0a539a0f kbowling Aug. 18, 2021, 5:15 p.m.
PR:		217978
Reported by:	Franco Fichtner <franco@opnsense.org>
Reviewed by:	markj
Obtained from:	OPNsense
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D31503
cgit
bb250fae kbowling Aug. 18, 2021, 5:05 p.m.
Use the early break to avoid else definitions. When RSS gains a
runtime option previous constructs would duplicate and convolute
the existing code.

While here init flowid and skip magic numbers and late default
assignment.

Reviewed by:	melifaro, kbowling
Obtained from:	OPNsense
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D31584
cgit
89c0d2b1 khng Aug. 18, 2021, 3:45 p.m.
Sponsored by:	The FreeBSD Foundation
cgit
aec8ad8a mjg Aug. 18, 2021, 3:24 p.m.
Stat collection using counter(9) is quite expensive on this platform and
these counters are normally not needed.

In particular we see about 1.5% bump in packet rate using Cortex-A9

Reviewed by:	ian
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Different Revision:	https://reviews.freebsd.org/D31592
cgit
8a46f021 hselasky Aug. 18, 2021, 9:42 a.m.
MFC after:	1 week
Sponsored by:	NVIDIA Networking
cgit
07edc89c kp Aug. 18, 2021, 6:51 a.m.
This lock no longer exists. It was removed in
a60100fdfc10 (if: Remove ifnet_rwlock, 2020-11-25)

Reviewed by:		mjg
Pointed out by:		Dheeraj Kandula <dheerajk@netapp.com>
Different Revision:	https://reviews.freebsd.org/D31585
cgit
a051ca72 kp Aug. 18, 2021, 6:48 a.m.
Introduce m_get3() which is similar to m_get2(), but can allocate up to
MJUM16BYTES bytes (m_get2() can only allocate up to MJUMPAGESIZE).

This simplifies the bpf improvement in f13da24715.

Suggested by:	glebius
Differential Revision:	https://reviews.freebsd.org/D31455
cgit
66fa12d8 kbowling Aug. 18, 2021, 7:17 a.m.
When iflib devices are in netmap mode the driver
counters are no longer updated making it look from
userspace tools that traffic has stopped.

Reported by:	Franco Fichtner <franco@opnsense.org>
Reviewed by:	vmaffione, iflib (erj, gallatin)
Obtained from:	OPNsense
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D31550
cgit
e3500c60 wma Aug. 18, 2021, 6:21 a.m.
Use wd_enable instead of wd_disable
cgit
04500107 scottl Aug. 17, 2021, 9:50 p.m.
- Fix a warning in growfs. gpart commit is supposed to be called on disk
  device.
- Silence a gpart commit warning in growfs.

Submitted by: loos
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D31587
Sponsored by: Rubicon Communications, LLC ("Netgate")
cgit
671a35b1 jhb Aug. 17, 2021, 9:43 p.m.
Sponsored by:	Netflix
MFC after:	5 days
Differential Revision:	https://reviews.freebsd.org/D31444
cgit
6372fd25 jhb Aug. 17, 2021, 9:41 p.m.
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.

NB: This commit has not yet been merged upstream as it is deemed a new
feature and did not make the feature freeze cutoff for OpenSSL 3.0.

Reviewed by:	jkim
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31443
cgit
d6e78ecb jhb Aug. 17, 2021, 9:41 p.m.
Most of this upstream commit touched tests not included in the
vendor import.  The one change merged in is to remove a constant
only present in an internal header to appease the older tests.

Reviewed by:	jkim
Obtained from:	OpenSSL (e1fdd5262e4a45ce3aaa631768e877ee7b6da21b)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31442
cgit
a2082231 jhb Aug. 17, 2021, 9:41 p.m.
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.

Reviewed by:	jkim
Obtained from:	OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31441
cgit
62ca9fc1 jhb Aug. 17, 2021, 9:41 p.m.
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Reviewed by:	jkim
Obtained from:	OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
MFC after:	5 days
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D31440
cgit