During software installation, use veriexec -S to strictly
enforce certificate validity checks (notBefore, notAfter).
Otherwise ignore certificate validity period.
It is generally unacceptible for the Internet to stop working
just because someone did not upgrade their infrastructure for a decade.
Sponsored by: Juniper Networks, Inc.
Reviewed by: sebastien.bini_stormshield.eu
Differential Revision: https://reviews.freebsd.org/D35758
Generally, access to the kernel debugger is considered to be unsafe from
a security perspective since it presents an unrestricted interface to
inspect or modify the system state, including sensitive data such as
signing keys.
However, having some access to debugger functionality on production
systems may be useful in determining the cause of a panic or hang.
Therefore, it is desirable to have an optional policy which allows
limited use of ddb(4) while disabling the functionality which could
reveal system secrets.
This loadable MAC module allows for the use of some ddb(4) commands
while preventing the execution of others. The commands have been broadly
grouped into three categories:
- Those which are 'safe' and will not emit sensitive data (e.g. trace).
Generally, these commands are deterministic and don't accept
arguments.
- Those which are definitively unsafe (e.g. examine <addr>, search
<addr> <value>)
- Commands which may be safe to execute depending on the arguments
provided (e.g. show thread <addr>).
Safe commands have been flagged as such with the DB_CMD_MEMSAFE flag.
Commands requiring extra validation can provide a function to do so.
For example, 'show thread <addr>' can be used as long as addr can be
checked against the system's list of process structures.
The policy also prevents debugger backends other than ddb(4) from
executing, for example gdb(4).
Reviewed by: markj, pauamma_gundo.com (manpages)
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D35371
Historically, GEOM utilities (gpart(8), gstripe(8), gmirror(8),
etc) used the gctl_error() routine to report errors. If they called
gctl_error() they would exit with EXIT_FAILURE, otherwise they would
return with EXIT_SUCCESS. If they used gctl_error() to output an
informational message, for example when run with the -v (verbose)
option, they would mistakenly exit with EXIT_FAILURE. A further
limitation of the gctl_error() function was that it could only be
called once. Messages from any additional calls to gctl_error()
would be silently discarded.
To resolve these problems a new function, gctl_msg() has been added.
It can be called multiple times to output multiple messages. It
also has an additional errno argument which should be zero if it is
an informational message or an errno value (EINVAL, EBUSY, etc) if
it is an error. When done the gctl_post_messages() function should
be called to indicate that all messages have been posted. If any
of the messages had a non-zero errno, the utility will EXIT_FAILURE.
If only informational messages (with zero errno) were posted, the
utility will EXIT_SUCCESS.
Tested by: Peter Holm
PR: 265184
MFC after: 1 week
Replace ppp(4) removed since FreeBSD 8.0-RELEASE with vlan(4).
While here, remove commented out reference to non-existing "egress"
interface group hiding since initial import of interface groups
from OpenBSD in 2006.
Jails without VNET have complete access to the ipfilter rules, NAT,
pools and logs. This is insecure. Only allow jails to manipulate
ipfilter rules, NAT tables and ippools if the jail has its own VNET.
Otherwise a jail can affect the global system.
This patch brings ipfilter in line with ipfw's support of VNET jails and
non-support of non-VNET jails.
MFC after: 1 week
If the "intr" and/or "soft" mount options are used for
NFSv4 mounts, the protocol can be broken when the
operation returns without waiting for the RPC reply.
The likelyhood of failure increases for NFSv4.1/4.2
mounts, since the session slot will be broken when
an RPC reply is not processed.
This is mentioned in the BUGS section of "man mount_nfs",
but there was no specific mention of the session slot
problem. This patch adds a sentence for this case.
PR: 260011
Reviewed by: gbe
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35693
If the "intr" and/or "soft" mount options are used for
NFSv4 mounts, the protocol can be broken when the
operation returns without waiting for the RPC reply.
The likelyhood of failure increases for NFSv4.1/4.2
mounts, since the session slot will be broken when
an RPC reply is not processed.
This is mentioned in the BUGS section of "man mount_nfs",
but more needs to be done. This patch adds code that
generates a warning message when the mount is done.
PR: 260011
Reviewed by: emaste
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35407
Provide more robust parameter parsing in veriexec. Do a little cleanup as well.
Differential revision: https://reviews.freebsd.org/D33246
Obtained from: Semihalf
Reviewed by: sjg, sebastien.bini_stormshield.eu
When growing a UFS/FFS filesystem, the size of the summary information
may expand into additional blocks. These blocks must be removed from
fs_dsize which records the number of blocks in the filesystem that can
be used to hold filesystem data.
While here also update the fs_old_dsize and fs_old_size fields for
compatibility with kernels that were compiled before the addition
of UFS2.
Reported by: Edward Tomasz Napiera
MFC after: 1 week
Any field that starts with # is a commented out field (there as a place
holder only, the data in that place holder is completely ignored). The
previous code improperly detected this using strcmp. Instead, any field
whose names starts with '#' is ignored.
Differential Reivsion: https://reviews.freebsd.org/D34633
named(8) hasn't been in base for some time. Remove all references to it in
manual pages.
Approved by: manpages (Pau Amma)
Differential Revision: https://reviews.freebsd.org/D35586
It may happen that "adjkerntz -a" called from jailed root crontab.
In that case it spams logs with a line:
sysctl(set: "machdep.wall_cmos_clock"): Operation not permitted
Be silent in that case.
MFC after: 1 month
The current situation is fairly confusing, where an integer is interpreted
as a percent until you slap a decimal on it and magically it becomes an
absolute value.
Let's have a flag day in 14.0 and remove this shim entirely. Setting with
percent can still be useful, so allow a trailing '%' to indicate as such.
As a side effect, we tighten down the format allowed in the volume a little
bit by ensuring there's no trailing garbage after the value once it's
separated into left and right components.
Reviewed by: christos, hselasky, pauamma_gundo.com (manpages)
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D35101
Honor -q parameter and do not display any warning messages when -q is
specified.
Approved by: dfr
MFC after: 2 weeks
Sponsored by: Resulta, s.r.o.
Differential Revision: https://reviews.freebsd.org/D35511
It may not be known at compile time so we should detect it at run time.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35118
If isc-dhcp44-server is not installed (as is the case the project's CI
servers) we don't create ngctl.shutdown, causing the 'rm' to fail.
That in turn causes the cleanup function to return non-zero, which
causes kyua to consider the test failed.
Use 'rm -f' instead, so we don't error even if the file doesn't exist.
Sponsored by: Rubicon Communications, LLC ("Netgate")
They are no longer needed, but were likely missed simply because they
don't show up in a grep for 'mips'.
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D35475
This avoids the need to drop into the ddb to figure out vnode
usage per file system. It helps to see if they are or are not
being freed. Suggestion to report active vnode count was from
kib@
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D35436
By analogy with IP address matching, add a way to use ipfw radix
tables for MAC matching. This is implemented using new ipfw table
with mac:radix type. Also there are src-mac and dst-mac lookup
commands added.
Usage example:
ipfw table 1 create type mac
ipfw table 1 add 11:22:33:44:55:66/48
ipfw add skipto tablearg src-mac 'table(1)'
ipfw add deny src-mac 'table(1, 100)'
ipfw add deny lookup dst-mac 1
Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw
filtering on L2.
Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103
mount_nfs creates entries in the mounttab file and umount removes
them. Entries in the mounttab file ae used by rpc.umntall to
notify the NFS server that NFSv3 entries need to be removed when
they have not been removed by umount.
Without this patch, an enty will be created in the mounttab file,
even if the nmount(2) syscall fails for the mount. This patch
modifies the code so that the mounttab entry is only created
after nmount(2) succeeds.
This change only affects NFSv3 and only affects how showmount
displays NFSv3 mounts.
MFC after: 2 weeks
Provide sticky ARP flag for network interface which marks it as the
"sticky" one similarly to what we have for bridges. Once interface is
marked sticky, any address resolved using the ARP will be saved as a
static one in the ARP table. Such functionality may be used to prevent
ARP spoofing or to decrease latencies in Ethernet networks.
The drawbacks include potential limitations in usage of ARP-based
load-balancers and high-availability solutions such as carp(4).
The implemented option is disabled by default, therefore should not
impact the default behaviour of the networking stack.
Sponsored by: Conclusive Engineering sp. z o.o.
Reviewed By: melifaro, pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D35314
MFC after: 2 weeks
This tests both both normal (untagged), and pcp tagged (VLAN 0)
networks which are now common for fiber ISPs.
Reviewed by: markj, kp
Differential Revision: https://reviews.freebsd.org/D35178
/etc/rc.d/jail no longer creates /dev/log as a symbolic link since
commit 84b354cb9a.
PR: 228351
Reviewed by: jamie, mark
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D34563
If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
buffer. Check that the buffer is sufficiently long to avoid that.
Maintain the existing (and desired, because it's used as such in
/etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
request for the root anchor (or no anchor specified).
PR: 264128
Reviewed by: kp
The command "ping -S dotted.quad hostname" fails on dual-stack hosts
with the confusing message "ping: invalid source address: Name does
not resolve" because IPv6 is selected in preference. If the argument
to -S is numeric (likely), select the corresponding address family,
as if -4 or -6 was specified. Add tests that either IPv4 or IPv6 can
be forced via a -S parameter.
Reviewed by: asomers
Differential Revision: https://reviews.freebsd.org/D35271
MFC after: 1 week
Previously we expected the DIOCSKERNELDUMP ioctl to return ENXIO if the
interface was down, but it does not actually do this. Grab the link
status using getifaddrs(3) instead, and downgrade this case from an
error to a warning; the user might bring the link back up at a later
time.
Reviewed by: cem
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35196
I pushed the last changes before I'd noticed the better wording
suggestions in the review. Also include a note that not all lines will
have a timestampe. Some multi-line messages are generated with sbuf, and
when those are pushed, only the first line will have the
timestamp. Document this quirky behavior as well since fixing it likely
won't happen soon. CAM periph drivers generate all the lines in their
announce message together so they aren't intermingled with other things,
for example.
Suggested by: allanjude, emaste, rpokala
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D35139
Differential Revision: https://reviews.freebsd.org/D35141
Today, kern.msgbuf_show_timestamp=1 will give 1 second granularity
timestamps on dmesg lines. When kern.msgbuf_show_timestamp=2, we'll
produce microsecond level graunlarity.
For example:
old (== 1):
[13] Dual Console: Video Primary, Serial Secondary
[14] lo0: link state changed to UP
[15] bxe0: NIC Link is Up, 10000 Mbps full duplex, Flow control: ON - receive & transmit
[15] bxe0: link state changed to UP
new (== 2):
[13.807015] Dual Console: Video Primary, Serial Secondary
[14.544150] lo0: link state changed to UP
[15.272044] bxe0: NIC Link is Up, 10000 Mbps full duplex, Flow control: ON - receive & transmit
[15.272052] bxe0: link state changed to UP
Sponsored by: Netflix
its attempt to install SA/SPD into the kernel results in cryptic
EINVAL error code.
Let it be a bit more user-friendly and try to load ipsec.ko
automatically if it is not loaded, just like ifconfig(8) does it
for modules it needs.
PR: 263379
MFC after: 2 weeks
The daemon can specify fsname=XXX in its mount options. If so, the file
system should report f_mntfromname as XXX during statfs. This will show
up in the output of commands like mount and df.
Submitted by: Ali Abdallah <ali.abdallah@suse.com>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35090
AEAD ciphers for IPsec combine both encryption and authentication. As
such, ESP configurations using an AEAD cipher should not use a
seperate authentication algorithm via -A. However, this was not
apparent from the setkey manpage and 12.x and earlier did not perform
sufficient argument validation permitting users to pair an explicit -A
such as SHA256-HMAC with AES-GCM. (The result was a non-standard
combination of AES-CTR with the specified MAC, but with the wrong
initial block counter (and thus different keystream) compared to using
AES-CTR as the cipher.)
Attempt to clarify this in the manpage by explicitly calling out AEAD
ciphers (currently only AES-GCM) and noting that AEAD ciphers should
not use -A.
While here, explicitly note which authentication algorithms can be
used with esp vs esp-old. Also add subsection headings for the
different algorithm lists and tidy some language.
I did not convert the tables to column lists (Bl -column) though that
would probably be more correct than using literal blocks (Bd
-literal).
PR: 263379
Reviewed by: Pau Amma <pauamma@gundo.com>, markj
Differential Revision: https://reviews.freebsd.org/D34947
Similar to ipfw rule timestamps, these timestamps internally are
uint32_t snaps of the system time in seconds. The timestamp is CPU local
and updated each time a rule or a state associated with a rule or state
is matched.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34970
Since a16732d670 we always print the l3 src/destination for Ethernet
rules. Update the tests to account for this.
Sponsored by: Rubicon Communications, LLC ("Netgate")
While the kernel only performs the L3 check for
ETHERTYPE_IP/ETHERTYPE_IP6 we should always print the source and
destination addresses.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34918
Allow tables to be used for the l3 source/destination matching.
This requires taking the PF_RULES read lock.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34917
After this, we'll be able to ping a host and not spam the terminal, and
no flooding will have to be involved. I've been doing this under Linux
as ping -fi1 host.
Reviewed by: rpokala, Pau Amma
Differential Revision: https://reviews.freebsd.org/D34882
The new '-L' flag will cause savecore to invoke the new mem(4) kernel
dump ioctl, taking a dump of the running system and writing the result
to a temporary file. Validation of the dump header is performed, similar
to regular crash dumps, and the final result is written to
livecore.X[.zst|.gz].
Also added is the '-Z' flag, which instructs the kernel to compress the
livedump compressed with zstd, akin to the existing -z flag. This option
has no effect in normal savecore(8) operation, but in theory could be
extended to perform such compression while reading the dump from the
dump device.
Encryption is unsupported for live dumps.
For example: 'savecore -Lz /var/crash' would create:
/var/crash/livecore.0.gz
Reviewed by: markj
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34347
Move it to a separate function, allowing its reuse.
Reviewed by: markj
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34822
All files are now created relative to savedirfd, e.g. with openat(2).
Therefore, we do not need character buffers to be PATH_MAX bytes long,
just long enough to hold the complete filename. 32 bytes is long enough
in all cases. These can be allocated on the stack.
While here, fix an error message that attempts to use an uninitialized
infoname.
Reviewed by: markj
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34821
So that new callers of getbounds() don't need to duplicate it.
Reviewed by: markj
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34783
When asked to print rules recursively, correctly recurse for anchors
included in pf.conf with "anchorname/*".
PR: 262590
Reviewed by: kp
MFC after: 3 weeks
This fixes a performance problem where poudriere -j 104 keeps remounting
filesystems, which induce wanting to signal mountd, if running. The
current code tries to do it by creating the pidfile in /var/run and
unlinking it if the operation succeeds, inducing contention against
anything doing an exec as it tries to look up /var/run/ld-elf.so.hints
Differential Revision: https://reviews.freebsd.org/D34681
This check was previously in `create` only, not applying to renames. It
should really be applied at the libbe level, so that we can avoid
writing about this restriction over and over again.
While we're here: `bectl rename` always succeeds, even when it doesn't.
Start returning the error.
Reported By: Christian McDonald <cmcdonald netgate com>
Reviewed by: rew, jwmaag_gmail.com (earlier version)
Differential Revision: https://reviews.freebsd.org/D34605
Discuss the standard type of layout, as well as the "deep" BE layout,
and some of the properties of both. Point the various -r flags at this
new section, to help users understand which they're working with and
what the -r flag is actually doing. Note that we may just deprecate the
-r flag in future versions, but the flag will be recognized as a NOP at
that point.
Reviewed by: pauamma_gundo.com, rew
Differential Revision: https://reviews.freebsd.org/D34538
"ifconfig -g groupname" prints a list of interface names,
which could be confusing, because it differs from
the behavior of "ifconfig -a -g groupname".
While here, add two examples showing the difference between
"ifconfig -a -g groupname" and "ifconfig -g groupname".
Fixes: 0dad3f0e15 Import interface groups from OpenBSD.
MFC after: 2 weeks
This reference has been present in the manual page since the initial
import of BSD 4.4 Lite sbin Sources. It's time for it to be removed.
MFC after: 2 weeks
- Remove extraneous examples
- Apply "-compact" to the list macros so that it is possible to fit the
definitions of the types and formats in one terminal screen.
MFC after: 2 weeks
This change is about moving the -f documentation into the right place in
the manual. Also, document the IFCONFIG_FORMAT variable in the
ENVIRONMENT section.
MFC after: 2 weeks
In order to clean up the layout of the manual page, let's keep
parameters in the end of the DESCRIPTION section. This patch does not
change any content, it's meant to only move the content around before
refactoring.
MFC after: 2 weeks
- There is no need to mention in the synopsis that -f can be a list of
comma-separated type:format pairs. Let's keep it simple instead.
- Mention that -f can be supplied multiple times.
- Add -f to other entries in the synopsis where it can be used.
MFC after: 2 weeks
As documented, the -C flag can only be used on its own. Any other
command modifiers and flags are ignored when -C is used. Reflect that in
synopsis.
MFC after: 2 weeks
We document capability codes (the CAPS field of "ifconfig wlan0 scan")
in both ifconfig(8) and the handbook. The list is more complete in the
manual page, while the descriptions of individual capabilities are more
detailed in the handbook.
In order to reduce content duplication and bit rot, let's move
handbook's details to the manual page and reference the manual page
whenever necessary.
Reviewed by: debdrup
Reviewed by: Pau Amma
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D34662
Disallow the use of tables in ethernet rules. Using tables requires
taking the PF_RULES lock. Moreover, the current table code isn't ready
to deal with ethernet rules.
Disallow their use for now.
Sponsored by: Rubicon Communications, LLC ("Netgate")
When using the snapshot option, all other options are ignored. This
update reflects changes made in ab2dbd9b87.
Reviewed by: 0mp, mckusick
Differential Revision: https://reviews.freebsd.org/D34584
When retrieving nat rules in anchors we need to set the path just like
we do for regular rules.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
The -r flag is ignored by the FreeBSD implementation of bsdlabel(8)
(also called disklabel(8) in the past). Remove its use from examples
and tests in the tree.
This commit does not touch historical documentation under share/doc/smm
and files under contrib/netbsd-tests.
Reviewed by: imp
MFC after: 2 weeks
Approved by: imp (src)
Fixes: 57dfbec57b More axe-work:
Differential Revision: https://reviews.freebsd.org/D34585
for missing devices.
The fsck_ffs(8) utility uses its internal function openfilesys()
when opening a disk to be checked. This change avoids the use
of pfatal() in openfilesys() which always exits with failure (exit
value 8) so that the caller can choose the correct exit value.
In the case of a non-existent device it should exit with value 3
which allows the startup system to wait for drives (such as those
attached by USB) to come online.
Reported by: karels
Tested by: karels
PR: 262580
MFC after: 3 days
Allow filtering based on the source or destination IP/IPv6 address in
the Ethernet layer rules.
Reviewed by: pauamma_gundo.com (man), debdrup (man)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34482
FreeBSD 14.0 is going to ship with a new implementation of the mixer(8)
command. Unfortunately, in order to support new features like mute, the
command-line interface of the new implementation is not backwards
compatible.
Update all the remaining documentation and scripts in the src tree
to use the new syntax.
While here, document in usbhidaction.1 that the mute functionality is
now supported.
Reviewed by: christos, debdrup, hselasky
Approved by: hselasky (src)
Fixes: 903873ce15 Implement and use new mixer(3) library for FreeBSD.
Differential Revision: https://reviews.freebsd.org/D34545
Traditionally the GEOM's primary channel of information from kernel to
user-space was confxml, fetched by libgeom through kern.geom.confxml
sysctl. It is convenient and informative, representing full state of
GEOM in a single XML document. But problems start to arise on systems
with hundreds of disks, where the full confxml size reaches many
megabytes, taking significant time to first write it and then parse.
This patch introduces alternative solution, allowing to fetch much
smaller XML document, subset of the full confxml, limited to 64KB and
representing only one specified geom and optionally its parents. It
uses existing GEOM control interface, extended with new "getxml" verb.
In case of any error, such as the buffer overflow, it just transparently
falls back to traditional full confxml. This patch uses the new API in
user-space GEOM tools where it is possible.
Reviewed by: imp
MFC after: 2 month
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D34529
I see more user-friendly to do nothing if the module is already
loaded, rather than returning quite confusing error message.
As side effect it allows to avoid std_list_available() call, using
quite expensive on large systems geom_gettree().
MFC after: 1 month
Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info()
to retrieve rules information (ticket and total number of rules).
Use the new function in pfctl.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443
Make gctl_add_param() API public, allowing more precise control over
parameter flags. Previously it was impossible to properly declare
write-only ASCII parameters, used for result reporting, they were
declared as read-write binary instead, that was not nice.
MFC after: 1 month
When printing the interface name from the ipstate_t struct the interface
name in is_ifp may not always be avaiable when reading it from kmem
(tested on FreeBSD and NetBSD). However the is_ifname (the interface
name character string) is almost always available -- it is not available
when the source of the packet is a process running on the firewall
itself. Rather than print both interface name strings, print only the
one.
MFC after: 1 week
Rather than use a kmem read to determine the interface name used by a
nat_t structure through a pointer, nat_ipfs->netif->if_xname, obtain it
directly from nat_ifnames in the nat_t structure itself using the new
FORMAT_IF macro.
MFC after: 1 week