Clarify some statements around PMTUD blackhole detection to make
the behavior more clear in the man page.
Submitted by: Mikhail <mp@lenta.ru>
MFC after: 2 weeks
A _NEW flag passed to _init_flags() to avoid the check for double-init.
Differential Revision: https://reviews.freebsd.org/D1208
Reviewed by: jhb, wblock
MFC after: 1 Month
for counter mode), and AES-GCM. Both of these modes have been added to
the aesni module.
Included is a set of tests to validate that the software and aesni
module calculate the correct values. These use the NIST KAT test
vectors. To run the test, you will need to install a soon-to-be-committed
port, nist-kat, that will install the vectors. Using a port
is necessary as the test vectors are around 25MB.
All the man pages were updated. I have added a new man page, crypto.7,
which includes a description of how to use each mode. All the new modes
and some other AES modes are present. It would be good for someone
else to go through and document the other modes.
A new ioctl was added to support AEAD modes, of which AES-GCM is one.
Without this ioctl, it is not possible to test AEAD modes from userland.
Add a timing-safe bcmp for comparing MACs. Previously we were using
bcmp, which could leak timing info and result in the ability to forge
messages.
Add a minor optimization to the aesni module so that single segment
mbufs don't get copied and instead are updated in place. The aesni
module needs to be updated to support blocked IO so segmented mbufs
don't have to be copied.
We require that the IV be specified for all calls for both GCM and ICM.
This is to ensure proper use of these functions.
Obtained from: p4: //depot/projects/opencrypto
Relnotes: yes
Sponsored by: FreeBSD Foundation
Sponsored by: NetGate
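As an added illustration of the timing leak this commit describes (example code, not from the FreeBSD tree): an early-exit comparison beside a constant-time one, plus a helper showing that the early-exit version's work depends on where the first mismatching byte sits. The 16-byte tag values are constructed, and mac_verify() is a hypothetical wrapper, not the kernel's API.

```c
#include <stddef.h>

/* Early-exit comparison in the style of bcmp(): stops at the first
 * mismatching byte. *steps receives the number of bytes examined,
 * which is what an observer can infer from the running time. */
static int
early_exit_cmp(const unsigned char *a, const unsigned char *b, size_t n,
    size_t *steps)
{
	for (size_t i = 0; i < n; i++) {
		if (a[i] != b[i]) {
			*steps = i + 1;
			return 1;
		}
	}
	*steps = n;
	return 0;
}

/* Constant-time comparison: every byte is read and differences are
 * folded in with OR, so the work is the same for any two inputs of
 * length n. Returns 0 if equal, nonzero otherwise (bcmp() contract). */
int
timingsafe_bcmp(const void *a, const void *b, size_t n)
{
	const volatile unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;

	for (size_t i = 0; i < n; i++)
		acc |= pa[i] ^ pb[i];
	return acc;
}

/* Bytes the early-exit loop reads when a received 16-byte tag differs
 * from the expected one only at position diff_at (constructed values,
 * not real MACs). Returns 0 for an out-of-range position. */
size_t
early_exit_steps_for_mismatch_at(size_t diff_at)
{
	unsigned char expected[16], received[16];
	size_t steps;

	if (diff_at >= sizeof(expected))
		return 0;
	for (size_t i = 0; i < sizeof(expected); i++)
		expected[i] = received[i] = (unsigned char)(0xA0 + i);
	received[diff_at] ^= 0x01;	/* single-byte mismatch */
	early_exit_cmp(expected, received, sizeof(expected), &steps);
	return steps;
}

/* Hypothetical tag check: lengths must match and the bytes must compare
 * equal in constant time. Returns 1 on a valid tag, 0 otherwise. */
int
mac_verify(const unsigned char *computed, size_t clen,
    const unsigned char *received, size_t rlen)
{
	if (clen != rlen)
		return 0;
	return timingsafe_bcmp(computed, received, clen) == 0;
}
```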
to how they differ. This will assist users in selecting which interface
is more appropriate for their purposes.
Approved by: grog (co-mentor)
MFC after: 2 weeks
- bootparamd
- bootpd
- finger/fingerd
- ftp/ftpd
- hastctl/hastd
- iscsid, et al
- rbootd
- talk/talkd
- tcpd, et al
- tftp/tftpd
Add src.conf entries for the various components and do a best effort
at adding components to tools/build/mk/OptionalObsoleteFiles.inc
supported hardware list. Judging by the PCI driver attachment, dpt_pci.c
only supports a single adapter rather than the various PCI adapters listed.
The list of EISA adapters listed somewhat overlaps with the device IDs in
dpt_eisa.c. It's not clear which devices are ISA-only devices.
Initially in_matrote() and in_clsroute() in their current state were introduced by
r4105 20 years ago. Instead of deleting inactive routes immediately, we kept them
in the route table, setting the RTPRF_OURS flag and some expire time. After that, either
GC came or RTPRF_OURS got removed on first packet. It was a good solution
in those days (and probably another decade after that) to keep TCP metrics.
However, after moving metrics to the TCP hostcache in r122922, most of the in_rmx
functionality became unused. It might have been used for flushing icmp-originated
routes before rte mutexes/refcounting, but I'm not sure about that.
So it looks like it is nearly impossible to make GC do its work nowadays:
in_rtkill() ignores non-RTPRF_OURS routes.
A route can only become RTPRF_OURS after dropping the last reference via rtfree(),
which calls in_clsroute(), which, in turn, ignores UP and non-RTF_DYNAMIC routes.
Dynamic routes can still be installed via received redirect, but they
have default lifetime (no specific rt_expire) and no one has another trie walker
to call RTFREE() on them.
So, the changelist:
* remove custom rnh_match / rnh_close matching function.
* remove all GC functions
* partially revert r256695 (proto3 is no longer used inside the kernel,
it is not possible to use rt_expire from the user's point of view, proto3 support
is not complete)
* Finish r241884 (similar to this commit) and remove remaining IPv6 parts
MFC after: 1 month
The canonical standalone debug directory established by the GNU
toolchain is /usr/lib/debug, and we use it when WITH_DEBUG_FILES is set.
Mention it in the file system hierarchy page.
Reviewed by: bcr
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D1134
have chosen different (and more traditional) stateless/stateful
NAT64 as the translation mechanism. Last non-trivial commits to both
faith(4) and faithd(8) happened more than 12 years ago, so I assume
it is time to drop RFC3142 in FreeBSD.
No objections from: net@
Split it into two modules: if_gre(4) for GRE encapsulation and
if_me(4) for minimal encapsulation within IP.
gre(4) changes:
* convert to if_transmit;
* rework locking: protect access to softc with rmlock,
protect from concurrent ioctls with sx lock;
* correct interface accounting for outgoing datagrams (count only payload size);
* implement generic support for using IPv6 as delivery header;
* make implementation conform to the RFC 2784 and partially to RFC 2890;
* add support for GRE checksums - calculate for outgoing datagrams and check
for incoming datagrams;
* add support for sending sequence number in GRE header;
* remove support for cached routes. This fixes a problem where gre(4) doesn't
work at system startup. But this also removes support for having tunnels with
the same addresses for inner and outer header.
* deprecate support for various GREXXX ioctls that aren't used in FreeBSD.
Use our standard ioctls for tunnels.
me(4):
* implementation conforms to RFC 2004;
* use if_transmit;
* use the same locking model as gre(4);
PR: 164475
Differential Revision: D1023
No objections from: net@
Relnotes: yes
Sponsored by: Yandex LLC
Those tunables are used to set a specific mode in vt(4) instead of using
the default mode.
Differential Revision: https://reviews.freebsd.org/D1098
Reviewed by: ak@, emaste@, kwm@
MFC after: 1 week
whether the shared request for already shared-locked lock could be
granted. Both problems result in the exclusive locker starvation.
The concurrent exclusive request is indicated by either
LK_EXCLUSIVE_WAITERS or LK_EXCLUSIVE_SPINNERS flags. The reverse
condition, i.e. no exclusive waiters, must check that both flags are
cleared.
Add a flag LK_NODDLKTREAT for shared lock request to indicate that
current thread guarantees that it does not own the lock in shared
mode. This turns back the exclusive lock starvation avoidance code;
see man page update for detailed description.
Use LK_NODDLKTREAT when doing lookup(9).
Reported and tested by: pho
No objections from: attilio
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
of fuword(9) and suword(9). This makes the functions type-compatible
with volatile objects and does not require devolatile force, e.g. in
kern_umtx.c.
Requested by: bde
Reviewed by: jhb
Sponsored by: The FreeBSD Foundation
MFC after: 3 weeks
and casuword(9), but do not mix value read and indication of fault.
I know (or remember) enough assembly to handle x86 and powerpc. For
arm, mips and sparc64, implement fueword() and casueword() as wrappers
around fuword() and casuword(), which means that the functions cannot
distinguish between -1 and fault.
On architectures where fueword() and casueword() are native, implement
fuword() and casuword() using fueword() and casuword(), to reduce
assembly code duplication.
Sponsored by: The FreeBSD Foundation
Tested by: pho
MFC after: 2 weeks (ia64 needs treating)
While I'm there also correct typos in OptionalObsoleteFiles and add
information of the command line options for hv_kvp_daemon(8).
Reported by: jmg [1]
Reviewed by: jmg
MFC after: 2 weeks
create a new code block and thus must be balanced at the same lexical
scope. (This is also a requirement in POSIX.)
PR: 194280
Submitted by: dr2867.business@pacbell.net
MFC after: 1 week
Support for the multiport feature is mostly implemented, but currently
disabled due to some potential races in the hot plug code paths.
Requested by: marcel
MFC after: 1 month
Relnotes: yes
- Wrong integer type was specified.
- Wrong or missing "access" specifier. The "access" specifier
sometimes included the SYSCTL type, which it should not, except for
procedural SYSCTL nodes.
- Logical OR where binary OR was expected.
- Properly assert the "access" argument passed to all SYSCTL macros,
using the CTASSERT macro. This applies to both static- and dynamically
created SYSCTLs.
- Properly assert the data type for both static and dynamic
SYSCTLs. In the case of static SYSCTLs we only assert that the data
pointed to by the SYSCTL data pointer has the correct size, hence
there is no easy way to assert types in the C language outside a
C-function.
- Rewrote some code which doesn't pass a constant "access" specifier
when creating dynamic SYSCTL nodes, which is now a requirement.
- Updated "EXAMPLES" section in SYSCTL manual page.
MFC after: 3 days
Sponsored by: Mellanox Technologies
vxlan creates a virtual LAN by encapsulating the inner Ethernet frame in
a UDP packet. This implementation is based on RFC7348.
Currently, the IPv6 support is not fully compliant with the specification:
we should be able to receive UDPv6 packets with a zero checksum, but we
need to support RFC6935 first. Patches for this should come soon.
Encapsulation protocols such as vxlan emphasize the need for the FreeBSD
network stack to support batching, GRO, and GSO. Each frame has to make
two trips through the network stack, and each frame will be at most MTU
sized. Performance suffers accordingly.
Some latest generation NICs have begun to support vxlan HW offloads that
we should also take advantage of. VIMAGE support should also be added soon.
Differential Revision: https://reviews.freebsd.org/D384
Reviewed by: gnn
Relnotes: yes
vt(4) is the default console for UEFI boot [1], and the bitmapped
kern.vt.spclkeys sysctl has been replaced with individual kern.vt.kbd_*
enable sysctls.
PR: 193710
Submitted by: wblock [1]
Reviewed by: wblock
MFC after: 3 days
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D953
r273170:
MK_ARB_EABI was removed in r272350 so remove the documentation.
r273171:
Per r273155, HYPERV is built by default on platforms where it makes
sense and ignored on others.
r273172:
Document that WITHOUT_TOOLCHAIN causes headers to not be installed, not
just programs.
o convert to if_transmit;
o use rmlock to protect access to gif_softc;
o use sx lock to protect from concurrent ioctls;
o remove a lot of unneeded and duplicated code;
o remove cached route support (it won't work with concurrent io);
o style fixes.
Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Sponsored by: Yandex LLC
of timeout(9) to the end and mark it prominently as deprecated. Document
somewhat how times are specified for the 'sbt' variants. Better explain
how using callout_init_*() to associate a lock with a callout resolves
common races.
Differential Revision: https://reviews.freebsd.org/D847
Reviewed by: wblock, bjk
MFC after: 1 week
r272234, r272236, r272262, r272264, r272269, r272271, r272272,
r272277, r272279, r272376, r272380, r272381, r272392, r272234,
r272412:
r272234:
Initial commit to include virtual machine images as part
of the FreeBSD release builds.
This adds a make(1) environment variable requirement,
WITH_VMIMAGES, which triggers the virtual machine image
targets when not defined to an empty value.
Relevant user-driven variables include:
o VMFORMATS: The virtual machine image formats to create.
Valid formats are provided by running 'mkimg --formats'
o VMSIZE: The size of the resulting virtual machine
image. Typical compression is roughly 140Mb, regardless
of the target size (10GB, 15GB, 20GB, 40GB sizes have been
tested with the same result).
o VMBASE: The prefix of the virtual machine disk images.
The VMBASE make(1) environment variable is suffixed with
each format in VMFORMATS for each individual disk image, as
well as '.img' for the source UFS filesystem passed to
mkimg(1).
This also includes a new script, mk-vmimage.sh, based on how
the VM images for 10.0-RELEASE, 9.3-RELEASE, and 10.1-RELEASE
were created (mk-vmimage.sh in ^/user/gjb/thermite/).
With the order in which the stages need to occur, as well as
sanity-checking error cases, it makes much more sense to
execute a shell script called from make(1), using env(1) to
set specific parameters for the target image than it does to
do this in make(1) directly.
r272236:
Use VMBASE in place of a hard-coded filename in the CLEANFILES
list.
r272262:
Remove a 'set -x' that snuck in during testing.
r272264:
release/Makefile:
Connect the virtual machine image build to the release
target if WITH_VMIMAGES is set to a non-empty value.
release/release.sh:
Add WITH_VMIMAGES to RELEASE_RMAKEFLAGS.
release/release.conf.sample:
Add commented entries for tuning the release build if the
WITH_VMIMAGES make(1) environment variable is set to
a non-empty value.
r272269:
release/Makefile:
Include .OBJDIR in DESTDIR in the vm-base target.
release/release.sh:
Provide the full path to mddev.
r272271:
Fix UFS label for the root filesystem.
r272272:
Remove comments left in accidentally while testing, so the
VM /etc/fstab is actually created.
r272277:
Remove the UFS label from the root filesystem since it is added
by mkimg(1) as a gpt label, consistent with the fstab(5) entry.
r272279:
Comment cleanup in panic() message when mkimg(1) does not support
the requested disk image format.
r272376:
Separate release/scripts/mk-vmimage.sh to machine-specific
scripts, making it possible to mimic the functionality for
non-x86 targets.
Move echo output if MAKEFLAGS is empty outside of usage().
Remove TARGET/TARGET_ARCH evaluation.
r272380:
Avoid using env(1) to set values passed to mk-vmimage.sh,
and instead pass the values as arguments to the script,
making it easier to run this by hand, without 'make release'.
Add usage_vm_base() and usage_vm_image() usage helpers.
r272381:
After evaluating WITH_VMIMAGES is non-empty, ensure
the mk-vmimage.sh script exists before running it.
r272392:
Add WITH_COMPRESSED_VMIMAGES variable, which when set enables
xz(1) compression of the virtual machine images.
This is intentionally separate to allow more fine-grained
tuning over which images are compressed, especially in cases
where compressing 20GB sparse images can take hours.
r272412:
Document the new 'vm-image' target, and associated release.conf
variables.
r272413:
Remove two stray comments added during the initial iterations
of testing, no longer needed.
MFC after: 5 days
X-MFC-10.1: yes
Tested on: r272269, r272272, r272279, r272380, r272392
Sponsored by: The FreeBSD Foundation
if_lagg(4) interfaces which were cloned in a vnet jail.
Sysctl nodes which are dynamically generated for each cloned interface
(net.link.lagg.N.*) have been removed, and use_flowid and flowid_shift
ifconfig(8) parameters have been added instead. Flags and per-interface
statistics counters are displayed in "ifconfig -v".
CR: D842