Prefer libpfctl functions over direct access to the ioctl whenever
possible. This will allow subsequent removal of DIOCGETSTATUS (in 15) as
there already is an nvlist-based alternative.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41647
At least one user reports issues with vmx interfaces after 725e4008ef,
where we default to not resetting the interface on VLAN changes. This
was on an ESXi 7.0.3 setup.
Reported by: Marcos Mendoza <mmendoza@netgate.com>
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
These aren't really needed, since TACACS+ does not support enumeration, but providing placeholders keeps nsdispatch() from complaining that they're missing.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D41658
This is intended to be used with the upcoming updated ice(4) version
1.38.16-k.
Signed-off-by: Eric Joyner <erj@FreeBSD.org>
MFC after: 3 days
Sponsored by: Intel Corporation
A few recent makefiles should have been added to FILES.
Rename sys.machine.mk to local.sys.machine.mk as it is very
tree specific so does not belong in /usr/share/mk/
Reviewed by: stevek
Differential Revision: https://reviews.freebsd.org/D41642
For oubound traffic, the flag M_VLANTAG is set in mbuf packet header to
indicate the underlaying interface do hardware VLAN tag insertion if
capable, otherwise the net stack will do 802.1Q encapsulation instead.
Commit 868aabb470 introduced per-flow priority which set the priority ID
in the mbuf packet header. There's a corner case that when the driver is
disabled to do hardware VLAN tag insertion, and the net stack do 802.1Q
encapsulation, then it will result double tagged packets if the driver do
not check the enabled capability (hardware VLAN tag insertion).
Unfortunately some drivers, currently known cxgbe(4) re(4) ure(4) igc(4)
and vmx(4), have this issue. From a quick review for other interface
drivers I believe a lot more drivers have the same issue. It makes more
sense to fix in net stack than to try to change every single driver.
PR: 270736
Reviewed by: kp
Fixes: 868aabb470 Add IP(V6)_VLAN_PCP to set 802.1 priority per-flow
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D39499
IGMP requires hosts to use the lowest version they've seen on the
network. When the IGMP timers expire we take the opportunity to upgrade again.
However, we did not take the net.inet.igmp.default_version sysctl
setting into account, so we could end up switching to IGMPv3 even if the
user had requested IGMPv2 or IGMPv1 via the sysctl.
Check V_igmp_default_version before we upgrade the IGMP version.
Reviewed by: adrian
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41628
These targets generate all the assembly files in sys/crypto/openssl.
Reviewed by: markj, emaste (earlier version)
Differential Revision: https://reviews.freebsd.org/D41590
Currently Makefile.asm relies on the current buildenv to set CFLAGS
for i386. The current approach also leaves various temporary *.s
files around in the current directory. To make this a bit better:
- Instead of using CFLAGS from buildenv for i386, define the actual
flags the perl scripts need: -DOPENSSL_IA32_SSE2 to enable SSE2.
- Change i386 to have the perl scripts write to /dev/stdout to avoid
creating temporaries. Previously i386 was generating the temporary
files in the OpenSSL contrib src.
- Cleanup temporary *.s files in the all target after generating the
real *.S files for architectures which need them.
- Remove a duplicate rule for aes-armv4.S.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41589
The :R:S expressions removed the .pl extension only to add it back
again, so just trim them to using :T alone.
Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>, markj, emaste
Differential Revision: https://reviews.freebsd.org/D41588
When $label == "0", $label is not truthy, so `if ($label)` thinks there isn't
a label. Correct this by looking at the result of the s/// command.
Verified that there are no changes in the .S files created during a normal
build, and that the "0:" labels appear in the translation given in the error
report (and they are the only difference in the before and after output).
Obtained from: OpenSSL commit 9607f5ccf285ac9988a86f95c5ad9f92b556a843
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41587
To overcome package name changing on default Python version updates.
Approved by: gjb (re)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41453
Lack of an AMD IOMMU driver means we cannot successfully route
interrupts to APIC IDs 255 and over. Do not add the corresponding CPUs
to the per-domain lists of CPUs to which interrupts can be assigned.
This change should be reverted (or, at least the APIC ID limit) once we
have an AMD IOMMU / interrupt remapping driver.
See also commits fa5f94140a ("msi: handle error from BUS_REMAP_INTR in
msi_assign_cpu") and 4258eb5a0d ("x86: handle domains with no CPUs
usable for intr delivery.").
Reviewed by: markj, jhb
Tested by: cperciva (earlier version)
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41618
These now have nvlist based alternatives, so remove them.
Reviewed by: mjg, Pau Amma <pauamma@gundo.com> (man page)
MFC after: never
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30056
After commit 937b4473be aesni_cipher_crypt() and aesni_cipher_mac()
execute in a FPU_KERN_NOCTX section, which means that they must run with
preemption disabled. These functions handle discontiguous I/O buffers
by allocating a contiguous buffer and copying as necessary, but this
allocation cannot happen with preemption disabled. Fix the problem by
pushing the FPU section down into aesni_cipher_crypt() and
aesni_cipher_mac(). In particular, encrypt-then-auth transforms need
not be handled with a single FPU section.
Reported by: syzbot+78258dbb02eb92157357@syzkaller.appspotmail.com
Discussed with: jhb
Fixes: 937b4473be ("aesni: Switch to using FPU_KERN_NOCTX.")
With ade70a1ad(svn r332196) ofw_spibus probes at the BUS_PROBE_DEFAULT
instead of 0. However, this races with spibus, resulting in ofw_spibus
often times losing the race and the OFW node not being referenced. This
in turn causes child device tree nodes to not be attached. Solve this
by returning 1 higher than spibus, just like acpi_spibus.
Sponsored by: Juniper Networks, Inc.
MFC after: 1 week
crypto_unregister_all already disables new sessions and waits for
existing sessions to be destroyed before returning.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41581
crypto_unregister_all already disables new sessions and waits for
existing sessions to be destroyed before returning.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41579
src.opts.mk includes bsd.own.mk, which sets SHLIBDIR, so having this
line after it does nothing. Hoist it like other libraries so it takes
effect.
Reported by: vishwin
Fixes: 2964804ef9 ("librt: unbreak LIB32 build")
The synopsis section of jail(8) is fine at showing everything that could
be on the command line, but doesn't make much sense. Add some sub-
ections for the different uses of the command.
Also fix up the paragraph about command-line parameter specification,
including removing some clearly erroneous information.
Reviewed by: dvl
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D41606
This adds formatted input/output of binary integer numbers to the printf(), scanf(), and strtol() families, including their wide-character counterparts.
Reviewed by: imp, emaste
Differential Revision: https://reviews.freebsd.org/D41511
Make sure that it can be used to change the passphrase of both attached
and detached providers.
PR: 254966
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Clear cached_passphrase before generating a new key, otherwise the
operation nonsensically tries to reuse the old passphrase.
PR: 254966
Pull Request: https://github.com/freebsd/freebsd-src/pull/780
MFC after: 1 week
libzfs uses librt as a dependency. Following 315ee00fa9 systems with
a separate / and /usr will fail to load the libzfs.so library because
librt.so is not available due to the fact that /usr is not mounted yet.
Install librt in /lib making it available to libzfs.
Reported by: emaste, imp
Fixes: 315ee00fa9
Differential Revision: https://reviews.freebsd.org/D41612
This adds the --crlf option to netcat, which triggers translation of \n
characters into \r\n sequences in the input -> network direction.
The Linux version of nc also supports this functionality with --crlf and
-C. The OpenBSD version uses -C to specify client certificates. Our
version is too old and doesn't have it, but I avoided adding -C anyway
to ease future syncs with upstream.
Attempts to upstream the feature were unsuccessful:
https://marc.info/?t=169282068500001
Differential Revision: https://reviews.freebsd.org/D41489
It's inefficient to ring the doorbell page every time a WQE is posted to
the received queue. Excessive MMIO writes result in CPU spending more
time waiting on LOCK instructions (atomic operations), resulting in
poor scaling performance.
Move the code for ringing doorbell page to where after we have posted all
WQEs to the receive queue in mana_poll_rx_cq().
In addition, use the correct WQE count for ringing RQ doorbell.
The hardware specification specifies that WQE_COUNT should set to 0 for
the Receive Queue. Although currently the hardware doesn't enforce the
check, in the future releases it may check on this value.
Tested by: whu
MFC after: 1 week
Sponsored by: Microsoft
Notable upstream pull request merges:
#15024 Add missed DMU_PROJECTUSED_OBJECT prefetch
#15029 Do not request data L1 buffers on scan prefetch
#15036 FreeBSD: catch up to __FreeBSD_version 1400093
#15039 Fix raw receive with different indirect block size
#15047 FreeBSD: Fix build on stable/13 after 1302506
#15049 Fix the ZFS checksum error histograms with larger record sizes
#15052 Reduce bloat in ereport.fs.zfs.checksum events
#15056 Avoid extra snprintf() in dsl_deadlist_merge()
#15061 Ignore pool ashift property during vdev attachment
#15063 Don't panic if setting vdev properties is unsupported for this vdev type
#15067 spa_min_alloc should be GCD, not min
#15071 Add explicit prefetches to bpobj_iterate()
#15072 Adjust prefetch parameters
#15076 Refactor dmu_prefetch()
#15079 set autotrim default to 'off' everywhere
#15080 ZIL: Fix config lock deadlock
#15088 metaslab: tuneable to better control force ganging
#15096 Avoid waiting in dmu_sync_late_arrival()
#15097 BRT should return EOPNOTSUPP
#15103 Remove zl_issuer_lock from zil_suspend()
#15107 Remove fastwrite mechanism
#15113 libzfs: sendrecv: send_progress_thread: handle SIGINFO/SIGUSR1
#15122 ZIL: Second attempt to reduce scope of zl_issuer_lock
#15129 zpool_vdev_remove() should handle EALREADY error return
#15132 ZIL: Replay blocks without next block pointer
#15148 zfs_clone_range should return descriptive error codes
#15153 ZIL: Avoid dbuf_read() before dmu_sync()
#15172 copy_file_range: fix fallback when source create on same txg
#15180 Update outdated assertion from zio_write_compress
Obtained from: OpenZFS
OpenZFS commit: 804414aad2
Implemented based on the tsec(4) multicast support. This is the minimum
required to support VLANs. The hardware does support vlan tagging,
among other acceleration features, which will be added at a later time.
MFC after: 2 weeks
The MNT_IGNORE flag can be used to mark certain filesystem mounts so
that utilities such as df(1) and mount(8) can filter out those mounts by
default. This can be used, for instance, to reduce the noise from
running container workloads inside jails which often have at least three
and sometimes as many as ten mounts per container.
The flag is supplied by the nmount(2) system call and is recorded so
that it can be reported by statfs(2). Unfortunately several filesystems
override the default behaviour and mask out the flag, defeating its
purpose. This change preserves the MNT_IGNORE flag for those filesystems
so that it can be reported correctly.
MFC after: 1 week
Summary:
- Six (6) new roots
- Four (4) distrusted roots
Note that this was intentionally generated with OpenSSL 1.1.1 to avoid
mixing updates and non-functional changes -- there will be some churn
with OpenSSL 3. The next commit will update the current batch of
trusted certs with the format OpenSSL 3 produces, which I've tested
against OpenSSL 1.1.1 to be sure that that doesn't hurt us in older
branches.
With this change, we'll drop the "with $FreeBSD$" lines from trusted/
certs in the next update. untrusted/ will need to be done manually, but
I'll likely just do them all manually, commit, then run the script and
commit any legitimate updates after confirming the output matches what
I did manually.
Reported by: imp
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D41597
