This change is about moving the -f documentation into the right place in
the manual. Also, document the IFCONFIG_FORMAT variable in the
ENVIRONMENT section.
MFC after: 2 weeks
In order to clean up the layout of the manual page, let's keep
parameters in the end of the DESCRIPTION section. This patch does not
change any content, it's meant to only move the content around before
refactoring.
MFC after: 2 weeks
- There is no need to mention in the synopsis that -f can be a list of
comma-separated type:format pairs. Let's keep it simple instead.
- Mention that -f can be supplied multiple times.
- Add -f to other entries in the synopsis where it can be used.
MFC after: 2 weeks
As documented, the -C flag can only be used on its own. Any other
command modifiers and flags are ignored when -C is used. Reflect that in
synopsis.
MFC after: 2 weeks
We document capability codes (the CAPS field of "ifconfig wlan0 scan")
in both ifconfig(8) and the handbook. The list is more complete in the
manual page, while the descriptions of individual capabilities are more
detailed in the handbook.
In order to reduce content duplication and bit rot, let's move
handbook's details to the manual page and reference the manual page
whenever necessary.
Reviewed by: debdrup
Reviewed by: Pau Amma
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D34662
When we exposed the PFSYNCF_OK flag to userspace in 5f5bf88949 we
unintentionally caused defer mode to always be enabled.
The ioctl check only looked for nonzero, not for the PFSYNCF_DEFER flag.
Fix this check and ensure ifconfig sets the flag.
Reviewed by: glebius
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33244
A quick grep through the kernel code shows network drivers compute the
changed bits of network capabilities after a SIOCSIFCAP IOCTL(2) by
using the bitwise exclusive or operation. When the set capabilities
are equal to the already read capabilities, no action will be taken.
Let ifconfig(8) predict this case and skip the SIOCSIFCAP IOCTL(2)
system call.
Discussed with: kib@ (revert change in case of issues)
MFC after: 1 week
Sponsored by: NVIDIA Networking
Add a postproc function for af_inet, and add interface flags as a
parameter. Check there if setting an address without a mask unless
the interface is loopback or point-to-point, where mask is not really
meaningful; warn if so. This will hopefully be an error in the future.
MFC after: 1 month
Reviewd by: bz
Differential Revision: https://reviews.freebsd.org/D32709
Fix what appears to have been a small copy/paste typo in ifconfig(8)'s
documentation (man page and header file).
Not that it matters anymore.
Reference: Table I-2 in IEEE Std 802.1Q-2014.
PR: 255557
Submitted by: Jose Luis Duran <jlduran@gmail.com>
MFC after: 1 week
Add 'syncok' field to ifconfig's pfsync interface output. This allows
userspace to figure out when pfsync has completed the initial bulk
import.
Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29948
This restores behavior lost in code cleanup, fixing a regression after
2803fa471e where changing media options
only applies some of the changes, not all.
Reported by: np
Reviewed by: donner
MFC after: immediately
Differential Revision: https://reviews.freebsd.org/D29741
Beauty correction for verbose mode or in case we print multiple key
information to not continue with the next options directly after
as we did so far, e.g.:
AES-CCM 2:128-bit
AES-CCM 3:128-bit powersavemode ...
Sponsored-by: The FreeBSD Foundation
MFC-after: 2 weeks
Reviewed-by: adrian
Differential Revision: https://reviews.freebsd.org/D29393
After length decisions, we've decided that the if_wg(4) driver and
related work is not yet ready to live in the tree. This driver has
larger security implications than many, and thus will be held to
more scrutiny than other drivers.
Please also see the related message sent to the freebsd-hackers@
and freebsd-arch@ lists by Kyle Evans <kevans@FreeBSD.org> on
2021/03/16, with the subject line "Removing WireGuard Support From Base"
for additional context.
This is the culmination of about a week of work from three developers to
fix a number of functional and security issues. This patch consists of
work done by the following folks:
- Jason A. Donenfeld <Jason@zx2c4.com>
- Matt Dunwoodie <ncon@noconroy.net>
- Kyle Evans <kevans@FreeBSD.org>
Notable changes include:
- Packets are now correctly staged for processing once the handshake has
completed, resulting in less packet loss in the interim.
- Various race conditions have been resolved, particularly w.r.t. socket
and packet lifetime (panics)
- Various tests have been added to assure correct functionality and
tooling conformance
- Many security issues have been addressed
- if_wg now maintains jail-friendly semantics: sockets are created in
the interface's home vnet so that it can act as the sole network
connection for a jail
- if_wg no longer fails to remove peer allowed-ips of 0.0.0.0/0
- if_wg now exports via ioctl a format that is future proof and
complete. It is additionally supported by the upstream
wireguard-tools (which we plan to merge in to base soon)
- if_wg now conforms to the WireGuard protocol and is more closely
aligned with security auditing guidelines
Note that the driver has been rebased away from using iflib. iflib
poses a number of challenges for a cloned device trying to operate in a
vnet that are non-trivial to solve and adds complexity to the
implementation for little gain.
The crypto implementation that was previously added to the tree was a
super complex integration of what previously appeared in an old out of
tree Linux module, which has been reduced to crypto.c containing simple
boring reference implementations. This is part of a near-to-mid term
goal to work with FreeBSD kernel crypto folks and take advantage of or
improve accelerated crypto already offered elsewhere.
There's additional test suite effort underway out-of-tree taking
advantage of the aforementioned jail-friendly semantics to test a number
of real-world topologies, based on netns.sh.
Also note that this is still a work in progress; work going further will
be much smaller in nature.
MFC after: 1 month (maybe)
The kernel-side already accepted a persistent-keepalive-interval, so
just add a verb to ifconfig(8) for it and start exporting it so that
ifconfig(8) can view it.
PR: 253790
MFC after: 3 days
Discussed with: decke
The way that wireguard is designed does not actually require all peers
to have endpoints. In an architecture that might mimic a traditional
VPN server <-> client, the wg interface on a server would have a number
of peers without set endpoints -- the expectation is that the "clients"
will connect to the "server" peer, which will authenticate the
connection as a known peer and learn the endpoint from there.
MFC after: 3 days
Discussed with: decke, grehan (independently)
This should eventually replace the socket passed to the various
handlers. In the meantime, making it global avoids repeatedly opening
and closing handles.
Reported by: kp
Reviewed by: kp (earlier version)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D28990
Also trimmed an unused block of code that never prints out LAGG_PROTOS.
Reviewed by: kp (earlier version)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D28961
A trivial change now that ifconfig is already using libifconfig.
Reviewed by: kp (earlier version)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D28955
Currently when peer information is displayed with `ifconfig wgN peer ..`
or `ifconfig wgN peer-list`, the netmask of the first `allowed-ips` will
be used as the netmask of all CIDR in `allowed-ips`. For example, if
the list is `192.168.1.0/24, 172.16.0.0/16`, it will display as
`192.168.1.0/24, 172.16.0.0/24`. While this does not affect the actual
functionality, it is very confusing.
Submitted by: Michael Chiu <nyan -at- myuji.xyz>
Reviewed by: grehan
Differential Revision: https://reviews.freebsd.org/D28655
MFC after: 1 day
Originally IFCAP_NOMAP meant that the mbuf has external storage pointer
that points to unmapped address. Then, this was extended to array of
such pointers. Then, such mbufs were augmented with header/trailer.
Basically, extended mbufs are extended, and set of features is subject
to change. The new name should be generic enough to avoid further
renaming.
QinQ is better known by this name, so accept it as an alias
Reported-by: Mike Geiger
Reviewed-by: melifaro, hselasky, rpokala
MFC-with: 366917
Sponsored-by: Klara Inc.
Differential-Revision: https://reviews.freebsd.org/D28245
Detection of interface type by filter must happen before detection of
interface type by prefix. Else the following sequence of commands will
try to create a LAGG interface instead of a VLAN interface, which
accidentially worked previously, because the date pointed to by the
ifr_data pointer was not parsed by VLAN create ioctl(2). This is a
regression after r368229, because the VLAN creation now parses the
ifr_data field.
How to reproduce:
# ifconfig lagg0 create
# ifconfig lagg0.256 create
Differential Revision: https://reviews.freebsd.org/D27521
Reviewed by: kib@ and kevans@
Reported by: raul.munoz@custos.es
Sponsored by: Mellanox Technologies // NVIDIA Networking
If multiple threads are invoking "ifconfig XXX create" a race may occur
which can lead to two different error messages for the same error.
a) ifconfig: SIOCIFCREATE2: File exists
b) ifconfig: interface XXX already exists
This patch ensures ifconfig prints the same error code
for the same case.
Reviewed by: imp@ and kib@
Differential Revision: https://reviews.freebsd.org/D27380
MFC after: 1 week
Sponsored by: Mellanox Technologies // NVIDIA Networking
