blocklist: blacklist: Chase recent upstream changes
Upstream introduced an extra column in blocklistctl(8) to display the
name of the rule associated in the database entry.
It is intended to avoid confusion when seemingly duplicate locations
appear in the output of the blocklistctl dump command. Especially when
users are transitioning from the old nomenclature to the new one.
The latest patches will not be fully backported to blacklistctl(8), to
avoid breaking current scripts that may be parsing its output. Also we
are slowly preparing to feature-freeze everything related to blacklist.
Approved by: re (cperciva)
MFC: 2 days
(cherry picked from commit eae98e28a0e17f625e29f9849a4dc655636d9164)
(cherry picked from commit cd284c1e17eab4884cf4bc9479e8272af527f6b7)

libpfctl: Fix displaying deeply nested anchors
Set the number of rulesets (i.e., anchors) directly attached to the
anchor and its path in pfctl_get_ruleset().
While here, add a test to document this behavior.
Approved by: re (cperciva)
PR: 290478
Reviewed by: kp
Fixes: 041ce1d690f1 ("pfctl: recursively flush rules and tables")
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D53358
(cherry picked from commit a943a96a50ba7e9d1e1935bdd18df0e11d158acb)
(cherry picked from commit 1c8a554f757de06f64e6fd0d86fc674a215ee314)

jail: fix a regression that creates zombies when removing dying jails
When adding jail descriptors, I split sys_jail remove in two, and
didn't properly track jail held between them when a jail was dying.
This fixes that as well as cleaning up the logic behind it.
Approved by: re (cperciva)
PR: 290217
Reported by: David 'equinox' Lamparter <equinox at diac24.net>
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53200
(cherry picked from commit 78f70d4ff9dd4af2318b25023a7f55be7402ec60)
(cherry picked from commit 2d3c6a06edc3919455d1152f4ffaa60697e2c4f2)

ipfw: Remove more unused IP_FW_* cases
All of the do_cmd() calls are in dummynet.c and specify the socket
option at compile time; none of these removed cases are used in ipfw
after the v3 work.
Approved by: re (cperciva)
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53378
(cherry picked from commit 0e2e0fb955adf15a217949bc4cc337d53d2c7259)
(cherry picked from commit 6b1e5d4d20a94b5bebd726eb6d1df8dca2738f8e)

ipfw: Update warning/error setsockopt references
Dummynet v3 switched to IP_DUMMYNET3 but did not update these
warnings/errors.
Approved by: re (cperciva)
Fixes: cc4d3c30ea28 ("Bring in the most recent version of ipfw and dummynet, developed")
Sponsored by: The FreeBSD Foundation
Differential Revision: sbin/ipfw/ipfw2.c
(cherry picked from commit 1f95a517880bae5fc0a9fe4463a8f2ec36ed734a)
(cherry picked from commit a5dd21c7dd1f3c8103c2fc6a1caa5635d70671aa)

cam: Bump deprecated sysctl removal to 16
The descriptions for these unmapped_io and rotating sysctls indicated
that they're deprecated and being removed for FreeBSD 15.0. That did
not happen, so update to FreeBSD 16 instead.
Approved by: re (cperciva)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit e93db9abc9a62d662c40d783663d64cdb829a0cc)
(cherry picked from commit 469ab88d107c05ab533a15d4014d1a97b5a13c86)

netmap: Fix error handling in nm_os_extmem_create()
We bump the object reference count prior to mapping it into the kernel
map, at which point the vm_map_entry owns the reference. Then, if
vm_map_wire() fails, vm_map_remove() will release the reference, so we
should avoid decrementing it in the error path.
Approved by: re (cperciva)
Reported by: Ilja van Sprundel <ivansprundel at ioactive.com>
Reviewed by: vmaffione
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53066
(cherry picked from commit dfc1041c08ba32f24b8050b4d635a0bbbfd9b767)
(cherry picked from commit 6e1f47765d3cf425b2b0e56d79f38b94aa107e71)

pt: Switch to swi(9)
The pt hwt(4) backend uses NMIs to receive updates about the latest
tracing buffer offsets from the tracing hardware. However, it uses
taskqueue(9) to schedule the bottom-half handler. This can lead to
a panic since the taskqueue(9) code isn't aware it's being called
from an NMI context and uses the regular scheduling interfaces.
Fix this by scheduling the bottom-half handler using swi(9) and the
SWI_FROMNMI flag.
Approved by: re (cperciva)
Fixes: 310162ea218a
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D52491
(cherry picked from commit 96d82d2d133acaf8effa2e3aee546276e39ff9f2)
(cherry picked from commit 56b4719076b654726a9d40144e3fa7917d2a4376)

sys/arm: add fp[gs]et* prototypes to <ieeefp.h>
We have provided implementations for hard float of these for
a while now. Add them to the header to make things official.
This is required for a bunch of legacy programs in ports.
Approved by: re (cperciva)
Approved by: markj (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53156
(cherry picked from commit a8079d40ae7f3cee17c94e61e43c24780a64a010)
(cherry picked from commit af39e511ee158edc469f2f73aaa5bc5af872c747)

sys/arm64: fix COMPAT_FREEBSD32 __syscall()
It seems like _QUAD_LOWWORD was incorrectly expanded into 1,
which is correct for big endian but not little endian. This
means we always grab the padding word for the syscall number,
which is usually 0, causing SIGSYS to be delivered to the caller.
Reintroduce _QUAD_LOWWORD to fix the syscall.
Approved by: re (cperciva)
PR: 290411
MFC after: 1 week
Discussed with: jrtc27
Reviewed by: cognet, emaste
Approved by: markj (mentor)
Fixes: 8c9c3144ccfa3061879b8cec015ee7d1010e4766
Differential Revision: https://reviews.freebsd.org/D53250
(cherry picked from commit 1ca09538d94273601dac08204c1d0b3ca9115864)
(cherry picked from commit c824960b89af082e5f083c0c4f141965d203eaa1)
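
The endianness slip described in the sys/arm64 commit above, modelled in user space as an added example (not code from the FreeBSD tree). The helper names, the two-slot model of a 64-bit syscall number and the sample number 20 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the byte order a 32-bit ABI uses. */
enum byte_order { ORDER_LITTLE, ORDER_BIG };

/* Index of the low 32 bits of a 64-bit quad split into two 32-bit slots
 * (the role _QUAD_LOWWORD plays in the commit message). */
static int quad_lowword(enum byte_order o) { return o == ORDER_LITTLE ? 0 : 1; }

/* Model: lay a 64-bit syscall number into two argument slots the way a
 * 32-bit caller of the given byte order would. The high word is padding. */
static void pack_quad(uint64_t code, enum byte_order o, uint32_t slots[2])
{
    slots[quad_lowword(o)] = (uint32_t)code;
    slots[1 - quad_lowword(o)] = (uint32_t)(code >> 32);
}

/* Same layout, but taken from the host's real in-memory representation. */
static enum byte_order host_order(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first ? ORDER_LITTLE : ORDER_BIG;
}
static void pack_quad_native(uint64_t code, uint32_t slots[2])
{
    memcpy(slots, &code, sizeof(code));
}

/* Buggy decode: low-word index hard-coded to 1 (only right on big endian). */
static uint32_t syscall_code_hardcoded(const uint32_t slots[2]) { return slots[1]; }

/* Fixed decode: index chosen from the byte order. */
static uint32_t syscall_code_lowword(const uint32_t slots[2], enum byte_order o)
{
    return slots[quad_lowword(o)];
}

int main(void)
{
    uint32_t slots[2];
    pack_quad(20, ORDER_LITTLE, slots);   /* 20 is a constructed sample number */
    printf("little endian: hardcoded=%u lowword=%u\n",
        syscall_code_hardcoded(slots), syscall_code_lowword(slots, ORDER_LITTLE));
    pack_quad_native(20, slots);
    printf("host layout:   lowword=%u\n", syscall_code_lowword(slots, host_order()));
    return 0;
}
```

On a little-endian layout the hard-coded index reads the padding word instead of the syscall number, which is the failure the commit message describes.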

tcp: improve credential handling in syncache
When adding a syncache entry, take a reference count of the
credentials while the inp is still locked.
Thanks to markj@ for providing a hint regarding the root cause.
Approved by: re (cperciva)
Reported by: David Marker
Reviewed by: glebius
Tested by: David Marker
Fixes: cbc9438f0505 ("tcp: improve ref count handling when processing SYN")
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D53380
(cherry picked from commit 44cb1e857f048d2326bdc1a032ccd2c04d2bcdc9)
(cherry picked from commit 9611bf2fed71ca62161249630f98e7eac06eff6b)