#
b272101a |
| 30-Oct-2023 |
Aaron LI <aly@aaronly.me> |
Various minor whitespace cleanups
Accumulated along the way.
|
#
0704bacf |
| 12-Jan-2024 |
Aaron LI <aly@aaronly.me> |
sockbuf: Improve sbcreatecontrol() parameter types to save casts
- Change 'caddr_t p' to 'const void *p' to save casts for the callers. The 'const' qualifier is also added meanwhile.
- Change 'int size' to 'size_t size', given that callers generally pass this parameter as sizeof().
- Update all relevant callers.
For the reference, OpenBSD also did this for sbcreatecontrol().
|
#
05d02a38 |
| 28-Dec-2023 |
Aaron LI <aly@aaronly.me> |
kernel: Remove unnecessary casts for updated mbuf(9) functions
|
#
2b3f93ea |
| 13-Oct-2023 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Add per-process capability-based restrictions
* This new system allows userland to set capability restrictions which turn off numerous kernel features and root accesses. These restrictions are inherited by sub-processes recursively. Once set, restrictions cannot be removed.
Basic restrictions that mimic an unadorned jail can be enabled without creating a jail, but generally speaking real security also requires creating a chrooted filesystem topology, and a jail is still needed to really segregate processes from each other. If you do so, however, you can (for example) disable mount/umount and most global root-only features.
* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)
* Add sys/caps.h
* Add the "setcaps" userland utility and manual page.
* Remove priv.9 and the priv_check infrastructure, replacing it with a newly designed caps infrastructure.
* The intention is to add path restriction lists and similar features to improve jailless security in the near future, and to optimize the priv_check code.
|
#
9a2d6101 |
| 19-Sep-2023 |
Matthew Dillon <dillon@apollo.backplane.com> |
netinet6 - Fix ipv6 mbuf packet type issue causing an NFS panic
* A forwarding case in ip6_input() was allocating an mbuf with MT_HEADER instead of MT_DATA, causing an NFS case later on to panic.
Submitted-by: iteratee (Kyle Butt)
|
Revision tags: v6.4.0, v6.4.0rc1, v6.5.0, v6.2.2, v6.2.1, v6.2.0, v6.3.0, v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2 |
|
#
1dea7c0c |
| 03-Sep-2020 |
Daniel Fojt <df@neosystem.org> |
kernel: avoid possible use-after-free in ipv6
Fix improper mbuf handling when processing IPv6 Hop-by-Hop options.
Taken from: FreeBSD (FreeBSD-SA-20:24.ipv6)
|
Revision tags: v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2 |
|
#
fcf6efef |
| 02-Mar-2019 |
Sascha Wildner <saw@online.de> |
kernel: Remove numerous #include <sys/thread2.h>.
Most of them were added when we converted spl*() calls to crit_enter()/crit_exit(), almost 14 years ago. We can now remove a good chunk of them again for where crit_*() are no longer used.
I had to adjust some files that were relying on thread2.h or headers that it includes coming in via other headers that it was removed from.
|
Revision tags: v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1 |
|
#
755d70b8 |
| 21-Apr-2018 |
Sascha Wildner <saw@online.de> |
Remove IPsec and related code from the system.
It was unmaintained ever since we inherited it from FreeBSD 4.8.
In fact, we had two implementations from that time: IPSEC and FAST_IPSEC. FAST_IPSEC is the implementation to which FreeBSD has moved since, but it didn't even build in DragonFly.
Fixes for dports have been committed to DeltaPorts.
Requested-by: dillon
Dports-testing-and-fixing: zrj
|
Revision tags: v5.2.0, v5.3.0, v5.2.0rc, v5.0.2 |
|
#
06937ef9 |
| 25-Nov-2017 |
Sascha Wildner <saw@online.de> |
Remove faith(4) and faithd(8) from the tree.
FreeBSD did that 3 years ago (r274331). Quoting from their commit msg:
-----8<-----
It looks like industry have chosen different (and more traditional) stateless/stateful NAT64 as translation mechanism. Last non-trivial commits to both faith(4) and faithd(8) happened more than 12 years ago, so I assume it is time to drop RFC3142 in FreeBSD.
----->8-----
Some more info here:
https://lists.freebsd.org/pipermail/freebsd-net/2014-October/040224.html
Discussed-with: sephe
|
Revision tags: v5.0.1, v5.0.0, v5.0.0rc2, v5.1.0, v5.0.0rc1, v4.8.1 |
|
#
860b6b42 |
| 20-Jun-2017 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
loopback: Use ifclone APIs to create loopback interfaces.
This paves the way for multiple FIB support.
|
#
f546810c |
| 08-Apr-2017 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
inet6: Restore mbuf hash after defragmentation.
Reported-by: zach
|
Revision tags: v4.8.0, v4.6.2, v4.9.0, v4.8.0rc, v4.6.1, v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc |
|
#
cb3deea5 |
| 13-Aug-2015 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
inet6: Change scope to zone and use in6_clearscope() whenever possible
Obtained-from: KAME via FreeBSD
|
Revision tags: v4.2.4 |
|
#
d7a4695a |
| 06-Aug-2015 |
Nuno Antunes <nuno.antunes@gmail.com> |
net/inet6: Add missing ;
* Unbreaks kernel.
Pointed-out-by: YRabbit
|
#
1af953ac |
| 05-Aug-2015 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
inet6: Cosmetic clean up
No functional changes.
Obtained-from: KAME via FreeBSD
|
Revision tags: v4.3.1, v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5, v4.0.4 |
|
#
b5523eac |
| 19-Feb-2015 |
Sascha Wildner <saw@online.de> |
kernel: Move us to using M_NOWAIT and M_WAITOK for mbuf functions.
The main reason is that our having to use the MB_WAIT and MB_DONTWAIT flags was a recurring issue when porting drivers from FreeBSD because it tended to get forgotten and the code would compile anyway with the wrong constants. And since MB_WAIT and MB_DONTWAIT ended up as ocflags for an objcache_get() or objcache_reclaimlist call (which use M_WAITOK and M_NOWAIT), it was just one big converting back and forth with some sanitization in between.
This commit allows M_* again for the mbuf functions and keeps the sanitizing as it was before: when M_WAITOK is among the passed flags, objcache functions will be called with M_WAITOK and when it is absent, they will be called with M_NOWAIT. All other flags are scrubbed by the MB_OCFLAG() macro which does the same as the former MBTOM().
Approved-by: dillon
|
#
9cb60aff |
| 24-Jan-2015 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
inet6: Dispatch nd6_timer to netisr0 to run
This function now accesses ifindex2ifnet global variable in netisr0.
|
Revision tags: v4.0.3 |
|
#
fd89b323 |
| 12-Jan-2015 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
inet6: Dispatch in6_tmpaddrtimer to netisr0 to run
This function now accesses ifnet global variable in netisr.
|
Revision tags: v4.0.2 |
|
#
f7aad75a |
| 27-Dec-2014 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
inet6: Remove in6_prefix.[ch]
They have not been used for a while.
|
Revision tags: v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0, v3.8.2, v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc, v3.6.2, v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.7.0 |
|
#
2a810c21 |
| 04-Sep-2013 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Implement IPV6 subnet routing / proxy ND6 (equiv to proxy ARP)
* Do not require per-host RTF_ANNOUNCE/AF_LINK entries. They still work but they aren't needed any more (and they are such a huge bitch to set up anyway... best to avoid them).
* Machine must have net.inet6.ip6.forwarding mode enabled.
* Internet-facing interface must be promiscuous mode.
* Will automatically proxy ND6 any subnets if the interface is different from the one receiving the multicast. So e.g. you can route IPV6 which would otherwise have to be switched.
The subnet interface must currently be different because if it were the same the solicitation would be directly received by the target host anyway (being a multicast) and we would compete with it. This is also a good safety.
Example:
    ifconfig igb0 inet6 2999:499:1:555:1::72/80    For DNS
    ifconfig igb0 inet6 2999:499:1:555:1::1/80     For subnet default route
    ifconfig igb1 inet6 2999:499:1:555::2/80       For internet router
    ifconfig igb1 promisc
    route add -inet6 default 2999:499:1:555::1
The internet router is doing a terminal /64 block, e.g. its address is 2999:499:1:555::1/64, but we want to break the net up further and route portions of it instead of switch.
|
Revision tags: v3.4.3 |
|
#
dc71b7ab |
| 31-May-2013 |
Justin C. Sherrill <justin@shiningsilence.com> |
Correct BSD License clause numbering from 1-2-4 to 1-2-3.
Apparently everyone's doing it: http://svnweb.freebsd.org/base?view=revision&revision=251069
Submitted-by: "Eitan Adler" <lists at eitanadler.com>
|
Revision tags: v3.4.2 |
|
#
2702099d |
| 06-May-2013 |
Justin C. Sherrill <justin@shiningsilence.com> |
Remove advertising clause from all that isn't contrib or userland bin.
By: Eitan Adler <lists@eitanadler.com>
|
#
ca86d83e |
| 02-May-2013 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
netisr: Renaming, cpufn -> hashfn; no functional changes
|
#
5337421c |
| 02-May-2013 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
netisr: Inline netisr_cpuport() and netisr_curport()
These two functions do nothing more than just return pointer to the element in the array.
Per our header file naming convention, put these two functions in net/netisr2.h
|
#
ec7f7fc8 |
| 28-Apr-2013 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
netisr: Function renaming; no functional changes
This cleans up code for keeping input packets' hash instead of masking the hash with ncpus2_mask. netisr_hashport(), which maps packet hash to netisr port, will be added soon.
|
Revision tags: v3.4.0, v3.4.1, v3.4.0rc, v3.5.0 |
|
#
d40991ef |
| 13-Feb-2013 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
if: Per-cpu ifnet/ifaddr statistics, step 1/3
Wrap ifnet/ifaddr stats updating, setting and extraction into macros; ease upcoming changes.
|