Commit Graph

221041 Commits

Author SHA1 Message Date
Andrey V. Elsukov
22986c6740 Introduce the concept of IPsec security policies scope.
Currently three scopes are defined: global, ifnet, and pcb.
Generic security policies that IKE daemon can add via PF_KEY interface
or an administrator creates with setkey(8) utility have GLOBAL scope.
Such policies can be applied by the kernel to outgoing packets and checked
against inbound packets after IPsec processing.
Security policies created by if_ipsec(4) interfaces have IFNET scope.
Such policies are applied to packets that are passed through if_ipsec(4)
interface.
And security policies created by application using setsockopt()
IP_IPSEC_POLICY option have PCB scope. Such policies are applied to
packets related to specific socket. Currently there is no way to list
PCB policies via setkey(8) utility.

Modify setkey(8) and libipsec(3) to be able to distinguish the scope of
security policies in the `setkey -DP` listing. Add two optional flags:
'-t' to list only policies related to virtual *tunneling* interfaces,
i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL
scope. By default policies from all scopes are listed.

To implement this, PF_KEY's sadb_x_policy structure was modified.
sadb_x_policy_reserved field is used to pass the policy scope from the
kernel to userland. SADB_SPDDUMP message extended to support filtering
by scope: sadb_msg_satype field is used to specify bit mask of requested
scopes.

For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy
is used to pass if_ipsec's interface if_index to the userland. For GLOBAL
policies sadb_x_policy_priority is used only to manage order of security
policies in the SPDB. For IFNET policies it is not used, so it can be used
to keep if_index.

After this change the output of `setkey -DP` now looks like:
# setkey -DPt
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
# setkey -DPg
::/0 ::/0 icmp6 135,0
	out none
	spid=5 seq=1 pid=872 scope=global
	refcnt=1

No objection from:	#network
Obtained from:	Yandex LLC
MFC after:	2 weeks
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D9805
2017-03-07 00:13:53 +00:00
Marius Strobl
b440e965da o Another round of fixes for mmc(4), mmcsd(4) and sdhci(4) regarding
  comments, marking unused parameters as such, style(9), whitespace,
  etc.
o In the mmc(4) bridges and sdhci(4) (bus) front-ends:
  - Remove redundant assignments of the default bus_generic_print_child
    device method (I've whipped these out of the tree as part of r227843
    once, but they keep coming back ...),
  - use DEVMETHOD_END,
  - use NULL instead of 0 for pointers.
o Trim/adjust includes.
2017-03-06 23:47:59 +00:00
Kristof Provost
98a9874f7b pf: Fix a crash in low-memory situations
If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's
no more memory for it) it frees skp. This is wrong, because skp is a
pf_state_key **, so we need to free *skp, as is done later in the function.
Getting it wrong means we try to free a stack variable of the calling
pf_test_rule() function, and we panic.
2017-03-06 23:41:23 +00:00
Simon J. Gerraty
6d4f05fd11 Update dirdeps/meta bits from latest bmake. 2017-03-06 23:13:25 +00:00
Simon J. Gerraty
1ce939a7b7 Merge bmake-20170301 2017-03-06 23:02:33 +00:00
Enji Cooper
7532a6570b Move ATF_TC_WITHOUT_HEAD(getgrent) near the testcase it annotates
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-03-06 22:46:49 +00:00
Gleb Smirnoff
6cf0c1db55 Fix compilation of r314784 on 32 bit. 2017-03-06 22:32:56 +00:00
Enji Cooper
de5e156be6 Remove *-api(3) manpages removed in ATF 0.21
I overlooked the fact that these manpages had been removed upstream
and replaced with their non *-api(3) equivalents. Follow upstream's
lead and remove the unused manpages.

MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-03-06 22:18:14 +00:00
Enji Cooper
af6edc1bfd Fix issues noted by igor/manlint
- Fix typos [1]:
-- manged -> managed
-- specifiying -> specifying
- Escape '.' at start of lines using & to tell the roff processor
  that the line isn't meant to be treated as a command [2].

Bump .Dd for the change

MFC after:	1 week
Reported by:	igor [1], manlint [2]
Sponsored by:	Dell EMC Isilon
2017-03-06 22:08:47 +00:00
Enji Cooper
b9684bc104 Fix typos
- specifiying -> specifying
- manged -> managed

Bump .Dd for the change

MFC after:	1 week
Reported by:	igor
Sponsored by:	Dell EMC Isilon
2017-03-06 21:50:35 +00:00
Enji Cooper
35c3281fb6 Fix atf-c-api(3) manpage issues
- Fix typo (specifiying -> specifying).
- Remove surrounding ellipses in i.e. section and add a comma before
  and after the i.e. reference.

Bump .Dd for the change

MFC after:	1 week
Reported by:	igor
Sponsored by:	Dell EMC Isilon
2017-03-06 21:45:25 +00:00
Enji Cooper
ddde9fa737 Fix igor/manlint issues with atf-c(3)
- Remove surrounding ellipses in i.e. section and add a comma before
  and after the i.e. reference [1].
- Fix typo (specifiying -> specifying) [1].
- Escape '.' at start of lines using & to tell the roff processor
  that the line isn't meant to be treated as a command [2].

Bump .Dd for the change

MFC after:	1 week
Reported by:	igor [1], manlint [2]
Sponsored by:	Dell EMC Isilon
2017-03-06 21:43:47 +00:00
Enji Cooper
459f307b4a Fix issues with atf-check(1) found by igor and refer to atf-check(1)
- Fix typo (specifiying -> specifying)
- Add atf-check(1) to SEE ALSO section for completeness. It's mentioned
  above, but by convention the SEE ALSO section should list all relevant
  references to other tools and APIs.

Bump .Dd for the change

MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-03-06 21:39:57 +00:00
Enji Cooper
ed20d3f52f Fix manlint issues with atf-check(1)
- Use `.Bf Em`/`.Ef` instead of prefixing lines with `.Em`. The forms
  are equivalent with traditional roff, but unnecessarily verbose. The
  former form applies the .Em macro to the enclosed block.
- Move EXIT_STATUS section down so the section complies with section
  ordering specified by mdoc(7) and enforced by manlint(1).

Bump .Dd for the change

MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-03-06 21:35:33 +00:00
Enji Cooper
b93c1b1a3b Fix out-of-order sections in atf-sh(1)
- `.Op` must be used in the SYNOPSIS section, not the NAME section.
- Move ATF_SHELL environment variable description up to first
  ENVIRONMENT section. Garbage collect the duplicate ENVIRONMENT
  section.

Bump .Dd for the change

MFC after:	1 week
Reported by:	manlint
Sponsored by:	Dell EMC Isilon
2017-03-06 21:30:06 +00:00
Enji Cooper
e5bab279a8 Fix grammar warning noted by igor
Remove surrounding ellipses in e.g. section and add a comma before and after
the e.g. reference.

MFC after:	1 week
Reported by:	igor
Sponsored by:	Dell EMC Isilon
2017-03-06 21:26:45 +00:00
Enji Cooper
ba31e895b9 Fix atf-sh(3) manpage issues
- Fix spelling errors (specifiying -> specifying) [1]
- Escape '.' at start of lines using & to tell the roff processor
  that the line isn't meant to be treated as a command [2].

Bump .Dd for the change

MFC after:	1 week
Reported by:	igor [1], manlint [2]
Sponsored by:	Dell EMC Isilon
2017-03-06 21:24:55 +00:00
Dimitry Andric
095282cf35 Reapply r287232 from upstream llvm trunk (by Daniil Fukalov):
[SCEV] limit recursion depth of CompareSCEVComplexity

  Summary:
  CompareSCEVComplexity goes too deep (50+ on quite a big unrolled
  loop) and runs almost infinite time.

  Added cache of "equal" SCEV pairs to earlier cutoff of further
  estimation. Recursion depth limit was also introduced as a parameter.

  Reviewers: sanjoy

  Subscribers: mzolotukhin, tstellarAMD, llvm-commits

  Differential Revision: https://reviews.llvm.org/D26389

Pull in r296992 from upstream llvm trunk (by Sanjoy Das):

  [SCEV] Decrease the recursion threshold for CompareValueComplexity

  Fixes PR32142.

  r287232 accidentally increased the recursion threshold for
  CompareValueComplexity from 2 to 32.  This change reverses that
  change by introducing a separate flag for CompareValueComplexity's
  threshold.

The latter revision fixes the excessive compile times for skein_block.c.
2017-03-06 21:14:20 +00:00
Bryan Drewery
a1b9cad56b Fix bootstrapping libmd on older systems after r314709.
This follows another fix to bootstrap libmd after r313404.  The
MD5FileChunk prototype is needed to build libmd, but it is
only reliably in the src tree's sys/md5.h header.  Rather than
polluting the legacy build with this header for the entire build,
just symlink it in here for now as is done in the elftoolchain
build.  Libmd is already referencing other src tree headers by
its use of CFLAGS+= ${SRCTOP}/sys/crypto/sha2.  This, and
other uses of CFLAGS+= ${SRCTOP}/sys..., may later change to
be in the legacy mechanism.

Reported by:	bde, ian, sjg
Tested by:	ian
2017-03-06 21:06:55 +00:00
Enji Cooper
63bb40b55d Fix ATF_TP_ADD_TCS example in atf-c-api(3)
ATF_TP_ADD_TC should use `tp` as the second argument, not `tcs`, as
ATF_TP_ADD_TCS uses `tp` as its first argument.

Bump .Dd for the change.

MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-03-06 20:54:21 +00:00
Bryan Drewery
0e4e8f1b33 Added comments for why nmtree/libmd are bootstrapped. 2017-03-06 20:32:17 +00:00
Simon J. Gerraty
60a7ffecc7 Import bmake-20170301 2017-03-06 19:54:54 +00:00
Alexander Motin
0656476aa6 Import mpr(4) driver P12 to P14 diff from vendor site.
This is mostly a version bump to stay in version number sync with firmware.
The only change there was cosmetic:  Display degraded speed message upon
receiving Active Cable Exception Event with DEGRADED reason code.

Discussed with:	slm@
MFC after:	1 week
2017-03-06 19:39:31 +00:00
Enji Cooper
59daefd7eb Fix some trivial manlint warnings
Sentences should begin on new lines, per manlint.

Bump .Dd for the change

MFC after:	1 month
Reviewed by:	bcr
Reported by:	make manlint
Sponsored by:	Dell EMC Isilon
2017-03-06 19:33:15 +00:00
Gleb Smirnoff
f2498877c9 In panic() print current timestamp, which matches timestamp in the dump
header.  This will help to correlate console server logs with dump files,
no matter how precise the clock on a console server appliance is, and how
buggy the appliance is.
2017-03-06 19:14:08 +00:00
Mahdi Mokhtari
881b1219aa Regenerated Linuxulator syscall tables for r314782
Approved by:	dchagin
MFC after:	1 month
2017-03-06 18:20:37 +00:00
Mahdi Mokhtari
8049c6bfb8 Add UNIMPLEMENTED() placeholder macro for
the syscalls that are not implemented in Linux kernel itself.
Cleanup DUMMY() macros.

Reviewed by:	dchagin, trasz
Approved by:	dchagin
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D9804
2017-03-06 18:11:38 +00:00
Pedro F. Giffuni
b5120bbada libpam: extra bounds checking through reallocarray(3).
Reviewed by:	des
MFC after:	1 week
2017-03-06 15:45:46 +00:00
Pedro F. Giffuni
fdd2f2ebdd Revert r314777: wrong log, the change was to libpam. 2017-03-06 15:42:03 +00:00
Pedro F. Giffuni
0012b66baf libfetch: extra bounds checking through reallocarray(3).
Reviewed by:	des
MFC after:	1 week
2017-03-06 15:38:03 +00:00
Pedro F. Giffuni
bb7d0109d7 libfetch: extra bounds checking through reallocarray(3).
Reviewed by:	des
MFC after:	1 week
2017-03-06 15:37:34 +00:00
Hans Petter Selasky
def277d3ef Implement add_timer_on() function in the LinuxKPI.
Obtained from:		kmacy @
MFC after:		1 week
Sponsored by:		Mellanox Technologies
2017-03-06 14:56:57 +00:00
Konstantin Belousov
aaadc41f6c Instead of direct use of vm_map_insert(), call vm_map_fixed(MAP_CHECK_EXCL).
This KPI explicitly indicates the intent of creating the mapping at
the fixed address, and incorporates the map locking into the callee.

Suggested and reviewed by:	alc
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2017-03-06 14:09:54 +00:00
Hans Petter Selasky
19bf8ef562 Implement DECLARE_RWSEM() macro in the LinuxKPI to initialize a
Read-Write semaphore during module init time.

MFC after:		1 week
Sponsored by:		Mellanox Technologies
2017-03-06 12:22:05 +00:00
Hans Petter Selasky
684bcfec89 Give LinuxKPI Read-Write semaphores better debug names when
WITNESS_ALL is defined. The lock name is based on the filename and
line number where the initialisation happens.

MFC after:		1 week
Sponsored by:		Mellanox Technologies
2017-03-06 12:20:56 +00:00
Dexuan Cui
f4531c91ab loader.efi: fix recent UEFI-boot regression on physical machines
This patch fixes my recent patch
"loader.efi: reduce the size of the staging area if necessary", which
causes EFI-boot failure on physical machines since Mar 2:
on the host there is a 1MB LoaderData memory range, which splits
the big Conventional Memory range into a small one (15MB) and a
big one: the small one is too small to hold the staging area.

We can actually use the LoaderData range safely, because when
amd64_tramp -> efi_copy_finish() starts to run, we're almost at
the very end of the efi loader code and we're going to "return"
to the kernel entry, so we're pretty sure we won't access any loader
data any more.

For people who are interested in the details: please see
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211746#c22

PS, some people also reported the regression happened to FreeBSD VM
running on Bhyve in EFI mode. This patch should resolve it too,
though I don't have such a setup to test.

Reviewed by:	sephe
Approved by:	sephe (mentor)
MFC after:	2 weeks
Sponsored by:	Microsoft
Differential Revision:	https://reviews.freebsd.org/D9904
2017-03-06 09:34:31 +00:00
Xin LI
0d64c8a06d Remove compatibility with old libpcap.
Differential Revision:	https://reviews.freebsd.org/D9606
2017-03-06 08:13:19 +00:00
Cy Schubert
dae3dadc43 Fix mismerge of r280849.
Reported by:	des
MFC after:	3 days
2017-03-06 07:11:23 +00:00
Ian Lepore
a57e9aade2 Build the dtb files for the revb1 versions of wandboard. 2017-03-06 04:16:35 +00:00
Ermal Luçi
dce33a45c9 The patch provides the same socket option as Linux IP_ORIGDSTADDR.
Unfortunately they will have different integer value due to Linux value being already assigned in FreeBSD.

The patch is similar to IP_RECVDSTADDR but also provides the destination port value to the application.

This allows/improves implementation of transparent proxies on UDP sockets due to having the whole information on forwarded packets.

Reviewed by:	adrian, aw
Approved by:	ae (mentor)
Sponsored by:	rsync.net
Differential Revision:	D9235
2017-03-06 04:01:58 +00:00
Pedro F. Giffuni
25ef829b03 Revert r314669, r314670:
Bring back the i486 option in GENERIC by default.

The code related to i386 CPU variants configuration has received many
changes in the last years: most of the features are detected automatically,
so there are no performance penalties from keeping the 486 support enabled.

Re-instate the 486 support: while the general configuration could still be
cleaned a bit, there is no advantage in removing it.

Differential Revision:	https://reviews.freebsd.org/D9879
2017-03-06 03:52:15 +00:00
Dag-Erling Smørgrav
ca86bcf253 Upgrade to OpenSSH 7.4p1. 2017-03-06 01:37:05 +00:00
Andrey V. Elsukov
53de37f8ca Fix the build. Use new ipfw_lookup_table() in the nat64 too.
Reported by:	cy
MFC after:	2 weeks
2017-03-06 00:41:59 +00:00
Alan Cox
28e8da6517 Style and punctuation fixes.
Reviewed by:	kib
MFC after:	3 days
2017-03-05 23:59:04 +00:00
Andrey V. Elsukov
54e5669d8c Add IPv6 support to O_IP_DST_LOOKUP opcode.
o check the size of O_IP_SRC_LOOKUP opcode, it can not exceed the size of
  ipfw_insn_u32;
o rename ipfw_lookup_table_extended() function into ipfw_lookup_table() and
  remove old ipfw_lookup_table();
o use args->f_id.flow_id6 that is in host byte order to get DSCP value;
o add SCTP ports support to 'lookup src/dst-port' opcode;
o add IPv6 support to 'lookup src/dst-ip' opcode.

PR:		217292
Reviewed by:	melifaro
MFC after:	2 weeks
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D9873
2017-03-05 23:48:24 +00:00
Andrey V. Elsukov
c750a56914 Reject invalid object types that can not be used with specific opcodes.
When we are doing reference counting of named objects in the new rule,
for existing objects check that the opcode references the correct object,
otherwise return EINVAL.

PR:		217391
MFC after:	1 week
Sponsored by:	Yandex LLC
2017-03-05 22:19:43 +00:00
Bryan Drewery
27ca6260e0 Don't kill pid -1 on overflow from strtol(3).
Store the result in a proper long and then compare to the proper pid_t
for overflow, so that no MD assumptions are made.

Reviewed by:	jilles
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D9887
2017-03-05 21:56:04 +00:00
Bryan Drewery
51c6e78d91 Fix bootstrapping mtree after r313404 for older systems.
r313404 made libnetbsd require sha384.h from libmd.  Libmd added it in
r292782.  Update BOOTSTRAPPING to account for this.

Reported by:	bde
Reviewed by:	ngie
2017-03-05 21:16:50 +00:00
Dimitry Andric
d754696bcb For now, revert r287232 from upstream llvm trunk (by Daniil Fukalov):
[SCEV] limit recursion depth of CompareSCEVComplexity

  Summary:
  CompareSCEVComplexity goes too deep (50+ on quite a big unrolled
  loop) and runs almost infinite time.

  Added cache of "equal" SCEV pairs to earlier cutoff of further
  estimation. Recursion depth limit was also introduced as a parameter.

  Reviewers: sanjoy

  Subscribers: mzolotukhin, tstellarAMD, llvm-commits

  Differential Revision: https://reviews.llvm.org/D26389

This commit is the cause of excessive compile times on skein_block.c
(and possibly other files) during kernel builds on amd64.

We never saw the problematic behavior described in this upstream commit,
so for now it is better to revert it.  An upstream bug has been filed
here: https://bugs.llvm.org/show_bug.cgi?id=32142

Reported by:	mjg
2017-03-05 19:56:20 +00:00
John-Mark Gurney
dac42e98ee add missing MLINKS for functions that this man page documents.
This page should be renamed to eliminate an unneeded inode.

Forgotten by: markm
2017-03-05 18:37:25 +00:00