OPNSense/src d8322a6 sys/netpfil/pf pf.c pf_mtag.h

pf: avoid passing through dummynet multiple times

In some setups we end up with multiple states created for a single
packet, which in turn can mean we run the packet through dummynet
multiple times. That's not expected or intended. Mark each packet when
it goes through dummynet, and do not pass packet through dummynet if
they're marked as having already passed through.

See also:       https://redmine.pfsense.org/issues/14854
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D44365
Delta File
+4 -0  sys/netpfil/pf/pf.c
+1 -1  sys/netpfil/pf/pf_mtag.h
+5 -1  2 files

OPNSense/src 72ff6bd sys/netpfil/pf pf.c

pf: fix dummynet + route-to for IPv6

Apply the fixes from c6f1116357904 and b8ef285f6cc6a to IPv6 as well.

Ensure that when dummynet re-injects it does so in the correct direction, and
uses the correct dummynet pipes.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta File
+22 -0  sys/netpfil/pf/pf.c
+22 -0  1 files

OPNSense/src 0b16335 sys/netpfil/pf pf.c

pf: fix dummynet + route-to

Ensure that we pick the correct dummynet pipe (i.e. forward vs. reverse
direction) when applying route-to.

We mark the processing as outbound so that dummynet will re-inject in
the correct phase of processing after it's done with the packet, but
that will cause us to pick the wrong pipe number. Reverse them so that
the incorrect decision ends up picking the correct pipe.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D44366
Delta File
+21 -5  sys/netpfil/pf/pf.c
+21 -5  1 files

OPNSense/src 85bec3c sys/netpfil/pf pf.c

pf: ensure dummynet gets the correct direction after route-to

If we apply a route-to to an inbound packet pf_route() may hand that
packet over to dummynet. Dummynet may then delay the packet, and later
re-inject it. This re-injection (in dummynet_send()) needs to know
if the packet was inbound or outbound, to call the correct path for
continued processing.

That's done based on the pf_pdesc we pass along (through
pf_dummynet_route() and pf_pdesc_to_dnflow()). In the case of pf_route()
on inbound packets that may be wrong, because we're called in the input
path, and didn't update pf_pdesc->dir.

This can manifest in issues with fragmented packets. For example, a
fragmented packet will be re-fragmented in pf_route(), and if dummynet
makes different decisions for some of the fragments (that is, it delays
some and allows others to pass through directly) this will break.

The packets that pass through dummynet without delay will be transmitted

    [15 lines not shown]
Delta File
+6 -0  sys/netpfil/pf/pf.c
+6 -0  1 files

OPNSense/src b578125 sys/netpfil/pf pf.c

pf: SCTP abort messages fully close the connection

As per RFC (RFC4960 section 3.3.7) an ABORT terminates the connection fully. We
should move the state to CLOSED rather than CLOSING.

Suggested by:   Oliver Thomas
See also:       https://redmine.pfsense.org/issues/15924
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta File
+2 -2  sys/netpfil/pf/pf.c
+2 -2  1 files

OPNSense/src f10f826 sys/netlink netlink_snl.h

netlink: in snl_init_writer() don't overwrite error in case of failure

PR:     290050
(cherry picked from commit 488718ff42346888243496c00cbeb42ba004171e)
Delta File
+3 -3  sys/netlink/netlink_snl.h
+3 -3  1 files

OPNSense/src 2487dc2 sbin/ipfw ipfw2.c

ipfw: Remove more unused IP_FW_* cases

All of the do_cmd() calls are in dummynet.c and specify the socket
option at compile time; none of these removed cases are used in ipfw
after the v3 work.

Reviewed by:    markj
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53378

(cherry picked from commit 0e2e0fb955adf15a217949bc4cc337d53d2c7259)
(cherry picked from commit 6b1e5d4d20a94b5bebd726eb6d1df8dca2738f8e)
Delta File
+1 -5  sbin/ipfw/ipfw2.c
+1 -5  1 files

OPNSense/src 39feb3a sbin/ipfw ipfw2.c

ipfw: Remove IP_DUMMYNET_GET case

IP_DUMMYNET_GET is no longer used in ipfw(1).

Reviewed by:    markj
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53348

(cherry picked from commit 28e52dea96809c7904e498759ee1f79bda929a82)
(cherry picked from commit 73c105268cc6138015241b080bc7945c6cde0fa6)
Delta File
+1 -1  sbin/ipfw/ipfw2.c
+1 -1  1 files

OPNSense/src 41d43ad sbin/ipfw ipfw2.c

ipfw: Correct error message

The failed allocation in the error pertains to IP_FW_XADD, not
IP_FW_ADD.

Reviewed by:    ae
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53359

(cherry picked from commit 498e56142660c8dd864c878e820252358c9a15cf)
(cherry picked from commit c22437c8b574878241a3c897a095ae6939e66743)
Delta File
+1 -1  sbin/ipfw/ipfw2.c
+1 -1  1 files

OPNSense/src f7c13f3 sbin/ipfw dummynet.c

ipfw: Update warning/error setsockopt references

Dummynet v3 switched to IP_DUMMYNET3 but did not update these
warnings/errors.

Fixes: cc4d3c30ea28 ("Bring in the most recent version of ipfw and dummynet, developed")
Sponsored by:   The FreeBSD Foundation
Differential Revision: sbin/ipfw/ipfw2.c

(cherry picked from commit 1f95a517880bae5fc0a9fe4463a8f2ec36ed734a)
(cherry picked from commit a5dd21c7dd1f3c8103c2fc6a1caa5635d70671aa)
Delta File
+2 -2  sbin/ipfw/dummynet.c
+2 -2  1 files

OPNSense/src 14882c5 sys/dev/e1000 if_em.c e1000_osdep.h

igb(4): Fix out-of-bounds register access on VFs

Virtual Functions have access to a limited number of registers,
and their bus space size is lower. Use KASSERT to detect out-of-bounds
access and eliminate them to avoid kernel panics in production
environments.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>

Reviewed by:    jmg
Tested by:      mateusz.moga_intel.com
Approved by:    kbowling (mentor), erj (mentor)
Sponsored by:   Intel Corporation
Differential Revision:  https://reviews.freebsd.org/D52976

(cherry picked from commit 2c02e6ca7154593d214b62578f67d9fe7db23d70)
Delta File
+47 -36  sys/dev/e1000/if_em.c
+33 -13  sys/dev/e1000/e1000_osdep.h
+80 -49  2 files

OPNSense/src f8b7905 sys/dev/ice ice_drv_info.h

ice(4): Add support for E835-XXV-4 adapter

Add subdevice ID and branding string for E835-XXV-4
adapter.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>

Approved by:    kbowling (mentor), erj (mentor)
Sponsored by:   Intel Corporation
Differential Revision:  https://reviews.freebsd.org/D53319

(cherry picked from commit 09b48f811b4bf3a17485680b4720d1c0a81bbe07)
Delta File
+3 -0  sys/dev/ice/ice_drv_info.h
+3 -0  1 files

OPNSense/src 7c85688 sys/dev/ice ice_drv_info.h ice_devids.h

ice(4): Add PCI IDs for E835 devices

Add device IDs and branding strings for E835 adapters.
This is a follow up for E830 adapters with Security Protocol
and Data Model (SPDM) support and RDMA support available
on 100 and 200Gbps links.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>

Approved by:    kbowling (mentor), erj (mentor)
Sponsored by:   Intel Corporation
Differential Revision:  https://reviews.freebsd.org/D52782

(cherry picked from commit b202176dc76d862f886778439b96dd1243d8b999)
Delta File
+39 -0  sys/dev/ice/ice_drv_info.h
+18 -0  sys/dev/ice/ice_devids.h
+9 -0  sys/dev/ice/ice_common.c
+66 -0  3 files

OPNSense/src a920739 sys/dev/igc if_igc.c

igc(4): Fix a typo in a sysctl description

- s/Recevied/Received/

(cherry picked from commit defe77554d134964d7c197a2f3ca552778e8b41a)
Delta File
+1 -1  sys/dev/igc/if_igc.c
+1 -1  1 files

OPNSense/src def59b6 sys/dev/ixgbe ixgbe_e610.c ixgbe_type_e610.h

ix/ixv: Add support for new Intel Ethernet E610 family devices

This is part 1 of the support for the new Intel Ethernet E610 family of devices.

Introduce new PCI device IDs:
• 57AE: Intel(R) E610 (Backplane)
• 57AF: Intel(R) E610 (SFP)
• 57B0: Intel(R) E610 (10 GbE)
• 57B1: Intel(R) E610 (2.5 GbE)
• 57B2: Intel(R) E610 (SGMII)

Key updates for E610 family:
• Firmware manages Link and PHY
• Implement new CSR-based Admin Command Interface (ACI) for SW-FW interaction
• Tested exclusively for x64 operating systems on E610-XT2/XT4 (10G) and E610-IT4 (2.5G)
• Enable link speeds above 1G: 2.5G, 5G and 10G
• NVM Recovery Mode and Rollback support

Signed-off-by: Yogesh Bhosale yogesh.bhosale at intel.com

    [9 lines not shown]
Delta File
+5,567 -0  sys/dev/ixgbe/ixgbe_e610.c
+2,278 -0  sys/dev/ixgbe/ixgbe_type_e610.h
+205 -26  sys/dev/ixgbe/if_ix.c
+224 -0  sys/dev/ixgbe/ixgbe_e610.h
+68 -1  sys/dev/ixgbe/ixgbe_type.h
+31 -0  sys/dev/ixgbe/ixgbe_osdep.h
+8,373 -27  10 files not shown
+8,458 -36  16 files

OPNSense/src aa1fce8 sys/dev/ixl ixl_pf_main.c if_ixl.c

ixl(4): fix multicast promiscuous mode state tracking and filter management

This change reapplies the improvements from commit 89e7335 and adds
additional fixes and code optimizations on top of it.

The ixl driver supports up to 128 multicast filters in hardware. When this
limit is exceeded, the driver should enable multicast promiscuous mode.
When the count drops below 128, it should disable promiscuous mode and
restore individual filters.

The driver previously had problems that could corrupt the multicast filter list.
The main issue was that ixl_dis_multi_promisc() would attempt to disable
promiscuous mode without checking if it was actually enabled, potentially
corrupting existing filters. There was also no state tracking across driver
functions, leading to redundant operations.

This change adds an IXL_FLAGS_MC_PROMISC flag to track the multicast
promiscuous mode state. The flag is set when enabling promiscuous mode and
cleared when disabling it. Early return checks prevent redundant operations

    [12 lines not shown]
Delta File
+94 -16  sys/dev/ixl/ixl_pf_main.c
+25 -2  sys/dev/ixl/if_ixl.c
+1 -0  sys/dev/ixl/ixl.h
+120 -18  3 files

OPNSense/src 747d7b2 sys/dev/virtio/network if_vtnet.c

vtnet: don't provide VIRTIO_NET_HDR_F_DATA_VALID

According to section 5.1.6.2.1 of version 1.3 of the virtio
specification, the driver MUST NOT set VIRTIO_NET_HDR_F_DATA_VALID in
the flags. So don't do that.

Reviewed by:            Timo Völker
Differential Revision:  https://reviews.freebsd.org/D53650

(cherry picked from commit 836b3cd9d7910aff5225e9e58189067ca03fae30)
Delta File
+1 -6  sys/dev/virtio/network/if_vtnet.c
+1 -6  1 files

OPNSense/src c3ae6f4 sys/dev/virtio/network if_vtnet.c

vtnet: fix enabling/disabling tso

Transmit segment offloading depends on transmit checksum offloading.
Enforce that constraint. This also fixes a bug, since if_hwassist bits
are from the CSUM_ space, not from the IFCAP_ space.

PR:                     290773
Reviewed by:            Timo Völker
Tested by:              lg at efficientip.com
Differential Revision:  https://reviews.freebsd.org/D53629

(cherry picked from commit 4c50ac68166caf7e08c5a9984d63fa91490fa50d)
Delta File
+24 -4  sys/dev/virtio/network/if_vtnet.c
+24 -4  1 files

OPNSense/src db57e94 sys/net/altq altq_fairq.c altq_cbq.c

altq: Clear stats structures in get_class_stats()

These structures are copied out to userspace, and it's possible to leak
uninitialized stack bytes since these routines and their callers weren't
careful to clear them first.  Add memsets to avoid this.

Reported by:    Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by:    kp, emaste
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D53342

(cherry picked from commit ff08916e9ac689e6ce734de72325fc2bd9495a35)
Delta File
+2 -0  sys/net/altq/altq_fairq.c
+2 -0  sys/net/altq/altq_cbq.c
+2 -0  sys/net/altq/altq_priq.c
+6 -0  3 files

OPNSense/src 1c57156 sys/net if.c

net: Validate interface group names in ioctl handlers

The handlers were not checking that the group names are nul-terminated.
Add checks for this.

Reported by:    Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by:    zlei
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D53344

(cherry picked from commit 32919a34f17ac1af99dec7376f22a8393c251602)
Delta File
+26 -8  sys/net/if.c
+26 -8  1 files

OPNSense/src 320050e sys/net if_vxlan.c

if_vxlan: fix byteorder of source port

Fix the htons byteorder of vxlan packets after
`vxlan_pick_source_port` picks a source port during encapsulation.

Reviewed by:    zlei, kp, adrian
Differential Revision:  https://reviews.freebsd.org/D53022

(cherry picked from commit 1cc316727ebae157b3d035d9fb1ad38310a80698)
Delta File
+2 -2  sys/net/if_vxlan.c
+2 -2  1 files

OPNSense/src 3251fe6 sys/conf files, sys/modules/dummynet Makefile

ipfw: Retire obsolete compat code

The current IPFW version 3 dates to 2010 (commit cc4d3c30ea28, "Bring in
the most recent version of ipfw and dummynet, developed").

The compat code for FreeBSD 8 and earlier has a number of issues and is
no longer needed, so remove it.

Reported by:    Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by:    ae, glebius
Relnotes:       Yes
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53343

(cherry picked from commit c59aab9a5b3970b3ccec744f759e6cb87e938dbe)
(cherry picked from commit 9657c50cdd7741404d99881fdd9243175086ede1)
Delta File
+0 -849  sys/netpfil/ipfw/ip_dn_glue.c
+27 -69  sys/netpfil/ipfw/ip_dummynet.c
+1 -9  sys/netpfil/ipfw/ip_dn_private.h
+0 -4  sys/netinet/raw_ip.c
+1 -2  sys/modules/dummynet/Makefile
+0 -1  sys/conf/files
+29 -934  6 files

OPNSense/src ffedf88 sys/netpfil/ipfw/pmod tcpmod.c

ipfw: pmod: avoid further rule processing after tcp-mod failures

m_pullup() here will have freed the mbuf chain, but we pass back an
IP_FW_DENY without any signal that the outer loop should finish.  Thus,
rule processing continues without an mbuf and there's a chance that we
conclude that the packet may pass (but there's no mbuf remaining)
depending on the rules that follow it.

PR:             284606
Reviewed by:    ae

(cherry picked from commit c0382512bfce872102d213b9bc2550de0bc30b67)
Delta File
+16 -9  sys/netpfil/ipfw/pmod/tcpmod.c
+16 -9  1 files

OPNSense/src b7c3332 sys/netpfil/pf if_pfsync.c, tests/sys/netpfil/pf/ioctl validation.c

pf: improve add state validation

Both for the DIOCADDSTATE ioctl and for states imported through pfsync packets.
Add a test case to exercise this code path.

Reported by:    Ilja Van Sprundel <ivansprundel at ioactive.com>
MFC after:      3 days
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit faacc0d968816cf8714c974b6d8df6191cfb0e0d)
Delta File
+26 -0  tests/sys/netpfil/pf/ioctl/validation.c
+3 -0  sys/netpfil/pf/if_pfsync.c
+29 -0  2 files

OPNSense/src 61338a0 sys/netpfil/pf pf_ioctl.c, tests/sys/netpfil/pf/ioctl validation.c

pf: improve DIOCRCLRTABLES validation

Unterminated strings in the anchor or name could cause crashes.
Validate them, and add a test case.

Reported by:    Ilja Van Sprundel <ivansprundel at ioactive.com>
MFC after:      3 days
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 1da3c0ca5b1decaa9cf55859cd134bdcd1218116)
Delta File
+33 -0  tests/sys/netpfil/pf/ioctl/validation.c
+11 -0  sys/netpfil/pf/pf_ioctl.c
+44 -0  2 files

OPNSense/src e598d78 usr.sbin/bsdinstall/partedit part_wizard.c

partedit: make minimum FreeBSD install size just under 1 GiB

1 GiB is a convenient disk image size for testing.  It is also the
installer's minimum size, but the minimum applies to the partition
rather than the whole disk.  Testing with a 1 GiB image resulted in the
counterintuitive error "There is not enough free space on <disk> to
install FreeBSD (1.0 GB free, 1.0 GB required)."

Reduce the installer's minimum size slightly to support this case.

Reviewed by:    brd
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D38881

(cherry picked from commit 57e12d397387542b13f175d4c0b8b5adca198690)
Delta File
+1 -1  usr.sbin/bsdinstall/partedit/part_wizard.c
+1 -1  1 files

OPNSense/src 2c24992 usr.sbin/bsdinstall/scripts zfsboot

bsdinstall: Use fat32 EFI system partition for ZFS

This is consistent with other operating systems and with bsdinstall's
UFS config and with bsdinstall's ZFS config prior to commit
0b7472b3d8d2.

PR:             290857
Fixes: 0b7472b3d8d2 ("Mount the EFI system partition (ESP) on newly-installed systems.")
Reviewed by:    imp
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53642

(cherry picked from commit 4109cdf0f817162cf3032aa589dd180dfa910025)
(cherry picked from commit 65e347d315449e8c28dbcb0c5bb64f79d822d024)
Delta File
+1 -1  usr.sbin/bsdinstall/scripts/zfsboot
+1 -1  1 files

OPNSense/src 9e40826 usr.sbin/bsdinstall/partedit gpart_ops.c

bsdinstall: Fix newfs bsddialog menu

The second and third members of struct bsddialog_menuitem are `bool on`
and `unsigned int depth`. The newfs dialog options in bsdinstall's
partition tool had these two swapped, so the default selection did not
work.

PR: 290857
Reviewed by: asiciliano
Fixes: 50e244964e9b ("bsdinstall/partedit: Replace libdialog with libbsddialog")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53639

(cherry picked from commit 4e36942420712c2ab6ebc2c646e61d47b2b68e7b)
(cherry picked from commit 980aa8d4cfdf57a1f99401fa4160c0d82c927d7c)
Delta File
+7 -7  usr.sbin/bsdinstall/partedit/gpart_ops.c
+7 -7  1 files

OPNSense/src 8684f75 sys/netpfil/ipfw dn_sched_fq_codel.c

dummynet: move these excessive logging messages under debug output
Delta File
+3 -2  sys/netpfil/ipfw/dn_sched_fq_codel.c
+3 -2  1 files

OPNSense/src 35d39cd stand/efi/loader main.c bootinfo.c

Revert "stand: add EFI support for mmio serial consoles"

This reverts commit 56b85fc10c2a83e59820860f2446bbfbb2edfdf4.
Delta File
+0 -18  stand/efi/loader/main.c
+0 -8  stand/efi/loader/bootinfo.c
+0 -26  2 files