History log of /netbsd-current/sys/dist/pf/net/pf_ioctl.c
# 1.58 28-Mar-2022 riastradh

driver(9): devsw_detach never fails. Make it return void.

Prune a whole lotta dead branches as a result of this. (Some logic
calling this is also wrong for other reasons; devsw_detach is final
-- you should never have any reason to decide to roll it back. To be
cleaned up in subsequent commits...)

XXX kernel ABI change to devsw_detach signature requires bump


Revision tags: thorpej-i2c-spi-conf2-base thorpej-futex2-base thorpej-cfargs2-base cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base thorpej-i2c-spi-conf-base thorpej-cfargs-base thorpej-futex-base bouyer-xenpvh-base2 phil-wifi-20200421 bouyer-xenpvh-base1 phil-wifi-20200411 bouyer-xenpvh-base is-mlppp-base phil-wifi-20200406 ad-namecache-base3
# 1.57 21-Feb-2020 joerg

Explicitly cast pointers to uintptr_t before casting to enums. They are
not necessarily the same size. Don't cast pointers to bool, check for
NULL instead.


Revision tags: netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 ad-namecache-base2 ad-namecache-base1 ad-namecache-base netbsd-9-0-RC1 phil-wifi-20191119 netbsd-9-base phil-wifi-20190609 isaki-audio2-base pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
# 1.56 10-Aug-2018 maxv

branches: 1.56.6;
Fix compilation of PF/IPF...


# 1.55 10-Aug-2018 maxv

Rename

ip6_undefer_csum -> in6_undefer_cksum
in6_delayed_cksum -> in6_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in6_offload.c. Add comments to explain what
we're doing.

Same as IPv4.


Revision tags: pgoyette-compat-0728
# 1.54 11-Jul-2018 kre

Fix build. pf_ioctl.c needs netinet/in_offload.h (after previous change).
Because this is in a module, apparently, that means that netinet_in_offload.h
needs to get installed in /usr/include, so do that as well.

Feel free to fix this in a better way...


# 1.53 11-Jul-2018 maxv

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.


Revision tags: phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base tls-maxphys-base-20171202
# 1.52 15-Oct-2017 pgoyette

branches: 1.52.2; 1.52.4;
Defer initialization of pf_status.host_id

The call to cprng_fast32() requires that per-cpu data has been initialized
by cprng_fast_init(), which doesn't get called until after the first part
of auto-configuration is done, long after pfattach() calls cprng_fast32().

Fixed PR kern/52620

XXX This needs pull-up to the -8 branch.


Revision tags: nick-nhusb-base-20170825 perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320 nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004 localcount-20160914 pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 nick-nhusb-base-20150921
# 1.51 20-Aug-2015 christos

branches: 1.51.8; 1.51.10;
include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.


Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base tls-earlyentropy-base tls-maxphys-base
# 1.50 25-Jul-2014 dholland

branches: 1.50.4;
Add d_discard to all struct cdevsw instances I could find.

All have been set to "nodiscard"; some should get a real implementation.


Revision tags: yamt-pagecache-base9 riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base
# 1.49 16-Mar-2014 dholland

branches: 1.49.2;
Change (mostly mechanically) every cdevsw/bdevsw I can find to use
designated initializers.

I have not built every extant kernel so I have probably broken at
least one build; however I've also found and fixed some wrong
cdevsw/bdevsw entries so even if so I think we come out ahead.


Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
# 1.48 01-Jul-2013 skrll

PFIL_HOOKS is dead.


# 1.47 30-Jun-2013 rmind

Update pf to pfil(9) changes. Missed in previous commit.


Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
# 1.46 28-Nov-2011 tls

branches: 1.46.8; 1.46.12;
Remove arc4random() and arc4randbytes() from the kernel API. Replace
arc4random() hacks in rump with stubs that call the host arc4random() to
get numbers that are hopefully actually random (arc4random() keyed with
stack junk is not). This should fix some of the currently failing anita
tests -- we should no longer generate duplicate "random" MAC addresses in
the test environment.


Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
# 1.45 30-Aug-2011 jmcneill

branches: 1.45.2;
fix -Wshadow warnings when ALTQ is enabled


# 1.44 29-Aug-2011 jmcneill

build pf module with WARNS=3, and remove the need for -Wno-shadow


Revision tags: rmind-uvmplock-nbase cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base rmind-uvmplock-base
# 1.43 19-Jan-2011 drochner

make sure the "overload_tbl" member of "struct pf_rule" copied in
from userland is initialized (it is used by the kernel only)
fixes crash or data injection (CVE-2010-3830), usually by root user only
OpenBSD has rewritten the code to start with a zero'd struct and fills
in needed parts only - to be considered in case a newer pf version
is imported.


Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11 uebayasi-xip-base2 yamt-nfs-mp-base10
# 1.42 07-May-2010 degroote

branches: 1.42.2;
Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a later point, after a
maintenance reboot for example, in a transparent way for the user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@


Revision tags: uebayasi-xip-base1
# 1.41 13-Apr-2010 ahoka

Do not unload pf when enabled, not even manually.


# 1.40 13-Apr-2010 ahoka

change module class to driver.


# 1.39 13-Apr-2010 ahoka

Do not auto unload pf if it's enabled.


# 1.38 12-Apr-2010 ahoka

- Make the pf and pflog driver able to detach.
- Add code for module support.

Original patch from Jared McNeill


Revision tags: yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 jym-xensuspend-nbase
# 1.37 03-Oct-2009 elad

branches: 1.37.2; 1.37.4;
Move firewall/NAT policy back to respective subsystems (pf, ipf).

Note: the ipf code contains a lot of ifdefs, some of them for NetBSD
versions that are no longer maintained. It won't make the code more
readable, but we should consider removing them.


Revision tags: yamt-nfs-mp-base8
# 1.36 14-Sep-2009 degroote

Import pfsync support from OpenBSD 4.2

Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can
be used to synchronise different pf.

This work was part of my 2009 GSoC

No objection on tech-net@


Revision tags: yamt-nfs-mp-base7
# 1.35 28-Jul-2009 minskim

Remove LKM code from pf.


Revision tags: netbsd-5-2-3-RELEASE netbsd-5-1-5-RELEASE netbsd-5-2-2-RELEASE netbsd-5-1-4-RELEASE netbsd-5-2-1-RELEASE netbsd-5-1-3-RELEASE netbsd-5-2-RELEASE netbsd-5-2-RC1 netbsd-5-1-2-RELEASE netbsd-5-1-1-RELEASE matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
# 1.34 22-Jun-2008 peter

Wrap definition of pfil6_wrapper in #ifdef INET6.

From Scott Ellis in PR/39007.


# 1.33 18-Jun-2008 yamt

merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@


Revision tags: yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base vmlocking2-base3 bouyer-xeni386-nbase yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
# 1.32 11-Dec-2007 lukem

branches: 1.32.8; 1.32.10; 1.32.12; 1.32.14; 1.32.16;
use __KERNEL_RCSID()


Revision tags: nick-csl-alignment-base5 matt-armv6-prevmlocking yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base matt-mips64-base jmcneill-pm-base nick-csl-alignment-base reinoud-bufcleanup-base mjf-ufs-trans-base vmlocking-base
# 1.31 09-Jul-2007 ad

branches: 1.31.8; 1.31.16; 1.31.18; 1.31.20;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements


Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
# 1.30 12-Mar-2007 ad

branches: 1.30.2;
Pass an ipl argument to pool_init/POOL_INIT to be used when initializing
the pool's lock.


# 1.29 04-Mar-2007 christos

branches: 1.29.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.


Revision tags: netbsd-4-0-1-RELEASE wrstuden-fixsa-newbase wrstuden-fixsa-base-1 netbsd-4-0-RELEASE netbsd-4-0-RC5 matt-nb4-arm-base netbsd-4-0-RC4 netbsd-4-0-RC3 netbsd-4-0-RC2 netbsd-4-0-RC1 wrstuden-fixsa-base ad-audiomp-base post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
# 1.28 16-Nov-2006 christos

branches: 1.28.4;
__unused removal on arguments; approved by core.


Revision tags: yamt-splraiseipl-base2
# 1.27 12-Oct-2006 peter

Merge the peter-altq branch.

(sync with KAME & add support for using ALTQ with pf(4)).


# 1.26 12-Oct-2006 christos

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386


# 1.25 01-Oct-2006 pavel

In pf, there are lots of #ifdef ALTQ, but our ALTQ is not what pf expects,
and if ALTQ and pf are both enabled, it leads to compile errors. So,
change all tests for ALTQ to ALTQ_NEW, which won't be defined.

This allows simultaneous compilation of pf and ALTQ and is a temporary
measure before the peter-altq branch is merged.

Tested and approved by Peter Postma.


# 1.24 19-Sep-2006 elad

Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.

While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).

Update documentation.


Revision tags: yamt-splraiseipl-base yamt-pdpolicy-base9
# 1.23 08-Sep-2006 elad

branches: 1.23.2;
First take at security model abstraction.

- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.

This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...

* And of course, documentation describing how to do the above for quick
reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stabilizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)


Revision tags: yamt-pdpolicy-base8 rpaulo-netinet-merge-pcb-base
# 1.22 03-Sep-2006 christos

branches: 1.22.2;
add missing initializer


Revision tags: abandoned-netbsd-4-base yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base
# 1.21 11-Dec-2005 christos

branches: 1.21.4; 1.21.8; 1.21.12;
merge ktrace-lwp.


Revision tags: yamt-readahead-base3 yamt-readahead-base2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base ktrace-lwp-base
# 1.20 11-Aug-2005 yamt

pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6.


# 1.19 06-Aug-2005 yamt

wrap INET only code by #if defined(INET). (in __NetBSD__ part)


# 1.18 26-Jul-2005 peter

pf_test() can set *mp to NULL, check for this before de-referencing it.
From Akihiro Sagawa in PR/30835.


# 1.17 01-Jul-2005 peter

branches: 1.17.2;
Resolve conflicts (pf from OpenBSD 3.7, kernel part).


Revision tags: yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base
# 1.16 15-Mar-2005 peter

branches: 1.16.2;
Fix a GCC warning when compiling on evbppc.
From FUKAUMI Naoki in PR #29669.


# 1.15 14-Feb-2005 peter

Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.


Revision tags: yamt-km-base2 yamt-km-base kent-audio1-beforemerge
# 1.14 01-Jan-2005 yamt

branches: 1.14.2; 1.14.4;
pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.


Revision tags: kent-audio1-base
# 1.13 04-Dec-2004 peter

Improve the cleanup routines for detachment. Fixes PR 28132.

Reviewed by yamt.


# 1.12 14-Nov-2004 yamt

resolve conflicts. (pf from OpenBSD 3.6, kernel part)


# 1.11 13-Nov-2004 yamt

backout whitespace changes to make further import easier.


# 1.10 06-Sep-2004 yamt

pfil4_wrapper, pfil6_wrapper:
ensure that mbufs are writable beforehand as pf assumes it.
PR/26433.


# 1.9 27-Jul-2004 yamt

branches: 1.9.2;
- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.


# 1.8 26-Jul-2004 yamt

fix dynaddr tracking.

from Peter Postma, PR/26369.
ok'ed by itojun.


# 1.7 26-Jul-2004 yamt

call PFIL_NEWIF hooks at a correct place.
(on SIOCAIFADDR rather than SIOCGIFALIAS.)

from Peter Postma, PR/26402.
ok'ed by itojun.


# 1.6 29-Jun-2004 itojun

make PF lkm working. from Peter Postma and Joel Wilsson.

remove pf_ioctl_head/pf_newif_head, which was never used.


# 1.5 25-Jun-2004 itojun

PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma


# 1.4 22-Jun-2004 martin

Make it compile on non-IPv6 kernels.


# 1.3 22-Jun-2004 christos

add a pfdetach() method to be used by lkm's


# 1.2 22-Jun-2004 itojun

PF from openbsd 3.5. missing features:
- pfsync (due to protocol # assignment issues)
- carp (not really a PF portion, but thought important to mention)
- PF and ALTQ are mutually-exclusive. this will be sorted out when
kjc@csl.sony.co.jp updates ALTQ and PF (and API inbetween)

reviewed by matt, christos, perry

torture-test is very welcomed.


# 1.1 22-Jun-2004 itojun

branches: 1.1.1;
Initial revision


# 1.57 21-Feb-2020 joerg

Explicitly cast pointers to uintptr_t before casting to enums. They are
not necessarily the same size. Don't cast pointers to bool, check for
NULL instead.


Revision tags: netbsd-9-0-RELEASE netbsd-9-0-RC2 ad-namecache-base2 ad-namecache-base1 ad-namecache-base netbsd-9-0-RC1 phil-wifi-20191119 netbsd-9-base phil-wifi-20190609 isaki-audio2-base pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
# 1.56 10-Aug-2018 maxv

Fix compilation of PF/IPF...


# 1.55 10-Aug-2018 maxv

Rename

ip6_undefer_csum -> in6_undefer_cksum
in6_delayed_cksum -> in6_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in6_offload.c. Add comments to explain what
we're doing.

Same as IPv4.


Revision tags: pgoyette-compat-0728
# 1.54 11-Jul-2018 kre

Fix build. pf_ioctl.c needs netinet/in_offload.h (after previous change).
Because this is in a module, apparently, that means that netinet_in_offload.h
needs to get installed in /usr/include, so do that as well.

Feel free to fix this in a better way...


# 1.53 11-Jul-2018 maxv

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.


Revision tags: phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base tls-maxphys-base-20171202
# 1.52 15-Oct-2017 pgoyette

branches: 1.52.2; 1.52.4;
Defer initialization of pf_status.host_id

The call to cprng_fast32() requires that per-cpu data has been initialized
by corng_fast_init(), which doesn't get called until after the first part
of auto-configuration is done, long after pfattach() calls cprng_fast32().

Fixed PR kern/52620

XXX This needs pull-up to the -8 branch.


Revision tags: nick-nhusb-base-20170825 perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320 nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004 localcount-20160914 pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 nick-nhusb-base-20150921
# 1.51 20-Aug-2015 christos

branches: 1.51.8; 1.51.10;
include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.


Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base tls-earlyentropy-base tls-maxphys-base
# 1.50 25-Jul-2014 dholland

branches: 1.50.4;
Add d_discard to all struct cdevsw instances I could find.

All have been set to "nodiscard"; some should get a real implementation.


Revision tags: yamt-pagecache-base9 riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base
# 1.49 16-Mar-2014 dholland

branches: 1.49.2;
Change (mostly mechanically) every cdevsw/bdevsw I can find to use
designated initializers.

I have not built every extant kernel so I have probably broken at
least one build; however I've also found and fixed some wrong
cdevsw/bdevsw entries so even if so I think we come out ahead.


Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
# 1.48 01-Jul-2013 skrll

PFIL_HOOKS is dead.


# 1.47 30-Jun-2013 rmind

Update pf to pfil(9) changes. Missed in previous commit.


Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
# 1.46 28-Nov-2011 tls

branches: 1.46.8; 1.46.12;
Remove arc4random() and arc4randbytes() from the kernel API. Replace
arc4random() hacks in rump with stubs that call the host arc4random() to
get numbers that are hopefully actually random (arc4random() keyed with
stack junk is not). This should fix some of the currently failing anita
tests -- we should no longer generate duplicate "random" MAC addresses in
the test environment.


Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
# 1.45 30-Aug-2011 jmcneill

branches: 1.45.2;
fix -Wshadow warnings when ALTQ is enabled


# 1.44 29-Aug-2011 jmcneill

build pf module with WARNS=3, and remove the need for -Wno-shadow


Revision tags: rmind-uvmplock-nbase cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base rmind-uvmplock-base
# 1.43 19-Jan-2011 drochner

make sure the "overload_tbl" member of "struct pf_rule" copied in
from userland is initialized (it is used by the kernel only)
fixes crash or data injection (CVE-2010-3830), usually by root user only
OpenBSD has rewritten the code to start with a zero'd struct and fills
in needed parts only - to be considered in case a newer pf version
is imported.


Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11 uebayasi-xip-base2 yamt-nfs-mp-base10
# 1.42 07-May-2010 degroote

branches: 1.42.2;
Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@


Revision tags: uebayasi-xip-base1
# 1.41 13-Apr-2010 ahoka

Do not unload pf when enabled, not even manually.


# 1.40 13-Apr-2010 ahoka

change module class to driver.


# 1.39 13-Apr-2010 ahoka

Do not auto unload pf if it's enabled.


# 1.38 12-Apr-2010 ahoka

- Make the pf and pflog driver able to detach.
- Add code for module support.

Original patch from Jared McNeill


Revision tags: yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 jym-xensuspend-nbase
# 1.37 03-Oct-2009 elad

branches: 1.37.2; 1.37.4;
Move firewall/NAT policy back to respective subsystems (pf, ipf).

Note: the ipf code contains a lot of ifdefs, some of them for NetBSD
versions that are no longer maintained. It won't make the code more
readable, but we should consider removing them.


Revision tags: yamt-nfs-mp-base8
# 1.36 14-Sep-2009 degroote

Import pfsync support from OpenBSD 4.2

Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can
be used to synchronise different pf.

This work was part of my 2009 GSoC

No objection on tech-net@


Revision tags: yamt-nfs-mp-base7
# 1.35 28-Jul-2009 minskim

Remove LKM code from pf.


Revision tags: netbsd-5-2-3-RELEASE netbsd-5-1-5-RELEASE netbsd-5-2-2-RELEASE netbsd-5-1-4-RELEASE netbsd-5-2-1-RELEASE netbsd-5-1-3-RELEASE netbsd-5-2-RELEASE netbsd-5-2-RC1 netbsd-5-1-2-RELEASE netbsd-5-1-1-RELEASE matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
# 1.34 22-Jun-2008 peter

Wrap definition of pfil6_wrapper in #ifdef INET6.

From Scott Ellis in PR/39007.


# 1.33 18-Jun-2008 yamt

merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@


Revision tags: yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base vmlocking2-base3 bouyer-xeni386-nbase yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
# 1.32 11-Dec-2007 lukem

branches: 1.32.8; 1.32.10; 1.32.12; 1.32.14; 1.32.16;
use __KERNEL_RCSID()


Revision tags: nick-csl-alignment-base5 matt-armv6-prevmlocking yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base matt-mips64-base jmcneill-pm-base nick-csl-alignment-base reinoud-bufcleanup-base mjf-ufs-trans-base vmlocking-base
# 1.31 09-Jul-2007 ad

branches: 1.31.8; 1.31.16; 1.31.18; 1.31.20;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements


Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
# 1.30 12-Mar-2007 ad

branches: 1.30.2;
Pass an ipl argument to pool_init/POOL_INIT to be used when initializing
the pool's lock.


# 1.29 04-Mar-2007 christos

branches: 1.29.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.


Revision tags: netbsd-4-0-1-RELEASE wrstuden-fixsa-newbase wrstuden-fixsa-base-1 netbsd-4-0-RELEASE netbsd-4-0-RC5 matt-nb4-arm-base netbsd-4-0-RC4 netbsd-4-0-RC3 netbsd-4-0-RC2 netbsd-4-0-RC1 wrstuden-fixsa-base ad-audiomp-base post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
# 1.28 16-Nov-2006 christos

branches: 1.28.4;
__unused removal on arguments; approved by core.


Revision tags: yamt-splraiseipl-base2
# 1.27 12-Oct-2006 peter

Merge the peter-altq branch.

(sync with KAME & add support for using ALTQ with pf(4)).


# 1.26 12-Oct-2006 christos

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386


# 1.25 01-Oct-2006 pavel

In pf, there are lots of #ifdef ALTQ, but our ALTQ is not what pf expects,
and if ALTQ and pf are both enabled, it leads to compile errors. So,
change all tests for ALTQ to ALTQ_NEW, which won't be defined.

This allows simultaneous compilation of pf and ALTQ and is a temporary
measure before the peter-altq brach is merged.

Tested and approved by Peter Postma.


# 1.24 19-Sep-2006 elad

Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.

While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).

Update documentation.


Revision tags: yamt-splraiseipl-base yamt-pdpolicy-base9
# 1.23 08-Sep-2006 elad

branches: 1.23.2;
First take at security model abstraction.

- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.

This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...

* And of course, documentation describing how to do the above for quick
reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stabilizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)


Revision tags: yamt-pdpolicy-base8 rpaulo-netinet-merge-pcb-base
# 1.22 03-Sep-2006 christos

branches: 1.22.2;
add missing initializer


Revision tags: abandoned-netbsd-4-base yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base
# 1.21 11-Dec-2005 christos

branches: 1.21.4; 1.21.8; 1.21.12;
merge ktrace-lwp.


Revision tags: yamt-readahead-base3 yamt-readahead-base2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base ktrace-lwp-base
# 1.20 11-Aug-2005 yamt

pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6.


# 1.19 06-Aug-2005 yamt

wrap INET only code by #if defined(INET). (in __NetBSD__ part)


# 1.18 26-Jul-2005 peter

pf_test() can set *mp to NULL, check for this before de-referencing it.
From Akihiro Sagawa in PR/30835.


# 1.17 01-Jul-2005 peter

branches: 1.17.2;
Resolve conflicts (pf from OpenBSD 3.7, kernel part).


Revision tags: yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base
# 1.16 15-Mar-2005 peter

branches: 1.16.2;
Fix a GCC warning when compiling on evbppc.
From FUKAUMI Naoki in PR #29669.


# 1.15 14-Feb-2005 peter

Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.


Revision tags: yamt-km-base2 yamt-km-base kent-audio1-beforemerge
# 1.14 01-Jan-2005 yamt

branches: 1.14.2; 1.14.4;
pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.


Revision tags: kent-audio1-base
# 1.13 04-Dec-2004 peter

Improve the cleanup routines for detachment. Fixes PR 28132.

Reviewed by yamt.


# 1.12 14-Nov-2004 yamt

resolve conflicts. (pf from OpenBSD 3.6, kernel part)


# 1.11 13-Nov-2004 yamt

backout whitespace changes to make further import easier.


# 1.10 06-Sep-2004 yamt

pfil4_wrapper, pfil6_wrapper:
ensure that mbufs are writable beforehand as pf assumes it.
PR/26433.


# 1.9 27-Jul-2004 yamt

branches: 1.9.2;
- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.


# 1.8 26-Jul-2004 yamt

fix dynaddr tracking.

from Peter Postma, PR/26369.
ok'ed by itojun.


# 1.7 26-Jul-2004 yamt

call PFIL_NEWIF hooks at a correct place.
(on SIOCAIFADDR rather than SIOCGIFALIAS.)

from Peter Postma, PR/26402.
ok'ed by itojun.


# 1.6 29-Jun-2004 itojun

make PF lkm working. from Peter Postma and Joel Wilsson.

remove pf_ioctl_head/pf_newif_head, which was never used.


# 1.5 25-Jun-2004 itojun

PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma


# 1.4 22-Jun-2004 martin

Make it compile on non-IPv6 kernels.


# 1.3 22-Jun-2004 christos

add a pfdetach() method to be used by lkm's


# 1.2 22-Jun-2004 itojun

PF from openbsd 3.5. missing features:
- pfsync (due to protocol # assignment issues)
- carp (not really a PF portion, but thought important to mention)
- PF and ALTQ are mutually-exclusive. this will be sorted out when
kjc@csl.sony.co.jp updates ALTQ and PF (and API in between)

reviewed by matt, christos, perry

torture-test is very welcome.


# 1.1 22-Jun-2004 itojun

branches: 1.1.1;
Initial revision


# 1.52 15-Oct-2017 pgoyette

Defer initialization of pf_status.host_id

The call to cprng_fast32() requires that per-cpu data has been initialized
by cprng_fast_init(), which doesn't get called until after the first part
of auto-configuration is done, long after pfattach() calls cprng_fast32().

Fixed PR kern/52620

XXX This needs pull-up to the -8 branch.


Revision tags: nick-nhusb-base-20170825 perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320 nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004 localcount-20160914 pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 nick-nhusb-base-20150921
# 1.51 20-Aug-2015 christos

branches: 1.51.8;
include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.


Revision tags: netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base tls-earlyentropy-base tls-maxphys-base
# 1.50 25-Jul-2014 dholland

branches: 1.50.4;
Add d_discard to all struct cdevsw instances I could find.

All have been set to "nodiscard"; some should get a real implementation.


Revision tags: yamt-pagecache-base9 riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base
# 1.49 16-Mar-2014 dholland

branches: 1.49.2;
Change (mostly mechanically) every cdevsw/bdevsw I can find to use
designated initializers.

I have not built every extant kernel so I have probably broken at
least one build; however I've also found and fixed some wrong
cdevsw/bdevsw entries so even if so I think we come out ahead.


Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
# 1.48 01-Jul-2013 skrll

PFIL_HOOKS is dead.


# 1.47 30-Jun-2013 rmind

Update pf to pfil(9) changes. Missed in previous commit.


Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
# 1.46 28-Nov-2011 tls

branches: 1.46.8; 1.46.12;
Remove arc4random() and arc4randbytes() from the kernel API. Replace
arc4random() hacks in rump with stubs that call the host arc4random() to
get numbers that are hopefully actually random (arc4random() keyed with
stack junk is not). This should fix some of the currently failing anita
tests -- we should no longer generate duplicate "random" MAC addresses in
the test environment.


Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
# 1.45 30-Aug-2011 jmcneill

branches: 1.45.2;
fix -Wshadow warnings when ALTQ is enabled


# 1.44 29-Aug-2011 jmcneill

build pf module with WARNS=3, and remove the need for -Wno-shadow


Revision tags: rmind-uvmplock-nbase cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base rmind-uvmplock-base
# 1.43 19-Jan-2011 drochner

make sure the "overload_tbl" member of "struct pf_rule" copied in
from userland is initialized (it is used by the kernel only)
fixes crash or data injection (CVE-2010-3830), usually by root user only
OpenBSD has rewritten the code to start with a zero'd struct and fills
in needed parts only - to be considered in case a newer pf version
is imported.


Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11 uebayasi-xip-base2 yamt-nfs-mp-base10
# 1.42 07-May-2010 degroote

branches: 1.42.2;
Add support for pfs(8)

pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a later point, after a
maintenance reboot for example, in a transparent way for user.

This work has been done mostly during my GSoC 2009

No objections on tech-net@


Revision tags: uebayasi-xip-base1
# 1.41 13-Apr-2010 ahoka

Do not unload pf when enabled, not even manually.


# 1.40 13-Apr-2010 ahoka

change module class to driver.


# 1.39 13-Apr-2010 ahoka

Do not auto unload pf if it's enabled.


# 1.38 12-Apr-2010 ahoka

- Make the pf and pflog driver able to detach.
- Add code for module support.

Original patch from Jared McNeill


Revision tags: yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 jym-xensuspend-nbase
# 1.37 03-Oct-2009 elad

branches: 1.37.2; 1.37.4;
Move firewall/NAT policy back to respective subsystems (pf, ipf).

Note: the ipf code contains a lot of ifdefs, some of them for NetBSD
versions that are no longer maintained. It won't make the code more
readable, but we should consider removing them.


Revision tags: yamt-nfs-mp-base8
# 1.36 14-Sep-2009 degroote

Import pfsync support from OpenBSD 4.2

Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can
be used to synchronise different pf.

This work was part of my 2009 GSoC

No objection on tech-net@


Revision tags: yamt-nfs-mp-base7
# 1.35 28-Jul-2009 minskim

Remove LKM code from pf.


Revision tags: netbsd-5-2-3-RELEASE netbsd-5-1-5-RELEASE netbsd-5-2-2-RELEASE netbsd-5-1-4-RELEASE netbsd-5-2-1-RELEASE netbsd-5-1-3-RELEASE netbsd-5-2-RELEASE netbsd-5-2-RC1 netbsd-5-1-2-RELEASE netbsd-5-1-1-RELEASE matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
# 1.34 22-Jun-2008 peter

Wrap definition of pfil6_wrapper in #ifdef INET6.

From Scott Ellis in PR/39007.


# 1.33 18-Jun-2008 yamt

merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@


Revision tags: yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base vmlocking2-base3 bouyer-xeni386-nbase yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
# 1.32 11-Dec-2007 lukem

branches: 1.32.8; 1.32.10; 1.32.12; 1.32.14; 1.32.16;
use __KERNEL_RCSID()


Revision tags: nick-csl-alignment-base5 matt-armv6-prevmlocking yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base matt-mips64-base jmcneill-pm-base nick-csl-alignment-base reinoud-bufcleanup-base mjf-ufs-trans-base vmlocking-base
# 1.31 09-Jul-2007 ad

branches: 1.31.8; 1.31.16; 1.31.18; 1.31.20;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements


Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
# 1.30 12-Mar-2007 ad

branches: 1.30.2;
Pass an ipl argument to pool_init/POOL_INIT to be used when initializing
the pool's lock.


# 1.29 04-Mar-2007 christos

branches: 1.29.2;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.


Revision tags: netbsd-4-0-1-RELEASE wrstuden-fixsa-newbase wrstuden-fixsa-base-1 netbsd-4-0-RELEASE netbsd-4-0-RC5 matt-nb4-arm-base netbsd-4-0-RC4 netbsd-4-0-RC3 netbsd-4-0-RC2 netbsd-4-0-RC1 wrstuden-fixsa-base ad-audiomp-base post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
# 1.28 16-Nov-2006 christos

branches: 1.28.4;
__unused removal on arguments; approved by core.


Revision tags: yamt-splraiseipl-base2
# 1.27 12-Oct-2006 peter

Merge the peter-altq branch.

(sync with KAME & add support for using ALTQ with pf(4)).


# 1.26 12-Oct-2006 christos

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386


# 1.25 01-Oct-2006 pavel

In pf, there are lots of #ifdef ALTQ, but our ALTQ is not what pf expects,
and if ALTQ and pf are both enabled, it leads to compile errors. So,
change all tests for ALTQ to ALTQ_NEW, which won't be defined.

This allows simultaneous compilation of pf and ALTQ and is a temporary
measure before the peter-altq branch is merged.

Tested and approved by Peter Postma.


# 1.24 19-Sep-2006 elad

Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.

While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).

Update documentation.


Revision tags: yamt-splraiseipl-base yamt-pdpolicy-base9
# 1.23 08-Sep-2006 elad

branches: 1.23.2;
First take at security model abstraction.

- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.

This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...

* And of course, documentation describing how to do the above for quick
reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; it's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stabilizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)


Revision tags: yamt-pdpolicy-base8 rpaulo-netinet-merge-pcb-base
# 1.22 03-Sep-2006 christos

branches: 1.22.2;
add missing initializer


Revision tags: abandoned-netbsd-4-base yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base
# 1.21 11-Dec-2005 christos

branches: 1.21.4; 1.21.8; 1.21.12;
merge ktrace-lwp.


Revision tags: yamt-readahead-base3 yamt-readahead-base2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base ktrace-lwp-base
# 1.20 11-Aug-2005 yamt

pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6.


# 1.19 06-Aug-2005 yamt

wrap INET only code by #if defined(INET). (in __NetBSD__ part)


# 1.18 26-Jul-2005 peter

pf_test() can set *mp to NULL, check for this before de-referencing it.
From Akihiro Sagawa in PR/30835.


# 1.17 01-Jul-2005 peter

branches: 1.17.2;
Resolve conflicts (pf from OpenBSD 3.7, kernel part).


Revision tags: yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base
# 1.16 15-Mar-2005 peter

branches: 1.16.2;
Fix a GCC warning when compiling on evbppc.
From FUKAUMI Naoki in PR #29669.


# 1.15 14-Feb-2005 peter

Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.


Revision tags: yamt-km-base2 yamt-km-base kent-audio1-beforemerge
# 1.14 01-Jan-2005 yamt

branches: 1.14.2; 1.14.4;
pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.


Revision tags: kent-audio1-base
# 1.13 04-Dec-2004 peter

Improve the cleanup routines for detachment. Fixes PR 28132.

Reviewed by yamt.


# 1.12 14-Nov-2004 yamt

resolve conflicts. (pf from OpenBSD 3.6, kernel part)


# 1.11 13-Nov-2004 yamt

backout whitespace changes to make further import easier.


# 1.10 06-Sep-2004 yamt

pfil4_wrapper, pfil6_wrapper:
ensure that mbufs are writable beforehand as pf assumes it.
PR/26433.


# 1.9 27-Jul-2004 yamt

branches: 1.9.2;
- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.


# 1.8 26-Jul-2004 yamt

fix dynaddr tracking.

from Peter Postma, PR/26369.
ok'ed by itojun.


# 1.7 26-Jul-2004 yamt

call PFIL_NEWIF hooks at a correct place.
(on SIOCAIFADDR rather than SIOCGIFALIAS.)

from Peter Postma, PR/26402.
ok'ed by itojun.


# 1.6 29-Jun-2004 itojun

make PF lkm working. from Peter Postma and Joel Wilsson.

remove pf_ioctl_head/pf_newif_head, which was never used.


# 1.5 25-Jun-2004 itojun

PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma


# 1.4 22-Jun-2004 martin

Make it compile on non-IPv6 kernels.


# 1.3 22-Jun-2004 christos

add a pfdetach() method to be used by lkm's


# 1.2 22-Jun-2004 itojun

PF from openbsd 3.5. missing features:
- pfsync (due to protocol # assignment issues)
- carp (not really a PF portion, but thought important to mention)
- PF and ALTQ are mutually-exclusive. this will be sorted out when
kjc@csl.sony.co.jp updates ALTQ and PF (and API in between)

reviewed by matt, christos, perry

torture-test is very welcome.


# 1.1 22-Jun-2004 itojun

branches: 1.1.1;
Initial revision