libpfctl: improve error handling
If we fail to open /dev/pf don't try to close it again. That would result in
errno getting overwritten by close(), hiding potentially useful information.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
kernel linker: Disable local sym resolution by default
In 95c20faf11a1 and ecd8245e0d77 kib introduced support to have the
kernel linker stop resolving local symbols from other files, but did
not enable it by default to avoid surprises. Flip the default now,
before FreeBSD 16.0.
The debug.link_elf_leak_locals and debug.link_elf_obj_leak_locals
sysctls are available to revert to the previous behaviour if necessary.
PR: 207898
Reviewed by: bz
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47742
java/openjdk25: Add jre_headless flavor
Add flavor to make a headless jre package, where dev tools and x11
support are removed. As requested in Bug #266059.
PR: 266059
Reviewed by: fuz, jrm
Approved by: fuz (Mentor), jrm
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53707
x11-toolkits/pangolin: update to 0.9.4
Update to a version which supports both ffmpeg 6 and 8.
While here incorporate an upstream patch to fix build with clang.
PR: 289703
www/freenginx-devel: don't link thumbextractor module with libpostproc
libpostproc has been removed from newer ffmpeg and is not needed
with ffmpeg6 either.
Bump PORTREVISION.
PR: 289067
Sponsored by: tipi.work
multimedia/x265: fix build on powerpc*
A couple of fixes:
1. Altivec code also uses VSX, so it should be enabled by default only
on powerpc64le. Additionally ENABLE_ALTIVEC needs to be specified along
with CPU_POWER8.
2. Altivec code is 64-bit only, so the option should be removed on
powerpc altogether. On powerpc64 it should stay non-default.
3. Altivec code works only with 8 bits and causes build issues
elsewhere.
www/nginx: do not link to libpostproc for thumbextractor module
libpostproc has been removed from newer ffmpeg and is not needed
with ffmpeg6 either
PR: 289067
pf: fix udp_mapping cleanup
If we fail to obtain a new source port (pf_get_sport()) while we've
created a udp_mapping (for 'endpoint independent nat') we must free the
udp_mapping in pf_get_sport(). Otherwise the calling function will call
pf_udp_mapping_release(). This will then attempt to remove the udp_mapping from
a list it's not in, and crash.
Actually free the udp_mapping in all failure cases. While here sprinkle in a few
more assertions to ensure we don't leak udp_mappings and add a test case
to provoke this problem.
Reviewed by: thj
MFC after: 1 week
See also: https://redmine.pfsense.org/issues/16517
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D53737
(cherry picked from commit c12013f5bb3819e64499f02ecd199a635003c7ce)
if_ovpn: use IFT_TUNNEL
IFT_ENC has special behaviour in pf we don't desire, and this also ensures that
for all interface types there is N:1:1 correspondence between if_type:dlt:header len.
Requested by: glebius
MFC after: 1 week
(cherry picked from commit ff9f76a206c80c263050816735d537a151ee2999)
em(4): fix capability bounds needed to access checksum context.
Ensure the offp capability bounds cover the entire struct with checksum fields.
This is needed for CHERI systems to avoid a bounds violation trap, as
otherwise offp was allowed to dereference 4 bytes of the csum_flags field only,
so bzero failed.
Tested on ARM Morello.
Reviewed by: kbowling
Discussed with: jrtc27
Sponsored by: CHERI Research Centre
Differential Revision: https://reviews.freebsd.org/D53903