Small summary
-------------
o Almost all IPsec releated code was moved into sys/netipsec.
o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel
option IPSEC_SUPPORT added. It enables support for loading
and unloading of ipsec.ko and tcpmd5.ko kernel modules.
o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by
default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type
support was removed. Added TCP/UDP checksum handling for
inbound packets that were decapsulated by transport mode SAs.
setkey(8) modified to show run-time NAT-T configuration of SA.
o New network pseudo interface if_ipsec(4) added. For now it is
build as part of ipsec.ko module (or with IPSEC kernel).
It implements IPsec virtual tunnels to create route-based VPNs.
o The network stack now invokes IPsec functions using special
methods. The only one header file <netipsec/ipsec_support.h>
should be included to declare all the needed things to work
with IPsec.
o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed.
Now these protocols are handled directly via IPsec methods.
o TCP_SIGNATURE support was reworked to be more close to RFC.
o PF_KEY SADB was reworked:
- now all security associations stored in the single SPI namespace,
and all SAs MUST have unique SPI.
- several hash tables added to speed up lookups in SADB.
- SADB now uses rmlock to protect access, and concurrent threads
can do SA lookups in the same time.
- many PF_KEY message handlers were reworked to reflect changes
in SADB.
- SADB_UPDATE message was extended to support new PF_KEY headers:
SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They
can be used by IKE daemon to change SA addresses.
o ipsecrequest and secpolicy structures were cardinally changed to
avoid locking protection for ipsecrequest. Now we support
only limited number (4) of bundled SAs, but they are supported
for both INET and INET6.
o INPCB security policy cache was introduced. Each PCB now caches
used security policies to avoid SP lookup for each packet.
o For inbound security policies added the mode, when the kernel does
check for full history of applied IPsec transforms.
o References counting rules for security policies and security
associations were changed. The proper SA locking added into xform
code.
o xform code was also changed. Now it is possible to unregister xforms.
tdb_xxx structures were changed and renamed to reflect changes in
SADB/SPDB, and changed rules for locking and refcounting.
Reviewed by: gnn, wblock
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9352
The use of DES for anything is discouraged, especially with a static IV of 0
If you still need bdes(1) to decrypt Kirk's video lectures, see
security/bdes in ports.
This commit brought to you by the FOSDEM DevSummit and the
"remove unneeded dependancies on openssl in base" working group
Reviewed by: bapt, brnrd
Relnotes: yes
Sponsored by: FOSDEM DevSummit
Differential Revision: https://reviews.freebsd.org/D9424
Use S_ISREG instead of manual & (also it's better to compare the
result from & and the pattern instead of just assuming it's one bit
value).
Pointed out by Tianjie Mao <tjmao tjmao com>.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D4827
Worker threads now use a pthread_cond_t to wait for work instead of
burning the cpu up.
Obtained from: DragonflyBSD (07774aea0ccf64a48fcfad8899e3bf7c8f18277a)
MFC after: 2 weeks
Note that mandoc does not use anymore sqlite3 but a home made database format
An important improvement has been made as well in makewhatis performance:
Tests on my laptop shows makewhatis on the entire system goes from 26s to 12s
result from & and the pattern instead of just assuming it's one bit
value).
Pointed out by Tianjie Mao <tjmao tjmao com>.
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D4827
Avoid "unused variable 'i'" warnings in generated .c files by only
emitting the "int i;" for non-opaque arrays. Opaque arrays use
xdr_opaque() rather than iterating over the array.
Obtained from: OpenBSD (CVS rev 1.28)
MFC after: 1 week
when fortune and other games moved from /usr/games to /usr/bin; I am
removing rather than correcting it since we normally do not mention in
the FILES section the paths to programs in /usr/bin/.
PR: 215962
Reported by: Andras Farkas
* Rewrite r_buf to use standard tail queues instead of a hand-rolled
circular linked list. Free dynamic allocations when done.
* Remove an optimization for the case where the file is a multiple of 128KB
in size and there is a scarcity of memory.
* Add ATF tests for "tail -r" and its variants.
Reported by: Valgrind
Reviewed by: ngie
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D9067
Instead of collecting statistics for each combination of ports and logical
units, that consumed ~45KB per LU with present number of ports, collect
separate statistics for every port and every logical unit separately, that
consume only 176 bytes per each single LU/port. This reduces struct
ctl_lun size down to just 6KB.
Also new IOCTL API/ABI does not hardcode number of LUs/ports, and should
allow handling of very large quantities.
MFC after: 2 weeks (probably keeping old API enabled for some time)
Load kvm symbols earlier to prevent rstat: symbol not in namelist
error when running netstat -rs.
Submitted by: Sebastian Huber <sebastian.huber@embedded-brains.de>
MFC after: 1 week
Sponsored by: Multiplay
invoked as llvm-ranlib, it can create an archive symbol table for
archives of objects compiled for LTO by an LLVM compiler.
Submitted by: Dan McGregor <danismostlikely@gmail.com>
MFC after: 3 days
Expand inet6name() line buffer to NI_MAXHOST and use strlcpy/snprintf
in various places.
Reported by: Anton Yuzhaninov <citrin citrin ru>
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D8916
It's been dead ever since it was imported from TI-RPC in 1995. The dead
code is still present in Illumos today, but was removed from NetBSD in 2006.
Reported by: Coverity
CID: 270097
Obtained from: NetBSD
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
It's always been dead, ever since first import in 1994. It's still dead in
OpenBSD's version, too.
Reported by: Coverity
CID: 270586
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
party software, this provides more standarized import workflow and
makes future upgrades easier.
The following files are new with this commit:
zconf.h.in
zlib.map
zlib.pc.in
They are not connected to build, but were kept in tree for reference
for future maintenance.
All our local trivial changes were applied to contrib/zlib, and the
contrib/zlib vendor source code is intended to 100% match lib/libz
before this commit.
MFC after: 2 weeks
As a followup to r310638, update libsysdecode (and kdump) to decode the
'mode' argument to getfsstat(). sysdecode_getfsstat_flags() has been
renamed to sysdecode_getfsstat_mode() and now treats the argument as an
enumerated value rather than a mask of flags.
