FreeBSD/src 860c84b  sys/net pfvar.h, sys/netpfil/pf pf_ioctl.c pf.c

pf: Stop using net_epoch to synchronize access to eth rules

Commit 20c4899a8eea4 modified pf_test_eth_rule() to not acquire the
rules read lock, so pf_commit_eth() was changed to wait until the
now-inactive rules are no longer in use before freeing them.  In
particular, it uses the net_epoch to schedule callbacks once the
inactive rules are no longer visible to packet processing threads.

However, since commit 812839e5aaaf4, pf_test_eth_rule() acquires the
rules read lock, so this deferred action is unneeded.  This patch
reverts a portion of 20c4899a8eea4 such that we avoid using deferred
callbacks to free inactive rules.

The main motivation is performance: epoch_drain_callbacks() is quite
slow, especially on busy systems, and its use in the DIOCXBEGIN handler
in particular causes long stalls in relayd when reloading configuration.

Reviewed by:    kp
MFC after:      2 weeks

Delta     File
+3 -29    sys/netpfil/pf/pf_ioctl.c
+3 -6     sys/netpfil/pf/pf.c
+0 -1     sys/net/pfvar.h
+6 -36    3 files

FreeBSD/src 6342298  sbin/ipfw ipfw2.c

ipfw: make 'ipfw show' output compatible with 'ipfw add' command

If the rule was added in compact form and the rule body is empty, print
the 'proto ip' opcode to be compatible with the ipfw(8) syntax parser.

  Before:
  $ ipfw add allow proto ip
  000700 allow
  After:
  $ ipfw add allow proto ip
  000700 allow proto ip

(cherry picked from commit 706a03f61bbb6e0cf10e6c3727966495b30d763e)
Delta     File
+7 -0     sbin/ipfw/ipfw2.c
+7 -0     1 files

FreeBSD/src fd258b6  sbin/ipfw ipfw2.c

ipfw: make 'ipfw show' output compatible with 'ipfw add' command

If the rule was added in compact form and the rule body is empty, print
the 'proto ip' opcode to be compatible with the ipfw(8) syntax parser.

  Before:
  $ ipfw add allow proto ip
  000700 allow
  After:
  $ ipfw add allow proto ip
  000700 allow proto ip

(cherry picked from commit 706a03f61bbb6e0cf10e6c3727966495b30d763e)
Delta     File
+7 -0     sbin/ipfw/ipfw2.c
+7 -0     1 files

FreeBSD/src dbbcbaa  sys/netpfil/pf pf.c

pf: Cut down on if statements around pf_icmp_state_lookup

Checked with blambert@, OK millert, henning

Obtained from:  OpenBSD, mikeb <mikeb at openbsd.org>, 12e5d1443d
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+17 -22   sys/netpfil/pf/pf.c
+17 -22   1 files

FreeBSD/src 5dad98d  sys/netpfil/pf pf.c

pf: remove redundant argument from pf_icmp_state_lookup()

We already pass struct pf_pdesc to pf_icmp_state_lookup(). There's no need to
also pass the direction.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+10 -14   sys/netpfil/pf/pf.c
+10 -14   1 files

FreeBSD/src 94bf6a4  sys/netpfil/pf pf.c

pf: Cleanup leftover PF_ICMP_MULTI_* code that is not needed anymore.

ok henning

Obtained from:  OpenBSD, mikeb <mikeb at openbsd.org>, ecdc46e922
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+17 -19   sys/netpfil/pf/pf.c
+17 -19   1 files

FreeBSD/src 27cb332  sys/netpfil/pf pf_norm.c

pf: micro-optimise padding check

In most cases, IP fragments do not have Ethernet padding.  So
add a condition to save a useless call to m_adj() and have a paranoid
length check in the other cases.

OK henning@

Obtained from:  OpenBSD, bluhm <bluhm at openbsd.org>, fcf0d61153
Obtained from:  OpenBSD, chris <chris at openbsd.org>, ebe64b684c
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+4 -2     sys/netpfil/pf/pf_norm.c
+4 -2     1 files

FreeBSD/src 08d0120  usr.sbin/bsnmpd/modules/snmp_pf pf_snmp.c

snmp_pf: fix rules->label use

We now support multiple labels on a rule, so 'rule' is an array of strings, not
just one string. Adjust the check for 'is there a label?'.

CID:            1471808
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+1 -1     usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
+1 -1     1 files

FreeBSD/src 207f938  usr.sbin/bsnmpd/modules/snmp_pf pf_snmp.c

snmp_pf: address Coverity remarks about time_t

On most platforms time_t is 64 bits wide, but we assign it to 32-bit
variables. Unfortunately these are SNMP fields that are defined to be 32 bits
wide, so we cannot change this. We are similarly unable to prevent the passage
of time, meaning that time_t must remain 64 bits wide as well.

Explicitly cast to tell Coverity that we're aware of these limitations and do
not wish to be reminded of them.

CID:            1553869
CID:            1557025
CID:            1592232
CID:            1592234
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+4 -4     usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
+4 -4     1 files

FreeBSD/src 71cf410  share/man/man5 pf.conf.5

pf.conf.5: a shot at documenting the changed log(matches) semantics

Obtained from:  OpenBSD, henning <henning at openbsd.org>, eb4e49a617
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+4 -2     share/man/man5/pf.conf.5
+4 -2     1 files

FreeBSD/src 83f9b68  share/man/man5 pf.conf.5

pf.conf.5: Don't use greater-equal/less-equal symbols where "<="/">=" are intended.

Also, clean up some usage of predefined strings (which are discouraged by
mandoc_char(7) for portability reasons) and improve spacing in
hostapd.conf(5).

ok schwarze@

Obtained from:  OpenBSD, bentley <bentley at openbsd.org>, e369c2e695
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+49 -49   share/man/man5/pf.conf.5
+49 -49   1 files

FreeBSD/src 1ba1e15  sys/net if_pflog.h pfvar.h, sys/netpfil/pf pf.c if_pflog.c

pf: make log(matches) more useful

change log(matches) semantics slightly to make it more useful. since it
is a debug tool, the change of semantics is not considered problematic.
up until now, log(matches) forced logging on subsequent matching rules;
the actual logging used the log settings from that matched rule.
now, log(matches) causes subsequent matches to be logged with the log settings
from the log(matches) rule. in particular (this was the driving point),
log(matches, to pflog23) allows you to have the trace log going to a separate
pflog interface, not clobbering your regular pflogs, actually not affecting
them at all.
long conversation with bluhm about it, which didn't lead to a single bit
changed in the diff but was very very helpful. ok bluhm as well.

Obtained from:  OpenBSD, henning <henning at openbsd.org>, f61b1efcce
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+30 -11   sys/netpfil/pf/pf.c
+7 -4     sys/netpfil/pf/if_pflog.c
+3 -3     sys/netpfil/pf/pf_norm.c
+2 -2     sys/net/if_pflog.h
+1 -1     sys/net/pfvar.h
+43 -21   5 files

FreeBSD/src 3c0a0de  share/man/man5 pf.conf.5

pf.conf.5: rephrase log() documentation

after some discussion with henning, document the various log options as
one section; some text was altered to make it read better;

ok henning

Obtained from:  OpenBSD, jmc <jmc at openbsd.org>, cea6f9db1f
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+33 -23   share/man/man5/pf.conf.5
+33 -23   1 files

FreeBSD/src 921c9c7  tests/sys/netpfil/pf pflog.sh

pf tests: test new log(matches) behaviour

Ensure that a log(matches, to pflog1) sends all future matches to pflog1.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+60 -1    tests/sys/netpfil/pf/pflog.sh
+60 -1    1 files

FreeBSD/src 8754ba5  sbin/pfctl pfctl_table.c

pfctl: Rewrite to avoid using union sockaddr_union

ok mikeb

Obtained from:  OpenBSD, deraadt <deraadt at openbsd.org>, 8717211fe3
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta     File
+16 -11   sbin/pfctl/pfctl_table.c
+16 -11   1 files

FreeBSD/src cf82a0d  sys/arm/conf ASUS_AC1300

ASUS_AC1300: add storage device options

This adds the required bits for the installed NAND/NOR chips.

Differential Revision:  https://reviews.freebsd.org/D49028
Delta     File
+14 -0    sys/arm/conf/ASUS_AC1300
+14 -0    1 files

FreeBSD/src 9f32893  sys/dev/qcom_ess_edma qcom_ess_edma.c qcom_ess_edma_hw.c

qcom_ess_edma: Add the IPQ4018/IPQ4019 ethernet MAC/MDIO driver.

This adds the ESS EDMA driver introduced by the IPQ4018/IPQ4019.

It provides a number of transmit and receive rings which can be mapped
into virtual ethernet devices, which this driver supports.

It's partially integrated into the ar40xx etherswitch which supplies
the port and some filtering/VPN offload functionality. This driver
only currently supports the per-port options which allow for the
virtual ethernet driver mapping.

This was written by reverse engineering the functionality of the
ethernet switch and ethernet driver support provided by Qualcomm
Atheros via their OpenWRT contributions.  The code is all originally
authored by myself.

Differential Revision:  https://reviews.freebsd.org/D49027
Delta      File
+985 -0    sys/dev/qcom_ess_edma/qcom_ess_edma.c
+752 -0    sys/dev/qcom_ess_edma/qcom_ess_edma_hw.c
+514 -0    sys/dev/qcom_ess_edma/qcom_ess_edma_rx.c
+462 -0    sys/dev/qcom_ess_edma/qcom_ess_edma_gmac.c
+454 -0    sys/dev/qcom_ess_edma/qcom_ess_edma_tx.c
+429 -0    sys/dev/qcom_ess_edma/qcom_ess_edma_reg.h
+3,596 -0  9 files not shown
+4,560 -0  15 files

FreeBSD/src ac2cbb4  . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version

Approved by:    so
Delta     File
+5 -0     UPDATING
+1 -1     sys/conf/newvers.sh
+6 -1     2 files

FreeBSD/src 4b8a2f7  crypto/openssh sshd_config sshd_config.5

ssh: Bump VersionAddendum for CVE fixes

Security:       FreeBSD-SA-25:05.openssh
Approved by:    so
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 62df41ae0a71e77ccb1e8fae06d82eec5dff441a)
(cherry picked from commit 24ce323f020fb1ee1b463e524a7a6c15f47ec2a4)
Delta     File
+1 -1     crypto/openssh/sshd_config
+1 -1     crypto/openssh/sshd_config.5
+1 -1     crypto/openssh/version.h
+3 -3     3 files

FreeBSD/src f389e68  . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version.

Approved by:    so
Delta     File
+5 -0     UPDATING
+1 -1     sys/conf/newvers.sh
+6 -1     2 files

FreeBSD/src fe49460  crypto/openssh sshd_config sshd_config.5

ssh: Bump VersionAddendum for CVE fixes

Security:       FreeBSD-SA-25:05.openssh
Approved by:    so
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 62df41ae0a71e77ccb1e8fae06d82eec5dff441a)
(cherry picked from commit 24ce323f020fb1ee1b463e524a7a6c15f47ec2a4)
Delta     File
+1 -1     crypto/openssh/sshd_config
+1 -1     crypto/openssh/sshd_config.5
+1 -1     crypto/openssh/version.h
+3 -3     3 files

FreeBSD/src 27f132c  . UPDATING, sys/conf newvers.sh

Add updating entries and bump version.

Approved by:    so
Delta     File
+5 -0     UPDATING
+1 -1     sys/conf/newvers.sh
+6 -1     2 files

FreeBSD/src 14c733f  crypto/openssh version.h sshd_config.5

ssh: Bump VersionAddendum for CVE fixes

Security:       FreeBSD-SA-25:05.openssh
Approved by:    so
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 62df41ae0a71e77ccb1e8fae06d82eec5dff441a)
(cherry picked from commit 24ce323f020fb1ee1b463e524a7a6c15f47ec2a4)
(cherry picked from commit 2fc62d0bd4f7ca90d7abdfaf076dd49022bf7d54)
Delta     File
+1 -1     crypto/openssh/version.h
+1 -1     crypto/openssh/sshd_config.5
+1 -1     crypto/openssh/ssh_config
+1 -1     crypto/openssh/ssh_config.5
+1 -1     crypto/openssh/sshd_config
+5 -5     5 files

FreeBSD/src 469f61e  crypto/openssh ssh-agent.c sshconnect2.c

ssh: Fix cases where error codes were not correctly set

Obtained from:  OpenSSH 38df39ecf278
Security:       CVE-2025-26465
Security:       FreeBSD-SA-25:05.openssh
Approved by:    so
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
(cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404)
(cherry picked from commit 8c67967cb14b0ab7e26ffa9ab6cef470a154e030)
Delta     File
+5 -0     crypto/openssh/ssh-agent.c
+4 -1     crypto/openssh/sshconnect2.c
+3 -1     crypto/openssh/krl.c
+3 -1     crypto/openssh/ssh-sk-client.c
+1 -0     crypto/openssh/sshsig.c
+16 -3    5 files

FreeBSD/src c57fcc2  crypto/openssh packet.c

ssh: Don't reply to PING in preauth phase or during KEX

Obtained from:  OpenSSH 5e07dee272c3
Security:       CVE-2025-26466
Security:       FreeBSD-SA-25:05.openssh
Approved by:    so
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 8a16d0831e70530b2fbd682e748bd051de35f192)
(cherry picked from commit 34798cb576bbd2064ab8da372112482bf8e2a7e6)
(cherry picked from commit 3ea366f74475132a743f8667ecafe4a091a29d48)
Delta     File
+9 -1     crypto/openssh/packet.c
+9 -1     1 files

FreeBSD/src 3053f92  crypto/openssh ssh-agent.c sshconnect2.c

ssh: Fix cases where error codes were not correctly set

Obtained from:  OpenSSH 38df39ecf278
Security:       CVE-2025-26465
Security:       FreeBSD-SA-25:05.openssh
Approved by:    so
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
(cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404)
Delta     File
+5 -0     crypto/openssh/ssh-agent.c
+4 -1     crypto/openssh/sshconnect2.c
+3 -1     crypto/openssh/ssh-sk-client.c
+3 -1     crypto/openssh/krl.c
+1 -0     crypto/openssh/sshsig.c
+16 -3    5 files

FreeBSD/src 8d05406  crypto/openssh packet.c

ssh: Don't reply to PING in preauth phase or during KEX

Obtained from:  OpenSSH 5e07dee272c3
Security:       CVE-2025-26466
Security:       FreeBSD-SA-25:05.openssh
Approved by:    so
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 8a16d0831e70530b2fbd682e748bd051de35f192)
(cherry picked from commit 34798cb576bbd2064ab8da372112482bf8e2a7e6)
Delta     File
+9 -1     crypto/openssh/packet.c
+9 -1     1 files

FreeBSD/src 1920bab  crypto/openssh sshconnect2.c ssh-agent.c

ssh: Fix cases where error codes were not correctly set

Obtained from:  OpenSSH 38df39ecf278
Security:       CVE-2025-26465
Security:       FreeBSD-SA-25:05.openssh
Approved by:    so
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
(cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404)
Delta     File
+4 -1     crypto/openssh/sshconnect2.c
+5 -0     crypto/openssh/ssh-agent.c
+3 -1     crypto/openssh/ssh-sk-client.c
+3 -1     crypto/openssh/krl.c
+1 -0     crypto/openssh/sshsig.c
+16 -3    5 files

FreeBSD/src 3ae1969  crypto/openssh packet.c

ssh: Don't reply to PING in preauth phase or during KEX

Obtained from:  OpenSSH 5e07dee272c3
Security:       CVE-2025-26466
Security:       FreeBSD-SA-25:05.openssh
Approved by:    so
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 8a16d0831e70530b2fbd682e748bd051de35f192)
(cherry picked from commit 34798cb576bbd2064ab8da372112482bf8e2a7e6)
Delta     File
+9 -1     crypto/openssh/packet.c
+9 -1     1 files

FreeBSD/src b65e307  sys/netinet in_pcb.h in_pcb_var.h

inpcb: Move the definition of struct inpcblbgroup to in_pcb_var.h

It's only needed for in_pcb.c and in6_pcb.c, so can go to the private
header.

No functional change intended.

Reported by:    glebius
MFC after:      2 weeks
Sponsored by:   Klara, Inc.
Sponsored by:   Stormshield

(cherry picked from commit ca94f92c23fd09b28ac3398657ae2ae9367bcdf5)
Delta     File
+0 -22    sys/netinet/in_pcb.h
+22 -0    sys/netinet/in_pcb_var.h
+22 -22   2 files