its attempt to install SA/SPD into the kernel results in cryptic
EINVAL error code.
Let it be a bit more user-friendly and try to load ipsec.ko
automatically if it is not loaded, just like ifconfig(8) does it
for modules it needs.
PR: 263379
MFC after: 2 weeks
The daemon can specify fsname=XXX in its mount options. If so, the file
system should report f_mntfromname as XXX during statfs. This will show
up in the output of commands like mount and df.
Submitted by: Ali Abdallah <ali.abdallah@suse.com>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35090
AEAD ciphers for IPsec combine both encryption and authentication. As
such, ESP configurations using an AEAD cipher should not use a
seperate authentication algorithm via -A. However, this was not
apparent from the setkey manpage and 12.x and earlier did not perform
sufficient argument validation permitting users to pair an explicit -A
such as SHA256-HMAC with AES-GCM. (The result was a non-standard
combination of AES-CTR with the specified MAC, but with the wrong
initial block counter (and thus different keystream) compared to using
AES-CTR as the cipher.)
Attempt to clarify this in the manpage by explicitly calling out AEAD
ciphers (currently only AES-GCM) and noting that AEAD ciphers should
not use -A.
While here, explicitly note which authentication algorithms can be
used with esp vs esp-old. Also add subsection headings for the
different algorithm lists and tidy some language.
I did not convert the tables to column lists (Bl -column) though that
would probably be more correct than using literal blocks (Bd
-literal).
PR: 263379
Reviewed by: Pau Amma <pauamma@gundo.com>, markj
Differential Revision: https://reviews.freebsd.org/D34947
Similar to ipfw rule timestamps, these timestamps internally are
uint32_t snaps of the system time in seconds. The timestamp is CPU local
and updated each time a rule or a state associated with a rule or state
is matched.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34970
Since a16732d670 we always print the l3 src/destination for Ethernet
rules. Update the tests to account for this.
Sponsored by: Rubicon Communications, LLC ("Netgate")
While the kernel only performs the L3 check for
ETHERTYPE_IP/ETHERTYPE_IP6 we should always print the source and
destination addresses.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34918
Allow tables to be used for the l3 source/destination matching.
This requires taking the PF_RULES read lock.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34917
After this, we'll be able to ping a host and not spam the terminal, and
no flooding will have to be involved. I've been doing this under Linux
as ping -fi1 host.
Reviewed by: rpokala, Pau Amma
Differential Revision: https://reviews.freebsd.org/D34882
The new '-L' flag will cause savecore to invoke the new mem(4) kernel
dump ioctl, taking a dump of the running system and writing the result
to a temporary file. Validation of the dump header is performed, similar
to regular crash dumps, and the final result is written to
livecore.X[.zst|.gz].
Also added is the '-Z' flag, which instructs the kernel to compress the
livedump compressed with zstd, akin to the existing -z flag. This option
has no effect in normal savecore(8) operation, but in theory could be
extended to perform such compression while reading the dump from the
dump device.
Encryption is unsupported for live dumps.
For example: 'savecore -Lz /var/crash' would create:
/var/crash/livecore.0.gz
Reviewed by: markj
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34347
Move it to a separate function, allowing its reuse.
Reviewed by: markj
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34822
All files are now created relative to savedirfd, e.g. with openat(2).
Therefore, we do not need character buffers to be PATH_MAX bytes long,
just long enough to hold the complete filename. 32 bytes is long enough
in all cases. These can be allocated on the stack.
While here, fix an error message that attempts to use an uninitialized
infoname.
Reviewed by: markj
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34821
So that new callers of getbounds() don't need to duplicate it.
Reviewed by: markj
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34783
When asked to print rules recursively, correctly recurse for anchors
included in pf.conf with "anchorname/*".
PR: 262590
Reviewed by: kp
MFC after: 3 weeks
This fixes a performance problem where poudriere -j 104 keeps remounting
filesystems, which induce wanting to signal mountd, if running. The
current code tries to do it by creating the pidfile in /var/run and
unlinking it if the operation succeeds, inducing contention against
anything doing an exec as it tries to look up /var/run/ld-elf.so.hints
Differential Revision: https://reviews.freebsd.org/D34681
This check was previously in `create` only, not applying to renames. It
should really be applied at the libbe level, so that we can avoid
writing about this restriction over and over again.
While we're here: `bectl rename` always succeeds, even when it doesn't.
Start returning the error.
Reported By: Christian McDonald <cmcdonald netgate com>
Reviewed by: rew, jwmaag_gmail.com (earlier version)
Differential Revision: https://reviews.freebsd.org/D34605
Discuss the standard type of layout, as well as the "deep" BE layout,
and some of the properties of both. Point the various -r flags at this
new section, to help users understand which they're working with and
what the -r flag is actually doing. Note that we may just deprecate the
-r flag in future versions, but the flag will be recognized as a NOP at
that point.
Reviewed by: pauamma_gundo.com, rew
Differential Revision: https://reviews.freebsd.org/D34538
"ifconfig -g groupname" prints a list of interface names,
which could be confusing, because it differs from
the behavior of "ifconfig -a -g groupname".
While here, add two examples showing the difference between
"ifconfig -a -g groupname" and "ifconfig -g groupname".
Fixes: 0dad3f0e15 Import interface groups from OpenBSD.
MFC after: 2 weeks
This reference has been present in the manual page since the initial
import of BSD 4.4 Lite sbin Sources. It's time for it to be removed.
MFC after: 2 weeks
- Remove extraneous examples
- Apply "-compact" to the list macros so that it is possible to fit the
definitions of the types and formats in one terminal screen.
MFC after: 2 weeks
This change is about moving the -f documentation into the right place in
the manual. Also, document the IFCONFIG_FORMAT variable in the
ENVIRONMENT section.
MFC after: 2 weeks
In order to clean up the layout of the manual page, let's keep
parameters in the end of the DESCRIPTION section. This patch does not
change any content, it's meant to only move the content around before
refactoring.
MFC after: 2 weeks
- There is no need to mention in the synopsis that -f can be a list of
comma-separated type:format pairs. Let's keep it simple instead.
- Mention that -f can be supplied multiple times.
- Add -f to other entries in the synopsis where it can be used.
MFC after: 2 weeks
As documented, the -C flag can only be used on its own. Any other
command modifiers and flags are ignored when -C is used. Reflect that in
synopsis.
MFC after: 2 weeks
We document capability codes (the CAPS field of "ifconfig wlan0 scan")
in both ifconfig(8) and the handbook. The list is more complete in the
manual page, while the descriptions of individual capabilities are more
detailed in the handbook.
In order to reduce content duplication and bit rot, let's move
handbook's details to the manual page and reference the manual page
whenever necessary.
Reviewed by: debdrup
Reviewed by: Pau Amma
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D34662
Disallow the use of tables in ethernet rules. Using tables requires
taking the PF_RULES lock. Moreover, the current table code isn't ready
to deal with ethernet rules.
Disallow their use for now.
Sponsored by: Rubicon Communications, LLC ("Netgate")
When using the snapshot option, all other options are ignored. This
update reflects changes made in ab2dbd9b87.
Reviewed by: 0mp, mckusick
Differential Revision: https://reviews.freebsd.org/D34584
When retrieving nat rules in anchors we need to set the path just like
we do for regular rules.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
The -r flag is ignored by the FreeBSD implementation of bsdlabel(8)
(also called disklabel(8) in the past). Remove its use from examples
and tests in the tree.
This commit does not touch historical documentation under share/doc/smm
and files under contrib/netbsd-tests.
Reviewed by: imp
MFC after: 2 weeks
Approved by: imp (src)
Fixes: 57dfbec57b More axe-work:
Differential Revision: https://reviews.freebsd.org/D34585
for missing devices.
The fsck_ffs(8) utility uses its internal function openfilesys()
when opening a disk to be checked. This change avoids the use
of pfatal() in openfilesys() which always exits with failure (exit
value 8) so that the caller can choose the correct exit value.
In the case of a non-existent device it should exit with value 3
which allows the startup system to wait for drives (such as those
attached by USB) to come online.
Reported by: karels
Tested by: karels
PR: 262580
MFC after: 3 days
Allow filtering based on the source or destination IP/IPv6 address in
the Ethernet layer rules.
Reviewed by: pauamma_gundo.com (man), debdrup (man)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34482
FreeBSD 14.0 is going to ship with a new implementation of the mixer(8)
command. Unfortunately, in order to support new features like mute, the
command-line interface of the new implementation is not backwards
compatible.
Update all the remaining documentation and scripts in the src tree
to use the new syntax.
While here, document in usbhidaction.1 that the mute functionality is
now supported.
Reviewed by: christos, debdrup, hselasky
Approved by: hselasky (src)
Fixes: 903873ce15 Implement and use new mixer(3) library for FreeBSD.
Differential Revision: https://reviews.freebsd.org/D34545
Traditionally the GEOM's primary channel of information from kernel to
user-space was confxml, fetched by libgeom through kern.geom.confxml
sysctl. It is convenient and informative, representing full state of
GEOM in a single XML document. But problems start to arise on systems
with hundreds of disks, where the full confxml size reaches many
megabytes, taking significant time to first write it and then parse.
This patch introduces alternative solution, allowing to fetch much
smaller XML document, subset of the full confxml, limited to 64KB and
representing only one specified geom and optionally its parents. It
uses existing GEOM control interface, extended with new "getxml" verb.
In case of any error, such as the buffer overflow, it just transparently
falls back to traditional full confxml. This patch uses the new API in
user-space GEOM tools where it is possible.
Reviewed by: imp
MFC after: 2 month
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D34529
I see more user-friendly to do nothing if the module is already
loaded, rather than returning quite confusing error message.
As side effect it allows to avoid std_list_available() call, using
quite expensive on large systems geom_gettree().
MFC after: 1 month
Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info()
to retrieve rules information (ticket and total number of rules).
Use the new function in pfctl.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443
Make gctl_add_param() API public, allowing more precise control over
parameter flags. Previously it was impossible to properly declare
write-only ASCII parameters, used for result reporting, they were
declared as read-write binary instead, that was not nice.
MFC after: 1 month
When printing the interface name from the ipstate_t struct the interface
name in is_ifp may not always be avaiable when reading it from kmem
(tested on FreeBSD and NetBSD). However the is_ifname (the interface
name character string) is almost always available -- it is not available
when the source of the packet is a process running on the firewall
itself. Rather than print both interface name strings, print only the
one.
MFC after: 1 week
Rather than use a kmem read to determine the interface name used by a
nat_t structure through a pointer, nat_ipfs->netif->if_xname, obtain it
directly from nat_ifnames in the nat_t structure itself using the new
FORMAT_IF macro.
MFC after: 1 week
Interface names stored in the ipstate_t and ipnat_t structures can be
NULL. This occurs when an application, such as named, is running on the
firewall machine itself. For example an application, i.e. named, running
on the firewall itself will cause a state table display and NAT mapping
display to show a null ingress interface and its egress interface. This
is perfectly valid but confusing to human eyes. Rather than print
nothing, print "(null)".
MFC after: 1 week
Just as pfctl already does for other rules we print the ethernet rules
we would have loaded if '-n' is specified.
Sponsored by: Rubicon Communications, LLC ("Netgate")
