ip: improve deferred computation of checksums
This patch adds the same functionality for the IPv4 header checksum
as was done erlier for the SCTP/TCP/UDP transport checksum.
When the IP implementation sends a packet, it does not compute the
corresponding checksum but defers that. It will determine whether the
network interface selected for the packet has the requested capability
and computes the checksum in software, if the selected network
interface does not have the requested capability.
Do this not only for packets being sent by the local IP stack, but
also when forwarding packets. Furthermore, when such packets are
delivered to a local IP stack, do not compute or validate the checksum,
since such packets have never been on the wire. This allows to support
checksum offloading also in the case of local virtual machines or
jails. Support for epair interfaces will be added in a separate commit.
Reviewed by: pouria, tuexen
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54455
lualoader: fix pruning of non-existent default kernel
Removing the kernel from the list of available kernels is sufficient to
avoid rendering it in the list, but we need more for booting to actually
work. Notably, the 'kernel' loader.conf var was left intact to its
default value, so if one didn't use the kernel selector in the menu then
we'd try to boot the nonexistent 'kernel' instead of the new default
(first autodetected).
There's room to improve the error messages here, but for now let's just
make it actually work correctly.
PR: 292232
Fixes: d04415c520b03 ("loader: lua: remove the default kernel [...]")
(cherry picked from commit e30086ab4c8778ea70a3b19e83546ce1b4a16492)
bectl: log modifying functions to zpool history
Modeled directly after the method used by the zfs/zpool commands: flag
commands with a "please log me" flag, and when there, reconstruct the
command line. On success, call the library function to add it to the
log.
(Majority of the change by Rob; minor edits by kevans@)
Signed-off-by: Rob Norris <rob.norris at klarasystems.com>
Co-authored-by: Kyle Evans <kevans at FreeBSD.org>
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
(cherry picked from commit 2a87929671e6e6919c18f2c25d60f2c73c3d18f4)
makedev(9): drop an additional note about cdevpriv dtors
These were previously somewhat safe to call destroy_dev(9), but will now
also cause a deadlock in the same fashion that d_close doing so would
previously. Amend the note to point it out, in case it's useful for
someone.
Reviewed by: imp, kib, markj
(cherry picked from commit 90314c04f10f583c37c59ec51fd628e3deaf3622)
libc: report _SC_NPROCESSORS_ONLN more accurately in cpu-limited jails
We don't support CPU hotplug, but we do support cpuset(8) restrictions
on jails (including prison0, which uses cpuset 1). The process cannot
widen its cpuset beyond its root set, so it makes sense to instead
report the number of cpus enabled there rather than the total number
in the system.
This change is effectively a nop for the majority of systems and jails
in the wild, though it does reduce the performance of this query now
that we can't take advantage of AT_NCPUS being provided in the auxinfo.
The implementation here is notably different than Linux, which would not
take cgroups into account. They do, however, take CPU hotplug into
account, so the possibility for it to diverge from (and be lower than)
the # configured count to reflect what the process can actually be
scheduled on doesn't really diverge in semantics.
Reviewed by: kib
[2 lines not shown]
libutil: defer setting the MAC label until after the login class
MAC policies, like mac_biba(4), may forbid changing the login class once
a label has been applied. For setting up the initial login context,
this isn't really expected and in-fact may break some class-based
configuration.
Defer setting the MAC label until after the login class is set, and
remove the requirement that we have a pwd entry since the label is
pulled from the login class -- we only use pwd for syslog in this path.
Patch is largely by Kevin Barry, with some modifications and this commit
message by kevans@.
PR: 177698
Reviewed by: des, olce
Co-authored-by: Kevin Barry <ta0kira gmail com>
(cherry picked from commit 98edcbcce0a4650084bd86e704cfa38bf590250c)
libc: fix description issues in mac_text(3)/mac_free(3)
mac_text(3) as-written would seem to indicate that a `mac_t` should be
freed with free(3), but this isn't the case. One can derive from
context from when the change was introduced and COMPATIBILITY that this
was intended to talk about *text in `mac_to_text`, so move the comment
there.
PR: 179832
Co-authored-by: Priit Järv <priit cc ttu ee>
(cherry picked from commit 081218b7a2006e5b6783e51f66fd751871ac1272)
mac(4): also list jails in the example enumeration of objects
The prison may also be considered part of the subject by way of its
ucred association, but I don't think this is significantly different
enough today than before recent work -- policies could have always
taken them into account, and some did (e.g., mac_bsdextended).
Reported by: olce
Reviewed by: olce, ziaee
Differential Revision: https://reviews.freebsd.org/D54748
jail(3): fix common usage after mac.label support
Nobody else's mac.conf(5) has any entries for jails, so they get a
trivial ENOENT and we fail before we can fetch any jail parameters.
Most notably, this breaks `jls -s` / `jls -n` if you do not have any
loaded policy that applies jail labels.
Add an entry that works for everyone, and hardcode that as an ENOENT
fallback in libjail to provide a smoother transition. This is probably
not harmful to leave in long-term, since mac.conf(5) will override it.
This unearthed one additional issue, in that mac_get_prison() in the
MAC framework handled the no-label-policies bit wrong. We don't want
to break jail utilities enumerating jail parameters automatically, so
we must ingest the label in all cases -- we can still use it as a small
optimization to avoid trying to copy out any label. We will break
things if a non-optional element is specified in the copied in label,
but that's expected.
[8 lines not shown]
pfctl(8): change default limiter action from no-match to block
pf(4) users who use limiters in current should update the rules
accordingly to reflect the change in default behavior. The existing
rule which reads as follows:
pass in from any to any state limiter test
needs to be changed to:
pass in from any to any state limiter test (no-match)
OK dlg@
Obtained from: OpenBSD, sashan <sashan at openbsd.org>, c600931321
Sponsored by: Rubicon Communications, LLC ("Netgate")
sctp: improve compilation as module
When compiling SCTP as a module, don't compile sctp_crc32.c into
the module. This avoids code and variable duplication since
sctp_crc32.c is compiled into the kernel. In particular, the variable
system_base_info is not duplicated. This fixes the handling of the
statistic counters sctps_sendhwcrc and sctps_sendswcrc when using
sctp_delayed_cksum.
MFC after: 3 days
HBSD: Disable WITNESS' checking of vnode locks
FreeBSD relatively recently changed how vnode locking works in the
kernel. There are a few places that still need to be updated.
HardenedBSD's use of filesystem extended attributes seems to trip
WITNESS vnode lock checking when ZFS is used. This causes a kernel
panic, which is more likely to be triggered during a package build.
So, for now, let's disable the vnode lock checks. I plan to revisit this
when I have more available time.
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>
grep/tests: Fix up the zgrep executable path in a newly added test
Fixes: da5d94d29a5e ("Remove obsolete BUGS section from zgrep(1) man page, add test")
(cherry picked from commit 045112f148fa092c92ec53204708f638b226ff8f)
Remove obsolete BUGS section from zgrep(1) man page, add test
I forgot to check/update the man page with D54217. While here add
a test for multiple -e flags.
Reviewed by: markj
Approved by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54632
(cherry picked from commit da5d94d29a5ec29817476c39ae2b2ad1666c3f06)
