Commit 0637b12b13be added the -2 option to allow
TLS 1.2 NFS-over-TLS mounts. It did not add -2
to the usage message.
This patch adds -2 to the usage message.
MFC after: 2 weeks
Since the KTLS now supports TLS1.3, the daemons default
to version 1.3, since the draft (to be an RFC someday)
requires TLS1.3.
However, since FreeBSD 13,0, 13,1 uses TLS1.2 for
NFS-over-TLS, the "-2" option is added to both daemons
for compatibility with FreeBSD 13.0, 13.1.
This patch updates the man pages for this.
This is a content change.
Reviewed by: pauamma_gundo.com
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35290
Since the KTLS now supports TLS1.3, the daemons default
to version 1.3, since the draft (to be an RFC someday)
requires TLS1.3.
However, since FreeBSD 13,0, 13,1 uses TLS1.2 for
NFS-over-TLS, the "-2" option is added to both daemons
for compatibility with FreeBSD 13.0, 13.1.
This patch updates the man pages for this.
This is a content change.
Reviewed by: pauamma_gundo.com
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35290
Commit f5b40aa0dea6 modifies the -C command line option
for rpc.tlsclntd to use the TLS 1.3 SSL_CTX_set_ciphersuites().
This patch updates the man page for this modified command
line option.
This is a content change.
Reviewed by: jhb, pauamma_gundo.com (same change for rpc.tlsservd.8)
MFC after: 2 weeks
Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
This patch replaces SSL_CTX_set_cipher_list() with
SSL_CTX_set_ciphersuites(), since that is the function
that is used for TLS1.3.
The man page will be updated in a separate commit.
MFC after: 2 weeks
Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
This patch replaces SSL_CTX_set_cipher_list() with
SSL_CTX_set_ciphersuites(), since that is the function
that is used for TLS1.3.
The man page has already been updated.
MFC after: 2 weeks
According to pam_exec(8), the `expose_authtok` option should be ignored
when the service function is `pam_sm_setcred`. Currently `pam_exec` only
prevent prompt for anth token when `expose_authtok` is set on
`pam_sm_setcred`. This subsequently led to segfault when there isn't an
existing auth token available.
Bug reported on this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263893
After reading https://reviews.freebsd.org/rS349556 I am not sure if the
default behaviour supposed to be simply not prompt for authentication
token, or is it to ignore the option entirely as stated in the man page.
This patch is therefore only adding an additional NULL check on the item
`pam_get_item` provide, and exit with `PAM_SYSTEM_ERR` when such item is
NULL.
MFC after: 1 week
Reviewed by: des, khng
Differential Revision: https://reviews.freebsd.org/D35169
If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
buffer. Check that the buffer is sufficiently long to avoid that.
Maintain the existing (and desired, because it's used as such in
/etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
request for the root anchor (or no anchor specified).
PR: 264128
Reviewed by: kp
Commit 712aac1389e8 adds a new -C command line option
to rpc.tlsservd.
This patch updates the man page for this new command
line option.
This is a content change.
Reviewed by: jhb, pauamma_gundo.com
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D35136
Some makefs(8) patches make use of zfsimpl.h (not zfsimpl.c though) to
provide definitions for various on-disk structures. Most of this diff
simply adds new definitions that are useful.
Also reduce dependencies of the header:
- remove an unused list_node_t field to drop the sys/list.h dependency
- replace CTASSERT with _Static_assert
And fix the declaration of decode_embedded_bp_compressed().
No functional change intended.
Reviewed by: tsoome
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35278
bsdinstall(8) has an option to enable moused support.
However, if it is not selected, moused is still started
through the configuration of nondefault devices.
So, automatically add the moused_nondefault_enable="NO"
setting to rc.conf unless moused support is selected.
PR: 227999
Reported by: bcran
Reviewed by: bapt
Differential Revision: https://reviews.freebsd.org/D35193
When reading the UEFI memory map we pass in a pointer to the memory to
hold the map. Unfortunately it wasn't initialised before the first use
so clang decided it was undefined behaviour so the entire loop was
removed. This leads to everything in bi_load after this to also be
removed as dead code.
The next function after bi_load in the binary is efi_copy_init. The
above caused us to enter efi_copy_init with a return address of the
start of the function. Because of this it would enter an infinite
loop of calling the function, allocating memory, then returning to
the start of the function.
PR: 264021
head_errlog is new format for errlog, but we do not really
use errlog, so we can just mark it supported, to enable reading
from pool.
MFC after: 1 week
The command "ping -S dotted.quad hostname" fails on dual-stack hosts
with the confusing message "ping: invalid source address: Name does
not resolve" because IPv6 is selected in preference. If the argument
to -S is numeric (likely), select the corresponding address family,
as if -4 or -6 was specified. Add tests that either IPv4 or IPv6 can
be forced via a -S parameter.
Reviewed by: asomers
Differential Revision: https://reviews.freebsd.org/D35271
MFC after: 1 week
Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
Since FreeBSD 13.0, 13.1 use TLS version 1.2 for
NFS-over-TLS mounts, this command line option
may be used so that NFS-over-TLS mounts to 13.0, 13.1
servers will still work.
Without the command line option, NFS-over-TLS mounts
will use TLS version 1.3.
The man page update will be a separate commit.
MFC after: 2 weeks
Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
Since FreeBSD 13.0, 13.1 use TLS version 1.2 for
NFS-over-TLS mounts, this command line option
may be used so that mounts from 13.0, 13.1 will still work.
Without the command line option, only TLS version 1.3
mounts are permitted.
The man page update will be a separate commit.
MFC after: 2 weeks
Working on an update for rtw88 baed on wireless-testing I ran into
a build issue with struct ieee802211_sta. Some fields were factored
out into their own struct apparently preparing for MLO (Multi Link
Operation).
In order to be able to update one driver we have to adjust both
rtw88 and iwlwifi (and the ones still out-of-tree) now.
This is mostly a sed-replace job and no functional changes are
intended.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
This fixes a userland race where bhyveload or bhyve can fail to reuse
a VM name after bhyvectl --destroy has returned.
Reported by: Michael Dexter
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D35186
Validate the cases where a match can be found immediately and where no
match can be found. This extends the existing test cases and is enough
to catch the bug fixed in commit 6e7a585348d5 ("bitstring: fix ff_area()
when start!=0").
Reviewed by: dougm
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35259
Move declarations into a new nvlist.h rather than putting everything in
libzfs.h. This makes this nvlist code easier to reuse elsewhere. In
particular, the nvlist implementation in sys/contrib/libnv does not
provide XDR encoding, but this is needed when reading from or writing to
ZFS pools.
Also:
- Remove references to boolean_t. It has to be a 32-bit int here, so
just reference the underlying type.
- Add includes needed when compiling the nvlist code outside of stand/.
No functional change intended.
Reviewed by: tsoome
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35255
When adding an entry to an nvlist, the data buffer might need to be
resized. When this happens, the XDR encoder's notion of the buffer size
also needs to be updated, otherwise the operation may erroneously fail.
Reviewed by: tsoome, imp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35254
Rename the "copyin" and "copyout" fields of struct cpuset_copy_cb to
something less generic, since sanitizers define interceptors for
copyin() and copyout() using #define.
Reported by: syzbot+2db5d644097fc698fb6f@syzkaller.appspotmail.com
Fixes: 47a57144af25 ("cpuset: Byte swap cpuset for compat32 on big endian architectures")
Sponsored by: The FreeBSD Foundation
Extend the existing ethernet dummynet test to also test dummynet on the
outbound direction.
This used to be a problem as traffic shaping wasn't done in the ethernet
code. It merely tagged the packet and left shaping up to the layer 3 pf
code. This works in the inbound direction, but not for outbound traffic
where we hit the L3 code first and only then the L2 code.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35258
Until recently dummynet in ethernet rules did not send packets directly
to dummynet but instead marked them and left the interactions with
dummynet to the layer 3 pf code.
This worked fine for incoming packets (where we process ethernet rules
before layer 3 rules), but not for outbound packets (where the order of
operations is the reverse).
Dummynet does support handling layer 2 traffic, so send the packets
directly to dummynet.
The main limitation now is that pf does not inspect layer 4 (i.e.
TCP/UDP) so we don't have protocol information or port numbers. Dummynet
potentially uses this to separate traffic flows, which will not work for
ethernet dummynet rules. However, pipes (i.e. adding latency or
restricting bandwidth) will work exactly as expected.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35257
The dn_pkt_tag tag contained a struct ifnet pointer. If we persist that
across NET_EPOCH boundaries (as we did in dummynet) we risk panics if
the interface is removed between the packet being enqueued and it being
dequeued.
Convert the pointer into an index/generation pair and restore it when
the packet is taken out of the queue.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35256
Add more values to the ieee80211_min_mpdu_start_spacing enum with
two missing given we do not know how they are called. Also update
the reference while here.
Add struct ieee80211_hdr_3addr and correct the comment on the
ieee80211_hdr to match the one in net80211 to avoid future confusion.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Implement pcie_capability_set_word() using the already available
read/write functions.
Also define the completion timeout disable value to our PCI one.
Both needed by a driver update.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: manu, hselasky
Differential Revision: https://reviews.freebsd.org/D35250
c4iw_zero_addr is supposed to check for all-zero addresses but was using
IN_ZERONET (which does something different) for IPv4 addresses. Fix it
by simply checking for 0 as is done for IPv6 addresses.
Reported by: karels@
MFC after: 3 days
Sponsored by: Chelsio Communications
The += for unique assignments is equivalent to =. Make these confusing
assignments simply assignments.
Reviewed by: emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35242
To enable it user-space needs to call feenableexcept().
FPE_FLTIDO has been added as the IDF bit can't be mapped to any existing
FPE code.
Reviewed by: andrew@
Differential revision: https://reviews.freebsd.org/D35247
MFC after: 2 weeks
Follow the 11a6ecd4. Check and handle the case when the ll/sc casu fails
even when the compare succeeds.
For more details PR/263825, https://reviews.freebsd.org/D35150.
Obtained from: Andrew@
MFC after: 2 weeks
Summary:
BITSET uses long as its basic underlying type, which is dependent on the
compile type, meaning on 32-bit builds the basic type is 32 bits, but on
64-bit builds it's 64 bits. On little endian architectures this doesn't
matter, because the LSB is always at the low bit, so the words get
effectively concatenated moving between 32-bit and 64-bit, but on
big-endian architectures it throws a wrench in, as setting bit 0 in
32-bit mode is equivalent to setting bit 32 in 64-bit mode. To
demonstrate:
32-bit mode:
BIT_SET(foo, 0): 0x00000001
64-bit sees: 0x0000000100000000
cpuset is the only system interface that uses bitsets, so solve this
by swapping the integer sub-components at the copyin/copyout points.
Reviewed by: kib
MFC after: 3 days
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D35225
