"require" IPsec policy is not enforced on them, and unauthenticated
packets will be accepted.
Tested with a require-AH configuration. Sent on tech-net@, no comment.
Some others (e.g. sfp cage interrupt and bypass adapter stuff) will be merged
later:
- Initialize firmware command buffer correctly in ixgbe_read_ee_hostif_X550()
and ixgbe_read_ee_hostif_buffer_X550(). These functions are used when reading
NVM.
- Fix a bug where ixgbe_mng_present() misunderstands management capability on
X550 and newer in some environments. X550 changed FWSM bit definition.
See X540 document and X550's document and compare them.
- Fix checksum calculation in ixgbe_set_fw_drv_ver_generic(). This function is
not used in NetBSD.
- Add some unused functions.
- Whitespace fix.
parameters. Use more .Ic and .Ar when defining syntax.
The manual is still rather inconsistent e.g. when referring to
parameters where it randomly uses both $0 and 0 or $@ and @ - but I'm
not shaving that yak at least for now.
- remove old package makefiles
- update makekeys for Xfuncproto.h being a real file now
- clean up deleted package X11SRCDIR.pkg settings
this should be functionally equivalent.
A new sysctl is added, machdep.spectreV2.mitigated, that controls whether
Spectre V2 is mitigated. For now it defaults to "false".
The code is written in such a way that there can be several methods. For
now only one method is supported, on AMD Families 10h, 12h and 16h, where
an MSR is available to disable branch prediction entirely.
Compile-tested on Intel, AMD will be tested soon.
The scopes needed to be set on the addresses before invoking ip6_output,
because ip6_output needs them. The reason they are not here already is
because pfil_run_hooks (in ip6_input) is called _before_ the kernel
initializes the scopes.
Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
never actually sent.
Perhaps it would be better to have the kernel initialize the scopes
before invoking pfil_run_hooks, but several things will need to be fixed
in several places.
Tested with a simple TCPv6 server. Until now the client would block
waiting for an answer that never came; now it receives an RST right away
and closes the connection, as expected.
I believe that the same problem exists in the "return-icmp" rules, but I
can't investigate this right now (some problems with wireshark).
if_gif.c:r1.133 introduces gif_update_variant(), which ensures ifp->if_flags
has IFF_RUNNING set when gif_softc->gif_var->gv_{psrc,pdst} are not null.
So, in6_gif_ctlinput() does not require IFF_RUNNING checking. In contrast,
it does require gv_{psrc,pdst} NULL checking.
New tests attempting to kill, stop, drop or revive a zombie:
- signal1 (SIGKILL)
- signal2 (SIGSTOP)
- signal3 (SIGABRT)
- signal4 (SIGHUP)
- signal5 (SIGCONT)
New test race1 verifying whether there are any kernel races when processing
signals to zombies, executing in a loop for 5 seconds.
These tests were inspired by unexpected kernel behavior where a lookup
of a dying process could result in two detected entities: once as an alive
process and once as a zombie.
race1 is similar to t_ptrace_wait* race1, however without ptrace(2) involved.
Sponsored by <The NetBSD Foundation>
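
The property the signal1 to signal5 tests above check, as an added stand-alone example (not the NetBSD test code): a signal sent to a zombie is accepted by kill(2) but must not change what the parent later collects. The names signal_zombie and CHILD_EXIT are hypothetical, and the looping race1 case is not covered.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_EXIT 7    /* constructed marker exit status */

/* Fork a child that exits at once, wait until it is a zombie, send it
 * `sig`, then reap it. Returns the exit status the parent collects,
 * or -1 if a step failed or the zombie no longer reports a normal exit. */
int signal_zombie(int sig)
{
    siginfo_t info;
    int status;
    pid_t pid;

    signal(SIGCHLD, SIG_DFL);   /* make sure children are not auto-reaped */
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0)
        _exit(CHILD_EXIT);

    /* WNOWAIT: block until the child has exited, but leave the zombie. */
    if (waitid(P_PID, (id_t)pid, &info, WEXITED | WNOWAIT) == -1 ||
        kill(pid, sig) == -1) {     /* a zombie still owns its PID */
        waitpid(pid, NULL, 0);
        return -1;
    }
    /* The signal must not have killed, stopped or revived the zombie. */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const int sigs[] = { SIGKILL, SIGSTOP, SIGABRT, SIGHUP, SIGCONT };
    int bad = 0;

    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++) {
        int st = signal_zombie(sigs[i]);
        printf("signal %d -> exit status %d\n", sigs[i], st);
        bad |= (st != CHILD_EXIT);
    }
    return bad;
}
```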
might get an interrupt before re-enabling WP, and be rescheduled as a
result. In practice it never happens, because the previous PSL always
has interrupts disabled too.
is not happy in npf_reassembly, because NPC_IPFRAG is again returned after
the packet was reassembled.
I'm wondering whether it would not be better to just remove the fragment
header in frag6_input directly.