| Commit message (Collapse) | Author | Age | Files | Lines |
| |
while here, rework the "set limit" section:
- use a simple list
- add some missing defaults and limit-item
mbuhl helped fill in some of the blanks
ok kn
Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 4fbb390c4b
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
According to some notes from sthen;
ok sthen
Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 7f29e7e980
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
Pull Request: https://github.com/freebsd/freebsd-src/pull/1801
| |
Enabling and disabling LLVM assertions changes the ABI. There have
been multiple reports on the freebsd-current@ mailing list of broken
'cc'.
Out of caution, you may wish to do a clean build while crossing this
commit after building the reverted commit if you do not set
LLVM_ASSERTIONS in your src.conf.
Discussed with: kevans, jrtc27
This reverts commit 9b3055d0d4bcbe665d3c622c761adcc7d0a5b1c9.
| |
This noticeably slows down the compiler execution and with the move to
pkgbase is one of the remaining differences that cannot be
administratively controlled; pkg kernels and malloc.conf(5) will allow
quickly testing a snapshot in a configuration closer to stable and
release branches.
dim@ notes that you need to set WITH_LLVM_ASSERTIONS in src.conf(5) if
you want to report an issue with LLVM.
Enabling WITH_LLVM_ASSERTIONS is also a consideration for CI and pkg
builders especially tracking main.
Approved by: dim, kevans
Differential Revision: https://reviews.freebsd.org/D50388
| |
The default and only stock coredumper will continue to be the
traditional vnode dumper, which will dump to a vnode and issue a devctl
notification. With this change, one can write a kmod that injects custom
handling of user coredumps that offers richer behavior, particularly in
case one wants to add more metadata than we can tap out via devd.
The main motivation here is to pave the way for my usercore daemon to be
able to reroute coredumps before they ever touch the disk. In some
cases they may be discarded and we can avoid the overhead of writing
anything, in others they allow us to capture coredumps that would be
written into an area that's transient in nature (e.g., kyua test work
directories) without having to do more tricks to keep those alive. My
WIP kmod writes the coredump into a shmfd instead of a vnode, then
installs that into ucored(8) with every read(2) of /dev/ucore. This
also allows me to capture more metadata reliably before the process and
jail disappear.
Reviewed by: kib (earlier version), markj
Differential Revision: https://reviews.freebsd.org/D51338
| |
This more cleanly contains the bits that are specifically relevant to
dumping coredumps out to a vnode, which will make future changes a bit
easier to review. This also makes the scope of the relevant sysctls
easier to reason about in the process, as they're not visible outside of
the vnode dumper file -- this will mostly become relevant when we allow
pluggable dumpers.
While we're here, move all of the coredump-related stuff out into its
own kern_ucoredump.c and sys/ucoredump.h. We have enough that it's
useful to separate it out and de-clutter kern_sig.c and sys/exec.h a
bit.
Reviewed by: kib, markj (both earlier version)
Differential Revision: https://reviews.freebsd.org/D51349
| |
At the moment, all the manpages in share/man are in the utilities-man
package. Move some of them to the package they should actually be in,
using the new MANGROUPS feature.
Move all of section 3 to clibs-man. Although some of these are from
/usr/include/sys rather than libc, you can't practically use them
without libc, and clibs-man is where the libc manpages live already.
Move all of sections 4 and 9 to a new kernel-man package, except for
atf-test-case.4 which goes to tests-man. atf-test-case.4 is in the
wrong section, but this needs to be fixed upstream.
kernel-man requires special handling in generate-ucl.lua since it's
got a -man suffix but doesn't want the ' (manual pages)' automatic
suffix. For now, fix this by adding a list of packages that don't
get automatic suffixes.
Reviewed by: ifreund_freebsdfoundation.org, manu, emaste
Differential Revision: https://reviews.freebsd.org/D51504
| |
jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.
ok jmc@
Obtained from: OpenBSD, naddy <naddy@openbsd.org>, 41ce3b17e7
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
specific person.
Rewrite or use singular they.
ok thfr@ sthen@ daniel@ ian@ job@ kmos@ jcs@ ratchov@ phessler@ and
others I'm likely missing on an earlier version.
feedback tj@, feedback and ok jmc@
Obtained from: OpenBSD, jsg <jsg@openbsd.org>, 25a24f0b58
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
Multiply the number of states in the example adaptive timeout calculation
by 10 so it works with the numbers in the config, which were previously
multiplied.
ok dlg@
Obtained from: OpenBSD, jmatthew <jmatthew@openbsd.org>, 5642facce3
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
Setting multiple pf_fallback_rules in /etc/rc.conf as per the
documentation produces invalid pf syntax due to the lack of echo
quoting $pf_fallback_rules in /etc/rc.d/pf. Adding quotes around
the $pf_fallback_rules echo maintains newlines needed for valid
pfctl syntax. Provided patch resolves the issue.
Also updating rc.conf(5) to reflect that multi-line pf_fallback_rules
should not include a trailing backslash (\) as line breaks are
needed when passing rules to pfctl via stdin.
PR: 288197
Reviewed by: kp
MFC after: 2 weeks
| |
Only icmp(4)/icmp6(4) types are required for `icmp-type'/`icmp6-type' rules
while codes are optional.
From Martin Vahlensieck < openbsd at academicsolutions dot ch >, thanks!
Obtained from: OpenBSD, kn <kn@openbsd.org>, 5171218709
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
issue noticed by sthen@. fix discussed with bluhm@ and procter@
OK bluhm@, kn@, procter@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 4e62cf09d9
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
Title macros are discouraged in mdoc(7) because they are not portable.
While here, remove a redundant "file". File is still in the title twice.
MFC after: 3 days
| |
Commit 4a3fb7547e6b ("powerpc: Disconnect 32-bit powerpc from make
universe") changed the default architecture lists. i386 hasn't changed
as only the kernels are disabled; i386 is still included in
TARGET_MACHINE_LIST.
Sponsored by: The FreeBSD Foundation
| |
uid/gid.
OK @kn, OK @sthen
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 4521e23a38
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
great input by Ingo, Jason and Klemens
OK schwarze@, OK kn@, OK jmc@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, acd7255d6a
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
Fixes: 8e1e989c77d4 ("Add host.test.mk for DIRDEPS_BUILD")
Sponsored by: The FreeBSD Foundation
| |
where we were showing "set limit states 10000" make that 100k as well,
and adjust adaptive.start/end as well (just like in the code)
Obtained from: OpenBSD, henning <henning@openbsd.org>, a47b29f6e6
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
Allow pf to limit packets to a specified maximum size. This applies to all
packets, and if reassembly is enabled, looks at the reassembled size, not the
size of individual fragments.
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
"We never actually added the sysctl. The limit was implemented, and the
sysctl to tune it was documented but never added (so the limit is there,
but is always 16 and cannot be changed)." ~kp
MFC after: 3 days
Fixes: 339a1977c324 (pf: Add a systl to limit work)
Reported by: kp
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D50859
| |
Obtained from: OpenBSD, jmc <jmc@openbsd.org>, fbac9b3f44
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb
Obtained from: OpenBSD, henning <henning@openbsd.org>, 5a4ae9a9cb
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50798
| |
Sponsored by: The FreeBSD Foundation
| |
PR: 287502
Reviewed by: kbowling, ziaee
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50834
| |
The current manpage has two PARAMETERS top-level sections, which can be
confusing when searching or browsing documentation quickly.
Since the parameters described in these two sections are actually
applicable within the scope of the sections they follow (ETHERNET
FILTERING and PACKET FILTERING respectively), I propose we move them to
subsections.
I also propose we reword the title of one of those subsections to
facilitate quick searching or browsing.
MFC after: 3 days
Reviewed by: imp, ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1516
Closes: https://github.com/freebsd/freebsd-src/pull/1516
| |
When defining network address ranges in macros that will later be used
as items in list macro, these ranges must be quoted with additional
simple quotes.
For instance, the following does not work and is rejected as a syntax
error:
usr = "192.168.1.0/24"
srv = "192.168.2.10 - 192.168.29"
nat_ranges = "{" $usr $srv "}"
Defining ranges as the following instead will work:
usr = "'192.168.1.0/24'"
srv = "'192.168.2.10 - 192.168.29'"
MFC after: 3 days
Reviewed by: imp, ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1516
| |
This option doesn't actually do anything yet, but we need to update
src.conf.5 to keep CI happy.
Fixes: 290e8aaa3840 ("share/mk: Add MIT KRB5 build knob")
| |
* Clarify that filter rules are evaluated once per packet and interface,
not only once per packet.
* Clarify that the syntax anchor "name" { ... } both loads and
evaluates the anchor, rather than merely loading it.
Triggered by questions from Benedikt Neuffer <bene at usta dot de>.
OK mikeb@
Obtained from: OpenBSD, schwarze <schwarze@openbsd.org>, 7528bd0ba2
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
the second prio given applies to
1) TCP ACKs
2) packets with ToS=lowdelay
and not TCP ACKs that have ToS=lowdelay
confusion discovered during bsdcan pf tutorial
Obtained from: OpenBSD, henning <henning@openbsd.org>, ab995ee558
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
Block IPv6 packets in pf(4) that have hop-by-hop options header or
destination options header. Such packets can be passed by adding
"allow-opts" to the rule. So IPv6 options are handled like their
counterpart in IPv4 now.
tested by benno@; OK henning@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, c50c83ac27
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50662
| |
from michal mazurek, tweaked a bit by myself
Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 5e78806cfb
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50536
| |
This reverts commit 9ce5410b9094f9a2dce72e86a70fd086acdb3ff6. makeman
is actually sensitive to the host architecture it's run on, which may
result in silly little diffs like this. Likely we should pin it to
amd64/amd64 or something for consistency in future updates.
Reported by: emaste
Diagnosis by: Mark Millard
| |
This appears to be reflecting the default switch for LLVM_BINUTILS in
1cae7121c667d9 ("Enable LLVM_BINUTILS by default").
| |
And note that .init and .fini are legacy interfaces.
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50380
| |
This daemon has been removed; also remove things which reference it.
Reviewed by: manu, des, emaste
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50441
| |
Cross-compilation needs CPUTYPE to be set with ?= to be overridable via
make targets. This has historically been mentioned in the FOOTNOTES of
UPDATING. Note that in the CPUTYPE documentation in make.conf(5) for
discoverability. Leave it in UPDATING for now to create no regression in
the doc there.
MFC after: 3 days
Reviewed by: carlavilla, ivy
Approved by: carlavilla (mentor)
Differential Revision: https://reviews.freebsd.org/D50277
| |
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50443
| |
"routing" enables the jail allow.routing permission, which allows the jail to
modify the system routing table. This can be used to run routing daemons
(e.g., BIRD) in a service jail.
Reviewed by: jamie, des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D49844
| |
from matthew martin
ok henning
Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 737fae0517
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
People are turning on the option and then tripping over weird
consequences. See bugs 248338 and 271170 as examples.
Approved by: cy, imp, philip
Differential Revision: https://reviews.freebsd.org/D25902
Co-authored-by: Joseph Mingrone <jrm@FreeBSD.org>
| |
Reviewed by: bapt
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D50215
| |
Reviewed by: ziaee, kevans
Approved by: kevans (mentor)
Differential Revision: https://reviews.freebsd.org/D50113
| |
llvm-strings may consume a large amount of memory while reading the
input file before producing any output.
ELF Tool Chain's strings is small and lightweight, and we always install
strings regardless of WITH_/WITHOUT_TOOLCHAIN settings (as it is useful
in many contexts). Return to always installing ELF Tool Chain's version
of strings.
This reverts commit 81fa5c4a828bec9f1ead280c59c31bd423e6eeea.
This reverts commit 7ca3db1999cd967f9d6d7b259aa7af54aae14a5f.
PR: 286605
Reported by: olivier
Reviewed by: olivier, brooks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50084
| |
Reported by: olivier
Fixes: 81fa5c4a828b ("llvm-strings: Install as strings when WITH_LLVM_BINUTILS=YES")
Sponsored by: The FreeBSD Foundation
| |
Now that pfctl has separate functions for parsing redirection pools and
ports, we can finally add support for nat-to and rdr-to filter_opts.
NAT and RDR actions are marked by having the respective pools filled in.
Function pf_rule_apply_nat() is responsible for both NAT/RDR and af-to
address translations. It is called both for match rules and the final
pass rule.
Use FreeBSD's original address translation code by splitting it into
pf_translate_compat(). Call this function for old-style NAT ruleset
and for modern NAT rules via pf_rule_apply_nat().
Initialize pfctl_rule's redirection pools on rule allocation, also for
code paths not using expand_rule(), so that they can be safely checked
for being empty in filter_consistent().
Move map-e NAT test to nat.sh for convenience, duplicate critical NAT
tests into _compat (for old-style NAT ruleset) and _pass (for match/
pass) variants.
Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D49221
| |
Specify "to" addresses in one of the examples that shows use of af-to for
inet6->inet. Without this, local network traffic (including neighbour
discovery etc) will also get translated. From Peter J. Philipp, with a
tweak to break long lines.
Obtained from: OpenBSD, sthen <sthen@openbsd.org>, bb46494cdb
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
requested by janne johansson
ok henning
Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 0a764fedff
Sponsored by: Rubicon Communications, LLC ("Netgate")