All supported stable branches use netlink(4) API to configure carp(4).
The deleted code also has a kernel stack leak vulnerability that requires
extra effort to fix.
Reviewed by: pouria, kp
Differential Revision: https://reviews.freebsd.org/D55804
Reviewed by: emaste
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55272
This used to be needed when interface renames were broadcast using the
ifnet_departure_event eventhandler, but since commit 349fcf079ca3
("net: add ifnet_rename_event EVENTHANDLER(9) for interface renaming"),
it has no purpose. Remove it.
Reviewed by: pouria, zlei
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D55171
This change was forgotten by me in the previous commit to this file.
Reported by: kib
Approved by: implicit (change omitted from previous commit)
Fixes: 31ec8b6407fdd5a87d70265762457c67ce618283
Reported by: pouria
Reviewed by: pouria, ziaee, glebius
Approved by: glebius
Fixes: 31ec8b6407fdd5a87d70265762457c67ce618283
Differential Revision: https://reviews.freebsd.org/D55136
Set `ifr->ifr_name` to display gre options
for the interface.
Reviewed by: glebius, zlei
Approved by: glebius (mentor)
MFC after: 1 day
Differential Revision: https://reviews.freebsd.org/D55099
Previously, setting an interface FIB to some invalid value would result
in a warning being printed, but the ifconfig command would exit with
status 0, but this is wrong.
Add a little regression test.
Reviewed by: pouria, zlei, melifaro
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54918
No functional change intended.
Reviewed by: pouria, delphij, imp
Approved by: glebius (mentor)
Differential Revision: https://reviews.freebsd.org/D54752
By default, when ifconfig shows a v6 address derived from a
router-advertised prefix, it shows the initial preferred and valid
lifetimes. When -L is specified, it is supposed to show the remaining
lifetimes, but this was broken in the conversion to netlink.
Fix that, and add a regression test which validates ifconfig output
before and after a short-lived address expires.
Reported by: Franco Fichtner <franco@opnsense.org>
Reviewed by: melifaro, allanjude, Seyed Pouria Mousavizadeh Tehrani
Fixes: 4c91a5dfe483 ("ifconfig: make interface and address listing use Netlink as transport")
MFC after: 2 weeks
Sponsored by: OPNsense
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54294
This should provide people a chance to remove ipfw0 and ipfwlog0 from
cloned_interfaces in their rc.conf during FreeBSD 16.x lifetime.
Differential Revision: https://reviews.freebsd.org/D53876
parse_vlans() does 's = strdup(str)', then calls strsep(&s, ...), then
attempts to free(s) at the end of the function. For the success case,
this is fine (s is NULL, so it's a trivial memory leak), but in the
error case, we will attempt to free an invalid pointer.
Fix this by storing the original return value from strdup() and freeing
that instead.
MFC after: 3 seconds
Reported by: David Gwynne <dlg@openbsd.org>
Reviewed by: zlei, kevans
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53545
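
The pointer handling this commit message describes, as an added C example that is not the FreeBSD source: `parse_vlan_list()`, its bitmap layout and the comma/range list syntax are assumptions made here. The pointer returned by strdup() is kept apart from the cursor that strsep() advances, so both the success and the error path free a valid pointer.

```c
#define _DEFAULT_SOURCE            /* strdup()/strsep() on glibc */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define VLAN_MAX       4094        /* highest usable 802.1Q VLAN ID */
#define VLAN_SET_BYTES 512         /* one bit per ID 0..4095 */

/* Parse one decimal VLAN ID in 1..VLAN_MAX; 0 on success, -1 on error. */
static int
parse_vid(const char *tok, unsigned *out)
{
	char *end;
	unsigned long v;

	if (*tok < '0' || *tok > '9')   /* no sign, no leading blanks */
		return (-1);
	errno = 0;
	v = strtoul(tok, &end, 10);
	if (errno != 0 || *end != '\0' || v < 1 || v > VLAN_MAX)
		return (-1);
	*out = (unsigned)v;
	return (0);
}

int
vlan_isset(const uint8_t *set, unsigned vid)
{
	return ((set[vid / 8] >> (vid % 8)) & 1);
}

/* Hypothetical parser: "10,20,100-199" -> bitmap. 0 on success, -1 on error. */
int
parse_vlan_list(const char *str, uint8_t set[VLAN_SET_BYTES])
{
	char *copy, *s, *tok, *dash;
	unsigned first, last, v;
	int rc = -1;

	/* copy keeps strdup()'s result; s is the cursor strsep() advances. */
	if ((copy = s = strdup(str)) == NULL)
		return (-1);
	memset(set, 0, VLAN_SET_BYTES);
	while ((tok = strsep(&s, ",")) != NULL) {
		if ((dash = strchr(tok, '-')) != NULL)
			*dash++ = '\0';
		if (parse_vid(tok, &first) != 0)
			goto out;       /* here s points mid-buffer or is NULL */
		last = first;
		if (dash != NULL && (parse_vid(dash, &last) != 0 || last < first))
			goto out;
		for (v = first; v <= last; v++)
			set[v / 8] |= (uint8_t)(1u << (v % 8));
	}
	rc = 0;                         /* strsep() has left s == NULL */
out:
	free(copy);                     /* free(s) here would be the bug */
	return (rc);
}
```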
PR: 289113
MFC after: 3 days
This command doesn't accept a vlan-id.
PR: 290141
MFC after: 3 days
Reported by: Paul Procacci <pprocacci@gmail.com>
Reviewed by: ziaee (manpages)
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53049
The display of IFCAP_NV is handled by SIOCGIFCAPNV ioctl. The kernel
composes an nvlist of capabilities and the userland unpacks and
displays them. So this "NV" in IFCAPBITS is meaningless but rather misleading.
This reverts commit 0c1684dd456e3df306b359b04e61f9f2048d9ff2.
This follows the commit 051e7d78b039, which introduces the IFCAP_NV
capability.
Fixes: 051e7d78b039 Kernel-side infrastructure to implement nvlist-based set/get ifcaps
MFC after: 3 days
This follows the commit 4cdc1f5421c5, which introduces the IFCAP_HWSTATS
capability.
Fixes: 4cdc1f5421c5 There are some high performance NICs that count statistics in hardware
MFC after: 3 days
Implement RFC 7217 (A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Autoconfiguration
(SLAAC)) in our IPv6 stack.
A new ifconfig `stableaddr` flag is added to enable the feature on
interfaces, which defaults to on or off for new interfaces based
on the sysctl `net.inet6.ip6.use_stableaddr` (off by default, so
this commit causes no change in behavior with default settings).
The algorithm follows the RFC in its logic, using SHA256-HMAC as
the algorithm to derive addresses so as to provide code that can
be leveraged by future implementations of RFC 8981, leveraging the
`hostuuid` as the secret.
The source of the hostidentifier can be configured using the sysctl
`net.inet6.ip6.stableaddr_netifsource`, while the number of retries
generating a new address in case of collision can be configured
using the `net.inet6.ip6.stableaddr_maxretries` sysctl (default 3).
Documentation about all these flags is added to the ifconfig(8) man
page.
Reviewed by: cognet, glebius, hrs
Tested by: zarychtam@plan-b.pwste.edu.pl
Approved by: cognet, glebius
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D49681
Historically this capability is IFCAP_NOMAP but it was renamed to
IFCAP_MEXTPG. Catch up with the change 3f43ada98c89.
PR: 289545
Fixes: 3f43ada98c89 Catch up with 6edfd179c86: mechanically rename IFCAP_NOMAP to IFCAP_MEXTPG
MFC after: 3 days
Some options (in particular, -g) are processed immediately upon being
parsed. This will produce the wrong result in combination with -j since
we only attach to the jail after we're done parsing arguments. Solve
this by attaching to the jail immediately when -j is encountered. The
downside is that e.g. `ifconfig -j foo -j bar` would previously attach
to jail “bar”, whereas now it will attempt to attach to jail “foo”, and
if successful, attempt to attach to jail “bar” within jail “foo”. This
may be considered a feature.
PR: 289134
MFC after: 1 week
Reviewed by: zlei
Differential Revision: https://reviews.freebsd.org/D52501
Reported by: bdrewery
MFC after: 1 week
See also: da50f49977cc4e6aae55cb2379313599249a8dd2
Sponsored by: Rubicon Communications, LLC ("Netgate")
Move the options from the VLAN filtering section into the main bridge
section. Some of these (e.g., ifuntagged and ifvlanproto) don't
specifically require VLAN filtering, and it would be confusing to
have only some of the vlan-related options in a separate section.
Differential Revision: https://reviews.freebsd.org/D51758
The current syntax to add an interface to a filtering bridge requires
repeating the interface name up to three times:
    ifconfig bridge0 addm ix0 untagged ix0 10 tagged ix0 100-199
Since at least one of these options nearly always needs to be set,
this results in excessively verbose configuration.
Extend "addm" to support optional arguments, and add two arguments,
"untagged" and "tagged", which infer the interface name from the
addm command. Now the interface only has to be given once:
    ifconfig bridge0 addm ix0 untagged 10 tagged 100-199
To avoid confusion with the existing untagged and tagged commands,
rename those to ifuntagged and iftagged.
In future, this syntax will make it possible to add an interface and
set its vlan configuration atomically (once the API supports that),
but switching to the new syntax now means we don't need to change it
after 15.0.
Differential Revision: https://reviews.freebsd.org/D51707
Add a new per-interface option "ifvlanproto", which can be either
"802.1q" (the default) or "802.1ad". This controls what type of
tag we attach to outgoing packets on the interface.
Reviewed by: pauamma_gundo.com (manpages)
Differential Revision: https://reviews.freebsd.org/D51231
Allowing tag stacking by default can permit VLAN-hopping attacks in
certain configurations. To mitigate this, disallow sending Q-in-Q
frames by default unless the new "qinq" option is enabled on the
interface. The bridge flag "defqinq" can be used to restore the
previous behaviour of allowing Q-in-Q on all interfaces.
The bridge.4 changes from the differential are omitted here and
will be landed via D51185.
Reviewed by: kevans, pauamma_gundo.com (manpages)
Differential Revision: https://reviews.freebsd.org/D51227
vlanfilter was originally a per-interface flag to allow more flexible
configurations where some interfaces had VLAN filtering enabled and
some didn't. In practice, this just makes the configuration more
confusing without any real benefit, so remove it, and make vlanfilter
a bridge flag instead.
Add a new bridge option "defuntagged", which sets the automatically
assigned PVID for new members. If set to 0 (the default) then no
PVID is assigned, which matches the current behaviour.
While here, add some more atf_checks to the bridge VLAN tests to
make debugging easier.
Differential Revision: https://reviews.freebsd.org/D51600
and the macro EN_SWABIPS.
The macro EN_SWABIPS is identical to IFF_LINK0 (also historically
IFF_LLC0) and we already have the parameter link0 to toggle IFF_LINK0.
These were inherited from 386BSD 0.1 and have never been used since
the very first FreeBSD release.
Reviewed by: adrian, #network
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D51368
Add an optional "vlan <n>" argument to the bridge static and deladdr
commands to allow addresses to be added to / removed from a particular
vlan. No changes to if_bridge are required as the kernel API already
supports this, it just wasn't exposed in ifconfig.
Add tests for the new functionality, and improve the test for the
existing "static" command.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D51243
Add a new type of command, DEF_CMD_VARG, which takes an (argc, argv)
pair instead of a fixed number of arguments. This allows commands
to do their own argument parsing and accept a variable number of
arguments.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D51243
Sponsored by: Rubicon Communications, LLC ("Netgate")
The PVID option is exposed to the user as 'untagged', but the API was
inconsistent on whether it's called 'untagged' or 'PVID'. Standardise
on calling it PVID everywhere in the code, since this is the 802.1Q
terminology.
Keep 'untagged' as the user-facing term since sysadmins are not network
admins and are often not familiar with the term PVID.
Approved by: des
Differential Revision: https://reviews.freebsd.org/D51182
This is like get_val() but takes an ether_vlanid_t* and ensures the
value is a valid VLAN ID. This avoids redundant comparisons and
casting when parsing VLAN IDs.
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D51548
Most bridge interfaces will have ifmaxaddr set to 0 (the default).
Save a little horizontal space by not printing it in this case.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D51252
The patch was originally written by hrs [1], and later modified by meta
to use named flags instead of generic link-layer flags.
[1] https://reviews.freebsd.org/D45854
PR: 280736
Co-authored-by: Hiroki Sato <hrs@FreeBSD.org>
Reviewed by: ae, ziaee, zlei, pauamma
Reported by: Kazuki Shimizu <kazubu@jtime.net>
Approved by: pauamma (manpages)
Approved by: ae
MFC after: 2 weeks
Sponsored by: Cybertrust Japan
Differential Revision: https://reviews.freebsd.org/D51297
It was removed long ago [1] and is unavailable on FreeBSD 11 and later,
but the corresponding entries in the man page were not removed
accordingly.
[1] https://cgit.freebsd.org/src/commit/?id=b1c250ff3ff6af36e95f5cf910973133c3445704
MFH after: 3 days
Reviewed by: mhorne
Approved by: mhorne
Differential Revision: https://reviews.freebsd.org/D51261
The new ifconfig options 'tagged', '+tagged' and '-tagged' allow the
vlan access list of a bridge interface to be configured:
- Incoming tagged frames will be dropped if the vlan tag isn't in the
  interface's access list.
- Outgoing frames will be dropped if the vlan tag isn't in the
  interface's access list (e.g., for BUM traffic).
This has no effect if vlan filtering is not enabled on the interface.
Since we now add a tag to untagged frames at ingress, remove the
vlan argument from bridge_vfilter_out() and use VLANTAGOF instead.
Reviewed by: des, kp, adrian
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50503
Add two new bridge(4) interface options, 'vlanfilter' and 'untagged':
    # ifconfig bridge0 vlanfilter ix0
    # ifconfig bridge0 -vlanfilter ix0
    # ifconfig bridge0 untagged ix0 20
    # ifconfig bridge0 -untagged ix0
Setting 'vlanfilter' causes the bridge to filter ingress and egress
traffic on that interface based on the frame's VLAN, rather than simply
passing all frames. By default, an interface is not permitted on any
VLANs, so all frames will be dropped.
Setting 'untagged' allows the interface to send and receive untagged
traffic in the given VLAN, allowing two (or more) interfaces in the
same VLAN to communicate with each other, but not with any other
interface.
Setting 'untagged' on an interface automatically enables 'vlanfilter'
as well. The untagged VLAN may be removed using the '-untagged'
option, but this does not disable VLAN filtering automatically.
Tagged frames may not be sent or received on a port with VLAN filtering
enabled.
Update bridge.4 to document this change, and also add an overview of the
existing vlan/.1q support in if_bridge.
Basic tests for the new functionality are included.
Bump __FreeBSD_version for struct ibfreq ABI change.
Reviewed by: kevans, kp
Approved by: kevans (mentor)
Differential Revision: https://reviews.freebsd.org/D49993
This change was produced by melifaro and the commit is concerted with him
as he is pretty busy IRL these days.
The change restores performance of /sbin/ifconfig utility
for non-listing case after it switched from rtsock to netlink(4) API
in FreeBSD 14+.
PR: 287872
MFC-after: 2 weeks
Start dealing with Element ID Extension present (IE T=255) and start
parsing elements from the Element ID Extension set.
Namely (partially) decode HE_CAPA, HE_OPER, MU_EDCA_PARAM_SET,
as well as SUP_OP_CLASS.
For length reasons also rename UNKNOWN_ELEMID_%d to ELEMID_%d.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D50678
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D50675
The node unicast key (PTK) uses a key index of (-1) and printing
a 64k number does not look great. Factor out printing the key
number into a buffer and use 'ucast' for the node unicast key.
Hope is that this will be useful for the future as well when we
will have more/different keys possibly.
Looks like (with -vk):
    AES-CCM 2:128-bit <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> rsc 0 tsc 0 rx
    AES-CCM 3:128-bit <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> rsc 0 tsc 0 rx
    AES-GCM ucast:128-bit <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> rsc 0 tsc 0 tx+rx
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D50555
Add a variable when querying the BSSID so we can later use it rather
than losing the "data" buffer.
When printing key information also query the node unicast key if in
STA mode (the key for the BSSID). Do not error in case we fail.
This is helpful for debugging mostly; was also useful when testing
GCMP support.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D50554
While we currently do not print the STA unicast key (PTK) we will not
see this but it is for fullness and in preparation for follow-up
changes.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D50553
Fixes: 59ee9260e6bb ("ifconfig: reject netmask and broadcast for inet6")
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D50566
s/can/cannot/
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D50552
We don't support setting netmask or broadcast address for INET6
addresses, and trying to do so crashes ifconfig. Handle this the
same way as af_link, by rejecting attempts to configure these
parameters.
PR: 286910
Reported by: Hayzam Sherif <hayzam@alchemilla.io>
MFC after: 3 days
Reviewed by: zlei, kevans, des, cy
Approved by: kevans (mentor)
Differential Revision: https://reviews.freebsd.org/D50413
instead of accepting any character as a delimiter, only accept ':', '.'
and '-', and only permit a single delimiter in an address.
this prevents accepting bizarre addresses like:
    ifconfig epair2a link 10.1.2.200/28
... which is particularly problematic on an INET6-only system, in which
case ifconfig defaults to the 'link' family, meaning that:
    ifconfig epair2a 10.1.2.200/28
... changes the Ethernet address of the interface.
bump __FreeBSD_version so link_addr() consumers can detect the change.
Reviewed by: kp, des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D49936
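
A strict parser of the kind this commit message describes, as an added C example rather than FreeBSD's link_addr(): `parse_lladdr()` and its layout of six groups of one or two hex digits are assumptions made here. It accepts only ':', '.' or '-' as the delimiter and requires the same one throughout, so `10.1.2.200/28` is rejected instead of being read as an Ethernet address.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LLADDR_LEN 6               /* Ethernet address length in bytes */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int
hexval(char c)
{
	if (c >= '0' && c <= '9')
		return (c - '0');
	if (c >= 'a' && c <= 'f')
		return (c - 'a' + 10);
	if (c >= 'A' && c <= 'F')
		return (c - 'A' + 10);
	return (-1);
}

/* Hypothetical strict parser: 0 and out[] filled on success, -1 otherwise. */
int
parse_lladdr(const char *s, uint8_t out[LLADDR_LEN])
{
	uint8_t buf[LLADDR_LEN];
	char delim = '\0';
	int i, d, ndigits;
	unsigned v;

	for (i = 0; i < LLADDR_LEN; i++) {
		v = 0;
		for (ndigits = 0; (d = hexval(*s)) >= 0; ndigits++, s++) {
			if (ndigits == 2)
				return (-1);    /* group too long: "200" */
			v = v << 4 | (unsigned)d;
		}
		if (ndigits == 0)
			return (-1);            /* empty group: "02::01" */
		buf[i] = (uint8_t)v;
		if (i == LLADDR_LEN - 1)
			break;
		if (*s == '\0' || strchr(":.-", *s) == NULL)
			return (-1);            /* not an accepted delimiter */
		if (delim == '\0')
			delim = *s;             /* first delimiter fixes the style */
		else if (*s != delim)
			return (-1);            /* mixed delimiters */
		s++;
	}
	if (*s != '\0')
		return (-1);                    /* trailing junk such as "/28" */
	memcpy(out, buf, LLADDR_LEN);           /* out[] untouched on failure */
	return (0);
}
```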
Only export the array of string names if _WANT_IFCAP_BIT_NAMES is
defined. Exporting them unconditionally can trigger unused variable
warnings if a consumer doesn't use the array.
Reviewed by: olce, bz, brooks
Differential Revision: https://reviews.freebsd.org/D49954
the restriction on sending packets from anycast source addresses was
removed in RFC4291, so there's no reason to forbid binding to such
addresses. this allows anycast services (e.g., DNS) to actually use
anycast addresses, which was previously impossible.
RFC4291 also removes the restriction that only routers may configure
anycast addresses; this was never enforced in code but was documented in
ifconfig.8. update ifconfig.8 to document both changes.
PR: 285545
Reviewed by: des, adrian
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D49905
* add AES-GCM-256 and AES-CCM-256 ciphers
* add WPA-PSK-SHA256 and UNSPEC-SHA256 key management
This allows them to show in ifconfig -v wlan0 list scan, eg
    RSN<v1 mc:AES-GCMP-256 uc:AES-CCMP-256+AES-GCMP-256 km:8021X-PSK+8021X-PSK-256>
Differential Revision: https://reviews.freebsd.org/D49481
Reviewed by: thj
This decodes the AES-GCMP OUI in ifconfig, ifconfig list sta,
ifconfig list scan, etc.
Differential Revision: https://reviews.freebsd.org/D49187
Reviewed by: bz