pf: handle TTL expired during nat64
If the TTL (or hop limit) expires during nat64 translation we may
need to send the error message in the original address family (i.e.
pre-translation).
We'd usually handle this in pf_route()/pf_route6(), but at that point we
have already translated the packet, making it difficult to include it in
the generated ICMP message.
Check for this case in pf_translate_af() and send icmp errors directly
from it.
PR: 291527
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D54166
pf: relax sctp v_tag verification
pf was too strict when validating SCTP tags. When a server receives a
retransmitted INIT it will reply with a random initiate tag every time.
However, pf saves the first initiate tag and expects every subsequent INIT_ACK
retransmission to have the same tag. This is not the case, leading to endless
INIT/INIT_ACK cycles.
Allow the tag to be updated as long as we've not gone past COOKIE_WAIT.
Add a test case to verify this.
MFC after: 2 weeks
See also: https://redmine.pfsense.org/issues/16516
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit bc3b72ff48953551e0e8bd6e5a2c718ecd973285)
libpfctl: improve error handling
If we fail to open /dev/pf don't try to close it again. That would result in
errno getting overwritten by close(), hiding potentially useful information.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 238ad591da9eede122a708be925b6b6a20e9046b)
pf: relax sctp v_tag verification
pf was too strict when validating SCTP tags. When a server receives a
retransmitted INIT it will reply with a random initiate tag every time.
However, pf saves the first initiate tag and expects every subsequent INIT_ACK
retransmission to have the same tag. This is not the case, leading to endless
INIT/INIT_ACK cycles.
Allow the tag to be updated as long as we've not gone past COOKIE_WAIT.
Add a test case to verify this.
MFC after: 2 weeks
See also: https://redmine.pfsense.org/issues/16516
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit bc3b72ff48953551e0e8bd6e5a2c718ecd973285)
pf: relax sctp v_tag verification
pf was too strict when validating SCTP tags. When a server receives a
retransmitted INIT it will reply with a random initiate tag every time.
However, pf saves the first initiate tag and expects every subsequent INIT_ACK
retransmission to have the same tag. This is not the case, leading to endless
INIT/INIT_ACK cycles.
Allow the tag to be updated as long as we've not gone past COOKIE_WAIT.
Add a test case to verify this.
MFC after: 2 weeks
See also: https://redmine.pfsense.org/issues/16516
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit bc3b72ff48953551e0e8bd6e5a2c718ecd973285)
vm: Fix kstack alignment assertion
The expectation that the allocation will be aligned to the kstack size
only applies when allocating from a kstack arena, not when allocating a
non-standard size from the kernel arena.
MFC after: 1 week
Sponsored by: Klara, Inc.
Sponsored by: NetApp, Inc.
Fixes: 7a79d0669761 ("vm: improve kstack_object pindex calculation to avoid pindex holes")
Reviewed by: bnovkov, siderop1_netapp.com
Differential Revision: https://reviews.freebsd.org/D54171
bhyve: pci-uart needs to also set subclass and function
edk2 PciSioSerialDxe driver setup depends on subclass and function
being set, adding them does make it possible to access pci-uart
serial port from UEFI.
Reviewed by: corvink
Differential Revision: https://reviews.freebsd.org/D54167
Sponsored by: Edgecast Cloud LLC
aq(4): Use sys, not userland, headers
And remove some unused definitions.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D54152
bnxt.4: Adjust for recent HARDWARE
+ Adjust document description matching another terabit driver
+ Add BCM576XX family to DESCRIPTION, switch to XX notation
+ Add some model names, additional models, and improvements to HARDWARE
MFC after: 3 days
Reviewed by: sumit.saxena_broadcom.com (previous)
Differential Revision: https://reviews.freebsd.org/D54028
sockets: remove compat shim for divert(4)
All known software in ports had been addressed three years ago and the
shim stays in stable/14 and stable/15 for another couple years with its
printf(), so all ourliers are expected to conform before 16.0-RELEASE.
See 8624f4347e8133911b0554e816f6bedb56dc5fb3 for details.
LinuxKPI: 802.11: lock down the "txq_scheduled" tailq
For consistency rename the "scheduled_txqs" tailq to
"txq_scheduled" and add a lock per txq ("txq_scheduled_lock[]").
We use the "_bh" locking as this called from the device driver.
This fixes panics due to concurrent access to the tailq, especially
in between "first" and "remove" on the out-direction and between
"insert" and "elem_init" on the in-direction.
This was easily reproducible just running iperf3 at basic rates for
a few seconds to minutes with multiple chipsets, not only rtw89.
Sponsored by: The FreeBSD Foundation
PR: 290636
Reported by: arved, and others before
MFC after: 3 days
nvme: remove now-redundant consumer interface
Now that we've moved to newbus methods, we can delete this...
Sponsored by: Netflix
Reviewed by: dab
Differential Revision: https://reviews.freebsd.org/D54095
nvme: Use new method to do async notifications
Nothing uses these at the moment, but it would be useful to use in the
future so convert this functionality to an newbus function dispatch.
Sponsored by: Netflix
Reviewed by: dab
Differential Revision: https://reviews.freebsd.org/D51390
nvme_sim: Connect to events broadcast with nvme_if
Connect up the nvme_ns_* events. Copy code from old ways, as needed, and
refactor a little.
Sponsored by: Netflix
Reviewed by: dab
Differential Revision: https://reviews.freebsd.org/D51387
nvd: Attach as a child of nvme
Rather than registering as a consumer of the nvme controller, hook into
the child device and use that.
This is a small regression at the moment: we don't fail the device when
that happens at runtime.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D51385
nvme_sim: Attach as a child of nvme
Rather than registering as a consumer of the nvme controller, hook into
the child device and use that.
This is a small regression at the moment: we don't fail the device when
that happens at runtime, and we don't handle new namespaces when they
arrive (though that feature is currently fragile).
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D51384
nvme: Add child device for each controller
Step 1 in the move from registering consumers for NVMe drives to newbus
nvme drives:
Add a child device and attach them for each controller that we
initialize. Detach them when we detach the main device.
Sponsored by: Netflix
Reviewed by: dab
Differential Revision: https://reviews.freebsd.org/D51383
nvme: Nvme controller generated events
Interface for the nvme driver notifying its children of different
events: async notifications, namespace events and device failure. These
aren't yet connected.
Sponsored by: Netflix
Reviewed by: dab
Differential Revision: https://reviews.freebsd.org/D51386
sendfile: if sendfile_getobj() fails jump to the function epilogue
The functional change here is that *sent would be zeroed. Note that some
portable applications, e.g. OpenSSL, use a wrapper around our sendfile(2)
to make it more Linux-like. These wrappers are usually written in a
manner that expects *sbytes to always be initialized regardless of the
error code returned.
cam: decode and print direct accecss block device sense data
A more efficient way to include multiple bits of data in a sense
decriptor was defined in SBC4 in 2020. Decode and print it.
Sponsored by: Netflix
rc.d/ipfilter: ipfilter must be enabled for options to take
ipfilter options are erased and reset to default when ipfilter is
disabled. This results in nullifying options from rc.conf that were
previously set.
8d6feaaaa26f, which added this code, was incorrect as it was for a bug in
ipfilter 4.2.28 and no longer applies to ipfilter 5.1.2.
Fixes: 8d6feaaaa26f
(cherry picked from commit cc1e4aae5a67a20f3c0fff13612364e6e4404f93)
