Commit Graph

8196 Commits

Author SHA1 Message Date
ak
937417c103 Remove last remnants of acd(4), mcd(4), and scd(4) drivers.
Approved by:	jhb
2016-08-25 19:36:58 +00:00
mav
cfd6778db0 Fix minor copy/paste bug.
Submitted by:	Dmitry Luhtionov <dmitryluhtionov@gmail.com>
MFC after:	1 week
2016-08-24 15:13:42 +00:00
badger
74fd002fd4 Fix missing substitution of @SBINDIR@ in resolvconf scripts
Certain features, such as resolv_conf_passthrough=NULL, do not work
correctly due to this missing substitution.

Also remove the @PREFIX@ substitution, which is no longer needed.

Reviewed by:	pfg
Approved by:	vangyzen (mentor)
MFC after:	1 week
Sponsored by:	Dell Inc.
Differential Revision:	https://reviews.freebsd.org/D7572
2016-08-23 02:06:20 +00:00
bz
55cbdc7ad3 Remove the kernel optoion for IPSEC_FILTERTUNNEL, which was deprecated
more than 7 years ago in favour of a sysctl in r192648.
2016-08-21 18:55:30 +00:00
mckusick
0a6411edec Fsck_ufs was using an int rather than a ufs2_daddr_t to store the
alternate superblock location when given in the -b option. When int
is 32-bits, block numbers larger than 2^32 would get truncated. This
commit changes the storage fpr the alternate superblock location
to a ufs2_daddr_t.

Submitted by: Dmitry Sivachenko <trtrmitya@gmail.com>
2016-08-19 00:03:41 +00:00
ae
fe7e60ec8a Add an ability to attach comment to check-state rules.
MFC after:	1 week
2016-08-14 18:34:16 +00:00
ae
de0a5f6a76 Do not warn about ambiguous state name when we inspect a comment token.
Reported by:	lev
2016-08-14 18:05:41 +00:00
ae
c20dcf312d Make statistics nat64lsn, nat64stl an nptv6 output netstat-like:
"@value @description" and fix build due to -Wformat errors.
2016-08-14 13:17:55 +00:00
ae
fbd6330956 Add stats reset command implementation to NPTv6 module
to be able reset statistics counters.

Obtained from:	Yandex LLC
Sponsored by:	Yandex LLC
2016-08-13 16:45:14 +00:00
ae
8c03d2551f Add ipfw_nat64 module that implements stateless and stateful NAT64.
The module works together with ipfw(4) and implemented as its external
action module.

Stateless NAT64 registers external action with name nat64stl. This
keyword should be used to create NAT64 instance and to address this
instance in rules. Stateless NAT64 uses two lookup tables with mapped
IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.

A configuration of instance should looks like this:
 1. Create lookup tables:
 # ipfw table T46 create type addr valtype ipv6
 # ipfw table T64 create type addr valtype ipv4
 2. Fill T46 and T64 tables.
 3. Add rule to allow neighbor solicitation and advertisement:
 # ipfw add allow icmp6 from any to any icmp6types 135,136
 4. Create NAT64 instance:
 # ipfw nat64stl NAT create table4 T46 table6 T64
 5. Add rules that matches the traffic:
 # ipfw add nat64stl NAT ip from any to table(T46)
 # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
 6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
    via NAT64 host.

Stateful NAT64 registers external action with name nat64lsn. The only
one option required to create nat64lsn instance - prefix4. It defines
the pool of IPv4 addresses used for translation.

A configuration of instance should looks like this:
 1. Add rule to allow neighbor solicitation and advertisement:
 # ipfw add allow icmp6 from any to any icmp6types 135,136
 2. Create NAT64 instance:
 # ipfw nat64lsn NAT create prefix4 A.B.C.D/28
 3. Add rules that matches the traffic:
 # ipfw add nat64lsn NAT ip from any to A.B.C.D/28
 # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
 4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
    via NAT64 host.

Obtained from:	Yandex LLC
Relnotes:	yes
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D6434
2016-08-13 16:09:49 +00:00
ae
4500e11f0a Restore "nat global" support.
Now zero value of arg1 used to specify "tablearg", use the old "tablearg"
value for "nat global". Introduce new macro IP_FW_NAT44_GLOBAL to replace
hardcoded magic number to specify "nat global". Also replace 65535 magic
number with corresponding macro. Fix typo in comments.

PR:		211256
Tested by:	Victor Chernov
MFC after:	3 days
2016-08-11 10:10:10 +00:00
ae
c6aaca92fc Fix formatting of setfib opcode.
Zero fib is correct value and it conflicts with IP_FW_TARG.
Use bprint_uint_arg() only when opcode contains IP_FW_TARG,
otherwise just print numeric value with cleared high-order bit.

MFC after:	3 days
2016-08-08 18:30:50 +00:00
ae
357073584e Fix constructing of setdscp opcode with tablearg keyword.
setdscp's argument can have zero value that conflicts with IP_FW_TARG value.
Always set high-order bit if parser doesn't find tablearg keyword.

MFC after:	3 days
2016-08-08 18:10:30 +00:00
loos
e8dc3f01c2 Fix a regression in pf.conf while parsing the 'interval' keyword.
The bug was introduced by r287009.

PR:		210924
Submitted by:	kp@
Sponsored by:	Rubicon Communications (Netgate)
Pointy hat to:	loos
2016-08-05 02:19:03 +00:00
kp
86090567a8 pfctl: Make most global variables static.
This will make it easier to link as a library.

Submitted by:	Christian Mauderer <christian.mauderer@embedded-brains.de>
2016-08-04 19:24:44 +00:00
kp
7f74bdcca7 pfctl: Add missing __FBSDID to pfctl_osfp.c 2016-08-04 19:24:05 +00:00
adrian
d99e1922b9 [etherswitch] add LED API to the documentation and command line tool.
Submitted by:	Dan Nelson <dnelson_1901@yahoo.com>
2016-08-04 17:46:07 +00:00
oshogbo
3f9009779b Fix misleading description of the -b option in the geli init command.
Reviewed by:		bjk, wblock
Differential Revision:	https://reviews.freebsd.org/D7226
Discussed with:		AllanJude
2016-08-03 18:02:10 +00:00
kp
119d258974 pfctl: Use const where possible.
This adds const qualifiers where it is possible.

Submitted by:	Christian Mauderer <christian.mauderer@embedded-brains.de>
2016-08-02 20:32:02 +00:00
kp
7999df886d pfctl: Match prototype of pfctl_load_hostid.
The prototype and the implementation of the pfctl_load_hostid used a
different data type for one of the parameters.

Submitted by:	Christian Mauderer <christian.mauderer@embedded-brains.de>
2016-08-02 19:54:40 +00:00
kp
f9eb7c538a pfctl: Allow TOS bits to be cleared
TOS value 0 is valid, so use 256 as an invalid value rather than zero.
This allows users to enforce TOS == 0 with pf.

Reported by:	Radek Krejča <radek.krejca@starnet.cz>
2016-08-02 15:41:42 +00:00
ae
24f451b374 An old tables implementation had all tables preallocated,
so when user did `ipfw table N flush` it always worked, but now
when table N doesn't exist the kernel returns ESRCH error.
This isn't fatal error for flush and destroy commands. Do not
call err(3) when errno is equal to ESRCH. Also warn only when
quiet mode isn't enabled. This fixes a regression in behavior,
when old rules are loaded from file.
Also use correct value for switch in the table_swap().

Reported by:	Kevin Oberman
MFC after:	3 days
2016-08-01 13:38:48 +00:00
pfg
fcca45d6df resolvconf(8) now needs an additional @RESTARTCMD@ replacement when installing.
After r303062, which brought openresolv 3.8.1, we need to replace an
additional @RESTARTCMD@ in resolvconf.
Apply a read fix this time.

Submitted by:	Guy Yur
X-MFC with:	r303062
2016-07-31 18:14:42 +00:00
pfg
27f5d114c1 resolvconf(8) now needs an additional @RESTARTCMD@ replacement when installing.
After r303062, which brought openresolv 3.8.1, we need to replace an
additional @RESTARTCMD@ in resolvconf.

Reported by:	Guy Yur
X-MFC with:	r303062
2016-07-31 02:54:27 +00:00
araujo
b81bbb0799 Use nitems() from sys/param.h.
Sponsored by:	gandi.net (BSD Day Taiwan)
2016-07-30 06:19:34 +00:00
ae
76a39ff8dc Due to dropped mbuf in netisr queue route(8) can fall into infinity
loop of reading the rtsock's feed. When it used by some scripts,
this leads to growing number of not finished route(8) instances and
thus growing number of rtsock consumers. Add SIGALRM handler to prevent this.

Reviewed by:	melifaro
Obtained from:	Yandex LLC
MFC after:	2 weeks
Sponsored by:	Yandex LLC
2016-07-27 08:26:34 +00:00
des
fb5bb38272 Rewrite the GPT and MBR examples. For GPT, ensure that the boot partition
is large enough for gptzfsboot, which has doubled in size since 10.

PR:		211361
MFC after:	3 days
2016-07-25 11:25:33 +00:00
ae
e679279326 Add named dynamic states support to ipfw(4).
The keep-state, limit and check-state now will have additional argument
flowname. This flowname will be assigned to dynamic rule by keep-state
or limit opcode. And then can be matched by check-state opcode or
O_PROBE_STATE internal opcode. To reduce possible breakage and to maximize
compatibility with old rulesets default flowname introduced.
It will be assigned to the rules when user has omitted state name in
keep-state and check-state opcodes. Also if name is ambiguous (can be
evaluated as rule opcode) it will be replaced to default.

Reviewed by:	julian
Obtained from:	Yandex LLC
MFC after:	1 month
Relnotes:	yes
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D6674
2016-07-19 04:56:59 +00:00
ae
2c47439b3f Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6
as defined in RFC 6296. The module works together with ipfw(4) and
implemented as its external action module. When it is loaded, it registers
as eaction and can be used in rules. The usage pattern is similar to
ipfw_nat(4). All matched by rule traffic goes to the NPT module.

Reviewed by:	hrs
Obtained from:	Yandex LLC
MFC after:	1 month
Relnotes:	yes
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D6420
2016-07-18 19:46:31 +00:00
cy
7caf2cf8de r302561 broke buildworld. This patch fixes that.
MFC after:	3 days
X-MFC with:	r302561
2016-07-11 13:41:40 +00:00
ae
92de0ba37b Flush buffer after output. This fixes adding new data to already
printed flows.

PR:		210882
MFC after:	3 days
2016-07-11 12:44:58 +00:00
trasz
aea1562f16 Add new unmount(2) flag, MNT_NONBUSY, to check whether there are
any open vnodes before proceeding. Make autounmound(8) use this flag.
Without it, even an unsuccessfull unmount causes filesystem flush,
which interferes with normal operation.

Reviewed by:	kib@
Approved by:	re (gjb@)
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D7047
2016-07-07 09:03:57 +00:00
araujo
448dc2b255 Fix a regression introduced on revision r271909, when using argument -g
or several hops we have segmentation fault because we overwrite the same
structure to store information for host and gateway.

Submitted by:	Maryse Levavasseur <maryse.levavasseur@stormshield.eu>
Reworked by:	hrs
Approved by:	re (hrs)
Differential Revision:	https://reviews.freebsd.org/D6980
2016-07-05 07:01:42 +00:00
ae
fbde243b6c Hide warning about non-existent lookup tables and informational messages
about modified table entry when quied mode enabled.

Approved by:	re (hrs)
Obtained from:	Yandex LLC
2016-07-02 11:54:20 +00:00
phk
8c8129e2bd Do not coredump if the packet is too long in the global (non-interface
associated) instance.

The result is that the packet is dropped without an indication
that smaller MTU is advisable, which is not optimal, but better
than a NULL pointer deref.

Approved by:	re (glebius)
2016-06-28 20:10:30 +00:00
asomers
b5c3fb9427 Fix "sysctl vm.vmtotal" output on machines with > 2TB virtual memory
sbin/sysctl/sysctl.c
	Fix integer overflows in printf format strings

PR:		199673
Submitted by:	Vitaly Magerya
Reviewed by:	cem
Approved by:	re (marius)
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D6941
2016-06-24 14:58:37 +00:00
kp
b06d3a64e7 pf: Filter on and set vlan PCP values
Adopt the OpenBSD syntax for setting and filtering on VLAN PCP values. This
introduces two new keywords: 'set prio' to set the PCP value, and 'prio' to
filter on it.

Reviewed by:    allanjude, araujo
Approved by:	re (gjb)
Obtained from:  OpenBSD (mostly)
Differential Revision:  https://reviews.freebsd.org/D6786
2016-06-17 18:21:55 +00:00
avos
9c33c8f38a ifconfig: fix wlan creation when unit number is not provided
(was broken after r300738).

Reported by:	Yoshihiro Ota <ota@j.email.ne.jp>, adrian
Tested by:	Yoshihiro Ota <ota@j.email.ne.jp>
2016-06-08 17:21:15 +00:00
araujo
910fd3b83d Bump date on ifconfig(8) and vlan(4) to reflect the changes made
on revision r301496.
2016-06-08 04:18:57 +00:00
araujo
af4ff984e7 Add support to priority code point (PCP) that is an 3-bit field
which refers to IEEE 802.1p class of service and maps to the frame
priority level.

Values in order of priority are: 1 (Background (lowest)),
0 (Best effort (default)), 2 (Excellent effort),
3 (Critical applications), 4 (Video, < 100ms latency),
5 (Video, < 10ms latency), 6 (Internetwork control) and
7 (Network control (highest)).

Example of usage:
root# ifconfig em0.1 create
root# ifconfig em0.1 vlanpcp 3

Note:
The review D801 includes the pf(4) part, but as discussed with kristof,
we won't commit the pf(4) bits for now.
The credits of the original code is from rwatson.

Differential Revision:	https://reviews.freebsd.org/D801
Reviewed by:	gnn, adrian, loos
Discussed with: rwatson, glebius, kristof
Tested by:	many including Matthew Grooms <mgrooms__shrew.net>
Obtained from:	pfSense
Relnotes:	Yes
2016-06-06 09:51:58 +00:00
pfg
bd6fcb16e5 dhclient(1): correct obvious mismatch in get_char().
Correct switch between current and previous line buffers when
encountering a carriage return in the input.

CID:		1305719
Obtained from:	OpenBSD (CVS rev. 1.30)
MFC after:	3 days
2016-06-03 03:40:39 +00:00
allanjude
8e48e06278 Address feedback from hrs@ re: r301059 (ifconfig subnet mask)
- Use NI_MAXHOST to size buffers for getnameinfo()
- remove non-standard 'full' inet6 address printing
- remove 'no scope' option
- use strchr(3) to optimize replacing separator character in lladdrs

Reviewed by:	gnn, jhb
Differential Revision:	https://reviews.freebsd.org/D2856
2016-06-02 03:16:02 +00:00
truckman
debdc06d9e Belatedly bump .Dd date for Dummynet AQM import in r300779. 2016-06-02 00:42:15 +00:00
allanjude
700d26896c ifconfig(8) now supports some output formatting options
specified by the -f flag or IFCONFIG_FORMAT environment variable, the user
can request that inet4 subnet masks be printed in CIDR or dotted-quad
notation, in addition to the traditional hex output.
inet6 prefixes can be printed in CIDR as well.

For more documentation see the ifconfig(8) man page.

PR:		169072
Requested by:	seanc, marcel, brd, many others
Reviewed by:	gnn, jhb (earlier version)
Relnotes:	yes
Sponsored by:	ScaleEngine Inc.
Differential Revision:	https://reviews.freebsd.org/D2856
2016-05-31 17:30:08 +00:00
ed
12cc424125 Stop using the non-standard basename_r() function.
This change makes the code use the POSIX basename() function. It has the
advantage that (if implemented correctly), it also imposes no restrict
on the pathname length.

Notice that I haven't added any error handling to the strdup() call. It
looks like none of the other calls to strdup() and malloc() performed by
this utility do it either.

Reviewed by:	hrs
Differential Revision:	https://reviews.freebsd.org/D6626
2016-05-31 06:45:19 +00:00
allanjude
b7cdaf3621 Add Documentation for missing ifconfig(8) flags
autoconf / -autoconf
deprecated / -deprecated
pltime
vltime

PR:		209822
Submitted by:	Sevan Janiyan <venture37@geeklan.co.uk>
MFC after:	2 weeks
2016-05-29 03:44:37 +00:00
allanjude
6d6e6f6722 Import the skein hashing algorithm, based on the threefish block cipher
Connect it to userland (libmd, libcrypt, sbin/md5) and kernel (crypto.ko)

Support for skein as a ZFS checksum algorithm was introduced in r289422
but is disconnected because FreeBSD lacked a Skein implementation.

A further commit will enable it in ZFS.

Reviewed by:	cem
Sponsored by:	ScaleEngine Inc.
Differential Revision:	https://reviews.freebsd.org/D6166
2016-05-29 01:15:36 +00:00
allanjude
4581e38971 Implement SHA-512 truncated (224 and 256 bits)
This implements SHA-512/256, which generates a 256 bit hash by
calculating the SHA-512 then truncating the result. A different initial
value is used, making the result different from the first 256 bits of
the SHA-512 of the same input. SHA-512 is ~50% faster than SHA-256 on
64bit platforms, so the result is a faster 256 bit hash.

The main goal of this implementation is to enable support for this
faster hashing algorithm in ZFS. The feature was introduced into ZFS
in r289422, but is disconnected because SHA-512/256 support was missing.
A further commit will enable it in ZFS.

This is the follow on to r292782

Reviewed by:	cem
Sponsored by:	ScaleEngine Inc.
Differential Revision:	https://reviews.freebsd.org/D6061
2016-05-28 16:06:07 +00:00
truckman
2a78edb668 Import Dummynet AQM version 0.2.1 (CoDel, FQ-CoDel, PIE and FQ-PIE).
Centre for Advanced Internet Architectures

Implementing AQM in FreeBSD

* Overview <http://caia.swin.edu.au/freebsd/aqm/index.html>

* Articles, Papers and Presentations
  <http://caia.swin.edu.au/freebsd/aqm/papers.html>

* Patches and Tools <http://caia.swin.edu.au/freebsd/aqm/downloads.html>

Overview

Recent years have seen a resurgence of interest in better managing
the depth of bottleneck queues in routers, switches and other places
that get congested. Solutions include transport protocol enhancements
at the end-hosts (such as delay-based or hybrid congestion control
schemes) and active queue management (AQM) schemes applied within
bottleneck queues.

The notion of AQM has been around since at least the late 1990s
(e.g. RFC 2309). In recent years the proliferation of oversized
buffers in all sorts of network devices (aka bufferbloat) has
stimulated keen community interest in four new AQM schemes -- CoDel,
FQ-CoDel, PIE and FQ-PIE.

The IETF AQM working group is looking to document these schemes,
and independent implementations are a corner-stone of the IETF's
process for confirming the clarity of publicly available protocol
descriptions. While significant development work on all three schemes
has occured in the Linux kernel, there is very little in FreeBSD.

Project Goals

This project began in late 2015, and aims to design and implement
functionally-correct versions of CoDel, FQ-CoDel, PIE and FQ_PIE
in FreeBSD (with code BSD-licensed as much as practical). We have
chosen to do this as extensions to FreeBSD's ipfw/dummynet firewall
and traffic shaper. Implementation of these AQM schemes in FreeBSD
will:
* Demonstrate whether the publicly available documentation is
  sufficient to enable independent, functionally equivalent implementations

* Provide a broader suite of AQM options for sections the networking
  community that rely on FreeBSD platforms

Program Members:

* Rasool Al Saadi (developer)

* Grenville Armitage (project lead)

Acknowledgements:

This project has been made possible in part by a gift from the
Comcast Innovation Fund.

Submitted by:	Rasool Al-Saadi <ralsaadi@swin.edu.au>
X-No objection:	core
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D6388
2016-05-26 21:40:13 +00:00
avos
7b68b2abeb ifconfig: set by default FCC regulatory domain for wireless interfaces.
Change default regulatory domain from DEBUG (no limitations;
exposes all device channels) to FCC; as a result, newly created wireless
interface with default settings will have less chances to violate
country-specific regulations.

This change will not affect drivers with pre-initialized regdomain
structure (currentry ath(4) and mwl(4)); in that case, the default
channel list must correspond to the default regdomain / country setting.

You can switch to another regdomain / country via corresponding
ifconfig(8) options; the driver must implement ic_getradiocaps()
method to restore full channel list.

Full country / regdomain list may be obtained via
'ifconfig <iface> list countries' command.

Example: change country to Germany:
ifconfig wlan0 down	# all wlans on the device must be down
ifconfig wlan0 country DE
ifconfig wlan0 up
# wpa_supplicant(8), dhclient(8) etc

At the creation time:
ifconfig wlan0 create wlandev wpi0 country DE

To make changes permanent add the following line to the rc.conf(5):
create_args_wlan0="country DE"

Tested with
 - Intel 3945BG (wpi(4)).
 - WUSB54GC (rum(4)).

Reviewed by:	adrian
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D6228
2016-05-26 13:14:08 +00:00