pf: Document broadcast/multicast forwarding through route-to
pf_route() and pf_route6() forward broadcast and multicast traffic
when a route-to rule matches, without any check against the output
interface's broadcast domain. This is a deliberate property of the
route option code path, but it is not documented and the workaround
is non-obvious.
Document the behavior in pf.conf(5) with example block-out rules on
the target interface, scoped with the received-on qualifier so that
only forwarded traffic is dropped while the router's own broadcast
and multicast traffic continues to pass.
Add regression tests covering the full broadcast/multicast and
forwarded/local matrix on both IPv4 and IPv6.
Reviewed by: glebius, kp
Approved by: kp (mentor)
MFC after: 1 week
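A worked pf.conf fragment illustrating the block-out rules the commit describes, as an added example that is not the text of the pf.conf(5) change itself. The interface names em0/em1, the gateway 192.0.2.1 and the internal network are assumptions; the point is that route-to forwards broadcast and multicast unconditionally, so the egress interface needs explicit block rules, scoped with received-on so that only forwarded traffic is dropped.

```pf
# Assumed topology (not from the commit): hosts behind $int_if are
# forwarded through the gateway $gw reachable via $ext_if.
ext_if = "em0"
int_if = "em1"
gw     = "192.0.2.1"

# route-to forwards every packet that matches, including broadcast and
# multicast, with no check against $ext_if's broadcast domain.
pass in quick on $int_if route-to ($ext_if $gw) from $int_if:network to any

# Drop forwarded broadcast/multicast before it leaves $ext_if.
# received-on restricts the match to packets that arrived on $int_if,
# so broadcast/multicast the router itself originates on $ext_if
# (e.g. NDP on ff02::/16 or DHCP discovery) has no receive interface
# and still passes.
block out quick on $ext_if inet  from any to 255.255.255.255   received-on $int_if
block out quick on $ext_if inet  from any to $ext_if:broadcast received-on $int_if
block out quick on $ext_if inet  from any to 224.0.0.0/4       received-on $int_if
block out quick on $ext_if inet6 from any to ff00::/8          received-on $int_if

pass out quick on $ext_if
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it. The same four block rules are needed on every interface that a route-to rule can select as output; a block rule without received-on would also stop the router's own broadcast and multicast on that interface, which is the trap the commit message warns about.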
ctld: Move the pidfile handle out to a global variable
This ensures it will be destroyed (removing the associated pidfile)
anytime the process exits, including from exit(3) calls. This fixes
a few places that would "leak" the pidfile on certain errors.
This also removes the need for some convoluted logic where
configuration objects would hand-off ownership of the pidfile handle
from the old configuration to the new configuration.
Reviewed by: asomers
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D56527
ctld: Ports without a portal group are not dummy ports
The default implementation of is_dummy should return false. Only
portal group ports should possibly return true.
PR: 293076
Reported by: Ken J. Thomson <thomsonk at yandex.com>
Fixes: 6acc7afa34aa ("ctld: Convert struct port to a hierarchy of C++ classes")
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D56524
kern: mac: sprinkle a bit of const correctness
mpc_name and mpc_fullname are string literals in correct usage, so they
should really be const instead.
mpc_ops aren't typically const, but the framework shouldn't be doing
anything to clobber it; thus, good to constify it as a reminder.
Switch to using a slightly more semantically correct `void **` in the
fastpath bits while we're here, since we only do arithmetic on the outer
layer of pointer and compare the inner to a pointer-typed (NULL).
Reviewed by: bapt
Differential Revision: https://reviews.freebsd.org/D55702
kern: vfs: add MAC checks for mount/unmount/update
The unmount check is straightforward and only really needs the
struct mount and flags used, in case a MAC policy wants to reject
force-unmounts or do special handling for FSID-based unmounts.
The mount check offers as much information as I think might be of
interest to a MAC policy: the vnode to be mounted on, vfsconf, and
applicable mount options. XNU also has a later version that just takes
a struct mount for everything that VFS_MOUNT() has to offer, but my
draft policy doesn't need any of that. It also doesn't really need the
unmount check, but it seems reasonable to add it while I'm here.
The update check similarly passes the flags/options for the operation,
along with the struct mount and label.
Reviewed by: kib, olce
Differential Revision: https://reviews.freebsd.org/D55601
security/strongswan: Enable ML plugin by default to allow Post-Quantum Key Exchange Methods
Currently ML-DSA (used for Digital Signatures) is a draft in strongswan
(ETA Version 6.1.0 or later). So CNSA 2.0 cannot be fully supported yet.
https://linux-ipsec.org/slides/2025/steffen-pqc-auth-for-ikev2.pdf
But most firewalls (Palo Alto / Fortigate) already support ML-KEM Key
Exchange in addition to standard proposals.
E.g. aes128gcm16-ecp256-ke1_mlkem512.
More details:
https://docs.strongswan.org/docs/latest/config/proposals.html
PR: 294305
Approved by: strongswan at Nanoteq.com (maintainer, timeout 2 weeks)
Sponsored by: UNIS Labs
(cherry picked from commit fb347f77757066e2bc0989fd66c8f02c9bf862d9)
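A swanctl.conf fragment showing the hybrid proposal named in the commit in use, as an added example rather than configuration from the port or the strongSwan project. Addresses, identities, certificate names and traffic selectors are assumptions; using the same proposal for the CHILD_SA (esp_proposals) is an assumption as well. Authentication stays on classic public-key signatures because, as the commit notes, ML-DSA is still a draft in strongSwan.

```conf
# Assumed gateway-to-gateway tunnel (not from the commit). ML-KEM as an
# additional key exchange needs the ml plugin, which the port now
# enables by default.
connections {
    pq-tunnel {
        version      = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20

        # Classic ECDH over P-256, then ML-KEM-512 as the first
        # additional key exchange, exactly the proposal the commit cites.
        proposals = aes128gcm16-ecp256-ke1_mlkem512

        # Classic signature authentication: ML-DSA is not available yet.
        local {
            auth  = pubkey
            certs = gateway-a.pem
        }
        remote {
            auth = pubkey
            id   = "CN=gateway-b"
        }

        children {
            site-net {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                # Assumed: mirror the hybrid proposal for PFS on rekey.
                esp_proposals = aes128gcm16-ecp256-ke1_mlkem512
            }
        }
    }
}
```

Run `swanctl --list-algs` after restarting charon to confirm that ML-KEM appears among the key exchange methods; if the ml plugin is not loaded, the proposal is rejected at load time rather than silently downgraded, which is the behaviour you want when the peer (for example a Palo Alto or Fortinet firewall) is expected to negotiate the hybrid exchange.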