The ping tests were originally broken by an unrelated issue that
is now fixed (2926c25942).
Thanks to kp@ for fixing the test and Jose Luis Duran for pointing it out.
This reverts commit 7bc0cb91a2.
Scapy 2.6.0 now appears to parse the IPOption during construction, and it then
gets confused at a single-byte option. IP Options typically contain at least a 1
byte type and 1 byte length. Avoid this by just returning the raw bytes, rather
than an IPOption object.
MFC after: 1 week
Reviewed by: Jose Luis Duran <jlduran@gmail.com>
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47151
Only super-user could specify a packet size larger than the default 56 bytes.
This restriction was added by Matt Dillon in 1998 during the BEST days [0].
This restriction doesn't exist in ping IPV6 or on NetBSD, OpenBSD and Linux.
UMS [1] uses this feature to estimate the client's bandwidth to optimize the
streaming experience.
[0] DFGit 526f06b278
[1] UMS: https://github.com/UniversalMediaServer/UniversalMediaServer
Obtained from: DragonFlyBSD
Differential Revision: https://reviews.freebsd.org/D45774
These were reported by `mandoc -T lint ...` as warnings:
- unusual Xr order
- unusual Xr punctuation
Fixes made by script in https://github.com/Tarsnap/freebsd-doc-scripts
Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com>
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1464
As of 2015 (commit b8c19fd719) the fdisk man page claimed the command
is obsolete, but had no explicit mention of removal. Add another note
that follows our current deprecation notice format.
Reviewed by: imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47067
These were reported by `mandoc -T lint ...` as errors.
The rendered output (in ascii and html) is not affected by this commit.
Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne
MFC after: 3 days
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1448
These were reported by `mandoc -T lint ...` as errors; this commit only
handles unnecessary .Ed commands.
The rendered output (in ascii and html) is not affected by this commit.
Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne
MFC after: 3 days
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1435
When soft updates began being enabled by default that change carried
over to mdmfs(8) which does not want or need them. This fix ensures
that they are only enabled in mdmfs(8) when requested with the -U flag.
Reported by: Ivan Rozhuk
Tested by: Ivan Rozhuk
PR: 279308
MFC after: 1 week
Reduces code and fixes a bunch of bugs with fragment handling not being in sync
with the rest of the ruleset.
Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing
ok bluhm; various previous versions ok henning, claudio, mpf, markus
Note that while this changes the order of src addr/src port/dst addr/dst port
skips this doesn't actually affect the kernel/userspace ABI. The kernel always
recalculates skip steps. As a result we have to fix one of the pfctl parser
tests. Note that this is an order change that does not affect what packets are
accepted or dropped.
Obtained from: OpenBSD, mcbride <mcbride@openbsd.org>, 04c69899a7
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46705
Ignore DHCP options 124 and 125 to shut up the warning messages.
These options are defined in the RFC 3925.
PR: 281361
Reviewed by: jrm (mentor), otis (mentor), thj
Tested by: jlduran@gmail.com
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46760
These changes were made by accident in:
ipfilter: Adjust userland returns to conform to style(9)
2582ae5740
That commit made similar mistakes in other man pages, but those have
already been fixed.
Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1433
forces logging on all subsequent matching rules
new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
Obtained from: OpenBSD, henning <henning@openbsd.org>, 1603e01ae4
Obtained from: OpenBSD, henning <henning@openbsd.org>, f496e91672
Obtained from: OpenBSD, henning <henning@openbsd.org>, 07481a9fee
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46588
In some cases the netmask gets set to a full 128 bit mask even if no
address family is selected; don't print the v6 mask if it's a v4 address.
Obtained from: OpenBSD, mcbride <mcbride@openbsd.org>, f6d7b41f07
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46584
lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto
Reviewed by: zlei
Obtained from: OpenBSD, deraadt <deraadt@openbsd.org>, e6e3ecf338
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46582
In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride
Obtained from: OpenBSD, deraadt <deraadt@openbsd.org>, e3b4bc25a0
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46580
add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
i've been running this in production for a week now. i find it particularly
useful with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 95b4320893
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46577
Similar to "promisc", this allows the IFF_ALLMULTI flag to be toggled
from userspace if it happens to be useful to disable multicast packet
filtering. One use-case is when implementing IPv6 neighbour discovery
over netmap.
Reviewed by: zlei, glebius
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D46525
With Endpoint Independent NAT, bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint independent without affecting existing
deployments.
This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone'
NAT.
Using Endpoint Independent NAT changes NAT exhaustion behaviour; it does
not introduce any additional security considerations compared to other
forms of NAT.
PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137
The pfik_ifp field is not provided by the kernel, it is always NULL. Do not
check for it. This caused us to not clear the skip flag on interfaces, leading
to unexpected behaviour when a 'set skip' was removed.
PR: 280834
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46311
When route_to() processes a packet without state, pf_map_addr() is called for
each packet. Pf_map_addr() will search for a source node and will find none
since those are created only in pf_create_state(). Thus sticky address,
even though requested in rule definition, will never work.
Raise an error when a stateless filter rule uses sticky address to avoid
confusion and to keep ruleset limitations in sync with what the pf code
really does.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46310
Linux's `nvme sanitize -a` takes a number, not a string. Accept 1-4 for
compatibility so vendor's recipes are easier to implement.
Sponsored by: Netflix
Document new n flag for disabling ARP resolution within dhclient.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
Make arp_timeout available to dhclient.c, set the default timeout to 250
ms, and provide a new command-line argument, 'n' for setting the timeout
to 0.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
Change the use of time() to clock_gettime() to have millisecond-accurate
rather than second-accurate timeouts.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
Use the new add_timeout_timespec() API to handle timeouts for
state_selecting within dhclient.c. No functional change intended.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
Introduce a new function, add_timeout_timespec(), to use timespec
structs to handle timeouts. Make add_timeout() into a wrapper for the
latter function to retain compatibility with the rest of the codebase.
No functional change intended.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
A last minute change moved this from -W to -q; fix the sorting in a few
places to reflect that.
Fixes: 6c7ec630c2 ("shutdown: add a -q(uiet) flag to suppress [...]")
Sponsored by: Klara, Inc.
The system-wide warning makes sense in multi-user environments, but
shutdown(8) may be used on systems or in scenarios where there's nobody
to warn and wall(1) just introduces unnecessary complexity and overhead
to the shutdown process.
Add an option to suppress the warning entirely for those contexts that
want to do so, which are anticipated to mainly be in appliance or
single-user desktop-style systems.
Reviewed by: des
Reviewed by: allanjude, imp (earlier version)
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D46216
Add missing flags to veriexec(8) as well as some examples to
help explain usage.
Also add veriexec.4
Sponsored by: Juniper Networks, Inc.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D46207
+ real-time and rtc added to search keywords
- local dropped from search keywords
+ ntpd added to see also
+ use machine independent language
Reported by: emaste (MI language)
MFC after: 3 days
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1326
libpfctl doesn't set errno, instead it returns error codes. Take that into
account when handling errors so that we report the actual error.
Sponsored by: Rubicon Communications, LLC ("Netgate")