From owner-dev-commits-src-branches@freebsd.org Fri Jan 1 00:53:21 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8E3314B8A84; Fri, 1 Jan 2021 00:53:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D6RN13YCwz4gdH; Fri, 1 Jan 2021 00:53:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6CAE81A0AE; Fri, 1 Jan 2021 00:53:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1010rLq8055036; Fri, 1 Jan 2021 00:53:21 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1010rL6F055035; Fri, 1 Jan 2021 00:53:21 GMT (envelope-from git) Date: Fri, 1 Jan 2021 00:53:21 GMT Message-Id: <202101010053.1010rL6F055035@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Stefan Eßer
Subject: git: f1031f07fb8b - stable/11 - MFC: Fix calendar -a processing of files included in the user's home directory
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: se
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/11
X-Git-Reftype: branch
X-Git-Commit: f1031f07fb8b3994ffe14b5d780304e4de1f32fb
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 01 Jan 2021 00:53:21 -0000

The branch stable/11 has been updated by se:

URL: https://cgit.FreeBSD.org/src/commit/?id=f1031f07fb8b3994ffe14b5d780304e4de1f32fb

commit f1031f07fb8b3994ffe14b5d780304e4de1f32fb
Author: Stefan Eßer
AuthorDate: 2020-10-29 08:26:38 +0000
Commit: Stefan Eßer
CommitDate: 2021-01-01 00:46:48 +0000

MFC: Fix calendar -a processing of files included in the user's home directory

The existing code performed a chdir() into the home directory, but the parser fell back to using the invoking user's home directory as the base directory for the search for an include file.

Since use of the -a option is limited to UID==0, the directory searched was typically ~root/.calendar, not the .calendar directory of the user whose file is being processed.

PR: 205580
Reported by: greg.bal4@gmail.com (Greg Balfour)
MFC after: 3 days

(cherry picked from commit 3fa2a149d68d22fa32ba7b6c09773388ac490fd1)

The code in -CURRENT is quite different (forks sub-processes to process the files for each user) but this change should provide the same functionality as the referenced commit to -CURRENT.

--- usr.bin/calendar/calendar.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr.bin/calendar/calendar.c b/usr.bin/calendar/calendar.c index 84d188071ea9..222cd57cfd1b 100644
--- a/usr.bin/calendar/calendar.c +++ b/usr.bin/calendar/calendar.c 
@@ -209,8 +209,10 @@ main(int argc, char *argv[]) (void)setegid(pw->pw_gid); (void)initgroups(pw->pw_name, pw->pw_gid); (void)seteuid(pw->pw_uid); - if (!chdir(pw->pw_dir)) + if (!chdir(pw->pw_dir)) { + setenv("HOME", pw->pw_dir, 1); cal(); + } (void)seteuid(0); } else
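Review bot: the added `setenv("HOME", pw->pw_dir, 1);` ignores its return value, so if it fails `cal()` still runs with whatever `HOME` was set before (root's, or an earlier user's), which is the wrong-include-directory behaviour this change is meant to remove. Check the result and skip `cal()` for that user on failure, for example `if (chdir(pw->pw_dir) == 0 && setenv("HOME", pw->pw_dir, 1) == 0) cal();`. The neighbouring calls that deliberately discard a result are cast with `(void)`; the new call has no cast, so it is unclear whether ignoring the failure is intended. `HOME` also stays pointed at the last processed user's directory after `(void)seteuid(0);`, which deserves a comment if nothing later relies on it.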
From: Kirk McKusick
Subject: git: 41cf333f9b2a - stable/12 - MFC: Correct and add some comments.
X-List-Received-Date: Fri, 01 Jan 2021 07:58:20 -0000

The branch stable/12 has been updated by mckusick:

URL: https://cgit.FreeBSD.org/src/commit/?id=41cf333f9b2a494e7bb54f42a3790b6df99d09c9

commit 41cf333f9b2a494e7bb54f42a3790b6df99d09c9
Author: Kirk McKusick
AuthorDate: 2020-12-31 23:15:44 +0000
Commit: Kirk McKusick
CommitDate: 2021-01-01 07:49:58 +0000

MFC: Correct and add some comments.

Sponsored by: Netflix

(cherry picked from commit 68dc94c7d314b02ef80fe972f524a2b3c6e68a1c)

--- sbin/fsck_ffs/fsck.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/sbin/fsck_ffs/fsck.h b/sbin/fsck_ffs/fsck.h index b05bc5f7a3c2..3394949189b5 100644 --- a/sbin/fsck_ffs/fsck.h +++ b/sbin/fsck_ffs/fsck.h @@ -137,11 +137,11 @@ extern struct inostatlist { */ struct bufarea { TAILQ_ENTRY(bufarea) b_list; /* buffer list */ - ufs2_daddr_t b_bno; - int b_size; - int b_errs; - int b_flags; - int b_type; + ufs2_daddr_t b_bno; /* disk block number */ + int b_size; /* size of I/O */ + int b_errs; /* I/O error */ + int b_flags; /* B_ flags below */ + int b_type; /* BT_ type below */ union { char *b_buf; /* buffer space */ ufs1_daddr_t *b_indir1; /* UFS1 indirect block */
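Review bot: the new comment on `b_errs` (`/* I/O error */`) does not say whether the field is a count, a flag or an errno value, and `b_size` (`/* size of I/O */`) gives no unit. Since this change exists to make the `struct bufarea` fields self-describing, state both explicitly, the way the `b_flags` and `b_type` comments already point at the `B_` and `BT_` definitions.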
@@ -172,14 +172,14 @@ struct bufarea { /* * Type of data in buffer */ -#define BT_UNKNOWN 0 /* Buffer holds a superblock */ +#define BT_UNKNOWN 0 /* Buffer type is unknown */ #define BT_SUPERBLK 1 /* Buffer holds a superblock */ #define BT_CYLGRP 2 /* Buffer holds a cylinder group map */ #define BT_LEVEL1 3 /* Buffer holds single level indirect */ #define BT_LEVEL2 4 /* Buffer holds double level indirect */ #define BT_LEVEL3 5 /* Buffer holds triple level indirect */ #define BT_EXTATTR 6 /* Buffer holds external attribute data */ -#define BT_INODES 7 /* Buffer holds external attribute data */ +#define BT_INODES 7 /* Buffer holds inodes */ #define BT_DIRDATA 8 /* Buffer holds directory data */ #define BT_DATA 9 /* Buffer holds user data */ #define BT_NUMBUFTYPES 10
From: Xin LI
Subject: git: 14dff150ef9a - stable/12 - Update leap-seconds to leap-seconds.3676924800.
X-List-Received-Date: Sat, 02 Jan 2021 01:08:11 -0000

The branch stable/12 has been updated by delphij:

URL: https://cgit.FreeBSD.org/src/commit/?id=14dff150ef9ac64d47810833c309759e4f5d9642

commit 14dff150ef9ac64d47810833c309759e4f5d9642
Author: Xin LI
AuthorDate: 2020-12-30 06:01:46 +0000
Commit: Xin LI
CommitDate: 2021-01-02 01:07:34 +0000

Update leap-seconds to leap-seconds.3676924800.

Obtained from: ftp://ftp.nist.gov/pub/time/leap-seconds.3676924800
MFC after: 3 days

(cherry picked from commit 2edcc10cb123ea845e00127f3241155dd98dac3b)

--- usr.sbin/ntp/ntpd/leap-seconds | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr.sbin/ntp/ntpd/leap-seconds b/usr.sbin/ntp/ntpd/leap-seconds index ac153daebf86..e897a867e164 100644
--- a/usr.sbin/ntp/ntpd/leap-seconds +++ b/usr.sbin/ntp/ntpd/leap-seconds @@ -204,10 +204,10 @@ # current -- the update time stamp, the data and the name of the file # will not change. # -# Updated through IERS Bulletin C59 -# File expires on: 28 December 2020 +# Updated through IERS Bulletin C60 +# File expires on: 28 June 2021 # -#@ 3818102400 +#@ 3833827200 # 2272060800 10 # 1 Jan 1972 2287785600 11 # 1 Jul 1972 
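Review bot: the commit subject identifies the new revision only by file name (`leap-seconds.3676924800`), but the context comment at the top of this hunk says the update time stamp and the name of the file do not change for this kind of update, so the subject does not distinguish this revision from the one it replaces. Name what did change in the message: the move to IERS Bulletin C60 and the new expiry. The new `#@ 3833827200` is in NTP-era seconds and does correspond to 28 June 2021 00:00 UTC, so the human-readable comment and the machine-readable expiry agree.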
@@ -252,4 +252,4 @@ # the hash line is also ignored in the # computation. # -#h a1c168ae 27c79a7d 9dddcfc3 bcfe616b 2e2c44ea +#h 064356a8 39268b92 76e4d5ef 3e22fae1 0cca529c
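Review bot: the replaced `#h` line is the file's own embedded digest, and the commit message gives the source as plain `ftp://ftp.nist.gov/...`, so the digest and the data it covers arrived over the same unauthenticated channel; a matching hash only shows the file is internally consistent, not that it is the file NIST published. Record in the commit message how the content was checked, for example against a second, independently fetched copy, before it is merged to a stable branch.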
From: Xin LI
Subject: git: 72492c6d5385 - stable/11 - Update leap-seconds to leap-seconds.3676924800.
X-List-Received-Date: Sat, 02 Jan 2021 01:10:52 -0000

The branch stable/11 has been updated by delphij:

URL: https://cgit.FreeBSD.org/src/commit/?id=72492c6d5385acba86425bf7244c3563426e2ac7

commit 72492c6d5385acba86425bf7244c3563426e2ac7
Author: Xin LI
AuthorDate: 2020-12-30 06:01:46 +0000
Commit: Xin LI
CommitDate: 2021-01-02 01:10:35 +0000

Update leap-seconds to leap-seconds.3676924800.

Obtained from: ftp://ftp.nist.gov/pub/time/leap-seconds.3676924800
MFC after: 3 days

(cherry picked from commit 2edcc10cb123ea845e00127f3241155dd98dac3b)

--- etc/ntp/leap-seconds | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/ntp/leap-seconds b/etc/ntp/leap-seconds index ac153daebf86..e897a867e164 100644 --- a/etc/ntp/leap-seconds +++ b/etc/ntp/leap-seconds @@ -204,10 +204,10 @@ # current -- the update time stamp, the data and the name of the file # will not change. # -# Updated through IERS Bulletin C59 -# File expires on: 28 December 2020 +# Updated through IERS Bulletin C60 +# File expires on: 28 June 2021 # -#@ 3818102400 +#@ 3833827200 # 2272060800 10 # 1 Jan 1972 2287785600 11 # 1 Jul 1972
@@ -252,4 +252,4 @@ # the hash line is also ignored in the # computation. # -#h a1c168ae 27c79a7d 9dddcfc3 bcfe616b 2e2c44ea +#h 064356a8 39268b92 76e4d5ef 3e22fae1 0cca529c
From: Kyle Evans
Subject: git: 25a6b709b6b6 - stable/12 - Also pass SKEIN_USE_ASM to the assembler, via AFLAGS
X-List-Received-Date: Sat, 02 Jan 2021 04:53:12 -0000

The branch stable/12 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=25a6b709b6b66800481249b5d27d3351636543ac

commit 25a6b709b6b66800481249b5d27d3351636543ac
Author: Ed Maste
AuthorDate: 2020-06-05 18:56:43 +0000
Commit: Kyle Evans
CommitDate: 2021-01-02 04:52:23 +0000

Also pass SKEIN_USE_ASM to the assembler, via AFLAGS

(cherry picked from commit f2b86886645fc3fa331543565268808b80d5abdb)

--- lib/libmd/Makefile | 2 +- sys/modules/crypto/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libmd/Makefile b/lib/libmd/Makefile index 2cb0e75f1d27..2381d6da9e93 100644 --- a/lib/libmd/Makefile +++ b/lib/libmd/Makefile @@ -120,7 +120,7 @@ CFLAGS+= -DRMD160_ASM .if defined(XAS) || ${MK_BINUTILS_BOOTSTRAP} != "no" AFLAGS += --strip-local-absolute # Fully unroll all loops in the assembly optimized version -AFLAGS+= --defsym SKEIN_LOOP=0 +AFLAGS+= --defsym SKEIN_LOOP=0 --defsym SKEIN_USE_ASM=1792 SRCS+= skein_block_asm.s CFLAGS+= -DSKEIN_ASM -DSKEIN_USE_ASM=1792 # list of block functions to replace with assembly: 256+512+1024 = 1792 .else diff --git a/sys/modules/crypto/Makefile b/sys/modules/crypto/Makefile index 7c34717597fd..4762b9250e9c 100644 --- a/sys/modules/crypto/Makefile +++ b/sys/modules/crypto/Makefile
@@ -36,7 +36,7 @@ SRCS += skein_block_asm.s CFLAGS += -DSKEIN_ASM -DSKEIN_USE_ASM=1792 # list of block functions to replace with assembly: 256+512+1024 = 1792 ACFLAGS += -DELF -Wa,--noexecstack # Fully unroll all loops in the assembly optimized version -AFLAGS+= --defsym SKEIN_LOOP=0 +AFLAGS+= --defsym SKEIN_LOOP=0 --defsym SKEIN_USE_ASM=1792 .endif SRCS += siphash.c SRCS += gmac.c gfmult.c
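Review bot: in both Makefiles the value 1792 is now written twice, once as `-DSKEIN_USE_ASM=1792` on the `CFLAGS` line and once as `--defsym SKEIN_USE_ASM=1792` on the `AFLAGS` line, with the explanation (256+512+1024) attached only to the `CFLAGS` line. If one is changed without the other, the C code and `skein_block_asm.s` will disagree about which block functions the assembly provides. Define the value once in a make variable and reference it from both lines, or at least repeat the comment on the `AFLAGS` line.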
From: Kyle Evans
Subject: git: 8372f2f679e0 - stable/12 - Apply C SKEIN_LOOP setting only to skein_block.c
X-List-Received-Date: Sat, 02 Jan 2021 04:53:12 -0000

The branch stable/12 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=8372f2f679e0f7a74c14810cdf93af52a783e68c

commit 8372f2f679e0f7a74c14810cdf93af52a783e68c
Author: Ed Maste
AuthorDate: 2020-06-05 17:00:38 +0000
Commit: Kyle Evans
CommitDate: 2021-01-02 04:52:23 +0000

Apply C SKEIN_LOOP setting only to skein_block.c

Otherwise if assembling skein_block_asm.s with Clang's integrated assembler we can pass conflicting SKEIN_LOOP settings (via CFLAGS and ACFLAGS).

(cherry picked from commit 310e81aede569411ad005f6d6e7259ae0cdafd82)

--- lib/libmd/Makefile | 2 +- sys/modules/crypto/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libmd/Makefile b/lib/libmd/Makefile index edeb308c82d6..2cb0e75f1d27 100644 --- a/lib/libmd/Makefile +++ b/lib/libmd/Makefile
@@ -97,7 +97,7 @@ CFLAGS+= -I${.CURDIR} -I${SRCTOP}/sys/crypto/sha2 CFLAGS+= -I${SRCTOP}/sys/crypto/skein CFLAGS+= -DWEAK_REFS # unroll the 256 and 512 loops, half unroll the 1024 -CFLAGS+= -DSKEIN_LOOP=995 +CFLAGS.skein_block.c+= -DSKEIN_LOOP=995 .PATH: ${.CURDIR}/${MACHINE_ARCH} ${SRCTOP}/sys/crypto/sha2 .PATH: ${SRCTOP}/sys/crypto/skein ${SRCTOP}/sys/crypto/skein/${MACHINE_ARCH} diff --git a/sys/modules/crypto/Makefile b/sys/modules/crypto/Makefile index 09c5d710e985..7c34717597fd 100644 --- a/sys/modules/crypto/Makefile +++ b/sys/modules/crypto/Makefile 
@@ -29,7 +29,7 @@ SRCS += des_ecb.c des_enc.c des_setkey.c SRCS += sha1.c sha256c.c sha512c.c SRCS += skein.c skein_block.c # unroll the 256 and 512 loops, half unroll the 1024 -CFLAGS+= -DSKEIN_LOOP=995 +CFLAGS.skein_block.c += -DSKEIN_LOOP=995 .if exists(${MACHINE_ARCH}/skein_block_asm.s) .PATH: ${SRCTOP}/sys/crypto/skein/${MACHINE_ARCH} SRCS += skein_block_asm.s
From: Kyle Evans
Subject: git: 1e6afe0f7d23 - stable/12 - Fix bad libbxo format strings in jls
X-List-Received-Date: Sat, 02 Jan 2021 05:27:40 -0000

The branch stable/12 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=1e6afe0f7d2346ac5b864b6b01bb9458f5349347

commit 1e6afe0f7d2346ac5b864b6b01bb9458f5349347
Author: Alex Richardson
AuthorDate: 2020-11-04 14:31:52 +0000
Commit: Kyle Evans
CommitDate: 2021-01-02 05:27:10 +0000

Fix bad libbxo format strings in jls

The existing format string for the empty case was trying to read varargs values that weren't passed to xo_emit. This appears to work on x86 (since the next argument is probably a pointer to an empty string), but for CHERI we can bound variadic arguments and detect a read past the end.

While touching these lines also use the libxo 'a' modifier to avoid having to construct the libxo format string using asprintf.

Found by: CHERI
Reviewed By: allanjude
Differential Revision: https://reviews.freebsd.org/D26885

(cherry picked from commit d24f17df969107b47af60e5ccc1ed0f1a467fc6f)

--- usr.sbin/jls/jls.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/usr.sbin/jls/jls.c b/usr.sbin/jls/jls.c index 46c5a5c8b15e..374ee14bf080 100644 --- a/usr.sbin/jls/jls.c +++ b/usr.sbin/jls/jls.c
@@ -505,17 +505,13 @@ quoted_print(int pflags, char *name, char *value) { int qc; char *p = value; - char *param_name_value; /* An empty string needs quoting. */ if (!*p) { - asprintf(¶m_name_value, "{k:%s}{d:%s/\"\"}", name, name); - xo_emit(param_name_value); - free(param_name_value); + xo_emit("{ea:/%s}{da:/\"\"}", name, value, name); return; } - asprintf(¶m_name_value, "{:%s/%%s}", name); /* * The value will be surrounded by quotes if it contains spaces * or quotes. 
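Review bot: the new `xo_emit("{ea:/%s}{da:/\"\"}", name, value, name);` passes three variadic arguments for two fields, and nothing at the call site explains the pairing. With the `a` modifier each field takes its name from the argument list, so the first field consumes `name` and then `value` for its `%s`, while the second consumes only `name` because its format is the literal `""`. Since the bug being fixed was a mismatch between the format string and the arguments supplied, add a one-line comment spelling out which argument feeds which field so the count is not "corrected" later.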
@@ -528,9 +524,7 @@ quoted_print(int pflags, char *name, char *value) if (qc && pflags & PRINT_QUOTED) xo_emit("{P:/%c}", qc); - xo_emit(param_name_value, value); - - free(param_name_value); + xo_emit("{a:/%s}", name, value); if (qc && pflags & PRINT_QUOTED) xo_emit("{P:/%c}", qc);
From: Kyle Evans
Subject: git: f182d0c7e87a - stable/12 - caroot: drop $FreeBSD$ expansion from root bundle
X-List-Received-Date: Sat, 02 Jan 2021 05:40:16 -0000

The branch stable/12 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=f182d0c7e87a5164c3b4f4940c0882dc58481de5

commit f182d0c7e87a5164c3b4f4940c0882dc58481de5
Author: Kyle Evans
AuthorDate: 2020-12-28 03:47:41 +0000
Commit: Kyle Evans
CommitDate: 2021-01-02 05:40:03 +0000

caroot: drop $FreeBSD$ expansion from root bundle

This debatably could have waited until the next update would have taken place, but it's easier to see what changes if we get it out of the way now.
(cherry picked from commit f20c0e3319524d51ab474608851bc705d57a7482) --- secure/caroot/trusted/ACCVRAIZ1.pem | 2 +- secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem | 2 +- secure/caroot/trusted/Actalis_Authentication_Root_CA.pem | 2 +- secure/caroot/trusted/AffirmTrust_Commercial.pem | 2 +- secure/caroot/trusted/AffirmTrust_Networking.pem | 2 +- secure/caroot/trusted/AffirmTrust_Premium.pem | 2 +- secure/caroot/trusted/AffirmTrust_Premium_ECC.pem | 2 +- secure/caroot/trusted/Amazon_Root_CA_1.pem | 2 +- secure/caroot/trusted/Amazon_Root_CA_2.pem | 2 +- secure/caroot/trusted/Amazon_Root_CA_3.pem | 2 +- secure/caroot/trusted/Amazon_Root_CA_4.pem | 2 +- secure/caroot/trusted/Atos_TrustedRoot_2011.pem | 2 +- .../Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem | 2 +- secure/caroot/trusted/Baltimore_CyberTrust_Root.pem | 2 +- secure/caroot/trusted/Buypass_Class_2_Root_CA.pem | 2 +- secure/caroot/trusted/Buypass_Class_3_Root_CA.pem | 2 +- secure/caroot/trusted/CA_Disig_Root_R2.pem | 2 +- secure/caroot/trusted/CFCA_EV_ROOT.pem | 2 +- secure/caroot/trusted/COMODO_Certification_Authority.pem | 2 +- secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem | 2 +- secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem | 2 +- secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem | 2 +- secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem | 2 +- secure/caroot/trusted/Certigna.pem | 2 +- secure/caroot/trusted/Certigna_Root_CA.pem | 2 +- secure/caroot/trusted/Certum_Root_CA.pem | 2 +- secure/caroot/trusted/Certum_Trusted_Network_CA.pem | 2 +- secure/caroot/trusted/Certum_Trusted_Network_CA_2.pem | 2 +- secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem | 2 +- secure/caroot/trusted/Comodo_AAA_Services_root.pem | 2 +- secure/caroot/trusted/Cybertrust_Global_Root.pem | 2 +- secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem | 2 +- secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_2009.pem | 2 +- 
secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.pem | 2 +- secure/caroot/trusted/DST_Root_CA_X3.pem | 2 +- secure/caroot/trusted/DigiCert_Assured_ID_Root_CA.pem | 2 +- secure/caroot/trusted/DigiCert_Assured_ID_Root_G2.pem | 2 +- secure/caroot/trusted/DigiCert_Assured_ID_Root_G3.pem | 2 +- secure/caroot/trusted/DigiCert_Global_Root_CA.pem | 2 +- secure/caroot/trusted/DigiCert_Global_Root_G2.pem | 2 +- secure/caroot/trusted/DigiCert_Global_Root_G3.pem | 2 +- secure/caroot/trusted/DigiCert_High_Assurance_EV_Root_CA.pem | 2 +- secure/caroot/trusted/DigiCert_Trusted_Root_G4.pem | 2 +- secure/caroot/trusted/E-Tugra_Certification_Authority.pem | 2 +- secure/caroot/trusted/EC-ACC.pem | 2 +- secure/caroot/trusted/Entrust_Root_Certification_Authority.pem | 2 +- secure/caroot/trusted/Entrust_Root_Certification_Authority_-_EC1.pem | 2 +- secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G2.pem | 2 +- secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem | 2 +- secure/caroot/trusted/Entrust_net_Premium_2048_Secure_Server_CA.pem | 2 +- secure/caroot/trusted/GDCA_TrustAUTH_R5_ROOT.pem | 2 +- secure/caroot/trusted/GTS_Root_R1.pem | 2 +- secure/caroot/trusted/GTS_Root_R2.pem | 2 +- secure/caroot/trusted/GTS_Root_R3.pem | 2 +- secure/caroot/trusted/GTS_Root_R4.pem | 2 +- secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem | 2 +- secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R4.pem | 2 +- secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R5.pem | 2 +- secure/caroot/trusted/GlobalSign_Root_CA.pem | 2 +- secure/caroot/trusted/GlobalSign_Root_CA_-_R2.pem | 2 +- secure/caroot/trusted/GlobalSign_Root_CA_-_R3.pem | 2 +- secure/caroot/trusted/GlobalSign_Root_CA_-_R6.pem | 2 +- secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem | 2 +- secure/caroot/trusted/Go_Daddy_Class_2_CA.pem | 2 +- secure/caroot/trusted/Go_Daddy_Root_Certificate_Authority_-_G2.pem | 2 +- .../Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem | 2 +- 
.../trusted/Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem | 2 +- .../trusted/Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem | 2 +- secure/caroot/trusted/Hongkong_Post_Root_CA_1.pem | 2 +- secure/caroot/trusted/Hongkong_Post_Root_CA_3.pem | 2 +- secure/caroot/trusted/ISRG_Root_X1.pem | 2 +- secure/caroot/trusted/IdenTrust_Commercial_Root_CA_1.pem | 2 +- secure/caroot/trusted/IdenTrust_Public_Sector_Root_CA_1.pem | 2 +- secure/caroot/trusted/Izenpe_com.pem | 2 +- secure/caroot/trusted/Microsec_e-Szigno_Root_CA_2009.pem | 2 +- secure/caroot/trusted/Microsoft_ECC_Root_Certificate_Authority_2017.pem | 2 +- secure/caroot/trusted/Microsoft_RSA_Root_Certificate_Authority_2017.pem | 2 +- secure/caroot/trusted/NAVER_Global_Root_Certification_Authority.pem | 2 +- secure/caroot/trusted/NetLock_Arany__Class_Gold__F__tan__s__tv__ny.pem | 2 +- secure/caroot/trusted/Network_Solutions_Certificate_Authority.pem | 2 +- secure/caroot/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem | 2 +- secure/caroot/trusted/OISTE_WISeKey_Global_Root_GB_CA.pem | 2 +- secure/caroot/trusted/OISTE_WISeKey_Global_Root_GC_CA.pem | 2 +- secure/caroot/trusted/QuoVadis_Root_CA.pem | 2 +- secure/caroot/trusted/QuoVadis_Root_CA_1_G3.pem | 2 +- secure/caroot/trusted/QuoVadis_Root_CA_2.pem | 2 +- secure/caroot/trusted/QuoVadis_Root_CA_2_G3.pem | 2 +- secure/caroot/trusted/QuoVadis_Root_CA_3.pem | 2 +- secure/caroot/trusted/QuoVadis_Root_CA_3_G3.pem | 2 +- secure/caroot/trusted/SSL_com_EV_Root_Certification_Authority_ECC.pem | 2 +- .../caroot/trusted/SSL_com_EV_Root_Certification_Authority_RSA_R2.pem | 2 +- secure/caroot/trusted/SSL_com_Root_Certification_Authority_ECC.pem | 2 +- secure/caroot/trusted/SSL_com_Root_Certification_Authority_RSA.pem | 2 +- secure/caroot/trusted/SZAFIR_ROOT_CA2.pem | 2 +- secure/caroot/trusted/SecureSign_RootCA11.pem | 2 +- secure/caroot/trusted/SecureTrust_CA.pem | 2 +- secure/caroot/trusted/Secure_Global_CA.pem | 2 +- 
secure/caroot/trusted/Security_Communication_RootCA2.pem | 2 +- secure/caroot/trusted/Security_Communication_Root_CA.pem | 2 +- secure/caroot/trusted/Sonera_Class_2_Root_CA.pem | 2 +- secure/caroot/trusted/Staat_der_Nederlanden_EV_Root_CA.pem | 2 +- secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem | 2 +- secure/caroot/trusted/Starfield_Class_2_CA.pem | 2 +- secure/caroot/trusted/Starfield_Root_Certificate_Authority_-_G2.pem | 2 +- .../trusted/Starfield_Services_Root_Certificate_Authority_-_G2.pem | 2 +- secure/caroot/trusted/SwissSign_Gold_CA_-_G2.pem | 2 +- secure/caroot/trusted/SwissSign_Platinum_CA_-_G2.pem | 2 +- secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem | 2 +- .../Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem | 2 +- .../Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem | 2 +- secure/caroot/trusted/T-TeleSec_GlobalRoot_Class_2.pem | 2 +- secure/caroot/trusted/T-TeleSec_GlobalRoot_Class_3.pem | 2 +- secure/caroot/trusted/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem | 2 +- secure/caroot/trusted/TWCA_Global_Root_CA.pem | 2 +- secure/caroot/trusted/TWCA_Root_Certification_Authority.pem | 2 +- secure/caroot/trusted/TeliaSonera_Root_CA_v1.pem | 2 +- secure/caroot/trusted/TrustCor_ECA-1.pem | 2 +- secure/caroot/trusted/TrustCor_RootCert_CA-1.pem | 2 +- secure/caroot/trusted/TrustCor_RootCert_CA-2.pem | 2 +- secure/caroot/trusted/Trustis_FPS_Root_CA.pem | 2 +- secure/caroot/trusted/Trustwave_Global_Certification_Authority.pem | 2 +- .../trusted/Trustwave_Global_ECC_P256_Certification_Authority.pem | 2 +- .../trusted/Trustwave_Global_ECC_P384_Certification_Authority.pem | 2 +- secure/caroot/trusted/UCA_Extended_Validation_Root.pem | 2 +- secure/caroot/trusted/UCA_Global_G2_Root.pem | 2 +- secure/caroot/trusted/USERTrust_ECC_Certification_Authority.pem | 2 +- secure/caroot/trusted/USERTrust_RSA_Certification_Authority.pem | 2 +- .../caroot/trusted/VeriSign_Universal_Root_Certification_Authority.pem | 2 +- 
.../Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem | 2 +- .../Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem | 2 +- secure/caroot/trusted/XRamp_Global_CA_Root.pem | 2 +- secure/caroot/trusted/certSIGN_ROOT_CA.pem | 2 +- secure/caroot/trusted/certSIGN_Root_CA_G2.pem | 2 +- secure/caroot/trusted/e-Szigno_Root_CA_2017.pem | 2 +- secure/caroot/trusted/ePKI_Root_Certification_Authority.pem | 2 +- secure/caroot/trusted/emSign_ECC_Root_CA_-_C3.pem | 2 +- secure/caroot/trusted/emSign_ECC_Root_CA_-_G3.pem | 2 +- secure/caroot/trusted/emSign_Root_CA_-_C1.pem | 2 +- secure/caroot/trusted/emSign_Root_CA_-_G1.pem | 2 +- 139 files changed, 139 insertions(+), 139 deletions(-) diff --git a/secure/caroot/trusted/ACCVRAIZ1.pem b/secure/caroot/trusted/ACCVRAIZ1.pem index 136f7bddb6f3..0c7c7c41b57d 100644 --- a/secure/caroot/trusted/ACCVRAIZ1.pem +++ b/secure/caroot/trusted/ACCVRAIZ1.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem index d327b3ecf2cb..579f50d8d730 100644 --- a/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem +++ b/secure/caroot/trusted/AC_RAIZ_FNMT-RCM.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem b/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem index 6e7823d4b81f..7248545350e2 100644 --- a/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem +++ b/secure/caroot/trusted/Actalis_Authentication_Root_CA.pem 
@@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/AffirmTrust_Commercial.pem b/secure/caroot/trusted/AffirmTrust_Commercial.pem index e0a8ebdf12e1..1d85c32853c8 100644 --- a/secure/caroot/trusted/AffirmTrust_Commercial.pem +++ b/secure/caroot/trusted/AffirmTrust_Commercial.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/AffirmTrust_Networking.pem b/secure/caroot/trusted/AffirmTrust_Networking.pem index a96b036f4153..222bde26c934 100644 --- a/secure/caroot/trusted/AffirmTrust_Networking.pem +++ b/secure/caroot/trusted/AffirmTrust_Networking.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/AffirmTrust_Premium.pem b/secure/caroot/trusted/AffirmTrust_Premium.pem index ee259e197476..dc1447429465 100644 --- a/secure/caroot/trusted/AffirmTrust_Premium.pem +++ b/secure/caroot/trusted/AffirmTrust_Premium.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem b/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem index 5f600162a941..a6f01409a2ef 100644 --- a/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem +++ b/secure/caroot/trusted/AffirmTrust_Premium_ECC.pem 
@@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Amazon_Root_CA_1.pem b/secure/caroot/trusted/Amazon_Root_CA_1.pem index 9221de0cea44..6bf1acafd4c7 100644 --- a/secure/caroot/trusted/Amazon_Root_CA_1.pem +++ b/secure/caroot/trusted/Amazon_Root_CA_1.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Amazon_Root_CA_2.pem b/secure/caroot/trusted/Amazon_Root_CA_2.pem index 418ffc0b8de0..80a1eb66bee2 100644 --- a/secure/caroot/trusted/Amazon_Root_CA_2.pem +++ b/secure/caroot/trusted/Amazon_Root_CA_2.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Amazon_Root_CA_3.pem b/secure/caroot/trusted/Amazon_Root_CA_3.pem index 36ff13dc4708..6b61b3e18fa0 100644 --- a/secure/caroot/trusted/Amazon_Root_CA_3.pem +++ b/secure/caroot/trusted/Amazon_Root_CA_3.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Amazon_Root_CA_4.pem b/secure/caroot/trusted/Amazon_Root_CA_4.pem index c1f88d6bc8a3..df7aa6f1c165 100644 --- a/secure/caroot/trusted/Amazon_Root_CA_4.pem +++ b/secure/caroot/trusted/Amazon_Root_CA_4.pem 
@@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Atos_TrustedRoot_2011.pem b/secure/caroot/trusted/Atos_TrustedRoot_2011.pem index 3f038d3c239c..21b229561733 100644 --- a/secure/caroot/trusted/Atos_TrustedRoot_2011.pem +++ b/secure/caroot/trusted/Atos_TrustedRoot_2011.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem b/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem index da12de780be6..4d2eaa61962f 100644 --- a/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem +++ b/secure/caroot/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem b/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem index cc5d711bc08d..3dc1de849346 100644 --- a/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem +++ b/secure/caroot/trusted/Baltimore_CyberTrust_Root.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## 
diff --git a/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem b/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem index 5ebb2edfcf84..dc2c86edbed1 100644 --- a/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem +++ b/secure/caroot/trusted/Buypass_Class_2_Root_CA.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem b/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem index 1aab9dec0adc..fda39f8731d1 100644 --- a/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem +++ b/secure/caroot/trusted/Buypass_Class_3_Root_CA.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/CA_Disig_Root_R2.pem b/secure/caroot/trusted/CA_Disig_Root_R2.pem index a6db02606c5d..0ecc9d1ee08d 100644 --- a/secure/caroot/trusted/CA_Disig_Root_R2.pem +++ b/secure/caroot/trusted/CA_Disig_Root_R2.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/CFCA_EV_ROOT.pem b/secure/caroot/trusted/CFCA_EV_ROOT.pem index 460785cc21e6..7eb37baa3bed 100644 --- a/secure/caroot/trusted/CFCA_EV_ROOT.pem +++ b/secure/caroot/trusted/CFCA_EV_ROOT.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## 
diff --git a/secure/caroot/trusted/COMODO_Certification_Authority.pem b/secure/caroot/trusted/COMODO_Certification_Authority.pem index f6c1cb232ac6..7aa1237bb8e1 100644 --- a/secure/caroot/trusted/COMODO_Certification_Authority.pem +++ b/secure/caroot/trusted/COMODO_Certification_Authority.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem b/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem index 322154206039..215581b14fdf 100644 --- a/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem +++ b/secure/caroot/trusted/COMODO_ECC_Certification_Authority.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem b/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem index 53c540ff2146..38e275f1365e 100644 --- a/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem +++ b/secure/caroot/trusted/COMODO_RSA_Certification_Authority.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem b/secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem index 601df8f89e10..cf7de6cc122b 100644 --- a/secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem +++ b/secure/caroot/trusted/Camerfirma_Chambers_of_Commerce_Root.pem 
@@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem b/secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem index 203fb13108c8..b1fa96bc405e 100644 --- a/secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem +++ b/secure/caroot/trusted/Camerfirma_Global_Chambersign_Root.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Certigna.pem b/secure/caroot/trusted/Certigna.pem index 3a25f25160ea..bbcd413be511 100644 --- a/secure/caroot/trusted/Certigna.pem +++ b/secure/caroot/trusted/Certigna.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Certigna_Root_CA.pem b/secure/caroot/trusted/Certigna_Root_CA.pem index 564d3fe8f50d..c1a0286ab2a0 100644 --- a/secure/caroot/trusted/Certigna_Root_CA.pem +++ b/secure/caroot/trusted/Certigna_Root_CA.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Certum_Root_CA.pem b/secure/caroot/trusted/Certum_Root_CA.pem index ec03a0f913de..f815c49ddae0 100644 --- a/secure/caroot/trusted/Certum_Root_CA.pem +++ b/secure/caroot/trusted/Certum_Root_CA.pem 
@@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Certum_Trusted_Network_CA.pem b/secure/caroot/trusted/Certum_Trusted_Network_CA.pem index 5ced43da18d8..a321445a502c 100644 --- a/secure/caroot/trusted/Certum_Trusted_Network_CA.pem +++ b/secure/caroot/trusted/Certum_Trusted_Network_CA.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Certum_Trusted_Network_CA_2.pem b/secure/caroot/trusted/Certum_Trusted_Network_CA_2.pem index 0493c488801c..62cee7fc2058 100644 --- a/secure/caroot/trusted/Certum_Trusted_Network_CA_2.pem +++ b/secure/caroot/trusted/Certum_Trusted_Network_CA_2.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem b/secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem index b705886574c8..1e3864180a66 100644 --- a/secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem +++ b/secure/caroot/trusted/Chambers_of_Commerce_Root_-_2008.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Comodo_AAA_Services_root.pem b/secure/caroot/trusted/Comodo_AAA_Services_root.pem index 5e2506239c66..3ab5ce74bc37 100644 --- a/secure/caroot/trusted/Comodo_AAA_Services_root.pem 
+++ b/secure/caroot/trusted/Comodo_AAA_Services_root.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Cybertrust_Global_Root.pem b/secure/caroot/trusted/Cybertrust_Global_Root.pem index 54647522233b..b6261df7f2df 100644 --- a/secure/caroot/trusted/Cybertrust_Global_Root.pem +++ b/secure/caroot/trusted/Cybertrust_Global_Root.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem b/secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem index ab9d138bd3e1..debf7b30c2ef 100644 --- a/secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem +++ b/secure/caroot/trusted/D-TRUST_Root_CA_3_2013.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_2009.pem b/secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_2009.pem index a460f18db523..37b0f004ef94 100644 --- a/secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_2009.pem +++ b/secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_2009.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.pem b/secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.pem index f270c37caa80..71d0f7fc323f 100644 
--- a/secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.pem +++ b/secure/caroot/trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/DST_Root_CA_X3.pem b/secure/caroot/trusted/DST_Root_CA_X3.pem index 47f5f3212169..aeaa167d590c 100644 --- a/secure/caroot/trusted/DST_Root_CA_X3.pem +++ b/secure/caroot/trusted/DST_Root_CA_X3.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/DigiCert_Assured_ID_Root_CA.pem b/secure/caroot/trusted/DigiCert_Assured_ID_Root_CA.pem index f768b06d12db..12ce54725012 100644 --- a/secure/caroot/trusted/DigiCert_Assured_ID_Root_CA.pem +++ b/secure/caroot/trusted/DigiCert_Assured_ID_Root_CA.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/DigiCert_Assured_ID_Root_G2.pem b/secure/caroot/trusted/DigiCert_Assured_ID_Root_G2.pem index 0135f133c7ac..7c5d96a053e4 100644 --- a/secure/caroot/trusted/DigiCert_Assured_ID_Root_G2.pem +++ b/secure/caroot/trusted/DigiCert_Assured_ID_Root_G2.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## 
diff --git a/secure/caroot/trusted/DigiCert_Assured_ID_Root_G3.pem b/secure/caroot/trusted/DigiCert_Assured_ID_Root_G3.pem index cdd8f0be47f5..901c33448725 100644 --- a/secure/caroot/trusted/DigiCert_Assured_ID_Root_G3.pem +++ b/secure/caroot/trusted/DigiCert_Assured_ID_Root_G3.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/DigiCert_Global_Root_CA.pem b/secure/caroot/trusted/DigiCert_Global_Root_CA.pem index 3a273557ab67..75c9fd45ebab 100644 --- a/secure/caroot/trusted/DigiCert_Global_Root_CA.pem +++ b/secure/caroot/trusted/DigiCert_Global_Root_CA.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/DigiCert_Global_Root_G2.pem b/secure/caroot/trusted/DigiCert_Global_Root_G2.pem index 7b80ce72c72e..363d93b2c9ac 100644 --- a/secure/caroot/trusted/DigiCert_Global_Root_G2.pem +++ b/secure/caroot/trusted/DigiCert_Global_Root_G2.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/DigiCert_Global_Root_G3.pem b/secure/caroot/trusted/DigiCert_Global_Root_G3.pem index 6538535dd73b..45776f544654 100644 --- a/secure/caroot/trusted/DigiCert_Global_Root_G3.pem +++ b/secure/caroot/trusted/DigiCert_Global_Root_G3.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## 
diff --git a/secure/caroot/trusted/DigiCert_High_Assurance_EV_Root_CA.pem b/secure/caroot/trusted/DigiCert_High_Assurance_EV_Root_CA.pem index dcb88fb3d1b4..d76acb3c3896 100644 --- a/secure/caroot/trusted/DigiCert_High_Assurance_EV_Root_CA.pem +++ b/secure/caroot/trusted/DigiCert_High_Assurance_EV_Root_CA.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/DigiCert_Trusted_Root_G4.pem b/secure/caroot/trusted/DigiCert_Trusted_Root_G4.pem index 92295c4ec38e..7ebb30081d81 100644 --- a/secure/caroot/trusted/DigiCert_Trusted_Root_G4.pem +++ b/secure/caroot/trusted/DigiCert_Trusted_Root_G4.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/E-Tugra_Certification_Authority.pem b/secure/caroot/trusted/E-Tugra_Certification_Authority.pem index 256c0b3e524b..04d1e630a816 100644 --- a/secure/caroot/trusted/E-Tugra_Certification_Authority.pem +++ b/secure/caroot/trusted/E-Tugra_Certification_Authority.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/EC-ACC.pem b/secure/caroot/trusted/EC-ACC.pem index 7fca8890028f..a4b43b39414b 100644 --- a/secure/caroot/trusted/EC-ACC.pem +++ b/secure/caroot/trusted/EC-ACC.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## 
diff --git a/secure/caroot/trusted/Entrust_Root_Certification_Authority.pem b/secure/caroot/trusted/Entrust_Root_Certification_Authority.pem index 2ed6ff3e94a2..50b0d2ed5c94 100644 --- a/secure/caroot/trusted/Entrust_Root_Certification_Authority.pem +++ b/secure/caroot/trusted/Entrust_Root_Certification_Authority.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_EC1.pem b/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_EC1.pem index ae0d6859b1d6..eb15c3801be6 100644 --- a/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_EC1.pem +++ b/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_EC1.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G2.pem b/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G2.pem index d82aaf71ecae..b92fd4aef90f 100644 --- a/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G2.pem +++ b/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G2.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem b/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem index a84b6ca03d42..8443ae5ca195 100644 --- a/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem 
+++ b/secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Entrust_net_Premium_2048_Secure_Server_CA.pem b/secure/caroot/trusted/Entrust_net_Premium_2048_Secure_Server_CA.pem index 1d18cb8d6a4b..b429d96786ea 100644 --- a/secure/caroot/trusted/Entrust_net_Premium_2048_Secure_Server_CA.pem +++ b/secure/caroot/trusted/Entrust_net_Premium_2048_Secure_Server_CA.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GDCA_TrustAUTH_R5_ROOT.pem b/secure/caroot/trusted/GDCA_TrustAUTH_R5_ROOT.pem index 59b80e1f45ce..f9db5d422b8e 100644 --- a/secure/caroot/trusted/GDCA_TrustAUTH_R5_ROOT.pem +++ b/secure/caroot/trusted/GDCA_TrustAUTH_R5_ROOT.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GTS_Root_R1.pem b/secure/caroot/trusted/GTS_Root_R1.pem index 422977ba0649..9abe191b9bb9 100644 --- a/secure/caroot/trusted/GTS_Root_R1.pem +++ b/secure/caroot/trusted/GTS_Root_R1.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GTS_Root_R2.pem b/secure/caroot/trusted/GTS_Root_R2.pem index 06abfca8ccbb..8c5f92d1e610 100644 --- a/secure/caroot/trusted/GTS_Root_R2.pem 
+++ b/secure/caroot/trusted/GTS_Root_R2.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GTS_Root_R3.pem b/secure/caroot/trusted/GTS_Root_R3.pem index 04d8829f66aa..d621d3053df1 100644 --- a/secure/caroot/trusted/GTS_Root_R3.pem +++ b/secure/caroot/trusted/GTS_Root_R3.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GTS_Root_R4.pem b/secure/caroot/trusted/GTS_Root_R4.pem index c423a356f791..5a7a71764294 100644 --- a/secure/caroot/trusted/GTS_Root_R4.pem +++ b/secure/caroot/trusted/GTS_Root_R4.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem b/secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem index 65a90850db69..b03758a63c98 100644 --- a/secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem +++ b/secure/caroot/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R4.pem b/secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R4.pem index 7566a58a862b..c63f8d8c441a 100644 --- a/secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R4.pem 
+++ b/secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R4.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R5.pem b/secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R5.pem index 9d273a384295..7a989c4577d8 100644 --- a/secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R5.pem +++ b/secure/caroot/trusted/GlobalSign_ECC_Root_CA_-_R5.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GlobalSign_Root_CA.pem b/secure/caroot/trusted/GlobalSign_Root_CA.pem index 71a5de48edad..0e2348e6c4f1 100644 --- a/secure/caroot/trusted/GlobalSign_Root_CA.pem +++ b/secure/caroot/trusted/GlobalSign_Root_CA.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GlobalSign_Root_CA_-_R2.pem b/secure/caroot/trusted/GlobalSign_Root_CA_-_R2.pem index 810db4a2984b..616fe024937a 100644 --- a/secure/caroot/trusted/GlobalSign_Root_CA_-_R2.pem +++ b/secure/caroot/trusted/GlobalSign_Root_CA_-_R2.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GlobalSign_Root_CA_-_R3.pem b/secure/caroot/trusted/GlobalSign_Root_CA_-_R3.pem index 0835e56cd757..aedb37900191 100644 --- a/secure/caroot/trusted/GlobalSign_Root_CA_-_R3.pem 
+++ b/secure/caroot/trusted/GlobalSign_Root_CA_-_R3.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/GlobalSign_Root_CA_-_R6.pem b/secure/caroot/trusted/GlobalSign_Root_CA_-_R6.pem index 5d792a7da0e5..112aaf7fde17 100644 --- a/secure/caroot/trusted/GlobalSign_Root_CA_-_R6.pem +++ b/secure/caroot/trusted/GlobalSign_Root_CA_-_R6.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem b/secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem index cceb29ac1bfd..cd9bebaf8c0f 100644 --- a/secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem +++ b/secure/caroot/trusted/Global_Chambersign_Root_-_2008.pem @@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## with $FreeBSD$ ## ## @generated ## diff --git a/secure/caroot/trusted/Go_Daddy_Class_2_CA.pem b/secure/caroot/trusted/Go_Daddy_Class_2_CA.pem index cb38b1b1c417..5083a0fcf21d 100644 --- a/secure/caroot/trusted/Go_Daddy_Class_2_CA.pem +++ b/secure/caroot/trusted/Go_Daddy_Class_2_CA.pem 
@@ -6,7 +6,7 @@ ## root CA list (the file `certdata.txt' in security/nss). ## ## Extracted from nss -## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ *** 979 LINES SKIPPED *** From owner-dev-commits-src-branches@freebsd.org Sat Jan 2 23:34:41 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id E1F064BBDDB; Sat, 2 Jan 2021 23:34:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D7dXK60Czz3PJC; Sat, 2 Jan 2021 23:34:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C0B221DE53; Sat, 2 Jan 2021 23:34:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 102NYfAX046497; Sat, 2 Jan 2021 23:34:41 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 102NYfO5046496; Sat, 2 Jan 2021 23:34:41 GMT (envelope-from git) Date: Sat, 2 Jan 2021 23:34:41 GMT Message-Id: <202101022334.102NYfO5046496@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, 
dev-commits-src-branches@FreeBSD.org From: Gordon Bergling Subject: git: f6065a1ee3f9 - stable/12 - MFC r368802: nvmecontrol(8): Fix a few mandoc related issues and add a SEE ALSO section MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: gbe X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: f6065a1ee3f9eb3aa1ed2333a0f899fa17b56699 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jan 2021 23:34:41 -0000 The branch stable/12 has been updated by gbe (doc committer): URL: https://cgit.FreeBSD.org/src/commit/?id=f6065a1ee3f9eb3aa1ed2333a0f899fa17b56699 commit f6065a1ee3f9eb3aa1ed2333a0f899fa17b56699 Author: Gordon Bergling AuthorDate: 2020-12-19 11:47:38 +0000 Commit: Gordon Bergling CommitDate: 2021-01-02 23:32:56 +0000 MFC r368802: nvmecontrol(8): Fix a few mandoc related issues and add a SEE ALSO section - inserting missing end of block: Ss breaks Bl - skipping paragraph macro: Pp before Ss - referenced manual not found: Xr nvme 4 (2 times) - unknown standard specifier: St The The macro .St can only be used for standards known by mdoc(7). So add a SEE ALSO section and add a reference to the NVM Express Base Specification. (cherry picked from commit 9bca273d8496a078787ffbff18b9ae925e25cc36) --- sbin/nvmecontrol/nvmecontrol.8 | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/sbin/nvmecontrol/nvmecontrol.8 b/sbin/nvmecontrol/nvmecontrol.8 index a9796cf735da..976532932a69 100644 --- a/sbin/nvmecontrol/nvmecontrol.8 +++ b/sbin/nvmecontrol/nvmecontrol.8 @@ -35,7 +35,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 30, 2020 +.Dd December 19, 2020 .Dt NVMECONTROL 8 .Os .Sh NAME 
@@ -205,7 +205,6 @@ .Sh DESCRIPTION NVM Express (NVMe) is a storage protocol standard, for SSDs and other high-speed storage devices over PCI Express. -.Pp .Ss identify The identify commands reports information from the drive's .Dv IDENTIFY_CONTROLLER @@ -238,6 +237,7 @@ of is used to retrieve the .Dv IDENTIFY_CONTROLLER data associated with that drive. +.El .Ss logpage The logpage command knows how to print log pages of various types. It also knows about vendor specific log pages from hgst/wdc and intel. @@ -482,9 +482,7 @@ and commands send NVMe commands to either the administrative or the data part of the device. These commands are expected to be compatible with nvme-cli. -Please see -.St The NVMe Standard -for details. +Please see the NVMe Standard for details. .Bl -tag -width 16n .It Fl o -opcode Ar opcode Opcode to send. 
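Review bot: in the @@ -482 hunk the replacement sentence "Please see the NVMe Standard for details." names the document differently from the SEE ALSO entry this patch adds, whose .%T is "The NVM Express Base Specification". Using that same title in the running text and pointing at the SEE ALSO section would let a reader match the sentence to the reference now that the .St macro is gone.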
@@ -674,6 +672,12 @@ linker set are added to the top-level commands. The members of the .Va logpage linker set are added to the logpage parsers. +.Sh SEE ALSO +.Rs +.%T The NVM Express Base Specification +.%D June 10, 2019 +.%U https://nvmexpress.org/wp-content/uploads/NVM-Express-1_4-2019.06.10-Ratified.pdf +.Re .Sh HISTORY The .Nm From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 00:12:09 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A3A814BD6D4; Sun, 3 Jan 2021 00:12:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D7fMY4D3Kz3R97; Sun, 3 Jan 2021 00:12:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 838951E698; Sun, 3 Jan 2021 00:12:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1030C9GV097840; Sun, 3 Jan 2021 00:12:09 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1030C9Mp097839; Sun, 3 Jan 2021 00:12:09 GMT (envelope-from git) Date: Sun, 3 Jan 2021 00:12:09 GMT Message-Id: 
<202101030012.1030C9Mp097839@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Guangyuan Yang Subject: git: 4cc87848753d - stable/12 - 81720dba: mmap(2): Fix a typo MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: ygy X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 4cc87848753d161dbd1af405073b70085dcb838d Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 00:12:09 -0000 The branch stable/12 has been updated by ygy (doc committer): URL: https://cgit.FreeBSD.org/src/commit/?id=4cc87848753d161dbd1af405073b70085dcb838d commit 4cc87848753d161dbd1af405073b70085dcb838d Author: Guangyuan Yang AuthorDate: 2021-01-03 00:11:49 +0000 Commit: Guangyuan Yang CommitDate: 2021-01-03 00:11:49 +0000 81720dba: mmap(2): Fix a typo PR: 252097 Reported by: Nick Frampton a1d78367: mmap(2): Update .Dd missed in the last commit (cherry picked from commit 81720dbab2a84669ec719149501b75ae78c3d4ee) (cherry picked from commit a1d783675213798620550f4af137340458abe6c5) --- lib/libc/sys/mmap.2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libc/sys/mmap.2 b/lib/libc/sys/mmap.2 index d5367737fe42..58a34d513d83 100644 --- a/lib/libc/sys/mmap.2 +++ b/lib/libc/sys/mmap.2 @@ -28,7 +28,7 @@ .\" @(#)mmap.2 8.4 (Berkeley) 5/11/95 .\" $FreeBSD$ .\" -.Dd October 21, 2020 +.Dd December 24, 2020 .Dt MMAP 2 .Os .Sh NAME 
@@ -79,7 +79,7 @@ If references a device file, the interpretation of the .Fa offset value is device specific and defined by the device driver. -The virtual memory subsystem does not impose any restrictitions on the +The virtual memory subsystem does not impose any restrictions on the .Fa offset value in this case, passing it unchanged to the driver. .Pp From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 09:30:08 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4604C4CB4F8; Sun, 3 Jan 2021 09:30:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D7tlN1YCQz4fwn; Sun, 3 Jan 2021 09:30:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 23CB8252D0; Sun, 3 Jan 2021 09:30:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1039U8xp020262; Sun, 3 Jan 2021 09:30:08 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1039U8Dc020257; Sun, 3 Jan 2021 09:30:08 GMT (envelope-from git) Date: Sun, 3 Jan 2021 09:30:08 
GMT Message-Id: <202101030930.1039U8Dc020257@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: ea7401fe6764 - stable/12 - pf: Use counter(9) for pf_state byte/packet tracking MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: ea7401fe67649c3eaeff39b6d909d79bfeb709ee Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 09:30:08 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=ea7401fe67649c3eaeff39b6d909d79bfeb709ee commit ea7401fe67649c3eaeff39b6d909d79bfeb709ee Author: Kristof Provost AuthorDate: 2020-12-23 08:37:59 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 09:29:40 +0000 pf: Use counter(9) for pf_state byte/packet tracking This improves cache behaviour by not writing to the same variable from multiple cores simultaneously. pf_state is only used in the kernel, so can be safely modified. Reviewed by: Lutz Donnerhacke, philip MFC after: 1 week Sponsed by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D27661 (cherry picked from commit 1c00efe98ed7d103b9684ff692ffd5e3b64d0237) --- sys/net/pfvar.h | 4 ++-- sys/netpfil/pf/if_pfsync.c | 13 +++++++++++++ sys/netpfil/pf/pf.c | 34 ++++++++++++++++++++++++++-------- sys/netpfil/pf/pf_ioctl.c | 10 ++++++---- 4 files changed, 47 insertions(+), 14 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 597bc2ffec8e..d0eb226ee41d 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h 
@@ -742,8 +742,8 @@ struct pf_state { struct pfi_kif *rt_kif; struct pf_src_node *src_node; struct pf_src_node *nat_src_node; - u_int64_t packets[2]; - u_int64_t bytes[2]; + counter_u64_t packets[2]; + counter_u64_t bytes[2]; u_int32_t creation; u_int32_t expire; u_int32_t pfsync_time; diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index 0566593b7616..a6967d2297a6 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -508,6 +508,13 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) if ((st = uma_zalloc(V_pf_state_z, M_NOWAIT | M_ZERO)) == NULL) goto cleanup; + for (int i = 0; i < 2; i++) { + st->packets[i] = counter_u64_alloc(M_NOWAIT); + st->bytes[i] = counter_u64_alloc(M_NOWAIT); + if (st->packets[i] == NULL || st->bytes[i] == NULL) + goto cleanup; + } + if ((skw = uma_zalloc(V_pf_state_key_z, M_NOWAIT)) == NULL) goto cleanup; @@ -617,6 +624,12 @@ cleanup: cleanup_state: /* pf_state_insert() frees the state keys. */ if (st) { + for (int i = 0; i < 2; i++) { + if (st->packets[i] != NULL) + counter_u64_free(st->packets[i]); + if (st->bytes[i] != NULL) + counter_u64_free(st->bytes[i]); + } if (st->dst.scrub) uma_zfree(V_pf_state_scrub_z, st->dst.scrub); if (st->src.scrub) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 343d2aed434a..693e45504745 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -1710,6 +1710,13 @@ pf_free_state(struct pf_state *cur) KASSERT(cur->timeout == PFTM_UNLINKED, ("%s: timeout %u", __func__, cur->timeout)); + for (int i = 0; i < 2; i++) { + if (cur->bytes[i] != NULL) + counter_u64_free(cur->bytes[i]); + if (cur->packets[i] != NULL) + counter_u64_free(cur->packets[i]); + } + pf_normalize_tcp_cleanup(cur); uma_zfree(V_pf_state_z, cur); counter_u64_add(V_pf_status.fcounters[FCNT_STATE_REMOVALS], 1); 
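Review bot: pf_free_state() is not a neutral destructor, yet the pf_create_state() hunk of this patch calls it on the counter allocation failure path. The context of this hunk shows it asserting cur->timeout == PFTM_UNLINKED and then bumping FCNT_STATE_REMOVALS, so a state that was allocated but never inserted would be counted as a removal and, on a kernel with assertions enabled, would trip the KASSERT unless its timeout already holds PFTM_UNLINKED at that point, which the patch does not show. Freeing the counters and the zone item directly on that error path would avoid both; factoring the new free loop into a small helper would also let cleanup_state in if_pfsync.c reuse it instead of repeating it.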
@@ -3652,6 +3659,16 @@ pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a, REASON_SET(&reason, PFRES_MEMORY); goto csfailed; } + for (int i = 0; i < 2; i++) { + s->bytes[i] = counter_u64_alloc(M_NOWAIT); + s->packets[i] = counter_u64_alloc(M_NOWAIT); + + if (s->bytes[i] == NULL || s->packets[i] == NULL) { + pf_free_state(s); + REASON_SET(&reason, PFRES_MEMORY); + goto csfailed; + } + } s->rule.ptr = r; s->nat_rule.ptr = nr; s->anchor.ptr = a; @@ -4213,8 +4230,9 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst, pf_print_flags(th->th_flags); printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack, - pd->p_len, ackskew, (unsigned long long)(*state)->packets[0], - (unsigned long long)(*state)->packets[1], + pd->p_len, ackskew, + (unsigned long long)counter_u64_fetch((*state)->packets[0]), + (unsigned long long)counter_u64_fetch((*state)->packets[1]), pd->dir == PF_IN ? "in" : "out", pd->dir == (*state)->direction ? "fwd" : "rev"); } @@ -4269,8 +4287,8 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst, printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack, pd->p_len, ackskew, - (unsigned long long)(*state)->packets[0], - (unsigned long long)(*state)->packets[1], + (unsigned long long)counter_u64_fetch((*state)->packets[0]), + (unsigned long long)counter_u64_fetch((*state)->packets[1]), pd->dir == PF_IN ? "in" : "out", pd->dir == (*state)->direction ? "fwd" : "rev"); printf("pf: State failure on: %c %c %c %c | %c %c\n", @@ -6259,8 +6277,8 @@ done: s->nat_src_node->bytes[dirndx] += pd.tot_len; } dirndx = (dir == s->direction) ? 0 : 1; - s->packets[dirndx]++; - s->bytes[dirndx] += pd.tot_len; + counter_u64_add(s->packets[dirndx], 1); + counter_u64_add(s->bytes[dirndx], pd.tot_len); } tr = r; nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 
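Review bot: the context line just above the converted increments in the @@ -6259 hunk, s->nat_src_node->bytes[dirndx] += pd.tot_len, is still a plain += on the same packet path, so the shared-write pattern the commit message sets out to remove is left in place for source-node accounting. If that is deliberate, a sentence in the commit message saying the source-node counters are out of scope would make that clear; the @@ -6658 hunk has the same leftover context line.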
@@ -6658,8 +6676,8 @@ done: s->nat_src_node->bytes[dirndx] += pd.tot_len; } dirndx = (dir == s->direction) ? 0 : 1; - s->packets[dirndx]++; - s->bytes[dirndx] += pd.tot_len; + counter_u64_add(s->packets[dirndx], 1); + counter_u64_add(s->bytes[dirndx], pd.tot_len); } tr = r; nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 4a091041a769..65f71ad8399e 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c 
@@ -3981,10 +3981,12 @@ pfsync_state_export(struct pfsync_state *sp, struct pf_state *st) else sp->nat_rule = htonl(st->nat_rule.ptr->nr); - pf_state_counter_hton(st->packets[0], sp->packets[0]); - pf_state_counter_hton(st->packets[1], sp->packets[1]); - pf_state_counter_hton(st->bytes[0], sp->bytes[0]); - pf_state_counter_hton(st->bytes[1], sp->bytes[1]); + pf_state_counter_hton(counter_u64_fetch(st->packets[0]), + sp->packets[0]); + pf_state_counter_hton(counter_u64_fetch(st->packets[1]), + sp->packets[1]); + pf_state_counter_hton(counter_u64_fetch(st->bytes[0]), sp->bytes[0]); + pf_state_counter_hton(counter_u64_fetch(st->bytes[1]), sp->bytes[1]); } From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 13:27:05 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0A4644D1E29; Sun, 3 Jan 2021 13:27:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D800m6jl7z4v81; Sun, 3 Jan 2021 13:27:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D4ECB526; Sun, 3 Jan 2021 13:27:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by 
gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103DR4VV032657; Sun, 3 Jan 2021 13:27:04 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103DR4e9032656; Sun, 3 Jan 2021 13:27:04 GMT (envelope-from git) Date: Sun, 3 Jan 2021 13:27:04 GMT Message-Id: <202101031327.103DR4e9032656@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Gordon Bergling Subject: git: e56b2f0b2804 - stable/12 - MFC r364117 by glebius: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: gbe X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: e56b2f0b28048cea88fa6000a2bf08a75f055526 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 13:27:05 -0000 The branch stable/12 has been updated by gbe (doc committer): URL: https://cgit.FreeBSD.org/src/commit/?id=e56b2f0b28048cea88fa6000a2bf08a75f055526 commit e56b2f0b28048cea88fa6000a2bf08a75f055526 Author: Gleb Smirnoff AuthorDate: 2020-08-11 15:46:22 +0000 Commit: Gordon Bergling CommitDate: 2021-01-03 13:23:48 +0000 MFC r364117 by glebius: ipfw: make the "frag" keyword accept additional options "mf", "df", "rf" and "offset". This allows to match on specific bits of ip_off field. For compatibility reasons lack of keyword means "offset". Reviewed by: ae Approved by: glebius Differential Revision: https://reviews.freebsd.org/D26021 (cherry picked from commit 825398f946221045c565363a0349f68d054d6455) --- sbin/ipfw/ipfw.8 | 33 +++++++++++++++++++++++++-------- sbin/ipfw/ipfw2.c | 20 ++++++++++++++++++-- sys/netpfil/ipfw/ip_fw2.c | 18 +++++++++++++++++- 3 files changed, 60 insertions(+), 11 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index ea35a2767845..58bc3662fcc7 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 21, 2019 +.Dd August 10, 2020 .Dt IPFW 8 .Os .Sh NAME 
@@ -600,7 +600,7 @@ See Section By name or address .It Misc. IP header fields Version, type of service, datagram length, identification, -fragment flag (non-zero IP offset), +fragmentation flags, Time To Live .It IP options .It IPv6 Extension headers @@ -1602,12 +1602,29 @@ Matches IPv6 packets containing any of the flow labels given in .Ar labels . .Ar labels is a comma separated list of numeric flow labels. -.It Cm frag -Matches packets that are fragments and not the first -fragment of an IP datagram. -Note that these packets will not have -the next protocol header (e.g.\& TCP, UDP) so options that look into -these headers cannot match. +.It Cm frag Ar spec +Matches IPv4 packets whose +.Cm ip_off +field contains the comma separated list of IPv4 fragmentation +options specified in +.Ar spec . +The recognized options are: +.Cm df +.Pq Dv don't fragment , +.Cm mf +.Pq Dv more fragments , +.Cm rf +.Pq Dv reserved fragment bit +.Cm offset +.Pq Dv non-zero fragment offset . +The absence of a particular options may be denoted +with a +.Ql \&! . +.Pp +Empty list of options defaults to matching on non-zero fragment offset. +Such rule would match all not the first fragment datagrams, +both IPv4 and IPv6. +This is a backward compatibility with older rulesets. .It Cm gid Ar group Matches all TCP or UDP packets sent by or received for a .Ar group . diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index cf66422d2ff0..e0b5371adb91 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -168,6 +168,14 @@ static struct _s_x f_iptos[] = { { NULL, 0 } }; +static struct _s_x f_ipoff[] = { + { "rf", IP_RF >> 8 }, + { "df", IP_DF >> 8 }, + { "mf", IP_MF >> 8 }, + { "offset", 0x1 }, + { NULL, 0} +}; + struct _s_x f_ipdscp[] = { { "af11", IPTOS_DSCP_AF11 >> 2 }, /* 001010 */ { "af12", IPTOS_DSCP_AF12 >> 2 }, /* 001100 */ 
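Review bot: the "offset" entry in f_ipoff uses a bare 0x1, and the same literal is relied on in the TOK_FRAG parser hunk (cmd->arg1 = 0x1) and in the kernel's O_FRAG case (cmd->arg1 == 0x1), so the userland encoding and the kernel match agree only by convention. A named constant in a header both sides include would keep them in step and document that this bit means "non-zero fragment offset" while the other entries are IP_RF, IP_DF and IP_MF shifted right by 8. The terminator is also written { NULL, 0} where the f_iptos table in the context above uses { NULL, 0 }.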
@@ -1531,7 +1539,7 @@ print_instruction(struct buf_pr *bp, const struct format_opts *fo, IPPROTO_ETHERTYPE, cmd->opcode); break; case O_FRAG: - bprintf(bp, " frag"); + print_flags(bp, "frag", cmd, f_ipoff); break; case O_FIB: bprintf(bp, " fib %u", cmd->arg1); @@ -4553,7 +4561,15 @@ read_options: break; case TOK_FRAG: - fill_cmd(cmd, O_FRAG, 0, 0); + fill_flags_cmd(cmd, O_FRAG, f_ipoff, *av); + /* + * Compatibility: no argument after "frag" + * keyword equals to "frag offset". + */ + if (cmd->arg1 == 0) + cmd->arg1 = 0x1; + else + av++; break; case TOK_LAYER2: diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index 90f3b3c08198..f639a3bfabbd 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c 
@@ -1916,7 +1916,23 @@ do { \ break; case O_FRAG: - match = (offset != 0); + if (is_ipv4) { + /* + * Since flags_match() works with + * uint8_t we pack ip_off into 8 bits. + * For this match offset is a boolean. + */ + match = flags_match(cmd, + ((ntohs(ip->ip_off) & ~IP_OFFMASK) + >> 8) | (offset != 0)); + } else { + /* + * Compatiblity: historically bare + * "frag" would match IPv6 fragments. + */ + match = (cmd->arg1 == 0x1 && + (offset != 0)); + } break; case O_IN: /* "out" is "not in" */ From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 13:28:56 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 997944D2002; Sun, 3 Jan 2021 13:28:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D802w3xTnz4vBp; Sun, 3 Jan 2021 13:28:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 7A0F4527; Sun, 3 Jan 2021 13:28:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103DSuaW033041; Sun, 3 Jan 2021 13:28:56 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by 
gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103DSuVp033039; Sun, 3 Jan 2021 13:28:56 GMT (envelope-from git) Date: Sun, 3 Jan 2021 13:28:56 GMT Message-Id: <202101031328.103DSuVp033039@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Gordon Bergling Subject: git: 796d9b45c7c9 - stable/12 - MFC r365628 by ae: Fix compatibility regression after r364117. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: gbe X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 796d9b45c7c917f0fd09e7c578e8189932debae5 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 13:28:56 -0000 The branch stable/12 has been updated by gbe (doc committer): URL: https://cgit.FreeBSD.org/src/commit/?id=796d9b45c7c917f0fd09e7c578e8189932debae5 commit 796d9b45c7c917f0fd09e7c578e8189932debae5 Author: Andrey V. Elsukov AuthorDate: 2020-09-11 10:07:09 +0000 Commit: Gordon Bergling CommitDate: 2021-01-03 13:27:50 +0000 MFC r365628 by ae: Fix compatibility regression after r364117. Properly handle the case, when some opcode keywords follow after the `frag` opcode without additional options. Reported by: Evgeniy Khramtsov Approved by: glebius (cherry picked from commit b876085f5589f4e6d531d97ad902c5730ec55339) --- sbin/ipfw/ipfw2.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index e0b5371adb91..85347b1add03 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c 
@@ -4560,17 +4560,24 @@ read_options: fill_cmd(cmd, O_DIVERTED, 0, 2); break; - case TOK_FRAG: - fill_flags_cmd(cmd, O_FRAG, f_ipoff, *av); - /* - * Compatibility: no argument after "frag" - * keyword equals to "frag offset". - */ - if (cmd->arg1 == 0) - cmd->arg1 = 0x1; - else + case TOK_FRAG: { + uint32_t set = 0, clear = 0; + + if (*av != NULL && fill_flags(f_ipoff, *av, NULL, + &set, &clear) == 0) av++; + else { + /* + * Compatibility: no argument after "frag" + * keyword equals to "frag offset". + */ + set = 0x01; + clear = 0; + } + fill_cmd(cmd, O_FRAG, 0, + (set & 0xff) | ( (clear & 0xff) << 8)); break; + } case TOK_LAYER2: fill_cmd(cmd, O_LAYER2, 0, 0);
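Review bot: in the new TOK_FRAG block, any non-zero return from fill_flags() drops into the compatibility branch, so a mistyped flag list after "frag" is encoded as "frag offset" and the bad word is left in av for whatever parses the next token. Whether the user then gets an error depends on code outside this hunk; it would be safer to fall back only when *av is NULL or is a recognised option keyword and to fail on anything else, because a rule that compiles to a different match than the one typed is a filtering gap nobody sees. The final fill_cmd() also masks set and clear with 0xff without checking for bits above that, which holds only as long as every f_ipoff value fits in a byte; a comment or an assertion would make that assumption explicit. Style: "( (clear & 0xff) << 8)" has a stray space after the opening parenthesis.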
Date: Sun, 3 Jan 2021 13:35:10 GMT Message-Id: <202101031335.103DZAgv045439@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Gordon Bergling Subject: git: 85562bddad18 - stable/12 - MFC r368804: ipfw(8): Fix a few mandoc related issues X-Git-Committer: gbe X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 85562bddad1843b4798f9f25202a14f64b7e8ec0 The branch stable/12 has been updated by gbe (doc committer): URL: https://cgit.FreeBSD.org/src/commit/?id=85562bddad1843b4798f9f25202a14f64b7e8ec0 commit 85562bddad1843b4798f9f25202a14f64b7e8ec0 Author: Gordon Bergling AuthorDate: 2020-12-19 12:47:40 +0000 Commit: Gordon Bergling CommitDate: 2021-01-03 13:34:50 +0000 MFC r368804: ipfw(8): Fix a few mandoc related issues - no blank before trailing delimiter - missing section argument: Xr inet_pton - skipping paragraph macro: Pp before Ss - unusual Xr order: syslogd after sysrc - tab in filled text There were a few multiline NAT examples which used the .Dl macro with tabs. I converted them to .Bd, which is a more suitable macro for that case. (cherry picked from commit bae74ca92238e7df070c22f4b53dab12f60d82ef) --- sbin/ipfw/ipfw.8 | 98 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 50 insertions(+), 48 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index c99a9252c693..e77930355094 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -305,7 +305,6 @@ Finally, counters can be reset with the and .Cm resetlog commands. -.Pp .Ss COMMAND OPTIONS The following general options are available when invoking .Nm :
@@ -389,7 +388,8 @@ listed. When listing pipes, sort according to one of the four counters (total or current packets or bytes). .It Fl t -When listing, show last match timestamp converted with ctime(). +When listing, show last match timestamp converted with +.Fn ctime . .It Fl T When listing, show last match timestamp as seconds from the epoch. This form can be more convenient for postprocessing by scripts. @@ -1441,7 +1441,7 @@ list. Matches all IPv6 addresses with base .Ar addr (specified as allowed by -.Xr inet_pton +.Xr inet_pton 3 or a hostname) and mask width of .Cm masklen @@ -1450,12 +1450,12 @@ bits. Matches all IPv6 addresses with base .Ar addr (specified as allowed by -.Xr inet_pton +.Xr inet_pton 3 or a hostname) and the mask of .Ar mask , specified as allowed by -.Xr inet_pton . +.Xr inet_pton 3 . As an example, fe::640:0:0/ffff::ffff:ffff:0:0 will match fe:*:*:*:0:640:*:*. This form is advised only for non-contiguous @@ -1518,7 +1518,7 @@ operand, and possibly grouped into .Pp The following match patterns can be used (listed in alphabetical order): .Bl -tag -width indent -.It Cm // this is a comment. +.It Cm // this is a comment . Inserts the specified text as a comment in the rule. Everything following // is considered as a comment and stored in the rule. You can have comment-only rules, which are listed as having a @@ -1806,7 +1806,10 @@ keyword is special name used for compatibility with old rulesets. .It Cm layer2 Matches only layer2 packets, i.e., those passed to .Nm -from ether_demux() and ether_output_frame(). +from +.Fn ether_demux +and +.Fn ether_output_frame . .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname The firewall will only allow .Ar N 
@@ -2258,8 +2261,8 @@ Shows generic table information and algo-specific data. The following lookup algorithms are supported: .Bl -tag -width indent .It Ar algo-desc : algo-name | "algo-name algo-data" -.It Ar algo-name: Ar addr:radix | addr:hash | iface:array | number:array | flow:hash -.It Cm addr:radix +.It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash +.It Cm addr: radix Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see .Xr route 4 ) . Default choice for @@ -2330,11 +2333,11 @@ IPv6 nexthop to fwd packets to. The .Cm tablearg argument can be used with the following actions: -.Cm nat, pipe , queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib, +.Cm nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib , action parameters: -.Cm tag, untag, +.Cm tag, untag , rule options: -.Cm limit, tagged. +.Cm limit, tagged . .Pp When used with the .Cm skipto @@ -2614,7 +2617,6 @@ mode can be enabled by setting the .Va net.inet.ip.dummynet.io_fast .Xr sysctl 8 variable to a non-zero value. -.Pp .Ss PIPE, QUEUE AND SCHEDULER CONFIGURATION The .Em pipe , @@ -3550,7 +3552,6 @@ Note that the behavior of stateless translator with respect to not matched packets differs from stateful translator. If corresponding addresses was not found in the lookup tables, the packet will not be dropped and the search continues. -.Pp .Ss XLAT464 CLAT translation XLAT464 CLAT NAT64 translator implements client-side stateless translation as defined in RFC6877 and is very similar to statless NAT64 translator 
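Review bot: in the @@ -2258,8 +2261,8 @@ hunk, the added lines ".It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash" and ".It Cm addr: radix" split each algorithm name into two words, so the page now renders "addr: radix" where the removed lines rendered the literal "addr:radix". Only the free-standing colon after algo-name is a trailing delimiter; the colons inside the names are part of what the user types and should stay unspaced, as in the removed ".It Cm addr:radix".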
@@ -3662,12 +3663,12 @@ or .Xr kenv 1 before ipfw module gets loaded. .Bl -tag -width indent -.It Va net.inet.ip.fw.default_to_accept: No 0 +.It Va net.inet.ip.fw.default_to_accept : No 0 Defines ipfw last rule behavior. This value overrides .Cd "options IPFW_DEFAULT_TO_(ACCEPT|DENY)" from kernel configuration file. -.It Va net.inet.ip.fw.tables_max: No 128 +.It Va net.inet.ip.fw.tables_max : No 128 Defines number of tables available in ipfw. Number cannot exceed 65534. .El @@ -3682,7 +3683,7 @@ These are shown below together with their default value .Xr sysctl 8 command what value is actually in use) and meaning: .Bl -tag -width indent -.It Va net.inet.ip.alias.sctp.accept_global_ootb_addip: No 0 +.It Va net.inet.ip.alias.sctp.accept_global_ootb_addip : No 0 Defines how the .Nm nat responds to receipt of global OOTB ASCONF-AddIP: @@ -3698,7 +3699,7 @@ will accept and process all OOTB global AddIP messages. Option 1 should never be selected as this forms a security risk. An attacker can establish multiple fake associations by sending AddIP messages. -.It Va net.inet.ip.alias.sctp.chunk_proc_limit: No 5 +.It Va net.inet.ip.alias.sctp.chunk_proc_limit : No 5 Defines the maximum number of chunks in an SCTP packet that will be parsed for a packet that matches an existing association. @@ -3708,7 +3709,7 @@ A high value is a DoS risk yet setting too low a value may result in important control chunks in the packet not being located and parsed. -.It Va net.inet.ip.alias.sctp.error_on_ootb: No 1 +.It Va net.inet.ip.alias.sctp.error_on_ootb : No 1 Defines when the .Nm nat responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets. 
@@ -3745,7 +3746,7 @@ ASCONF-AddIP. Value 3 should never be chosen (except for debugging) as the .Nm nat will respond to all OOTB global packets (a DoS risk). -.It Va net.inet.ip.alias.sctp.hashtable_size: No 2003 +.It Va net.inet.ip.alias.sctp.hashtable_size : No 2003 Size of hash tables used for .Nm nat lookups (100 < prime_number > 1000001). 
@@ -3764,35 +3765,35 @@ should make these larger. A prime number is best for the table size. The sysctl update function will adjust your input value to the next highest prime number. -.It Va net.inet.ip.alias.sctp.holddown_time: No 0 +.It Va net.inet.ip.alias.sctp.holddown_time : No 0 Hold association in table for this many seconds after receiving a SHUTDOWN-COMPLETE. This allows endpoints to correct shutdown gracefully if a shutdown_complete is lost and retransmissions are required. -.It Va net.inet.ip.alias.sctp.init_timer: No 15 +.It Va net.inet.ip.alias.sctp.init_timer : No 15 Timeout value while waiting for (INIT-ACK|AddIP-ACK). This value cannot be 0. -.It Va net.inet.ip.alias.sctp.initialising_chunk_proc_limit: No 2 +.It Va net.inet.ip.alias.sctp.initialising_chunk_proc_limit : No 2 Defines the maximum number of chunks in an SCTP packet that will be parsed when no existing association exists that matches that packet. Ideally this packet will only be an INIT or ASCONF-AddIP packet. A higher value may become a DoS risk as malformed packets can consume processing resources. -.It Va net.inet.ip.alias.sctp.param_proc_limit: No 25 +.It Va net.inet.ip.alias.sctp.param_proc_limit : No 25 Defines the maximum number of parameters within a chunk that will be parsed in a packet. As for other similar sysctl variables, larger values pose a DoS risk. -.It Va net.inet.ip.alias.sctp.log_level: No 0 +.It Va net.inet.ip.alias.sctp.log_level : No 0 Level of detail in the system log messages (0 \- minimal, 1 \- event, 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug). May be a good option in high loss environments. -.It Va net.inet.ip.alias.sctp.shutdown_time: No 15 +.It Va net.inet.ip.alias.sctp.shutdown_time : No 15 Timeout value while waiting for SHUTDOWN-COMPLETE. This value cannot be 0. 
-.It Va net.inet.ip.alias.sctp.track_global_addresses: No 0 +.It Va net.inet.ip.alias.sctp.track_global_addresses : No 0 Enables/disables global IP address tracking within the .Nm nat and places an @@ -3819,7 +3820,7 @@ problems in complex networks with multiple We recommend not tracking global IP addresses, this will still result in a fully functional .Nm nat . -.It Va net.inet.ip.alias.sctp.up_timer: No 300 +.It Va net.inet.ip.alias.sctp.up_timer : No 300 Timeout value to keep an association up with no traffic. This value cannot be 0. .It Va net.inet.ip.dummynet.codel.interval : No 100000 @@ -4050,7 +4051,7 @@ and must be strictly lower than 5 seconds, the period of repetition of keepalives. The firewall enforces that. -.It Va net.inet.ip.fw.dyn_keep_states: No 0 +.It Va net.inet.ip.fw.dyn_keep_states : No 0 Keep dynamic states on rule/set deletion. States are relinked to default rule (65535). This can be handly for ruleset reload. @@ -4131,7 +4132,6 @@ List all table lookup algorithms currently available. There are far too many possible uses of .Nm so this Section will only give a small set of examples. -.Pp .Ss BASIC PACKET FILTERING This command adds an entry which denies all tcp packets from .Em cracker.evil.org 
@@ -4542,24 +4542,26 @@ To see configurations of all instances: .Dl "ipfw nat show config" .Pp Or a redirect rule with mixed modes could looks like: -.Pp -.Dl "ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66" -.Dl " redirect_port tcp 192.168.0.1:80 500" -.Dl " redirect_proto udp 192.168.1.43 192.168.1.1" -.Dl " redirect_addr 192.168.0.10,192.168.0.11" -.Dl " 10.0.0.100 # LSNAT" -.Dl " redirect_port tcp 192.168.0.1:80,192.168.0.10:22" -.Dl " 500 # LSNAT" +.Bd -literal -offset 2n +ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66 + redirect_port tcp 192.168.0.1:80 500 + redirect_proto udp 192.168.1.43 192.168.1.1 + redirect_addr 192.168.0.10,192.168.0.11 + 10.0.0.100 # LSNAT + redirect_port tcp 192.168.0.1:80,192.168.0.10:22 + 500 # LSNAT +.Ed .Pp or it could be split in: -.Pp -.Dl "ipfw nat 1 config redirect_addr 10.0.0.1 10.0.0.66" -.Dl "ipfw nat 2 config redirect_port tcp 192.168.0.1:80 500" -.Dl "ipfw nat 3 config redirect_proto udp 192.168.1.43 192.168.1.1" -.Dl "ipfw nat 4 config redirect_addr 192.168.0.10,192.168.0.11,192.168.0.12" -.Dl " 10.0.0.100" -.Dl "ipfw nat 5 config redirect_port tcp" -.Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500" +.Bd -literal -offset 2n +ipfw nat 1 config redirect_addr 10.0.0.1 10.0.0.66 +ipfw nat 2 config redirect_port tcp 192.168.0.1:80 500 +ipfw nat 3 config redirect_proto udp 192.168.1.43 192.168.1.1 +ipfw nat 4 config redirect_addr 192.168.0.10,192.168.0.11,192.168.0.12 + 10.0.0.100 +ipfw nat 5 config redirect_port tcp + 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500 +.Ed .Pp Sometimes you may want to mix NAT and dynamic rules. It could be achieved with 
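Review bot: in the two new .Bd -literal blocks, the first example is a single "ipfw nat 123 config" command spread over seven lines and the second wraps the nat 4 and nat 5 commands onto a following line, but none of the wrapped lines ends in a line continuation. A literal display is what readers copy, and pasted into a shell only the first line of each wrapped command runs as intended, leaving for instance nat 123 configured with the redirect_addr entry alone while the remaining lines fail as separate commands. Ending each wrapped line with an escaped backslash (\e in mdoc) would make the examples usable as shown.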
@@ -4711,8 +4713,8 @@ can be changed in a similar way as for .Xr kldload 8 , .Xr reboot 8 , .Xr sysctl 8 , -.Xr sysrc 8 , -.Xr syslogd 8 +.Xr syslogd 8 , +.Xr sysrc 8 .Sh HISTORY The .Nm
Date: Sun, 3 Jan 2021 13:35:10 GMT Message-Id: <202101031335.103DZA9U045456@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Gordon Bergling Subject: git: 2b29cc2621be - stable/12 - MFC r366402: ipfw(8): Bugfixes for some issues reported by mandoc X-Git-Committer: gbe X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 2b29cc2621be4781298262cb3c0264932e99f459 The branch stable/12 has been updated by gbe (doc committer): URL: https://cgit.FreeBSD.org/src/commit/?id=2b29cc2621be4781298262cb3c0264932e99f459 commit 2b29cc2621be4781298262cb3c0264932e99f459 Author: Gordon Bergling AuthorDate: 2020-10-03 18:30:01 +0000 Commit: Gordon Bergling CommitDate: 2021-01-03 13:34:02 +0000 MFC r366402: ipfw(8): Bugfixes for some issues reported by mandoc - whitespace at end of input line - new sentence, new line - skipping paragraph macro: Pp before Pp (cherry picked from commit 8636dd5703dbacff4e8f88385f98c9251526b751) --- sbin/ipfw/ipfw.8 | 109 +++++++++++++++++++++++++++++++------------------------ 1 file changed, 61 insertions(+), 48 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 4a0853274af3..c99a9252c693 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -527,9 +527,9 @@ ipfw add 10 skipto 4000 all from any to any layer2 out ether_demux and bdg_forward). .Pp Also note that only actions -.Cm allow, -.Cm deny, -.Cm netgraph, +.Cm allow , +.Cm deny , +.Cm netgraph , .Cm ngtee and related to .Cm dummynet
@@ -682,7 +682,7 @@ to simulate the effect of multiple paths leading to out-of-order packet delivery. .Pp Note: this condition is checked before any other condition, including -ones such as +ones such as .Cm keep-state or .Cm check-state @@ -991,7 +991,8 @@ It is possible to use the .Cm tablearg keyword with a skipto for a .Em computed -skipto. Skipto may work either in O(log(N)) or in O(1) depending +skipto. +Skipto may work either in O(log(N)) or in O(1) depending on amount of memory and/or sysctl variables. See the .Sx SYSCTL VARIABLES @@ -1454,7 +1455,7 @@ or a hostname) and the mask of .Ar mask , specified as allowed by -.Xr inet_pton. +.Xr inet_pton . As an example, fe::640:0:0/ffff::ffff:ffff:0:0 will match fe:*:*:*:0:640:*:*. This form is advised only for non-contiguous @@ -1528,7 +1529,8 @@ Alias for .Cm layer2 . .It Cm defer-immediate-action | defer-action A rule with this option will not perform normal action -upon a match. This option is intended to be used with +upon a match. +This option is intended to be used with .Cm record-state or .Cm keep-state @@ -1539,8 +1541,9 @@ Rules with both and .Cm defer-immediate-action create a dynamic rule and continue with the next rule without actually -performing the action part of this rule. When the rule is later activated -via the state table, the action is performed as usual. +performing the action part of this rule. +When the rule is later activated via the state table, the action is +performed as usual. .It Cm diverted Matches only packets generated by a divert socket. .It Cm diverted-loopback @@ -1604,7 +1607,7 @@ Matches IPv6 packets containing any of the flow labels given in is a comma separated list of numeric flow labels. .It Cm frag Ar spec Matches IPv4 packets whose -.Cm ip_off +.Cm ip_off field contains the comma separated list of IPv4 fragmentation options specified in .Ar spec . 
@@ -1793,7 +1796,8 @@ packet is found. The .Ar :flowname is used to assign additional to addresses, ports and protocol parameter -to dynamic rule. It can be used for more accurate matching by +to dynamic rule. +It can be used for more accurate matching by .Cm check-state rule. The @@ -2212,8 +2216,8 @@ One or more entries can be added to a table at once using command. Addition of all items are performed atomically. By default, error in addition of one entry does not influence -addition of other entries. However, non-zero error code is returned -in that case. +addition of other entries. +However, non-zero error code is returned in that case. Special .Cm atomic keyword may be specified before @@ -2224,8 +2228,8 @@ One or more entries can be removed from a table at once using .Cm delete command. By default, error in removal of one entry does not influence -removing of other entries. However, non-zero error code is returned -in that case. +removing of other entries. +However, non-zero error code is returned in that case. .Pp It may be possible to check what entry will be found on particular .Ar table-key @@ -2983,10 +2987,12 @@ and are integer numbers specifying thresholds for queue management (thresholds are computed in bytes if the queue has been defined in bytes, in slots otherwise). -The two parameters can also be of the same value if needed. The +The two parameters can also be of the same value if needed. +The .Nm dummynet also supports the gentle RED variant (gred) and ECN (Explicit Congestion -Notification) as optional. Three +Notification) as optional. +Three .Xr sysctl 8 variables can be used to control the RED behaviour: .Bl -tag -width indent @@ -3266,7 +3272,7 @@ Skip instance in case of global state lookup (see below). .El .Pp Some specials value can be supplied instead of -.Va nat_number: +.Va nat_number : .Bl -tag -width indent .It Cm global Looks up translation state in all configured nat instances. 
@@ -3370,7 +3376,7 @@ Thus translator host should be configured as IPv4 and IPv6 router. Also this means, that a packet is handled by firewall twice. First time an original packet is handled and consumed by translator, and then it is handled again as translated packet. -This behavior can be changed by sysctl variable +This behavior can be changed by sysctl variable .Va net.inet.ip.fw.nat64_direct_output . Also translated packet can be tagged using .Cm tag @@ -3400,7 +3406,8 @@ in the states table will be dropped by translator. Make sure that translation rules handle packets, destined to configured prefix. .It Cm prefix6 Ar ipv6_prefix/length The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator -to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64. +to represent IPv4 addresses. +This IPv6 prefix should be configured in DNS64. The translator implementation follows RFC6052, that restricts the length of prefixes to one of following: 32, 40, 48, 56, 64, or 96. The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long. @@ -3475,9 +3482,9 @@ you are able to see each handled packet before and after translation. .It Cm -log Turn off logging of all handled packets via BPF. .It Cm allow_private -Turn on processing private IPv4 addresses. By default IPv6 packets with -destinations mapped to private address ranges defined by RFC1918 are not -processed. +Turn on processing private IPv4 addresses. +By default IPv6 packets with destinations mapped to private address ranges +defined by RFC1918 are not processed. .It Cm -allow_private Turn off private address handling in .Nm nat64 @@ -3493,7 +3500,6 @@ To inspect a states table of stateful NAT64 the following command can be used: .Ek .Ed .Pp -.Pp Stateless NAT64 translator doesn't use a states table for translation and converts IPv4 addresses to IPv6 and vice versa solely based on the mappings taken from configured lookup tables. 
@@ -3514,7 +3520,8 @@ The following parameters can be configured: .Bl -tag -width indent .It Cm prefix6 Ar ipv6_prefix/length The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator -to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64. +to represent IPv4 addresses. +This IPv6 prefix should be configured in DNS64. .It Cm table4 Ar table46 The lookup table .Ar table46 @@ -3530,9 +3537,9 @@ interface. .It Cm -log Turn off logging of all handled packets via BPF. .It Cm allow_private -Turn on processing private IPv4 addresses. By default IPv6 packets with -destinations mapped to private address ranges defined by RFC1918 are not -processed. +Turn on processing private IPv4 addresses. +By default IPv6 packets with destinations mapped to private address ranges +defined by RFC1918 are not processed. .It Cm -allow_private Turn off private address handling in .Nm nat64 @@ -3544,12 +3551,12 @@ packets differs from stateful translator. If corresponding addresses was not found in the lookup tables, the packet will not be dropped and the search continues. .Pp -.Pp .Ss XLAT464 CLAT translation XLAT464 CLAT NAT64 translator implements client-side stateless translation as defined in RFC6877 and is very similar to statless NAT64 translator -explained above. Instead of lookup tables it uses one-to-one mapping -between IPv4 and IPv6 addresses using configured prefixes. +explained above. +Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6 +addresses using configured prefixes. This mode can be used as a replacement of DNS64 service for applications that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet over IPv6-only networks with help of remote NAT64 translator. 
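Review bot: in the @@ -3544,12 +3551,12 @@ hunk, dropping the duplicate still leaves one .Pp directly in front of ".Ss XLAT464 CLAT translation", which mandoc also reports as a skipped paragraph macro (Pp before Ss), so that one should go as well. The paragraph being reflowed just below it keeps the typo "statless" in "very similar to statless NAT64 translator", which could be corrected while these lines are being touched.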
@@ -3571,8 +3578,8 @@ The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator to represent source IPv4 addresses. .It Cm plat_prefix Ar ipv6_prefix/length The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator -to represent destination IPv4 addresses. This IPv6 prefix should be configured -on a remote NAT64 translator. +to represent destination IPv4 addresses. +This IPv6 prefix should be configured on a remote NAT64 translator. .It Cm log Turn on logging of all handled packets via BPF through .Ar ipfwlog0 @@ -3580,7 +3587,8 @@ interface. .It Cm -log Turn off logging of all handled packets via BPF. .It Cm allow_private -Turn on processing private IPv4 addresses. By default +Turn on processing private IPv4 addresses. +By default .Nm nat64clat instance will not process IPv4 packets with destination address from private ranges as defined in RFC1918. @@ -3632,7 +3640,8 @@ and .Cm ext_if options are mutually exclusive. .It Cm prefixlen Ar length -The length of specified IPv6 prefixes. It must be in range from 8 to 64. +The length of specified IPv6 prefixes. +It must be in range from 8 to 64. .El .Pp Note that the prefix translation rules are silently ignored when IPv6 packet @@ -4086,7 +4095,7 @@ Controls the output method used by module: .Bl -tag -width indent .It Cm 0 -A packet is handled by +A packet is handled by .Nm ipfw twice. First time an original packet is handled by @@ -4277,11 +4286,11 @@ ruleset to minimize the amount of work scanning the ruleset. Your mileage may vary. .Pp For more complex scenarios with dynamic rules -.Cm record-state +.Cm record-state and .Cm defer-action can be used to precisely control creation and checking of dynamic rules. -Example of usage of these options are provided in +Example of usage of these options are provided in .Sx NETWORK ADDRESS TRANSLATION (NAT) Section. .Pp 
@@ -4552,21 +4561,24 @@ or it could be split in: .Dl "ipfw nat 5 config redirect_port tcp" .Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500" .Pp -Sometimes you may want to mix NAT and dynamic rules. It could be achieved with +Sometimes you may want to mix NAT and dynamic rules. +It could be achieved with .Cm record-state and .Cm defer-action -options. Problem is, you need to create dynamic rule before NAT and check it +options. +Problem is, you need to create dynamic rule before NAT and check it after NAT actions (or vice versa) to have consistent addresses and ports. Rule with .Cm keep-state option will trigger activation of existing dynamic state, and action of such -rule will be performed as soon as rule is matched. In case of NAT and +rule will be performed as soon as rule is matched. +In case of NAT and .Cm allow rule packet need to be passed to NAT, not allowed as soon is possible. .Pp -There is example of set of rules to achieve this. Bear in mind that this -is example only and it is not very useful by itself. +There is example of set of rules to achieve this. +Bear in mind that this is example only and it is not very useful by itself. .Pp On way out, after all checks place this rules: .Pp @@ -4579,10 +4591,11 @@ And on way in there should be something like this: .Dl "ipfw add check-state" .Pp Please note, that first rule on way out doesn't allow packet and doesn't -execute existing dynamic rules. All it does, create new dynamic rule with +execute existing dynamic rules. +All it does, create new dynamic rule with .Cm allow -action, if it is not created yet. Later, this dynamic rule is used on way -in by +action, if it is not created yet. +Later, this dynamic rule is used on way in by .Cm check-state rule. .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM @@ -4593,7 +4606,7 @@ AQM can be configured for .Nm dummynet .Cm pipe or -.Cm queue. +.Cm queue . .Pp To configure a .Cm pipe 
@@ -4665,7 +4678,7 @@ to 10ms, we do: .Dl "ipfw sched 1 config pipe 1 type fq_codel target 10ms noecn" .Pp Similar to -.Cm fq_codel, +.Cm fq_codel , to configure .Cm fq_pie scheduler using different configurations parameters for traffic from
Date: Sun, 3 Jan 2021 13:35:10 GMT Message-Id: <202101031335.103DZA9h045473@gitrepo.freebsd.org> To: src-committers@FreeBSD.org,
dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Gordon Bergling Subject: git: d0d27682eefd - stable/12 - MFC r364459 (by fernape): ipfw(8): Fix typo in man page X-Git-Committer: gbe X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: d0d27682eefdd70100f26037b2575fbd929dd7c6 The branch stable/12 has been updated by gbe (doc committer): URL: https://cgit.FreeBSD.org/src/commit/?id=d0d27682eefdd70100f26037b2575fbd929dd7c6 commit d0d27682eefdd70100f26037b2575fbd929dd7c6 Author: Fernando Apesteguía AuthorDate: 2020-08-21 17:45:17 +0000 Commit: Gordon Bergling CommitDate: 2021-01-03 13:33:00 +0000 MFC r364459 (by fernape): ipfw(8): Fix typo in man page s/exmaple/example Approved by: manpages (gbe@) Differential Revision: https://reviews.freebsd.org/D26147 (cherry picked from commit 71230912a70c5a64c02005603bf077d1d4b767cd) --- sbin/ipfw/ipfw.8 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 58bc3662fcc7..4a0853274af3 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 10, 2020 +.Dd August 21, 2020 .Dt IPFW 8 .Os .Sh NAME
@@ -4566,7 +4566,7 @@ rule will be performed as soon as rule is matched. In case of NAT and rule packet need to be passed to NAT, not allowed as soon is possible. .Pp There is example of set of rules to achieve this. Bear in mind that this -is exmaple only and it is not very useful by itself. +is example only and it is not very useful by itself. .Pp On way out, after all checks place this rules: .Pp From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 16:30:09 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id EDDA14D64DA; Sun, 3 Jan 2021 16:30:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D844160fLz3MvQ; Sun, 3 Jan 2021 16:30:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C0B092B1A; Sun, 3 Jan 2021 16:30:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103GU92s069072; Sun, 3 Jan 2021 16:30:09 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103GU9JU069065; Sun, 3 Jan 2021 16:30:09 GMT 
(envelope-from git) Date: Sun, 3 Jan 2021 16:30:09 GMT Message-Id: <202101031630.103GU9JU069065@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Michael Reifenberger
Subject: git: 72b42d209ff5 - stable/11 - MFC r340361:
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: mr
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/11
X-Git-Reftype: branch
X-Git-Commit: 72b42d209ff5b37c615048fb251d7bf9eb276381
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Sun, 03 Jan 2021 16:30:10 -0000

The branch stable/11 has been updated by mr:

URL: https://cgit.FreeBSD.org/src/commit/?id=72b42d209ff5b37c615048fb251d7bf9eb276381

commit 72b42d209ff5b37c615048fb251d7bf9eb276381
Author: Michael Tuexen
AuthorDate: 2018-11-15 17:25:32 +0000
Commit: Michael Reifenberger
CommitDate: 2021-01-03 16:29:50 +0000

    MFC r340361:

    Fix printing of 64-bit counters on 32-bit ppc platforms.

    Several statistic counters are uint64_t values and are printed by systat using %lu. This results in displaying wrong numbers. Use PRIu64 instead. While there, print variables of size_t using %zd.

    Approved by: re (gjb@)
    Differential Revision: https://reviews.freebsd.org/D17838

    (cherry picked from commit 45e9405ea4b05926b22a743237cbfe918206db50)

    systat: use and correctly display 64bit counters.

    Following struct vmtotal changes, make systat use and correctly display 64-bit counters. Switch to humanize_number(3) to overcome homegrown arithmetics limits in pretty printing large numbers. Use 1024 as a divisor for memory fields to make it consistent with other tools and users' expectations.

    Submitted by: Pawel Biernacki
    Sponsored by: Mysterious Code Ltd.
    PR: 2137
    Differential revision: https://reviews.freebsd.org/D13105

    (cherry picked from commit 90dd3e79cc4d721b17c473fdaf3ba3d6d912b138)

    Order declarations alphabetically.
    Match signedness of the format and the value.

    Noted by: bde
    Sponsored by: The FreeBSD Foundation

    (cherry picked from commit 1b7a3d1f5ffe700203f12654cd01a08a84551b4a)

    MFC r340361, r345804: catch up on systat in head/

    [Neither of these originally mine, but the latter commit referenced fixes an -fno-common issue and the former is a bugfix]

    r340361:
    Fix printing of 64-bit counters on 32-bit ppc platforms.

    Several statistic counters are uint64_t values and are printed by systat using %lu. This results in displaying wrong numbers. Use PRIu64 instead. While there, print variables of size_t using %zd.

    r345804:
    systat -zarc to display disk activities like -vm

    PR: 213310

    (cherry picked from commit a70af2507f720c2d7f56f51a18d358123b4770a5)

    MFC r360919,r360929,r361084:

    Patch systat -zarc to display cumulative rate and round down large numbers by SI units

    Introduce sysputpage() to display large page size with human readable format. Using UI units allows to fit larger numbers in columns. Stop calling v_page_size - this is a value that doesn't change at runtime. Renamed WINDOW *wnd to *wd to avoid conflict with global *wnd variable. Use bit-shift to convert page size to byte.

    PR: 237664, 246458
    Submitted by: ota@j.email.ne.jp

    (cherry picked from commit 65d1fd13ac2182f7ca0c223bb723fba6d780740f)

    MFC r363095:

    Handle device removal and removal+add cases to fix infinity rate.

PR: 219829 Submitted by: ota@j.email.ne.jp Reported by: rezo@live.cn Differential Revision: https://reviews.freebsd.org/D25226 (cherry picked from commit 7a446028cedb13a0d2004cf6f584291a976392da) PR: 219829, 237664, 246458, 213310, 2137 --- usr.bin/systat/Makefile | 4 +- usr.bin/systat/devs.c | 126 +++++++++++++++++++++++++-- usr.bin/systat/devs.h | 16 +++- usr.bin/systat/extern.h | 7 +- usr.bin/systat/fetch.c | 9 +- usr.bin/systat/icmp6.c | 9 +- usr.bin/systat/ifcmds.c | 2 + usr.bin/systat/ifstat.c | 118 ++++++++++++++++---------- usr.bin/systat/iostat.c | 46 +++++----- usr.bin/systat/ip.c | 7 +- usr.bin/systat/ip6.c | 7 +- usr.bin/systat/main.c | 13 +-- usr.bin/systat/swap.c | 17 +++- usr.bin/systat/sysput.c | 118 ++++++++++++++++++++++++++ usr.bin/systat/systat.1 | 1 + usr.bin/systat/systat.h | 4 + usr.bin/systat/tcp.c | 3 +- usr.bin/systat/vmstat.c | 221 +++++++++++++++++------------------------------- usr.bin/systat/zarc.c | 124 ++++++++++++++++----------- 19 files changed, 548 insertions(+), 304 deletions(-) diff --git a/usr.bin/systat/Makefile b/usr.bin/systat/Makefile index f0de9fbaeecf..ca3f7ed72ce4 100644 --- a/usr.bin/systat/Makefile +++ b/usr.bin/systat/Makefile @@ -4,7 +4,7 @@ .include PROG= systat -SRCS= cmds.c cmdtab.c devs.c fetch.c iostat.c keyboard.c main.c \ +SRCS= cmds.c cmdtab.c devs.c fetch.c iostat.c keyboard.c main.c sysput.c \ netcmds.c netstat.c pigs.c swap.c icmp.c \ mode.c ip.c sctp.c tcp.c zarc.c \ vmstat.c convtbl.c ifcmds.c ifstat.c @@ -16,6 +16,6 @@ CFLAGS+= -DINET6 WARNS?= 1 -LIBADD= ncursesw m devstat kvm +LIBADD= ncursesw m devstat kvm util .include diff --git a/usr.bin/systat/devs.c b/usr.bin/systat/devs.c index 3c74fb7690e3..6c0461fd531f 100644 --- a/usr.bin/systat/devs.c +++ b/usr.bin/systat/devs.c @@ -1,5 +1,6 @@ /* * Copyright (c) 1998 Kenneth D. Merry. + * 2015 Yoshihiro Ota * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -67,7 +68,6 @@ static const char sccsid[] = "@(#)disks.c 8.1 (Berkeley) 6/6/93"; #include #include -#include #include #include #include @@ -82,6 +82,8 @@ typedef enum { DS_MATCHTYPE_PATTERN } last_match_type; +struct statinfo cur_dev, last_dev, run_dev; + last_match_type last_type; struct device_selection *dev_select; long generation; @@ -99,10 +101,8 @@ static int dsselect(const char *args, devstat_select_mode select_mode, int maxshowdevs, struct statinfo *s1); int -dsinit(int maxshowdevs, struct statinfo *s1, struct statinfo *s2 __unused, - struct statinfo *s3 __unused) +dsinit(int maxshowdevs) { - /* * Make sure that the userland devstat version matches the kernel * devstat version. If not, exit and print a message informing @@ -111,6 +111,18 @@ dsinit(int maxshowdevs, struct statinfo *s1, struct statinfo *s2 __unused, if (devstat_checkversion(NULL) < 0) errx(1, "%s", devstat_errbuf); + if( cur_dev.dinfo ) // init was alreay ran + return(1); + + if ((num_devices = devstat_getnumdevs(NULL)) < 0) { + warnx("%s", devstat_errbuf); + return(0); + } + + cur_dev.dinfo = calloc(1, sizeof(struct devinfo)); + last_dev.dinfo = calloc(1, sizeof(struct devinfo)); + run_dev.dinfo = calloc(1, sizeof(struct devinfo)); + generation = 0; num_devices = 0; num_selected = 0; @@ -118,11 +130,11 @@ dsinit(int maxshowdevs, struct statinfo *s1, struct statinfo *s2 __unused, select_generation = 0; last_type = DS_MATCHTYPE_NONE; - if (devstat_getdevs(NULL, s1) == -1) + if (devstat_getdevs(NULL, &cur_dev) == -1) errx(1, "%s", devstat_errbuf); - num_devices = s1->dinfo->numdevs; - generation = s1->dinfo->generation; + num_devices = cur_dev.dinfo->numdevs; + generation = cur_dev.dinfo->generation; dev_select = NULL; 
@@ -132,13 +144,31 @@ dsinit(int maxshowdevs, struct statinfo *s1, struct statinfo *s2 __unused, * or 1. If we get back -1, though, there is an error. */ if (devstat_selectdevs(&dev_select, &num_selected, &num_selections, - &select_generation, generation, s1->dinfo->devices, num_devices, + &select_generation, generation, cur_dev.dinfo->devices, num_devices, NULL, 0, NULL, 0, DS_SELECT_ADD, maxshowdevs, 0) == -1) errx(1, "%d %s", __LINE__, devstat_errbuf); return(1); } + +void +dsgetinfo(struct statinfo* dev) +{ + switch (devstat_getdevs(NULL, dev)) { + case -1: + errx(1, "%s", devstat_errbuf); + break; + case 1: + num_devices = dev->dinfo->numdevs; + generation = dev->dinfo->generation; + cmdkre("refresh", NULL); + break; + default: + break; + } +} + int dscmd(const char *cmd, const char *args, int maxshowdevs, struct statinfo *s1) { 
@@ -319,3 +349,83 @@ dsselect(const char *args, devstat_select_mode select_mode, int maxshowdevs, } return(1); } + + +void +dslabel(int maxdrives, int diskcol, int diskrow) +{ + int i, j; + + mvprintw(diskrow, diskcol, "Disks"); + mvprintw(diskrow + 1, diskcol, "KB/t"); + mvprintw(diskrow + 2, diskcol, "tps"); + mvprintw(diskrow + 3, diskcol, "MB/s"); + mvprintw(diskrow + 4, diskcol, "%%busy"); + /* + * For now, we don't support a fourth disk statistic. So there's + * no point in providing a label for it. If someone can think of a + * fourth useful disk statistic, there is room to add it. + */ + /* mvprintw(diskrow + 4, diskcol, " msps"); */ + j = 0; + for (i = 0; i < num_devices && j < maxdrives; i++) + if (dev_select[i].selected) { + char tmpstr[80]; + sprintf(tmpstr, "%s%d", dev_select[i].device_name, + dev_select[i].unit_number); + mvprintw(diskrow, diskcol + 5 + 6 * j, + " %5.5s", tmpstr); + j++; + } +} + +static void +dsshow2(int diskcol, int diskrow, int dn, int lc, struct statinfo *now, struct statinfo *then) +{ + long double transfers_per_second; + long double kb_per_transfer, mb_per_second; + long double elapsed_time, device_busy; + int di; + + di = dev_select[dn].position; + + if (then != NULL) { + /* Calculate relative to previous sample */ + elapsed_time = now->snap_time - then->snap_time; + } else { + /* Calculate relative to device creation */ + elapsed_time = now->snap_time - devstat_compute_etime( + &now->dinfo->devices[di].creation_time, NULL); + } + + if (devstat_compute_statistics(&now->dinfo->devices[di], then ? 
+ &then->dinfo->devices[di] : NULL, elapsed_time, + DSM_KB_PER_TRANSFER, &kb_per_transfer, + DSM_TRANSFERS_PER_SECOND, &transfers_per_second, + DSM_MB_PER_SECOND, &mb_per_second, + DSM_BUSY_PCT, &device_busy, + DSM_NONE) != 0) + errx(1, "%s", devstat_errbuf); + + lc = diskcol + lc * 6; + putlongdouble(kb_per_transfer, diskrow + 1, lc, 5, 2, 0); + putlongdouble(transfers_per_second, diskrow + 2, lc, 5, 0, 0); + putlongdouble(mb_per_second, diskrow + 3, lc, 5, 2, 0); + putlongdouble(device_busy, diskrow + 4, lc, 5, 0, 0); +} + +static void +dsshow3(int diskcol, int diskrow, int dn, int lc, struct statinfo *now, struct statinfo *then) +{ + dsshow2(diskcol, diskrow, dn, lc, now, then); +} + +void +dsshow(int maxdrives, int diskcol, int diskrow, struct statinfo *now, struct statinfo *then) +{ + int i, lc; + + for (i = 0, lc = 0; i < num_devices && lc < maxdrives; i++) + if (dev_select[i].selected) + dsshow3(diskcol, diskrow, i, ++lc, now, then); +} diff --git a/usr.bin/systat/devs.h b/usr.bin/systat/devs.h index b25cc962bb21..cbedd844290e 100644 --- a/usr.bin/systat/devs.h +++ b/usr.bin/systat/devs.h @@ -2,6 +2,7 @@ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * * Copyright (c) 1998 David E. O'Brien + * 2015 Yoshihiro Ota * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -28,5 +29,18 @@ * $FreeBSD$ */ -int dsinit(int, struct statinfo *, struct statinfo *, struct statinfo *); +#ifndef DEVS_H +#define DEVS_H + +#include + +int dsinit(int); +void dsgetinfo(struct statinfo *); int dscmd(const char *, const char *, int, struct statinfo *); + +void dslabel(int, int, int); +void dsshow(int, int, int, struct statinfo *, struct statinfo *); + +extern struct statinfo cur_dev, last_dev, run_dev; + +#endif diff --git a/usr.bin/systat/extern.h b/usr.bin/systat/extern.h index 272eead74c01..c36255e531b4 100644 --- a/usr.bin/systat/extern.h +++ b/usr.bin/systat/extern.h 
@@ -163,6 +163,11 @@ void showtcp(void); void status(void); void suspend(int); char *sysctl_dynread(const char *, size_t *); +void sysputpage(WINDOW* , int, int, int, uint64_t, int); +void sysputspaces(WINDOW* , int, int, int); +void sysputstrs(WINDOW* , int, int, int); +void sysputuint64(WINDOW* , int, int, int, uint64_t, int); +void sysputwuint64(WINDOW* , int, int, int, uint64_t, int); #define SYSTAT_CMD(name) \ void close ## name(WINDOW *); \ @@ -174,4 +179,4 @@ char *sysctl_dynread(const char *, size_t *); void show ## name(void) SYSTAT_CMD( zarc ); -SYSTAT_CMD ( sctp ); +SYSTAT_CMD( sctp ); diff --git a/usr.bin/systat/fetch.c b/usr.bin/systat/fetch.c index d159e51c1e79..4cd9af64b43d 100644 --- a/usr.bin/systat/fetch.c +++ b/usr.bin/systat/fetch.c @@ -58,17 +58,18 @@ kvm_ckread(void *a, void *b, int l) return (1); } -void getsysctl(const char *name, void *ptr, size_t len) +void +getsysctl(const char *name, void *ptr, size_t len) { size_t nlen = len; + if (sysctlbyname(name, ptr, &nlen, NULL, 0) != 0) { error("sysctl(%s...) failed: %s", name, strerror(errno)); } if (nlen != len) { - error("sysctl(%s...) expected %lu, got %lu", name, - (unsigned long)len, (unsigned long)nlen); - } + error("sysctl(%s...) expected %zu, got %zu", name, len, nlen); + } } /* diff --git a/usr.bin/systat/icmp6.c b/usr.bin/systat/icmp6.c index 2a3bbb70289c..4260179b5689 100644 --- a/usr.bin/systat/icmp6.c +++ b/usr.bin/systat/icmp6.c @@ -48,6 +48,7 @@ static char sccsid[] = "@(#)mbufs.c 8.1 (Berkeley) 6/6/93"; #include #include +#include #include #include #include @@ -171,7 +172,7 @@ void showicmp6(void) { struct icmp6stat stats; - u_long totalin, totalout; + uint64_t totalin, totalout; int i; memset(&stats, 0, sizeof stats); 
@@ -182,11 +183,11 @@ showicmp6(void) } totalin += stats.icp6s_badcode + stats.icp6s_badlen + stats.icp6s_checksum + stats.icp6s_tooshort; - mvwprintw(wnd, 1, 0, "%9lu", totalin); - mvwprintw(wnd, 1, 35, "%9lu", totalout); + mvwprintw(wnd, 1, 0, "%9"PRIu64, totalin); + mvwprintw(wnd, 1, 35, "%9"PRIu64, totalout); #define DO(stat, row, col) \ - mvwprintw(wnd, row, col, "%9lu", stats.stat) + mvwprintw(wnd, row, col, "%9"PRIu64, stats.stat) DO(icp6s_badcode, 2, 0); DO(icp6s_badlen, 3, 0); diff --git a/usr.bin/systat/ifcmds.c b/usr.bin/systat/ifcmds.c index f5091603d0e9..5336075f7472 100644 --- a/usr.bin/systat/ifcmds.c +++ b/usr.bin/systat/ifcmds.c @@ -74,6 +74,8 @@ ifcmd(const char *cmd, const char *args) } } else if (prefix(cmd, "pps")) showpps = !showpps; + else + return (0); return (1); } diff --git a/usr.bin/systat/ifstat.c b/usr.bin/systat/ifstat.c index 4c174c0b89e1..37ea81ba558c 100644 --- a/usr.bin/systat/ifstat.c +++ b/usr.bin/systat/ifstat.c @@ -36,6 +36,7 @@ #include #include +#include #include #include #include @@ -66,7 +67,8 @@ SLIST_HEAD(, if_stat_disp) displist; struct if_stat { SLIST_ENTRY(if_stat) link; - char if_name[IF_NAMESIZE]; + char display_name[IF_NAMESIZE]; + char dev_name[IFNAMSIZ]; /* copied from ifmibdata */ struct ifmibdata if_mib; struct timeval tv; struct timeval tv_lastchanged; @@ -80,7 +82,7 @@ struct if_stat { uint64_t if_out_pps_peak; u_int if_row; /* Index into ifmib sysctl */ int if_ypos; /* -1 if not being displayed */ - u_int display; + bool display; u_int match; }; 
@@ -90,11 +92,13 @@ extern int showpps; extern int needsort; static int needclear = 0; +static bool displayall = false; -static void right_align_string(struct if_stat *); -static void getifmibdata(const int, struct ifmibdata *); +static void format_device_name(struct if_stat *); +static int getifmibdata(const int, struct ifmibdata *); static void sort_interface_list(void); static u_int getifnum(void); +static void clearifstat(void); #define IFSTAT_ERR(n, s) do { \ putchar('\014'); \ @@ -164,7 +168,7 @@ static u_int getifnum(void); } while (0) #define PUTNAME(p) do { \ - mvprintw(p->if_ypos, 0, "%s", p->if_name); \ + mvprintw(p->if_ypos, 0, "%s", p->display_name); \ mvprintw(p->if_ypos, col2-3, "%s", (const char *)"in"); \ mvprintw(p->if_ypos+1, col2-3, "%s", (const char *)"out"); \ } while (0) @@ -213,7 +217,7 @@ showifstat(void) SLIST_FOREACH(ifp, &curlist, link) { if (ifp->if_ypos < LINES - 3 && ifp->if_ypos != -1) - if (ifp->display == 0 || ifp->match == 0) { + if (!ifp->display || ifp->match == 0) { wmove(wnd, ifp->if_ypos, 0); wclrtoeol(wnd); wmove(wnd, ifp->if_ypos + 1, 0); @@ -234,7 +238,7 @@ int initifstat(void) { struct if_stat *p = NULL; - u_int n = 0, i = 0; + u_int n, i; n = getifnum(); if (n <= 0) @@ -246,18 +250,21 @@ initifstat(void) p = (struct if_stat *)calloc(1, sizeof(struct if_stat)); if (p == NULL) IFSTAT_ERR(1, "out of memory"); - SLIST_INSERT_HEAD(&curlist, p, link); p->if_row = i+1; - getifmibdata(p->if_row, &p->if_mib); - right_align_string(p); + if (getifmibdata(p->if_row, &p->if_mib) == -1) { + free(p); + continue; + } + SLIST_INSERT_HEAD(&curlist, p, link); + format_device_name(p); p->match = 1; /* * Initially, we only display interfaces that have - * received some traffic. + * received some traffic unless display-all is on. */ - if (p->if_mib.ifmd_data.ifi_ibytes != 0) - p->display = 1; + if (displayall || p->if_mib.ifmd_data.ifi_ibytes != 0) + p->display = true; } sort_interface_list(); 
@@ -268,13 +275,13 @@ initifstat(void) void fetchifstat(void) { - struct if_stat *ifp = NULL; + struct if_stat *ifp = NULL, *temp_var; struct timeval tv, new_tv, old_tv; double elapsed = 0.0; uint64_t new_inb, new_outb, old_inb, old_outb = 0; uint64_t new_inp, new_outp, old_inp, old_outp = 0; - SLIST_FOREACH(ifp, &curlist, link) { + SLIST_FOREACH_SAFE(ifp, &curlist, link, temp_var) { /* * Grab a copy of the old input/output values before we * call getifmibdata(). @@ -286,7 +293,22 @@ fetchifstat(void) ifp->tv_lastchanged = ifp->if_mib.ifmd_data.ifi_lastchange; (void)gettimeofday(&new_tv, NULL); - (void)getifmibdata(ifp->if_row, &ifp->if_mib); + if (getifmibdata(ifp->if_row, &ifp->if_mib) == -1 ) { + /* if a device was removed */ + SLIST_REMOVE(&curlist, ifp, if_stat, link); + free(ifp); + needsort = 1; + clearifstat(); + } else if (strcmp(ifp->dev_name, ifp->if_mib.ifmd_name) != 0 ) { + /* a device was removed and another one was added */ + format_device_name(ifp); + /* clear to the current value for the new device */ + old_inb = ifp->if_mib.ifmd_data.ifi_ibytes; + old_outb = ifp->if_mib.ifmd_data.ifi_obytes; + old_inp = ifp->if_mib.ifmd_data.ifi_ipackets; + old_outp = ifp->if_mib.ifmd_data.ifi_opackets; + needsort = 1; + } new_inb = ifp->if_mib.ifmd_data.ifi_ibytes; new_outb = ifp->if_mib.ifmd_data.ifi_obytes; @@ -294,8 +316,8 @@ fetchifstat(void) new_outp = ifp->if_mib.ifmd_data.ifi_opackets; /* Display interface if it's received some traffic. */ - if (new_inb > 0 && old_inb == 0) { - ifp->display = 1; + if (!ifp->display && new_inb > 0 && old_inb == 0) { + ifp->display = true; needsort = 1; } 
@@ -350,28 +372,18 @@ fetchifstat(void) /* * We want to right justify our interface names against the first column * (first sixteen or so characters), so we need to do some alignment. + * We save original name so that we can find a same spot is take by a + * different device. */ static void -right_align_string(struct if_stat *ifp) +format_device_name(struct if_stat *ifp) { - int str_len = 0, pad_len = 0; - char *newstr = NULL, *ptr = NULL; - - if (ifp == NULL || ifp->if_mib.ifmd_name == NULL) - return; - else { - /* string length + '\0' */ - str_len = strlen(ifp->if_mib.ifmd_name)+1; - pad_len = IF_NAMESIZE-(str_len); - - newstr = ifp->if_name; - ptr = newstr + pad_len; - (void)memset((void *)newstr, (int)' ', IF_NAMESIZE); - (void)strncpy(ptr, (const char *)&ifp->if_mib.ifmd_name, - str_len); - } - return; + if (ifp != NULL ) { + snprintf(ifp->display_name, IF_NAMESIZE, "%*s", IF_NAMESIZE-1, + ifp->if_mib.ifmd_name); + strcpy(ifp->dev_name, ifp->if_mib.ifmd_name); + } } static int @@ -460,9 +472,10 @@ getifnum(void) return (data); } -static void +static int getifmibdata(int row, struct ifmibdata *data) { + int ret = 0; size_t datalen = 0; static int name[] = { CTL_NET, PF_LINK, @@ -473,9 +486,12 @@ getifmibdata(int row, struct ifmibdata *data) datalen = sizeof(*data); name[4] = row; - if ((sysctl(name, 6, (void *)data, (size_t *)&datalen, (void *)NULL, - (size_t)0) != 0) && (errno != ENOENT)) + ret = sysctl(name, 6, (void *)data, (size_t *)&datalen, (void *)NULL, + (size_t)0); + if ((ret != 0) && (errno != ENOENT)) IFSTAT_ERR(2, "sysctl error getting interface data"); + + return (ret); } int 
@@ -486,13 +502,23 @@ cmdifstat(const char *cmd, const char *args) retval = ifcmd(cmd, args); /* ifcmd() returns 1 on success */ if (retval == 1) { - if (needclear) { - showifstat(); - refresh(); - werase(wnd); - labelifstat(); - needclear = 0; - } + if (needclear) + clearifstat(); + } + else if (prefix(cmd, "all")) { + retval = 1; + displayall = true; } return (retval); } + +static void +clearifstat(void) +{ + + showifstat(); + refresh(); + werase(wnd); + labelifstat(); + needclear = 0; +} diff --git a/usr.bin/systat/iostat.c b/usr.bin/systat/iostat.c index fa275ebbbf2a..28cc40b9c760 100644 --- a/usr.bin/systat/iostat.c +++ b/usr.bin/systat/iostat.c @@ -77,8 +77,6 @@ static const char sccsid[] = "@(#)iostat.c 8.1 (Berkeley) 6/6/93"; #include "extern.h" #include "devs.h" -struct statinfo cur, last; - static int linesperregion; static double etime; static int numbers = 0; /* default display bar graphs */ @@ -109,17 +107,11 @@ closeiostat(WINDOW *w) int initiostat(void) { - if ((num_devices = devstat_getnumdevs(NULL)) < 0) - return(0); - - cur.dinfo = calloc(1, sizeof(struct devinfo)); - last.dinfo = calloc(1, sizeof(struct devinfo)); - /* * This value for maxshowdevs (100) is bogus. I'm not sure exactly * how to calculate it, though. */ - if (dsinit(100, &cur, &last, NULL) != 1) + if (dsinit(7) != 1) return(0); return(1); 
@@ -131,17 +123,17 @@ fetchiostat(void) struct devinfo *tmp_dinfo; size_t len; - len = sizeof(cur.cp_time); - if (sysctlbyname("kern.cp_time", &cur.cp_time, &len, NULL, 0) - || len != sizeof(cur.cp_time)) { + len = sizeof(cur_dev.cp_time); + if (sysctlbyname("kern.cp_time", &cur_dev.cp_time, &len, NULL, 0) + || len != sizeof(cur_dev.cp_time)) { perror("kern.cp_time"); exit (1); } - tmp_dinfo = last.dinfo; - last.dinfo = cur.dinfo; - cur.dinfo = tmp_dinfo; + tmp_dinfo = last_dev.dinfo; + last_dev.dinfo = cur_dev.dinfo; + cur_dev.dinfo = tmp_dinfo; - last.snap_time = cur.snap_time; + last_dev.snap_time = cur_dev.snap_time; /* * Here what we want to do is refresh our device stats. @@ -150,7 +142,7 @@ fetchiostat(void) * the selection process again, in case a device that we * were previously displaying has gone away. */ - switch (devstat_getdevs(NULL, &cur)) { + switch (devstat_getdevs(NULL, &cur_dev)) { case -1: errx(1, "%s", devstat_errbuf); break; @@ -160,8 +152,8 @@ fetchiostat(void) default: break; } - num_devices = cur.dinfo->numdevs; - generation = cur.dinfo->generation; + num_devices = cur_dev.dinfo->numdevs; + generation = cur_dev.dinfo->generation; } @@ -258,11 +250,11 @@ showiostat(void) long t; int i, row, _col; -#define X(fld) t = cur.fld[i]; cur.fld[i] -= last.fld[i]; last.fld[i] = t +#define X(fld) t = cur_dev.fld[i]; cur_dev.fld[i] -= last_dev.fld[i]; last_dev.fld[i] = t etime = 0; for(i = 0; i < CPUSTATES; i++) { X(cp_time); - etime += cur.cp_time[i]; + etime += cur_dev.cp_time[i]; } if (etime == 0.0) etime = 1.0; 
@@ -311,10 +303,10 @@ devstats(int row, int _col, int dn) di = dev_select[dn].position; - busy_seconds = cur.snap_time - last.snap_time; + busy_seconds = cur_dev.snap_time - last_dev.snap_time; - if (devstat_compute_statistics(&cur.dinfo->devices[di], - &last.dinfo->devices[di], busy_seconds, + if (devstat_compute_statistics(&cur_dev.dinfo->devices[di], + &last_dev.dinfo->devices[di], busy_seconds, DSM_KB_PER_TRANSFER, &kb_per_transfer, DSM_TRANSFERS_PER_SECOND, &transfers_per_second, DSM_MB_PER_SECOND, &mb_per_second, DSM_NONE) != 0) @@ -347,12 +339,12 @@ stat1(int row, int o) dtime = 0.0; for (i = 0; i < CPUSTATES; i++) - dtime += cur.cp_time[i]; + dtime += cur_dev.cp_time[i]; if (dtime == 0.0) dtime = 1.0; wmove(wnd, row, INSET); #define CPUSCALE 0.5 - histogram(100.0 * cur.cp_time[o] / dtime, 50, CPUSCALE); + histogram(100.0 * cur_dev.cp_time[o] / dtime, 50, CPUSCALE); } static void @@ -386,7 +378,7 @@ cmdiostat(const char *cmd, const char *args) numbers = 1; else if (prefix(cmd, "bars")) numbers = 0; - else if (!dscmd(cmd, args, 100, &cur)) + else if (!dscmd(cmd, args, 100, &cur_dev)) return (0); wclear(wnd); labeliostat(); diff --git a/usr.bin/systat/ip.c b/usr.bin/systat/ip.c index 8e12a6a0b0b8..471ae2648133 100644 --- a/usr.bin/systat/ip.c +++ b/usr.bin/systat/ip.c @@ -51,6 +51,7 @@ static const char sccsid[] = "@(#)mbufs.c 8.1 (Berkeley) 6/6/93"; #include #include +#include #include #include #include @@ -201,16 +202,16 @@ void showip(void) { struct stat stats; - u_long totalout; + uint64_t totalout; domode(&stats); totalout = stats.i.ips_forward + stats.i.ips_localout; #define DO(stat, row, col) \ - mvwprintw(wnd, row, col, "%9lu", stats.stat) + mvwprintw(wnd, row, col, "%9"PRIu64, stats.stat) DO(i.ips_total, 1, 0); - mvwprintw(wnd, 1, 35, "%9lu", totalout); + mvwprintw(wnd, 1, 35, "%9"PRIu64, totalout); DO(i.ips_badsum, 2, 0); DO(i.ips_localout, 2, 35); DO(i.ips_tooshort, 3, 0); 
diff --git a/usr.bin/systat/ip6.c b/usr.bin/systat/ip6.c index 5d2c2103cf45..f5b943801211 100644 --- a/usr.bin/systat/ip6.c +++ b/usr.bin/systat/ip6.c @@ -50,6 +50,7 @@ static const char sccsid[] = "@(#)mbufs.c 8.1 (Berkeley) 6/6/93"; #include #include +#include #include #include #include @@ -188,16 +189,16 @@ void showip6(void) { struct ip6stat stats; - u_long totalout; + uint64_t totalout; domode(&stats); totalout = stats.ip6s_forward + stats.ip6s_localout; #define DO(stat, row, col) \ - mvwprintw(wnd, row, col, "%9lu", stats.stat) + mvwprintw(wnd, row, col, "%9"PRIu64, stats.stat) DO(ip6s_total, 1, 0); - mvwprintw(wnd, 1, 35, "%9lu", totalout); + mvwprintw(wnd, 1, 35, "%9"PRIu64, totalout); DO(ip6s_tooshort, 2, 0); DO(ip6s_localout, 2, 35); DO(ip6s_toosmall, 3, 0); diff --git a/usr.bin/systat/main.c b/usr.bin/systat/main.c index 74195f606aec..983d319f464f 100644 --- a/usr.bin/systat/main.c +++ b/usr.bin/systat/main.c @@ -293,17 +293,8 @@ display(void) GETSYSCTL("kstat.zfs.misc.arcstats.l2_hdr_size", arc[5]); GETSYSCTL("kstat.zfs.misc.arcstats.other_size", arc[6]); wmove(wload, 0, 0); wclrtoeol(wload); - for (i = 0 ; i < nitems(arc); i++) { - if (arc[i] > 10llu * 1024 * 1024 * 1024 ) { - wprintw(wload, "%7lluG", arc[i] >> 30); - } - else if (arc[i] > 10 * 1024 * 1024 ) { - wprintw(wload, "%7lluM", arc[i] >> 20); - } - else { - wprintw(wload, "%7lluK", arc[i] >> 10); - } - } + for (i = 0 ; i < nitems(arc); i++) + sysputuint64(wload, 0, i*8+2, 6, arc[i], 0); } } (*curcmd->c_refresh)(); diff --git a/usr.bin/systat/swap.c b/usr.bin/systat/swap.c index 01d4ed0378fe..bb84187c8944 100644 --- a/usr.bin/systat/swap.c +++ b/usr.bin/systat/swap.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 1980, 1992, 1993 * The Regents of the University of California. All rights reserved. + * Copyright (c) 2017 Yoshihiro Ota * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -53,6 +54,7 @@ static const char sccsid[] = "@(#)swap.c 8.3 (Berkeley) 4/29/95"; #include "systat.h" #include "extern.h" +#include "devs.h" static char *header; static long blocksize; @@ -133,13 +135,15 @@ initswap(void) oulen = ulen; once = 1; + + dsinit(12); + return (1); } void fetchswap(void) { - okvnsw = kvnsw; if ((kvnsw = kvm_getswapinfo(kd, kvmsw, NSWAP, 0)) < 0) { error("systat: kvm_getswapinfo failed"); @@ -149,6 +153,15 @@ fetchswap(void) odlen = dlen; oulen = ulen; calclens(); + + struct devinfo *tmp_dinfo; + + tmp_dinfo = last_dev.dinfo; + last_dev.dinfo = cur_dev.dinfo; + cur_dev.dinfo = tmp_dinfo; + + last_dev.snap_time = cur_dev.snap_time; + dsgetinfo( &cur_dev ); } void @@ -174,6 +187,7 @@ labelswap(void) name = kvmsw[i].ksw_devname; mvwprintw(wnd, i + 1, 0, "%*s", -dlen, name); } + dslabel(12, 0, 18); } void @@ -213,4 +227,5 @@ showswap(void) waddch(wnd, 'X'); wclrtoeol(wnd); } + dsshow(12, 0, 18, &cur_dev, &last_dev); } 
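Review bot: In dsinit() (usr.bin/systat/devs.c) the three calloc() results stored in cur_dev.dinfo, last_dev.dinfo and run_dev.dinfo are never checked for NULL, yet cur_dev.dinfo is dereferenced a few lines later as cur_dev.dinfo->numdevs. Please fail with errx() on allocation failure. In the same hunk the value returned by devstat_getnumdevs() is stored in num_devices and then discarded by the existing "num_devices = 0;", so either drop the assignment or keep only the error check, and the comment "init was alreay ran" has a typo and uses a // comment where the file uses /* */.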
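Review bot: In dslabel() (usr.bin/systat/devs.c) the device label is built with sprintf(tmpstr, "%s%d", ...) into a fixed char tmpstr[80], with nothing in the call bounding the write. Use snprintf(tmpstr, sizeof(tmpstr), ...) so the bound is enforced at the call site. The comment carried over above it also says a fourth disk statistic is not supported, while this function now prints "%busy" at diskrow + 4, the same row as the commented-out " msps" label, so the comment should be updated or removed.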
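Review bot: In fetchifstat() (usr.bin/systat/ifstat.c) the device-removed branch calls SLIST_REMOVE() and free(ifp), but the loop body then falls through and reads ifp->if_mib.ifmd_data.ifi_ibytes and the other counters, and may write ifp->display, on the entry that was just freed. SLIST_FOREACH_SAFE only protects the traversal, not the rest of the iteration, so add a "continue;" after clearifstat() in that branch.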
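Review bot: In format_device_name() (usr.bin/systat/ifstat.c) the saved name is copied with strcpy(ifp->dev_name, ifp->if_mib.ifmd_name), which puts no bound on a copy into the IFNAMSIZ-sized dev_name field. Prefer strlcpy(ifp->dev_name, ifp->if_mib.ifmd_name, sizeof(ifp->dev_name)), matching the bounded snprintf() used for display_name on the line above. The struct also sizes display_name with IF_NAMESIZE and dev_name with IFNAMSIZ; picking one spelling would make the intent clearer.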
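Review bot: In initiostat() (usr.bin/systat/iostat.c) the call changes to dsinit(7), but the comment directly above still says "This value for maxshowdevs (100) is bogus", and cmdiostat() in the same file still passes 100 to dscmd(). Please make the limit consistent between the two calls, ideally through one named constant, and update the comment to match.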
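Review bot: In initswap() (usr.bin/systat/swap.c) the return value of dsinit(12) is ignored, although dsinit() returns 0 before allocating anything when devstat_getnumdevs() fails. fetchswap() would then swap NULL dinfo pointers and hand &cur_dev to dsgetinfo(). Check the result and return 0 from initswap() on failure. As a style point, "struct devinfo *tmp_dinfo;" is declared in the middle of fetchswap() and belongs with the declarations at the top of the function.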
diff --git a/usr.bin/systat/sysput.c b/usr.bin/systat/sysput.c *** 815 LINES SKIPPED *** From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:48 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 60F3B4C128C; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ2FWgz4rDM; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3BD8873CB; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImV6020337; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MImrU020336; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: <202101032218.103MImrU020336@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Kristof Provost
Subject: git: 5c712c8748f3 - stable/12 - pf tests: Verify (tcp) checksum modification on unaligned options
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 5c712c8748f304f57e18b09f890b46d5f3d13a2e
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Sun, 03 Jan 2021 22:18:48 -0000

The branch stable/12 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=5c712c8748f304f57e18b09f890b46d5f3d13a2e

commit 5c712c8748f304f57e18b09f890b46d5f3d13a2e
Author: Kristof Provost
AuthorDate: 2020-12-19 15:06:03 +0000
Commit: Kristof Provost
CommitDate: 2021-01-03 22:11:08 +0000

    pf tests: Verify (tcp) checksum modification on unaligned options

    It turns out pf incorrectly updates the TCP checksum if the TCP option we're modifying is not 2-byte aligned with respect to the start of the packet.

    Create a TCP packet with such an option and throw it through a scrub rule, which will update timestamps and modify the packet.

    PR: 240416
    MFC after: 1 week
    Differential revision: https://reviews.freebsd.org/D27688

    (cherry picked from commit 2d3fda5fa1dc99aa8788e5f8d8bb71e682101063)

--- tests/sys/netpfil/common/pft_ping.py | 69 +++++++++++++++++++++++++++-- tests/sys/netpfil/pf/Makefile | 1 + tests/sys/netpfil/pf/checksum.sh | 85 ++++++++++++++++++++++++++++++++++++ 3 files changed, 151 insertions(+), 4 deletions(-) diff --git a/tests/sys/netpfil/common/pft_ping.py b/tests/sys/netpfil/common/pft_ping.py index 89cb3e1a5d01..8c47df24ea0d 100644 --- a/tests/sys/netpfil/common/pft_ping.py +++ b/tests/sys/netpfil/common/pft_ping.py
@@ -2,6 +2,7 @@ import argparse import scapy.all as sp +import socket import sys from sniffer import Sniffer @@ -87,6 +88,53 @@ def ping6(send_if, dst_ip, args): req = ether / ip6 / icmp sp.sendp(req, iface=send_if, verbose=False) +def check_tcpsyn(args, packet): + dst_ip = args.to[0] + + ip = packet.getlayer(sp.IP) + if not ip: + return False + if ip.dst != dst_ip: + return False + + tcp = packet.getlayer(sp.TCP) + if not tcp: + return False + + # Verify IP checksum + chksum = ip.chksum + ip.chksum = None + new_chksum = sp.IP(sp.raw(ip)).chksum + if chksum != new_chksum: + print("Expected IP checksum %x but found %x\n" % (new_cshkum, chksum)) + return False + + # Verify TCP checksum + chksum = tcp.chksum + packet_raw = sp.raw(packet) + tcp.chksum = None + newpacket = sp.Ether(sp.raw(packet[sp.Ether])) + new_chksum = newpacket[sp.TCP].chksum + if chksum != new_chksum: + print("Expected TCP checksum %x but found %x\n" % (new_chksum, chksum)) + return False + + return True + +def tcpsyn(send_if, dst_ip, args): + opts=[('Timestamp', (1, 1)), ('MSS', 1280)] + + if args.tcpopt_unaligned: + opts = [('NOP', 0 )] + opts + + ether = sp.Ether() + ip = sp.IP(dst=dst_ip) + tcp = sp.TCP(dport=666, flags='S', options=opts) + + req = ether / ip / tcp + sp.sendp(req, iface=send_if, verbose=False) + + def main(): parser = argparse.ArgumentParser("pft_ping.py", description="Ping test tool") @@ -101,6 +149,12 @@ def main(): required=True, help='The destination IP address for the ICMP echo request') + # TCP options + parser.add_argument('--tcpsyn', action='store_true', + help='Send a TCP SYN packet') + parser.add_argument('--tcpopt_unaligned', action='store_true', + help='Include unaligned TCP options') + # Packet settings parser.add_argument('--send-tos', nargs=1, help='Set the ToS value for the transmitted packet') 
@@ -116,12 +170,19 @@ def main(): sniffer = None if not args.recvif is None: - sniffer = Sniffer(args, check_ping_request) + checkfn=check_ping_request + if args.tcpsyn: + checkfn=check_tcpsyn - if args.ip6: - ping6(args.sendif[0], args.to[0], args) + sniffer = Sniffer(args, checkfn) + + if args.tcpsyn: + tcpsyn(args.sendif[0], args.to[0], args) else: - ping(args.sendif[0], args.to[0], args) + if args.ip6: + ping6(args.sendif[0], args.to[0], args) + else: + ping(args.sendif[0], args.to[0], args) if sniffer: sniffer.join() diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index 8e38ccf341de..4a07298c4900 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -7,6 +7,7 @@ TESTS_SUBDIRS+= ioctl ATF_TESTS_SH+= anchor \ pass_block \ + checksum \ forward \ fragmentation \ names \ diff --git a/tests/sys/netpfil/pf/checksum.sh b/tests/sys/netpfil/pf/checksum.sh new file mode 100644 index 000000000000..778ae1cd6e9f --- /dev/null +++ b/tests/sys/netpfil/pf/checksum.sh 
@@ -0,0 +1,85 @@ +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2020 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +. 
$(atf_get_srcdir)/utils.subr + +common_dir=$(atf_get_srcdir)/../common + +atf_test_case "unaligned" "cleanup" +unaligned_head() +{ + atf_set descr 'Test unaligned checksum updates' + atf_set require.user root +} + +unaligned_body() +{ + pft_init + + epair_in=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + + vnet_mkjail alcatraz ${epair_in}b ${epair_out}a + + ifconfig ${epair_in}a 192.0.2.2/24 up + route add -net 198.51.100.0/24 192.0.2.1 + + jexec alcatraz ifconfig ${epair_in}b 192.0.2.1/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + + jexec alcatraz ifconfig ${epair_out}a 198.51.100.1/24 up + jexec alcatraz arp -s 198.51.100.2 00:01:02:03:04:05 + + ifconfig ${epair_out}b up + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "scrub on ${epair_in}b reassemble tcp max-mss 1200" + + # Check aligned + atf_check -s exit:0 ${common_dir}/pft_ping.py \ + --sendif ${epair_in}a \ + --to 198.51.100.2 \ + --recvif ${epair_out}b \ + --tcpsyn + + # And unaligned + atf_check -s exit:0 ${common_dir}/pft_ping.py \ + --sendif ${epair_in}a \ + --to 198.51.100.2 \ + --recvif ${epair_out}b \ + --tcpsyn \ + --tcpopt_unaligned +} + +unaligned_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "unaligned" +} From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:48 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6BC714C1071; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by 
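Review bot: In check_tcpsyn() (pft_ping.py, hunk @@ -87,6 +88,53 @@) the IP-checksum failure message formats `new_cshkum`, which is never defined; the value computed two lines earlier is `new_chksum`. On an IP checksum mismatch this raises NameError inside the sniffer callback instead of printing the diagnostic and returning False. Rename it to `new_chksum`. The `packet_raw = sp.raw(packet)` assignment in the TCP branch is never read and can be dropped.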
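Review bot: In main() (pft_ping.py, hunk @@ -116,12 +170,19 @@) `--tcpsyn` silently wins over `--ip6`: the `if args.tcpsyn:` branch is taken first, tcpsyn() always builds `sp.IP(dst=dst_ip)`, and check_tcpsyn() only looks for an `sp.IP` layer, so combining the two flags never produces an IPv6 SYN. Either reject the combination with parser.error() or add an IPv6 variant of tcpsyn() and its check.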
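Review bot: In unaligned_body() (checksum.sh) both atf_check calls pass as long as the forwarded SYN carries self-consistent checksums; nothing asserts that the `max-mss 1200` scrub rule actually rewrote the packet. check_tcpsyn() never inspects the MSS option, so if the rule stopped matching, the test would still exit 0 without exercising the checksum fixup. Have check_tcpsyn() also require that the received MSS is 1200 (tcpsyn() sends 1280).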
mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ2Vgzz4r0S; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 44EA37586; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImW0020355; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MImmF020354; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: <202101032218.103MImmF020354@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Kristof Provost Subject: git: 21745738a2b5 - stable/12 - pf: Fix unaligned checksum updates MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 21745738a2b5662dfbe730b6338aa38e829cb0eb Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:48 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=21745738a2b5662dfbe730b6338aa38e829cb0eb commit 21745738a2b5662dfbe730b6338aa38e829cb0eb Author: Kristof Provost AuthorDate: 2020-12-20 20:06:32 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 22:11:08 +0000 pf: Fix unaligned checksum updates The algorithm we use to update checksums only works correctly if the updated data is aligned on 16-bit boundaries (relative to the start of the packet). Import the OpenBSD fix for this issue. PR: 240416 Obtained from: OpenBSD MFC after: 1 week Reviewed by: tuexen (previous version) Differential Revision: https://reviews.freebsd.org/D27696 (cherry picked from commit c3f69af03ae7acc167cc1151f0c1ecc5e014ce4e) --- sys/net/pfvar.h | 5 +++ sys/netpfil/pf/pf.c | 81 +++++++++++++++++++++++++++++++++++++++--------- sys/netpfil/pf/pf_norm.c | 23 ++++++++++---- 3 files changed, 89 insertions(+), 20 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index d0eb226ee41d..24faee5d45c6 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -330,6 +330,7 @@ extern struct sx pf_end_lock; (neg) \ ) +#define PF_ALGNMNT(off) (((off) % 2) == 0) struct pf_rule_uid { uid_t uid[2]; 
@@ -1727,6 +1728,10 @@ void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); void pf_change_proto_a(struct mbuf *, void *, u_int16_t *, u_int32_t, u_int8_t); void pf_change_tcp_a(struct mbuf *, void *, u_int16_t *, u_int32_t); +void pf_patch_16_unaligned(struct mbuf *, u_int16_t *, void *, u_int16_t, + bool, u_int8_t); +void pf_patch_32_unaligned(struct mbuf *, u_int16_t *, void *, u_int32_t, + bool, u_int8_t); void pf_send_deferred_syn(struct pf_state *); int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, struct pf_addr *, sa_family_t); diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 693e45504745..84133039eb45 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -289,6 +289,8 @@ static void pf_print_state_parts(struct pf_state *, struct pf_state_key *, struct pf_state_key *); static int pf_addr_wrap_neq(struct pf_addr_wrap *, struct pf_addr_wrap *); +static void pf_patch_8(struct mbuf *, u_int16_t *, u_int8_t *, u_int8_t, + bool, u_int8_t); static struct pf_state *pf_find_state(struct pfi_kif *, struct pf_state_key_cmp *, u_int); static int pf_src_connlimit(struct pf_state **); 
@@ -2091,16 +2093,60 @@ pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) u_int16_t pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) { - u_int32_t l; - - if (udp && !cksum) - return (0x0000); - l = cksum + old - new; - l = (l >> 16) + (l & 65535); - l = l & 65535; - if (udp && !l) - return (0xFFFF); - return (l); + u_int32_t x; + + x = cksum + old - new; + x = (x + (x >> 16)) & 0xffff; + + /* optimise: eliminate a branch when not udp */ + if (udp && cksum == 0x0000) + return cksum; + if (udp && x == 0x0000) + x = 0xffff; + + return (u_int16_t)(x); +} + +static void +pf_patch_8(struct mbuf *m, u_int16_t *cksum, u_int8_t *f, u_int8_t v, bool hi, + u_int8_t udp) +{ + u_int16_t old = htons(hi ? (*f << 8) : *f); + u_int16_t new = htons(hi ? ( v << 8) : v); + + if (*f == v) + return; + + *f = v; + + if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6)) + return; + + *cksum = pf_cksum_fixup(*cksum, old, new, udp); +} + +void +pf_patch_16_unaligned(struct mbuf *m, u_int16_t *cksum, void *f, u_int16_t v, + bool hi, u_int8_t udp) +{ + u_int8_t *fb = (u_int8_t *)f; + u_int8_t *vb = (u_int8_t *)&v; + + pf_patch_8(m, cksum, fb++, *vb++, hi, udp); + pf_patch_8(m, cksum, fb++, *vb++, !hi, udp); +} + +void +pf_patch_32_unaligned(struct mbuf *m, u_int16_t *cksum, void *f, u_int32_t v, + bool hi, u_int8_t udp) +{ + u_int8_t *fb = (u_int8_t *)f; + u_int8_t *vb = (u_int8_t *)&v; + + pf_patch_8(m, cksum, fb++, *vb++, hi, udp); + pf_patch_8(m, cksum, fb++, *vb++, !hi, udp); + pf_patch_8(m, cksum, fb++, *vb++, hi, udp); + pf_patch_8(m, cksum, fb++, *vb++, !hi, udp); } u_int16_t @@ -2327,6 +2373,7 @@ pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd, return 0; while (hlen >= TCPOLEN_SACKLEN) { + size_t startoff = opt - opts; olen = opt[1]; switch (*opt) { case TCPOPT_EOL: /* FALLTHROUGH */ 
@@ -2341,10 +2388,16 @@ pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd, for (i = 2; i + TCPOLEN_SACK <= olen; i += TCPOLEN_SACK) { memcpy(&sack, &opt[i], sizeof(sack)); - pf_change_proto_a(m, &sack.start, &th->th_sum, - htonl(ntohl(sack.start) - dst->seqdiff), 0); - pf_change_proto_a(m, &sack.end, &th->th_sum, - htonl(ntohl(sack.end) - dst->seqdiff), 0); + pf_patch_32_unaligned(m, + &th->th_sum, &sack.start, + htonl(ntohl(sack.start) - dst->seqdiff), + PF_ALGNMNT(startoff), + 0); + pf_patch_32_unaligned(m, &th->th_sum, + &sack.end, + htonl(ntohl(sack.end) - dst->seqdiff), + PF_ALGNMNT(startoff), + 0); memcpy(&opt[i], &sack, sizeof(sack)); } copyback = 1; diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 7234c1def914..4bfdcd7898fe 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1371,6 +1371,7 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, u_int8_t *opt; int copyback = 0; int got_ts = 0; + size_t startoff; KASSERT((src->scrub || dst->scrub), ("%s: src->scrub && dst->scrub!", __func__)); @@ -1414,6 +1415,7 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, opt = hdr + sizeof(struct tcphdr); hlen = (th->th_off << 2) - sizeof(struct tcphdr); while (hlen >= TCPOLEN_TIMESTAMP) { + startoff = opt - (hdr + sizeof(struct tcphdr)); switch (*opt) { case TCPOPT_EOL: /* FALLTHROUGH */ case TCPOPT_NOP: @@ -1443,10 +1445,12 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, (src->scrub->pfss_flags & PFSS_TIMESTAMP)) { tsval = ntohl(tsval); - pf_change_proto_a(m, &opt[2], + pf_patch_32_unaligned(m, &th->th_sum, + &opt[2], htonl(tsval + src->scrub->pfss_ts_mod), + PF_ALGNMNT(startoff), 0); copyback = 1; } 
@@ -1459,8 +1463,11 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, PFSS_TIMESTAMP)) { tsecr = ntohl(tsecr) - dst->scrub->pfss_ts_mod; - pf_change_proto_a(m, &opt[6], - &th->th_sum, htonl(tsecr), + pf_patch_32_unaligned(m, + &th->th_sum, + &opt[6], + htonl(tsecr), + PF_ALGNMNT(startoff), 0); copyback = 1; } @@ -1761,6 +1768,7 @@ pf_normalize_tcpopt(struct pf_rule *r, struct mbuf *m, struct tcphdr *th, int rewrite = 0; u_char opts[TCP_MAXOLEN]; u_char *optp = opts; + size_t startoff; thoff = th->th_off << 2; cnt = thoff - sizeof(struct tcphdr); @@ -1770,6 +1778,7 @@ pf_normalize_tcpopt(struct pf_rule *r, struct mbuf *m, struct tcphdr *th, return (rewrite); for (; cnt > 0; cnt -= optlen, optp += optlen) { + startoff = optp - opts; opt = optp[0]; if (opt == TCPOPT_EOL) break; 
@@ -1786,9 +1795,11 @@ pf_normalize_tcpopt(struct pf_rule *r, struct mbuf *m, struct tcphdr *th, case TCPOPT_MAXSEG: mss = (u_int16_t *)(optp + 2); if ((ntohs(*mss)) > r->max_mss) { - th->th_sum = pf_proto_cksum_fixup(m, - th->th_sum, *mss, htons(r->max_mss), 0); - *mss = htons(r->max_mss); + pf_patch_16_unaligned(m, + &th->th_sum, + mss, htons(r->max_mss), + PF_ALGNMNT(startoff), + 0); rewrite = 1; } break; From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:48 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8AA684C128F; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ3VMpz4qp6; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6A32E749C; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImNU020389; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MIm5c020388; Sun, 3 Jan 2021 22:18:48 
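Review bot: pf_patch_8(), pf_patch_16_unaligned() and pf_patch_32_unaligned() (pf.c, hunk @@ -2091,16 +2093,60 @@) take a `bool hi` whose meaning is stated nowhere, and `v` is walked byte by byte through `(u_int8_t *)&v`, which is only right when the caller passes it already in network byte order. Add a comment above pf_patch_8() saying that `hi` means the byte being patched is the high-order byte of its 16-bit checksum word, and that `v` must be in network order. The rewritten pf_cksum_fixup() also uses `return cksum;` where the removed lines used the parenthesised `return (l);` form.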
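Review bot: In pf_modulate_sack() (pf.c, hunk @@ -2341,10 +2388,16 @@) the alignment passed is that of the option's first byte, `PF_ALGNMNT(startoff)`, not of the field being patched at `opt[i]`. That is correct only because `i` starts at 2 and advances by TCPOLEN_SACK (a pair of 32-bit sequence numbers), so it stays even; the same assumption sits behind `&opt[2]`, `&opt[6]` and `optp + 2` in pf_norm.c. Either pass `PF_ALGNMNT(startoff + i)` or add a comment that the field offset within the option is always even. `startoff` is also measured from the start of the options rather than the start of the packet; a one-line comment that the preceding headers have even length would make the parity argument explicit.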
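Review bot: In pf_normalize_tcpopt() (pf_norm.c, hunk @@ -1786,9 +1795,11 @@) the comparison `ntohs(*mss)` still dereferences `(u_int16_t *)(optp + 2)`, which lies at an odd offset into `opts` in exactly the unaligned case this change targets. The checksum update is now byte-wise, but the read remains a 16-bit load through a possibly misaligned pointer. Copy the two bytes into a local `u_int16_t` with memcpy() for the comparison and hand `optp + 2` to pf_patch_16_unaligned() as a plain byte pointer.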
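The failure described in the "pf: Fix unaligned checksum updates" commit message above, reproduced in userland as an added example (not code from the FreeBSD tree). The function names, the constructed option bytes (Timestamp then MSS 1280, with or without a leading NOP, zero-padded) and the choice to checksum only those 16 bytes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: Timestamp (1, 1) + MSS 1280, zero-padded to 16 bytes.
 * Without the NOP the 4-byte TSval starts at even offset 2, with it at odd
 * offset 3. The checksum here covers only these bytes (assumption: the
 * headers in front have even length, so the parity is the same as in a
 * real segment). */
static const uint8_t OPTS_ALIGNED[16] = {
	0x08, 0x0a, 0, 0, 0, 1, 0, 0, 0, 1, 0x02, 0x04, 0x05, 0x00, 0, 0 };
static const uint8_t OPTS_UNALIGNED[16] = {
	0x01, 0x08, 0x0a, 0, 0, 0, 1, 0, 0, 0, 1, 0x02, 0x04, 0x05, 0x00, 0 };

/* Full Internet checksum over an even-length buffer, words read big-endian. */
static uint16_t cksum_full(const uint8_t *p, size_t len)
{
	uint32_t sum = 0;

	for (size_t i = 0; i + 1 < len; i += 2)
		sum += (uint32_t)(p[i] << 8 | p[i + 1]);
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Incremental update: same arithmetic as the patched pf_cksum_fixup(),
 * minus the UDP special cases. */
static uint16_t cksum_fixup(uint16_t cksum, uint16_t old, uint16_t new_w)
{
	uint32_t x = (uint32_t)cksum + old - new_w;

	x = (x + (x >> 16)) & 0xffff;
	return (uint16_t)x;
}

/* Word-wise update: treats the field as two 16-bit checksum words, which is
 * only true when the field starts on an even offset. */
static uint16_t patch32_wordwise(uint8_t *p, uint16_t cksum, size_t off, uint32_t v)
{
	uint16_t old_hi = (uint16_t)(p[off] << 8 | p[off + 1]);
	uint16_t old_lo = (uint16_t)(p[off + 2] << 8 | p[off + 3]);

	cksum = cksum_fixup(cksum, old_hi, (uint16_t)(v >> 16));
	cksum = cksum_fixup(cksum, old_lo, (uint16_t)(v & 0xffff));
	for (int k = 0; k < 4; k++)
		p[off + k] = (uint8_t)(v >> (24 - 8 * k));
	return cksum;
}

/* Byte-wise update in the manner of pf_patch_8(): each byte is weighted by
 * whether it is the high or the low half of the checksum word it lives in. */
static uint16_t patch32_bytewise(uint8_t *p, uint16_t cksum, size_t off, uint32_t v)
{
	for (int k = 0; k < 4; k++) {
		uint8_t nb = (uint8_t)(v >> (24 - 8 * k));
		int hi = ((off + k) % 2) == 0;
		uint16_t old = hi ? (uint16_t)(p[off + k] << 8) : p[off + k];
		uint16_t neu = hi ? (uint16_t)(nb << 8) : nb;

		cksum = cksum_fixup(cksum, old, neu);
		p[off + k] = nb;
	}
	return cksum;
}

struct result { uint16_t full, wordwise, bytewise; };

/* Rewrite the TSval at `off` with both methods and recompute the checksum
 * from scratch over the rewritten bytes as ground truth. */
static struct result run_case(const uint8_t *opts, size_t off, uint32_t new_tsval)
{
	uint8_t a[16], b[16];
	struct result r;
	uint16_t before = cksum_full(opts, 16);

	memcpy(a, opts, 16);
	memcpy(b, opts, 16);
	r.wordwise = patch32_wordwise(a, before, off, new_tsval);
	r.bytewise = patch32_bytewise(b, before, off, new_tsval);
	r.full = cksum_full(b, 16);
	return r;
}

int main(void)
{
	struct result al = run_case(OPTS_ALIGNED, 2, 0x12345678u);
	struct result un = run_case(OPTS_UNALIGNED, 3, 0x12345678u);

	printf("aligned:   full=%04x wordwise=%04x bytewise=%04x\n",
	    al.full, al.wordwise, al.bytewise);
	printf("unaligned: full=%04x wordwise=%04x bytewise=%04x\n",
	    un.full, un.wordwise, un.bytewise);
	return 0;
}
```

With the field at the odd offset the word-wise result no longer matches the recomputed checksum, which is the condition check_tcpsyn() in the companion test commit detects on the wire.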
GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: <202101032218.103MIm5c020388@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Kristof Provost Subject: git: 8c45c8982a07 - stable/12 - Upgrade (scapy) py2 tests to work on py3. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 8c45c8982a071c8e9878fb4cc755e6a2e3f31718 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:48 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=8c45c8982a071c8e9878fb4cc755e6a2e3f31718 commit 8c45c8982a071c8e9878fb4cc755e6a2e3f31718 Author: Bjoern A. Zeeb AuthorDate: 2019-10-26 21:19:55 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 20:26:50 +0000 Upgrade (scapy) py2 tests to work on py3. In order to move python2 out of the test framework to avoid py2 vs. py3 confusions upgrade the remaining test cases using scapy to work with py3. That means only one version of scapy needs to be installed in the CI system. It also gives a path forward for testing i386 issues observed in the CI system with some of these tests. Fixes are: - Use default python from environment (which is 3.x these days). - properly indent some lines as common for the rest of the file to avoid errors. - cast the calculated offset to an int as the division result is considered a float which is not accepted input. - when comparing payload to a magic number make sure we always add the payload properly to the packet and do not try to compare string in the result but convert the data payload back into an integer. - fix print formatting. 
Discussed with: lwhsu, kp (taking it off his todo :) MFC after: 2 weeks (cherry picked from commit f0297f121aee3ff9ae6de9d445fc4a7981385d05) --- tests/sys/netpfil/common/pft_ping.py | 14 +++++++------- tests/sys/netpfil/pf/CVE-2019-5597.py | 5 +++-- tests/sys/netpfil/pf/CVE-2019-5598.py | 14 +++++++------- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/tests/sys/netpfil/common/pft_ping.py b/tests/sys/netpfil/common/pft_ping.py index e77d0835134f..da8edd9f7b63 100644 --- a/tests/sys/netpfil/common/pft_ping.py +++ b/tests/sys/netpfil/common/pft_ping.py @@ -1,4 +1,4 @@ -#!/usr/local/bin/python2.7 +#!/usr/bin/env python import argparse import scapy.all as sp @@ -34,15 +34,15 @@ def check_ping4_request(args, packet): raw = packet.getlayer(sp.Raw) if not raw: return False - if raw.load != str(PAYLOAD_MAGIC): + if int(raw.load) != PAYLOAD_MAGIC: return False # Wait to check expectations until we've established this is the packet we # sent. if args.expect_tos: if ip.tos != int(args.expect_tos[0]): - print "Unexpected ToS value %d, expected %s" \ - % (ip.tos, args.expect_tos[0]) + print("Unexpected ToS value %d, expected %d" \ + % (ip.tos, int(args.expect_tos[0]))) return False return True @@ -62,7 +62,7 @@ def check_ping6_request(args, packet): icmp = packet.getlayer(sp.ICMPv6EchoRequest) if not icmp: return False - if icmp.data != str(PAYLOAD_MAGIC): + if int(icmp.data) != PAYLOAD_MAGIC: return False return True @@ -71,7 +71,7 @@ def ping(send_if, dst_ip, args): ether = sp.Ether() ip = sp.IP(dst=dst_ip) icmp = sp.ICMP(type='echo-request') - raw = sp.Raw(str(PAYLOAD_MAGIC)) + raw = sp.raw(str(PAYLOAD_MAGIC)) if args.send_tos: ip.tos = int(args.send_tos[0]) 
@@ -82,7 +82,7 @@ def ping(send_if, dst_ip, args): def ping6(send_if, dst_ip, args): ether = sp.Ether() ip6 = sp.IPv6(dst=dst_ip) - icmp = sp.ICMPv6EchoRequest(data=PAYLOAD_MAGIC) + icmp = sp.ICMPv6EchoRequest(data=sp.raw(str(PAYLOAD_MAGIC))) req = ether / ip6 / icmp sp.sendp(req, iface=send_if, verbose=False) diff --git a/tests/sys/netpfil/pf/CVE-2019-5597.py b/tests/sys/netpfil/pf/CVE-2019-5597.py index 524d26d72b2d..68579e99590c 100644 --- a/tests/sys/netpfil/pf/CVE-2019-5597.py +++ b/tests/sys/netpfil/pf/CVE-2019-5597.py @@ -1,4 +1,4 @@ -#!/usr/local/bin/python2.7 +#!/usr/bin/env python import random import scapy.all as sp @@ -18,7 +18,8 @@ def main(): padding = 8 fid = random.randint(0,100000) frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0) - frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8) + foff_1 = (int)(padding/8) + frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=foff_1) pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \ / sp.Raw('XXXX' * 199) \ diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py b/tests/sys/netpfil/pf/CVE-2019-5598.py index 1a019ea23fab..1a2619f7e52f 100644 --- a/tests/sys/netpfil/pf/CVE-2019-5598.py +++ b/tests/sys/netpfil/pf/CVE-2019-5598.py @@ -1,4 +1,4 @@ -#!/usr/local/bin/python2.7 +#!/usr/bin/env python import argparse import scapy.all as sp 
@@ -38,18 +38,18 @@ def main(): args = parser.parse_args() - # Send the allowed packet to establish state - udp = sp.Ether() / \ - sp.IP(src=args.src[0], dst=args.to[0]) / \ - sp.UDP(dport=53, sport=1234) - sp.sendp(udp, iface=args.sendif[0], verbose=False) + # Send the allowed packet to establish state + udp = sp.Ether() / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.UDP(dport=53, sport=1234) + sp.sendp(udp, iface=args.sendif[0], verbose=False) # Start sniffing on recvif sniffer = Sniffer(args, check_icmp_error) # Send the bad error packet icmp_reachable = sp.Ether() / \ - sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ sp.ICMP(type=3, code=3) / \ sp.IP(src="4.3.2.1", dst="1.2.3.4") / \ sp.UDP(dport=53, sport=1234) From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:48 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B23C94C144F; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ4cNbz4r78; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9035F73CC; Sun, 3 Jan 2021 
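Review bot: The new interpreter line `#!/usr/bin/env python` (pft_ping.py, hunk @@ -1,4 +1,4 @@, and the same change in CVE-2019-5597.py and CVE-2019-5598.py) does not name the major version the commit message is migrating to. Whether `python` resolves to 3.x, 2.x or nothing at all depends on what is installed; `#!/usr/bin/env python3` would state the requirement.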
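Review bot: In check_ping4_request() (pft_ping.py, hunk @@ -34,15 +34,15 @@) `int(raw.load)` raises ValueError for any packet reaching this point whose payload is not a decimal string, so stray traffic on the receive interface can abort the check callback instead of being skipped with `return False`. The same applies to `int(icmp.data)` in check_ping6_request(). Compare bytes instead, for example `raw.load != str(PAYLOAD_MAGIC).encode()`, or catch ValueError and return False.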
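Review bot: `foff_1 = (int)(padding/8)` in CVE-2019-5597.py (hunk @@ -18,7 +18,8 @@) is a C-style cast spelled in Python; it only works because `(int)` is the parenthesised builtin. Integer division says the same thing directly and needs no temporary: `offset=padding // 8`.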
22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImd1020424; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MImf5020423; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: <202101032218.103MImf5020423@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Kristof Provost Subject: git: f0cb921e361a - stable/12 - netpfil tests: Move pft_ping.py and sniffer.py to the common test directory MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: f0cb921e361a8dcefec6c469839e26e6d79f958f Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:48 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=f0cb921e361a8dcefec6c469839e26e6d79f958f commit f0cb921e361a8dcefec6c469839e26e6d79f958f Author: Kristof Provost AuthorDate: 2019-08-19 10:48:27 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 20:26:49 +0000 netpfil tests: Move pft_ping.py and sniffer.py to the common test directory The pft_ping.py and sniffer.py tools are moved from tests/sys/netpfil/pf to the tests/sys/netpfil/common directory because these tools are to be used in common for all the firewalls. Submitted by: Ahsan Barkati Reviewed by: kp, thj Sponsored by: Google, Inc. (GSoC 2019) Differential Revision: https://reviews.freebsd.org/D21276 (cherry picked from commit 9531253098a1b889520b49a98af0bb81a2373ac0) --- ObsoleteFiles.inc | 3 +++ tests/sys/netpfil/common/Makefile | 13 +++++++++++++ tests/sys/netpfil/{pf => common}/pft_ping.py | 0 tests/sys/netpfil/{pf => common}/sniffer.py | 0 tests/sys/netpfil/pf/Makefile | 3 --- tests/sys/netpfil/pf/forward.sh | 18 ++++++++++-------- tests/sys/netpfil/pf/set_tos.sh | 14 ++++++++------ 7 files changed, 34 insertions(+), 17 deletions(-) diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index 622d1b79f557..3c505f9610f4 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc 
@@ -1100,6 +1100,9 @@ OLD_FILES+=usr/lib/clang/8.0.0/lib/freebsd/libclang_rt.ubsan_standalone_cxx-x86_ OLD_DIRS+=usr/lib/clang/8.0.0/lib/freebsd OLD_DIRS+=usr/lib/clang/8.0.0/lib OLD_DIRS+=usr/lib/clang/8.0.0 +# 20190817: pft_ping.py and sniffer.py moved to /usr/tests/sys/netpfil/common +OLD_FILES+=usr/tests/sys/netpfil/pf/sniffer.py +OLD_FILES+=usr/tests/sys/netpfil/pf/pft_ping.py # 20190509: tests/sys/opencrypto requires the net/py-dpkt package. OLD_FILES+=usr/tests/sys/opencrypto/dpkt.py OLD_FILES+=usr/tests/sys/opencrypto/dpkt.pyc diff --git a/tests/sys/netpfil/common/Makefile b/tests/sys/netpfil/common/Makefile new file mode 100644 index 000000000000..9e2fa132c84f --- /dev/null +++ b/tests/sys/netpfil/common/Makefile @@ -0,0 +1,13 @@ +# $FreeBSD$ + +PACKAGE= tests + +TESTSDIR= ${TESTSBASE}/sys/netpfil/common + +${PACKAGE}FILES+= \ + pft_ping.py \ + sniffer.py + +${PACKAGE}FILESMODE_pft_ping.py= 0555 + +.include diff --git a/tests/sys/netpfil/pf/pft_ping.py b/tests/sys/netpfil/common/pft_ping.py similarity index 100% rename from tests/sys/netpfil/pf/pft_ping.py rename to tests/sys/netpfil/common/pft_ping.py diff --git a/tests/sys/netpfil/pf/sniffer.py b/tests/sys/netpfil/common/sniffer.py similarity index 100% rename from tests/sys/netpfil/pf/sniffer.py rename to tests/sys/netpfil/common/sniffer.py diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index 474b3c3b9b4b..8e38ccf341de 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -23,12 +23,9 @@ ATF_TESTS_SH+= anchor \ ${PACKAGE}FILES+= utils.subr \ echo_inetd.conf \ - sniffer.py \ - pft_ping.py \ CVE-2019-5597.py \ CVE-2019-5598.py -${PACKAGE}FILESMODE_pft_ping.py= 0555 ${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555 ${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555 diff --git a/tests/sys/netpfil/pf/forward.sh b/tests/sys/netpfil/pf/forward.sh index 0c97d9601cdc..0d9c9d7787a3 100755 --- a/tests/sys/netpfil/pf/forward.sh +++ b/tests/sys/netpfil/pf/forward.sh 
@@ -2,6 +2,8 @@ . $(atf_get_srcdir)/utils.subr +common_dir=$(atf_get_srcdir)/../common + atf_test_case "v4" "cleanup" v4_head() { @@ -39,20 +41,20 @@ v4_body() # Forward with pf enabled pft_set_rules alcatraz "block in" - atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a pft_set_rules alcatraz "block out" - atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recv ${epair_recv}a # Allow ICMP pft_set_rules alcatraz "block in" "pass in proto icmp" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a @@ -90,7 +92,7 @@ v6_body() route add -6 2001:db8:43::/64 2001:db8:42::2 # Sanity check, can we forward ICMP echo requests without pf? - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ @@ -101,7 +103,7 @@ v6_body() # Block incoming echo request packets pft_set_rules alcatraz \ "block in inet6 proto icmp6 icmp6-type echoreq" - atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ @@ -110,7 +112,7 @@ v6_body() # Block outgoing echo request packets pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" - atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ 
@@ -120,7 +122,7 @@ v6_body() pft_set_rules alcatraz \ "block out" \ "pass out inet6 proto icmp6" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ @@ -130,7 +132,7 @@ v6_body() pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" \ "pass in proto icmp" - atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ diff --git a/tests/sys/netpfil/pf/set_tos.sh b/tests/sys/netpfil/pf/set_tos.sh index 246c7e1724da..4f92456cf40d 100755 --- a/tests/sys/netpfil/pf/set_tos.sh +++ b/tests/sys/netpfil/pf/set_tos.sh @@ -2,6 +2,8 @@ . $(atf_get_srcdir)/utils.subr +common_dir=$(atf_get_srcdir)/../common + atf_test_case "v4" "cleanup" v4_head() { @@ -33,7 +35,7 @@ v4_body() # No change is done if not requested pft_set_rules alcatraz "scrub out proto icmp" - atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ @@ -41,7 +43,7 @@ v4_body() # The requested ToS is set pft_set_rules alcatraz "scrub out proto icmp set-tos 42" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ @@ -49,7 +51,7 @@ v4_body() # ToS is not changed if the scrub rule does not match pft_set_rules alcatraz "scrub out proto tcp set-tos 42" - atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ 
@@ -58,14 +60,14 @@ v4_body() # Multiple scrub rules match as expected pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \ "scrub out proto icmp set-tos 14" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 14 # And this works even if the packet already has ToS values set - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ 
@@ -74,7 +76,7 @@ v4_body() # ToS values are unmolested if the packets do not match a scrub rule pft_set_rules alcatraz "scrub out proto tcp set-tos 13" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:49 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 29F254C145A; Sun, 3 Jan 2021 22:18:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ5Y4yz4r3J; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A239476C9; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImI0020441; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MImns020440; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: 
<202101032218.103MImns020440@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: b5c7812dd376 - stable/12 - pf tests: Fix accidental duplication of content MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: b5c7812dd376dcfa513d948e0d7682c1f613b4ab Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:49 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=b5c7812dd376dcfa513d948e0d7682c1f613b4ab commit b5c7812dd376dcfa513d948e0d7682c1f613b4ab Author: Mateusz Piotrowski <0mp@FreeBSD.org> AuthorDate: 2019-08-15 12:00:59 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 20:26:49 +0000 pf tests: Fix accidental duplication of content Some files got their content duplicated in r345409. Some mistakes were fixed in r345430. The only file that was left with duplicated content was CVE-2019-5598.py. Reviewed by: kp Approved by: src (kp) Differential Revision: https://reviews.freebsd.org/D21267 (cherry picked from commit 03d8a4b7d39af6da7ceaaf07211cf0fde1e623ed) --- tests/sys/netpfil/pf/CVE-2019-5598.py | 65 ----------------------------------- 1 file changed, 65 deletions(-) diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py b/tests/sys/netpfil/pf/CVE-2019-5598.py index 648b8ef9d6f0..1a019ea23fab 100644 --- a/tests/sys/netpfil/pf/CVE-2019-5598.py +++ b/tests/sys/netpfil/pf/CVE-2019-5598.py 
@@ -63,68 +63,3 @@ def main(): if __name__ == '__main__': main() -#!/usr/local/bin/python2.7 - -import argparse -import scapy.all as sp -import sys -from sniffer import Sniffer - -def check_icmp_error(args, packet): - ip = packet.getlayer(sp.IP) - if not ip: - return False - if ip.dst != args.to[0]: - return False - - icmp = packet.getlayer(sp.ICMP) - if not icmp: - return False - if icmp.type != 3 or icmp.code != 3: - return False - - return True - -def main(): - parser = argparse.ArgumentParser("CVE-2019-icmp.py", - description="CVE-2019-icmp test tool") - parser.add_argument('--sendif', nargs=1, - required=True, - help='The interface through which the packet will be sent') - parser.add_argument('--recvif', nargs=1, - required=True, - help='The interface on which to check for the packet') - parser.add_argument('--src', nargs=1, - required=True, - help='The source IP address') - parser.add_argument('--to', nargs=1, - required=True, - help='The destination IP address') - - args = parser.parse_args() - - # Send the allowed packet to establish state - udp = sp.Ether() / \ - sp.IP(src=args.src[0], dst=args.to[0]) / \ - sp.UDP(dport=53, sport=1234) - sp.sendp(udp, iface=args.sendif[0], verbose=False) - - # Start sniffing on recvif - sniffer = Sniffer(args, check_icmp_error) - - # Send the bad error packet - icmp_reachable = sp.Ether() / \ - sp.IP(src=args.src[0], dst=args.to[0]) / \ - sp.ICMP(type=3, code=3) / \ - sp.IP(src=args.src[0], dst=args.to[0]) / \ - sp.UDP(dport=53, sport=1234) - sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) - - sniffer.join() - if sniffer.foundCorrectPacket: - sys.exit(1) - - sys.exit(0) - -if __name__ == '__main__': - main() From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:49 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 47DB44C0F66; Sun, 3 Jan 2021 
22:18:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ6Rn3z4qty; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B5FBB749D; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MIm2D020458; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MImg8020457; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: <202101032218.103MImg8020457@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Kristof Provost Subject: git: 9caf8a4a0822 - stable/12 - pf tests: Fix accidental duplication of content MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 9caf8a4a08223ee84cf0e63bde2c42adefe1e5f5 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:50 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=9caf8a4a08223ee84cf0e63bde2c42adefe1e5f5 commit 9caf8a4a08223ee84cf0e63bde2c42adefe1e5f5 Author: Kristof Provost AuthorDate: 2019-03-23 01:07:51 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 20:26:49 +0000 pf tests: Fix accidental duplication of content Also use the correct name for the scapy test script. (cherry picked from commit dcccc93ae404ab8ead535efc4ddcd0fe9e3ee612) --- tests/sys/netpfil/pf/icmp.sh | 51 +------------------------------------------- 1 file changed, 1 insertion(+), 50 deletions(-) diff --git a/tests/sys/netpfil/pf/icmp.sh b/tests/sys/netpfil/pf/icmp.sh index 5cc1a769c799..a02cbf45e34c 100755 --- a/tests/sys/netpfil/pf/icmp.sh +++ b/tests/sys/netpfil/pf/icmp.sh 
@@ -32,56 +32,7 @@ cve_2019_5598_body() "pass in proto udp to 198.51.100.3 port 53" \ "pass out proto udp to 198.51.100.3 port 53" - atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \ - --sendif ${epair_in}a \ - --recvif ${epair_out}a \ - --src 192.0.2.1 \ - --to 198.51.100.3 -} - -cve_2019_5598_cleanup() -{ - pft_cleanup -} - -atf_init_test_cases() -{ - atf_add_test_case "cve_2019_5598" -} -# $FreeBSD$ - -. $(atf_get_srcdir)/utils.subr - -atf_test_case "cve_2019_5598" "cleanup" -cve_2019_5598_head() -{ - atf_set descr 'Test CVE-2019-5598' - atf_set require.user root - atf_set require.progs scapy -} - -cve_2019_5598_body() -{ - pft_init - - epair_in=$(vnet_mkepair) - epair_out=$(vnet_mkepair) - ifconfig ${epair_in}a 192.0.2.1/24 up - ifconfig ${epair_out}a up - - vnet_mkjail alcatraz ${epair_in}b ${epair_out}b - jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up - jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up - jexec alcatraz sysctl net.inet.ip.forwarding=1 - jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 - route add -net 198.51.100.0/24 192.0.2.2 - - jexec alcatraz pfctl -e - pft_set_rules alcatraz "block all" \ - "pass in proto udp to 198.51.100.3 port 53" \ - "pass out proto udp to 198.51.100.3 port 53" - - atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \ + atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-5598.py \ --sendif ${epair_in}a \ --recvif ${epair_out}a \ --src 192.0.2.1 \ From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:48 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 807344C1073; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ3DsCz4r77; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 56BD47068; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImLo020372; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MImm2020371; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: <202101032218.103MImm2020371@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Kristof Provost Subject: git: 63fb868d2913 - stable/12 - Follow r354121 to fix some python3 errors in sys.netpfil.* MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 63fb868d2913d5cb4efcc123eb57fe0287837758 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:48 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=63fb868d2913d5cb4efcc123eb57fe0287837758 commit 63fb868d2913d5cb4efcc123eb57fe0287837758 Author: Li-Wen Hsu AuthorDate: 2019-10-27 21:07:50 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 20:26:50 +0000 Follow r354121 to fix some python3 errors in sys.netpfil.* stderr: Traceback (most recent call last): File "/usr/tests/sys/netpfil/common/pft_ping.py", line 135, in main() File "/usr/tests/sys/netpfil/common/pft_ping.py", line 124, in main ping(args.sendif[0], args.to[0], args) File "/usr/tests/sys/netpfil/common/pft_ping.py", line 74, in ping raw = sp.raw(str(PAYLOAD_MAGIC)) File "/usr/local/lib/python3.6/site-packages/scapy/compat.py", line 52, in raw return bytes(x) TypeError: string argument without an encoding MFC with: r354121 Sponsored by: The FreeBSD Foundation (cherry picked from commit cfa8b6482740b2be1719d51e927f76b4adec3b92) --- tests/sys/netpfil/common/pft_ping.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/sys/netpfil/common/pft_ping.py b/tests/sys/netpfil/common/pft_ping.py index da8edd9f7b63..89cb3e1a5d01 100644 --- a/tests/sys/netpfil/common/pft_ping.py +++ b/tests/sys/netpfil/common/pft_ping.py 
@@ -5,7 +5,7 @@ import scapy.all as sp import sys from sniffer import Sniffer -PAYLOAD_MAGIC = 0x42c0ffee +PAYLOAD_MAGIC = bytes.fromhex('42c0ffee') def check_ping_request(args, packet): if args.ip6: @@ -34,7 +34,7 @@ def check_ping4_request(args, packet): raw = packet.getlayer(sp.Raw) if not raw: return False - if int(raw.load) != PAYLOAD_MAGIC: + if raw.load != PAYLOAD_MAGIC: return False # Wait to check expectations until we've established this is the packet we @@ -62,7 +62,7 @@ def check_ping6_request(args, packet): icmp = packet.getlayer(sp.ICMPv6EchoRequest) if not icmp: return False - if int(icmp.data) != PAYLOAD_MAGIC: + if icmp.data != PAYLOAD_MAGIC: return False return True @@ -71,7 +71,7 @@ def ping(send_if, dst_ip, args): ether = sp.Ether() ip = sp.IP(dst=dst_ip) icmp = sp.ICMP(type='echo-request') - raw = sp.raw(str(PAYLOAD_MAGIC)) + raw = sp.raw(PAYLOAD_MAGIC) if args.send_tos: ip.tos = int(args.send_tos[0]) 
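Review bot: `bytes.fromhex('42c0ffee')` in the @@ -5,7 +5,7 @@ hunk exists only on Python 3 (on 2.7 `bytes` is `str`, which has no `fromhex`), so this makes pft_ping.py Python 3 only. The interpreter line sits above the hunk context and is not shown, and CVE-2019-5598.py on this page is added with `#!/usr/local/bin/python2.7`, so check that the shebang of pft_ping.py matches and state the Python 3 requirement in the log message. The change also alters the probe on the wire from the decimal string of the magic to the four bytes 42 c0 ff ee, which the message does not mention. Finally, `sp.raw(PAYLOAD_MAGIC)` in the @@ -71,7 +71,7 @@ hunk is now a no-op, since the quoted traceback shows `raw()` simply returning `bytes(x)`; pass `PAYLOAD_MAGIC` directly.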
@@ -82,7 +82,7 @@ def ping(send_if, dst_ip, args): def ping6(send_if, dst_ip, args): ether = sp.Ether() ip6 = sp.IPv6(dst=dst_ip) - icmp = sp.ICMPv6EchoRequest(data=sp.raw(str(PAYLOAD_MAGIC))) + icmp = sp.ICMPv6EchoRequest(data=sp.raw(PAYLOAD_MAGIC)) req = ether / ip6 / icmp sp.sendp(req, iface=send_if, verbose=False) From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:48 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9F32E4C0F55; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ46NGz4rDN; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 7BA0676C8; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImvT020406; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MImBj020405; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: 
<202101032218.103MImBj020405@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: 0c772900dcae - stable/12 - Fix path issues after r351212 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 0c772900dcae7ded1c8f1ca336878322a5483ffe Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:48 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=0c772900dcae7ded1c8f1ca336878322a5483ffe commit 0c772900dcae7ded1c8f1ca336878322a5483ffe Author: Li-Wen Hsu AuthorDate: 2019-08-22 12:08:35 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 20:26:50 +0000 Fix path issues after r351212 This fixes sys.netpfil.pf.forward.v4 and sys.netpfil.pf.icmp.cve_2019_5598 failures in CI system. Sponsored by: The FreeBSD Foundation (cherry picked from commit cdac716946b14572d8c5c764a99617fe5a176da2) --- tests/sys/netpfil/pf/forward.sh | 2 +- tests/sys/netpfil/pf/icmp.sh | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/sys/netpfil/pf/forward.sh b/tests/sys/netpfil/pf/forward.sh index 0d9c9d7787a3..5cb22e9c1384 100755 --- a/tests/sys/netpfil/pf/forward.sh +++ b/tests/sys/netpfil/pf/forward.sh @@ -32,7 +32,7 @@ v4_body() route add -net 198.51.100.0/24 192.0.2.2 # Sanity check, can we forward ICMP echo requests without pf? - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a 
diff --git a/tests/sys/netpfil/pf/icmp.sh b/tests/sys/netpfil/pf/icmp.sh index a02cbf45e34c..fbb62da09efd 100755 --- a/tests/sys/netpfil/pf/icmp.sh +++ b/tests/sys/netpfil/pf/icmp.sh @@ -2,6 +2,8 @@ . $(atf_get_srcdir)/utils.subr +common_dir=$(atf_get_srcdir)/../common + atf_test_case "cve_2019_5598" "cleanup" cve_2019_5598_head() { 
@@ -32,7 +34,8 @@ cve_2019_5598_body() "pass in proto udp to 198.51.100.3 port 53" \ "pass out proto udp to 198.51.100.3 port 53" - atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-5598.py \ + atf_check -s exit:0 env PYTHONPATH=${common_dir} \ + $(atf_get_srcdir)/CVE-2019-5598.py \ --sendif ${epair_in}a \ --recvif ${epair_out}a \ --src 192.0.2.1 \ From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:50 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C45244C14B0; Sun, 3 Jan 2021 22:18:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpK0T6yz4rDQ; Sun, 3 Jan 2021 22:18:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D87AD749E; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImoj020492; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MImBF020491; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT 
Message-Id: <202101032218.103MImBF020491@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: a343d1c8acfc - stable/12 - pf tests: Move Sniffer to its own file MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: a343d1c8acfc78abfd7f12823c5297c8ca2ee4f4 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:51 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=a343d1c8acfc78abfd7f12823c5297c8ca2ee4f4 commit a343d1c8acfc78abfd7f12823c5297c8ca2ee4f4 Author: Kristof Provost AuthorDate: 2019-03-21 08:15:46 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 20:26:48 +0000 pf tests: Move Sniffer to its own file Make it easier to re-use the sniffer class in other test support scripts. (cherry picked from commit d1805f60afc3f3c65f5d2bb360ed1ab55ea705da) --- tests/sys/netpfil/pf/Makefile | 1 + tests/sys/netpfil/pf/pft_ping.py | 23 +---------------------- tests/sys/netpfil/pf/sniffer.py | 25 +++++++++++++++++++++++++ 3 files changed, 27 insertions(+), 22 deletions(-) diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index 9bb40b911d4c..115a38666cc7 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -22,6 +22,7 @@ ATF_TESTS_SH+= anchor \ ${PACKAGE}FILES+= utils.subr \ echo_inetd.conf \ + sniffer.py \ pft_ping.py \ CVE-2019-5597.py diff --git a/tests/sys/netpfil/pf/pft_ping.py b/tests/sys/netpfil/pf/pft_ping.py index 0b70c2235894..e77d0835134f 100644 
--- a/tests/sys/netpfil/pf/pft_ping.py +++ b/tests/sys/netpfil/pf/pft_ping.py @@ -3,31 +3,10 @@ import argparse import scapy.all as sp import sys -import threading +from sniffer import Sniffer PAYLOAD_MAGIC = 0x42c0ffee -class Sniffer(threading.Thread): - def __init__(self, args, check_function): - threading.Thread.__init__(self) - - self._args = args - self._recvif = args.recvif[0] - self._check_function = check_function - self.foundCorrectPacket = False - - self.start() - - def _checkPacket(self, packet): - ret = self._check_function(self._args, packet) - if ret: - self.foundCorrectPacket = True - return ret - - def run(self): - self.packets = sp.sniff(iface=self._recvif, - stop_filter=self._checkPacket, timeout=3) - def check_ping_request(args, packet): if args.ip6: return check_ping6_request(args, packet) diff --git a/tests/sys/netpfil/pf/sniffer.py b/tests/sys/netpfil/pf/sniffer.py new file mode 100644 index 000000000000..c71f6e1f5729 --- /dev/null +++ b/tests/sys/netpfil/pf/sniffer.py 
@@ -0,0 +1,25 @@ +# $FreeBSD$ + +import threading +import scapy.all as sp + +class Sniffer(threading.Thread): + def __init__(self, args, check_function): + threading.Thread.__init__(self) + + self._args = args + self._recvif = args.recvif[0] + self._check_function = check_function + self.foundCorrectPacket = False + + self.start() + + def _checkPacket(self, packet): + ret = self._check_function(self._args, packet) + if ret: + self.foundCorrectPacket = True + return ret + + def run(self): + self.packets = sp.sniff(iface=self._recvif, + stop_filter=self._checkPacket, timeout=3) From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:51 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id CFF484C1460; Sun, 3 Jan 2021 22:18:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpK1ZCYz4r3K; Sun, 3 Jan 2021 22:18:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 07FEE749F; Sun, 3 Jan 2021 22:18:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImfd020509; Sun, 3 Jan 2021 
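Review bot: In the new sniffer.py, `__init__` calls `self.start()` and returns immediately, but nothing tells the caller when `sp.sniff()` in `run()` is actually capturing on the interface. Callers send their probe right after constructing the Sniffer, so a packet forwarded before capture begins is missed; in CVE-2019-5598.py on this page a missed packet leaves `foundCorrectPacket` False and the script exits 0, which reads as "pf dropped the packet" when nothing was listening yet. Now that the class is shared between test scripts, have the thread signal readiness (for example a `threading.Event` set from sniff's `started_callback`, where the installed scapy provides it) and wait for that signal before the constructor returns.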
22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MImYe020508; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: <202101032218.103MImYe020508@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: cc136589fadb - stable/12 - pf tests: Add a defer mode test for pfsync MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: cc136589fadb85996f9ba772a236fa500b6901dd Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:53 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=cc136589fadb85996f9ba772a236fa500b6901dd commit cc136589fadb85996f9ba772a236fa500b6901dd Author: Kristof Provost AuthorDate: 2018-12-05 19:53:09 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 20:26:48 +0000 pf tests: Add a defer mode test for pfsync Repeat the pfsync test, this time with the 'defer' option enabled. This exercises slightly different code paths. (cherry picked from commit 369d9a2c153e45e2645bc78cdc3a8cdc42f45b7b) --- tests/sys/netpfil/pf/pfsync.sh | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/tests/sys/netpfil/pf/pfsync.sh b/tests/sys/netpfil/pf/pfsync.sh index 85e54675c498..95209b832c62 100755 --- a/tests/sys/netpfil/pf/pfsync.sh +++ b/tests/sys/netpfil/pf/pfsync.sh 
@@ -7,12 +7,16 @@ basic_head() { atf_set descr 'Basic pfsync test' atf_set require.user root - - atf_set require.progs scapy } basic_body() { + common_body +} + +common_body() +{ + defer=$1 pfsynct_init epair_sync=$(vnet_mkepair) @@ -28,12 +32,14 @@ basic_body() jexec one ifconfig pfsync0 \ syncdev ${epair_sync}a \ maxupd 1 \ + $defer \ up jexec two ifconfig ${epair_two}a 198.51.100.2/24 up jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up jexec two ifconfig pfsync0 \ syncdev ${epair_sync}b \ maxupd 1 \ + $defer \ up # Enable pf! 
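Review bot: The @@ -7,12 +7,16 @@ hunk drops `atf_set require.progs scapy` from basic_head, which the log message ("Add a defer mode test for pfsync") does not mention. If nothing in common_body runs scapy the removal is right but belongs in the description; if something does, the test will now fail instead of being skipped on hosts without scapy. Also, `defer=$1` in common_body is a global assignment; `local defer=$1` keeps it from leaking between test cases, and the unquoted `$defer` in the two ifconfig calls deserves a short comment that it is left unquoted on purpose so the empty case expands to no argument.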
@@ -64,7 +70,25 @@ basic_cleanup() pfsynct_cleanup } +atf_test_case "defer" "cleanup" +defer_head() +{ + atf_set descr 'Defer mode pfsync test' + atf_set require.user root +} + +defer_body() +{ + common_body defer +} + +defer_cleanup() +{ + pfsynct_cleanup +} + atf_init_test_cases() { atf_add_test_case "basic" + atf_add_test_case "defer" } From owner-dev-commits-src-branches@freebsd.org Sun Jan 3 22:18:49 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5625D4C1506; Sun, 3 Jan 2021 22:18:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ6cxhz4qrd; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D29597515; Sun, 3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImnK020475; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MIm5L020474; Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git) Date: Sun, 3 Jan 2021 22:18:48 GMT Message-Id: 
<202101032218.103MIm5L020474@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: 0fc80e44f600 - stable/12 - pf tests: Test CVE-2019-5598 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 0fc80e44f600b65830da93b7b56e47250f978f06 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 22:18:57 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=0fc80e44f600b65830da93b7b56e47250f978f06 commit 0fc80e44f600b65830da93b7b56e47250f978f06 Author: Kristof Provost AuthorDate: 2019-03-22 07:39:28 +0000 Commit: Kristof Provost CommitDate: 2021-01-03 20:26:49 +0000 pf tests: Test CVE-2019-5598 Verify that pf correctly drops inconsistent ICMP packets (i.e. where the IP src/dst do not match the IP src/dst in the ICMP packet). (cherry picked from commit 7de4bd92b8a1f510c88ea3b5af0bcb106af6ba11) --- tests/sys/netpfil/pf/CVE-2019-5598.py | 130 ++++++++++++++++++++++++++++++++++ tests/sys/netpfil/pf/Makefile | 7 +- tests/sys/netpfil/pf/icmp.sh | 99 ++++++++++++++++++++++++++ 3 files changed, 234 insertions(+), 2 deletions(-) diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py b/tests/sys/netpfil/pf/CVE-2019-5598.py new file mode 100644 index 000000000000..648b8ef9d6f0 --- /dev/null +++ b/tests/sys/netpfil/pf/CVE-2019-5598.py 
@@ -0,0 +1,130 @@ +#!/usr/local/bin/python2.7 + +import argparse +import scapy.all as sp +import sys +from sniffer import Sniffer + +def check_icmp_error(args, packet): + ip = packet.getlayer(sp.IP) + if not ip: + return False + if ip.dst != args.to[0]: + return False + + icmp = packet.getlayer(sp.ICMP) + if not icmp: + return False + if icmp.type != 3 or icmp.code != 3: + return False + + return True + +def main(): + parser = argparse.ArgumentParser("CVE-2019-icmp.py", + description="CVE-2019-icmp test tool") + parser.add_argument('--sendif', nargs=1, + required=True, + help='The interface through which the packet will be sent') + parser.add_argument('--recvif', nargs=1, + required=True, + help='The interface on which to check for the packet') + parser.add_argument('--src', nargs=1, + required=True, + help='The source IP address') + parser.add_argument('--to', nargs=1, + required=True, + help='The destination IP address') + + args = parser.parse_args() + + # Send the allowed packet to establish state + udp = sp.Ether() / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.UDP(dport=53, sport=1234) + sp.sendp(udp, iface=args.sendif[0], verbose=False) + + # Start sniffing on recvif + sniffer = Sniffer(args, check_icmp_error) + + # Send the bad error packet + icmp_reachable = sp.Ether() / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.ICMP(type=3, code=3) / \ + sp.IP(src="4.3.2.1", dst="1.2.3.4") / \ + sp.UDP(dport=53, sport=1234) + sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) + + sniffer.join() + if sniffer.foundCorrectPacket: + sys.exit(1) + + sys.exit(0) + +if __name__ == '__main__': + main() +#!/usr/local/bin/python2.7 + +import argparse +import scapy.all as sp +import sys +from sniffer import Sniffer + +def check_icmp_error(args, packet): + ip = packet.getlayer(sp.IP) + if not ip: + return False + if ip.dst != args.to[0]: + return False + + icmp = packet.getlayer(sp.ICMP) + if not icmp: + return False + if icmp.type != 3 or icmp.code != 3: 
+ return False + + return True + +def main(): + parser = argparse.ArgumentParser("CVE-2019-icmp.py", + description="CVE-2019-icmp test tool") + parser.add_argument('--sendif', nargs=1, + required=True, + help='The interface through which the packet will be sent') + parser.add_argument('--recvif', nargs=1, + required=True, + help='The interface on which to check for the packet') + parser.add_argument('--src', nargs=1, + required=True, + help='The source IP address') + parser.add_argument('--to', nargs=1, + required=True, + help='The destination IP address') + + args = parser.parse_args() + + # Send the allowed packet to establish state + udp = sp.Ether() / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.UDP(dport=53, sport=1234) + sp.sendp(udp, iface=args.sendif[0], verbose=False) + + # Start sniffing on recvif + sniffer = Sniffer(args, check_icmp_error) + + # Send the bad error packet + icmp_reachable = sp.Ether() / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.ICMP(type=3, code=3) / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.UDP(dport=53, sport=1234) + sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) + + sniffer.join() + if sniffer.foundCorrectPacket: + sys.exit(1) + + sys.exit(0) + +if __name__ == '__main__': + main() diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index 115a38666cc7..474b3c3b9b4b 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -18,15 +18,18 @@ ATF_TESTS_SH+= anchor \ synproxy \ set_skip \ pfsync \ - table + table \ + icmp ${PACKAGE}FILES+= utils.subr \ echo_inetd.conf \ sniffer.py \ pft_ping.py \ - CVE-2019-5597.py + CVE-2019-5597.py \ + CVE-2019-5598.py ${PACKAGE}FILESMODE_pft_ping.py= 0555 ${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555 +${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555 .include diff --git a/tests/sys/netpfil/pf/icmp.sh b/tests/sys/netpfil/pf/icmp.sh new file mode 100755 index 000000000000..5cc1a769c799 --- /dev/null 
+++ b/tests/sys/netpfil/pf/icmp.sh 
@@ -0,0 +1,99 @@ +# $FreeBSD$ + +. $(atf_get_srcdir)/utils.subr + +atf_test_case "cve_2019_5598" "cleanup" +cve_2019_5598_head() +{ + atf_set descr 'Test CVE-2019-5598' + atf_set require.user root + atf_set require.progs scapy +} + +cve_2019_5598_body() +{ + pft_init + + epair_in=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + ifconfig ${epair_in}a 192.0.2.1/24 up + ifconfig ${epair_out}a up + + vnet_mkjail alcatraz ${epair_in}b ${epair_out}b + jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up + jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 + jexec alcatraz route add default 198.51.100.3 + route add -net 198.51.100.0/24 192.0.2.2 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz "block all" \ + "pass in proto udp to 198.51.100.3 port 53" \ + "pass out proto udp to 198.51.100.3 port 53" + + atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \ + --sendif ${epair_in}a \ + --recvif ${epair_out}a \ + --src 192.0.2.1 \ + --to 198.51.100.3 +} + +cve_2019_5598_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "cve_2019_5598" +} +# $FreeBSD$ + +. 
$(atf_get_srcdir)/utils.subr + +atf_test_case "cve_2019_5598" "cleanup" +cve_2019_5598_head() +{ + atf_set descr 'Test CVE-2019-5598' + atf_set require.user root + atf_set require.progs scapy +} + +cve_2019_5598_body() +{ + pft_init + + epair_in=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + ifconfig ${epair_in}a 192.0.2.1/24 up + ifconfig ${epair_out}a up + + vnet_mkjail alcatraz ${epair_in}b ${epair_out}b + jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up + jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 + route add -net 198.51.100.0/24 192.0.2.2 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz "block all" \ + "pass in proto udp to 198.51.100.3 port 53" \ + "pass out proto udp to 198.51.100.3 port 53" + + atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \ + --sendif ${epair_in}a \ + --recvif ${epair_out}a \ + --src 192.0.2.1 \ + --to 198.51.100.3 +} + +cve_2019_5598_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "cve_2019_5598" +}
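Review bot: the new file tests/sys/netpfil/pf/CVE-2019-5598.py contains the whole script twice: in the `@@ -0,0 +1,130 @@` hunk a second `#!/usr/local/bin/python2.7` follows directly after the first `if __name__ == '__main__':` / `main()` pair. The two copies are not identical. The first builds the embedded header as `sp.IP(src="4.3.2.1", dst="1.2.3.4")`, the second as `sp.IP(src=args.src[0], dst=args.to[0])`. Because the first `main()` always ends in `sys.exit()`, the second copy is never reached when the file is run as a script. Please drop the duplicate and keep the variant whose inner addresses do not match the outer IP header, since that is the inconsistent case the commit message says is under test. The argparse program name and description still say `CVE-2019-icmp.py`, which does not match the file name either.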
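Review bot: the tests/sys/netpfil/pf/Makefile hunk installs the helper as `CVE-2019-5598.py` (both in `${PACKAGE}FILES` and in `${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555`), but the icmp.sh added by the same patch invokes `$(atf_get_srcdir)/CVE-2019-icmp.py`, a name that nothing in this patch installs. Unless a file of that name is provided elsewhere, the `atf_check -s exit:0` in `cve_2019_5598_body` will fail for a missing script rather than for anything pf does. Make the installed name and the invoked name agree.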
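Review bot: tests/sys/netpfil/pf/icmp.sh is added with its content twice: in the `@@ -0,0 +1,99 @@` hunk a second `# $FreeBSD$` header and a second full set of `cve_2019_5598_*` functions follow the first `atf_init_test_cases()`. In sh the later definitions replace the earlier ones, and the copies differ: only the first has `jexec alcatraz route add default 198.51.100.3`, so the body that actually runs sets up the jail without that default route. Keep a single copy, and settle whether the default route belongs in the setup rather than letting the duplicate decide it.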