lang/gnat1[2-4]: Restore check-phase
lang/gnat12,13, and 14:
* After PR 294657, restore the testing target check-phase, move the if
conditional on ${UID} != 0 below the GNAT Ports' internal _ marked
variables, and drop bsd.port.options.mk, and terminate the Port with
bsd.port.post.mk over bsd.port.mk
* Add fix for rpath (PR 292708)
* Move ${PIE_UNSAFE} to the correct block (portclippy)
* Move gettext-runtime from ${USES} to ${NLS_USES}
* Regroup internal variables and sort
* Remove ${EXTRACT_CMD} from aarch64 specific section syncing with the update
to the Ports Mk infrastructure (D57295) which by default now uses
LC_ALL=en_US.UTF-8 in the environment
* Sort ${GNU_CONFIGURE_PREFIX}
* Specific to GNAT-12, follow GNAT-13 and 14's use of ${MASTER_SITE_GCC}
in ${MASTER_SITES}; sort the architecture specific ${PLIST_SUB} entries
PR: 295872
[4 lines not shown]
Firewall: NAT: Source NAT: Add migration for Outbound NAT into Source NAT page (#10373)
Firewall: add Source NAT mode bridge and outbound NAT migration
Reflect legacy `nat.outbound.mode` into the Firewall MVC model as volatile
`general.snat_mode` and expose it in the new Source NAT view. Persist the value
back into the legacy configuration through `serializeToConfig()` using a scoped
general-section setter to avoid unrelated model validation.
Adjust the Source NAT grid output based on the selected mode. Automatic and
hybrid modes include synthetic automatic rule rows for display purposes, while
advanced mode only shows manual rules and disabled mode hides the grid.
Extend the migration assistant with an outbound NAT migration tab and add a
configd exporter for legacy `nat.outbound.rule` entries. Exported rows
use empty UUIDs so imports create fresh MVC rule identifiers.
Add missing Source NAT parity fields for `tag` and `nosync`, include them in
generated rows, and export them from legacy outbound NAT rules.
[22 lines not shown]
editors/vscode: Add patches to fix build error of keytar node module with clang 21
The error in question was:
CXX(target) Release/obj.target/keytar/src/async.o
In file included from ../src/async.cc:4:
../node_modules/node-addon-api/napi.h:1147:39: error: in-class initializer for static data member is not a constant expression
1147 | static const napi_typedarray_type unknown_array_type = static_cast<napi_typedarray_type>(-1);
| ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../node_modules/node-addon-api/napi.h:1147:60: note: integer value -1 is outside the valid range of values [0, 15] for the enumeration type 'napi_typedarray_type'
1147 | static const napi_typedarray_type unknown_array_type = static_cast<napi_typedarray_type>(-1);
| ^
1 error generated.
PR: 295862
Reported by: Alexey Shuvaev <bugsbeastie at gmail.com>
databases/mongosh: Fix build with node 24.16
Recent node update made
scripts/nodejs-patches/008-windows-tcp-connect-crash-fix-node-62561.patch
redundant and now it fails to apply.
PR: 295587
Approved by: blanket (fix build)
Sponsored by: UNIS Labs
divert: Avoid using atomic_(load|store)_(acq|rel)_16
It's not implemented on some arches. Use a plain int to count the
number of sockets in a divert lbgroup.
Reported by: Jenkins
Fixes: 895a0ae67fe2 ("divert: Define semantics for SO_REUSEPORT_LB on divert sockets")
axgbe: XXX leftovers to figure out
axgbe: several patches from 22.1 not yet present in FreeBSD
axgbe: remove old annotations and a bit of whitespace cleanup
This is a stub from applying f45a2d1e5a + b9eca9d898 on top of
the upstreamed changes. The enable_rss remove is correct and
looks like an oversight in the upstreaming. About the others
I'm not sure but since we have them on file here we can discuss
and rearrange.
axgbe: LED control for A30 platform
Since the I/O expander chip does not do a reset when soft power
cycling, the driver will first turn off all LEDs when initializing,
although no specific routine seems to be called when powering down.
This means that the LEDs will stay on until the driver has booted up,
after which the driver will be in a consistent state.
rss: add sysctl enable toggle
This commit also includes the original refactoring changes
This change allows the kernel to operate with the default netisr cpu-affinity settings while having RSS compiled in. Normally, RSS changes quite a bit of the behaviour of the kernel dispatch service - this change allows for reducing impact on incompatible hardware while preserving the option to boost throughput speeds based on packet flow CPU affinity.
Make sure to compile the following options in the kernel:
options RSS
As well as setting the following sysctls:
net.inet.rss.enabled: 1
net.isr.bindthreads: 1
net.isr.maxthreads: -1 (automatically sets it to the number of CPUs)
And optionally (to force a 1:1 mapping between CPUs and buckets):
net.inet.rss.bits: 3 (for 8 CPUs)
[5 lines not shown]
divert: Define semantics for SO_REUSEPORT_LB on divert sockets
Allow SO_REUSEPORT_LB to be set on divert sockets. If set, then bind()
will add the socket to a "load-balancing group". When a divert-to rule
matches a port with an associated group, the corresponding state ID is
used to select a specific socket from the group. Packets without an
associated state are simply forwarded to the first socket in the group.
For now I only pass a state ID from pf, as I couldn't see a useful
identifier on the ipfw side.
This implementation is simple but has a caveat, that being that if
sockets are added to the group while flows are being processed, the size
of the group will change and this changes the mapping of state IDs to
sockets. So, to get a consistent mapping, the divert socket application
must bind all of its sockets before any traffic is diverted by the
firewall.
Reviewed by: glebius
MFC after: 1 month
[3 lines not shown]
axgbe: gracefully handle i2c bus failures
In (unknown) situations it seems the i2c bus can have trouble,
while nothing about the current link state has changed, the driver
would react by going into a link down state, and start busylooping
on up to 4 cores. Even if there was a valid link, such spinning
on a cpu by a kernel thread would wreak havoc to existing and
new connections.
This patch does the following:
1. If such a bus failure occurs, we keep the last known link state.
2. Prevent busy looping by implementing the lockmgr() facility to
be able to sleep while the i2c code waits on the i2c ISR. We cap
this with a timeout.
3. Pin the admin queues to the last CPU in the system, to prevent
other scenarios where busy looping might occur from landing on CPU
0, which especially seems to cause a lot of issues.
Given the design constraints both in hardware and in software,
[9 lines not shown]
rtsold: check RA lifetime before triggering the one-shot always script
Historic context: rtsold is used by *sense to get a router address which
wasn't originally the daemon's purpose. We only ever get the first address
per interface lifetime so if the RA contains an invalid router with a zero
lifetime and we catch it we cannot get a valid one ever again.
This is suboptimal in a number of ways, but the obvious way to deal with
this is to ignore all RA messages from routers that do not advertise a
default route.
PR: https://github.com/opnsense/core/issues/9551
pf|ipfw|netinet6?: shared IP forwarding
This removes the if_output calls in the pf(4) code that escape further
processing by defering the forwarding execution to the network stack
using on/off style sysctls for both IPv4 and IPv6.
Also see: https://reviews.freebsd.org/D8877
pf: backport changes around the following commit #242
commit 49f39043a02d6011c1907e1b07eb034652a1269c
Author: phessler <phessler at openbsd.org>
Date: Fri Apr 28 14:08:34 2023 +0000
Relax the "pass all" rule so all forms of neighbor advertisements are allowed
in either direction.
This more closely matches the IPv4 ARP behaviour.
From sashan@
discussed with kn@ deraadt@
dummynet: passin after dispatch
Based on a patch originally found in m0n0wall, expanded
to IPv6 and aligned with FreeBSD's IP input path.
The limit may not be correctly accounted for on the WAN
interface due to dummynet counting the packet again even
though it was already processed.
The problem here is that there's no proper way to reinject
the packet at the point where it was previously removed
from so we make the assumption that ip input was already
done (including pfil) and more or less directly move to
packet output processing.
While here move the passin label up to take the extra check
but avoiding a second label. Also remove the spurious tag
read for forward check since we don't use it and we should
really trust the mbuf flag.
libfetch: allow use of SSL_CRL_VERIFY
Since the default store already points to /etc/ssl/certs and the
CRLs are hashed there too it is trivial to bring libfetch applications
to verifying the CRLs contained when doing a SSL connection.
libfetch: ignore the error of an absence of a CRL
... when passing SSL_CRL_FILE / SSL_CRL_VERIFY.
The situation isn't ideal, but since we don't know what we are going to deal
with the situation is tricky. It's especially pointless in scenarios of
pkg multi-repo cases where we need to deal wit a mixed bag of URLs during
the same context. For the benefit of the doubt print the appropriate message
for the user to see.
In general it would be a bit safer if we could enforce the existence of a
CRL distribution point as a mandatory CRL check and the others as an optional
one with the warning as printed for the user to see. It would also need a
[18 lines not shown]
