the system console, potentially revealing
sensitive data from whatever was previously in that memory page.

But but but: this is a case of the sys admin misconfiguring, and you'd
need root privileges to do this.

Submitted By:	Johannes Totz <jo@bruelltuete.com>
Reviewed By:	asomers
Differential Revision: https://reviews.freebsd.org/D31727

(cherry picked from commit f284bed200)
2022-02-16 21:07:15 -07:00
Kirk McKusick 166926a3de Have fsck_ffs(8) properly correct superblock check-hash failures.
cherry pick cleanups from commit c0bfa109b9

PR:           245916
2022-02-15 17:14:22 -08:00
Kirk McKusick efd949aaba Have fsck_ffs(8) properly correct superblock check-hash failures.
(cherry picked from commit c0bfa109b9)

PR:           245916
2022-02-15 17:14:22 -08:00
Cy Schubert d0695f8a40 ipfilter: Restore ipfsync
ipfsync is a WIP sync daemon designed to be used in a failover scenario.
It was removed by 5ee61c7daa. This commit
restores its three files. ipfsync is in my work queue.

(cherry picked from commit 08ab34a06a)
2022-02-07 05:51:18 -08:00
Cy Schubert 52f62a6983 ipfilter: Fix manpage typos
Reported by:	jrtc27
Fixes:		2582ae5740

(cherry picked from commit ad07e93fe1)
2022-02-07 05:51:17 -08:00
Cy Schubert f4d126ee1f ipfilter userland: Fix typos
Reported by:	netchild
Fixes:		2582ae5740

(cherry picked from commit cc3e5b372e)
2022-02-07 05:51:17 -08:00
Cy Schubert 189b9222f9 ipfilter userland: Fix branch mismerge
The work to ANSIfy and adjust returns to style(9) resulted in a mismerge
of a stash when ipfilter was moved from contrib to sbin. An older file
replaced WIP at the time, resulting in a regression.

The majority of this work was done in 2018 saved as git stashes within
a git-svn tree and migrated to the git tree. The regression occurred
when the various stashes were sequentially merged to create individual
commits, following the ipfilter move to netpfil and sbin.

Reported by:	jrtc27
Fixes:		2582ae5740
Pointy hat to:	cy

(cherry picked from commit a3522837b0)
2022-02-07 05:51:17 -08:00
Cy Schubert fcb8e92558 ipfilter userland: Style(9) requires a space after return
Reported by:    jrtc27
Fixes:          2582ae5740

(cherry picked from commit 44bc301921)
2022-02-07 05:51:17 -08:00
Cy Schubert d47287c437 ipfilter: Fix typos
Reported by:	jrtc27
Fixes:		2582ae5740

(cherry picked from commit d86f022e79)
2022-02-07 05:51:16 -08:00
Cy Schubert 7d98606953 ipfilter userland: Fix whitespace errors
Replace leading spaces with tabs on affected lines.

(cherry picked from commit 5e13b104a4)
2022-02-07 05:51:16 -08:00
Cy Schubert fa66e74d3b ipfilter userland: Remove trailing whitespace
(cherry picked from commit 27fc223414)
2022-02-07 05:51:16 -08:00
Cy Schubert 9787fb28c9 ipfilter: Adjust userland returns to conform to style(9)
Adjust ipfilter's userland return statements to conform to style(9).

(cherry picked from commit 2582ae5740)
2022-02-07 05:51:15 -08:00
Cy Schubert c95ef272f1 ipfilter: INLINE --> inline
Replace the INLINE macro with inline. Some ancient compilers supported
__inline__ instead of inline. The INLINE hack compensated for it.
Ancient compilers are history.

Reported by:	glebius

(cherry picked from commit 9be9c1c084)
2022-02-07 05:51:15 -08:00
Cy Schubert 9ff592d868 ipfilter: ANSIfy userland function declarations
Convert ipfilter userland function declarations from K&R to ANSI. This
syncs our function declarations with NetBSD hg commit 75edcd7552a0
(apply our changes). Though not copied from NetBSD, this change was
partially inspired by NetBSD's work and inspired by style(9).

Reviewed by:		glebius (for #network)
Differential Revision:	https://reviews.freebsd.org/D33595

(cherry picked from commit efeb8bffe3)
2022-02-07 05:51:15 -08:00
Cy Schubert dd68201611 ipfilter userland: Path fixup no longer required
Since the move of ipfilter from contrib to sbin adjusting the source path
is no longer required.

Fixes:		41edb306f0

(cherry picked from commit 7cb2d7c413)
2022-02-07 05:51:14 -08:00
Cy Schubert 95daf09d07 ipfilter: Move userland bits to sbin
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sbin/ipf. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to sbin.

This is the second of three commits of the ipfilter move.

Suggested by glebius on two occasions.

Suggested by and discussed with:	glebius
Reviewed by:				glebius, kp (for #network)
Differential Revision:		https://reviews.freebsd.org/D33510

(cherry picked from commit 41edb306f0)
2022-02-07 05:51:14 -08:00
Cy Schubert 5729ebba33 ipfilter: Move kernel bits to netpfil
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sys/netpil. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to netpfil.

This is the first of three commits of the ipfilter move.

Suggested by glebius on two occasions.

Suggested by and discussed with:	glebius
Reviewed by:				glebius, kp (for #network)
Differential Revision:		https://reviews.freebsd.org/D33510

(cherry picked from commit 3b9b51fe46)
2022-02-07 05:51:14 -08:00
Kirk McKusick c16f699d79 Whitespace and capitalization cleanups.
(cherry picked from commit c82df0a0bf)
2022-02-04 11:59:30 -08:00
Ed Maste e5bcc6a856 route: remove write-only struct hostent from getaddr()
Under some INET/INET6 src.conf configurations sbin/route previously
failed to build due to an unused variable warning.  It was functionally
write-only anyway, so just remove it.

Reported by:	melifaro
Reviewed by:	melifaro
MFC after:	3 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33717

(cherry picked from commit c217390359)
(cherry picked from commit f567fcb2ff)
2022-01-26 19:35:40 -05:00
Rick Macklem 82dbca47a5 mount_nfs: Add a "bgnow" NFS mount option
The "bg" option does not go background until the initial mount
attempt fails, which can take 60+ seconds.

This new "bgnow" option goes background immediately, avoiding
the 60+ second delay, if the NFS server is not yet available.

The man page update is a content change.

PR:		260764

(cherry picked from commit 08a8d16cbb)
2022-01-25 15:25:06 -08:00
Andriy Gapon 82acfc0d78 add and use definitions for ATA power modes
Those can be returned by CHECK POWER MODE command (0xe5).
Note that some of the definitions duplicate definitions for Extended
Power Conditions.

(cherry picked from commit 75bc7150f4)
2022-01-25 09:43:11 +02:00
Li-Wen Hsu 7ce7a36db0 fsck(8): Fix typo
PR:		260949
Reported by:	Graham Perrin <grahamperrin@gmail.com>
MFC after:	3 days

(cherry picked from commit 6853ef66f1)
2022-01-15 20:34:18 +08:00
Konstantin Belousov e01bceba24 ldconfig: remove two symbols
(cherry picked from commit fcbb1441d0)
2022-01-15 02:51:14 +02:00