| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| |
| |
| |
| |
| | |
sbin/mount: strcpy -> strlcpy
Reported by: Coverity
CID: 1011173, 1011174
Sponsored by: Spectra Logic Corp
|
| |
| |
| |
| |
| |
| | |
Document the "oneopenown" option added by r316792.
This is a content change.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add large replay widow support to setkey(8) and libipsec.
When the replay window size is large than UINT8_MAX, add to the request
the SADB_X_EXT_SA_REPLAY extension header that was added in r309144.
Also add support of SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT,
SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR,
SADB_X_EXT_SA_REPLAY, SADB_X_EXT_NEW_ADDRESS_SRC, SADB_X_EXT_NEW_ADDRESS_DST
extension headers to the key_debug that is used by `setkey -x`.
Modify kdebug_sockaddr() to use inet_ntop() for IP addresses formatting.
And modify kdebug_sadb_x_policy() to show policy scope and priority.
Reviewed by: gnn, Emeric Poupon
Differential Revision: https://reviews.freebsd.org/D10375
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
r316530:
Fix clearing geom metadata if DIOCGSECTORSIZE fails
An unhandled error case would result in passing SIZE_MAX to malloc.
While I'm here, remove an unnecessary NULL check before free
Reported by: Coverity
CID: 1017793
Sponsored by: Spectra Logic Corp
r316535:
Fix memory leak in "gpart bootcode"
Also, annotate that gpart_issue never returns
Reported by: Coverity
CID: 1007105
Sponsored by: Spectra Logic Corp
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Misc Coverity fixes in camcontrol(8)
CID 1229913 Fix output of "camcontrol persist -i report_capabilities".
The reported Persistent Reservation Types were wrong in all
cases.
CID 1356029 Annotate the code so Coverity will know that this is a false
positive.
CID 1366830 Fix a memory leak in "camcontrol timestamp -s"
CID 1366832 Fix a segfault that could be caused by bad drive firmware
Also, fix the man page entry for the "camcontrol epc state" command to match
what the code does.
Reviewed by: ken, wblock
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D9239
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make setkey(8) more clear about anti-replay window size option semantics.
PR: 172913
Submitted by: john@saltant.com
Reviewed by: ae@
Differential Revision: https://reviews.freebsd.org/D10304
|
| |
| |
| |
| |
| |
| | |
Document how to use reroot with NFS.
Sponsored by: DARPA, AFRL
|
| |
| |
| |
| |
| |
| | |
In fsck_ffs pass1, prevent the inosused variable from wrapping.
PR: 218592
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add ipfw_pmod kernel module.
The module is designed for modification of a packets of any protocols.
For now it implements only TCP MSS modification. It adds the external
action handler for "tcp-setmss" action.
A rule with tcp-setmss action does additional check for protocol and
TCP flags. If SYN flag is present, it parses TCP options and modifies
MSS option if its value is greater than configured value in the rule.
Then it adjustes TCP checksum if needed. After handling the search
continues with the next rule.
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D10150
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add O_EXTERNAL_DATA opcode support.
This opcode can be used to attach some data to external action opcode.
And unlike to O_EXTERNAL_INSTANCE opcode, this opcode does not require
creating of named instance to pass configuration arguments to external
action handler. The data is coming just next to O_EXTERNAL_ACTION opcode.
The userlevel part currenly supports formatting for opcode with ipfw_insn
size, by default it expects u16 numeric value in the arg1.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
|
| |
| |
| |
| |
| |
| |
| | |
newfs_nandfs: Fix unaligned pointer warning
PR: 217532
Submitted by: Trond Endrestol <Trond.Endrestol at ximalas.info>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When we are doing SA lookup for TCP-MD5, check both source and
destination addresses. Previous code has used only destination address
for lookup. But for inbound packets the source address was used as SA
destination address. Thus only outbound SA were used for both directions.
Now we use addresses from a packet as is, thus SAs for both directions are
needed.
Reported by: Mike Tancsa
MFC r316507,316508:
In the example section show that TCP-MD5 connection needs SA for both
directions.
Use unique SPI.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allow superseding the lease renewal and rebind times.
Also make sure that the renewal is never more than 1/2 * expiry and
rebind never more than 7/4 * renewal (the default values in the spec).
This should allow adjusting high values from the server as well as
making sure the values from the server make sense.
Renewal and rebind times will be adjusted down if the expiry time is set
very high in a server, not the other way around. This change just makes
sure the values keep making sense.
and 316285:
Make dhcp-lease-time option supersedable as well.
Note: It is not recommended to set this value to above the value that
the server provided, unless that value is bogus.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Move logging via BPF support into separate file.
* make interface cloner VNET-aware;
* simplify cloner code and use if_clone_simple();
* migrate LOGIF_LOCK() to rmlock;
* add ipfw_bpf_mtap2() function to pass mbuf to BPF;
* introduce new additional ipfwlog0 pseudo interface. It differs from
ipfw0 by DLT type used in bpfattach. This interface is intended to
used by ipfw modules to dump packets with additional info attached.
Currently pflog format is used. ipfw_bpf_mtap2() function uses second
argument to determine which interface use for dumping. If dlen is equal
to ETHER_HDR_LEN it uses old ipfw0 interface, if dlen is equal to
PFLOG_HDRLEN - ipfwlog0 will be used.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
MFC r304043:
Add three helper function to manage tables from external modules.
ipfw_objhash_lookup_table_kidx does lookup kernel index of table;
ipfw_ref_table/ipfw_unref_table takes and releases reference to table.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
MFC r304046, 304108:
Add ipfw_nat64 module that implements stateless and stateful NAT64.
The module works together with ipfw(4) and implemented as its external
action module.
Stateless NAT64 registers external action with name nat64stl. This
keyword should be used to create NAT64 instance and to address this
instance in rules. Stateless NAT64 uses two lookup tables with mapped
IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.
A configuration of instance should looks like this:
1. Create lookup tables:
# ipfw table T46 create type addr valtype ipv6
# ipfw table T64 create type addr valtype ipv4
2. Fill T46 and T64 tables.
3. Add rule to allow neighbor solicitation and advertisement:
# ipfw add allow icmp6 from any to any icmp6types 135,136
4. Create NAT64 instance:
# ipfw nat64stl NAT create table4 T46 table6 T64
5. Add rules that matches the traffic:
# ipfw add nat64stl NAT ip from any to table(T46)
# ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
via NAT64 host.
Stateful NAT64 registers external action with name nat64lsn. The only
one option required to create nat64lsn instance - prefix4. It defines
the pool of IPv4 addresses used for translation.
A configuration of instance should looks like this:
1. Add rule to allow neighbor solicitation and advertisement:
# ipfw add allow icmp6 from any to any icmp6types 135,136
2. Create NAT64 instance:
# ipfw nat64lsn NAT create prefix4 A.B.C.D/28
3. Add rules that matches the traffic:
# ipfw add nat64lsn NAT ip from any to A.B.C.D/28
# ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
via NAT64 host.
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6434
MFC r304048:
Replace __noinline with special debug macro NAT64NOINLINE.
MFC r304061:
Use %ju to print unsigned 64-bit value.
MFC r304076:
Make statistics nat64lsn, nat64stl an nptv6 output netstat-like:
"@value @description" and fix build due to -Wformat errors.
MFC r304378 (by bz):
Try to fix gcc compilation errors (which are right).
nat64_getlasthdr() returns an int, which can be -1 in case of error,
storing the result in an uint8_t and then comparing to < 0 is not
helpful. Do what is done in the rest of the code and make proto an
int here as well.
MFC r309187:
Fix ICMPv6 Time Exceeded error message translation.
MFC r314718:
Use new ipfw_lookup_table() in the nat64 too.
MFC r315204,315233:
Use memset with structure size.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add support for non-contiguous IPv6 masks in ipfw(8) rules.
For example fe::640:0:0/ffff::ffff:ffff:0:0 will match
addresses fe:*:*:*:0:640:*:*
Submitted by: Eugene Mamchits <mamchits at yandex-team dot ru>
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6
as defined in RFC 6296. The module works together with ipfw(4) and
implemented as its external action module. When it is loaded, it registers
as eaction and can be used in rules. The usage pattern is similar to
ipfw_nat(4). All matched by rule traffic goes to the NPT module.
Reviewed by: hrs
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6420
MFC r304049:
Add `stats reset` command implementation to NPTv6 module
to be able reset statistics counters.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
MFC r304076:
Make statistics nat64lsn, nat64stl an nptv6 output netstat-like:
"@value @description" and fix build due to -Wformat errors.
MFC r314507:
Fix NPTv6 rule counters when one_pass is not enabled.
Consider the rule matching when both @done and @retval values
returned from ipfw_run_eaction() are zero. And modify ipfw_nptv6()
to return IP_FW_DENY and @done=0 when addresses do not match.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add named dynamic states support to ipfw(4).
The keep-state, limit and check-state now will have additional argument
flowname. This flowname will be assigned to dynamic rule by keep-state
or limit opcode. And then can be matched by check-state opcode or
O_PROBE_STATE internal opcode. To reduce possible breakage and to maximize
compatibility with old rulesets default flowname introduced.
It will be assigned to the rules when user has omitted state name in
keep-state and check-state opcodes. Also if name is ambiguous (can be
evaluated as rule opcode) it will be replaced to default.
Reviewed by: julian
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6674
MFC r304087:
Do not warn about ambiguous state name when we inspect a comment token.
MFC r304089:
Add an ability to attach comment to check-state rules.
MFC r310727 (by marius):
Fix a bug in r272840; given that the optlen parameter of setsockopt(2)
is a 32-bit socklen_t, do_get3() passes the kernel to access the wrong
32-bit half on big-endian LP64 machines when simply casting the 64-bit
size_t optlen to a socklen_t pointer.
While at it and given that the intention of do_get3() apparently is to
hide/wrap the fact that socket options are used for communication with
ipfw(4), change the optlen parameter of do_set3() to be of type size_t
and as such more appropriate than uintptr_t, too.
MFC r315305:
Change the syntax of ipfw's named states.
Since the state name is an optional argument, it often can conflict
with other options. To avoid ambiguity now the state name must be
prefixed with a colon.
Sponsored by: Yandex LLC
|
| |
| |
| |
| |
| |
| | |
mount.conf(8): fix a .Xr call
Add the missing section number for devfs(5)
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With the following in /etc/fstab:
/dev/gpt/swap.eli none swap sw,late 0 0
swap will not be enabled, with `swapon -aL' complaining:
swapon: Invalid option: late
This happens because swap_on_geli_args() which parses geli arguments
out of all mount options does not expect late or noauto among them.
Fix this by explicitly allowing these arguments.
Reviewed by: jilles
Approved by: jilles
Differential Revision: D9835
|
| |
| |
| |
| | |
Delete trailing whitespace (no functional change)
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
r315199:
sbin/dhclient: fix a memory leak in parse_client_lease_statement(..)
The memory stored by `lease` would have previously been leaked if an
unterminated lease declaration was found in an early-return code path.
CID: 1007114
r315200:
Fix -Wunused-but-set-warning with `ret`
While here, resolve Coverity warnings by demonstrating that vfprintf's
return value is being explicitly ignored.
Tested with: clang, gcc 4.2.1, gcc 6.3.0
r315203:
sbin/dhclient: fix `vendor` storage leak in parse_option_decl(..)
This ensures the storage isn't leaked when non-NULL and the function
returns early, prior to the `free(vendor)` later on in the function.
CID: 1007111-1007113
|
| |
| |
| |
| |
| | |
Make savecore(8) output nicer by specifying the maximum field width
instead of minimum one (precision instead of width).
|
| |
| |
| |
| | |
Make fsck(8) default to "ufs", like eg mount(8) does.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Remove the kernel optoion for IPSEC_FILTERTUNNEL, which was deprecated
more than 7 years ago in favour of a sysctl in r192648.
MFC r305122:
Remove redundant sanity checks from ipsec[46]_common_input_cb().
This check already has been done in the each protocol callback.
MFC r309144,309174,309201 (by fabient):
IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets.
Since the previous algorithm, based on bit shifting, does not scale
with large replay windows, the algorithm used here is based on
RFC 6479: IPsec Anti-Replay Algorithm without Bit Shifting.
The replay window will be fast to be updated, but will cost as many bits
in RAM as its size.
The previous implementation did not provide a lock on the replay window,
which may lead to replay issues.
Obtained from: emeric.poupon@stormshield.eu
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D8468
MFC r309143,309146 (by fabient):
In a dual processor system (2*6 cores) during IPSec throughput tests,
we see a lot of contention on the arc4 lock, used to generate the IV
of the ESP output packets.
The idea of this patch is to split this mutex in order to reduce the
contention on this lock.
Update r309143 to prevent false sharing.
Reviewed by: delphij, markm, ache
Approved by: so
Obtained from: emeric.poupon@stormshield.eu
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D8130
MFC r313330:
Merge projects/ipsec into head/.
Small summary
-------------
o Almost all IPsec releated code was moved into sys/netipsec.
o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel
option IPSEC_SUPPORT added. It enables support for loading
and unloading of ipsec.ko and tcpmd5.ko kernel modules.
o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by
default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type
support was removed. Added TCP/UDP checksum handling for
inbound packets that were decapsulated by transport mode SAs.
setkey(8) modified to show run-time NAT-T configuration of SA.
o New network pseudo interface if_ipsec(4) added. For now it is
build as part of ipsec.ko module (or with IPSEC kernel).
It implements IPsec virtual tunnels to create route-based VPNs.
o The network stack now invokes IPsec functions using special
methods. The only one header file <netipsec/ipsec_support.h>
should be included to declare all the needed things to work
with IPsec.
o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed.
Now these protocols are handled directly via IPsec methods.
o TCP_SIGNATURE support was reworked to be more close to RFC.
o PF_KEY SADB was reworked:
- now all security associations stored in the single SPI namespace,
and all SAs MUST have unique SPI.
- several hash tables added to speed up lookups in SADB.
- SADB now uses rmlock to protect access, and concurrent threads
can do SA lookups in the same time.
- many PF_KEY message handlers were reworked to reflect changes
in SADB.
- SADB_UPDATE message was extended to support new PF_KEY headers:
SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They
can be used by IKE daemon to change SA addresses.
o ipsecrequest and secpolicy structures were cardinally changed to
avoid locking protection for ipsecrequest. Now we support
only limited number (4) of bundled SAs, but they are supported
for both INET and INET6.
o INPCB security policy cache was introduced. Each PCB now caches
used security policies to avoid SP lookup for each packet.
o For inbound security policies added the mode, when the kernel does
check for full history of applied IPsec transforms.
o References counting rules for security policies and security
associations were changed. The proper SA locking added into xform
code.
o xform code was also changed. Now it is possible to unregister xforms.
tdb_xxx structures were changed and renamed to reflect changes in
SADB/SPDB, and changed rules for locking and refcounting.
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9352
MFC r313331:
Add removed headers into the ObsoleteFiles.inc.
MFC r313561 (by glebius):
Move tcp_fields_to_net() static inline into tcp_var.h, just below its
friend tcp_fields_to_host(). There is third party code that also uses
this inline.
MFC r313697:
Remove IPsec related PCB code from SCTP.
The inpcb structure has inp_sp pointer that is initialized by
ipsec_init_pcbpolicy() function. This pointer keeps strorage for IPsec
security policies associated with a specific socket.
An application can use IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket
options to configure these security policies. Then ip[6]_output()
uses inpcb pointer to specify that an outgoing packet is associated
with some socket. And IPSEC_OUTPUT() method can use a security policy
stored in the inp_sp. For inbound packet the protocol-specific input
routine uses IPSEC_CHECK_POLICY() method to check that a packet conforms
to inbound security policy configured in the inpcb.
SCTP protocol doesn't specify inpcb for ip[6]_output() when it sends
packets. Thus IPSEC_OUTPUT() method does not consider such packets as
associated with some socket and can not apply security policies
from inpcb, even if they are configured. Since IPSEC_CHECK_POLICY()
method is called from protocol-specific input routine, it can specify
inpcb pointer and associated with socket inbound policy will be
checked. But there are two problems:
1. Such check is asymmetric, becasue we can not apply security policy
from inpcb for outgoing packet.
2. IPSEC_CHECK_POLICY() expects that caller holds INPCB lock and
access to inp_sp is protected. But for SCTP this is not correct,
becasue SCTP uses own locks to protect inpcb.
To fix these problems remove IPsec related PCB code from SCTP.
This imply that IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options
will be not applicable to SCTP sockets. To be able correctly check
inbound security policies for SCTP, mark its protocol header with
the PR_LASTHDR flag.
Differential Revision: https://reviews.freebsd.org/D9538
MFC r313746:
Add missing check to fix the build with IPSEC_SUPPORT and without MAC.
MFC r313805:
Fix LINT build for powerpc.
Build kernel modules support only when both IPSEC and TCP_SIGNATURE
are not defined.
MFC r313922:
For translated packets do not adjust UDP checksum if it is zero.
In case when decrypted and decapsulated packet is an UDP datagram,
check that its checksum is not zero before doing incremental checksum
adjustment.
MFC r314339:
Document that the size of AH ICV for HMAC-SHA2-NNN should be half of
NNN bits as described in RFC4868.
PR: 215978
MFC r314812:
Introduce the concept of IPsec security policies scope.
Currently are defined three scopes: global, ifnet, and pcb.
Generic security policies that IKE daemon can add via PF_KEY interface
or an administrator creates with setkey(8) utility have GLOBAL scope.
Such policies can be applied by the kernel to outgoing packets and checked
agains inbound packets after IPsec processing.
Security policies created by if_ipsec(4) interfaces have IFNET scope.
Such policies are applied to packets that are passed through if_ipsec(4)
interface.
And security policies created by application using setsockopt()
IP_IPSEC_POLICY option have PCB scope. Such policies are applied to
packets related to specific socket. Currently there is no way to list
PCB policies via setkey(8) utility.
Modify setkey(8) and libipsec(3) to be able distinguish the scope of
security policies in the `setkey -DP` listing. Add two optional flags:
'-t' to list only policies related to virtual *tunneling* interfaces,
i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL
scope. By default policies from all scopes are listed.
To implement this PF_KEY's sadb_x_policy structure was modified.
sadb_x_policy_reserved field is used to pass the policy scope from the
kernel to userland. SADB_SPDDUMP message extended to support filtering
by scope: sadb_msg_satype field is used to specify bit mask of requested
scopes.
For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy
is used to pass if_ipsec's interface if_index to the userland. For GLOBAL
policies sadb_x_policy_priority is used only to manage order of security
policies in the SPDB. For IFNET policies it is not used, so it can be used
to keep if_index.
After this change the output of `setkey -DP` now looks like:
# setkey -DPt
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique:145
spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
refcnt=1
# setkey -DPg
::/0 ::/0 icmp6 135,0
out none
spid=5 seq=1 pid=872 scope=global
refcnt=1
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9805
PR: 212018
Relnotes: yes
Sponsored by: Yandex LLC
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
sbin/devfs: clarify usage
- Note existence of -m option.
- Note that -s applies to rule keyword, only, by adding usage text
specifically for the `rule` and `ruleset` keywords.
Don't go into any further detail in usage(..) -- it's best that one
reads the manpage to get a better idea of how things work as there are
a number of different option-specific keywords and arguments, as well
as some rule grammar.
|
| |
| |
| |
| | |
Typo.
|
|\ \
| |/ |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
r311572:
Fix file descriptor leaks in cmp(1)
Also, add a few test cases
Reported by: Coverity
CID: 271624 275338
Reviewed by: ngie
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D9074
r311895:
Fix memory leaks during "tail -r" of an irregular file
* Rewrite r_buf to use standard tail queues instead of a hand-rolled
circular linked list. Free dynamic allocations when done.
* Remove an optimization for the case where the file is a multiple of 128KB
in size and there is a scarcity of memory.
* Add ATF tests for "tail -r" and its variants.
Reported by: Valgrind
Reviewed by: ngie
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D9067
r311928:
Fix build of usr.bin/tail with GCC
Submitted by: pluknet
Reported by: pluknet
MFC after: 27 days
X-MFC-with: 311895
Sponsored by: Spectra Logic Corp
r311985:
Fix uninitialized variable CIDs in route6d
The variables in question are actually return arguments, but it's still good
form to initialize them.
Reported by: Coverity
CID: 979679 979680
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
r312395:
Fix several Coverity CIDs in devd
CID 1362055, 1362054: File descriptor leaks during shutdown
CID 1362013: Potential null-termination fail with long network device names
CID 1362097: Uncaught exception during memory pressure
CID 1362017, 1362016: Unchecked errors, possibly resulting in weird behavior
if two devd instances start at the same time.
CID 1362015: Unchecked error that will probably never fail
Reported by: Coverity
CID: 1362055 1362054 1362013 1362097 1362017 1362016 1362015
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
r312417:
Fix build of devd with GCC 4.2
Reported by: olivier
Pointy-hat-to: asomers
MFC after: 27 days
X-MFC-with: 312395
Sponsored by: Spectra Logic Corp
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
------------------------------------------------------------------------
r313893 | ken | 2017-02-17 13:04:22 -0700 (Fri, 17 Feb 2017) | 48 lines
Add task attribute support to camcontrol(8).
Users can use the new generic argument, -Q task_attr, to specify a task
attribute (simple, ordered, head of queue, aca) for the commands issued.
The the default is simple, which works with all SCSI devices that support
tagged queueing.
This will mostly be useful for debugging target behavior in certain
situations.
You can try it out by compiling CTL with CTL_IO_DELAY turned on (in
sys/cam/ctl/ctl_io.h) and then do something like this with one of the CTL
LUNs:
ctladm delay 0:0 -l done -t 10
camcontrol tur da34 -v
And at then before the 10 second timer is up, in another terminal:
camcontrol inquiry da34 -Q ordered -v
The Inquiry should complete just after the TUR completes. Ordinarily
it would complete first because of the delay injection, but because the
task attribute is set to ordered in this case, CTL holds it up until the
previous command has completed.
sbin/camcontrol/camcontrol.c:
Add the new generic argument, -Q, which allows the user to specify
a SCSI task attribute. The user can specify task attributes by
name or numerically.
Add a new task_attr arguments to SCSI sub-functions.
sbin/camcontrol/attrib.c,
sbin/camcontrol/camcontrol.h,
sbin/camcontrol/fwdownload.c,
sbin/camcontrol/modeedit.c,
sbin/camcontrol/persist.c,
sbin/camcontrol/timestamp.c,
sbin/camcontrol/zone.c:
Add the new task_attr argument to SCSI sub-functions.
sbin/camcontrol/camcontrol.8:
Document the new -Q option, and add an example.
Sponsored by: Spectra Logic
------------------------------------------------------------------------
|
|\ \
| |/ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Add missing parameters to usage()
* Add missing parameters to manpage synopsis
* Add missing description of -d flag
* Sort flags descriptions
Reviewed by: allanjude, kib
Approved by: allanjude
MFC after: 1 week
Sponsored by: Rubicon Communications (Netgate)
Differential Revision: https://reviews.freebsd.org/D9152
|
| |
| |
| |
| |
| |
| |
| |
| | |
MFV r312970, 313160:
openresolv: update to version 3.9.0.
It is now possible to drop the _WITH_ARG vars thanks to a change to the
pdns_recursor upstreamed by Guy Yur.
|
| |
| |
| |
| |
| |
| |
| |
| | |
style(9) cleanup
- Delete trailing whitespace
- Fix alignment/variable sorting
- Delete single-line enclosing braces
|
|\ \
| |/ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
r311160:
misc minor fixes in mpr(4)
sys/dev/mpr/mpr_sas.c
* Fix a potential null pointer dereference (CID 1305731)
* Check for overrun of the ccb_scsiio.cdb_io.cdb_bytes buffer (CID
1211934)
sys/dev/mpr/mpr_sas_lsi.c
* Nullify a dangling pointer in mprsas_get_sata_identify
* Fix a memory leak in mprsas_SSU_to_SATA_devices (CID 1211935)
Reported by: Coverity (partially)
CID: 1305731 1211934 1211935
Reviewed by: slm
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D8880
r311210:
Quell Coverity for diskinfo(8)
* CID 1198994: Don't run the speed disk on a disk with no sectors
* CID 1011442: Don't call close(2) if open(2) fails
* CID 1011161: Use snprintf instead of sprintf
* CID 1009825: Check the return value of lseek
Reported by: Coverity
CID: 1198994 1011442 1011161 1009825
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
r311288:
Delete dead code in chat(8)
It's always been dead, ever since first import in 1994. It's still dead in
OpenBSD's version, too.
Reported by: Coverity
CID: 270586
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
r311292:
Remove dead code in rpc_parse.c
It's been dead ever since it was imported from TI-RPC in 1995. The dead
code is still present in Illumos today, but was removed from NetBSD in 2006.
Reported by: Coverity
CID: 270097
Obtained from: NetBSD
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
r311298:
Remove dead code in dhclient(8)
The offending code has been dead ever since the import from OpenBSD in
r195805. OpenBSD later deleted that entire function.
Reported by: Coverity
CID: 500059
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
r311340:
Misc Coverity fixes for tail(1)
CID 1006402: Initialize stack variable
CID 271580: Don't leak memory when ENOMEM.
Reported by: Coverity
CID: 271580 1006402
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
|
| |
| |
| |
| |
| | |
Previously code ignored resid field and returned extra zeroes in case of
data underflow. Now it returns only real bytes received from target.
|
| |
| |
| |
| | |
ifconfig(8): fix '-stbc' parameter name.
|
| |
| |
| |
| |
| |
| |
| |
| | |
If our buffer is too small, we may receive part of the page, and should
not try read/write past the end of the buffer.
Reported by: Coverity
CID: 1368374, 1368375
|
| | |
|
| |
| |
| |
| | |
Abort format processing as soon as we have no enough data.
|
| |
| |
| |
| | |
Use type-independent formats for printing nlink_t and ino_t.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix the parsing of NPt binat rules.
In this specific case the src address can be set to any, which was not
accepted prior to this commit.
pfSense bug report: https://redmine.pfsense.org/issues/6985
Reviewed by: kp
Obtained from: pfSense
Sponsored by: Rubicon Communications, LLC (Netgate)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix clang 4.0.0 warnings about taking the address of a packed member of
struct ip in ping(8):
sbin/ping/ping.c:1684:53: error: taking address of packed member
'ip_src' of class or structure 'ip' may result in an unaligned pointer
value [-Werror,-Waddress-of-packed-member]
(void)printf(" %s ", inet_ntoa(*(struct in_addr *)&ip->ip_src.s_addr));
^~~~~~~~~~~~~~~~~
sbin/ping/ping.c:1685:53: error: taking address of packed member
'ip_dst' of class or structure 'ip' may result in an unaligned pointer
value [-Werror,-Waddress-of-packed-member]
(void)printf(" %s ", inet_ntoa(*(struct in_addr *)&ip->ip_dst.s_addr));
^~~~~~~~~~~~~~~~~
|
|\ \
| |/ |
|
| |
| |
| |
| | |
sysctl(8): fix typename for uint32_t
|
|\ \
| |/ |
|