cdefs.h: Introduce __nonstring attribute
This attribute can be used to annotate char arrays that are not supposed to
be terminated with a NUL char and is needed to silence clang's new
-Wunterminated-string-initialization warning. The name matches linuxkpi.
Reviewed by: emaste, jhb
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52565
(cherry picked from commit 802c6d5d61d15494a54a386dc2ffbcfefc68c8ab)
IPv6: fix off-by-one in pltime and vltime expiration checks
Previously, the macros used '>' instead of '>=' when comparing elapsed
time against the preferred and valid lifetimes. This caused any deprecated
address to become usable again for one extra second after receiving each
Router Advertisement. In that short window, the address could be
selected as a source for outgoing connections.
Update the checks to use '>=' so that addresses are deprecated or
invalid when their lifetime expires.
PR: 289177
Reported by: Dmitry Nexus <fbsd.4f6a at nexus tel>
Reviewed by: zlei
Submitted by: Marek Zarychta
Differential Revision: https://reviews.freebsd.org/D52323
(cherry picked from commit 588a5fad3e8b98955b60707e3e92b8b43566e3f7)
ipv6: don't complain when deleting an address with prefix length of 128
Save prefix length in unused field in6_ifaddr->ia_plen, then on remove
check if an address has 128 prefix length, and if so, we don't need to
complain that there is none of related prefixes.
Reviewed by: kp
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D52952
(cherry picked from commit c4cce0a3e94e3b22f874508d1a9cd81442648238)
ifconfig: Fix the -L flag when using netlink
By default, when ifconfig shows a v6 address derived from a
router-advertised prefix, it shows the initial preferred and valid
lifetimes. When -L is specified, it is supposed to show the remaining
lifetimes, but this was broken in the conversion to netlink.
Fix that, and add a regression test which validates ifconfig output
before and after a short-lived address expires.
Reported by: Franco Fichtner <franco at opnsense.org>
Reviewed by: melifaro, allanjude, Seyed Pouria Mousavizadeh Tehrani
Fixes: 4c91a5dfe483 ("ifconfig: make interface and address listing use Netlink as transport")
MFC after: 2 weeks
Sponsored by: OPNsense
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54294
(cherry picked from commit df6861d755c8f72380ae7fb8df535b27eba8c0be)
netlink: Don't directly access ifnet members
Summary:
Remove the final direct access of struct ifnet members from netlink.
Since only the first address is used, create the iterator and then free,
without fully iterating.
Reviewed By: kp
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D42972
(cherry picked from commit b224af946a17b8e7a7b4942157556b5bc86dd6fb)
netlink: Don't overwrite existing data in a linear buffer in snl_writer
First, a bit of background on some of the data structures netlink uses
to manage data associated with a netlink connection.
- struct linear_buffer contains a single virtually-contiguous buffer
of bytes. Regions of this buffer are suballocated via lb_allocz()
which uses a simple "bump" where the buffer is split into an
allocated region at the start and a free region at the end. Each
allocation "bumps" the boundary (lb->offset) forward by the
allocation size.
Individual allocations are not freed. Instead, the entire buffer is
freed once all of the allocations are no longer in use.
Linear buffers also contain an embedded link to permit chaining
buffers together.
- snl_state contains various state for a netlink connection including
[52 lines not shown]
bsdinstall: Mount /dev and /packages after using the shell to partition disks
Normally after partitions are created by the installer, the 'mount'
script is used to mount the target disk partitions under /mnt. The
tail end of this script also mounts a couple of additional filesystems
under /mnt so that chrooted programs can work such as devfs and
/packages.
When the "Shell" option is used to permit the user to manually mount
the destination filesystem, the "mount" script is not used as the user
is instructed to mount the target filesystems and construct
/mnt/etc/fstab, etc. However, this means that the user is responsible
for mounting devfs (which is not included in /etc/fstab) and /packages
as well. The help message for the "Shell" option doesn't mention
these requirements, so users may not know to do so. This can lead to
confusing errors as chrooted commands can fail to find needed /dev
entries. For example, running fwget to fetch wireless firmware fails
because /dev/pci doesn't exist.
[12 lines not shown]
ixgbe: Remove unused function ixgbe_is_media_cage_present
Remove the unused function ixgbe_is_media_cage_present that
generates a compiler warning.
Signed-off-by: Yogesh Bhosale yogesh.bhosale at intel.com
Reported by: markj
Differential Revision: https://reviews.freebsd.org/D52467
(cherry picked from commit 275f7d72ff6a71bbe46b4282a88f0ea9a24be22a)
cdefs: Add __deprecated
Add __deprecated decorator. This is for a deprecated interface. copystr
is tagged with this today in copy(9), but don't actually provide it or
use it. copystr is a #define so adding it will have to wait.
LinuxKPI was defining this away completely in compiler.h. Since this is
shared between Linux KPI consumers and OpenZFS, if it's already defined,
use the FreeBSD sys/cdefs.h version, otherwise define it away. For
OpenZFS this will retain it, while for Linux KPI it will tend to drop it
(I think always, but I didn't look at everything).
Sponsored by: Netflix
Reviewed by: jhb, emaste
Differential Revision: https://reviews.freebsd.org/D46137
(cherry picked from commit 16672453f12586703f1c51d909bd1900691bf884)
ipfw.8: fix documentation bug for setmark
A mark set with "setmark" keyword is intended to be "sticky"
and documented as such but in fact it is not yet,
as current implementation lacks "sticky" feature
and its implementation will be not MFC'd, most probably.
Correct the manual page until the implementation improved.
Discussed with: Boris Lytochkin <lytboris at gmail.com> (author)
(cherry picked from commit a7b8a5d37bcb0009297962137bfb6c6570e5af12)
(cherry picked from commit 9fdf49e8a501047b61a615ab1b4b133159ad76e1)
crypto: avoid warnings about too-long initializer strings
Mark `sigma` and `tau` as `__non_string`, to avoid warnings from clang
21 similar to:
sys/crypto/chacha20/chacha.c:53:31: error: initializer-string for character array is too long, array size is 16 but initializer has size 17 (including the null terminating character); did you mean to use the 'nonstring' attribute? [-Werror,-Wunterminated-string-initialization]
53 | static const char sigma[16] = "expand 32-byte k";
| ^~~~~~~~~~~~~~~~~~
sys/crypto/chacha20/chacha.c:54:29: error: initializer-string for character array is too long, array size is 16 but initializer has size 17 (including the null terminating character); did you mean to use the 'nonstring' attribute? [-Werror,-Wunterminated-string-initialization]
54 | static const char tau[16] = "expand 16-byte k";
| ^~~~~~~~~~~~~~~~~~
MFC after: 3 days
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D54364
(cherry picked from commit 710ec409dffed3306ced253bba85dbdc7758510b)
netmap: Let memory allocator parameters be settable via loader.conf
This is useful when dev.netmap.port_numa_affinity is set to 1. When
interfaces attach, they get a memory allocator that is copied from
nm_mem. Parameters in nm_mem can be set using sysctls, but this happens
after their values are copied.
To work around this, we can make it possible to set these memory
parameters as tunables.
Reviewed by: vmaffione
MFC after: 1 week
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54178
(cherry picked from commit c694122f3cfb7d52b882fa79086d49f45a2c7fd2)
pfsync: Avoid zeroing the state export union
pfsync_state_export() takes a pointer to a union that is in reality a
pointer to one of the three state formats (1301, 1400, 1500), and zeros
the union. The three formats do not have the same size, so zeroing is
wrong when the format isn't that which has the largest size.
Refactor a bit so that the zeroing happens at the layer where we know
which format we're dealing with.
Reported by: CHERI
Reviewed by: kp
MFC after: 1 week
Sponsored by: CHERI Research Centre (EPSRC grant UKRI3001)
Differential Revision: https://reviews.freebsd.org/D54163
(cherry picked from commit 796abca7e281f0d4b7f72f48da4f941e1c8b139c)
divert: Use a jenkins hash to select the target socket
Using the pf state ID turned out to be a bad choice: we store the
big-endian representation of a global counter, so low bits are typically
zero.
divert: Define semantics for SO_REUSEPORT_LB on divert sockets
Allow SO_REUSEPORT_LB to be set on divert sockets. If set, then bind()
will add the socket to a "load-balancing group". When a divert-to rule
matches a port with an associated group, the corresponding state ID is
used to select a specific socket from the group. Packets without an
associated state are simply forwarded to the first socket in the group.
This implementation is simple but has some caveats, the main one being
that if sockets are added to the group while flows are being processed,
the size of the group will change and this changes the mapping of state
IDs to sockets. So, to get a consistent mapping, the divert socket
application must bind all of its sockets before any traffic is processed
by pf.
pf: Rationalize the ip_divert_ptr test
If a rule has a divert port set, then we can reasonably predict that
ipdivert.ko is loaded, and in particular that ip_divert_ptr is set.
Moreover, in this case, if ipdivert.ko is not loaded we should just drop
the packet instead of ignoring the divert rule.
No functional change intended.
ipdivert: Use CK_SLISTs for the divcb hash table
The hash table is accessed in ip_divert_packet(), and there the accesses
are synchronized only by the net epoch, so plain SLIST is not safe.
rtsold: check RA lifetime before triggering the one-shot always script
Historic context: rtsold is used by *sense to get a router address which
wasn't originally the daemon's purpose. We only ever get the first address
per interface lifetime so if the RA contains an invalid router with a zero
lifetime and we catch it we cannot get a valid one ever again.
This is suboptimal in a number of ways, but the obvious way to deal with
this is to ignore all RA messages from routers that do not advertise a
default route.
PR: https://github.com/opnsense/core/issues/9551
