Using the same random jitter for multiple rate limits allows an
attacker to use one rate limiter to figure out the current jitter
and then use this knowledge to de-randomize the other rate limiters.
This can be mitigated by using a separate randomized jitter for each
rate limiter.
This issue was reported as issue number 10 in Keyu Man et al.:
SCAD: Towards a Universal and Automated Network Side-Channel
Vulnerability Detection
Reviewed by: rrs, Peter Lei, glebius
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48804
(cherry picked from commit 923c223f27e792e51ca13c476428adbbf6887551)
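As an added illustration of the side channel this commit closes (example code written for this page, not the kernel's rate-limiting code): a toy model in which two rate limiters each answer base + jitter requests per second, with the jitter drawn from [0, 64). The names, the base limits of 200 and 50, the jitter range and the use of splitmix64 are assumptions of the model. In the defective variant both limiters reuse one draw per second; an attacker who floods the first limiter and counts the replies recovers the jitter and then knows the second limiter's budget exactly, every second. With a separate draw per limiter the same probe tells the attacker nothing about the second limiter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define JITTER_RANGE 64		/* assumed: jitter is drawn from [0, 64) */

struct ratelim {
	int base;		/* documented limit, assumed known to the attacker */
	int budget;		/* this second's randomized budget */
	uint64_t rng;		/* private PRNG state, used by the fixed variant */
};

/* splitmix64: a small deterministic PRNG so the simulation is reproducible. */
static uint64_t splitmix64(uint64_t *s)
{
	uint64_t z = (*s += 0x9E3779B97F4A7C15ULL);
	z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
	z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
	return z ^ (z >> 31);
}

static int draw_jitter(uint64_t *rng)
{
	return (int)(splitmix64(rng) % JITTER_RANGE);
}

/* Send n requests to a limiter; returns how many it answers this second. */
static int flood(struct ratelim *r, int n)
{
	int answered = n < r->budget ? n : r->budget;
	r->budget -= answered;
	return answered;
}

/*
 * Simulate `rounds` seconds. With shared == true both limiters reuse one
 * jitter draw per second (the defect); otherwise each draws from its own PRNG
 * (the fix). Each second the attacker floods limiter A, subtracts the known
 * base to recover the jitter, and predicts B's budget from it. Returns the
 * number of seconds in which that prediction was exact.
 */
int exact_predictions(bool shared, int rounds, uint64_t seed)
{
	uint64_t global_rng = seed;
	struct ratelim a = { .base = 200, .rng = seed ^ 0x1 };
	struct ratelim b = { .base = 50, .rng = seed ^ 0x2 };
	int exact = 0;

	for (int sec = 0; sec < rounds; sec++) {
		int j = draw_jitter(&global_rng);
		a.budget = a.base + (shared ? j : draw_jitter(&a.rng));
		b.budget = b.base + (shared ? j : draw_jitter(&b.rng));

		/* Probe A with more requests than it can answer in any second. */
		int replies = flood(&a, a.base + JITTER_RANGE);
		int inferred_jitter = replies - a.base;
		int predicted_b = b.base + inferred_jitter;

		if (predicted_b == b.budget)
			exact++;
	}
	return exact;
}

int main(void)
{
	printf("shared jitter:   %d/100 seconds with B's budget predicted exactly\n",
	    exact_predictions(true, 100, 42));
	printf("separate jitter: %d/100 seconds with B's budget predicted exactly\n",
	    exact_predictions(false, 100, 42));
	return 0;
}
```

With shared jitter the attacker is right 100 times out of 100; with independent draws a prediction is right only when the two draws happen to coincide, about one second in 64. The base limit being public is the realistic part of the model: rate limits are documented or readable from source, so the only secret is the jitter, and a shared draw leaks it through whichever limiter is cheapest to probe.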
Actually check the conditions that are enforced by the error checking
code instead of a condition which is
* checking a number to be non-negative instead of positive
* depending on a random number
Perform the checks consistently for ICMPv4 and ICMPv6.
Reviewed by: glebius, rrs, cc
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D48001
(cherry picked from commit c9febea3dc8ac8e308e8fc5a2e74dd0313fdc5d2)
To support DHCP for IPoIB links, DHCP clients and servers require the
ability to transmit link-layer broadcasts on the IB interfaces. BPF
provides the mechanism for doing this.
This change updates the if_infiniband driver to be capable of accepting
link-layer broadcast requests via BPF using Ethernet formatted frames
(the driver currently registers with BPF as DLT_EN10MB). Only Broadcast
frames can reliably be interpreted using the Ethernet header format so
detected unicast and multicast frames are rejected if passed in using the
Ethernet format. This doesn't impact the ability to support native
unicast, broadcast or multicast frames if native infiniband header
support is added to BPF at a later date.
Further to the above, this commit also addresses an issue in the existing
code that can result in separation of part of the packet header from the
rest of the payload if a BPF write was attempted. This was caused by
mbuf preallocation of the infiniband header length regardless of length
of the prepend data.
Reviewed by: rpokala; Greg Foster <gfoster@vdura.com>
Tested by: Greg Foster <gfoster@vdura.com>
MFC after: 1 week
Sponsored by: Vdura
Pull Request: https://github.com/freebsd/freebsd-src/pull/1591
(cherry picked from commit 8d079c6a9a5dfdc75adaf9bc31f2ee8111b849a1)
1000Base-BX uses two wavelengths, commonly 1310nm, 1490nm, 1550nm, or
1590nm, in a Coarse Wavelength Division Multiplexing (CWDM) arrangement
so that a single fiber strand may carry both upstream and downstream.
It is sometimes referred to as BiDi for bi-directional usage of one
fiber.
Optics must be paired such that the RX and TX wavelengths cross over,
with one side often called U(pstream) and the other D(ownstream).
This technology is useful for increasing link density or working around
construction issues, and is also frequently used as a last mile delivery
technology for FTTx.
Sponsored by: BBOX.io (review/commits)
Pull Request: https://github.com/freebsd/freebsd-src/pull/1518
(cherry picked from commit 78c63ed260fa20b3500aedfe41dc0dcae9593f51)
Scapy is not needed to run this test. Remove it from the required
programs list.
Reviewed by: kp
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49006
(cherry picked from commit 1f1963bd32d669f89ea3b044636de0cb7a33134b)
Bring in code to call into rs-fw.c functionality for firmware
supported rate select.
Anything before AX200 (firmware matching iwlwifi-[0-9]*.ucode) will
still need further implementation, and so does iwl_mvm_rs_tx_status().
These bits are marked with compat.linuxkpi.80211.debug TODO()s for now.
Implement some lindebugfs bits to gather more statistical information.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 3f8cfb8a3a3b9fbe6d4aebde81aee80f8e89e2ea)
Add more test cases for pf fragment hole counter. Also look into
final fragment of echo reply and check total length of IP packet.
MFC after: 1 week
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 640736615b
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit db100bd93036855c7688dc088b811dc7b660f51d)
Fragment reassembly finishes when no holes are left in the fragment
queue. In certain overlap conditions, the hole counter was wrong
and pf(4) created an incomplete IP packet. Before adjusting the
length, remove the overlapping fragment from the queue and insert
it again afterwards. pf_frent_remove() and pf_frent_insert() adjust
the hole counter automatically.
bug reported and fix tested by Lucas Aubard with Johan Mazel, Gilles
Guette and Pierre Chifflier; OK claudio@
MFC after: 1 week
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 9915416fe8
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 8b2feafb535d10a559b995c6fc2529715f927e2a)
The reassembly state will be dropped after timeout, all related
fragments are dropped until that. This is conforming to RFC 5722.
- Sort pf_fragment fields while there.
- If the fr_queue is empty, we had overlapping fragments, don't add
new ones.
- If we detect overlapping IPv6 fragments, flush the fr_queue and
drop all fragments immediately.
- Rearrange debug output, to make clear what happens.
- An IPv4 fragment that is totally overlapped does not increase the
bad fragment counter.
- Put a KASSERT into pf_isfull_fragment() to make sure that the
fr_queue is never empty there.
discussed with Fernando Gont; ok henning@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 8b45f36762
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 6a3266f72e437aecf3edcfb8aa919466b270d548)
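The two pf fragment commits above (the hole counter fix and the RFC 5722 drop policy for IPv6 overlaps) are easier to follow with a small model. The following is an added example written for this page, not pf's code: frag_add, frent_insert, frent_remove, the array-backed queue and the policy enum are names chosen here. The queue holds non-overlapping fragments sorted by offset, holes counts the uncovered ranges of [0, total) (or of [0, infinity) until a fragment without the more-fragments bit fixes total), and the packet is complete when holes reaches 0. Every change to the queue goes through frent_insert or frent_remove, which adjust holes; in the IPv4 trim policy an older fragment that has to be shortened is removed first, trimmed, then reinserted, so the counter is never edited by hand. In the IPv6 policy any overlap flushes the queue and marks the state so that later fragments are refused until it times out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_FRENTS 16

struct frent { uint32_t off, len; };	/* one queued fragment; entries never overlap */
struct fragment {
	struct frent q[MAX_FRENTS];	/* sorted by off */
	int n;
	int holes;		/* uncovered ranges: 1 at creation, 0 when reassembly is complete */
	uint32_t total;		/* packet length once a last fragment was seen, else 0 */
	bool flushed;		/* IPv6 policy: overlap seen, refuse everything until timeout */
};

enum policy { POLICY_IPV4_TRIM, POLICY_IPV6_DROP };

void frag_init(struct fragment *f) { memset(f, 0, sizeof(*f)); f->holes = 1; }
static uint32_t fend(const struct frent *e) { return e->off + e->len; }

/* Does a fragment starting at off touch slot prev (or offset 0 when prev < 0)? */
static bool left_closed(const struct fragment *f, int prev, uint32_t off)
{
	return prev < 0 ? off == 0 : fend(&f->q[prev]) == off;
}

/* Does a fragment ending at end touch slot next (or the known packet end)? */
static bool right_closed(const struct fragment *f, int next, uint32_t end)
{
	return next < f->n ? end == f->q[next].off : (f->total != 0 && end == f->total);
}

/* Insert a fragment that overlaps nothing, adjusting the hole count. */
static void frent_insert(struct fragment *f, struct frent fe)
{
	int i = 0;
	while (i < f->n && f->q[i].off < fe.off)
		i++;
	bool l = left_closed(f, i - 1, fe.off), r = right_closed(f, i, fend(&fe));
	f->holes += (l && r) ? -1 : (!l && !r) ? 1 : 0;	/* filled a hole, or split one */
	memmove(&f->q[i + 1], &f->q[i], (size_t)(f->n - i) * sizeof(fe));
	f->q[i] = fe;
	f->n++;
}

/* Remove slot i, reopening or merging holes: the exact inverse of frent_insert. */
static struct frent frent_remove(struct fragment *f, int i)
{
	struct frent fe = f->q[i];
	bool l = left_closed(f, i - 1, fe.off), r = right_closed(f, i + 1, fend(&fe));
	f->holes += (l && r) ? 1 : (!l && !r) ? -1 : 0;	/* reopened a hole, or merged two */
	memmove(&f->q[i], &f->q[i + 1], (size_t)(f->n - i - 1) * sizeof(fe));
	f->n--;
	return fe;
}

/* Returns 1 when the packet is complete, 0 when the fragment was queued, -1 when dropped. */
int frag_add(struct fragment *f, uint32_t off, uint32_t len, bool last, enum policy pol)
{
	struct frent fe = { off, len };
	uint32_t end = off + len;
	int i = 0;
	if (f->flushed || len == 0 || end < off || f->n == MAX_FRENTS)
		return -1;
	if ((f->total && (end > f->total || (last && end != f->total))) ||
	    (last && f->n && fend(&f->q[f->n - 1]) > end))
		return -1;	/* data beyond the known end, or a second, different end */
	if (last && !f->total) {
		f->total = end;	/* the trailing hole now stops here ... */
		if (f->n && fend(&f->q[f->n - 1]) == end)
			f->holes--;	/* ... and is gone if that range was already covered */
	}
	while (i < f->n && f->q[i].off <= off)
		i++;
	bool front = i > 0 && fend(&f->q[i - 1]) > off;
	bool rear = i < f->n && end > f->q[i].off;
	if ((front || rear) && pol == POLICY_IPV6_DROP) {
		f->n = 0, f->flushed = true;	/* RFC 5722: flush, refuse later fragments */
		return -1;
	}
	if (front) {	/* older data wins at the front: cut the new fragment */
		uint32_t precut = fend(&f->q[i - 1]) - off;
		if (precut >= len)
			return f->holes == 0 ? 1 : -1;	/* nothing new in it */
		fe.off += precut, fe.len -= precut;
	}
	/* New data wins at the rear. Take each older fragment out of the queue
	 * before trimming it, so that reinsertion recomputes the hole count. */
	while (i < f->n && end > f->q[i].off) {
		struct frent after = frent_remove(f, i);
		if (fend(&after) > end) {
			after.len = fend(&after) - end, after.off = end;
			frent_insert(f, after);
			break;
		}
	}
	frent_insert(f, fe);
	return f->holes == 0 ? 1 : 0;
}
```

The invariant worth keeping in mind is that holes is only ever touched by frent_insert, frent_remove and the one place where the packet end becomes known; a reassembler that edits a queued fragment's offset or length in place without going through remove and insert has no way of knowing whether that edit opened, closed or merged a hole.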
ieee80211_setupcurchan() compares the flags in a greater than manner.
In this case VHT160 should be > VHT80P80 as it is preferable.
Swap the two flags and add a comment to note this.
Sponsored by: The FreeBSD Foundation
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D48976
(cherry picked from commit 8f2e5b6ef32304ce340b91057b1eb4b191dbeac1)
commit 49f39043a02d6011c1907e1b07eb034652a1269c
Author: phessler <phessler@openbsd.org>
Date: Fri Apr 28 14:08:34 2023 +0000
Relax the "pass all" rule so all forms of neighbor advertisements are allowed
in either direction.
This more closely matches the IPv4 ARP behaviour.
From sashan@
discussed with kn@ deraadt@
If rule was added in compact form and rule body is empty, print
'proto ip' opcode to be compatible with ipfw(8) syntax parser.
Before:
$ ipfw add allow proto ip
000700 allow
After:
$ ipfw add allow proto ip
000700 allow proto ip
(cherry picked from commit 706a03f61bbb6e0cf10e6c3727966495b30d763e)
Commit 20c4899a8eea4 modified pf_test_eth_rule() to not acquire the
rules read lock, so pf_commit_eth() was changed to wait until the
now-inactive rules are no longer in use before freeing them. In
particular, it uses the net_epoch to schedule callbacks once the
inactive rules are no longer visible to packet processing threads.
However, since commit 812839e5aaaf4, pf_test_eth_rule() acquires the
rules read lock, so this deferred action is unneeded. This patch
reverts a portion of 20c4899a8eea4 such that we avoid using deferred
callbacks to free inactive rules.
The main motivation is performance: epoch_drain_callbacks() is quite
slow, especially on busy systems, and its use in the DIOCXBEGIN handler
in particular causes long stalls in relayd when reloading configuration.
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D48822
(cherry picked from commit 7a66b3008693ce61957e8b2a3d99829063e1e4af)
Security: FreeBSD-SA-25:05.openssh
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 62df41ae0a71e77ccb1e8fae06d82eec5dff441a)
(cherry picked from commit 24ce323f020fb1ee1b463e524a7a6c15f47ec2a4)
Replace is_power_of_2(length) with powerof2(length). When length != 0, as in
this case, they produce the same result. This will allow an implementation
of is_power_of_two to be dropped.
Reviewed by: alc, markj
Differential Revision: https://reviews.freebsd.org/D45536
(cherry picked from commit a94ed493b50752cee09245fc312c63b00331f217)
Bring in the LinuxKPI 802.11 compat bits which are altering
the mac80211 KPI.
* In struct ieee80211_bss_conf chandef -> chanreq.
* Various struct ieee80211_ops gained a link_id argument,
stop gained a suspend flag.
* Various functions gained a link_id argument.
* ieee80211_tx_status() was renamed to ieee80211_tx_status_skb()
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 7b43f4d064195bcf66816cb9fe350a1392fe24ce)
Using MPASS in libkern breaks buildworld. Replace MPASS with KASSERT
in three places.
(cherry picked from commit 08f6f78f81e21b21dd002a9389436b0333cb3488)
order_base_2(n) is implemented with a variable, which keeps it from
being used at file scope. Implement it instead as ilog2(2*n-1), which
produces a different result when 2*n overflows, which appears unlikely
in practice.
Reviewed by: bz
Differential Revision: https://reviews.freebsd.org/D46826
(cherry picked from commit b7cbf741d55468ba34305a14ac3acc1c286af034)
Linux has a header file that defines an ilog2 function and some simple
functions/macros that use it: roundup_pow_of_two, is_power_of_2,
rounddown_pow_of_two, and order_base_2. This change moves three of
those simple functions (all but is_power_of_2) from linuxkpi to
libkern. It also deletes a few implementations of these functions
that have previously been copied into code for various device drivers,
so that they can use the libkern version. The is_power_of_2 macro was
not moved because powerof2 in param.h provides almost the same service
already (except that they disagree about whether 0 is a power of two).
Since the linux definitions of these functions were copied into
FreeBSD 11 years ago, linux has improved them, and this change
provides those improvements. In particular, a giant table of log
values for evaluating ilog2 for constant values is no longer
necessary.
Reviewed by: alc, markj (previous version)
Differential Revision: https://reviews.freebsd.org/D45536
(cherry picked from commit c8b0c33b03ac072413b27bed2bdae2ae27426f3a)
The kernel source contains several definitions of an ilog2 function;
some are slower than necessary, and one of them is incorrect.
Eliminate them all and define an ilog2 macro in libkern to replace
them, in a way that is fast, correct for all argument types, and, in a
GENERIC kernel, includes a check for an invalid zero parameter.
Folks at Microsoft have verified that having a correct ilog2
definition for their MANA driver doesn't break it.
Reviewed by: alc, markj, mhorne (older version), jhibbits (older version)
Differential Revision: https://reviews.freebsd.org/D45170
Differential Revision: https://reviews.freebsd.org/D45235
(cherry picked from commit b0056b31e90029553894d17c441cbb2c06d31412)
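An added example (written for this page, not the libkern code) that makes the relationships the three ilog2 commits above rely on concrete: ilog2 with a zero check, the two ways of writing order_base_2, the first value at which the expression form diverges from the variable form, and the single value on which powerof2 and is_power_of_2 disagree. The _u64, _var and _expr suffixes and the restriction to uint64_t are this example's; the kernel's versions are type-generic.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Floor of log2(x). As in a GENERIC kernel, 0 is rejected as a caller bug. */
int ilog2_u64(uint64_t x)
{
	assert(x != 0 && "ilog2 of zero is invalid");
	return 63 - __builtin_clzll(x);	/* GCC/Clang builtin; a shift loop would do */
}

/* param.h semantics: 0 counts as a power of two. */
bool powerof2(uint64_t x) { return (x & (x - 1)) == 0; }

/* Linux is_power_of_2 semantics: 0 is not a power of two. */
bool is_power_of_2(uint64_t x) { return x != 0 && powerof2(x); }

/* Smallest e with 2^e >= n, written with a temporary variable: fine inside a
 * function, unusable in a file-scope initializer. Domain: n >= 1. */
int order_base_2_var(uint64_t n)
{
	uint64_t m = n - 1;
	return n > 1 ? ilog2_u64(m) + 1 : 0;
}

/* The same quantity as a single expression, ilog2(2*n - 1). It agrees with
 * the form above for 1 <= n <= 2^63; past that 2*n wraps and the answer is wrong. */
#define ORDER_BASE_2(n) ilog2_u64(2 * (uint64_t)(n) - 1)
int order_base_2_expr(uint64_t n) { return ORDER_BASE_2(n); }

/* Largest power of two <= n, and smallest power of two >= n (n in [1, 2^63]). */
uint64_t rounddown_pow_of_two(uint64_t n) { return 1ULL << ilog2_u64(n); }
uint64_t roundup_pow_of_two(uint64_t n) { return 1ULL << order_base_2_var(n); }

/* True when both order_base_2 forms give the same answer for n. */
bool forms_agree(uint64_t n) { return order_base_2_var(n) == order_base_2_expr(n); }

int main(void)
{
	uint64_t big = (1ULL << 63) + 1;	/* 2*big wraps around in 64 bits */
	printf("order_base_2(9):      var=%d expr=%d\n", order_base_2_var(9), order_base_2_expr(9));
	printf("order_base_2(2^63+1): var=%d expr=%d\n", order_base_2_var(big), order_base_2_expr(big));
	printf("powerof2(0)=%d is_power_of_2(0)=%d\n", powerof2(0), is_power_of_2(0));
	return 0;
}
```

For 2^63 + 1 the variable form answers 64 while the expression form answers 0, because 2*n - 1 has wrapped to 1; that is the "different result when 2*n overflows" the order_base_2 commit accepts, and it only bites for sizes above half the address space. The zero case is the one to watch when a caller passes a length that came off the wire: powerof2(0) is true, is_power_of_2(0) is false, and ilog2(0) is not a value at all.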
We don't use legacy receive descriptors and masking out the vlan ID
isn't necessary since the tag is in the standard format, so remove it.
(cherry picked from commit 124b7722aad7d4cf12d96c030659aef78175aa9c)
When an interface is moving to/from a vnet jail, it may still have BPF
descriptors attached. The userland (e.g. tcpdump) is not notified
that the interface is departing and still holds open BPF descriptors,
which may result in leaking sensitive traffic (e.g. an interface is moved
back to the parent jail but a user is still sniffing traffic over it in
the child jail).
Detach BPF descriptors so that the userland will be signaled.
Reviewed by: ae
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D45727
(cherry picked from commit 1ed9b381d4701fc9f66741256e93b96e22273217)
ifnet: Fix build without BPF
The newly introduced function bpf_ifdetach() is only available when
device bpf is enabled.
Fixes: 1ed9b381d470 ifnet: Detach BPF descriptors on interface vmove event
(cherry picked from commit d8413a1c3ba235a79ae6b8cc35767a861855c7e2)
if_detach_internal() never fails since change [1]. As a consequence,
neither does its caller if_vmove(). While here, remove a stale comment.
No functional change intended.
This reverts commit c7bab2a7ca9a6dae79f970c6730a19b65a1ed86e.
[1] a779388f8bb3 if: Protect V_ifnet in vnet_if_return()
Reviewed by: glebius
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D48820
(cherry picked from commit bb0348a17974d83671becbd32ea0e4bd2ea61906)
Add probe points in the SCTP multihome parsing code. This is intended to help
debug a multihome issue, and is expected to be generally useful, so will be
included for everyone.
MFC after: 2 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 2d2481c35f5a53322e982e47a2bb8f9085f525b7)
Make it harder to manipulate the firewall state by verifying the v tag before we
update states.
MFC after: 2 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 4713d2fd5663eb64aa582dabced21d253c901a66)
RFC4960 3.3.7: DATA chunks MUST NOT be bundled with ABORT.
MFC after: 2 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 541ea3d7828e0ede161ac2d8ef3e8419657ef5cb)
Much like we already do for TCP and UDP we should also parse SCTP-in-ICMP
messages to see if they apply to an SCTP connection we've already allowed. If so
we should allow the ICMP packet to pass, even if we'd otherwise block it.
Add a test case where we generate an 'ICMP unreachable - need to frag' packet
and check that it passes through pf.
MFC after: 2 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 7d5e02b01577047290e937399accc02e6b184ce9)
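The three SCTP commits above each add a check that can be expressed over the SCTP common header and chunk list. The following is an added example written for this page, not pf's code: the state layout (one expected verification tag per direction), the direction constants, the verdict names and the sctp_build helper are assumptions, the CRC32c checksum is not verified, and the sample packets are constructed rather than captured. sctp_check walks the chunks, refuses a packet that bundles DATA with ABORT (RFC 4960 section 3.3.7), and drops a packet whose verification tag is not the one this direction should carry (INIT, which precedes any tag, must carry 0). sctp_icmp_quote_matches applies the same tag check to the eight bytes of SCTP header quoted inside an ICMP error, which is what lets an otherwise blocked ICMP message through when it refers to an allowed association.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Chunk types from RFC 4960 section 3.2 (only those this check needs). */
enum { SCTP_DATA = 0, SCTP_INIT = 1, SCTP_ABORT = 6 };
enum { DIR_OUT = 0, DIR_IN = 1 };	/* relative to the side that opened the association */

/* Hypothetical per-association firewall state (not pf's state layout). */
struct sctp_state {
	uint16_t sport, dport;	/* ports as they appear on outbound packets */
	uint32_t vtag[2];	/* verification tag expected on packets in each direction */
};

enum verdict { PASS, DROP_SHORT, DROP_CHUNK, DROP_BUNDLE, DROP_VTAG };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/*
 * Check one SCTP packet (common header plus chunks, IP header already
 * stripped) travelling in direction dir against the association state.
 */
enum verdict sctp_check(const struct sctp_state *st, int dir, const uint8_t *pkt, size_t len)
{
	bool has_data = false, has_abort = false, has_init = false;
	size_t off = 12;	/* common header: sport, dport, vtag, checksum */

	if (len < off)
		return DROP_SHORT;
	while (off < len) {
		if (len - off < 4)
			return DROP_CHUNK;
		uint8_t type = pkt[off];
		uint16_t clen = rd16(pkt + off + 2);
		if (clen < 4 || clen > len - off)
			return DROP_CHUNK;	/* truncated or malformed chunk */
		has_data |= type == SCTP_DATA;
		has_abort |= type == SCTP_ABORT;
		has_init |= type == SCTP_INIT;
		off += (clen + 3u) & ~3u;	/* chunks are padded to 4 bytes */
	}
	if (has_abort && has_data)
		return DROP_BUNDLE;	/* RFC 4960 3.3.7: DATA MUST NOT be bundled with ABORT */
	/* INIT is the only chunk sent before a tag exists and must carry tag 0;
	 * everything else must carry the tag this direction was assigned. */
	if (has_init ? rd32(pkt + 4) != 0 : rd32(pkt + 4) != st->vtag[dir])
		return DROP_VTAG;
	return PASS;
}

/*
 * An ICMP error quotes the offending IP header plus at least 8 bytes of its
 * payload: for SCTP that is sport, dport and the verification tag. The quoted
 * packet was one forwarded in direction dir, so its ports must match that
 * direction and its tag must be the one that direction carries.
 */
bool sctp_icmp_quote_matches(const struct sctp_state *st, int dir, const uint8_t *q, size_t qlen)
{
	if (qlen < 8)
		return false;
	uint16_t sport = rd16(q), dport = rd16(q + 2);
	bool ports_ok = dir == DIR_OUT ? (sport == st->sport && dport == st->dport)
	                               : (sport == st->dport && dport == st->sport);
	return ports_ok && rd32(q + 4) == st->vtag[dir];
}

/* Build constructed test packets: zero checksum, one minimal chunk per type. */
size_t sctp_build(uint8_t *buf, uint16_t sport, uint16_t dport, uint32_t vtag,
    const uint8_t *types, size_t ntypes)
{
	size_t off = 12;
	memset(buf, 0, off);
	buf[0] = (uint8_t)(sport >> 8); buf[1] = (uint8_t)sport;
	buf[2] = (uint8_t)(dport >> 8); buf[3] = (uint8_t)dport;
	for (int i = 0; i < 4; i++)
		buf[4 + i] = (uint8_t)(vtag >> (24 - 8 * i));
	for (size_t k = 0; k < ntypes; k++) {
		size_t clen = types[k] == SCTP_DATA ? 16 : 4;	/* DATA has a 16-byte header */
		memset(buf + off, 0, clen);
		buf[off] = types[k];
		buf[off + 3] = (uint8_t)clen;	/* length fits in one byte here */
		off += clen;
	}
	return off;
}
```

The lookup of the state by address and port is assumed to have happened before sctp_check runs, which is why it only compares the tag. The value of the tag check is that an off-path attacker who can guess ports cannot inject an ABORT, or an ICMP "need to frag" quoting the association, without also knowing the 32-bit tag the firewall recorded for that direction.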
d82c3e81:
net: if_media for 100BASE-BX
Renumber 1000BASE-BX and add 100BASE-BX sequentially
I added this 1000BASE-BX in 78c63ed260fa20b3500aedfe41dc0dcae9593f51 but
did not connect it to any code yet, apologize for the churn.
7835a4ad:
net: if_media fix syntax/build
Fixes: d82c3e815a5f ("net: if_media for 100BASE-BX")
(cherry picked from commit d82c3e815a5fc0069562b69145ad695f9aa183f9)
(cherry picked from commit 7835a4ad6948290c92ea55c7be34ae72f4e2b0bd)
If people like me have multiple cards in the same system,
creating the debugfs directory leads to a panic upon attaching
the 2nd card due to the duplicate name.
Rather than using the hard coded driver name, use the device name
(e.g., rtw880, rtw881, rtw882).
This solves two issues: it avoids the duplicate name and we get
individual debugging/statistic information for each card.
Sponsored by: The FreeBSD Foundation
X-Note: ath1[01]k and mt76 likely will need a similar change
(cherry picked from commit b4886c4ece3e692c294aa853da7aec849f8d00a2)
In order to better test HT and VHT support with LinuxKPI add (tunable)
options disabled by default to on-demand enable HT/VHT
and for rtw89 also EHT.
It is expected that we will remove this FreeBSD-specific code again in
the future.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 7a5b55e3b448744b099c274763992cba2e3ebce5)
This adds support for the Realtek 8922AE PCI
wireless network (Wi-Fi 7) adapter.
This version is based on
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
98f7e32f20d28ec452afb208f9cffc08448a2652 ( tag: v6.11 ).
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 6d67aabd63555ab62a2f2b7f52a75ef100a2fe75)
This version is based on
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
98f7e32f20d28ec452afb208f9cffc08448a2652 ( tag: v6.11 ).
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 11c53278a8a3e86e14377f09bbaa7bad193d3713)
Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the ruleset. That is, allow an already
established connection to set up flows that would otherwise be disallowed.
In case of if-bound connections we initially set the extra associations to
be floating, because we don't know what path they'll be taking when they're
created. Once we see the first traffic we can bind them.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48453
(cherry picked from commit e4f2733df8c9d2fd0c5e8fdc8bec002bf39811f3)
Make iwlwifi compile with debugfs after the last updates and turn it on
for both iwlwifi and rtw88 in order to be able to get at least some
useful information on driver/firmware state.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 07f6575585bf69ae48dffe87c4578057ae4782d8)
Add IEEE80211_FVHT_STBC_(TX|RX) flags to allow userspace to manage
if STBC will be allowed for VHT RX/TX.
For RX this will only allow us to turn it off but no fine grained
control of the number of supported spatial streams.
Introduce IEEE80211_FVHT_CHANWIDTH_MASK as a helper to make the
spelling out of the IEEE80211_FVHT_MASK more readable.
Update ifconfig to allow setting of these flags.
Sponsored by: The FreeBSD Foundation
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D47838
(cherry picked from commit 243f6925bf818a64f3c996c6a89fec6c8a6ff058)
Anyone testing VHT options would wonder about these extra two printfs
by now. Remove them from the tree before I have to do so locally again
in another branch.
Sponsored by: The FreeBSD Foundation
Fixes: e9bb7f9aa1b4f
Reviewed by: adrian, emaste
Differential Revision: https://reviews.freebsd.org/D48319
(cherry picked from commit 91a4107d6d3028acd96df96de33b8a7665d3eb03)