15dc713c vmaffione April 7, 2021, 9:32 p.m.
Follow-up change to a6d768d845c173823785c71bb18b40074e7a8998.
This change adds support for netmap offsets.
cgit
f689cb23 vangyzen April 7, 2021, 8:05 p.m.
This function will be used for exposing DMI info as sysctls in the
smbios module (in an upcoming review).

While here, add __packed to the structs.

Reviewed by:	dab
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D29270
cgit
a29bff7a vangyzen April 7, 2021, 7:46 p.m.
On some systems (e.g. Lenovo ThinkPad X240, Apple MacBookPro12,1)
the SMBIOS entry point is not found in the <0xFFFFF space.

Follow the SMBIOS spec and use the EFI Configuration Table for
locating the entry point on EFI systems.

Reviewed by:	rpokala, dab
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D29276
cgit
13d4f961 rlibby April 7, 2021, 7:39 p.m.
Add a regression test for a scenario where a shadow vm object is shared
by multiple mappings.  If a page COW occurs through one of the mappings,
then the virtual-to-physical mapping may become invalidated.

This tests the scenario from CVE-2021-29626 which was fixed by
982693bb729badac4e65ecd59772979f2849a2b2.

Reviewed by:	markj
Sponsored by:	Dell EMC Isilon
cgit
2b1d0c00 oshogbo April 7, 2021, 7:16 p.m.
In situations when the current file name wasn't the first element on
the list we were cleaning the current name too early.
This might cause us to pre-cache the same file twice.
cgit
5a8d32b5 mav April 7, 2021, 7:09 p.m.
MFC after:	1 week
cgit
5984246f vangyzen April 7, 2021, 6:40 p.m.
Until now, the boot image can be embedded into the loader with
/sys/tools/embed_mfs.sh, and memory disk (MD) is already supported
in loader source. But due to memory disk (MD) driver isn't registered
to the loader yet, the boot image can't be boot from embedded memory
disk.

Reviewed by:	dab, tsoome
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D29512
cgit
0f07c234 markj April 7, 2021, 6:33 p.m.
Reviewed by:	imp
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29626
cgit
27457983 markj April 7, 2021, 6:32 p.m.
Capsicum did not prevent certain privileged networking operations,
specifically creation of raw sockets and network configuration ioctls.
However, these facilities can be used to circumvent some of the
restrictions that capability mode is supposed to enforce.

Add capability mode checks to disallow network configuration ioctls and
creation of sockets other than PF_LOCAL and SOCK_DGRAM/STREAM/SEQPACKET
internet sockets.

Reviewed by:	oshogbo
Discussed with:	emaste
Reported by:	manu
Sponsored by:	The FreeBSD Foundation
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D29423
cgit
12db51d2 vangyzen April 7, 2021, 4:23 p.m.
loader.efi has an empty set_Xfic section.  Handle it correctly.

```
Sections:
Idx Name          Size      VMA               LMA               File off  Algn
[...]
3 set_Xcom      00000168  00000000000d4000  00000000000d4000  000d0e00  2**2
	      CONTENTS, ALLOC, LOAD, DATA
4 set_Xfic      00000000  00000000000d4168  00000000000d4168  00000000  2**2
	      ALLOC, LOAD, DATA
5 .sdata        00000448  00000000000d5000  00000000000d5000  000d1000  2**2
	      CONTENTS, ALLOC, LOAD, DATA
[...]
```

Reviewed by:	trasz, dab
Reported by:	andy.y.liu@dell.com
Tested by:	andy.y.liu@dell.com
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D29606
cgit
066a576c allanjude April 7, 2021, 3:37 p.m.
In d6164b77f8b779cd7357387dcfcd3407f1457579 the ability to show
ranges of nat log entries was removed.

PR:	254192
Reviewed by:	allanjude
cgit
f37667e2 kp April 7, 2021, 3:03 p.m.
This replicates an issue observed on pfSense: https://redmine.pfsense.org/issues/11436

In essence, reply-to is needed to ensure that connections always leave
the WAN interface they came in on, but this confused the state tracking.

MFC after:	2 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
cgit
6d786845 kp April 7, 2021, 3:03 p.m.
When we find a state for packets that was created by a reply-to rule we
still need to process the packet. The state may require us to modify the
packet (e.g. in rdr or nat cases), which we won't do with the shortcut.

MFC after:	2 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
cgit
ab8d2588 kp April 7, 2021, 1:54 p.m.
44c125c4cebc2fd87c6260b90eddae11201f5232 switched the nvlist allocations
to be M_WAITOK, but this precludes the use in non-sleepable contexts.
(E.g. with a nonsleepable lock held).

All callers for these allocation functions already cope with memory
alloation failures, so there's no reason to allow sleeping during
allocations.

Reviewed by:	melifaro, oshogbo
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29556
cgit
5a562339 kp April 7, 2021, 11:05 a.m.
tests/sys/netfil/pf/synproxy fails if inetd has been running
outside of the jail because pidfile_open() fails with EEXIST.
tests/sys/netfil/pf/nat has the same problem but the test succeeds
because whether inetd is running is not so important.

Fix the problem by changing the pidfile path from the default
location.

Reviewed by:	kp
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D29622
cgit