param.h: Bump __FreeBSD_version for NFS api changes
Commits 171f66b0c2ca and 8e2a90ac8089 changed the internal
api between nfscommon.ko and the other nfs modules.
Bump __FreeBSD_version to 1500049 for this.
All NFS related modules must be rebuilt from up-to-date
sources.

pfctl: Use error label in host_if()
This brings it in line with host() and host_dns().
OK sashan miko
Obtained from: OpenBSD, kn <kn at openbsd.org>, d127311405
Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: Move AF-specific mask logic from callers into set_ipmask()
Instead of doing the same dance with every caller, check for user provided
mask or address family specific maximum inside the function itself.
Feedback and OK claudio
Obtained from: OpenBSD, kn <kn at openbsd.org>, c04427dd30
Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: Zap v4mask and v6mask in host()
Simply defer checks whether a mask has been specified to where it's set in
host_*(); this is to reduce address family specific code.
OK sashan
Obtained from: OpenBSD, kn <kn at openbsd.org>, 17e25e9423
Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: Zap bits in host_v4(), use mask parameter
This avoids a duplicate strrchr() call and makes the function consistent
with host_v6() regarding mask handling.
While here, use the destination's size in memcpy instead of hardcoding its
type.
OK sashan
Obtained from: OpenBSD, kn <kn at openbsd.org>, a7ede25358
Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: Simplify getaddrinfo() error handling
`error' is not used so drop it and jump to the end.
OK sashan
Obtained from: OpenBSD, kn <kn at openbsd.org>, da7f49d74e
Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: Move duplicate code into new helper print_addr_str()
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno
Obtained from: OpenBSD, kn <kn at openbsd.org>, 88d4e2f324
Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: Use strtonum in host()
This is simpler than checking three cases for `q' and gives nicer error
messages. While here, use `v6mask' as maximum netmask instead of hardcoding
it.
OK sashan
Obtained from: OpenBSD, kn <kn at openbsd.org>, e351e6cba3
Sponsored by: Rubicon Communications, LLC ("Netgate")

nfscl: Use delegation ACE when mounted with nocto
For NFSv4.1/4.2, there is an ACE in the delegation reply.
Without this patch, this ACE is ignored by the NFSv4 client.
This patch enables use of the ACE to avoid the need for
Access RPCs when the "nocto" option is specified.
This requires an NFSv4.1/4.2 server that does not reply
with a bogus ACE that is too generous w.r.t. access permissions.
Note that the recent commit 0d51adee3072 added use of the NFSv4
ACL for generation of the ACE in the reply. This patch might be
needed for this client change to work correctly if NFSv4 ACLs are
being used on the NFSv4.1/4.2 exported file systems.
This only affects NFSv4 mounts with the "nocto" mount option
and only if NFSv4 servers are issuing delegations with ACEs
that specify access. Some NFSv4 servers, such as the Linux
knfsd, reply with ACEs that do not allow any access, so this
patch has no effect for them.

gve: Add support for 4k RX Buffers when using DQO queue formats
This change adds support for using 4K RX Buffers when using DQO queue
formats when a boot-time tunable flag is set to true by the user.
When this flag is enabled, the driver will use 4K RX Buffer size either
when HW LRO is enabled or mtu > 2048.
Signed-off-by: Vee Agarwal <veethebee at google.com>
Reviewed by: markj, ziaee
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D50786
(cherry picked from commit 71702df6126226b31dc3ec66459388e32b993be1)

gve: Relax a static assertion
It's okay if MCLBYTES is larger than the default receive buffer size.
Fixes: 71702df61262 ("gve: Add support for 4k RX Buffers when using DQO queue formats")
(cherry picked from commit 3b4bc5d70e1c2066fcb6e8535941258c88999fa2)

namei: clear internal flags in NDREINIT()
same as it is done for NDRESTART()
Fixes: e05e33041c252
Reported and tested by: pho
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 58b2bd33aff71c0268d99d63e9c83f6544d3beb3)

vfs cache: Add NAMEILOOKUP to the whitelist of fastpath lookup flags
Otherwise the lockless name lookup path is inadvertently disabled since
NAMEILOOKUP isn't recognized.
Reviewed by: olce, kib
Fixes: 7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")
Differential Revision: https://reviews.freebsd.org/D50532
(cherry picked from commit f4158953007f557061d91f99d2374d48d8376cc6)

vfs: Don't clobber namei flags in vn_open_cred()
Otherwise NAMEILOOKUP is cleared. More generally it seems quite
surprising that the flags set by vn_open_cred() callers are not
automatically preserved. Modify open2nameif() such that it takes
already-set namei flags into account.
Reviewed by: olce, kib
Fixes: 7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")
Differential Revision: https://reviews.freebsd.org/D50531
(cherry picked from commit e05e33041c252dc236939683c01ca4b7b083562c)

linux: Fix usage of ptrace(PT_GET_SC_ARGS)
The native handler expects the argument to be a pointer to an array of 8
syscall arguments, whereas the emulation provided an array that holds up
to 6.
Handle this by adding a new range of Linuxulator-specific ptrace
commands. In particular, introduce PTLINUX_GET_SC_ARGS, which always
copies exactly six arguments. This fixes the problem and removes the
hack of checking the target thread ABI to decide whether to apply a
Linux-specific quirk to PT_GET_SC_ARGS.
Reviewed by: kib
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D50758
(cherry picked from commit 48a656c588f9fb995b9c524b57dd5febd9f69168)

namei: Make stackable filesystems check harder for jail roots
Suppose a process has its cwd pointing to a nullfs directory, where the
lower directory is also visible in the jail's filesystem namespace.
Suppose that the lower directory vnode is moved out from under the
nullfs mount. The nullfs vnode still shadows the lower vnode, and
dotdot lookups relative to that directory will instantiate new nullfs
vnodes outside of the nullfs mountpoint, effectively shadowing the lower
filesystem.
This phenomenon can be abused to escape a chroot, since the nullfs
vnodes instantiated by these dotdot lookups defeat the root vnode check
in vfs_lookup(), which uses vnode pointer equality to test for the
process root.
Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface. That
is, add a flag to indicate that containerof can be used to get the full
[9 lines not shown]

pfctl: Stop checking table commands for `create'
Tiny left over from 2003 when it was removed. Twist the logic by checking
for `show' and `test' to make it even simpler.
OK sashan henning
Obtained from: OpenBSD, kn <kn at openbsd.org>, 764778e2ff
Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: trade few 'goto unlock: for 'break' in pf_test()
OK mpi@, OK henning@, OK jca@
Obtained from: OpenBSD, sashan <sashan at openbsd.org>, 18b958d7c9
Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: remove STATE_LOOKUP
the STATE_LOOKUP macro made sense ages ago. It stopped making sense
when we moved most of the functionality into a function. g/c the macro
and just call the function. ok mpi jca
Obtained from: OpenBSD, henning <henning at openbsd.org>, 4fc68ab0d1
Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: use __func__ rather than hardcoding function names for errors
Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@
Obtained from: OpenBSD, krw <krw at openbsd.org>, a062aa9d6a
Sponsored by: Rubicon Communications, LLC ("Netgate")