Remove SOC FPGA drivers

The drivers have been disconnected from the build since the removal of
the SOCFPGA kernel configs.

Reviewed by: manu, imp, andrew
Sponsored by: AFRL, DARPA
Differential Revi

Remove SOC FPGA drivers

The drivers have been disconnected from the build since the removal of
the SOCFPGA kernel configs.

Reviewed by: manu, imp, andrew
Sponsored by: AFRL, DARPA
Differential Revision: https://reviews.freebsd.org/D47885

show more ...

netinet: default mib counter probe points off

Disable the IP/IP6/ICMP/... counter probe points by default.
They are kept enabled in debug builds, and can be enabled with
'options KDTRACE_MIB_SDT'.

netinet: default mib counter probe points off

Disable the IP/IP6/ICMP/... counter probe points by default.
They are kept enabled in debug builds, and can be enabled with
'options KDTRACE_MIB_SDT'.

Requested by: glebius
Reviewed by: glebius
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47657

show more ...

filemon: Not an option.

MFC after: 3 days

conf: Remove kernel stack swapping support, part 12

Remove the NO_SWAPPING option. There is still some code in
vm_swapout.c, but it relates to RACCT handling. Remove the option and
make compilatio

conf: Remove kernel stack swapping support, part 12

Remove the NO_SWAPPING option. There is still some code in
vm_swapout.c, but it relates to RACCT handling. Remove the option and
make compilation of vm_swapout.c conditional on RACCT.

Tested by: pho
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D46130

show more ...

Retire non-NEW_PCIB code and remove config option

All architectures enable NEW_PCIB in DEFAULTS (arm being the most recent
to do so in 121be555997b (arm: Set NEW_PCIB in DEFAULTS rather than a
subse

Retire non-NEW_PCIB code and remove config option

All architectures enable NEW_PCIB in DEFAULTS (arm being the most recent
to do so in 121be555997b (arm: Set NEW_PCIB in DEFAULTS rather than a
subset of kernel configs")), so it's time we removed the legacy code
that no longer sees much testing and has a significant maintenance
burden.

Reviewed by: jhb, andrew, emaste
Differential Revision: https://reviews.freebsd.org/D32954

show more ...

ipsec_offload: kernel infrastructure

Inline IPSEC offload moves almost whole IPSEC processing from the
CPU/MCU and possibly crypto accelerator, to the network card.

The transmitted packet content i

ipsec_offload: kernel infrastructure

Inline IPSEC offload moves almost whole IPSEC processing from the
CPU/MCU and possibly crypto accelerator, to the network card.

The transmitted packet content is not touched by CPU during TX
operations, kernel only does the required policy and security
association lookups to find out that given flow is offloaded, and then
packet is transmitted as plain text to the card. For driver convenience,
a metadata is attached to the packet identifying SA which must process
the packet. Card does encryption of the payload, padding, calculates
authentication, and does the reformat according to the policy.

Similarly, on receive, card does the decapsulation, decryption, and
authentification. Kernel receives the identifier of SA that was
used to process the packet, together with the plain-text packet.

Overall, payload octets are only read or written by card DMA engine,
removing a lot of memory subsystem overhead, and saving CPU time because
IPSEC algos calculations are avoided.

If driver declares support for inline IPSEC offload (with the
IFCAP2_IPSEC_OFFLOAD capability set and registering method table struct
if_ipsec_accel_methods), kernel offers the SPD and SAD to driver.
Driver decides which policies and SAs can be offloaded based on
hardware capacity, and acks/nacks each SA for given interface to
kernel. Kernel needs to keep this information to make a decision to
skip software processing on TX, and to assume processing already done
on RX. This shadow SPD/SAD database of offloads is rooted from
policies (struct secpolicy accel_ifps, struct ifp_handle_sp) and SAs
(struct secasvar accel_ipfs, struct ifp_handle_sav).

Some extensions to the PF_KEY socket allow to limit interfaces for
which given SP/SA could be offloaded (proposed for offload). Also,
additional statistics extensions allow to observe allocation/octet/use
counters for specific SA.

Since SPs and SAs are typically instantiated in non-sleepable context,
while offloading them into card is expected to require costly async
manipulations of the card state, calls to the driver for offload and
termination are executed in the threaded taskqueue. It also solves
the issue of allocating resources needed for the offload database.
Neither ipf_handle_sp nor ipf_handle_sav do not add reference to the
owning SP/SA, the offload must be terminated before last reference is
dropped. ipsec_accel only adds transient references to ensure safe
pointer ownership by taskqueue.

Maintaining the SA counters for hardware-accelerated packets is the
duty of the driver. The helper ipsec_accel_drv_sa_lifetime_update()
is provided to hide accel infrastructure from drivers which would use
expected callout to query hardware periodically for updates.

Reviewed by: rscheff (transport, stack integration), np
Sponsored by: NVIDIA networking
Differential revision: https://reviews.freebsd.org/D44219

show more ...

bde: remove lingering references

Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D45874

Add an implementation of the 9P filesystem

This is derived from swills@ fork of the Juniper virtfs with many
changes by me including bug fixes, style improvements, clearer layering
and more consiste

Add an implementation of the 9P filesystem

This is derived from swills@ fork of the Juniper virtfs with many
changes by me including bug fixes, style improvements, clearer layering
and more consistent logging. The filesystem is renamed to p9fs to better
reflect its function and to prevent possible future confusion with
virtio-fs.

Several updates and fixes from Juniper have been integrated into this
version by Val Packett and these contributions along with the original
Juniper authors are credited below.

To use this with bhyve, add 'virtio_p9fs_load=YES' to loader.conf. The
bhyve virtio-9p device allows access from the guest to files on the host
by mapping a 'sharename' to a host path. It is possible to use p9fs as a
root filesystem by adding this to /boot/loader.conf:

vfs.root.mountfrom="p9fs:sharename"

for non-root filesystems add something like this to /etc/fstab:

sharename /mnt p9fs rw 0 0

In both examples, substitute the share name used on the bhyve command
line.

The 9P filesystem protocol relies on stateful file opens which map
protocol-level FIDs to host file descriptors. The FreeBSD vnode
interface doesn't really support this and we use heuristics to guess the
right FID to use for file operations. This can be confused by privilege
lowering and does not guarantee that the FID created for a given file
open is always used for file operations, even if the calling process is
using the file descriptor from the original open call. Improving this
would involve changes to the vnode interface which is out-of-scope for
this import.

Differential Revision: https://reviews.freebsd.org/D41844
Reviewed by: kib, emaste, dch
MFC after: 3 months
Co-authored-by: Val Packett <val@packett.cool>
Co-authored-by: Ka Ho Ng <kahon@juniper.net>
Co-authored-by: joyu <joyul@juniper.net>
Co-authored-by: Kumara Babu Narayanaswamy <bkumara@juniper.net>

show more ...

Remove TCP_SAD optional code now that the sack filter performs this function.

With the commit of D44903 we no longer need the SAD option. Instead all stacks that
use the sack filter inherit its prot

Remove TCP_SAD optional code now that the sack filter performs this function.

With the commit of D44903 we no longer need the SAD option. Instead all stacks that
use the sack filter inherit its protection against sack-attack.

Reviewed by: tuexen@
Differential Revision:https://reviews.freebsd.org/D45216

show more ...

sockets: hide socket hhook(9)s under SOCKET_HHOOK

There are no in-tree consumers of these hooks.

Reviewed by: stevek
Differential Revision: https://reviews.freebsd.org/D44928

accf_tls: accept filter that waits for TLS handshake header

sys: Retire the ISCSI_INITIATOR_DEBUG option

This was used by the old iSCSI initiator, not the current one.

Reported by: trasz

netinet: add a probe point for IP, IP6, ICMP, ICMP6, UDP and TCP stats counters

When debugging network issues one common clue is an unexpectedly
incrementing error counter. This is helpful, in that

netinet: add a probe point for IP, IP6, ICMP, ICMP6, UDP and TCP stats counters

When debugging network issues one common clue is an unexpectedly
incrementing error counter. This is helpful, in that it gives us an
idea of what might be going wrong, but often these counters may be
incremented in different functions.

Add a static probe point for them so that we can use dtrace to get
futher information (e.g. a stack trace).

For example:
dtrace -n 'mib:ip:count: { printf("%d", arg0); stack(); }'

This can be disabled by setting the following kernel option:
options KDTRACE_NO_MIB_SDT

Reviewed by: gallatin, tuexen (previous version), gnn (previous version)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43504

show more ...

kernel: Add options for MAC_DEBUG and MAC_VERIEXEC_DEBUG

ath(4): always enable 11n

Enabling 11n for ath(4) so far was handled by a kernel option, which
was only enabled for certain kernel configurations.
In order to allow loading ath(4) as a module with 1

ath(4): always enable 11n

Enabling 11n for ath(4) so far was handled by a kernel option, which
was only enabled for certain kernel configurations.
In order to allow loading ath(4) as a module with 11n support on
all platforms, remove the kernel option and unconditionally enable
11n in ath(4).

Reported by: pkubaj
Discussed with: adrian in D43549.
Reviewed by: adrian, imp
Differential Revision: https://reviews.freebsd.org/D43964

show more ...

hpts: remove from opt_inet.h

No conditionally compilable code left. The hpts.ko is fully functional.

Reviewed by: imp, tuexen, rrs
Differential Revision: https://reviews.freebsd.org/D42859

Add the BBR and RACK stacks to the LINT kernel.

While here, drop the EXTRA_TCP_STACKS option, which serves no purpose and
should never have been added. Instead, build bbr and rack as long as
either

Add the BBR and RACK stacks to the LINT kernel.

While here, drop the EXTRA_TCP_STACKS option, which serves no purpose and
should never have been added. Instead, build bbr and rack as long as
either or both of INET and INET6 is enabled. There is no risk to anyone
who doesn't load one or both and then twiddle the relevant sysctls.

Differential Revision: https://reviews.freebsd.org/D42088

show more ...

netlink: move NETLINK define to opt_global.h

Move the NETLINK define into opt_global.h so we can rely on it being
set correctly, without having to remember to include opt_netlink.h.
This ensures tha

netlink: move NETLINK define to opt_global.h

Move the NETLINK define into opt_global.h so we can rely on it being
set correctly, without having to remember to include opt_netlink.h.
This ensures that the NETLINK define is correctly set. If not we
may end up with unloadable modules, due to missing symbols (such as
nlmsg_get_group_writer).

PR: 274306
Reviewed by: imp, markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D42179

show more ...

nvme: Really remove NVME_2X_RESET

da8324a9258f removed one of the two instances of NVME_2X_RESET. It
failed to snag the other one, and remove it from the options file.
Remove from both of those here

nvme: Really remove NVME_2X_RESET

da8324a9258f removed one of the two instances of NVME_2X_RESET. It
failed to snag the other one, and remove it from the options file.
Remove from both of those here.

Sponsored by: Netflix
Reviewed by: chuck, gallatin, jhb
Differential Revision: https://reviews.freebsd.org/D42049

show more ...

Add a COMPAT_FREEBSD14 kernel option

Use it wherever COMPAT_FREEBSD13 is currently specified.

Reviewed by: brooks, zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision:

Add a COMPAT_FREEBSD14 kernel option

Use it wherever COMPAT_FREEBSD13 is currently specified.

Reviewed by: brooks, zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42100

show more ...

kernel: remove unused HWPMC_MIPS_BACKTRACE option

MIPS was removed before FreeBSD 13.

Reported by: andrew

Add mac_grantbylabel

This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of th

Add mac_grantbylabel

This module allows controlled privilege escallation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able a set of privileged operations needed.

We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcomming the 'indirect' flag applied to the interpreter.

Add -l option to sbin/veriexec to report labels.

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41431

show more ...

sys: Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

ath(4): Remove MIPS SoC build glue and AR9130 from FreeBSD HAL

All of these are obsoleted by the general removal of MIPS support.

Actually, corresponding to the removed AH_SUPPORT_x, there is more

ath(4): Remove MIPS SoC build glue and AR9130 from FreeBSD HAL

All of these are obsoleted by the general removal of MIPS support.

Actually, corresponding to the removed AH_SUPPORT_x, there is more
superfluous support sprinkled across the HAL source. However, that
code is left in place for now in order to ease a sync to NetBSD.

Reviewed by: emaste (w/ man page fix)
Approved by: adrian
Differential Revision: https://reviews.freebsd.org/D41355

show more ...

base: Remove support for the VTOC8 partitioning scheme

The removal of the sparc64 support in February 2020 obsoleted the
VTOC8 partitioning scheme as no other FreeBSD platform makes use
of it. Moreo

base: Remove support for the VTOC8 partitioning scheme

The removal of the sparc64 support in February 2020 obsoleted the
VTOC8 partitioning scheme as no other FreeBSD platform makes use
of it. Moreover, the code is bitrotting as nothing defines e. g.
LOADER_VTOC8_SUPPORT any more and, thus, should go now, too. With
this change, the following commits are reverted as far as VTOC8
is concerned and parts haven't already previously been deleted
along with prior sparc64 removals:
094fcb157d4c98211899cf09d06e2cf19149b7e0
a7d366e9589c95feda6f3bc78c59c6355d51f126
ba8d50d08b9df4e8213f9a6997ff6792ecebcd9b

The alignment example d9711c28efc4ec89ba5ea11f8fd63e9d0a7fc81b
added to the VTOC8 section of gpart.8 is folded into the MBR one.

This should finally conclude the deorbit of sparc64-specific bits.

We had joy, we had fun
we ran Unix on a Sun.
But that source and the song
of FreeBSD have all gone.

Credits to Michael Bueker for the original "Unix on a Sun" and Rod
McKuen for the "Seasons in the Sun" lyrics.

show more ...