Author: kp
Date: Fri Apr 26 13:00:25 2019
New Revision: 346742
URL: https://svnweb.freebsd.org/changeset/base/346742
Log:
MFC r346349:
pf: No need to M_NOWAIT in DIOCRSETTFLAGS
Now that we don't hold a lock during DIOCRSETTFLAGS memory allocation we can
use M_WAITOK.
Pointed out
Author: kp
Date: Fri Apr 26 13:00:22 2019
New Revision: 346741
URL: https://svnweb.freebsd.org/changeset/base/346741
Log:
MFC r346349:
pf: No need to M_NOWAIT in DIOCRSETTFLAGS
Now that we don't hold a lock during DIOCRSETTFLAGS memory allocation we can
use M_WAITOK.
Pointed out
Author: kp
Date: Fri Apr 26 12:59:23 2019
New Revision: 346740
URL: https://svnweb.freebsd.org/changeset/base/346740
Log:
MFC r346347:
pf tests: Fail the test if we can't set the rules
The test should fail if pf rules can't be set. This is helpful both
while writing tests and to veri
Author: kp
Date: Wed Apr 24 15:02:59 2019
New Revision: 346638
URL: https://svnweb.freebsd.org/changeset/base/346638
Log:
MFC r346320:
pf tests: Try to provoke the panic with invalid DIOCRSETTFLAGS
There was an issue with copyin() on DIOCRSETTFLAGS, which would panic if
pfrio_buffer
Author: kp
Date: Wed Apr 24 14:08:14 2019
New Revision: 346635
URL: https://svnweb.freebsd.org/changeset/base/346635
Log:
MFC r346319:
pf: Fix panic on invalid DIOCRSETTFLAGS
If during DIOCRSETTFLAGS pfrio_buffer is NULL copyin() will fault, which we're
not allowed to do with a lock
Author: kp
Date: Wed Apr 24 14:08:16 2019
New Revision: 346636
URL: https://svnweb.freebsd.org/changeset/base/346636
Log:
MFC r346319:
pf: Fix panic on invalid DIOCRSETTFLAGS
If during DIOCRSETTFLAGS pfrio_buffer is NULL copyin() will fault, which we're
not allowed to do with a lock
On 22 Apr 2019, at 12:25, Enji Cooper wrote:
Either the sys/netinet/ or sys/netipsec/ tests triggered the panic.
Not sure which right now.
That looks to be happening during a vnet jail teardown, so it’s likely
the sys/netipsec or sys/netpfil/pf tests.
I’ve done a quick test with the pf tests
Author: kp
Date: Fri Apr 19 10:52:54 2019
New Revision: 346370
URL: https://svnweb.freebsd.org/changeset/base/346370
Log:
pfctl: Fix ifgroup check
We cannot just assume that any name which ends with a letter is a group
That's not been true since we allowed renaming of network interfaces.
Author: kp
Date: Thu Apr 18 11:37:44 2019
New Revision: 346349
URL: https://svnweb.freebsd.org/changeset/base/346349
Log:
pf: No need to M_NOWAIT in DIOCRSETTFLAGS
Now that we don't hold a lock during DIOCRSETTFLAGS memory allocation we can
use M_WAITOK.
MFC after: 1 week
Event:
Author: kp
Date: Thu Apr 18 10:54:08 2019
New Revision: 346347
URL: https://svnweb.freebsd.org/changeset/base/346347
Log:
pf tests: Fail the test if we can't set the rules
The test should fail if pf rules can't be set. This is helpful both
while writing tests and to verify that pfctl work
On 17 Apr 2019, at 22:17, Gleb Smirnoff wrote:
Kristof,
On Wed, Apr 17, 2019 at 04:42:54PM +, Kristof Provost wrote:
K> Modified: head/sys/netpfil/pf/pf_ioctl.c
K>
==
K> --- head/sys/netpfil/pf/pf_ioctl.
Author: kp
Date: Wed Apr 17 16:45:35 2019
New Revision: 346320
URL: https://svnweb.freebsd.org/changeset/base/346320
Log:
pf tests: Try to provoke the panic with invalid DIOCRSETTFLAGS
There was an issue with copyin() on DIOCRSETTFLAGS, which would panic if
pfrio_buffer was NULL.
Test f
Author: kp
Date: Wed Apr 17 16:42:54 2019
New Revision: 346319
URL: https://svnweb.freebsd.org/changeset/base/346319
Log:
pf: Fix panic on invalid DIOCRSETTFLAGS
If during DIOCRSETTFLAGS pfrio_buffer is NULL copyin() will fault, which we're
not allowed to do with a lock held.
We must co
Author: kp
Date: Fri Mar 29 14:34:51 2019
New Revision: 345692
URL: https://svnweb.freebsd.org/changeset/base/345692
Log:
MFC r345177:
pf: Use counter(9) in pf tables.
The counters of pf tables are updated outside the rule lock. That means state
updates might overwrite each other. Fu
Author: kp
Date: Fri Mar 29 14:34:50 2019
New Revision: 345691
URL: https://svnweb.freebsd.org/changeset/base/345691
Log:
MFC r345177:
pf: Use counter(9) in pf tables.
The counters of pf tables are updated outside the rule lock. That means state
updates might overwrite each other. Fu
Author: kp
Date: Fri Mar 29 11:59:54 2019
New Revision: 345683
URL: https://svnweb.freebsd.org/changeset/base/345683
Log:
MFC r345178:
bridge: Fix panic if the STP root is removed
If the spanning tree root interface is removed from the bridge we panic
on the next 'ifconfig'.
While
Author: kp
Date: Fri Mar 29 11:59:53 2019
New Revision: 345682
URL: https://svnweb.freebsd.org/changeset/base/345682
Log:
MFC r345178:
bridge: Fix panic if the STP root is removed
If the spanning tree root interface is removed from the bridge we panic
on the next 'ifconfig'.
While
Author: kp
Date: Sat Mar 23 07:07:44 2019
New Revision: 345440
URL: https://svnweb.freebsd.org/changeset/base/345440
Log:
MFC r345223:
pf: Rename pfsync bucket lock
Previously the main pfsync lock and the bucket locks shared the same name.
This led to spurious warnings from WITNESS
Author: kp
Date: Sat Mar 23 07:07:41 2019
New Revision: 345439
URL: https://svnweb.freebsd.org/changeset/base/345439
Log:
MFC r345223:
pf: Rename pfsync bucket lock
Previously the main pfsync lock and the bucket locks shared the same name.
This led to spurious warnings from WITNESS
Author: kp
Date: Sat Mar 23 01:07:51 2019
New Revision: 345430
URL: https://svnweb.freebsd.org/changeset/base/345430
Log:
pf tests: Fix accidental duplication of content
Also use the correct name for the scapy test script.
Modified:
head/tests/sys/netpfil/pf/icmp.sh
Modified: head/tests
Author: kp
Date: Fri Mar 22 07:39:28 2019
New Revision: 345409
URL: https://svnweb.freebsd.org/changeset/base/345409
Log:
pf tests: Test CVE-2019-5598
Verify that pf correctly drops inconsistent ICMP packets (i.e. where the
IP src/dst do not match the IP src/dst in the ICMP packet).
Added
Author: kp
Date: Thu Mar 21 14:17:12 2019
New Revision: 345378
URL: https://svnweb.freebsd.org/changeset/base/345378
Log:
MFC r345366:
pf: Ensure that IP addresses match in ICMP error packets
States in pf(4) let ICMP and ICMP6 packets pass if they have a
packet in their payload that
Author: kp
Date: Thu Mar 21 14:17:10 2019
New Revision: 345377
URL: https://svnweb.freebsd.org/changeset/base/345377
Log:
MFC r345366:
pf: Ensure that IP addresses match in ICMP error packets
States in pf(4) let ICMP and ICMP6 packets pass if they have a
packet in their payload that
Author: kp
Date: Thu Mar 21 08:15:46 2019
New Revision: 345367
URL: https://svnweb.freebsd.org/changeset/base/345367
Log:
pf tests: Move Sniffer to its own file
Make it easier to re-use the sniffer class in other test support
scripts.
Added:
head/tests/sys/netpfil/pf/sniffer.py (cont
Author: kp
Date: Thu Mar 21 08:09:52 2019
New Revision: 345366
URL: https://svnweb.freebsd.org/changeset/base/345366
Log:
pf: Ensure that IP addresses match in ICMP error packets
States in pf(4) let ICMP and ICMP6 packets pass if they have a
packet in their payload that matches an existing
Author: kp
Date: Wed Mar 20 01:55:24 2019
New Revision: 345313
URL: https://svnweb.freebsd.org/changeset/base/345313
Log:
if_tun: Fix MFC r344794:
VNET_DEFINE_STATIC does not exist on stable/11, so we should use 'static
VNET_DEFINE' instead.
Modified:
stable/11/sys/net/if_tun.c
Modifi
Author: kp
Date: Tue Mar 19 00:29:18 2019
New Revision: 345287
URL: https://svnweb.freebsd.org/changeset/base/345287
Log:
MFC r344797:
tun tests: Test renaming and destroying a tun interface in a vnet jail
There was a problem destroying renamed tun interfaces in vnet jails. This was
Author: kp
Date: Tue Mar 19 00:27:48 2019
New Revision: 345286
URL: https://svnweb.freebsd.org/changeset/base/345286
Log:
MFC r344794:
tun: VIMAGE fix for if_tun cloner
The if_tun cloner is not virtualised, but if_clone_attach() does use a
virtualised list of cloners.
The result is
Author: kp
Date: Tue Mar 19 00:27:45 2019
New Revision: 345285
URL: https://svnweb.freebsd.org/changeset/base/345285
Log:
MFC r344794:
tun: VIMAGE fix for if_tun cloner
The if_tun cloner is not virtualised, but if_clone_attach() does use a
virtualised list of cloners.
The result is
Author: kp
Date: Sat Mar 16 10:14:03 2019
New Revision: 345223
URL: https://svnweb.freebsd.org/changeset/base/345223
Log:
pf: Rename pfsync bucket lock
Previously the main pfsync lock and the bucket locks shared the same name.
This led to spurious warnings from WITNESS like this:
On 2019-03-15 17:13:05 (+), Kyle Evans wrote:
> Author: kevans
> Date: Fri Mar 15 17:13:05 2019
> New Revision: 345192
> URL: https://svnweb.freebsd.org/changeset/base/345192
>
> Log:
> if_bridge(4): Drop pointless rtflush
>
> At this point, all routes should've already been dropped by
Author: kp
Date: Fri Mar 15 15:52:36 2019
New Revision: 345187
URL: https://svnweb.freebsd.org/changeset/base/345187
Log:
bridge: Fix STP-related panic
After r345180 we need to have the appropriate vnet context set to delete an
rtnode in bridge_rtnode_destroy().
That's usually the case,
Author: kp
Date: Fri Mar 15 11:21:20 2019
New Revision: 345178
URL: https://svnweb.freebsd.org/changeset/base/345178
Log:
bridge: Fix panic if the STP root is removed
If the spanning tree root interface is removed from the bridge we panic
on the next 'ifconfig'.
While the STP code is no
Author: kp
Date: Fri Mar 15 11:08:44 2019
New Revision: 345177
URL: https://svnweb.freebsd.org/changeset/base/345177
Log:
pf: Use counter(9) in pf tables.
The counters of pf tables are updated outside the rule lock. That means state
updates might overwrite each other. Furthermore allocati
Author: kp
Date: Fri Mar 15 11:01:52 2019
New Revision: 345176
URL: https://svnweb.freebsd.org/changeset/base/345176
Log:
MFC r344921:
pf: Fix DIOCGETSRCNODES
r343295 broke DIOCGETSRCNODES by failing to reset 'nr' after counting the
number of source tracking nodes.
This meant that
Author: kp
Date: Fri Mar 15 11:01:49 2019
New Revision: 345175
URL: https://svnweb.freebsd.org/changeset/base/345175
Log:
MFC r344921:
pf: Fix DIOCGETSRCNODES
r343295 broke DIOCGETSRCNODES by failing to reset 'nr' after counting the
number of source tracking nodes.
This meant that
Author: kp
Date: Tue Mar 12 19:03:47 2019
New Revision: 345076
URL: https://svnweb.freebsd.org/changeset/base/345076
Log:
pf tests: Disable noalias test
Direct commit to stable/12 to disable the noalias test. The noalias feature
has not been merged to stable/12 as it is a (small) behavio
On 10 Mar 2019, at 17:54, Ian Lepore wrote:
> On Sun, 2019-03-10 at 10:34 +0100, Kristof Provost wrote:
>> Yes. I should see about scripting these MFCs someday, to avoid silly
>> mistakes like this.
>>
>
> Or looking into using gonzo's mfc helper website at
>
On 10 Mar 2019, at 10:16, Harry Schmalzbauer wrote:
Am 10.03.2019 um 01:56 schrieb Kristof Provost:
Author: kp
Date: Sun Mar 10 00:56:38 2019
New Revision: 344974
URL: https://svnweb.freebsd.org/changeset/base/344974
Log:
pf: Small performance tweak
Seems to be the MFC of 344493.
Indeed
Author: kp
Date: Sun Mar 10 00:56:38 2019
New Revision: 344974
URL: https://svnweb.freebsd.org/changeset/base/344974
Log:
pf: Small performance tweak
Because fetching a counter is a rather expensive function we should use
counter_u64_fetch() in pf_state_expires() only when necessary. A "r
Author: kp
Date: Sun Mar 10 00:56:39 2019
New Revision: 344975
URL: https://svnweb.freebsd.org/changeset/base/344975
Log:
pf: Small performance tweak
Because fetching a counter is a rather expensive function we should use
counter_u64_fetch() in pf_state_expires() only when necessary. A "r
Author: kp
Date: Sat Mar 9 10:28:36 2019
New Revision: 344964
URL: https://svnweb.freebsd.org/changeset/base/344964
Log:
MFC r340073, r341359:
pf: Keep a reference to struct ifnets we're using
Ensure that the struct ifnet we use can't go away until we're done with
it.
pf: Fix p
Author: kp
Date: Sat Mar 9 10:24:39 2019
New Revision: 344962
URL: https://svnweb.freebsd.org/changeset/base/344962
Log:
MFC r341360:
pf tests: Test name handling
Provoke a situation where two interfaces have the same name, and verify
pf's reaction to this.
Added:
stable/12/tests
Author: kp
Date: Sat Mar 9 10:34:42 2019
New Revision: 344966
URL: https://svnweb.freebsd.org/changeset/base/344966
Log:
MFC r344764
tests: Move common (vnet) test functions into a common file
The netipsec and pf tests have a number of common test functions. These
used to be duplica
Author: kp
Date: Sat Mar 9 10:35:37 2019
New Revision: 344967
URL: https://svnweb.freebsd.org/changeset/base/344967
Log:
MFC r344720:
pf tests: Test for nested inline anchor issue
PR: 196314
Modified:
stable/12/tests/sys/netpfil/pf/pass_block.sh
Directory Properties:
st
Author: kp
Date: Sat Mar 9 10:33:47 2019
New Revision: 344965
URL: https://svnweb.freebsd.org/changeset/base/344965
Log:
MFC r339836, r340286, r341358:
pf tests: Test ':0' ignoring link-local addresses
Fix test: sys.netpfil.pf.pass_block.noalias
Replace hard-coded epair0b with th
Author: kp
Date: Sat Mar 9 10:28:36 2019
New Revision: 344963
URL: https://svnweb.freebsd.org/changeset/base/344963
Log:
MFC r340073, r341359:
pf: Keep a reference to struct ifnets we're using
Ensure that the struct ifnet we use can't go away until we're done with
it.
pf: Fix p
Author: kp
Date: Fri Mar 8 09:33:16 2019
New Revision: 344921
URL: https://svnweb.freebsd.org/changeset/base/344921
Log:
pf: Fix DIOCGETSRCNODES
r343295 broke DIOCGETSRCNODES by failing to reset 'nr' after counting the
number of source tracking nodes.
This meant that we never copied th
Author: kp
Date: Thu Mar 7 11:09:29 2019
New Revision: 344876
URL: https://svnweb.freebsd.org/changeset/base/344876
Log:
pf tests: Accelerate tests
Make the tests run slightly faster by having pft_ping.py end the capture
of packets as soon as it sees the expected packet, rather than
co
Author: kp
Date: Tue Mar 5 15:49:30 2019
New Revision: 344797
URL: https://svnweb.freebsd.org/changeset/base/344797
Log:
tun tests: Test renaming and destroying a tun interface in a vnet jail
There was a problem destroying renamed tun interfaces in vnet jails. This was
fixed in r344794.
Author: kp
Date: Tue Mar 5 13:21:07 2019
New Revision: 344794
URL: https://svnweb.freebsd.org/changeset/base/344794
Log:
tun: VIMAGE fix for if_tun cloner
The if_tun cloner is not virtualised, but if_clone_attach() does use a
virtualised list of cloners.
The result is that we can't fin
Author: kp
Date: Tue Mar 5 08:45:07 2019
New Revision: 344793
URL: https://svnweb.freebsd.org/changeset/base/344793
Log:
MFC r344692:
pf tests: Test CVE-2019-5597
Generate a fragmented packet with different header chains, to provoke
the incorrect behaviour of pf.
Without the fix t
Author: kp
Date: Mon Mar 4 18:15:06 2019
New Revision: 344764
URL: https://svnweb.freebsd.org/changeset/base/344764
Log:
tests: Move common (vnet) test functions into a common file
The netipsec and pf tests have a number of common test functions. These
used to be duplicated, but it makes
Author: kp
Date: Sat Mar 2 12:30:59 2019
New Revision: 344720
URL: https://svnweb.freebsd.org/changeset/base/344720
Log:
pf tests: Test for nested inline anchor issue
PR: 196314
MFC after: 1 week
Modified:
head/tests/sys/netpfil/pf/pass_block.sh
Modified: head/tests/sys/
Author: kp
Date: Fri Mar 1 22:33:24 2019
New Revision: 344712
URL: https://svnweb.freebsd.org/changeset/base/344712
Log:
MFC r343978:
pfctl: Fix ifa_grouplookup()
Setting the length of the request got lost in r343287, which means
SIOCGIFGMEMB gives us the required length, but does
Author: kp
Date: Fri Mar 1 18:12:07 2019
New Revision: 344707
URL: https://svnweb.freebsd.org/changeset/base/344707
Log:
MFC r344691:
pf: IPv6 fragments with malformed extension headers could be erroneously
passed by pf or cause a panic
We mistakenly used the extoff value from the la
Author: kp
Date: Fri Mar 1 18:12:05 2019
New Revision: 344706
URL: https://svnweb.freebsd.org/changeset/base/344706
Log:
MFC r344691:
pf: IPv6 fragments with malformed extension headers could be erroneously
passed by pf or cause a panic
We mistakenly used the extoff value from the la
Author: kp
Date: Fri Mar 1 07:39:55 2019
New Revision: 344692
URL: https://svnweb.freebsd.org/changeset/base/344692
Log:
pf tests: Test CVE-2019-5597
Generate a fragmented packet with different header chains, to provoke
the incorrect behaviour of pf.
Without the fix this will trigger a
Author: kp
Date: Fri Mar 1 07:37:45 2019
New Revision: 344691
URL: https://svnweb.freebsd.org/changeset/base/344691
Log:
pf: IPv6 fragments with malformed extension headers could be erroneously
passed by pf or cause a panic
We mistakenly used the extoff value from the last packet to patch
Author: kp
Date: Sun Feb 24 17:23:55 2019
New Revision: 344493
URL: https://svnweb.freebsd.org/changeset/base/344493
Log:
pf: Small performance tweak
Because fetching a counter is a rather expensive function we should use
counter_u64_fetch() in pf_state_expires() only when necessary. A "r
Author: kp
Date: Tue Feb 19 18:22:57 2019
New Revision: 344282
URL: https://svnweb.freebsd.org/changeset/base/344282
Log:
MFC r344061:
garp: Fix vnet related panic for gratuitous arp
Gratuitous ARP packets are sent from a timer, which means we don't have a vnet
context set. As a resu
Author: kp
Date: Tue Feb 19 18:22:55 2019
New Revision: 344281
URL: https://svnweb.freebsd.org/changeset/base/344281
Log:
MFC r344061:
garp: Fix vnet related panic for gratuitous arp
Gratuitous ARP packets are sent from a timer, which means we don't have a vnet
context set. As a resu
Author: kp
Date: Tue Feb 12 21:22:57 2019
New Revision: 344061
URL: https://svnweb.freebsd.org/changeset/base/344061
Log:
garp: Fix vnet related panic for gratuitous arp
Gratuitous ARP packets are sent from a timer, which means we don't have a vnet
context set. As a result we panic trying
On 2019-02-12 15:54:51 (+0100), Kristof Provost wrote:
> On 2019-02-12 06:18:07 (-0800), Cy Schubert wrote:
> > In message <201902121403.x1ce3efp052...@repo.freebsd.org>, Dmitry
> > Morozovsky writes:
> > > Author: marck (doc committer)
> >
On 2019-02-12 06:18:07 (-0800), Cy Schubert wrote:
> In message <201902121403.x1ce3efp052...@repo.freebsd.org>, Dmitry
> Morozovsky writes:
> > Author: marck (doc committer)
> > Date: Tue Feb 12 14:03:39 2019
> > New Revision: 344052
> > URL: https://svnweb.freebsd.org/changeset/base/344052
>
Author: kp
Date: Mon Feb 11 19:08:03 2019
New Revision: 344020
URL: https://svnweb.freebsd.org/changeset/base/344020
Log:
MFC r343520:
pfctl: Point users to net.pf.request_maxcount if large requests are rejected
The kernel will reject very large tables to avoid resource exhaustion at
Author: kp
Date: Mon Feb 11 19:08:01 2019
New Revision: 344019
URL: https://svnweb.freebsd.org/changeset/base/344019
Log:
MFC r343520:
pfctl: Point users to net.pf.request_maxcount if large requests are rejected
The kernel will reject very large tables to avoid resource exhaustion at
Author: kp
Date: Sun Feb 10 21:22:55 2019
New Revision: 343978
URL: https://svnweb.freebsd.org/changeset/base/343978
Log:
pfctl: Fix ifa_grouplookup()
Setting the length of the request got lost in r343287, which means
SIOCGIFGMEMB gives us the required length, but does not copy the names
Author: kp
Date: Fri Feb 1 10:04:54 2019
New Revision: 343653
URL: https://svnweb.freebsd.org/changeset/base/343653
Log:
MFC r343418:
pf: Fix use-after-free of counters
When cleaning up a vnet we free the counters in V_pf_default_rule and
V_pf_status from shutdown_pf(), but we can s
Author: kp
Date: Fri Feb 1 10:04:53 2019
New Revision: 343652
URL: https://svnweb.freebsd.org/changeset/base/343652
Log:
MFC r343418:
pf: Fix use-after-free of counters
When cleaning up a vnet we free the counters in V_pf_default_rule and
V_pf_status from shutdown_pf(), but we can s
Author: kp
Date: Tue Jan 29 17:52:42 2019
New Revision: 343555
URL: https://svnweb.freebsd.org/changeset/base/343555
Log:
MFC r343297:
pf tests: Check size validation in DIOCGETSRCNODES
Ensure that invalid sizes for DIOCGETSRCNODES do not cause panics.
Modified:
stable/12/tests/sys/
Author: kp
Date: Tue Jan 29 17:49:38 2019
New Revision: 343553
URL: https://svnweb.freebsd.org/changeset/base/343553
Log:
MFC r343295:
pf: Validate psn_len in DIOCGETSRCNODES
psn_len is controlled by user space, but we allocated memory based on it.
Check how much memory we might need
Author: kp
Date: Tue Jan 29 17:49:39 2019
New Revision: 343554
URL: https://svnweb.freebsd.org/changeset/base/343554
Log:
MFC r343295:
pf: Validate psn_len in DIOCGETSRCNODES
psn_len is controlled by user space, but we allocated memory based on it.
Check how much memory we might need
Author: kp
Date: Mon Jan 28 08:36:10 2019
New Revision: 343520
URL: https://svnweb.freebsd.org/changeset/base/343520
Log:
pfctl: Point users to net.pf.request_maxcount if large requests are rejected
The kernel will reject very large tables to avoid resource exhaustion
attacks. Some users
Author: kp
Date: Fri Jan 25 01:06:06 2019
New Revision: 343418
URL: https://svnweb.freebsd.org/changeset/base/343418
Log:
pf: Fix use-after-free of counters
When cleaning up a vnet we free the counters in V_pf_default_rule and
V_pf_status from shutdown_pf(), but we can still use them late
Author: kp
Date: Tue Jan 22 02:56:36 2019
New Revision: 343297
URL: https://svnweb.freebsd.org/changeset/base/343297
Log:
pf tests: Check size validation in DIOCGETSRCNODES
Ensure that invalid sizes for DIOCGETSRCNODES do not cause panics.
MFC after: 1 week
Modified:
head/tests/
Author: kp
Date: Tue Jan 22 02:13:33 2019
New Revision: 343295
URL: https://svnweb.freebsd.org/changeset/base/343295
Log:
pf: Validate psn_len in DIOCGETSRCNODES
psn_len is controlled by user space, but we allocated memory based on it.
Check how much memory we might need at most (i.e. how
Author: kp
Date: Tue Jan 22 01:07:20 2019
New Revision: 343290
URL: https://svnweb.freebsd.org/changeset/base/343290
Log:
MFC r343041
pf: silence a runtime warning
Sometimes, for negated tables, pf can log 'pfr_update_stats: assertion
failed'.
This warning does not clarify anything
Author: kp
Date: Tue Jan 22 01:07:18 2019
New Revision: 343289
URL: https://svnweb.freebsd.org/changeset/base/343289
Log:
MFC r343041
pf: silence a runtime warning
Sometimes, for negated tables, pf can log 'pfr_update_stats: assertion
failed'.
This warning does not clarify anything
Author: kp
Date: Mon Jan 21 00:32:03 2019
New Revision: 343236
URL: https://svnweb.freebsd.org/changeset/base/343236
Log:
MFC r343130
pf: fix pfsync breaking carp
Fix missing initialisation of sc_flags into a valid sync state on clone which
breaks carp in pfsync.
This regression
Author: kp
Date: Mon Jan 21 00:32:04 2019
New Revision: 343237
URL: https://svnweb.freebsd.org/changeset/base/343237
Log:
MFC r343130
pf: fix pfsync breaking carp
Fix missing initialisation of sc_flags into a valid sync state on clone which
breaks carp in pfsync.
This regression
Author: kp
Date: Sun Jan 20 22:01:39 2019
New Revision: 343228
URL: https://svnweb.freebsd.org/changeset/base/343228
Log:
MFC r342989
pfctl: Fix 'set skip' handling for groups
When we skip on a group the kernel will automatically skip on the member
interfaces. We still need to update
Author: kp
Date: Sun Jan 20 22:01:41 2019
New Revision: 343229
URL: https://svnweb.freebsd.org/changeset/base/343229
Log:
MFC r342989
pfctl: Fix 'set skip' handling for groups
When we skip on a group the kernel will automatically skip on the member
interfaces. We still need to update
Author: kp
Date: Sun Jan 20 22:03:43 2019
New Revision: 343230
URL: https://svnweb.freebsd.org/changeset/base/343230
Log:
MFC r342990
pf tests: Test PR 229241
pfctl has an issue with 'set skip on ', which causes inconsistent
behaviour: the set skip directive works initially, but does
Author: kp
Date: Fri Jan 18 08:19:54 2019
New Revision: 343130
URL: https://svnweb.freebsd.org/changeset/base/343130
Log:
pf: fix pfsync breaking carp
Fix missing initialisation of sc_flags into a valid sync state on clone which
breaks carp in pfsync.
This regression was introduced by
Author: kp
Date: Wed Jan 16 05:17:27 2019
New Revision: 343084
URL: https://svnweb.freebsd.org/changeset/base/343084
Log:
MFC r342591,342599:
Make kernel print jail ID when logging a process exit
Kernel now includes jail ID when logging a process exit. jid is 0 for unjailed
processes
Author: kp
Date: Wed Jan 16 05:17:24 2019
New Revision: 343083
URL: https://svnweb.freebsd.org/changeset/base/343083
Log:
MFC r342591,342599:
Make kernel print jail ID when logging a process exit
Kernel now includes jail ID when logging a process exit. jid is 0 for unjailed
processes
Author: kp
Date: Tue Jan 15 08:59:51 2019
New Revision: 343041
URL: https://svnweb.freebsd.org/changeset/base/343041
Log:
pf: silence a runtime warning
Sometimes, for negated tables, pf can log 'pfr_update_stats: assertion
failed'.
This warning does not clarify anything for users, so sil
Author: kp
Date: Sun Jan 13 05:31:53 2019
New Revision: 342990
URL: https://svnweb.freebsd.org/changeset/base/342990
Log:
pf tests: Test PR 229241
pfctl has an issue with 'set skip on ', which causes inconsistent
behaviour: the set skip directive works initially, but does not take
effec
Author: kp
Date: Sun Jan 13 05:30:26 2019
New Revision: 342989
URL: https://svnweb.freebsd.org/changeset/base/342989
Log:
pfctl: Fix 'set skip' handling for groups
When we skip on a group the kernel will automatically skip on the member
interfaces. We still need to update our own cache th
Author: kp
Date: Sat Jan 12 05:44:10 2019
New Revision: 342956
URL: https://svnweb.freebsd.org/changeset/base/342956
Log:
MFC r342784:
pf: Remove references to pflow from the pf.conf man page
pflow no longer exists. It was removed as part of a pf update back in 2012
(r240233).
P
Author: kp
Date: Sat Jan 12 05:38:48 2019
New Revision: 342955
URL: https://svnweb.freebsd.org/changeset/base/342955
Log:
MFC r342784:
pf: Remove references to pflow from the pf.conf man page
pflow no longer exists. It was removed as part of a pf update back in 2012
(r240233).
P
On 2019-01-09 23:38:27 (-0800), Gleb Smirnoff wrote:
> On Thu, Jan 10, 2019 at 01:47:57AM +, Andrey V. Elsukov wrote:
> A> glebius@ has reported that they at Netflix discovered, that initialization
> A> of this variable produces significant overhead on packet processing.
> A> After pa
Author: kp
Date: Sat Jan 5 05:50:16 2019
New Revision: 342784
URL: https://svnweb.freebsd.org/changeset/base/342784
Log:
pf: Remove references to pflow from the pf.conf man page
pflow no longer exists. It was removed as part of a pf update back in 2012
(r240233).
PR: 22395
Author: kp
Date: Fri Jan 4 21:12:17 2019
New Revision: 342779
URL: https://svnweb.freebsd.org/changeset/base/342779
Log:
Remove unneeded NULL check for td_ucred
td_ucred is always set, so we don't need the ternary expression to check for
it.
Modified:
head/sys/kern/kern_sig.c
Modifie
On 1 Jan 2019, at 2:15, John Baldwin wrote:
On 12/29/18 1:36 PM, Kristof Provost wrote:
Author: kp
Date: Sat Dec 29 21:36:02 2018
New Revision: 342599
URL: https://svnweb.freebsd.org/changeset/base/342599
Log:
Simplify jail ID printing on process exit
As suggested by kib@, we don't
Author: kp
Date: Sat Dec 29 21:36:02 2018
New Revision: 342599
URL: https://svnweb.freebsd.org/changeset/base/342599
Log:
Simplify jail ID printing on process exit
As suggested by kib@, we don't need to check p_ucred, because that's only NULL
during process creation, and cr_prison is neve
Author: kp
Date: Sat Dec 29 14:48:51 2018
New Revision: 342591
URL: https://svnweb.freebsd.org/changeset/base/342591
Log:
Make kernel print jail ID when logging a process exit
Kernel now includes jail ID when logging a process exit. jid is 0 for unjailed
processes.
Submitted by: Mari
Author: kp
Date: Wed Dec 26 12:56:36 2018
New Revision: 342545
URL: https://svnweb.freebsd.org/changeset/base/342545
Log:
MFC r342000:
pf tests: Basic rdr test
Added:
stable/12/tests/sys/netpfil/pf/rdr.sh
- copied unchanged from r342000, head/tests/sys/netpfil/pf/rdr.sh
Modified:
Author: kp
Date: Wed Dec 26 12:55:35 2018
New Revision: 342544
URL: https://svnweb.freebsd.org/changeset/base/342544
Log:
MFC r341999:
pf tests: NAT exhaustion test
It's been reported that pf doesn't handle running out of available ports
for NAT correctly. It freezes until a state ex
201 - 300 of 704 matches