OPNSense/src 3b44f6f sys/dev/bnxt/bnxt_en bnxt_dcb.c bnxt.h

bnxt_en: Retrieve maximum of 128 APP TLVs

It appears that the maximum number of APP TLVs supported by the hardware
is 128 according to D45005. Well, Daniel Porsch reported an issue, PR 284073,
which shows that the number can exceed the limit, causing an out-of-bounds
write to the on-stack allocated variable app[128], and the kernel panics.

Limit to 128 while retrieving APP TLVs.

PR:             284073
Reviewed by:    markj
Tested by:      Daniel Porsch <daniel.porsch at loopia.se>
Fixes:  35b53f8c989f bnxt_en: Add PFC, ETS & App TLVs protocols support
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D48589

(cherry picked from commit 3de231b4d956f7b9c22e31f75805030a417f7bf3)
Delta File
+10 -7  sys/dev/bnxt/bnxt_en/bnxt_dcb.c
+2 -1   sys/dev/bnxt/bnxt_en/bnxt.h
+1 -1   sys/dev/bnxt/bnxt_en/bnxt_sysctl.c
+1 -0   sys/dev/bnxt/bnxt_en/bnxt_mgmt.c
+14 -9  4 files

OPNSense/src 52bb088 sys/amd64/conf GENERIC.hints

Revert "amd64 GENERIC: Switch uart hints from "isa" to "acpi""

This reverts commit 74b9fc7adcf4afb1c3039267e338c3cfdf022957.
Delta File
+4 -2  sys/amd64/conf/GENERIC.hints
+4 -2  1 file

OPNSense/src 3e87bbe sbin/pfctl pfctl.c, tests/sys/netpfil/pf anchor.sh

pfctl: fix recursive printing of NAT rules

pfctl_show_nat() is called recursively to print nat anchors. This passes the
anchor path, but this path was modified by pfctl_show_nat(), leading to issues
printing the anchors.

Make a copy of the path ('npath') before we modify it. Ensure we do this
correctly by sprinkling in 'const', and add a test case to verify that we do now
print things correctly.

Reported by:    Thomas Pasqualini <thomas.pasqualini at orange.com>
MFC after:      2 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 58164dcb55d62ca73b5e550b8344bf61e2d8a47a)
Delta File
+46 -0   tests/sys/netpfil/pf/anchor.sh
+15 -14  sbin/pfctl/pfctl.c
+61 -14  2 files

OPNSense/src 8c6ca73 sys/net pfvar.h, sys/netpfil/pf pf.c

pf: Use a macro to get the hash row in pf_find_state_byid()

This seems a bit preferable to open-coding it.  No functional change
intended.

Reviewed by:    kp, glebius
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D49518

(cherry picked from commit 27f70efebf1d9424462f291e9d04e62272083aa7)
Delta File
+2 -1  sys/net/pfvar.h
+1 -1  sys/netpfil/pf/pf.c
+3 -2  2 files

OPNSense/src 5afe2ee sys/netinet6 ip6_fastfwd.c

netinet6: work around synchronization issue in dying netgraph device #207
Delta File
+7 -0  sys/netinet6/ip6_fastfwd.c
+7 -0  1 file

OPNSense/src d272089 tests/sys/netpfil/pf snmp.sh

pf tests: test table information export via snmp_pf

Event:          Tokyo Hackathon 202503

(cherry picked from commit 36586800803d24f1137d861bbaf487a6bde16a09)
Delta File
+52 -0  tests/sys/netpfil/pf/snmp.sh
+52 -0  1 file

OPNSense/src 2fa7d46 tests/sys/netpfil/pf snmp.sh bsnmpd.conf

pf tests: add a basic snmp_pf test case

Event:          Tokyo Hackathon 202503

(cherry picked from commit c849f533326026501c28cb2c344b16723862551a)
Delta File
+71 -0   tests/sys/netpfil/pf/snmp.sh
+47 -0   tests/sys/netpfil/pf/bsnmpd.conf
+5 -1    tests/sys/netpfil/pf/Makefile
+123 -1  3 files

OPNSense/src 04f6aed release/amd64 make-memstick.sh mkisoimages.sh, tools/boot install-boot.sh

Copy the new ia32 loader

This handles copying in install-boot.sh and bsdinstall's bootconfig.

install-boot.sh:
make_esp_file now optionally takes extra arguments so it can copy
multiple files. This is used by the amd64 release scripts.
make_esp_device also takes an extra optional argument for efibootname.
This is currently unused, but it can be used in the future to do
something like:
make_esp_device loader.efi bootx64
make_esp_device loader_ia32.efi bootia32

Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1098

(cherry picked from commit 599273f942b8dc6f957487bb28f36694dab9dad2)
Delta File
+38 -14  tools/boot/install-boot.sh
+22 -14  usr.sbin/bsdinstall/scripts/bootconfig
+6 -1    release/amd64/make-memstick.sh
+6 -1    release/amd64/mkisoimages.sh
+72 -30  4 files

OPNSense/src 41e3b49 sys/netpfil/pf pf.c

pf: improve pf_state_key_attach() error handling

If we fail to attach the stack key that means we've already attached the wire
key. That means the state could be found by other cores, and given that we then
free it, be used after free.
Fix this by not releasing the ID hashrow lock and key locks until after we've
removed the inserted key again, ensuring the state cannot be found by other
cores.

Reported by:    markj
Submitted by:   glebius
Reviewed by:    glebius, markj
MFC after:      3 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D49550
Delta File
+19 -6  sys/netpfil/pf/pf.c
+19 -6  1 file

OPNSense/src 801c84a sys/netinet tcp_subr.c sctp_usrreq.c, sys/netinet6 udp6_usrreq.c sctp6_usrreq.c

netinet: Fix getcred sysctl handlers to do nothing if no input is given

These routines were all assuming that the sysctl handler has some new
value, but this is not the case.  SYSCTL_IN() returns 0 in this
scenario, so they were all operating on an uninitialized address.  This
is mostly harmless, but trips KMSAN checks, so let's fix them.

Reviewed by:    zlei, rrs, glebius
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D49348

(cherry picked from commit 3ff865c6a7948b2cfc01d7056c619145b696700a)
Delta File
+4 -0   sys/netinet/tcp_subr.c
+2 -1   sys/netinet/sctp_usrreq.c
+2 -0   sys/netinet6/udp6_usrreq.c
+2 -0   sys/netinet/udp_usrreq.c
+2 -0   sys/netinet6/sctp6_usrreq.c
+12 -1  5 files

OPNSense/src e0b3614 sys/netinet tcp_log_buf.h

tcp: remove struct tcp_log_rack

struct tcp_log_rack is not used, therefore remove it.

Reviewed by:            Peter Lei
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D49669

(cherry picked from commit b1c62081feec535a4f2eeb4f8deb58913d9e281c)
Delta File
+0 -10  sys/netinet/tcp_log_buf.h
+0 -10  1 file

OPNSense/src 8b88f44 sys/netinet tcp_log_buf.c

tcp: clear sendfile logging struct

The sendfile black box logging struct is much smaller than the
encompassing stack specific logging union. Be sure to clear the
trailing unused memory when logging.

Reviewed by:    tuexen
Sponsored by:   Netflix, Inc.

(cherry picked from commit 3bd1e85fc13cb90853046300dcaa31d63b45ee21)
Delta File
+1 -0  sys/netinet/tcp_log_buf.c
+1 -0  1 file

OPNSense/src 4d2ba6d sys/netinet sctp_pcb.c

sctp: fix double unlock in case adding a remote address fails

Thanks to glebius@ for pointing to the problem.

Reported by:    syzbot+1d5c164f1c10de84ad8a at syzkaller.appspotmail.com
Fixes:          2d5c48eccd9f ("sctp: Tighten up locking around sctp_aloc_assoc()")

(cherry picked from commit e8623834ca29b562687db945bdd12a3e2fe4aeb1)
Delta File
+0 -1  sys/netinet/sctp_pcb.c
+0 -1  1 file

OPNSense/src 0f96247 sys/dev/ixgbe ixgbe_mbx.c

ixgbe: fix mailbox ack handling

Check if CTS bit is set in the mailbox message before waiting for ACK.
Otherwise ACK will never be received causing the function to timeout. Add
a note for ixgbe_write_mbx that it should be called while holding a lock.

Fixes: 6d243d2 ("net/ixgbe/base: introduce new mailbox API")
Cc: stable at dpdk.org

Signed-off-by: Norbert Ciosek <norbertx.ciosek at intel.com>
Signed-off-by: Anatoly Burakov <anatoly.burakov at intel.com>
Acked-by: Bruce Richardson <bruce.richardson at intel.com>

Obtained from:  DPDK (1f119e4)

(cherry picked from commit 1580f8d9c1740e0c54554e6c185573d34f2dcf76)
Delta File
+12 -2  sys/dev/ixgbe/ixgbe_mbx.c
+12 -2  1 file

OPNSense/src 6f33f12 sys/dev/igc igc_api.c

igc(4): Fix attach for I226-K and LMVP devices

Summary:
The device IDs for these were in the driver's list of PCI ids to attach
to, but igc_set_mac_type() had never been setup to set the correct mac
type for these devices. Fix this by adding these IDs to the switch block
in order for them to be recognized by the driver instead of returning an
error.

This fixes the igc(4) attach for the I226-K LOM on the ASRock Z790
PG-ITX/TB4 motherboard, allowing it to be recognized and used.

Signed-off-by: Eric Joyner <erj at FreeBSD.org>

Reviewed by:    kbowling@
Relnotes:       yes
Differential Revision: https://reviews.freebsd.org/D49147

(cherry picked from commit 7ee310c80ea7b336972f53cc48b8c3d03029941e)
Delta File
+2 -0  sys/dev/igc/igc_api.c
+2 -0  1 file

OPNSense/src f93d01f sys/net if_ovpn.c, tests/sys/net/if_ovpn if_ovpn.sh

if_ovpn: fix use-after-free of mbuf

m_unshare() can return a new mbuf pointer. We update the 'm' pointer in
ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for
an unknown peer) the caller (udp_append()) continues with the old 'm' pointer,
eventually resulting in a use-after-free.

Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer
until we're committed to keeping the packet.

PR:             283426
Test case by:   takahiro.kurosawa at gmail.com
MFC after:      2 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta File
+81 -0  tests/sys/net/if_ovpn/if_ovpn.sh
+6 -6   sys/net/if_ovpn.c
+87 -6  2 files

OPNSense/src f48a139 sys/netpfil/pf pf.c

pf: upstream test patch
Delta File
+8 -2  sys/netpfil/pf/pf.c
+8 -2  1 file

OPNSense/src 327986b sys/netpfil/pf pf.c pf_ioctl.c

pf: do atomic load/store of timeout value
Delta File
+6 -6    sys/netpfil/pf/pf.c
+4 -4    sys/netpfil/pf/pf_ioctl.c
+1 -1    sys/netpfil/pf/if_pfsync.c
+11 -11  3 files

OPNSense/src 0688f52 sys/netpfil/pf pf.c

pf: add INVARIANTS visibility and use it to sidestep a panic

If this pans out we can still release the lock that we are supposed
to unlock here.  We do not know the reason why this happens yet,
but we avoid the risk of chasing a pointer which is no longer dependable.

Also add mutex owned and recursed state checks in the output and
avoid unlocking if we no longer own the lock.
Delta File
+38 -4  sys/netpfil/pf/pf.c
+38 -4  1 file

OPNSense/src dc89a5d sys/netpfil/pf pf.c

pf: add INVARIANTS visibility and use it to sidestep a panic

If this pans out we can still release the lock that we're supposed
to unlock here.  We do not know the reason and if the state is actually
still locked, but we avoid the risk of chasing a pointer which is no
longer dependable.

Also add mutex owned and recursed state checks in the output and
avoid unlocking if we no longer own the lock.
Delta File
+38 -4  sys/netpfil/pf/pf.c
+38 -4  1 file

OPNSense/src 5145ef0 sys/netpfil/pf pf.c

pf: add INVARIANTS visibility and use it to sidestep a panic

If this pans out we can still release the lock that we're supposed
to unlock here.  We do not know the reason and if the state is actually
still locked, but we avoid the risk of chasing a pointer which is no
longer dependable.
Delta File
+24 -4  sys/netpfil/pf/pf.c
+24 -4  1 file

OPNSense/src d61f5e3 sys/netpfil/pf pf.c

Revert "pf: do a lock dance in pf_unlink_state()"

This reverts commit fd23892d390fe9c60cc1ae34e04153080d9e9e1b.

Issue appears to sit a bit deeper.
Delta File
+2 -4  sys/netpfil/pf/pf.c
+2 -4  1 file

OPNSense/src fd23892 sys/netpfil/pf pf.c

pf: do a lock dance in pf_unlink_state()

Both pf_test() and pf_test6() can end up in a panic while
executing PF_UNLOCK_STATE which points to the state being
removed while it is in use.

The PF_LOCK_STATE in the removal subroutine makes sure
that pf_test/pf_test6 are no longer holding the state
and we can safely test and set PFTM_UNLINK.

The other bits of the OpenBSD commit probably apply as well
but for now make sure that this particular panic comes to
an end.

Based on: https://github.com/openbsd/src/commit/9d9f4dc6c83
Delta File
+4 -2  sys/netpfil/pf/pf.c
+4 -2  1 file

OPNSense/src 8bc2fd1 sys/netinet in_pcb_var.h in_pcb.h

inpcb: Move the definition of struct inpcblbgroup to in_pcb_var.h

It's only needed for in_pcb.c and in6_pcb.c, so can go to the private
header.

No functional change intended.

Reported by:    glebius
MFC after:      2 weeks
Sponsored by:   Klara, Inc.
Sponsored by:   Stormshield

(cherry picked from commit ca94f92c23fd09b28ac3398657ae2ae9367bcdf5)
Delta File
+22 -0   sys/netinet/in_pcb_var.h
+0 -22   sys/netinet/in_pcb.h
+22 -22  2 files

OPNSense/src f8f116a sys/netinet in_pcb.c in_pcb.h, sys/netinet6 in6_pcb.c in6_pcb.h

inpcb: Add FIB-aware inpcb lookup

Allow protocol layers to look up an inpcb belonging to a particular FIB.
This is indicated by setting INPLOOKUP_FIB; if it is set, the FIB to be
used is obtained from the specified mbuf or ifnet.

No functional change intended.

Reviewed by:    glebius, melifaro
MFC after:      2 weeks
Sponsored by:   Klara, Inc.
Sponsored by:   Stormshield
Differential Revision:  https://reviews.freebsd.org/D48662

(cherry picked from commit da806e8db685eead02bc67888b16ebac6badb6b6)
Delta File
+42 -32  sys/netinet/in_pcb.c
+42 -29  sys/netinet6/in6_pcb.c
+2 -1    sys/netinet/in_pcb.h
+1 -1    sys/netinet6/in6_pcb.h
+87 -63  4 files

OPNSense/src b37c9c8 sys/netinet in_pcb.c tcp_usrreq.c, sys/netinet6 in6_pcb.c udp6_usrreq.c

inpcb: Add a flags parameter to in_pcbbind()

Add a flag, INPBIND_FIB, which means that the inpcb is local to its FIB
number.  When this flag is specified, duplicate bindings are permitted,
so long as each FIB contains at most one inpcb bound to the same
address/port.  If an inpcb is bound with this flag, it'll have the
INP_BOUNDFIB flag set.

No functional change intended.

Reviewed by:    glebius
MFC after:      2 weeks
Sponsored by:   Klara, Inc.
Sponsored by:   Stormshield
Differential Revision:  https://reviews.freebsd.org/D48661

(cherry picked from commit bbd0084baf7539c7042ce94f8c6770210f83f765)
Delta File
+25 -12  sys/netinet/in_pcb.c
+13 -5   sys/netinet6/in6_pcb.c
+5 -5    sys/netinet/tcp_usrreq.c
+5 -4    sys/netinet/in_pcb.h
+2 -2    sys/netinet6/udp6_usrreq.c
+2 -2    sys/netinet/udp_usrreq.c
+52 -30  1 file not shown
+53 -31  7 files

OPNSense/src 992d19d sys/netinet in_pcb.c in_pcb_var.h, sys/netinet6 in6_pcb.c in6_pcb.h

inpcb: Imbue in(6)_pcblookup_local() with a FIB parameter

This is to enable a mode where duplicate inpcb bindings are permitted,
and we want to look up an inpcb with a particular FIB.  Thus, add a
"fib" parameter to in_pcblookup() and related functions, and plumb it
through.

A fib value of RT_ALL_FIBS indicates that the lookup should ignore FIB
numbers when searching.  Otherwise, it should refer to a valid FIB
number, and the returned inpcb should belong to the specific FIB.  For
now, just add the fib parameter where needed, as there are several
layers to plumb through.

No functional change intended.

Reviewed by:    glebius
MFC after:      2 weeks
Sponsored by:   Klara, Inc.
Sponsored by:   Stormshield

    [3 lines not shown]
Delta File
+16 -7   sys/netinet/in_pcb.c
+13 -7   sys/netinet6/in6_pcb.c
+2 -2    sys/netinet/in_pcb_var.h
+1 -1    sys/netinet6/in6_pcb.h
+32 -17  4 files

OPNSense/src 3b13309 sys/netinet6 in6_pcb.h in6_pcb.c

inpcb: Constify address parameters to in6 pcb lookup routines

No functional change intended.

MFC after:      1 week
Sponsored by:   Klara, Inc.
Sponsored by:   Stormshield

(cherry picked from commit 52ef944b0f6f1df8eebe1cb877c6aadb1c247da0)
Delta File
+8 -14   sys/netinet6/in6_pcb.h
+8 -8    sys/netinet6/in6_pcb.c
+16 -22  2 files

OPNSense/src 580dfe1 sys/netinet6 in6.h in6.c

in6: Constify some sockaddr conversion functions

No functional change intended.

MFC after:      1 week
Sponsored by:   Klara, Inc.
Sponsored by:   Stormshield

(cherry picked from commit 3bb15ffc4ab4bfcd4c1bd700a64b3b5ed95389c3)
Delta File
+3 -3  sys/netinet6/in6.h
+2 -2  sys/netinet6/in6.c
+5 -5  2 files

OPNSense/src a718536 sys/netinet in_pcb.c, sys/netinet6 in6_pcb.c

inpcb: Further restrict binding to a port owned by a different UID

See commit 4f02a7d739b3 for more background.

I cannot see a good reason to continue ignoring mismatching UIDs when
binding to INADDR_ANY.  Looking at the sdr.V2.4a7n sources (mentioned in
bugzilla PR 7713), there is a CANT_MCAST_BIND hack wherein the
application binds to INADDR_ANY instead of a multicast address, but
CANT_MCAST_BIND isn't defined for FreeBSD builds.

It seems unlikely that we still have a use-case for allowing sockets
from different UIDs to bind to the same port when binding to the
unspecified address.  And, as noted in D47832, applications like sdr
would have been broken by the inverted SO_REUSEPORT check removed in
that revision, apparently without any bug reports.  Let's break
compatibility and simply disallow this case outright.

Also, add some comments, remove a hack in a regression test which tests
this functionality, and add a new regression test to exercise the

    [8 lines not shown]
Delta File
+76 -10  tests/sys/netinet/socket_afinet.c
+9 -2    sys/netinet/in_pcb.c
+9 -2    sys/netinet6/in6_pcb.c
+94 -14  3 files