When a system with pf_enable="YES" in /etc/rc.conf uses hostnames in
/etc/pf.conf, these hostnames cannot be resolved via external nameservers
because the default route is not yet set. This results in an empty
(all open) ruleset.
Since r195026 already put netif back to REQUIRE, this change does not affect
the issue that the firewall should rather have been setup before any
network traffic can occur.
PR: 211928
Submitted by: Robert Schulze
Reported by: Robert Schulze
Tested by: Mateusz Kwiatkowski
No objections from: kp
MFC after: 3 days
These kind of drops come for free in the sense that they do not use the
filter TCAM or any other resource that wouldn't normally be used during
rx. Frames dropped by the hardware get counted in the MAC's rx stats
but are not delivered to the driver.
hw.cxgbe.attack_filter
Set to 1 to enable the "attack filter". Default is 0. The attack
filter will drop an incoming frame if any of these conditions is true:
src ip/ip6 == dst ip/ip6; tcp and src/dst ip is not unicast; src/dst ip
is loopback (127.x.y.z); src ip6 is not unicast; src/dst ip6 is loopback
(::1/128) or unspecified (::/128); tcp and src/dst ip6 is mcast
(ff00::/8).
hw.cxgbe.drop_ip_fragments
Set to 1 to drop all incoming IP fragments. Default is 0. Note that
this drops valid frames.
hw.cxgbe.drop_pkts_with_l2_errors
Set to 1 to drop incoming frames with Layer 2 length or checksum errors.
Default is 1.
hw.cxgbe.drop_pkts_with_l3_errors
Set to 1 to drop incoming frames with IP version, length, or checksum
errors. Default is 0.
hw.cxgbe.drop_pkts_with_l4_errors
Set to 1 to drop incoming frames with Layer 4 length, checksum, or other
errors. Default is 0.
MFC after: 2 weeks
Sponsored by: Chelsio Communications
It is possible for elf_reloc_local() to fail in the unlikely case of
an unsupported relocation type. If this occurs, do not continue to
process the file.
Reviewed by: kib, markj (earlier version)
MFC after: 1 week
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D26701
As we did in the kernel in r366112 replace the MS() macro with the version(s)
added to the kernel: _IEEE80211_MASKSHIFT(). Also provide its counter part.
This will later allow use to use other macros defined in net80211 headers
here in ifconfig.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
This code was iteratively implemented during the work on various WiFi
drivers -- from individual functions to a macro-created implementations
for the various bit sized needed (and then extended to more for
comepleteness). Some of the bit combinations do not seem to make sense
so are left out.
The __bf_shf(x) was obtained from D26681 [1].
Requested by: manu [1]
Reviewed by: hselasky, manu
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D26708
Sort a few VHT160 and 80+80 lines, update some comments, and remove
a superfluous ','.
No functional changes intended.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
The method was optional prior to r365938, which made it mandatory but did add
any test that an implementation provides the method nor implement it for
bhyveload. The code path might not be hit unless the user's loader was
configured to write to a file on disk, such as with nextboot(8).
Reviewed by: grehan, tsoome
Approved by: bhyve
X-MFC-With: r365938
Differential Revision: https://reviews.freebsd.org/D26710
It is unlikely, but possible, that an unrecognized or unsupported
relocation type is encountered while trying to load a kernel module. If
this occurs we should offer the symbol index as a hint to the user.
While here, fix some small style issues.
Reviewed by: markj, kib (amd64 part, in D26701)
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
Cleanup all host resources, SYSCTLs, MSIX vectors and memory used
by the host and only leave the device allocated memory behind, if any,
because it may still be in use, when the PCI remove function is called.
Else future probe calls may fail due to SYSCTLs already existing.
MFC after: 1 week
Sponsored by: Mellanox Technologies // NVIDIA Networking
colcrt(1) and nroff(1) where removed in r319664.
Remove references to these commands in ul(1) man page.
PR: 244127
Reported by: freebsd@tim.thechases.com
Approved by: manpages (gbe@)
Differential Revision: https://reviews.freebsd.org/D2614
sys.capsicum.functional.Capability__NoBypassDAC
sys.capsicum.functional.Pdfork__OtherUserForked
PR: 250178, 250179
Sponsored by: The FreeBSD Foundation
This leaves the main test body untouched and only skip running in the CI env,
makes doing local test easier while developing.
PR: 244165
Sponsored by: The FreeBSD Foundation
The kernel globals for kenv are confined to 2 files that need them and
a few that likely shouldn't (but as written the code does). Move them
from sys/systm.h to sys/kenv.h. This removed a XXX from systm.h and
cleans it up a little bit...
Sometimes, this drive will be present in the system such that the the
firmware identification string doesn't start with ATA, such as when
it's behind a SATA-to-SAS interposer. Add another quirk for that.
Submitted by: github user mr44er
Github PR: 423
Update the to log fetch operation for latest WDC NVMe products.
Tested on HGST SN100 (a few years old) and WDC SN720 (more recent).
Submitted by: Akhilesh Rn <Akhilesh.RN@wdc.com> (minor style tweak by me)
Github PR: 435
The prototype was added with the creation of kern_shutdown.c in r17658,
but it appears to have never been implemented. Remove it now.
Reviewed by: cem, kib
Differential Revision: https://reviews.freebsd.org/D26702
We're not allowed to hold NET_EPOCH while sleeping, so when we call ioctl()
handlers for member interfaces we cannot be in NET_EPOCH. We still need some
protection of our CK_LISTs, so hold BRIDGE_LOCK instead.
That requires changing BRIDGE_LOCK into a sleepable lock, and separating the
BRIDGE_RT_LOCK, to protect bridge_rtnode lists. That lock is taken in the data
path (while in NET_EPOCH), so it cannot be a sleepable lock.
While here document the locking strategy.
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D26418
- Just use sw->octx != NULL to handle the HMAC case when finalizing
the MAC.
- Explicitly zero the on-stack auth context.
Reviewed by: markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D26688
if_capabilities is a read-only mask of supported capabilities.
if_capenable is a mask under administrative control via ifconfig(8).
Reviewed by: gallatin
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D26690
Both cxgbe(4) and mlx5(4) wrapped the existing send tag header with
their own identical headers that stored the type that the
type-specific tag structures inherited from, so in practice it seems
drivers need this in the tag anyway. This permits removing these
extra header indirections (struct cxgbe_snd_tag and struct
mlx5e_snd_tag).
In addition, this permits driver-independent code to query the type of
a tag, e.g. to know what type of tag is being queried via
if_snd_query.
Reviewed by: gallatin, hselasky, np, kib
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D26689
Since r366355 and r366284 we panic on access faults rather than treating
them like page faults so this condition is never true.
Reviewed by: jhb (mentor), markj, mhorne
Approved by: jhb (mentor), markj, mhorne
Differential Revision: https://reviews.freebsd.org/D26686
We should never take instruction page faults when in the kernel, but by
using the standard page fault code we should get a more-informative
message about faulting on a NOFAULT page rather than branching to the
default case here and printing an "Unknown kernel exception ..."
message.
Reviewed by: jhb (mentor), markj
Approved by: jhb (mentor), markj
Differential Revision: https://reviews.freebsd.org/D26685
sys.capsicum.functional.ForkedOpenatTest_WithFlagInCapabilityMode___
sys.capsicum.functional.OpenatTest__WithFlag
PR: 249960
Sponsored by: The FreeBSD Foundation
These names were inherited from the arm64 port and should be changed to
the RISC-V terminology.
Reviewed by: jhb (mentor), kp, markj
Approved by: jhb (mentor), kp, markj
Differential Revision: https://reviews.freebsd.org/D26671
- Extend the list of main libraries of section 3
- Extend the library functions that are included in the libc
MFC after: 2 weeks
Submitted by: Naga Chaitanya Vellanki <pnagato at protonmail dot com>
Approved by: gbe
Differential Revision: https://reviews.freebsd.org/D26476
Add release_pages needed by drm which simply calls put_page for
all the pages provided
Reviewed by: bz
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D26680
Add power_supply_is_system_supplied which is needed by drm.
Reviewed by: bz
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D26679
Only add prefetchw as it is the only function used by drm.
Simply use the __builtin_prefetch which is available in all
compiler for a long time.
Reviewed by: bz
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D26677
