OPNSense/src ed79fec sys/net if.c, sys/netinet in.c

ifnet: Defer detaching address family dependent data

While diagnosing PR 279653 and PR 285129, I observed that a thread may
write to freed memory but the system does not crash. This hides the
real problem. A clear NULL pointer dereference is much better than writing
to freed memory.

PR:     279653
PR:     285129
Reviewed by:    glebius
MFC after:      3 weeks
Differential Revision:  https://reviews.freebsd.org/D49444
DeltaFile
+21 -5 sys/net/if.c
+2 -0 sys/netinet/in.c
+2 -0 sys/netinet6/in6.c
+25 -5 3 files

OPNSense/src ab2281d sys/netinet tcp_subr.c

Revert "tcp: mitigate a side channel for detection of TCP connections"

This reverts commit 89cd3740e963bf205979c6a36c235de30866d1e3.
DeltaFile
+0 -8 sys/netinet/tcp_subr.c
+0 -8 1 files

OPNSense/src ea9d2dd sys/net if.c, sys/netinet in.c

ifnet: Defer detaching address family dependent data

While diagnosing PR 279653 and PR 285129, I observed that a thread may
write to freed memory but the system does not crash. This hides the
real problem. A clear NULL pointer dereference is much better than writing
to freed memory.

PR:     279653
PR:     285129
Reviewed by:    glebius
MFC after:      3 weeks
Differential Revision:  https://reviews.freebsd.org/D49444
DeltaFile
+21 -5 sys/net/if.c
+2 -0 sys/netinet6/in6.c
+2 -0 sys/netinet/in.c
+25 -5 3 files

OPNSense/src 50cf88b sys/kern kern_jail.c kern_sysctl.c, sys/sys jail.h

jail: Make prison_owns_vnet() operate on a prison instead of a ucred

This will be useful in an upcoming change.  No functional change
intended.

Reviewed by:    jamie
MFC after:      2 weeks
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D51524

(cherry picked from commit 748a4ea1caffca48c4949d5a7b964853c44fbdae)
DeltaFile
+7 -10 sys/kern/kern_jail.c
+1 -1 sys/sys/jail.h
+1 -1 sys/kern/kern_sysctl.c
+9 -12 3 files

OPNSense/src dcaa394 sys/net if.c, sys/netinet in.c

ifnet: Defer detaching address family dependent data

While diagnosing PR 279653 and PR 285129, I observed that a thread may
write to freed memory but the system does not crash. This hides the
real problem. A clear NULL pointer dereference is much better than writing
to freed memory.

PR:     279653
PR:     285129
Reviewed by:    glebius
MFC after:      3 weeks
Differential Revision:  https://reviews.freebsd.org/D49444
DeltaFile
+21 -5 sys/net/if.c
+2 -0 sys/netinet6/in6.c
+2 -0 sys/netinet/in.c
+25 -5 3 files

OPNSense/src 3c9b52c sys/netinet udp_usrreq.c

udp: use appropriate error counters

Since there are multicast and broadcast specific error counters,
use them.

Reviewed by:            rrs
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D51869

(cherry picked from commit 0312f80349eedfc2b0d2f24b4fd073795148d3d5)
DeltaFile
+5 -1 sys/netinet/udp_usrreq.c
+5 -1 1 files

OPNSense/src 499bfea sys/netinet ip_icmp.c

icmp: clear offset and flags when reflecting a packet

When reflecting a packet, use an offset of 0 and clear all three bits,
in particular the DF bit.

PR:                     288558
Reviewed by:            markj, zlei
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D51991

(cherry picked from commit b9a2d84b1bf7f9cf556e2f0b68023d5af8362797)
DeltaFile
+2 -1 sys/netinet/ip_icmp.c
+2 -1 1 files

OPNSense/src 89cd374 sys/netinet tcp_subr.c

tcp: mitigate a side channel for detection of TCP connections

If a blind attacker wants to guess by sending ACK segments if there
exists a TCP connection, this might trigger a challenge ACK on an
existing TCP connection. To make this hit non-observable for the
attacker, also increment the global counter, which would have been
incremented if it would have been a non-hit.
This issue was reported as issue number 11 in Keyu Man et al.:
SCAD: Towards a Universal and Automated Network Side-Channel
      Vulnerability Detection

Reviewed by:            Nick Banks, Peter Lei
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D51724

(cherry picked from commit f0f6e50388963cae44bb92bb69ed7a1135dd2eec)
DeltaFile
+8 -0 sys/netinet/tcp_subr.c
+8 -0 1 files
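The mechanism the commit message describes, as an added user-space model (not FreeBSD code): a host keeps a global statistic that a blind ACK probe increments when no connection matches. Before the fix a probe that hit a live connection sent a challenge ACK to the real peer and left the counter alone, so sampling the counter before and after a probe told the attacker whether the connection exists; the fix increments the same counter on a hit. All names here (tcp_host, tcp_input_ack, stat_unmatched, probe_port, correct_inferences) are hypothetical, and the counter is modeled as a directly readable field rather than a real statistics interface.

```c
/* Added example, not FreeBSD code: model of the challenge-ACK counter
 * side channel and of the "count the hit like a miss" mitigation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPORTS 16

struct tcp_host {
    bool connected[NPORTS];   /* ports with an established connection */
    bool mitigated;           /* apply the counter fix? */
    uint64_t stat_unmatched;  /* global statistic observable by the attacker */
    uint64_t challenge_acks;  /* segments actually sent to the real peer */
};

static void host_init(struct tcp_host *h, bool mitigated)
{
    memset(h, 0, sizeof *h);
    h->connected[3] = true;      /* constructed: two live connections */
    h->connected[11] = true;
    h->mitigated = mitigated;
}

/* Deliver a blind ACK addressed to dport. Returns true when a challenge
 * ACK goes out, i.e. the guess hit a live connection. */
static bool tcp_input_ack(struct tcp_host *h, unsigned dport)
{
    if (dport < NPORTS && h->connected[dport]) {
        h->challenge_acks++;         /* challenge ACK behaviour is unchanged */
        if (h->mitigated)
            h->stat_unmatched++;     /* the fix: count the hit like a miss */
        return true;
    }
    h->stat_unmatched++;             /* no matching connection */
    return false;
}

/* Attacker: sample the statistic around one probe. The challenge ACK goes
 * to the legitimate peer, so the counter is all the attacker can see.
 * Returns 1 for "connection exists", 0 for "none". */
static int probe_port(struct tcp_host *h, unsigned dport)
{
    uint64_t before = h->stat_unmatched;

    (void)tcp_input_ack(h, dport);
    return h->stat_unmatched == before;
}

/* Probe every port and count correct inferences. NPORTS means the channel
 * leaks perfectly; NPORTS minus the number of live connections means the
 * attacker learns nothing beyond the trivial "no connection" guess. */
static int correct_inferences(struct tcp_host *h)
{
    int correct = 0;

    for (unsigned p = 0; p < NPORTS; p++)
        correct += probe_port(h, p) == (int)h->connected[p];
    return correct;
}

int main(void)
{
    struct tcp_host h;

    host_init(&h, false);
    printf("unmitigated: %d/%d ports inferred correctly\n",
           correct_inferences(&h), NPORTS);
    host_init(&h, true);
    printf("mitigated:   %d/%d ports inferred correctly\n",
           correct_inferences(&h), NPORTS);
    return 0;
}
```

The model keeps the challenge ACK itself: the mitigation does not change what is sent on the wire, only what the shared counter reveals about it.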

OPNSense/src 269fcca sys/netinet tcp_syncache.c

tcp: remove stale comment

Sponsored by:   Netflix, Inc.

(cherry picked from commit 9a4b30dabf075ce1c7565ffbec1d34d52f7dbefd)
DeltaFile
+0 -1 sys/netinet/tcp_syncache.c
+0 -1 1 files

OPNSense/src 2c3e72e sys/netinet tcp_timer.h

tcp: remove TCPTV_TWTRUNC

It is not used anymore...

Reviewed by:            rscheff, Peter Lei
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D50900

(cherry picked from commit 124120d44ba23ccc44144f9fc48d35818c660dc1)
DeltaFile
+0 -2 sys/netinet/tcp_timer.h
+0 -2 1 files

OPNSense/src b17ec1a sys/netinet6 udp6_usrreq.c

udp: fix local blackholing

The sysctl-variable net.inet.udp.blackhole_local should affect
UDP packets from an IPv6 address of the local host, not of a host on
the local area network.
Thanks to cc@ for pointing me to the issue.

Reviewed by:            cc
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D50829

(cherry picked from commit 16587f60a69820f1a319644da4ec1a40efbcbdf0)
DeltaFile
+1 -1 sys/netinet6/udp6_usrreq.c
+1 -1 1 files

OPNSense/src d9519ec sys/netinet tcp_input.c

tcp: fix local blackholing

The sysctl-variable net.inet.tcp.blackhole_local should affect
TCP segments from an IPv6 address of the local host, not of a host
on the local area network.
Thanks to cc@ for pointing me to the issue.

Reviewed by:            cc
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D50828

(cherry picked from commit de8fb1b3835758998a53d772deeebcdb71bbb823)
DeltaFile
+1 -1 sys/netinet/tcp_input.c
+1 -1 1 files

OPNSense/src f5585f4 sys/netinet/tcp_stacks tcp_rack.h tcp_bbr.h

tcp: remove references to Lock(b)

Reviewed by:    tuexen
Sponsored by:   Netflix, Inc.

(cherry picked from commit 41c1db8a4daae24dff545ee2d20ba6ffe8abd625)
DeltaFile
+1 -3 sys/netinet/tcp_stacks/tcp_rack.h
+0 -2 sys/netinet/tcp_stacks/tcp_bbr.h
+1 -5 2 files

OPNSense/src 4e81318 sys/netinet/tcp_stacks rack.c

tcp rack: remove duplicate header include

Reviewed by:    tuexen
Sponsored by:   Netflix, Inc.

(cherry picked from commit 2385565fac21554085a818975d3b7a97f7a4591e)
DeltaFile
+0 -1 sys/netinet/tcp_stacks/rack.c
+0 -1 1 files

OPNSense/src 81de3b0 sys/netinet tcp_timewait.c

tcp: use 0 as the value being ignored

No functional change intended.

Sponsored by:   Netflix, Inc.

(cherry picked from commit 36ba7339d4df0803f8e0655e2ba8d174d4ccec38)
DeltaFile
+1 -1 sys/netinet/tcp_timewait.c
+1 -1 1 files

OPNSense/src 3627125 sys/netinet tcp_timewait.c

tcp: fix handling of TIME WAIT for local TCP connections

The sysctl-variable net.inet.tcp.nolocaltimewait should affect
TCP connections where the remote endpoint is on the local host and
not on the local area network.

Reported by:            cc
Reviewed by:            cc
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D50830

(cherry picked from commit 49eabd405f661fa3a9f0a005c2e54dc4cad07e48)
DeltaFile
+1 -1 sys/netinet/tcp_timewait.c
+1 -1 1 files

OPNSense/src 0fce0e3 sys/netinet/cc cc.c

mod_cc(4): Fix a typo in a source code comment

- s/assigments/assignments/

(cherry picked from commit 88ed58d7f88471dc69e943e94d420cd4ef090042)
DeltaFile
+1 -1 sys/netinet/cc/cc.c
+1 -1 1 files

OPNSense/src f7537f7 sys/net if_epair.c

epair: don't include if_var.h twice

Sponsored by:   Netflix, Inc.

(cherry picked from commit f5dbf1b1c725da226fd45937decb5a5652ac1422)
DeltaFile
+0 -1 sys/net/if_epair.c
+0 -1 1 files

OPNSense/src f53bffb sys/net if.c bpf.c

IfAPI: fix LINT-NOIP build

Also, reimplement the wrappers with __strong_reference macro.

Fixes:          7b3094df479f
Reported by:    zlei
Sponsored by:   Juniper Networks, Inc.
Reviewed by:    zlei, jhibbits
Differential Revision:  https://reviews.freebsd.org/D52362
DeltaFile
+0 -12 sys/net/if.c
+2 -0 sys/net/bpf.c
+2 -0 sys/net/if_ethersubr.c
+4 -12 3 files

OPNSense/src c63ca22 sys/net if.c if_var.h

IfAPI: restore KBI after bceb9c2f2b19

This commit restores the if_bpfmtap and if_etherbpfmtap functions, and
implements them as wrappers around the bpf_mtap_if and ether_bpf_mtap_if
functions.

Fixes:          bceb9c2f2b19
Sponsored by:   Juniper Networks, Inc.
DeltaFile
+12 -0 sys/net/if.c
+2 -0 sys/net/if_var.h
+14 -0 2 files

OPNSense/src d98887c sys/arm/allwinner if_awg.c, sys/arm64/broadcom/genet if_genet.c

IfAPI: Retire if_etherbpfmtap() and if_bpfmtap()

Summary:
These came in the original DrvAPI commits in 2014, and are obsoleted by
bpf_mtap_if() and ether_bpf_mtap_if().  The `_if` suffix, rather than
prefix, conveys that it's operating on the bpf of the interface, instead
of the interface itself.

Reviewed by:    glebius
Sponsored by:   Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41146

(cherry picked from commit 2a3716432d209c5fef1eb1a719f4c1914e7c8b5a)
DeltaFile
+0 -12 sys/net/if.c
+2 -2 sys/dev/bxe/bxe.c
+1 -1 sys/arm64/broadcom/genet/if_genet.c
+1 -1 sys/arm/allwinner/if_awg.c
+1 -1 sys/dev/bge/if_bge.c
+1 -1 sys/dev/dwc/if_dwc.c
+6 -18 5 files not shown
+10 -24 11 files

OPNSense/src 410be6c sys/dev/netmap if_ptnet.c, sys/dev/virtio/network if_vtnet.c

vtnet, ptnet: include opt_*.h files early

Include opt_inet.h and opt_inet6.h early in the files including
virtio_net.h, since they use INET and/or INET6.
While there, remove redundant inclusion of sys/types.h, since it is
included already by sys/param.h.

There was a discussion to include opt_inet.h and opt_inet6.h also
in virtio_net.h. glebius suggested to add a mechanism for files
to check if required opt_*.h files were included. virtio_net.h
will be the first consumer of this mechanism.

Reviewed by:            glebius, Peter Lei
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D52046

(cherry picked from commit 3077532b1bb2911d3012ee90bae9d9499c960569)
DeltaFile
+2 -4 sys/dev/netmap/if_ptnet.c
+3 -3 sys/dev/virtio/network/if_vtnet.c
+5 -7 2 files

OPNSense/src 444c56a sys/compat/linuxkpi/common/include/acpi acpi.h

linuxkpi: Fix a typo in a source code comment

- s/__FreeBSD_verison/__FreeBSD_version/

(cherry picked from commit e0875bf019e11f93d5e23b9839e1a7f0c4317320)
DeltaFile
+1 -1 sys/compat/linuxkpi/common/include/acpi/acpi.h
+1 -1 1 files

OPNSense/src aeb52a8 sys/net if.c

ifnet: Don't include ethernet.h twice

MFC after:      3 days

(cherry picked from commit 393356f25fb8b76e38b10347f0ad40d4a23372ba)
DeltaFile
+0 -1 sys/net/if.c
+0 -1 1 files

OPNSense/src 62156bb sys/dev/ice ice_fw_logging.c

ice(4): Fix a typo in a source code comment

- s/firwmare/firmware/

(cherry picked from commit 62db40b5644726ca61e84aa56fff2fbaf30b05ca)
DeltaFile
+1 -1 sys/dev/ice/ice_fw_logging.c
+1 -1 1 files

OPNSense/src 4d2a165 sys/net if_ovpn.c if_ovpn.h, sys/sys mbuf.h

if_ovpn: support floating clients

If a client changes its IP address notify userspace of this.

The UDP filtering function supplies the remote IP address, so we check if the
address changed there. If so, we tag the packet with the new address. Once the
packet is decrypted (and as part of that, has had its signature checked) we
can commit to the address change. Take the write lock and notify userspace of
the change.

Reviewed by:    markj
MFC after:      3 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D51468

(cherry picked from commit 9c52600a5a150117b4396df3b868cf2516e1674c)
DeltaFile
+192 -1 sys/net/if_ovpn.c
+1 -0 sys/net/if_ovpn.h
+1 -0 sys/sys/mbuf.h
+194 -1 3 files
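The two-phase update the commit describes, as an added user-space model (not if_ovpn code): the UDP filter stage only tags a packet whose source differs from the peer's recorded address, and the address is committed and userspace notified only after the packet authenticates, so a datagram spoofed from a new address cannot redirect the session. The names (ovpn_udp_filter, ovpn_decrypt, run_scenario) and the scenario are constructed, and the "decrypt and verify" step is a toy keyed hash standing in for the real cryptographic check; only the ordering of tag-then-commit is the point.

```c
/* Added example, not if_ovpn code: tag the candidate address before
 * decryption, commit it only after the packet authenticates. The keyed
 * hash below is a toy stand-in for the real signature check. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct addr { uint32_t ip; uint16_t port; };

struct peer {
    struct addr remote;       /* where we currently send to this client */
    uint32_t key;             /* constructed shared secret */
    int float_notifications;  /* times userspace was told the client moved */
};

struct pkt {
    struct addr src;          /* datagram source as seen by the UDP filter */
    uint8_t body[8];
    uint32_t tag;             /* toy MAC over body */
    bool tagged_new_addr;     /* the mbuf tag written in phase 1 */
    struct addr new_addr;
};

/* Toy keyed hash (FNV-1a mixed with the key): not a real MAC, it only
 * lets the model tell authentic packets from forged ones. */
static uint32_t toy_tag(uint32_t key, const uint8_t *d, size_t n)
{
    uint32_t h = 0x811c9dc5u ^ key;
    for (size_t i = 0; i < n; i++) { h ^= d[i]; h *= 16777619u; }
    return h;
}

static bool addr_eq(struct addr a, struct addr b) { return a.ip == b.ip && a.port == b.port; }

/* Phase 1: UDP filter, before any decryption. Record the candidate
 * address on the packet only; the peer is not touched. */
static void ovpn_udp_filter(const struct peer *p, struct pkt *k)
{
    k->tagged_new_addr = !addr_eq(k->src, p->remote);
    if (k->tagged_new_addr)
        k->new_addr = k->src;
}

/* Phase 2: verify, and only then commit the move and notify.
 * Returns true if the packet was accepted. */
static bool ovpn_decrypt(struct peer *p, struct pkt *k)
{
    if (toy_tag(p->key, k->body, sizeof k->body) != k->tag)
        return false;              /* forged: drop, the tag dies with the packet */
    if (k->tagged_new_addr) {
        p->remote = k->new_addr;   /* under the write lock in the kernel */
        p->float_notifications++;  /* notify userspace */
    }
    return true;
}

static struct pkt make_pkt(struct addr src, const char *body8, uint32_t key, bool authentic)
{
    struct pkt k;
    memset(&k, 0, sizeof k);
    k.src = src;
    memcpy(k.body, body8, sizeof k.body);
    k.tag = toy_tag(key, k.body, sizeof k.body);
    if (!authentic)
        k.tag ^= 1;                /* attacker lacks the key: any wrong tag will do */
    return k;
}

/* Constructed scenario: client at A, an attacker spoofing B without the key,
 * then the real client moving to B. Returns the number of accepted packets. */
static int run_scenario(struct peer *p)
{
    const struct addr a = { 0xc0a80164u, 50000 };   /* 192.168.1.100:50000 */
    const struct addr b = { 0x0a000005u, 40000 };   /* 10.0.0.5:40000 */
    int accepted = 0;

    memset(p, 0, sizeof *p);
    p->remote = a;
    p->key = 0x5eed1234u;

    struct pkt k1 = make_pkt(a, "hello---", p->key, true);
    struct pkt k2 = make_pkt(b, "spoofed!", p->key, false);
    struct pkt k3 = make_pkt(b, "moved!!!", p->key, true);

    ovpn_udp_filter(p, &k1); accepted += ovpn_decrypt(p, &k1);  /* same address */
    ovpn_udp_filter(p, &k2); accepted += ovpn_decrypt(p, &k2);  /* tagged, then dropped */
    ovpn_udp_filter(p, &k3); accepted += ovpn_decrypt(p, &k3);  /* committed, notified */
    return accepted;
}

int main(void)
{
    struct peer p;
    int n = run_scenario(&p);
    printf("accepted=%d remote=0x%08x:%u notifications=%d\n",
           n, p.remote.ip, p.remote.port, p.float_notifications);
    return 0;
}
```

If the commit were done in phase 1 instead, the spoofed packet k2 would move the peer and trigger a notification before anyone had checked it came from the client.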

OPNSense/src 5631736 sys/net if_ovpn.c, tests/sys/net/if_ovpn if_ovpn.sh

if_ovpn: support IPv6 link-local addresses

MFC after:      3 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D51596

(cherry picked from commit 60e92d17cfeba02bc3c7a6edfa0bcaf7c63e5f35)
DeltaFile
+76 -0 tests/sys/net/if_ovpn/if_ovpn.sh
+20 -1 sys/net/if_ovpn.c
+96 -1 2 files

OPNSense/src 251f880 sys/net if_ovpn.c

if_ovpn: fill out sin_len/sin6_len

When we parse an nvlist sockaddr we should set the sockaddr_in(6)'s length
field. This isn't currently used by anything yet, but it's reasonable to expect
a sockaddr to contain its length.

MFC after:      3 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit e83df5367d30761803e09bd7fcf518638dfe43d2)
DeltaFile
+2 -0 sys/net/if_ovpn.c
+2 -0 1 files

OPNSense/src 33f9214 sys/net if_ovpn.c

if_ovpn: Destroy cloned interfaces via a prison removal callback

An if_ovpn interface carries a reference to a socket, which has a
credential reference, which holds a reference on the containing prison
and prevents SYSUNINITs from being invoked.  So, register a
PR_METHOD_REMOVE callback and destroy the cloner from there instead,
since that mechanism doesn't require the prison refcount to drop to zero
first.

This fixes a bug where jails get left stuck in the DYING state after
running if_ovpn regression tests.

Reviewed by:    kp
MFC after:      2 weeks
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D51526

(cherry picked from commit 96b29c7f0cffd377a757ad8ccc0cdd8fcb96d0dd)
DeltaFile
+40 -8 sys/net/if_ovpn.c
+40 -8 1 files

OPNSense/src 75829ca sys/net if.c, sys/netinet in.c

ifnet: Defer detaching address family dependent data

While diagnosing PR 279653 and PR 285129, I observed that a thread may
write to freed memory but the system does not crash. This hides the
real problem. A clear NULL pointer dereference is much better than writing
to freed memory.

PR:     279653
PR:     285129
Reviewed by:    glebius
MFC after:      3 weeks
Differential Revision:  https://reviews.freebsd.org/D49444
DeltaFile
+21 -5 sys/net/if.c
+2 -0 sys/netinet/in.c
+2 -0 sys/netinet6/in6.c
+25 -5 3 files