fix iwx(4) issues related to roaming and PMF and firmware crypto keys
Avoid a fatal firmware error on Bz firmware (and perhaps MA?) by removing
crypto keys from firmware before removing the AP firmware station.
Also improve roaming behaviour when PMF is enabled. We must send the deauth
frame to the old AP properly encrypted, so do this before keys get removed.
Thanks to Johannes Berg for deciphering firmware SYSASSERT code 0x0000251B.
ok kettenis@
Some content improvements:
* Describe more precisely how the FUSE open() operation works instead
of vaguely hinting that there are differences to other operating systems.
* Move the sentence about O_CREAT and O_TRUNC after the flags argument
has been introduced, and mark it up properly.
* Describe the symlink() operation more clearly.
OK helg@
Implement missing pieces of FIDO/webauthn signature support, mostly
related to certificate handling and enable acceptance of this
signature format by default. bz3748 GHPR624 GHPR625
Feedback tb / James Zhang; ok tb
revert "use pf_states to link mbufs/inpcbs and forwarded connections together"
Pedro Caetano on bugs@ has a setup that triggers the kasserts in
pf_state_link_reverse().
Retire ACTION_SET_NEXTHOP_REF, ACTION_PFTABLE_ID, and ACTION_RTLABEL_ID
With the filter_set & rde_filter_set_elm split there is no more need
to have extra types for nh_ref and id objects. Struct filter_set no
longer needs to hold nh_ref and id and rde_filter_set_elm only uses
id and nh_ref. rde_filterset_conv() takes care of the conversion.
Removes a lot of code that was just there to ensure that no unexpected
type sneaks through.
OK tb@
Improve rde_apply_set() performance by changing filter_sets in the RDE.
Switch away from a linked list of filter_set elements and instead use
an array of stripped down rde_filter_set_elm elements. As a result
rde_apply_set() becomes more efficent since the CPU is no longer waiting
all the time for memory accesses.
Introduce a new way to send and recv the imsgs for IMSG_FILTER_SET.
There is a send and receive function in the new bgpd_imsg.c file that
is also used by bgpctl. The receive function is a lot more strict
and on top of this add imsg_check_filterset() which validates messages
sent on the control socket before passing them on.
OK tb@
the advice about using sysconf(_SC_PAGESIZE) is nuts, noone should
actively go about changing existing code in such a pointless way.
also, remove the archaic reference to sbrk.
discussion with enh @ google
Use correct bit mask for mcu command field.
Both the vendor and Linux drivers store the mcu command in the cmd
field of the mcu tx descriptor, which is 7 bits wide.
ok hastings@
Export divert sockets from kernel to sysctl.
To show divert-packet sockets in netstat(1), the kernel has to
include the information about the divert and divert6 tables in
sysctl KERN_FILE_BYFILE.
reported by William B. OK mvs@ sthen@
rpki-client: rename cert_parse() into cert_parse_filemode()
Now that we added more specialized parsing functions, cert_parse() should
only be used in filemode. Make this more explicit by adjusting its name.
Keep the magic der == NUL check for now for consistency with the other API
parsing a cert from its DER.
ok claudio
Move more bits around to simplify the filter_set refactor.
Introduce rde_filter_dup() that takes care of duplicating a filter rule
with all depenencies.
Check that peer_apply_out_filter() does not return an old list for new
peers. This can't happen but it is one of those where a check makes
sense.
Move rde_l3vpn_import() to rde_filter.c since it works on a
struct filter_set to match against communities.
OK tb@
pfctl(9) with '-nvf ...' option must provide output which
matches pfctl grammar. This change fixes that for rules that
use source/state limiters.
The change also makes print_rule() to print the limiter name
instead of its numeric id to make output more human friendly.
Feedback and improvements from dlg@
OK dlg2
Update libexpat to version 2.7.4.
Relevant for OpenBSD are security fixes #1131 #1075, bug fixes
#1073, other changes #1105 #1106 #1051 #1109. Library bump is not
necessary. CVE-2026-24515CVE-2026-25210
tested and OK tb@
tweak previous:
* make struct fuse_args argument name consistent
* change some ellipses into complete sentences
* add a missing word
* use .Vt for a type name
* use .Fa for struct member names
* use "or" instead of "and" below RETURN VALUES
* add the missing fuse_mount(3) below SEE ALSO
qwx: update ni_rssi from ACK frame RSSI in tx completion
The hardware reports ack_rssi in the tx completion status when data
frames are acknowledged. Update ni_rssi with this value so ifconfig
reports accurate signal strength from the data path.
Like Linux ath11k, check WMI_TLV_SERVICE_HW_DB2DBM_CONVERSION_SUPPORT
to determine if the value is already in dBm or needs noise floor
adjustment. ACK frames may be sent with higher power than beacons,
providing a more accurate RSSI reading during active data transfer.
ok stsp@
