| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
A few basic test cases for Ethernet rule parsing.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
| |
Just as pfctl already does for other rules we print the ethernet rules
we would have loaded if '-n' is specified.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
| |
When filtering Ethernet packets allow rules to specify a mac address
with a mask. This indicates which bits of the specified address are
significant. This allows users to do things like filter based on device
manufacturer.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
| |
Combine anchor, dummynet and rdr to produce a more complex captive
portal setup.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32484
|
| |
|
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32483
|
| |
|
|
|
|
|
| |
Support anchors in ether rules.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32482
|
| |
|
|
|
|
|
|
|
| |
Teach the 'ether' rules to accept { mac1, mac2, ... } lists, similar to
the lists of interfaces or IP addresses we already supported for layer 3
filtering.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32481
|
| |
|
|
|
|
|
| |
Ensure that the 'match' keyword works with dummynet
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32480
|
| |
|
|
|
|
|
|
| |
Test that we can set dummynet information on L2, which is processed by
L3 later (assuming it's not overruled by L3 rules, of course).
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32223
|
| |
|
|
|
|
|
|
|
|
| |
Allow packets to be tagged with dummynet information. Note that we do
not apply dummynet shaping on the L2 traffic, but instead mark it for
dummynet processing in the L3 code. This is the same approach as we take
for ALTQ.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32222
|
| |
|
|
|
|
|
|
| |
Document how 'ether' rules can be set, and what options they support.
Reviewed by: bcr
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31751
|
| |
|
|
|
|
|
|
| |
Document the new 'pfctl -s ether' functionality.
Reviewed by: bcr
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31750
|
| |
|
|
|
|
|
|
| |
If we're not filtering on a specific MAC address don't print it at all,
rather than showing an all-zero address.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31749
|
| |
|
|
|
|
|
|
| |
Allow the evaluations/packets/bytes counters on Ethernet rules to be
cleared.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31748
|
| |
|
|
|
|
|
|
| |
Test that we correctly match inbound ('in') or outbound ('out') Ethernet
packets.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31747
|
| |
|
|
|
|
|
|
| |
Use the ether rules to selectively (i.e. per MAC address) redirect
certain connections. Test that tags carry over to the layer-3 pf code.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31746
|
| |
|
|
|
|
|
| |
Test filtering packets by their EtherType (i.e. ARP/IPv4/IPv6/...).
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31745
|
| |
|
|
|
|
|
| |
Test that we can express 'ether block from ! 00:01:02:03:04:05'.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31744
|
| |
|
|
|
|
|
|
| |
Test the MAC address filtering capability in the new 'ether' feature in
pf.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31743
|
| |
|
|
|
|
|
|
| |
Avoid the overhead of the Ethernet pfil hooks if we don't have any
Ethernet rules.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31742
|
| |
|
|
|
|
|
|
|
| |
Add static DTrace probe points to allow debugging of ether rule
matching.
Reviewed by: mjg
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31741
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid the overhead of acquiring a (read) RULES lock when processing the
Ethernet rules.
We can get away with that because when rules are modified they're staged
in V_pf_keth_inactive. We take care to ensure the swap to V_pf_keth is
atomic, so that pf_test_eth_rule() always sees either the old rules, or
the new ruleset.
We need to take care not to delete the old ruleset until we're sure no
pf_test_eth_rule() is still running with those. We accomplish that by
using NET_EPOCH_CALL() to actually free the old rules.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31739
|
| |
|
|
|
|
|
|
| |
Extent pfctl to be able to read configured Ethernet filtering rules from
the kernel and print them.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31738
|
| |
|
|
|
|
|
|
|
|
| |
This is the kernel side of stateless Ethernel level filtering for pf.
The primary use case for this is to enable captive portal functionality
to allow/deny access by MAC address, rather than per IP address.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31737
|
| |
|
|
|
|
|
| |
I suspect the variable names and comments were accidentally French.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled. Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.
Reviewed by: kevans
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34407
|
| |
|
|
|
|
|
|
|
|
| |
The LibUSB v1.0 emulation layer uses pipes internally to signal between
threads. When USB devices are reset, as part of loading firmware, SIGPIPE
may happen, and that is expected and should be ignored.
PR: 261891
MFC after: 1 week
Sponsored by: NVIDIA Networking
|
| |
|
|
|
|
|
|
|
| |
Define NO_WUNUSED_BUT_SET_VARIABLE for newer clang, and use it in ATH_C
to account for different clang versions. Use it in Makefiles as well.
Sponsored by: Netflix
Reviewed by: kevans, jhb
Differential Revision: https://reviews.freebsd.org/D34408
|
| |
|
|
|
|
|
|
|
|
| |
Bump the minimum supported version to build -current from to 11.3R in
preparation of removing support for older systems. 11.4R was selected
as the most recent version to go out of support.
Sponsored by: Netflix
Reviewed by: delphij, emaste
Differential Revision: https://reviews.freebsd.org/D32444
|
| |
|
|
|
|
|
|
| |
We only need kbdcontrol when bootstrapping from FreeBSD 10 or
pre-FreeBSD 11.0 current. Since we can no longer build from these
versions of FreeBSD, remove the support for bootstrapping them.
Sponsored by: Netflix
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define a place for sysroot trees to live. This assumes they come from
the base in some way, though there's not yet a build/install/etc sysroot
target. Include the FreeBSD version so multiple verrsions can be
installed on one system (it also includes the whole uname version, so
one could, in theory, install variants like CheriBSD or whatever on the
same system as FreeBSD). Use MACHINE.MACHINE_ARCH to be consistent with
the release practices, /usr/obj and other naming conventions.
Sponsored by: Netflix
Reviewed by: brooks
Differential Revision: https://reviews.freebsd.org/D33754
|
| |
|
|
|
|
|
|
|
|
| |
Improve the installer: wlanconfig allows user to enter WiFi details
if no networks found, useful to connect to a hidden SSID.
PR: 246192
Reported by: emaste
Approved by: bapt (mentor)
Differential Revision: https://reviews.freebsd.org/D34149
|
| |
|
|
|
|
|
|
| |
This reverts commit 85eeb6ea62d45c5df893a16b87969bd7313a3dbb.
The issue has been fixed by 4be7d087c2b566f4910683836be279d55c1a81c6.
PR: 262086
|
| |
|
|
|
|
| |
Fixes: 8881d206f4e6 (reviewed by scottl, markj in D34401)
Noticed by: markj
Sponsored by: Netflix
|
| |
|
|
|
|
|
|
| |
exit1() sets P_WEXIT before waiting for holding threads to finish,
rather than after, so this assertion is racy.
Fixes: 12fb39ec3e6b ("proc: Relax proc_rwmem()'s assertion on the process hold count")
Reported by: Jenkins
|
| |
|
|
|
|
|
|
| |
This enables thread-aware timers which in turn fixes benchmark result
reports.
Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D34238
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fasttrap instruments certain instructions by overwriting them and
copying the original instruction to some per-thread scratch space which
is executed after the probe fires. This trampoline jumps back to the
tracepoint after executing the original instruction.
The created mapping has both write and execute permissions, and so this
mechanism doesn't work when allow_wx is disabled. Work around the
restriction by using proc_rwmem() to write to the trampoline.
Reviewed by: vangyzen
Tested by: Amit <akamit91@hotmail.com>
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34304
|
| |
|
|
|
|
|
| |
No functional change intended.
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reference ensures that the process and its associated vmspace will
not be destroyed while proc_rwmem() is executing. If, however, the
calling thread belongs to the target process, then it is unnecessary to
hold the process. In particular, fasttrap - a module which enables
userspace dtrace - may frequently call proc_rwmem(), and we'd prefer to
avoid the overhead of locking and bumping the hold count when possible.
Thus, make the assertion conditional on "p != curproc". Also assert
that the process is not already exiting. No functional change intended.
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
|
|
|
|
| |
And drop stray 'd' from the end of some printed numbers. I assume this
was the result of someone thinking u is a printf length modifier for d,
not a format specifier itself.
Reviewed by: kevans, rew
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34387
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The ath driver has a lot of these warnings. It's an older driver, so
just supress these warnings until they can be fixed. They are a mix of
simple dead stores, debubgging output and stuff that would require
careful study to know if its safe to remove the access or not (there are
likely very few of the latter, but if there are any they are latent bugs
that compiler could optimize away). Since I have no ath hardware to test
on anymore, take the conservative approach.
Sponsored by: Netflix
|
| |
|
|
|
|
|
| |
Create g_part_getattr to allow gpart geoms to have their attributes queried.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D32782
|
| |
|
|
|
|
| |
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32788
|
| |
|
|
|
|
|
|
|
| |
Allow wiring of unit numbers based any of the standard locators that
match.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32787
|
| |
|
|
|
|
|
|
|
|
| |
Abstract out acpi_hint_device_matches_resources from
acpi_hint_device_unit to simplify that code. Continue matching like
we've always matched: no functional change.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32786
|
| |
|
|
|
|
|
|
|
| |
"matches" is used as a bool and doesn't need to count anything. Convert
it to a bool.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32785
|
| |
|
|
|
|
|
|
|
| |
If the pciX:Y:Z and pciW:X:Y:Z 'at' locations don't work, allow try the
LOCATOR:PATH syntax. Use dev_wired_cache to generically look them up.
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D32784
|
