076b3a50 kp Oct. 16, 2021, 9:02 p.m.
For some traffic there might be no matching rule in the current ruleset,
for example when a state was imported via pfsync from a system with a
different ruleset checksum. In this case pf_route uses s->rt_addr for
routing target instead of r->rpool.cur but r->rpool is checked anyway,
resulting in dropped packets.

PR:		259183
Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by:	InnoGames GmbH
e2aab5e2 rmacklem Oct. 16, 2021, 10:49 p.m.
This patch moves release of the shared clientID lock from nfsrpc_close()
just after the nfscl_doclose() call to the end of nfscl_doclose() call.
This does make the code cleaner, since the shared lock is acquired at
the beginning of nfscl_doclose().  The only semantics change is that
the code no longer drops and reacquires the NFSCLSTATELOCK() mutex,
which I do not believe will have a negative effect on the NFSv4 client.

This is being done to prepare the code for a future patch that fixes
the case where an NFSv4.1/4.2 server replies NFSERR_DELAY to a Close

MFC after:	2 weeks
79239b5b dim Oct. 16, 2021, 9:16 p.m.
In some configurations (e.g. powerpc64) the llvm-readobj tool also needs
contrib/llvm-project/llvm/BinaryFormat/MsgPackWriter.cpp, so add it to

Reported by:	Shawn Webb <shawn.webb@hardenedbsd.org>
Fixes:		1b85b68da0b2
7dd419ca mjg Oct. 16, 2021, 8:08 p.m.
This avoids spurious drop offs as EMPTY is passed regardless of the
actual path name.

Pushing the work inside the lookup instead of just ignoring the flag
allows avoiding the empty-pathname check for all other lookups.
46dd801a cperciva Oct. 16, 2021, 6:47 p.m.
On kernels compiled with 'options TSLOG', record for each process ID:
* The timestamp of the fork() which creates it and the parent
process ID,
* The first path passed to execve(), if any,
* The first path resolved by namei, if any, and
* The timestamp of the exit() which terminates the process.

Expose this information via a new sysctl, debug.tslog_user.

On kernels lacking 'options TSLOG' (the default), no information is
recorded and the sysctl does not exist.

Note that recording namei is needed in order to obtain the names of
rc.d scripts being launched, as the rc system sources them in a
subshell rather than execing the scripts.

With this commit it is now possible to generate flamecharts of the
entire boot process from the start of the loader to the end of
/etc/rc.  The code needed to perform this processing is currently
found in github: https://github.com/cperciva/freebsd-boot-profiling

Reviewed by:	mhorne
Sponsored by:	https://www.patreon.com/cperciva
Differential Revision: https://reviews.freebsd.org/D32493
498cca14 kp Oct. 16, 2021, 7:32 a.m.
When a redirection/nat IP address is selected by pf_map_addr it is
logged with PF_DEBUG_MISC level. This one, according to the manual, means
"Generate debug messages for various errors". Selecting an IP address is
not an error, it's a normal function of pf for route-to, nat and some
other operations. Therefore the PF_DEBUG_NOISY level should be chosen, which
means "Generate debug messages for common conditions".

PR:		259184
Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by:	InnoGames GmbH
aa92785a hselasky Oct. 16, 2021, 8:40 a.m.
Differential Revision:	https://reviews.freebsd.org/D32508
Submitted by:	christos@
Sponsored by:	NVIDIA Networking
899a3b38 gbe Oct. 16, 2021, 6:09 a.m.
- s/alocated/allocated/
- s/realocated/reallocated/

MFC after:	3 days
461e6f23 sobomax Oct. 15, 2021, 11:48 p.m.
Consider IP_MF flag when checking length of the UDP packet to
match the declared value.

Sponsored by:	Sippy Software, Inc.
Differential Revision:	https://reviews.freebsd.org/D32363
MFC after:	2 weeks
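The length check described in the commit above, as an added example that is not FreeBSD's own udp_input code: a standalone validator that compares the UDP length field (uh_ulen) with the IPv4 payload actually present in the packet, once the strict way (length must equal the IP payload) and once with IP_MF taken into account. When IP_MF is set on a first fragment, the UDP header declares the length of the whole datagram, so only a prefix of it is present and strict equality wrongly rejects the packet. The packet bytes, verdict names and helper functions are constructed for this example.

```c
/* Added example: validate a UDP datagram's length field inside an IPv4
 * packet, with and without considering the IP_MF (more fragments) flag.
 * Not FreeBSD code; verdict names and helpers are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MF       0x2000u   /* more fragments follow */
#define IP_OFFMASK  0x1fffu   /* fragment offset, in 8-byte units */
#define IPPROTO_UDP 17

enum udp_verdict {
    UDP_OK,                  /* complete datagram, uh_ulen equals IP payload */
    UDP_OK_FIRST_FRAGMENT,   /* first fragment; uh_ulen covers more than is here */
    UDP_SKIP_LATER_FRAGMENT, /* non-first fragment: carries no UDP header */
    UDP_BAD_IP,              /* truncated or malformed IPv4 header */
    UDP_BAD_LEN              /* uh_ulen inconsistent with the bytes carried */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* pkt points at the IPv4 header; caplen is the number of bytes available.
 * consider_mf == 0 reproduces the strict check (uh_ulen must equal the IP
 * payload), which drops the first fragment of a fragmented datagram.
 * consider_mf != 0 accepts a first fragment whose uh_ulen is at least as
 * large as the payload present in this fragment. */
enum udp_verdict check_udp_len(const uint8_t *pkt, size_t caplen, int consider_mf)
{
    if (caplen < 20) return UDP_BAD_IP;
    unsigned ver = pkt[0] >> 4, hl = (pkt[0] & 0x0fu) * 4u;
    if (ver != 4 || hl < 20 || hl > caplen) return UDP_BAD_IP;
    uint16_t ip_len = be16(pkt + 2);
    if (ip_len < hl || ip_len > caplen) return UDP_BAD_IP;
    if (pkt[9] != IPPROTO_UDP) return UDP_BAD_IP;

    uint16_t ip_off = be16(pkt + 6);
    if (ip_off & IP_OFFMASK) return UDP_SKIP_LATER_FRAGMENT;
    int more_frags = (ip_off & IP_MF) != 0;

    size_t payload = (size_t)ip_len - hl;    /* bytes after the IP header here */
    if (payload < 8) return UDP_BAD_LEN;     /* no room for a UDP header */
    uint16_t ulen = be16(pkt + hl + 4);      /* uh_ulen: whole datagram incl. header */
    if (ulen < 8) return UDP_BAD_LEN;

    if (consider_mf && more_frags) {
        /* Only a prefix of the datagram is present; uh_ulen must cover it. */
        return ulen >= payload ? UDP_OK_FIRST_FRAGMENT : UDP_BAD_LEN;
    }
    return ulen == payload ? UDP_OK : UDP_BAD_LEN;
}

/* Constructed IPv4+UDP packet: 20-byte IP header, 8-byte UDP header, data. */
static void build_ipv4_udp(uint8_t *out, size_t *len, uint16_t ip_off_field,
                           uint16_t ulen, size_t data_here)
{
    uint16_t total = (uint16_t)(20 + 8 + data_here);
    memset(out, 0, total);
    out[0] = 0x45;                                        /* IPv4, IHL 5 */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[6] = (uint8_t)(ip_off_field >> 8); out[7] = (uint8_t)ip_off_field;
    out[8] = 64; out[9] = IPPROTO_UDP;
    out[20] = 0x04; out[21] = 0xd2;                       /* src port 1234 */
    out[22] = 0x00; out[23] = 0x35;                       /* dst port 53 */
    out[24] = (uint8_t)(ulen >> 8); out[25] = (uint8_t)ulen;
    *len = total;
}

/* Unfragmented: 100 data bytes, uh_ulen 108. Accepted by both checks. */
enum udp_verdict demo_whole(int consider_mf)
{
    uint8_t buf[1600]; size_t n;
    build_ipv4_udp(buf, &n, 0, 108, 100);
    return check_udp_len(buf, n, consider_mf);
}

/* First fragment of a 2000-byte UDP datagram: MF set, offset 0, 1480 bytes
 * of IP payload here (8 header + 1472 data). Strict check rejects it. */
enum udp_verdict demo_first_fragment(int consider_mf)
{
    uint8_t buf[1600]; size_t n;
    build_ipv4_udp(buf, &n, (uint16_t)IP_MF, 2000, 1472);
    return check_udp_len(buf, n, consider_mf);
}

/* Second fragment at offset 1480 (185 * 8): no UDP header to validate. */
enum udp_verdict demo_later_fragment(int consider_mf)
{
    uint8_t buf[1600]; size_t n;
    build_ipv4_udp(buf, &n, 185, 0, 512);
    return check_udp_len(buf, n, consider_mf);
}

/* Unfragmented packet whose uh_ulen claims more than is carried: rejected. */
enum udp_verdict demo_bad_ulen(int consider_mf)
{
    uint8_t buf[1600]; size_t n;
    build_ipv4_udp(buf, &n, 0, 200, 100);
    return check_udp_len(buf, n, consider_mf);
}
```

The point of the IP_MF branch is that a first fragment legitimately carries a uh_ulen larger than its own payload; the hardened check still rejects a uh_ulen smaller than the bytes present, and a non-first fragment is not inspected at all because its bytes are datagram data, not a UDP header. Anywhere unreassembled fragments are examined, an IP_MF-unaware equality check silently drops such traffic, which is the dropped-packet symptom the commit addresses.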
fc393054 cy Oct. 15, 2021, 11:06 p.m.
This reverts commit 55263180628a386ad38b4b6621919220b137f770 because the
underlying problem was fixed by 889b56c8cd84c9a9f2d9e3b019c154d6f14d9021.

MFC after:	1 month
733a832f cy Oct. 15, 2021, 11:06 p.m.
This reverts commit af949c590bd8a00a5973b5875d7e0fa6832ea64a because
889b56c8cd84c9a9f2d9e3b019c154d6f14d9021 fixes the underlying problem.

MFC after:	1 month
914ec9c7 kp Oct. 15, 2021, 8:19 p.m.
Test that the $nr expansion in labels is correct, even if the optimiser
reduces the rule count.

MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D32489
09c7f238 kp Oct. 15, 2021, 8:19 p.m.
We used to expand the $nr macro in labels into the rule number prior to
the optimisation step. This would occasionally produce incorrect rule
numbers in the labels.

Delay all macro expansion until after the optimisation step to ensure
that we expand the correct values.

MFC after:	1 week
Reported by:	Özkan KIRIK <ozkan.kirik@gmail.com>
Differential Revision:	https://reviews.freebsd.org/D32488
77c595ce rmacklem Oct. 15, 2021, 9:25 p.m.
This patch adds a new argument to nfscl_tryclose() to indicate
whether or not it should loop when a NFSERR_DELAY reply is received
from the NFSv4 server.  Since this new argument is always passed in
as "true" at this time, no semantics change should occur.

This is being done to prepare the code for a future patch that fixes
the case where an NFSv4.1/4.2 server replies NFSERR_DELAY to a Close

MFC after:	2 weeks
2e85df65 emaste Oct. 15, 2021, 7:10 p.m.
From https://github.com/PJK/libcbor:

    libcbor is a C library for parsing and generating CBOR, the general-
    purpose schema-less binary data format.

libcbor will be used by ssh to support FIDO/U2F keys.  It is currently
intended only for use by ssh, and so is installed as a PRIVATELIB and is
placed in the ssh pkgbase package.

cbor_export.h and configuration.h were generated by the upstream CMake
build.  We could create them with bmake rules instead (as NetBSD has
done) but this is a fine start.

This is currently disabled for the 32-bit library build as libfido2 is
not compatible with the COMPAT_32BIT hack in usb_ioctl.h, and there is
no need for libcbor without libfido2.

Reviewed by:	kevans
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32347