diff options
89 files changed, 3341 insertions, 217 deletions
diff --git a/contrib/tcpdump/netdissect.h b/contrib/tcpdump/netdissect.h index 0cd7c12..ea2920f 100644 --- a/contrib/tcpdump/netdissect.h +++ b/contrib/tcpdump/netdissect.h @@ -577,6 +577,7 @@ extern void smtp_print(netdissect_options *, const u_char *, u_int); extern void geneve_print(netdissect_options *, const u_char *, u_int); extern void pfsync_ip_print(netdissect_options *, const u_char *, u_int); +extern u_int pfsync_if_print(netdissect_options *, const struct pcap_pkthdr *, const u_char *); /* stuff that has not yet been rototiled */ diff --git a/contrib/tcpdump/print-pfsync.c b/contrib/tcpdump/print-pfsync.c index eb9aed8..67d29cf 100644 --- a/contrib/tcpdump/print-pfsync.c +++ b/contrib/tcpdump/print-pfsync.c @@ -54,21 +54,20 @@ static void print_src_dst(netdissect_options *, const struct pfsync_state_peer *, uint8_t); static void print_state(netdissect_options *, struct pfsync_state *); -#ifdef notyet -void -pfsync_if_print(u_char *user, const struct pcap_pkthdr *h, +u_int +pfsync_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, register const u_char *p) { u_int caplen = h->caplen; - ts_print(&h->ts); + ts_print(ndo, &h->ts); if (caplen < PFSYNC_HDRLEN) { ND_PRINT((ndo, "[|pfsync]")); goto out; } - pfsync_print((struct pfsync_header *)p, + pfsync_print(ndo, (struct pfsync_header *)p, p + sizeof(struct pfsync_header), caplen - sizeof(struct pfsync_header)); out: @@ -76,8 +75,8 @@ out: default_print((const u_char *)p, caplen); } safeputchar(ndo, '\n'); + return (caplen); } -#endif /* notyet */ void pfsync_ip_print(netdissect_options *ndo , const u_char *bp, u_int len) diff --git a/contrib/tcpdump/tcpdump.c b/contrib/tcpdump/tcpdump.c index 2bec0b8..0939896 100644 --- a/contrib/tcpdump/tcpdump.c +++ b/contrib/tcpdump/tcpdump.c @@ -305,6 +305,9 @@ static const struct ndo_printer ndo_printers[] = { #ifdef DLT_LINUX_SLL { sll_if_print, DLT_LINUX_SLL }, #endif +#if defined(DLT_PFSYNC) && defined(HAVE_NET_PFVAR_H) + { pfsync_if_print, DLT_PFSYNC}, +#endif #ifdef DLT_FR { fr_if_print, DLT_FR }, #endif diff --git a/contrib/wpa/src/l2_packet/l2_packet_freebsd.c b/contrib/wpa/src/l2_packet/l2_packet_freebsd.c index aa83648..23a4155 100644 --- a/contrib/wpa/src/l2_packet/l2_packet_freebsd.c +++ b/contrib/wpa/src/l2_packet/l2_packet_freebsd.c @@ -208,6 +208,7 @@ static int eth_get(const char *device, u8 ea[ETH_ALEN]) (ifm->ifm_addrs & RTA_IFP) == 0) continue; if (sdl->sdl_family != AF_LINK || sdl->sdl_nlen == 0 || + (strlen(device) != sdl->sdl_nlen) || os_memcmp(sdl->sdl_data, device, sdl->sdl_nlen) != 0) continue; os_memcpy(ea, LLADDR(sdl), sdl->sdl_alen); diff --git a/etc/crontab b/etc/crontab index e1e6e88..2264691 100644 --- a/etc/crontab +++ b/etc/crontab @@ -7,19 +7,19 @@ PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin # #minute hour mday month wday who command # -*/5 * * * * root /usr/libexec/atrun +#*/5 * * * * root /usr/libexec/atrun # # Save some entropy so that /dev/random can re-seed on boot. -*/11 * * * * operator /usr/libexec/save-entropy +#*/11 * * * * operator /usr/libexec/save-entropy # # Rotate log files every hour, if necessary. -0 * * * * root newsyslog +#0 * * * * root newsyslog # # Perform daily/weekly/monthly maintenance. -1 3 * * * root periodic daily -15 4 * * 6 root periodic weekly -30 5 1 * * root periodic monthly +#1 3 * * * root periodic daily +#15 4 * * 6 root periodic weekly +#30 5 1 * * root periodic monthly # # Adjust the time zone if the CMOS clock keeps local time, as opposed to # UTC time. See adjkerntz(8) for details. -1,31 0-5 * * * root adjkerntz -a +#1,31 0-5 * * * root adjkerntz -a diff --git a/etc/gettytab b/etc/gettytab index 2dbd1f7..14a0a60 100644 --- a/etc/gettytab +++ b/etc/gettytab @@ -237,3 +237,7 @@ al.Pc:\ :np:nc:sp#115200: 3wire.230400|230400-3wire:\ :np:nc:sp#230400: + +# autologin for 3wire serial terminals. +al.3wire:\ + :al=root:tc=3wire diff --git a/etc/pam.d/passwd b/etc/pam.d/passwd index e655083..fb768cf 100644 --- a/etc/pam.d/passwd +++ b/etc/pam.d/passwd @@ -8,4 +8,4 @@ # password #password requisite pam_passwdqc.so enforce=users -password required pam_unix.so no_warn try_first_pass nullok +password required pam_unix.so no_warn try_first_pass diff --git a/etc/pam.d/system b/etc/pam.d/system index b8b7101..faf006b 100644 --- a/etc/pam.d/system +++ b/etc/pam.d/system @@ -9,7 +9,7 @@ auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass nullok +auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so @@ -28,6 +28,12 @@ # $FreeBSD$ # +# Call pfSense version of this script when it's available +if [ -f /etc/pfSense-rc ]; then + . /etc/pfSense-rc + exit 0 +fi + # System startup script run by init on autoboot # or after single-user. # Output and error are redirected to console by init, diff --git a/etc/rc.shutdown b/etc/rc.shutdown index 15779c7..8105f76 100644 --- a/etc/rc.shutdown +++ b/etc/rc.shutdown @@ -27,6 +27,12 @@ # $FreeBSD$ # +# Call pfSense version of this script when it's available +if [ -f /etc/pfSense-rc.shutdown ]; then + . /etc/pfSense-rc.shutdown + exit 0 +fi + # Site-specific closing actions for daemons run by init on shutdown, # or before going single-user from multi-user. # Output and errors are directed to console by init, and the diff --git a/release/conf/pfSense_make.conf b/release/conf/pfSense_make.conf new file mode 100644 index 0000000..41a3db4 --- /dev/null +++ b/release/conf/pfSense_make.conf @@ -0,0 +1,7 @@ +#HOSTAPD_CFLAGS+=-DEAP_PAX -DEAP_SAKE -DCONFIG_RSN_PREAUTH -DCONFIG_IEEE80211N +#HOSTAPD_CFLAGS+=-DEAP_SERVER -DEAP_GTC -DEAP_AKA -DEAP_SIM -DEAP_GPSK +#WPA_SUPPLICANT_CFLAGS+=-DCONFIG_IEEE80211N + +# Default serial console speed +BOOT_COMCONSOLE_SPEED=115200 +BOOT_BOOT0_COMCONSOLE_SPEED=0 diff --git a/release/conf/pfSense_src-env.conf b/release/conf/pfSense_src-env.conf new file mode 100644 index 0000000..90c70e7 --- /dev/null +++ b/release/conf/pfSense_src-env.conf @@ -0,0 +1,2 @@ +WITH_META_MODE=YES +WITHOUT_SYSTEM_COMPILER=YES diff --git a/release/conf/pfSense_src.conf b/release/conf/pfSense_src.conf new file mode 100644 index 0000000..8288105 --- /dev/null +++ b/release/conf/pfSense_src.conf @@ -0,0 +1,50 @@ +WITHOUT_AMD=YES +WITHOUT_ASSERT_DEBUG=YES +WITHOUT_ATM=YES +WITHOUT_AUDIT=YES +WITHOUT_AUTHPF=YES +WITHOUT_BLACKLIST=YES +WITHOUT_BLUETOOTH=YES +WITHOUT_CALENDAR=YES +WITHOUT_CAPSICUM=YES +WITHOUT_CASPER=YES +WITHOUT_CCD=YES +WITHOUT_CTM=YES +WITHOUT_CUSE=YES +WITHOUT_DICT=YES +WITHOUT_EXAMPLES=YES +WITHOUT_FINGER=YES +WITHOUT_FLOPPY=YES +WITHOUT_FREEBSD_UPDATE=YES +WITHOUT_GAMES=YES +WITHOUT_GCOV=YES +WITHOUT_GROFF=YES +WITHOUT_HAST=YES +WITHOUT_HTML=YES +WITHOUT_INETD=YES +WITHOUT_IPFILTER=YES +WITHOUT_JAIL=YES +WITHOUT_LIB32=YES +WITHOUT_LOCALES=YES +WITHOUT_LOCATE=YES +WITHOUT_LPR=YES +WITHOUT_MAIL=YES +WITHOUT_MAN=YES +WITHOUT_NIS=YES +WITHOUT_NLS=YES +WITHOUT_NLS_CATALOGS=YES +WITHOUT_NS_CACHING=YES +WITHOUT_NTP=YES +WITHOUT_PC_SYSINSTALL=yes +WITHOUT_PORTSNAP=yes +WITHOUT_PROFILE=YES +WITHOUT_QUOTAS=YES +WITHOUT_RCMDS=YES +WITHOUT_RCS=YES +WITHOUT_SETUID_LOGIN=YES +WITHOUT_SHAREDOCS=YES +WITHOUT_SVNLITE=YES +WITHOUT_TALK=YES +WITHOUT_TESTS=yes +WITHOUT_TOOLCHAIN=YES +WITHOUT_UNBOUND=YES diff --git a/release/pkg_repos/pfSense-repo-devel.conf b/release/pkg_repos/pfSense-repo-devel.conf new file mode 100644 index 0000000..c4e69fa --- /dev/null +++ b/release/pkg_repos/pfSense-repo-devel.conf @@ -0,0 +1,17 @@ +FreeBSD: { enabled: no } + +%%PRODUCT_NAME%%-core: { + url: "%%PKG_REPO_SERVER_DEVEL%%/%%PRODUCT_NAME%%_%%PKG_REPO_BRANCH_DEVEL%%_%%ARCH%%-core", + mirror_type: "srv", + signature_type: "fingerprints", + fingerprints: "/usr/local/share/%%PRODUCT_NAME%%/keys/pkg", + enabled: yes +} + +%%PRODUCT_NAME%%: { + url: "%%PKG_REPO_SERVER_DEVEL%%/%%PRODUCT_NAME%%_%%PKG_REPO_BRANCH_DEVEL%%_%%ARCH%%-%%POUDRIERE_PORTS_NAME%%", + mirror_type: "srv", + signature_type: "fingerprints", + fingerprints: "/usr/local/share/%%PRODUCT_NAME%%/keys/pkg", + enabled: yes +} diff --git a/release/pkg_repos/pfSense-repo-devel.descr b/release/pkg_repos/pfSense-repo-devel.descr new file mode 100644 index 0000000..c2c9eb2 --- /dev/null +++ b/release/pkg_repos/pfSense-repo-devel.descr @@ -0,0 +1 @@ +Development Snapshots (Experimental) diff --git a/release/pkg_repos/pfSense-repo.conf b/release/pkg_repos/pfSense-repo.conf new file mode 100644 index 0000000..c4e69fa --- /dev/null +++ b/release/pkg_repos/pfSense-repo.conf @@ -0,0 +1,17 @@ +FreeBSD: { enabled: no } + +%%PRODUCT_NAME%%-core: { + url: "%%PKG_REPO_SERVER_DEVEL%%/%%PRODUCT_NAME%%_%%PKG_REPO_BRANCH_DEVEL%%_%%ARCH%%-core", + mirror_type: "srv", + signature_type: "fingerprints", + fingerprints: "/usr/local/share/%%PRODUCT_NAME%%/keys/pkg", + enabled: yes +} + +%%PRODUCT_NAME%%: { + url: "%%PKG_REPO_SERVER_DEVEL%%/%%PRODUCT_NAME%%_%%PKG_REPO_BRANCH_DEVEL%%_%%ARCH%%-%%POUDRIERE_PORTS_NAME%%", + mirror_type: "srv", + signature_type: "fingerprints", + fingerprints: "/usr/local/share/%%PRODUCT_NAME%%/keys/pkg", + enabled: yes +} diff --git a/release/pkg_repos/pfSense-repo.descr b/release/pkg_repos/pfSense-repo.descr new file mode 100644 index 0000000..e892126 --- /dev/null +++ b/release/pkg_repos/pfSense-repo.descr @@ -0,0 +1 @@ +Stable (Default) diff --git a/release/rc.local b/release/rc.local index cb44227..f053f32 100755 --- a/release/rc.local +++ b/release/rc.local @@ -37,7 +37,7 @@ if [ $? -eq 0 ]; then else # Serial or other console echo - echo "Welcome to FreeBSD!" + echo "Welcome to pfSense!" echo echo "Please choose the appropriate terminal type for your system." echo "Common console types are:" @@ -54,15 +54,15 @@ export TERM if [ -f /etc/installerconfig ]; then if bsdinstall script /etc/installerconfig; then - dialog --backtitle "FreeBSD Installer" --title "Complete" --no-cancel --ok-label "Reboot" --pause "Installation of FreeBSD complete! Rebooting in 10 seconds" 10 30 10 + dialog --backtitle "pfSense Installer" --title "Complete" --no-cancel --ok-label "Reboot" --pause "Installation of pfSense complete! Rebooting in 10 seconds" 10 30 10 reboot else - dialog --backtitle "FreeBSD Installer" --title "Error" --textbox /tmp/bsdinstall_log 0 0 + dialog --backtitle "pfSense Installer" --title "Error" --textbox /tmp/bsdinstall_log 0 0 fi exit fi -dialog --backtitle "FreeBSD Installer" --title "Welcome" --extra-button --extra-label "Shell" --ok-label "Install" --cancel-label "Live CD" --yesno "Welcome to FreeBSD! Would you like to begin an installation or use the live CD?" 0 0 +dialog --backtitle "pfSense Installer" --title "Welcome" --extra-button --extra-label "Shell" --ok-label "Install" --cancel-label "Live CD" --yesno "Welcome to pfSense! Would you like to begin an installation or use the live CD?" 0 0 case $? in $DIALOG_OK) # Install @@ -75,7 +75,7 @@ $DIALOG_OK) # Install trap true SIGINT # Ignore cntrl-C here bsdinstall if [ $? -eq 0 ]; then - dialog --backtitle "FreeBSD Installer" --title "Complete" --yes-label "Reboot" --no-label "Live CD" --yesno "Installation of FreeBSD complete! Would you like to reboot into the installed system now?" 0 0 && reboot + dialog --backtitle "pfSense Installer" --title "Complete" --yes-label "Reboot" --no-label "Live CD" --yesno "Installation of pfSense complete! Would you like to reboot into the installed system now?" 0 0 && reboot else . /etc/rc.local fi diff --git a/sbin/ifconfig/ifpfsync.c b/sbin/ifconfig/ifpfsync.c index 9dbe1d6..4094610 100644 --- a/sbin/ifconfig/ifpfsync.c +++ b/sbin/ifconfig/ifpfsync.c @@ -203,7 +203,8 @@ pfsync_status(int s) if (preq.pfsyncr_syncdev[0] != '\0' || preq.pfsyncr_syncpeer.s_addr != INADDR_PFSYNC_GROUP) { printf("maxupd: %d ", preq.pfsyncr_maxupdates); - printf("defer: %s\n", preq.pfsyncr_defer ? "on" : "off"); + printf("defer: %s\n", (preq.pfsyncr_defer & PFSYNCF_DEFER) ? "on" : "off"); + printf("\tsyncok: %d\n", (preq.pfsyncr_defer & PFSYNCF_OK) ? 1 : 0); } } diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 934037c..dcfddfc 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -217,6 +217,7 @@ struct filter_opts { #define FOM_TOS 0x04 #define FOM_KEEP 0x08 #define FOM_SRCTRACK 0x10 +#define FOM_DSCP 0x20 #define FOM_SETPRIO 0x0400 #define FOM_PRIO 0x2000 struct node_uid *uid; @@ -229,7 +230,9 @@ struct filter_opts { } flags; struct node_icmp *icmpspec; u_int32_t tos; + u_int32_t dscp; u_int32_t prob; + u_int32_t tracker; struct { int action; struct node_state_opt *options; @@ -237,10 +240,14 @@ struct filter_opts { int fragment; int allowopts; char *label; + char *schedule; struct node_qassign queues; char *tag; char *match_tag; u_int8_t match_tag_not; + u_int32_t dnpipe; + u_int32_t pdnpipe; + u_int32_t free_flags; u_int rtableid; u_int8_t prio; u_int8_t set_prio[2]; @@ -252,6 +259,7 @@ struct filter_opts { struct antispoof_opts { char *label; + u_int32_t tracker; u_int rtableid; } antispoof_opts; @@ -344,6 +352,7 @@ int expand_skip_interface(struct node_if *); int check_rulestate(int); int getservice(char *); int rule_label(struct pf_rule *, char *); +int rule_schedule(struct pf_rule *, char *); int rt_tableid_max(void); void mv_rules(struct pf_ruleset *, struct pf_ruleset *); @@ -445,11 +454,11 @@ int parseport(char *, struct range *r, int); %} -%token PASS BLOCK SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS +%token PASS BLOCK MATCH SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF -%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL -%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE +%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL SCHEDULE +%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DSCP DROP TABLE TRACKER %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID %token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID @@ -457,6 +466,7 @@ int parseport(char *, struct range *r, int); %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY %token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME %token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL +%token DNPIPE DNQUEUE %token LOAD RULESET_OPTIMIZATION PRIO %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY @@ -467,7 +477,7 @@ int parseport(char *, struct range *r, int); %token <v.i> PORTBINARY %type <v.interface> interface if_list if_item_not if_item %type <v.number> number icmptype icmp6type uid gid -%type <v.number> tos not yesno +%type <v.number> tos dscp not yesno %type <v.probability> probability %type <v.i> no dir af fragcache optimizer %type <v.i> sourcetrack flush unaryop statelock @@ -492,7 +502,7 @@ int parseport(char *, struct range *r, int); %type <v.gid> gids gid_list gid_item %type <v.route> route %type <v.redirection> redirection redirpool -%type <v.string> label stringall tag anchorname +%type <v.string> label schedule stringall tag anchorname %type <v.string> string varstring numberstring %type <v.keep_state> keep %type <v.state_opt> state_opt_spec state_opt_list state_opt_item @@ -1237,6 +1247,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { if (rule_label(&r, $5.label)) YYERROR; r.rtableid = $5.rtableid; + r.cuid = $5.tracker; j = calloc(1, sizeof(struct node_if)); if (j == NULL) err(1, "antispoof: calloc"); @@ -1286,6 +1297,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { r.logif = $2.logif; r.quick = $2.quick; r.af = $4; + r.cuid = $5.tracker; if (rule_label(&r, $5.label)) YYERROR; r.rtableid = $5.rtableid; @@ -1347,6 +1359,9 @@ antispoof_opt : label { } antispoof_opts.label = $1; } + | TRACKER number { + antispoof_opts.tracker = $2; + } | RTABLE NUMBER { if ($2 < 0 || $2 > rt_tableid_max()) { yyerror("invalid rtable id"); @@ -2061,6 +2076,11 @@ pfrule : action dir logquick interface route af proto fromto if (rule_label(&r, $9.label)) YYERROR; free($9.label); + if (rule_schedule(&r, $9.schedule)) + YYERROR; + free($9.schedule); + if ($9.tracker) + r.cuid = $9.tracker; r.flags = $9.flags.b1; r.flagset = $9.flags.b2; if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) { @@ -2092,7 +2112,14 @@ pfrule : action dir logquick interface route af proto fromto #endif } - r.tos = $9.tos; + if ($9.tos) { + r.tos = $9.tos; + r.rule_flag |= PFRULE_TOS; + } + if ($9.dscp) { + r.tos = $9.dscp; + r.rule_flag |= PFRULE_DSCP; + } r.keep_state = $9.keep.action; o = $9.keep.options; @@ -2410,6 +2437,15 @@ pfrule : action dir logquick interface route af proto fromto } #endif + if ($9.dnpipe) { + r.dnpipe = $9.dnpipe; + if ($9.free_flags & PFRULE_DN_IS_PIPE) + r.free_flags |= PFRULE_DN_IS_PIPE; + else + r.free_flags |= PFRULE_DN_IS_QUEUE; + r.pdnpipe = $9.pdnpipe; + } + expand_rule(&r, $4, $5.host, $7, $8.src_os, $8.src.host, $8.src.port, $8.dst.host, $8.dst.port, $9.uid, $9.gid, $9.icmpspec, ""); @@ -2482,6 +2518,14 @@ filter_opt : USER uids { filter_opts.marker |= FOM_TOS; filter_opts.tos = $2; } + | dscp { + if (filter_opts.marker & FOM_DSCP) { + yyerror("dscp cannot be redefined"); + YYERROR; + } + filter_opts.marker |= FOM_DSCP; + filter_opts.dscp = $1; + } | keep { if (filter_opts.marker & FOM_KEEP) { yyerror("modulate or keep cannot be redefined"); @@ -2491,6 +2535,9 @@ filter_opt : USER uids { filter_opts.keep.action = $1.action; filter_opts.keep.options = $1.options; } + | TRACKER number { + filter_opts.tracker = $2; + } | FRAGMENT { filter_opts.fragment = 1; } @@ -2504,6 +2551,13 @@ filter_opt : USER uids { } filter_opts.label = $1; } + | schedule { + if (filter_opts.schedule) { + yyerror("schedule label cannot be redefined"); + YYERROR; + } + filter_opts.schedule = $1; + } | qname { if (filter_opts.queues.qname) { yyerror("queue cannot be redefined"); @@ -2511,6 +2565,32 @@ filter_opt : USER uids { } filter_opts.queues = $1; } + | DNPIPE number { + filter_opts.dnpipe = $2; + filter_opts.free_flags |= PFRULE_DN_IS_PIPE; + } + | DNPIPE '(' number ')' { + filter_opts.dnpipe = $3; + filter_opts.free_flags |= PFRULE_DN_IS_PIPE; + } + | DNPIPE '(' number comma number ')' { + filter_opts.pdnpipe = $5; + filter_opts.dnpipe = $3; + filter_opts.free_flags |= PFRULE_DN_IS_PIPE; + } + | DNQUEUE number { + filter_opts.dnpipe = $2; + filter_opts.free_flags |= PFRULE_DN_IS_QUEUE; + } + | DNQUEUE '(' number comma number ')' { + filter_opts.pdnpipe = $5; + filter_opts.dnpipe = $3; + filter_opts.free_flags |= PFRULE_DN_IS_QUEUE; + } + | DNQUEUE '(' number ')' { + filter_opts.dnpipe = $3; + filter_opts.free_flags |= PFRULE_DN_IS_QUEUE; + } | TAG string { filter_opts.tag = $2; } @@ -2633,6 +2713,7 @@ probability : STRING { action : PASS { $$.b1 = PF_PASS; $$.b2 = $$.w = 0; } + | MATCH { $$.b1 = PF_MATCH; $$.b2 = $$.w = 0; } | BLOCK blockspec { $$ = $2; $$.b1 = PF_DROP; } ; @@ -3610,6 +3691,48 @@ tos : STRING { } ; +dscp : DSCP STRING { + if (!strcmp($2, "EF")) + $$ = DSCP_EF; + else if (!strcmp($2, "VA")) + $$ = DSCP_VA; + else if (!strcmp($2, "af11")) + $$ = DSCP_AF11; + else if (!strcmp($2, "af12")) + $$ = DSCP_AF12; + else if (!strcmp($2, "af13")) + $$ = DSCP_AF13; + else if (!strcmp($2, "af21")) + $$ = DSCP_AF21; + else if (!strcmp($2, "af22")) + $$ = DSCP_AF22; + else if (!strcmp($2, "af23")) + $$ = DSCP_AF23; + else if (!strcmp($2, "af31")) + $$ = DSCP_AF31; + else if (!strcmp($2, "af32")) + $$ = DSCP_AF32; + else if (!strcmp($2, "af33")) + $$ = DSCP_AF33; + else if (!strcmp($2, "af41")) + $$ = DSCP_AF41; + else if (!strcmp($2, "af42")) + $$ = DSCP_AF42; + else if (!strcmp($2, "af43")) + $$ = DSCP_AF43; + else if ($2[0] == '0' && $2[1] == 'x') + $$ = strtoul($2, NULL, 16) * 4; + else + $$ = strtoul($2, NULL, 10) * 4; + if (!$$ || $$ > 255) { + yyerror("illegal dscp value %s", $2); + free($2); + YYERROR; + } + free($2); + } + ; + sourcetrack : SOURCETRACK { $$ = PF_SRCTRACK; } | SOURCETRACK GLOBAL { $$ = PF_SRCTRACK_GLOBAL; } | SOURCETRACK RULE { $$ = PF_SRCTRACK_RULE; } @@ -3816,6 +3939,11 @@ label : LABEL STRING { } ; +schedule : SCHEDULE STRING { + $$ = $2; + } + ; + qname : QUEUE STRING { $$.qname = $2; $$.pqname = NULL; @@ -4662,6 +4790,15 @@ filter_consistent(struct pf_rule *r, int anchor_call) "synproxy state or modulate state"); problems++; } + if ((r->rule_flag & PFRULE_TOS) && (r->rule_flag & PFRULE_DSCP)) { + yyerror("tos and dscp cannot be used together"); + problems++; + } + if (r->dnpipe && r->pdnpipe && !r->direction) { + yyerror("dummynet cannot be specified without direction"); + problems++; + } + return (-problems); } @@ -5207,6 +5344,7 @@ expand_rule(struct pf_rule *r, int added = 0, error = 0; char ifname[IF_NAMESIZE]; char label[PF_RULE_LABEL_SIZE]; + char schedule[PF_RULE_LABEL_SIZE]; char tagname[PF_TAG_NAME_SIZE]; char match_tagname[PF_TAG_NAME_SIZE]; struct pf_pooladdr *pa; @@ -5215,6 +5353,8 @@ expand_rule(struct pf_rule *r, if (strlcpy(label, r->label, sizeof(label)) >= sizeof(label)) errx(1, "expand_rule: strlcpy"); + if (strlcpy(schedule, r->schedule, sizeof(schedule)) > sizeof(schedule)) + errx(1, "expand_rule: strlcpy"); if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname)) errx(1, "expand_rule: strlcpy"); if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >= @@ -5266,6 +5406,9 @@ expand_rule(struct pf_rule *r, if (strlcpy(r->label, label, sizeof(r->label)) >= sizeof(r->label)) errx(1, "expand_rule: strlcpy"); + if (strlcpy(r->schedule, schedule, sizeof(r->schedule)) >= + sizeof(r->schedule)) + errx(1, "expand_rule: strlcpy"); if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >= sizeof(r->tagname)) errx(1, "expand_rule: strlcpy"); @@ -5274,6 +5417,8 @@ expand_rule(struct pf_rule *r, errx(1, "expand_rule: strlcpy"); expand_label(r->label, PF_RULE_LABEL_SIZE, r->ifname, r->af, src_host, src_port, dst_host, dst_port, proto->proto); + expand_label(r->schedule, PF_RULE_LABEL_SIZE, r->ifname, r->af, + src_host, src_port, dst_host, dst_port, proto->proto); expand_label(r->tagname, PF_TAG_NAME_SIZE, r->ifname, r->af, src_host, src_port, dst_host, dst_port, proto->proto); expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r->ifname, @@ -5458,8 +5603,11 @@ lookup(char *s) { "debug", DEBUG}, { "divert-reply", DIVERTREPLY}, { "divert-to", DIVERTTO}, + { "dnpipe", DNPIPE}, + { "dnqueue", DNQUEUE}, { "drop", DROP}, { "drop-ovl", FRAGDROP}, + { "dscp", DSCP}, { "dup-to", DUPTO}, { "fairq", FAIRQ}, { "fastroute", FASTROUTE}, @@ -5491,6 +5639,7 @@ lookup(char *s) { "load", LOAD}, { "log", LOG}, { "loginterface", LOGINTERFACE}, + { "match", MATCH}, { "max", MAXIMUM}, { "max-mss", MAXMSS}, { "max-src-conn", MAXSRCCONN}, @@ -5538,6 +5687,7 @@ lookup(char *s) { "rtable", RTABLE}, { "rule", RULE}, { "ruleset-optimization", RULESET_OPTIMIZATION}, + { "schedule", SCHEDULE}, { "scrub", SCRUB}, { "set", SET}, { "set-tos", SETTOS}, @@ -5559,6 +5709,7 @@ lookup(char *s) { "timeout", TIMEOUT}, { "to", TO}, { "tos", TOS}, + { "tracker", TRACKER}, { "ttl", TTL}, { "upperlimit", UPPERLIMIT}, { "urpf-failed", URPFFAILED}, @@ -6170,6 +6321,20 @@ rule_label(struct pf_rule *r, char *s) return (0); } +int +rule_schedule(struct pf_rule *r, char *s) +{ + if (s) { + if (strlcpy(r->schedule, s, sizeof(r->label)) >= + sizeof(r->label)) { + yyerror("rule schedule label too long (max %d chars)", + sizeof(r->label)-1); + return (-1); + } + } + return (0); +} + u_int16_t parseicmpspec(char *w, sa_family_t af) { diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 43d9dc5..c7a7459 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -75,6 +75,7 @@ void pfctl_addrprefix(char *, struct pf_addr *); int pfctl_kill_src_nodes(int, const char *, int); int pfctl_net_kill_states(int, const char *, int); int pfctl_label_kill_states(int, const char *, int); +int pfctl_kill_schedule(int, const char *, int); int pfctl_id_kill_states(int, const char *, int); void pfctl_init_options(struct pfctl *); int pfctl_load_options(struct pfctl *); @@ -114,6 +115,7 @@ const char *optiopt = NULL; char *pf_device = "/dev/pf"; char *ifaceopt; char *tableopt; +char *schedule = NULL; const char *tblcmdopt; int src_node_killers; char *src_node_kill[2]; @@ -649,6 +651,25 @@ pfctl_net_kill_states(int dev, const char *iface, int opts) } int +pfctl_kill_schedule(int dev, const char *sched, int opts) +{ + struct pfioc_schedule_kill psk; + + memset(&psk, 0, sizeof(psk)); + if (sched != NULL && strlcpy(psk.schedule, sched, + sizeof(psk.schedule)) >= sizeof(psk.schedule)) + errx(1, "invalid schedule label: %s", sched); + + if (ioctl(dev, DIOCKILLSCHEDULE, &psk)) + err(1, "DIOCKILLSCHEDULE"); + + if ((opts & PF_OPT_QUIET) == 0) + fprintf(stderr, "killed %d states from %s schedule label\n", + psk.numberkilled, sched); + return (0); +} + +int pfctl_label_kill_states(int dev, const char *iface, int opts) { struct pfioc_state_kill psk; @@ -799,10 +820,17 @@ pfctl_print_rule_counters(struct pf_rule *rule, int opts) (unsigned long long)(rule->bytes[0] + rule->bytes[1]), (uintmax_t)rule->u_states_cur); if (!(opts & PF_OPT_DEBUG)) +#ifdef PF_USER_INFO printf(" [ Inserted: uid %u pid %u " "State Creations: %-6ju]\n", (unsigned)rule->cuid, (unsigned)rule->cpid, (uintmax_t)rule->u_states_tot); +#else + printf(" [ Inserted: pid %u " + "State Creations: %-6ju]\n", + (unsigned)rule->cpid, + (uintmax_t)rule->u_states_tot); +#endif } } @@ -1999,7 +2027,7 @@ main(int argc, char *argv[]) usage(); while ((ch = getopt(argc, argv, - "a:AdD:eqf:F:ghi:k:K:mnNOo:Pp:rRs:t:T:vx:z")) != -1) { + "a:AdD:eqf:F:ghi:k:K:mnNOo:Pp:rRs:t:T:vx:y:z")) != -1) { switch (ch) { case 'a': anchoropt = optarg; @@ -2113,6 +2141,12 @@ main(int argc, char *argv[]) opts |= PF_OPT_VERBOSE2; opts |= PF_OPT_VERBOSE; break; + case 'y': + if (schedule != NULL && strlen(schedule) > 64) + errx(1, "Schedule label cannot be more than 64 characters\n"); + schedule = optarg; + mode = O_RDWR; + break; case 'x': debugopt = pfctl_lookup_option(optarg, debugopt_list); if (debugopt == NULL) { @@ -2321,6 +2355,9 @@ main(int argc, char *argv[]) if (src_node_killers) pfctl_kill_src_nodes(dev, ifaceopt, opts); + if (schedule) + pfctl_kill_schedule(dev, schedule, opts); + if (tblcmdopt != NULL) { error = pfctl_command_tables(argc, argv, tableopt, tblcmdopt, rulesopt, anchorname, opts); diff --git a/sbin/pfctl/pfctl_altq.c b/sbin/pfctl/pfctl_altq.c index 6b0443a..4c479bc 100644 --- a/sbin/pfctl/pfctl_altq.c +++ b/sbin/pfctl/pfctl_altq.c @@ -735,13 +735,6 @@ eval_pfqueue_hfsc(struct pfctl *pf, struct pf_altq *pa) return (-1); } - if ((opts->rtsc_m1 < opts->rtsc_m2 && opts->rtsc_m1 != 0) || - (opts->lssc_m1 < opts->lssc_m2 && opts->lssc_m1 != 0) || - (opts->ulsc_m1 < opts->ulsc_m2 && opts->ulsc_m1 != 0)) { - warnx("m1 must be zero for convex curve: %s", pa->qname); - return (-1); - } - /* * admission control: * for the real-time service curve, the sum of the service curves diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 4bb1477..af1c73e 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -683,8 +683,14 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric) int i, opts; if (verbose) +#ifdef PF_USER_INFO printf("@%d ", r->nr); - if (r->action > PF_NORDR) +#else + printf("@%d(%u) ", r->nr, r->cuid); +#endif + if (r->action == PF_MATCH) + printf("match"); + else if (r->action > PF_NORDR) printf("action(%d)", r->action); else if (anchor_call[0]) { if (anchor_call[0] == '_') { @@ -839,8 +845,10 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric) printf(" code %u", r->code-1); } } - if (r->tos) + if (r->tos && (r->rule_flag & PFRULE_TOS)) printf(" tos 0x%2.2x", r->tos); + if (r->tos && (r->rule_flag & PFRULE_DSCP)) + printf(" dscp 0x%2.2x", r->tos & DSCP_MASK); if (r->prio) printf(" prio %u", r->prio == PF_PRIO_ZERO ? 0 : r->prio); if (r->scrub_flags & PFSTATE_SETMASK) { @@ -1001,6 +1009,14 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric) } if (r->label[0]) printf(" label \"%s\"", r->label); + if (r->dnpipe && r->pdnpipe) + printf(" %s(%d, %d)", + r->free_flags & PFRULE_DN_IS_PIPE ? "dnpipe" : "dnqueue", + r->dnpipe, r->pdnpipe); + else if (r->dnpipe) + printf(" %s %d", + r->free_flags & PFRULE_DN_IS_PIPE ? "dnpipe" : "dnqueue", + r->dnpipe); if (r->qname[0] && r->pqname[0]) printf(" queue(%s, %s)", r->qname, r->pqname); else if (r->qname[0]) diff --git a/sys/amd64/conf/pfSense b/sys/amd64/conf/pfSense new file mode 100644 index 0000000..67399be --- /dev/null +++ b/sys/amd64/conf/pfSense @@ -0,0 +1,184 @@ +include GENERIC + +nooptions KDB_TRACE + +ident pfSense + +nooptions MAC # TrustedBSD MAC Framework +nooptions COMPAT_FREEBSD4 # Compatible with FreeBSD4 +nooptions COMPAT_FREEBSD5 # Compatible with FreeBSD5 +nooptions COMPAT_FREEBSD6 # Compatible with FreeBSD6 +nooptions COMPAT_FREEBSD7 # Compatible with FreeBSD7 + +options GEOM_MIRROR +options GEOM_UZIP +options GEOM_ELI +options GEOM_BDE + +options TMPFS +options UNIONFS +options NULLFS +options PPS_SYNC + +# Wireless +nooptions IEEE80211_DEBUG # enable debug msgs +device wlan_rssadapt +device wlan_xauth +device wlan_acl +device iwifw +device ipwfw # Firmware for Intel PRO/Wireless 2100 IEEE 802.11 driver +device wpifw # Firmware for Intel 3945ABG Wireless LAN IEEE 802.11 driver +device iwnfw # Firmware for Intel Wireless WiFi Link 4965AGN IEEE 802.11n driver +device uath # Atheros USB IEEE 802.11a/b/g wireless network device +device ralfw # Firmware for Ralink Technology RT2500 wireless NICs. +device ural # Ralink Technology RT2500USB IEEE 802.11 driver +device urtw # Realtek RTL8187B/L USB IEEE 802.11b/g wireless network device +device rum # Ralink Technology USB IEEE 802.11a/b/g wireless network device +device mwlfw # Firmware for Marvell 88W8363 IEEE 802.11n wireless network driver +device zyd # ZyDAS ZD1211/ZD1211B USB IEEE 802.11b/g wireless network device +device upgt # Conexant/Intersil PrismGT SoftMAC USB IEEE 802.11b/g wireless +device udav # Davicom DM9601 USB Ethernet driver +device axe +device axge +device aue +device cue +device kue +device mos +device rsu +device rsufw +device run # Ralink RT2700U/RT2800U/RT3000U USB 802.11agn +device runfw +device rue +#device urtwn +#device urtwnfw +device siba_bwn # Broadcom BCM43xx IEEE 802.11b/g wireless network driver +device bwn # Broadcom BCM43xx IEEE 802.11b/g wireless network driver +device bwi # Broadcom BCM43xx IEEE 802.11b/g wireless network driver + +# Pseudo devices. +#device pty # Pseudo-ttys (telnet etc) + +# USB support +nooptions USB_DEBUG # enable debug msgs + +# 3G devices +device ufoma +device ucom +device uslcom +device uplcom +device umct +device uvisor +device uark +device uftdi +device uvscom +device umodem +device u3g +device cdce + +device uhid # "Human Interface Devices" + +# FireWire support +device firewire # FireWire bus code +device sbp # SCSI over FireWire (Requires scbus and da) + +# pfsense addons + +device tap +device gre +device if_bridge +device carp +device lagg +device vte + +# IP/IPFW +options IPFIREWALL_DEFAULT_TO_ACCEPT +options IPFIREWALL_VERBOSE +options IPSTEALTH + +# Netgraph +options NETGRAPH #netgraph(4) system +options NETGRAPH_VLAN +options NETGRAPH_L2TP +options NETGRAPH_BPF +options NETGRAPH_ETHER +options NETGRAPH_IFACE +options NETGRAPH_EIFACE +options NETGRAPH_PPP +options NETGRAPH_PPPOE +options NETGRAPH_PPTPGRE +options NETGRAPH_RFC1490 +options NETGRAPH_SOCKET +options NETGRAPH_TTY +options NETGRAPH_MPPC_ENCRYPTION +options NETGRAPH_UI +options NETGRAPH_VJC +options NETGRAPH_KSOCKET +options NETGRAPH_LMI +options NETGRAPH_ONE2MANY +options NETGRAPH_BRIDGE +options NETGRAPH_CISCO +options NETGRAPH_ECHO +options NETGRAPH_ASYNC +options NETGRAPH_FRAME_RELAY +options NETGRAPH_HOLE +options NETGRAPH_TEE +options NETGRAPH_TCPMSS +options NETGRAPH_PIPE +options NETGRAPH_CAR +options NETGRAPH_DEFLATE +options NETGRAPH_PRED1 + +# IPSEC +options IPSEC_NAT_T +options TCP_SIGNATURE +device enc + +# ALTQ +options ALTQ +options ALTQ_CBQ +options ALTQ_RED +options ALTQ_RIO +options ALTQ_HFSC +options ALTQ_PRIQ +options ALTQ_FAIRQ +options ALTQ_NOPCC +options ALTQ_CODEL + +# Squid related settings +options MSGMNB=8192 # max # of bytes in a queue +options MSGMNI=40 # number of message queue identifiers +options MSGSEG=512 # number of message segments per queue +options MSGSSZ=32 # size of a message segment +options MSGTQL=2048 # max messages in system + +device pf +device pflog +device pfsync + +device rndtest # FIPS 140-2 entropy tester +device hifn # Hifn 7951, 7781, etc. +options HIFN_DEBUG # enable debugging support: hw.hifn.debug +options HIFN_RNDTEST # enable rndtest support +device ubsec # Broadcom 5501, 5601, 58xx +device safe # safe -- SafeNet crypto accelerator +device padlock + +device speaker + +options DEVICE_POLLING + +options MROUTING + +# Additional cards +device mxge # mxge - Myricom Myri10GE 10 Gigabit Ethernet adapter driver +device cxgb # cxgb -- Chelsio T3 10 Gigabit Ethernet adapter driver +device cxgbe # cxgbe -- Chelsio T5 10 Gigabit Ethernet adapter driver +#device nve # nVidia nForce MCP on-board Ethernet Networking +device oce + +# Default serial speed +options CONSPEED=115200 + +# Enable gpioapu +#device gpioapu +#device gpiorcc diff --git a/sys/arm/altera/socfpga/files.socfpga b/sys/arm/altera/socfpga/files.socfpga index 1b8aaa0..8c6d7b3 100644 --- a/sys/arm/altera/socfpga/files.socfpga +++ b/sys/arm/altera/socfpga/files.socfpga @@ -9,7 +9,6 @@ arm/altera/socfpga/socfpga_rstmgr.c standard arm/altera/socfpga/socfpga_mp.c optional smp arm/altera/socfpga/socfpga_gpio.c optional gpio -dev/mii/micphy.c optional micphy dev/mmc/host/dwmmc.c optional dwmmc # BERI specific diff --git a/sys/arm/conf/pfSense-uBMC b/sys/arm/conf/pfSense-uBMC new file mode 100644 index 0000000..6d7e1c2 --- /dev/null +++ b/sys/arm/conf/pfSense-uBMC @@ -0,0 +1,124 @@ +include uBMC + +nooptions KDB_TRACE + +ident pfSense-uBMC + +nooptions MAC # TrustedBSD MAC Framework +nooptions COMPAT_FREEBSD4 # Compatible with FreeBSD4 +nooptions COMPAT_FREEBSD5 # Compatible with FreeBSD5 +nooptions COMPAT_FREEBSD6 # Compatible with FreeBSD6 +nooptions COMPAT_FREEBSD7 # Compatible with FreeBSD7 + +options GEOM_MIRROR +options GEOM_UZIP +options GEOM_ELI +options GEOM_BDE + +options UNIONFS +options NULLFS +options PPS_SYNC + +# USB support +nooptions USB_DEBUG # enable debug msgs + +# 3G devices +device ufoma +device ucom +device uslcom +device uplcom +device umct +device uvisor +device uark +device uftdi +device uvscom +device umodem +device u3g +device cdce + +device uhid # "Human Interface Devices" + +# pfsense addons + +device tap +device gre +device if_bridge +device carp +device lagg +device vte + +# IP/IPFW +options IPFIREWALL_DEFAULT_TO_ACCEPT +options IPFIREWALL_VERBOSE +options IPSTEALTH + +# Netgraph +options NETGRAPH #netgraph(4) system +options NETGRAPH_VLAN +options NETGRAPH_L2TP +options NETGRAPH_BPF +options NETGRAPH_ETHER +options NETGRAPH_IFACE +options NETGRAPH_EIFACE +options NETGRAPH_PPP +options NETGRAPH_PPPOE +options NETGRAPH_PPTPGRE +options NETGRAPH_RFC1490 +options NETGRAPH_SOCKET +options NETGRAPH_TTY +options NETGRAPH_MPPC_ENCRYPTION +options NETGRAPH_UI +options NETGRAPH_VJC +options NETGRAPH_KSOCKET +options NETGRAPH_LMI +options NETGRAPH_ONE2MANY +options NETGRAPH_BRIDGE +options NETGRAPH_CISCO +options NETGRAPH_ECHO +options NETGRAPH_ASYNC +options NETGRAPH_FRAME_RELAY +options NETGRAPH_HOLE +options NETGRAPH_TEE +options NETGRAPH_TCPMSS +options NETGRAPH_PIPE +options NETGRAPH_CAR +options NETGRAPH_DEFLATE +options NETGRAPH_PRED1 + +# IPSEC +options IPSEC_NAT_T +options TCP_SIGNATURE +device enc + +# ALTQ +options ALTQ +options ALTQ_CBQ +options ALTQ_RED +options ALTQ_RIO +options ALTQ_HFSC +options ALTQ_PRIQ +options ALTQ_FAIRQ +options ALTQ_NOPCC +options ALTQ_CODEL + +# Squid related settings +options MSGMNB=8192 # max # of bytes in a queue +options MSGMNI=40 # number of message queue identifiers +options MSGSEG=512 # number of message segments per queue +options MSGSSZ=32 # size of a message segment +options MSGTQL=2048 # max messages in system + +device pf +device pflog +device pfsync + +device rndtest # FIPS 140-2 entropy tester +device hifn # Hifn 7951, 7781, etc. +options HIFN_DEBUG # enable debugging support: hw.hifn.debug +options HIFN_RNDTEST # enable rndtest support +device ubsec # Broadcom 5501, 5601, 58xx +device safe # safe -- SafeNet crypto accelerator + +options DEVICE_POLLING + +options MROUTING diff --git a/sys/arm/conf/pfSense-uFW b/sys/arm/conf/pfSense-uFW new file mode 100644 index 0000000..a02723a --- /dev/null +++ b/sys/arm/conf/pfSense-uFW @@ -0,0 +1,124 @@ +include uFW + +nooptions KDB_TRACE + +ident pfSense-uFW + +nooptions MAC # TrustedBSD MAC Framework +nooptions COMPAT_FREEBSD4 # Compatible with FreeBSD4 +nooptions COMPAT_FREEBSD5 # Compatible with FreeBSD5 +nooptions COMPAT_FREEBSD6 # Compatible with FreeBSD6 +nooptions COMPAT_FREEBSD7 # Compatible with FreeBSD7 + +options GEOM_MIRROR +options GEOM_UZIP +options GEOM_ELI +options GEOM_BDE + +options UNIONFS +options NULLFS +options PPS_SYNC + +# USB support +nooptions USB_DEBUG # enable debug msgs + +# 3G devices +device ufoma +device ucom +device uslcom +device uplcom +device umct +device uvisor +device uark +device uftdi +device uvscom +device umodem +device u3g +device cdce + +device uhid # "Human Interface Devices" + +# pfsense addons + +device tap +device gre +device if_bridge +device carp +device lagg +device vte + +# IP/IPFW +options IPFIREWALL_DEFAULT_TO_ACCEPT +options IPFIREWALL_VERBOSE +options IPSTEALTH + +# Netgraph +options NETGRAPH #netgraph(4) system +options NETGRAPH_VLAN +options NETGRAPH_L2TP +options NETGRAPH_BPF +options NETGRAPH_ETHER +options NETGRAPH_IFACE +options NETGRAPH_EIFACE +options NETGRAPH_PPP +options NETGRAPH_PPPOE +options NETGRAPH_PPTPGRE +options NETGRAPH_RFC1490 +options NETGRAPH_SOCKET +options NETGRAPH_TTY +options NETGRAPH_MPPC_ENCRYPTION +options NETGRAPH_UI +options NETGRAPH_VJC +options NETGRAPH_KSOCKET +options NETGRAPH_LMI +options NETGRAPH_ONE2MANY +options NETGRAPH_BRIDGE +options NETGRAPH_CISCO +options NETGRAPH_ECHO +options NETGRAPH_ASYNC +options NETGRAPH_FRAME_RELAY +options NETGRAPH_HOLE +options NETGRAPH_TEE +options NETGRAPH_TCPMSS +options NETGRAPH_PIPE +options NETGRAPH_CAR +options NETGRAPH_DEFLATE +options NETGRAPH_PRED1 + +# IPSEC +options IPSEC_NAT_T +options TCP_SIGNATURE +device enc + +# ALTQ +options ALTQ +options ALTQ_CBQ +options ALTQ_RED +options ALTQ_RIO +options ALTQ_HFSC +options ALTQ_PRIQ +options ALTQ_FAIRQ +options ALTQ_NOPCC +options ALTQ_CODEL + +# Squid related settings +options MSGMNB=8192 # max # of bytes in a queue +options MSGMNI=40 # number of message queue identifiers +options MSGSEG=512 # number of message segments per queue +options MSGSSZ=32 # size of a message segment +options MSGTQL=2048 # max messages in system + +device pf +device pflog +device pfsync + +device rndtest # FIPS 140-2 entropy tester +device hifn # Hifn 7951, 7781, etc. +options HIFN_DEBUG # enable debugging support: hw.hifn.debug +options HIFN_RNDTEST # enable rndtest support +device ubsec # Broadcom 5501, 5601, 58xx +device safe # safe -- SafeNet crypto accelerator + +options DEVICE_POLLING + +options MROUTING diff --git a/sys/arm/conf/std.armv6 b/sys/arm/conf/std.armv6 index 3a6d5c8..37637ef 100644 --- a/sys/arm/conf/std.armv6 +++ b/sys/arm/conf/std.armv6 @@ -2,8 +2,8 @@ # # $FreeBSD$ +options HZ=1000 options ARM_L2_PIPT # Only L2 PIPT is supported - options PREEMPTION # Enable kernel thread preemption options INET # InterNETworking options INET6 # IPv6 communications protocols diff --git a/sys/arm/conf/uBMC b/sys/arm/conf/uBMC new file mode 100644 index 0000000..baff3ef --- /dev/null +++ b/sys/arm/conf/uBMC @@ -0,0 +1,126 @@ +# +# uBMC -- Custom configuration for the micro-BMC development kit, check out +# http://www.netgate.com and http://www.adi.com +# +# For more information on this file, please read the config(5) manual page, +# and/or the handbook section on Kernel Configuration Files: +# +# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html +# +# The handbook is also available locally in /usr/share/doc/handbook +# if you've installed the doc distribution, otherwise always see the +# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the +# latest information. +# +# An exhaustive list of options and more detailed explanations of the +# device lines is also present in the ../../conf/NOTES and NOTES files. +# If you are in doubt as to the purpose or necessity of a line, check first +# in NOTES. +# +# $FreeBSD$ + +ident uBMC + +include "std.armv6" +include "../ti/am335x/std.am335x" + +makeoptions MODULES_EXTRA="dtb/am335x am335x_dmtpps" + +options INTRNG + +options SCHED_4BSD # 4BSD scheduler +options PLATFORM + +# NFS server support +#options NFSD + +# NFS root from boopt/dhcp +#options BOOTP +#options BOOTP_NFSROOT +#options BOOTP_COMPAT +#options BOOTP_NFSV3 +#options BOOTP_WIRED_TO=cpsw0 + +# Boot device is 2nd slice on eMMC card +options ROOTDEVNAME=\"ufs:mmcsd0s2a\" + +# MMC/SD/SDIO Card slot support +device mmc # mmc/sd bus +device mmcsd # mmc/sd flash cards +device sdhci # mmc/sd host controller + +# I2C support +device iicbus +device iic +device ti_i2c + +# eeprom +device icee + +# lm75 (carrier board) +device lm75 + +#define am335x_dmtpps # Pulse Per Second capture driver + +# Console and misc +device uart +device uart_ns8250 +device pty +device snp +device md +device random # Entropy device + +# GPIO +device gpio +device gpioled + +# ADC support +device ti_adc + +# SPI +device ti_spi +device spibus +device mx25l + +# Watchdog support +# If we don't enable the watchdog driver, the system could potentially +# reboot automatically because the boot loader might have enabled the +# watchdog. +device ti_wdt + +# Mailbox support +device ti_mbox + +# PMU support (for CCNT). +device pmu + +# USB support +device usb +options USB_HOST_ALIGN=64 # Align usb buffers to cache line size. +device musb +device umass +device scbus # SCSI bus (required for ATA/SCSI) +device da # Direct Access (disks) + +# USB ethernet support, requires miibus +device miibus + +# Ethernet +device loop +device ether +device micphy +device cpsw +device bpf + +# Netmap provides direct access to TX/RX rings on supported NICs +#device netmap # netmap(4) support + +# Device mode support and USFS template +device usb_template # Control of the gadget +device usfs + +# Pinmux +device fdt_pinctrl + +# Flattened Device Tree +options FDT # Configure using FDT/DTB data diff --git a/sys/arm/conf/uBMC-netboot b/sys/arm/conf/uBMC-netboot new file mode 100644 index 0000000..9d1160b --- /dev/null +++ b/sys/arm/conf/uBMC-netboot @@ -0,0 +1,128 @@ +# +# uBMC -- Custom configuration for the micro-BMC development kit, check out +# http://www.netgate.com and http://www.adi.com +# +# For more information on this file, please read the config(5) manual page, +# and/or the handbook section on Kernel Configuration Files: +# +# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html +# +# The handbook is also available locally in /usr/share/doc/handbook +# if you've installed the doc distribution, otherwise always see the +# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the +# latest information. +# +# An exhaustive list of options and more detailed explanations of the +# device lines is also present in the ../../conf/NOTES and NOTES files. +# If you are in doubt as to the purpose or necessity of a line, check first +# in NOTES. +# +# $FreeBSD$ + +ident uBMC-netboot + +include "std.armv6" +include "../ti/am335x/std.am335x" + +makeoptions MODULES_EXTRA="dtb/am335x am335x_dmtpps" + +options INTRNG + +options SCHED_4BSD # 4BSD scheduler +options PLATFORM + +# NFS server support +#options NFSD + +# NFS root from boopt/dhcp +options BOOTP +options BOOTP_NFSROOT +options BOOTP_COMPAT +options BOOTP_NFSV3 +options BOOTP_WIRED_TO=cpsw0 + +# Boot device is 2nd slice on eMMC card +options ROOTDEVNAME=\"ufs:mmcsd0s2a\" + +# MMC/SD/SDIO Card slot support +device mmc # mmc/sd bus +device mmcsd # mmc/sd flash cards +device sdhci # mmc/sd host controller + +# I2C support +device iicbus +device iic +device ti_i2c + +# eeprom +device icee + +# lm75 (carrier board) +device lm75 + +#define am335x_dmtpps # Pulse Per Second capture driver + +# Console and misc +device uart +device uart_ns8250 +device pty +device snp +device md +device random # Entropy device + +# GPIO +device gpio +device gpioled + +# ADC support +device ti_adc + +# SPI +device ti_spi +device spibus +device mx25l + +# Watchdog support +# If we don't enable the watchdog driver, the system could potentially +# reboot automatically because the boot loader might have enabled the +# watchdog. +device ti_wdt + +# Mailbox support +device ti_mbox + +# PMU support (for CCNT). +device pmu + +# USB support +device usb +options USB_HOST_ALIGN=64 # Align usb buffers to cache line size. +device musb +device umass +device scbus # SCSI bus (required for ATA/SCSI) +device da # Direct Access (disks) + +# USB ethernet support, requires miibus +device miibus + +# Ethernet +device loop +device ether +device micphy +device cpsw +device bpf + +# Netmap provides direct access to TX/RX rings on supported NICs +device netmap # netmap(4) support + +# Device mode support and USFS template +device usb_template # Control of the gadget +device usfs + +# Pinmux +device fdt_pinctrl + +# Flattened Device Tree +options FDT # Configure using FDT/DTB data +options FDT_DTB_STATIC +makeoptions FDT_DTS_FILE=ubmc.dts diff --git a/sys/arm/conf/uFW b/sys/arm/conf/uFW new file mode 100644 index 0000000..359f445 --- /dev/null +++ b/sys/arm/conf/uFW @@ -0,0 +1,118 @@ +# +# uFW -- Custom configuration for the micro-firewall kit, check out +# http://www.netgate.com +# +# For more information on this file, please read the config(5) manual page, +# and/or the handbook section on Kernel Configuration Files: +# +# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html +# +# The handbook is also available locally in /usr/share/doc/handbook +# if you've installed the doc distribution, otherwise always see the +# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the +# latest information. +# +# An exhaustive list of options and more detailed explanations of the +# device lines is also present in the ../../conf/NOTES and NOTES files. +# If you are in doubt as to the purpose or necessity of a line, check first +# in NOTES. +# +# $FreeBSD$ + +ident uFW + +include "std.armv6" +include "../ti/am335x/std.am335x" + +makeoptions MODULES_EXTRA="dtb/am335x am335x_dmtpps" + +options INTRNG + +options SCHED_4BSD # 4BSD scheduler +options PLATFORM + +# NFS server support +#options NFSD + +# NFS root from boopt/dhcp +#options BOOTP +#options BOOTP_NFSROOT +#options BOOTP_COMPAT +#options BOOTP_NFSV3 +#options BOOTP_WIRED_TO=cpsw0 + +# Boot device is 2nd slice on MMC/SD card +options ROOTDEVNAME=\"ufs:mmcsd0s2a\" + +# MMC/SD/SDIO Card slot support +device mmc # mmc/sd bus +device mmcsd # mmc/sd flash cards +device sdhci # mmc/sd host controller + +# I2C support +device iicbus +device iic +device ti_i2c + +# eeprom +device icee + +#define am335x_dmtpps # Pulse Per Second capture driver + +# Console and misc +device uart +device uart_ns8250 +device pty +device snp +device md +device random # Entropy device + +# GPIO +device gpio +#device gpioled + +# ADC support +device ti_adc + +# Watchdog support +# If we don't enable the watchdog driver, the system could potentially +# reboot automatically because the boot loader might have enabled the +# watchdog. +device ti_wdt + +# Mailbox support +device ti_mbox + +# PMU support (for CCNT). +device pmu + +# USB support +device usb +options USB_HOST_ALIGN=64 # Align usb buffers to cache line size. +device musb +device umass +device scbus # SCSI bus (required for ATA/SCSI) +device da # Direct Access (disks) + +# USB ethernet support, requires miibus +device miibus + +# Ethernet +device loop +device ether +device micphy +device cpsw +device bpf + +# Netmap provides direct access to TX/RX rings on supported NICs +#device netmap # netmap(4) support + +# Device mode support and USFS template +device usb_template # Control of the gadget +device usfs + +# Pinmux +device fdt_pinctrl + +# Flattened Device Tree +options FDT # Configure using FDT/DTB data diff --git a/sys/arm/ti/am335x/am335x_ecap.c b/sys/arm/ti/am335x/am335x_ecap.c index eba5f72..ea05a70 100644 --- a/sys/arm/ti/am335x/am335x_ecap.c +++ b/sys/arm/ti/am335x/am335x_ecap.c @@ -25,7 +25,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); +__FBSDID("$FreeBSD: head/sys/arm/ti/am335x/am335x_ecap.c 283276 2015-05-22 03:16:18Z gonzo $"); #include <sys/param.h> #include <sys/systm.h> @@ -53,10 +53,27 @@ __FBSDID("$FreeBSD$"); #define ECAP_CAP2 0x0C #define ECAP_CAP3 0x10 #define ECAP_CAP4 0x14 +#define ECAP_ECCTL1 0x28 +#define ECCTL1_CAPLDEN (1 << 8) +#define ECCTL1_CTRRST4 (1 << 7) +#define ECCTL1_CTRRST3 (1 << 5) +#define ECCTL1_CTRRST2 (1 << 3) +#define ECCTL1_CTRRST1 (1 << 1) #define ECAP_ECCTL2 0x2A #define ECCTL2_MODE_APWM (1 << 9) #define ECCTL2_SYNCO_SEL (3 << 6) #define ECCTL2_TSCTRSTOP_FREERUN (1 << 4) +#define ECCTL2_REARM (1 << 3) +#define ECCTL2_STOP_WRAP_EVENT1 (0 << 1) +#define ECCTL2_STOP_WRAP_EVENT2 (1 << 1) +#define ECCTL2_STOP_WRAP_EVENT3 (2 << 1) +#define ECCTL2_STOP_WRAP_EVENT4 (3 << 1) +#define ECCTL2_CONT_ONESHT (1 << 0) +#define ECAP_ECEINT 0x2C +#define ECEINT_CEVT4 (1 << 4) +#define ECAP_ECFLG 0x2E +#define ECAP_ECCLR 0x30 +#define ECCLR_MASK 0xff #define ECAP_READ2(_sc, reg) bus_read_2((_sc)->sc_mem_res, reg); #define ECAP_WRITE2(_sc, reg, value) \ @@ -78,8 +95,13 @@ static device_detach_t am335x_ecap_detach; struct am335x_ecap_softc { device_t sc_dev; struct mtx sc_mtx; + struct resource *sc_irq_res; struct resource *sc_mem_res; + int sc_ecap_mode; + int sc_irq_rid; int sc_mem_rid; + uint32_t sc_period; + void *sc_intrhand; }; static device_method_t am335x_ecap_methods[] = { @@ -119,6 +141,9 @@ am335x_pwm_config_ecap(int unit, int period, int duty) return (EINVAL); sc = device_get_softc(dev); + if (sc->sc_ecap_mode) + return (EINVAL); + PWM_LOCK(sc); reg = ECAP_READ2(sc, ECAP_ECCTL2); @@ -138,6 +163,31 @@ am335x_pwm_config_ecap(int unit, int period, int duty) return (0); } +static void +am335x_ecap_intr(void *arg) +{ + struct am335x_ecap_softc *sc; + uint16_t reg; + uint64_t v; + + sc = (struct am335x_ecap_softc *)arg; + PWM_LOCK(sc); + v = ECAP_READ4(sc, ECAP_CAP1); + v += ECAP_READ4(sc, ECAP_CAP2); + v += ECAP_READ4(sc, ECAP_CAP3); + v += ECAP_READ4(sc, ECAP_CAP4); + v /= 4; + sc->sc_period = (uint32_t)v; + + reg = ECAP_READ2(sc, ECAP_ECFLG); + ECAP_WRITE2(sc, ECAP_ECCLR, ECCLR_MASK); + + reg = ECAP_READ2(sc, ECAP_ECCTL2); + reg |= ECCTL2_REARM; + ECAP_WRITE2(sc, ECAP_ECCTL2, reg); + PWM_UNLOCK(sc); +} + static int am335x_ecap_probe(device_t dev) { @@ -157,9 +207,11 @@ static int am335x_ecap_attach(device_t dev) { struct am335x_ecap_softc *sc; + uint16_t reg; sc = device_get_softc(dev); sc->sc_dev = dev; + sc->sc_ecap_mode = 1; PWM_LOCK_INIT(sc); @@ -169,6 +221,45 @@ am335x_ecap_attach(device_t dev) device_printf(dev, "cannot allocate memory resources\n"); goto fail; } + sc->sc_irq_res = bus_alloc_resource_any(dev, SYS_RES_IRQ, + &sc->sc_irq_rid, RF_ACTIVE); + if (sc->sc_irq_res == NULL) { + bus_release_resource(dev, SYS_RES_MEMORY, sc->sc_mem_rid, + sc->sc_mem_res); + device_printf(dev, "cannot allocate interrupt\n"); + return (ENXIO); + } + + /* Hook up our interrupt handler. */ + if (bus_setup_intr(dev, sc->sc_irq_res, INTR_TYPE_MISC | INTR_MPSAFE, + NULL, am335x_ecap_intr, sc, &sc->sc_intrhand)) { + bus_release_resource(dev, SYS_RES_IRQ, sc->sc_irq_rid, + sc->sc_irq_res); + bus_release_resource(dev, SYS_RES_MEMORY, sc->sc_mem_rid, + sc->sc_mem_res); + device_printf(dev, "cannot setup the interrupt handler\n"); + return (ENXIO); + } + + SYSCTL_ADD_INT(device_get_sysctl_ctx(sc->sc_dev), + SYSCTL_CHILDREN(device_get_sysctl_tree(sc->sc_dev)), + OID_AUTO, "period", CTLFLAG_RD, &sc->sc_period, 0, "eCMP period"); + + /* One shot, wrap counter after read event 4, no sync, stopped. */ + ECAP_WRITE2(sc, ECAP_ECCTL2, ECCTL2_SYNCO_SEL | + ECCTL2_STOP_WRAP_EVENT4 | ECCTL2_CONT_ONESHT); + /* Delta mode, rising edge. */ + ECAP_WRITE2(sc, ECAP_ECCTL1, ECCTL1_CAPLDEN | ECCTL1_CTRRST1 | + ECCTL1_CTRRST2 | ECCTL1_CTRRST3 | ECCTL1_CTRRST4); + /* Restart counter */ + ECAP_WRITE4(sc, ECAP_TSCTR, 0); + /* Enable overflow interrupt. */ + ECAP_WRITE2(sc, ECAP_ECCLR, ECCLR_MASK); + ECAP_WRITE2(sc, ECAP_ECEINT, ECEINT_CEVT4); + /* Start count. */ + reg = ECAP_READ2(sc, ECAP_ECCTL2); + reg |= ECCTL2_TSCTRSTOP_FREERUN; + ECAP_WRITE2(sc, ECAP_ECCTL2, reg); return (0); @@ -185,6 +276,13 @@ am335x_ecap_detach(device_t dev) sc = device_get_softc(dev); PWM_LOCK(sc); + ECAP_WRITE2(sc, ECAP_ECEINT, 0); + ECAP_WRITE2(sc, ECAP_ECCLR, ECCLR_MASK); + if (sc->sc_intrhand) + bus_teardown_intr(dev, sc->sc_irq_res, sc->sc_intrhand); + if (sc->sc_irq_res) + bus_release_resource(dev, SYS_RES_IRQ, + sc->sc_irq_rid, sc->sc_irq_res); if (sc->sc_mem_res) bus_release_resource(dev, SYS_RES_MEMORY, sc->sc_mem_rid, sc->sc_mem_res); diff --git a/sys/boot/fdt/dts/arm/ubmc.dts b/sys/boot/fdt/dts/arm/ubmc.dts new file mode 100644 index 0000000..e33498c --- /dev/null +++ b/sys/boot/fdt/dts/arm/ubmc.dts @@ -0,0 +1,159 @@ +/*- + * Copyright (c) 2016 Rubicon Communications (Netgate) + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +/dts-v1/; + +#include "am33xx.dtsi" +#include "ubmc.dtsi" + +/ { + model = "AM335x uBMC"; + compatible = "ti,am335x-ubmc", "ti,am33xx"; +}; + +&mmc1 { + status = "okay"; +}; + +&mmc2 { + vmmc-supply = <&vmmcsd_fixed>; + pinctrl-names = "default"; + pinctrl-0 = <&emmc_pins>; + bus-width = <8>; + ti,dual-volt; + non-removable; + status = "okay"; +}; + +&i2c0 { + pinctrl-names = "default"; + pinctrl-0 = <&i2c0_pins>; + + status = "okay"; + + lm750 { + compatible = "national,lm75"; + i2c-address = <0x48>; + }; +}; + +&i2c1 { + pinctrl-names = "default"; + pinctrl-0 = <&i2c1_pins>; + + status = "okay"; + + eeprom1 { + compatible = "atmel,24c256"; + i2c-address = <0x50>; + }; +}; + +&spi0 { + pinctrl-names = "default"; + pinctrl-0 = <&spi0_pins>; + status = "okay"; + + flash1: m25p64@1 { + #address-cells = <1>; + #size-cells = <1>; + compatible = "st,m25p64", "st,m25p"; + spi-max-frequency = <20000000>; + reg = <0>; + }; +}; + +&spi1 { + pinctrl-names = "default"; + pinctrl-0 = <&spi1_pins>; + status = "okay"; + + flash2: m25p64@2 { + #address-cells = <1>; + #size-cells = <1>; + compatible = "st,m25p64", "st,m25p"; + spi-max-frequency = <20000000>; + reg = <0>; + }; +}; + +&tscadc { + status = "okay"; + + adc { + #io-channel-cells = <0x1>; + compatible = "ti,am3359-adc"; + ti,adc-channels = <0x00 0x01 0x02 0x03 0x4 0x5 0x6 0x7>; + }; +}; + +&epwmss0 { + status = "okay"; +}; + +&ecap0 { + pinctrl-names = "default"; + pinctrl-0 = <&ecap0_pins>; + status = "okay"; +}; + +&ehrpwm0 { + status = "okay"; +}; + +&epwmss1 { + status = "okay"; +}; + +&ecap1 { + pinctrl-names = "default"; + pinctrl-0 = <&ecap1_pins>; + status = "okay"; +}; + +&ehrpwm1 { + pinctrl-names = "default"; + pinctrl-0 = <&ehrpwm1_pins>; + status = "okay"; +}; + +&epwmss2 { + status = "okay"; +}; + +&ecap2 { + pinctrl-names = "default"; + pinctrl-0 = <&ecap2_pins>; + status = "okay"; +}; + +&ehrpwm2 { + pinctrl-names = "default"; + pinctrl-0 = <&ehrpwm2_pins>; + status = "okay"; +}; diff --git a/sys/boot/fdt/dts/arm/ubmc.dtsi b/sys/boot/fdt/dts/arm/ubmc.dtsi new file mode 100644 index 0000000..e5b0d20 --- /dev/null +++ b/sys/boot/fdt/dts/arm/ubmc.dtsi @@ -0,0 +1,313 @@ +/* + * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +/ { + memory { + device_type = "memory"; + reg = <0x80000000 0x10000000>; /* 256 MB */ + }; + + vmmcsd_fixed: fixedregulator@0 { + compatible = "regulator-fixed"; + regulator-name = "vmmcsd_fixed"; + regulator-min-microvolt = <3300000>; + regulator-max-microvolt = <3300000>; + }; +}; + +&am33xx_pinmux { + pinctrl-names = "default"; + pinctrl-0 = <&clkout2_pin>; + + i2c0_pins: pinmux_i2c0_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x988, PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_sda.i2c0_sda */ + AM33XX_IOPAD(0x98c, PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_scl.i2c0_scl */ + >; + }; + + i2c1_pins: pinmux_i2c1_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x968, PIN_INPUT_PULLUP | MUX_MODE3) /* uart0_ctsn.i2c1_sda */ + AM33XX_IOPAD(0x96c, PIN_INPUT_PULLUP | MUX_MODE3) /* uart0_rtsn.i2c1_scl */ + >; + }; + + spi0_pins: pinmux_spi0_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x950, PIN_INPUT_PULLDOWN | MUX_MODE0) /* spi0_sclk.spi0_sclk */ + AM33XX_IOPAD(0x954, PIN_INPUT_PULLDOWN | MUX_MODE0) /* spi0_d0.spi0_miso */ + AM33XX_IOPAD(0x958, PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_d1.spi0_mosi */ + AM33XX_IOPAD(0x95c, PIN_INPUT_PULLUP | MUX_MODE0) /* spi0_cs0.spi0_cs0 */ + >; + }; + + spi1_pins: pinmux_spi1_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x908, PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_col.spi1_sclk */ + AM33XX_IOPAD(0x90c, PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_crs.spi1_miso */ + AM33XX_IOPAD(0x910, PIN_INPUT_PULLUP | MUX_MODE2) /* mii1_rx_er.spi1_mosi */ + AM33XX_IOPAD(0x944, PIN_INPUT_PULLUP | MUX_MODE2) /* rmii1_ref_clk.spi1_cs0 */ + >; + }; + + uart0_pins: pinmux_uart0_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x970, PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */ + AM33XX_IOPAD(0x974, PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart0_txd.uart0_txd */ + >; + }; + + clkout2_pin: pinmux_clkout2_pin { + pinctrl-single,pins = < + AM33XX_IOPAD(0x9b4, PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ + >; + }; + + cpsw_default: cpsw_default { + pinctrl-single,pins = < + /* Slave 1 */ + AM33XX_IOPAD(0x914, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txen.rgmii_1_txen */ + AM33XX_IOPAD(0x918, PIN_INPUT_PULLUP | MUX_MODE2) /* mii1_rxdv.rgmii_1_rxdv */ + AM33XX_IOPAD(0x91c, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd3.rgmii_1_txd3 */ + AM33XX_IOPAD(0x920, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd2.rgmii_1_txd2 */ + AM33XX_IOPAD(0x924, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd1.rgmii_1_txd1 */ + AM33XX_IOPAD(0x928, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd0.rgmii_1_txd0 */ + AM33XX_IOPAD(0x92c, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txclk.rgmii_1_txclk */ + AM33XX_IOPAD(0x930, PIN_INPUT_PULLUP | MUX_MODE2) /* mii1_rxclk.rgmii_1_rxclk */ + AM33XX_IOPAD(0x934, PIN_INPUT_PULLUP | MUX_MODE2) /* mii1_rxd3.rgmii_1_rxd3 */ + AM33XX_IOPAD(0x938, PIN_INPUT_PULLUP | MUX_MODE2) /* mii1_rxd2.rgmii_1_rxd2 */ + AM33XX_IOPAD(0x93c, PIN_INPUT_PULLUP | MUX_MODE2) /* mii1_rxd1.rgmii_1_rxd1 */ + AM33XX_IOPAD(0x940, PIN_INPUT_PULLUP | MUX_MODE2) /* mii1_rxd0.rgmii_1_rxd0 */ + + /* Slave 2 */ + AM33XX_IOPAD(0x840, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gmpc_a0.rgmii_2_txen */ + AM33XX_IOPAD(0x844, PIN_INPUT_PULLUP | MUX_MODE2) /* gmpc_a1.rgmii_2_rxdv */ + AM33XX_IOPAD(0x848, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gmpc_a2.rgmii_2_txd3 */ + AM33XX_IOPAD(0x84c, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gmpc_a3.rgmii_2_txd2 */ + AM33XX_IOPAD(0x850, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gmpc_a4.rgmii_2_txd1 */ + AM33XX_IOPAD(0x854, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gmpc_a5.rgmii_2_txd0 */ + AM33XX_IOPAD(0x858, PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gmpc_a6.rgmii_2_txclk */ + AM33XX_IOPAD(0x85c, PIN_INPUT_PULLUP | MUX_MODE2) /* gmpc_a7.rgmii_2_rxclk */ + AM33XX_IOPAD(0x860, PIN_INPUT_PULLUP | MUX_MODE2) /* gmpc_a8.rgmii_2_rxd3 */ + AM33XX_IOPAD(0x864, PIN_INPUT_PULLUP | MUX_MODE2) /* gmpc_a9.rgmii_2_rxd2 */ + AM33XX_IOPAD(0x868, PIN_INPUT_PULLUP | MUX_MODE2) /* gmpc_a10.rgmii_2_rxd1 */ + AM33XX_IOPAD(0x86c, PIN_INPUT_PULLUP | MUX_MODE2) /* gmpc_a11.rgmii_2_rxd0 */ + >; + }; + + cpsw_sleep: cpsw_sleep { + pinctrl-single,pins = < + /* Slave 1 reset value */ + AM33XX_IOPAD(0x914, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x918, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x91c, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x920, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x924, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x928, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x92c, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x930, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x934, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x938, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x93c, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x940, PIN_INPUT_PULLDOWN | MUX_MODE7) + + /* Slave 2 reset value */ + AM33XX_IOPAD(0x840, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x844, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x848, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x84c, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x850, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x854, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x858, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x85c, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x860, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x864, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x868, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x86c, PIN_INPUT_PULLDOWN | MUX_MODE7) + >; + }; + + davinci_mdio_default: davinci_mdio_default { + pinctrl-single,pins = < + /* MDIO */ + AM33XX_IOPAD(0x948, PIN_INPUT_PULLUP | SLEWCTRL_FAST | MUX_MODE0) /* mdio_data.mdio_data */ + AM33XX_IOPAD(0x94c, PIN_OUTPUT_PULLUP | MUX_MODE0) /* mdio_clk.mdio_clk */ + >; + }; + + davinci_mdio_sleep: davinci_mdio_sleep { + pinctrl-single,pins = < + /* MDIO reset value */ + AM33XX_IOPAD(0x948, PIN_INPUT_PULLDOWN | MUX_MODE7) + AM33XX_IOPAD(0x94c, PIN_INPUT_PULLDOWN | MUX_MODE7) + >; + }; + + mmc1_pins: pinmux_mmc1_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x8f0, PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_dat3.mmc0_dat3 */ + AM33XX_IOPAD(0x8f4, PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_dat2.mmc0_dat2 */ + AM33XX_IOPAD(0x8f8, PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_dat1.mmc0_dat1 */ + AM33XX_IOPAD(0x8fc, PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_dat0.mmc0_dat0 */ + AM33XX_IOPAD(0x900, PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_clk.mmc0_clk */ + AM33XX_IOPAD(0x904, PIN_INPUT_PULLUP | MUX_MODE0) /* mmc0_cmd.mmc0_cmd */ + AM33XX_IOPAD(0x960, PIN_INPUT_PULLUP | MUX_MODE5) /* spi0_cs1.mmc0_cd */ + >; + }; + + emmc_pins: pinmux_emmc_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x994, PIN_INPUT_PULLUP | MUX_MODE4) /* mcasp0_fsx.mmc1_cd */ + AM33XX_IOPAD(0x880, PIN_INPUT_PULLUP | MUX_MODE2) /* gpmc_csn1.mmc1_clk */ + AM33XX_IOPAD(0x884, PIN_INPUT_PULLUP | MUX_MODE2) /* gpmc_csn2.mmc1_cmd */ + AM33XX_IOPAD(0x800, PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad0.mmc1_dat0 */ + AM33XX_IOPAD(0x804, PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad1.mmc1_dat1 */ + AM33XX_IOPAD(0x808, PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad2.mmc1_dat2 */ + AM33XX_IOPAD(0x80c, PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad3.mmc1_dat3 */ + AM33XX_IOPAD(0x810, PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad4.mmc1_dat4 */ + AM33XX_IOPAD(0x814, PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad5.mmc1_dat5 */ + AM33XX_IOPAD(0x818, PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad6.mmc1_dat6 */ + AM33XX_IOPAD(0x81c, PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad7.mmc1_dat7 */ + >; + }; + + ecap0_pins: pinmux_ecap0_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x964, PIN_INPUT | MUX_MODE0) /* ecap0_in_pwm0_out.ecap0_in_pwm0_out */ + >; + }; + + ecap1_pins: pinmux_ecap1_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x960, PIN_INPUT | MUX_MODE2) /* spi0_cs1.ecap1_in_pwm1_out */ + >; + }; + + ehrpwm1_pins: pinmux_ehrpwm1_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x8c8, PIN_OUTPUT | MUX_MODE2) /* lcd_data10.ehrpwm1a */ + >; + }; + + ecap2_pins: pinmux_ecap2_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x99c, PIN_INPUT | MUX_MODE4) /* mcasp0_ahclkr.ecap2_in_pwm2_out */ + >; + }; + + ehrpwm2_pins: pinmux_ehrpwm2_pins { + pinctrl-single,pins = < + AM33XX_IOPAD(0x8a0, PIN_OUTPUT | MUX_MODE3) /* lcd_data0.ehrpwm2a */ + >; + }; +}; + +&uart0 { + pinctrl-names = "default"; + pinctrl-0 = <&uart0_pins>; + + status = "okay"; +}; + +&usb { + status = "okay"; +}; + +&usb_ctrl_mod { + status = "okay"; +}; + +&usb0_phy { + status = "okay"; +}; + +&usb1_phy { + status = "okay"; +}; + +&usb0 { + status = "okay"; + dr_mode = "host"; +}; + +&usb1 { + status = "okay"; + dr_mode = "peripheral"; +}; + +&cppi41dma { + status = "okay"; +}; + +&i2c0 { + pinctrl-names = "default"; + pinctrl-0 = <&i2c0_pins>; + + status = "okay"; + clock-frequency = <400000>; + + baseboard_eeprom: baseboard_eeprom@50 { + compatible = "atmel,24c256"; + reg = <0x50>; + + #address-cells = <1>; + #size-cells = <1>; + baseboard_data: baseboard_data@0 { + reg = <0 0x100>; + }; + }; +}; + +&cpsw_emac0 { + phy_id = <&davinci_mdio>, <1>; + phy-mode = "rgmii"; + dual_emac_res_vlan = <1>; +}; + +&cpsw_emac1 { + phy_id = <&davinci_mdio>, <2>; + phy-mode = "rgmii"; + dual_emac_res_vlan = <2>; +}; + +&mac { + pinctrl-names = "default", "sleep"; + pinctrl-0 = <&cpsw_default>; + pinctrl-1 = <&cpsw_sleep>; + active_slave = <1>; + status = "okay"; + dual_emac; + txen-skew-ps = <0>; + rxdv-skew-ps = <1400>; + rxd0-skew-ps = <1400>; + rxd1-skew-ps = <1400>; + rxd2-skew-ps = <1400>; + rxd3-skew-ps = <1400>; + txd0-skew-ps = <0>; + txd1-skew-ps = <0>; + txd2-skew-ps = <0>; + txd3-skew-ps = <0>; + rxc-skew-ps = <4400>; + txc-skew-ps = <6200>; +}; + +&davinci_mdio { + pinctrl-names = "default", "sleep"; + pinctrl-0 = <&davinci_mdio_default>; + pinctrl-1 = <&davinci_mdio_sleep>; + status = "okay"; +}; + +&aes { + status = "okay"; +}; + +&sham { + status = "okay"; +}; diff --git a/sys/boot/fdt/dts/arm/ufw.dts b/sys/boot/fdt/dts/arm/ufw.dts new file mode 100644 index 0000000..d02dd3b --- /dev/null +++ b/sys/boot/fdt/dts/arm/ufw.dts @@ -0,0 +1,70 @@ +/*- + * Copyright (c) 2016 Rubicon Communications (Netgate) + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +/dts-v1/; + +#include "am33xx.dtsi" +#include "ubmc.dtsi" + +/ { + model = "AM335x uFW"; + compatible = "ti,am335x-ufw", "ti,am335x-ubmc", "ti,am33xx"; +}; + +&mmc1 { + vmmc-supply = <&vmmcsd_fixed>; + pinctrl-names = "default"; + pinctrl-0 = <&mmc1_pins>; + bus-width = <4>; + non-removable; + status = "okay"; +}; + +&mmc2 { + vmmc-supply = <&vmmcsd_fixed>; + pinctrl-names = "default"; + pinctrl-0 = <&emmc_pins>; + bus-width = <8>; + ti,dual-volt; + non-removable; + status = "okay"; +}; + +&i2c0 { + pinctrl-names = "default"; + pinctrl-0 = <&i2c0_pins>; + + status = "okay"; +}; + +&i2c1 { + pinctrl-names = "default"; + pinctrl-0 = <&i2c1_pins>; + + status = "okay"; +}; diff --git a/sys/boot/forth/Makefile.inc b/sys/boot/forth/Makefile.inc index 97ab433..7c82ac4 100644 --- a/sys/boot/forth/Makefile.inc +++ b/sys/boot/forth/Makefile.inc @@ -23,3 +23,7 @@ FILES+= shortcuts.4th FILES+= support.4th FILES+= version.4th FILESDIR_loader.conf= /boot/defaults + +# pfSense +FILES+= logo-pfSensebw.4th +FILES+= brand-pfSense.4th diff --git a/sys/boot/forth/brand-pfSense.4th b/sys/boot/forth/brand-pfSense.4th new file mode 100644 index 0000000..d56ecc2 --- /dev/null +++ b/sys/boot/forth/brand-pfSense.4th @@ -0,0 +1,46 @@ +\ Copyright (c) 2004-2015 Electric Sheep Fencing LLC +\ All rights reserved. +\ +\ Redistribution and use in source and binary forms, with or without +\ modification, are permitted provided that the following conditions +\ are met: +\ 1. Redistributions of source code must retain the above copyright +\ notice, this list of conditions and the following disclaimer. +\ 2. Redistributions in binary form must reproduce the above copyright +\ notice, this list of conditions and the following disclaimer in the +\ documentation and/or other materials provided with the distribution. +\ +\ THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +\ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +\ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +\ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +\ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +\ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +\ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +\ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +\ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +\ SUCH DAMAGE. +\ +\ $FreeBSD$ + +2 brandX ! 1 brandY ! \ Initialize brand placement defaults + +: brand+ ( x y c-addr/u -- x y' ) + 2swap 2dup at-xy 2swap \ position the cursor + type \ print to the screen + 1+ \ increase y for next time we're called +; + +: brand ( x y -- ) \ "pfSense" [wide] logo in B/W (7 rows x 42 columns) + + s" __ ____ " brand+ + s" _ __ / _/ ___| ___ _ __ ___ ___ " brand+ + s" | '_ \| |_\___ \ / _ \ '_ \/ __|/ _ \ " brand+ + s" | |_) | _|___) | __/ | | \__ \ __/ " brand+ + s" | .__/|_| |____/ \___|_| |_|___/\___| " brand+ + s" |_| " brand+ + s" " brand+ + + 2drop +; diff --git a/sys/boot/forth/loader.conf b/sys/boot/forth/loader.conf index 69a4fcd..dee59e5 100644 --- a/sys/boot/forth/loader.conf +++ b/sys/boot/forth/loader.conf @@ -567,3 +567,10 @@ mac_seeotheruids_load="NO" # UID visbility MAC policy #module_before="cmd" # executes "cmd" before loading the module #module_after="cmd" # executes "cmd" after loading the module #module_error="cmd" # executes "cmd" if load fails + +# pfSense specific default values +loader_color="NO" +loader_logo="pfSensebw" +loader_brand="pfSense" +hw.usb.no_pf="1" +net.isr.maxthreads="-1" diff --git a/sys/boot/forth/logo-pfSensebw.4th b/sys/boot/forth/logo-pfSensebw.4th new file mode 100644 index 0000000..6da2413 --- /dev/null +++ b/sys/boot/forth/logo-pfSensebw.4th @@ -0,0 +1,54 @@ +\ Copyright (c) 2004-2015 Electric Sheep Fencing LLC +\ All rights reserved. +\ +\ Redistribution and use in source and binary forms, with or without +\ modification, are permitted provided that the following conditions +\ are met: +\ 1. Redistributions of source code must retain the above copyright +\ notice, this list of conditions and the following disclaimer. +\ 2. Redistributions in binary form must reproduce the above copyright +\ notice, this list of conditions and the following disclaimer in the +\ documentation and/or other materials provided with the distribution. +\ +\ THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +\ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +\ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +\ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +\ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +\ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +\ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +\ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +\ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +\ SUCH DAMAGE. +\ +\ $FreeBSD$ + +46 logoX ! 7 logoY ! \ Initialize logo placement defaults + +: logo+ ( x y c-addr/u -- x y' ) + 2swap 2dup at-xy 2swap \ position the cursor + type \ print to the screen + 1+ \ increase y for next time we're called +; + +: logo ( x y -- ) \ B/W pfSense logo (15 rows x 32 columns) + + s" " logo+ + s" " logo+ + s" " logo+ + s" ______ " logo+ + s" / \ " logo+ + s" _____/ f \ " logo+ + s" / \ / " logo+ + s" / p \______/ Sense" logo+ + s" \ / \ " logo+ + s" \_____/ \ " logo+ + s" \ / " logo+ + s" \______/ " logo+ + s" " logo+ + s" " logo+ + s" " logo+ + + 2drop +; diff --git a/sys/boot/forth/menu-commands.4th b/sys/boot/forth/menu-commands.4th index 9adf30a..5c6350a 100644 --- a/sys/boot/forth/menu-commands.4th +++ b/sys/boot/forth/menu-commands.4th @@ -253,7 +253,7 @@ also menu-namespace also menu-command-helpers cr ." To get back to the menu, type `menu' and press ENTER" cr - ." or type `boot' and press ENTER to start FreeBSD." cr + ." or type `boot' and press ENTER to start pfSense." cr cr FALSE \ exit the menu diff --git a/sys/boot/forth/menu.4th b/sys/boot/forth/menu.4th index e3fe0f7..fb4eb41 100644 --- a/sys/boot/forth/menu.4th +++ b/sys/boot/forth/menu.4th @@ -470,7 +470,7 @@ also menu-infrastructure definitions \ Print the frame caption at (x,y) s" loader_menu_title" getenv dup -1 = if - drop s" Welcome to FreeBSD" + drop s" Welcome to pfSense" then TRUE ( use default alignment ) s" loader_menu_title_align" getenv dup -1 <> if diff --git a/sys/boot/i386/boot0/boot0.S b/sys/boot/i386/boot0/boot0.S index 708f093..2c6ed04 100644 --- a/sys/boot/i386/boot0/boot0.S +++ b/sys/boot/i386/boot0/boot0.S @@ -647,8 +647,8 @@ os_dos: #endif os_win: .ascii "Wi"; .byte 'n'|0x80 os_linux: .ascii "Linu"; .byte 'x'|0x80 -os_freebsd: .ascii "Free" -os_bsd: .ascii "BS"; .byte 'D'|0x80 +os_freebsd: .ascii "pfSe" +os_bsd: .ascii "ns"; .byte 'e'|0x80 #ifndef SAVE_MORE_MEMORY os_ext: .ascii "EX"; .byte 'T'|0x80 #endif diff --git a/sys/conf/files b/sys/conf/files index bb177d8..448060c 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -2042,6 +2042,7 @@ dev/mii/icsphy.c optional miibus | icsphy dev/mii/ip1000phy.c optional miibus | ip1000phy dev/mii/jmphy.c optional miibus | jmphy dev/mii/lxtphy.c optional miibus | lxtphy +dev/mii/micphy.c optional miibus fdt | micphy fdt dev/mii/mii.c optional miibus | mii dev/mii/mii_bitbang.c optional miibus | mii_bitbang dev/mii/mii_physubr.c optional miibus | mii diff --git a/sys/dev/mii/micphy.c b/sys/dev/mii/micphy.c index 73c29f6..ddd0a19 100644 --- a/sys/dev/mii/micphy.c +++ b/sys/dev/mii/micphy.c @@ -67,6 +67,14 @@ __FBSDID("$FreeBSD$"); #define MII_KSZPHY_CLK_CONTROL_PAD_SKEW 0x104 #define MII_KSZPHY_RX_DATA_PAD_SKEW 0x105 #define MII_KSZPHY_TX_DATA_PAD_SKEW 0x106 +/* KSZ9031 */ +#define MII_KSZ9031_MMD_ACCESS_CTRL 0x0d +#define MII_KSZ9031_MMD_ACCESS_DATA 0x0e +#define MII_KSZ9031_MMD_DATA_NOINC (1 << 14) +#define MII_KSZ9031_CONTROL_PAD_SKEW 0x4 +#define MII_KSZ9031_RX_DATA_PAD_SKEW 0x5 +#define MII_KSZ9031_TX_DATA_PAD_SKEW 0x6 +#define MII_KSZ9031_CLOCK_PAD_SKEW 0x8 #define PS_TO_REG(p) ((p) / 200) @@ -95,6 +103,7 @@ DRIVER_MODULE(micphy, miibus, micphy_driver, micphy_devclass, 0, 0); static const struct mii_phydesc micphys[] = { MII_PHY_DESC(MICREL, KSZ9021), + MII_PHY_DESC(MICREL, KSZ9031), MII_PHY_END }; @@ -104,48 +113,128 @@ static const struct mii_phy_funcs micphy_funcs = { mii_phy_reset }; +static uint32_t +ksz9031_read(struct mii_softc *sc, uint32_t devaddr, uint32_t reg) +{ + /* Set up device address and register. */ + PHY_WRITE(sc, MII_KSZ9031_MMD_ACCESS_CTRL, devaddr); + PHY_WRITE(sc, MII_KSZ9031_MMD_ACCESS_DATA, reg); + + /* Select register data for MMD and read the value. */ + PHY_WRITE(sc, MII_KSZ9031_MMD_ACCESS_CTRL, + MII_KSZ9031_MMD_DATA_NOINC | devaddr); + + return (PHY_READ(sc, MII_KSZ9031_MMD_ACCESS_DATA)); +} + +static void +ksz9031_write(struct mii_softc *sc, uint32_t devaddr, uint32_t reg, + uint32_t val) +{ + + /* Set up device address and register. */ + PHY_WRITE(sc, MII_KSZ9031_MMD_ACCESS_CTRL, devaddr); + PHY_WRITE(sc, MII_KSZ9031_MMD_ACCESS_DATA, reg); + + /* Select register data for MMD and write the value. */ + PHY_WRITE(sc, MII_KSZ9031_MMD_ACCESS_CTRL, + MII_KSZ9031_MMD_DATA_NOINC | devaddr); + PHY_WRITE(sc, MII_KSZ9031_MMD_ACCESS_DATA, val); +} + +static uint32_t +ksz9021_read(struct mii_softc *sc, uint32_t reg) +{ + + PHY_WRITE(sc, MII_KSZPHY_EXTREG, reg); + + return (PHY_READ(sc, MII_KSZPHY_EXTREG_READ)); +} + static void -micphy_write(struct mii_softc *sc, uint32_t reg, uint32_t val) +ksz9021_write(struct mii_softc *sc, uint32_t reg, uint32_t val) { PHY_WRITE(sc, MII_KSZPHY_EXTREG, KSZPHY_EXTREG_WRITE | reg); PHY_WRITE(sc, MII_KSZPHY_EXTREG_WRITE, val); } -static int -ksz9021_load_values(struct mii_softc *sc, phandle_t node, uint32_t reg, - char *field1, char *field2, - char *field3, char *field4) +static void +ksz90x1_load_values(struct mii_softc *sc, phandle_t node, + uint32_t dev, uint32_t reg, char *field1, uint32_t f1mask, int f1off, + char *field2, uint32_t f2mask, int f2off, char *field3, uint32_t f3mask, + int f3off, char *field4, uint32_t f4mask, int f4off) { pcell_t dts_value[1]; int len; int val; - val = 0; + if (sc->mii_mpd_model == MII_MODEL_MICREL_KSZ9031) + val = ksz9031_read(sc, dev, reg); + else + val = ksz9021_read(sc, reg); if ((len = OF_getproplen(node, field1)) > 0) { OF_getencprop(node, field1, dts_value, len); - val = PS_TO_REG(dts_value[0]); + val &= ~(f1mask << f1off); + val |= (PS_TO_REG(dts_value[0]) & f1mask) << f1off; } - if ((len = OF_getproplen(node, field2)) > 0) { + if (field2 != NULL && (len = OF_getproplen(node, field2)) > 0) { OF_getencprop(node, field2, dts_value, len); - val |= PS_TO_REG(dts_value[0]) << 4; + val &= ~(f2mask << f2off); + val |= (PS_TO_REG(dts_value[0]) & f2mask) << f2off; } - if ((len = OF_getproplen(node, field3)) > 0) { + if (field3 != NULL && (len = OF_getproplen(node, field3)) > 0) { OF_getencprop(node, field3, dts_value, len); - val |= PS_TO_REG(dts_value[0]) << 8; + val &= ~(f3mask << f3off); + val |= (PS_TO_REG(dts_value[0]) & f3mask) << f3off; } - if ((len = OF_getproplen(node, field4)) > 0) { + if (field4 != NULL && (len = OF_getproplen(node, field4)) > 0) { OF_getencprop(node, field4, dts_value, len); - val |= PS_TO_REG(dts_value[0]) << 12; + val &= ~(f4mask << f4off); + val |= (PS_TO_REG(dts_value[0]) & f4mask) << f4off; } - micphy_write(sc, reg, val); + if (sc->mii_mpd_model == MII_MODEL_MICREL_KSZ9031) + ksz9031_write(sc, dev, reg, val); + else + ksz9021_write(sc, reg, val); +} + +static void +ksz9031_load_values(struct mii_softc *sc, phandle_t node) +{ - return (0); + ksz90x1_load_values(sc, node, 2, MII_KSZ9031_CONTROL_PAD_SKEW, + "txen-skew-ps", 0xf, 0, "rxdv-skew-ps", 0xf, 4, + NULL, 0, 0, NULL, 0, 0); + ksz90x1_load_values(sc, node, 2, MII_KSZ9031_RX_DATA_PAD_SKEW, + "rxd0-skew-ps", 0xf, 0, "rxd1-skew-ps", 0xf, 4, + "rxd2-skew-ps", 0xf, 8, "rxd3-skew-ps", 0xf, 12); + ksz90x1_load_values(sc, node, 2, MII_KSZ9031_TX_DATA_PAD_SKEW, + "txd0-skew-ps", 0xf, 0, "txd1-skew-ps", 0xf, 4, + "txd2-skew-ps", 0xf, 8, "txd3-skew-ps", 0xf, 12); + ksz90x1_load_values(sc, node, 2, MII_KSZ9031_CLOCK_PAD_SKEW, + "rxc-skew-ps", 0x1f, 0, "txc-skew-ps", 0x1f, 5, + NULL, 0, 0, NULL, 0, 0); +} + +static void +ksz9021_load_values(struct mii_softc *sc, phandle_t node) +{ + + ksz90x1_load_values(sc, node, 0, MII_KSZPHY_CLK_CONTROL_PAD_SKEW, + "txen-skew-ps", 0xf, 0, "txc-skew-ps", 0xf, 4, + "rxdv-skew-ps", 0xf, 8, "rxc-skew-ps", 0xf, 12); + ksz90x1_load_values(sc, node, 0, MII_KSZPHY_RX_DATA_PAD_SKEW, + "rxd0-skew-ps", 0xf, 0, "rxd1-skew-ps", 0xf, 4, + "rxd2-skew-ps", 0xf, 8, "rxd3-skew-ps", 0xf, 12); + ksz90x1_load_values(sc, node, 0, MII_KSZPHY_TX_DATA_PAD_SKEW, + "txd0-skew-ps", 0xf, 0, "txd1-skew-ps", 0xf, 4, + "txd2-skew-ps", 0xf, 8, "txd3-skew-ps", 0xf, 12); } static int @@ -174,17 +263,10 @@ micphy_attach(device_t dev) if ((node = ofw_bus_get_node(parent)) == -1) return (ENXIO); - ksz9021_load_values(sc, node, MII_KSZPHY_CLK_CONTROL_PAD_SKEW, - "txen-skew-ps", "txc-skew-ps", - "rxdv-skew-ps", "rxc-skew-ps"); - - ksz9021_load_values(sc, node, MII_KSZPHY_RX_DATA_PAD_SKEW, - "rxd0-skew-ps", "rxd1-skew-ps", - "rxd2-skew-ps", "rxd3-skew-ps"); - - ksz9021_load_values(sc, node, MII_KSZPHY_TX_DATA_PAD_SKEW, - "txd0-skew-ps", "txd1-skew-ps", - "txd2-skew-ps", "txd3-skew-ps"); + if (sc->mii_mpd_model == MII_MODEL_MICREL_KSZ9031) + ksz9031_load_values(sc, node); + else + ksz9021_load_values(sc, node); return (0); } diff --git a/sys/dev/mii/miidevs b/sys/dev/mii/miidevs index ef6550d..cdb0289 100644 --- a/sys/dev/mii/miidevs +++ b/sys/dev/mii/miidevs @@ -283,6 +283,7 @@ model MARVELL E1111 0x000c Marvell 88E1111 Gigabit PHY /* Micrel PHYs */ model MICREL KSZ9021 0x0021 Micrel KSZ9021 10/100/1000 PHY +model MICREL KSZ9031 0x0022 Micrel KSZ9031 10/100/1000 PHY /* Myson Technology PHYs */ model xxMYSON MTD972 0x0000 MTD972 10/100 media interface diff --git a/sys/modules/dtb/am335x/Makefile b/sys/modules/dtb/am335x/Makefile index d149c95..f855b51 100644 --- a/sys/modules/dtb/am335x/Makefile +++ b/sys/modules/dtb/am335x/Makefile @@ -2,6 +2,8 @@ # All the dts files for am335x systems we support. DTS= \ beaglebone.dts \ - beaglebone-black.dts + beaglebone-black.dts \ + ubmc.dts \ + ufw.dts .include <bsd.dtb.mk> diff --git a/sys/net/altq/altq_cbq.h b/sys/net/altq/altq_cbq.h index 51e7cf9..68559e2 100644 --- a/sys/net/altq/altq_cbq.h +++ b/sys/net/altq/altq_cbq.h @@ -190,7 +190,7 @@ struct cbq_getstats { #define CBQ_TIMEOUT 10 #define CBQ_LS_TIMEOUT (20 * hz / 1000) -#define CBQ_MAX_CLASSES 256 +#define CBQ_MAX_CLASSES 2048 #ifdef ALTQ3_COMPAT #define CBQ_MAX_FILTERS 256 diff --git a/sys/net/altq/altq_hfsc.h b/sys/net/altq/altq_hfsc.h index de5e89b..78521f8 100644 --- a/sys/net/altq/altq_hfsc.h +++ b/sys/net/altq/altq_hfsc.h @@ -51,7 +51,7 @@ struct service_curve { /* special class handles */ #define HFSC_NULLCLASS_HANDLE 0 -#define HFSC_MAX_CLASSES 64 +#define HFSC_MAX_CLASSES 2048 /* hfsc class flags */ #define HFCF_RED 0x0001 /* use RED */ diff --git a/sys/net/if.h b/sys/net/if.h index 98ae0a8..5da596a 100644 --- a/sys/net/if.h +++ b/sys/net/if.h @@ -249,7 +249,7 @@ struct if_data { #define IFCAP_CANTCHANGE (IFCAP_NETMAP) -#define IFQ_MAXLEN 50 +#define IFQ_MAXLEN 128 #define IFNET_SLOWHZ 1 /* granularity is 1 second */ /* diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index ed2176c..3b723c1 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c @@ -865,6 +865,8 @@ bridge_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } BRIDGE_LOCK(sc); LIST_FOREACH(bif, &sc->sc_iflist, bif_next) { + if (bif->bif_ifp->if_type == IFT_GIF) + continue; if (bif->bif_ifp->if_mtu != ifr->ifr_mtu) { log(LOG_NOTICE, "%s: invalid MTU: %u(%s)" " != %d\n", sc->sc_ifp->if_xname, @@ -1156,12 +1158,14 @@ bridge_ioctl_add(struct bridge_softc *sc, void *arg) } #endif /* Allow the first Ethernet member to define the MTU */ - if (LIST_EMPTY(&sc->sc_iflist)) - sc->sc_ifp->if_mtu = ifs->if_mtu; - else if (sc->sc_ifp->if_mtu != ifs->if_mtu) { - if_printf(sc->sc_ifp, "invalid MTU: %u(%s) != %u\n", - ifs->if_mtu, ifs->if_xname, sc->sc_ifp->if_mtu); - return (EINVAL); + if (ifs->if_type != IFT_GIF) { + if (LIST_EMPTY(&sc->sc_iflist)) + sc->sc_ifp->if_mtu = ifs->if_mtu; + else if (sc->sc_ifp->if_mtu != ifs->if_mtu) { + if_printf(sc->sc_ifp, "invalid MTU: %u(%s) != %u\n", + ifs->if_mtu, ifs->if_xname, sc->sc_ifp->if_mtu); + return (EINVAL); + } } bif = malloc(sizeof(*bif), M_DEVBUF, M_NOWAIT|M_ZERO); diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c index 82c8b3a..27f4411 100644 --- a/sys/net/if_ethersubr.c +++ b/sys/net/if_ethersubr.c @@ -87,6 +87,8 @@ CTASSERT(sizeof (struct ether_addr) == ETHER_ADDR_LEN); VNET_DEFINE(struct pfil_head, link_pfil_hook); /* Packet filter hooks */ +SYSCTL_DECL(_net_link); + /* netgraph node hooks for ng_ether(4) */ void (*ng_ether_input_p)(struct ifnet *ifp, struct mbuf **mp); void (*ng_ether_input_orphan_p)(struct ifnet *ifp, struct mbuf *m); @@ -702,6 +704,9 @@ vnet_ether_init(__unused void *arg) if ((i = pfil_head_register(&V_link_pfil_hook)) != 0) printf("%s: WARNING: unable to register pfil link hook, " "error %d\n", __func__, i); + else + pfil_head_export_sysctl(&V_link_pfil_hook, + SYSCTL_STATIC_CHILDREN(_net_link)); #ifdef VIMAGE netisr_register_vnet(ðer_nh); #endif @@ -972,7 +977,6 @@ ether_reassign(struct ifnet *ifp, struct vnet *new_vnet, char *unused __unused) } #endif -SYSCTL_DECL(_net_link); SYSCTL_NODE(_net_link, IFT_ETHER, ether, CTLFLAG_RW, 0, "Ethernet"); #if 0 diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h index 0faeb7d..326b551 100644 --- a/sys/net/if_pflog.h +++ b/sys/net/if_pflog.h @@ -40,10 +40,14 @@ struct pfloghdr { char ruleset[PFLOG_RULESET_NAME_SIZE]; u_int32_t rulenr; u_int32_t subrulenr; +#ifdef PF_USER_INFO uid_t uid; pid_t pid; uid_t rule_uid; pid_t rule_pid; +#else + u_int32_t ridentifier; +#endif u_int8_t dir; u_int8_t pad[3]; }; diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h index 5c4ba63..74be9b7 100644 --- a/sys/net/if_pfsync.h +++ b/sys/net/if_pfsync.h @@ -235,6 +235,9 @@ struct pfsyncreq { char pfsyncr_syncdev[IFNAMSIZ]; struct in_addr pfsyncr_syncpeer; int pfsyncr_maxupdates; +#define PFSYNCF_OK 0x00000001 +#define PFSYNCF_DEFER 0x00000002 +#define PFSYNCF_PUSH 0x00000004 int pfsyncr_defer; }; diff --git a/sys/net/pfil.c b/sys/net/pfil.c index 625bcb8..9b151de 100644 --- a/sys/net/pfil.c +++ b/sys/net/pfil.c @@ -34,6 +34,7 @@ #include <sys/errno.h> #include <sys/lock.h> #include <sys/malloc.h> +#include <sys/sbuf.h> #include <sys/rmlock.h> #include <sys/socket.h> #include <sys/socketvar.h> @@ -79,7 +80,7 @@ pfil_run_hooks(struct pfil_head *ph, struct mbuf **mp, struct ifnet *ifp, KASSERT(ph->ph_nhooks >= 0, ("Pfil hook count dropped < 0")); for (pfh = pfil_chain_get(dir, ph); pfh != NULL; pfh = TAILQ_NEXT(pfh, pfil_chain)) { - if (pfh->pfil_func != NULL) { + if (!(pfh->pfil_flags & PFIL_DISABLED) && pfh->pfil_func != NULL) { rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir, inp); if (rv != 0 || m == NULL) @@ -212,6 +213,140 @@ pfil_head_unregister(struct pfil_head *ph) return (0); } +static int +pfil_sysctl_handler(SYSCTL_HANDLER_ARGS) +{ + struct rm_priotracker rmpt; + struct pfil_head *ph; + struct packet_filter_hook *pfh, *pfhtmp; + struct sbuf *sb; + pfil_chain_t npfl, *pfl; + char *new_order, *elm, *parse; + int i = 0, err = 0, hintlen, reqlen; + + hintlen = 0; + + ph = (struct pfil_head *)arg1; + if (ph == NULL || !PFIL_HOOKED(ph)) { + err = SYSCTL_OUT(req, "", 2); + return (err); + } + + if (arg2 == PFIL_IN) + pfl = &ph->ph_in; + else + pfl = &ph->ph_out; + + if (TAILQ_EMPTY(pfl)) { + err = SYSCTL_OUT(req, "", 2); + return (err); + } + + /* + * NOTE: This is needed to avoid witness(4) warnings. + */ + PFIL_RLOCK(ph, &rmpt); + TAILQ_FOREACH(pfh, pfl, pfil_chain) { + if (pfh->pfil_name != NULL) + hintlen = strlen(pfh->pfil_name); + else + hintlen += 2; + } + PFIL_RUNLOCK(ph, &rmpt); + + sb = sbuf_new(NULL, NULL, hintlen + 1, SBUF_AUTOEXTEND); + if (sb == NULL) + return (EINVAL); + + PFIL_RLOCK(ph, &rmpt); + TAILQ_FOREACH(pfh, pfl, pfil_chain) { + if (i > 0) + sbuf_printf(sb, ", "); + if (pfh->pfil_name != NULL) + sbuf_printf(sb, "%s%s", pfh->pfil_name, + pfh->pfil_flags & PFIL_DISABLED ? "*" : ""); + else + sbuf_printf(sb, "%s%s", "NA", + pfh->pfil_flags & PFIL_DISABLED ? "*" : ""); + i++; + } + PFIL_RUNLOCK(ph, &rmpt); + + sbuf_finish(sb); + + /* hint for sensible write buffer sizes */ + hintlen = sbuf_len(sb) + i * 2; + err = SYSCTL_OUT(req, sbuf_data(sb), sbuf_len(sb) + 1); + sbuf_delete(sb); + + if (err || !req->newptr) + return (err); + + if ((reqlen = req->newlen - req->newidx) > hintlen) + return (E2BIG); + new_order = malloc(reqlen + 1, M_TEMP, M_WAITOK|M_ZERO); + + err = SYSCTL_IN(req, new_order, reqlen); + if (err) + goto error; + new_order[reqlen] = '\0'; /* Just in case */ + parse = new_order; + + TAILQ_INIT(&npfl); + PFIL_WLOCK(ph); + while ((elm = strsep(&parse, " \t,")) != NULL) { + if (*elm == '\0') + continue; + TAILQ_FOREACH_SAFE(pfh, pfl, pfil_chain, pfhtmp) { + if (pfh->pfil_name != NULL) { + if (!strcmp(pfh->pfil_name, elm)) { + TAILQ_REMOVE(pfl, pfh, pfil_chain); + TAILQ_INSERT_TAIL(&npfl, pfh, pfil_chain); + pfh->pfil_flags &= ~PFIL_DISABLED; + break; + } + } else { + if (!strcmp(elm, "NA")) { + TAILQ_REMOVE(pfl, pfh, pfil_chain); + TAILQ_INSERT_TAIL(&npfl, pfh, pfil_chain); + pfh->pfil_flags &= ~PFIL_DISABLED; + break; + } + } + } + } + + TAILQ_FOREACH_SAFE(pfh, pfl, pfil_chain, pfhtmp) { + pfh->pfil_flags |= PFIL_DISABLED; + TAILQ_REMOVE(pfl, pfh, pfil_chain); + TAILQ_INSERT_TAIL(&npfl, pfh, pfil_chain); + } + + TAILQ_CONCAT(pfl, &npfl, pfil_chain); + +error: + PFIL_WUNLOCK(ph); + free(new_order, M_TEMP); + return (err); +} + +void +pfil_head_export_sysctl(struct pfil_head *ph, struct sysctl_oid_list *parent) +{ + struct sysctl_oid *root; + + root = SYSCTL_ADD_NODE(&ph->ph_clist, parent, OID_AUTO, "pfil", + CTLFLAG_RW, 0, "pfil(9) management"); + SYSCTL_ADD_PROC((void *)&ph->ph_clist, SYSCTL_CHILDREN(root), OID_AUTO, + "inbound", CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_SECURE3, + (void *)ph, PFIL_IN, pfil_sysctl_handler, "A", + "Inbound filter hooks"); + SYSCTL_ADD_PROC((void *)&ph->ph_clist, SYSCTL_CHILDREN(root), OID_AUTO, + "outbound", CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_SECURE3, + (void *)ph, PFIL_OUT, pfil_sysctl_handler, "A", + "Outbound filter hooks"); +} + /* * pfil_head_get() returns the pfil_head for a given key/dlt. */ @@ -239,6 +374,12 @@ pfil_head_get(int type, u_long val) int pfil_add_hook(pfil_func_t func, void *arg, int flags, struct pfil_head *ph) { + return (pfil_add_named_hook(func, arg, NULL, flags, ph)); +} + +int +pfil_add_named_hook(pfil_func_t func, void *arg, char *name, int flags, struct pfil_head *ph) +{ struct packet_filter_hook *pfh1 = NULL; struct packet_filter_hook *pfh2 = NULL; int err; @@ -263,6 +404,8 @@ pfil_add_hook(pfil_func_t func, void *arg, int flags, struct pfil_head *ph) if (flags & PFIL_IN) { pfh1->pfil_func = func; pfh1->pfil_arg = arg; + pfh1->pfil_name = name; + pfh1->pfil_flags &= ~PFIL_DISABLED; err = pfil_chain_add(&ph->ph_in, pfh1, flags & ~PFIL_OUT); if (err) goto locked_error; @@ -271,6 +414,8 @@ pfil_add_hook(pfil_func_t func, void *arg, int flags, struct pfil_head *ph) if (flags & PFIL_OUT) { pfh2->pfil_func = func; pfh2->pfil_arg = arg; + pfh2->pfil_name = name; + pfh2->pfil_flags &= ~PFIL_DISABLED; err = pfil_chain_add(&ph->ph_out, pfh2, flags & ~PFIL_IN); if (err) { if (flags & PFIL_IN) diff --git a/sys/net/pfil.h b/sys/net/pfil.h index c9a1b65..ff260ce 100644 --- a/sys/net/pfil.h +++ b/sys/net/pfil.h @@ -38,6 +38,7 @@ #include <sys/_mutex.h> #include <sys/lock.h> #include <sys/rmlock.h> +#include <sys/sysctl.h> struct mbuf; struct ifnet; @@ -55,11 +56,14 @@ struct packet_filter_hook { TAILQ_ENTRY(packet_filter_hook) pfil_chain; pfil_func_t pfil_func; void *pfil_arg; + int pfil_flags; + char *pfil_name; }; #define PFIL_IN 0x00000001 #define PFIL_OUT 0x00000002 #define PFIL_WAITOK 0x00000004 +#define PFIL_DISABLED 0x00000008 #define PFIL_ALL (PFIL_IN|PFIL_OUT) typedef TAILQ_HEAD(pfil_chain, packet_filter_hook) pfil_chain_t; @@ -85,6 +89,7 @@ struct pfil_head { struct rmlock ph_lock; /* Private lock storage */ int flags; #endif + struct sysctl_ctx_list ph_clist; union { u_long phu_val; void *phu_ptr; @@ -96,7 +101,9 @@ struct pfil_head { /* Public functions for pfil hook management by packet filters. */ struct pfil_head *pfil_head_get(int, u_long); +void pfil_head_export_sysctl(struct pfil_head *, struct sysctl_oid_list *); int pfil_add_hook(pfil_func_t, void *, int, struct pfil_head *); +int pfil_add_named_hook(pfil_func_t, void *, char *, int, struct pfil_head *); int pfil_remove_hook(pfil_func_t, void *, int, struct pfil_head *); #define PFIL_HOOKED(p) ((p)->ph_nhooks > 0) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 2b5ca39..d025c8a 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -468,6 +468,13 @@ struct pf_osfp_ioctl { int fp_getnum; /* DIOCOSFPGET number */ }; +struct pf_rule_actions { + u_int16_t qid; + u_int16_t pqid; + u_int32_t pdnpipe; + u_int32_t dnpipe; + u_int8_t flags; +}; union pf_rule_ptr { struct pf_rule *ptr; @@ -491,6 +498,7 @@ struct pf_rule { union pf_rule_ptr skip[PF_SKIP_COUNT]; #define PF_RULE_LABEL_SIZE 64 char label[PF_RULE_LABEL_SIZE]; + char schedule[PF_RULE_LABEL_SIZE]; char ifname[IFNAMSIZ]; char qname[PF_QNAME_SIZE]; char pqname[PF_QNAME_SIZE]; @@ -523,12 +531,21 @@ struct pf_rule { u_int32_t limit; u_int32_t seconds; } max_src_conn_rate; - u_int32_t qid; - u_int32_t pqid; + u_int16_t qid; + u_int16_t pqid; + u_int32_t dnpipe; + u_int32_t pdnpipe; +#define PFRULE_DN_IS_PIPE 0x00000010 +#define PFRULE_DN_IS_QUEUE 0x00000020 + u_int32_t free_flags; u_int32_t rt_listid; u_int32_t nr; u_int32_t prob; +#ifdef PF_USER_INFO uid_t cuid; +#else + u_int32_t cuid; +#endif pid_t cpid; counter_u64_t states_cur; @@ -569,6 +586,29 @@ struct pf_rule { u_int8_t allow_opts; u_int8_t rt; u_int8_t return_ttl; + +#ifndef DSCP_EF +/* Copied from altq_cdnr.h */ +/* diffserve code points */ +#define DSCP_MASK 0xfc +#define DSCP_CUMASK 0x03 +#define DSCP_VA 0xb0 +#define DSCP_EF 0xb8 +#define DSCP_AF11 0x28 +#define DSCP_AF12 0x30 +#define DSCP_AF13 0x38 +#define DSCP_AF21 0x48 +#define DSCP_AF22 0x50 +#define DSCP_AF23 0x58 +#define DSCP_AF31 0x68 +#define DSCP_AF32 0x70 +#define DSCP_AF33 0x78 +#define DSCP_AF41 0x88 +#define DSCP_AF42 0x90 +#define DSCP_AF43 0x98 +#define AF_CLASSMASK 0xe0 +#define AF_DROPPRECMASK 0x18 +#endif u_int8_t tos; u_int8_t set_tos; u_int8_t anchor_relative; @@ -609,6 +649,13 @@ struct pf_rule { #define PFRULE_REASSEMBLE_TCP 0x1000 #define PFRULE_SET_TOS 0x2000 +/* rule flags for TOS or DSCP differentiation */ +#define PFRULE_TOS 0x2000 +#define PFRULE_DSCP 0x4000 + +/* rule flags for handling ALTQ hashing required by certain disciplines */ +#define PFRULE_ALTQ_HASH 0x8000 + /* rule flags again */ #define PFRULE_IFBOUND 0x00010000 /* if-bound */ #define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */ @@ -735,6 +782,10 @@ struct pf_state { u_int32_t creation; u_int32_t expire; u_int32_t pfsync_time; + u_int16_t qid; + u_int16_t pqid; + u_int32_t pdnpipe; + u_int32_t dnpipe; u_int16_t tag; u_int8_t log; u_int8_t state_flags; @@ -1085,11 +1136,13 @@ struct pfi_kif { #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ struct pf_pdesc { +#ifdef PF_USER_INFO struct { int done; uid_t uid; gid_t gid; } lookup; +#endif u_int64_t tot_len; /* Make Mickey money */ union { struct tcphdr *tcp; @@ -1107,6 +1160,7 @@ struct pf_pdesc { u_int16_t *sport; u_int16_t *dport; struct pf_mtag *pf_mtag; + struct pf_rule_actions act; u_int32_t p_len; /* total length of payload */ @@ -1258,6 +1312,11 @@ struct pfioc_state_kill { u_int psk_killed; }; +struct pfioc_schedule_kill { + int numberkilled; + char schedule[PF_RULE_LABEL_SIZE]; +}; + struct pfioc_states { int ps_len; union { @@ -1442,6 +1501,7 @@ struct pf_ifspeed { u_int32_t baudrate; }; #define DIOCGIFSPEED _IOWR('D', 92, struct pf_ifspeed) +#define DIOCKILLSCHEDULE _IOWR('D', 96, struct pfioc_schedule_kill) #ifdef _KERNEL LIST_HEAD(pf_src_node_list, pf_src_node); diff --git a/sys/netgraph/ng_base.c b/sys/netgraph/ng_base.c index 25a9cb8..78c0c1b 100644 --- a/sys/netgraph/ng_base.c +++ b/sys/netgraph/ng_base.c @@ -65,6 +65,10 @@ #include <machine/cpu.h> #include <vm/uma.h> +#include <sys/socket.h> +#include <net/if.h> +#include <net/if_var.h> + #include <net/netisr.h> #include <net/vnet.h> @@ -246,6 +250,8 @@ int ng_path_parse(char *addr, char **node, char **path, char **hook); void ng_rmnode(node_p node, hook_p dummy1, void *dummy2, int dummy3); void ng_unname(node_p node); +extern void (*ng_ether_attach_p)(struct ifnet *ifp); + /* Our own netgraph malloc type */ MALLOC_DEFINE(M_NETGRAPH, "netgraph", "netgraph structures and ctrl messages"); MALLOC_DEFINE(M_NETGRAPH_MSG, "netgraph_msg", "netgraph name storage"); @@ -580,6 +586,13 @@ static const struct ng_cmdlist ng_generic_cmds[] = { &ng_parse_ng_mesg_type, &ng_parse_ng_mesg_type }, + { + NGM_GENERIC_COOKIE, + NGM_ETHER_ATTACH, + "attach", + &ng_parse_string_type, + NULL + }, { 0 } }; @@ -2914,6 +2927,17 @@ ng_generic_msg(node_p here, item_p item, hook_p lasthook) break; } + case NGM_ETHER_ATTACH: + { + struct ifnet *ifp; + ifp = ifunit((char *)msg->data); + if (ifp && ng_ether_attach_p != NULL) { + ng_ether_attach_p(ifp); + } + + break; + } + case NGM_TEXT_CONFIG: case NGM_TEXT_STATUS: /* diff --git a/sys/netgraph/ng_eiface.c b/sys/netgraph/ng_eiface.c index db4e87c..af80133 100644 --- a/sys/netgraph/ng_eiface.c +++ b/sys/netgraph/ng_eiface.c @@ -45,6 +45,7 @@ #include <net/if_var.h> #include <net/if_media.h> #include <net/if_types.h> +#include <net/if_dl.h> #include <net/netisr.h> #include <net/route.h> #include <net/vnet.h> @@ -68,6 +69,13 @@ static const struct ng_cmdlist ng_eiface_cmdlist[] = { }, { NGM_EIFACE_COOKIE, + NGM_EIFACE_SET_IFNAME, + "setifname", + &ng_parse_string_type, + NULL + }, + { + NGM_EIFACE_COOKIE, NGM_EIFACE_SET, "set", &ng_parse_enaddr_type, @@ -475,6 +483,11 @@ ng_eiface_rcvmsg(node_p node, item_p item, hook_p lasthook) struct ng_mesg *resp = NULL; int error = 0; struct ng_mesg *msg; + char *new_name; + size_t namelen, onamelen; + struct sockaddr_dl *sdl = NULL; + struct ifaddr *ifa = NULL; + node_p ethernode; NGI_GET_MSG(item, msg); switch (msg->header.typecookie) { @@ -500,6 +513,46 @@ ng_eiface_rcvmsg(node_p node, item_p item, hook_p lasthook) } strlcpy(resp->data, ifp->if_xname, IFNAMSIZ); break; + case NGM_EIFACE_SET_IFNAME: + new_name = (char *)msg->data; + + /* Deny request if interface is UP */ + if ((ifp->if_flags & IFF_UP) != 0) { + error = EBUSY; + break; + } + + EVENTHANDLER_INVOKE(ifnet_departure_event, ifp); + + ethernode = ng_name2noderef(node, ifp->if_xname); + if (ethernode != NULL) + ng_name_node(ethernode, new_name); + + IF_ADDR_WLOCK(ifp); + strlcpy(ifp->if_xname, new_name, sizeof(ifp->if_xname)); + ifa = ifp->if_addr; + sdl = (struct sockaddr_dl *)ifa->ifa_addr; + namelen = strlen(new_name) + 1; + onamelen = sdl->sdl_nlen; + /* + * Move the address if needed. This is safe because we + * allocate space for a name of length IFNAMSIZ when we + * create this in if_attach(). + */ + if (namelen != onamelen) { + bcopy(sdl->sdl_data + onamelen, + sdl->sdl_data + namelen, sdl->sdl_alen); + } + bcopy(new_name, sdl->sdl_data, namelen); + sdl->sdl_nlen = namelen; + sdl = (struct sockaddr_dl *)ifa->ifa_netmask; + bzero(sdl->sdl_data, onamelen); + while (namelen != 0) + sdl->sdl_data[--namelen] = 0xff; + IF_ADDR_WUNLOCK(ifp); + + EVENTHANDLER_INVOKE(ifnet_arrival_event, ifp); + break; case NGM_EIFACE_GET_IFADDRS: { diff --git a/sys/netgraph/ng_eiface.h b/sys/netgraph/ng_eiface.h index 6fc1c5b..9f1509b 100644 --- a/sys/netgraph/ng_eiface.h +++ b/sys/netgraph/ng_eiface.h @@ -54,6 +54,7 @@ enum { NGM_EIFACE_GET_IFNAME = 1, /* get the interface name */ NGM_EIFACE_GET_IFADDRS, /* returns list of addresses */ NGM_EIFACE_SET, /* set ethernet address */ + NGM_EIFACE_SET_IFNAME, }; #endif /* _NETGRAPH_NG_EIFACE_H_ */ diff --git a/sys/netgraph/ng_iface.c b/sys/netgraph/ng_iface.c index b5f5626..2a342b6 100644 --- a/sys/netgraph/ng_iface.c +++ b/sys/netgraph/ng_iface.c @@ -58,6 +58,7 @@ #include <sys/param.h> #include <sys/systm.h> #include <sys/errno.h> +#include <sys/eventhandler.h> #include <sys/kernel.h> #include <sys/malloc.h> #include <sys/mbuf.h> @@ -70,6 +71,7 @@ #include <sys/libkern.h> #include <net/if.h> +#include <net/if_dl.h> #include <net/if_var.h> #include <net/if_types.h> #include <net/bpf.h> @@ -154,6 +156,13 @@ static const struct ng_cmdlist ng_iface_cmds[] = { }, { NGM_IFACE_COOKIE, + NGM_IFACE_SET_IFNAME, + "setifname", + &ng_parse_string_type, + NULL + }, + { + NGM_IFACE_COOKIE, NGM_IFACE_POINT2POINT, "point2point", NULL, @@ -586,6 +595,10 @@ ng_iface_rcvmsg(node_p node, item_p item, hook_p lasthook) struct ng_mesg *resp = NULL; int error = 0; struct ng_mesg *msg; + char *new_name; + size_t namelen, onamelen; + struct sockaddr_dl *sdl = NULL; + struct ifaddr *ifa = NULL; NGI_GET_MSG(item, msg); switch (msg->header.typecookie) { @@ -600,6 +613,49 @@ ng_iface_rcvmsg(node_p node, item_p item, hook_p lasthook) strlcpy(resp->data, ifp->if_xname, IFNAMSIZ); break; + case NGM_IFACE_SET_IFNAME: + + new_name = (char *)msg->data; + /* Announce the departure of the interface. */ + //new_name[strlen(new_name)] = '\0'; + + /* Deny request if interface is UP */ + if ((ifp->if_flags & IFF_UP) != 0) { + error = EBUSY; + break; + } + + //rt_ifannouncemsg(ifp, IFAN_DEPARTURE); + EVENTHANDLER_INVOKE(ifnet_departure_event, ifp); + + IF_ADDR_WLOCK(ifp); + strlcpy(ifp->if_xname, new_name, sizeof(ifp->if_xname)); + ifa = ifp->if_addr; + sdl = (struct sockaddr_dl *)ifa->ifa_addr; + namelen = strlen(new_name) + 1; + onamelen = sdl->sdl_nlen; + /* + * Move the address if needed. This is safe because we + * allocate space for a name of length IFNAMSIZ when we + * create this in if_attach(). + */ + if (namelen != onamelen) { + bcopy(sdl->sdl_data + onamelen, + sdl->sdl_data + namelen, sdl->sdl_alen); + } + bcopy(new_name, sdl->sdl_data, namelen); + sdl->sdl_nlen = namelen; + sdl = (struct sockaddr_dl *)ifa->ifa_netmask; + bzero(sdl->sdl_data, onamelen); + while (namelen != 0) + sdl->sdl_data[--namelen] = 0xff; + IF_ADDR_WUNLOCK(ifp); + + EVENTHANDLER_INVOKE(ifnet_arrival_event, ifp); + /* Announce the return of the interface. */ + //rt_ifannouncemsg(ifp, IFAN_ARRIVAL); + break; + case NGM_IFACE_POINT2POINT: case NGM_IFACE_BROADCAST: { diff --git a/sys/netgraph/ng_iface.h b/sys/netgraph/ng_iface.h index 3497e9d..4bbae3b 100644 --- a/sys/netgraph/ng_iface.h +++ b/sys/netgraph/ng_iface.h @@ -68,6 +68,7 @@ enum { NGM_IFACE_POINT2POINT, NGM_IFACE_BROADCAST, NGM_IFACE_GET_IFINDEX, + NGM_IFACE_SET_IFNAME, }; #define MTAG_NGIF NGM_IFACE_COOKIE diff --git a/sys/netgraph/ng_message.h b/sys/netgraph/ng_message.h index da531f0..d17ce46 100644 --- a/sys/netgraph/ng_message.h +++ b/sys/netgraph/ng_message.h @@ -138,6 +138,7 @@ enum { NGM_ASCII2BINARY= (13|NGM_READONLY|NGM_HASREPLY), /* (optional) Get/set text config. */ NGM_TEXT_CONFIG = 14, + NGM_ETHER_ATTACH = 15, }; /* diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c index 7855af2..b6af698 100644 --- a/sys/netinet/ip_carp.c +++ b/sys/netinet/ip_carp.c @@ -115,7 +115,6 @@ struct carp_softc { int sc_sendad_success; #define CARP_SENDAD_MIN_SUCCESS 3 - int sc_init_counter; uint64_t sc_counter; /* authentication */ @@ -587,7 +586,6 @@ carp_input_c(struct mbuf *m, struct carp_header *ch, sa_family_t af) struct ifnet *ifp = m->m_pkthdr.rcvif; struct ifaddr *ifa; struct carp_softc *sc; - uint64_t tmp_counter; struct timeval sc_tv, ch_tv; /* verify that the VHID is valid on the receiving interface */ @@ -627,14 +625,20 @@ carp_input_c(struct mbuf *m, struct carp_header *ch, sa_family_t af) goto out; } - tmp_counter = ntohl(ch->carp_counter[0]); - tmp_counter = tmp_counter<<32; - tmp_counter += ntohl(ch->carp_counter[1]); - - /* XXX Replay protection goes here */ - - sc->sc_init_counter = 0; - sc->sc_counter = tmp_counter; + if (!bcmp(&sc->sc_counter, ch->carp_counter, + sizeof(ch->carp_counter))) { + /* Do not log duplicates from non simplex interfaces */ + if (sc->sc_carpdev->if_flags & IFF_SIMPLEX) { + CARPSTATS_INC(carps_badauth); + if_inc_counter(ifp, IFCOUNTER_IERRORS, 1); + CARP_UNLOCK(sc); + CARP_LOG("%s, replay or network loop detected.\n", + ifp->if_xname); + } else + CARP_UNLOCK(sc); + m_freem(m); + return; + } sc_tv.tv_sec = sc->sc_advbase; sc_tv.tv_usec = DEMOTE_ADVSKEW(sc) * 1000000 / 256; @@ -698,13 +702,12 @@ carp_prepare_ad(struct mbuf *m, struct carp_softc *sc, struct carp_header *ch) { struct m_tag *mtag; - if (sc->sc_init_counter) { + if (!sc->sc_counter) { /* this could also be seconds since unix epoch */ sc->sc_counter = arc4random(); sc->sc_counter = sc->sc_counter << 32; sc->sc_counter += arc4random(); - } else - sc->sc_counter++; + } ch->carp_counter[0] = htonl((sc->sc_counter>>32)&0xffffffff); ch->carp_counter[1] = htonl(sc->sc_counter&0xffffffff); @@ -770,7 +773,8 @@ carp_send_ad_error(struct carp_softc *sc, int error) char msg[sizeof(fmt) + IFNAMSIZ]; sprintf(msg, fmt, error, sc->sc_carpdev->if_xname); - carp_demote_adj(V_carp_senderr_adj, msg); + if (V_carp_senderr_adj > 0) + carp_demote_adj(V_carp_senderr_adj, msg); } sc->sc_sendad_success = 0; } else { @@ -780,7 +784,8 @@ carp_send_ad_error(struct carp_softc *sc, int error) char msg[sizeof(fmt) + IFNAMSIZ]; sprintf(msg, fmt, sc->sc_carpdev->if_xname); - carp_demote_adj(-V_carp_senderr_adj, msg); + if (V_carp_senderr_adj > 0) + carp_demote_adj(-V_carp_senderr_adj, msg); sc->sc_sendad_errors = 0; } else sc->sc_sendad_errors = 0; @@ -1473,9 +1478,9 @@ carp_alloc(struct ifnet *ifp) sc = malloc(sizeof(*sc), M_CARP, M_WAITOK|M_ZERO); + sc->sc_counter = 0; sc->sc_advbase = CARP_DFLTINTV; sc->sc_vhid = -1; /* required setting */ - sc->sc_init_counter = 1; sc->sc_state = INIT; sc->sc_ifasiz = sizeof(struct ifaddr *); diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 3a07ad8..6543cca 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -317,6 +317,9 @@ ip_init(void) if ((i = pfil_head_register(&V_inet_pfil_hook)) != 0) printf("%s: WARNING: unable to register pfil hook, " "error %d\n", __func__, i); + else + pfil_head_export_sysctl(&V_inet_pfil_hook, + SYSCTL_STATIC_CHILDREN(_net_inet_ip)); if (hhook_head_register(HHOOK_TYPE_IPSEC_IN, AF_INET, &V_ipsec_hhh_in[HHOOK_IPSEC_INET], diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index e5f1c1a..b5d4951 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -227,9 +227,8 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags, struct rtentry *rte; /* cache for ro->ro_rt */ uint32_t fibnum; int have_ia_ref; -#ifdef IPSEC - int no_route_but_check_spd = 0; -#endif + int no_route_but_check = 0; + M_ASSERTPKTHDR(m); if (inp != NULL) { @@ -387,10 +386,11 @@ again: * There is no route for this packet, but it is * possible that a matching SPD entry exists. */ - no_route_but_check_spd = 1; mtu = 0; /* Silence GCC warning. */ - goto sendit; #endif + no_route_but_check = 1; + goto sendit; + IPSTAT_INC(ips_noroute); error = EHOSTUNREACH; goto bad; @@ -562,19 +562,14 @@ sendit: default: break; /* Continue with packet processing. */ } - /* - * Check if there was a route for this packet; return error if not. - */ - if (no_route_but_check_spd) { - IPSTAT_INC(ips_noroute); - error = EHOSTUNREACH; - goto bad; - } /* Update variables that are affected by ipsec4_output(). */ ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2; #endif /* IPSEC */ + if (ifp == NULL) + ifp = V_loif; + /* Jump over all PFIL processing if hooks are not active. */ if (PFIL_HOOKED(&V_inet_pfil_hook)) { switch (ip_output_pfil(&m, ifp, inp, dst, &fibnum, &error)) { @@ -599,6 +594,15 @@ sendit: } } + /* + * Check if there was a route for this packet; return error if not. + */ + if (no_route_but_check) { + IPSTAT_INC(ips_noroute); + error = EHOSTUNREACH; + goto bad; + } + /* 127/8 must not appear on wire - RFC1122. */ if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index ba0fd1f..c0cd811 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -193,6 +193,7 @@ SYSCTL_PROC(_net_inet6_ip6, IPV6CTL_INTRDQMAXLEN, intr_direct_queue_maxlen, #endif +SYSCTL_DECL(_net_inet6_ip6); VNET_DEFINE(struct pfil_head, inet6_pfil_hook); VNET_PCPUSTAT_DEFINE(struct ip6stat, ip6stat); @@ -234,6 +235,9 @@ ip6_init(void) if ((i = pfil_head_register(&V_inet6_pfil_hook)) != 0) printf("%s: WARNING: unable to register pfil hook, " "error %d\n", __func__, i); + else + pfil_head_export_sysctl(&V_inet6_pfil_hook, + SYSCTL_STATIC_CHILDREN(_net_inet6_ip6)); if (hhook_head_register(HHOOK_TYPE_IPSEC_IN, AF_INET6, &V_ipsec_hhh_in[HHOOK_IPSEC_INET6], diff --git a/sys/netpfil/ipfw/ip_dn_io.c b/sys/netpfil/ipfw/ip_dn_io.c index 831b909..6509006 100644 --- a/sys/netpfil/ipfw/ip_dn_io.c +++ b/sys/netpfil/ipfw/ip_dn_io.c @@ -776,6 +776,7 @@ dummynet_send(struct mbuf *m) dst = DIR_DROP; } else { dst = pkt->dn_dir; + pkt->rule.info |= IPFW_IS_DUMMYNET; ifp = pkt->ifp; tag->m_tag_cookie = MTAG_IPFW_RULE; tag->m_tag_id = 0; diff --git a/sys/netpfil/ipfw/ip_dummynet.c b/sys/netpfil/ipfw/ip_dummynet.c index f6d9c28..cce302d 100644 --- a/sys/netpfil/ipfw/ip_dummynet.c +++ b/sys/netpfil/ipfw/ip_dummynet.c @@ -2632,7 +2632,6 @@ static moduledata_t dummynet_mod = { #define DN_SI_SUB SI_SUB_PROTO_FIREWALL #define DN_MODEV_ORD (SI_ORDER_ANY - 128) /* after ipfw */ DECLARE_MODULE(dummynet, dummynet_mod, DN_SI_SUB, DN_MODEV_ORD); -MODULE_DEPEND(dummynet, ipfw, 3, 3, 3); MODULE_VERSION(dummynet, 3); /* diff --git a/sys/netpfil/ipfw/ip_fw_pfil.c b/sys/netpfil/ipfw/ip_fw_pfil.c index 3460036..f34fd54 100644 --- a/sys/netpfil/ipfw/ip_fw_pfil.c +++ b/sys/netpfil/ipfw/ip_fw_pfil.c @@ -513,7 +513,11 @@ ipfw_hook(int onoff, int pf) hook_func = (pf == AF_LINK) ? ipfw_check_frame : ipfw_check_packet; - (void) (onoff ? pfil_add_hook : pfil_remove_hook) + if (onoff) + (void) pfil_add_named_hook + (hook_func, NULL, "ipfw", PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh); + else + (void) pfil_remove_hook (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh); return 0; diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c index bf3b5f6..f2155eb 100644 --- a/sys/netpfil/pf/if_pflog.c +++ b/sys/netpfil/pf/if_pflog.c @@ -213,7 +213,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, return (0); bzero(&hdr, sizeof(hdr)); - hdr.length = PFLOG_REAL_HDRLEN; + hdr.length = PFLOG_HDRLEN; hdr.af = af; hdr.action = rm->action; hdr.reason = reason; @@ -222,13 +222,16 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, if (am == NULL) { hdr.rulenr = htonl(rm->nr); hdr.subrulenr = 1; + hdr.ridentifier = rm->cuid; } else { hdr.rulenr = htonl(am->nr); hdr.subrulenr = htonl(rm->nr); + hdr.ridentifier = rm->cuid; if (ruleset != NULL && ruleset->anchor != NULL) strlcpy(hdr.ruleset, ruleset->anchor->name, sizeof(hdr.ruleset)); } +#ifdef PF_USER_INFO /* * XXXGL: we avoid pf_socket_lookup() when we are holding * state lock, since this leads to unsafe LOR. @@ -243,6 +246,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, hdr.pid = NO_PID; hdr.rule_uid = rm->cuid; hdr.rule_pid = rm->cpid; +#endif hdr.dir = dir; #ifdef INET diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index de6494e..cbe7b1b 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -188,9 +188,6 @@ struct pfsync_softc { struct ip_moptions sc_imo; struct in_addr sc_sync_peer; uint32_t sc_flags; -#define PFSYNCF_OK 0x00000001 -#define PFSYNCF_DEFER 0x00000002 -#define PFSYNCF_PUSH 0x00000004 uint8_t sc_maxupdates; struct ip sc_template; struct callout sc_tmo; @@ -368,7 +365,7 @@ pfsync_clone_destroy(struct ifnet *ifp) callout_drain(&sc->sc_bulkfail_tmo); callout_drain(&sc->sc_bulk_tmo); - if (!(sc->sc_flags & PFSYNCF_OK) && carp_demote_adj_p) + if (!(sc->sc_flags & PFSYNCF_OK) && carp_demote_adj_p && V_pfsync_carp_adj > 0) (*carp_demote_adj_p)(-V_pfsync_carp_adj, "pfsync destroy"); bpfdetach(ifp); if_detach(ifp); @@ -1156,7 +1153,7 @@ pfsync_in_bus(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) sc->sc_ureq_sent = 0; sc->sc_bulk_tries = 0; callout_stop(&sc->sc_bulkfail_tmo); - if (!(sc->sc_flags & PFSYNCF_OK) && carp_demote_adj_p) + if (!(sc->sc_flags & PFSYNCF_OK) && carp_demote_adj_p && V_pfsync_carp_adj > 0) (*carp_demote_adj_p)(-V_pfsync_carp_adj, "pfsync bulk done"); sc->sc_flags |= PFSYNCF_OK; @@ -1314,8 +1311,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } pfsyncr.pfsyncr_syncpeer = sc->sc_sync_peer; pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates; - pfsyncr.pfsyncr_defer = (PFSYNCF_DEFER == - (sc->sc_flags & PFSYNCF_DEFER)); + pfsyncr.pfsyncr_defer = sc->sc_flags; PFSYNC_UNLOCK(sc); return (copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr))); @@ -1407,7 +1403,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) ip->ip_dst.s_addr = sc->sc_sync_peer.s_addr; /* Request a full state table update. */ - if ((sc->sc_flags & PFSYNCF_OK) && carp_demote_adj_p) + if ((sc->sc_flags & PFSYNCF_OK) && carp_demote_adj_p && V_pfsync_carp_adj > 0) (*carp_demote_adj_p)(V_pfsync_carp_adj, "pfsync bulk start"); sc->sc_flags &= ~PFSYNCF_OK; @@ -1637,6 +1633,7 @@ pfsync_sendout(int schedswi) if_inc_counter(sc->sc_ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); sc->sc_len = PFSYNC_MINPKT; + /* XXX: Sould not drop voluntarily update packets! */ if (!_IF_QFULL(&sc->sc_ifp->if_snd)) _IF_ENQUEUE(&sc->sc_ifp->if_snd, m); else { @@ -2150,7 +2147,7 @@ pfsync_bulk_fail(void *arg) sc->sc_ureq_sent = 0; sc->sc_bulk_tries = 0; PFSYNC_LOCK(sc); - if (!(sc->sc_flags & PFSYNCF_OK) && carp_demote_adj_p) + if (!(sc->sc_flags & PFSYNCF_OK) && carp_demote_adj_p && V_pfsync_carp_adj > 0) (*carp_demote_adj_p)(-V_pfsync_carp_adj, "pfsync bulk fail"); sc->sc_flags |= PFSYNCF_OK; diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 2d32b7a..17797fa 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -89,6 +89,8 @@ __FBSDID("$FreeBSD$"); #include <netinet/udp_var.h> #include <netpfil/ipfw/ip_fw_private.h> /* XXX: only for DIR_IN/DIR_OUT */ +#include <netinet/ip_fw.h> +#include <netinet/ip_dummynet.h> #ifdef INET6 #include <netinet/ip6.h> @@ -229,6 +231,8 @@ static int pf_state_key_attach(struct pf_state_key *, static void pf_state_key_detach(struct pf_state *, int); static int pf_state_key_ctor(void *, int, void *, int); static u_int32_t pf_tcp_iss(struct pf_pdesc *); +void pf_rule_to_actions(struct pf_rule *, + struct pf_rule_actions *); static int pf_test_rule(struct pf_rule **, struct pf_state **, int, struct pfi_kif *, struct mbuf *, int, struct pf_pdesc *, struct pf_rule **, @@ -261,7 +265,8 @@ static int pf_test_state_icmp(struct pf_state **, int, struct pfi_kif *, struct mbuf *, int, void *, struct pf_pdesc *, u_short *); static int pf_test_state_other(struct pf_state **, int, - struct pfi_kif *, struct mbuf *, struct pf_pdesc *); + struct pfi_kif *, struct mbuf *, int, + struct pf_pdesc *); static u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, sa_family_t); static u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, @@ -284,6 +289,10 @@ static u_int pf_purge_expired_states(u_int, int); static void pf_purge_unlinked_rules(void); static int pf_mtag_uminit(void *, int, int); static void pf_mtag_free(struct m_tag *); +static void pf_packet_redo_nat(struct mbuf *, struct pf_pdesc *, + int, struct pf_state *, int); +static void pf_packet_undo_nat(struct mbuf *, struct pf_pdesc *, + int, struct pf_state *, int); #ifdef INET static void pf_route(struct mbuf **, struct pf_rule *, int, struct ifnet *, struct pf_state *, @@ -311,20 +320,21 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]); (s) = pf_find_state((i), (k), (d)); \ if ((s) == NULL) \ return (PF_DROP); \ - if (PACKET_LOOPED(pd)) \ + if (PACKET_LOOPED(pd)) { \ + if ((s)->key[PF_SK_WIRE] != (s)->key[PF_SK_STACK]) { \ + pf_packet_redo_nat(m, pd, off, s, direction); \ + } \ return (PF_PASS); \ + } \ if ((d) == PF_OUT && \ (((s)->rule.ptr->rt == PF_ROUTETO && \ - (s)->rule.ptr->direction == PF_OUT) || \ - ((s)->rule.ptr->rt == PF_REPLYTO && \ - (s)->rule.ptr->direction == PF_IN)) && \ + (s)->rule.ptr->direction == PF_OUT)) && \ (s)->rt_kif != NULL && \ (s)->rt_kif != (i)) \ return (PF_PASS); \ } while (0) -#define BOUND_IFACE(r, k) \ - ((r)->rule_flag & PFRULE_IFBOUND) ? (k) : V_pfi_all +#define BOUND_IFACE(r, k) k #define STATE_INC_COUNTERS(s) \ do { \ @@ -410,6 +420,160 @@ pf_addr_cmp(struct pf_addr *a, struct pf_addr *b, sa_family_t af) return (0); } +static void +pf_packet_undo_nat(struct mbuf *m, struct pf_pdesc *pd, int off, + struct pf_state *state, int direction) +{ + struct pf_state_key *nk; + + if (state == NULL || state->nat_rule.ptr == NULL) + return; + + if (state->nat_rule.ptr->action == PF_RDR || + state->nat_rule.ptr->action == PF_BINAT) + nk = (state)->key[PF_SK_WIRE]; + else + nk = (state)->key[PF_SK_STACK]; + + switch (pd->proto) { + case IPPROTO_TCP: { + struct tcphdr *th = pd->hdr.tcp; + + if (direction == PF_OUT) { + pf_change_ap(m, pd->src, &th->th_sport, pd->ip_sum, + &th->th_sum, &nk->addr[pd->sidx], + nk->port[pd->sidx], 0, pd->af); + } else { + pf_change_ap(m, pd->dst, &th->th_dport, pd->ip_sum, + &th->th_sum, &nk->addr[pd->didx], + nk->port[pd->didx], 0, pd->af); + } + m_copyback(m, off, sizeof(*th), (caddr_t)th); + } + break; + case IPPROTO_UDP: { + struct udphdr *uh = pd->hdr.udp; + + if (direction == PF_OUT) { + pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum, + &uh->uh_sum, &nk->addr[pd->sidx], + nk->port[pd->sidx], 1, pd->af); + } else { + pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum, + &uh->uh_sum, &nk->addr[pd->didx], + nk->port[pd->didx], 1, pd->af); + } + m_copyback(m, off, sizeof(*uh), (caddr_t)uh); + } + break; + /* case IPPROTO_ICMP: */ + /* XXX: If we want to do this for icmp is probably wrong!?! */ + /* break; */ + default: + if (direction == PF_OUT) { + switch (pd->af) { + case AF_INET: + pf_change_a(&pd->src->v4.s_addr, + pd->ip_sum, nk->addr[pd->sidx].v4.s_addr, + 0); + break; + case AF_INET6: + PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af); + break; + } + } else { + switch (pd->af) { + case AF_INET: + pf_change_a(&pd->dst->v4.s_addr, + pd->ip_sum, nk->addr[pd->didx].v4.s_addr, + 0); + break; + case AF_INET6: + PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af); + break; + } + } + break; + } +} + +static void +pf_packet_redo_nat(struct mbuf *m, struct pf_pdesc *pd, int off, + struct pf_state *state, int direction) +{ + struct pf_state_key *nk; + + if (state == NULL || state->nat_rule.ptr == NULL) + return; + + if (state->nat_rule.ptr->action == PF_RDR || + state->nat_rule.ptr->action == PF_BINAT) + nk = (state)->key[PF_SK_STACK]; + else + nk = (state)->key[PF_SK_WIRE]; + + switch (pd->proto) { + case IPPROTO_TCP: { + struct tcphdr *th = pd->hdr.tcp; + + if (direction == PF_OUT) { + pf_change_ap(m, pd->src, &th->th_sport, pd->ip_sum, + &th->th_sum, &nk->addr[pd->sidx], + nk->port[pd->sidx], 0, pd->af); + } else { + pf_change_ap(m, pd->dst, &th->th_dport, pd->ip_sum, + &th->th_sum, &nk->addr[pd->didx], + nk->port[pd->didx], 0, pd->af); + } + m_copyback(m, off, sizeof(*th), (caddr_t)th); + } + break; + case IPPROTO_UDP: { + struct udphdr *uh = pd->hdr.udp; + + if (direction == PF_OUT) { + pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum, + &uh->uh_sum, &nk->addr[pd->sidx], + nk->port[pd->sidx], 1, pd->af); + } else { + pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum, + &uh->uh_sum, &nk->addr[pd->didx], + nk->port[pd->didx], 1, pd->af); + } + m_copyback(m, off, sizeof(*uh), (caddr_t)uh); + } + break; + /* case IPPROTO_ICMP: */ + /* XXX: If we want to do this for icmp is probably wrong!?! */ + /* break; */ + default: + if (direction == PF_OUT) { + switch (pd->af) { + case AF_INET: + pf_change_a(&pd->src->v4.s_addr, + pd->ip_sum, nk->addr[pd->sidx].v4.s_addr, + 0); + break; + case AF_INET6: + PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af); + break; + } + } else { + switch (pd->af) { + case AF_INET: + pf_change_a(&pd->dst->v4.s_addr, + pd->ip_sum, nk->addr[pd->didx].v4.s_addr, + 0); + break; + case AF_INET6: + PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af); + break; + } + } + break; + } +} + static __inline uint32_t pf_hashkey(struct pf_state_key *sk) { @@ -1291,7 +1455,7 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir) /* List is sorted, if-bound states before floating ones. */ TAILQ_FOREACH(s, &sk->states[idx], key_list[idx]) - if (s->kif == V_pfi_all || s->kif == kif) { + { PF_STATE_LOCK(s); PF_HASHROW_UNLOCK(kh); if (s->timeout >= PFTM_MAX) { @@ -2663,6 +2827,7 @@ pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) return (pf_match(op, a1, a2, p)); } +#ifdef PF_USER_INFO static int pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) { @@ -2678,6 +2843,7 @@ pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) return (0); return (pf_match(op, a1, a2, g)); } +#endif int pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag, int mtag) @@ -2871,6 +3037,22 @@ pf_addr_inc(struct pf_addr *addr, sa_family_t af) } #endif /* INET6 */ +void +pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a) +{ + if (r->qid) + a->qid = r->qid; + if (r->pqid) + a->pqid = r->pqid; + if (r->pdnpipe) + a->pdnpipe = r->pdnpipe; + if (r->dnpipe) + a->dnpipe = r->dnpipe; + if (r->free_flags & PFRULE_DN_IS_PIPE) + a->flags |= PFRULE_DN_IS_PIPE; +} + +#ifdef PF_USER_INFO int pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m) { @@ -2950,6 +3132,7 @@ pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m) return (1); } +#endif static u_int8_t pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) @@ -3127,12 +3310,14 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, PF_RULES_RASSERT(); +#ifdef PF_USER_INFO if (inp != NULL) { INP_LOCK_ASSERT(inp); pd->lookup.uid = inp->inp_cred->cr_uid; pd->lookup.gid = inp->inp_cred->cr_groups[0]; pd->lookup.done = 1; } +#endif switch (pd->proto) { case IPPROTO_TCP: @@ -3343,7 +3528,11 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, /* icmp only. type always 0 in other cases */ else if (r->code && r->code != icmpcode + 1) r = TAILQ_NEXT(r, entries); - else if (r->tos && !(r->tos == pd->tos)) + else if ((r->rule_flag & PFRULE_TOS) && r->tos && + !(r->tos == pd->tos)) + r = TAILQ_NEXT(r, entries); + else if ((r->rule_flag & PFRULE_DSCP) && r->tos && + !(r->tos == (pd->tos & DSCP_MASK))) r = TAILQ_NEXT(r, entries); else if (r->rule_flag & PFRULE_FRAGMENT) r = TAILQ_NEXT(r, entries); @@ -3351,6 +3540,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, (r->flagset & th->th_flags) != r->flags) r = TAILQ_NEXT(r, entries); /* tcp/udp only. uid.op always 0 in other cases */ +#ifdef PF_USER_INFO else if (r->uid.op && (pd->lookup.done || (pd->lookup.done = pf_socket_lookup(direction, pd, m), 1)) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], @@ -3362,6 +3552,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], pd->lookup.gid)) r = TAILQ_NEXT(r, entries); +#endif else if (r->prio && !pf_match_ieee8021q_pcp(r->prio, m)) r = TAILQ_NEXT(r, entries); @@ -3382,10 +3573,20 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->rtableid >= 0) rtableid = r->rtableid; if (r->anchor == NULL) { - match = 1; - *rm = r; - *am = a; - *rsm = ruleset; + if (r->action == PF_MATCH) { + r->packets[direction == PF_OUT]++; + r->bytes[direction == PF_OUT] += pd->tot_len; + pf_rule_to_actions(r, &pd->act); + if (r->log) + PFLOG_PACKET(kif, m, af, + direction, PFRES_MATCH, r, + a, ruleset, pd, 1); + } else { + match = 1; + *rm = r; + *am = a; + *rsm = ruleset; + } if ((*rm)->quick) break; r = TAILQ_NEXT(r, entries); @@ -3404,6 +3605,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, REASON_SET(&reason, PFRES_MATCH); + /* apply actions for last matching pass/block rule */ + pf_rule_to_actions(r, &pd->act); + if (r->log || (nr != NULL && nr->log)) { if (rewrite) m_copyback(m, off, hdrlen, pd->hdr.any); @@ -3577,6 +3781,11 @@ pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a, s->state_flags |= PFSTATE_SLOPPY; s->log = r->log & PF_LOG_ALL; s->sync_state = PFSYNC_S_NONE; + s->qid = pd->act.qid; + s->pqid = pd->act.pqid; + s->pdnpipe = pd->act.pdnpipe; + s->dnpipe = pd->act.dnpipe; + s->state_flags |= pd->act.flags; if (nr != NULL) s->log |= nr->log & PF_LOG_ALL; switch (pd->proto) { @@ -3815,6 +4024,9 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, r = r->skip[PF_SKIP_DST_ADDR].ptr; else if (r->tos && !(r->tos == pd->tos)) r = TAILQ_NEXT(r, entries); + else if ((r->rule_flag & PFRULE_DSCP) && r->tos && + !(r->tos == (pd->tos & DSCP_MASK))) + r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY) r = TAILQ_NEXT(r, entries); else if (pd->proto == IPPROTO_UDP && @@ -3838,10 +4050,20 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, r = TAILQ_NEXT(r, entries); else { if (r->anchor == NULL) { - match = 1; - *rm = r; - *am = a; - *rsm = ruleset; + if (r->action == PF_MATCH) { + r->packets[direction == PF_OUT]++; + r->bytes[direction == PF_OUT] += pd->tot_len; + pf_rule_to_actions(r, &pd->act); + if (r->log) + PFLOG_PACKET(kif, m, af, + direction, PFRES_MATCH, r, + a, ruleset, pd, 1); + } else { + match = 1; + *rm = r; + *am = a; + *rsm = ruleset; + } if ((*rm)->quick) break; r = TAILQ_NEXT(r, entries); @@ -3860,6 +4082,9 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, REASON_SET(&reason, PFRES_MATCH); + /* apply actions for last matching pass/block rule */ + pf_rule_to_actions(r, &pd->act); + if (r->log) PFLOG_PACKET(kif, m, af, direction, reason, r, a, ruleset, pd, 1); @@ -5098,7 +5323,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, static int pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif, - struct mbuf *m, struct pf_pdesc *pd) + struct mbuf *m, int off, struct pf_pdesc *pd) { struct pf_state_peer *src, *dst; struct pf_state_key_cmp key; @@ -5434,6 +5659,12 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, ip = mtod(m0, struct ip *); + if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { + if (s) + PF_STATE_UNLOCK(s); + return; + } + bzero(&dst, sizeof(dst)); dst.sin_family = AF_INET; dst.sin_len = sizeof(dst); @@ -5478,7 +5709,72 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, if (ifp == NULL) goto bad; - if (oifp != ifp) { + else if (r->rt == PF_REPLYTO || (r->rt == PF_ROUTETO && ifp->if_type == IFT_ENC)) { + /* XXX: Copied from ifaof_ifpforaddr() since it mostly will not return NULL! */ + struct sockaddr_in inaddr; + struct sockaddr *addr; + struct ifaddr *ifa; + char *cp, *cp2, *cp3; + char *cplim; + + inaddr.sin_addr = ip->ip_dst; + inaddr.sin_family = AF_INET; + inaddr.sin_len = sizeof(inaddr); + inaddr.sin_port = 0; + addr = (struct sockaddr *)&inaddr; + + IF_ADDR_RLOCK(ifp); + TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { + if (ifa->ifa_addr->sa_family != AF_INET) + continue; + if (ifa->ifa_netmask == 0) { + if ((bcmp(addr, ifa->ifa_addr, addr->sa_len) == 0) || + (ifa->ifa_dstaddr && + (bcmp(addr, ifa->ifa_dstaddr, addr->sa_len) == 0))) { + IF_ADDR_RUNLOCK(ifp); + return; + } + continue; + } + if (ifp->if_flags & IFF_POINTOPOINT) { + if (bcmp(addr, ifa->ifa_dstaddr, addr->sa_len) == 0) { + IF_ADDR_RUNLOCK(ifp); + return; + } + } else { + cp = addr->sa_data; + cp2 = ifa->ifa_addr->sa_data; + cp3 = ifa->ifa_netmask->sa_data; + cplim = ifa->ifa_netmask->sa_len + (char *)ifa->ifa_netmask; + for (; cp3 < cplim; cp3++) + if ((*cp++ ^ *cp2++) & *cp3) + break; + if (cp3 == cplim) { + IF_ADDR_RUNLOCK(ifp); + return; + } + } + } + IF_ADDR_RUNLOCK(ifp); + } + else if (r->rt == PF_ROUTETO && r->direction == dir && in_localip(ip->ip_dst)) + return; + + if (s != NULL && r->rt == PF_REPLYTO) { + /* + * Send it out since it came from state recorded ifp(rt_addr). + * Routing table lookup might have chosen not correct interface! + */ + } else if (oifp != ifp) { + if (in_broadcast(ip->ip_dst, oifp)) /* XXX: LOCKING of address list?! */ + return; + + if (s && r->rt == PF_ROUTETO && pd->nat_rule != NULL && + r->direction == PF_OUT && r->direction == dir && + pd->pf_mtag->routed < 2) { + pf_packet_undo_nat(m0, pd, ntohs(ip->ip_off), s, dir); + } + if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) goto bad; else if (m0 == NULL) @@ -5531,6 +5827,9 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, error = EMSGSIZE; KMOD_IPSTAT_INC(ips_cantfrag); if (r->rt != PF_DUPTO) { + if (s && pd->nat_rule != NULL) + pf_packet_undo_nat(m0, pd, ntohs(ip->ip_off), s, dir); + icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, ifp->if_mtu); goto done; @@ -5610,6 +5909,12 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, ip6 = mtod(m0, struct ip6_hdr *); + if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src)) { + if (s) + PF_STATE_UNLOCK(s); + return; + } + bzero(&dst, sizeof(dst)); dst.sin6_family = AF_INET6; dst.sin6_len = sizeof(dst); @@ -5649,8 +5954,70 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, if (ifp == NULL) goto bad; + else if (r->rt == PF_REPLYTO) { + /* XXX: Copied from ifaof_ifpforaddr() since it mostly will not return NULL! */ + struct sockaddr_in6 inaddr6; + struct sockaddr *addr; + struct ifaddr *ifa; + char *cp, *cp2, *cp3; + char *cplim; + + inaddr6.sin6_addr = ip6->ip6_dst; + inaddr6.sin6_family = AF_INET6; + inaddr6.sin6_len = sizeof(inaddr6); + inaddr6.sin6_port = 0; + inaddr6.sin6_flowinfo = 0; + addr = (struct sockaddr *)&inaddr6; + + IF_ADDR_RLOCK(ifp); + TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { + if (ifa->ifa_addr->sa_family != AF_INET6) + continue; + if (ifa->ifa_netmask == 0) { + if ((bcmp(addr, ifa->ifa_addr, addr->sa_len) == 0) || + (ifa->ifa_dstaddr && + (bcmp(addr, ifa->ifa_dstaddr, addr->sa_len) == 0))) { + IF_ADDR_RUNLOCK(ifp); + return; + } + continue; + } + if (ifp->if_flags & IFF_POINTOPOINT) { + if (bcmp(addr, ifa->ifa_dstaddr, addr->sa_len) == 0) { + IF_ADDR_RUNLOCK(ifp); + return; + } + } else { + cp = addr->sa_data; + cp2 = ifa->ifa_addr->sa_data; + cp3 = ifa->ifa_netmask->sa_data; + cplim = ifa->ifa_netmask->sa_len + (char *)ifa->ifa_netmask; + for (; cp3 < cplim; cp3++) + if ((*cp++ ^ *cp2++) & *cp3) + break; + if (cp3 == cplim) { + IF_ADDR_RUNLOCK(ifp); + return; + } + } + } + IF_ADDR_RUNLOCK(ifp); + } else if (r->rt == PF_ROUTETO && r->direction == dir && in6_localaddr(&ip6->ip6_dst)) + return; + + if (s != NULL && r->rt == PF_REPLYTO) { + /* + * Send it out since it came from state recorded ifp(rt_addr). + * Routing table lookup might have chosen not correct interface! + */ + } else if (oifp != ifp) { + if (s && r->rt == PF_ROUTETO && pd->nat_rule != NULL && + r->direction == PF_OUT && r->direction == dir && + pd->pf_mtag->routed < 2) { + int ip_off = ((caddr_t)ip6 - m0->m_data) + sizeof(struct ip6_hdr); + pf_packet_undo_nat(m0, pd, ip_off, s, dir); + } - if (oifp != ifp) { if (pf_test6(PF_FWD, ifp, &m0, NULL) != PF_PASS) goto bad; else if (m0 == NULL) @@ -5684,9 +6051,12 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, nd6_output_ifp(ifp, ifp, m0, &dst, NULL); else { in6_ifstat_inc(ifp, ifs6_in_toobig); - if (r->rt != PF_DUPTO) + if (r->rt != PF_DUPTO) { + if (s && pd->nat_rule != NULL) + pf_packet_undo_nat(m0, pd, ((caddr_t)ip6 - m0->m_data) + sizeof(struct ip6_hdr), s, dir); + icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); - else + } else goto bad; } @@ -5852,7 +6222,9 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) struct pf_state *s = NULL; struct pf_ruleset *ruleset = NULL; struct pf_pdesc pd; - int off, dirndx, pqid = 0; + int off = 0, dirndx, pqid = 0; + int loopedfrom = 0; + struct ip_fw_args dnflow; M_ASSERTPKTHDR(m); @@ -5878,10 +6250,13 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) PF_RULES_RLOCK(); - if (ip_divert_ptr != NULL && + if ((ip_divert_ptr != NULL || ip_dn_io_ptr != NULL) && ((ipfwtag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) { struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(ipfwtag+1); - if (rr->info & IPFW_IS_DIVERT && rr->rulenum == 0) { + if (rr->info & IPFW_IS_DUMMYNET) + loopedfrom = 1; + if (rr->info & IPFW_IS_DUMMYNET || + (rr->info & IPFW_IS_DIVERT && rr->rulenum == 0)) { if (pd.pf_mtag == NULL && ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { action = PF_DROP; @@ -5936,6 +6311,10 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) struct tcphdr th; pd.hdr.tcp = &th; + dnflow.f_id._flags = th.th_flags; + dnflow.f_id.dst_port = ntohs(th.th_dport); + dnflow.f_id.src_port = ntohs(th.th_sport); + if (!pf_pull_hdr(m, off, &th, sizeof(th), &action, &reason, AF_INET)) { log = action != PF_PASS; @@ -5965,6 +6344,9 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) struct udphdr uh; pd.hdr.udp = &uh; + dnflow.f_id.dst_port = ntohs(uh.uh_dport); + dnflow.f_id.src_port = ntohs(uh.uh_sport); + if (!pf_pull_hdr(m, off, &uh, sizeof(uh), &action, &reason, AF_INET)) { log = action != PF_PASS; @@ -6023,7 +6405,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) #endif default: - action = pf_test_state_other(&s, dir, kif, m, &pd); + action = pf_test_state_other(&s, dir, kif, m, off, &pd); if (action == PF_PASS) { if (pfsync_update_state_ptr != NULL) pfsync_update_state_ptr(s); @@ -6067,6 +6449,13 @@ done: } #ifdef ALTQ + if (s && s->qid) { + pd.act.pqid = s->pqid; + pd.act.qid = s->qid; + } else if (r->qid) { + pd.act.pqid = r->pqid; + pd.act.qid = r->qid; + } if (action == PF_PASS && r->qid) { if (pd.pf_mtag == NULL && ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { @@ -6086,6 +6475,70 @@ done: } #endif /* ALTQ */ + if (pd.pf_mtag == NULL && + ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { + action = PF_DROP; + REASON_SET(&reason, PFRES_MEMORY); + } + if (s && (s->dnpipe || s->pdnpipe)) { + pd.act.dnpipe = s->dnpipe; + pd.act.pdnpipe = s->pdnpipe; + pd.act.flags = s->state_flags; + } else if (r->dnpipe || r->pdnpipe) { + pd.act.dnpipe = r->dnpipe; + pd.act.dnpipe = r->pdnpipe; + pd.act.flags = r->free_flags; + } + + if (pd.act.dnpipe && ip_dn_io_ptr != NULL && loopedfrom != 1) { + if (dir != r->direction && pd.act.pdnpipe) { + dnflow.rule.info = pd.act.pdnpipe; + } else if (dir == r->direction) { + dnflow.rule.info = pd.act.dnpipe; + } else + goto continueprocessing; + + if (pd.act.flags & PFRULE_DN_IS_PIPE) + dnflow.rule.info |= IPFW_IS_PIPE; + dnflow.f_id.addr_type = 4; /* IPv4 type */ + dnflow.f_id.proto = pd.proto; + if (dir == PF_OUT && s != NULL && s->nat_rule.ptr != NULL && + s->nat_rule.ptr->action == PF_NAT) + dnflow.f_id.src_ip = + ntohl(s->key[(s->direction == PF_IN)]-> + addr[(s->direction == PF_OUT)].v4.s_addr); + else + dnflow.f_id.src_ip = ntohl(h->ip_src.s_addr); + dnflow.f_id.dst_ip = ntohl(h->ip_dst.s_addr); + dnflow.f_id.extra = dnflow.rule.info; + + if (m->m_flags & M_FASTFWD_OURS) { + pd.pf_mtag->flags |= PF_FASTFWD_OURS_PRESENT; + m->m_flags &= ~M_FASTFWD_OURS; + } + + if (s != NULL && s->nat_rule.ptr) + pf_packet_undo_nat(m, &pd, off, s, dir); + + ip_dn_io_ptr(m0, + (dir == PF_IN) ? DIR_IN : DIR_OUT, + &dnflow); + /* This is dummynet fast io processing */ + if (*m0 != NULL) { + m_tag_delete(*m0, m_tag_first(*m0)); + pd.pf_mtag->flags &= ~PF_PACKET_LOOPED; + if (s != NULL && s->nat_rule.ptr) + pf_packet_redo_nat(m, &pd, off, s, dir); + } else { + *m0 = NULL; + if (s) + PF_STATE_UNLOCK(s); + return (action); + } + } else + pd.pf_mtag->flags &= ~PF_PACKET_LOOPED; +continueprocessing: + /* * connections redirected to loopback should not match sockets * bound specifically to loopback due to security implications, @@ -6239,7 +6692,10 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) struct pf_state *s = NULL; struct pf_ruleset *ruleset = NULL; struct pf_pdesc pd; - int off, terminal = 0, dirndx, rh_cnt = 0, pqid = 0; + int off = 0, terminal = 0, dirndx, rh_cnt = 0, pqid = 0; + int loopedfrom = 0; + struct m_tag *dn_tag; + struct ip_fw_args dnflow; int fwdir = dir; M_ASSERTPKTHDR(m); @@ -6282,8 +6738,25 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) PF_RULES_RLOCK(); + if (ip_dn_io_ptr != NULL && + ((dn_tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) { + struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(dn_tag+1); + if (pd.pf_mtag == NULL && + ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { + action = PF_DROP; + goto done; + } + if (rr->info & IPFW_IS_DUMMYNET) + loopedfrom = 1; + if (pd.pf_mtag->flags & PF_FASTFWD_OURS_PRESENT) { + m->m_flags |= M_FASTFWD_OURS; + pd.pf_mtag->flags &= ~PF_FASTFWD_OURS_PRESENT; + } + pd.pf_mtag->flags |= PF_PACKET_LOOPED; + m_tag_delete(m, dn_tag); + } /* We do IP header normalization and packet reassembly here */ - if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) { + else if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) { action = PF_DROP; goto done; } @@ -6392,6 +6865,10 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) struct tcphdr th; pd.hdr.tcp = &th; + dnflow.f_id._flags = th.th_flags; + dnflow.f_id.dst_port = th.th_dport; + dnflow.f_id.src_port = th.th_sport; + if (!pf_pull_hdr(m, off, &th, sizeof(th), &action, &reason, AF_INET6)) { log = action != PF_PASS; @@ -6419,6 +6896,9 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) struct udphdr uh; pd.hdr.udp = &uh; + dnflow.f_id.dst_port = uh.uh_dport; + dnflow.f_id.src_port = uh.uh_sport; + if (!pf_pull_hdr(m, off, &uh, sizeof(uh), &action, &reason, AF_INET6)) { log = action != PF_PASS; @@ -6475,7 +6955,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) } default: - action = pf_test_state_other(&s, dir, kif, m, &pd); + action = pf_test_state_other(&s, dir, kif, m, off, &pd); if (action == PF_PASS) { if (pfsync_update_state_ptr != NULL) pfsync_update_state_ptr(s); @@ -6525,7 +7005,14 @@ done: } #ifdef ALTQ - if (action == PF_PASS && r->qid) { + if (s && s->qid) { + pd.act.pqid = s->pqid; + pd.act.qid = s->qid; + } else if (r->qid) { + pd.act.pqid = r->pqid; + pd.act.qid = r->qid; + } + if (action == PF_PASS && pd.act.qid) { if (pd.pf_mtag == NULL && ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { action = PF_DROP; @@ -6534,15 +7021,73 @@ done: if (s != NULL) pd.pf_mtag->qid_hash = pf_state_hash(s); if (pd.tos & IPTOS_LOWDELAY) - pd.pf_mtag->qid = r->pqid; + pd.pf_mtag->qid = pd.act.pqid; else - pd.pf_mtag->qid = r->qid; + pd.pf_mtag->qid = pd.act.qid; /* Add hints for ecn. */ pd.pf_mtag->hdr = h; } } #endif /* ALTQ */ + if (pd.pf_mtag == NULL && + ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { + action = PF_DROP; + REASON_SET(&reason, PFRES_MEMORY); + } + if (s && (s->dnpipe || s->pdnpipe)) { + pd.act.dnpipe = s->dnpipe; + pd.act.pdnpipe = s->pdnpipe; + pd.act.flags = s->state_flags; + } else if (r->dnpipe || r->pdnpipe) { + pd.act.dnpipe = r->dnpipe; + pd.act.dnpipe = r->pdnpipe; + pd.act.flags = r->free_flags; + } + if ((pd.act.dnpipe || pd.act.pdnpipe) && + ip_dn_io_ptr != NULL && loopedfrom != 1) { + if (dir != r->direction && pd.act.pdnpipe) { + dnflow.rule.info = pd.act.pdnpipe; + } else if (dir == r->direction && pd.act.dnpipe) { + dnflow.rule.info = pd.act.dnpipe; + } else + goto continueprocessing6; + + if (pd.act.flags & PFRULE_DN_IS_PIPE) + dnflow.rule.info |= IPFW_IS_PIPE; + dnflow.f_id.addr_type = 6; /* IPv4 type */ + dnflow.f_id.proto = pd.proto; + dnflow.f_id.src_ip = 0; + dnflow.f_id.dst_ip = 0; + if (dir == PF_OUT && s != NULL && s->nat_rule.ptr != NULL && + s->nat_rule.ptr->action == PF_NAT) + dnflow.f_id.src_ip6 = s->key[(s->direction == PF_IN)]->addr[0].v6; + else + dnflow.f_id.src_ip6 = h->ip6_src; + dnflow.f_id.dst_ip6 = h->ip6_dst; + + if (s != NULL && s->nat_rule.ptr) + pf_packet_undo_nat(m, &pd, off, s, dir); + + ip_dn_io_ptr(m0, + ((dir == PF_IN) ? DIR_IN : DIR_OUT) | PROTO_IPV6, + &dnflow); + /* This is dummynet fast io processing */ + if (*m0 != NULL) { + m_tag_delete(*m0, m_tag_first(*m0)); + pd.pf_mtag->flags &= ~PF_PACKET_LOOPED; + if (s != NULL && s->nat_rule.ptr) + pf_packet_redo_nat(m, &pd, off, s, dir); + } else { + *m0 = NULL; + if (s) + PF_STATE_UNLOCK(s); + return (action); + } + } else + pd.pf_mtag->flags &= ~PF_PACKET_LOOPED; +continueprocessing6: + if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && (s->nat_rule.ptr->action == PF_RDR || diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h index ac0e0fb..16e60eb 100644 --- a/sys/netpfil/pf/pf.h +++ b/sys/netpfil/pf/pf.h @@ -45,7 +45,8 @@ enum { PF_INOUT, PF_IN, PF_OUT, PF_FWD }; enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, - PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER }; + PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER, + PF_MATCH }; enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index cf7f6f2..5672c78 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1168,7 +1168,9 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td rule->states_cur = counter_u64_alloc(M_WAITOK); rule->states_tot = counter_u64_alloc(M_WAITOK); rule->src_nodes = counter_u64_alloc(M_WAITOK); +#ifdef PF_USER_INFO rule->cuid = td->td_ucred->cr_ruid; +#endif rule->cpid = td->td_proc ? td->td_proc->p_pid : 0; TAILQ_INIT(&rule->rpool.list); @@ -1194,7 +1196,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td V_ticket_pabuf)); ERROUT(EBUSY); } - tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, pf_rulequeue); if (tail) @@ -1278,8 +1279,29 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td } rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list); +#ifndef PF_USER_INFO + if (rule->cuid) { + tail = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); + while ((tail != NULL) && (tail->cuid != rule->cuid)) + tail = TAILQ_NEXT(tail, entries); + if (tail != NULL) { + rule->evaluations = tail->evaluations; + rule->packets[0] = tail->packets[0]; + rule->packets[1] = tail->packets[1]; + rule->bytes[0] = tail->bytes[0]; + rule->bytes[1] = tail->bytes[1]; + } else { + rule->evaluations = rule->packets[0] = rule->packets[1] = + rule->bytes[0] = rule->bytes[1] = 0; + } + } else { + rule->evaluations = rule->packets[0] = rule->packets[1] = + rule->bytes[0] = rule->bytes[1] = 0; + } +#else rule->evaluations = rule->packets[0] = rule->packets[1] = rule->bytes[0] = rule->bytes[1] = 0; +#endif TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, rule, entries); ruleset->rules[rs_num].inactive.rcount++; @@ -1429,7 +1451,9 @@ DIOCADDRULE_error: newrule->states_cur = counter_u64_alloc(M_WAITOK); newrule->states_tot = counter_u64_alloc(M_WAITOK); newrule->src_nodes = counter_u64_alloc(M_WAITOK); +#ifdef PF_USER_INFO newrule->cuid = td->td_ucred->cr_ruid; +#endif newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0; TAILQ_INIT(&newrule->rpool.list); } @@ -1717,6 +1741,30 @@ relock_DIOCKILLSTATES: break; } + case DIOCKILLSCHEDULE: { + struct pf_state *state; + struct pfioc_schedule_kill *psk = (struct pfioc_schedule_kill *)addr; + int killed = 0; + u_int i; + + for (i = 0; i <= pf_hashmask; i++) { + struct pf_idhash *ih = &V_pf_idhash[i]; + +relock_DIOCKILLSCHEDULE: + PF_HASHROW_LOCK(ih); + LIST_FOREACH(state, &ih->states, entry) { + if (!strcmp(psk->schedule, state->rule.ptr->schedule)) { + pf_unlink_state(state, PF_ENTER_LOCKED); + killed++; + goto relock_DIOCKILLSCHEDULE; + } + } + PF_HASHROW_UNLOCK(ih); + } + psk->numberkilled = killed; + break; + } + case DIOCADDSTATE: { struct pfioc_state *ps = (struct pfioc_state *)addr; struct pfsync_state *sp = &ps->state; @@ -3646,8 +3694,8 @@ hook_pf(void) pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); if (pfh_inet == NULL) return (ESRCH); /* XXX */ - pfil_add_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); - pfil_add_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); + pfil_add_named_hook(pf_check_in, NULL, "pf", PFIL_IN | PFIL_WAITOK, pfh_inet); + pfil_add_named_hook(pf_check_out, NULL, "pf", PFIL_OUT | PFIL_WAITOK, pfh_inet); #endif #ifdef INET6 pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); @@ -3660,8 +3708,10 @@ hook_pf(void) #endif return (ESRCH); /* XXX */ } - pfil_add_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6); - pfil_add_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6); + pfil_add_named_hook(pf_check6_in, NULL, "pf", PFIL_IN | PFIL_WAITOK, + pfh_inet6); + pfil_add_named_hook(pf_check6_out, NULL, "pf", PFIL_OUT | PFIL_WAITOK, + pfh_inet6); #endif V_pf_pfil_hooked = 1; diff --git a/sys/netpfil/pf/pf_ruleset.c b/sys/netpfil/pf/pf_ruleset.c index 61da586..5bb3be6 100644 --- a/sys/netpfil/pf/pf_ruleset.c +++ b/sys/netpfil/pf/pf_ruleset.c @@ -121,6 +121,7 @@ pf_get_ruleset_number(u_int8_t action) return (PF_RULESET_SCRUB); break; case PF_PASS: + case PF_MATCH: case PF_DROP: return (PF_RULESET_FILTER); break; diff --git a/usr.sbin/bsdinstall/distextract/distextract.c b/usr.sbin/bsdinstall/distextract/distextract.c index 94536bc..4acafbb 100644 --- a/usr.sbin/bsdinstall/distextract/distextract.c +++ b/usr.sbin/bsdinstall/distextract/distextract.c @@ -69,7 +69,7 @@ main(void) size_t span; struct dpv_config *config; struct dpv_file_node *dist = dists; - static char backtitle[] = "FreeBSD Installer"; + static char backtitle[] = "pfSense Installer"; static char title[] = "Archive Extraction"; static char aprompt[] = "\n Overall Progress:"; static char pprompt[] = "Extracting distribution files...\n"; diff --git a/usr.sbin/bsdinstall/distfetch/distfetch.c b/usr.sbin/bsdinstall/distfetch/distfetch.c index 219847d..e5af4ad 100644 --- a/usr.sbin/bsdinstall/distfetch/distfetch.c +++ b/usr.sbin/bsdinstall/distfetch/distfetch.c @@ -67,7 +67,7 @@ main(void) } init_dialog(stdin, stdout); - dialog_vars.backtitle = __DECONST(char *, "FreeBSD Installer"); + dialog_vars.backtitle = __DECONST(char *, "pfSense Installer"); dlg_put_backtitle(); for (i = 0; i < ndists; i++) { diff --git a/usr.sbin/bsdinstall/partedit/part_wizard.c b/usr.sbin/bsdinstall/partedit/part_wizard.c index 1e9c899..e0eec9f 100644 --- a/usr.sbin/bsdinstall/partedit/part_wizard.c +++ b/usr.sbin/bsdinstall/partedit/part_wizard.c @@ -152,7 +152,7 @@ boot_disk(struct gmesh *mesh) if (n > 1) { err = dlg_menu("Partitioning", - "Select the disk on which to install FreeBSD.", 0, 0, 0, + "Select the disk on which to install pfSense.", 0, 0, 0, n, disks, &selected, NULL); chosen = (err == 0) ? strdup(disks[selected].name) : NULL; @@ -234,7 +234,7 @@ query: dialog_vars.defaultno = TRUE; snprintf(message, sizeof(message), "Would you like to use this entire " - "disk (%s) for FreeBSD or partition it to share it with other " + "disk (%s) for pfSense or partition it to share it with other " "operating systems? Using the entire disk will erase any data " "currently stored there.", disk); choice = dialog_yesno("Partition", message, 0, 0); @@ -249,7 +249,7 @@ query: sprintf(warning, "The existing partition scheme on this " "disk (%s) is not bootable on this platform. To install " - "FreeBSD, it must be repartitioned. This will destroy all " + "pfSense, it must be repartitioned. This will destroy all " "data on the disk. Are you sure you want to proceed?", scheme); subchoice = dialog_yesno("Non-bootable Disk", warning, 0, 0); @@ -331,7 +331,7 @@ wizard_makeparts(struct gmesh *mesh, const char *disk, const char *fstype, int i humanize_number(neededstr, 7, MIN_FREE_SPACE, "B", HN_AUTOSCALE, HN_DECIMAL); sprintf(message, "There is not enough free space on %s to " - "install FreeBSD (%s free, %s required). Would you like " + "install pfSense (%s free, %s required). Would you like " "to choose another disk or to open the partition editor?", disk, availablestr, neededstr); diff --git a/usr.sbin/bsdinstall/partedit/partedit.c b/usr.sbin/bsdinstall/partedit/partedit.c index 6723af5..fd7817a 100644 --- a/usr.sbin/bsdinstall/partedit/partedit.c +++ b/usr.sbin/bsdinstall/partedit/partedit.c @@ -87,7 +87,7 @@ main(int argc, const char **argv) init_dialog(stdin, stdout); if (!sade_mode) - dialog_vars.backtitle = __DECONST(char *, "FreeBSD Installer"); + dialog_vars.backtitle = __DECONST(char *, "pfSense Installer"); dialog_vars.item_help = TRUE; nscroll = i = 0; @@ -111,7 +111,7 @@ main(int argc, const char **argv) return (error); } } else { - prompt = "Create partitions for FreeBSD. No changes will be " + prompt = "Create partitions for pfSense. No changes will be " "made until you select Finish."; } @@ -281,7 +281,7 @@ validate_setup(void) if (root == NULL) { dialog_msgbox("Error", "No root partition was found. " - "The root FreeBSD partition must have a mountpoint of '/'.", + "The root pfSense partition must have a mountpoint of '/'.", 0, 0, TRUE); return (FALSE); } @@ -294,7 +294,7 @@ validate_setup(void) dialog_vars.defaultno = TRUE; cancel = dialog_yesno("Warning", "The chosen root partition " "has a preexisting filesystem. If it contains an existing " - "FreeBSD system, please update it with freebsd-update " + "pfSense system, please update it " "instead of installing a new system on it. The partition " "can also be erased by pressing \"No\" and then deleting " "and recreating it. Are you sure you want to proceed?", diff --git a/usr.sbin/bsdinstall/scripts/auto b/usr.sbin/bsdinstall/scripts/auto index 61b2193..9408c5a 100755 --- a/usr.sbin/bsdinstall/scripts/auto +++ b/usr.sbin/bsdinstall/scripts/auto @@ -42,7 +42,7 @@ error() { fi test -n "$DISTDIR_IS_UNIONFS" && umount -f $BSDINSTALL_DISTDIR test -f $PATH_FSTAB && bsdinstall umount - dialog --backtitle "FreeBSD Installer" --title "Abort" \ + dialog --backtitle "pfSense Installer" --title "Abort" \ --no-label "Exit" --yes-label "Restart" --yesno \ "${msg}An installation step has been aborted. Would you like to restart the installation or exit the installer?" 0 0 if [ $? -ne 0 ]; then @@ -111,23 +111,25 @@ trap true SIGINT # This section is optional bsdinstall keymap trap error SIGINT # Catch cntrl-C here -bsdinstall hostname || error "Set hostname failed" +#bsdinstall hostname || error "Set hostname failed" -export DISTRIBUTIONS="base.txz kernel.txz" +export DISTRIBUTIONS="base.txz" if [ -f $BSDINSTALL_DISTDIR/MANIFEST ]; then DISTMENU=`awk -F'\t' '!/^(kernel\.txz|base\.txz)/{print $1,$5,$6}' $BSDINSTALL_DISTDIR/MANIFEST` DISTMENU="$(echo ${DISTMENU} | sed -E 's/\.txz//g')" - exec 3>&1 - EXTRA_DISTS=$( eval dialog \ - --backtitle \"FreeBSD Installer\" \ - --title \"Distribution Select\" --nocancel --separate-output \ - --checklist \"Choose optional system components to install:\" \ - 0 0 0 $DISTMENU \ - 2>&1 1>&3 ) - for dist in $EXTRA_DISTS; do - export DISTRIBUTIONS="$DISTRIBUTIONS $dist.txz" - done + if [ -n "$DISTMENU" ]; then + exec 3>&1 + EXTRA_DISTS=$( eval dialog \ + --backtitle \"pfSense Installer\" \ + --title \"Distribution Select\" --nocancel --separate-output \ + --checklist \"Choose optional system components to install:\" \ + 0 0 0 $DISTMENU \ + 2>&1 1>&3 ) + for dist in $EXTRA_DISTS; do + export DISTRIBUTIONS="$DISTRIBUTIONS $dist.txz" + done + fi fi LOCAL_DISTRIBUTIONS="MANIFEST" @@ -143,7 +145,7 @@ LOCAL_DISTRIBUTIONS=`echo $LOCAL_DISTRIBUTIONS` # Trim white space FETCH_DISTRIBUTIONS=`echo $FETCH_DISTRIBUTIONS` # Trim white space if [ -n "$FETCH_DISTRIBUTIONS" -a -n "$BSDINSTALL_CONFIGCURRENT" ]; then - dialog --backtitle "FreeBSD Installer" --title "Network Installation" --msgbox "Some installation files were not found on the boot volume. The next few screens will allow you to configure networking so that they can be downloaded from the Internet." 0 0 + dialog --backtitle "pfSense Installer" --title "Network Installation" --msgbox "Some installation files were not found on the boot volume. The next few screens will allow you to configure networking so that they can be downloaded from the Internet." 0 0 bsdinstall netconfig || error NETCONFIG_DONE=yes fi @@ -268,7 +270,7 @@ case $CURARCH in esac exec 3>&1 -PARTMODE=`echo $PMODES | xargs dialog --backtitle "FreeBSD Installer" \ +PARTMODE=`echo $PMODES | xargs dialog --backtitle "pfSense Installer" \ --title "Partitioning" \ --menu "How would you like to partition your disk?" \ 0 0 0 2>&1 1>&3` || exit 1 @@ -377,25 +379,25 @@ fi bsdinstall checksum || error "Distribution checksum failed" bsdinstall distextract || error "Distribution extract failed" -bsdinstall rootpass || error "Could not set root password" +#bsdinstall rootpass || error "Could not set root password" trap true SIGINT # This section is optional if [ "$NETCONFIG_DONE" != yes ]; then - bsdinstall netconfig # Don't check for errors -- the user may cancel +# bsdinstall netconfig # Don't check for errors -- the user may cancel fi -bsdinstall time -bsdinstall services -bsdinstall hardening +#bsdinstall time +#bsdinstall services +#bsdinstall hardening -dialog --backtitle "FreeBSD Installer" --title "Add User Accounts" --yesno \ - "Would you like to add users to the installed system now?" 0 0 && \ - bsdinstall adduser +#dialog --backtitle "pfSense Installer" --title "Add User Accounts" --yesno \ +# "Would you like to add users to the installed system now?" 0 0 && \ +# bsdinstall adduser finalconfig() { exec 3>&1 - REVISIT=$(dialog --backtitle "FreeBSD Installer" \ + REVISIT=$(dialog --backtitle "pfSense Installer" \ --title "Final Configuration" --no-cancel --menu \ - "Setup of your FreeBSD system is nearly complete. You can now modify your configuration choices. After this screen, you will have an opportunity to make more complex changes using a shell." 0 0 0 \ + "Setup of your pfSense system is nearly complete. You can now modify your configuration choices. After this screen, you will have an opportunity to make more complex changes using a shell." 0 0 0 \ "Exit" "Apply configuration and exit installer" \ "Add User" "Add a user to the system" \ "Root Password" "Change root password" \ @@ -404,7 +406,7 @@ finalconfig() { "Services" "Set daemons to run on startup" \ "System Hardening" "Set security options" \ "Time Zone" "Set system timezone" \ - "Handbook" "Install FreeBSD Handbook (requires network)" 2>&1 1>&3) + "Handbook" "Install pfSense Handbook (requires network)" 2>&1 1>&3) exec 3>&- case "$REVISIT" in @@ -444,7 +446,7 @@ finalconfig() { } # Allow user to change his mind -finalconfig +#finalconfig trap error SIGINT # SIGINT is bad again bsdinstall config || error "Failed to save config" @@ -455,7 +457,7 @@ if [ ! -z "$BSDINSTALL_FETCHDEST" ]; then rm -rf "$BSDINSTALL_FETCHDEST" fi -dialog --backtitle "FreeBSD Installer" --title "Manual Configuration" \ +dialog --backtitle "pfSense Installer" --title "Manual Configuration" \ --default-button no --yesno \ "The installation is now finished. Before exiting the installer, would you like to open a shell in the new system to make any final manual modifications?" 0 0 if [ $? -eq 0 ]; then diff --git a/usr.sbin/bsdinstall/scripts/checksum b/usr.sbin/bsdinstall/scripts/checksum index 1c537f3..ddf7f8e6 100755 --- a/usr.sbin/bsdinstall/scripts/checksum +++ b/usr.sbin/bsdinstall/scripts/checksum @@ -37,7 +37,7 @@ for dist in $DISTRIBUTIONS; do for i in $DISTRIBUTIONS; do items="$items $i `eval echo \\\${status_$(basename $i .txz):-Pending}`" done - dialog --backtitle "FreeBSD Installer" --title "Checksum Verification" \ + dialog --backtitle "pfSense Installer" --title "Checksum Verification" \ --mixedgauge "Verifying checksums of selected distributions." \ 0 0 $percentage $items @@ -62,7 +62,7 @@ for dist in $DISTRIBUTIONS; do percentage=$(echo $percentage + 100/`echo $DISTRIBUTIONS | wc -w` | bc) else eval "status_$distname=1" - dialog --backtitle "FreeBSD Installer" --title "Error" \ + dialog --backtitle "pfSense Installer" --title "Error" \ --msgbox "The checksum for $dist does not match. It may have become corrupted, and should be redownloaded." 0 0 exit 1 fi diff --git a/usr.sbin/bsdinstall/scripts/config b/usr.sbin/bsdinstall/scripts/config index 90ee257..8cd0f17 100755 --- a/usr.sbin/bsdinstall/scripts/config +++ b/usr.sbin/bsdinstall/scripts/config @@ -29,8 +29,8 @@ # ############################################################ MAIN -cat $BSDINSTALL_TMPETC/rc.conf.* >> $BSDINSTALL_TMPETC/rc.conf -rm $BSDINSTALL_TMPETC/rc.conf.* +#cat $BSDINSTALL_TMPETC/rc.conf.* >> $BSDINSTALL_TMPETC/rc.conf +#rm $BSDINSTALL_TMPETC/rc.conf.* cat $BSDINSTALL_CHROOT/etc/sysctl.conf $BSDINSTALL_TMPETC/sysctl.conf.hardening >> $BSDINSTALL_TMPETC/sysctl.conf rm $BSDINSTALL_TMPETC/sysctl.conf.* @@ -46,7 +46,7 @@ cp $BSDINSTALL_TMPBOOT/* $BSDINSTALL_CHROOT/boot [ "${debugFile#+}" ] && cp "${debugFile#+}" $BSDINSTALL_CHROOT/var/log/ # Set up other things from installed config -chroot $BSDINSTALL_CHROOT /usr/bin/newaliases > /dev/null 2>&1 +#chroot $BSDINSTALL_CHROOT /usr/bin/newaliases > /dev/null 2>&1 exit $SUCCESS diff --git a/usr.sbin/bsdinstall/scripts/keymap b/usr.sbin/bsdinstall/scripts/keymap index 7b42571..cb20b78 100755 --- a/usr.sbin/bsdinstall/scripts/keymap +++ b/usr.sbin/bsdinstall/scripts/keymap @@ -57,8 +57,8 @@ hline_arrows_tab_enter="Press arrows, TAB or ENTER" msg_continue_with_keymap="Continue with %s keymap" msg_default="default" msg_error="Error" -msg_freebsd_installer="FreeBSD Installer" -msg_keymap_menu_text="The system console driver for FreeBSD defaults to standard \"US\"\nkeyboard map. Other keymaps can be chosen below." +msg_freebsd_installer="pfSense Installer" +msg_keymap_menu_text="The system console driver for pfSense defaults to standard \"US\"\nkeyboard map. Other keymaps can be chosen below." msg_keymap_selection="Keymap Selection" msg_ok="OK" msg_select="Select" diff --git a/usr.sbin/bsdinstall/scripts/mount b/usr.sbin/bsdinstall/scripts/mount index fca8000..157997f 100755 --- a/usr.sbin/bsdinstall/scripts/mount +++ b/usr.sbin/bsdinstall/scripts/mount @@ -44,7 +44,7 @@ for i in $FILESYSTEMS; do mkdir -p $i 2>/dev/null MNTERROR=`mount -F $TMP_FSTAB $i 2>&1` if [ $? -ne 0 ]; then - dialog --backtitle "FreeBSD Installer" --title "Error" \ + dialog --backtitle "pfSense Installer" --title "Error" \ --msgbox "Error mounting partition $i:\n$MNTERROR" 0 0 exit 1 fi diff --git a/usr.sbin/bsdinstall/scripts/zfsboot b/usr.sbin/bsdinstall/scripts/zfsboot index 9fbf5c9..311320b 100755 --- a/usr.sbin/bsdinstall/scripts/zfsboot +++ b/usr.sbin/bsdinstall/scripts/zfsboot @@ -250,7 +250,7 @@ msg_encrypt_disks_help="Use geli(8) to encrypt all data partitions" msg_error="Error" msg_force_4k_sectors="Force 4K Sectors?" msg_force_4k_sectors_help="Align partitions to 4K sector boundries and set vfs.zfs.min_auto_ashift=12" -msg_freebsd_installer="FreeBSD Installer" +msg_freebsd_installer="pfSense Installer" msg_geli_password="Enter a strong passphrase, used to protect your encryption keys. You will be required to enter this passphrase each time the system is booted" msg_geli_setup="Initializing encryption on selected disks,\n this will take several seconds per disk" msg_install="Install" diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c index 118206a..ced0a73 100644 --- a/usr.sbin/rtsold/rtsol.c +++ b/usr.sbin/rtsold/rtsol.c @@ -92,7 +92,7 @@ static int ra_opt_rdnss_dispatch(struct ifinfo *, struct rainfo *, struct script_msg_head_t *, struct script_msg_head_t *); static char *make_rsid(const char *, const char *, struct rainfo *); -#define _ARGS_OTHER otherconf_script, ifi->ifname +#define _ARGS_OTHER otherconf_script, ifi->ifname, ntopbuf #define _ARGS_RESADD resolvconf_script, "-a", rsid #define _ARGS_RESDEL resolvconf_script, "-d", rsid @@ -374,8 +374,8 @@ rtsol_input(int s) warnmsg(LOG_DEBUG, __func__, "OtherConfigFlag on %s is turned on", ifi->ifname); ifi->otherconfig = 1; - CALL_SCRIPT(OTHER, NULL); } + CALL_SCRIPT(OTHER, NULL); clock_gettime(CLOCK_MONOTONIC_FAST, &now); newent_rai = 0; rai = find_rainfo(ifi, &from); diff --git a/usr.sbin/syslogd/clog.h b/usr.sbin/syslogd/clog.h new file mode 100644 index 0000000..ed9e7a2 --- /dev/null +++ b/usr.sbin/syslogd/clog.h @@ -0,0 +1,52 @@ +/*- + * Copyright (c) 2001 + * Jeff Wheelhouse (jdw@wwwi.com) + * + * This code was originally developed by Jeff Wheelhouse (jdw@wwwi.com). + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistribution of source code must retail the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY JEFF WHEELHOUSE ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN + * NO EVENT SHALL JEFF WHEELHOUSE BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, + * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $Id: clog.h,v 1.2 2001/10/02 04:43:52 jdw Exp $ + * $DragonFly: src/usr.sbin/clog/clog.h,v 1.1 2004/10/30 20:26:46 dillon Exp $ + */ + + +#ifndef _CLOG_H_ +#define _CLOG_H_ + +/* + * This magic constant is used to identify a valid circular log file. + * syslogd will ignore any circular log file that doesn't have this constant. + */ + +const char MAGIC_CONST[4] = "CLOG"; + + +struct clog_footer { + uint32_t cf_magic; + uint32_t cf_wrap; + uint32_t cf_next; + uint32_t cf_max; + uint32_t cf_lock; +}; + + +#endif /* _CLOG_H_ */ diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index df01676..a1fb217 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -89,6 +89,7 @@ __FBSDID("$FreeBSD$"); #include <sys/resource.h> #include <sys/syslimits.h> #include <sys/types.h> +#include <sys/mman.h> #include <netinet/in.h> #include <netdb.h> @@ -110,6 +111,8 @@ __FBSDID("$FreeBSD$"); #include <utmpx.h> #include "pathnames.h" +#include "clog.h" + #include "ttymsg.h" #define SYSLOG_NAMES @@ -118,6 +121,7 @@ __FBSDID("$FreeBSD$"); const char *ConfFile = _PATH_LOGCONF; const char *PidFile = _PATH_LOGPID; const char ctty[] = _PATH_CONSOLE; +const char ring_magic[] = "CLOG"; #define dprintf if (Debug) printf @@ -192,6 +196,11 @@ struct filed { char f_pname[MAXPATHLEN]; pid_t f_pid; } f_pipe; + struct { + char f_rname[MAXPATHLEN]; + struct clog_footer *f_footer; + size_t f_size; + } f_ring; } f_un; char f_prevline[MAXSVLINE]; /* last message logged */ char f_lasttime[16]; /* time of last occurrence */ @@ -270,10 +279,12 @@ int repeatinterval[] = { 30, 120, 600 }; /* # of secs before flush */ #define F_USERS 5 /* list of users */ #define F_WALL 6 /* everyone logged on */ #define F_PIPE 7 /* pipe to program */ +#define F_RING 8 /* ring buffer (circular log) */ -const char *TypeNames[8] = { +const char *TypeNames[9] = { "UNUSED", "FILE", "TTY", "CONSOLE", - "FORW", "USERS", "WALL", "PIPE" + "FORW", "USERS", "WALL", "PIPE", + "RING" }; static struct filed *Files; /* Log files that we write to */ @@ -339,6 +350,8 @@ static int skip_message(const char *, const char *, int); static void printline(const char *, char *, int); static void printsys(char *); static int p_open(const char *, pid_t *); +ssize_t rbwrite __P((struct filed *, char *, size_t)); +ssize_t rbwritev __P((struct filed *, struct iovec *, int)); static void readklog(void); static void reapchild(int); static const char *ttymsg_check(struct iovec *, int, char *, int); @@ -962,7 +975,7 @@ logmsg(int pri, const char *msg, const char *from, int flags) struct filed *f; int i, fac, msglen, omask, prilev; const char *timestamp; - char prog[NAME_MAX+1]; + char prog[NAME_MAX+1]; char buf[MAXLINE+1]; dprintf("logmsg: pri %o, flags %x, from %s, msg %s\n", @@ -1336,6 +1349,20 @@ fprintlog(struct filed *f, int flags, const char *msg) needdofsync = 1; } break; + case F_RING: + dprintf(" %s\n", f->f_un.f_ring.f_rname); + v->iov_base = "\n"; + v->iov_len = 1; + if (rbwritev(f, iov, 7)==-1) { + int e = errno; + (void)munmap(f->f_un.f_ring.f_footer,sizeof(struct clog_footer)); + (void)close(f->f_file); + f->f_type = F_UNUSED; + errno = e; + logerror(f->f_un.f_fname); + } + + break; case F_PIPE: dprintf(" %s\n", f->f_un.f_pipe.f_pname); @@ -1615,7 +1642,7 @@ init(int signo) struct filed *f, *next, **nextp; char *p; char cline[LINE_MAX]; - char prog[LINE_MAX]; + char prog[LINE_MAX]; char host[MAXHOSTNAMELEN]; char oldLocalHostName[MAXHOSTNAMELEN]; char hostMsg[2*MAXHOSTNAMELEN+40]; @@ -1680,6 +1707,10 @@ init(int signo) } f->f_un.f_pipe.f_pid = 0; break; + case F_RING: + (void)munmap(f->f_un.f_ring.f_footer,sizeof(struct clog_footer)); + (void)close(f->f_file); + break; } next = f->f_next; if (f->f_program) free(f->f_program); @@ -1821,6 +1852,10 @@ init(int signo) } break; + case F_RING: + printf("%s", f->f_un.f_ring.f_rname); + break; + case F_PIPE: printf("%s", f->f_un.f_pipe.f_pname); break; @@ -1871,6 +1906,7 @@ cfline(const char *line, struct filed *f, const char *prog, const char *host) const char *p, *q; char *bp; char buf[MAXLINE], ebuf[100]; + struct stat sb; dprintf("cfline(\"%s\", f, \"%s\", \"%s\")\n", line, prog, host); @@ -2044,9 +2080,16 @@ cfline(const char *line, struct filed *f, const char *prog, const char *host) p++; endkey = ']'; } - while (*p && (*p != endkey) && (i-- > 0)) { + while (*p && (*p != endkey) && (*p != '[') && (i-- > 0)) { *tp++ = *p++; } + if (*p == '[') { + p++; + while (*p && (*p != ']') && (i-- > 0)) { + *tp++ = *p++; + } + p++; + } if (endkey == ']' && *p == endkey) p++; *tp = '\0'; @@ -2091,6 +2134,38 @@ cfline(const char *line, struct filed *f, const char *prog, const char *host) } break; + case '%': + if ((f->f_file = open(p+1, O_RDWR, 0 )) < 0) { + f->f_type = F_UNUSED; + logerror(p+1); + break; + } + if (fstat(f->f_file,&sb)<0) { + (void)close(f->f_file); + f->f_type = F_UNUSED; + logerror(p+1); + break; + } + f->f_un.f_ring.f_footer = mmap(NULL,sizeof(struct clog_footer),PROT_READ|PROT_WRITE,MAP_SHARED,f->f_file,sb.st_size-sizeof(struct clog_footer)); + if (f->f_un.f_ring.f_footer==NULL) { + (void)close(f->f_file); + f->f_type = F_UNUSED; + logerror(p+1); + break; + } + if (memcmp(&(f->f_un.f_ring.f_footer->cf_magic),MAGIC_CONST,4)!=0) { + (void)munmap(f->f_un.f_ring.f_footer,sizeof(struct clog_footer)); + (void)close(f->f_file); + f->f_type = F_UNUSED; + errno = ENODEV; + logerror(p+1); + break; + } + f->f_un.f_ring.f_size = sb.st_size; + (void)strcpy(f->f_un.f_ring.f_rname, p + 1); + f->f_type = F_RING; + break; + case '|': f->f_un.f_pipe.f_pid = 0; (void)strlcpy(f->f_un.f_pipe.f_pname, p + 1, @@ -2835,6 +2910,49 @@ socksetup(int af, char *bindhostname) return (socks); } +ssize_t rbwritev(struct filed *f, struct iovec *iov, int iovcnt) { + int i; + ssize_t out = 0; + ssize_t err; + + for(i=0;i<iovcnt;i++) { + err = rbwrite(f,iov[i].iov_base,iov[i].iov_len); + if (err==-1) return -1; + out += err; + } + return out; +} + + +ssize_t rbwrite(struct filed *f, char *buf, size_t nbytes) { + size_t maxwrite = f->f_un.f_ring.f_footer->cf_max - f->f_un.f_ring.f_footer->cf_next; + ssize_t err; + ssize_t out = 0; + + f->f_un.f_ring.f_footer->cf_lock = 1; + while (nbytes>0) { + maxwrite = f->f_un.f_ring.f_footer->cf_max - f->f_un.f_ring.f_footer->cf_next; + if (maxwrite>nbytes) maxwrite = nbytes; + err = pwrite(f->f_file,buf,maxwrite,f->f_un.f_ring.f_footer->cf_next); + if (err==-1) { + f->f_un.f_ring.f_footer->cf_lock = 0; + return -1; + } + nbytes -= err; + out += err; + buf += err; + f->f_un.f_ring.f_footer->cf_next += err; + if (f->f_un.f_ring.f_footer->cf_next==f->f_un.f_ring.f_footer->cf_max) { + f->f_un.f_ring.f_footer->cf_next = 0; + f->f_un.f_ring.f_footer->cf_wrap = 1; + } + + } + + f->f_un.f_ring.f_footer->cf_lock = 0; + return out; +} + static void increase_rcvbuf(int fd) { diff --git a/usr.sbin/traceroute6/traceroute6.c b/usr.sbin/traceroute6/traceroute6.c index d9dbb40..a18dbeb 100644 --- a/usr.sbin/traceroute6/traceroute6.c +++ b/usr.sbin/traceroute6/traceroute6.c @@ -956,6 +956,10 @@ main(argc, argv) } break; } + else if (deltaT(&t1, &t2) > waittime * 1000) { + cc = 0; + break; + } } if (cc == 0) printf(" *"); |
