HardenedBSD/src 670f0ef  sbin/ifconfig carp.c ifconfig.8, sys/netinet ip_carp.c ip_carp.h

Merge branch 'freebsd/current/main' into hardened/current/master
Delta      File
+724 -202  sys/netinet/ip_carp.c
+97  -1    tests/sys/netinet/carp.sh
+57  -11   sbin/ifconfig/carp.c
+51  -4    sys/netinet/ip_carp.h
+15  -1    sbin/ifconfig/ifconfig.8
+14  -0    tests/sys/netinet/carp.py
+958 -219  10 files not shown
+995 -222  16 files

HardenedBSD/src f1de345  release Makefile.mirrors

Merge branch 'freebsd/14-stable/main' into hardened/14-stable/master
Delta      File
+14 -0     release/Makefile.mirrors
+14 -0     1 files

HardenedBSD/ports 63d4225  devel/jujutsu distinfo Makefile.crates, www/oauth2-proxy distinfo Makefile

Merge branch 'freebsd/main' into hardenedbsd/main
Delta      File
+127 -111  www/oauth2-proxy/distinfo
+73  -75   devel/jujutsu/distinfo
+64  -57   www/oauth2-proxy/Makefile
+91  -0    www/oauth2-proxy/files/oauth2_proxy.in
+0   -77   www/oauth2-proxy/files/oauth2-proxy.in
+35  -36   devel/jujutsu/Makefile.crates
+390 -356  29 files not shown
+511 -424  35 files

HardenedBSD/src 301ec2c  sys/netpfil/pf pf.c

pf: always mark states as unlinked before detaching them

Users have reported crashes in pf_test_state_udp() where at least one state key
is NULL.

That suggests that pf_detach_state() ran concurrently with pf_test_state_udp().
pf_test_state_udp() holds the state lock (aka the id lock), but
pf_detach_state() does not.
The intent is that detached states are not returned by STATE_LOOKUP/
pf_find_state(), as the state's timeout is set to PFTM_UNLINKED and thus
pf_find_state() does not find the state.

There are other paths to pf_detach_state() (outside of pf_unlink_state())
though, where we did not set the timeout to PFTM_UNLINKED. Fix those, and assert
that the timeout is set correctly when we enter pf_detach_state().

MFC after:      1 week
See also:       https://redmine.pfsense.org/issues/15413
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D45101
Delta      File
+3 -0      sys/netpfil/pf/pf.c
+3 -0      1 files

HardenedBSD/src a254d68  sys/netinet ip_carp.c

carp: isolate VRRP from CARP

There is only one functional change here - we don't allow SIOCSVH (or
netlink request) to change sc->sc_version.  I'm convinced that allowing
such a change doesn't bring any practical value, but creates endless
minefields in front of both developers and end users (sysadmins).  If
you want to switch from VRRP to CARP or vice versa, you'd need to recreate
the VHID.

Oh, one tiny functional change: carp_ioctl_set() won't modify any fields
if it returns EINVAL.  Previously you could provide valid advbase with
invalid advskew - that used to modify advbase and return EINVAL.

All other changes are a sweep around not ever using CARP fields when
we are in VRRP mode and vice versa.  Also adding assertions on sc_version
where necessary.

Do not send VRRP vars in CARP mode via NetLink and vice versa.  However
in compat ioctl SIOCGVH for VRRP mode the CARP fields would be zeroes.

    [6 lines not shown]
Delta      File
+199 -159  sys/netinet/ip_carp.c
+199 -159  1 files

HardenedBSD/src 601438f  sys/netinet ip_carp.c

carp: refactor packet tagging for ether_output()

- Separate HMAC preparation (CARP specific) from tagging.
- In unicast mode (CARP specific) don't put tag at all.
- Don't put pointer to software context into the tag.  Putting just vhid,
  an integer value, is a safer design.

Reviewed by:    kp
Differential Revision:  https://reviews.freebsd.org/D45038
Delta      File
+14 -23    sys/netinet/ip_carp.c
+14 -23    1 files

HardenedBSD/src cda57d9  sys/netinet ip_carp.c

carp: assert that we are calling correct input function. We are.

Reviewed by:    kp
Differential Revision:  https://reviews.freebsd.org/D45037
Delta      File
+4 -3      sys/netinet/ip_carp.c
+4 -3      1 files

HardenedBSD/src 5ee92cb  sys/netinet ip_carp.c

carp: don't chain call vrrp_send_ad via carp_send_ad

Provide inline send_ad_locked() that switches between protocol
specific sending function.

Rename carp_send_ad() to carp_callout() to avoid getting lost in
all these multiple foo_send_ad.

No functional change intended.

Reviewed by:    kp
Differential Revision:  https://reviews.freebsd.org/D45036
Delta      File
+22 -14    sys/netinet/ip_carp.c
+22 -14    1 files

HardenedBSD/src 0d446a4  sbin/ifconfig ifconfig.8, share/man/man4 carp.4

carp: document the new VRRPv3 support

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D44776
Delta      File
+15 -1     sbin/ifconfig/ifconfig.8
+12 -1     share/man/man4/carp.4
+27 -2     2 files

HardenedBSD/src 5311e73  tests/sys/netinet carp.sh carp.py

netinet tests: basic VRRP tests

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D44775
Delta      File
+97  -1    tests/sys/netinet/carp.sh
+14  -0    tests/sys/netinet/carp.py
+111 -1    2 files

HardenedBSD/src 3711515  lib/libifconfig libifconfig_carp.c libifconfig.h, sbin/ifconfig carp.c

carp: support VRRPv3

Allow carp(4) to use the VRRPv3 protocol (RFC 5798). We can distinguish carp and
VRRP based on the protocol version number (carp is 2, VRRPv3 is 3), and support
both from the carp(4) code.

Reviewed by:    glebius
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D44774
Delta      File
+568 -86   sys/netinet/ip_carp.c
+57  -11   sbin/ifconfig/carp.c
+51  -4    sys/netinet/ip_carp.h
+6   -0    lib/libifconfig/libifconfig_carp.c
+3   -0    lib/libifconfig/libifconfig.h
+3   -0    sys/netinet/ip_carp_nl.h
+688 -101  6 files
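The version-field split that "carp: support VRRPv3" describes, and that "carp: isolate VRRP from CARP" above then enforces per VHID, as an added example (this is not FreeBSD's or HardenedBSD's code, and not what ip_carp.c does internally): a receiver for IP protocol 112 that dispatches on the 4-bit version, parses the CARP (version 2) and VRRPv3 (version 3, RFC 5798) advertisement headers, and verifies the checksum of each. Field layouts are taken from FreeBSD's struct carp_header and RFC 5798 section 5.2; the pseudo-header bytes the checksum must cover and the address size of the outer IP family are passed in by the caller (assumed interface), the sample packets are constructed, and the CARP replay counter and SHA1-HMAC are neither generated nor verified here.

```c
/* Added example, not FreeBSD/HardenedBSD code: demultiplex CARP (version 2)
 * and VRRPv3 (version 3, RFC 5798) advertisements, which share IP protocol
 * 112, by the high nibble of the first byte, then parse and checksum each.
 * Layouts follow FreeBSD's struct carp_header and RFC 5798 section 5.2.  The
 * caller supplies the pseudo-header bytes the checksum covers (none for CARP
 * over IPv4; RFC 2460 style for CARP over IPv6 and for VRRPv3 on both
 * families) and the address size of the outer IP family. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define CARP_VERSION   2
#define VRRP3_VERSION  3
#define ADV_TYPE       1   /* "advertisement" in both protocols */
#define CARP_HDR_LEN   36  /* 8 fixed + 8 counter + 20 SHA1-HMAC */
#define VRRP3_HDR_LEN  8   /* fixed part before the IPvX addresses */

enum adv_kind { ADV_BAD = 0, ADV_CARP, ADV_VRRP3 };
struct adv {
	enum adv_kind kind;
	uint8_t  vhid;              /* carp_vhid or VRRP Virtual Rtr ID */
	uint8_t  advskew, advbase;  /* CARP only */
	uint8_t  priority, naddr;   /* VRRPv3 only */
	uint16_t max_adver_int;     /* VRRPv3 only: 12 bits, centiseconds */
	int      cksum_ok;
};

/* RFC 1071 checksum over an even-length pseudo-header then the message;
 * recomputed over a message with its checksum in place it yields 0. */
static uint16_t
in_cksum2(const uint8_t *ph, size_t phlen, const uint8_t *p, size_t len)
{
	uint32_t sum = 0;
	size_t i;
	for (i = 0; i + 1 < phlen; i += 2)
		sum += ((uint32_t)ph[i] << 8) | ph[i + 1];
	for (i = 0; i + 1 < len; i += 2)
		sum += ((uint32_t)p[i] << 8) | p[i + 1];
	if (len & 1)
		sum += (uint32_t)p[len - 1] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return ((uint16_t)~sum);
}

/* Returns 0 and fills *out, or -1 for a truncated or unknown message. */
int
parse_adv(const uint8_t *ph, size_t phlen, const uint8_t *p, size_t len,
    size_t addrlen, struct adv *out)
{
	size_t want;
	memset(out, 0, sizeof(*out));
	if (len < VRRP3_HDR_LEN || (p[0] & 0x0f) != ADV_TYPE)
		return (-1);
	switch (p[0] >> 4) {
	case CARP_VERSION:
		if (len < CARP_HDR_LEN)
			return (-1);
		out->kind = ADV_CARP;
		out->vhid = p[1]; out->advskew = p[2]; out->advbase = p[5];
		/* p[3] authlen, p[4] demotion counter, p[6..7] checksum */
		out->cksum_ok = in_cksum2(ph, phlen, p, CARP_HDR_LEN) == 0;
		return (0);
	case VRRP3_VERSION:
		want = VRRP3_HDR_LEN + (size_t)p[3] * addrlen;
		if (len < want)
			return (-1);
		out->kind = ADV_VRRP3;
		out->vhid = p[1]; out->priority = p[2]; out->naddr = p[3];
		out->max_adver_int = (uint16_t)(((p[4] & 0x0f) << 8) | p[5]);
		/* RFC 5798 5.2.8: whole message plus pseudo-header, on IPv4 too */
		out->cksum_ok = in_cksum2(ph, phlen, p, want) == 0;
		return (0);
	default:
		return (-1);   /* VRRPv2 (version 1) or garbage: not ours */
	}
}

/* Constructed sender side for VRRPv3; ph is the pseudo-header the receiver
 * will rebuild from the outer IP header. */
size_t
vrrp3_build(uint8_t *buf, const uint8_t *ph, size_t phlen, uint8_t vrid,
    uint8_t prio, uint16_t mai, const uint8_t *addrs, uint8_t naddr,
    size_t addrlen)
{
	size_t len = VRRP3_HDR_LEN + (size_t)naddr * addrlen;
	uint16_t ck;
	buf[0] = (VRRP3_VERSION << 4) | ADV_TYPE;
	buf[1] = vrid; buf[2] = prio; buf[3] = naddr;
	buf[4] = (uint8_t)((mai >> 8) & 0x0f); buf[5] = (uint8_t)mai;
	buf[6] = buf[7] = 0;
	memcpy(buf + VRRP3_HDR_LEN, addrs, (size_t)naddr * addrlen);
	ck = in_cksum2(ph, phlen, buf, len);
	buf[6] = (uint8_t)(ck >> 8); buf[7] = (uint8_t)ck;
	return (len);
}

/* Constructed CARP advertisement over IPv4: vhid 5, advskew 0, advbase 1,
 * authlen 20, counter and HMAC zero, checksum 0xdee5. */
const uint8_t carp_sample[CARP_HDR_LEN] = { 0x21, 5, 0, 20, 0, 1, 0xde, 0xe5 };
```

The point the two commit messages make is visible in the switch: once the version nibble has chosen a branch, only that protocol's fields are touched, and a VRRPv2 (version 1) packet is rejected rather than coerced into either. The one trap worth remembering from RFC 5798 is that VRRPv3 folds an IPv4 pseudo-header into its checksum, which plain CARP over IPv4 does not; pass the wrong pseudo-header and every otherwise valid VRRPv3 advertisement fails the checksum.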

HardenedBSD/ports fdb884c  net/syncthing distinfo Makefile

net/syncthing: Update to 1.27.7

re: https://github.com/syncthing/syncthing/releases/tag/v1.27.7
Delta      File
+3 -3      net/syncthing/distinfo
+1 -2      net/syncthing/Makefile
+4 -5      2 files

HardenedBSD/ports fadfb19  devel/jujutsu distinfo Makefile.crates

devel/jujutsu: upgrade to version 0.17.1

Compared to version 0.16.0, this version contains a number of fixes
and improvements.

See the release notes at

    https://github.com/martinvonz/jj/releases/tag/v0.17.0

for details.

Version 0.17.1 speeds up "jj status" by no longer scanning through
the entire history to look for ancestors with conflicts.
Delta      File
+73  -75   devel/jujutsu/distinfo
+35  -36   devel/jujutsu/Makefile.crates
+1   -1    devel/jujutsu/Makefile
+109 -112  3 files

HardenedBSD/ports b429df8  databases/py-pg8000 distinfo Makefile

databases/py-pg8000: Update to 1.31.2
Delta      File
+3 -3      databases/py-pg8000/distinfo
+1 -2      databases/py-pg8000/Makefile
+4 -5      2 files

HardenedBSD/ports 9aad6e6  devel/p5-Data-Dumper-Interp distinfo Makefile

devel/p5-Data-Dumper-Interp: Update to 7.007
Delta      File
+3 -3      devel/p5-Data-Dumper-Interp/distinfo
+1 -1      devel/p5-Data-Dumper-Interp/Makefile
+4 -4      2 files

HardenedBSD/ports 70c9018  science/pynn distinfo Makefile

science/pynn: Update to 0.12.3
Delta      File
+3 -3      science/pynn/distinfo
+3 -1      science/pynn/Makefile
+6 -4      2 files

HardenedBSD/ports a3d5a1a  math/py-roman distinfo Makefile

math/py-roman: Update to 4.2
Delta      File
+3 -3      math/py-roman/distinfo
+1 -1      math/py-roman/Makefile
+4 -4      2 files

HardenedBSD/ports 7bfbd1d  devel/fbthrift/files patch-thrift_lib_cpp2_CMakeLists.txt

devel/fbthrift: Fix build with ninja >= 1.12.0

Address a potential race condition where generated headers are not created
before they are used in the build.

https://github.com/facebook/fbthrift/pull/599

PR:             278693
Approved by:    portmgr (blanket)
Delta      File
+18 -0     devel/fbthrift/files/patch-thrift_lib_cpp2_CMakeLists.txt
+18 -0     1 files

HardenedBSD/ports 4a035a2  www/oauth2-proxy distinfo Makefile

www/oauth2-proxy: Update to 7.6.0.

PR:     277536
Delta      File
+127 -111  www/oauth2-proxy/distinfo
+63  -56   www/oauth2-proxy/Makefile
+190 -167  2 files

HardenedBSD/ports 7f80d74  . UPDATING, www/oauth2-proxy Makefile

www/oauth2-proxy: convert rc script to be instance-aware

Like the tomcat ports or openhab, make the rc script instance aware.
To use it:
 - cp /usr/local/etc/oauth2-proxy.cfg.sample /usr/local/etc/oauth2-proxy-myapp.cfg
 - vi /usr/local/etc/oauth2-proxy-myapp.cfg
 - ln -s oauth2_proxy /usr/local/etc/rc.d/oauth2_proxy_myapp
 - sysctl oauth2_proxy_myapp_enable=YES
 - service oauth2_proxy_myapp start

Approved by:    maintainer timeout (3 weeks)
PR:             278325
Delta      File
+91  -0    www/oauth2-proxy/files/oauth2_proxy.in
+0   -77   www/oauth2-proxy/files/oauth2-proxy.in
+15  -0    UPDATING
+2   -2    www/oauth2-proxy/Makefile
+108 -79   4 files
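The naming convention those five steps rely on, as an added example that is not the port's rc script (the real one is files/oauth2_proxy.in, which this page only lists): an instance-aware rc.d script learns its instance from the name it was invoked as, i.e. the symlink created in the third step, and derives the service name, the rc.conf knob and the config file from that. The /usr/local prefix and the oauth2-proxy-<instance>.cfg layout follow the steps above; the rc.subr wiring sketched in the trailing comment and the --config flag are assumptions.

```sh
#!/bin/sh
# Added example, not the port's own rc script: the naming convention an
# instance-aware rc.d script is built on.  The instance comes from the name the
# script was invoked as (the symlink made in the third step above), and the
# service name, rcvar and config file are derived from it.  The config path
# layout mirrors the steps above; everything else here is an assumption.

LOCALBASE=/usr/local

# Instance suffix of an invoked script name:
#   oauth2_proxy       -> ""      (the default instance)
#   oauth2_proxy_myapp -> myapp
# Anything else is not one of our symlinks and is rejected.
oauth2_proxy_instance() {
	case "$1" in
	oauth2_proxy)   echo "" ;;
	oauth2_proxy_*) echo "${1#oauth2_proxy_}" ;;
	*)              return 1 ;;
	esac
}

# Service name rc.subr will use: oauth2_proxy or oauth2_proxy_<instance>.
oauth2_proxy_name() {
	inst=$(oauth2_proxy_instance "$1") || return 1
	echo "oauth2_proxy${inst:+_$inst}"
}

# The rc.conf knob that `service oauth2_proxy_myapp start` checks.
oauth2_proxy_rcvar() {
	n=$(oauth2_proxy_name "$1") || return 1
	echo "${n}_enable"
}

# Per-instance config: oauth2-proxy.cfg or oauth2-proxy-<instance>.cfg,
# matching the cp/vi steps in the commit message.
oauth2_proxy_config() {
	inst=$(oauth2_proxy_instance "$1") || return 1
	echo "$LOCALBASE/etc/oauth2-proxy${inst:+-$inst}.cfg"
}

# Inside a real rc.d script the same derivation feeds rc.subr, roughly
# (assumed wiring, not the port's script):
#   . /etc/rc.subr
#   name=$(oauth2_proxy_name "${0##*/}") || exit 1
#   rcvar=$(oauth2_proxy_rcvar "${0##*/}")
#   load_rc_config "$name"
#   eval ": \${${rcvar}:=NO}"
#   command_args="--config=$(oauth2_proxy_config "${0##*/}")"
#   run_rc_command "$1"
# so a new instance needs only the symlink, its config file and
# <rcvar>=YES in rc.conf (sysrc sets that).
```

Because `${0##*/}` is the symlink's own name, the script body never hard-codes an instance; the same file serves oauth2_proxy and every oauth2_proxy_<instance> link, and an unrelated name fails closed instead of silently running the default instance under a foreign rcvar.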

HardenedBSD/ports d31af55  security/vuxml/vuln 2024.xml

security/vuxml: document electron29 multiple vulnerabilities

Obtained from:  https://github.com/electron/electron/releases/tag/v29.3.2
Delta      File
+32 -0     security/vuxml/vuln/2024.xml
+32 -0     1 files

HardenedBSD/ports 7753b24  shells/carapace distinfo Makefile

shells/carapace: update to 1.0.2

Changelog: https://github.com/carapace-sh/carapace-bin/releases/tag/v1.0.2

Reported by:    Repology
Delta      File
+5 -5      shells/carapace/distinfo
+1 -1      shells/carapace/Makefile
+6 -6      2 files

HardenedBSD/src 3fe25a9  sys/dev/mii rgephy.c miidevs

mii: Add support for Realtek RTL8211F-VD PHY

The RTL8211F-VD is a replacement/upgrade for the RTL8211F. Based on
https://github.com/torvalds/linux/commit/bb726b753f75a4eeda291438f89dfd9b94783569,
the only difference is the lack of the PCR2 register, which FreeBSD
doesn't use.

This fixes autonegotiation problems using the RTL8211F with ukphy(4).

Reviewed by:    manu, bz
MFC after:      1 month
Differential Revision:  https://reviews.freebsd.org/D45109
Delta      File
+4 -2      sys/dev/mii/rgephy.c
+1 -0      sys/dev/mii/miidevs
+1 -0      sys/dev/mii/rgephyreg.h
+6 -2      3 files

HardenedBSD/ports d608a4f  net-p2p/clboss distinfo Makefile, net-p2p/clboss/files patch-Util_Compiler.hpp

net-p2p/clboss: upgrade from 0.13 to 0.13.1
Delta      File
+0 -11     net-p2p/clboss/files/patch-Util_Compiler.hpp
+3 -3      net-p2p/clboss/distinfo
+1 -1      net-p2p/clboss/Makefile
+4 -15     3 files

HardenedBSD/src b54d4a1  sys/modules/dtb/rockchip Makefile

dtb: rockchip: Add Radxa ROCK 4C Plus to the build.

The ROCK 4C Plus is a cost-reduced variant of the ROCK Pi 4 based on
the RockChip RK3399-T.

Reviewed by:    manu
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D45110
Delta      File
+1 -0      sys/modules/dtb/rockchip/Makefile
+1 -0      1 files

HardenedBSD/ports 6d4f6e2  misc/py-litellm distinfo Makefile

misc/py-litellm: update to 1.36.0

Changelog: https://github.com/BerriAI/litellm/releases

Reported by:    portscout
Delta      File
+3 -3      misc/py-litellm/distinfo
+1 -1      misc/py-litellm/Makefile
+4 -4      2 files

HardenedBSD/ports 26dcbf5  www/tomcat9 distinfo Makefile

www/tomcat9: update to 9.0.89

Changelog:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.89_(remm)

MFH:    2024Q2
Delta      File
+3 -3      www/tomcat9/distinfo
+1 -1      www/tomcat9/Makefile
+4 -4      2 files

HardenedBSD/ports c022f4a  archivers/lzip distinfo Makefile

archivers/lzip: Update to 1.24

This includes the following changes:
 - New option --empty-error, which forces exit status 2 if any empty
   member is found.
 - New option --marking-error, which forces exit status 2 if the first
   LZMA byte is non-zero in any member.
 - Improved diagnostics.
 - The option -o / --output preserves dates, permissions, and ownership
   of the file when (de)compressing exactly one file.
 - It also creates missing intermediate directories when writing a file.
Delta      File
+3 -3      archivers/lzip/distinfo
+1 -2      archivers/lzip/Makefile
+4 -5      2 files

HardenedBSD/src 3c1f3cf  release Makefile.mirrors

release: Stage non-UFS images in vm-images-stage

When the VM image building code was updated to support building
non-UFS images, the vm-images-stage target was not updated to
install those newly built images to the FTP site.  As a result, we
have been sending weekly snapshot announcements since August claiming
that ZFS VM images are available when they are not in fact present
anywhere publicly accessible.

Fixes:  32ae9a6b3937 "release: Build UFS and ZFS VM images"
Reported by:    Michael Dexter
MFC after:      5 days

(cherry picked from commit f4b08097d8e274e1a8526d864c31462ea42d9e9f)
Delta      File
+14 -0     release/Makefile.mirrors
+14 -0     1 files

HardenedBSD/ports ca82a79  net/speedtest-go distinfo Makefile

net/speedtest-go: update to 1.7.2

Changes:        https://github.com/showwin/speedtest-go/releases/tag/v1.7.1
Changes:        https://github.com/showwin/speedtest-go/releases/tag/v1.7.2
Delta      File
+5 -5      net/speedtest-go/distinfo
+1 -1      net/speedtest-go/Makefile
+6 -6      2 files