And put the tcp-wrapper utilities in it.
Reviewed by: emaste
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33439
Move some needed binaries/libs from FreeBSD-utilities to FreeBSD_runtime.
This is everything needed to boot to multiuser with FreeBSD-rc installed.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33435
YP is less and less used, split them to users have the choice to not
install them.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33441
Various tools can have alternate versions elsewhere, eg: the GNU
mailutils port (a dependency of emacs*) brings /usr/local/bin/mail.
Match the preset PATH in /etc/crontab for deterministic path searches
even when run manually with a different environment.
PR: 259265
Reported by: iandstanley@gmail.com
The tcp:::debug-input probe is passed an mbuf pointer, use the correct
translator for ipinfo_t when defining tcp:::debug-input.
Fixes: 82988b50a1 ("Add an mbuf to ipinfo_t translator to finish ...")
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D33066
Commit 867c27c23a modified the NFS client so that
it does IO_APPEND writes directly to the NFS server,
bypassing the buffer cache. However, this could result
in stale data in client pages when the file is mmap(2)'d.
As such, the NFS client needs to call vm_object_is_active()
to check if the file is mmap(2)'d and only do direct
output if the file is not mmap(2)'d.
This patch adds this check.
Although a simple patch, I have given it a long MFC,
since the related commit 867c27c23a made a significant
semantics change and, as such, has a long MFC.
MFC after: 3 months
Implement a -v option to usbconfig(8), as a shortcut for the most
frequently needed commands dump_device_desc, dump_curr_config_desc,
and show_ifdrv.
While here, implement a real -h option that has been promised by the
man page.
Use <sysexits.h> to declare the utility return codes.
Reviewed by: hselasky
Differential Revision: https://reviews.freebsd.org/D33586
MFC after: 2 weeks
When a connection is established to use TCP-MD5, tcp_twrespond() doesn't
respond with a signed segment. This results in the host performing the
active close to remain in a TIME_WAIT state and the other host in the
LAST_ACK state. Fix this by sending a signed segment when the connection
is established to use TCP-MD5.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D33490
Use of lorder(1) is not required by contemporary linkers.
The GNU coreutils manual[1] has a good description of the use of lorder
and tsort:
This whole procedure has been obsolete since about 1980, because
Unix archives now contain a symbol table (traditionally built by
ranlib, now generally built by ar itself), and the Unix linker uses
the symbol table to effectively make multiple passes over an archive
file.
See 0e1e341b48 for some more details.
[1] https://www.gnu.org/software/coreutils/manual/html_node/tsort-background.html
PR: 259254 [exp-run]
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
This reverts commit 4f741801d8.
As per discussion in PR: 260303 the reverted patch covered the
real issue with a fixed address of the top of the stack.
Remove the remaining unused source files. These were never used.
This is the last of a three commit series to move ipfilter.
Discussed with: glebius
Reviewed by: glebius, kp (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33510
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sbin/ipf. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to sbin.
This is the second of three commits of the ipfilter move.
Suggested by glebius on two occaions.
Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33510
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sys/netpil. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to netpfil.
This is the first of three commits the ipfilter move.
Suggested by glebius on two occaions.
Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33510
On boot we don't need to perform any CPU cache management when the IDC
and DIC fields in the ctr_el0 register are set. Add a command to tell
loader to ignore these fields. This could be useful, for example, if the
hardware is misreporting the values and we are missing a quirk to enable
it.
It is not expected this will be needed, but is only intended as a
workaround to ensure the kernel can still boot.
Sponsored by: The FreeBSD Foundation
In the arm64 loader we need to syncronise the I and D caches. On some
newer CPUs the I and D caches are coherent so we don't need to perform
these operations.
While here remove the arguments to cpu_inval_icache as they are unneeded.
Reported by: cperciva
Tested by: cperciva
Sponsored by: Innovate UK
* in usage(), clearly mark -i interface as optional
* both, -u busnum and -a devaddr are optional as well
* various minor man page fixes
* clearly mark those two commands that actually use -i ifaceidx
* remove unused bitfield tag got_iface
* fix indentation level according to review comment
Differential Revision: https://reviews.freebsd.org/D33579/
Reviewed by: hselasky
MFC after: 2 weeks
This makes option handling consistent with other utilities as well as
Posix rules. By that, it's no longer important whether option name and
its argument are separated by a space or not, so -d5.3 works the same
as -d 5.3.
Also, recognize either /dev/ugen or ugen as prefix to the -d argument.
Note that this removes the undocumented feature that allowed to
specify multiple -d n.m options interleaved with commands referring to
that particular device in a single run.
This driver does not use DMA at the moment, so some care is needed to
prevent TX FIFO underruns and RX FIFO overflows.
Several improvements are done in oder to minimize chances of those.
First, the interrupt handling is moved to a filter to minimize latency.
Second, FIFO trigger thresholds are configured for both FIFOs.
The TX FIFO threshold is set to 3/4-th of its size and the RX FIFO
threshold is set to 1/4-th of its size.
The interrupt conditions are changed from the empty FIFO and full FIFO
for the TX and RX correspondingly to going below and above the thresholds.
While here I renamed AW_SPI_IER_RF_ERQ to AW_SPI_IER_RF_RDY which is
closer to what the documentation uses, RF_RDY_INT_EN in the interrupt
control register and RX_RDY in the interrupt status register.
Reviewed by: manu
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D33558
In C, plain inline functions should never be used: they should be
declared either static inline or extern inline. In this case, they are
clearly meant to be static inline.
MFC after: 3 days
Don't send the SCSI comand SYNCHRONIZE CACHE on devices that are still
open when RB_NOSYNC is the reboot method. This may avoid recursive panics
when doadump is called due to a SCSI/CAM/USB error/bug.
Obtained from: Semihalf
Sponsored by: Stormshield
Reviewed by: imp
Differential revision: https://reviews.freebsd.org/D31549
With ASLR enabled by default, RLIMIT_STACK test fails due to the fact
that default stack gap can be as big as 15M. Because of that the
resource limit of 4M results in test program receiving SIGSEGV
immediately after exiting the setrlimit syscall. Since the idea of this
test is to check if rlim_cur does not extend past rlim_max, adjusting
the resource limit to 20M should not invalidate the test results.
Obtained from: Semihalf
Sponsored by: Alstom Group
Differential revision: https://reviews.freebsd.org/D33116
Summary:
One was required to press a key to continue after every 18 lines of
output. This requirement had been in the "show vmopag" command since it
was introduced, which was many years before paging was added to DDB.
With paging, this explict key check is no longer necessary.
Obtained from: Juniper Networks, Inc.
MFC after: 1 week
Test Plan:
Run "show vmopag" from db> prompt and see that it does not need additional
keypresses other than the ones needed for the pager.
Subscribers: imp, #contributor_reviews_base
Differential Revision: https://reviews.freebsd.org/D33550
Commit 867c27c23a modified the NFS client so that
it does IO_APPEND writes directly to the NFS server,
bypassing the buffer cache. However, this could result
in stale data in client pages when the file is mmap(2)'d.
As such, the NFS client needs to call is_object_active()
to check if the file is mmap(2)'d.
This patch renames is_object_active() to vm_object_is_active(),
moves it to sys/vm/vm_object.c and makes it global, so that
the NFS client can call it in a future commit.
Reviewed by: kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D33520
The structure goes away anyway, but it would be interesting to know
how much memory we used to save with it. So for the record, structure
size with this revision is 64 bytes.
From OpenSSH 8.8p1's release notes:
---
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
---
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.
The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Running sys/netpfil/pf/fragmentation v6 results in:
lock order reversal:
1st 0xfffffe00050429a8 rip (rip, sleep mutex) @ /usr/src/sys/netinet6/raw_ip6.c:803
2nd 0xfffff8009491e1d0 rawinp (rawinp, rw) @ /usr/src/sys/netinet6/raw_ip6.c:804
lock order rawinp -> rip established at:
0xffffffff8068e26a at witness_lock_order_add+0x28a
0xffffffff8068d087 at witness_checkorder+0x627
0xffffffff805a9f05 at __mtx_lock_flags+0x205
0xffffffff808102e4 at in_pcballoc+0x204
0xffffffff808d53c6 at rip6_attach+0x116
0xffffffff806dc4e8 at socreate+0x368
0xffffffff806eaedc at kern_socket+0xfc
0xffffffff806eadcd at sys_socket+0x2d
0xffffffff80abc774 at syscallenter+0x5c4
0xffffffff80abbeeb at amd64_syscall+0x1b
0xffffffff80a8044b at fast_syscall_common+0xf8
lock order rip -> rawinp attempted at:
0xffffffff8068dc2a at witness_checkorder+0x11ca
0xffffffff805d1b7f at _rw_wlock_cookie+0x18f
0xffffffff808d596c at rip6_connect+0x19c
0xffffffff806e0842 at soconnectat+0x142
0xffffffff806ebe36 at kern_connectat+0x136
0xffffffff806ebcdf at sys_connect+0x4f
0xffffffff80abc774 at syscallenter+0x5c4
0xffffffff80abbeeb at amd64_syscall+0x1b
0xffffffff80a8044b at fast_syscall_common+0xf8
Reviewed by: glebius
Fixes: de2d47842e ("SMR protection for inpcbs")
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33508
Make sure to reset 'message_done' flag when jumping from a message to the
next one within the same interrupt handler call. This happens only when
a write with no-stop flag message is followed by a write with no-start
flag message.
Without this fix the second message would be prematurely "completed"
without waiting for an ACK (or NACK) for its first byte and without
sending subsequent bytes (if any).
Fixes: ff1e8581 twsi: support more message combinations in transfers
MFC after: 4 days
The problem is that carp(4) would clear the error counter on first
successful send, and stop counting successes after that. Fix this
logic and document it in human language.
PR: 260499
Differential revision: https://reviews.freebsd.org/D33536
Thanks to gallatin@ for suggesting the patch.
PR: 260330
Reported by: Vincent Milum Jr.
Reviewed by: gallatin, glebius
Tested by: Vincent Milum Jr.
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D33395
dirdeps.mk: simplify computation of qualified vs unqualified dirdeps.
Note the importance of avoiding unresolved variables in DIRDEPS
Fix DIRDEP_LOADAVG_REPORT - expr(1) fails if expression evaluates to 0
Trim ${SRCTOP}/ from debug etc messages to make comparison easier.
Include number of DIRDEPS in debug output.
Trim ${SRCTOP}/ when exporting to env while building DIRDEPS_CACHE
to help avoid env exhaustion.
Use DIRDEPS_ALL_MACHINES_FILTER to better handle ALL_MACHINES
in complex build environments.
dirdeps-options.mk: use separate .undef for each variable
dirdeps-targets.mk: allow for '.' in DIRDEPS_TARGETS_DIRS
meta.autodep.mk: leverage ${.SUFFIXES} if we can.
meta.sys.mk: allow use in META_MODE vs DIRDEPS_BUILD
meta2deps.py: compute a list of dirdep extensions that map to current
TARGET_SPEC to avoid confusion.
Reviewed by: stevek
