path: root/sbin/ifconfig
Commit log (each entry lists the commit message, author, date, number of files changed and lines removed/added)
* ifconfig: fix incorrect wg allowed-ips netmask
  Author: Michael Chiu  Date: 2021-02-15  Files: 1  Lines: -1/+1

  Currently when peer information is displayed with `ifconfig wgN peer ..` or `ifconfig wgN peer-list`, the netmask of the first `allowed-ips` will be used as the netmask of all CIDR in `allowed-ips`. For example, if the list is `192.168.1.0/24, 172.16.0.0/16`, it will display as `192.168.1.0/24, 172.16.0.0/24`. While this does not affect the actual functionality, it is very confusing.

  Submitted by: Michael Chiu <nyan -at- myuji.xyz>
  Reviewed by: grehan
  Differential Revision: https://reviews.freebsd.org/D28655
  MFC after: 1 day
* Catch up with 6edfd179c86: mechanically rename IFCAP_NOMAP to IFCAP_MEXTPG.
  Author: Gleb Smirnoff  Date: 2021-01-29  Files: 2  Lines: -9/+11

  Originally IFCAP_NOMAP meant that the mbuf has an external storage pointer that points to an unmapped address. Then, this was extended to an array of such pointers. Then, such mbufs were augmented with header/trailer. Basically, extended mbufs are extended, and the set of features is subject to change. The new name should be generic enough to avoid further renaming.
* ifconfig: fix UBSan signed shift error
  Author: Alex Richardson  Date: 2021-01-25  Files: 1  Lines: -1/+1

  Use 1u since UBSan complains about 1 << 31.
* ifconfig: add vlanproto "qinq" as an alias for "802.1ad"
  Author: Allan Jude  Date: 2021-01-20  Files: 2  Lines: -2/+8

  QinQ is better known by this name, so accept it as an alias.

  Reported-by: Mike Geiger
  Reviewed-by: melifaro, hselasky, rpokala
  MFC-with: 366917
  Sponsored-by: Klara Inc.
  Differential-Revision: https://reviews.freebsd.org/D28245
* Fix bug in ifconfig preventing proper VLAN creation.
  Author: Hans Petter Selasky  Date: 2020-12-09  Files: 1  Lines: -15/+15

  Detection of interface type by filter must happen before detection of interface type by prefix. Else the following sequence of commands will try to create a LAGG interface instead of a VLAN interface, which accidentally worked previously, because the data pointed to by the ifr_data pointer was not parsed by the VLAN create ioctl(2). This is a regression after r368229, because the VLAN creation now parses the ifr_data field.

  How to reproduce:
    # ifconfig lagg0 create
    # ifconfig lagg0.256 create

  Differential Revision: https://reviews.freebsd.org/D27521
  Reviewed by: kib@ and kevans@
  Reported by: raul.munoz@custos.es
  Sponsored by: Mellanox Technologies // NVIDIA Networking
  Notes: svn path=/head/; revision=368492
* Import kernel WireGuard support
  Author: Matt Macy  Date: 2020-11-29  Files: 2  Lines: -0/+620

  Data path largely shared with the OpenBSD implementation by Matt Dunwoodie <ncon@nconroy.net>

  Reviewed by: grehan@freebsd.org
  MFC after: 1 month
  Sponsored by: Rubicon LLC, (Netgate)
  Differential Revision: https://reviews.freebsd.org/D26137
  Notes: svn path=/head/; revision=368163
* Ensure consistent error messages from ifconfig(8).
  Author: Hans Petter Selasky  Date: 2020-11-26  Files: 7  Lines: -10/+19

  If multiple threads are invoking "ifconfig XXX create" a race may occur which can lead to two different error messages for the same error.

    a) ifconfig: SIOCIFCREATE2: File exists
    b) ifconfig: interface XXX already exists

  This patch ensures ifconfig prints the same error code for the same case.

  Reviewed by: imp@ and kib@
  Differential Revision: https://reviews.freebsd.org/D27380
  MFC after: 1 week
  Sponsored by: Mellanox Technologies // NVIDIA Networking
  Notes: svn path=/head/; revision=368058
* ifconfig: properly detect invalid mediaopt keywords.
  Author: Konstantin Belousov  Date: 2020-11-02  Files: 1  Lines: -2/+3

  When an invalid keyword is specified, ifconfig(8) is silent about it; instead a random request is sent to the driver.

  Before the patch:
    root@r-freeb43:~ # ifconfig mce0 mediaopt -txpause,-rxpause
    ifconfig: SIOCSIFMEDIA (media): Device not configured

  After:
    root@r-freeb43:~ # ifconfig mce0 mediaopt -txpause,-rxpause
    ifconfig: unknown option: -txpause

  Reviewed by: hselasky, kp
  Sponsored by: Mellanox Technologies / NVidia Networking
  MFC after: 1 week
  Differential revision: https://reviews.freebsd.org/D27060
  Notes: svn path=/head/; revision=367285
* ifconfig.8: Improve formatting of -f in synopsis
  Author: Mateusz Piotrowski  Date: 2020-11-01  Files: 1  Lines: -2/+2

  MFC after: 3 days
  Notes: svn path=/head/; revision=367259
* Remove Tn macros from ifconfig.8
  Author: Mateusz Piotrowski  Date: 2020-11-01  Files: 1  Lines: -27/+10

  MFC after: 3 days
  Notes: svn path=/head/; revision=367258
* Support hardware rate limiting (pacing) with TLS offload.
  Author: John Baldwin  Date: 2020-10-29  Files: 2  Lines: -2/+8

  - Add a new send tag type for a send tag that supports both rate limiting (packet pacing) and TLS offload (mostly similar to D22669 but adds a separate structure when allocating the new tag type).
  - When allocating a send tag for TLS offload, check to see if the connection already has a pacing rate. If so, allocate a tag that supports both rate limiting and TLS offload rather than a plain TLS offload tag.
  - When setting an initial rate on an existing ifnet KTLS connection, set the rate in the TCP control block inp and then reset the TLS send tag (via ktls_output_eagain) to reallocate a TLS + ratelimit send tag. This allocates the TLS send tag asynchronously from a task queue, so the TLS rate limit tag alloc is always sleepable.
  - When modifying a rate on a connection using KTLS, look for a TLS send tag. If the send tag is only a plain TLS send tag, assume we failed to allocate a TLS ratelimit tag (either during the TCP_TXTLS_ENABLE socket option, or during the send tag reset triggered by ktls_output_eagain) and ignore the new rate. If the send tag is a ratelimit TLS send tag, change the rate on the TLS tag and leave the inp tag alone.
  - Lock the inp lock when setting sb_tls_info for a socket send buffer so that the routines in tcp_ratelimit can safely dereference the pointer without needing to grab the socket buffer lock.
  - Add an IFCAP_TXTLS_RTLMT capability flag and associated administrative controls in ifconfig(8). TLS rate limit tags are only allocated if this capability is enabled. Note that TLS offload (whether unlimited or rate limited) always requires IFCAP_TXTLS[46].

  Reviewed by: gallatin, hselasky
  Relnotes: yes
  Sponsored by: Netflix
  Differential Revision: https://reviews.freebsd.org/D26691
  Notes: svn path=/head/; revision=367123
* ifconfig.8: Remove spurious commas
  Author: Mateusz Piotrowski  Date: 2020-10-25  Files: 1  Lines: -3/+3

  Correct misuse of commas/parentheses in an enumeration that makes the number of actual parameters more important than expected.

  PR: 250526
  Submitted by: Samy Mahmoudi <samy.mahmoudi__gmail_com>
  MFC after: 1 week
  Notes: svn path=/head/; revision=367039
* Fix for colliding change (r366917).
  Author: Hans Petter Selasky  Date: 2020-10-22  Files: 1  Lines: -1/+1

  Differential Revision: https://reviews.freebsd.org/D26254
  Reviewed by: melifaro@
  MFC after: 1 week
  Sponsored by: Mellanox Technologies // NVIDIA Networking
  Notes: svn path=/head/; revision=366935
* Add support for IP over infiniband, IPoIB, to lagg(4).
  Author: Hans Petter Selasky  Date: 2020-10-22  Files: 2  Lines: -2/+37

  Currently only the failover protocol is supported due to limitations in the IPoIB architecture. Refer to the lagg(4) manual page for how to configure and use this new feature.

  A new network interface type, IFT_INFINIBANDLAG, has been added, similar to the existing IFT_IEEE8023ADLAG.

  ifconfig(8) has been updated to accept a new laggtype argument when creating lagg(4) network interfaces. This new argument is used to distinguish between ethernet and infiniband type of lagg(4) network interface. The laggtype argument is optional and defaults to ethernet. The lagg(4) command line syntax is backwards compatible.

  Differential Revision: https://reviews.freebsd.org/D26254
  Reviewed by: melifaro@
  MFC after: 1 week
  Sponsored by: Mellanox Technologies // NVIDIA Networking
  Notes: svn path=/head/; revision=366933
* Add support for stacked VLANs (IEEE 802.1ad, AKA Q-in-Q).
  Author: Alexander V. Chernikov  Date: 2020-10-21  Files: 6  Lines: -11/+126

  802.1ad interfaces are created with ifconfig using the "vlanproto" parameter. E.g., the following creates a 802.1Q VLAN (id #42) over a 802.1ad S-VLAN (id #5) over a physical Ethernet interface (em0).

    ifconfig vlan5 create vlandev em0 vlan 5 vlanproto 802.1ad up
    ifconfig vlan42 create vlandev vlan5 vlan 42 inet 10.5.42.1/24

  VLAN_MTU, VLAN_HWCSUM and VLAN_TSO capabilities should be properly supported. VLAN_HWTAGGING is only partially supported, as there is currently no IFCAP_VLAN_* denoting the possibility to set the VLAN EtherType to anything else than 0x8100 (802.1ad uses 0x88A8).

  Submitted by: Olivier Piras
  Sponsored by: RG Nets
  Differential Revision: https://reviews.freebsd.org/D26436
  Notes: svn path=/head/; revision=366917
* Move list_cloners to libifconfig
  Author: Ryan Moeller  Date: 2020-10-21  Files: 1  Lines: -36/+19

  Move list_cloners() from ifconfig(8) to libifconfig(3) where it can be reused by other consumers.

  Reviewed by: kp
  Differential Revision: https://reviews.freebsd.org/D26858
  Notes: svn path=/head/; revision=366906
* net80211: update for (more) VHT160 support
  Author: Bjoern A. Zeeb  Date: 2020-10-18  Files: 1  Lines: -1/+25

  Implement two macros IEEE80211_VHTCAP_SUPP_CHAN_WIDTH_IS_160MHZ() and its 80+80 counterpart to check in vhtcaps for appropriate levels of support and use the macros throughout the code.

  Add vht160_chan_ranges/is_vht160_valid_freq and handle analogue to vht80 in various parts of the code.

  Add ieee80211_add_channel_cbw() which also takes the CBW flag fields and make the former ieee80211_add_channel() a wrapper to it. With the CBW flags we can add HT/VHT channels passing them to getflags() for the 2/5ghz functions.

  In ifconfig(8) add the regdomain_addchans() support for VHT160 and VHT80P80.

  With this (+ regdomain.xml updates) VHT160 channels can be configured, listed, and pass regdomain where appropriate.

  Tested with: iwlwifi
  Reviewed by: adrian
  MFC after: 10 days
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D26712
  Notes: svn path=/head/; revision=366800
* Fix a few mandoc issues
  Author: Gordon Bergling  Date: 2020-10-09  Files: 1  Lines: -1/+1

  - no blank before trailing delimiter
  - whitespace at end of input line
  - sections out of conventional order
  - normalizing date format
  - AUTHORS section without An macro

  Notes: svn path=/head/; revision=366572
* 80211: ifconfig replace MS() with _IEEE80211_MASKSHIFT()
  Author: Bjoern A. Zeeb  Date: 2020-10-07  Files: 1  Lines: -10/+17

  As we did in the kernel in r366112 replace the MS() macro with the version(s) added to the kernel: _IEEE80211_MASKSHIFT(). Also provide its counterpart. This will later allow us to use other macros defined in net80211 headers here in ifconfig.

  MFC after: 1 week
  Sponsored by: The FreeBSD Foundation
  Notes: svn path=/head/; revision=366524
* 80211: non-functional changes
  Author: Bjoern A. Zeeb  Date: 2020-10-07  Files: 1  Lines: -2/+1

  Sort a few VHT160 and 80+80 lines, update some comments, and remove a superfluous ','. No functional changes intended.

  MFC after: 1 week
  Sponsored by: The FreeBSD Foundation
  Notes: svn path=/head/; revision=366522
* Add two new ifnet capabilities for hw checksumming and TSO for VXLAN traffic.
  Author: Navdeep Parhar  Date: 2020-09-18  Files: 3  Lines: -3/+24

  These are similar to the existing VLAN capabilities.

  Reviewed by: kib@
  Sponsored by: Chelsio Communications
  Differential Revision: https://reviews.freebsd.org/D25873
  Notes: svn path=/head/; revision=365868
* 80211: consistently order 160 and 80+80
  Author: Bjoern A. Zeeb  Date: 2020-08-17  Files: 1  Lines: -7/+22

  For flags and checks the order goes VHT160 and then VHT80P80 unless checks are in reverse order ("more comes first") in which case we deal with VHT80P80 first.

  The one reverse order to pick out is where we check channel preferences. While it may seem that VHT160 is better, finding two "free" channels (VHT 80+80) is more likely so we do prefer that.

  While dealing with VHT160 and VHT80P80 add extra clauses previously missing or marked TODO in a few places.

  Reviewed by: adrian, gnn
  MFC after: 2 weeks
  Sponsored by: Rubicon Communications, LLC (d/b/a "Netgate")
  Differential Revision: https://reviews.freebsd.org/D26002
  Notes: svn path=/head/; revision=364303
* 80211: consistently spell 80P80
  Author: Bjoern A. Zeeb  Date: 2020-08-17  Files: 1  Lines: -3/+3

  The standard uses 80+80 and 80p80 but nowhere 80_80. Switch the latter to 80P80 for all the macros and comments referring to #defined flags which I could find. The only place we leave as 80p80 is the ifconfig command line arguments as we spell them all in lower case.

  Ideally we would use 80+80 for any interactions with the user and 80P80 for anything internal but let us not confuse parsers and hence avoid the '+' in either case.

  Reviewed by: adrian, gnn
  MFC after: 2 weeks
  Sponsored by: Rubicon Communications, LLC (d/b/a "Netgate")
  Differential Revision: https://reviews.freebsd.org/D26001
  Notes: svn path=/head/; revision=364301
* net80211 / ifconfig: cleanup the use of IEEE80211_FVHT_USEVHT*
  Author: Bjoern A. Zeeb  Date: 2020-08-17  Files: 1  Lines: -18/+27

  Rather than using magic numbers duplicate IEEE80211_FVHT_VHT* in ifconfig (cleanup of these and other flags used and not exposed by net80211 should happen later) and use those. In the kernel this simplifies one ioctl path (the other one currently relies on individual bit flags being passed in).

  We also re-order the 80P80 and 160 flag for 160 to come before 80+80 and more clearly leave the flags as TODO in one of the 160/80+80 cases.

  Reviewed by: adrian
  MFC after: 2 weeks
  Sponsored by: Rubicon Communications, LLC (d/b/a "Netgate")
  Differential Revision: https://reviews.freebsd.org/D26000
  Notes: svn path=/head/; revision=364299
* ifconfig(8): plug memory leak after r361790 by me.
  Author: Eugene Grosbein  Date: 2020-08-13  Files: 1  Lines: -0/+1

  MFC after: 3 days
  Notes: svn path=/head/; revision=364186
* Move ifconfig SFP status functionality into libifconfig
  Author: Ryan Moeller  Date: 2020-08-09  Files: 2  Lines: -916/+73

  libifconfig_sfp.h provides an API in libifconfig for querying SFP module properties, operational status, and vendor strings, as well as descriptions of the various fields, string conversions, and other useful helpers for implementing user interfaces.

  SFP module status is obtained by reading registers via an I2C interface. Descriptions of these registers and the values therein have been collected in a Lua table which is used to generate all the boilerplate C headers and source files for accessing these values, their names, and descriptions. The generated code is fully commented and readable.

  This is the first use of libifconfig in ifconfig itself. For now, the scope remains very limited. Over time, more of ifconfig will be replaced with libifconfig.

  Some minor changes to the formatting of ifconfig output have been made:
  - Module memory hex dumps are indented one extra space as a result of using hexdump(3) instead of a bespoke hex dump function.
  - Media descriptions have an added two-character short-name in parentheses.
  - QSFP modules were incorrectly displaying TX bias current as power. Now TX channels display bias current, and this change has been made for both SFP and QSFP modules for consistency.

  A Lua binding for libifconfig including this functionality is implemented but has not been included in this commit. The plan is for it to be committed after dynamic module loading has been enabled in flua.

  Reviewed by: kp, melifaro
  Relnotes: yes
  Differential Revision: https://reviews.freebsd.org/D25494
  Notes: svn path=/head/; revision=364058
* net80211/ifconfig: print hardware device name for wlan interfaces
  Author: Bjoern A. Zeeb  Date: 2020-08-07  Files: 1  Lines: -0/+23

  Add IEEE80211_IOC_IC_NAME to query the ic_name field and in ifconfig to print the parent interface again. This functionality was lost around r287197. It helps in case of multiple wlan interfaces and multiple underlying hardware devices to keep track which wlan interface belongs to which physical device.

  Sponsored by: Rubicon Communications, LLC (d/b/a "Netgate")
  Reviewed by: adrian, Idwer Vollering
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D25832
  Notes: svn path=/head/; revision=364011
* libifconfig: Add function to get bridge status
  Author: Ryan Moeller  Date: 2020-07-01  Files: 1  Lines: -30/+3

  The new function operates similarly to ifconfig_lagg_get_lagg_status and likewise is accompanied by a function to free the bridge status data structure.

  I have included in this patch the relocation of some strings describing STP parameters and the PV2ID macro from ifconfig into net/if_bridgevar.h as they are useful for consumers of libifconfig.

  Reviewed by: kp, melifaro, mmacy
  Approved by: mmacy (mentor)
  MFC after: 1 week
  Relnotes: yes
  Differential Revision: https://reviews.freebsd.org/D25460
  Notes: svn path=/head/; revision=362824
* ifconfig(8): optimize -f ether:dash mode
  Author: Allan Jude  Date: 2020-06-26  Files: 1  Lines: -3/+3

  Switch to the simplified while loop suggested by Aaron LI

  Post commit review via: https://reviews.freebsd.org/rS301185#inline-232
  Submitted by: Aaron LI <aly@aaronly.me>
  Sponsored by: Klara Inc.
  Notes: svn path=/head/; revision=362654
* ifconfig(8): remove duplicate line from man page
  Author: Allan Jude  Date: 2020-06-26  Files: 1  Lines: -1/+0

  Reported by: Weitian LI <liweitianux@live.com>
  Sponsored by: Klara Inc.
  Notes: svn path=/head/; revision=362652
* [ifconfig] add UAPSD and LDPC flags
  Author: Adrian Chadd  Date: 2020-06-16  Files: 1  Lines: -4/+10

  * Add UAPSD and LDPC flags
  * expand the FLAGS section; it's kinda grown since I started hacking on net80211.

  Notes: svn path=/head/; revision=362216
* [net80211] Add uapsd option to ifconfig
  Author: Adrian Chadd  Date: 2020-06-16  Files: 1  Lines: -0/+18

  Add an enable/disable option for controlling uapsd. I'm not yet controlling the individual AC configs or the service period.

  Notes: svn path=/head/; revision=362211
* Decode the "LACP Fast Timeout" LAGG option flag
  Author: Ravi Pokala  Date: 2020-06-11  Files: 1  Lines: -4/+4

  r286700 added the "lacp_fast_timeout" option to `ifconfig', but we forgot to include the new option in the string used to decode the option bits. Add "LACP_FAST_TIMO" to LAGG_OPT_BITS.

  Also, s/LAGG_OPT_LACP_TIMEOUT/LAGG_OPT_LACP_FAST_TIMO/g, to be clearer that the flag indicates "Fast Timeout" mode.

  Reported by: Greg Foster <gfoster at panasas dot com>
  Reviewed by: jpaetzel
  MFC after: 1 week
  Sponsored by: Panasas
  Differential Revision: https://reviews.freebsd.org/D25239
  Notes: svn path=/head/; revision=362078
* ifconfig(8): make it possible to filter output by interface group.
  Author: Eugene Grosbein  Date: 2020-06-04  Files: 2  Lines: -4/+111

  Now options -g/-G allow to select/unselect interfaces by groups in the "ifconfig -a" output just like already existing -d/-u.

  Examples:
  to exclude loopback from the list:
    ifconfig -a -G lo
  to show vlan interfaces only:
    ifconfig -a -g vlan
  to show tap interfaces that are up:
    ifconfig -aug tap

  Arguments to -g/-G may be shell patterns and both may be specified. Later options -g/-G override previous ones.

  MFC after: 2 weeks
  Relnotes: yes
  Differential Revision: https://reviews.freebsd.org/D25029
  Notes: svn path=/head/; revision=361790
* ifconfig.8: fix capability and flag descriptions for list scan / sta
  Author: Andriy Gapon  Date: 2020-06-04  Files: 1  Lines: -34/+29

  Some capability descriptions under list scan actually described flags. Some capability descriptions were missing. Some flag descriptions under list sta actually described capabilities.

  Reviewed by: adrian
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D25014
  Notes: svn path=/head/; revision=361787
* ifconfig(8): spell "groupname" consistently with SYNOPSIS.
  Author: Eugene Grosbein  Date: 2020-05-27  Files: 1  Lines: -2/+2

  MFC after: 1 week
  Notes: svn path=/head/; revision=361548
* lagg: Further cleanup of the rr_limit option.
  Author: Mark Johnston  Date: 2020-01-09  Files: 1  Lines: -2/+5

  Add an option flag so that arbitrary updates to a lagg's configuration do not clear sc_stride. Preserve compatibility for old ifconfig binaries.

  Update ifconfig to use the new flag and improve the casting used when parsing the option parameter.

  Modify the RR transmit function to avoid locklessly reading sc_stride twice. Ensure that sc_stride is always 1 or greater.

  Reviewed by: hselasky
  MFC after: 1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D23092
  Notes: svn path=/head/; revision=356554
* lagg: Clean up handling of the rr_limit option.
  Author: Mark Johnston  Date: 2019-12-22  Files: 1  Lines: -1/+4

  - Don't allow an unprivileged user to set the stride. [1]
  - Only set the stride under the softc lock.
  - Rename the internal fields to accurately reflect their use. Keep ro_bkt to avoid changing the user API.
  - Simplify the implementation. The port index is just sc_seq / stride.
  - Document rr_limit in ifconfig.8.

  Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> [1]
  MFC after: 1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D22857
  Notes: svn path=/head/; revision=356029
* Update Makefile.depend files
  Author: Simon J. Gerraty  Date: 2019-12-11  Files: 1  Lines: -3/+0

  Update a bunch of Makefile.depend files as a result of adding Makefile.depend.options files

  Reviewed by: bdrewery
  MFC after: 1 week
  Sponsored by: Juniper Networks
  Differential Revision: https://reviews.freebsd.org/D22494
  Notes: svn path=/head/; revision=355617
* Add Makefile.depend.options
  Author: Simon J. Gerraty  Date: 2019-12-11  Files: 1  Lines: -0/+8

  Leaf directories that have dependencies impacted by options need a Makefile.depend.options file to avoid churn in Makefile.depend

  DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc can be set in local.dirdeps-options.mk which can add to those set in Makefile.depend.options

  See share/mk/dirdeps-options.mk

  Reviewed by: bdrewery
  MFC after: 1 week
  Sponsored by: Juniper Networks
  Differential Revision: https://reviews.freebsd.org/D22469
  Notes: svn path=/head/; revision=355616
* ifconfig: add report of the string from SIOCGIFDOWNREASON.
  Author: Konstantin Belousov  Date: 2019-09-17  Files: 1  Lines: -5/+27

  Sample output:
    # ifconfig mce0
    mce0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3ed07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,TXRTLMT,HWRXTSTMP>
        ether e4:1d:2d:e7:10:0a
        media: Ethernet autoselect <full-duplex,rxpause,txpause>
        status: no carrier (Negotiation failure)
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

  Reviewed by: hselasky, rrs
  Sponsored by: Mellanox Technologies
  MFC after: 1 week
  Differential revision: https://reviews.freebsd.org/D21527
  Notes: svn path=/head/; revision=352459
* Add kernel-side support for in-kernel TLS.
  Author: John Baldwin  Date: 2019-08-27  Files: 2  Lines: -2/+26

  KTLS adds support for in-kernel framing and encryption of Transport Layer Security (1.0-1.2) data on TCP sockets. KTLS only supports offload of TLS for transmitted data. Key negotiation must still be performed in userland. Once completed, transmit session keys for a connection are provided to the kernel via a new TCP_TXTLS_ENABLE socket option. All subsequent data transmitted on the socket is placed into TLS frames and encrypted using the supplied keys.

  Any data written to a KTLS-enabled socket via write(2), aio_write(2), or sendfile(2) is assumed to be application data and is encoded in TLS frames with an application data type. Individual records can be sent with a custom type (e.g. handshake messages) via sendmsg(2) with a new control message (TLS_SET_RECORD_TYPE) specifying the record type.

  At present, rekeying is not supported though the in-kernel framework should support rekeying.

  KTLS makes use of the recently added unmapped mbufs to store TLS frames in the socket buffer. Each TLS frame is described by a single ext_pgs mbuf. The ext_pgs structure contains the header of the TLS record (and trailer for encrypted records) as well as references to the associated TLS session.

  KTLS supports two primary methods of encrypting TLS frames: software TLS and ifnet TLS.

  Software TLS marks mbufs holding socket data as not ready via M_NOTREADY similar to sendfile(2) when TLS framing information is added to an unmapped mbuf in ktls_frame(). ktls_enqueue() is then called to schedule TLS frames for encryption. In the case of sendfile_iodone() calls ktls_enqueue() instead of pru_ready() leaving the mbufs marked M_NOTREADY until encryption is completed.

  For other writes (vn_sendfile when pages are available, write(2), etc.), the PRUS_NOTREADY is set when invoking pru_send() along with invoking ktls_enqueue().

  A pool of worker threads (the "KTLS" kernel process) encrypts TLS frames queued via ktls_enqueue(). Each TLS frame is temporarily mapped using the direct map and passed to a software encryption backend to perform the actual encryption. (Note: The use of PHYS_TO_DMAP could be replaced with sf_bufs if someone wished to make this work on architectures without a direct map.)

  KTLS supports pluggable software encryption backends. Internally, Netflix uses proprietary pure-software backends. This commit includes a simple backend in a new ktls_ocf.ko module that uses the kernel's OpenCrypto framework to provide AES-GCM encryption of TLS frames. As a result, software TLS is now a bit of a misnomer as it can make use of hardware crypto accelerators.

  Once software encryption has finished, the TLS frame mbufs are marked ready via pru_ready(). At this point, the encrypted data appears as regular payload to the TCP stack stored in unmapped mbufs.

  ifnet TLS permits a NIC to offload the TLS encryption and TCP segmentation. In this mode, a new send tag type (IF_SND_TAG_TYPE_TLS) is allocated on the interface a socket is routed over and associated with a TLS session. TLS records for a TLS session using ifnet TLS are not marked M_NOTREADY but are passed down the stack unencrypted. The ip_output_send() and ip6_output_send() helper functions that apply send tags to outbound IP packets verify that the send tag of the TLS record matches the outbound interface. If so, the packet is tagged with the TLS send tag and sent to the interface. The NIC device driver must recognize packets with the TLS send tag and schedule them for TLS encryption and TCP segmentation. If the outbound interface does not match the interface in the TLS send tag, the packet is dropped.

  In addition, a task is scheduled to refresh the TLS send tag for the TLS session. If a new TLS send tag cannot be allocated, the connection is dropped. If a new TLS send tag is allocated, however, subsequent packets will be tagged with the correct TLS send tag. (This latter case has been tested by configuring both ports of a Chelsio T6 in a lagg and failing over from one port to another. As the connections migrated to the new port, new TLS send tags were allocated for the new port and connections resumed without being dropped.)

  ifnet TLS can be enabled and disabled on supported network interfaces via new '[-]txtls[46]' options to ifconfig(8). ifnet TLS is supported across both vlan devices and lagg interfaces using failover, lacp with flowid enabled, or lacp with flowid enabled.

  Applications may request the current KTLS mode of a connection via a new TCP_TXTLS_MODE socket option. They can also use this socket option to toggle between software and ifnet TLS modes.

  In addition, a testing tool is available in tools/tools/switch_tls. This is modeled on tcpdrop and uses similar syntax. However, instead of dropping connections, -s is used to force KTLS connections to switch to software TLS and -i is used to switch to ifnet TLS.

  Various sysctls and counters are available under the kern.ipc.tls sysctl node. The kern.ipc.tls.enable node must be set to true to enable KTLS (it is off by default). The use of unmapped mbufs must also be enabled via kern.ipc.mb_use_ext_pgs to enable KTLS.

  KTLS is enabled via the KERN_TLS kernel option.

  This patch is the culmination of years of work by several folks including Scott Long and Randall Stewart for the original design and implementation; Drew Gallatin for several optimizations including the use of ext_pgs mbufs, the M_NOTREADY mechanism for TLS records awaiting software encryption, and pluggable software crypto backends; and John Baldwin for modifications to support hardware TLS offload.

  Reviewed by: gallatin, hselasky, rrs
  Obtained from: Netflix
  Sponsored by: Netflix, Chelsio Communications
  Differential Revision: https://reviews.freebsd.org/D21277
  Notes: svn path=/head/; revision=351522
* net: Update SFF-8024 definitions and strings with values from rev 4.6
  Author: Eric Joyner  Date: 2019-08-17  Files: 1  Lines: -6/+63

  This will let ifconfig -v's SFF eeprom read functionality recognize more module types.

  Signed-off-by: Eric Joyner <erj@freebsd.org>
  Reviewed by: gallatin@
  MFC after: 1 week
  Sponsored by: Intel Corporation
  Differential Revision: https://reviews.freebsd.org/D21041
  Notes: svn path=/head/; revision=351153
* finish the pcp feature, by documenting it in the man page...
  Author: John-Mark Gurney  Date: 2019-08-15  Files: 1  Lines: -1/+8

  Notes: svn path=/head/; revision=351086
* Remove RELEASE_CRUNCH
  Author: Warner Losh  Date: 2019-07-19  Files: 1  Lines: -1/+1

  RELEASE_CRUNCH isn't used for releases any more. If someone wants to subset, then they can set MK_JAIL=no instead.

  Notes: svn path=/head/; revision=350151
* Add an external mbuf buffer type that holds multiple unmapped pages.
  Author: John Baldwin  Date: 2019-06-29  Files: 2  Lines: -2/+10

  Unmapped mbufs allow sendfile to carry multiple pages of data in a single mbuf, without mapping those pages. It is a requirement for Netflix's in-kernel TLS, and provides a 5-10% CPU savings on heavy web serving workloads when used by sendfile, due to effectively compressing socket buffers by an order of magnitude, and hence reducing cache misses.

  For this new external mbuf buffer type (EXT_PGS), the ext_buf pointer now points to a struct mbuf_ext_pgs structure instead of a data buffer. This structure contains an array of physical addresses (this reduces cache misses compared to an earlier version that stored an array of vm_page_t pointers). It also stores additional fields needed for in-kernel TLS such as the TLS header and trailer data that are currently unused. To more easily detect these mbufs, the M_NOMAP flag is set in m_flags in addition to M_EXT.

  Various functions like m_copydata() have been updated to safely access packet contents (using uiomove_fromphys()), to make things like BPF safe.

  NIC drivers advertise support for unmapped mbufs on transmit via a new IFCAP_NOMAP capability. This capability can be toggled via the new 'nomap' and '-nomap' ifconfig(8) commands. For NIC drivers that only transmit packet contents via DMA and use bus_dma, adding the capability to if_capabilities and if_capenable should be all that is required.

  If a NIC does not support unmapped mbufs, they are converted to a chain of mapped mbufs (using sf_bufs to provide the mapping) in ip_output or ip6_output. If an unmapped mbuf requires software checksums, it is also converted to a chain of mapped mbufs before computing the checksum.

  Submitted by: gallatin (earlier version)
  Reviewed by: gallatin, hselasky, rrs
  Discussed with: ae, kp (firewalls)
  Relnotes: yes
  Sponsored by: Netflix
  Differential Revision: https://reviews.freebsd.org/D20616
  Notes: svn path=/head/; revision=349529
* Change ed(4), ep(4), and fxp(4) examples to em(4).
  Author: Brooks Davis  Date: 2019-05-18  Files: 1  Lines: -8/+8

  ed(4) and ep(4) have been removed. fxp(4) remains popular in older systems, but isn't as future proof as em(4).

  Reviewed by: bz, jhb
  MFC after: 3 days
  Differential Revision: https://reviews.freebsd.org/D20311
  Notes: svn path=/head/; revision=347963
* ifconfig(8): Add kld mappings for ipsec/enc
  Author: Kyle Evans  Date: 2019-05-10  Files: 1  Lines: -3/+25

  Additionally, providing mappings makes the comparison for already loaded modules a little more strict. This should have been done at initial introduction, but there was no real reason; however, it proves necessary for enc which has a standard enc -> if_enc mapping but there also exists an 'enc' module that's actually CAM. The mapping lets us unambiguously determine the correct module.

  Discussed with: ae
  MFC after: 4 days
  Notes: svn path=/head/; revision=347429
* ifconfig(8): Partial revert of r347241
  Author: Kyle Evans  Date: 2019-05-09  Files: 1  Lines: -11/+5

  r347241 introduced an ifname <-> kld mapping table, mostly so tun/tap/vmnet can autoload the correct module on use. It also inadvertently made bogus some previously valid uses of sizeof(). Revert back to ifkind on the stack for simplicity's sake. This reduces the diff from the previous version of ifmaybeload for easier auditing.

  Notes: svn path=/head/; revision=347392
* tun/tap: merge and rename to `tuntap`
  Author: Kyle Evans  Date: 2019-05-08  Files: 1  Lines: -6/+45

  tun(4) and tap(4) share the same general management interface and have a lot in common. Bugs exist in tap(4) that have been fixed in tun(4), and vice-versa. Let's reduce the maintenance requirements by merging them together and using flags to differentiate between the three interface types (tun, tap, vmnet). This fixes a couple of tap(4)/vmnet(4) issues right out of the gate:

  - tap devices may no longer be destroyed while they're open [0]
  - VIMAGE issues already addressed in tun by kp

  [0] emaste had removed an easy-panic-button in r240938 due to devdrn blocking. A naive glance over this leads me to believe that this isn't quite complete -- destroy_devl will only block while executing d_* functions, but doesn't block the device from being destroyed while a process has it open. The latter is the intent of the condvar in tun, so this is "fixed" (for certain definitions of the word -- it wasn't really broken in tap, it just wasn't quite ideal).

  ifconfig(8) also grew the ability to map an interface name to a kld, so that `ifconfig {tun,tap}0` can continue to autoload the correct module, and `ifconfig vmnet0 create` will now autoload the correct module. This is a low overhead addition.

  (MFC commentary)

  This may get MFC'd if many bugs in tun(4)/tap(4) are discovered after this, and how critical they are. Changes after this are likely easily MFC'd without taking this merge, but the merge will be easier. I have no plans to do this MFC as of now.

  Reviewed by: bcr (manpages), tuexen (testing, syzkaller/packetdrill)
  Input also from: melifaro
  Relnotes: yes
  Differential Revision: https://reviews.freebsd.org/D20044
  Notes: svn path=/head/; revision=347241