Document how 'ether' rules can be set, and what options they support.
Reviewed by: bcr
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31751
If we're not filtering on a specific MAC address don't print it at all,
rather than showing an all-zero address.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31749
Allow the evaluations/packets/bytes counters on Ethernet rules to be
cleared.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31748
Test that we correctly match inbound ('in') or outbound ('out') Ethernet
packets.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31747
Use the ether rules to selectively (i.e. per MAC address) redirect
certain connections. Test that tags carry over to the layer-3 pf code.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31746
Test that we can express 'ether block from ! 00:01:02:03:04:05'.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31744
Test the MAC address filtering capability in the new 'ether' feature in
pf.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31743
Avoid the overhead of the Ethernet pfil hooks if we don't have any
Ethernet rules.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31742
Avoid the overhead of acquiring a (read) RULES lock when processing the
Ethernet rules.
We can get away with that because when rules are modified they're staged
in V_pf_keth_inactive. We take care to ensure the swap to V_pf_keth is
atomic, so that pf_test_eth_rule() always sees either the old rules, or
the new ruleset.
We need to take care not to delete the old ruleset until we're sure no
pf_test_eth_rule() is still running with those. We accomplish that by
using NET_EPOCH_CALL() to actually free the old rules.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31739
Extend pfctl to be able to read configured Ethernet filtering rules from
the kernel and print them.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31738
This is the kernel side of stateless Ethernet-level filtering for pf.
The primary use case for this is to enable captive portal functionality
to allow/deny access by MAC address, rather than per IP address.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31737
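The ten commits above introduce and test pf's Ethernet (`ether`) rules: MAC-based pass/block, `in`/`out` direction matching, negated sources (`from ! MAC`), and tags that carry over from the layer-2 rules to the layer-3 ruleset, with the stated use case being a captive portal that admits clients by MAC address. The following pf.conf fragment is an added example written for this page; it is not code from the commits or from the FreeBSD project. The interface names, MAC addresses and the portal address are placeholders, and the section ordering (Ethernet rules after options, before normalization, translation and filtering rules) reflects pf.conf(5) on FreeBSD 13.1 and later.

```pf
# Added example, not part of the commits above. Interface names, MACs and
# the portal address are assumptions; replace them for a real deployment.
# Ethernet rules form their own section of pf.conf and are stateless:
# every frame is evaluated against them before the layer-3 ruleset runs.

mgmt_if = "vtnet0"
lan_if  = "vtnet1"
portal  = "192.0.2.1"
admin   = "00:01:02:03:04:05"
known   = "00:01:02:03:04:06"

# Management port: only the admin MAC may talk to us. 'from ! MAC'
# negates the source match, so every other source is dropped at layer 2
# and never reaches the IP stack.
ether block in quick on $mgmt_if from ! $admin

# Captive portal on the LAN side. A client whose MAC has been admitted is
# tagged "authed" as its frame enters; everything else is tagged "portal".
# The tag set here is visible to the layer-3 rules below.
ether pass in quick on $lan_if from $known tag "authed"
ether pass in on $lan_if tag "portal"

# Layer 3. Unauthenticated clients have their HTTP redirected to the
# portal (rdr pass lets the redirected connection through); all their
# other inbound traffic is blocked. Authenticated clients pass.
rdr pass on $lan_if inet proto tcp from any to any port 80 tagged "portal" -> $portal port 8080
block in on $lan_if tagged "portal"
pass in quick on $lan_if tagged "authed"
```

Load it with `pfctl -f /etc/pf.conf` and inspect the loaded Ethernet rules with `pfctl -s ether` (adding `-v` shows the per-rule evaluation, packet and byte counters the commits above expose; the exact flag names are how current pfctl presents this, not something the commit messages state). Two caveats a practitioner will want: the MAC match is on the frame as received, so a client can clone an admitted MAC and inherit its tag, which makes this access control rather than authentication; and because the Ethernet rules are stateless, an `in` rule does not implicitly permit reply traffic the way a stateful layer-3 `pass` does, so `out` rules must be written explicitly where the default is not what you want.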
An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled. Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.
Reviewed by: kevans
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34407
The LibUSB v1.0 emulation layer uses pipes internally to signal between
threads. When USB devices are reset, as part of loading firmware, SIGPIPE
may happen, and that is expected and should be ignored.
PR: 261891
MFC after: 1 week
Sponsored by: NVIDIA Networking
Define NO_WUNUSED_BUT_SET_VARIABLE for newer clang, and use it in ATH_C
to account for different clang versions. Use it in Makefiles as well.
Sponsored by: Netflix
Reviewed by: kevans, jhb
Differential Revision: https://reviews.freebsd.org/D34408
Bump the minimum supported version to build -current from to 11.3R in
preparation for removing support for older systems. 11.4R was selected
as the most recent version to go out of support.
Sponsored by: Netflix
Reviewed by: delphij, emaste
Differential Revision: https://reviews.freebsd.org/D32444
We only need kbdcontrol when bootstrapping from FreeBSD 10 or
pre-FreeBSD 11.0 current. Since we can no longer build from these
versions of FreeBSD, remove the support for bootstrapping them.
Sponsored by: Netflix
Define a place for sysroot trees to live. This assumes they come from
the base in some way, though there's not yet a build/install/etc sysroot
target. Include the FreeBSD version so multiple versions can be
installed on one system (it also includes the whole uname version, so
one could, in theory, install variants like CheriBSD or whatever on the
same system as FreeBSD). Use MACHINE.MACHINE_ARCH to be consistent with
the release practices, /usr/obj and other naming conventions.
Sponsored by: Netflix
Reviewed by: brooks
Differential Revision: https://reviews.freebsd.org/D33754
Improve the installer: wlanconfig allows user to enter WiFi details
if no networks found, useful to connect to a hidden SSID.
PR: 246192
Reported by: emaste
Approved by: bapt (mentor)
Differential Revision: https://reviews.freebsd.org/D34149
exit1() sets P_WEXIT before waiting for holding threads to finish,
rather than after, so this assertion is racy.
Fixes: 12fb39ec3e6b ("proc: Relax proc_rwmem()'s assertion on the process hold count")
Reported by: Jenkins
This enables thread-aware timers which in turn fixes benchmark result
reports.
Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D34238
fasttrap instruments certain instructions by overwriting them and
copying the original instruction to some per-thread scratch space which
is executed after the probe fires. This trampoline jumps back to the
tracepoint after executing the original instruction.
The created mapping has both write and execute permissions, and so this
mechanism doesn't work when allow_wx is disabled. Work around the
restriction by using proc_rwmem() to write to the trampoline.
Reviewed by: vangyzen
Tested by: Amit <akamit91@hotmail.com>
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34304
This reference ensures that the process and its associated vmspace will
not be destroyed while proc_rwmem() is executing. If, however, the
calling thread belongs to the target process, then it is unnecessary to
hold the process. In particular, fasttrap - a module which enables
userspace dtrace - may frequently call proc_rwmem(), and we'd prefer to
avoid the overhead of locking and bumping the hold count when possible.
Thus, make the assertion conditional on "p != curproc". Also assert
that the process is not already exiting. No functional change intended.
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
And drop stray 'd' from the end of some printed numbers. I assume this
was the result of someone thinking u is a printf length modifier for d,
not a format specifier itself.
Reviewed by: kevans, rew
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34387
The ath driver has a lot of these warnings. It's an older driver, so
just suppress these warnings until they can be fixed. They are a mix of
simple dead stores, debugging output and stuff that would require
careful study to know if it's safe to remove the access or not (there are
likely very few of the latter, but if there are any they are latent bugs
that the compiler could optimize away). Since I have no ath hardware to test
on anymore, take the conservative approach.
Sponsored by: Netflix
Create g_part_getattr to allow gpart geoms to have their attributes queried.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D32782
Allow wiring of unit numbers based on any of the standard locators that
match.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32787
Abstract out acpi_hint_device_matches_resources from
acpi_hint_device_unit to simplify that code. Continue matching like
we've always matched: no functional change.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32786
"matches" is used as a bool and doesn't need to count anything. Convert
it to a bool.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32785
If the pciX:Y:Z and pciW:X:Y:Z 'at' locations don't work, allow trying the
LOCATOR:PATH syntax. Use dev_wired_cache to generically look them up.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32784
A simple cache to cache different locators to the same device.
Sponsored by: Netflix
Changes Suggested by: jhb
Differential Revision: https://reviews.freebsd.org/D32783
If we find a match, then assign it. Flip the logic in the if and assign
the unit rather than continuing if it doesn't match. Will make it easier
to expand to other matching schemes.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32779
Add a UEFI locator type. It prints the UEFI device names for a FreeBSD
device_t name. It works with PCI and ACPI device nodes. USB forthcoming.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32749
Add support for printing ACPI paths. This is a bit of a degenerate case
for this interface since it's always just the device handle if the
device has one. But it is illustrative of how to do this for a few nodes
in the tree.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32748
Retrieves the path for a device. Different methods to enumerate the path
are supported, called locators.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32747
Helper routine to call the kernel to get a path to the named device.
Different path enumeration methods (called locators) can be used
for different path types depending on what the kernel implements.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32746
DEV_GET_PATH will get the path to a device based on different locators.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32745
This returns the full path of the child device requested. Since
there are different ways to reckon the entire path, include a 'locator'
method. The default 'FreeBSD' method uses a filesystem-like path name
with each device to the root node separated by /. Other locators will be
UEFI, ACPI and fdt, though others are possible in the future. Make the
locator a string to allow maximum flexibility.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32744
We make sure that we check for device privs (usually meaning root or
better) for everything. To allow other functions that don't require
this, default to 644 protection.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32863
The option is security-key-builtin not security-key-internal. There is
no change to the generated config.h because the option defaults off
anyway.
MFC after: 3 days
Fixes: 87152f340549 ("ssh: disble internal security key...")
Sponsored by: The FreeBSD Foundation
This increases the size of the user map from 256GB to 128TB. The kernel
map is left unchanged for now.
For now SV48 mode is left disabled by default, but can be enabled with a
tunable. Note that extant hardware does not implement SV48, but QEMU
does.
- In pmap_bootstrap(), allocate an L0 page and attempt to enable SV48
mode. If the write to SATP doesn't take, the kernel continues to run
in SV39 mode.
- Define VM_MAX_USER_ADDRESS to refer to the SV48 limit. In SV39 mode,
the region [VM_MAX_USER_ADDRESS_SV39, VM_MAX_USER_ADDRESS_SV48] is not
mappable.
Reviewed by: jhb
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34280
This is required in SV48 mode.
Reviewed by: jhb
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34279