Commit Graph

10345 Commits

Author SHA1 Message Date
ae
0fb6ad528e Merge projects/ipsec into head/.
Small summary
 -------------

o Almost all IPsec releated code was moved into sys/netipsec.
o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel
  option IPSEC_SUPPORT added. It enables support for loading
  and unloading of ipsec.ko and tcpmd5.ko kernel modules.
o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by
  default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type
  support was removed. Added TCP/UDP checksum handling for
  inbound packets that were decapsulated by transport mode SAs.
  setkey(8) modified to show run-time NAT-T configuration of SA.
o New network pseudo interface if_ipsec(4) added. For now it is
  build as part of ipsec.ko module (or with IPSEC kernel).
  It implements IPsec virtual tunnels to create route-based VPNs.
o The network stack now invokes IPsec functions using special
  methods. The only one header file <netipsec/ipsec_support.h>
  should be included to declare all the needed things to work
  with IPsec.
o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed.
  Now these protocols are handled directly via IPsec methods.
o TCP_SIGNATURE support was reworked to be more close to RFC.
o PF_KEY SADB was reworked:
  - now all security associations stored in the single SPI namespace,
    and all SAs MUST have unique SPI.
  - several hash tables added to speed up lookups in SADB.
  - SADB now uses rmlock to protect access, and concurrent threads
    can do SA lookups in the same time.
  - many PF_KEY message handlers were reworked to reflect changes
    in SADB.
  - SADB_UPDATE message was extended to support new PF_KEY headers:
    SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They
    can be used by IKE daemon to change SA addresses.
o ipsecrequest and secpolicy structures were cardinally changed to
  avoid locking protection for ipsecrequest. Now we support
  only limited number (4) of bundled SAs, but they are supported
  for both INET and INET6.
o INPCB security policy cache was introduced. Each PCB now caches
  used security policies to avoid SP lookup for each packet.
o For inbound security policies added the mode, when the kernel does
  check for full history of applied IPsec transforms.
o References counting rules for security policies and security
  associations were changed. The proper SA locking added into xform
  code.
o xform code was also changed. Now it is possible to unregister xforms.
  tdb_xxx structures were changed and renamed to reflect changes in
  SADB/SPDB, and changed rules for locking and refcounting.

Reviewed by:	gnn, wblock
Obtained from:	Yandex LLC
Relnotes:	yes
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D9352
2017-02-06 08:49:57 +00:00
np
603f7d66d4 cxgbe(4): Allow tunables that control the number of queues to be set to
'-n' to tell the driver to create _up to_ 'n' queues if enough cores are
available.  For example, setting hw.cxgbe.nrxq10g="-32" will result in
16 queues if the system has 16 cores, 32 if it has 32.

There is no change in the default number of queues of any type.

MFC after:	1 week
Sponsored by:	Chelsio Communications
2017-02-06 05:19:29 +00:00
jilles
a61eaf8db2 Clean up documentation of AF_UNIX control messages.
Document AF_UNIX control messages in unix(4) only, not split between unix(4)
and recv(2).

Also, warn about LOCAL_CREDS effective uid/gid fields, since the write could
be from a setuid or setgid program (with the explicit SCM_CREDS and
LOCAL_PEERCRED, the credentials are read at such a time that it can be
assumed that the process intends for them to be used in this context).

Reviewed by:	wblock
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D9298
2017-02-03 20:33:23 +00:00
hiren
1097c9bdb6 Man page update to go along with r312907.
Reviewed by:	    Allanjude
MFC after:	    2 weeks
Sponsored by:	    Limelight Networks
2017-01-30 02:25:55 +00:00
ngie
ad3e1317f5 Update TARGET/TARGET_ARCH examples to use arm64/aarch64 instead of i386/pc98
pc98 support was removed in r312910
2017-01-28 23:58:17 +00:00
nyan
dda518ce79 Remove more pc98 support. 2017-01-28 09:58:00 +00:00
nyan
dd885e962b Regen after r312910. 2017-01-28 02:25:33 +00:00
nyan
259480b6de Remove pc98 support completely.
I thank all developers and contributors for pc98.

Relnotes:	yes
2017-01-28 02:22:15 +00:00
sbruno
8c2c935f91 Add iflib man pages for developers.
Doc review is probably waranted here for editing.

Submitted by:	Nicole Graziano
2017-01-28 00:40:36 +00:00
obrien
fef274c665 Correct grammar. 2017-01-26 16:36:12 +00:00
kevlo
3dfa47ebb8 Add support for the Realtek RTL8192EU chipset.
Committed over the D-Link DWA-131 rev E1 on amd64 with WPA.

Reviewed by:	avos
2017-01-24 02:35:38 +00:00
kib
5c7955abff Document mount option "nonc" for tmpfs.
Sponsored by:	The FreeBSD Foundation
MFC after:	2 weeks
Differential revision:	https://reviews.freebsd.org/D9258
2017-01-22 19:50:23 +00:00
kib
d1597b221e Editing and clarifications for tmpfs(5).
Submitted by:	wblock
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D9211
2017-01-22 19:46:14 +00:00
kevlo
2cd47566ff Mention softfloat and hardfloat supports for RISC-V.
Reviewed by:	br
2017-01-21 07:07:50 +00:00
kib
a9d8825913 Refresh tmpfs(5) man page.
Provide more useful explanation of features and quirks.

Reviewed by:	emaste, vangyzen
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D9211
2017-01-19 18:26:06 +00:00
ngie
8d8e2ef9e3 Add manpage for mlx4ib(4)
This manpage isn't differentiated from mlx4en except where necessary,
replacing eth/ETH with ib/IB.

Eventually the manpages will be split and the common bits be placed
in a manpage named "mlx4.4".

MFC after:	3 weeks
Reviewed by:	hselasky
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D9241
2017-01-19 17:09:11 +00:00
cem
4d542f9fe8 ufs/extattr.h: Fix documentation of ea_name termination
The ea_name string is not nul-terminated.  Correct the documentation.

Because the subsequent field is padded to 8 bytes, and the padding is
zeroed, the ea_name string will appear to be nul-terminated whenever the
length isn't exactly one (mod eight).

This was introduced in r167010 (2007).

Additionally, mark the length fields as unsigned.  This particularly
matters for the single byte ea_namelength field, which can represent
extended attribute names up to 255 bytes long.

No functional change.

PR:		216127
Reported by:	dewayne at heuristicsystems.com.au
Reviewed by:	kib@
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D9206
2017-01-18 17:55:49 +00:00
hselasky
ed611621d4 Add USB audio support for S/PDIF output with C-Media CM6206 devices.
Submitted by:		Julien Nadeau <vedge@hypertriton.com>
PR:			216131
MFC after:		1 week
2017-01-17 08:15:10 +00:00
sephe
71c833bcbc alc: Add Killer E2500 support
Reviewed by:	jhb, yongari
MFC after:	1 week
Sponsored by:	Microsoft
Differential Revision:	https://reviews.freebsd.org/D9058
2017-01-16 03:03:47 +00:00
cem
b2000e56f9 "Buses" is the preferred plural of "bus"
Replace archaic "busses" with modern form "buses."

Intentionally excluded:
* Old/random drivers I didn't recognize
  * Old hardware in general
* Use of "busses" in code as identifiers

No functional change.

http://grammarist.com/spelling/buses-busses/

PR:		216099
Reported by:	bltsrc at mail.ru
Sponsored by:	Dell EMC Isilon
2017-01-15 17:54:01 +00:00
sbruno
bb80e303c9 Purge EM_MULTIQUEUE references from the man page for em(4). 2017-01-12 16:44:40 +00:00
arybchik
ce74585957 sfxge(4): add sysctl to change MAC stats update period
The sysctl controls the period per interface.

Reviewed by:    gnn
Sponsored by:   Solarflare Communications, Inc.
MFC after:      2 days
Differential Revision:  https://reviews.freebsd.org/D9153
2017-01-12 15:26:23 +00:00
arybchik
f676a0fd74 sfxge(4): add tunable to configure MAC stats update period
Reviewed by:    philip
Sponsored by:   Solarflare Communications, Inc.
MFC after:      2 days
Differential Revision:  https://reviews.freebsd.org/D9151
2017-01-12 13:00:17 +00:00
ian
cd73df196a Rework tty_drain() to poll the hardware for completion, and restore
drain timeout handling to historical freebsd behavior.

The primary reason for these changes is the need to have tty_drain() call
ttydevsw_busy() at some reasonable sub-second rate, to poll hardware that
doesn't signal an interrupt when the transmit shift register becomes empty
(which includes virtually all USB serial hardware).  Such hardware hangs
in a ttyout wait, because it never gets an opportunity to trigger a wakeup
from the sleep in tty_drain() by calling ttydisc_getc() again, after
handing the last of the buffered data to the hardware.

While researching the history of changes to tty_drain() I stumbled across
some email describing the historical BSD behavior of tcdrain() and close()
on serial ports, and the ability of comcontrol(1) to control timeout
behavior.  Using that and some advice from Bruce Evans as a guide, I've
put together these changes to implement the hardware polling and restore
the historical timeout behaviors...

 - tty_drain() now calls ttydevsw_busy() in a loop at 10 Hz to accomodate
   hardware that requires polling for busy state.

 - The "new historical" behavior for draining during close(2) is retained:
   the drain timeout is "1 second without making any progress".  When the
   1-second timeout expires, if the count of bytes remaining in the tty
   layer buffer is smaller than last time, the timeout is extended for
   another second.  Unfortunately, the same logic cannot be extended all
   the way down to the hardware, because the interface to that layer is a
   simple busy/not-busy indication.

 - Due to the previous point, an application that needs a guarantee that
   all data has been transmitted must use TIOCDRAIN/tcdrain(3) before
   calling close(2).

 - The historical behavior of honoring the drainwait setting for TIOCDRAIN
   (used by tcdrain(3)) is restored.

 - The historical kern.drainwait sysctl to control the global default
   drainwait time is restored, but is now named kern.tty_drainwait.

 - The historical default drainwait timeout of 300 seconds is restored.

 - Handling of TIOCGDRAINWAIT and TIOCSDRAINWAIT ioctls is restored
   (this also makes the comcontrol(1) drainwait verb work again).

 - Manpages are updated to document these behaviors.

Reviewed by:	bde (prior version)
2017-01-12 00:48:06 +00:00
ngie
656d99b82a Regenerate src.conf(5) after r311548
MFC after:	1 week
2017-01-06 21:14:07 +00:00
wblock
95d4425cb2 Fix src.conf(5) description of WITHOUT_USB_GADGET_EXAMPLES.
PR:		215831
Submitted by:	p5B2E9A8F@t-online.de
MFC after:	1 week
Sponsored by:	iXsystems
2017-01-06 16:43:45 +00:00
kevlo
0000b2ecb7 Add new USB device ID. 2017-01-06 14:05:31 +00:00
bjk
f915e97cac Fix typo 2017-01-03 21:11:30 +00:00
mjg
510ddab00f Add the upcoming atomic_fcmpset family to the atomic(9) man page.
These primitives give the caller the read value if the exchange attempt
failed which saves an explicit reload for cmpset loops.

The man page was partially submitted by kib.

Reviewed by:	kib (previous version), jhb (previous version)
2017-01-03 20:59:50 +00:00
ngie
59b0ab49ed Regen src.conf after recent changes to tools/build/options/... and
src.opts.mk
2017-01-02 20:14:06 +00:00
np
e646fbd053 cxgbe(4): Updates to link configuration.
- Update struct link_settings and associated shared code.

- Add tunables to control FEC and autonegotiation.  All ports inherit
  these values as their initial settings.
  hw.cxgbe.fec
  hw.cxgbe.autoneg

- Add per-port sysctls to control FEC and autonegotiation.  These can be
  modified at any time.
  dev.<port>.<n>.fec
  dev.<port>.<n>.autoneg

MFC after:	3 days
Sponsored by:	Chelsio Communications
2016-12-30 08:59:49 +00:00
avos
ab32f2f502 rum.4, run.4, runfw.4, zyd.4: do not install when MK_USB == no.
While here, add missing if_rtwn_usb.4.gz symlink into
OptionalObsoleteFiles.inc
2016-12-28 09:32:02 +00:00
jhb
6a45912ef2 Replace passive voice with active voice and other tweaks.
- Drop uses of 'will'.
- Replace 'to use' with active voice.
- Tidy language around interrupt types and clarify that INTx doesn't
  work on VFs.
- Drop leading articles from sysctl/tunable descriptions.
- Tweak the wording of several sysctl/tunable descriptions.

Submitted by:	wblock (1, 2, 4)
Sponsored by:	Chelsio Communications
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D8812
2016-12-22 18:05:22 +00:00
ken
dd133c9fc1 Turn on FC-Tape by default in the isp(4) driver.
FC-Tape provides additional link level error recovery, and is
highly recommended for tape devices.  It will only be turned on for
a given target if the target supports it.

Without this setting, we default to whatever FC-Tape setting is in
NVRAM on the card.

This can be overridden by setting the following loader tunable, for
example for isp0:

hint.isp.0.nofctape=1

sys/conf/options:
	Add a new kernel config option, ISP_FCTAPE_OFF, that
	defaults the FC-Tape configuration to off.

sys/dev/isp/isp_pci.c:
	If ISP_FCTAPE_OFF is defined, turn off FC-Tape.  Otherwise,
	turn it on if the card supports it.

share/man/man4/isp.4:
	Add a description of FC-Tape to the isp(4) man page.

	Add descriptions of the fctape and nofctape options, as well as the
	ISP_FCTAPE_OFF kernel configuration option.

	Add the ispfw module and kernel drivers to the suggested
	configurations at the top of the man page so that users are less
	likely to leave it out.  The driver works well with the included
	firmware, but may not work at all with whatever firmware the user
	has flashed on their card.

MFC after:	3 days
Sponsored by:	Spectra Logic
2016-12-20 21:17:07 +00:00
br
005320a001 Add xDMA -- the DMA abstraction layer, initial verison.
xDMA is a DMA framework designed to abstract the interaction
between device drivers and DMA engines.

Project wiki: https://wiki.freebsd.org/xdma

Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D8807
2016-12-20 18:02:07 +00:00
emaste
8cf971138f Restore missing comment in src.conf.5
I'm not sure how I managed to generate src.conf.5 without the comment;
add it manually while looking into that.

Reported by:	gjb
2016-12-19 15:05:46 +00:00
emaste
4f0567702d src.conf.5: regen after r310268 (WITH_REPRODUCIBLE_BUILD) 2016-12-19 14:54:06 +00:00
ed
2e5ad04e96 Add support for attaching aggregation labels to sysctl objects.
I'm currently working on writing a metrics exporter for the Prometheus
monitoring system to provide access to sysctl metrics. Prometheus and
sysctl have some structural differences:

- sysctl is a tree of string component names.
- Prometheus uses a flat namespace for its metrics, but allows you to
  attach labels with values to them, so that you can do aggregation.

An initial version of my exporter simply translated

    hw.acpi.thermal.tz1.temperature

to

    sysctl_hw_acpi_thermal_tz1_temperature_celcius

while we should ideally have

    sysctl_hw_acpi_thermal_temperature_celcius{thermal_zone="tz1"}

allowing you to graph all thermal zones on a system in one go.

The change presented in this commit adds support for accomplishing this,
by providing the ability to attach labels to nodes. In the example I
gave above, the label "thermal_zone" would be attached to "tz1". As this
is a feature that will only be used very rarely, I decided to not change
the KPI too aggressively.

Discussed on:	hackers@
Reviewed by:	cem
Differential Revision:	https://reviews.freebsd.org/D8775
2016-12-14 12:47:34 +00:00
avos
aaf1f842d2 rsu(4): refresh the manpage.
- Add monitor mode into the list of supported modes.
- Describe promiscuous mode limitations in CAVEATS section.

Reported by:	adrian
2016-12-10 19:14:51 +00:00
def
f63c437216 Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.

A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.

dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable.  Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.

When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore

A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.

Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.

savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.

decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.

Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.

EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.

Designed by:	def, pjd
Reviewed by:	cem, oshogbo, pjd
Partial review:	delphij, emaste, jhb, kib
Approved by:	pjd (mentor)
Differential Revision:	https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
bapt
0a2a0bf8cc Regen after 309805 2016-12-10 13:30:18 +00:00
emaste
382ab60337 src.conf.5: regen after r309142 (WITH_LLD_AS_LD knob)
Reported by:	Nikolai Lifanov
Sponsored by:	The FreeBSD Foundation
2016-12-09 19:09:58 +00:00
glebius
592e0af9a0 Provide counter_ratecheck(), a MP-friendly substitution to ppsratecheck().
When rated event happens at a very quick rate, the ppsratecheck() is not
only racy, but also becomes a performance bottleneck.

Together with:	rrs, jtl
2016-12-09 17:58:34 +00:00
jhb
a214cd24e9 Bump Dd for addition of T6.
Pointy hat to:	jhb
2016-12-06 00:05:38 +00:00
jhb
c6da7e2984 Document support for Terminator 6 adapters in cxgbe(4) and cxgbev(4).
Approved by:	np
MFC after:	3 days
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D8716
2016-12-06 00:01:53 +00:00
kevlo
81ff59d1b0 Add Edimax EW-7622UMN to the list of devices supported by rsu(4). 2016-12-05 01:46:45 +00:00
vangyzen
abbf63d36b thr_set_name(): silently truncate the given name as needed
Instead of failing with ENAMETOOLONG, which is swallowed by
pthread_set_name_np() anyway, truncate the given name to MAXCOMLEN+1
bytes.  This is more likely what the user wants, and saves the
caller from truncating it before the call (which was the only
recourse).

Polish pthread_set_name_np(3) and add a .Xr to thr_set_name(2)
so the user might find the documentation for this behavior.

Reviewed by:	jilles
MFC after:	3 days
Sponsored by:	Dell EMC
2016-12-03 01:14:21 +00:00
n_hibma
89094027b2 Fix man page:
- It should say 'read' in the I2CREAD section.
- last in the struct indicates the last command in a sequence, not the
  reverse.

Reviewed by:	imp
MFC after:	3 days
2016-12-02 11:32:11 +00:00
julian
0a67be8d9d Changes to allow the patching of packets with an offset (and other changes.. see man page)
PR:	206185
Submitted by:	Dmitry Vagin <daemon-hammer@ya.ru>
MFC after:	 1 week
Relnotes:	yes (also ng_checksum node)
2016-12-02 10:47:10 +00:00
julian
f36a106ad5 A little light wordsmithing only.
Sponsored by:	FreeBSD
2016-12-02 09:51:12 +00:00