2b1d0c00 oshogbo April 7, 2021, 7:16 p.m.
In situations when the current file name wasn't the first element on
the list we were cleaning the current name too early.
This might cause us to pre-cache the same file twice.
cgit
5a8d32b5 mav April 7, 2021, 7:09 p.m.
MFC after:	1 week
cgit
5984246f vangyzen April 7, 2021, 6:40 p.m.
Until now, the boot image can be embedded into the loader with
/sys/tools/embed_mfs.sh, and memory disk (MD) is already supported
in loader source. But due to memory disk (MD) driver isn't registered
to the loader yet, the boot image can't be boot from embedded memory
disk.

Reviewed by:	dab, tsoome
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D29512
cgit
0f07c234 markj April 7, 2021, 6:33 p.m.
Reviewed by:	imp
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29626
cgit
27457983 markj April 7, 2021, 6:32 p.m.
Capsicum did not prevent certain privileged networking operations,
specifically creation of raw sockets and network configuration ioctls.
However, these facilities can be used to circumvent some of the
restrictions that capability mode is supposed to enforce.

Add capability mode checks to disallow network configuration ioctls and
creation of sockets other than PF_LOCAL and SOCK_DGRAM/STREAM/SEQPACKET
internet sockets.

Reviewed by:	oshogbo
Discussed with:	emaste
Reported by:	manu
Sponsored by:	The FreeBSD Foundation
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D29423
cgit
12db51d2 vangyzen April 7, 2021, 4:23 p.m.
loader.efi has an empty set_Xfic section.  Handle it correctly.

```
Sections:
Idx Name          Size      VMA               LMA               File off  Algn
[...]
3 set_Xcom      00000168  00000000000d4000  00000000000d4000  000d0e00  2**2
	      CONTENTS, ALLOC, LOAD, DATA
4 set_Xfic      00000000  00000000000d4168  00000000000d4168  00000000  2**2
	      ALLOC, LOAD, DATA
5 .sdata        00000448  00000000000d5000  00000000000d5000  000d1000  2**2
	      CONTENTS, ALLOC, LOAD, DATA
[...]
```

Reviewed by:	trasz, dab
Reported by:	andy.y.liu@dell.com
Tested by:	andy.y.liu@dell.com
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D29606
cgit
066a576c allanjude April 7, 2021, 3:37 p.m.
In d6164b77f8b779cd7357387dcfcd3407f1457579 the ability to show
ranges of nat log entries was removed.

PR:	254192
Reviewed by:	allanjude
cgit
f37667e2 kp April 7, 2021, 3:03 p.m.
This replicates an issue observed on pfSense: https://redmine.pfsense.org/issues/11436

In essence, reply-to is needed to ensure that connections always leave
the WAN interface they came in on, but this confused the state tracking.

MFC after:	2 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
cgit
6d786845 kp April 7, 2021, 3:03 p.m.
When we find a state for packets that was created by a reply-to rule we
still need to process the packet. The state may require us to modify the
packet (e.g. in rdr or nat cases), which we won't do with the shortcut.

MFC after:	2 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
cgit
ab8d2588 kp April 7, 2021, 1:54 p.m.
44c125c4cebc2fd87c6260b90eddae11201f5232 switched the nvlist allocations
to be M_WAITOK, but this precludes the use in non-sleepable contexts.
(E.g. with a nonsleepable lock held).

All callers for these allocation functions already cope with memory
alloation failures, so there's no reason to allow sleeping during
allocations.

Reviewed by:	melifaro, oshogbo
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29556
cgit
5a562339 kp April 7, 2021, 11:05 a.m.
tests/sys/netfil/pf/synproxy fails if inetd has been running
outside of the jail because pidfile_open() fails with EEXIST.
tests/sys/netfil/pf/nat has the same problem but the test succeeds
because whether inetd is running is not so important.

Fix the problem by changing the pidfile path from the default
location.

Reviewed by:	kp
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D29622
cgit
86a52e26 khng April 7, 2021, 11:11 a.m.
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Reviewed by:	bcr
Approved by:	philip (mentor)
Differential Revision:	https://reviews.freebsd.org/D29408
cgit
2bca8aa7 arichardson April 7, 2021, 10:35 a.m.
libarchive: Apply upstream commit a1b7bf8013fb7a11a486794247daae592db6f5ae

This fixes the failing test_read_append_filter_wrong_program test in CI
which has been failing since 01-Dec-2020.

Commit message from https://github.com/libarchive/libarchive/commit/a1b7bf8013fb7a11a486794247daae592db6f5ae

    Silence stderr in test_read_append_filter_program

    When the FreeBSD testsuite runs the libarchive tests it checks that stderr
    is empty. Since #1382 this is no longer the case. This change restores
    the behaviour of silencing bunzip2 stderr but doesn't bring back the
    output text check.

    Partially reverts 2e7aa5d9

MFC after:	3 days
Differential Revision: https://reviews.freebsd.org/D29036
cgit
83532eb6 arichardson April 7, 2021, 9:34 a.m.
They have been failing for 1.5 months and the patch to fix them is stuck
in review so mark them as XFAIL for now to get Jenkins back to green.

To be reverted when https://reviews.freebsd.org/D28886 (or similar) is
commited.

Reviewed By:	kp
MFC after:	3 days
Differential Revision: https://reviews.freebsd.org/D29528
cgit
b8028f9d jmg April 6, 2021, 11:32 p.m.