| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add strtonumx(), a companion to strtonum(3) that preserves its safety
and error-reporting semantics while allowing the caller to specify a
conversion base, similar to the strtol(3) family of functions.
Reviewed by: emaste, kib, ziaee
Obtained from: https://www.illumos.org/issues/15365
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D54270
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The __aligned attribute in the previous version applied to the location
of the pointers, not the data the pointers pointed to. While this
could be fixed by applying the attribute to a local typedef of uint16_t,
just using memcpy() for the unaligned access is simpler and ISO C.
This fixes the build on CHERI architectures which do not support
misaligned pointers and were thus failing with:
lib/libc/string/swab.c:12:18: error: alignment (1) of 'const uint16_t *' (aka 'const unsigned short *') is less than the required capability alignment (16) [-Werror,-Wcheri-capability-misuse]
12 | const uint16_t *f __aligned(1) = from;
|
Co-authored by: Jessica Clarke <jrtc27@FreeBSD.org>
Fixes: 02ebbc781f08 ("swab: Fix implementation to support overlapping copies")
Sponsored by: AFRL, DARPA
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D54399
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a guard that expects a failure of the test on aarch64.
Reviewed by: emaste
Fixes: df1ea5887326 ("tests: Test libexecinfo backtrace call througth signal trampoline")
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54675
|
| | |
| |
| |
| |
| |
| |
| | |
6.6 is ABI compatible with 6.5 (tested with abidiff)
Remove html documentation to ease updates
MFC After: 1 month
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This change extends pf(4) limiters so administrator
can specify action the rule executes when limit is
reached. By default when limit is reached the limiter
overrides action specified by rule to no-match.
If administrator wants to block packet instead then
rule with limiter should be changed to:
pass in from any to any state limiter test (block)
OK dlg@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 04394254d9
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| | |
| |
| |
| |
| |
| |
| | |
This is a new feature with new ioctl calls, so we can safely remove them
right now.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
both source and state limiters can provide constraints on the number
of states that a set of rules can create, and optionally the rate
at which they are created. state limiters have a single limit, but
source limiters apply limits against a source address (or network).
the source address entries are dynamically created and destroyed,
and are also limited.
this started out because i was struggling to understand the source and
state tracking options in pf.conf, and looking at the code made it
worse. it looked like some functionality was missing, and the code also
did some things that surprised me. taking a step back from it, even it
if did work, what is described doesn't work well outside very simple
environments.
the functionality i'm talking about is most of the stuff in the
Stateful Tracking Options section of pf.conf(4).
some of the problems are illustrated one of the simplest options:
the "max number" option that limits the number of states that a
rule is allowed to create:
- wiring limits up to rules is a problem because when you load a
new ruleset the limit is reset, allowing more states to be created
than you intended.
- a single "rule" in pf.conf can expand to multiple rules in the
kernel thanks to things like macro expansion for multiple ports.
"max 1000" on a line in pf.conf could end up being many times
that in effect.
- when a state limit on a rule is reached, the packet is dropped.
this makes it difficult to do other things with the packet, such a
redirect it to a tarpit or another server that replies with an
outage notices or such.
a state limiter solves these problems. the example from the pf.conf.5
change demonstrates this:
An example use case for a state limiter is to restrict the number of
connections allowed to a service that is accessible via multiple
protocols, e.g. a DNS server that can be accessed by both TCP and UDP on
port 53, DNS-over-TLS on TCP port 853, and DNS-over-HTTPS on TCP port 443
can be limited to 1000 concurrent connections:
state limiter "dns-server" id 1 limit 1000
pass in proto { tcp udp } to port domain state limiter "dns-server"
pass in proto tcp to port { 853 443 } state limiter "dns-server"
a single limit across all these protocols can't be implemented with
per rule state limits, and any limits that were applied are reset
if the ruleset is reloaded.
the existing source-track implementation appears to be incomplete,
i could only see code for "source-track global", but not "source-track
rule". source-track global is too heavy and unweildy a hammer, and
source-track rule would suffer the same issues around rule lifetimes
and expansions that the "max number" state tracking config above has.
a slightly expanded example from the pf.conf.5 change for source limiters:
An example use for a source limiter is the mitigation of denial of
service caused by the exhaustion of firewall resources by network or port
scans from outside the network. The states created by any one scanner
from any one source address can be limited to avoid impacting other
sources. Below, up to 10000 IPv4 hosts and IPv6 /64 networks from the
external network are each limited to a maximum of 1000 connections, and
are rate limited to creating 100 states over a 10 second interval:
source limiter "internet" id 1 entries 10000 \
limit 1000 rate 100/10 \
inet6 mask 64
block in on egress
pass in quick on egress source limiter "internet"
pass in on egress proto tcp probability 20% rdr-to $tarpit
the extra bit is if the source limiter doesn't have "space" for the
state, the rule doesn't match and you can fall through to tarpitting
20% of the tcp connections for fun.
i've been using this in anger in production for over 3 years now.
sashan@ has been poking me along (slowly) to get it in a good enough
shape for the tree for a long time. it's been one of those years.
bluhm@ says this doesnt break the regress tests.
ok sashan@
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 8463cae72e
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| | |
| |
| |
| |
| |
| | |
Reviewed by: andrew
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D54560
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Function arguments are based on Section 9.4.1 "GNU C Library IFUNC interface"
from "System V ABI for the Arm 64-bit Architecture (AArch64)", 2025Q1.
(https://github.com/ARM-software/abi-aa/releases/download/2025Q1/sysvabi64.pdf)
Reviewed by: andrew
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D54599
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is no longer used after commit
99282790b7d01ec3c4072621d46a0d7302517ad4 moved ELF notes from C to
assembly.
Reviewed by: kib
Fixes: 99282790b7d0 ("Remove the sed hack for ABI tag notes.")
Sponsored by: AFRL, DARPA
Differential Revision: https://reviews.freebsd.org/D54506
|
| | |
| |
| |
| | |
Fixes: f74f891581bc ("src.opts: Introduce MK_SOUND")
|
| | |
| |
| |
| |
| |
| |
| |
| | |
PR: 291853
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: zarychtam_plan-b.pwste.edu.pl, markj
Differential Revision: https://reviews.freebsd.org/D54456
|
| | |
| |
| |
| |
| |
| | |
Signed-off-by: Minsoo Choo <minsoochoo0122@proton.me>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1957
|
| | |
| |
| |
| |
| |
| |
| |
| | |
PR: 291649
Fixes: 905571c03119 ("Remove copyright strings printed at login time via login(1) or sshd(8).")
Signed-off-by: Simon Wollwage rootnode+freebsd@wollwage.com
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1926
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make it possible to search for literal two colons (::) and actually
find something. Make the "x"/"x:"/"x::" examples more explicit and
more visibile.
Signed-off-by: Simon Wollwage <rootnode+freebsd@wollwage.com>
Obtained from: NetBSD, nbuwe <uwe@stderr.spb.ru>, 856d5b6
PR: 291374
Reviewed by: imp, jlduran
Pull Request: https://github.com/freebsd/freebsd-src/pull/1923
|
| | |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Minsoo Choo <minsoochoo0122@proton.me>
Reviewed by: emaste
Pull Request: https://github.com/freebsd/freebsd-src/pull/1914
(cherry picked from commit 907cf3e4378f9d114af41d05a59ef4a075d3efb0)
|
| | |
| |
| |
| |
| |
| |
| | |
Sponsored by: Netflix
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1954
|
| | |
| |
| |
| |
| | |
Signed-off-by: Minsoo Choo <minsoochoo0122@proton.me>
Pull-request: https://github.com/freebsd/freebsd-src/pull/1909
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This enables additional searching the manual by sysctl variable.
This syntax is standardized in style.mdoc(5).
Reported by: bapt
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This avoids e.g. utilities or ssh depending on the full blocklist
package just because they link against libblocklist.
This change moves files between packages so, until we have a proper
policy on how to handle this in release/stable branches, it should
not be MFC'd.
MFC after: never
Reviewed by: bapt
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53605
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This was previously in runtime, because pam_unix uses it and we don't
want to pull in the entire yp package as a dependency of runtime.
However, we can now use LIB_PACKAGE here to create a yp-lib package
to contain the library, which is a much more reasonable dependency.
Since libypclnt clearly belongs in the yp package, move it there.
This change moves files between packages so, until we have a proper
policy on how to handle this in release/stable branches, it should
not be MFC'd.
MFC after: never
Reviewed by: bapt
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53600
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Zstd is a discrete, self-contained system component. To match how we
package zlib, bzip2 and xz, move it to its own package, with a separate
lib package.
Add the new package to the minimal set, since this is a core component
that users expect to be installed.
This change adds a new package to the system so, until we have a proper
policy on how to handle this in release/stable branches, it should not
be MFC'd.
MFC after: never
Reviewed by: bapt
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53603
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The previous fix introduced a regression on machines without the BMI1
instruction set extension. The TZCNT instruction used in this function
behaves different on old machines when the source operand is zero, but
the code was originally designed to never trigger this case. The bug
fix caused this case to be possible, leading to a regression on
sufficiently old hardware.
Fix the code by messing with things such that the source operand is
never zero.
PR: 291720
Fixes: 66eb78377bf109af1d9e25626bf254b4369436ec
Tested by: cy
Approved by: markj (mentor)
Differential Revision: https://reviews.freebsd.org/D54303
|
| | |
| |
| |
| |
| | |
MFC after: 1 week
Fixes: 27894e20f140 ("libgeom: Fix segfault in 32-on-64 case")
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When resolving references, assert that the type of the object we find
is what we expect. This will help prevent memory corruption if two
objects of different types somehow end up with the same identifier.
MFC after: 1 week
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D54454
|
| | |
| |
| |
| |
| |
| | |
MFC after: 1 week
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D54453
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We were using strtoul() to parse object identifiers, which are kernel
pointers. This works fine as long as the kernel and userland match,
but in a 32-bit libgeom on a 64-bit kernel this will return ULONG_MAX
for all objects, resulting in memory corruption when we later pick the
wrong object while resolving consumer-producer references.
MFC after: 1 week
PR: 292127
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D54452
|
| | |
| |
| |
| | |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| | |
| |
| |
| | |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ioctls can fail with EACCES, see sys/kern/tty.c
PR: 239504
MFC after: 3 days
Reviewed by: ziaee
Reported by: Brennan Vincent <brennan@umanwizard.com>
Differential Revision: https://reviews.freebsd.org/D49072
|
| | |
| |
| |
| |
| |
| |
| | |
Reviewed by: alc, emaste
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54365
|
| | |
| |
| |
| |
| |
| |
| | |
Reviewed by: alc, emaste, ziaee
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54365
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The function clears the whole tree.
Relnotes: yes
Reviewed by: alc, emaste
Discussed with: dougm
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54365
|
| | |
| |
| |
| |
| |
| |
| | |
Reviewed by: alc, emaste
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54365
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes a segfault on i386 and armv7 and numerous style violations.
PR: 292008
Fixes: 4f809ffec69c ("gpart: add libxo support for "show" subcommand + man page updates")
Reviewed by: js
Differential Revision: https://reviews.freebsd.org/D54393
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
, related functions, and the EXTERROR_VERBOSE environment variable.
Reviewed by: emaste, mckusick
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54380
|
| | |
| |
| |
| |
| |
| |
| | |
Reviewed by: emaste, mckusick
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54380
|
| | |
| |
| |
| | |
MFC after: 1 week
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If the variable is set and the process is not suid, __uexterr_format(),
used by err(3), prints errno/category/source line/pX always, not only
when there is no kernel message provided.
Requested by: mckusick
Reviewed by: emaste, mckusick
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54380
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Note that we trust kernel code to only request the printout of integer
types, and use the 'j' modifier always.
Reviewed by: emaste, mckusick
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54380
|
| | |
| |
| |
| |
| |
| |
| | |
Reviewed by: emaste, mckusick
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54380
|
| | |
| |
| |
| |
| | |
This silences warnings about benign implicit character conversions in
googletest's gtest-printers.h.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This avoids warnings from clang 21, similar to:
/usr/src/lib/libcuse/cuse_lib.c:111:14: error: writing variable 'h_cuse' requires holding mutex 'm_cuse' exclusively [-Werror,-Wthread-safety-analysis]
111 | TAILQ_INIT(&h_cuse);
| ^
/usr/src/lib/libcuse/cuse_lib.c:111:14: error: writing variable 'h_cuse' requires holding mutex 'm_cuse' exclusively [-Werror,-Wthread-safety-analysis]
/usr/src/lib/libcuse/cuse_lib.c:112:14: error: writing variable 'h_cuse_entered' requires holding mutex 'm_cuse' exclusively [-Werror,-Wthread-safety-analysis]
112 | TAILQ_INIT(&h_cuse_entered);
| ^
/usr/src/lib/libcuse/cuse_lib.c:112:14: error: writing variable 'h_cuse_entered' requires holding mutex 'm_cuse' exclusively [-Werror,-Wthread-safety-analysis]
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In commit 2e47f35be5dc libllvm, libclang and liblldb were converted into
private shared libraries. This allowed clang, lld, lldb, and other llvm
tools to be linked against these shared libraries, which makes them
smaller and avoids duplication.
However, this also comes at the cost of some performance, since the
dynamic libraries are quite large, and contain lots of long symbols
(mangled C++ identifiers).
Add a WITH_LLVM_LINK_STATIC_LIBRARIES build knob that can be used to go
back to the previous behavior: libllvm, libclang and liblldb are built
as internal static libraries, i.e. only available during buildworld, and
fully linked into the various executables such as clang, lld, etc.
PR: 287447
Reviewed by: emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D50956
|
| | |
| |
| |
| | |
MFC after: 7 days
|
| | |
| |
| |
| |
| | |
Fixes: cf1eaaf41cef
MFC after: 1 week
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In commit 2e47f35be5dc libllvm, libclang and liblldb were converted into
private shared libraries. This allowed clang, lld, lldb, and other llvm
tools to be linked against these shared libraries, which makes them
smaller and avoids duplication.
However, upstream builds the shared libraries using several visibility
options, which reduces the number of external symbols, and makes the
libraries a bit smaller.
On my test machine:
* libprivatellvm.so goes from 75643 to 34706 symbols (~54% reduction)
* libprivateclang.so goes from 53250 to 33531 symbols (~37% reduction)
* libprivatelldb.so goes from 27242 to 18798 symbols (~31% reduction)
Note: to get the full benefit, a clean build is required. Incremental
builds should still work, but I didn't want to force a full rebuild on
everybody.
MFC after: 1 week
|
| | |
| |
| |
| | |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The mq_getfd_np function appeared in FreeBSD 11 with no documentation.
This function dereferences the mqd_t as a pointer to an int.
Relnotes: yes
MFC after: 3 days
Reviewed by: kib (previous), markj, ziaee
Differential Revision: https://reviews.freebsd.org/D43947
|
