ip: Defer checks for an unspecified dstaddr until after pfil hooks
To comply with LINCE certification, it's necessary to ensure that
packets to 0.0.0.0/::0 are dropped and logged by the firewall. Such
packets are dropped by ip_input() and ip6_input() before reaching pfil
hooks; reorder the checks to give firewalls a chance to drop the packets
themselves, as this gives better observability.
Note that ip_forward() and ip6_forward() ensure that such packets are
not forwarded; they are passed back unmodified.
rc: ignore InsydeH2O UEFI BIOS UUID placeholder for hostid
This caused MAC addresses (e.g. bridge0) to clash on systems
running this particular BIOS.
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1544
iwlwifi: script to extract firmware details
When having to find a firmware image with a lower version number
we must only break the inner but not also the outer loop so we
keep looking at any possibly remaining firmware details.
While here also try to find a version from max..1 and not from 1..max.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 52f8e99e7e5e6fab52b3fff535d62b873f8c02dd)
e1000: sysctl for TCP flag handling during TSO
Add tso_tcp_flags_mask_first_segment, tso_tcp_flags_mask_middle_segment,
and tso_tcp_flags_mask_last_segment sysctl-variables to control the
handling of TCP flags during TSO.
This allows to change the masks appropriate for classical ECN and to
configure appropriate masks for accurate ECN.
Reviewed by: rrs
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D44259
(cherry picked from commit 90853dfac851afa9e8840f5a38383256d75458b6)
pfctl: clear statistic for specified addresses
The ioctl DIOCRCLRASTATS provides the functionality of clearing stats
not only for the whole table for for addresses stored in that table. The
functionality was missing from pfctl, though. Add it now.
PR: 282877
Obtained from: OpenBSD, kirill <kirill at openbsd.org>, e496dff3a7
MFC after: 3 weeks
(cherry picked from commit 6463b6b59152fb1695bbe0de78f6e2675c5a765a)
e1000: Improve igb(4) SFP support
* Adds support for SFPs that are not correctly coded as an SFP
transceiver. i.e. Coherent-Finisar FCLF8522P2BTL.
* Configures multi-rate SFPs i.e. Coherent-Finisar FCLF8522P2BTL as
SGMII so they can do 10/100/1000 auto-negotiation.
* Adds support for 100BaseLX SGMII transceivers.
* Some code cleanup and additional debugging.
Reviewed by: emaste, markj, Franco Fichtner <franco at opnsense.org>
Tested by: Natalino Picone <natalino.picone at nozominetworks.com>
Sponsored by: Nozomi Networks
Sponsored by: BBOX.io
Differential Revision: https://reviews.freebsd.org/D47337
(cherry picked from commit 15853a5fc9548d9805a2ef22f24e2eb580198341)
e1000: Try auto-negotiation for fixed 100 or 10 configuration
This is a retread of https://reviews.freebsd.org/D34449 which I think
will fix the issue for the remote side not supporting autoneg. We now
attempt an autoneg, and if that fails fall back to the current code
that forces the link speed/duplex.
The original intent of this patch is to inform the remote switch of
duplex settings when we (the client) are specifying a fixed 10 or 100
speed. Otherwise it may get the duplex setting wrong.
The tricky case is when the remote (switch) side is fixing its
speed AND duplex while disabling autoneg and we (client) need to do
the same, which still seems to be common enough at some ISPs.
Original commit message follows:
Currently if an e1000 interface is set to a fixed media configuration,
for gigabit, it will participate in auto-negotiation as required by
IEEE 802.3-2018 Clause 37. However, if set to fixed media configuration
[37 lines not shown]
e1000: Style pass on if_em
Fix up some indentation and reflow long lines
Sponsored by: BBOX.io
(cherry picked from commit 6f14883066f10afc9e3e2af45c5b509586f9da9e)
rtsock: Use NULL for VNET_SYS[UN]INIT's last arg, which is a pointer type
MFC after: 3 days
(cherry picked from commit adc573c8e2179310777cef4d6bda19db2ae63dd5)
e1000: Remove old itr sysctl handler
This implementation had various bugs. bde@ reported that the unit
conversion/scaling is wrong, and it also does not handle 82574L or
igb(4) devices correctly.
With the new AIM code, it is expected most users will not need to
manually tune this.
If you do need static control:
hw.em.enable_aim=0 for all interfaces at boot or dev.em.X.enable_aim=0
for individual interfaces at runtime and they will track the
hw.em.max_interrupt_rate tunable. That codepath has been bugfixed for
all supported chipsets.
You may view the current rate with dev.em.X.queue_rx_0.interrupt_rate
which has been bugfixed for all supported chipsets.
If you need to set different rates per interface for some reason let me
[11 lines not shown]
routing: Use NULL for VNET_SYS[UN]INIT's last arg, which is a pointer type
MFC after: 3 days
(cherry picked from commit 12b2d68bed37e379929cd9b5e0afe34c387be360)
igc: Remove a bogus register write in igc_if_queues_free()
As explained in PR 277038, iflib calls IFDI_DETACH() and then
IFDI_QUEUES_FREE(). With igc, the latter writes to a register after it
has been unmapped.
igc_if_detach() already calls igc_release_hw_control(), and looking at
callers of igc_if_queues_free(), that appears to be sufficient. So,
just remove the igc_release_hw_control() call.
PR: 277038
Reported by: Mike Belanger <mibelanger at qnx.com>
Reviewed by: kbowling
Tested by: kbowling
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D47293
(cherry picked from commit 35d05a14ed7e9935be1ed0fe965b91aaaa4c92ef)
ixgbe: Style pass on FreeBSD part of driver
Fix up some indentation and reflow long lines
Sponsored by: BBOX.io
(cherry picked from commit c58d34dd67a419866ee50f152044e49cecbae261)
ixgbe: Add support for 1Gbit DAC links
This is a relatively well known trick for the X520 (82599), can be
useful for testing and lab settings. It's not an official standard or
particularly common but ubiquitous Broadcom switch ASICs deal with it.
We'll call it 1000Base-KX because it's SerDes on the passive cable and
I don't think it's worth adding another media type for this.
Reviewed by: emaste
Sponsored by: BBOX.io
Differential Revision: https://reviews.freebsd.org/D47352
(cherry picked from commit 48ddd1b9f88753c6875566fbb67bc622453e4993)
ixgbe: sysctl for TCP flag handling during TSO
Add tso_tcp_flags_mask_first_segment, tso_tcp_flags_mask_middle_segment,
and tso_tcp_flags_mask_last_segment sysctl-variables to control the
handling of TCP flags during TSO.
This allows to fix the masks appropriate for classical ECN and to
configure appropriate masks for accurate ECN.
Michael notes emperically 82599 has an unexpected middle mask:
Chip First Middle Last
82599 0xFF6 0xFF6 0xF7F
which should be fixed up to 0xF76 (RFC 3168) in a future commit.
Reviewed by: rrs, rscheff
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D44258
(cherry picked from commit eea2e089f8dadf850a30ed837edd7a386427a9ed)
igc: sysctl for TCP flag handling during TSO
Add tso_tcp_flags_mask_first_segment, tso_tcp_flags_mask_middle_segment,
and tso_tcp_flags_mask_last_segment sysctl-variables to control the
handling of TCP flags during TSO.
This allows to change the masks appropriate for classical ECN and to
configure appropriate masks for accurate ECN.
Sponsored by: Netflix
(cherry picked from commit ab540d44ba3201ff8313b90ba0096004603b2e34)
ixgbe: Add support for 1Gbit Active DAC links
1Gbit also emperically works on Active DACs.
Sponsored by: BBOX.io
(cherry picked from commit e38f9257c3fac5cb5a62f62c424a976446ae1220)
file: The f_ops table pointer can be a pointer to const
No functional change intended.
MFC after: 2 weeks
(cherry picked from commit c477d8974374402a16a42f5d62fbda19070a12a3)
netlink/route: Fix the argument list for rtnl_handle_iflink()
This function is registered as a ifnet_link_event and so should have the
corresponding argument list.
PR: 282870
Reported by: nakayamakenjiro at gmail.com
MFC after: 1 week
(cherry picked from commit 0289db3259532d51ebe58bc0b2647a0d9e6cae66)
pf: Let rdr rules modify the src port if doing so would avoid a conflict
If NAT rules cause inbound connections to different external IPs to be
mapped to the same internal IP, and some application uses the same
source port for multiple such connections, rdr translation may result in
conflicts that cause some of the connections to be dropped.
Address this by letting rdr rules detect state conflicts and modulate
the source port to avoid them.
Reviewed by: kp, allanjude
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D44488
(cherry picked from commit 9897a66923a3e79c22fcbd4bc80afae9eb9f277c)
kern: Make fileops and filterops tables const where possible
No functional change intended.
MFC after: 1 week
(cherry picked from commit ef9ffb8594eee294334ced627755bf5b46b48f9f)
if_tuntap: Enable MEXTPG support
Fix tunread() to use m_mbuftouio() instead of manually copying (which
doesn't work for unmapped mbufs).
Reviewed by: jhb, gallatin
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D47295
(cherry picked from commit 01c738cd5c3938374cce8293c82753d977966154)
ipfw: fix order of memcpy arguments.
This fixes `ipfw table N lookup addr` command for MAC tables.
(cherry picked from commit e012d79c9c732a6aef21066feba2e5e48833cca4)
pf: Let pf_state_insert() handle redirect state conflicts
When handling a redirect state conflict, pf_get_translation() tries
modifying the source port to avoid it. If it fails to find a free port,
the translation is aborted.
Instead, if we fail to find a free source port, simply press on with the
original source port and let pf_state_insert() handle the conflict as it
pleases, rather than second-guessing what it will do. In particular,
pf_state_insert() has special handling for TCP connections in a terminal
state, and might succeed despite a state conflict.
Reviewed by: kp
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D46612
(cherry picked from commit 9569fddd8d0e48211e67fdc63dd72eba83883525)
pf: Make pf_get_translation() more expressive
Currently pf_get_translation() returns a pointer to a matching
nat/rdr/binat rule, or NULL if no rule was matched or an error occurred
while applying the translation. That is, we don't distinguish between
errors and the lack of a matching rule. This, if an error (e.g., a
memory allocation failure or a state conflict) occurs, we simply handle
the packet as if no translation rule was present. This is not
desireable.
Make pf_get_translation() return the matching rule as an out-param and
instead return a reason code which indicates whether there was no
translation rule, or there was a translation rule and we failed to apply
it, or there was a translation rule and we applied it successfully.
Reviewed by: kp, allanjude
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
[3 lines not shown]
