Comparing fsid_t objects requires internal knowledge of the fsid structure
and yet this is duplicated across a number of places in the code.
Simplify by creating a fsidcmp function (macro).
Reviewed by: mjg, rmacklem
Approved by: mav (mentor)
MFC after: 1 week
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D24749
Before this change, swapon(8) implied that -F works as a standalone option,
which is not the case and would produce a usage message. This change extends
the description of the -F option to mention that -a is required with it.
PR: 238551
Submitted by: Christian Baltini
MFC after: 5 days
Examples of depecrated algorithms in manual pages and sample configs
are updated where relevant. I removed the one example of combining
ESP and AH (vs using a cipher and auth in ESP) as RFC 8221 says this
combination is NOT RECOMMENDED.
Specifically, this removes support for the following ciphers:
- des-cbc
- 3des-cbc
- blowfish-cbc
- cast128-cbc
- des-deriv
- des-32iv
- camellia-cbc
This also removes support for the following authentication algorithms:
- hmac-md5
- keyed-md5
- keyed-sha1
- hmac-ripemd160
Reviewed by: cem, gnn (older verisons)
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D24342
o Be consistent about device-id and namespace-id
o Use consistent arg markup for these
o document you can use disk names too
o document nsid command better
o document the idenntify command
o add a couple of examples.
Differential Revision: https://reviews.freebsd.org/D24638
Reported by: Hyeongseok Kim <hyeongseok kim lge com>
Reviewed by: cem, Hyeongseok Kim
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D24603
r356313 broke handling of dirty file system because we have restricted
the correction of "odd" byte sequences to checkfat(), and as a result
the dirty bit is never cleared. The old fsck_msdosfs code would write
FAT twice to fix the dirty bit, which is also not ideal.
Fix this by introducing a new rountine, cleardirty() which will perform
the set of clean bit only, and use it in checkfilesys() if we thought
the file system was dirty.
Reviewed by: cem, emaste
MFC after: 3 day
Differential Revision: https://reviews.freebsd.org/D24581
dumpon(8) has not accepted 1024-bit RSA keys since prior to r339784 (2018-10).
The manual page language was not updated at that time (oops). The minimum
accepted is 2048 bits, which is also a good default choice.
Sponsored by: Dell EMC Isilon
Preload OpenSSL ERR string data so that the formatted error messages are
vaguely meaningful. Add OpenSSL error information to the RSA_public_encrypt()
operation failure case in one-time key generation.
For obsolescent OpenSSL versions (*cough* FIPS *cough*), pre-seed the PRNG
before entering Cap mode, as old versions of OpenSSL are unaware of kernel
RNG interfaces aside from /dev/random (such as the long-supported kern.arnd, or
the slightly more recent getentropy(3) or getrandom(2)). (RSA_public_encrypt()
wants a seeded PRNG to randomize the "PS" portion of PKCS 1.5 padding or the
"MGF" pseudo-random function in OAEP padding.)
Switch dumpon to encrypt the one-time key with OAEP padding (recommended since
1998; RFC2437) rather than the obsolescent PKCS 1.5 padding (1993; RFC2313).
Switch decryptcore to attempt OAEP decryption first, and try PKCS 1.5
decryption on failure. This is intended only for transition convenience, and
we should obsolete support for non-OAEP padding in a release or two.
Reviewed by: markj
MFC After: 2 weeks
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D24534
It makes tool more convenient to not require user to explicitly convert
namespace device name into controller device name. There should be no
changes to already existing syntaxes.
MFC after: 1 week
ifa_grouplookup() uses the data loaded in ifa_load() (through is_a_group()), so
we must call ifa_load() before we can rely on any of the data it populates.
Submitted by: Nick Rogers
MFC after: 1 week
Sponsored by: RG Nets
Load the nls data before the openssl will try to do it in the
capability mode.
On my machine the sa_ossl_private_decrypt is trying to do that.
MFC after: 2 weeks
Trace the cause down to journalled soft updates recovery code in
fsck failing to recompute the check-hash after updating an inode.
As inode check-hash was first introduced to UFS in FreeBSD 13,
there is no need to MFC this commit.
Reported by: Chuck Silvers
Sponsored by: Netflix
soft update recovery code with the debugging (-d) option.
As inode check-hash was first introduced to UFS in FreeBSD 13,
there is no need to MFC this commit.
Reported by: Chuck Silvers
Sponsored by: Netflix
I recently made some bug fixes in nvmecontrol. It occurred to me that
since nvmecontrol lacks any kyua tests, I should convert the informal
testing I did into a more formal automated test. The test in this
change should be considered just a starting point; it is neither
complete nor thorough. While converting the test to ATF/kyua, I
discovered a small bug in nvmecontrol; the nvmecontrol devlist command
would always exit with an unsuccessful status. So I included the fix
for that, too, so that the test won't fail.
Reviewed by: imp@
MFC after: 3 days
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D24269
utilities so that they will compile with -fno-common.
Started by: Kyle Evans (kevans)
Reviewed by: Kyle Evans (kevans)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D24210
data-archæology project:
-u pattern
Fill unread parts of the output with pattern.
Default pattern is "_UNREAD_", empty pattern disables.
-v
Fancy status reporting using ANSI escapes and UTF-8
This fixes several Coverity-detected errors in nvmecontrol. While in
here, a couple additional errors with shift/mask confusion that were
not diagnosed by Coverity are also fixed.
CIDs addressed: 1040299, 1040300, 1403972, 1403973, 1403985, 1403988,
1403990, 1404374, 1404427, 1404469, 1404510, 1404534, 1418118
CID 1403657 (resource leak of shared library handle) was marked
"intentional" in the Coverity scan database.
Reviewed by: vangyzen, robert.herndon_dell.com
Reviewed by: daniel.william.ryan_gmail.com (earlier version)
Reviewed by: rramsden_isilon.com (earlier version), imp
MFC after: 5 days
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D24203
This one is also a small list:
- 3x duplicate definition (ufs2_zino, returntosingle, nflag)
- 5x 'needs extern', 3/5 of which are referenced in fsdb
-fno-common will become the default in GCC10/LLVM11.
MFC after: 1 week
NAT instance.
The NAT44 group of opcodes for IP_FW3 socket option is modern way
to control NAT instances and this method can be used in future to
switch from numeric to named NAT instances, like was done for ipfw
tables.
The IP_FW_NAT_DEL opcode is the last remnant of old ipfw_ctl control
plane that doesn't support versioned operations. This interface will
be retired soon.
Reviewed by: melifaro
MFC after: 10 days
Sponsored by: Yandex LLC
r343287 / D18759 introduced ifa_add_groups_to_map() which is now run by
ifa_load/ifa_lookup/host_if. When loading an anchor or ruleset via pfctl that
does NOT contain ifnames as hosts, host() still ends up iterating all
interfaces twice, grabbing SIOCGIFGROUP ioctl twice for each. This adds an
unnecessary amount of time on systems with thousands or tens of thousands of
interfaces.
Prioritize the IPv4/6 check over the interface name lookup, which skips loading
the iftab and iterating all interfaces when the configuration does not contain
interface names.
Submitted by: Nick Rogers
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D24100
aout support in ldconfig hasn't been required since FreeBSD 2.x.
Anyone still using FreeBSD 2 shared libraries can also use a FreeBSD 2
ldconfig to generate aout ldconfig hints.
Sponsored by: The FreeBSD Foundation
interfaces are configured, but for many interfaces (e.g. all Intel)
ifconfig causes link renegotiation, so the first attempt to mount
NFS always fails. After that mount_nfs sleeps for 30 seconds, while
only a couple seconds are actually required for interface to get up.
Instead of sleeping, do select(2) on routing socket and check if
some interface became UP and in this case retry immediately.
Reviewed by: rmacklem
Differential Revision: https://reviews.freebsd.org/D23934
As with gzip, let the dump device be smaller than physical memory
when using zstd and full dumps.
Also print the error message if the size check fails, even if -v
is not specified. Failing silently is not friendly.
Reviewed by: cem markj
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D23923
When every sendto() call originated by ping6(1) fails, current code always
returns 2 ("transmission was successful but no responses were received")
which is incorrect. Return EX_OSERR instead as in many cases it indicates
some kernel-level problems.
MFC after: 3 weeks
sbin/sconfig/sconfig.c:909:5: error: misleading indentation; statement is not part of the previous 'else' [-Werror,-Wmisleading-indentation]
exit (-1);
^
sbin/sconfig/sconfig.c:907:6: note: previous statement is here
} else
^
The intent was to group the exit() call with the previous fprintf()
call.
MFC after: 3 days
It was only built on sparc64. Since it wasn't a general tool on other
architectures, no need to keep it around for another release.
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D23524
Specifically, when running /etc/rc. This allows one to specify via
login.conf(5) an environment that should be used when running services to
ease, e.g., setting up env vars for an HTTP proxy consistently across cron
and services alike.
Future changes will extend cron(8)/service(8) to use environment vars
pecified in login.conf(5) as well to promote a more cohesive experience.
This is a part of D21481.
Submitted by: Andrew Gierth <andrew_tao173.riddles.org.uk>