be executed in the if() conditional. If its not supposed to be printed
inside the conditional, then the braces should be removed and the extra
tabs on the fprintf() should be removed.
Noted by cross compilation with gcc-mips.
- add static in a number of places
- initialize __progname rather than rely on magical extern values
- use nitems() instead of manually spelling it out
- unshadow 'idi'
- teach 'error' that it is '__dead2'
- add missing 'break'
- remove param: unused since r95357.
- correct definition of usage
- add explicit fallthrough notice. The existing one doesn't work with
our selection of "implicit-fallthrough" strictness.
This results in WARNS=6 building on amd64, but not other arches
Normally pf rules are expected to do one of two things: pass the traffic or
block it. Blocking can be silent - "drop", or loud - "return", "return-rst",
"return-icmp". Yet there is a 3rd category of traffic passing through pf:
Packets matching a "pass" rule but when applying the rule fails. This happens
when redirection table is empty or when src node or state creation fails. Such
rules always fail silently without notifying the sender.
Allow users to configure this behaviour too, so that pf returns an error packet
in these cases.
PR: 226850
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
MFC after: 1 week
Sponsored by: InnoGames GmbH
We do not have code to fix this situation, and the mismatch does not
prevent the kernel driver from consuming the file system, and some factory
formatted SD cards seem to have a garbage backup block.
This makes the code match to its comments (replacing pfatal with pwarn).
Inspired by: NetBSD r1.13
Inspired by: b47b16353f
MFC after: 2 weeks
containing paths, fingerprints, and optional option flags which in turn
get pushed into the MAC/veriexec meta-data store via the veriexec device.
The format of the fingerprints file is as follows:
path type fingerprint options
The type of fingerprint supported depends on what MAC/veriexec fingerprint
modules have been loaded into the system. The veriexecctl application is
able to determine which ones are available by consulting the
security.mac.veriexec.algorithms sysctl.
The following options are currently supported in MAC/veriexec and by the
veriexecctl application:
indirect
If this option is set then the executable cannot be invoked directly, it
can only be used as an interpreter in shell scripts.
file
Indicates that the fingerprint is associated with a file, not an
executable. Files have their fingerprints verified during open(2) and are
automatically made read only. This option may be used to verify shared
libraries have not been tampered with.
no_ptrace
If this option is set then the executable cannot be traced with the
ptrace(2) process tracing and debugging call.
trusted
If this option is set then the executable is allowed to write to the
mem(4) devices. By default, when verified execution is enforced, no
process is allowed to write to the mem(4) devices.
The options are not case sensitive.
Reviewed by: jtl, wblock
Obtained from: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D8575
Continuing with a NULL hints variable just triggers a segfault later on.
The other error cases in this function all exit for an error rather than
warning.
Reviewed by: imp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D15579
Implement MK_NVME now that the expression for where NVMe is
complicated. Default it to "yes" for x86 and powerpc64 and
no everywhere else. Use it in camcontrol to define WITH_NVME
for those platforms where we support nvme.
This should fix the newly introduced nvme files to camcontrol
which were building everywhere.
Pointy Hat To: imp
Sponsored by: Netflix
Both ATA and NVME have an identify command. They are completely
different, but to the user they are the same. Leverage nvmecontrol's
print_controller code to provide that functionality to camcontrol
identify. Query the path to see what kind of protocol it supports, and
send the most appropriate command down. Refactor nvme_print_dev a
little to make it easy to get the nvme cdata.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D15371
Rename print_controller to nvme_print_controller. Put it in its
own file for easy inclusion. Move util.c to be nc_util.c to not
conflict with camcontrol. add nvecontrol_ext.h to define shared
interfaces.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D15371
The size limits came from a flawed understanding of dump records.
The real issue was that dump was bogusly interpreting c_count
sometimes. r334978 fixes that.
We shouldn't count the bytes set in c_addr for TS_CLRI and TS_BITS
nodes. Those block overload c_count to communicate how many blocks
follow, not now many c_addr spaces are used. Dump would dump core
(now) because memory layout moved around and we'd access elements past
the end to make a count.
Reviewed by: kib@
Add some asserts that prevents the overflows of c_addr. This can't
happen, absent bugs. However, certain large filesystems can cause
problems. These have been prevented by r334968, but a solution
is needed. These asserts will help assure that solution is correct.
PR: 228807
Reviewed by: db
c_addr in spcl. So check before we start dumping otherwise we can
end up with a corrupted dump.
PR: 228807
Submitted by: db
Reviewed by: imp
Approved by: imp
PowerPC has PAGE_SIZE as a long, not an int. This causes the compiler to throw
a format mismatch warning on this print. To work around the difference, print
it as a long instead of an int, and force the argument to a long.
Reviewed By: imp
Differential Revision: https://reviews.freebsd.org/D15653
In the pf rc.d script the output of `/etc/rc.d/pf status` or `/etc/rc.d/pf
onestatus` always provided an exit status of zero. This made it fiddly to
programmatically determine if pf was running or not.
Return a non-zero status if the pf module is not loaded, extend pfctl to have
an option to return an error status if pf is not enabled.
PR: 228632
Submitted by: James Park-Watt <jimmypw AT gmail.com>
MFC after: 1 week
In some cases broken DHCP servers might send invalid MTU value, so allow to
use 'supersede' in dhclient.conf to override this. When superseded value is
0, MTU value is not updated at all.
PR: 206721
Submitted by: novel@
Reported by: <jimp AT pfsense.org>
MFC after: 37 minutes (if you care about 11, please MFC to 11.2)
Relnotes: yes (potentially surprising behavior change w/ broken dhcpd mtu)
Differential Revision: https://reviews.freebsd.org/D15484
This change also makes alignment and spacing an explicit number rather
than a bunch of spaces.
Reviewed by: mmacy
Requested by: Yuri Pankov <yuripv@yuripv.net>
The objdir is temporary, and the current example points to GENERIC.
Instead point to the installed location of the debug symbols that are
supposed to match the kernel you are using.
PR: 223993
Submitted by: Trond.Endrestol@ximalas.info
I'm not quite sure why this wasn't caught before. Most likely due to
some generated file not being properly cleaned.
Fix build by just hiding the warnings that `-i` was supposed to fix.
Tested with clang, gcc9, gcc7
match the name of this capability. It was added recently and is not merged
to stable branch, so I hope it is not too late to change the name.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D15475
Perhaps RB_MUTE could mute user startup (rc) output as well, but right
now it mutes only kernel console output, so make the documentation match
reality.
PR: 228193
Sponsored by: The FreeBSD Foundation
Previously gpart's man page listed some command options in prose, and
some in table form, which made it more difficult to use as a reference.
Reviewed by: bcr
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D15135
Alphabetical order, uppercase before lowercase for each letter and with
no regard to whether an option takes an argument.
Sponsored by: The FreeBSD Foundation
Change uint8_t type of opcode argument to int in the print_opcode()
function. Use negative value to print the rest of opcodes, because
zero value is O_NOP, and it can't be uses for this purpose.
Reported by: lev
MFC after: 1 week
