FreeBSD/src fe96610 sys/net pfvar.h, sys/netpfil/pf pf.c pf_lb.c

pf: rework anchor handling to recurse

- percpu anchor stacks
  we actually don't need to pre-allocate per_anchor_stack[], if we use
  a 'natural' recursion, when doing anchor tree traversal.

O.K. mikeb@, mpi@

Extended because FreeBSD pf still has separate NAT rules processing, which also
needed this change.

Obtained from:  OpenBSD, sashan <sashan at openbsd.org>, e236f0fa7b
Obtained from:  OpenBSD, sashan <sashan at openbsd.org>, 5e4ad307dc
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D50579
Delta      File
+275 -282  sys/netpfil/pf/pf.c
+105 -41   sys/netpfil/pf/pf_lb.c
+42 -9     sys/net/pfvar.h
+422 -332  3 files

FreeBSD/src 1e4c562 sys/net pfvar.h, sys/netpfil/pf pf.c pf_lb.c

pf: remove unused argument from pf_get_translation()

No functional change.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+1 -1  sys/net/pfvar.h
+1 -1  sys/netpfil/pf/pf.c
+1 -1  sys/netpfil/pf/pf_lb.c
+3 -3  3 files

FreeBSD/src 3495832 sys/netpfil/pf pf_lb.c

pf: convert NAT rule handling to PF_TEST_ATTRIB as well

We previously made this change in the filter rules, apply it to the NAT rules
as well.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D50580
Delta    File
+58 -50  sys/netpfil/pf/pf_lb.c
+58 -50  1 files

FreeBSD/src ab239df sys/net pfvar.h, sys/netpfil/pf pf.c pf_lb.c

pf: use struct pf_test_ctx as function argument

Use the struct rather than passing individual fields as arguments.
No functional change.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+68 -81   sys/netpfil/pf/pf.c
+22 -24   sys/netpfil/pf/pf_lb.c
+4 -9     sys/net/pfvar.h
+94 -114  3 files

FreeBSD/src 353cfc4 sys/cam cam.c cam.h

cam nvme: Decode NVMe status for NVMe command failures

Similar to ATA and SCSI, log the command status (in this case the
status code from the CQE) on the console for failed NVMe commands.

Reviewed by:    imp
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D50632
Delta   File
+28 -0  sys/cam/cam.c
+5 -0   sys/cam/cam.h
+33 -0  2 files

FreeBSD/src f2a587b sys/cam/ctl ctl_nvme_all.c, sys/cam/nvme nvme_all.c nvme_all.h

cam nvme: Move opcode and status code tables from CTL to base CAM

This adds support for decoding admin opcodes to the existing opcode
decoding and also removes one of the duplicate NVMe opcode string
tables.

- Add nvme_opcode_sbuf and nvme_cpl_sbuf which are CCB
  type-independent and handle the guts of the CTL-specific routines.

- Use nvme_opcode_sbuf to decode the opcode in nvme_command_sbuf.

- Add nvme_status_sbuf to decode the CPL/CQE in a ccb_nvmeio.

Reviewed by:    imp
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D50631
Delta      File
+246 -36   sys/cam/nvme/nvme_all.c
+5 -215    sys/cam/ctl/ctl_nvme_all.c
+3 -0      sys/cam/nvme/nvme_all.h
+254 -251  3 files

FreeBSD/src 331f2c1 lib/libarchive/tests Makefile

libarchive: fix duplicate entry in tests Makefile

Reported by:    des
MFC after:      2 weeks (together with 2e113ef82)
Delta  File
+0 -1  lib/libarchive/tests/Makefile
+0 -1  1 files

FreeBSD/src 89bb17e sys/arm64/arm64 ptrauth.c

arm64: Mask out the PAC ID fields when disabled

When we disable PAC we need to mask out the ID registers for userspace.
Call update_special_reg to mask them out so userspace gets a correct
view of the registers and hwcaps.

Sponsored by:   Arm Ltd
Differential Revision:  https://reviews.freebsd.org/D50573
Delta  File
+9 -3  sys/arm64/arm64/ptrauth.c
+9 -3  1 files

FreeBSD/src 2aeac25 sys/arm64/arm64 identcpu.c, sys/arm64/include cpu.h

arm64: Add a function to restrict the ID registers

This will be used when we need to restrict the register values, e.g.
when an erratum is present that means we need to disable a feature we
will need to remove some fields from these registers.

Sponsored by:   Arm Ltd
Differential Revision:  https://reviews.freebsd.org/D50572
Delta    File
+91 -36  sys/arm64/arm64/identcpu.c
+1 -0    sys/arm64/include/cpu.h
+92 -36  2 files

FreeBSD/src 38fd088 sys/arm64/arm64 identcpu.c machdep.c

arm64: Move users of sanitised ID registers later

To allow for masking of ID registers in the presence of errata move
the late ifunc resolvers and CPU identification functions until after
the errata detection has run.

Sponsored by:   Arm Ltd
Differential Revision:  https://reviews.freebsd.org/D50571
Delta  File
+6 -1  sys/arm64/arm64/identcpu.c
+3 -1  sys/arm64/arm64/machdep.c
+9 -2  2 files

FreeBSD/src 4d7c31b lib/libc/tests/gen glob2_test.c glob_blocks_test.c

glob2_test: Add tests for error callback functions and blocks

This change adds tests that check basic callback functionality for
blocks and function pointers. The tests also make sure that GLOB_ERR
overrides the callback's return value.

Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D50486
Delta    File
+59 -1   lib/libc/tests/gen/glob2_test.c
+49 -0   lib/libc/tests/gen/glob_blocks_test.c
+4 -1    lib/libc/tests/gen/Makefile
+112 -2  3 files

FreeBSD/src 1e0743f include glob.h, lib/libc/gen glob.c glob.3

glob: Add blocks support

This change introduces the `glob_b` function which takes a block instead
of a function pointer.

Relnotes:       yes
Sponsored by:   Klara, Inc.
Inspired by:  https://github.com/apple-oss-distributions/Libc
Differential Revision:  https://reviews.freebsd.org/D50485
Delta     File
+55 -15   lib/libc/gen/glob.c
+57 -9    lib/libc/gen/glob.3
+14 -2    include/glob.h
+1 -0     lib/libc/gen/Symbol.map
+1 -0     lib/libc/gen/Makefile.inc
+128 -26  5 files

FreeBSD/src 61d77e6 stand/common commands.c

loader: allow for exceptions to restricted settings.

We restrict what an unverified loader.conf etc can set,
and the same restrictions are applied to interactive input.
We need to allow for exceptions (eg boot_verbose).
It is best if any allowed settings match up to '='.

If we do not allow it to be set, do not allow it to be unset

Reviewed by:    stevek
Sponsored by:   Juniper Networks, Inc.
Delta    File
+73 -22  stand/common/commands.c
+73 -22  1 files

FreeBSD/src f989020 stand/common install.c

install: must set netproto for tftp://

tftp_open requires netproto is NET_TFTP

Reviewed by:    stevek
Delta  File
+1 -0  stand/common/install.c
+1 -0  1 files

FreeBSD/src 2e113ef contrib/libarchive/libarchive archive_parse_date.c archive_getdate.c, contrib/libarchive/libarchive/test test_read_format_7zip_sfx_elf.elf.uu test_read_format_7zip_sfx_pe.exe.uu

libarchive: merge from vendor branch

libarchive 3.8.1

New features:
 #2088 7-zip reader: improve self-extracting archive detection
 #2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support
 #2403 zip writer: added LZMA + RISCV BCJ filter
 #2601 bsdtar: support --mtime and --clamp-mtime
 #2602 libarchive: mbedtls 3.x compatibility

Security fixes:
 #2422 tar reader: Handle truncation in the middle of a GNU long linkname
       CVE-2024-57970
 #2532 tar reader: fix unchecked return value in list_item_verbose()
       CVE-2025-25724
 #2532 unzip: fix null pointer dereference
       CVE-2025-1632
 #2568 warc: prevent signed integer overflow

    [28 lines not shown]
Delta           File
+9,442 -0       contrib/libarchive/libarchive/test/test_read_format_7zip_sfx_elf.elf.uu
+4,751 -0       contrib/libarchive/libarchive/test/test_read_format_7zip_sfx_pe.exe.uu
+2,107 -0       contrib/libarchive/libarchive/test/test_write_format_mtree_preset_digests.c
+1,147 -0       contrib/libarchive/libarchive/archive_parse_date.c
+0 -1,100       contrib/libarchive/libarchive/archive_getdate.c
+879 -105       contrib/libarchive/libarchive/archive_write_set_format_zip.c
+18,326 -1,205  179 files not shown
+26,875 -3,633  185 files

FreeBSD/src 76141d3 libarchive archive_read_support_format_tar.c archive_util.c, libarchive/test test_read_format_tar_mac_metadata_1.tar.uu test_read_format_tar_mac_metadata.c

Update vendor/libarchive to 3.8.1

Notable bugfixes:
 #2634 tar: Support negative time values with pax
 #2637 tar: Keep block alignment after pax error
 #2642 libarchive: fix FILE_skip regression
 #2643 tar: Handle extra bytes after sparse entries
 #2649 compress: Prevent call stack overflow
 #2651 iso9660: always check archive_string_ensure return value

Obtained from:  libarchive
Vendor commit:  9525f90ca4bd14c7b335e2f8c84a4607b0af6bdf
Delta      File
+231 -0    libarchive/test/test_read_format_tar_mac_metadata_1.tar.uu
+84 -60    libarchive/archive_read_support_format_tar.c
+85 -0     libarchive/test/test_read_format_tar_mac_metadata.c
+16 -60    libarchive/archive_util.c
+68 -0     libarchive/test/test_read_format_tar_pax_negative_time.c
+65 -0     libarchive/test/test_read_pax_empty_val_no_nl.c
+549 -120  32 files not shown
+933 -293  38 files

FreeBSD/src cbcfc2b sys/amd64/conf GENERIC-KASAN GENERIC-KCSAN, sys/arm64/conf GENERIC-KASAN

conf: Make sanitizer configs include the debug config

This is a direct commit to stable/14.
Delta  File
+1 -1  sys/amd64/conf/GENERIC-KASAN
+1 -1  sys/amd64/conf/GENERIC-KCSAN
+1 -1  sys/amd64/conf/GENERIC-KMSAN
+1 -1  sys/arm64/conf/GENERIC-KASAN
+4 -4  4 files

FreeBSD/src f7d9af3 usr.bin/du/tests du_test.sh

du: Add regression tests

Reviewed by:    markj
MFC after:      1 month
Pull Request:   https://github.com/freebsd/freebsd-src/pull/1648

(cherry picked from commit 3e5550d25c6d614f422506373f7068c6c366fa85)
Delta    File
+129 -1  usr.bin/du/tests/du_test.sh
+129 -1  1 files

FreeBSD/src 226076a sys/netinet6 icmp6.c ip6_forward.c

netinet6: Do not forward or send ICMPv6 messages to the unspec address

As in f7174eb2b4c4 ("netinet: Do not forward or ICMP response to
INADDR_ANY"), the IPv6 stack should avoid sending packets to the
unspecified address.  In particular:
- Make sure that we do not forward received packets to the unspecified
  address; the check in ip6_input() catches this in the common case, but
  after commit 40faf87894ff it's possible for a pfil hook to bypass this
  check and pass the packet to ip6_forward() using the
  PACKET_TAG_IPFORWARD tag.
- Make sure that we do not reflect packets back to the unspecified
  address; RFC 4443 section 2.4 states that we must not generate error
  messages in response to packets from the unspecified address.

Reviewed by:    zlei, glebius
Reported by:    Franco Fichtner <franco at opnsense.org>
MFC after:      1 month
Sponsored by:   Klara, Inc.
Sponsored by:   OPNsense

    [3 lines not shown]
Delta  File
+6 -0  sys/netinet6/icmp6.c
+2 -1  sys/netinet6/ip6_forward.c
+8 -1  2 files

FreeBSD/src 1a03846 sys/kern vfs_cache.c

vfs cache: Simplify cache_enter_time() a bit

The condition `flag == NFC_ISDOTDOT && vp != NULL && vp->v_type != VDIR`
is never true at this point in the function.  This is asserted slightly
earlier.  So, remove some dead code and simplify control flow.

N.B. we set v_cache_dd for all vnode types, not just VDIR.  This seems
to be intentional, see commit ce575cd0e2f9069.  For regular files it
appears to effectively represent the most recently entered cache entry
for the vnode.

No functional change intended.

Reviewed by:    olce, kib
MFC after:      2 weeks
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D50107

(cherry picked from commit 01435e28211220f985c66569f60939e440f0887f)
Delta    File
+13 -21  sys/kern/vfs_cache.c
+13 -21  1 files

FreeBSD/src ea8b5e7 etc/mtree BSD.tests.dist, usr.sbin/sysrc Makefile

sysrc: Add some regressions tests

Reviewed by:    markj
MFC after:      1 month
Pull Request:   https://github.com/freebsd/freebsd-src/pull/1664

(cherry picked from commit eeb2d4ffe95b4332811c14b56cfdf5fc6ea821b0)
Delta    File
+351 -0  usr.sbin/sysrc/tests/sysrc_test.sh
+4 -0    usr.sbin/sysrc/Makefile
+3 -0    usr.sbin/sysrc/tests/Makefile
+2 -0    etc/mtree/BSD.tests.dist
+360 -0  4 files

FreeBSD/src 8ba7ac5 usr.sbin/makefs/ffs mkfs.c

makefs: Ensure that FFS superblocks are reproducible

The superblock structure has space reserved for a pointer to an
in-memory structure that gets created at mount time.  makefs populates
it since that simplifies code elsewhere.  However, the pointer value
ends up in the output file, which breaks reproducibility.

Zero the field when writing the superblock instead, as its on-disk value
is ignored.

Reviewed by:    emaste
MFC after:      2 weeks
Sponsored by:   Klara, Inc.
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D50196

(cherry picked from commit 764ccf410c3c5453c4656113d75cd81fcf01828d)
Delta   File
+10 -2  usr.sbin/makefs/ffs/mkfs.c
+10 -2  1 files

FreeBSD/src cdf6e2d sys/kgssapi/krb5 kcrypto_aes.c

krb5: Fix handling of transient crypto request failures

- Instead of using CRYPTO_F_DONE to decide whether a request has
  completed, use a custom protocol of setting crp_opaque = NULL in the
  callback and checking that instead.  CRYPTO_F_DONE is set independent
  of whether an error occurred, but for transient errors signaled by
  EAGAIN, we want to simply retry the request.
- Clear CRYPTO_F_DONE before retrying the request.
- Panic if the request truly failed, as we currently have no way to
  pass hard errors back up.

Reviewed by:    jhb
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D50238

(cherry picked from commit 04421fda140b92eb0d22bc4c0f81b6de05f21225)
Delta    File
+19 -11  sys/kgssapi/krb5/kcrypto_aes.c
+19 -11  1 files

FreeBSD/src 001fc46 sys/kern kern_descrip.c

file: Simplify an INVARIANTS check in _fdrop()

No functional change intended.

MFC after:      1 week
Sponsored by:   Klara, Inc.

(cherry picked from commit a2e22ed3420d92d9d98a1e9681b5c9b1fbe40fca)
Delta  File
+3 -6  sys/kern/kern_descrip.c
+3 -6  1 files

FreeBSD/src 5ea5220 usr.bin/du du.c

du: Fix threshold on non-directory files

PR:             265200
Reviewed by:    markj
MFC after:      1 month
Pull Request:   https://github.com/freebsd/freebsd-src/pull/1648

(cherry picked from commit 0ae2b9e866d3aea1e9141841488561f12603f879)
Delta  File
+3 -1  usr.bin/du/du.c
+3 -1  1 files

FreeBSD/src f00a7fa usr.sbin/sysrc sysrc

sysrc: Fix check flag logic for append and subtract

When using sysrc with the check flag (-c), the append (+=) and subtract
(-=) operations result in incorrect return values because on the check
path the necessary union/difference calculation logic is not performed.

However, the correct union/difference calculation is already performed
when running without the check flag. We fix the issue on the check path
by using the results from the existing union/difference calculation in
the check logic to get the correct return values.

PR:             279200
Reviewed by:    markj
MFC after:      1 month
Pull Request:   https://github.com/freebsd/freebsd-src/pull/1664

(cherry picked from commit c97460c4d97db1bd46dab9f2bdbc90cd1ed7757f)
Delta    File
+25 -27  usr.sbin/sysrc/sysrc
+25 -27  1 files

FreeBSD/src 12effd9 sys/kern vfs_cache.c, sys/sys vnode.h

vfs cache: Move hash row lookup loops into a subroutine

No functional change intended.

Reviewed by:    olce, kib
MFC after:      2 weeks
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D50106

(cherry picked from commit cc25864d4568079cadef46291ddf7d501c81d60a)
Delta    File
+64 -65  sys/kern/vfs_cache.c
+1 -0    sys/sys/vnode.h
+65 -65  2 files

FreeBSD/src b080a04 sys/kern vfs_cache.c

vfs cache: Add a predicate for testing cache entries

No functional change intended.

Reviewed by:    olce, kib
MFC after:      2 weeks
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D50105

(cherry picked from commit 029ed5f574f61443fd12e0e70c7ab4dc296b81e5)
Delta    File
+20 -20  sys/kern/vfs_cache.c
+20 -20  1 files

FreeBSD/src ad5eecb sys/net if.c

ifnet: Integrate if_unroute() into if_down()

if_unroute() is static since 2004 and is not used anywhere except for
if_down().

This also makes it easier to grep by the pattern `if_flags &= ~IFF_UP`.

No functional change intended.

Reviewed by:    glebius
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D49356

(cherry picked from commit 0693c3f7cb3d9e5389863a0c131ddef799c77091)
Delta   File
+8 -21  sys/net/if.c
+8 -21  1 files

FreeBSD/src c20e7eb sys/net if.c

ifnet: Fix a typo in a source code comment

- s/possiable/possible

MFC after:      3 days

(cherry picked from commit ad2d7e594f6d519be6e9674c8048a406a453fef9)
Delta  File
+1 -1  sys/net/if.c
+1 -1  1 files