For some devices, like Marvell 88SE9230, it takes more time
to connect to the device. This patch introduces a special flag
that extends the timeout from around 100ms to around 500ms.
This change is based on the work of: Peter Eriksson <pen@lysator.liu.se>
PR: 243401
Reviewed by: imp
Tested by: dch
MFC after: 3 days
Sponsored by: Equinix
Sponsored by: SkunkWerks, GmbH
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D38413
(cherry picked from commit f08ac4cb14c1c0740346a4363f82e1e1367c2bad)
This function has been around since 4.4BSD but was dropped upstream in 2020. This went unnoticed when tzcode was updated. Bring it back, but prepare for removing it before 14.0 is released.
PR: 269445
MFC after: 3 days
Reported by: val@packett.cool
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D38445
(cherry picked from commit 71e0c8906e)
Release notes are available at https://www.openssh.com/txt/release-9.2
OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable.
These fixes have already been committed to OpenSSH 9.1 in FreeBSD.
Some other notable items from the release notes:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.
* sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be
automatically closed. Different timeouts may be applied to session,
X11, agent and TCP forwarding channels.
* sshd(8): add a sshd_config UnusedConnectionTimeout option to
terminate client connections that have no open channels for a
length of time. This complements the ChannelTimeout option above.
* sshd(8): add a -V (version) option to sshd like the ssh client has.
* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
allow control over some SFTP protocol parameters: the copy buffer
length and the number of in-flight requests, both of which are used
during upload/download. Previously these could be controlled in
sftp(1) only. This makes them available in both SFTP protocol
clients using the same option character sequence.
* ssh-keyscan(1): allow scanning of complete CIDR address ranges,
e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
it will be expanded to all possible addresses in the range
including the all-0s and all-1s addresses. bz#976
* ssh(1): support dynamic remote port forwarding in escape
command-line's -R processing. bz#3499
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit f374ba41f5)
Don't force /etc/ssl/cert.pem. It does not exist by default, only if
security/ca_root_nss is installed. Just use the default OpenSSL search
locations which are /etc/ssl/cert.pem and /etc/ssl/certs/.
The tls-system-cert option was added in Unbound 1.16.0.
Reviewed by: zlei
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D38243
(cherry picked from commit 8932f7ce17)
After a failed upgrade, having fetch(1) on a system that is
physically unreachable would be very useful to download files
required to get the OS back up and functional.
On my system this adds 589,824 bytes (3.8%) to the binary size.
PR: 266224
Reported by: Dan Mahoney
Differential Revision: https://reviews.freebsd.org/D38193
(cherry picked from commit ea34aa4780)
rescue: Fix link order of SSL libraries and fetch.
ld.bfd requires libraries to be linked in order. libssl requires
libcrypto. libfetch requires libssl. To fix the latter, move fetch
up above tar rather than listing the ssl libraries twice.
Reviewed by: delphij
Fixes: ea34aa4780 rescue: Add fetch(1) to the rescue tool.
Differential Revision: https://reviews.freebsd.org/D38304
(cherry picked from commit 0f031350f3)
Netlink sockets sometimes require larger buffers than other sockets.
For example, full-view IPv4 dump sent via netlink may consume 50+ megabytes.
The desired buffer may be bigger than the system maximum `sb_max`.
FreeBSD HEAD has a mechanism for overriding protocol `setsockopt()` handler,
which netlink uses to permit buffer reservations beyond `sb_max`.
This behaviour is handy as it doesn't require system administrator to lift
the limits for other sockets.
Stable/13 lacks such a mechanism, so a different approach has to be used.
This diff is a direct commit to stable/13 and it simply copies the logic from
Netlink in -HEAD for checking if the larger buffer size should be permitted.
Differential Revision: https://reviews.freebsd.org/D38472
Use serial port setup done by system firmware.
ARM64 Hyper-V hangs if we attempt to override the defaults,
therefore we should default to use settings from firmware.
Tested by: schakrabarti@microsoft.com
PR: 266248
MFC after: 1 week
(cherry picked from commit c243de11cf)
This commit allows a kbdcontrol binary built with a version of kbio.h
that supports Unicode characters in dead key maps to load and display
keymaps including the dead key tables on a kernel built with a
previous version of kbio.h (that only supported 8 bit characters in
the dead key map).
This commit is meant as a temporary compatibility shim that will be
reverted when it can be assumed that all relevant systems have been
upgraded to a kernel that uses the updated kbio.h.
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D38388
(cherry picked from commit b92f8e5c0d)
Support for Unicode characters had been added to the keyboard code,
but there are keymaps that have accented characters accessed via dead
key combinations, and those were still restricted to 8 bit codes.
This update to kbd.c adds support for Unicode characters and
compatibility code that allows a kbdcontrol command built from kbio.h
without these patches to work on a new kernel.
Compatibility code that allows a new kbdcontrol binary running on an
old kernel to load and display the dead key map will be committed in a
separate commit.
Reviewed by: imp, brooks
Approved by: brooks
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D38381
(cherry picked from commit 4972fb9276)
This update contains only documentation changes (new main repository
URL and changed mail address of the program author) and changes to
the build system that do not affect the FreeBSD base system build.
MFC after: 3 days
(cherry picked from commit 4fca8e0f65)
Under the scenario with a packet with length of 67 bytes, a header length
using the default of 20 bytes and a TCP data offset (th_off) of 48 will
cause m_pullup() to fail to make sure bytes are arranged contiguously.
m_pullup() will free the mbuf chain and return a null. ipfilter stores
the resultant mbuf address (or the resulting NULL) in its fr_info_t
structure. Unfortunately the erroneous packet is not flagged for drop.
This results in a kernel page fault at line 410 of sys/netinet/ip_fastfwd.c
as it tries to use a now previously freed, by m_pullup(), mbuf.
PR: 266442
Reported by: Robert Morris <rtm@lcs.mit.edu>
(cherry picked from commit 79f7745c09)
ipf_pullup() outputs a pointer to ip_t. Though returning a pointer to
void does work, it is imprecise and not completely correct.
(cherry picked from commit c941e8c65d)
Protocols such as netlink may need a large socket receive buffer,
measured in tens of megabytes. This change allows netlink to
set larger socket buffers (given the privs are in place), without
requiring user to manually bump maxsockbuf.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D36747
(cherry picked from commit 7b660faa9e)
While there, remove .Tn from man pages.
Also remove an obsolete comment about the 80386.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans, allanjude
Differential Revision: https://reviews.freebsd.org/D38373
(cherry picked from commit 2768d70567)
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D38290
(cherry picked from commit 822fa7ae1e)
cp: Simplify the common case.
* The allocated buffer is only used in the fallback case, so move it
there. The argument for passing it in from the caller was that if
malloc(3) were to fail, we'd want it to fail before we started
copying anything, but firstly, it was already not in the right place
to ensure that, and secondly, malloc(3) never fails (except in very
contrived circumstances, such as an unreasonable RLIMIT_AS or
RLIMIT_DATA).
* Remove the mmap(2) option. It is almost never beneficial,
especially when the alternative is copy_file_range(2), and it adds
needless complexity and indentation.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: rmacklem, mav
Differential Revision: https://reviews.freebsd.org/D38291
(cherry picked from commit 6c85042afc)
cp: Minor code cleanup.
* Fix includes in utils.c, cf. style(9).
* Fix type mismatch: readlink(2) returns ssize_t, not int.
* It is not necessary to set errno to 0 as fts_read(3) already does it.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D38369
(cherry picked from commit cb96a0ef00)
cp: Adjust the sparse file tests.
* The sparsity check was ineffective: it compared the apparent size in bytes to the actual size in blocks. Instead, write a tool that reliably detects sparseness.
* Some of the seq commands were missing an argument.
* Based on empirical evidence, 1 MB holes are not necessarily large enough to be preserved by the underlying filesystem. Increase the hole size to 16 MB.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: cracauer
Differential Revision: https://reviews.freebsd.org/D38414
(cherry picked from commit 8b418c83d1)
Arguments follow primaries, not the other way around.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D38173
(cherry picked from commit 14ebab25e1)
While here, complete the libxo conversion and switch return value to standard constants.
MFC after: 1 week
Sponsored by: Klara, Inc.
Differential revision: https://reviews.freebsd.org/D38097
(cherry picked from commit c968598479)
The BSD style commands (with names not ending in "sum") ignored the -c
options and the passed digest value when invoked with -q.
The man page stated that -q causes only the calculated digest to be
printed, but did not consider the case of both the -q and -c being
used in combination.
Since there is no warning that -c will be ignored when the -q option
is used, users might (and did) expect that the exit code would reflect
the matching of the calculated digest and the argument passed with -c.
This update implements and documents this expected behavior.
PR: 265461
Reported by: Dmitrij <bugs.freebsd@1fff.net>
MFC after: 2 weeks
(cherry picked from commit 9f3aa538e3)
Implement Linux-variant of MSG_TRUNC input flag used in recv(), recvfrom() and recvmsg().
Posix defines MSG_TRUNC as an output flag, indicating packet/datagram truncation.
Linux extended it a while (~15+ years) ago to act as input flag,
resulting in returning the full packet size regardless of the input
buffer size.
It's a (relatively) popular pattern to do recvmsg( MSG_PEEK | MSG_TRUNC) to get the
packet size, allocate the buffer and issue another call to fetch the packet.
In particular, it's popular in userland netlink code, which is the primary driving factor of this change.
This commit implements the MSG_TRUNC support for SOCK_DGRAM sockets (udp, unix and all soreceive_generic() users).
PR: kern/176322
Reviewed by: pauamma(doc)
Differential Revision: https://reviews.freebsd.org/D35909
MFC after: 1 month
(cherry picked from commit be1f485d7d)
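The peek-then-allocate pattern that commit message describes, as an added example (not code from the commit or from FreeBSD). The helper names `recv_whole_dgram` and `demo_roundtrip` are hypothetical, the test message is constructed, and the code assumes a kernel that honours MSG_TRUNC as an input flag on datagram sockets.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/* Receive one whole datagram, sizing the buffer from a peek.
 * Returns a malloc'd buffer (caller frees) and its length, or NULL. */
static void *recv_whole_dgram(int fd, size_t *len)
{
    char probe;
    /* MSG_PEEK keeps the datagram queued; MSG_TRUNC as an input flag makes
     * recv() report the full datagram size, not the 1 byte copied. */
    ssize_t need = recv(fd, &probe, sizeof(probe), MSG_PEEK | MSG_TRUNC);
    if (need < 0)
        return NULL;
    void *buf = malloc(need > 0 ? (size_t)need : 1);
    /* Consume it; MSG_TRUNC again so a size mismatch is visible, not cut. */
    ssize_t got = buf ? recv(fd, buf, (size_t)need, MSG_TRUNC) : -1;
    if (got != need) {
        free(buf);
        return NULL;
    }
    *len = (size_t)got;
    return buf;
}
/* Constructed self-test over a local datagram socketpair; -1 on failure. */
static long demo_roundtrip(size_t n)
{
    unsigned char msg[2048];
    size_t len = 0;
    void *got = NULL;
    int sv[2];
    if (n > sizeof(msg) || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        msg[i] = (unsigned char)(i * 7);
    if (send(sv[0], msg, n, 0) == (ssize_t)n)
        got = recv_whole_dgram(sv[1], &len);
    long ok = got != NULL && len == n && memcmp(got, msg, n) == 0;
    free(got);
    close(sv[0]);
    close(sv[1]);
    return ok ? (long)len : -1;
}

int main(void) { return demo_roundtrip(1500) == 1500 ? 0 : 1; }
```

With several readers on one socket, the datagram consumed by the second call may not be the one that was peeked, which is why the helper compares the two lengths instead of trusting the first.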
The testloop function is called with various parameters, but those
were ignored in the coreutils-c-test script. This was an oversight
and is fixed by passing the option to all invocations of the hash
functions in this test script.
Reported by: des
MFC after: 3 days
(cherry picked from commit d804497068)
Add support for the scenario when user adds/deletes paths for a single
prefix one-by-one, all with different weights.
This change adds a new FreeBSD-specific RTA attribute, NL_RTA_WEIGHT.
When dumping non-multipath routes, this attribute is added if the
route weight is not RT_DEFAULT_WEIGHT.
When adding a new route, this attribute is parsed as a relative path
weight.
MFC after: 2 weeks
(cherry picked from commit 3ebccb20d5)
Currently CARP starts announcing its state when initialised, regardless
of the state of the other services provided by the server.
As a result, the device can become master while still loading the
firewall ruleset or initialising long-starting service.
This change adds the way to request delayed CARP start by setting the
net.inet.carp.allow=0 in the loader.conf.
Differential Revision: https://reviews.freebsd.org/D38167
MFC after: 2 weeks
(cherry picked from commit ee49c5d33d)
This is a followup of 692e19cf51 (add netlink to GENERIC@amd64).
Netlink is a communication protocol defined in RFC 3549. It is async,
TLV-based protocol, providing 1-1 and 1-many communications between kernel
and userland. Netlink is currently used in Linux kernel to modify, read and
subscribe for nearly all networking states. Interface state, addresses, routes,
firewall, rules, fibs, etc, are controlled via Netlink.
Netlink support was added in D36002. It has got a number of improvements and
first customers since then:
* net/bird2 got netlink support, enabling route multipath in FreeBSD
* netlink-based devd notifications are being worked on ( D37574 ).
* linux(4) fully supports and depends on Netlink
Enabling Netlink in GENERIC targets two goals.
The first one is to provide stability for the third-party userland applications,
so they can rely on the fact that netlink always exists since 14.0 and potentially 13.2.
Loadable module makes life of the app developers harder. For example, `net/bird2` can be
either built with netlink or rtsock support, but not both.
The second goal is to enable gradual conversion of the base userland tools
to use netlink(4) interfaces. Converting tools like netstat (D36529), route,
ifconfig one-by-one simplifies testing and addressing the feedback.
Otherwise, switching all base to use netlink at once may be too big of a leap.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D37783
(cherry picked from commit e80699a809)
This change follows the approach used in 80fc25025f, to
minimise the impact of the delayed interface migration.
MFC after: 2 weeks
(cherry picked from commit 20ea7f26e4)
Currently, under the conditions specified below, IPv6 ingress packet
processing can ignore blackhole/reject flag on the prefix. The packet
will instead be looped locally till TTL expiration and a single ICMPv6
unreachable message will be sent to the source even in case of
RTF_BLACKHOLE.
The following conditions need to hold to make the scenario happen:
* IPv6 forwarding is enabled
* Packet is not fast-forwarded
* Destination prefix has either RTF_BLACKHOLE or RTF_REJECT flag
Fix this behavior by checking for the blackhole/reject flags in
ip6_forward().
Reported by: Dmitriy Smirnov <fox@sage.su>
Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D38164
MFC after: 3 days
(cherry picked from commit 30dd227cff)
Pass `-vv` to pytest in order to always get the full output.
While here, enforce the modeline.
Differential Revision: https://reviews.freebsd.org/D37894
MFC after: 2 weeks
(cherry picked from commit 058ac3e806)
When handling userspace exceptions on arm64 we need to dereference the
current thread pointer. If this is being promoted/demoted there is a
small window where it will cause another exception to be hit. As this
second exception will set the fault address register we will read the
incorrect value in the userspace exception handler.
Fix this by always reading the fault address before dereferencing the
current thread pointer.
Reported by: olivier@
Reviewed by: markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D38196
(cherry picked from commit f29942229d)